Upgraded to fresh upstream 0.6.0

CHANGELOG

@@ -4,9 +4,37 @@
              |_| \__,_|_|_/___|_.__/\__,_|_||_|
 
 =============================================================
-Fail2Ban (version 0.5.4)                           2005/09/13
+Fail2Ban (version 0.6.0)                           2005/11/20
 =============================================================
 
+ver. 0.6.0 (2005/11/20) - stable
+----------
+- Propagated patches introduced by Debian maintainer 
+  (Yaroslav Halchenko):
+  * Added an option to report local time (including timezone)
+    or GMT in mail notification.
+
+ver. 0.5.5 (2005/10/26) - beta
+----------
+- Propagated patches introduced by Debian maintainer 
+  (Yaroslav Halchenko):
+  * Introduced fwcheck option to verify consistency of the
+    chains. Implemented automatic restart of fail2ban main
+    function in case check of fwban or fwunban command failed
+    (closes: #329163, #331695). (Introduced patch was further
+    adjusted by upstream author).
+  * Added -f command line parameter for [findtime].
+  * Added a cleanup of firewall rules on emergency shutdown
+    when unknown exception is catched.
+  * Fail2ban should not crash now if a wrong file name is
+    specified in config.
+  * reordered code a bit so that log targets are setup right
+    after background and then only loglevel (verbose, debug)
+    is processed, so the warning could be seen in the logs
+  * Added a keyword <section> in parsing of the subject and
+    the body of an email sent out by fail2ban (closes:
+    #330311)
+
 ver. 0.5.4 (2005/09/13) - beta
 ----------
 - Fixed bug #1286222.

PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 1.0
 Name: fail2ban
-Version: 0.5.4
+Version: 0.6.0
 Summary: Ban IPs that make too many password failure
 Home-page: http://fail2ban.sourceforge.net
 Author: Cyril Jaquier

README

@@ -4,7 +4,7 @@
              |_| \__,_|_|_/___|_.__/\__,_|_||_|
 
 =============================================================
-Fail2Ban (version 0.5.4)                           2005/09/13
+Fail2Ban (version 0.6.0)                           2005/11/20
 =============================================================
 
 Fail2Ban scans log files like /var/log/pwdfail and bans IP
@@ -54,12 +54,12 @@ firewalls.
 Installation:
 -------------
 
-Require: python-2.3 (http://www.python.org)
+Require: python-2.4 (http://www.python.org)
 
 To install, just do:
 
-> tar xvfj fail2ban-0.5.4.tar.bz2
+> tar xvfj fail2ban-0.6.0.tar.bz2
-> cd fail2ban-0.5.4
+> cd fail2ban-0.6.0
 > python setup.py install
 
 This will install Fail2Ban into /usr/lib/fail2ban. The fail2ban
@@ -102,8 +102,9 @@ options:
   -h         display this help message
   -i <IP(s)> IP(s) to ignore
   -k         kill a currently running instance
-  -r <VALUE> allow a max of VALUE password failure
+  -r <VALUE> allow a max of VALUE password failure [maxfailures]
-  -t <TIME>  ban IP for TIME seconds
+  -t <TIME>  ban IP for TIME seconds [bantime]
+  -f <TIME>  lifetime in seconds of failed entry [findtime]
   -v         verbose. Use twice for greater effect
   -V         print software version
 

TODO

@@ -4,7 +4,7 @@
              |_| \__,_|_|_/___|_.__/\__,_|_||_|
 
 =============================================================
-ToDo
+ToDo                                     $Revision: 1.5 $
 =============================================================
 
 See Feature Request Tracking System at SourceForge.net
@@ -12,3 +12,12 @@ See Feature Request Tracking System at SourceForge.net
 - improve installation process (better prefix support)
 - install Fail2ban into /usr/share
 - better configuration files
+- add a check to see if the time of the log messages is
+  correctly detected (valid regexp)
+- split configuration files in /etc/fail2ban/services.d
+  Example: /etc/fail2ban/services.d/apache
+- template for common services in /etc/fail2ban/scripts.d
+  Example: /etc/fail2ban/scripts.d/apache
+- remove debug mode (root check)
+- better return values in function
+- use more email.Utils in mail.py

config/debian-initd

@@ -8,7 +8,7 @@
 #               Adjusted for Fail2Ban
 #                by Yaroslav Halchenko <debian@onerussian.com>.
 #
-# Version:	$Id: debian-initd,v 1.1.2.2 2005/09/11 15:42:32 yarikoptic Exp $
+# Version:	$Id: debian-initd,v 1.2 2005/11/20 17:07:47 lostcontrol Exp $
 #
 
 PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

config/fail2ban.conf.default

@@ -1,6 +1,6 @@
 # Fail2Ban configuration file
 #
-# $Revision: 1.8.2.13 $
+# $Revision: 1.9 $
 #
 # 2005.06.21  modified for readability  Iain Lea  iain@bricbrac.de
 
@@ -85,6 +85,21 @@ cmdend =
 #
 polltime = 1
 
+# Option:  reinittime
+# Notes.:  minimal number of seconds between the re-initialization of
+#          firewalls due to external changes in their rules (see fwcheck)
+# Values:  NUM  Default:  100
+#
+reinittime = 10
+
+# Option:  maxreinits
+# Notes.:  maximal number of re-initialization of firewalls due to external
+#          changes. -1 stays for infinite, so only reinittime is of importance
+# Values:  NUM  Default:  -1
+#
+maxreinits = -1
+
+
 [MAIL]
 # Option:  enabled
 # Notes.:  enable mail notification when banning an IP address.
@@ -117,18 +132,26 @@ from = fail2ban
 #
 to = root
 
+# Option:  localtime
+# Notes.:  report local time (including timezone) or GMT
+# Values:  [true | false]  Default:  false
+#
+localtime = true
+
 # Option:  subject
 # Notes.:  subject of the e-mail.
-# Tags:    <ip>  IP address
+# Tags:    <section> active section (eg ssh, apache, etc)
+#          <ip>  IP address
 #          <failures>  number of failures
 #          <failtime>  unix timestamp of the last failure
-# Values:  TEXT  Default:  [Fail2Ban] Banned <ip>
+# Values:  TEXT  Default:  [Fail2Ban] <section>: Banned <ip>
 #
-subject = [Fail2Ban] Banned <ip>
+subject = [Fail2Ban] <section>: Banned <ip>
 
 # Option:  message
 # Notes.:  message of the e-mail.
-# Tags:    <ip>  IP address
+# Tags:    <section> active section (eg ssh, apache, etc)
+#          <ip>  IP address
 #          <failures>  number of failures
 #          <failtime>  unix timestamp of the last failure
 #          <br>  new line
@@ -136,7 +159,7 @@ subject = [Fail2Ban] Banned <ip>
 #
 message = Hi,<br>
           The IP <ip> has just been banned by Fail2Ban after
-          <failures> attempts.<br>
+          <failures> attempts against <section>.<br>
           Regards,<br>
           Fail2Ban
 
@@ -145,6 +168,7 @@ message = Hi,<br>
 # options: logfile, fwban, fwunban, timeregex, timepattern,
 # failregex.
 
+
 [Apache]
 # Option:  enabled
 # Notes.:  enable monitoring for this section.
@@ -171,9 +195,15 @@ fwstart = iptables -N fail2ban-http
 # Values:  CMD  Default:
 #
 fwend = iptables -D INPUT -p tcp --dport http -j fail2ban-http
-        iptables -D fail2ban-http -j RETURN
+        iptables -F fail2ban-http
         iptables -X fail2ban-http
 
+# Option:  fwcheck
+# Notes.:  command executed once before each fwban command
+# Values:  CMD  Default:
+#
+fwcheck = iptables -L INPUT | grep -q fail2ban-http
+
 # Option:  fwban
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.
@@ -217,6 +247,7 @@ timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
 #
 failregex = authentication failure|user .* not found
 
+
 [SSH]
 # Option:  enabled
 # Notes.:  enable monitoring for this section.
@@ -243,9 +274,15 @@ fwstart = iptables -N fail2ban-ssh
 # Values:  CMD  Default:
 #
 fwend = iptables -D INPUT -p tcp --dport ssh -j fail2ban-ssh
-        iptables -D fail2ban-ssh -j RETURN
+        iptables -F fail2ban-ssh
         iptables -X fail2ban-ssh
 
