remade handling of missing chains or other errors from IPTables

2005-10-12 14:16:52 +00:00 · 2005-10-12 14:16:52 +00:00 · da0bb74180
parent 03e7d722de
commit da0bb74180
3 changed files with 174 additions and 146 deletions
--- a/37
+++ b/37
@ -26,7 +26,7 @@ __date__ = "$Date: 2005/08/04 20:51:14 $"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
-import sys, traceback, logging, time
+import sys, traceback, logging
 # Appends our own modules path.
 sys.path.append("/usr/share/fail2ban")
@ -34,16 +34,6 @@ sys.path.append("/usr/share/fail2ban")
 # Now we can import our modules.
 import fail2ban
 from utils.pidlock import PIDLock
 from utils.process import ExternalError
 # Start the application. Handle all the unhandled exceptions
 # yoh: I don't think that this parameters need to be configured
 #      and probably maxRestarts should be removed
 legitRestartTime = 10				 # legitimate minimal restart time
 maxRestarts = 100			  # max number of times to perform restart
 lastRestartTime = time.time()
 restarts = 0
 # Get the instance of the logger.
 logSys = logging.getLogger("fail2ban")
@ -51,21 +41,9 @@ logSys = logging.getLogger("fail2ban")
 # Get PID lock file instance
 pidLock = PIDLock()
 # Start the application. Handle all the unhandled exceptions
 try:
-	while True:
+	fail2ban.main()
 		restarts += 1
 		try:
 			fail2ban.main(restarts>1)
 		except ExternalError, e:
 			# There went something wrong while dealing with Iptables. May be chain got
 			# removed?
 			logSys.error("Fail2Ban got a problem: " + e.__str__())
 			if (time.time() - lastRestartTime > legitRestartTime) and (restarts < maxRestarts):
 				logSys.error("Restarting for the %d time "%restarts)
 				lastRestartTime = time.time()
 			else:
 				logSys.error("Exiting: restarts follow too often, or too many restart attempts")
 				sys.exit(0)
 except SystemExit:
 	# We called sys.exit(). Nothing wrong so just pass
 	pass
@ -77,9 +55,6 @@ except Exception, e:
 	logSys.error("Type: " + `type.__name__` + "\n" +
 				 "Value: " + `e.args` + "\n" +
 				 "TB: " + `tbStack`)
-
+	# Remove the PID lock file. Should close #1239562
-# Remove the PID lock file. Should close #1239562
+	pidLock.remove()
-pidLock.remove()
+	logging.shutdown()
 logSys.info("Exiting...")
 logging.shutdown()
--- a/fail2ban.py
+++ b/fail2ban.py
@ -25,7 +25,7 @@ __date__ = "$Date: 2005/09/13 20:42:33 $"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
-import time, sys, getopt, os, string, signal, logging, logging.handlers
+import time, sys, getopt, os, string, signal, logging, logging.handlers, copy
 from ConfigParser import *
 from version import version
@ -92,12 +92,34 @@ def sigTERMhandler(signum, frame):
 	logSys.debug("Signal handler called with sig "+`signum`)
 	killApp()
 def initializeFwRules():
 	""" Initializes firewalls by running cmdstart and then
 	    fwstart for each section
 	"""
 	# Execute global start command
 	executeCmd(conf["cmdstart"], conf["debug"])
 	# Execute start command of each section
 	for element in logFwList:
 		l = element[4]
 		executeCmd(l["fwstart"], conf["debug"])
 def reBan():
 	""" For each section asks the Firewall to reban known IPs
 	"""
 	for element in logFwList:
 		element[2].reBan(conf["debug"])
 def restoreFwRules():
 	""" Flush the ban list
 	"""
 	logSys.warn("Restoring firewall rules...")
 	for element in logFwList:
-		element[2].flushBanList(conf["debug"])
+		try:
 			element[2].flushBanList(conf["debug"])
 		except ExternalError, e:
 			# nothing bad really - we can survive :-)
 			pass
 	# Execute end command of each section
 	for element in logFwList:
 		l = element[4]
@ -106,11 +128,15 @@ def restoreFwRules():
 	executeCmd(conf["cmdend"], conf["debug"])
 def killApp():
-	""" Flush the ban list, remove and exit
+	""" Flush the ban list, remove the PID lock file and exit
 		nicely.
