This commit was manufactured by cvs2svn to create branch 'FAIL2BAN-0_5'.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_5@114 a942ae1a-1317-0410-a47c-b1dcaea8d605

CHANGELOG

@@ -0,0 +1,71 @@
+               __      _ _ ___ _               
+              / _|__ _(_) |_  ) |__  __ _ _ _  
+             |  _/ _` | | |/ /| '_ \/ _` | ' \ 
+             |_| \__,_|_|_/___|_.__/\__,_|_||_|
+
+=============================================================
+Fail2Ban (version 0.?.?)                           ??/??/2005
+=============================================================
+
+ver. 0.?.? (??/??/2005) - ???
+----------
+- Added an initd script for RedHat/Fedora. Thanks to Andrey
+  G. Grozin
+
+ver. 0.4.1 (06/30/2005) - stable
+----------
+- Fixed textToDNS method which generated wrong matches for
+  "rhost=12-xyz...". Thanks to Tom Pike
+- fail2ban.conf modified for readability. Thanks to Iain Lea
+- Added an initd script for Gentoo
+- Changed default PID lock file location from /tmp to
+  /var/run
+
+ver. 0.4.0 (04/24/2005) - stable
+----------
+- Fixed textToDNS which did not recognize strings like
+  "12-345-67-890.abcd.mnopqr.xyz"
+
+ver. 0.3.1 (03/31/2005) - beta
+----------
+- Corrected level of messages
+- Added DNS lookup support
+- Improved parsing speed. Only parse the new log messages
+- Added a second verbose level (-vv)
+
+ver. 0.3.0 (02/24/2005) - beta
+----------
+- Re-writting of parts of the code in order to handle several
+  log files with different rules
+- Removed sshd.py because it is no more needed
+- Fixed a bug when exiting with IP in the ban list
+- Added PID lock file
+- Improved some parts of the code
+- Added ipfw-start-rule option (thanks to Robert Edeker)
+- Added -k option which kills a currently running Fail2Ban
+
+ver. 0.1.2 (11/21/2004) - beta
+----------
+- Add ipfw and ipfwadm support. The rules are taken from
+  BlockIt. Thanks to Robert Edeker
+- Add -e option which allows to set the interface. Thanks to
+  Robert Edeker who reminded me this
+- Small code cleaning
+
+ver. 0.1.1 (10/23/2004) - beta
+----------
+- Add SIGTERM handler in order to exit nicely when in daemon
+  mode
+- Add -r option which allows to set the maximum number of
+  login failures
+- Remove the Metalog class as the log file are not so syslog
+  daemon specific
+- Rewrite log reader to be service centered. Sshd support
+  added. Match "Failed password" and "Illegal user"
+- Add /etc/fail2ban.conf configuration support
+- Code documentation
+
+
+ver. 0.1.0 (10/12/2004) - alpha
+----------
+- Initial release

MANIFEST

@@ -0,0 +1,21 @@
+README
+CHANGELOG
+TODO
+setup.cfg
+setup.py
+version.py
+fail2ban.py
+firewall/__init__.py
+firewall/firewall.py
+firewall/iptables.py
+firewall/ipfw.py
+firewall/ipfwadm.py
+logreader/__init__.py
+logreader/logreader.py
+confreader/__init__.py
+confreader/configreader.py
+utils/__init__.py
+utils/dns.py
+config/fail2ban.conf.default
+config/gentoo-initd
+config/gentoo-confd

README

@@ -0,0 +1,145 @@
+               __      _ _ ___ _               
+              / _|__ _(_) |_  ) |__  __ _ _ _  
+             |  _/ _` | | |/ /| '_ \/ _` | ' \ 
+             |_| \__,_|_|_/___|_.__/\__,_|_||_|
+
+=============================================================
+Fail2Ban (version 0.4.1)                           06/30/2005
+=============================================================
+
+Fail2Ban scans log files like /var/log/pwdfail and bans IP
+that makes too many password failures. It updates firewall
+rules to reject the IP address. Currently iptables, ipfw and
+ipfwadm are supported. Fail2Ban can read multiple log files
+such as sshd or Apache web server ones. It needs log4py.
+
+This is my first Python program. Moreover, English is not my
+mother tongue...
+
+
+More details:
+-------------
+
+Fail2Ban is rather simple. I have a home server connected to
+the Internet which runs apache, samba, sshd, ... I see in my
+logs that people are trying to log into my box using "manual"
+brute force or scripts. They try 10, 20 and sometimes more
+user/password (without success anyway). In order to
+discourage these script kiddies, I wanted that sshd refuse
+login from a specific ip after 3 password failures. After
+some Google searches, I found that sshd was not able of that.
+So I search for a script or program that do it. I found
+nothing :-( So I decide to write mine and to learn Python :-)
+
+For each sections defined in the configuration file, Fail2Ban
+tries to find lines which match the failregex. Then it
+retrieves the message time using timeregex and timepattern.
+It finally gets the ip and if it has already done 3 or more
+password failures in the last banTime, the ip is banned for
+banTime using a firewall rule. After banTime, the rule is
+deleted. Notice that if no "plain" ip is available, Fail2Ban
+try to do DNS lookup in order to found one or several ip's to
+ban.
+
+Sections can be freely added so it is possible to monitor
+several daemons at the same time.
+
+Runs on my server and does its job rather well :-) The idea
+is to make fail2ban usable with daemons and services that
+require a login (sshd, telnetd, ...). It should also support
+others firewalls than iptables.
+
+
+Installation:
+-------------
+
+Require: python-2.3 (http://www.python.org)
+         log4py-1.1 (http://sourceforge.net/projects/log4py)
+
+To install, just do:
+
+> tar xvfj fail2ban-0.4.1.tar.bz2
+> cd fail2ban-0.4.1
+> python setup.py install
+
+This will install Fail2Ban into /usr/lib/fail2ban. The
+fail2ban.py executable is placed into /usr/bin.
+
+For Gentoo users, an ebuild is available on the website.
+
+Fail2Ban should now be correctly installed. Just type:
+
+> fail2ban.py -h
+
+to see if everything is alright. You can configure fail2ban
+with a config file. Copy config/fail2ban.conf.default to
+/etc/fail2ban.conf.
+
+Gentoo users can use the initd script available in config/.
+Copy gentoo-initd to /etc/init.d/fail2ban and gentoo-confd
+to /etc/conf.d/fail2ban. You can start fail2ban and add it
+to your default runlevel:
+
+> /etc/init.d/fail2ban start
+> rc-update add fail2ban default
+
+Configuration:
+--------------
+
+You can configure fail2ban using the file /etc/fail2ban.conf
+or using command line options. Command line options override
+the value stored in fail2ban.conf. Here are the command line
+options:
+
+  -b         start fail2ban in background
+  -d         start fail2ban in debug mode
+  -e <INTF>  ban IP on the INTF interface
+  -c <FILE>  read configuration file FILE
+  -p <FILE>  create PID lock in FILE
+  -h         display this help message
+  -i <IP(s)> IP(s) to ignore
+  -k         kill a currently running Fail2Ban instance
+  -l <FILE>  log message in FILE
+  -r <VALUE> allow a max of VALUE password failure
+  -t <TIME>  ban IP for TIME seconds
+  -v         verbose. Use twice for greater effect
+  -w <FIWA>  select the firewall to use. Can be iptables,
+             ipfwadm or ipfw
+
+Contact:
+--------
+
+You need some new features, you found bugs or you just
+appreciate this program, you can contact me at :
+
+Website: http://www.sourceforge.net/projects/fail2ban
+
+Cyril Jaquier: <lostcontrol@users.sourceforge.net>
+
+
+Thanks:
+-------
+
+Kévin Drapel, Marvin Rouge, Sireyessire, Robert Edeker,
+Tom Pike, Iain Lea
+
+
+License:
+--------
+
+Fail2Ban is free software; you can redistribute it
+and/or modify it under the terms of the GNU General Public
+License as published by the Free Software Foundation; either
+version 2 of the License, or (at your option) any later
+version.
+
+Fail2Ban is distributed in the hope that it will be
+useful, but WITHOUT ANY WARRANTY; without even the implied
+warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+PURPOSE.  See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public
+License along with Fail2Ban; if not, write to the Free
+Software Foundation, Inc., 59 Temple Place, Suite 330,
+Boston, MA  02111-1307  USA

