mirror of https://github.com/fail2ban/fail2ban
commit
ad466ecb3c
30
CHANGELOG
30
CHANGELOG
|
@ -4,9 +4,37 @@
|
|||
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
||||
|
||||
=============================================================
|
||||
Fail2Ban (version 0.5.4) 2005/09/13
|
||||
Fail2Ban (version 0.6.0) 2005/11/20
|
||||
=============================================================
|
||||
|
||||
ver. 0.6.0 (2005/11/20) - stable
|
||||
----------
|
||||
- Propagated patches introduced by Debian maintainer
|
||||
(Yaroslav Halchenko):
|
||||
* Added an option to report local time (including timezone)
|
||||
or GMT in mail notification.
|
||||
|
||||
ver. 0.5.5 (2005/10/26) - beta
|
||||
----------
|
||||
- Propagated patches introduced by Debian maintainer
|
||||
(Yaroslav Halchenko):
|
||||
* Introduced fwcheck option to verify consistency of the
|
||||
chains. Implemented automatic restart of fail2ban main
|
||||
function in case check of fwban or fwunban command failed
|
||||
(closes: #329163, #331695). (Introduced patch was further
|
||||
adjusted by upstream author).
|
||||
* Added -f command line parameter for [findtime].
|
||||
* Added a cleanup of firewall rules on emergency shutdown
|
||||
when unknown exception is catched.
|
||||
* Fail2ban should not crash now if a wrong file name is
|
||||
specified in config.
|
||||
* reordered code a bit so that log targets are setup right
|
||||
after background and then only loglevel (verbose, debug)
|
||||
is processed, so the warning could be seen in the logs
|
||||
* Added a keyword <section> in parsing of the subject and
|
||||
the body of an email sent out by fail2ban (closes:
|
||||
#330311)
|
||||
|
||||
ver. 0.5.4 (2005/09/13) - beta
|
||||
----------
|
||||
- Fixed bug #1286222.
|
||||
|
|
2
PKG-INFO
2
PKG-INFO
|
@ -1,6 +1,6 @@
|
|||
Metadata-Version: 1.0
|
||||
Name: fail2ban
|
||||
Version: 0.5.4
|
||||
Version: 0.6.0
|
||||
Summary: Ban IPs that make too many password failure
|
||||
Home-page: http://fail2ban.sourceforge.net
|
||||
Author: Cyril Jaquier
|
||||
|
|
13
README
13
README
|
@ -4,7 +4,7 @@
|
|||
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
||||
|
||||
=============================================================
|
||||
Fail2Ban (version 0.5.4) 2005/09/13
|
||||
Fail2Ban (version 0.6.0) 2005/11/20
|
||||
=============================================================
|
||||
|
||||
Fail2Ban scans log files like /var/log/pwdfail and bans IP
|
||||
|
@ -54,12 +54,12 @@ firewalls.
|
|||
Installation:
|
||||
-------------
|
||||
|
||||
Require: python-2.3 (http://www.python.org)
|
||||
Require: python-2.4 (http://www.python.org)
|
||||
|
||||
To install, just do:
|
||||
|
||||
> tar xvfj fail2ban-0.5.4.tar.bz2
|
||||
> cd fail2ban-0.5.4
|
||||
> tar xvfj fail2ban-0.6.0.tar.bz2
|
||||
> cd fail2ban-0.6.0
|
||||
> python setup.py install
|
||||
|
||||
This will install Fail2Ban into /usr/lib/fail2ban. The fail2ban
|
||||
|
@ -102,8 +102,9 @@ options:
|
|||
-h display this help message
|
||||
-i <IP(s)> IP(s) to ignore
|
||||
-k kill a currently running instance
|
||||
-r <VALUE> allow a max of VALUE password failure
|
||||
-t <TIME> ban IP for TIME seconds
|
||||
-r <VALUE> allow a max of VALUE password failure [maxfailures]
|
||||
-t <TIME> ban IP for TIME seconds [bantime]
|
||||
-f <TIME> lifetime in seconds of failed entry [findtime]
|
||||
-v verbose. Use twice for greater effect
|
||||
-V print software version
|
||||
|
||||
|
|
11
TODO
11
TODO
|
@ -4,7 +4,7 @@
|
|||
|_| \__,_|_|_/___|_.__/\__,_|_||_|
|
||||
|
||||
=============================================================
|
||||
ToDo
|
||||
ToDo $Revision: 1.5 $
|
||||
=============================================================
|
||||
|
||||
See Feature Request Tracking System at SourceForge.net
|
||||
|
@ -12,3 +12,12 @@ See Feature Request Tracking System at SourceForge.net
|
|||
- improve installation process (better prefix support)
|
||||
- install Fail2ban into /usr/share
|
||||
- better configuration files
|
||||
- add a check to see if the time of the log messages is
|
||||
correctly detected (valid regexp)
|
||||
- split configuration files in /etc/fail2ban/services.d
|
||||
Example: /etc/fail2ban/services.d/apache
|
||||
- template for common services in /etc/fail2ban/scripts.d
|
||||
Example: /etc/fail2ban/scripts.d/apache
|
||||
- remove debug mode (root check)