+# Option:  fwcheck
+# Notes.:  command executed once before each fwban command
+# Values:  CMD  Default:
+#
+fwcheck = iptables -L INPUT | grep -q fail2ban-ssh
+
 # Option:  fwbanrule
 # Notes.:  command executed when banning an IP. Take care that the
 #          command is executed with Fail2Ban user rights.

config/gentoo-confd

@@ -16,7 +16,7 @@
 #
 # Author: Cyril Jaquier
 # 
-# $Revision: 1.1.2.1 $
+# $Revision: 1.2 $
 
 # Command line options for Fail2Ban. Refer to "fail2ban -h" for
 # valid options.

config/gentoo-initd

@@ -17,7 +17,7 @@
 #
 # Author: Sireyessire, Cyril Jaquier
 # 
-# $Revision: 1.1.2.2 $
+# $Revision: 1.2 $
 
 opts="start stop restart showlog"
 

config/redhat-initd

@@ -9,7 +9,7 @@
 #
 # Author: Andrey G. Grozin
 # 
-# $Revision: 1.1.2.2 $
+# $Revision: 1.2 $
 
 # Source function library.
 . /etc/init.d/functions

confreader/configreader.py

@@ -16,11 +16,11 @@
 
 # Author: Cyril Jaquier
 # 
-# $Revision: 1.5.2.5 $
+# $Revision: 1.6 $
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision: 1.5.2.5 $"
+__version__ = "$Revision: 1.6 $"
-__date__ = "$Date: 2005/08/01 16:31:13 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 

fail2ban

@@ -18,11 +18,11 @@
 
 # Author: Cyril Jaquier
 # 
-# $Revision: 1.4.2.5 $
+# $Revision: 1.5 $
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision: 1.4.2.5 $"
+__version__ = "$Revision: 1.5 $"
-__date__ = "$Date: 2005/08/04 20:51:14 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
@@ -55,6 +55,12 @@ except Exception, e:
 	logSys.error("Type: " + `type.__name__` + "\n" +
 				 "Value: " + `e.args` + "\n" +
 				 "TB: " + `tbStack`)
+	# Try to clean up after ourselves
+	# just for extreme caution - wrapping with try
+	try:
+		fail2ban.restoreFwRules()
+	except Exception:
+		pass
 	# Remove the PID lock file. Should close #1239562
 	pidLock.remove()
 	logging.shutdown()

fail2ban.py

@@ -17,15 +17,15 @@
 # Author: Cyril Jaquier
 # Modified by: Yaroslav Halchenko (SYSLOG, findtime)
 # 
-# $Revision: 1.20.2.18 $
+# $Revision: 1.21 $
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision: 1.20.2.18 $"
+__version__ = "$Revision: 1.21 $"
-__date__ = "$Date: 2005/09/13 20:42:33 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
-import time, sys, getopt, os, string, signal, logging, logging.handlers
+import time, sys, getopt, os, string, signal, logging, logging.handlers, copy
 from ConfigParser import *
 
 from version import version
@@ -62,8 +62,9 @@ def dispUsage():
 	print "  -h         display this help message"
 	print "  -i <IP(s)> IP(s) to ignore"
 	print "  -k         kill a currently running instance"
-	print "  -r <VALUE> allow a max of VALUE password failure"
+	print "  -r <VALUE> allow a max of VALUE password failure [maxfailures]"
-	print "  -t <TIME>  ban IP for TIME seconds"
+	print "  -t <TIME>  ban IP for TIME seconds [bantime]"
+	print "  -f <TIME>  lifetime in seconds of failed entry [findtime]"
 	print "  -v         verbose. Use twice for greater effect"
 	print "  -V         print software version"
 	print
@@ -92,19 +93,48 @@ def sigTERMhandler(signum, frame):
 	logSys.debug("Signal handler called with sig "+`signum`)
 	killApp()	
 