TODO

@@ -0,0 +1,15 @@
+               __      _ _ ___ _               
+              / _|__ _(_) |_  ) |__  __ _ _ _  
+             |  _/ _` | | |/ /| '_ \/ _` | ' \ 
+             |_| \__,_|_|_/___|_.__/\__,_|_||_|
+
+=============================================================
+ToDo
+=============================================================
+
+- cleanup fail2ban.py
+- improve configuration file and command line options
+  handling
+- improve installation process
+- add init script
+- use FAM (inotify, gamin, ...)

config/fail2ban.conf.default

@@ -0,0 +1,143 @@
+# Fail2Ban configuration file
+#
+# $Revision$
+#
+# 2005.06.21  modified for readability  Iain Lea  iain@bricbrac.de
+
+[DEFAULT]
+# Option:  firewall
+# Notes.:  select the firewall system to use.
+# Values:  [iptables | ipfwadm | ipfw]  Default:  iptables
+#
+firewall = iptables
+
+# Option:  ipfw-start-rule
+# Notes.:  set first firewall rule number used (only used if firewall = ipfw).
+# Values:  NUM  Default:  100
+#
+ipfw-start-rule = 100
+
+# Option:  background
+# Notes.:  start fail2ban as a daemon. Output is redirect to logfile.
+# Values:  [true | false]  Default:  false
+#
+background = false
+
+# Option:  debug
+# Notes.:  enable debug mode. More verbose output and bypass root user test.
+# Values:  [true | false]  Default:  false
+#
+debug = false
+
+# Option:  pidlock
+# Notes.:  path of the PID lock file (must be able to write to file).
+# Values:  FILE  Default:  /var/run/fail2ban.pid
+#
+pidlock = /var/run/fail2ban.pid
+
+# Option:  logfile
+# Notes.:  logfile for logging fail2ban messages.
+# Values:  FILE  Default:  /var/log/fail2ban.log
+#
+logfile = /var/log/fail2ban.log
+
+# Option:  maxretry
+# Notes.:  number of retrys before IP gets banned.
+# Values:  NUM  Default:  3
+#
+maxretry = 3
+
+# Option:  bantime
+# Notes.:  number of seconds an IP will be banned.
+# Values:  NUM  Default:  600
+#
+bantime = 600
+
+# Option:  ignoreip
+# Notes.:  space separated list of IP's to be ignored by fail2ban
+#          Example:  ignoreip = 192.168.0.1 123.45.235.65
+# Values:  IP  Default:  
+#
+ignoreip = 
+
+# Option:  interface
+# Notes.:  interface name on which the IP will be banned.
+# Values:  INT  Default:  eth0
+#
+interface = eth0
+
+# Option:  polltime
+# Notes.:  number of seconds fail2ban sleeps between iterations.
+# Values:  NUM  Default:  1
+#
+polltime = 1
+
+# You can define a new section for each log file to check for
+# password failure. Each section has to define the following
+# options: logfile, timeregex, timepattern, failregex.
+
+[Apache]
+# Option:  enabled
+# Notes.:  enable monitoring for this section.
+# Values:  [true | false]  Default:  false
+#
+enabled = false
+
+# Option:  logfile
+# Notes.:  logfile to monitor.
+# Values:  FILE  Default:  /var/log/httpd/access_log
+#
+logfile = /var/log/httpd/access_log
+
+# Option:  timeregex
+# Notes.:  regex to match timestamp in Apache logfile.
+# Values:  [Wed Jan 05 15:08:01 2005]  
+# Default  \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
+#
+timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
+
+# Option:  timepattern
+# Notes.:  format used in "timeregex" fields definition. Note that '%' must be
+#          escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
+# Values:  TEXT  Default:  %%a %%b %%d %%H:%%M:%%S %%Y
+#
+timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
+
+# Option:  failregex
+# Notes.:  regex to match the password failure messages in the logfile.
+# Values:  TEXT  Default:  authentication failure|user .* not found
+#
+failregex = authentication failure|user .* not found
+
+[SSH]
+# Option:  enabled
+# Notes.:  enable monitoring for this section.
+# Values:  [true | false]  Default:  true
+#
+enabled = true
+
+# Option:  logfile
+# Notes.:  logfile to monitor.
+# Values:  FILE  Default:  /var/log/secure
+#
+logfile = /var/log/secure
+
+# Option:  timeregex
+# Notes.:  regex to match timestamp in SSH logfile.
+# Values:  [Mar  7 17:53:28]  
+# Default  \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
+#
+timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
+
+# Option:  timepattern
+# Notes.:  format used in "timeregex" fields definition. Note that '%' must be
+#          escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
+# Values:  TEXT  Default:  %%b %%d %%H:%%M:%%S
+#
+timepattern = %%b %%d %%H:%%M:%%S
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile.
+# Values:  TEXT  Default:  Authentication failure|Failed password|Invalid user
+#
+failregex = Authentication failure|Failed password|Invalid user