|
||||
- better return values in function
|
||||
- use more email.Utils in mail.py
|
||||
|
|
|
@ -8,7 +8,7 @@
|
|||
# Adjusted for Fail2Ban
|
||||
# by Yaroslav Halchenko <debian@onerussian.com>.
|
||||
#
|
||||
# Version: $Id: debian-initd,v 1.1.2.2 2005/09/11 15:42:32 yarikoptic Exp $
|
||||
# Version: $Id: debian-initd,v 1.2 2005/11/20 17:07:47 lostcontrol Exp $
|
||||
#
|
||||
|
||||
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# $Revision: 1.8.2.13 $
|
||||
# $Revision: 1.9 $
|
||||
#
|
||||
# 2005.06.21 modified for readability Iain Lea iain@bricbrac.de
|
||||
|
||||
|
@ -85,6 +85,21 @@ cmdend =
|
|||
#
|
||||
polltime = 1
|
||||
|
||||
# Option: reinittime
|
||||
# Notes.: minimal number of seconds between the re-initialization of
|
||||
# firewalls due to external changes in their rules (see fwcheck)
|
||||
# Values: NUM Default: 100
|
||||
#
|
||||
reinittime = 10
|
||||
|
||||
# Option: maxreinits
|
||||
# Notes.: maximal number of re-initialization of firewalls due to external
|
||||
# changes. -1 stays for infinite, so only reinittime is of importance
|
||||
# Values: NUM Default: -1
|
||||
#
|
||||
maxreinits = -1
|
||||
|
||||
|
||||
[MAIL]
|
||||
# Option: enabled
|
||||
# Notes.: enable mail notification when banning an IP address.
|
||||
|
@ -117,18 +132,26 @@ from = fail2ban
|
|||
#
|
||||
to = root
|
||||
|
||||
# Option: localtime
|
||||
# Notes.: report local time (including timezone) or GMT
|
||||
# Values: [true | false] Default: false
|
||||
#
|
||||
localtime = true
|
||||
|
||||
# Option: subject
|
||||
# Notes.: subject of the e-mail.
|
||||
# Tags: <ip> IP address
|
||||
# Tags: <section> active section (eg ssh, apache, etc)
|
||||
# <ip> IP address
|
||||
# <failures> number of failures
|
||||
# <failtime> unix timestamp of the last failure
|
||||
# Values: TEXT Default: [Fail2Ban] Banned <ip>
|
||||
# Values: TEXT Default: [Fail2Ban] <section>: Banned <ip>
|
||||
#
|
||||
subject = [Fail2Ban] Banned <ip>
|
||||
subject = [Fail2Ban] <section>: Banned <ip>
|
||||
|
||||
# Option: message
|
||||
# Notes.: message of the e-mail.
|
||||
# Tags: <ip> IP address
|
||||
# Tags: <section> active section (eg ssh, apache, etc)
|
||||
# <ip> IP address
|
||||
# <failures> number of failures
|
||||
# <failtime> unix timestamp of the last failure
|
||||
# <br> new line
|
||||
|
@ -136,7 +159,7 @@ subject = [Fail2Ban] Banned <ip>
|
|||
#
|
||||
message = Hi,<br>
|
||||
The IP <ip> has just been banned by Fail2Ban after
|
||||
<failures> attempts.<br>
|
||||
<failures> attempts against <section>.<br>
|
||||
Regards,<br>
|
||||
Fail2Ban
|
||||
|
||||
|
@ -145,6 +168,7 @@ message = Hi,<br>
|
|||
# options: logfile, fwban, fwunban, timeregex, timepattern,
|
||||
# failregex.
|
||||
|
||||
|
||||
[Apache]
|
||||
# Option: enabled
|
||||
# Notes.: enable monitoring for this section.
|
||||
|
@ -171,9 +195,15 @@ fwstart = iptables -N fail2ban-http
|
|||
# Values: CMD Default:
|
||||
#
|
||||
fwend = iptables -D INPUT -p tcp --dport http -j fail2ban-http
|
||||
iptables -D fail2ban-http -j RETURN
|
||||
iptables -F fail2ban-http
|
||||
iptables -X fail2ban-http
|
||||
|
||||
# Option: fwcheck
|
||||
# Notes.: command executed once before each fwban command
|
||||
# Values: CMD Default:
|
||||
#
|
||||
fwcheck = iptables -L INPUT | grep -q fail2ban-http
|
||||
|
||||
# Option: fwban
|
||||
# Notes.: command executed when banning an IP. Take care that the
|
||||
# command is executed with Fail2Ban user rights.
|
||||
|
@ -217,6 +247,7 @@ timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
|
|||
#
|
||||
failregex = authentication failure|user .* not found
|
||||
|
||||
|
||||
[SSH]
