From ea1948eff40953b4590858698ced9f6b4c3733f8 Mon Sep 17 00:00:00 2001 
From: Cyril Jaquier Date: Mon, 26 Jun 2006 20:05:00 +0000 Subject: [PATCH] - Initial commit of the new development release 0.7 git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@249 a942ae1a-1317-0410-a47c-b1dcaea8d605 --- TODO | 97 +- {confreader => client}/__init__.py | 6 +- client/actionreader.py | 80 ++ {confreader => client}/configreader.py | 79 +- client/configurator.py | 68 ++ client/csocket.py | 54 ++ client/fail2banreader.py | 51 + client/filterreader.py | 80 ++ client/jailreader.py | 84 ++ client/jailsreader.py | 73 ++ config/action.d/dummy.conf | 52 + config/action.d/iptables.conf | 55 ++ config/debian-initd | 73 -- config/fail2ban.conf | 4 + config/fail2ban.conf.hostsdeny | 327 ------- config/fail2ban.conf.iptables | 362 ------- config/fail2ban.conf.shorewall | 314 ------ config/fail2ban.local | 4 + config/filter.d/apache-auth.conf | 0 config/filter.d/sshd.conf | 32 + config/gentoo-confd | 23 - config/gentoo-initd | 50 - config/jail.conf | 21 + config/redhat-initd | 78 -- doc/Doxyfile | 1237 ++++++++++++++++++++++++ fail2ban | 75 -- fail2ban-client | 236 +++++ fail2ban-server | 122 +++ fail2ban-testcases | 61 ++ fail2ban.py | 542 ----------- firewall/firewall.py | 192 ---- kill-server | 2 + log-test/apache | 108 --- log-test/current | 11 - log-test/test | 432 --------- logreader/logreader.py | 225 ----- man/fail2ban.8 | 58 -- man/fail2ban.conf.5 | 20 - {logreader => server}/__init__.py | 6 +- server/action.py | 281 ++++++ server/banmanager.py | 184 ++++ server/banticket.py | 50 + server/faildata.py | 53 + server/failmanager.py | 106 ++ version.py => server/failticket.py | 18 +- server/filter.py | 452 +++++++++ server/jail.py | 95 ++ server/jailthread.py | 114 +++ server/server.py | 291 ++++++ server/ssocket.py | 103 ++ server/ticket.py | 49 + server/transmitter.py | 182 ++++ setup.cfg | 5 - setup.py | 82 -- {firewall => testcases}/__init__.py | 6 +- testcases/banmanagertestcase.py | 56 ++ testcases/failmanagertestcase.py | 79 ++ 
testcases/files/testcase01.log | 18 + testcases/files/testcase02.log | 10 + testcases/filtertestcase.py | 98 ++ testcases/servertestcase.py | 127 +++ utils/process.py | 37 +- 62 files changed, 4734 insertions(+), 3156 deletions(-) rename {confreader => client}/__init__.py (88%) create mode 100644 client/actionreader.py rename {confreader => client}/configreader.py (54%) create mode 100644 client/configurator.py create mode 100644 client/csocket.py create mode 100644 client/fail2banreader.py create mode 100644 client/filterreader.py create mode 100644 client/jailreader.py create mode 100644 client/jailsreader.py create mode 100644 config/action.d/dummy.conf create mode 100644 config/action.d/iptables.conf delete mode 100644 config/debian-initd create mode 100644 config/fail2ban.conf delete mode 100644 config/fail2ban.conf.hostsdeny delete mode 100644 config/fail2ban.conf.iptables delete mode 100644 config/fail2ban.conf.shorewall create mode 100644 config/fail2ban.local create mode 100644 config/filter.d/apache-auth.conf create mode 100644 config/filter.d/sshd.conf delete mode 100644 config/gentoo-confd delete mode 100755 config/gentoo-initd create mode 100644 config/jail.conf delete mode 100644 config/redhat-initd create mode 100644 doc/Doxyfile delete mode 100755 fail2ban create mode 100755 fail2ban-client create mode 100755 fail2ban-server create mode 100755 fail2ban-testcases delete mode 100755 fail2ban.py delete mode 100644 firewall/firewall.py create mode 100755 kill-server delete mode 100644 log-test/apache delete mode 100644 log-test/current delete mode 100644 log-test/test delete mode 100644 logreader/logreader.py delete mode 100644 man/fail2ban.8 delete mode 100644 man/fail2ban.conf.5 rename {logreader => server}/__init__.py (88%) create mode 100644 server/action.py create mode 100644 server/banmanager.py create mode 100644 server/banticket.py create mode 100644 server/faildata.py create mode 100644 server/failmanager.py rename version.py => 
server/failticket.py (73%) create mode 100644 server/filter.py create mode 100644 server/jail.py create mode 100644 server/jailthread.py create mode 100644 server/server.py create mode 100644 server/ssocket.py create mode 100644 server/ticket.py create mode 100644 server/transmitter.py delete mode 100644 setup.cfg delete mode 100755 setup.py rename {firewall => testcases}/__init__.py (88%) create mode 100644 testcases/banmanagertestcase.py create mode 100644 testcases/failmanagertestcase.py create mode 100644 testcases/files/testcase01.log create mode 100644 testcases/files/testcase02.log create mode 100644 testcases/filtertestcase.py create mode 100644 testcases/servertestcase.py
diff --git a/TODO b/TODO
index 5e7b6347..7c388e85 100644
--- a/TODO
+++ b/TODO
@@ -1,95 +1,2 @@ - __ _ _ ___ _ - / _|__ _(_) |_ ) |__ __ _ _ _ - | _/ _` | | |/ /| '_ \/ _` | ' \ - |_| \__,_|_|_/___|_.__/\__,_|_||_| - -============================================================= -ToDo $Revision$ -============================================================= - -See Feature Request Tracking System at SourceForge.net - -- improve installation process (better prefix support) - -- improve documentation and website for user - -- use Doxygen - -- use PyLint to check the code - -- better configuration files - -- add a check to see if the time of the log messages is - correctly detected (valid regexp) - -- use Gentoo Portage style for scripts. - - banning engines script in /etc/fail2ban/scripts.d - Example: /etc/fail2ban/scripts.d/iptables - Will be mostly bash scripting which is more "user - friendly". - - split configuration files in /etc/fail2ban/services.d - for log files - Example: /etc/fail2ban/services.d/apache - Mainly regular expressions. - - template for common regex in /etc/fail2ban/templates.d - Example: /etc/fail2ban/templates.d/date - Mainly regular expressions. - -- remove debug mode (root check) - -- better return values in function - -- use more email.Utils in mail.py - -- add gettext support. Is this really needed for a server - utility? - -- send an email when fail2ban is running - -- add multithreading. Python threading is not really - efficient. However, fail2ban could benefit of it. We could - use threads like this: - - one thread which check for host to unban. - - one thread per file to watch. This will allow things like - different polling time for each file. - is read-only (we only read log files) thus no locks - are required. However, is read-write and must take - care of concurrency in case of multithreading. - -- add FAM/Gamin support. Should be quite efficient with - threading. Take care that handle_one_event() release the - Python lock. - -- add a test framework. We could use unittest which is in - Python since 2.1. 
It should be possible to run all tests - automatically. - -- add client/server using socket. Something similar to - gdesklets. DBUS seems to be designed for desktop use. - - fail2ban start -> start the daemon. - - fail2ban stop -> stop the daemon. - - fail2ban add -> add monitoring with - ban method (iptables, hosts.deny, etc). - - fail2ban del -> remove monitoring. - - fail2ban status -> query current fail2ban status. - Should return infos like a ban counter. Could be graph - with rrdtool. - - fail2ban pause -> suspend monitoring. - - fail2ban resume -> resume monitoring. - - fail2ban list -> list available services. - - fail2ban flush -> flush the ban list. - -- remove PID file. - -- remove most of the command lines options if possible. - -- add the possibility to specify wildcard in log files. - Example: logfile = /var/log/apache2/access-*.log - Should we start one thread per file or just one thread per - serivce? - -- autodetect date format in log file. Match the most popular - format and sort them using the hit ratio. Should avoid - user problem with regex and not have a big impact on perfs. - -- restart automatically the daemon if an exception occurs. +- Don't close socket after a send +- Multiple actions !!! \ No newline at end of file diff --git a/confreader/__init__.py b/client/__init__.py similarity index 88% rename from confreader/__init__.py rename to client/__init__.py index 76dba873..60ef5531 100644 --- a/confreader/__init__.py +++ b/client/__init__.py @@ -16,10 +16,10 @@ # Author: Cyril Jaquier # -# $Revision$ +# $Revision: 1.1 $ __author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" +__version__ = "$Revision: 1.1 $" +__date__ = "$Date: 2004/10/10 13:33:40 $" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" \ No newline at end of file diff --git a/client/actionreader.py b/client/actionreader.py new file mode 100644 index 00000000..5486b90e --- /dev/null +++ b/client/actionreader.py 
@@ -0,0 +1,80 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# Author: Cyril Jaquier
+#
+# $Revision: 1.6 $
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision: 1.6 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+import logging
+from configreader import ConfigReader
+
+# Gets the instance of the logger.
+logSys = logging.getLogger("fail2ban.client.config") + +class ActionReader(ConfigReader): + + def __init__(self, file, name): + ConfigReader.__init__(self) + self.file = file + self.name = name + + def setFile(self, file): + self.file = file + + def getFile(self): + return self.file + + def setName(self, name): + self.name = name + + def getName(self): + return self.name + + def read(self): + ConfigReader.read(self, "action.d/" + self.file) + + def getOptions(self, pOpts): + opts = [["string", "bantime", "600"], + ["string", "actionstart", ""], + ["string", "actionstop", ""], + ["string", "actioncheck", ""], + ["string", "actionban", ""], + ["string", "actionunban", ""]] + self.opts = ConfigReader.getOptions(self, "DEFAULT", opts, pOpts) + + def convert(self): + stream = list() + for opt in self.opts: + if opt == "bantime": + stream.append(["set", self.name, "bantime", self.opts[opt]]) + elif opt == "actionstart": + stream.append(["set", self.name, "actionstart", self.opts[opt]]) + elif opt == "actionstop": + stream.append(["set", self.name, "actionstop", self.opts[opt]]) + elif opt == "actioncheck": + stream.append(["set", self.name, "actioncheck", self.opts[opt]]) + elif opt == "actionban": + stream.append(["set", self.name, "actionban", self.opts[opt]]) + elif opt == "actionunban": + stream.append(["set", self.name, "actionunban", self.opts[opt]]) + return stream + \ No newline at end of file diff --git a/confreader/configreader.py b/client/configreader.py similarity index 54% rename from confreader/configreader.py rename to client/configreader.py index 150858b5..27b56fd2 100644 --- a/confreader/configreader.py +++ b/client/configreader.py 
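Review bot: The six-way `if/elif` chain in `ActionReader.convert()` compares `opt` against the very key it then emits, so every branch appends `["set", self.name, opt, self.opts[opt]]` and the loop collapses to `return [["set", self.name, opt, value] for opt, value in self.opts.items()]`; `FilterReader.convert()` in client/filterreader.py has the same shape. The rewrite is equivalent because `ConfigReader.getOptions` only ever populates `self.opts` from the fixed `opts` list, so no extra key can reach the comprehension. `convert()` also iterates `self.opts`, which the base class initialises to `None`, so calling it before `getOptions()` fails with a TypeError rather than returning an empty stream; a docstring such as `"""Translate the options read by getOptions() into ["set", jail, option, value] commands."""` would make the required call order explicit.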
@@ -16,70 +16,73 @@ # Author: Cyril Jaquier # -# $Revision$ +# $Revision: 1.6 $ __author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" +__version__ = "$Revision: 1.6 $" +__date__ = "$Date: 2005/11/20 17:07:47 $" __copyright__ = "Copyright (c) 2004 Cyril Jaquier" __license__ = "GPL" import logging - from ConfigParser import * # Gets the instance of the logger. -logSys = logging.getLogger("fail2ban") +logSys = logging.getLogger("fail2ban.client.config") -class ConfigReader: - """ This class allow the handling of the configuration options. - The DEFAULT section contains the global information about - Fail2Ban. Each other section is for a different log file. - """ - - def __init__(self, confPath): - self.confPath = confPath - self.configParser = SafeConfigParser() +class ConfigReader(SafeConfigParser): + + basedir = "/etc/fail2ban/" + + def __init__(self): + SafeConfigParser.__init__(self) + self.opts = None + + @staticmethod + def setBaseDir(dir): + global basedir + path = dir.rstrip('/') + basedir = path + '/' - def openConf(self): - """ Opens the configuration file. - """ - self.configParser.read(self.confPath) + @staticmethod + def getBaseDir(): + global basedir + return basedir - def getSections(self): - """ Returns all the sections present in the configuration - file except the DEFAULT and MAIL sections. - """ - sections = self.configParser.sections() - sections.remove("MAIL") - logSys.debug("Found sections: " + `sections`) - return sections + def read(self, filename): + global basedir + basename = basedir + filename + logSys.debug("Reading " + basename) + SafeConfigParser.read(self, [basename + ".conf", basename + ".local"]) + ## + # Read the options. + # + # Read the given option in the configuration file. Default values + # are used... 
# Each optionValues entry is composed of an array with: # 0 -> the type of the option # 1 -> the name of the option # 2 -> the default value for the option - def getLogOptions(self, sec, options): - """ Gets all the options of a given section. The options - are defined in the optionValues list. - """ + def getOptions(self, sec, options, pOptions = None): values = dict() for option in options: try: if option[0] == "bool": - v = self.configParser.getboolean(sec, option[1]) + v = self.getboolean(sec, option[1]) elif option[0] == "int": - v = self.configParser.getint(sec, option[1]) + v = self.getint(sec, option[1]) else: - v = self.configParser.get(sec, option[1]) - + v = self.get(sec, option[1]) + if not pOptions == None and option[1] in pOptions: + continue values[option[1]] = v except NoOptionError: - logSys.warn("No '" + option[1] + "' defined in '" + sec + "'") - values[option[1]] = option[2] + if not option[2] == None: + logSys.warn("No '" + option[1] + "' defined in '" + sec + "'") + values[option[1]] = option[2] except ValueError: logSys.warn("Wrong value for '" + option[1] + "' in '" + sec + "'. Using default one: '" + `option[2]` + "'") values[option[1]] = option[2] - return values - \ No newline at end of file + return values \ No newline at end of file diff --git a/client/configurator.py b/client/configurator.py new file mode 100644 index 00000000..9ceed3d2 --- /dev/null +++ b/client/configurator.py 
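Review bot: `setBaseDir`, `getBaseDir` and `read` all declare `global basedir`, but `basedir = "/etc/fail2ban/"` is a class attribute, not a module-level name, so `getBaseDir()` or `read()` raises `NameError` unless `setBaseDir()` has already run, and the `/etc/fail2ban/` default is never used. Dropping the three `global` statements and using the class attribute fixes it: `ConfigReader.basedir = path + '/'`, `return ConfigReader.basedir` and `basename = ConfigReader.basedir + filename`. In `getOptions`, `not pOptions == None` should be `pOptions is not None`; the `pOptions` skip is also applied only after the value has been fetched, so a comment like `# options already set at jail level take precedence over the filter/action defaults` would explain why it sits inside the `try`. The `.conf`-then-`.local` order in `read()` determines which file wins and deserves a one-line comment as well.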
@@ -0,0 +1,68 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# Author: Cyril Jaquier
+#
+# $Revision: 1.6 $
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision: 1.6 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+import logging
+from configreader import ConfigReader
+from fail2banreader import Fail2banReader
+from jailsreader import JailsReader
+
+# Gets the instance of the logger.
+logSys = logging.getLogger("fail2ban.client.config") + +class Configurator: + + def __init__(self): + self.settings = dict() + self.streams = dict() + self.fail2ban = Fail2banReader() + self.jails = JailsReader() + + def setBaseDir(self, dir): + ConfigReader.setBaseDir(dir) + + def getBaseDir(self): + return ConfigReader.getBaseDir() + + def readAll(self): + self.fail2ban.read() + self.jails.read() + + def getAllOptions(self): + self.settings["general"] = self.fail2ban.getOptions() + self.settings["jails"] = self.jails.getOptions() + + def convertToProtocol(self): + self.streams["general"] = self.fail2ban.convert() + self.streams["jails"] = self.jails.convert() + + def getConfigStream(self): + cmds = list() + for opt in self.streams["general"]: + cmds.append(opt) + for opt in self.streams["jails"]: + cmds.append(opt) + return cmds + \ No newline at end of file diff --git a/client/csocket.py b/client/csocket.py new file mode 100644 index 00000000..4e07fa0d --- /dev/null +++ b/client/csocket.py 
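Review bot: `Configurator.getConfigStream()` copies two lists element by element into `cmds`; the same result is `return self.streams["general"] + self.streams["jails"]`. The class relies on an implicit call order (`readAll` → `getAllOptions` → `convertToProtocol` → `getConfigStream`) and `getConfigStream` raises `KeyError` on `self.streams["general"]` if `convertToProtocol` has not run, so a class docstring stating that order would help the caller in fail2ban-client, which is outside this hunk. The `dir` parameter of `setBaseDir` shadows the builtin; `path` or `basedir` reads better.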
@@ -0,0 +1,54 @@ +# This file is part of Fail2Ban. +# +# Fail2Ban is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# Fail2Ban is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Fail2Ban; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +# Author: Cyril Jaquier +# +# $Revision: 1.1 $ + +__author__ = "Cyril Jaquier" +__version__ = "$Revision: 1.1 $" +__date__ = "$Date: 2004/10/10 13:33:40 $" +__copyright__ = "Copyright (c) 2004 Cyril Jaquier" +__license__ = "GPL" + +import socket, pickle + +class CSocket: + + def __init__(self): + self.socketFile = "/tmp/fail2ban.sock" + # Create an INET, STREAMing socket + #self.csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + self.csock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) + #self.csock.connect(("localhost", 2222)) + self.csock.connect(self.socketFile) + + def send(self, msg): + # Convert every list member to string + obj = pickle.dumps(map(str, msg)) + self.csock.send(obj + "") + ret = self.receive(self.csock) + self.csock.close() + return ret + + def receive(self, socket): + msg = '' + while msg.rfind("") == -1: + chunk = socket.recv(6) + if chunk == '': + raise RuntimeError, "socket connection broken" + msg = msg + chunk + return pickle.loads(msg) diff --git a/client/fail2banreader.py b/client/fail2banreader.py new file mode 100644 index 00000000..a99c3001 --- /dev/null +++ b/client/fail2banreader.py 
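Review bot: `CSocket.receive()` hands whatever bytes arrive on the connection to `pickle.loads`, and `__init__` connects to the fixed path `/tmp/fail2ban.sock` in a world-writable directory without checking who owns the socket, so the client — typically run as root — deserialises and thereby executes whatever the process listening on that path sends it. Placing the socket in a root-owned runtime directory instead of `/tmp` and replacing pickle with a data-only encoding of the string list would remove the risk; until then the assumption deserves a comment such as `# SECURITY: pickle over a /tmp socket trusts whoever is listening there`. Separately, as printed the terminator appended in `send()` (`obj + ""`) and tested in `while msg.rfind("") == -1` is the empty string — if that is not an extraction artifact, `rfind("")` is never -1, the loop body never runs and `pickle.loads('')` raises EOFError on every call. The `socket` parameter of `receive()` also shadows the imported module; `sock` avoids the confusion.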
@@ -0,0 +1,51 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# Author: Cyril Jaquier
+#
+# $Revision: 1.6 $
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision: 1.6 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+import logging
+from configreader import ConfigReader
+
+# Gets the instance of the logger.
+logSys = logging.getLogger("fail2ban.client.config")
+
+class Fail2banReader(ConfigReader):
+
+ def __init__(self):
+ ConfigReader.__init__(self)
+
+ def read(self):
+ ConfigReader.read(self, "fail2ban")
+
+ def getOptions(self):
+ opts = [["int", "loglevel", 1]]
+ self.opts = ConfigReader.getOptions(self, "DEFAULT", opts)
+
+ def convert(self):
+ stream = list()
+ for opt in self.opts:
+ if opt == "loglevel":
+ stream.append(["set", "loglevel", self.opts[opt]])
+ return stream
+ 
\ No newline at end of file
diff --git a/client/filterreader.py b/client/filterreader.py
new file mode 100644
index 00000000..79f517b8
--- /dev/null
+++ b/client/filterreader.py
@@ -0,0 +1,80 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# Author: Cyril Jaquier
+#
+# $Revision: 1.6 $
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision: 1.6 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+import logging
+from configreader import ConfigReader
+
+# Gets the instance of the logger.
+logSys = logging.getLogger("fail2ban.client.config") + +class FilterReader(ConfigReader): + + def __init__(self, file, name): + ConfigReader.__init__(self) + self.file = file + self.name = name + + def setFile(self, file): + self.file = file + + def getFile(self): + return self.file + + def setName(self, name): + self.name = name + + def getName(self): + return self.name + + def read(self): + ConfigReader.read(self, "filter.d/" + self.file) + + def getOptions(self, pOpts): + opts = [["string", "logpath", "/var/log/sshd.log"], + ["string", "timeregex", ""], + ["string", "timepattern", ""], + ["string", "failregex", ""], + ["int", "maxtime", 600], + ["int", "maxretry", 3]] + self.opts = ConfigReader.getOptions(self, "DEFAULT", opts, pOpts) + + def convert(self): + stream = list() + for opt in self.opts: + if opt == "logpath": + stream.append(["set", self.name, "logpath", self.opts[opt]]) + elif opt == "timeregex": + stream.append(["set", self.name, "timeregex", self.opts[opt]]) + elif opt == "timepattern": + stream.append(["set", self.name, "timepattern", self.opts[opt]]) + elif opt == "failregex": + stream.append(["set", self.name, "failregex", self.opts[opt]]) + elif opt == "maxtime": + stream.append(["set", self.name, "maxtime", self.opts[opt]]) + elif opt == "maxretry": + stream.append(["set", self.name, "maxretry", self.opts[opt]]) + return stream + \ No newline at end of file diff --git a/client/jailreader.py b/client/jailreader.py new file mode 100644 index 00000000..b839172c --- /dev/null +++ b/client/jailreader.py 
@@ -0,0 +1,84 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# Author: Cyril Jaquier
+#
+# $Revision: 1.6 $
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision: 1.6 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+import logging
+from configreader import ConfigReader
+from filterreader import FilterReader
+from actionreader import ActionReader
+
+# Gets the instance of the logger.
+logSys = logging.getLogger("fail2ban.client.config") + +class JailReader(ConfigReader): + + def __init__(self, name): + ConfigReader.__init__(self) + self.name = name + self.filter = None + self.action = None + + def setName(self, value): + self.name = value + + def getName(self): + return self.name + + def read(self): + ConfigReader.read(self, "jail") + + def isEnabled(self): + return self.opts["enabled"] + + def getOptions(self): + opts = [["bool", "enabled", "false"], + ["int", "maxretry", None], + ["int", "bantime", None], + ["string", "filter", ""], + ["string", "action", ""]] + self.opts = ConfigReader.getOptions(self, self.name, opts) + + if self.isEnabled(): + # Read filter + self.filter = FilterReader(self.opts["filter"], self.name) + self.filter.read() + self.filter.getOptions(self.opts) + + # Read action + self.action = ActionReader(self.opts["action"], self.name) + self.action.read() + self.action.getOptions(self.opts) + + def convert(self): + stream = [["add", self.name]] + for opt in self.opts: + if opt == "maxretry": + stream.append(["set", self.name, "maxretry", self.opts[opt]]) + elif opt == "bantime": + stream.append(["set", self.name, "bantime", self.opts[opt]]) + stream.extend(self.filter.convert()) + stream.extend(self.action.convert()) + return stream + \ No newline at end of file diff --git a/client/jailsreader.py b/client/jailsreader.py new file mode 100644 index 00000000..b092cf21 --- /dev/null +++ b/client/jailsreader.py 
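Review bot: In `JailReader.getOptions()` the default for `enabled` is the string `"false"`, and `ConfigReader.getOptions` stores that default verbatim when the option is missing from the section, so `isEnabled()` then returns a non-empty string that is truthy and a jail with no `enabled =` line is started as if it were enabled. The default should be the boolean: `opts = [["bool", "enabled", False],`. `convert()` also dereferences `self.filter` and `self.action`, which stay `None` for a disabled jail, so it only works after `getOptions()` found the jail enabled; `JailsReader` respects that, but a comment such as `# Only valid for enabled jails: filter/action are None otherwise` on `convert()` would keep the next caller from tripping over it.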
@@ -0,0 +1,73 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# Author: Cyril Jaquier
+#
+# $Revision: 1.6 $
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision: 1.6 $"
+__date__ = "$Date: 2005/11/20 17:07:47 $"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+import logging
+from configreader import ConfigReader
+from jailreader import JailReader
+
+# Gets the instance of the logger.
+logSys = logging.getLogger("fail2ban.client.config") + +class JailsReader(ConfigReader): + + def __init__(self): + ConfigReader.__init__(self) + self.jails = list() + + def read(self): + ConfigReader.read(self, "jail") + + def getOptions(self): + opts = [] + self.opts = ConfigReader.getOptions(self, "DEFAULT", opts) + + for sec in self.sections(): + jail = JailReader(sec) + jail.read() + jail.getOptions() + if jail.isEnabled(): + # We only add enabled jails + self.jails.append(jail) + + def getFilterOptions(self, file): + filter = FilterReader(file) + filter.read() + return filter.getOptions() + + def convert(self): + stream = list() + for opt in self.opts: + if opt == "": + stream.append([]) + # Convert jails + for jail in self.jails: + stream.extend(jail.convert()) + # Start jails + for jail in self.jails: + stream.append(["start", jail.getName()]) + + return stream + \ No newline at end of file diff --git a/config/action.d/dummy.conf b/config/action.d/dummy.conf new file mode 100644 index 00000000..1be6253b --- /dev/null +++ b/config/action.d/dummy.conf 
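Review bot: `JailsReader.getFilterOptions()` references `FilterReader`, which this module never imports (only `ConfigReader` and `JailReader` are), and calls it with a single argument although `FilterReader.__init__` takes `(file, name)`, so any call raises `NameError`; nothing in the hunk uses the method, so either delete it or add `from filterreader import FilterReader` and pass a name. In `convert()`, `getOptions()` always sets `self.opts` from an empty `opts` list, so the `for opt in self.opts: if opt == "": stream.append([])` loop is dead code and can go. A short docstring on `convert()`, e.g. `"""Emit the add/set commands of every enabled jail, then one "start" per jail."""`, would document why the two loops over `self.jails` are kept separate.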
@@ -0,0 +1,52 @@ +[DEFAULT] + +bantime = 1234 + +name = temporary + +# Option: protocol +# Notes.: internally used by config reader for interpolations. +# Values: [ tcp | udp | icmp | all ] Default: tcp +# +protocol = tcp + +# Option: fwstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD Default: +# +actionstart = touch /tmp/fail2ban.dummy + +# Option: fwend +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD Default: +# +actionstop = rm /tmp/fail2ban.dummy + +# Option: fwcheck +# Notes.: command executed once before each fwban command +# Values: CMD Default: +# +actioncheck = + +# Option: fwban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: IP address +# number of failures +# unix timestamp of the last failure +# unix timestamp of the ban time +# Values: CMD +# Default: iptables -I INPUT 1 -s -j DROP +# +actionban = echo "+" >> /tmp/fail2ban.dummy + +# Option: fwunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: IP address +# unix timestamp of the ban time +# unix timestamp of the unban time +# Values: CMD +# Default: iptables -D INPUT -s -j DROP +# +actionunban = echo "-" >> /tmp/fail2ban.dummy diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf new file mode 100644 index 00000000..2da845f4 --- /dev/null +++ b/config/action.d/iptables.conf 
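Review bot: The comment headers in config/action.d/dummy.conf document options named `fwstart`, `fwend`, `fwcheck`, `fwban` and `fwunban`, but the keys actually defined are `actionstart`, `actionstop`, `actioncheck`, `actionban` and `actionunban`, and the `Default:` lines quote iptables commands that have nothing to do with this action; config/action.d/iptables.conf carries the same stale headers. Each header should name the real key, e.g. `# Option: actionstart`, and the dummy file's defaults should be the empty commands it really uses. The commands also `touch` and append to the fixed path `/tmp/fail2ban.dummy` with the server's privileges, and a pre-existing file or symlink at that path in the world-writable directory would be followed; a comment marking the action as test-only, or a path in a private directory, would be prudent. The `actionban`/`actionunban` values as printed (`echo "+" >>`) appear to have lost their tag placeholders, which looks like an extraction artifact rather than a defect in the file.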
@@ -0,0 +1,55 @@ +[DEFAULT] + +name = temporary +port = 22 + +# Option: protocol +# Notes.: internally used by config reader for interpolations. +# Values: [ tcp | udp | icmp | all ] Default: tcp +# +protocol = tcp + +# Option: fwstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD Default: +# +actionstart = iptables -N fail2ban-%(name)s + iptables -A fail2ban-%(name)s -j RETURN + iptables -I INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(name)s + +# Option: fwend +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD Default: +# +actionstop = iptables -D INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(name)s + iptables -F fail2ban-%(name)s + iptables -X fail2ban-%(name)s + +# Option: fwcheck +# Notes.: command executed once before each fwban command +# Values: CMD Default: +# +actioncheck = iptables -L INPUT | grep -q fail2ban-%(name)s + +# Option: fwban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: IP address +# number of failures +# unix timestamp of the last failure +# unix timestamp of the ban time +# Values: CMD +# Default: iptables -I INPUT 1 -s -j DROP +# +actionban = iptables -I fail2ban-%(name)s 1 -s -j DROP + +# Option: fwunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: IP address +# unix timestamp of the ban time +# unix timestamp of the unban time +# Values: CMD +# Default: iptables -D INPUT -s -j DROP +# +actionunban = iptables -D fail2ban-%(name)s -s -j DROP diff --git a/config/debian-initd b/config/debian-initd deleted file mode 100644 index 2c5c48d1..00000000 --- a/config/debian-initd +++ /dev/null 
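Review bot: `actioncheck = iptables -L INPUT | grep -q fail2ban-%(name)s` runs `iptables -L` without `-n`, so every check performs reverse DNS lookups on the listed addresses and can stall for as long as a banned host's PTR query takes; `iptables -n -L INPUT` avoids that. The `grep -q fail2ban-%(name)s` pattern is also a prefix match, so a chain for another jail whose name extends this one would satisfy the check; `grep -qw fail2ban-%(name)s` limits it to the whole chain name. The `actionban`/`actionunban` lines as printed (`-s -j DROP`) appear to have lost their address tag, presumably an extraction artifact.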
@@ -1,73 +0,0 @@ -#! /bin/sh -# -# Fail2Ban init.d file - to be launched on boot -# -# Written by Miquel van Smoorenburg . -# Modified for Debian -# by Ian Murdock . -# Adjusted for Fail2Ban -# by Yaroslav Halchenko . -# -# Version: $Id$ -# - -PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin -DAEMON=/usr/bin/fail2ban -NAME=fail2ban -DESC=fail2ban -PIDFILE=/var/run/$NAME.pid - -test -x $DAEMON || exit 0 - -# Include fail2ban defaults if available -if [ -f /etc/default/fail2ban ] ; then - . /etc/default/fail2ban -fi -DAEMON_OPTS=$FAIL2BAN_OPTS -set -e - -case "$1" in - start) - echo -n "Starting $DESC: " - [ -f $PIDFILE ] && [ ! -d /proc/`cat $PIDFILE` ] && rm -f $PIDFILE - start-stop-daemon --start --quiet --pidfile $PIDFILE \ - -b --exec $DAEMON -- $DAEMON_OPTS - echo "$NAME." - ;; - stop) - echo -n "Stopping $DESC: " - start-stop-daemon --stop --quiet --pidfile $PIDFILE - echo "$NAME." - ;; - restart|force-reload) - echo -n "Restarting $DESC: " - ( $0 stop ) - sleep 1 - $0 start - ;; - status) - echo -n "Status of $DESC: " - if [ ! -e "$PIDFILE" ]; then - echo "$NAME is not running." - exit 3 - fi - if [ ! -r "$PIDFILE" ]; then - echo "$PIDFILE not readable, status of $NAME unknown." - exit 4 - fi - if [ -d /proc/`cat "$PIDFILE"` ]; then - echo "$NAME is running." - exit 0 - else - echo "$NAME is not running but $PIDFILE exists." - exit 1 - fi - ;; - *) - N=/etc/init.d/$NAME - echo "Usage: $N {start|stop|restart|force-reload|status}" >&2 - exit 1 - ;; -esac - -exit 0 diff --git a/config/fail2ban.conf b/config/fail2ban.conf new file mode 100644 index 00000000..32a33411 --- /dev/null +++ b/config/fail2ban.conf @@ -0,0 +1,4 @@ +[DEFAULT] + +loglevel = 4 + diff --git a/config/fail2ban.conf.hostsdeny b/config/fail2ban.conf.hostsdeny deleted file mode 100644 index 05c9d582..00000000 --- a/config/fail2ban.conf.hostsdeny +++ /dev/null 
@@ -1,327 +0,0 @@ -# Fail2Ban configuration file -# -# $Revision$ -# -# 2005.06.21 modified for readability Iain Lea iain@bricbrac.de - -[DEFAULT] -# Option: background -# Notes.: start fail2ban as a daemon. Output is redirect to logfile. -# Values: [true | false] Default: false -# -background = false - -# Option: logtargets -# Notes.: log targets. Space separated list of logging targets. -# Values: STDERR SYSLOG file Default: /var/log/fail2ban.log -# -logtargets = /var/log/fail2ban.log - -# Option: syslog-target -# Notes.: where to find syslog facility if logtarget SYSLOG. -# Values: SOCKET HOST HOST:PORT Default: /dev/log -# -syslog-target = /dev/log - -# Option: syslog-facility -# Notes.: which syslog facility to use if logtarget SYSLOG. -# Values: NUM Default: 1 -# -syslog-facility = 1 - -# Option: pidlock -# Notes.: path of the PID lock file (must be able to write to file). -# Values: FILE Default: /var/run/fail2ban.pid -# -pidlock = /var/run/fail2ban.pid - -# Option: maxfailures -# Notes.: number of failures before IP gets banned. -# Values: NUM Default: 5 -# -maxfailures = 5 - -# Option: bantime -# Notes.: number of seconds an IP will be banned. If set to a negative -# value, IP will never be unbanned (permanent banning). -# Values: NUM Default: 600 -# -bantime = 600 - -# Option: findtime -# Notes.: lifetime in seconds of a "failed" log entry. -# Values: NUM Default: 600 -# -findtime = 600 - -# Option: ignoreip -# Notes.: space separated list of IP's to be ignored by fail2ban. -# You can use CIDR mask in order to specify a range. -# Example: ignoreip = 192.168.0.1/24 123.45.235.65 -# Values: IP Default: -# -ignoreip = - -# Option: cmdstart -# Notes.: command executed once at the start of Fail2Ban -# Values: CMD Default: -# -cmdstart = - -# Option: cmdend -# Notes.: command executed once at the end of Fail2Ban. -# Values: CMD Default: -# -cmdend = - -# Option: polltime -# Notes.: number of seconds fail2ban sleeps between iterations. 
-# Values: NUM Default: 1 -# -polltime = 1 - -# Option: reinittime -# Notes.: minimal number of seconds between the re-initialization of -# firewalls due to external changes in their rules (see fwcheck) -# Values: NUM Default: 100 -# -reinittime = 10 - -# Option: maxreinits -# Notes.: maximal number of re-initialization of firewalls due to external -# changes. -1 stays for infinite, so only reinittime is of importance -# Values: NUM Default: -1 -# -maxreinits = -1 - -# NOTE: Interpolations -# -# fwstart, as well as fwend, fwcheck, fwban, fwunban, use interpolations -# so %(__name__)s will be substituted by a name of each section -# (unless the option is overriden in a section). -# If you are going to use interpolations in your setup, please make -# sure that you specified options port and protocol (which also has -# an option in DEFAULT). -# - -# Option: hostsdeny -# Notes.: hosts.deny file path. -# Values: STR Default: /etc/hosts.deny -# -hostsdeny = /etc/hosts.deny - -# Option: fwban -# Notes.: command executed when banning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: IP address -# number of failures -# unix timestamp of the last failure -# unix timestamp of the ban time -# Values: CMD -# Default: iptables -I INPUT 1 -s -j DROP -# -fwban = IP= && echo "ALL: $IP" >> %(hostsdeny)s - -# Option: fwunban -# Notes.: command executed when unbanning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: IP address -# unix timestamp of the ban time -# unix timestamp of the unban time -# Values: CMD -# Default: iptables -D INPUT -s -j DROP -# -fwunban = IP= && sed -i.old s/ALL:\ $IP// %(hostsdeny)s - -[MAIL] -# Option: enabled -# Notes.: enable mail notification when banning an IP address. -# Values: [true | false] Default: false -# -enabled = false - -# Option: host -# Notes.: host running the mail server. 
-# Values: STR Default: localhost -# -host = localhost - -# Option: port -# Notes.: port of the mail server. -# Values: INT Default: 25 -# -port = 25 - -# Option: user -# Notes.: the username for smtp-server if authentification is required. -# if user is empty, no authentification is done. -# Values: STR Default: -# -user = - -# Option: password -# Notes.: the smtp-user's password if authentification is required. -# Values: STR Default: -# -password = - -# Option: from -# Notes.: e-mail address of the sender. -# Values: MAIL Default: fail2ban -# -from = fail2ban - -# Option: to -# Notes.: e-mail addresses of the receiver. Addresses are space -# separated. -# Values: MAIL Default: root -# -to = root - -# Option: localtime -# Notes.: report local time (including timezone) or GMT -# Values: [true | false] Default: false -# -localtime = true - -# Option: subject -# Notes.: subject of the e-mail. -# Tags:
active section (eg ssh, apache, etc) -# IP address -# number of failures -# unix timestamp of the last failure -# Values: TEXT Default: [Fail2Ban]
: Banned -# -subject = [Fail2Ban]
: Banned - -# Option: message -# Notes.: message of the e-mail. -# Tags:
active section (eg ssh, apache, etc) -# IP address -# number of failures -# unix timestamp of the last failure -#
new line -# Values: TEXT Default: -# -message = Hi,
- The IP has just been banned by Fail2Ban after - attempts against
.
- Regards,
- Fail2Ban - -# You can define a new section for each log file to check for -# password failure. Each section has to define the following -# options: logfile, fwban, fwunban, timeregex, timepattern, -# failregex. - - -[Apache] -# Option: enabled -# Notes.: enable monitoring for this section. -# Values: [true | false] Default: false -# -enabled = false - -# Option: logfile -# Notes.: logfile to monitor. -# Values: FILE Default: /var/log/httpd/access_log -# -logfile = /var/log/httpd/access_log - -# Option: timeregex -# Notes.: regex to match timestamp in Apache logfile. For TAI64N format, -# use timeregex = @[0-9a-f]{24} -# Values: [Wed Jan 05 15:08:01 2005] -# Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} -# -timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} - -# Option: timepattern -# Notes.: format used in "timeregex" fields definition. Note that '%' must be -# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule). -# For TAI64N format, use timepattern = tai64n -# Values: TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y -# -timepattern = %%a %%b %%d %%H:%%M:%%S %%Y - -# Option: failregex -# Notes.: regex to match the password failure messages in the logfile. -# Values: TEXT Default: authentication failure|user .* not found -# -failregex = authentication failure|user .* not found - - -[VSFTPD] -# Option: enabled -# Notes.: enable monitoring for this section. -# Values: [true | false] Default: false -# -enabled = false - -# Option: logfile -# Notes.: logfile to monitor. -# Values: FILE Default: /var/log/secure -# -logfile = /var/log/vsftpd.log - -# Option: port -# Notes.: specifies port to monitor -# Values: [ NUM | STRING ] Default: -# -port = ftp - -# Option: timeregex -# Notes.: regex to match timestamp in VSFTPD logfile. -# Values: [Mar 7 17:53:28] -# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} -# -timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} - -# Option: timepattern -# Notes.: format used in "timeregex" fields definition. 
Note that '%' must be -# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule) -# Values: TEXT Default: %%b %%d %%H:%%M:%%S -# -timepattern = %%b %%d %%H:%%M:%%S - -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. -# Values: TEXT Default: Authentication failure|Failed password|Invalid user -# -failregex = FAIL LOGIN - - -[SSH] -# Option: enabled -# Notes.: enable monitoring for this section. -# Values: [true | false] Default: true -# -enabled = true - -# Option: logfile -# Notes.: logfile to monitor. -# Values: FILE Default: /var/log/secure -# -logfile = /var/log/secure - -# Option: timeregex -# Notes.: regex to match timestamp in SSH logfile. For TAI64N format, -# use timeregex = @[0-9a-f]{24} -# Values: [Mar 7 17:53:28] -# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} -# -timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} - -# Option: timepattern -# Notes.: format used in "timeregex" fields definition. Note that '%' must be -# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule). -# For TAI64N format, use timepattern = tai64n -# Values: TEXT Default: %%b %%d %%H:%%M:%%S -# -timepattern = %%b %%d %%H:%%M:%%S - -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. -# Values: TEXT Default: Authentication failure|Failed password|Invalid user -# -failregex = Authentication failure|Failed password|Invalid user diff --git a/config/fail2ban.conf.iptables b/config/fail2ban.conf.iptables deleted file mode 100644 index 46da5466..00000000 --- a/config/fail2ban.conf.iptables +++ /dev/null 
@@ -1,362 +0,0 @@ -# Fail2Ban configuration file -# -# $Revision$ -# -# 2005.06.21 modified for readability Iain Lea iain@bricbrac.de - -[DEFAULT] -# Option: background -# Notes.: start fail2ban as a daemon. Output is redirect to logfile. -# Values: [true | false] Default: false -# -background = false - -# Option: logtargets -# Notes.: log targets. Space separated list of logging targets. -# Values: STDERR SYSLOG file Default: /var/log/fail2ban.log -# -logtargets = /var/log/fail2ban.log - -# Option: syslog-target -# Notes.: where to find syslog facility if logtarget SYSLOG. -# Values: SOCKET HOST HOST:PORT Default: /dev/log -# -syslog-target = /dev/log - -# Option: syslog-facility -# Notes.: which syslog facility to use if logtarget SYSLOG. -# Values: NUM Default: 1 -# -syslog-facility = 1 - -# Option: pidlock -# Notes.: path of the PID lock file (must be able to write to file). -# Values: FILE Default: /var/run/fail2ban.pid -# -pidlock = /var/run/fail2ban.pid - -# Option: maxfailures -# Notes.: number of failures before IP gets banned. -# Values: NUM Default: 5 -# -maxfailures = 5 - -# Option: bantime -# Notes.: number of seconds an IP will be banned. If set to a negative -# value, IP will never be unbanned (permanent banning). -# Values: NUM Default: 600 -# -bantime = 600 - -# Option: findtime -# Notes.: lifetime in seconds of a "failed" log entry. -# Values: NUM Default: 600 -# -findtime = 600 - -# Option: ignoreip -# Notes.: space separated list of IP's to be ignored by fail2ban. -# You can use CIDR mask in order to specify a range. -# Example: ignoreip = 192.168.0.1/24 123.45.235.65 -# Values: IP Default: -# -ignoreip = - -# Option: cmdstart -# Notes.: command executed once at the start of Fail2Ban -# Values: CMD Default: -# -cmdstart = - -# Option: cmdend -# Notes.: command executed once at the end of Fail2Ban. -# Values: CMD Default: -# -cmdend = - -# Option: polltime -# Notes.: number of seconds fail2ban sleeps between iterations. 
-# Values: NUM Default: 1 -# -polltime = 1 - -# Option: reinittime -# Notes.: minimal number of seconds between the re-initialization of -# firewalls due to external changes in their rules (see fwcheck) -# Values: NUM Default: 100 -# -reinittime = 10 - -# Option: maxreinits -# Notes.: maximal number of re-initialization of firewalls due to external -# changes. -1 stays for infinite, so only reinittime is of importance -# Values: NUM Default: -1 -# -maxreinits = -1 - -# NOTE: Interpolations -# -# fwstart, as well as fwend, fwcheck, fwban, fwunban, use interpolations -# so %(__name__)s will be substituted by a name of each section -# (unless the option is overriden in a section). -# If you are going to use interpolations in your setup, please make -# sure that you specified options port and protocol (which also has -# an option in DEFAULT). -# - -# Option: protocol -# Notes.: internally used by config reader for interpolations. -# Values: [ tcp | udp | icmp | all ] Default: tcp -# -protocol = tcp - -# Option: fwstart -# Notes.: command executed once at the start of Fail2Ban. -# Values: CMD Default: -# -fwstart = iptables -N fail2ban-%(__name__)s - iptables -A fail2ban-%(__name__)s -j RETURN - iptables -I INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s - -# Option: fwend -# Notes.: command executed once at the end of Fail2Ban -# Values: CMD Default: -# -fwend = iptables -D INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s - iptables -F fail2ban-%(__name__)s - iptables -X fail2ban-%(__name__)s - -# Option: fwcheck -# Notes.: command executed once before each fwban command -# Values: CMD Default: -# -fwcheck = iptables -L INPUT | grep -q fail2ban-%(__name__)s - -# Option: fwban -# Notes.: command executed when banning an IP. Take care that the -# command is executed with Fail2Ban user rights. 
-# Tags: IP address -# number of failures -# unix timestamp of the last failure -# unix timestamp of the ban time -# Values: CMD -# Default: iptables -I INPUT 1 -s -j DROP -# -fwban = iptables -I fail2ban-%(__name__)s 1 -s -j DROP - -# Option: fwunban -# Notes.: command executed when unbanning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: IP address -# unix timestamp of the ban time -# unix timestamp of the unban time -# Values: CMD -# Default: iptables -D INPUT -s -j DROP -# -fwunban = iptables -D fail2ban-%(__name__)s -s -j DROP - -[MAIL] -# Option: enabled -# Notes.: enable mail notification when banning an IP address. -# Values: [true | false] Default: false -# -enabled = false - -# Option: host -# Notes.: host running the mail server. -# Values: STR Default: localhost -# -host = localhost - -# Option: port -# Notes.: port of the mail server. -# Values: INT Default: 25 -# -port = 25 - -# Option: user -# Notes.: the username for smtp-server if authentification is required. -# if user is empty, no authentification is done. -# Values: STR Default: -# -user = - -# Option: password -# Notes.: the smtp-user's password if authentification is required. -# Values: STR Default: -# -password = - -# Option: from -# Notes.: e-mail address of the sender. -# Values: MAIL Default: fail2ban -# -from = fail2ban - -# Option: to -# Notes.: e-mail addresses of the receiver. Addresses are space -# separated. -# Values: MAIL Default: root -# -to = root - -# Option: localtime -# Notes.: report local time (including timezone) or GMT -# Values: [true | false] Default: false -# -localtime = true - -# Option: subject -# Notes.: subject of the e-mail. -# Tags:
active section (eg ssh, apache, etc) -# IP address -# number of failures -# unix timestamp of the last failure -# Values: TEXT Default: [Fail2Ban]
: Banned -# -subject = [Fail2Ban]
: Banned - -# Option: message -# Notes.: message of the e-mail. -# Tags:
active section (eg ssh, apache, etc) -# IP address -# number of failures -# unix timestamp of the last failure -#
new line -# Values: TEXT Default: -# -message = Hi,
- The IP has just been banned by Fail2Ban after - attempts against
.
- Regards,
- Fail2Ban - -# You can define a new section for each log file to check for -# password failure. Each section has to define the following -# options: logfile, fwban, fwunban, timeregex, timepattern, -# failregex. - - -[Apache] -# Option: enabled -# Notes.: enable monitoring for this section. -# Values: [true | false] Default: false -# -enabled = false - -# Option: logfile -# Notes.: logfile to monitor. -# Values: FILE Default: /var/log/httpd/access_log -# -logfile = /var/log/httpd/access_log - -# Option: port -# Notes.: specifies port to monitor -# Values: [ NUM | STRING ] Default: -# -port = http - -# Option: timeregex -# Notes.: regex to match timestamp in Apache logfile. For TAI64N format, -# use timeregex = @[0-9a-f]{24} -# Values: [Wed Jan 05 15:08:01 2005] -# Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} -# -timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} - -# Option: timepattern -# Notes.: format used in "timeregex" fields definition. Note that '%' must be -# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule). -# For TAI64N format, use timepattern = tai64n -# Values: TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y -# -timepattern = %%a %%b %%d %%H:%%M:%%S %%Y - -# Option: failregex -# Notes.: regex to match the password failure messages in the logfile. -# Values: TEXT Default: authentication failure|user .* not found -# -failregex = authentication failure|user .* not found - - -[VSFTPD] -# Option: enabled -# Notes.: enable monitoring for this section. -# Values: [true | false] Default: false -# -enabled = false - -# Option: logfile -# Notes.: logfile to monitor. -# Values: FILE Default: /var/log/secure -# -logfile = /var/log/vsftpd.log - -# Option: port -# Notes.: specifies port to monitor -# Values: [ NUM | STRING ] Default: -# -port = ftp - -# Option: timeregex -# Notes.: regex to match timestamp in VSFTPD logfile. 
-# Values: [Mar 7 17:53:28] -# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} -# -timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} - -# Option: timepattern -# Notes.: format used in "timeregex" fields definition. Note that '%' must be -# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule) -# Values: TEXT Default: %%b %%d %%H:%%M:%%S -# -timepattern = %%b %%d %%H:%%M:%%S - -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. -# Values: TEXT Default: Authentication failure|Failed password|Invalid user -# -failregex = FAIL LOGIN - - -[SSH] -# Option: enabled -# Notes.: enable monitoring for this section. -# Values: [true | false] Default: true -# -enabled = true - -# Option: logfile -# Notes.: logfile to monitor. -# Values: FILE Default: /var/log/secure -# -#logfile = /var/log/secure -logfile = /home/cyril/workspace/fail2ban-stable/log-test/test - -# Option: port -# Notes.: specifies port to monitor -# Values: [ NUM | STRING ] Default: -# -port = ssh - -# Option: timeregex -# Notes.: regex to match timestamp in SSH logfile. For TAI64N format, -# use timeregex = @[0-9a-f]{24} -# Values: [Mar 7 17:53:28] -# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} -# -timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} - -# Option: timepattern -# Notes.: format used in "timeregex" fields definition. Note that '%' must be -# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule). -# For TAI64N format, use timepattern = tai64n -# Values: TEXT Default: %%b %%d %%H:%%M:%%S -# -timepattern = %%b %%d %%H:%%M:%%S - -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. -# Values: TEXT Default: Authentication failure|Failed password|Invalid user -# -failregex = Authentication failure|Failed password|Invalid user diff --git a/config/fail2ban.conf.shorewall b/config/fail2ban.conf.shorewall deleted file mode 100644 index 2cb0fc46..00000000 
--- a/config/fail2ban.conf.shorewall
+++ /dev/null
@@ -1,314 +0,0 @@ -# Fail2Ban configuration file -# -# $Revision$ -# -# 2005.06.21 modified for readability Iain Lea iain@bricbrac.de - -[DEFAULT] -# Option: background -# Notes.: start fail2ban as a daemon. Output is redirect to logfile. -# Values: [true | false] Default: false -# -background = false - -# Option: logtargets -# Notes.: log targets. Space separated list of logging targets. -# Values: STDERR SYSLOG file Default: /var/log/fail2ban.log -# -logtargets = /var/log/fail2ban.log - -# Option: syslog-target -# Notes.: where to find syslog facility if logtarget SYSLOG. -# Values: SOCKET HOST HOST:PORT Default: /dev/log -# -syslog-target = /dev/log - -# Option: syslog-facility -# Notes.: which syslog facility to use if logtarget SYSLOG. -# Values: NUM Default: 1 -# -syslog-facility = 1 - -# Option: pidlock -# Notes.: path of the PID lock file (must be able to write to file). -# Values: FILE Default: /var/run/fail2ban.pid -# -pidlock = /var/run/fail2ban.pid - -# Option: maxfailures -# Notes.: number of failures before IP gets banned. -# Values: NUM Default: 5 -# -maxfailures = 5 - -# Option: bantime -# Notes.: number of seconds an IP will be banned. If set to a negative -# value, IP will never be unbanned (permanent banning). -# Values: NUM Default: 600 -# -bantime = 600 - -# Option: findtime -# Notes.: lifetime in seconds of a "failed" log entry. -# Values: NUM Default: 600 -# -findtime = 600 - -# Option: ignoreip -# Notes.: space separated list of IP's to be ignored by fail2ban. -# You can use CIDR mask in order to specify a range. -# Example: ignoreip = 192.168.0.1/24 123.45.235.65 -# Values: IP Default: -# -ignoreip = - -# Option: cmdstart -# Notes.: command executed once at the start of Fail2Ban -# Values: CMD Default: -# -cmdstart = - -# Option: cmdend -# Notes.: command executed once at the end of Fail2Ban. -# Values: CMD Default: -# -cmdend = - -# Option: polltime -# Notes.: number of seconds fail2ban sleeps between iterations. 
-# Values: NUM Default: 1 -# -polltime = 1 - -# Option: reinittime -# Notes.: minimal number of seconds between the re-initialization of -# firewalls due to external changes in their rules (see fwcheck) -# Values: NUM Default: 100 -# -reinittime = 10 - -# Option: maxreinits -# Notes.: maximal number of re-initialization of firewalls due to external -# changes. -1 stays for infinite, so only reinittime is of importance -# Values: NUM Default: -1 -# -maxreinits = -1 - -# NOTE: Interpolations -# -# fwstart, as well as fwend, fwcheck, fwban, fwunban, use interpolations -# so %(__name__)s will be substituted by a name of each section -# (unless the option is overriden in a section). -# If you are going to use interpolations in your setup, please make -# sure that you specified options port and protocol (which also has -# an option in DEFAULT). -# - -# Option: fwban -# Notes.: command executed when banning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: IP address -# number of failures -# unix timestamp of the last failure -# unix timestamp of the ban time -# Values: CMD -# Default: iptables -I INPUT 1 -s -j DROP -# -fwban = shorewall drop - -# Option: fwunban -# Notes.: command executed when unbanning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: IP address -# unix timestamp of the ban time -# unix timestamp of the unban time -# Values: CMD -# Default: iptables -D INPUT -s -j DROP -# -fwunban = shorewall allow - -[MAIL] -# Option: enabled -# Notes.: enable mail notification when banning an IP address. -# Values: [true | false] Default: false -# -enabled = false - -# Option: host -# Notes.: host running the mail server. -# Values: STR Default: localhost -# -host = localhost - -# Option: port -# Notes.: port of the mail server. -# Values: INT Default: 25 -# -port = 25 - -# Option: user -# Notes.: the username for smtp-server if authentification is required. 
-# if user is empty, no authentification is done. -# Values: STR Default: -# -user = - -# Option: password -# Notes.: the smtp-user's password if authentification is required. -# Values: STR Default: -# -password = - -# Option: from -# Notes.: e-mail address of the sender. -# Values: MAIL Default: fail2ban -# -from = fail2ban - -# Option: to -# Notes.: e-mail addresses of the receiver. Addresses are space -# separated. -# Values: MAIL Default: root -# -to = root - -# Option: localtime -# Notes.: report local time (including timezone) or GMT -# Values: [true | false] Default: false -# -localtime = true - -# Option: subject -# Notes.: subject of the e-mail. -# Tags:
active section (eg ssh, apache, etc) -# IP address -# number of failures -# unix timestamp of the last failure -# Values: TEXT Default: [Fail2Ban]
: Banned -# -subject = [Fail2Ban]
: Banned - -# Option: message -# Notes.: message of the e-mail. -# Tags:
active section (eg ssh, apache, etc) -# IP address -# number of failures -# unix timestamp of the last failure -#
new line -# Values: TEXT Default: -# -message = Hi,
- The IP has just been banned by Fail2Ban after - attempts against
.
- Regards,
- Fail2Ban - -# You can define a new section for each log file to check for -# password failure. Each section has to define the following -# options: logfile, fwban, fwunban, timeregex, timepattern, -# failregex. - - -[Apache] -# Option: enabled -# Notes.: enable monitoring for this section. -# Values: [true | false] Default: false -# -enabled = false - -# Option: logfile -# Notes.: logfile to monitor. -# Values: FILE Default: /var/log/httpd/access_log -# -logfile = /var/log/httpd/access_log - -# Option: timeregex -# Notes.: regex to match timestamp in Apache logfile. For TAI64N format, -# use timeregex = @[0-9a-f]{24} -# Values: [Wed Jan 05 15:08:01 2005] -# Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} -# -timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4} - -# Option: timepattern -# Notes.: format used in "timeregex" fields definition. Note that '%' must be -# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule). -# For TAI64N format, use timepattern = tai64n -# Values: TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y -# -timepattern = %%a %%b %%d %%H:%%M:%%S %%Y - -# Option: failregex -# Notes.: regex to match the password failure messages in the logfile. -# Values: TEXT Default: authentication failure|user .* not found -# -failregex = authentication failure|user .* not found - -[VSFTPD] -# Option: enabled -# Notes.: enable monitoring for this section. -# Values: [true | false] Default: false -# -enabled = false - -# Option: logfile -# Notes.: logfile to monitor. -# Values: FILE Default: /var/log/secure -# -logfile = /var/log/vsftpd.log - -# Option: timeregex -# Notes.: regex to match timestamp in VSFTPD logfile. -# Values: [Mar 7 17:53:28] -# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} -# -timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} - -# Option: timepattern -# Notes.: format used in "timeregex" fields definition. 
Note that '%' must be -# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule) -# Values: TEXT Default: %%b %%d %%H:%%M:%%S -# -timepattern = %%b %%d %%H:%%M:%%S - -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. -# Values: TEXT Default: Authentication failure|Failed password|Invalid user -# -failregex = FAIL LOGIN - - -[SSH] -# Option: enabled -# Notes.: enable monitoring for this section. -# Values: [true | false] Default: true -# -enabled = true - -# Option: logfile -# Notes.: logfile to monitor. -# Values: FILE Default: /var/log/secure -# -logfile = /var/log/secure - -# Option: timeregex -# Notes.: regex to match timestamp in SSH logfile. For TAI64N format, -# use timeregex = @[0-9a-f]{24} -# Values: [Mar 7 17:53:28] -# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} -# -timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2} - -# Option: timepattern -# Notes.: format used in "timeregex" fields definition. Note that '%' must be -# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule). -# For TAI64N format, use timepattern = tai64n -# Values: TEXT Default: %%b %%d %%H:%%M:%%S -# -timepattern = %%b %%d %%H:%%M:%%S - -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. -# Values: TEXT Default: Authentication failure|Failed password|Invalid user -# -failregex = Authentication failure|Failed password|Invalid user diff --git a/config/fail2ban.local b/config/fail2ban.local new file mode 100644 index 00000000..12b8a6f5 --- /dev/null +++ b/config/fail2ban.local @@ -0,0 +1,4 @@ +[DEFAULT] + +test = 4567 +prout = fuck you diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf new file mode 100644 index 00000000..e69de29b diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf new file mode 100644 index 00000000..7d2a007a --- /dev/null +++ b/config/filter.d/sshd.conf 
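Review bot: `fail2ban.local` is committed with the scratch entries `test = 4567` and `prout = fuck you`, which are neither real options nor a usable override template for `fail2ban.conf`. If the `.local` file is meant to ship, it should carry no keys or only commented examples of the real options (for instance `#loglevel = 4`), and the profanity should be removed before release. The `apache-auth.conf` filter added just after it is empty, which is worth a one-line comment stating that it is a stub so nobody enables a jail against it by mistake.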
@@ -0,0 +1,32 @@
+[DEFAULT]
+
+maxretry = 22
+
+# Option: logpath
+# Notes.: logfile to monitor.
+# Values: FILE Default: /var/log/secure
+#
+logpath = testcases/files/testcase01.log
+
+# Option: timeregex
+# Notes.: regex to match timestamp in SSH logfile. For TAI64N format,
+# use timeregex = @[0-9a-f]{24}
+# Values: [Mar 7 17:53:28]
+# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
+#
+timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
+
+# Option: timepattern
+# Notes.: format used in "timeregex" fields definition. Note that '%' must be
+# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
+# For TAI64N format, use timepattern = tai64n
+# Values: TEXT Default: %%b %%d %%H:%%M:%%S
+#
+timepattern = %%b %%d %%H:%%M:%%S
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile.
+# Values: TEXT Default: Authentication failure|Failed password|Invalid user
+#
+failregex = Authentication failure|Failed password|Invalid user
+
diff --git a/config/gentoo-confd b/config/gentoo-confd
deleted file mode 100644
index bea9017e..00000000
--- a/config/gentoo-confd
+++ /dev/null
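Review bot: `logpath = testcases/files/testcase01.log` ships a relative path to a test fixture as the value in the sshd filter, while the comment directly above still documents `Default: /var/log/secure`; an installed copy would watch a file that does not exist relative to the daemon's working directory and silently detect nothing. Either set `logpath = /var/log/secure` to match the documentation or mark the fixture path as a development override with a comment. `maxretry = 22` also appears here in a filter file while `jail.conf` in this commit sets `maxretry = 2` per jail; which value the reader ends up using is not visible from this hunk, so the duplicate deserves a comment or removal.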
@@ -1,23 +0,0 @@ -# This file is part of Fail2Ban. -# -# Fail2Ban is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# Fail2Ban is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with Fail2Ban; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# -# Author: Cyril Jaquier -# -# $Revision$ - -# Command line options for Fail2Ban. Refer to "fail2ban -h" for -# valid options. -FAIL2BAN_OPTS="-v" diff --git a/config/gentoo-initd b/config/gentoo-initd deleted file mode 100755 index 8cab7535..00000000 --- a/config/gentoo-initd +++ /dev/null 
@@ -1,50 +0,0 @@ -#!/sbin/runscript -# This file is part of Fail2Ban. -# -# Fail2Ban is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# Fail2Ban is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with Fail2Ban; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA -# -# Author: Sireyessire, Cyril Jaquier -# -# $Revision$ - -opts="start stop restart showlog" - -FAIL2BAN="/usr/bin/fail2ban" - -depend() { - need net - need logger - after iptables -} - -start() { - ebegin "Starting fail2ban" - ${FAIL2BAN} -b ${FAIL2BAN_OPTS} > /dev/null - eend $? "Failed to start fail2ban" -} - -stop() { - ebegin "Stopping fail2ban" - ${FAIL2BAN} -k > /dev/null - eend $? "Failed to stop fail2ban" -} - -zap() { - rm /var/run/fail2ban.pid -} - -showlog(){ - less /var/log/fail2ban.log -} diff --git a/config/jail.conf b/config/jail.conf new file mode 100644 index 00000000..66853517 --- /dev/null +++ b/config/jail.conf @@ -0,0 +1,21 @@ +[dummy] + +enabled = true +filter = sshd +action = dummy +maxretry = 2 +#bantime = 10 + +[SSH] + +enabled = false +filter = sshd +action = iptables +bantime = 10 + +[Apache-error] + +enabled = false +filter = apache-error +action = hostdeny + diff --git a/config/redhat-initd b/config/redhat-initd deleted file mode 100644 index 6e885ab5..00000000 --- a/config/redhat-initd +++ /dev/null 
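Review bot: `jail.conf` ships with the `[dummy]` jail enabled (`enabled = true`, `action = dummy`) and the real `[SSH]` jail disabled, so a fresh install routes bans to the dummy action and enforces nothing until the operator flips both flags; if this is intentional for development, a comment such as `# development jail, disable before release` above `[dummy]` would make that explicit. `[Apache-error]` references `filter = apache-error` and `action = hostdeny`, and I do not see matching `filter.d`/`action.d` definitions added in this commit; if they are absent, that jail will fail to load as soon as it is enabled. `#bantime = 10` under `[dummy]` is commented-out scratch and can be dropped.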
@@ -1,78 +0,0 @@ -#!/bin/bash -# -# fail2ban -# -# chkconfig: 345 91 9 -# description: if many unsuccessfull login attempts from some ip address \ -# during a short period happen, this address is banned \ -# by the firewall -# -# Author: Andrey G. Grozin -# -# $Revision$ - -# Source function library. -. /etc/init.d/functions - -# Get config. -. /etc/sysconfig/network - -# Check that networking is up. -[ "${NETWORKING}" = "no" ] && exit 0 -[ -f /etc/fail2ban.conf ] || exit 0 - -FAIL2BAN="/usr/bin/fail2ban" -PIDFILE="/var/run/fail2ban.pid" - -RETVAL=0 - -start() { - echo -n $"Starting fail2ban: " - "${FAIL2BAN}" -b > /dev/null - RETVAL=$? - echo -} - -stop() { - if [ -f "${PIDFILE}" ]; then - echo -n $"Stopping fail2ban: " - "${FAIL2BAN}" -k > /dev/null - echo - fi -} - -restart() { - stop - start -} - -# See how we were called. -case "$1" in - start) - start - ;; - stop) - stop - ;; - status) - status fail2ban - RETVAL=$? - ;; - reload) - restart - ;; - restart) - restart - ;; - condrestart) - if [ -f "${PIDFILE}" ]; then - restart - fi - ;; - *) - echo $"Usage: $0 {start|stop|status|restart|condrestart}" - exit 1 - ;; -esac - -exit $RETVAL diff --git a/doc/Doxyfile b/doc/Doxyfile new file mode 100644 index 00000000..39a9beae --- /dev/null +++ b/doc/Doxyfile 
@@ -0,0 +1,1237 @@ +# Doxyfile 1.4.6 + +# This file describes the settings to be used by the documentation system +# doxygen (www.doxygen.org) for a project +# +# All text after a hash (#) is considered a comment and will be ignored +# The format is: +# TAG = value [value, ...] +# For lists items can also be appended using: +# TAG += value [value, ...] +# Values that contain spaces should be placed between quotes (" ") + +#--------------------------------------------------------------------------- +# Project related configuration options +#--------------------------------------------------------------------------- + +# The PROJECT_NAME tag is a single word (or a sequence of words surrounded +# by quotes) that should identify the project. + +PROJECT_NAME = Fail2Ban + +# The PROJECT_NUMBER tag can be used to enter a project or revision number. +# This could be handy for archiving the generated documentation or +# if some version control system is used. + +PROJECT_NUMBER = 0.7 + +# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) +# base path where the generated documentation will be put. +# If a relative path is entered, it will be relative to the location +# where doxygen was started. If left blank the current directory will be used. + +OUTPUT_DIRECTORY = + +# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create +# 4096 sub-directories (in 2 levels) under the output directory of each output +# format and will distribute the generated files over these directories. +# Enabling this option can be useful when feeding doxygen a huge amount of +# source files, where putting all generated files in the same directory would +# otherwise cause performance problems for the file system. + +CREATE_SUBDIRS = NO + +# The OUTPUT_LANGUAGE tag is used to specify the language in which all +# documentation generated by doxygen is written. Doxygen will use this +# information to generate all constant output in the proper language. 
+# The default language is English, other supported languages are: +# Brazilian, Catalan, Chinese, Chinese-Traditional, Croatian, Czech, Danish, +# Dutch, Finnish, French, German, Greek, Hungarian, Italian, Japanese, +# Japanese-en (Japanese with English messages), Korean, Korean-en, Norwegian, +# Polish, Portuguese, Romanian, Russian, Serbian, Slovak, Slovene, Spanish, +# Swedish, and Ukrainian. + +OUTPUT_LANGUAGE = English + +# This tag can be used to specify the encoding used in the generated output. +# The encoding is not always determined by the language that is chosen, +# but also whether or not the output is meant for Windows or non-Windows users. +# In case there is a difference, setting the USE_WINDOWS_ENCODING tag to YES +# forces the Windows encoding (this is the default for the Windows binary), +# whereas setting the tag to NO uses a Unix-style encoding (the default for +# all platforms other than Windows). + +USE_WINDOWS_ENCODING = NO + +# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will +# include brief member descriptions after the members that are listed in +# the file and class documentation (similar to JavaDoc). +# Set to NO to disable this. + +BRIEF_MEMBER_DESC = YES + +# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend +# the brief description of a member or function before the detailed description. +# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the +# brief descriptions will be completely suppressed. + +REPEAT_BRIEF = YES + +# This tag implements a quasi-intelligent brief description abbreviator +# that is used to form the text in various listings. Each string +# in this list, if found as the leading text of the brief description, will be +# stripped from the text and the result after processing the whole list, is +# used as the annotated text. Otherwise, the brief description is used as-is. 
+# If left blank, the following values are used ("$name" is automatically +# replaced with the name of the entity): "The $name class" "The $name widget" +# "The $name file" "is" "provides" "specifies" "contains" +# "represents" "a" "an" "the" + +ABBREVIATE_BRIEF = + +# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then +# Doxygen will generate a detailed section even if there is only a brief +# description. + +ALWAYS_DETAILED_SEC = NO + +# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all +# inherited members of a class in the documentation of that class as if those +# members were ordinary class members. Constructors, destructors and assignment +# operators of the base classes will not be shown. + +INLINE_INHERITED_MEMB = NO + +# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full +# path before files name in the file list and in the header files. If set +# to NO the shortest path that makes the file name unique will be used. + +FULL_PATH_NAMES = NO + +# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag +# can be used to strip a user-defined part of the path. Stripping is +# only done if one of the specified strings matches the left-hand part of +# the path. The tag can be used to show relative paths in the file list. +# If left blank the directory from which doxygen is run is used as the +# path to strip. + +STRIP_FROM_PATH = + +# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of +# the path mentioned in the documentation of a class, which tells +# the reader which header file to include in order to use a class. +# If left blank only the name of the header file containing the class +# definition is used. Otherwise one should specify the include paths that +# are normally passed to the compiler using the -I flag. + +STRIP_FROM_INC_PATH = + +# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter +# (but less readable) file names. 
This can be useful is your file systems +# doesn't support long names like on DOS, Mac, or CD-ROM. + +SHORT_NAMES = NO + +# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen +# will interpret the first line (until the first dot) of a JavaDoc-style +# comment as the brief description. If set to NO, the JavaDoc +# comments will behave just like the Qt-style comments (thus requiring an +# explicit @brief command for a brief description. + +JAVADOC_AUTOBRIEF = NO + +# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen +# treat a multi-line C++ special comment block (i.e. a block of //! or /// +# comments) as a brief description. This used to be the default behaviour. +# The new default is to treat a multi-line C++ comment block as a detailed +# description. Set this tag to YES if you prefer the old behaviour instead. + +MULTILINE_CPP_IS_BRIEF = NO + +# If the DETAILS_AT_TOP tag is set to YES then Doxygen +# will output the detailed description near the top, like JavaDoc. +# If set to NO, the detailed description appears after the member +# documentation. + +DETAILS_AT_TOP = NO + +# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented +# member inherits the documentation from any documented member that it +# re-implements. + +INHERIT_DOCS = YES + +# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce +# a new page for each member. If set to NO, the documentation of a member will +# be part of the file/class/namespace that contains it. + +SEPARATE_MEMBER_PAGES = NO + +# The TAB_SIZE tag can be used to set the number of spaces in a tab. +# Doxygen uses this value to replace tabs by spaces in code fragments. + +TAB_SIZE = 4 + +# This tag can be used to specify a number of aliases that acts +# as commands in the documentation. An alias has the form "name=value". 
+# For example adding "sideeffect=\par Side Effects:\n" will allow you to +# put the command \sideeffect (or @sideeffect) in the documentation, which +# will result in a user-defined paragraph with heading "Side Effects:". +# You can put \n's in the value part of an alias to insert newlines. + +ALIASES = + +# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C +# sources only. Doxygen will then generate output that is more tailored for C. +# For instance, some of the names that are used will be different. The list +# of all members will be omitted, etc. + +OPTIMIZE_OUTPUT_FOR_C = NO + +# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java +# sources only. Doxygen will then generate output that is more tailored for Java. +# For instance, namespaces will be presented as packages, qualified scopes +# will look different, etc. + +OPTIMIZE_OUTPUT_JAVA = YES + +# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want to +# include (a tag file for) the STL sources as input, then you should +# set this tag to YES in order to let doxygen match functions declarations and +# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. +# func(std::string) {}). This also make the inheritance and collaboration +# diagrams that involve STL classes more complete and accurate. + +BUILTIN_STL_SUPPORT = NO + +# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC +# tag is set to YES, then doxygen will reuse the documentation of the first +# member in the group (if any) for the other members of the group. By default +# all members of a group must be documented explicitly. + +DISTRIBUTE_GROUP_DOC = NO + +# Set the SUBGROUPING tag to YES (the default) to allow class member groups of +# the same type (for instance a group of public functions) to be put as a +# subgroup of that type (e.g. under the Public Functions section). Set it to +# NO to prevent subgrouping. 
Alternatively, this can be done per class using +# the \nosubgrouping command. + +SUBGROUPING = YES + +#--------------------------------------------------------------------------- +# Build related configuration options +#--------------------------------------------------------------------------- + +# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in +# documentation are documented, even if no documentation was available. +# Private class members and static file members will be hidden unless +# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES + +EXTRACT_ALL = YES + +# If the EXTRACT_PRIVATE tag is set to YES all private members of a class +# will be included in the documentation. + +EXTRACT_PRIVATE = YES + +# If the EXTRACT_STATIC tag is set to YES all static members of a file +# will be included in the documentation. + +EXTRACT_STATIC = YES + +# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) +# defined locally in source files will be included in the documentation. +# If set to NO only classes defined in header files are included. + +EXTRACT_LOCAL_CLASSES = YES + +# This flag is only useful for Objective-C code. When set to YES local +# methods, which are defined in the implementation section but not in +# the interface are included in the documentation. +# If set to NO (the default) only methods in the interface are included. + +EXTRACT_LOCAL_METHODS = NO + +# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all +# undocumented members of documented classes, files or namespaces. +# If set to NO (the default) these members will be included in the +# various overviews, but no documentation section is generated. +# This option has no effect if EXTRACT_ALL is enabled. + +HIDE_UNDOC_MEMBERS = NO + +# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all +# undocumented classes that are normally visible in the class hierarchy. 
+# If set to NO (the default) these classes will be included in the various +# overviews. This option has no effect if EXTRACT_ALL is enabled. + +HIDE_UNDOC_CLASSES = NO + +# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all +# friend (class|struct|union) declarations. +# If set to NO (the default) these declarations will be included in the +# documentation. + +HIDE_FRIEND_COMPOUNDS = NO + +# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any +# documentation blocks found inside the body of a function. +# If set to NO (the default) these blocks will be appended to the +# function's detailed documentation block. + +HIDE_IN_BODY_DOCS = NO + +# The INTERNAL_DOCS tag determines if documentation +# that is typed after a \internal command is included. If the tag is set +# to NO (the default) then the documentation will be excluded. +# Set it to YES to include the internal documentation. + +INTERNAL_DOCS = NO + +# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate +# file names in lower-case letters. If set to YES upper-case letters are also +# allowed. This is useful if you have classes or files whose names only differ +# in case and if your file system supports case sensitive file names. Windows +# and Mac users are advised to set this option to NO. + +CASE_SENSE_NAMES = YES + +# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen +# will show members with their full class and namespace scopes in the +# documentation. If set to YES the scope will be hidden. + +HIDE_SCOPE_NAMES = NO + +# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen +# will put a list of the files that are included by a file in the documentation +# of that file. + +SHOW_INCLUDE_FILES = YES + +# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] +# is inserted in the documentation for inline members. 
+ +INLINE_INFO = YES + +# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen +# will sort the (detailed) documentation of file and class members +# alphabetically by member name. If set to NO the members will appear in +# declaration order. + +SORT_MEMBER_DOCS = YES + +# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the +# brief documentation of file, namespace and class members alphabetically +# by member name. If set to NO (the default) the members will appear in +# declaration order. + +SORT_BRIEF_DOCS = YES + +# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be +# sorted by fully-qualified names, including namespaces. If set to +# NO (the default), the class list will be sorted only by class name, +# not including the namespace part. +# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES. +# Note: This option applies only to the class list, not to the +# alphabetical list. + +SORT_BY_SCOPE_NAME = YES + +# The GENERATE_TODOLIST tag can be used to enable (YES) or +# disable (NO) the todo list. This list is created by putting \todo +# commands in the documentation. + +GENERATE_TODOLIST = YES + +# The GENERATE_TESTLIST tag can be used to enable (YES) or +# disable (NO) the test list. This list is created by putting \test +# commands in the documentation. + +GENERATE_TESTLIST = YES + +# The GENERATE_BUGLIST tag can be used to enable (YES) or +# disable (NO) the bug list. This list is created by putting \bug +# commands in the documentation. + +GENERATE_BUGLIST = YES + +# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or +# disable (NO) the deprecated list. This list is created by putting +# \deprecated commands in the documentation. + +GENERATE_DEPRECATEDLIST= YES + +# The ENABLED_SECTIONS tag can be used to enable conditional +# documentation sections, marked by \if sectionname ... \endif. 
+ +ENABLED_SECTIONS = + +# The MAX_INITIALIZER_LINES tag determines the maximum number of lines +# the initial value of a variable or define consists of for it to appear in +# the documentation. If the initializer consists of more lines than specified +# here it will be hidden. Use a value of 0 to hide initializers completely. +# The appearance of the initializer of individual variables and defines in the +# documentation can be controlled using \showinitializer or \hideinitializer +# command in the documentation regardless of this setting. + +MAX_INITIALIZER_LINES = 30 + +# Set the SHOW_USED_FILES tag to NO to disable the list of files generated +# at the bottom of the documentation of classes and structs. If set to YES the +# list will mention the files that were used to generate the documentation. + +SHOW_USED_FILES = YES + +# If the sources in your project are distributed over multiple directories +# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy +# in the documentation. The default is NO. + +SHOW_DIRECTORIES = NO + +# The FILE_VERSION_FILTER tag can be used to specify a program or script that +# doxygen should invoke to get the current version for each file (typically from the +# version control system). Doxygen will invoke the program by executing (via +# popen()) the command , where is the value of +# the FILE_VERSION_FILTER tag, and is the name of an input file +# provided by doxygen. Whatever the program writes to standard output +# is used as the file version. See the manual for examples. + +FILE_VERSION_FILTER = + +#--------------------------------------------------------------------------- +# configuration options related to warning and progress messages +#--------------------------------------------------------------------------- + +# The QUIET tag can be used to turn on/off the messages that are generated +# by doxygen. Possible values are YES and NO. If left blank NO is used. 
+ +QUIET = NO + +# The WARNINGS tag can be used to turn on/off the warning messages that are +# generated by doxygen. Possible values are YES and NO. If left blank +# NO is used. + +WARNINGS = YES + +# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings +# for undocumented members. If EXTRACT_ALL is set to YES then this flag will +# automatically be disabled. + +WARN_IF_UNDOCUMENTED = YES + +# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for +# potential errors in the documentation, such as not documenting some +# parameters in a documented function, or documenting parameters that +# don't exist or using markup commands wrongly. + +WARN_IF_DOC_ERROR = YES + +# This WARN_NO_PARAMDOC option can be abled to get warnings for +# functions that are documented, but have no documentation for their parameters +# or return value. If set to NO (the default) doxygen will only warn about +# wrong or incomplete parameter documentation, but not about the absence of +# documentation. + +WARN_NO_PARAMDOC = NO + +# The WARN_FORMAT tag determines the format of the warning messages that +# doxygen can produce. The string should contain the $file, $line, and $text +# tags, which will be replaced by the file and line number from which the +# warning originated and the warning text. Optionally the format may contain +# $version, which will be replaced by the version of the file (if it could +# be obtained via FILE_VERSION_FILTER) + +WARN_FORMAT = "$file:$line: $text" + +# The WARN_LOGFILE tag can be used to specify a file to which warning +# and error messages should be written. If left blank the output is written +# to stderr. 
+ +WARN_LOGFILE = + +#--------------------------------------------------------------------------- +# configuration options related to the input files +#--------------------------------------------------------------------------- + +# The INPUT tag can be used to specify the files and/or directories that contain +# documented source files. You may enter file names like "myfile.cpp" or +# directories like "/usr/src/myproject". Separate the files or directories +# with spaces. + +INPUT = ../server ../client ../testcases ../utils ../ + +# If the value of the INPUT tag contains directories, you can use the +# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp +# and *.h) to filter out the source-files in the directories. If left +# blank the following patterns are tested: +# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx +# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py + +FILE_PATTERNS = *.py + +# The RECURSIVE tag can be used to turn specify whether or not subdirectories +# should be searched for input files as well. Possible values are YES and NO. +# If left blank NO is used. + +RECURSIVE = NO + +# The EXCLUDE tag can be used to specify files and/or directories that should +# excluded from the INPUT source files. This way you can easily exclude a +# subdirectory from a directory tree whose root is specified with the INPUT tag. + +EXCLUDE = + +# The EXCLUDE_SYMLINKS tag can be used select whether or not files or +# directories that are symbolic links (a Unix filesystem feature) are excluded +# from the input. + +EXCLUDE_SYMLINKS = NO + +# If the value of the INPUT tag contains directories, you can use the +# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude +# certain files from those directories. 
Note that the wildcards are matched +# against the file with absolute path, so to exclude all test directories +# for example use the pattern */test/* + +EXCLUDE_PATTERNS = + +# The EXAMPLE_PATH tag can be used to specify one or more files or +# directories that contain example code fragments that are included (see +# the \include command). + +EXAMPLE_PATH = + +# If the value of the EXAMPLE_PATH tag contains directories, you can use the +# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp +# and *.h) to filter out the source-files in the directories. If left +# blank all files are included. + +EXAMPLE_PATTERNS = + +# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be +# searched for input files to be used with the \include or \dontinclude +# commands irrespective of the value of the RECURSIVE tag. +# Possible values are YES and NO. If left blank NO is used. + +EXAMPLE_RECURSIVE = NO + +# The IMAGE_PATH tag can be used to specify one or more files or +# directories that contain image that are included in the documentation (see +# the \image command). + +IMAGE_PATH = + +# The INPUT_FILTER tag can be used to specify a program that doxygen should +# invoke to filter for each input file. Doxygen will invoke the filter program +# by executing (via popen()) the command , where +# is the value of the INPUT_FILTER tag, and is the name of an +# input file. Doxygen will then use the output that the filter program writes +# to standard output. If FILTER_PATTERNS is specified, this tag will be +# ignored. + +INPUT_FILTER = + +# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern +# basis. Doxygen will compare the file name with each pattern and apply the +# filter if there is a match. The filters are a list of the form: +# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further +# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER +# is applied to all files. 
+ +FILTER_PATTERNS = + +# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using +# INPUT_FILTER) will be used to filter the input files when producing source +# files to browse (i.e. when SOURCE_BROWSER is set to YES). + +FILTER_SOURCE_FILES = NO + +#--------------------------------------------------------------------------- +# configuration options related to source browsing +#--------------------------------------------------------------------------- + +# If the SOURCE_BROWSER tag is set to YES then a list of source files will +# be generated. Documented entities will be cross-referenced with these sources. +# Note: To get rid of all source code in the generated output, make sure also +# VERBATIM_HEADERS is set to NO. + +SOURCE_BROWSER = YES + +# Setting the INLINE_SOURCES tag to YES will include the body +# of functions and classes directly in the documentation. + +INLINE_SOURCES = NO + +# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct +# doxygen to hide any special comment blocks from generated source code +# fragments. Normal C and C++ comments will always remain visible. + +STRIP_CODE_COMMENTS = YES + +# If the REFERENCED_BY_RELATION tag is set to YES (the default) +# then for each documented function all documented +# functions referencing it will be listed. + +REFERENCED_BY_RELATION = YES + +# If the REFERENCES_RELATION tag is set to YES (the default) +# then for each documented function all documented entities +# called/used by that function will be listed. + +REFERENCES_RELATION = YES + +# If the USE_HTAGS tag is set to YES then the references to source code +# will point to the HTML generated by the htags(1) tool instead of doxygen +# built-in source browser. The htags tool is part of GNU's global source +# tagging system (see http://www.gnu.org/software/global/global.html). You +# will need version 4.8.6 or higher. 
+ +USE_HTAGS = NO + +# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen +# will generate a verbatim copy of the header file for each class for +# which an include is specified. Set to NO to disable this. + +VERBATIM_HEADERS = YES + +#--------------------------------------------------------------------------- +# configuration options related to the alphabetical class index +#--------------------------------------------------------------------------- + +# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index +# of all compounds will be generated. Enable this if the project +# contains a lot of classes, structs, unions or interfaces. + +ALPHABETICAL_INDEX = NO + +# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then +# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns +# in which this list will be split (can be a number in the range [1..20]) + +COLS_IN_ALPHA_INDEX = 5 + +# In case all classes in a project start with a common prefix, all +# classes will be put under the same header in the alphabetical index. +# The IGNORE_PREFIX tag can be used to specify one or more prefixes that +# should be ignored while generating the index headers. + +IGNORE_PREFIX = + +#--------------------------------------------------------------------------- +# configuration options related to the HTML output +#--------------------------------------------------------------------------- + +# If the GENERATE_HTML tag is set to YES (the default) Doxygen will +# generate HTML output. + +GENERATE_HTML = YES + +# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `html' will be used as the default path. + +HTML_OUTPUT = html + +# The HTML_FILE_EXTENSION tag can be used to specify the file extension for +# each generated HTML page (for example: .htm,.php,.asp). 
If it is left blank +# doxygen will generate files with .html extension. + +HTML_FILE_EXTENSION = .html + +# The HTML_HEADER tag can be used to specify a personal HTML header for +# each generated HTML page. If it is left blank doxygen will generate a +# standard header. + +HTML_HEADER = + +# The HTML_FOOTER tag can be used to specify a personal HTML footer for +# each generated HTML page. If it is left blank doxygen will generate a +# standard footer. + +HTML_FOOTER = + +# The HTML_STYLESHEET tag can be used to specify a user-defined cascading +# style sheet that is used by each HTML page. It can be used to +# fine-tune the look of the HTML output. If the tag is left blank doxygen +# will generate a default style sheet. Note that doxygen will try to copy +# the style sheet file to the HTML output directory, so don't put your own +# stylesheet in the HTML output directory as well, or it will be erased! + +HTML_STYLESHEET = + +# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, +# files or namespaces will be aligned in HTML using tables. If set to +# NO a bullet list will be used. + +HTML_ALIGN_MEMBERS = YES + +# If the GENERATE_HTMLHELP tag is set to YES, additional index files +# will be generated that can be used as input for tools like the +# Microsoft HTML help workshop to generate a compressed HTML help file (.chm) +# of the generated HTML documentation. + +GENERATE_HTMLHELP = NO + +# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can +# be used to specify the file name of the resulting .chm file. You +# can add a path in front of the file if the result should not be +# written to the html output directory. + +CHM_FILE = + +# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can +# be used to specify the location (absolute path including file name) of +# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run +# the HTML help compiler on the generated index.hhp. 
+ +HHC_LOCATION = + +# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag +# controls if a separate .chi index file is generated (YES) or that +# it should be included in the master .chm file (NO). + +GENERATE_CHI = NO + +# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag +# controls whether a binary table of contents is generated (YES) or a +# normal table of contents (NO) in the .chm file. + +BINARY_TOC = NO + +# The TOC_EXPAND flag can be set to YES to add extra items for group members +# to the contents of the HTML help documentation and to the tree view. + +TOC_EXPAND = NO + +# The DISABLE_INDEX tag can be used to turn on/off the condensed index at +# top of each HTML page. The value NO (the default) enables the index and +# the value YES disables it. + +DISABLE_INDEX = NO + +# This tag can be used to set the number of enum values (range [1..20]) +# that doxygen will group on one line in the generated HTML documentation. + +ENUM_VALUES_PER_LINE = 4 + +# If the GENERATE_TREEVIEW tag is set to YES, a side panel will be +# generated containing a tree-like index structure (just like the one that +# is generated for HTML Help). For this to work a browser that supports +# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+, +# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are +# probably better off using the HTML help feature. + +GENERATE_TREEVIEW = NO + +# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be +# used to set the initial width (in pixels) of the frame in which the tree +# is shown. + +TREEVIEW_WIDTH = 250 + +#--------------------------------------------------------------------------- +# configuration options related to the LaTeX output +#--------------------------------------------------------------------------- + +# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will +# generate Latex output. 
+ +GENERATE_LATEX = NO + +# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `latex' will be used as the default path. + +LATEX_OUTPUT = latex + +# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be +# invoked. If left blank `latex' will be used as the default command name. + +LATEX_CMD_NAME = latex + +# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to +# generate index for LaTeX. If left blank `makeindex' will be used as the +# default command name. + +MAKEINDEX_CMD_NAME = makeindex + +# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact +# LaTeX documents. This may be useful for small projects and may help to +# save some trees in general. + +COMPACT_LATEX = NO + +# The PAPER_TYPE tag can be used to set the paper type that is used +# by the printer. Possible values are: a4, a4wide, letter, legal and +# executive. If left blank a4wide will be used. + +PAPER_TYPE = a4wide + +# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX +# packages that should be included in the LaTeX output. + +EXTRA_PACKAGES = + +# The LATEX_HEADER tag can be used to specify a personal LaTeX header for +# the generated latex document. The header should contain everything until +# the first chapter. If it is left blank doxygen will generate a +# standard header. Notice: only use this tag if you know what you are doing! + +LATEX_HEADER = + +# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated +# is prepared for conversion to pdf (using ps2pdf). The pdf file will +# contain links (just like the HTML output) instead of page references +# This makes the output suitable for online browsing using a pdf viewer. + +PDF_HYPERLINKS = NO + +# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of +# plain latex in the generated Makefile. 
Set this option to YES to get a +# higher quality PDF documentation. + +USE_PDFLATEX = NO + +# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. +# command to the generated LaTeX files. This will instruct LaTeX to keep +# running if errors occur, instead of asking the user for help. +# This option is also used when generating formulas in HTML. + +LATEX_BATCHMODE = NO + +# If LATEX_HIDE_INDICES is set to YES then doxygen will not +# include the index chapters (such as File Index, Compound Index, etc.) +# in the output. + +LATEX_HIDE_INDICES = NO + +#--------------------------------------------------------------------------- +# configuration options related to the RTF output +#--------------------------------------------------------------------------- + +# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output +# The RTF output is optimized for Word 97 and may not look very pretty with +# other RTF readers or editors. + +GENERATE_RTF = NO + +# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `rtf' will be used as the default path. + +RTF_OUTPUT = rtf + +# If the COMPACT_RTF tag is set to YES Doxygen generates more compact +# RTF documents. This may be useful for small projects and may help to +# save some trees in general. + +COMPACT_RTF = NO + +# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated +# will contain hyperlink fields. The RTF file will +# contain links (just like the HTML output) instead of page references. +# This makes the output suitable for online browsing using WORD or other +# programs which support those fields. +# Note: wordpad (write) and others do not support links. + +RTF_HYPERLINKS = NO + +# Load stylesheet definitions from file. Syntax is similar to doxygen's +# config file, i.e. a series of assignments. 
You only have to provide +# replacements, missing definitions are set to their default value. + +RTF_STYLESHEET_FILE = + +# Set optional variables used in the generation of an rtf document. +# Syntax is similar to doxygen's config file. + +RTF_EXTENSIONS_FILE = + +#--------------------------------------------------------------------------- +# configuration options related to the man page output +#--------------------------------------------------------------------------- + +# If the GENERATE_MAN tag is set to YES (the default) Doxygen will +# generate man pages + +GENERATE_MAN = NO + +# The MAN_OUTPUT tag is used to specify where the man pages will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `man' will be used as the default path. + +MAN_OUTPUT = man + +# The MAN_EXTENSION tag determines the extension that is added to +# the generated man pages (default is the subroutine's section .3) + +MAN_EXTENSION = .3 + +# If the MAN_LINKS tag is set to YES and Doxygen generates man output, +# then it will generate one additional man file for each entity +# documented in the real man page(s). These additional files +# only source the real man page, but without them the man command +# would be unable to find the correct page. The default is NO. + +MAN_LINKS = NO + +#--------------------------------------------------------------------------- +# configuration options related to the XML output +#--------------------------------------------------------------------------- + +# If the GENERATE_XML tag is set to YES Doxygen will +# generate an XML file that captures the structure of +# the code including all documentation. + +GENERATE_XML = NO + +# The XML_OUTPUT tag is used to specify where the XML pages will be put. +# If a relative path is entered the value of OUTPUT_DIRECTORY will be +# put in front of it. If left blank `xml' will be used as the default path. 
+ +XML_OUTPUT = xml + +# The XML_SCHEMA tag can be used to specify an XML schema, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_SCHEMA = + +# The XML_DTD tag can be used to specify an XML DTD, +# which can be used by a validating XML parser to check the +# syntax of the XML files. + +XML_DTD = + +# If the XML_PROGRAMLISTING tag is set to YES Doxygen will +# dump the program listings (including syntax highlighting +# and cross-referencing information) to the XML output. Note that +# enabling this will significantly increase the size of the XML output. + +XML_PROGRAMLISTING = YES + +#--------------------------------------------------------------------------- +# configuration options for the AutoGen Definitions output +#--------------------------------------------------------------------------- + +# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will +# generate an AutoGen Definitions (see autogen.sf.net) file +# that captures the structure of the code including all +# documentation. Note that this feature is still experimental +# and incomplete at the moment. + +GENERATE_AUTOGEN_DEF = NO + +#--------------------------------------------------------------------------- +# configuration options related to the Perl module output +#--------------------------------------------------------------------------- + +# If the GENERATE_PERLMOD tag is set to YES Doxygen will +# generate a Perl module file that captures the structure of +# the code including all documentation. Note that this +# feature is still experimental and incomplete at the +# moment. + +GENERATE_PERLMOD = NO + +# If the PERLMOD_LATEX tag is set to YES Doxygen will generate +# the necessary Makefile rules, Perl scripts and LaTeX code to be able +# to generate PDF and DVI output from the Perl module output. 
+ +PERLMOD_LATEX = NO + +# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be +# nicely formatted so it can be parsed by a human reader. This is useful +# if you want to understand what is going on. On the other hand, if this +# tag is set to NO the size of the Perl module output will be much smaller +# and Perl will parse it just the same. + +PERLMOD_PRETTY = YES + +# The names of the make variables in the generated doxyrules.make file +# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. +# This is useful so different doxyrules.make files included by the same +# Makefile don't overwrite each other's variables. + +PERLMOD_MAKEVAR_PREFIX = + +#--------------------------------------------------------------------------- +# Configuration options related to the preprocessor +#--------------------------------------------------------------------------- + +# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will +# evaluate all C-preprocessor directives found in the sources and include +# files. + +ENABLE_PREPROCESSING = YES + +# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro +# names in the source code. If set to NO (the default) only conditional +# compilation will be performed. Macro expansion can be done in a controlled +# way by setting EXPAND_ONLY_PREDEF to YES. + +MACRO_EXPANSION = NO + +# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES +# then the macro expansion is limited to the macros specified with the +# PREDEFINED and EXPAND_AS_DEFINED tags. + +EXPAND_ONLY_PREDEF = NO + +# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files +# in the INCLUDE_PATH (see below) will be search if a #include is found. + +SEARCH_INCLUDES = YES + +# The INCLUDE_PATH tag can be used to specify one or more directories that +# contain include files that are not input files but should be processed by +# the preprocessor. 
+ +INCLUDE_PATH = + +# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard +# patterns (like *.h and *.hpp) to filter out the header-files in the +# directories. If left blank, the patterns specified with FILE_PATTERNS will +# be used. + +INCLUDE_FILE_PATTERNS = + +# The PREDEFINED tag can be used to specify one or more macro names that +# are defined before the preprocessor is started (similar to the -D option of +# gcc). The argument of the tag is a list of macros of the form: name +# or name=definition (no spaces). If the definition and the = are +# omitted =1 is assumed. To prevent a macro definition from being +# undefined via #undef or recursively expanded use the := operator +# instead of the = operator. + +PREDEFINED = + +# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then +# this tag can be used to specify a list of macro names that should be expanded. +# The macro definition that is found in the sources will be used. +# Use the PREDEFINED tag if you want to use a different macro definition. + +EXPAND_AS_DEFINED = + +# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then +# doxygen's preprocessor will remove all function-like macros that are alone +# on a line, have an all uppercase name, and do not end with a semicolon. Such +# function macros are typically used for boiler-plate code, and will confuse +# the parser if not removed. + +SKIP_FUNCTION_MACROS = YES + +#--------------------------------------------------------------------------- +# Configuration::additions related to external references +#--------------------------------------------------------------------------- + +# The TAGFILES option can be used to specify one or more tagfiles. +# Optionally an initial location of the external documentation +# can be added for each tagfile. The format of a tag file without +# this location is as follows: +# TAGFILES = file1 file2 ... 
+# Adding location for the tag files is done as follows: +# TAGFILES = file1=loc1 "file2 = loc2" ... +# where "loc1" and "loc2" can be relative or absolute paths or +# URLs. If a location is present for each tag, the installdox tool +# does not have to be run to correct the links. +# Note that each tag file must have a unique name +# (where the name does NOT include the path) +# If a tag file is not located in the directory in which doxygen +# is run, you must also specify the path to the tagfile here. + +TAGFILES = + +# When a file name is specified after GENERATE_TAGFILE, doxygen will create +# a tag file that is based on the input files it reads. + +GENERATE_TAGFILE = + +# If the ALLEXTERNALS tag is set to YES all external classes will be listed +# in the class index. If set to NO only the inherited external classes +# will be listed. + +ALLEXTERNALS = NO + +# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed +# in the modules index. If set to NO, only the current project's groups will +# be listed. + +EXTERNAL_GROUPS = YES + +# The PERL_PATH should be the absolute path and name of the perl script +# interpreter (i.e. the result of `which perl'). + +PERL_PATH = /usr/bin/perl + +#--------------------------------------------------------------------------- +# Configuration options related to the dot tool +#--------------------------------------------------------------------------- + +# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will +# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base +# or super classes. Setting the tag to NO turns the diagrams off. Note that +# this option is superseded by the HAVE_DOT option below. This is only a +# fallback. It is recommended to install and use dot, since it yields more +# powerful graphs. 
+ +CLASS_DIAGRAMS = YES + +# If set to YES, the inheritance and collaboration graphs will hide +# inheritance and usage relations if the target is undocumented +# or is not a class. + +HIDE_UNDOC_RELATIONS = YES + +# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is +# available from the path. This tool is part of Graphviz, a graph visualization +# toolkit from AT&T and Lucent Bell Labs. The other options in this section +# have no effect if this option is set to NO (the default) + +HAVE_DOT = YES + +# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect inheritance relations. Setting this tag to YES will force the +# the CLASS_DIAGRAMS tag to NO. + +CLASS_GRAPH = YES + +# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for each documented class showing the direct and +# indirect implementation dependencies (inheritance, containment, and +# class references variables) of the class with other documented classes. + +COLLABORATION_GRAPH = YES + +# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen +# will generate a graph for groups, showing the direct groups dependencies + +GROUP_GRAPHS = YES + +# If the UML_LOOK tag is set to YES doxygen will generate inheritance and +# collaboration diagrams in a style similar to the OMG's Unified Modeling +# Language. + +UML_LOOK = NO + +# If set to YES, the inheritance and collaboration graphs will show the +# relations between templates and their instances. + +TEMPLATE_RELATIONS = NO + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT +# tags are set to YES then doxygen will generate a graph for each documented +# file showing the direct and indirect include dependencies of the file with +# other documented files. 
+ +INCLUDE_GRAPH = YES + +# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and +# HAVE_DOT tags are set to YES then doxygen will generate a graph for each +# documented header file showing the documented files that directly or +# indirectly include this file. + +INCLUDED_BY_GRAPH = YES + +# If the CALL_GRAPH and HAVE_DOT tags are set to YES then doxygen will +# generate a call dependency graph for every global function or class method. +# Note that enabling this option will significantly increase the time of a run. +# So in most cases it will be better to enable call graphs for selected +# functions only using the \callgraph command. + +CALL_GRAPH = NO + +# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen +# will graphical hierarchy of all classes instead of a textual one. + +GRAPHICAL_HIERARCHY = YES + +# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES +# then doxygen will show the dependencies a directory has on other directories +# in a graphical way. The dependency relations are determined by the #include +# relations between the files in the directories. + +DIRECTORY_GRAPH = YES + +# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images +# generated by dot. Possible values are png, jpg, or gif +# If left blank png will be used. + +DOT_IMAGE_FORMAT = png + +# The tag DOT_PATH can be used to specify the path where the dot tool can be +# found. If left blank, it is assumed the dot tool can be found in the path. + +DOT_PATH = + +# The DOTFILE_DIRS tag can be used to specify one or more directories that +# contain dot files that are included in the documentation (see the +# \dotfile command). + +DOTFILE_DIRS = + +# The MAX_DOT_GRAPH_WIDTH tag can be used to set the maximum allowed width +# (in pixels) of the graphs generated by dot. If a graph becomes larger than +# this value, doxygen will try to truncate the graph, so that it fits within +# the specified constraint. 
Beware that most browsers cannot cope with very +# large images. + +MAX_DOT_GRAPH_WIDTH = 1024 + +# The MAX_DOT_GRAPH_HEIGHT tag can be used to set the maximum allows height +# (in pixels) of the graphs generated by dot. If a graph becomes larger than +# this value, doxygen will try to truncate the graph, so that it fits within +# the specified constraint. Beware that most browsers cannot cope with very +# large images. + +MAX_DOT_GRAPH_HEIGHT = 1024 + +# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the +# graphs generated by dot. A depth value of 3 means that only nodes reachable +# from the root by following a path via at most 3 edges will be shown. Nodes +# that lay further from the root node will be omitted. Note that setting this +# option to 1 or 2 may greatly reduce the computation time needed for large +# code bases. Also note that a graph may be further truncated if the graph's +# image dimensions are not sufficient to fit the graph (see MAX_DOT_GRAPH_WIDTH +# and MAX_DOT_GRAPH_HEIGHT). If 0 is used for the depth value (the default), +# the graph is not depth-constrained. + +MAX_DOT_GRAPH_DEPTH = 0 + +# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent +# background. This is disabled by default, which results in a white background. +# Warning: Depending on the platform used, enabling this option may lead to +# badly anti-aliased labels on the edges of a graph (i.e. they become hard to +# read). + +DOT_TRANSPARENT = NO + +# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output +# files in one run (i.e. multiple -o and -T options on the command line). This +# makes dot run faster, but since only newer versions of dot (>1.8.10) +# support this, this feature is disabled by default. + +DOT_MULTI_TARGETS = YES + +# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will +# generate a legend page explaining the meaning of the various boxes and +# arrows in the dot generated graphs. 
+ +GENERATE_LEGEND = YES + +# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will +# remove the intermediate dot files that are used to generate +# the various graphs. + +DOT_CLEANUP = YES + +#--------------------------------------------------------------------------- +# Configuration::additions related to the search engine +#--------------------------------------------------------------------------- + +# The SEARCHENGINE tag specifies whether or not a search engine should be +# used. If set to NO the values of all tags below this one will be ignored. + +SEARCHENGINE = NO diff --git a/fail2ban b/fail2ban deleted file mode 100755 index 5eace8bd..00000000 --- a/fail2ban +++ /dev/null 
@@ -1,75 +0,0 @@ -#!/usr/bin/env python - -# This file is part of Fail2Ban. -# -# Fail2Ban is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# Fail2Ban is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with Fail2Ban; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - -# Author: Cyril Jaquier -# -# $Revision$ - -__author__ = "Cyril Jaquier" -__version__ = "$Revision$" -__date__ = "$Date$" -__copyright__ = "Copyright (c) 2004 Cyril Jaquier" -__license__ = "GPL" - -import sys, traceback, logging, locale - -# Set the locale with the user's default setting -try: - locale.setlocale(locale.LC_ALL, '') -except Exception: - print "Unable to set locale to " + `locale.getdefaultlocale()` - sys.exit(-1) - -# Inserts our own modules path first in the list -# fix for bug #343821 -sys.path.insert(1, "/usr/lib/fail2ban") - -# Now we can import our modules. -import fail2ban -from utils.pidlock import PIDLock - -# Get the instance of the logger. -logSys = logging.getLogger("fail2ban") - -# Get PID lock file instance -pidLock = PIDLock() - -# Handle all the unhandled exceptions -try: - # Start the application - fail2ban.main() -except SystemExit: - # We called sys.exit(). 
Nothing wrong so just pass - pass -except Exception, e: - # Print the exception data - (type, value, tb) = sys.exc_info() - tbStack = traceback.extract_tb(tb) - logSys.error("Fail2Ban got an unhandled exception and died.") - logSys.error("Type: " + `type.__name__` + "\n" + - "Value: " + `e.args` + "\n" + - "TB: " + `tbStack`) - # Try to clean up after ourselves - # just for extreme caution - wrapping with try - try: - fail2ban.restoreFwRules() - except Exception: - pass - # Remove the PID lock file. Should close #1239562 - pidLock.remove() - logging.shutdown() diff --git a/fail2ban-client b/fail2ban-client new file mode 100755 index 00000000..fa395b6e --- /dev/null +++ b/fail2ban-client 
@@ -0,0 +1,236 @@ +#!/usr/bin/env python +# This file is part of Fail2Ban. +# +# Fail2Ban is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# Fail2Ban is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Fail2Ban; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +# Author: Cyril Jaquier +# +# $Revision: 1.1 $ + +__author__ = "Cyril Jaquier" +__version__ = "$Revision: 1.1 $" +__date__ = "$Date: 2004/10/10 13:33:40 $" +__copyright__ = "Copyright (c) 2004 Cyril Jaquier" +__license__ = "GPL" + +import sys, string, os, pickle, re, logging, getopt, time + +# Inserts our own modules path first in the list +# fix for bug #343821 +sys.path.insert(1, "/usr/lib/fail2ban") + +# Now we can import our modules +from client.csocket import CSocket +from client.configurator import Configurator + +# Gets the instance of the logger. +logSys = logging.getLogger("fail2ban.client") + +## +# +# @todo This class needs cleanup. + +class Fail2banClient: + + def __init__(self): + self.argv = None + self.stream = None + self.conf = dict() + self.conf["cmdfile"] = None + self.conf["background"] = True + self.conf["dump"] = False + + def dispUsage(self): + """ Prints Fail2Ban command line options and exits + """ + print "Usage: "+self.argv[0]+" [OPTIONS] " + print + print "Fail2Ban v0.7 reads log file that contains password failure report" + print "and bans the corresponding IP addresses using firewall rules." 
+ print + print " -b start in background" + print " -f start in foreground" + print " -c configuration directory" + print " -s read command file" + print " -d dump configuration" + print " -h display this help message" + print + print "Report bugs to " + sys.exit(0) + + def getCmdLineOptions(self, optList): + """ Gets the command line options + """ + for opt in optList: + if opt[0] == "-d": + self.conf["dump"] = True + if opt[0] == "-b": + self.conf["background"] = True + if opt[0] == "-f": + self.conf["background"] = False + if opt[0] == "-s": + self.conf["cmdfile"] = opt[1] + if opt[0] in ["-h", "--help"]: + self.dispUsage() + + def ping(self): + return self.processCmd([["ping"]]) + + @staticmethod + def processCmd(cmd): + for c in cmd: + try: + client = CSocket() + except Exception, e: + logSys.error(e) + logSys.error("Arrggh... Start the server first") + return False + ret = client.send(c) + if ret[0] == 0: + logSys.info("OK : " + `ret[1]`) + else: + logSys.info("NOK: " + `ret[1].args`) + return False + return True + + ## + # Process a command line. + # + # Process one command line and exit. + # @param cmd the command line + + def processCommand(self, cmd): + if self.conf["dump"]: + self.readConfig() + self.dumpConfig(self.stream) + return True + + if len(sys.argv) < 2: + logSys.error("Add some options...") + return False + + if cmd[0] == "start" and len(cmd) == 1: + self.readConfig() + self.startServer(self.conf["background"]) + # Configure the server + self.processCmd(self.stream) + else: + try: + client = CSocket() + ret = client.send(cmd) + if ret[0] == 0: + logSys.info("OK : " + `ret[1]`) + return True + else: + logSys.info("NOK: " + `ret[1].args`) + return False + except SystemExit, e: + return True + except Exception, e: + logSys.error(e) + logSys.error("Arrggh... Start the server first") + return False + + ## + # Process a script file. + # + # Read each line of the file and execute the command. Lines which + # start with '#' are ignored. 
+ # @bug The splitting of the command is wrong and awful. + # @param file the path of the script file + + def processFile(self, file): + try: + handler = open(file) + except IOError: + logSys.fatal("Unable to open " + file) + return False + for line in handler: + l = line.strip() + if l.find('#') != 0: + s = re.split("\s+", l, 3) + j = list() + for i in s: + j.append(i.strip("'")) + self.processCommand(j) + return True + + ## + # Start Fail2Ban server. + # + # Start the Fail2ban server in daemon mode. + + def startServer(self, background = True): + args = list() + args.append("fail2ban-server") + if background: + args.append("-b") + else: + args.append("-f") + + pid = os.fork() + if pid == 0: + os.execv("fail2ban-server", args) + else: + # Wait for the server to start + while not self.ping(): + time.sleep(0.1) + + def start(self, argv): + # Command line options + self.argv = argv + + # Reads the command line options. + try: + cmdOpts = 'bfhc:s:d' + cmdLongOpts = ['help'] + optList, args = getopt.getopt(self.argv[1:], cmdOpts, cmdLongOpts) + except getopt.GetoptError: + self.dispUsage() + + self.getCmdLineOptions(optList) + + logSys.setLevel(logging.DEBUG) + # Add the default logging handler + stdout = logging.StreamHandler(sys.stdout) + # set a format which is simpler for console use + formatter = logging.Formatter('%(name)-16s: %(levelname)-6s %(message)s') + # tell the handler to use this format + stdout.setFormatter(formatter) + logSys.addHandler(stdout) + + if self.conf["cmdfile"] == None: + self.processCommand(args) + else: + self.processFile(self.conf["cmdfile"]) + + def readConfig(self): + # Read the configuration + cfg = Configurator() + cfg.setBaseDir("config") + cfg.readAll() + cfg.getAllOptions() + cfg.convertToProtocol() + self.stream = cfg.getConfigStream() + + @staticmethod + def dumpConfig(cmd): + for c in cmd: + print c + return True + +if __name__ == "__main__": + client = Fail2banClient() + client.start(sys.argv) 
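Review bot: `startServer` cannot fail: after `os.fork()` the parent loops `while not self.ping(): time.sleep(0.1)` with no bound, so if the child's `os.execv("fail2ban-server", args)` does not produce a listening server the client spins forever, and since `os.execv` takes a path rather than doing a PATH lookup, the bare name only resolves against the current working directory, i.e. whatever file of that name happens to sit there. Bound the wait and fail loudly, and resolve the server binary to a known location (for instance next to this script) instead of the working directory, as sketched below. Separately, `cmdOpts = 'bfhc:s:d'` accepts `-c` and `dispUsage` advertises it as the configuration directory, but `getCmdLineOptions` has no `-c` branch and `readConfig` hard-codes `cfg.setBaseDir("config")`, so the option is silently ignored; `processFile` also never closes `handler`, and its `len(sys.argv) < 2` check inside `processCommand` tests the process arguments rather than the `cmd` it was handed.
```python
	def startServer(self, background = True, maxTries = 100):
		# … unchanged: args construction …
		# Resolve the server next to this script; os.execv does not search PATH.
		serverPath = os.path.join(os.path.dirname(os.path.abspath(self.argv[0])), "fail2ban-server")
		pid = os.fork()
		if pid == 0:
			os.execv(serverPath, args)
		else:
			# Wait for the server to start, but give up after a bounded number of probes
			for i in range(maxTries):
				if self.ping():
					return True
				time.sleep(0.1)
			logSys.error("Server did not answer after " + `maxTries` + " attempts")
			return False
```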
diff --git a/fail2ban-server b/fail2ban-server
new file mode 100755
index 00000000..1d8ece42
--- /dev/null
+++ b/fail2ban-server
@@ -0,0 +1,122 @@
+#!/usr/bin/env python
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# Author: Cyril Jaquier
+#
+# $Revision: 1.1 $
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision: 1.1 $"
+__date__ = "$Date: 2004/10/10 13:33:40 $"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+from server.server import Server
+from utils.process import *
+import locale, getopt, logging, sys
+
+# Gets the instance of the logger.
+logSys = logging.getLogger("fail2ban")
+
+##
+# \mainpage Fail2Ban
+#
+# \section Introduction
+#
+# Fail2ban is designed to protect your server against brute force attacks.
+# Its first goal was to protect a SSH server.
+
+class Fail2banServer:
+
+ def __init__(self):
+ self.server = None
+ self.argv = None
+ self.conf = dict()
+ self.conf["background"] = True
+
+ def dispUsage(self):
+ """ Prints Fail2Ban command line options and exits
+ """
+ print "Usage: "+self.argv[0]+" [OPTIONS]"
+ print
+ print "Fail2Ban v0.7 reads log file that contains password failure report"
+ print "and bans the corresponding IP addresses using firewall rules."
+ print
+ print " -b start in background"
+ print " -f start in foreground"
+ print " -h display this help message"
+ print
+ print "Report bugs to "
+ sys.exit(0)
+
+ def getCmdLineOptions(self, optList):
+ """ Gets the command line options
+ """
+ for opt in optList:
+ if opt[0] == "-b":
+ self.conf["background"] = True
+ if opt[0] == "-f":
+ self.conf["background"] = False
+ if opt[0] in ["-h", "--help"]:
+ self.dispUsage()
+
+ #def sigTERMhandler(signum, frame):
+ # """ Handles the TERM signal when in daemon mode in order to
+ # exit properly.
+ # """
+ # logSys.debug("Signal handler called with sig "+`signum`)
+ # server.quit()
+
+ def start(self, argv):
+ # Command line options
+ self.argv = argv
+
+ # Reads the command line options.
+ try:
+ cmdOpts = 'bfh'
+ cmdLongOpts = ['help']
+ optList, args = getopt.getopt(self.argv[1:], cmdOpts, cmdLongOpts)
+ except getopt.GetoptError:
+ self.dispUsage()
+
+ self.getCmdLineOptions(optList)
+
+ # Add the default logging handler
+ stdout = logging.StreamHandler(sys.stdout)
+ # set a format which is simpler for console use
+ formatter = logging.Formatter('%(name)-16s: %(levelname)-6s %(message)s')
+ # tell the handler to use this format
+ stdout.setFormatter(formatter)
+ logSys.addHandler(stdout)
+
+ if self.conf["background"]:
+ retCode = createDaemon()
+ #signal.signal(signal.SIGTERM, sigTERMhandler)
+ if not retCode:
+ logSys.error("Unable to start daemon")
+ sys.exit(-1)
+
+ try:
+ self.server = Server()
+ self.server.start()
+ except Exception, e:
+ print e
+ self.server.quit()
+
+if __name__ == "__main__":
+ server = Fail2banServer()
+ server.start(sys.argv)
diff --git a/fail2ban-testcases b/fail2ban-testcases
new file mode 100755
index 00000000..3c427fe9
--- /dev/null
+++ b/fail2ban-testcases
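Review bot: The `except Exception, e:` handler at the end of `start` calls `self.server.quit()` even when the failure came from `Server()` itself, in which case `self.server` is still `None` and the handler dies with an AttributeError that hides the original error; it also reports with `print e` rather than the logger the method has just configured, and after `createDaemon()` has detached the process that output is presumably lost (assuming the helper redirects stdout, as daemonisers usually do — `from utils.process import *` hides where it comes from). Suggest `logSys.exception(e)` followed by `if self.server is not None: self.server.quit()`, and an explicit `from utils.process import createDaemon`. The commented-out `sigTERMhandler` and `signal.signal(...)` lines leave the daemon with no shutdown path on SIGTERM, which for a process that manages firewall rules deserves a tracked TODO rather than dead code.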
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+# Author: Cyril Jaquier
+#
+# $Revision: 1.1 $
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision: 1.1 $"
+__date__ = "$Date: 2004/10/10 13:33:40 $"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+
+import unittest, logging, sys
+
+from testcases import filtertestcase
+from testcases import servertestcase
+from testcases import failmanagertestcase
+from testcases import banmanagertestcase
+
+# Gets the instance of the logger.
+logSys = logging.getLogger("fail2ban")
+# Add the default logging handler
+stdout = logging.StreamHandler(sys.stdout)
+logSys.addHandler(stdout)
+logSys.setLevel(logging.FATAL)
+
+print "Fail2ban test suite. Please wait..."
+
+tests = unittest.TestSuite()
+
+# Filter
+tests.addTest(unittest.makeSuite(filtertestcase.IgnoreIP))
+tests.addTest(unittest.makeSuite(filtertestcase.LogFile))
+tests.addTest(unittest.makeSuite(filtertestcase.GetFailures))
+# Server
+#tests.addTest(unittest.makeSuite(servertestcase.StartStop))
+#tests.addTest(unittest.makeSuite(servertestcase.Transmitter))
+# FailManager
+tests.addTest(unittest.makeSuite(failmanagertestcase.AddFailure))
+# BanManager
+tests.addTest(unittest.makeSuite(banmanagertestcase.AddFailure))
+
+# Tests runner
+testRunner = unittest.TextTestRunner()
+testRunner.run(tests)
diff --git a/fail2ban.py b/fail2ban.py
deleted file mode 100755
index 1ab2ab90..00000000
--- a/fail2ban.py
+++ /dev/null
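Review bot: The result of the run is discarded on the last line, `testRunner.run(tests)`, so the script exits 0 whether or not the tests pass and cannot gate a build. Capture and propagate it: `result = testRunner.run(tests)` then `sys.exit(not result.wasSuccessful())`. The `from testcases import servertestcase` line is kept although both of its suites are commented out, so an import error in the server tests still breaks the whole runner; either drop the import or add a comment saying why the suites are disabled.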
@@ -1,542 +0,0 @@
-# This file is part of Fail2Ban.
-#
-# Fail2Ban is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# Fail2Ban is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with Fail2Ban; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-
-# Author: Cyril Jaquier
-# Modified by: Yaroslav Halchenko (SYSLOG, findtime)
-#
-# $Revision$
-
-__author__ = "Cyril Jaquier"
-__version__ = "$Revision$"
-__date__ = "$Date$"
-__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
-__license__ = "GPL"
-
-import time, sys, getopt, os, string, signal, logging, logging.handlers, copy
-from ConfigParser import *
-
-from version import version
-from firewall.firewall import Firewall
-from logreader.logreader import LogReader
-from confreader.configreader import ConfigReader
-from utils.mail import Mail
-from utils.pidlock import PIDLock
-from utils.dns import *
-from utils.process import *
-
-# Get the instance of the logger.
-logSys = logging.getLogger("fail2ban")
-
-# Get PID lock file instance
-pidLock = PIDLock()
-
-# Global variables
-logFwList = list()
-conf = dict()
-
-def dispUsage():
- """ Prints Fail2Ban command line options and exits
- """
- print "Usage: "+sys.argv[0]+" [OPTIONS]"
- print
- print "Fail2Ban v"+version+" reads log file that contains password failure report"
- print "and bans the corresponding IP addresses using firewall rules."
- print
- print " -b start in background"
- print " -c read configuration file FILE"
- print " -p create PID lock in FILE"
- print " -h display this help message"
- print " -i IP(s) to ignore"
- print " -k kill a currently running instance"
- print " -r allow a max of VALUE password failure [maxfailures]"
- print " -t