+def setFwMustCheck(value):
+	""" Set the mustCheck value of the firewalls (True/False)
+	"""
+	for element in logFwList:
+		element[2].setMustCheck(value)
+
+def initializeFwRules():
+	""" Initializes firewalls by running cmdstart and then
+	    fwstart for each section
+	"""
+	# Execute global start command
+	executeCmd(conf["cmdstart"], conf["debug"])
+	# Execute start command of each section
+	for element in logFwList:
+		element[2].initialize(conf["debug"])
+
+def reBan():
+	""" For each section asks the Firewall to reban known IPs
+	"""
+	for element in logFwList:
+		element[2].reBan(conf["debug"])
+
+def restoreFwRules():
+	""" Flush the ban list
+	"""
+	logSys.warn("Restoring firewall rules...")
+	try:
+		for element in logFwList:
+			# Execute end command of each section
+			element[2].restore(conf["debug"])
+		# Execute global end command
+		executeCmd(conf["cmdend"], conf["debug"])
+	except ExternalError:
+		# nothing bad really - we can survive :-)
+		pass
+
 def killApp():
 	""" Flush the ban list, remove the PID lock file and exit
 		nicely.
 	"""
-	logSys.warn("Restoring firewall rules...")
+	# Restore Fw rules
-	for element in logFwList:
+	restoreFwRules()
-		element[2].flushBanList(conf["debug"])
-	# Execute end command of each section
-	for element in logFwList:
-		l = element[4]
-		executeCmd(l["fwend"], conf["debug"])
-	# Execute global start command
-	executeCmd(conf["cmdend"], conf["debug"])
 	# Remove the PID lock
 	pidLock.remove()
 	logSys.info("Exiting...")
@@ -127,6 +157,12 @@ def getCmdLineOptions(optList):
 			except ValueError:
 				logSys.warn("banTime must be an integer")
 				logSys.warn("Using default value")
+		if opt[0] == "-f":
+			try:
+				conf["findtime"] = int(opt[1])
+			except ValueError:
+				logSys.warn("findTime must be an integer")
+				logSys.warn("Using default value")
 		if opt[0] == "-i":
 			conf["ignoreip"] = opt[1]
 		if opt[0] == "-r":
@@ -149,6 +185,7 @@ def main():
 	formatter = logging.Formatter('%(asctime)s ' + formatterstring)
 	stdout.setFormatter(formatter)
 	
+	conf["kill"] = False
 	conf["verbose"] = 0
 	conf["conffile"] = "/etc/fail2ban.conf"
 	
@@ -187,7 +224,9 @@ def main():
 					["str", "ignoreip", ""],
 					["int", "polltime", 1],
 					["str", "cmdstart", ""],
-					["str", "cmdend", ""])
+					["str", "cmdend", ""],
+					["int", "reinittime", 100],
+					["int", "maxreinits", 100])
 	
 	# Gets global configuration options
 	conf.update(confReader.getLogOptions("DEFAULT", optionValues))
@@ -199,8 +238,7 @@ def main():
 	pidLock.setPath(conf["pidlock"])
 	
 	# Now we can kill properly a running instance if needed
-	try:
+	if conf["kill"]:
-		conf["kill"]
 		pid = pidLock.exists()
 		if pid:
 			killPID(int(pid))
@@ -209,8 +247,6 @@ def main():
 		else:
 			logSys.error("No running Fail2Ban found")
 			sys.exit(-1)
-	except KeyError:
-		pass
 
 	# Start Fail2Ban in daemon mode
 	if conf["background"]:
@@ -220,26 +256,8 @@ def main():
 			logSys.error("Unable to start daemon")
 			sys.exit(-1)
 
-	# Verbose level
-	if conf["verbose"]:
-		logSys.warn("Verbose level is "+`conf["verbose"]`)
-		if conf["verbose"] == 1:
-			logSys.setLevel(logging.INFO)
-		elif conf["verbose"] > 1:
-			logSys.setLevel(logging.DEBUG)
-		
-	# Set debug log level
-	if conf["debug"]:
-		logSys.setLevel(logging.DEBUG)
-		formatterstring = ('%(levelname)s: [%(filename)s (%(lineno)d)] ' +
-						   '%(message)s')
-		formatter = logging.Formatter("%(asctime)s " + formatterstring)
-		stdout.setFormatter(formatter)
-		logSys.warn("DEBUG MODE: FIREWALL COMMANDS ARE _NOT_ EXECUTED BUT " +
-					"ONLY DISPLAYED IN THE LOG MESSAGES")
-
 	# Process some options
-	# Log targets
+	# First setup Log targets
 	# Bug fix for #1234699
 	os.umask(0077)
 	for target in conf["logtargets"].split():
@@ -290,6 +308,24 @@ def main():
 		hdlr.setFormatter(tformatter)
 		logSys.addHandler(hdlr)
 	