|
||||
# Option: enabled
|
||||
# Notes.: enable monitoring for this section.
|
||||
|
@ -243,9 +274,15 @@ fwstart = iptables -N fail2ban-ssh
|
|||
# Values: CMD Default:
|
||||
#
|
||||
fwend = iptables -D INPUT -p tcp --dport ssh -j fail2ban-ssh
|
||||
iptables -D fail2ban-ssh -j RETURN
|
||||
iptables -F fail2ban-ssh
|
||||
iptables -X fail2ban-ssh
|
||||
|
||||
# Option: fwcheck
|
||||
# Notes.: command executed once before each fwban command
|
||||
# Values: CMD Default:
|
||||
#
|
||||
fwcheck = iptables -L INPUT | grep -q fail2ban-ssh
|
||||
|
||||
# Option: fwbanrule
|
||||
# Notes.: command executed when banning an IP. Take care that the
|
||||
# command is executed with Fail2Ban user rights.
|
||||
|
|
|
@ -16,7 +16,7 @@
|
|||
#
|
||||
# Author: Cyril Jaquier
|
||||
#
|
||||
# $Revision: 1.1.2.1 $
|
||||
# $Revision: 1.2 $
|
||||
|
||||
# Command line options for Fail2Ban. Refer to "fail2ban -h" for
|
||||
# valid options.
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
#
|
||||
# Author: Sireyessire, Cyril Jaquier
|
||||
#
|
||||
# $Revision: 1.1.2.2 $
|
||||
# $Revision: 1.2 $
|
||||
|
||||
opts="start stop restart showlog"
|
||||
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
#
|
||||
# Author: Andrey G. Grozin
|
||||
#
|
||||
# $Revision: 1.1.2.2 $
|
||||
# $Revision: 1.2 $
|
||||
|
||||
# Source function library.
|
||||
. /etc/init.d/functions
|
||||
|
|
|
@ -16,11 +16,11 @@
|
|||
|
||||
# Author: Cyril Jaquier
|
||||
#
|
||||
# $Revision: 1.5.2.5 $
|
||||
# $Revision: 1.6 $
|
||||
|
||||
__author__ = "Cyril Jaquier"
|
||||
__version__ = "$Revision: 1.5.2.5 $"
|
||||
__date__ = "$Date: 2005/08/01 16:31:13 $"
|
||||
__version__ = "$Revision: 1.6 $"
|
||||
__date__ = "$Date: 2005/11/20 17:07:47 $"
|
||||
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
|
||||
__license__ = "GPL"
|
||||
|
||||
|
|
12
fail2ban
12
fail2ban
|
@ -18,11 +18,11 @@
|
|||
|
||||
# Author: Cyril Jaquier
|
||||
#
|
||||
# $Revision: 1.4.2.5 $
|
||||
# $Revision: 1.5 $
|
||||
|
||||
__author__ = "Cyril Jaquier"
|
||||
__version__ = "$Revision: 1.4.2.5 $"
|
||||
__date__ = "$Date: 2005/08/04 20:51:14 $"
|
||||
__version__ = "$Revision: 1.5 $"
|
||||
__date__ = "$Date: 2005/11/20 17:07:47 $"
|
||||
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
|
||||
__license__ = "GPL"
|
||||
|
||||
|
@ -55,6 +55,12 @@ except Exception, e:
|
|||
logSys.error("Type: " + `type.__name__` + "\n" +
|
||||
"Value: " + `e.args` + "\n" +
|
||||
"TB: " + `tbStack`)
|
||||
# Try to clean up after ourselves
|
||||
# just for extreme caution - wrapping with try
|
||||
try:
|
||||
fail2ban.restoreFwRules()
|
||||
except Exception:
|
||||
pass
|
||||
# Remove the PID lock file. Should close #1239562
|
||||
pidLock.remove()
|
||||
logging.shutdown()
|
||||
|
|
176
fail2ban.py
176
fail2ban.py
|
@ -17,15 +17,15 @@
|
|||
# Author: Cyril Jaquier
|
||||
# Modified by: Yaroslav Halchenko (SYSLOG, findtime)
|
||||
#
|
||||
# $Revision: 1.20.2.18 $
|
||||
# $Revision: 1.21 $
|
||||
|
||||
__author__ = "Cyril Jaquier"
|
||||
__version__ = "$Revision: 1.20.2.18 $"
|
||||
__date__ = "$Date: 2005/09/13 20:42:33 $"
|
||||
__version__ = "$Revision: 1.21 $"
|
||||
__date__ = "$Date: 2005/11/20 17:07:47 $"
|
||||
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
|
||||
__license__ = "GPL"
|
||||
|
||||
import time, sys, getopt, os, string, signal, logging, logging.handlers
|
||||
import time, sys, getopt, os, string, signal, logging, logging.handlers, copy
|
||||
from ConfigParser import *
|
||||
|
||||
from version import version
|
||||
|
@ -62,8 +62,9 @@ def dispUsage():
|
|||
print " -h display this help message"
|
||||
print " -i <IP(s)> IP(s) to ignore"
|
||||
print " -k kill a currently running instance"
|
||||
print " -r <VALUE> allow a max of VALUE password failure"
|
||||
print " -t <TIME> ban IP for TIME seconds"
|
||||
print " -r <VALUE> allow a max of VALUE password failure [maxfailures]"
|
||||
print " -t <TIME> ban IP for TIME seconds [bantime]"
|
||||
print " -f <TIME> lifetime in seconds of failed entry [findtime]"
|
||||
print " -v verbose. Use twice for greater effect"
|
||||
print " -V print software version"
|
||||
print
|
||||
|
@ -92,19 +93,48 @@ def sigTERMhandler(signum, frame):
|
|||
logSys.debug("Signal handler called with sig "+`signum`)
|
||||
killApp()
|
||||
|
||||
def setFwMustCheck(value):
|
||||
""" Set the mustCheck value of the firewalls (True/False)
|
||||
"""
|
||||
for element in logFwList:
|
||||
element[2].setMustCheck(value)
|
||||
|
||||
def initializeFwRules():
|
||||
""" Initializes firewalls by running cmdstart and then
|
||||
fwstart for each section
|
||||
"""
|
||||
# Execute global start command
|
||||
executeCmd(conf["cmdstart"], conf["debug"])
|
||||
# Execute start command of each section
|
||||
for element in logFwList:
|
||||
element[2].initialize(conf["debug"])
|
||||
|
||||
def reBan():
|
||||
""" For each section asks the Firewall to reban known IPs
|
||||
"""
|
||||
for element in logFwList:
|
||||
element[2].reBan(conf["debug"])
|
||||
|
||||
def restoreFwRules():
|
||||
""" Flush the ban list
|
||||
"""
|
||||
logSys.warn("Restoring firewall rules...")
