diff --git a/ChangeLog b/ChangeLog index c589dbe1..87cdaeb8 100644 --- a/ChangeLog +++ b/ChangeLog @@ -25,6 +25,10 @@ code-review and minor additions from Yaroslav Halchenko. Steven Hiscocks * [..5aef036] Core functionality moved into fail2ban/ module. Closes gh-26 + Daniel Black + * Jail names increased to 26 characters and iptables prefix reduced + from fail2ban- to f2b- as suggested by buanzo in gh-462. + - New features: Steven Hiscocks * [..c7ae460] Multiline failregex. Close gh-54 diff --git a/config/action.d/firewall-cmd-direct-new.conf b/config/action.d/firewall-cmd-direct-new.conf index 55b6762d..837352e9 100644 --- a/config/action.d/firewall-cmd-direct-new.conf +++ b/config/action.d/firewall-cmd-direct-new.conf 
@@ -12,19 +12,19 @@ before = iptables-blocktype.conf [Definition] -actionstart = firewall-cmd --direct --add-chain ipv4 filter fail2ban- - firewall-cmd --direct --add-rule ipv4 filter fail2ban- 1000 -j RETURN - firewall-cmd --direct --add-rule ipv4 filter 0 -m state --state NEW -p --dport -j fail2ban- +actionstart = firewall-cmd --direct --add-chain ipv4 filter f2b- + firewall-cmd --direct --add-rule ipv4 filter f2b- 1000 -j RETURN + firewall-cmd --direct --add-rule ipv4 filter 0 -m state --state NEW -p --dport -j f2b- -actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -m state --state NEW -p --dport -j fail2ban- - firewall-cmd --direct --remove-rules ipv4 filter fail2ban- - firewall-cmd --direct --remove-chain ipv4 filter fail2ban- +actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -m state --state NEW -p --dport -j f2b- + firewall-cmd --direct --remove-rules ipv4 filter f2b- + firewall-cmd --direct --remove-chain ipv4 filter f2b- -actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'fail2ban-[ \t]' +actioncheck = firewall-cmd --direct --get-chains ipv4 filter | grep -q 'f2b-[ \t]' -actionban = firewall-cmd --direct --add-rule ipv4 filter fail2ban- 0 -s -j +actionban = firewall-cmd --direct --add-rule ipv4 filter f2b- 0 -s -j -actionunban = firewall-cmd --direct --remove-rule ipv4 filter fail2ban- 0 -s -j +actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b- 0 -s -j [Init] diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf index 91d40711..480badc7 100644 --- a/config/action.d/iptables-allports.conf +++ b/config/action.d/iptables-allports.conf 
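Review bot: The new `actioncheck` line, `firewall-cmd --direct --get-chains ipv4 filter | grep -q 'f2b-<name>[ \t]'` (the jail-name tag after `f2b-` appears stripped in this rendering), insists on a space or tab after the chain name, so if `--get-chains` prints all chains space-separated on a single line, as I believe firewalld does (please confirm), the check fails whenever this jail's chain is the last one listed, and fail2ban then re-runs `actionstart`, whose `--add-chain` errors on the already-existing chain. The `[ \t]` idiom is safe for `iptables -n -L`, where the chain header always has text after the name, but it was carried over here by the rename unchanged. Anchoring both sides avoids the problem and keeps the exact-name guarantee: `actioncheck = firewall-cmd --direct --get-chains ipv4 filter | tr ' ' '\n' | grep -qx 'f2b-<name>'`.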
@@ -17,23 +17,23 @@ before = iptables-blocktype.conf # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # -actionstart = iptables -N fail2ban- - iptables -A fail2ban- -j RETURN - iptables -I -p -j fail2ban- +actionstart = iptables -N f2b- + iptables -A f2b- -j RETURN + iptables -I -p -j f2b- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D -p -j fail2ban- - iptables -F fail2ban- - iptables -X fail2ban- +actionstop = iptables -D -p -j f2b- + iptables -F f2b- + iptables -X f2b- # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]' +actioncheck = iptables -n -L | grep -q 'f2b-[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -41,7 +41,7 @@ actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]' # Tags: See jail.conf(5) man page # Values: CMD # -actionban = iptables -I fail2ban- 1 -s -j +actionban = iptables -I f2b- 1 -s -j # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -49,7 +49,7 @@ actionban = iptables -I fail2ban- 1 -s -j # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = iptables -D fail2ban- -s -j +actionunban = iptables -D f2b- -s -j [Init] diff --git a/config/action.d/iptables-ipset-proto4.conf b/config/action.d/iptables-ipset-proto4.conf index 9a445303..fc03c68c 100644 --- a/config/action.d/iptables-ipset-proto4.conf +++ b/config/action.d/iptables-ipset-proto4.conf 
@@ -27,16 +27,16 @@ before = iptables-blocktype.conf # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # -actionstart = ipset --create fail2ban- iphash - iptables -I INPUT -p -m multiport --dports -m set --match-set fail2ban- src -j +actionstart = ipset --create f2b- iphash + iptables -I INPUT -p -m multiport --dports -m set --match-set f2b- src -j # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p -m multiport --dports -m set --match-set fail2ban- src -j - ipset --flush fail2ban- - ipset --destroy fail2ban- +actionstop = iptables -D INPUT -p -m multiport --dports -m set --match-set f2b- src -j + ipset --flush f2b- + ipset --destroy f2b- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -44,7 +44,7 @@ actionstop = iptables -D INPUT -p -m multiport --dports -m set # Tags: See jail.conf(5) man page # Values: CMD # -actionban = ipset --test fail2ban- || ipset --add fail2ban- +actionban = ipset --test f2b- || ipset --add f2b- # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -52,7 +52,7 @@ actionban = ipset --test fail2ban- || ipset --add fail2ban- && ipset --del fail2ban- +actionunban = ipset --test f2b- && ipset --del f2b- [Init] diff --git a/config/action.d/iptables-ipset-proto6-allports.conf b/config/action.d/iptables-ipset-proto6-allports.conf index 933926e3..72fba9cd 100644 --- a/config/action.d/iptables-ipset-proto6-allports.conf +++ b/config/action.d/iptables-ipset-proto6-allports.conf 
@@ -24,16 +24,16 @@ before = iptables-blocktype.conf # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # -actionstart = ipset create fail2ban- hash:ip timeout - iptables -I INPUT -m set --match-set fail2ban- src -j +actionstart = ipset create f2b- hash:ip timeout + iptables -I INPUT -m set --match-set f2b- src -j # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -m set --match-set fail2ban- src -j - ipset flush fail2ban- - ipset destroy fail2ban- +actionstop = iptables -D INPUT -m set --match-set f2b- src -j + ipset flush f2b- + ipset destroy f2b- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -41,7 +41,7 @@ actionstop = iptables -D INPUT -m set --match-set fail2ban- src -j timeout -exist +actionban = ipset add f2b- timeout -exist # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -49,7 +49,7 @@ actionban = ipset add fail2ban- timeout -exist # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = ipset del fail2ban- -exist +actionunban = ipset del f2b- -exist [Init] diff --git a/config/action.d/iptables-ipset-proto6.conf b/config/action.d/iptables-ipset-proto6.conf index 4dfb1a62..5d848110 100644 --- a/config/action.d/iptables-ipset-proto6.conf +++ b/config/action.d/iptables-ipset-proto6.conf 
@@ -24,16 +24,16 @@ before = iptables-blocktype.conf # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # -actionstart = ipset create fail2ban- hash:ip timeout - iptables -I INPUT -p -m multiport --dports -m set --match-set fail2ban- src -j +actionstart = ipset create f2b- hash:ip timeout + iptables -I INPUT -p -m multiport --dports -m set --match-set f2b- src -j # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p -m multiport --dports -m set --match-set fail2ban- src -j - ipset flush fail2ban- - ipset destroy fail2ban- +actionstop = iptables -D INPUT -p -m multiport --dports -m set --match-set f2b- src -j + ipset flush f2b- + ipset destroy f2b- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -41,7 +41,7 @@ actionstop = iptables -D INPUT -p -m multiport --dports -m set # Tags: See jail.conf(5) man page # Values: CMD # -actionban = ipset add fail2ban- timeout -exist +actionban = ipset add f2b- timeout -exist # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -49,7 +49,7 @@ actionban = ipset add fail2ban- timeout -exist # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = ipset del fail2ban- -exist +actionunban = ipset del f2b- -exist [Init] diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf index 6084cb6c..5a611033 100644 --- a/config/action.d/iptables-multiport-log.conf +++ b/config/action.d/iptables-multiport-log.conf @@ -3,9 +3,9 @@ # Author: Guido Bozzetto # Modified: Cyril Jaquier # -# make "fail2ban-" chain to match drop IP -# make "fail2ban--log" chain to log and drop -# insert a jump to fail2ban- from -I if proto/port match +# make "f2b-" chain to match drop IP +# make "f2b--log" chain to log and drop +# insert a jump to f2b- from -I if proto/port match # # 
@@ -19,28 +19,28 @@ before = iptables-blocktype.conf # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # -actionstart = iptables -N fail2ban- - iptables -A fail2ban- -j RETURN - iptables -I 1 -p -m multiport --dports -j fail2ban- - iptables -N fail2ban--log - iptables -I fail2ban--log -j LOG --log-prefix "$(expr fail2ban- : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 - iptables -A fail2ban--log -j +actionstart = iptables -N f2b- + iptables -A f2b- -j RETURN + iptables -I 1 -p -m multiport --dports -j f2b- + iptables -N f2b--log + iptables -I f2b--log -j LOG --log-prefix "$(expr f2b- : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 + iptables -A f2b--log -j # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D -p -m multiport --dports -j fail2ban- - iptables -F fail2ban- - iptables -F fail2ban--log - iptables -X fail2ban- - iptables -X fail2ban--log +actionstop = iptables -D -p -m multiport --dports -j f2b- + iptables -F f2b- + iptables -F f2b--log + iptables -X f2b- + iptables -X f2b--log # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L fail2ban--log >/dev/null +actioncheck = iptables -n -L f2b--log >/dev/null # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -48,7 +48,7 @@ actioncheck = iptables -n -L fail2ban--log >/dev/null # Tags: See jail.conf(5) man page # Values: CMD # -actionban = iptables -I fail2ban- 1 -s -j fail2ban--log +actionban = iptables -I f2b- 1 -s -j f2b--log # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the 
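Review bot: The log chain created in `actionstart`, `iptables -N f2b-<name>-log`, is eight characters longer than the jail name, so under iptables' user-chain name limit (28 characters, if I recall `XT_EXTENSION_MAXNAMELEN` correctly; worth confirming) it only fits jail names of 20 characters or fewer, short of the 26-character figure this commit advertises in the ChangeLog; the shorter prefix buys this action four characters, not six. The `expr ... '\(.\{1,23\}\)'` truncation of the log prefix is a separate limit and still adds up (23 plus `:DROP ` is 29), so it needs no change. I would add a comment above `actionstart` such as `# NOTE: f2b-<name>-log must fit iptables' 28-character chain-name limit, so jail names longer than 20 characters cannot use this action`, or truncate the suffixed name the same way the log prefix already is.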
@@ -56,7 +56,7 @@ actionban = iptables -I fail2ban- 1 -s -j fail2ban--log # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = iptables -D fail2ban- -s -j fail2ban--log +actionunban = iptables -D f2b- -s -j f2b--log [Init] diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf index daa31148..ab3225bc 100644 --- a/config/action.d/iptables-multiport.conf +++ b/config/action.d/iptables-multiport.conf @@ -14,23 +14,23 @@ before = iptables-blocktype.conf # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # -actionstart = iptables -N fail2ban- - iptables -A fail2ban- -j RETURN - iptables -I -p -m multiport --dports -j fail2ban- +actionstart = iptables -N f2b- + iptables -A f2b- -j RETURN + iptables -I -p -m multiport --dports -j f2b- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D -p -m multiport --dports -j fail2ban- - iptables -F fail2ban- - iptables -X fail2ban- +actionstop = iptables -D -p -m multiport --dports -j f2b- + iptables -F f2b- + iptables -X f2b- # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]' +actioncheck = iptables -n -L | grep -q 'f2b-[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -38,7 +38,7 @@ actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]' # Tags: See jail.conf(5) man page # Values: CMD # -actionban = iptables -I fail2ban- 1 -s -j +actionban = iptables -I f2b- 1 -s -j # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -46,7 +46,7 @@ actionban = iptables -I fail2ban- 1 -s -j # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = iptables -D fail2ban- -s -j +actionunban = iptables -D f2b- -s -j [Init] 
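Review bot: Renaming the chain in `actionstart`/`actionstop` leaves no path for cleaning up a chain created under the old `fail2ban-` prefix: after an upgrade where the old daemon was not stopped cleanly (or where its `actionstop` failed), the old jump into the target chain and the ban rules inside `fail2ban-<name>` stay in the ruleset indefinitely, and the new `actioncheck` pattern `grep -q 'f2b-<name>[ \t]'` will never notice them. Bans issued before the upgrade are then never lifted, because `actionunban` now deletes only from `f2b-<name>`. I would at least document this in the file header, e.g. `# NOTE: chains created by earlier versions under the fail2ban-<name> prefix are not removed on upgrade; flush and delete them by hand`, and say the same in the ChangeLog entry, since every action renamed in this commit has the same gap.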
diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf index 38927442..75411ad1 100644 --- a/config/action.d/iptables-new.conf +++ b/config/action.d/iptables-new.conf @@ -17,23 +17,23 @@ before = iptables-blocktype.conf # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # -actionstart = iptables -N fail2ban- - iptables -A fail2ban- -j RETURN - iptables -I -m state --state NEW -p --dport -j fail2ban- +actionstart = iptables -N f2b- + iptables -A f2b- -j RETURN + iptables -I -m state --state NEW -p --dport -j f2b- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D -m state --state NEW -p --dport -j fail2ban- - iptables -F fail2ban- - iptables -X fail2ban- +actionstop = iptables -D -m state --state NEW -p --dport -j f2b- + iptables -F f2b- + iptables -X f2b- # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]' +actioncheck = iptables -n -L | grep -q 'f2b-[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -41,7 +41,7 @@ actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]' # Tags: See jail.conf(5) man page # Values: CMD # -actionban = iptables -I fail2ban- 1 -s -j +actionban = iptables -I f2b- 1 -s -j # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -49,7 +49,7 @@ actionban = iptables -I fail2ban- 1 -s -j # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = iptables -D fail2ban- -s -j +actionunban = iptables -D f2b- -s -j [Init] diff --git a/config/action.d/iptables-xt_recent-echo.conf b/config/action.d/iptables-xt_recent-echo.conf index 829d4c06..4be97c44 100644 --- a/config/action.d/iptables-xt_recent-echo.conf +++ b/config/action.d/iptables-xt_recent-echo.conf 
@@ -23,29 +23,29 @@ before = iptables-blocktype.conf # iptables-persistent package). # # Explanation of the rule below: -# Check if any packets coming from an IP on the fail2ban- +# Check if any packets coming from an IP on the f2b- # list have been seen in the last 3600 seconds. If yes, update the # timestamp for this IP and drop the packet. If not, let the packet # through. # -# Fail2ban inserts blacklisted hosts into the fail2ban- list +# Fail2ban inserts blacklisted hosts into the f2b- list # and removes them from the list after some time, according to its # own rules. The 3600 second timeout is independent and acts as a # safeguard in case the fail2ban process dies unexpectedly. The # shorter of the two timeouts actually matters. -actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban- -j +actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name f2b- -j # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = echo / > /proc/net/xt_recent/fail2ban- +actionstop = echo / > /proc/net/xt_recent/f2b- # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = test -e /proc/net/xt_recent/fail2ban- +actioncheck = test -e /proc/net/xt_recent/f2b- # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -53,7 +53,7 @@ actioncheck = test -e /proc/net/xt_recent/fail2ban- # Tags: See jail.conf(5) man page # Values: CMD # -actionban = echo + > /proc/net/xt_recent/fail2ban- +actionban = echo + > /proc/net/xt_recent/f2b- # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -61,7 +61,7 @@ actionban = echo + > /proc/net/xt_recent/fail2ban- # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = echo - > /proc/net/xt_recent/fail2ban- +actionunban = echo - > /proc/net/xt_recent/f2b- [Init] 
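Review bot: `actionstop` only empties the list (`echo / > /proc/net/xt_recent/f2b-<name>`) and never removes the `iptables -I INPUT -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>` rule that `actionstart` inserts, so each restart stacks another INPUT rule, and after this rename an upgraded host keeps the old `--name fail2ban-<name>` rule alongside the new one. That imbalance is pre-existing, but the rename is the moment it shows up as two differently named lists on one host. Appending the matching delete, `iptables -D INPUT -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>`, as the last `actionstop` line would balance `actionstart`; if xt_recent drops the /proc entry once no rule references it (I believe it does, but please verify), the existing `echo /` must stay before the delete, as it would here.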
diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf index 370e4731..5afe4bf1 100644 --- a/config/action.d/iptables.conf +++ b/config/action.d/iptables.conf @@ -14,23 +14,23 @@ before = iptables-blocktype.conf # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # -actionstart = iptables -N fail2ban- - iptables -A fail2ban- -j RETURN - iptables -I -p --dport -j fail2ban- +actionstart = iptables -N f2b- + iptables -A f2b- -j RETURN + iptables -I -p --dport -j f2b- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D -p --dport -j fail2ban- - iptables -F fail2ban- - iptables -X fail2ban- +actionstop = iptables -D -p --dport -j f2b- + iptables -F f2b- + iptables -X f2b- # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # -actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]' +actioncheck = iptables -n -L | grep -q 'f2b-[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the @@ -38,7 +38,7 @@ actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]' # Tags: See jail.conf(5) man page # Values: CMD # -actionban = iptables -I fail2ban- 1 -s -j +actionban = iptables -I f2b- 1 -s -j # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -46,7 +46,7 @@ actionban = iptables -I fail2ban- 1 -s -j # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = iptables -D fail2ban- -s -j +actionunban = iptables -D f2b- -s -j [Init] diff --git a/fail2ban/server/jail.py b/fail2ban/server/jail.py index d25fda7e..9fa17369 100644 --- a/fail2ban/server/jail.py +++ b/fail2ban/server/jail.py @@ -109,7 +109,7 @@ class Jail: self.__filter = FilterSystemd(self) def setName(self, name): - if len(name) >= 20: + if len(name) >= 26: logSys.warning("Jail name %r might be too long and some commands " "might not function correctly. Please shorten" % name)
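Review bot: With the `f2b-` prefix, `iptables -N f2b-<name>` in `actionstart` yields a 29-character chain name for a 25-character jail name, which iptables rejects if its user-chain limit is 28 characters (`XT_EXTENSION_MAXNAMELEN` is 29 including the terminator, as far as I remember; please confirm against the iptables versions you support). The old `fail2ban-` prefix with the old warning at 20 characters sat exactly on that limit (9 + 19 = 28), whereas the threshold this commit raises to 26 in `setName` leaves a 25-character name unwarned and broken; that jail.py hunk is cut off at the end of this page, so I am raising it here. `if len(name) >= 25:` keeps the warning aligned with this prefix, and a one-line comment above `actionstart`, e.g. `# chain names are limited to 28 characters by iptables; f2b- leaves 24 for the jail name`, would help anyone adding actions with longer suffixes.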