ENH: Add usedns parameter for the jails

following commits were squashed from feature branch use_dns commit 068c105eb5 Author: Lee Clemens <java@leeclemens.net> Date: Tue Jan 10 22:19:04 2012 -0500 Prevent warning when IP is read from log commit 635ed36a8c Author: Lee Clemens <java@leeclemens.net> Date: Tue Jan 10 22:17:08 2012 -0500 Removed logDebug commit 24656d2812 Merge: 7957fbe c429f5c Author: Lee Clemens <java@leeclemens.net> Date: Tue Jan 10 21:13:11 2012 -0500 Merge branch 'enh/use_dns' of github:leeclemens/fail2ban into enh/use_dns Conflicts: testcases/filtertestcase.py commit 7957fbe821 Author: Lee Clemens <java@leeclemens.net> Date: Tue Jan 10 21:09:58 2012 -0500 filtertestcase fixes from yarikoptic commit 6ce9d04640 Author: Yaroslav Halchenko <debian@onerussian.com> Date: Tue Jan 10 19:26:05 2012 -0500 RF: for consistency use_dns -> usedns I guess it was might fault of inconsistency suggesting that name. Other options/commands do not have _ in the names, so let it be consistent with the rest for now commit cfb2c75b49 Author: Lee Clemens <java@leeclemens.net> Date: Tue Jan 10 19:18:41 2012 -0500 Updated DNSUtilsTests to test use_dns and added positive test to testTextToIp commit f6186eff14 Author: Lee Clemens <java@leeclemens.net> Date: Tue Jan 10 19:02:04 2012 -0500 Changed wording of 'DNS Reverse lookup used' message commit 82c62d29dc Author: Lee Clemens <java@leeclemens.net> Date: Tue Jan 10 18:53:17 2012 -0500 Removed extraneous "n" commit dc0ae21932 Author: Lee Clemens <java@leeclemens.net> Date: Mon Jan 9 23:07:59 2012 -0500 ENH: use_dns - removed debugging statements commit 594e25818c Author: Lee Clemens <java@leeclemens.net> Date: Mon Jan 9 22:53:39 2012 -0500 Added use_dns protocol to set and get per jail during runtime commit 48ff80ffac Author: Lee Clemens <java@leeclemens.net> Date: Mon Jan 9 22:41:18 2012 -0500 Completed use_dns for initial startup - with debugging statements commit 0bdab4c2d7 Author: Lee Clemens <java@leeclemens.net> Date: Mon Jan 9 20:05:35 2012 -0500 ENH: Added use_dns option commit 6d6b734ea5 Author: Lee Clemens <java@leeclemens.net> Date: Mon Jan 9 20:01:34 2012 -0500 ENH: Added use_dns option commit 11ad2b6125 Author: Lee Clemens <java@leeclemens.net> Date: Mon Jan 9 19:17:30 2012 -0500 Added useDns flag to testcase commit b48fa9b6af Author: Lee Clemens <java@leeclemens.net> Date: Sun Jan 8 15:13:27 2012 -0500 Added use_dns option in jail.conf commit c429f5c91a Merge: 4b18afb 0021906 Author: leeclemens <java@leeclemens.net> Date: Tue Jan 10 16:32:22 2012 -0800 Merge pull request #3 from yarikoptic/enh/use_dns let's be consistent ;-) commit 0021906358 Author: Yaroslav Halchenko <debian@onerussian.com> Date: Tue Jan 10 19:26:05 2012 -0500 RF: for consistency use_dns -> usedns I guess it was might fault of inconsistency suggesting that name. Other options/commands do not have _ in the names, so let it be consistent with the rest for now commit 4b18afb28a Author: Lee Clemens <java@leeclemens.net> Date: Tue Jan 10 19:18:41 2012 -0500 Updated DNSUtilsTests to test use_dns and added positive test to testTextToIp commit 4fae37e46f Author: Lee Clemens <java@leeclemens.net> Date: Tue Jan 10 19:02:04 2012 -0500 Changed wording of 'DNS Reverse lookup used' message commit e94806ce48 Author: Lee Clemens <java@leeclemens.net> Date: Tue Jan 10 18:53:17 2012 -0500 Removed extraneous "n" commit 4d30c52907 Author: Lee Clemens <java@leeclemens.net> Date: Mon Jan 9 23:07:59 2012 -0500 ENH: use_dns - removed debugging statements commit 76696d452a Author: Lee Clemens <java@leeclemens.net> Date: Mon Jan 9 22:53:39 2012 -0500 Added use_dns protocol to set and get per jail during runtime commit 0631618087 Author: Lee Clemens <java@leeclemens.net> Date: Mon Jan 9 22:41:18 2012 -0500 Completed use_dns for initial startup - with debugging statements commit d23d495547 Author: Lee Clemens <java@leeclemens.net> Date: Mon Jan 9 20:05:35 2012 -0500 ENH: Added use_dns option commit 9538553bc5 Author: Lee Clemens <java@leeclemens.net> Date: Mon Jan 9 20:01:34 2012 -0500 ENH: Added use_dns option commit ae1e857e53 Author: Lee Clemens <java@leeclemens.net> Date: Mon Jan 9 19:17:30 2012 -0500 Added useDns flag to testcase commit ace43eb941 Author: Lee Clemens <java@leeclemens.net> Date: Sun Jan 8 15:13:27 2012 -0500 Added use_dns option in jail.conf