config/gentoo-confd

@@ -0,0 +1,23 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# Author: Cyril Jaquier
+# 
+# $Revision$
+
+# Command line options for Fail2Ban. Refer to "fail2ban.py -h" for
+# valid options.
+FAIL2BAN_OPTS="-v"

config/gentoo-initd

@@ -0,0 +1,50 @@
+#!/sbin/runscript
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+#
+# Author: Sireyessire, Cyril Jaquier
+# 
+# $Revision$
+
+opts="start stop restart showlog"
+
+FAIL2BAN="/usr/bin/fail2ban.py"
+
+depend() {
+	need net
+	need logger
+	after iptables
+}
+
+start() {
+	ebegin "Starting fail2ban"
+	${FAIL2BAN} -b ${FAIL2BAN_OPTS}
+	eend $? "Failed to start fail2ban"
+}
+
+stop() {
+	ebegin "Stopping fail2ban"
+	${FAIL2BAN} -k
+	eend $? "Failed to stop fail2ban"
+}
+
+zap() {
+	rm /var/run/fail2ban.pid
+}
+
+showlog(){
+	less /var/log/fail2ban.log
+}

config/redhat-initd

@@ -0,0 +1,78 @@
+#!/bin/bash
+#
+# fail2ban
+#
+# chkconfig: 345 91 9
+# description: if many unsuccessfull login attempts from some ip address \
+#              during a short period happen, this address is banned \
+#              by the firewall
+#
+# Author: Andrey G. Grozin
+# 
+# $Revision$
+
+# Source function library.
+. /etc/init.d/functions
+
+# Get config.
+. /etc/sysconfig/network
+
+# Check that networking is up.
+[ "${NETWORKING}" = "no" ] && exit 0
+[ -f /etc/fail2ban.conf ] || exit 0
+
+FAIL2BAN="/usr/bin/fail2ban.py"
+PIDFILE="/var/run/fail2ban.pid"
+
+RETVAL=0
+
+start() {
+    echo -n $"Starting fail2ban: "
+    "${FAIL2BAN}" -b
+    RETVAL=$?
+    echo
+}
+
+stop() {
+    if [ -f "${PIDFILE}" ]; then
+	echo -n $"Stopping fail2ban: "
+	"${FAIL2BAN}" -k
+	echo
+    fi
+}
+
+restart() {
+    stop
+    start
+}
+
+# See how we were called.
+case "$1" in
+  start)
+        start
+        ;;
+  stop)
+        stop
+        ;;
+  status)
+        status fail2ban.py
+        RETVAL=$?
+        ;;
+  reload)
+        restart
+        ;;
+  restart)
+        restart
+        ;;
+  condrestart)
+        if [ -f "${PIDFILE}" ]; then
+            restart
+        fi
+        ;;
+  *)
+        echo $"Usage: $0 {start|stop|status|restart|condrestart}"
+        exit 1
+        ;;
+esac
+
+exit $RETVAL

confreader/__init__.py

@@ -0,0 +1,25 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+# Author: Cyril Jaquier
+# 
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"

confreader/configreader.py

@@ -0,0 +1,80 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+# Author: Cyril Jaquier
+# 
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+from ConfigParser import *
+
+class ConfigReader:
+	""" This class allow the handling of the configuration options.
+		The DEFAULT section contains the global information about
+		Fail2Ban. Each other section is for a different log file.
+	"""
+	
+	# Each optionValues entry is composed of an array with:
+	# 0 -> the type of the option
+	# 1 -> the name of the option
+	# 2 -> the default value for the option
+	optionValues = (["bool", "enabled", True],
+					["str", "logfile", "/dev/null"],
+					["str", "timeregex", ""],
+					["str", "timepattern", ""],
+					["str", "failregex", ""])
+	
+	def __init__(self, logSys, confPath):
+		self.confPath = confPath
+		self.configParser = SafeConfigParser()
+		self.logSys = logSys
+		
+	def openConf(self):
+		""" Opens the configuration file.
+		"""
+		self.configParser.read(self.confPath)
+	
+	def getSections(self):
+		""" Returns all the sections present in the configuration
+			file except the DEFAULT section.
+		"""
+		return self.configParser.sections()
+		
+	def getLogOptions(self, sec):
+		""" Gets all the options of a given section. The options
+			are defined in the optionValues list.
+		"""
+		values = dict()
+		for option in self.optionValues:
+			try:
+				if option[0] == "bool":
+					v = self.configParser.getboolean(sec, option[1])
+				elif option[0] == "int":
+					v = self.configParser.getint(sec, option[1])
+				else:
+					v = self.configParser.get(sec, option[1])
+				
+				values[option[1]] = v
+			except NoOptionError:
+				self.logSys.warn("No '"+option[1]+"' defined in '"+sec+"'")
+				values[option[1]] = option[2]
+		return values
+		