 	"""
 	# Restore Fw rules
 	restoreFwRules()
 	# Remove the PID lock
 	pidLock.remove()
 	logSys.info("Exiting...")
 	logging.shutdown()
 	sys.exit(0)
 def getCmdLineOptions(optList):
@ -138,12 +164,9 @@ def getCmdLineOptions(optList):
 		if opt[0] == "-k":
 			conf["kill"] = True
-def main(secondaryStart):
+def main():
 	""" Fail2Ban main function
 	"""
 	# (re)Initialize global variables
 	logFwList.__init__()
 	conf.clear()
 	# Add the default logging handler
 	stdout = logging.StreamHandler(sys.stdout)
@ -218,110 +241,106 @@ def main(secondaryStart):
 	except KeyError:
 		pass
-	# If it is not a hot restart
+	# Start Fail2Ban in daemon mode
-	#   fork, setup logging, create pid, check for root
+	if conf["background"]:
-	if not secondaryStart:
+		retCode = createDaemon()
-		# Start Fail2Ban in daemon mode 
+		signal.signal(signal.SIGTERM, sigTERMhandler)
-		if conf["background"]:
+		if not retCode:
-			logSys.debug("Daemonizing")
+			logSys.error("Unable to start daemon")
 			retCode = createDaemon()
 			signal.signal(signal.SIGTERM, sigTERMhandler)
 			if not retCode:
 				logSys.error("Unable to start daemon")
 				sys.exit(-1)
 		# First setup Log targets
 		# Bug fix for #1234699
 		os.umask(0077)
 		for target in conf["logtargets"].split():
 			# target formatter
 			# By default global formatter is taken. Is different for SYSLOG
 			tformatter = formatter
 			if target == "STDERR":
 				hdlr = logging.StreamHandler(sys.stderr)
 			elif target == "SYSLOG":
 				# SYSLOG target can be either
 				# a socket (file, so it starts with /)
 				# or hostname
 				# or hostname:port
 				syslogtargets = re.findall("(/[\w/]*)|([^/ ][^: ]*)(:(\d+)){,1}",
 										   conf["syslog-target"])
 				# we are waiting for a single match
 				syslogtargets = syslogtargets[0]
 				# assign facility if it was defined
 				if conf["syslog-facility"] < 0:
 					facility = handlers.SysLogHandler.LOG_USER
 				else:
 					facility = conf["syslog-facility"]
 				if len(syslogtargets) == 0: # everything default
 					hdlr = logging.handlers.SysLogHandler()
 				else:
 					if not ( syslogtargets[0] == "" ): # got socket
 						syslogtarget = syslogtargets[0]
 					else:		# got hostname and maybe a port
 						if syslogtargets[3] == "": # no port specified
 							port = 514
 						else:
 							port = int(syslogtargets[3])
 						syslogtarget = (syslogtargets[1], port)
 					hdlr = logging.handlers.SysLogHandler(syslogtarget, facility)
 				tformatter = logging.Formatter("fail2ban[%(process)d]: " +
 											   formatterstring);
 			else:
 				# Target should be a file
 				try:
 					open(target, "a")
 					hdlr = logging.FileHandler(target)
 				except IOError:
 					logSys.error("Unable to log to " + target)
 					continue
 			# Set formatter and add handler to logger
 			hdlr.setFormatter(tformatter)
 			logSys.addHandler(hdlr)
 		# Process some options
 		# Verbose level
 		if conf["verbose"]:
 			logSys.warn("Verbose level is "+`conf["verbose"]`)
 			if conf["verbose"] == 1:
 				logSys.setLevel(logging.INFO)
 			elif conf["verbose"] > 1:
 				logSys.setLevel(logging.DEBUG)
 		# Set debug log level
 		if conf["debug"]:
 			logSys.setLevel(logging.DEBUG)
 			formatterstring = ('%(levelname)s: [%(filename)s (%(lineno)d)] ' +
 							   '%(message)s')
 			formatter = logging.Formatter("%(asctime)s " + formatterstring)
 			stdout.setFormatter(formatter)
 			logSys.warn("DEBUG MODE: FIREWALL COMMANDS ARE _NOT_ EXECUTED BUT " +
 						"ONLY DISPLAYED IN THE LOG MESSAGES")