2012-01-12 23:23:41 -05:00 · 2012-01-12 23:23:41 -05:00 · d73a71f5cf
parent 35e9f6e464
commit d73a71f5cf
7 changed files with 82 additions and 20 deletions
--- a/client/jailreader.py
+++ b/client/jailreader.py
@ -65,6 +65,7 @@ class JailReader(ConfigReader):
 				["int", "maxretry", 3],
 				["int", "findtime", 600],
 				["int", "bantime", 600],
 				["string", "usedns", "warn"],
 				["string", "failregex", None],
 				["string", "ignoreregex", None],
 				["string", "ignoreip", None],
@ -122,6 +123,8 @@ class JailReader(ConfigReader):
 				stream.append(["set", self.__name, "findtime", self.__opts[opt]])
 			elif opt == "bantime":
 				stream.append(["set", self.__name, "bantime", self.__opts[opt]])
 			elif opt == "usedns":
 				stream.append(["set", self.__name, "usedns", self.__opts[opt]])
 			elif opt == "failregex":
 				stream.append(["set", self.__name, "addfailregex", self.__opts[opt]])
 			elif opt == "ignoreregex":
--- a/common/protocol.py
+++ b/common/protocol.py
@ -62,6 +62,7 @@ protocol = [
 ["set <JAIL> delignoreregex <INDEX>", "removes the regular expression at <INDEX> for ignoreregex"], 
 ["set <JAIL> findtime <TIME>", "sets the number of seconds <TIME> for which the filter will look back for <JAIL>"], 
 ["set <JAIL> bantime <TIME>", "sets the number of seconds <TIME> a host will be banned for <JAIL>"], 
 ["set <JAIL> usedns <VALUE>", "sets the usedns mode for <JAIL>"],
 ["set <JAIL> banip <IP>", "manually Ban <IP> for <JAIL>"], 
 ["set <JAIL> maxretry <RETRY>", "sets the number of failures <RETRY> before banning the host for <JAIL>"], 
 ["set <JAIL> addaction <ACT>", "adds a new action named <NAME> for <JAIL>"], 
@ -80,6 +81,7 @@ protocol = [
 ["get <JAIL> ignoreregex", "gets the list of regular expressions which matches patterns to ignore for <JAIL>"],
 ["get <JAIL> findtime", "gets the time for which the filter will look back for failures for <JAIL>"],
 ["get <JAIL> bantime", "gets the time a host is banned for <JAIL>"],
 ["get <JAIL> usedns", "gets the usedns setting for <JAIL>"],
 ["get <JAIL> maxretry", "gets the number of failures allowed for <JAIL>"],
 ["get <JAIL> addaction", "gets the last action which has been added for <JAIL>"],
 ["get <JAIL> actionstart <ACT>", "gets the start command for the action <ACT> for <JAIL>"],
--- a/config/jail.conf
+++ b/config/jail.conf
@ -38,6 +38,16 @@ maxretry = 3
 #              pyinotify, gamin, polling.
 backend = auto
 # "usedns" specifies if jails should trust hostnames in logs,
 #   warn when reverse DNS lookups are performed, or ignore all hostnames in logs
 #
 # yes:   if a hostname is encountered, a reverse DNS lookup will be performed.
 # warn:  if a hostname is encountered, a reverse DNS lookup will be performed, 
 #        but it will be logged as a warning.
 # no:    if a hostname is encountered, will not be used for banning,
 #        but it will be logged as info.
 usedns = warn
 # This jail corresponds to the standard configuration in Fail2ban 0.6.
 # The mail-whois action send a notification e-mail with a whois request
--- a/server/filter.py
+++ b/server/filter.py
@ -64,6 +64,8 @@ class Filter(JailThread):
 		self.__failRegex = list()
 		## The regular expression list with expressions to ignore.
 		self.__ignoreRegex = list()
 		## Use DNS setting
 		self.__useDns = "warn"
 		## The amount of time to look back.
 		self.__findTime = 6000
 		## The ignore IP list.
@ -139,6 +141,20 @@ class Filter(JailThread):
 			ignoreRegex.append(regex.getRegex())
 		return ignoreRegex
 	##
 	# Set the Use DNS mode
 	# @param value the usedns mode
 	def setUseDns(self, value):
 		self.__useDns = value
 	##
 	# Get the usedns mode
 	# @return the usedns mode
 	def getUseDns(self):