fail2ban.py

@@ -0,0 +1,551 @@
+#!/usr/bin/env python
+
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+# Author: Cyril Jaquier
+# 
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+import time, sys, getopt, os, signal, string
+from ConfigParser import *
+
+# Checks if log4py is present.
+try:
+	import log4py
+except:
+	print "log4py is needed (see README)"
+	sys.exit(-1)
+
+# Appends our own modules path
+sys.path.append('/usr/lib/fail2ban')
+
+from firewall.iptables import Iptables
+from firewall.ipfw import Ipfw
+from firewall.ipfwadm import Ipfwadm
+from logreader.logreader import LogReader
+from confreader.configreader import ConfigReader
+from version import version
+
+def usage():
+	print "Usage: fail2ban.py [OPTIONS]"
+	print
+	print "Fail2Ban v"+version+" reads log file that contains password failure report"
+	print "and bans the corresponding IP address using iptables."
+	print
+	print "  -b         start fail2ban in background"
+	print "  -d         start fail2ban in debug mode"
+	print "  -e <INTF>  ban IP on the INTF interface"
+	print "  -c <FILE>  read configuration file FILE"
+	print "  -p <FILE>  create PID lock in FILE"
+	print "  -h         display this help message"
+	print "  -i <IP(s)> IP(s) to ignore"
+	print "  -k         kill a currently running Fail2Ban instance"
+	print "  -l <FILE>  log message in FILE"
+	print "  -r <VALUE> allow a max of VALUE password failure"
+	print "  -t <TIME>  ban IP for TIME seconds"
+	print "  -v         verbose. Use twice for greater effect"
+	print "  -w <FIWA>  select the firewall to use. Can be iptables,"
+	print "             ipfwadm or ipfw"
+	print
+	print "Report bugs to <lostcontrol@users.sourceforge.net>"
+	sys.exit(0)
+
+def checkForRoot():
+	""" Check for root user.
+	"""
+	uid = `os.getuid()`
+	if uid == '0':
+		return True
+	else:
+		return False
+
+def createDaemon():
+	"""Detach a process from the controlling terminal and run it in the
+	background as a daemon.
+	
+	http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/278731
+	"""
+
+	try:
+		# Fork a child process so the parent can exit.  This will return control
+		# to the command line or shell.  This is required so that the new process
+		# is guaranteed not to be a process group leader.  We have this guarantee
+		# because the process GID of the parent is inherited by the child, but
+		# the child gets a new PID, making it impossible for its PID to equal its
+		# PGID.
+		pid = os.fork()
+	except OSError, e:
+		return((e.errno, e.strerror))	 # ERROR (return a tuple)
+
+	if (pid == 0):	   # The first child.
+
+		# Next we call os.setsid() to become the session leader of this new
+		# session.  The process also becomes the process group leader of the
+		# new process group.  Since a controlling terminal is associated with a
+		# session, and this new session has not yet acquired a controlling
+		# terminal our process now has no controlling terminal.  This shouldn't
+		# fail, since we're guaranteed that the child is not a process group
+		# leader.
+		os.setsid()
+	
+		# When the first child terminates, all processes in the second child
+		# are sent a SIGHUP, so it's ignored.
+		signal.signal(signal.SIGHUP, signal.SIG_IGN)
+	
+		try:
+			# Fork a second child to prevent zombies.  Since the first child is
+			# a session leader without a controlling terminal, it's possible for
+			# it to acquire one by opening a terminal in the future.  This second
+			# fork guarantees that the child is no longer a session leader, thus
+			# preventing the daemon from ever acquiring a controlling terminal.
+			pid = os.fork()		# Fork a second child.
+		except OSError, e:
+			return((e.errno, e.strerror))  # ERROR (return a tuple)
+	
+		if (pid == 0):	  # The second child.
+			# Ensure that the daemon doesn't keep any directory in use.  Failure
+			# to do this could make a filesystem unmountable.
+			os.chdir("/")
+			# Give the child complete control over permissions.
+			os.umask(0)
+		else:
+			os._exit(0)	  # Exit parent (the first child) of the second child.
+	else:
+		os._exit(0)		 # Exit parent of the first child.
+
+	# Close all open files.  Try the system configuration variable, SC_OPEN_MAX,
+	# for the maximum number of open files to close.  If it doesn't exist, use
+	# the default value (configurable).
+	try:
+		maxfd = os.sysconf("SC_OPEN_MAX")
+	except (AttributeError, ValueError):
+		maxfd = 256	   # default maximum
+
+	for fd in range(0, maxfd):
+		try:
+			os.close(fd)
+		except OSError:   # ERROR (ignore)
+			pass
+
+	# Redirect the standard file descriptors to /dev/null.
+   	os.open("/dev/null", os.O_RDONLY)	# standard input (0)
+	os.open("/dev/null", os.O_RDWR)		# standard output (1)
+	os.open("/dev/null", os.O_RDWR)		# standard error (2)
+
+	return True
+
+def sigTERMhandler(signum, frame):
+	""" Handles the TERM signal when in daemon mode in order to
+		exit properly.
+	"""
+	logSys.debug("Signal handler called with sig "+`signum`)
+	killApp()
+
+def killApp():
+	""" Flush the ban list, remove the PID lock file and exit
+		nicely.
+	"""
+	logSys.warn("Restoring firewall rules...")
+	fireWall.flushBanList(conf["debug"])
+	removePID(conf["pidlock"])
+	logSys.info("Exiting...")
+	sys.exit(0)
+	
+def checkForPID(lockfile):
+	""" Checks for running Fail2Ban.
+	
+		Returns the current PID if Fail2Ban is running or False
+		if no instance found.
+	"""
+	try:
+		fileHandler = open(lockfile)
+		pid = fileHandler.readline()
+		return pid
+	except IOError:
+		return False
+		
+def createPID(lockfile):
+	""" Creates a PID lock file with the current PID.
+	"""
+	fileHandler = open(lockfile, mode='w')
+	pid = os.getpid()
+	fileHandler.write(`pid`+'\n')
+	fileHandler.close()
+	logSys.debug("Created PID lock ("+`pid`+") in "+lockfile)
+		
+def removePID(lockfile):
+	""" Remove PID lock.
+	"""
+	os.remove(lockfile)
+	logSys.debug("Removed PID lock "+lockfile)
+
+def killPID(pid):
+	""" Kills the process with the given PID using the
+		INT signal (same effect as <ctrl>+<c>).
+	"""
+	try:
+		return os.kill(pid, 2)
+	except OSError:
+		logSys.error("Can not kill process " + `pid` + ". Please check that " +
+					"Fail2Ban is not running and remove the file " +
+					"'/tmp/fail2ban.pid'")
+
+if __name__ == "__main__":
+	
+	# Gets an instance of log4py.
+	logSys = log4py.Logger().get_instance()
+	logSys.set_formatstring("%T %L %M")
+	
+	conf = dict()
+	conf["verbose"] = 0
+	conf["background"] = False
+	conf["debug"] = False
+	conf["conffile"] = "/etc/fail2ban.conf"
+	conf["pidlock"] = "/var/run/fail2ban.pid"
+	conf["logging"] = False
+	conf["logfile"] = "/var/log/fail2ban.log"
+	conf["maxretry"] = 3
+	conf["bantime"] = 600
+	conf["ignoreip"] = ''
+	conf["interface"] = "eth0"
+	conf["firewall"] = "iptables"
+	conf["ipfw-start-rule"] = 0
+	conf["polltime"] = 1
+	
+	# Reads the command line options.
+	try:
+		optList, args = getopt.getopt(sys.argv[1:], 'hvbdkc:l:t:i:r:e:w:p:')
+	except getopt.GetoptError:
+		usage()
+	
+	# Pre-parsing of command line options for the -c option
+	for opt in optList:
+		if opt[0] == "-c":
+			conf["conffile"] = opt[1]
+	
+	# Config file
+	configParser = SafeConfigParser()
+	configParser.read(conf["conffile"])
+	
+	# background
+	try:
+		conf["background"] = configParser.getboolean("DEFAULT", "background")
+	except ValueError:
+		logSys.warn("background option should be a boolean")
+		logSys.warn("Using default value")
+	except NoOptionError:
+		logSys.warn("background option not in config file")
+		logSys.warn("Using default value")
+
+	# debug
+	try:
+		conf["debug"] = configParser.getboolean("DEFAULT", "debug")
+	except ValueError:
+		logSys.warn("debug option should be a boolean")
+		logSys.warn("Using default value")
+	except NoOptionError:
+		logSys.warn("debug option not in config file")
+		logSys.warn("Using default value")
+
+	# logfile
+	try:
+		conf["logfile"] = configParser.get("DEFAULT", "logfile")
+	except ValueError:
+		logSys.warn("logfile option should be a string")
+		logSys.warn("Using default value")
+	except NoOptionError:
+		logSys.warn("logfile option not in config file")
+		logSys.warn("Using default value")
+		
+	# pidlock
+	try:
+		conf["pidlock"] = configParser.get("DEFAULT", "pidlock")
+	except ValueError:
+		logSys.warn("pidlock option should be a string")
+		logSys.warn("Using default value")
+	except NoOptionError:
+		logSys.warn("pidlock option not in config file")
+		logSys.warn("Using default value")
+		
+	# maxretry
+	try:
+		conf["maxretry"] = configParser.getint("DEFAULT", "maxretry")
+	except ValueError:
+		logSys.warn("maxretry option should be an integer")
+		logSys.warn("Using default value")
+	except NoOptionError:
+		logSys.warn("maxretry option not in config file")
+		logSys.warn("Using default value")
+
+	# bantime
+	try:
+		conf["bantime"] = configParser.getint("DEFAULT", "bantime")
+	except ValueError:
+		logSys.warn("bantime option should be an integer")
+		logSys.warn("Using default value")
+	except NoOptionError:
+		logSys.warn("bantime option not in config file")
+		logSys.warn("Using default value")
+
+	# ignoreip
+	try:
+		conf["ignoreip"] = configParser.get("DEFAULT", "ignoreip")
+	except ValueError:
+		logSys.warn("ignoreip option should be a string")
+		logSys.warn("Using default value")
+	except NoOptionError:
+		logSys.warn("ignoreip option not in config file")
+		logSys.warn("Using default value")
+		
+	# interface
+	try:
+		conf["interface"] = configParser.get("DEFAULT", "interface")
+	except ValueError:
+		logSys.warn("interface option should be a string")
+		logSys.warn("Using default value")
+	except NoOptionError:
+		logSys.warn("interface option not in config file")
+		logSys.warn("Using default value")
+		
+	# firewall
+	try:
+		conf["firewall"] = configParser.get("DEFAULT", "firewall")
+	except ValueError:
+		logSys.warn("firewall option should be a string")
+		logSys.warn("Using default value")
+	except NoOptionError:
+		logSys.warn("firewall option not in config file")
+		logSys.warn("Using default value")
+	
+	# ipfw-start-rule
+	try:
+		conf["ipfw-start-rule"] = configParser.getint("DEFAULT",
+													"ipfw-start-rule")
+	except ValueError:
+		logSys.warn("ipfw-start-rule option should be an integer")
+		logSys.warn("Using default value")
+	except NoOptionError:
+		logSys.warn("ipfw-start-rule option not in config file")
+		logSys.warn("Using default value")
+
+	# polltime
+	try:
+		conf["polltime"] = configParser.getint("DEFAULT", "polltime")
+	except ValueError:
+		logSys.warn("polltime option should be an integer")
+		logSys.warn("Using default value")
+	except NoOptionError:
+		logSys.warn("polltime option not in config file")
+		logSys.warn("Using default value")
+	
+	for opt in optList:
+		if opt[0] == "-h":
+			usage()
+		if opt[0] == "-v":
+			conf["verbose"] = conf["verbose"] + 1
+		if opt[0] == "-b":
+			conf["background"] = True
+		if opt[0] == "-d":
+			conf["debug"] = True
+		if opt[0] == "-e":
+			conf["interface"] = opt[1]
+		if opt[0] == "-l":
+			conf["logging"] = True
+			conf["logfile"] = opt[1]
+		if opt[0] == "-t":
+			try:
+				conf["bantime"] = int(opt[1])
+			except ValueError:
+				logSys.warn("banTime must be an integer")
+				logSys.warn("Using default value")
+		if opt[0] == "-i":
+			conf["ignoreip"] = opt[1]
+		if opt[0] == "-r":
+			conf["retrymax"] = int(opt[1])
+		if opt[0] == "-w":
+			conf["firewall"] = opt[1]
+		if opt[0] == "-p":
+			conf["pidlock"] = opt[1]
+		if opt[0] == "-k":
+			pid = checkForPID(conf["pidlock"])
+			if pid:
+				killPID(int(pid))
+				logSys.warn("Killed Fail2Ban with PID "+pid)
+				sys.exit(0)
+			else:
+				logSys.error("No running Fail2Ban found")
+				sys.exit(-1)
+
+	# Process some options
+	for c in conf:
+		if c == "verbose":
+			logSys.warn("Verbose level is "+`conf[c]`)
+			if conf[c] == 1:
+				logSys.set_loglevel(log4py.LOGLEVEL_VERBOSE)
+			elif conf[c] > 1:
+				logSys.set_loglevel(log4py.LOGLEVEL_DEBUG)
+		elif c == "debug" and conf[c]:
+			logSys.set_loglevel(log4py.LOGLEVEL_DEBUG)
+			logSys.set_formatstring(log4py.FMT_DEBUG)
+		elif c == "background" and conf[c]:
+			retCode = createDaemon()
+			signal.signal(signal.SIGTERM, sigTERMhandler)
+			logSys.set_target(conf["logfile"])
+			if not retCode:
+				logSys.error("Unable to start daemon")
+				sys.exit(-1)
+		elif c == "logging" and conf[c]:
+			try:
+				open(conf["logfile"], "a")
+				logSys.set_target(conf["logfile"])
+			except IOError:
+				logSys.warn("Unable to log to "+conf["logfile"])
+				logSys.warn("Using default output for logging")
+		elif c == "ignoreip":
+			ignoreIPList = conf[c].split(' ')
+		elif c == "firewall":
+			conf[c] = string.lower(conf[c])
+			if conf[c] == "ipfw":
+				fireWallName = "Ipfw"
+			elif conf[c] == "ipfwadm":
+				fireWallName = "Ipfwadm"
+			else:
+				fireWallName = "Iptables"
+	
+	# Checks for root user. This is necessary because log files
+	# are owned by root and firewall needs root access.
+	if not checkForRoot():
+		logSys.error("You must be root")
+		if not conf["debug"]:
+			sys.exit(-1)
+			
+	# Checks that no instance of Fail2Ban is currently running.
+	pid = checkForPID(conf["pidlock"])
+	if pid:
+		logSys.error("Fail2Ban already running with PID "+pid)
+		sys.exit(-1)
+	else:
+		createPID(conf["pidlock"])
+	
+	logSys.debug("ConfFile is "+conf["conffile"])
+	logSys.debug("BanTime is "+`conf["bantime"]`)
+	logSys.debug("retryAllowed is "+`conf["maxretry"]`)
+	
+	# Reads the config file and create a LogReader instance for
+	# each log file to check.
+	confReader = ConfigReader(logSys, conf["conffile"]);
+	confReader.openConf()
+	logList = list()
+	for t in confReader.getSections():
+		l = confReader.getLogOptions(t)
+		if l["enabled"]:
+			lObj = LogReader(logSys, l["logfile"], l["timeregex"],
+							l["timepattern"], l["failregex"], conf["bantime"])
+			lObj.setName(t)
+			logList.append(lObj)
+	
+	# Creates one instance of Iptables (thanks to Pyhton dynamic
+	# features).
+	fireWallObj = eval(fireWallName)
+	fireWall = fireWallObj(conf["bantime"], logSys, conf["interface"])
+	
+	# IPFW needs rules number. The configuration option "ipfw-start-rule"
+	# defines the first rule number used by Fail2Ban.
+	if fireWallName == "Ipfw":
+		fireWall.setCrtRuleNbr(conf["ipfw-start-rule"])
+	
+	# We add 127.0.0.1 to the ignore list has we do not want
+	# to be ban ourself.
+	for element in logList:
+		element.addIgnoreIP("127.0.0.1")
+	while len(ignoreIPList) > 0:
+		ip = ignoreIPList.pop()
+		for element in logList:
+			element.addIgnoreIP(ip)
+	
+	logSys.info("Fail2Ban v"+version+" is running")
+	failListFull = dict()
+	# Main loop
+	while True:
+		try:
+			sys.stdout.flush()
+			sys.stderr.flush()
+			
+			# Checks if some IP have to be remove from ban
+			# list.
+			fireWall.checkForUnBan(conf["debug"])
+			
+			# If the log file has not been modified since the
+			# last time, we sleep for 1 second. This is active
+			# polling so not very effective.
+			modList = list()
+			for element in logList:
+				if element.isModified():
+					modList.append(element)
+			
+			if len(modList) == 0:
+				time.sleep(conf["polltime"])
+				continue
+			
+			# Gets the failure list from the log file. For a given IP,
+			# takes only the service which has the most password failures.
+			failList = dict()
+			for element in modList:
+				e = element.getFailures()
+				for key in e.iterkeys():
+					if failList.has_key(key):
+						if failList[key][0] < e[key][0]:
+							failList[key] = (e[key][0], e[key][1], element)
+					else:
+						failList[key] = (e[key][0], e[key][1], element)
+				
+			# Add the last log failures to the global failure list.
+			for key in failList.iterkeys():
+				if failListFull.has_key(key):
+					failListFull[key] = (failListFull[key][0] + 1,
+										failList[key][1], failList[key][2])
+				else:
+					failListFull[key] = failList[key]
+			
+			# Remove the oldest failure attempts from the global list.
+			unixTime = time.time()
+			failListFullTemp = failListFull.copy()
+			for key in failListFullTemp.iterkeys():
+				failTime = failListFullTemp[key][2].getFindTime()
+				if failListFullTemp[key][1] < unixTime - failTime:
+					del failListFull[key]
+			
+			# We iterate the failure list and ban IP that make
+			# *retryAllowed* login failures.
+			failListFullTemp = failListFull.copy()
+			for key in failListFullTemp.iterkeys():
+				element = failListFullTemp[key]
+				if element[0] >= conf["maxretry"]:
+					logSys.info(element[2].getName()+": "+key+" has "+
+								`element[0]`+" login failure(s). Banned.")
+					fireWall.addBanIP(key, conf["debug"])
+					del failListFull[key]
+			
+		except KeyboardInterrupt:
+			# When the user press <ctrl>+<c> we exit nicely.
+			killApp()