|
||||
try:
|
||||
for element in logFwList:
|
||||
# Execute end command of each section
|
||||
element[2].restore(conf["debug"])
|
||||
# Execute global end command
|
||||
executeCmd(conf["cmdend"], conf["debug"])
|
||||
except ExternalError:
|
||||
# nothing bad really - we can survive :-)
|
||||
pass
|
||||
|
||||
def killApp():
|
||||
""" Flush the ban list, remove the PID lock file and exit
|
||||
nicely.
|
||||
"""
|
||||
logSys.warn("Restoring firewall rules...")
|
||||
for element in logFwList:
|
||||
element[2].flushBanList(conf["debug"])
|
||||
# Execute end command of each section
|
||||
for element in logFwList:
|
||||
l = element[4]
|
||||
executeCmd(l["fwend"], conf["debug"])
|
||||
# Execute global start command
|
||||
executeCmd(conf["cmdend"], conf["debug"])
|
||||
# Restore Fw rules
|
||||
restoreFwRules()
|
||||
# Remove the PID lock
|
||||
pidLock.remove()
|
||||
logSys.info("Exiting...")
|
||||
|
@ -127,6 +157,12 @@ def getCmdLineOptions(optList):
|
|||
except ValueError:
|
||||
logSys.warn("banTime must be an integer")
|
||||
logSys.warn("Using default value")
|
||||
if opt[0] == "-f":
|
||||
try:
|
||||
conf["findtime"] = int(opt[1])
|
||||
except ValueError:
|
||||
logSys.warn("findTime must be an integer")
|
||||
logSys.warn("Using default value")
|
||||
if opt[0] == "-i":
|
||||
conf["ignoreip"] = opt[1]
|
||||
if opt[0] == "-r":
|
||||
|
@ -149,6 +185,7 @@ def main():
|
|||
formatter = logging.Formatter('%(asctime)s ' + formatterstring)
|
||||
stdout.setFormatter(formatter)
|
||||
|
||||
conf["kill"] = False
|
||||
conf["verbose"] = 0
|
||||
conf["conffile"] = "/etc/fail2ban.conf"
|
||||
|
||||
|
@ -187,7 +224,9 @@ def main():
|
|||
["str", "ignoreip", ""],
|
||||
["int", "polltime", 1],
|
||||
["str", "cmdstart", ""],
|
||||
["str", "cmdend", ""])
|
||||
["str", "cmdend", ""],
|
||||
["int", "reinittime", 100],
|
||||
["int", "maxreinits", 100])
|
||||
|
||||
# Gets global configuration options
|
||||
conf.update(confReader.getLogOptions("DEFAULT", optionValues))
|
||||
|
@ -199,8 +238,7 @@ def main():
|
|||
pidLock.setPath(conf["pidlock"])
|
||||
|
||||
# Now we can kill properly a running instance if needed
|
||||
try:
|
||||
conf["kill"]
|
||||
if conf["kill"]:
|
||||
pid = pidLock.exists()
|
||||
if pid:
|
||||
killPID(int(pid))
|
||||
|
@ -209,8 +247,6 @@ def main():
|
|||
else:
|
||||
logSys.error("No running Fail2Ban found")
|
||||
sys.exit(-1)
|
||||
except KeyError:
|
||||
pass
|
||||
|
||||
# Start Fail2Ban in daemon mode
|
||||
if conf["background"]:
|
||||
|
@ -220,26 +256,8 @@ def main():
|
|||
logSys.error("Unable to start daemon")
|
||||
sys.exit(-1)
|
||||
|
||||
# Verbose level
|
||||
if conf["verbose"]:
|
||||
logSys.warn("Verbose level is "+`conf["verbose"]`)
|
||||
if conf["verbose"] == 1:
|
||||
logSys.setLevel(logging.INFO)
|
||||
elif conf["verbose"] > 1:
|
||||
logSys.setLevel(logging.DEBUG)
|
||||
|
||||
# Set debug log level
|
||||
if conf["debug"]:
|
||||
logSys.setLevel(logging.DEBUG)
|
||||
formatterstring = ('%(levelname)s: [%(filename)s (%(lineno)d)] ' +
|
||||
'%(message)s')
|
||||
formatter = logging.Formatter("%(asctime)s " + formatterstring)
|
||||
stdout.setFormatter(formatter)
|
||||
logSys.warn("DEBUG MODE: FIREWALL COMMANDS ARE _NOT_ EXECUTED BUT " +
|
||||
"ONLY DISPLAYED IN THE LOG MESSAGES")
|
||||
|
||||
# Process some options
|
||||
# Log targets
|
||||
# First setup Log targets
|
||||
# Bug fix for #1234699
|
||||
os.umask(0077)
|
||||
for target in conf["logtargets"].split():
|
||||
|
@ -290,6 +308,24 @@ def main():
|
|||
hdlr.setFormatter(tformatter)
|
||||
logSys.addHandler(hdlr)
|
||||
|
||||
# Verbose level
|
||||
if conf["verbose"]:
|
||||
logSys.warn("Verbose level is "+`conf["verbose"]`)
|
||||
if conf["verbose"] == 1:
|
||||
logSys.setLevel(logging.INFO)
|
||||
elif conf["verbose"] > 1:
|
||||
logSys.setLevel(logging.DEBUG)
|
||||
|
||||
# Set debug log level
|
||||
if conf["debug"]:
|
||||
logSys.setLevel(logging.DEBUG)
|
||||
formatterstring = ('%(levelname)s: [%(filename)s (%(lineno)d)] ' +
|
||||
'%(message)s')
|
||||
formatter = logging.Formatter("%(asctime)s " + formatterstring)
|
||||
stdout.setFormatter(formatter)
|
||||
logSys.warn("DEBUG MODE: FIREWALL COMMANDS ARE _NOT_ EXECUTED BUT " +