+	# Verbose level
+	if conf["verbose"]:
+		logSys.warn("Verbose level is "+`conf["verbose"]`)
+		if conf["verbose"] == 1:
+			logSys.setLevel(logging.INFO)
+		elif conf["verbose"] > 1:
+			logSys.setLevel(logging.DEBUG)
+		
+	# Set debug log level
+	if conf["debug"]:
+		logSys.setLevel(logging.DEBUG)
+		formatterstring = ('%(levelname)s: [%(filename)s (%(lineno)d)] ' +
+						   '%(message)s')
+		formatter = logging.Formatter("%(asctime)s " + formatterstring)
+		stdout.setFormatter(formatter)
+		logSys.warn("DEBUG MODE: FIREWALL COMMANDS ARE _NOT_ EXECUTED BUT " +
+					"ONLY DISPLAYED IN THE LOG MESSAGES")
+	
 	# Ignores IP list
 	ignoreIPList = conf["ignoreip"].split(' ')
 
@@ -322,6 +358,7 @@ def main():
 					["int", "port", "25"],
 					["str", "from", "root"],
 					["str", "to", "root"],
+					["bool", "localtime", False],
 					["str", "subject", "[Fail2Ban] Banned <ip>"],
 					["str", "message", "Fail2Ban notification"])
 	
@@ -334,6 +371,7 @@ def main():
 		mail = Mail(mailConf["host"], mailConf["port"])
 		mail.setFromAddr(mailConf["from"])
 		mail.setToAddr(mailConf["to"])
+		mail.setLocalTimeFlag(mailConf["localtime"])
 		logSys.debug("to: " + mailConf["to"] + " from: " + mailConf["from"])
 	
 	# Options
@@ -348,7 +386,10 @@ def main():
 					["str", "fwstart", ""],
 					["str", "fwend", ""],
 					["str", "fwban", ""],
-					["str", "fwunban", ""])
+					["str", "fwunban", ""],
+					["str", "fwcheck", ""])
+	
+	logSys.info("Fail2Ban v" + version + " is running")
 	
 	# Gets the options of each sections
 	for t in confReader.getSections():
@@ -358,7 +399,10 @@ def main():
 			lObj = LogReader(l["logfile"], l["timeregex"], l["timepattern"],
 							 l["failregex"], l["maxfailures"], l["findtime"])
 			# Creates a firewall object
-			fObj = Firewall(l["fwban"], l["fwunban"], l["bantime"])
+			fObj = Firewall(l["fwstart"], l["fwend"], l["fwban"], l["fwunban"],
+							l["fwcheck"], l["bantime"])
+			# "Name" the firewall
+			fObj.setSection(t)
 			# Links them into a list. I'm not really happy
 			# with this :/
 			logFwList.append([t, lObj, fObj, dict(), l])
@@ -376,13 +420,10 @@ def main():
 		else:
 			logSys.warn(ip + " is not a valid IP address")
 	
-	logSys.info("Fail2Ban v" + version + " is running")
+	initializeFwRules()
-	# Execute global start command
+	# try to reinit once if it fails immediately
-	executeCmd(conf["cmdstart"], conf["debug"])
+	lastReinitTime = time.time() - conf["reinittime"] - 1
-	# Execute start command of each section
+	reinits = 0
-	for element in logFwList:
-		l = element[4]
-		executeCmd(l["fwstart"], conf["debug"])
 	# Main loop
 	while True:
 		try:
@@ -429,7 +470,8 @@ def main():
 					if failTime < unixTime - findTime:
 						del element[3][attempt]
 					elif fails[attempt][0] >= element[1].getMaxRetry():
-						aInfo = {"ip": attempt,
+						aInfo = {"section": element[0],
+								 "ip": attempt,
 								 "failures": element[3][attempt][0],
 								 "failtime": failTime}
 						logSys.info(element[0] + ": " + aInfo["ip"] +
@@ -441,7 +483,39 @@ def main():
 							mail.sendmail(mailConf["subject"],
 										  mailConf["message"], aInfo)
 						del element[3][attempt]
-			
+		except ExternalError, e:
+			# Something wrong while dealing with Iptables.
+			# May be chain got removed?
+			reinits += 1
+			logSys.error(e)
+			if ((unixTime - lastReinitTime > conf["reinittime"]) and
+				((conf["maxreinits"] < 0) or (reinits < conf["maxreinits"]))):
+				logSys.warn("#%d reinitialization of firewalls"%reinits)
+				lastReinitTime = unixTime
+			else:
+				logSys.error("Exiting: reinits follow too often, or too many " +
+							 "reinit attempts")
+				killApp()
+			# We already failed runCheck so disable it until
+			# restoring a safe state
+			setFwMustCheck(False)
+			# save firewalls to keep a list of IPs for rebanning
+			logFwListCopy = copy.deepcopy(logFwList)
+			try:
+				# restore as much as possible
+				restoreFwRules()
+				# reinitialize all the chains
+				initializeFwRules()
+				# restore the lists of baned IPs
+				logFwList.__init__(logFwListCopy)
+				# reBan known IPs
+				reBan()
+				# Now we can enable the runCheck test again
+				setFwMustCheck(True)
+			except ExternalError:
+				raise ExternalError("Big Oops happened: situation is out of " +
+									"control. Something is wrong with your " +
+									"setup. Please check your settings")
 		except KeyboardInterrupt:
 			# When the user press <ctrl>+<c> we exit nicely.
 			killApp()

