ENH: Add usedns parameter for the jails

following commits were squashed from feature branch use_dns

commit 068c105eb5
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 22:19:04 2012 -0500

    Prevent warning when IP is read from log

commit 635ed36a8c
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 22:17:08 2012 -0500

    Removed logDebug

commit 24656d2812
Merge: 7957fbe c429f5c
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 21:13:11 2012 -0500

    Merge branch 'enh/use_dns' of github:leeclemens/fail2ban into enh/use_dns

    Conflicts:
    	testcases/filtertestcase.py

commit 7957fbe821
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 21:09:58 2012 -0500

    filtertestcase fixes from yarikoptic

commit 6ce9d04640
Author: Yaroslav Halchenko <debian@onerussian.com>
Date:   Tue Jan 10 19:26:05 2012 -0500

    RF: for consistency use_dns -> usedns

    I guess it was might fault of inconsistency suggesting that name.
    Other options/commands do not have _ in the names, so let it be
    consistent with the rest for now

commit cfb2c75b49
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 19:18:41 2012 -0500

    Updated DNSUtilsTests to test use_dns and added positive test to testTextToIp

commit f6186eff14
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 19:02:04 2012 -0500

    Changed wording of 'DNS Reverse lookup used' message

commit 82c62d29dc
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 18:53:17 2012 -0500

    Removed extraneous "n"

commit dc0ae21932
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 23:07:59 2012 -0500

    ENH: use_dns - removed debugging statements

commit 594e25818c
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 22:53:39 2012 -0500

    Added use_dns protocol to set and get per jail during runtime

commit 48ff80ffac
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 22:41:18 2012 -0500

    Completed use_dns for initial startup - with debugging statements

commit 0bdab4c2d7
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 20:05:35 2012 -0500

    ENH: Added use_dns option

commit 6d6b734ea5
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 20:01:34 2012 -0500

    ENH: Added use_dns option

commit 11ad2b6125
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 19:17:30 2012 -0500

    Added useDns flag to testcase

commit b48fa9b6af
Author: Lee Clemens <java@leeclemens.net>
Date:   Sun Jan 8 15:13:27 2012 -0500

    Added use_dns option in jail.conf

commit c429f5c91a
Merge: 4b18afb 0021906
Author: leeclemens <java@leeclemens.net>
Date:   Tue Jan 10 16:32:22 2012 -0800

    Merge pull request #3 from yarikoptic/enh/use_dns

    let's be consistent ;-)

commit 0021906358
Author: Yaroslav Halchenko <debian@onerussian.com>
Date:   Tue Jan 10 19:26:05 2012 -0500

    RF: for consistency use_dns -> usedns

    I guess it was might fault of inconsistency suggesting that name.
    Other options/commands do not have _ in the names, so let it be
    consistent with the rest for now

commit 4b18afb28a
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 19:18:41 2012 -0500

    Updated DNSUtilsTests to test use_dns and added positive test to testTextToIp

commit 4fae37e46f
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 19:02:04 2012 -0500

    Changed wording of 'DNS Reverse lookup used' message

commit e94806ce48
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 18:53:17 2012 -0500

    Removed extraneous "n"

commit 4d30c52907
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 23:07:59 2012 -0500

    ENH: use_dns - removed debugging statements

commit 76696d452a
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 22:53:39 2012 -0500

    Added use_dns protocol to set and get per jail during runtime

commit 0631618087
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 22:41:18 2012 -0500

    Completed use_dns for initial startup - with debugging statements

commit d23d495547
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 20:05:35 2012 -0500

    ENH: Added use_dns option

commit 9538553bc5
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 20:01:34 2012 -0500

    ENH: Added use_dns option

commit ae1e857e53
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 19:17:30 2012 -0500

    Added useDns flag to testcase

commit ace43eb941
Author: Lee Clemens <java@leeclemens.net>
Date:   Sun Jan 8 15:13:27 2012 -0500