 		return self.__useDns
 	##
 	# Set the time needed to find a failure.
 	#
@ -325,7 +341,7 @@ class Filter(JailThread):
 				else:
 					try:
 						host = failRegex.getHost()
-						ipMatch = DNSUtils.textToIp(host)
+						ipMatch = DNSUtils.textToIp(host, self.__useDns)
 						if ipMatch:
 							for ip in ipMatch:
 								failList.append([ip, date])
@ -564,22 +580,29 @@ class DNSUtils:
 	isValidIP = staticmethod(isValidIP)
 	#@staticmethod
-	def textToIp(text):
+	def textToIp(text, useDns):
 		""" Return the IP of DNS found in a given text.
 		"""
-		ipList = list()
+		if useDns == "no":
-		# Search for plain IP
+			return None
-		plainIP = DNSUtils.searchIP(text)
+		else:
-		if not plainIP == None:
+			logSys.debug("usedns = %s" % useDns)
-			plainIPStr = plainIP.group(0)
+			ipList = list()
-			if DNSUtils.isValidIP(plainIPStr):
+			# Search for plain IP
-				ipList.append(plainIPStr)
+			plainIP = DNSUtils.searchIP(text)
-		if not ipList:
+			if not plainIP is None:
-			# Try to get IP from possible DNS
+				plainIPStr = plainIP.group(0)
-			ip = DNSUtils.dnsToIp(text)
+				if DNSUtils.isValidIP(plainIPStr):
-			for e in ip:
+					ipList.append(plainIPStr)
-				ipList.append(e)
+			if not ipList:
-		return ipList
+				# Try to get IP from possible DNS
 				ip = DNSUtils.dnsToIp(text)
 				for e in ip:
 					ipList.append(e)
 				if useDns == "warn":
 					logSys.warning("Determined IP using DNS Reverse Lookup: %s = %s",
 						text, ipList)
 			return ipList
 	textToIp = staticmethod(textToIp)
 	#@staticmethod
--- a/server/server.py
+++ b/server/server.py
@ -204,6 +204,12 @@ class Server:
 	def getIgnoreRegex(self, name):
 		return self.__jails.getFilter(name).getIgnoreRegex()
 	def setUseDns(self, name, value):
 		self.__jails.getFilter(name).setUseDns(value)
 	def getUseDns(self, name):
 		return self.__jails.getFilter(name).getUseDns()
 	def setMaxRetry(self, name, value):
 		self.__jails.getFilter(name).setMaxRetry(value)
--- a/server/transmitter.py
+++ b/server/transmitter.py
@ -154,6 +154,10 @@ class Transmitter:
 			value = int(command[2])
 			self.__server.delIgnoreRegex(name, value)
 			return self.__server.getIgnoreRegex(name)
 		elif command[1] == "usedns":
 			value = command[2]
 			self.__server.setUseDns(name, value)
 			return self.__server.getUseDns(name)
 		elif command[1] == "findtime":
 			value = command[2]
 			self.__server.setFindTime(name, int(value))
@ -231,6 +235,8 @@ class Transmitter:
 			return self.__server.getFailRegex(name)
 		elif command[1] == "ignoreregex":
 			return self.__server.getIgnoreRegex(name)
 		elif command[1] == "usedns":
 			return self.__server.getUseDns(name)
 		elif command[1] == "findtime":
 			return self.__server.getFindTime(name)
 		elif command[1] == "maxretry":
--- a/testcases/filtertestcase.py
+++ b/testcases/filtertestcase.py
@ -222,12 +222,24 @@ class GetFailures(unittest.TestCase):
 class DNSUtilsTests(unittest.TestCase):
 	def testUseDns(self):
 		res = DNSUtils.textToIp('www.example.com', 'no')
 		self.assertEqual(res, None)
 		res = DNSUtils.textToIp('www.example.com', 'warn')
 		self.assertEqual(res, ['192.0.43.10'])
 		res = DNSUtils.textToIp('www.example.com', 'yes')
 		self.assertEqual(res, ['192.0.43.10'])
 	def testTextToIp(self):
-		# Bogus addresses which should have no DNS matches
+		# Test hostnames
-		bogus = [
+		hostnames = [
 			'www.example.com',
 			'doh1.2.3.4.buga.xxxxx.yyy.invalid',
 			'1.2.3.4.buga.xxxxx.yyy.invalid',
 			]
-		for s in bogus:
+		for s in hostnames:
-			res = DNSUtils.textToIp(s)
+			res = DNSUtils.textToIp(s, 'yes')
-			self.assertEqual(res, [])
+			if s == 'www.example.com':
 				self.assertEqual(res, ['192.0.43.10'])
 			else:
 				self.assertEqual(res, [])