firewall/firewall.py

@@ -16,11 +16,11 @@
 
 # Author: Cyril Jaquier
 # 
-# $Revision: 1.8.2.6 $
+# $Revision: 1.9 $
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision: 1.8.2.6 $"
+__version__ = "$Revision: 1.9 $"
-__date__ = "$Date: 2005/08/01 16:31:42 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
@@ -28,6 +28,10 @@ import time, os, logging, re
 
 from utils.process import executeCmd
 from utils.strings import replaceTag
+# unfortunately but I have to bring ExternalError in especially for
+# flushBanList: if one of IPs got flushed manually outside or something, we
+# might endup with not "full" flush unless we handle exception within the loop
+from utils.process import ExternalError
 
 # Gets the instance of the logger.
 logSys = logging.getLogger("fail2ban")
@@ -37,11 +41,44 @@ class Firewall:
 		the IP.
 	"""
 	
-	def __init__(self, banRule, unBanRule, banTime):
+	def __init__(self, startRule, endRule, banRule, unBanRule, checkRule,
+				 banTime):
 		self.banRule = banRule
 		self.unBanRule = unBanRule
+		self.checkRule = checkRule
+		self.startRule = startRule
+		self.endRule = endRule
 		self.banTime = banTime
 		self.banList = dict()
+		self.section = ""
+		self.mustCheck = True
+
+	def setSection(self, section):
+		""" Set optional section name for clarify of logging
+		"""
+		self.section = section
+		
+	def getMustCheck(self):
+		""" Return true if the runCheck test is executed
+		"""
+		return self.mustCheck
+	
+	def setMustCheck(self, value):
+		""" Enable or disable the execution of runCheck test
+		"""
+		self.mustCheck = value
+
+  	def initialize(self, debug):
+		logSys.debug("%s: Initialize firewall rules"%self.section)
+  		executeCmd(self.startRule, debug)
+
+	def restore(self, debug):
+		logSys.debug("%s: Restore firewall rules"%self.section)
+		try:
+			self.flushBanList(debug)
+			executeCmd(self.endRule, debug)
+		except ExternalError:
+			pass
 
 	def addBanIP(self, aInfo, debug):
 		""" Bans an IP.
@@ -49,29 +86,57 @@ class Firewall:
 		ip = aInfo["ip"]
 		if not self.inBanList(ip):
 			crtTime = time.time()
-			logSys.warn("Ban " + ip)
+			logSys.warn("%s: Ban "%self.section + ip)
 			self.banList[ip] = crtTime
 			aInfo["bantime"] = crtTime
-			executeCmd(self.banIP(aInfo), debug)
+			self.runCheck(debug)
+			cmd = self.banIP(aInfo)
+			if executeCmd(cmd, debug):
+				raise ExternalError("Firewall: execution of fwban command " +
+									"'%s' failed"%cmd)
 		else:
-			logSys.error(ip+" already in ban list")
+			self.runCheck(debug)
+			logSys.error("%s: "%self.section+ip+" already in ban list")
 	