firewall/firewall.py

@@ -0,0 +1,98 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+# Author: Cyril Jaquier
+# 
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+import time, os
+
+class Firewall:
+	""" Manages the ban list and executes the command that ban
+		the IP.
+	"""
+	
+	banList = dict()
+	
+	def __init__(self, banTime, logSys, interface):
+		self.banTime = banTime
+		self.logSys = logSys
+		self.interface = interface
+	
+	def addBanIP(self, ip, debug):
+		""" Bans an IP.
+		"""
+		if not self.inBanList(ip):
+			self.logSys.warn("Ban "+ip)
+			self.banList[ip] = time.time()
+			self.__executeCmd(self.banIP(ip), debug)
+		else:
+			self.logSys.error(ip+" already in ban list")
+	
+	def delBanIP(self, ip, debug):
+		""" Unban an IP.
+		"""
+		if self.inBanList(ip):
+			self.logSys.warn("Unban "+ip)
+			del self.banList[ip]
+			self.__executeCmd(self.unBanIP(ip), debug)
+		else:
+			self.logSys.error(ip+" not in ban list")
+	
+	def inBanList(self, ip):
+		""" Checks if IP is in ban list.
+		"""
+		return self.banList.has_key(ip)
+	
+	def checkForUnBan(self, debug):
+		""" Check for IP to remove from ban list.
+		"""
+		banListTemp = self.banList.copy()
+		for element in banListTemp.iteritems():
+			ip = element[0]
+			btime = element[1]
+			if btime < time.time()-self.banTime:
+				self.delBanIP(ip, debug)
+	
+	def flushBanList(self, debug):
+		""" Flushes the ban list and of course the firewall rules.
+			Called when fail2ban exits.
+		"""
+		banListTemp = self.banList.copy()
+		for element in banListTemp.iteritems():
+			ip = element[0]
+			self.delBanIP(ip, debug)
+	
+	def __executeCmd(self, cmd, debug):
+		""" Executes an OS command.
+		"""
+		self.logSys.debug(cmd)
+		if not debug:
+			return os.system(cmd)
+		else:
+			return None
+		
+	def viewBanList(self):
+		""" Prints the ban list on screen. Usefull for debugging.
+		"""
+		for element in self.banList.iteritems():
+			print element