    Added use_dns option in jail.conf

client/jailreader.py

@@ -65,6 +65,7 @@ class JailReader(ConfigReader):
 				["int", "maxretry", 3],
 				["int", "findtime", 600],
 				["int", "bantime", 600],
+				["string", "usedns", "warn"],
 				["string", "failregex", None],
 				["string", "ignoreregex", None],
 				["string", "ignoreip", None],
@@ -122,6 +123,8 @@ class JailReader(ConfigReader):
 				stream.append(["set", self.__name, "findtime", self.__opts[opt]])
 			elif opt == "bantime":
 				stream.append(["set", self.__name, "bantime", self.__opts[opt]])
+			elif opt == "usedns":
+				stream.append(["set", self.__name, "usedns", self.__opts[opt]])
 			elif opt == "failregex":
 				stream.append(["set", self.__name, "addfailregex", self.__opts[opt]])
 			elif opt == "ignoreregex":

common/protocol.py

@@ -62,6 +62,7 @@ protocol = [
 ["set <JAIL> delignoreregex <INDEX>", "removes the regular expression at <INDEX> for ignoreregex"], 
 ["set <JAIL> findtime <TIME>", "sets the number of seconds <TIME> for which the filter will look back for <JAIL>"], 
 ["set <JAIL> bantime <TIME>", "sets the number of seconds <TIME> a host will be banned for <JAIL>"], 
+["set <JAIL> usedns <VALUE>", "sets the usedns mode for <JAIL>"],
 ["set <JAIL> banip <IP>", "manually Ban <IP> for <JAIL>"], 
 ["set <JAIL> maxretry <RETRY>", "sets the number of failures <RETRY> before banning the host for <JAIL>"], 
 ["set <JAIL> addaction <ACT>", "adds a new action named <NAME> for <JAIL>"], 
@@ -80,6 +81,7 @@ protocol = [
 ["get <JAIL> ignoreregex", "gets the list of regular expressions which matches patterns to ignore for <JAIL>"],
 ["get <JAIL> findtime", "gets the time for which the filter will look back for failures for <JAIL>"],
 ["get <JAIL> bantime", "gets the time a host is banned for <JAIL>"],
+["get <JAIL> usedns", "gets the usedns setting for <JAIL>"],
 ["get <JAIL> maxretry", "gets the number of failures allowed for <JAIL>"],
 ["get <JAIL> addaction", "gets the last action which has been added for <JAIL>"],
 ["get <JAIL> actionstart <ACT>", "gets the start command for the action <ACT> for <JAIL>"],

config/jail.conf

@@ -38,6 +38,16 @@ maxretry = 3
 #              pyinotify, gamin, polling.
 backend = auto
 
+# "usedns" specifies if jails should trust hostnames in logs,
+#   warn when reverse DNS lookups are performed, or ignore all hostnames in logs
+#
+# yes:   if a hostname is encountered, a reverse DNS lookup will be performed.
+# warn:  if a hostname is encountered, a reverse DNS lookup will be performed, 
+#        but it will be logged as a warning.
+# no:    if a hostname is encountered, will not be used for banning,
+#        but it will be logged as info.
+usedns = warn
+
 
 # This jail corresponds to the standard configuration in Fail2ban 0.6.
 # The mail-whois action send a notification e-mail with a whois request

server/filter.py

@@ -64,6 +64,8 @@ class Filter(JailThread):
 		self.__failRegex = list()
 		## The regular expression list with expressions to ignore.
 		self.__ignoreRegex = list()
+		## Use DNS setting
+		self.__useDns = "warn"
 		## The amount of time to look back.
 		self.__findTime = 6000
 		## The ignore IP list.
@@ -139,6 +141,20 @@ class Filter(JailThread):
 			ignoreRegex.append(regex.getRegex())
 		return ignoreRegex
 	
+	##
+	# Set the Use DNS mode
+	# @param value the usedns mode
+	
+	def setUseDns(self, value):
+		self.__useDns = value
+	
+	##
+	# Get the usedns mode
+	# @return the usedns mode
+	
+	def getUseDns(self):
+		return self.__useDns
+	
 	##
 	# Set the time needed to find a failure.
 	#
@@ -325,7 +341,7 @@ class Filter(JailThread):
 				else:
 					try:
 						host = failRegex.getHost()
-						ipMatch = DNSUtils.textToIp(host)
+						ipMatch = DNSUtils.textToIp(host, self.__useDns)
 						if ipMatch:
 							for ip in ipMatch:
 								failList.append([ip, date])
@@ -564,22 +580,29 @@ class DNSUtils:
 	isValidIP = staticmethod(isValidIP)
 	
