part of #927 - filter enhancement to parse IP sub-nets (IP/CIDR with correct recognition of IP-family),

provides new replacement tags for failregex to match subnets in form of IP-addresses with CIDR mask (gh-2559): - `<CIDR>` - helper regex to match CIDR (simple integer form of net-mask); - `<SUBNET>` - regex to match sub-net adresses (in form of IP/CIDR, also single IP is matched, so part /CIDR is optional);
2019-11-01 16:29:17 +01:00 · 2019-11-01 16:29:17 +01:00 · d44607a161
parent 5e3fef1631
commit d44607a161
6 changed files with 84 additions and 8 deletions
--- a/3
+++ b/3
@ -79,6 +79,9 @@ ver. 0.10.5-dev-1 (20??/??/??) - development edition
    - `prefregex` extended, more selective now (denied/NOTAUTH suffix moved from failregex, so no catch-all there anymore)

 ### New Features
+* new replacement tags for failregex to match subnets in form of IP-addresses with CIDR mask (gh-2559):
+  - `<CIDR>` - helper regex to match CIDR (simple integer form of net-mask);
+  - `<SUBNET>` - regex to match sub-net adresses (in form of IP/CIDR, also single IP is matched, so part /CIDR is optional);
 * new failregex-flag tag `<F-MLFGAINED>` for failregex, signaled that the access to service was gained
  (ATM used similar to tag `<F-NOFAIL>`, but it does not add the log-line to matches, gh-2279)
 * filters: introduced new configuration parameter `logtype` (default `file` for file-backends, and 
--- a/fail2ban/server/failregex.py
+++ b/fail2ban/server/failregex.py
@ -44,7 +44,11 @@ R_HOST = [
 		# place-holder for ADDR tag-replacement (joined):
 		"",
 		# place-holder for HOST tag replacement (joined):
-		""
+		"",
+		# CIDR in simplest integer form:
+		r"(?P<cidr>\d+)",
+		# place-holder for SUBNET tag-replacement
+		"",
 ]
 RI_IPV4 =		0
 RI_IPV6 =		1
@ -52,10 +56,13 @@ RI_IPV6BR =	2
 RI_DNS =		3
 RI_ADDR =		4
 RI_HOST =		5
+RI_CIDR =		6
+RI_SUBNET =	7

 R_HOST[RI_IPV6BR] =	r"""\[?%s\]?""" % (R_HOST[RI_IPV6],)
-R_HOST[RI_ADDR] =		"(?:%s)" % ("|".join((R_HOST[RI_IPV4], R_HOST[RI_IPV6BR])),)
-R_HOST[RI_HOST] =		"(?:%s)" % ("|".join((R_HOST[RI_IPV4], R_HOST[RI_IPV6BR], R_HOST[RI_DNS])),)
+R_HOST[RI_ADDR] =		"(?:%s|%s)" % (R_HOST[RI_IPV4], R_HOST[RI_IPV6BR],)
+R_HOST[RI_HOST] =		"(?:%s|%s|%s)" % (R_HOST[RI_IPV4], R_HOST[RI_IPV6BR], R_HOST[RI_DNS],)
+R_HOST[RI_SUBNET] =	r"""(?:%s|%s)(?:/%s)?""" % (R_HOST[RI_IPV4], R_HOST[RI_IPV6], R_HOST[RI_CIDR],)

 RH4TAG = {
 	# separated ipv4 (self closed, closed):
@ -68,6 +75,11 @@ RH4TAG = {
 	# for separate usage of 2 address groups only (regardless of `usedns`), `ip4` and `ip6` together
 	"ADDR":			R_HOST[RI_ADDR],
 	"F-ADDR/":	R_HOST[RI_ADDR],
+	# subnet tags for usage as `<ADDR>/<CIDR>` or `<SUBNET>`:
+	"CIDR":			R_HOST[RI_CIDR],
+	"F-CIDR/":	R_HOST[RI_CIDR],
+	"SUBNET":		R_HOST[RI_SUBNET],
+	"F-SUBNET/":R_HOST[RI_SUBNET],
 	# separated dns (self closed, closed):
 	"DNS":			R_HOST[RI_DNS],
 	"F-DNS/":		R_HOST[RI_DNS],
@ -416,3 +428,7 @@ class FailRegex(Regex):
 	