firewall/ipfw.py

@@ -0,0 +1,72 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+# Author: Cyril Jaquier
+# 
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+import os
+
+from firewall import Firewall
+
+class Ipfw(Firewall):
+	""" This class contains specific methods and variables for the
+		iptables firewall. Must implements the 'abstracts' methods
+		banIP(ip) and unBanIP(ip).
+		
+		Must adds abstract methods definition:
+		http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/266468
+	"""
+	
+	crtRuleNbr = 0
+	
+	def getCrtRuleNbr(self):
+		""" Gets the current rule number.
+		"""
+		return self.crtRuleNbr
+		
+	def setCrtRuleNbr(self, value):
+		""" Sets the current rule number.
+		"""
+		self.crtRuleNbr = value
+	
+	def banIP(self, ip):
+		""" Returns query to ban IP.
+		"""
+		query = "ipfw -q add "+`self.crtRuleNbr`+" deny ip from "+ip+" to any"
+		self.crtRuleNbr = self.crtRuleNbr + 1
+		return query
+	
+	def unBanIP(self, ip):
+		""" Returns query to unban IP.
+		"""
+		ruleNbr = str(self.__findRuleNumber(ip))
+		query = "ipfw -q delete "+ruleNbr
+		return query
+		
+	def __findRuleNumber(self, ip):
+		""" Uses shell commands in order to find the rule
+			number we want to delete.
+		"""
+		output = os.popen("ipfw list|grep \"from "+ip+" to\"|awk '{print $1}'",
+						  "r");
+		return output.read()

firewall/ipfwadm.py

@@ -0,0 +1,48 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+# Author: Cyril Jaquier
+# 
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+from firewall import Firewall
+
+class Ipfwadm(Firewall):
+	""" This class contains specific methods and variables for the
+		iptables firewall. Must implements the 'abstracts' methods
+		banIP(ip) and unBanIP(ip).
+		
+		Must adds abstract methods definition:
+		http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/266468
+	"""
+	
+	def banIP(self, ip):
+		""" Returns query to ban IP.
+		"""
+		query = "ipfwadm -I -a deny -W "+self.interface+" -S "+ip
+		return query
+	
+	def unBanIP(self, ip):
+		""" Returns query to unban IP.
+		"""
+		query = "ipfwadm -I -d deny -W "+self.interface+" -S "+ip
+		return query

firewall/iptables.py

@@ -0,0 +1,48 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+# Author: Cyril Jaquier
+# 
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+from firewall import Firewall
+
+class Iptables(Firewall):
+	""" This class contains specific methods and variables for the
+		iptables firewall. Must implements the 'abstracts' methods
+		banIP(ip) and unBanIP(ip).
+		
+		Must adds abstract methods definition:
+		http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/266468
+	"""
+	
+	def banIP(self, ip):
+		""" Returns query to ban IP.
+		"""
+		query = "iptables -I INPUT 1 -i "+self.interface+" -s "+ip+" -j DROP"
+		return query
+	
+	def unBanIP(self, ip):
+		""" Returns query to unban IP.
+		"""
+		query = "iptables -D INPUT -i "+self.interface+" -s "+ip+" -j DROP"
+		return query