 	#@staticmethod
-	def textToIp(text):
+	def textToIp(text, useDns):
 		""" Return the IP of DNS found in a given text.
 		"""
-		ipList = list()
-		# Search for plain IP
-		plainIP = DNSUtils.searchIP(text)
-		if not plainIP == None:
-			plainIPStr = plainIP.group(0)
-			if DNSUtils.isValidIP(plainIPStr):
-				ipList.append(plainIPStr)
-		if not ipList:
-			# Try to get IP from possible DNS
-			ip = DNSUtils.dnsToIp(text)
-			for e in ip:
-				ipList.append(e)
-		return ipList
+		if useDns == "no":
+			return None
+		else:
+			logSys.debug("usedns = %s" % useDns)
+			ipList = list()
+			# Search for plain IP
+			plainIP = DNSUtils.searchIP(text)
+			if not plainIP is None:
+				plainIPStr = plainIP.group(0)
+				if DNSUtils.isValidIP(plainIPStr):
+					ipList.append(plainIPStr)
+			if not ipList:
+				# Try to get IP from possible DNS
+				ip = DNSUtils.dnsToIp(text)
+				for e in ip:
+					ipList.append(e)
+				if useDns == "warn":
+					logSys.warning("Determined IP using DNS Reverse Lookup: %s = %s",
+						text, ipList)
+			return ipList
 	textToIp = staticmethod(textToIp)
 	
 	#@staticmethod

server/server.py

@@ -204,6 +204,12 @@ class Server:
 	def getIgnoreRegex(self, name):
 		return self.__jails.getFilter(name).getIgnoreRegex()
 	
+	def setUseDns(self, name, value):
+		self.__jails.getFilter(name).setUseDns(value)
+	
+	def getUseDns(self, name):
+		return self.__jails.getFilter(name).getUseDns()
+	
 	def setMaxRetry(self, name, value):
 		self.__jails.getFilter(name).setMaxRetry(value)
 	

server/transmitter.py

@@ -154,6 +154,10 @@ class Transmitter:
 			value = int(command[2])
 			self.__server.delIgnoreRegex(name, value)
 			return self.__server.getIgnoreRegex(name)
+		elif command[1] == "usedns":
+			value = command[2]
+			self.__server.setUseDns(name, value)
+			return self.__server.getUseDns(name)
 		elif command[1] == "findtime":
 			value = command[2]
 			self.__server.setFindTime(name, int(value))
@@ -231,6 +235,8 @@ class Transmitter:
 			return self.__server.getFailRegex(name)
 		elif command[1] == "ignoreregex":
 			return self.__server.getIgnoreRegex(name)
+		elif command[1] == "usedns":
+			return self.__server.getUseDns(name)
 		elif command[1] == "findtime":
 			return self.__server.getFindTime(name)
 		elif command[1] == "maxretry":

testcases/filtertestcase.py

@@ -222,12 +222,24 @@ class GetFailures(unittest.TestCase):
 
 class DNSUtilsTests(unittest.TestCase):
 
+	def testUseDns(self):
+		res = DNSUtils.textToIp('www.example.com', 'no')
+		self.assertEqual(res, None)
+		res = DNSUtils.textToIp('www.example.com', 'warn')
+		self.assertEqual(res, ['192.0.43.10'])
+		res = DNSUtils.textToIp('www.example.com', 'yes')
+		self.assertEqual(res, ['192.0.43.10'])
+	
 	def testTextToIp(self):
-		# Bogus addresses which should have no DNS matches
-		bogus = [
+		# Test hostnames
+		hostnames = [
+			'www.example.com',
 			'doh1.2.3.4.buga.xxxxx.yyy.invalid',
 			'1.2.3.4.buga.xxxxx.yyy.invalid',
 			]
-		for s in bogus:
-			res = DNSUtils.textToIp(s)
-			self.assertEqual(res, [])
+		for s in hostnames:
+			res = DNSUtils.textToIp(s, 'yes')
+			if s == 'www.example.com':
+				self.assertEqual(res, ['192.0.43.10'])
+			else:
+				self.assertEqual(res, [])