 	def delBanIP(self, aInfo, debug):
 		""" Unban an IP.
 		"""
 		ip = aInfo["ip"]
 		if self.inBanList(ip):
-			logSys.warn("Unban "+ip)
+			logSys.warn("%s: Unban "%self.section + ip)
 			del self.banList[ip]
+			self.runCheck(debug)
 			executeCmd(self.unBanIP(aInfo), debug)
 		else:
-			logSys.error(ip+" not in ban list")
+			logSys.error("%s: "%self.section+ip+" not in ban list")
+
+	def reBan(self, debug):
+		""" Re-Bans known IPs.
+			TODO: implement "failures" and "failtime"
+		"""
+		for ip in self.banList:
+			aInfo = {"ip": ip,
+					 "bantime":self.banList[ip]}
+			logSys.warn("%s: ReBan "%self.section + ip)
+			# next piece is similar to the on in addBanIp
+			# so might be one more function will not hurt
+			self.runCheck(debug)
+			executeCmd(self.banIP(aInfo), debug)
 	
 	def inBanList(self, ip):
 		""" Checks if IP is in ban list.
 		"""
 		return self.banList.has_key(ip)
 
+	def runCheck(self, debug):
+		""" Runs fwcheck command and throws an exception if it returns non-0
+			result
+		"""
+		if self.mustCheck:
+			executeCmd(self.checkRule, debug)
+		else:
+			return None
+
 	def checkForUnBan(self, debug):
 		""" Check for IP to remove from ban list.
 		"""
@@ -93,7 +158,12 @@ class Firewall:
 			aInfo = {"ip": element[0],
 					 "bantime": element[1],
 					 "unbantime": time.time()}
+			try:
 				self.delBanIP(aInfo, debug)
+			except ExternalError:
+				# we must let it fail here in the loop, or we don't
+				# flush properly
+				pass
 			
 	def banIP(self, aInfo):
 		""" Returns query to ban IP.

logreader/logreader.py

@@ -16,11 +16,11 @@
 
 # Author: Cyril Jaquier
 # 
-# $Revision: 1.13.2.8 $
+# $Revision: 1.14 $
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision: 1.13.2.8 $"
+__version__ = "$Revision: 1.14 $"
-__date__ = "$Date: 2005/09/05 21:06:15 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
@@ -97,15 +97,15 @@ class LogReader:
 		"""
 		try:
 			self.logStats = os.stat(self.logPath)
-		except OSError:
-			logSys.error("Unable to get stat on "+self.logPath)
-		
 			if self.lastModTime == self.logStats.st_mtime:
 				return False
 			else:
 				logSys.debug(self.logPath+" has been modified")
 				self.lastModTime = self.logStats.st_mtime
 				return True
+		except OSError:
+			logSys.error("Unable to get stat on "+self.logPath)
+			return False
 	
 	def setFilePos(self, file):
 		""" Sets the file position. We must take care of log file rotation

man/fail2ban.8

@@ -33,10 +33,13 @@ display this help message
 kill a currently running Fail2Ban instance
 .TP 
 \fB\-r\fR \fIVALUE\fR
-allow a max of \fIVALUE\fR password failure
+allow a max of \fIVALUE\fR password failure [maxfailures]
 .TP 
 \fB\-t\fR \fITIME\fR
-ban IP for \fITIME\fR seconds
+ban IP for \fITIME\fR seconds [bantime]
+.TP 
+\fB\-f\fR \fITIME\fR
+lifetime in seconds of failed entry [findtime]
 .TP 
 \fB\-v\fR
 verbose. Use twice for greater effect

setup.py

@@ -18,11 +18,11 @@
 
 # Author: Cyril Jaquier
 # 
-# $Revision: 1.4.2.4 $
+# $Revision: 1.5 $
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision: 1.4.2.4 $"
+__version__ = "$Revision: 1.5 $"
-__date__ = "$Date: 2005/08/07 13:10:39 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 

utils/dns.py

@@ -16,11 +16,11 @@
 
 # Author: Cyril Jaquier
 # 
-# $Revision: 1.7.2.3 $
+# $Revision: 1.8 $
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision: 1.7.2.3 $"
+__version__ = "$Revision: 1.8 $"
-__date__ = "$Date: 2005/08/17 19:26:49 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 