 	def getHost(self):
 		return self.getFailID(("ip4", "ip6", "dns"))
+
+	def getIP(self):
+		fail = self.getGroups()
+		return IPAddr(self.getFailID(("ip4", "ip6")), int(fail.get("cidr") or IPAddr.CIDR_UNSPEC))
--- a/fail2ban/server/filter.py
+++ b/fail2ban/server/filter.py
@ -865,12 +865,12 @@ class Filter(JailThread):
 				# ip-address or host:
 				host = fail.get('ip4')
 				if host is not None:
-					cidr = IPAddr.FAM_IPv4
+					cidr = int(fail.get('cidr') or IPAddr.FAM_IPv4)
 					raw = True
 				else:
 					host = fail.get('ip6')
 					if host is not None:
-						cidr = IPAddr.FAM_IPv6
+						cidr = int(fail.get('cidr') or IPAddr.FAM_IPv6)
 						raw = True
 				if host is None:
 					host = fail.get('dns')
--- a/fail2ban/tests/fail2banregextestcase.py
+++ b/fail2ban/tests/fail2banregextestcase.py
@ -315,6 +315,19 @@ class Fail2banRegexTest(LogCaptureTestCase):
 		self.assertTrue(fail2banRegex.start(args))
 		self.assertLogged('Lines: 4 lines, 0 ignored, 4 matched, 0 missed')

+	def testRegexSubnet(self):
+		(opts, args, fail2banRegex) = _Fail2banRegex(
+			"-vv", "-d", r"^\[{LEPOCH}\]\s+", "--maxlines", "5",
+			"[1516469849] 192.0.2.1 FAIL: failure\n"
+			"[1516469849] 192.0.2.1/24 FAIL: failure\n"
+			"[1516469849] 2001:DB8:FF:FF::1 FAIL: failure\n"
+			"[1516469849] 2001:DB8:FF:FF::1/60 FAIL: failure\n",
+			r"^<SUBNET> FAIL\b"
+		)
+		self.assertTrue(fail2banRegex.start(args))
+		self.assertLogged('Lines: 4 lines, 0 ignored, 4 matched, 0 missed')
+		self.assertLogged('192.0.2.0/24', '2001:db8:ff:f0::/60', all=True)
+
 	def testWrongFilterFile(self):
 		# use test log as filter file to cover eror cases...
 		(opts, args, fail2banRegex) = _Fail2banRegex(
--- a/fail2ban/tests/servertestcase.py
+++ b/fail2ban/tests/servertestcase.py
@ -1055,6 +1055,34 @@ class RegexTests(unittest.TestCase):
 		fr.search([('test id group: user:(test login name)',"","")])
 		self.assertTrue(fr.hasMatched())
 		self.assertEqual(fr.getFailID(), 'test login name')
+		# Success case: subnet with IPAddr (IP and subnet) conversion:
+		fr = FailRegex(r'%%net=<SUBNET>')
+		fr.search([('%%net=192.0.2.1',"","")])
+		ip = fr.getIP()
+		self.assertEqual((ip, ip.familyStr), ('192.0.2.1', 'inet4'))
+		fr.search([('%%net=192.0.2.1/24',"","")])
+		ip = fr.getIP()
+		self.assertEqual((ip, ip.familyStr), ('192.0.2.0/24', 'inet4'))
+		fr.search([('%%net=2001:DB8:FF:FF::1',"","")])
+		ip = fr.getIP()
+		self.assertEqual((ip, ip.familyStr), ('2001:db8:ff:ff::1', 'inet6'))
+		fr.search([('%%net=2001:DB8:FF:FF::1/60',"","")])
+		ip = fr.getIP()
+		self.assertEqual((ip, ip.familyStr), ('2001:db8:ff:f0::/60', 'inet6'))
+		# CIDR:
+		fr = FailRegex(r'%%ip="<ADDR>", mask="<CIDR>?"')
+		fr.search([('%%ip="192.0.2.2", mask=""',"","")])
+		ip = fr.getIP()
+		self.assertEqual((ip, ip.familyStr), ('192.0.2.2', 'inet4'))
+		fr.search([('%%ip="192.0.2.2", mask="24"',"","")])
+		ip = fr.getIP()
+		self.assertEqual((ip, ip.familyStr), ('192.0.2.0/24', 'inet4'))
+		fr.search([('%%ip="2001:DB8:2FF:FF::1", mask=""',"","")])
+		ip = fr.getIP()
+		self.assertEqual((ip, ip.familyStr), ('2001:db8:2ff:ff::1', 'inet6'))
+		fr.search([('%%ip="2001:DB8:2FF:FF::1", mask="60"',"","")])
+		ip = fr.getIP()
+		self.assertEqual((ip, ip.familyStr), ('2001:db8:2ff:f0::/60', 'inet6'))


