github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

amend to (gh-2067) / b34ae5999e0d8ee1af8939527305c13152844b3d: fix parameter in config (dynamic parameters stating with '_' are protected and don't allowed in command-actions);

Browse Source 
the interpolation of hostsdeny is test-covered now;
closes gh-2114.
pull/2133/head
sebres 7 years ago
parent 22e9ccb387
commit bba7a6c5cf
2 changed files with 26 additions and 20 deletions
Show Stats Download Patch File Download Diff File

8
config/action.d/hostsdeny.conf
Unescape View File

@ -31,7 +31,7 @@ actioncheck =
# Tags: See jail.conf(5) man page # Tags: See jail.conf(5) man page
# Values: CMD # Values: CMD
# #
actionban = printf %%b "<daemon_list>: <_ip_value>\n" >> <file> actionban = printf %%b "<daemon_list>: <ip_value>\n" >> <file>
# Option: actionunban # Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the # Notes.: command executed when unbanning an IP. Take care that the
@ -39,7 +39,7 @@ actionban = printf %%b "<daemon_list>: <_ip_value>\n" >> <file>
# Tags: See jail.conf(5) man page # Tags: See jail.conf(5) man page
# Values: CMD # Values: CMD
# #
actionunban = IP=$(echo "<_ip_value>" | sed 's/[][\.]/\\\0/g') && sed -i "/^<daemon_list>: $IP$/d" <file> actionunban = IP=$(echo "<ip_value>" | sed 's/[][\.]/\\\0/g') && sed -i "/^<daemon_list>: $IP$/d" <file>
[Init] [Init]
@ -56,7 +56,7 @@ file = /etc/hosts.deny
daemon_list = ALL daemon_list = ALL
# internal variable IP (to differentiate the IPv4 and IPv6 syntax, where it is enclosed in brackets): # internal variable IP (to differentiate the IPv4 and IPv6 syntax, where it is enclosed in brackets):
_ip_value = <ip> ip_value = <ip>
[Init?family=inet6] [Init?family=inet6]
_ip_value = [<ip>] ip_value = [<ip>]