 		# Checks for root user. This is necessary because log files
 		# are owned by root and firewall needs root access.
 		if not checkForRoot():
 			logSys.error("You must be root")
 			if not conf["debug"]:
 				sys.exit(-1)
 		# Checks that no instance of Fail2Ban is currently running.
 		pid = pidLock.exists()
 		if pid:
 			logSys.error("Fail2Ban already running with PID "+pid)
 			sys.exit(-1)
 	# First setup Log targets
 	# Bug fix for #1234699
 	os.umask(0077)
 	for target in conf["logtargets"].split():
 		# target formatter
 		# By default global formatter is taken. Is different for SYSLOG
 		tformatter = formatter
 		if target == "STDERR":
 			hdlr = logging.StreamHandler(sys.stderr)
 		elif target == "SYSLOG":
 			# SYSLOG target can be either
 			# a socket (file, so it starts with /)
 			# or hostname
 			# or hostname:port
 			syslogtargets = re.findall("(/[\w/]*)|([^/ ][^: ]*)(:(\d+)){,1}",
 									   conf["syslog-target"])
 			# we are waiting for a single match
 			syslogtargets = syslogtargets[0]
 			# assign facility if it was defined
 			if conf["syslog-facility"] < 0:
 				facility = handlers.SysLogHandler.LOG_USER
 			else:
 				facility = conf["syslog-facility"]
 			if len(syslogtargets) == 0: # everything default
 				hdlr = logging.handlers.SysLogHandler()
 			else:
 				if not ( syslogtargets[0] == "" ): # got socket
 					syslogtarget = syslogtargets[0]
 				else:		# got hostname and maybe a port
 					if syslogtargets[3] == "": # no port specified
 						port = 514
 					else:
 						port = int(syslogtargets[3])
 					syslogtarget = (syslogtargets[1], port)
 				hdlr = logging.handlers.SysLogHandler(syslogtarget, facility)
 			tformatter = logging.Formatter("fail2ban[%(process)d]: " +
 										   formatterstring);
 		else:
-			ret = pidLock.create()
+			# Target should be a file
-			if not ret:
+			try:
-				# Unable to create PID lock. Exit
+				open(target, "a")
-				sys.exit(-1)
+				hdlr = logging.FileHandler(target)
 			except IOError:
 				logSys.error("Unable to log to " + target)
 				continue
 		# Set formatter and add handler to logger
 		hdlr.setFormatter(tformatter)
 		logSys.addHandler(hdlr)
 	# Process some options
 	# Verbose level
 	if conf["verbose"]:
 		logSys.warn("Verbose level is "+`conf["verbose"]`)
 		if conf["verbose"] == 1:
 			logSys.setLevel(logging.INFO)
 		elif conf["verbose"] > 1:
 			logSys.setLevel(logging.DEBUG)
 	# Set debug log level
 	if conf["debug"]:
 		logSys.setLevel(logging.DEBUG)
 		formatterstring = ('%(levelname)s: [%(filename)s (%(lineno)d)] ' +
 						   '%(message)s')
 		formatter = logging.Formatter("%(asctime)s " + formatterstring)
 		stdout.setFormatter(formatter)
 		logSys.warn("DEBUG MODE: FIREWALL COMMANDS ARE _NOT_ EXECUTED BUT " +
 					"ONLY DISPLAYED IN THE LOG MESSAGES")
 	# Ignores IP list
 	ignoreIPList = conf["ignoreip"].split(' ')