 class _BadThread(JailThread):
--- a/man/jail.conf.5
+++ b/man/jail.conf.5
@ -277,7 +277,7 @@ It defaults to "auto" which will try "pyinotify", "gamin", "systemd" before "pol
 use DNS to resolve HOST names that appear in the logs. By default it is "warn" which will resolve hostnames to IPs however it will also log a warning. If you are using DNS here you could be blocking the wrong IPs due to the asymmetric nature of reverse DNS (that the application used to write the domain name to log) compared to forward DNS that fail2ban uses to resolve this back to an IP (but not necessarily the same one). Ideally you should configure your applications to log a real IP. This can be set to "yes" to prevent warnings in the log or "no" to disable DNS resolution altogether (thus ignoring entries where hostname, not an IP is logged)..
 .TP
 .B failregex
-regex (Python \fBreg\fRular \fBex\fRpression) to be added to the filter's failregexes. If this is useful for others using your application please share you regular expression with the fail2ban developers by reporting an issue (see REPORTING BUGS below).
+regex (Python \fBreg\fRular \fBex\fRpression) to be added to the filter's failregexes (see \fBfailregex\fR in section FILTER FILES for details). If this is useful for others using your application please share you regular expression with the fail2ban developers by reporting an issue (see REPORTING BUGS below).
 .TP
 .B ignoreregex
 regex which, if the log line matches, would cause Fail2Ban not consider that line.  This line will be ignored even if it matches a failregex of the jail or any of its filters.
@ -428,8 +428,24 @@ Like action files, filter files are ini files. The main section is the [Definiti
 There are two filter definitions used in the [Definition] section:
 .TP
 .B failregex
-is the regex (\fBreg\fRular \fBex\fRpression) that will match failed attempts. The tag \fI<HOST>\fR is used as part of the regex and is itself a regex
-for IPv4 addresses (and hostnames if \fBusedns\fR). Fail2Ban will work out which one of these it actually is.
+is the regex (\fBreg\fRular \fBex\fRpression) that will match failed attempts. The standard replacement tags can be used as part of the regex:
+.RS
+.IP
+\fI<HOST>\fR - common regex for IP addresses and hostnames (if \fBusedns\fR is enabled). Fail2Ban will work out which one of these it actually is.
+.IP
+\fI<ADDR>\fR - regex for IP addresses (both families).
+.IP
+\fI<IP4>\fR - regex for IPv4 addresses.
+.IP
+\fI<IP6>\fR - regex for IPv6 addresses (also IP enclosed in brackets).
+.IP
+\fI<DNS>\fR - regex to match hostnames.
+.IP
+\fI<CIDR>\fR - helper regex to match CIDR (simple integer form of net-mask).
+.IP
+\fI<SUBNET>\fR - regex to match sub-net adresses (in form of IP/CIDR, also single IP is matched, so part /CIDR is optional).
+.RE
+.TP
 For multiline regexs the tag \fI<SKIPLINES>\fR should be used to separate lines. This allows lines between the matched lines to continue to be searched for other failures. The tag can be used multiple times.

 .TP