|
||||
"ONLY DISPLAYED IN THE LOG MESSAGES")
|
||||
|
||||
# Ignores IP list
|
||||
ignoreIPList = conf["ignoreip"].split(' ')
|
||||
|
||||
|
@ -322,6 +358,7 @@ def main():
|
|||
["int", "port", "25"],
|
||||
["str", "from", "root"],
|
||||
["str", "to", "root"],
|
||||
["bool", "localtime", False],
|
||||
["str", "subject", "[Fail2Ban] Banned <ip>"],
|
||||
["str", "message", "Fail2Ban notification"])
|
||||
|
||||
|
@ -334,6 +371,7 @@ def main():
|
|||
mail = Mail(mailConf["host"], mailConf["port"])
|
||||
mail.setFromAddr(mailConf["from"])
|
||||
mail.setToAddr(mailConf["to"])
|
||||
mail.setLocalTimeFlag(mailConf["localtime"])
|
||||
logSys.debug("to: " + mailConf["to"] + " from: " + mailConf["from"])
|
||||
|
||||
# Options
|
||||
|
@ -348,8 +386,11 @@ def main():
|
|||
["str", "fwstart", ""],
|
||||
["str", "fwend", ""],
|
||||
["str", "fwban", ""],
|
||||
["str", "fwunban", ""])
|
||||
|
||||
["str", "fwunban", ""],
|
||||
["str", "fwcheck", ""])
|
||||
|
||||
logSys.info("Fail2Ban v" + version + " is running")
|
||||
|
||||
# Gets the options of each sections
|
||||
for t in confReader.getSections():
|
||||
l = confReader.getLogOptions(t, optionValues)
|
||||
|
@ -358,7 +399,10 @@ def main():
|
|||
lObj = LogReader(l["logfile"], l["timeregex"], l["timepattern"],
|
||||
l["failregex"], l["maxfailures"], l["findtime"])
|
||||
# Creates a firewall object
|
||||
fObj = Firewall(l["fwban"], l["fwunban"], l["bantime"])
|
||||
fObj = Firewall(l["fwstart"], l["fwend"], l["fwban"], l["fwunban"],
|
||||
l["fwcheck"], l["bantime"])
|
||||
# "Name" the firewall
|
||||
fObj.setSection(t)
|
||||
# Links them into a list. I'm not really happy
|
||||
# with this :/
|
||||
logFwList.append([t, lObj, fObj, dict(), l])
|
||||
|
@ -376,13 +420,10 @@ def main():
|
|||
else:
|
||||
logSys.warn(ip + " is not a valid IP address")
|
||||
|
||||
logSys.info("Fail2Ban v" + version + " is running")
|
||||
# Execute global start command
|
||||
executeCmd(conf["cmdstart"], conf["debug"])
|
||||
# Execute start command of each section
|
||||
for element in logFwList:
|
||||
l = element[4]
|
||||
executeCmd(l["fwstart"], conf["debug"])
|
||||
initializeFwRules()
|
||||
# try to reinit once if it fails immediately
|
||||
lastReinitTime = time.time() - conf["reinittime"] - 1
|
||||
reinits = 0
|
||||
# Main loop
|
||||
while True:
|
||||
try:
|
||||
|
@ -429,7 +470,8 @@ def main():
|
|||
if failTime < unixTime - findTime:
|
||||
del element[3][attempt]
|
||||
elif fails[attempt][0] >= element[1].getMaxRetry():
|
||||
aInfo = {"ip": attempt,
|
||||
aInfo = {"section": element[0],
|
||||
"ip": attempt,
|
||||
"failures": element[3][attempt][0],
|
||||
"failtime": failTime}
|
||||
logSys.info(element[0] + ": " + aInfo["ip"] +
|
||||
|
@ -441,7 +483,39 @@ def main():
|
|||
mail.sendmail(mailConf["subject"],
|
||||
mailConf["message"], aInfo)
|
||||
del element[3][attempt]
|
||||
|
||||
except ExternalError, e:
|
||||
# Something wrong while dealing with Iptables.
|
||||
# May be chain got removed?
|
||||
reinits += 1
|
||||
logSys.error(e)
|
||||
if ((unixTime - lastReinitTime > conf["reinittime"]) and
|
||||
((conf["maxreinits"] < 0) or (reinits < conf["maxreinits"]))):
|
||||
logSys.warn("#%d reinitialization of firewalls"%reinits)
|
||||
lastReinitTime = unixTime
|
||||
else:
|
||||
logSys.error("Exiting: reinits follow too often, or too many " +
|
||||
"reinit attempts")
|
||||
killApp()
|
||||
# We already failed runCheck so disable it until
|
||||
# restoring a safe state
|
||||
setFwMustCheck(False)
|
||||
# save firewalls to keep a list of IPs for rebanning
|
||||
logFwListCopy = copy.deepcopy(logFwList)
|
||||
try:
|
||||
# restore as much as possible
|
||||
restoreFwRules()
|
||||
# reinitialize all the chains
|
||||
initializeFwRules()
|
||||
# restore the lists of baned IPs
|
||||
logFwList.__init__(logFwListCopy)
|
||||
# reBan known IPs
|
||||
reBan()
|
||||
# Now we can enable the runCheck test again
|
||||
setFwMustCheck(True)
|
||||
except ExternalError:
|
||||
raise ExternalError("Big Oops happened: situation is out of " +
|
||||
"control. Something is wrong with your " +
|
||||
"setup. Please check your settings")
|
||||
except KeyboardInterrupt:
|
||||
# When the user press <ctrl>+<c> we exit nicely.
|
||||
killApp()
|
||||
|
|
|
@ -16,11 +16,11 @@
|
|||
|
||||
# Author: Cyril Jaquier
|
||||
#
|
||||
# $Revision: 1.8.2.6 $
|
||||
# $Revision: 1.9 $
|
||||
|
||||
__author__ = "Cyril Jaquier"
|
||||
__version__ = "$Revision: 1.8.2.6 $"
|
||||
__date__ = "$Date: 2005/08/01 16:31:42 $"
|
||||
__version__ = "$Revision: 1.9 $"
|
||||
__date__ = "$Date: 2005/11/20 17:07:47 $"
|
||||
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
|
||||
__license__ = "GPL"
|
||||
|
||||
|
@ -28,6 +28,10 @@ import time, os, logging, re
|
|||
|
||||
from utils.process import executeCmd
|
||||
from utils.strings import replaceTag
|
||||
# unfortunately but I have to bring ExternalError in especially for
|
||||
# flushBanList: if one of IPs got flushed manually outside or something, we
|
||||
# might endup with not "full" flush unless we handle exception within the loop
|
||||
from utils.process import ExternalError
|
||||
|
||||
# Gets the instance of the logger.
|
||||
logSys = logging.getLogger("fail2ban")
|
||||
|
@ -37,41 +41,102 @@ class Firewall:
|
|||
the IP.
|
||||
"""
|
||||
|
||||
def __init__(self, banRule, unBanRule, banTime):
|
||||
def __init__(self, startRule, endRule, banRule, unBanRule, checkRule,
|
||||
banTime):
|
||||
self.banRule = banRule
|
||||
self.unBanRule = unBanRule
|
||||
self.checkRule = checkRule
|
||||
self.startRule = startRule
|
||||
self.endRule = endRule
|
||||
self.banTime = banTime
|
||||
self.banList = dict()
|
||||
self.section = ""
|
||||
self.mustCheck = True
|
||||
|
||||
def setSection(self, section):
|
||||
""" Set optional section name for clarify of logging
|
||||
"""
|
||||
self.section = section
|
||||
|
||||
def getMustCheck(self):
|
||||
""" Return true if the runCheck test is executed
|
||||
"""
|
||||
return self.mustCheck
|
||||
|
||||
def setMustCheck(self, value):
|
||||
""" Enable or disable the execution of runCheck test
|
||||
"""
|
||||
self.mustCheck = value
|
||||
|
||||
def initialize(self, debug):
|
||||
logSys.debug("%s: Initialize firewall rules"%self.section)
|
||||
executeCmd(self.startRule, debug)
|
||||
|
||||
def restore(self, debug):
|
||||
logSys.debug("%s: Restore firewall rules"%self.section)
|
||||
try:
|
||||
self.flushBanList(debug)
|
||||
executeCmd(self.endRule, debug)
|
||||
except ExternalError:
|
||||
pass
|
||||
|
||||
def addBanIP(self, aInfo, debug):
|
||||
""" Bans an IP.
|
||||
"""
|
||||
ip = aInfo["ip"]
|
||||
if not self.inBanList(ip):
|
||||
crtTime = time.time()
|
||||
logSys.warn("Ban " + ip)
|
||||
logSys.warn("%s: Ban "%self.section + ip)
|
||||
self.banList[ip] = crtTime
|
||||
aInfo["bantime"] = crtTime
|
||||
executeCmd(self.banIP(aInfo), debug)
|
||||
self.runCheck(debug)
|
||||
cmd = self.banIP(aInfo)
|
||||
if executeCmd(cmd, debug):
|
||||
raise ExternalError("Firewall: execution of fwban command " +
|
||||
"'%s' failed"%cmd)
|
||||
else:
|
||||
logSys.error(ip+" already in ban list")
|
||||
self.runCheck(debug)
|
||||
logSys.error("%s: "%self.section+ip+" already in ban list")
|
||||
|
||||
def delBanIP(self, aInfo, debug):
|
||||
""" Unban an IP.
|
||||
"""
|
||||
ip = aInfo["ip"]
|
||||
if self.inBanList(ip):
|
||||
logSys.warn("Unban "+ip)
|
||||
logSys.warn("%s: Unban "%self.section + ip)
|
||||
del self.banList[ip]
|
||||
self.runCheck(debug)
|
||||
executeCmd(self.unBanIP(aInfo), debug)
|
||||
else:
|
||||
logSys.error(ip+" not in ban list")
|
||||
logSys.error("%s: "%self.section+ip+" not in ban list")
|
||||
|
||||
def reBan(self, debug):
|
||||
""" Re-Bans known IPs.
|
||||
TODO: implement "failures" and "failtime"
|
||||
"""
|
||||
for ip in self.banList:
|
||||
aInfo = {"ip": ip,
|
||||
"bantime":self.banList[ip]}
|
||||
logSys.warn("%s: ReBan "%self.section + ip)
|
||||
# next piece is similar to the on in addBanIp
|
||||
# so might be one more function will not hurt
|
||||
self.runCheck(debug)
|
||||
executeCmd(self.banIP(aInfo), debug)
|
||||
|
||||
def inBanList(self, ip):
|
||||
""" Checks if IP is in ban list.
|
||||
"""
|
||||
return self.banList.has_key(ip)
|
||||
|
||||
|
||||
def runCheck(self, debug):
|
||||
""" Runs fwcheck command and throws an exception if it returns non-0
|
||||
result
|
||||
"""
|
||||
if self.mustCheck:
|
||||
executeCmd(self.checkRule, debug)
|
||||
else:
|
||||
return None
|
||||
|
||||
def checkForUnBan(self, debug):
|
||||
""" Check for IP to remove from ban list.
