- Added "fwcheck" option to verify consistency of the firewall

- Added section in email - Added "-f" command line option - Reordered code a bit Many thanks to Yaroslav Halchenko git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_5@211 a942ae1a-1317-0410-a47c-b1dcaea8d605
2005-10-26 21:57:03 +00:00 · 2005-10-26 21:57:03 +00:00 · e12db53bf7
parent 6151d11720
commit e12db53bf7
1 changed files with 120 additions and 48 deletions
--- a/fail2ban.py
+++ b/fail2ban.py
@ -25,7 +25,7 @@ __date__ = "$Date$"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"
-import time, sys, getopt, os, string, signal, logging, logging.handlers
+import time, sys, getopt, os, string, signal, logging, logging.handlers, copy
 from ConfigParser import *
 from version import version
@ -62,8 +62,9 @@ def dispUsage():
 	print "  -h         display this help message"
 	print "  -i <IP(s)> IP(s) to ignore"
 	print "  -k         kill a currently running instance"
-	print "  -r <VALUE> allow a max of VALUE password failure"
+	print "  -r <VALUE> allow a max of VALUE password failure [maxfailures]"
-	print "  -t <TIME>  ban IP for TIME seconds"
+	print "  -t <TIME>  ban IP for TIME seconds [bantime]"
 	print "  -f <TIME>  lifetime in seconds of failed entry [findtime]"
 	print "  -v         verbose. Use twice for greater effect"
 	print "  -V         print software version"
 	print
@ -92,19 +93,48 @@ def sigTERMhandler(signum, frame):
 	logSys.debug("Signal handler called with sig "+`signum`)
 	killApp()	
 def setFwMustCheck(value):
 	""" Set the mustCheck value of the firewalls (True/False)
 	"""
 	for element in logFwList:
 		element[2].setMustCheck(value)
 def initializeFwRules():
 	""" Initializes firewalls by running cmdstart and then
 	    fwstart for each section
 	"""
 	# Execute global start command
 	executeCmd(conf["cmdstart"], conf["debug"])
 	# Execute start command of each section
 	for element in logFwList:
 		element[2].initialize(conf["debug"])
 def reBan():
 	""" For each section asks the Firewall to reban known IPs
 	"""
 	for element in logFwList:
 		element[2].reBan(conf["debug"])
 def restoreFwRules():
 	""" Flush the ban list
 	"""
 	logSys.warn("Restoring firewall rules...")
 	try:
 		for element in logFwList:
 			# Execute end command of each section
 			element[2].restore(conf["debug"])
 		# Execute global end command
 		executeCmd(conf["cmdend"], conf["debug"])
 	except ExternalError:
 		# nothing bad really - we can survive :-)
 		pass
 def killApp():
 	""" Flush the ban list, remove the PID lock file and exit
 		nicely.
 	"""
-	logSys.warn("Restoring firewall rules...")
+	# Restore Fw rules
-	for element in logFwList:
+	restoreFwRules()
 		element[2].flushBanList(conf["debug"])
 	# Execute end command of each section
 	for element in logFwList:
 		l = element[4]
 		executeCmd(l["fwend"], conf["debug"])
 	# Execute global start command
 	executeCmd(conf["cmdend"], conf["debug"])
 	# Remove the PID lock
 	pidLock.remove()
 	logSys.info("Exiting...")
@ -127,6 +157,12 @@ def getCmdLineOptions(optList):
 			except ValueError:
 				logSys.warn("banTime must be an integer")
 				logSys.warn("Using default value")
 		if opt[0] == "-f":
 			try:
 				conf["findtime"] = int(opt[1])
 			except ValueError:
 				logSys.warn("findTime must be an integer")
 				logSys.warn("Using default value")
 		if opt[0] == "-i":
 			conf["ignoreip"] = opt[1]
 		if opt[0] == "-r":
@ -149,6 +185,7 @@ def main():
 	formatter = logging.Formatter('%(asctime)s ' + formatterstring)
 	stdout.setFormatter(formatter)
 	conf["kill"] = False
 	conf["verbose"] = 0
 	conf["conffile"] = "/etc/fail2ban.conf"
@ -187,7 +224,9 @@ def main():
 					["str", "ignoreip", ""],
 					["int", "polltime", 1],
 					["str", "cmdstart", ""],
-					["str", "cmdend", ""])
+					["str", "cmdend", ""],
 					["int", "reinittime", 100],
 					["int", "maxreinits", 100])
 	# Gets global configuration options
 	conf.update(confReader.getLogOptions("DEFAULT", optionValues))
@ -199,8 +238,7 @@ def main():
 	pidLock.setPath(conf["pidlock"])
 	# Now we can kill properly a running instance if needed
-	try:
+	if conf["kill"]:
 		conf["kill"]
 		pid = pidLock.exists()
 		if pid:
 			killPID(int(pid))
@ -209,8 +247,6 @@ def main():
 		else:
 			logSys.error("No running Fail2Ban found")
 			sys.exit(-1)
 	except KeyError:
 		pass
 	# Start Fail2Ban in daemon mode
 	if conf["background"]:
@ -220,26 +256,8 @@ def main():
 			logSys.error("Unable to start daemon")
 			sys.exit(-1)
 	# Verbose level
 	if conf["verbose"]:
 		logSys.warn("Verbose level is "+`conf["verbose"]`)
 		if conf["verbose"] == 1:
 			logSys.setLevel(logging.INFO)