utils/mail.py

@@ -16,18 +16,17 @@
 
 # Author: Cyril Jaquier
 # 
-# $Revision: 1.1.2.4 $
+# $Revision: 1.2 $
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision: 1.1.2.4 $"
+__version__ = "$Revision: 1.2 $"
-__date__ = "$Date: 2005/09/12 14:42:08 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
-import logging, smtplib
+import logging, smtplib, email.Utils
 
 from utils.strings import replaceTag
-from time import strftime, gmtime
 
 # Gets the instance of the logger.
 logSys = logging.getLogger("fail2ban")
@@ -39,6 +38,7 @@ class Mail:
 	def __init__(self, host, port = 25):
 		self.host = host
 		self.port = port
+		self.localTimeFlag = False
 		
 	def setFromAddr(self, fromAddr):
 		""" Set from: address
@@ -50,6 +50,11 @@ class Mail:
 		"""
 		self.toAddr = toAddr.split()
 
+	def setLocalTimeFlag(self, localTimeFlag):
+		""" Set to: address
+		"""
+		self.localTimeFlag = localTimeFlag
+
 	def sendmail(self, subject, message, aInfo):
 		""" Send an email using smtplib
 		"""
@@ -58,7 +63,7 @@ class Mail:
 		
 		mail = ("From: %s\r\nTo: %s\r\nDate: %s\r\nSubject: %s\r\n\r\n" %
 				(self.fromAddr, ", ".join(self.toAddr),
-				strftime("%a, %d %b %Y %H:%M:%S +0000", gmtime()),
+				email.Utils.formatdate(localtime = self.localTimeFlag),
 				subj)) + msg
 		
 		try:

utils/pidlock.py

@@ -16,11 +16,11 @@
 
 # Author: Cyril Jaquier
 # 
-# $Revision: 1.1.2.2 $
+# $Revision: 1.2 $
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision: 1.1.2.2 $"
+__version__ = "$Revision: 1.2 $"
-__date__ = "$Date: 2005/08/07 13:08:18 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
@@ -70,6 +70,9 @@ class PIDLock:
 				logSys.debug("Removed PID lock " + self.path)
 			except OSError:
 				logSys.error("Unable to remove PID lock " + self.path)
+			except AttributeError:
+				# AttributeError if self.path wasn't specified yet
+				logSys.debug("PID lock not removed because not defined yet")
 		
 		def exists(self):
 			""" Returns the current PID if Fail2Ban is running or False

utils/process.py

@@ -16,11 +16,11 @@
 
 # Author: Cyril Jaquier
 # 
-# $Revision: 1.1.2.4 $
+# $Revision: 1.2 $
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision: 1.1.2.4 $"
+__version__ = "$Revision: 1.2 $"
-__date__ = "$Date: 2005/08/04 20:48:30 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
@@ -29,6 +29,11 @@ import os, logging, signal
 # Gets the instance of the logger.
 logSys = logging.getLogger("fail2ban")
 
+class ExternalError(UserWarning):
+	""" Exception to warn about failed fwcheck or fwban command
+	"""
+	pass
+
 def createDaemon():
 	""" Detach a process from the controlling terminal and run it in the
 		background as a daemon.
@@ -126,6 +131,7 @@ def executeCmd(cmd, debug):
 		retval = os.system(cmd)
 		if not retval == 0:
 			logSys.error("'" + cmd + "' returned " + `retval`)
+			raise ExternalError("Execution of command '%s' failed" % cmd)
 		return retval
 	else:
 		return None

utils/strings.py

@@ -16,11 +16,11 @@
 
 # Author: Cyril Jaquier
 # 
-# $Revision: 1.1.2.2 $
+# $Revision: 1.2 $
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision: 1.1.2.2 $"
+__version__ = "$Revision: 1.2 $"
-__date__ = "$Date: 2005/08/01 16:35:18 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 

version.py

@@ -16,12 +16,12 @@
 
 # Author: Cyril Jaquier
 # 
-# $Revision: 1.12.2.10 $
+# $Revision: 1.13 $
 
 __author__ = "Cyril Jaquier"
-__version__ = "$Revision: 1.12.2.10 $"
+__version__ = "$Revision: 1.13 $"
-__date__ = "$Date: 2005/09/13 20:43:00 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
 
-version = "0.5.4"
+version = "0.6.0"