initial ipv6 via iptable wapper

pull/88/head
Th4nat0s 2012-06-14 23:44:52 +02:00
parent b4099dae57
commit abc45d28f7
5 changed files with 131 additions and 9 deletions


@ -0,0 +1,69 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
# Modified by Paul Jung for calling wrapper in dual stack ipv6 and v4 banning
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = fail2ban-iptwrp -N fail2ban-<name>
fail2ban-iptwrp -A fail2ban-<name> -j RETURN
fail2ban-iptwrp -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = fail2ban-iptwrp -D INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
fail2ban-iptwrp -F fail2ban-<name>
fail2ban-iptwrp -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = fail2ban-iptwrp -n -L INPUT | grep -q fail2ban-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = fail2ban-iptwrp -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = fail2ban-iptwrp -D fail2ban-<name> -s <ip> -j DROP
[Init]
# Defaut name of the chain
#
name = default
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ssh
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
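Review bot: `actioncheck` cannot tell whether the IPv6 chain exists. The command carries no address, so the wrapper added in this commit runs both `iptables` and `ip6tables`, and both listings reach the same `grep -q`. A match from the IPv4 table alone makes the check pass even if the `ip6tables` chain was never created or has been flushed, and a later IPv6 `actionban` would then fail against a missing chain. Checking each table explicitly closes this: `actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name> && ip6tables -n -L INPUT | grep -q fail2ban-<name>`.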

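--- a/fail2ban-iptwrp
+++ b/fail2ban-iptwrp
@@ -0,0 +1,49 @@
+#!/bin/sh
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+# Author: Paul Jung aka 'Thanat0s'
+# IPTable WRaPper
+# This script will call iptable or ip6tables6 depending of the ip format
+LINE=$@
+# try to be simple, keep regexes 'approximatives'
+RESULT4=`echo $LINE | egrep -c -e "([0-9]{1,3}\.){3}[0-9]{1,3}"`
+RESULT6=`echo $LINE | egrep -c -e "(::[A-Fa-f0-9]{1,4}|(:[A-Fa-f0-9]{1,4}){2,})"`
+if [ $RESULT4 -ne "0" ]; then
+# action for ipv4
+iptables $LINE
+ERRCODE=$?
+elif [ $RESULT6 -ne "0" ]; then
+# action for ipv6
+ip6tables $LINE
+ERRCODE=$?
+else
+# action for both iptables if no ip is present
+iptables $LINE
+ERRCODE=$?
+ip6tables $LINE
+if [ $? -ge "1" ]; then
+ERRCODE=$?
+fi
+fi
+# always report the error
+exit $ERRCODE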
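Review bot: In the no-address branch, `ERRCODE=$?` inside the `if` captures the exit status of the `[ $? -ge "1" ]` test, not of `ip6tables`. That status is 0 whenever the branch is entered, so an `ip6tables` failure is reported as success and also overwrites a failing `iptables` status. Fail2Ban would then treat `actionstart` as successful while the IPv6 chain is missing. Save the status before testing it: `ip6tables $LINE`, `RC6=$?`, `if [ $RC6 -ne 0 ]; then ERRCODE=$RC6; fi`. Separately, `LINE=$@` with unquoted `$LINE` re-splits and glob-expands the arguments; passing `"$@"` to `iptables`/`ip6tables` and using `$*` only for the `egrep` tests keeps them intact.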


@ -47,7 +47,7 @@ class Regex:
self._matchCache = None
# Perform shortcuts expansions.
# Replace "<HOST>" with default regular expression for host.
regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)")
regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_:]+)")
if regex.lstrip() == '':
raise RegexException("Cannot add empty regex")
try:
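Review bot: The `<HOST>` variant that adds `:` to the character class lets the `host` group run through a colon that used to end it, so a log line written as `address:port` would, as far as this hunk shows, capture the port as part of the host. Such a value matches neither `IP_CRE` nor the `IP_CRE6` pattern added in this commit, and whether the ban is then missed depends on lookup code outside this hunk. Keeping the original class and adding a separate alternative for colon-separated literals avoids that, for example `(?P<host>[\w\-.^_]+|[0-9A-Fa-f]*:[0-9A-Fa-f:.]+)`. A comment such as `# IPv6 literals need ':'; kept as a separate alternative so host:port still stops at the colon` would record the reason. The enclosing constructor starts and ends outside the hunk.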


@ -547,6 +547,7 @@ import socket, struct
class DNSUtils:
IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$")
IP_CRE6 = re.compile("^(?:[0-9:A-Fa-f]{3,})$")
#@staticmethod
def dnsToIp(dns):
@ -570,19 +571,21 @@ class DNSUtils:
if match:
return match
else:
return None
match = DNSUtils.IP_CRE6.match(text)
if match:
""" Right Here, we faced to a ipv6
"""
return match
else:
return None
searchIP = staticmethod(searchIP)
#@staticmethod
def isValidIP(string):
""" Return true if str is a valid IP
We Consider that logfiles didn't make errors ;)
"""
s = string.split('/', 1)
try:
socket.inet_aton(s[0])
return True
except socket.error:
return False
return True
isValidIP = staticmethod(isValidIP)
#@staticmethod
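Review bot: `isValidIP` appears to end up as a bare `return True` on the new side (the `+`/`-` markers are lost on this page), which removes the only syntactic check on addresses instead of extending it to IPv6. Combined with `IP_CRE6 = re.compile("^(?:[0-9:A-Fa-f]{3,})$")`, which also matches plain hex words such as `cafe` or a run like `:::`, a host name or malformed token could be accepted as an IPv6 address and passed on to the ban action. Keep the `inet_aton` test and fall back to `socket.inet_pton` with `socket.AF_INET6` so both families are actually parsed; the same call could back `searchIP` instead of the loose pattern. The string literal in the IPv6 branch of `searchIP` is a statement in the middle of the body and reads better as a `#` comment.

```python
def isValidIP(string):
    # ... unchanged: docstring and split on '/' ...
    try:
        socket.inet_aton(s[0])
        return True
    except socket.error:
        pass
    try:
        # inet_pton parses the full IPv6 textual form, including '::' compression
        socket.inet_pton(socket.AF_INET6, s[0])
        return True
    except socket.error:
        return False
```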


@ -54,7 +54,8 @@ setup(
scripts = [
'fail2ban-client',
'fail2ban-server',
'fail2ban-regex'
'fail2ban-regex' ,
'fail2ban-iptwrp'
],
packages = [
'common',