|
||||
"""
|
||||
|
@ -93,7 +158,12 @@ class Firewall:
|
|||
aInfo = {"ip": element[0],
|
||||
"bantime": element[1],
|
||||
"unbantime": time.time()}
|
||||
self.delBanIP(aInfo, debug)
|
||||
try:
|
||||
self.delBanIP(aInfo, debug)
|
||||
except ExternalError:
|
||||
# we must let it fail here in the loop, or we don't
|
||||
# flush properly
|
||||
pass
|
||||
|
||||
def banIP(self, aInfo):
|
||||
""" Returns query to ban IP.
|
||||
|
|
|
@ -16,11 +16,11 @@
|
|||
|
||||
# Author: Cyril Jaquier
|
||||
#
|
||||
# $Revision: 1.13.2.8 $
|
||||
# $Revision: 1.14 $
|
||||
|
||||
__author__ = "Cyril Jaquier"
|
||||
__version__ = "$Revision: 1.13.2.8 $"
|
||||
__date__ = "$Date: 2005/09/05 21:06:15 $"
|
||||
__version__ = "$Revision: 1.14 $"
|
||||
__date__ = "$Date: 2005/11/20 17:07:47 $"
|
||||
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
|
||||
__license__ = "GPL"
|
||||
|
||||
|
@ -97,15 +97,15 @@ class LogReader:
|
|||
"""
|
||||
try:
|
||||
self.logStats = os.stat(self.logPath)
|
||||
if self.lastModTime == self.logStats.st_mtime:
|
||||
return False
|
||||
else:
|
||||
logSys.debug(self.logPath+" has been modified")
|
||||
self.lastModTime = self.logStats.st_mtime
|
||||
return True
|
||||
except OSError:
|
||||
logSys.error("Unable to get stat on "+self.logPath)
|
||||
|
||||
if self.lastModTime == self.logStats.st_mtime:
|
||||
return False
|
||||
else:
|
||||
logSys.debug(self.logPath+" has been modified")
|
||||
self.lastModTime = self.logStats.st_mtime
|
||||
return True
|
||||
|
||||
def setFilePos(self, file):
|
||||
""" Sets the file position. We must take care of log file rotation
|
||||
|
|
|
@ -33,10 +33,13 @@ display this help message
|
|||
kill a currently running Fail2Ban instance
|
||||
.TP
|
||||
\fB\-r\fR \fIVALUE\fR
|
||||
allow a max of \fIVALUE\fR password failure
|
||||
allow a max of \fIVALUE\fR password failure [maxfailures]
|
||||
.TP
|
||||
\fB\-t\fR \fITIME\fR
|
||||
ban IP for \fITIME\fR seconds
|
||||
ban IP for \fITIME\fR seconds [bantime]
|
||||
.TP
|
||||
\fB\-f\fR \fITIME\fR
|
||||
lifetime in seconds of failed entry [findtime]