 		elif conf["verbose"] > 1:
 			logSys.setLevel(logging.DEBUG)
 	# Set debug log level
 	if conf["debug"]:
 		logSys.setLevel(logging.DEBUG)
 		formatterstring = ('%(levelname)s: [%(filename)s (%(lineno)d)] ' +
 						   '%(message)s')
 		formatter = logging.Formatter("%(asctime)s " + formatterstring)
 		stdout.setFormatter(formatter)
 		logSys.warn("DEBUG MODE: FIREWALL COMMANDS ARE _NOT_ EXECUTED BUT " +
 					"ONLY DISPLAYED IN THE LOG MESSAGES")
 	# Process some options
-	# Log targets
+	# First setup Log targets
 	# Bug fix for #1234699
 	os.umask(0077)
 	for target in conf["logtargets"].split():
@ -290,6 +308,24 @@ def main():
 		hdlr.setFormatter(tformatter)
 		logSys.addHandler(hdlr)
 	# Verbose level
 	if conf["verbose"]:
 		logSys.warn("Verbose level is "+`conf["verbose"]`)
 		if conf["verbose"] == 1:
 			logSys.setLevel(logging.INFO)
 		elif conf["verbose"] > 1:
 			logSys.setLevel(logging.DEBUG)
 	# Set debug log level
 	if conf["debug"]:
 		logSys.setLevel(logging.DEBUG)
 		formatterstring = ('%(levelname)s: [%(filename)s (%(lineno)d)] ' +
 						   '%(message)s')
 		formatter = logging.Formatter("%(asctime)s " + formatterstring)
 		stdout.setFormatter(formatter)
 		logSys.warn("DEBUG MODE: FIREWALL COMMANDS ARE _NOT_ EXECUTED BUT " +
 					"ONLY DISPLAYED IN THE LOG MESSAGES")
 	# Ignores IP list
 	ignoreIPList = conf["ignoreip"].split(' ')
@ -348,8 +384,11 @@ def main():
 					["str", "fwstart", ""],
 					["str", "fwend", ""],
 					["str", "fwban", ""],
-					["str", "fwunban", ""])
+					["str", "fwunban", ""],
-					
+					["str", "fwcheck", ""])
 	logSys.info("Fail2Ban v" + version + " is running")
 	# Gets the options of each sections
 	for t in confReader.getSections():
 		l = confReader.getLogOptions(t, optionValues)
@ -358,7 +397,10 @@ def main():
 			lObj = LogReader(l["logfile"], l["timeregex"], l["timepattern"],
 							 l["failregex"], l["maxfailures"], l["findtime"])
 			# Creates a firewall object
-			fObj = Firewall(l["fwban"], l["fwunban"], l["bantime"])
+			fObj = Firewall(l["fwstart"], l["fwend"], l["fwban"], l["fwunban"],
 							l["fwcheck"], l["bantime"])
 			# "Name" the firewall
 			fObj.setSection(t)
 			# Links them into a list. I'm not really happy
 			# with this :/
 			logFwList.append([t, lObj, fObj, dict(), l])
@ -376,13 +418,10 @@ def main():
 		else:
 			logSys.warn(ip + " is not a valid IP address")
-	logSys.info("Fail2Ban v" + version + " is running")
+	initializeFwRules()
-	# Execute global start command
+	# try to reinit once if it fails immediately
-	executeCmd(conf["cmdstart"], conf["debug"])
+	lastReinitTime = time.time() - conf["reinittime"] - 1
-	# Execute start command of each section
+	reinits = 0
 	for element in logFwList:
 		l = element[4]
 		executeCmd(l["fwstart"], conf["debug"])
 	# Main loop
 	while True:
 		try:
@ -429,7 +468,8 @@ def main():
 					if failTime < unixTime - findTime:
 						del element[3][attempt]
 					elif fails[attempt][0] >= element[1].getMaxRetry():
-						aInfo = {"ip": attempt,
+						aInfo = {"section": element[0],
 								 "ip": attempt,
 								 "failures": element[3][attempt][0],
 								 "failtime": failTime}
 						logSys.info(element[0] + ": " + aInfo["ip"] +
@ -441,7 +481,39 @@ def main():
 							mail.sendmail(mailConf["subject"],
 										  mailConf["message"], aInfo)
 						del element[3][attempt]
-			
+		except ExternalError, e:
 			# Something wrong while dealing with Iptables.
 			# May be chain got removed?
 			reinits += 1
 			logSys.error(e)
 			if ((unixTime - lastReinitTime > conf["reinittime"]) and
 				((conf["maxreinits"] < 0) or (reinits < conf["maxreinits"]))):
 				logSys.warn("#%d reinitialization of firewalls"%reinits)
 				lastReinitTime = unixTime
 			else:
 				logSys.error("Exiting: reinits follow too often, or too many " +
 							 "reinit attempts")
 				killApp()
 			# We already failed runCheck so disable it until
 			# restoring a safe state
 			setFwMustCheck(False)
 			# save firewalls to keep a list of IPs for rebanning
 			logFwListCopy = copy.deepcopy(logFwList)
 			try:
 				# restore as much as possible
 				restoreFwRules()
 				# reinitialize all the chains
 				initializeFwRules()
 				# restore the lists of baned IPs
 				logFwList.__init__(logFwListCopy)
 				# reBan known IPs
 				reBan()
 				# Now we can enable the runCheck test again
 				setFwMustCheck(True)
 			except ExternalError:
 				raise ExternalError("Big Oops happened: situation is out of " +
 									"control. Something is wrong with your " +
 									"setup. Please check your settings")
 		except KeyboardInterrupt:
 			# When the user press <ctrl>+<c> we exit nicely.
 			killApp()