 	# Checks for root user. This is necessary because log files
 	# are owned by root and firewall needs root access.
 	if not checkForRoot():
 		logSys.error("You must be root")
 		if not conf["debug"]:
 			sys.exit(-1)
 	# Checks that no instance of Fail2Ban is currently running.
 	pid = pidLock.exists()
 	if pid:
 		logSys.error("Fail2Ban already running with PID "+pid)
 		sys.exit(-1)
 	else:
 		ret = pidLock.create()
 		if not ret:
 			# Unable to create PID lock. Exit
 			sys.exit(-1)
 	logSys.debug("ConfFile is " + conf["conffile"])
 	logSys.debug("BanTime is " + `conf["bantime"]`)
 	logSys.debug("FindTime is " + `conf["findtime"]`)
@ -394,12 +413,15 @@ def main(secondaryStart):
 		else:
 			logSys.warn(ip + " is not a valid IP address")
-	# Execute global start command
+	initializeFwRules()
-	executeCmd(conf["cmdstart"], conf["debug"])
+	
-	# Execute start command of each section
+	# yoh: I don't think that this parameters need to be configured
-	for element in logFwList:
+	#      and probably maxRestarts should be removed
-		l = element[4]
+	legitRestartTime = 10				 # legitimate minimal restart time
-		executeCmd(l["fwstart"], conf["debug"])
+	maxRestarts = 100			  # max number of times to perform restart
 	lastRestartTime = time.time()
 	restarts = 0
 	# Main loop
 	while True:
 		try:
@ -459,10 +481,27 @@ def main(secondaryStart):
 							mail.sendmail(mailConf["subject"],
 										  mailConf["message"], aInfo)
 						del element[3][attempt]
-		except ExternalError:
+		except ExternalError, e:
-			# restore as much as possible before restart
+			# Something wrong while dealing with Iptables.
 			# May be chain got removed?
 			logSys.error("Fail2Ban got a problem: " + e.__str__())
 			if (unixTime - lastRestartTime > legitRestartTime) and (restarts < maxRestarts):
 				logSys.error("Reinitializing firewalls for the %dst time "%restarts)
 				lastRestartTime = time.time()
 			else:
 				logSys.error("Exiting: restarts follow too often, or too many restart attempts")
 				killApp()
 			# save firewalls to keep a list of IPs for rebanning
 			logFwListCopy = copy.deepcopy(logFwList)
 			# restore as much as possible
 			restoreFwRules()
-			raise
+			# reinitialize all the chains
 			initializeFwRules()
 			# restore the lists of baned IPs
 			logFwList = logFwListCopy
 			# reBan known IPs
 			reBan()
 		except KeyboardInterrupt:
 			# When the user press <ctrl>+<c> we exit nicely.
 			killApp()
--- a/firewall/firewall.py
+++ b/firewall/firewall.py
@ -73,6 +73,20 @@ class Firewall:
 		else:
 			logSys.error(ip+" not in ban list")
 	def reBan(self, debug):
 		""" Re-Bans known IPs.
 		"""
 		for ip in self.banList:
 			aInfo = {"ip": ip,
 					 "bantime":self.banList[ip]}
 			logSys.warn("ReBan "+ip)
 			# next piece is similar to the on in addBanIp
 			# so might be one more function will not hurt
 			self.runCheck("pre-fw-reban", debug)
 			cmd = self.banIP(aInfo)
 			if executeCmd(cmd, debug):
 				raise ExternalError("Firewall: execution of fwban command '%s' failed"%cmd)
 	def inBanList(self, ip):
 		""" Checks if IP is in ban list.
 		"""