ENH: Add usedns parameter for the jails

following commits were squashed from feature branch use_dns

commit 068c105eb5
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 22:19:04 2012 -0500

    Prevent warning when IP is read from log

commit 635ed36a8c
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 22:17:08 2012 -0500

    Removed logDebug

commit 24656d2812
Merge: 7957fbe c429f5c
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 21:13:11 2012 -0500

    Merge branch 'enh/use_dns' of github:leeclemens/fail2ban into enh/use_dns

    Conflicts:
    	testcases/filtertestcase.py

commit 7957fbe821
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 21:09:58 2012 -0500

    filtertestcase fixes from yarikoptic

commit 6ce9d04640
Author: Yaroslav Halchenko <debian@onerussian.com>
Date:   Tue Jan 10 19:26:05 2012 -0500

    RF: for consistency use_dns -> usedns

    I guess the inconsistency was my fault for suggesting that name.
    Other options/commands do not have _ in the names, so let it be
    consistent with the rest for now

commit cfb2c75b49
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 19:18:41 2012 -0500

    Updated DNSUtilsTests to test use_dns and added positive test to testTextToIp

commit f6186eff14
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 19:02:04 2012 -0500

    Changed wording of 'DNS Reverse lookup used' message

commit 82c62d29dc
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 18:53:17 2012 -0500

    Removed extraneous "n"

commit dc0ae21932
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 23:07:59 2012 -0500

    ENH: use_dns - removed debugging statements

commit 594e25818c
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 22:53:39 2012 -0500

    Added use_dns protocol to set and get per jail during runtime

commit 48ff80ffac
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 22:41:18 2012 -0500

    Completed use_dns for initial startup - with debugging statements

commit 0bdab4c2d7
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 20:05:35 2012 -0500

    ENH: Added use_dns option

commit 6d6b734ea5
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 20:01:34 2012 -0500

    ENH: Added use_dns option

commit 11ad2b6125
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 19:17:30 2012 -0500

    Added useDns flag to testcase

commit b48fa9b6af
Author: Lee Clemens <java@leeclemens.net>
Date:   Sun Jan 8 15:13:27 2012 -0500

    Added use_dns option in jail.conf

commit c429f5c91a
Merge: 4b18afb 0021906
Author: leeclemens <java@leeclemens.net>
Date:   Tue Jan 10 16:32:22 2012 -0800

    Merge pull request #3 from yarikoptic/enh/use_dns

    let's be consistent ;-)

commit 0021906358
Author: Yaroslav Halchenko <debian@onerussian.com>
Date:   Tue Jan 10 19:26:05 2012 -0500

    RF: for consistency use_dns -> usedns

    I guess it was might fault of inconsistency suggesting that name.
    Other options/commands do not have _ in the names, so let it be
    consistent with the rest for now

commit 4b18afb28a
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 19:18:41 2012 -0500

    Updated DNSUtilsTests to test use_dns and added positive test to testTextToIp

commit 4fae37e46f
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 19:02:04 2012 -0500

    Changed wording of 'DNS Reverse lookup used' message

commit e94806ce48
Author: Lee Clemens <java@leeclemens.net>
Date:   Tue Jan 10 18:53:17 2012 -0500

    Removed extraneous "n"

commit 4d30c52907
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 23:07:59 2012 -0500

    ENH: use_dns - removed debugging statements

commit 76696d452a
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 22:53:39 2012 -0500

    Added use_dns protocol to set and get per jail during runtime

commit 0631618087
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 22:41:18 2012 -0500

    Completed use_dns for initial startup - with debugging statements

commit d23d495547
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 20:05:35 2012 -0500

    ENH: Added use_dns option

commit 9538553bc5
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 20:01:34 2012 -0500

    ENH: Added use_dns option

commit ae1e857e53
Author: Lee Clemens <java@leeclemens.net>
Date:   Mon Jan 9 19:17:30 2012 -0500

    Added useDns flag to testcase

commit ace43eb941
Author: Lee Clemens <java@leeclemens.net>
Date:   Sun Jan 8 15:13:27 2012 -0500

    Added use_dns option in jail.conf
pull/27/merge
Lee Clemens 2012-01-12 23:23:41 -05:00 committed by Yaroslav Halchenko
parent 35e9f6e464
commit d73a71f5cf
7 changed files with 82 additions and 20 deletions


@ -65,6 +65,7 @@ class JailReader(ConfigReader):
["int", "maxretry", 3], ["int", "maxretry", 3],
["int", "findtime", 600], ["int", "findtime", 600],
["int", "bantime", 600], ["int", "bantime", 600],
["string", "usedns", "warn"],
["string", "failregex", None], ["string", "failregex", None],
["string", "ignoreregex", None], ["string", "ignoreregex", None],
["string", "ignoreip", None], ["string", "ignoreip", None],
@ -122,6 +123,8 @@ class JailReader(ConfigReader):
stream.append(["set", self.__name, "findtime", self.__opts[opt]]) stream.append(["set", self.__name, "findtime", self.__opts[opt]])
elif opt == "bantime": elif opt == "bantime":
stream.append(["set", self.__name, "bantime", self.__opts[opt]]) stream.append(["set", self.__name, "bantime", self.__opts[opt]])
elif opt == "usedns":
stream.append(["set", self.__name, "usedns", self.__opts[opt]])
elif opt == "failregex": elif opt == "failregex":
stream.append(["set", self.__name, "addfailregex", self.__opts[opt]]) stream.append(["set", self.__name, "addfailregex", self.__opts[opt]])
elif opt == "ignoreregex": elif opt == "ignoreregex":


@ -62,6 +62,7 @@ protocol = [
["set <JAIL> delignoreregex <INDEX>", "removes the regular expression at <INDEX> for ignoreregex"], ["set <JAIL> delignoreregex <INDEX>", "removes the regular expression at <INDEX> for ignoreregex"],
["set <JAIL> findtime <TIME>", "sets the number of seconds <TIME> for which the filter will look back for <JAIL>"], ["set <JAIL> findtime <TIME>", "sets the number of seconds <TIME> for which the filter will look back for <JAIL>"],
["set <JAIL> bantime <TIME>", "sets the number of seconds <TIME> a host will be banned for <JAIL>"], ["set <JAIL> bantime <TIME>", "sets the number of seconds <TIME> a host will be banned for <JAIL>"],
["set <JAIL> usedns <VALUE>", "sets the usedns mode for <JAIL>"],
["set <JAIL> banip <IP>", "manually Ban <IP> for <JAIL>"], ["set <JAIL> banip <IP>", "manually Ban <IP> for <JAIL>"],
["set <JAIL> maxretry <RETRY>", "sets the number of failures <RETRY> before banning the host for <JAIL>"], ["set <JAIL> maxretry <RETRY>", "sets the number of failures <RETRY> before banning the host for <JAIL>"],
["set <JAIL> addaction <ACT>", "adds a new action named <NAME> for <JAIL>"], ["set <JAIL> addaction <ACT>", "adds a new action named <NAME> for <JAIL>"],
@ -80,6 +81,7 @@ protocol = [
["get <JAIL> ignoreregex", "gets the list of regular expressions which matches patterns to ignore for <JAIL>"], ["get <JAIL> ignoreregex", "gets the list of regular expressions which matches patterns to ignore for <JAIL>"],
["get <JAIL> findtime", "gets the time for which the filter will look back for failures for <JAIL>"], ["get <JAIL> findtime", "gets the time for which the filter will look back for failures for <JAIL>"],
["get <JAIL> bantime", "gets the time a host is banned for <JAIL>"], ["get <JAIL> bantime", "gets the time a host is banned for <JAIL>"],
["get <JAIL> usedns", "gets the usedns setting for <JAIL>"],
["get <JAIL> maxretry", "gets the number of failures allowed for <JAIL>"], ["get <JAIL> maxretry", "gets the number of failures allowed for <JAIL>"],
["get <JAIL> addaction", "gets the last action which has been added for <JAIL>"], ["get <JAIL> addaction", "gets the last action which has been added for <JAIL>"],
["get <JAIL> actionstart <ACT>", "gets the start command for the action <ACT> for <JAIL>"], ["get <JAIL> actionstart <ACT>", "gets the start command for the action <ACT> for <JAIL>"],
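Review bot: The help text for `set <JAIL> usedns <VALUE>` does not list the accepted values, so someone using the client has to read jail.conf to learn them. Suggest `"sets the usedns mode (yes, warn or no) for <JAIL>"`. The `get` entry calls the same thing a "setting" while the `set` entry calls it a "mode"; pick one word for both.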


@ -38,6 +38,16 @@ maxretry = 3
# pyinotify, gamin, polling. # pyinotify, gamin, polling.
backend = auto backend = auto
# "usedns" specifies if jails should trust hostnames in logs,
# warn when reverse DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a reverse DNS lookup will be performed.
# warn: if a hostname is encountered, a reverse DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn
# This jail corresponds to the standard configuration in Fail2ban 0.6. # This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request # The mail-whois action send a notification e-mail with a whois request
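Review bot: The comment for `no` promises that a hostname "will be logged as info", but the textToIp change visible on this page returns in that mode without logging anything, so either the comment or the code should change. The comment also never says why an operator would choose `no`: the address that ends up banned comes from resolving a name taken from the log, and that name may be under the remote party's control through its own DNS records. One sentence stating this would help people pick a mode. "reverse DNS lookup" is misleading as well, since the name found in the log is resolved forward to an address.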


@ -64,6 +64,8 @@ class Filter(JailThread):
self.__failRegex = list() self.__failRegex = list()
## The regular expression list with expressions to ignore. ## The regular expression list with expressions to ignore.
self.__ignoreRegex = list() self.__ignoreRegex = list()
## Use DNS setting
self.__useDns = "warn"
## The amount of time to look back. ## The amount of time to look back.
self.__findTime = 6000 self.__findTime = 6000
## The ignore IP list. ## The ignore IP list.
@ -139,6 +141,20 @@ class Filter(JailThread):
ignoreRegex.append(regex.getRegex()) ignoreRegex.append(regex.getRegex())
return ignoreRegex return ignoreRegex
##
# Set the Use DNS mode
# @param value the usedns mode
def setUseDns(self, value):
self.__useDns = value
##
# Get the usedns mode
# @return the usedns mode
def getUseDns(self):
return self.__useDns
## ##
# Set the time needed to find a failure. # Set the time needed to find a failure.
# #
@ -325,7 +341,7 @@ class Filter(JailThread):
else: else:
try: try:
host = failRegex.getHost() host = failRegex.getHost()
ipMatch = DNSUtils.textToIp(host) ipMatch = DNSUtils.textToIp(host, self.__useDns)
if ipMatch: if ipMatch:
for ip in ipMatch: for ip in ipMatch:
failList.append([ip, date]) failList.append([ip, date])
@ -564,13 +580,17 @@ class DNSUtils:
isValidIP = staticmethod(isValidIP) isValidIP = staticmethod(isValidIP)
#@staticmethod #@staticmethod
def textToIp(text): def textToIp(text, useDns):
""" Return the IP of DNS found in a given text. """ Return the IP of DNS found in a given text.
""" """
if useDns == "no":
return None
else:
logSys.debug("usedns = %s" % useDns)
ipList = list() ipList = list()
# Search for plain IP # Search for plain IP
plainIP = DNSUtils.searchIP(text) plainIP = DNSUtils.searchIP(text)
if not plainIP == None: if not plainIP is None:
plainIPStr = plainIP.group(0) plainIPStr = plainIP.group(0)
if DNSUtils.isValidIP(plainIPStr): if DNSUtils.isValidIP(plainIPStr):
ipList.append(plainIPStr) ipList.append(plainIPStr)
@ -579,6 +599,9 @@ class DNSUtils:
ip = DNSUtils.dnsToIp(text) ip = DNSUtils.dnsToIp(text)
for e in ip: for e in ip:
ipList.append(e) ipList.append(e)
if useDns == "warn":
logSys.warning("Determined IP using DNS Reverse Lookup: %s = %s",
text, ipList)
return ipList return ipList
textToIp = staticmethod(textToIp) textToIp = staticmethod(textToIp)
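Review bot: As rendered here (indentation is lost on this page), the new `if useDns == "no": return None` in textToIp sits before the plain-IP search, so with `usedns = no` a log line that already contains a literal IP address would also yield nothing and never reach failList. If that ordering is real, keep the searchIP/isValidIP step unconditional and gate only the dnsToIp fallback, e.g. `if useDns in ("yes", "warn") and not ipList:`, returning ipList in every mode. That also keeps the return type a list instead of None for one mode only. The warning text says "DNS Reverse Lookup", but the visible code resolves a name from the log to addresses through dnsToIp, so "hostname lookup" would describe it more accurately.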


@ -204,6 +204,12 @@ class Server:
def getIgnoreRegex(self, name): def getIgnoreRegex(self, name):
return self.__jails.getFilter(name).getIgnoreRegex() return self.__jails.getFilter(name).getIgnoreRegex()
def setUseDns(self, name, value):
self.__jails.getFilter(name).setUseDns(value)
def getUseDns(self, name):
return self.__jails.getFilter(name).getUseDns()
def setMaxRetry(self, name, value): def setMaxRetry(self, name, value):
self.__jails.getFilter(name).setMaxRetry(value) self.__jails.getFilter(name).setMaxRetry(value)


@ -154,6 +154,10 @@ class Transmitter:
value = int(command[2]) value = int(command[2])
self.__server.delIgnoreRegex(name, value) self.__server.delIgnoreRegex(name, value)
return self.__server.getIgnoreRegex(name) return self.__server.getIgnoreRegex(name)
elif command[1] == "usedns":
value = command[2]
self.__server.setUseDns(name, value)
return self.__server.getUseDns(name)
elif command[1] == "findtime": elif command[1] == "findtime":
value = command[2] value = command[2]
self.__server.setFindTime(name, int(value)) self.__server.setFindTime(name, int(value))
@ -231,6 +235,8 @@ class Transmitter:
return self.__server.getFailRegex(name) return self.__server.getFailRegex(name)
elif command[1] == "ignoreregex": elif command[1] == "ignoreregex":
return self.__server.getIgnoreRegex(name) return self.__server.getIgnoreRegex(name)
elif command[1] == "usedns":
return self.__server.getUseDns(name)
elif command[1] == "findtime": elif command[1] == "findtime":
return self.__server.getFindTime(name) return self.__server.getFindTime(name)
elif command[1] == "maxretry": elif command[1] == "maxretry":
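Review bot: The `set <JAIL> usedns` branch passes `command[2]` to setUseDns unchecked, and Filter.setUseDns in this commit stores whatever it is given. Because textToIp compares only against "no" and "warn", any other string (a typo, "No", "off") silently behaves like "yes": names from the log are resolved and used for banning with no warning logged. Reject unknown values at this boundary, for example `if value not in ("yes", "warn", "no"): raise ValueError("usedns must be yes, warn or no")`; how Transmitter reports errors to the client is not visible in this hunk, so adapt the failure path to that. The value JailReader reads from jail.conf appears to reach the same setter, so doing the check inside setUseDns would cover both paths.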


@ -222,12 +222,24 @@ class GetFailures(unittest.TestCase):
class DNSUtilsTests(unittest.TestCase): class DNSUtilsTests(unittest.TestCase):
def testUseDns(self):
res = DNSUtils.textToIp('www.example.com', 'no')
self.assertEqual(res, None)
res = DNSUtils.textToIp('www.example.com', 'warn')
self.assertEqual(res, ['192.0.43.10'])
res = DNSUtils.textToIp('www.example.com', 'yes')
self.assertEqual(res, ['192.0.43.10'])
def testTextToIp(self): def testTextToIp(self):
# Bogus addresses which should have no DNS matches # Test hostnames
bogus = [ hostnames = [
'www.example.com',
'doh1.2.3.4.buga.xxxxx.yyy.invalid', 'doh1.2.3.4.buga.xxxxx.yyy.invalid',
'1.2.3.4.buga.xxxxx.yyy.invalid', '1.2.3.4.buga.xxxxx.yyy.invalid',
] ]
for s in bogus: for s in hostnames:
res = DNSUtils.textToIp(s) res = DNSUtils.textToIp(s, 'yes')
if s == 'www.example.com':
self.assertEqual(res, ['192.0.43.10'])
else:
self.assertEqual(res, []) self.assertEqual(res, [])
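Review bot: testUseDns and the new www.example.com case in testTextToIp assert the literal address `192.0.43.10`, so the suite needs a working resolver and will fail whenever that record changes or the build host is offline. Stub DNSUtils.dnsToIp for these cases, or skip them when name resolution is unavailable, and assert on the stubbed result. There is also no case that passes a literal IP such as `'1.2.3.4'` with usedns set to `'no'`; adding one would pin down whether addresses already present in the log are still returned in that mode.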