|
||||
.TP
|
||||
\fB\-v\fR
|
||||
verbose. Use twice for greater effect
|
||||
|
|
6
setup.py
6
setup.py
|
@ -18,11 +18,11 @@
|
|||
|
||||
# Author: Cyril Jaquier
|
||||
#
|
||||
# $Revision: 1.4.2.4 $
|
||||
# $Revision: 1.5 $
|
||||
|
||||
__author__ = "Cyril Jaquier"
|
||||
__version__ = "$Revision: 1.4.2.4 $"
|
||||
__date__ = "$Date: 2005/08/07 13:10:39 $"
|
||||
__version__ = "$Revision: 1.5 $"
|
||||
__date__ = "$Date: 2005/11/20 17:07:47 $"
|
||||
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
|
||||
__license__ = "GPL"
|
||||
|
||||
|
|
|
@ -16,11 +16,11 @@
|
|||
|
||||
# Author: Cyril Jaquier
|
||||
#
|
||||
# $Revision: 1.7.2.3 $
|
||||
# $Revision: 1.8 $
|
||||
|
||||
__author__ = "Cyril Jaquier"
|
||||
__version__ = "$Revision: 1.7.2.3 $"
|
||||
__date__ = "$Date: 2005/08/17 19:26:49 $"
|
||||
__version__ = "$Revision: 1.8 $"
|
||||
__date__ = "$Date: 2005/11/20 17:07:47 $"
|
||||
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
|
||||
__license__ = "GPL"
|
||||
|
||||
|
|
|
@ -16,18 +16,17 @@
|
|||
|
||||
# Author: Cyril Jaquier
|
||||
#
|
||||
# $Revision: 1.1.2.4 $
|
||||
# $Revision: 1.2 $
|
||||
|
||||
__author__ = "Cyril Jaquier"
|
||||
__version__ = "$Revision: 1.1.2.4 $"
|
||||
__date__ = "$Date: 2005/09/12 14:42:08 $"
|
||||
__version__ = "$Revision: 1.2 $"
|
||||
__date__ = "$Date: 2005/11/20 17:07:47 $"
|
||||
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
|
||||
__license__ = "GPL"
|
||||
|
||||
import logging, smtplib
|
||||
import logging, smtplib, email.Utils
|
||||
|
||||
from utils.strings import replaceTag
|
||||
from time import strftime, gmtime
|
||||
|
||||
# Gets the instance of the logger.
|
||||
logSys = logging.getLogger("fail2ban")
|
||||
|
@ -39,6 +38,7 @@ class Mail:
|
|||
def __init__(self, host, port = 25):
|
||||
self.host = host
|
||||
self.port = port
|
||||
self.localTimeFlag = False
|
||||
|
||||
def setFromAddr(self, fromAddr):
|
||||
""" Set from: address
|
||||
|
@ -50,6 +50,11 @@ class Mail:
|
|||
"""
|
||||
self.toAddr = toAddr.split()
|
||||
|
||||
def setLocalTimeFlag(self, localTimeFlag):
|
||||
""" Set to: address
|
||||
"""
|
||||
self.localTimeFlag = localTimeFlag
|
||||
|
||||
def sendmail(self, subject, message, aInfo):
|
||||
""" Send an email using smtplib
|
||||
"""
|
||||
|
@ -58,7 +63,7 @@ class Mail:
|
|||
|
||||
mail = ("From: %s\r\nTo: %s\r\nDate: %s\r\nSubject: %s\r\n\r\n" %
|
||||
(self.fromAddr, ", ".join(self.toAddr),
|
||||
strftime("%a, %d %b %Y %H:%M:%S +0000", gmtime()),
|
||||
email.Utils.formatdate(localtime = self.localTimeFlag),
|
||||
subj)) + msg
|
||||
|
||||
try:
|
||||
|
@ -71,4 +76,4 @@ class Mail:
|
|||
logSys.error("Unable to send mail to " + self.host + ":" +
|
||||
`self.port` + " from " + self.fromAddr + " to " +
|
||||
`self.toAddr` + ": " + `e` + ": " + `e.args`)
|
||||
|
||||
|
||||
|
|
|
@ -16,11 +16,11 @@
|
|||
|
||||
# Author: Cyril Jaquier
|
||||
#
|
||||
# $Revision: 1.1.2.2 $
|
||||
# $Revision: 1.2 $
|
||||
|
||||
__author__ = "Cyril Jaquier"
|
||||
__version__ = "$Revision: 1.1.2.2 $"
|
||||
__date__ = "$Date: 2005/08/07 13:08:18 $"
|
||||
__version__ = "$Revision: 1.2 $"
|
||||
__date__ = "$Date: 2005/11/20 17:07:47 $"
|
||||
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
|
||||
__license__ = "GPL"
|
||||
|
||||
|
@ -70,6 +70,9 @@ class PIDLock:
|
|||
logSys.debug("Removed PID lock " + self.path)
|
||||
except OSError:
|
||||
logSys.error("Unable to remove PID lock " + self.path)
|
||||
except AttributeError:
|
||||
# AttributeError if self.path wasn't specified yet
|
||||
logSys.debug("PID lock not removed because not defined yet")
|
||||
|
||||
def exists(self):
|
||||
""" Returns the current PID if Fail2Ban is running or False
|
||||
|
|
|
@ -16,11 +16,11 @@
|
|||
|
||||
# Author: Cyril Jaquier
|
||||
#
|
||||
# $Revision: 1.1.2.4 $
|
||||
# $Revision: 1.2 $
|
||||
|
||||
__author__ = "Cyril Jaquier"
|
||||
__version__ = "$Revision: 1.1.2.4 $"
|
||||
__date__ = "$Date: 2005/08/04 20:48:30 $"
|
||||
__version__ = "$Revision: 1.2 $"
|
||||
__date__ = "$Date: 2005/11/20 17:07:47 $"
|
||||
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
|
||||
__license__ = "GPL"
|
||||
|
||||
|
@ -29,6 +29,11 @@ import os, logging, signal
|
|||
# Gets the instance of the logger.
|
||||
logSys = logging.getLogger("fail2ban")
|
||||
|
||||
class ExternalError(UserWarning):
|
||||
""" Exception to warn about failed fwcheck or fwban command
|
||||
"""
|
||||
pass
|
||||
|
||||
def createDaemon():
|
||||
""" Detach a process from the controlling terminal and run it in the
|
||||
background as a daemon.
|
||||
|
@ -126,6 +131,7 @@ def executeCmd(cmd, debug):
|
|||
retval = os.system(cmd)
|
||||
if not retval == 0:
|
||||
logSys.error("'" + cmd + "' returned " + `retval`)
|
||||
raise ExternalError("Execution of command '%s' failed" % cmd)
|
||||
return retval
|
||||
else:
|
||||
return None
|
||||
|
|
|
@ -16,11 +16,11 @@
|
|||
|
||||
# Author: Cyril Jaquier
|
||||
#
|
||||
# $Revision: 1.1.2.2 $
|
||||
# $Revision: 1.2 $
|
||||
|
||||
__author__ = "Cyril Jaquier"
|
||||
__version__ = "$Revision: 1.1.2.2 $"
|
||||
__date__ = "$Date: 2005/08/01 16:35:18 $"
|
||||
__version__ = "$Revision: 1.2 $"
|
||||
__date__ = "$Date: 2005/11/20 17:07:47 $"
|
||||
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
|
||||
__license__ = "GPL"
|
||||
|
||||
|
|
|
@ -16,12 +16,12 @@
|
|||
|
||||
# Author: Cyril Jaquier
|
||||
#
|
||||
# $Revision: 1.12.2.10 $
|
||||
# $Revision: 1.13 $
|
||||
|
||||
__author__ = "Cyril Jaquier"
|
||||
__version__ = "$Revision: 1.12.2.10 $"
|
||||
__date__ = "$Date: 2005/09/13 20:43:00 $"
|
||||
__version__ = "$Revision: 1.13 $"
|
||||
__date__ = "$Date: 2005/11/20 17:07:47 $"
|
||||
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
|
||||
__license__ = "GPL"
|
||||
|
||||
version = "0.5.4"
|
||||
version = "0.6.0"
|
||||
|
|
Loading…
Reference in New Issue