38
fail2ban/tests/servertestcase.py
Unescape View File

@ -1186,6 +1186,22 @@ class ServerConfigReaderTests(LogCaptureTestCase):
# 'start', 'stop' - should be found (logged) on action start/stop, # 'start', 'stop' - should be found (logged) on action start/stop,
# etc. # etc.
testJailsActions = ( testJailsActions = (
# hostsdeny --
('j-hostsdeny', 'hostsdeny[name=%(__name__)s, actionstop="rm <file>", file="/tmp/fail2ban.dummy"]', {
'ip4': ('family: inet4',), 'ip6': ('family: inet6',),
'ip4-ban': (
r'''`printf %b "ALL: 192.0.2.1\n" >> /tmp/fail2ban.dummy`''',
),
'ip4-unban': (
r'''`IP=$(echo "192.0.2.1" | sed 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /tmp/fail2ban.dummy`''',
),
'ip6-ban': (
r'''`printf %b "ALL: [2001:db8::]\n" >> /tmp/fail2ban.dummy`''',
),
'ip6-unban': (
r'''`IP=$(echo "[2001:db8::]" | sed 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /tmp/fail2ban.dummy`''',
),
}),
# dummy -- # dummy --
('j-dummy', 'dummy[name=%(__name__)s, init="==", target="/tmp/fail2ban.dummy"]', { ('j-dummy', 'dummy[name=%(__name__)s, init="==", target="/tmp/fail2ban.dummy"]', {
'ip4': ('family: inet4',), 'ip6': ('family: inet6',), 'ip4': ('family: inet4',), 'ip6': ('family: inet6',),
@ -1198,8 +1214,6 @@ class ServerConfigReaderTests(LogCaptureTestCase):
'stop': ( 'stop': (
'`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- stopped"`', '`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- stopped"`',
), ),
'ip4-check': (),
'ip6-check': (),
'ip4-ban': ( 'ip4-ban': (
'`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- banned 192.0.2.1 (family: inet4)"`', '`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- banned 192.0.2.1 (family: inet4)"`',
), ),
@ -1324,8 +1338,6 @@ class ServerConfigReaderTests(LogCaptureTestCase):
"`ipset flush f2b-j-w-iptables-ipset6`", "`ipset flush f2b-j-w-iptables-ipset6`",
"`ipset destroy f2b-j-w-iptables-ipset6`", "`ipset destroy f2b-j-w-iptables-ipset6`",
), ),
'ip4-check': (),
'ip6-check': (),
'ip4-ban': ( 'ip4-ban': (
r"`ipset add f2b-j-w-iptables-ipset 192.0.2.1 timeout 600 -exist`", r"`ipset add f2b-j-w-iptables-ipset 192.0.2.1 timeout 600 -exist`",
), ),
@ -1362,8 +1374,6 @@ class ServerConfigReaderTests(LogCaptureTestCase):
"`ipset flush f2b-j-w-iptables-ipset-ap6`", "`ipset flush f2b-j-w-iptables-ipset-ap6`",
"`ipset destroy f2b-j-w-iptables-ipset-ap6`", "`ipset destroy f2b-j-w-iptables-ipset-ap6`",
), ),
'ip4-check': (),
'ip6-check': (),
'ip4-ban': ( 'ip4-ban': (
r"`ipset add f2b-j-w-iptables-ipset-ap 192.0.2.1 timeout 600 -exist`", r"`ipset add f2b-j-w-iptables-ipset-ap 192.0.2.1 timeout 600 -exist`",
), ),
@ -1671,8 +1681,6 @@ class ServerConfigReaderTests(LogCaptureTestCase):
"`ipset flush f2b-j-w-fwcmd-ipset6`", "`ipset flush f2b-j-w-fwcmd-ipset6`",
"`ipset destroy f2b-j-w-fwcmd-ipset6`", "`ipset destroy f2b-j-w-fwcmd-ipset6`",
), ),
'ip4-check': (),
'ip6-check': (),
'ip4-ban': ( 'ip4-ban': (
r"`ipset add f2b-j-w-fwcmd-ipset 192.0.2.1 timeout 600 -exist`", r"`ipset add f2b-j-w-fwcmd-ipset 192.0.2.1 timeout 600 -exist`",
), ),
@ -1709,8 +1717,6 @@ class ServerConfigReaderTests(LogCaptureTestCase):
"`ipset flush f2b-j-w-fwcmd-ipset-ap6`", "`ipset flush f2b-j-w-fwcmd-ipset-ap6`",
"`ipset destroy f2b-j-w-fwcmd-ipset-ap6`", "`ipset destroy f2b-j-w-fwcmd-ipset-ap6`",
), ),
'ip4-check': (),
'ip6-check': (),
'ip4-ban': ( 'ip4-ban': (
r"`ipset add f2b-j-w-fwcmd-ipset-ap 192.0.2.1 timeout 600 -exist`", r"`ipset add f2b-j-w-fwcmd-ipset-ap 192.0.2.1 timeout 600 -exist`",
), ),
@ -1762,7 +1768,7 @@ class ServerConfigReaderTests(LogCaptureTestCase):
action.start() action.start()
if tests.get('start'): if tests.get('start'):
self.assertLogged(*tests['start'], all=True) self.assertLogged(*tests['start'], all=True)
else: elif tests.get('ip4-start') and tests.get('ip6-start'):
self.assertNotLogged(*tests['ip4-start']+tests['ip6-start'], all=True) self.assertNotLogged(*tests['ip4-start']+tests['ip6-start'], all=True)
ainfo = { ainfo = {
'ip4': _actions.Actions.ActionInfo(tickets['ip4'], jails[jail]), 'ip4': _actions.Actions.ActionInfo(tickets['ip4'], jails[jail]),
@ -1773,24 +1779,24 @@ class ServerConfigReaderTests(LogCaptureTestCase):
action.ban(ainfo['ip4']) action.ban(ainfo['ip4'])
if tests.get('ip4-start'): self.assertLogged(*tests['ip4-start'], all=True) if tests.get('ip4-start'): self.assertLogged(*tests['ip4-start'], all=True)
if tests.get('ip6-start'): self.assertNotLogged(*tests['ip6-start'], all=True) if tests.get('ip6-start'): self.assertNotLogged(*tests['ip6-start'], all=True)
self.assertLogged(*tests['ip4-check']+tests['ip4-ban'], all=True) self.assertLogged(*tests.get('ip4-check',())+tests['ip4-ban'], all=True)
self.assertNotLogged(*tests['ip6'], all=True) self.assertNotLogged(*tests['ip6'], all=True)
# test unban ip4 : # test unban ip4 :
self.pruneLog('# === unban ipv4 ===') self.pruneLog('# === unban ipv4 ===')
action.unban(ainfo['ip4']) action.unban(ainfo['ip4'])
self.assertLogged(*tests['ip4-check']+tests['ip4-unban'], all=True) self.assertLogged(*tests.get('ip4-check',())+tests['ip4-unban'], all=True)
self.assertNotLogged(*tests['ip6'], all=True) self.assertNotLogged(*tests['ip6'], all=True)
# test ban ip6 : # test ban ip6 :
self.pruneLog('# === ban ipv6 ===') self.pruneLog('# === ban ipv6 ===')
action.ban(ainfo['ip6']) action.ban(ainfo['ip6'])
if tests.get('ip6-start'): self.assertLogged(*tests['ip6-start'], all=True) if tests.get('ip6-start'): self.assertLogged(*tests['ip6-start'], all=True)
if tests.get('ip4-start'): self.assertNotLogged(*tests['ip4-start'], all=True) if tests.get('ip4-start'): self.assertNotLogged(*tests['ip4-start'], all=True)
self.assertLogged(*tests['ip6-check']+tests['ip6-ban'], all=True) self.assertLogged(*tests.get('ip6-check',())+tests['ip6-ban'], all=True)
self.assertNotLogged(*tests['ip4'], all=True) self.assertNotLogged(*tests['ip4'], all=True)
# test unban ip6 : # test unban ip6 :
self.pruneLog('# === unban ipv6 ===') self.pruneLog('# === unban ipv6 ===')
action.unban(ainfo['ip6']) action.unban(ainfo['ip6'])
self.assertLogged(*tests['ip6-check']+tests['ip6-unban'], all=True) self.assertLogged(*tests.get('ip6-check',())+tests['ip6-unban'], all=True)
self.assertNotLogged(*tests['ip4'], all=True) self.assertNotLogged(*tests['ip4'], all=True)
# test flush for actions should supported this: # test flush for actions should supported this:
if tests.get('flush'): if tests.get('flush'):
@ -1800,7 +1806,7 @@ class ServerConfigReaderTests(LogCaptureTestCase):
# test stop : # test stop :
self.pruneLog('# === stop ===') self.pruneLog('# === stop ===')
action.stop() action.stop()
self.assertLogged(*tests['stop'], all=True) if tests.get('stop'): self.assertLogged(*tests['stop'], all=True)
def _executeMailCmd(self, realCmd, timeout=60): def _executeMailCmd(self, realCmd, timeout=60):
# replace pipe to mail with pipe to cat: # replace pipe to mail with pipe to cat:

Write Preview
Loading…
Cancel
Save