log-test/apache

@@ -0,0 +1,102 @@
+[Mon Jan 03 05:02:15 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/msadc
+[Mon Jan 03 05:02:20 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/msadc
+[Mon Jan 03 05:02:20 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/msadc
+[Mon Jan 03 05:02:21 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/msadc
+[Mon Jan 03 05:02:22 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/msadc
+[Mon Jan 03 05:02:22 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/msadc
+[Mon Jan 03 05:02:22 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/msadc
+[Mon Jan 03 05:02:22 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/\xe0
+[Mon Jan 03 05:02:23 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/msdac
+[Mon Jan 03 05:02:23 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/msdac
+[Mon Jan 03 05:02:24 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/PBServer
+[Mon Jan 03 05:02:24 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/PBServer
+[Mon Jan 03 05:02:27 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/Rpc
+[Mon Jan 03 05:02:27 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/Rpc
+[Mon Jan 03 05:02:27 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/samples
+[Mon Jan 03 05:02:27 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/samples
+[Mon Jan 03 05:02:28 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/scripts..\xc1\x9c..
+[Mon Jan 03 05:02:28 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/scripts
+[Mon Jan 03 05:02:28 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/scripts
+[Mon Jan 03 05:02:28 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/scripts
+[Mon Jan 03 05:02:32 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/scripts
+[Mon Jan 03 05:02:32 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/scripts
+[Mon Jan 03 05:02:33 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/scripts
+[Mon Jan 03 05:02:33 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/scripts
+[Mon Jan 03 05:02:33 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/scripts
+[Mon Jan 03 05:02:34 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/scripts
+[Mon Jan 03 05:02:34 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/scripts
+[Mon Jan 03 05:02:38 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/scripts
+[Mon Jan 03 05:02:38 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/scripts
+[Mon Jan 03 05:02:38 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/scripts
+[Mon Jan 03 05:02:38 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/scripts
+[Mon Jan 03 05:02:39 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/scripts
+[Mon Jan 03 05:02:39 2005] [error] [client 81.83.248.17] File does not exist: /var/www/jaquier.dyndns.org/htdocs/scripts
+[Mon Jan 03 11:08:29 2005] [error] [client 128.178.150.127] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Mon Jan 03 20:08:52 2005] [error] [client 83.76.202.195] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Tue Jan 04 15:19:50 2005] [error] [client 213.221.138.70] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Tue Jan 04 15:19:55 2005] [error] [client 213.221.138.70] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Tue Jan 04 15:20:01 2005] [error] [client 213.221.138.70] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Tue Jan 04 15:20:05 2005] [error] [client 213.221.138.70] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Tue Jan 04 15:20:08 2005] [error] [client 213.221.138.70] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Tue Jan 04 15:20:12 2005] [error] [client 213.221.138.70] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Tue Jan 04 15:20:16 2005] [error] [client 213.221.138.70] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Tue Jan 04 15:20:22 2005] [error] [client 213.221.138.70] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Tue Jan 04 15:20:26 2005] [error] [client 213.221.138.70] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Tue Jan 04 15:20:28 2005] [error] [client 213.221.138.70] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Tue Jan 04 15:20:38 2005] [error] [client 213.221.138.70] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Tue Jan 04 20:54:59 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Tue Jan 04 20:55:04 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Tue Jan 04 20:55:29 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Tue Jan 04 21:34:29 2005] [error] [client 81.63.51.202] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Tue Jan 04 21:34:32 2005] [error] [client 81.63.51.202] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 00:17:41 2005] [error] [client 217.251.126.37] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 00:18:03 2005] [error] [client 217.251.126.37] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 00:18:12 2005] [error] [client 217.251.126.37] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 01:24:38 2005] [error] [client 81.63.51.202] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 01:24:40 2005] [error] [client 81.63.51.202] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 01:24:46 2005] [error] [client 81.63.51.202] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 01:24:48 2005] [error] [client 81.63.51.202] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 01:25:58 2005] [error] [client 81.63.51.202] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 01:26:34 2005] [error] [client 81.63.51.202] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 01:26:37 2005] [error] [client 81.63.51.202] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 10:13:02 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 10:13:07 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 10:13:10 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 10:17:07 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 14:41:40 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 14:41:45 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 14:41:47 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 14:41:51 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 14:55:30 2005] [error] [client 212.101.4.200] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:03:44 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:03:48 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:03:52 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:03:57 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:06:45 2005] [error] [client 212.101.4.200] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Mar 05 15:07:28 2005] [error] [client 192.168.0.128] user cyril: authentication failure for "/phpinfo": Password Mismatch
+[Wed Jan 05 15:08:01 2005] [error] [client 192.168.0.128] user  not found: /phpinfo
+[Wed Jan 05 15:10:45 2005] [crit] [client 192.168.0.128] (13)Permission denied: /var/www/jaquier.dyndns.org/htdocs/css/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable, referer: http://earth/phpinfo
+[Wed Jan 05 15:10:45 2005] [crit] [client 192.168.0.128] (13)Permission denied: /var/www/jaquier.dyndns.org/htdocs/images/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable, referer: http://earth/phpinfo
+[Wed Jan 05 15:10:45 2005] [error] [client 192.168.0.128] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:11:09 2005] [error] [client 192.168.0.128] user test not found: /phpinfo
+[Wed Jan 05 15:11:10 2005] [error] [client 192.168.0.128] user test not found: /phpinfo
+[Wed Jan 06 15:11:11 2005] [error] [client 192.168.0.128] user test not found: /phpinfo
+[Wed Jan 06 15:11:13 2005] [error] [client 192.168.0.128] user test not found: /phpinfo
+[Wed Jan 06 15:11:14 2005] [error] [client 192.168.0.128] user test not found: /phpinfo
+[Wed Jan 05 15:11:15 2005] [crit] [client 192.168.0.128] (13)Permission denied: /var/www/jaquier.dyndns.org/htdocs/css/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable, referer: http://earth/phpinfo
+[Wed Jan 05 15:11:15 2005] [crit] [client 192.168.0.128] (13)Permission denied: /var/www/jaquier.dyndns.org/htdocs/images/.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable, referer: http://earth/phpinfo
+[Wed Jan 05 15:11:15 2005] [error] [client 192.168.0.128] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:12:32 2005] [error] [client 212.101.4.200] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:13:48 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:13:51 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:13:52 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:13:52 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:13:54 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:13:56 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:13:59 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:14:20 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:14:24 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:14:29 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Jan 05 15:14:34 2005] [error] [client 192.168.0.129] File does not exist: /var/www/jaquier.dyndns.org/htdocs/favicon.ico
+[Wed Mar 05 15:08:28 2005] [error] [client 192.168.0.128] user cyril: authentication failure for "/phpinfo": Password Mismatch
+[Wed Mar 05 15:09:28 2005] [error] [client 192.168.0.128] user cyril: authentication failure for "/phpinfo": Password Mismatch

log-test/current

@@ -0,0 +1,5 @@
+Jan  7 17:53:15 [sshd] (pam_unix) 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.220.137.36  user=kevin
+Jan  7 17:53:26 [sshd] (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=62.220.137.36  user=kevin
+Mar  7 17:53:28 [sshd] error: PAM: Authentication failure for kevin from 62.220.137.36
+Mar  7 17:55:28 [sshd] error: PAM: Authentication failure for kevin from 62.220.137.36
+Mar  7 17:57:28 [sshd] error: PAM: Authentication failure for kevin from 62.220.137.36

log-test/test

@@ -0,0 +1,432 @@
+Sep 28 13:18:43 [sshd] Failed password for illegal user test from 211.112.229.69 port 59506 ssh2
+Sep 28 13:18:45 [sshd] Failed password for illegal user guest from 211.112.229.69 port 59584 ssh2
+Sep 28 13:18:48 [sshd] Failed password for illegal user admin from 211.112.229.69 port 59668 ssh2
+Sep 28 13:18:51 [sshd] Failed password for illegal user admin from 211.112.229.69 port 59746 ssh2
+Sep 28 13:18:54 [sshd] Failed password for illegal user user from 211.112.229.69 port 59809 ssh2
+Sep 28 13:18:57 [sshd] Failed password for illegal user root from 211.112.229.69 port 59881 ssh2
+Sep 28 13:19:00 [sshd] Failed password for illegal user root from 211.112.229.69 port 59944 ssh2
+Sep 28 13:19:03 [sshd] Failed password for illegal user root from 211.112.229.69 port 59999 ssh2
+Sep 28 13:19:06 [sshd] Failed password for illegal user test from 211.112.229.69 port 60055 ssh2
+Sep 28 21:05:25 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.128.local.home  user=cyril
+Sep 28 21:05:27 [sshd] error: PAM: Authentication failure for cyril from 192.168.0.128.local.home
+Sep 29 03:45:18 [sshd] Failed password for illegal user nobody from 203.198.168.66 port 55927 ssh2
+Sep 29 03:45:21 [sshd] Failed password for illegal user patrick from 203.198.168.66 port 55973 ssh2
+Sep 29 03:45:23 [sshd] Failed password for illegal user patrick from 203.198.168.66 port 56010 ssh2
+Sep 29 03:45:26 [sshd] Failed password for illegal user root from 203.198.168.66 port 56060 ssh2
+Sep 29 03:45:29 [sshd] Failed password for illegal user root from 203.198.168.66 port 56107 ssh2
+Sep 29 03:45:32 [sshd] Failed password for illegal user root from 203.198.168.66 port 56152 ssh2
+Sep 29 03:45:34 [sshd] Failed password for illegal user root from 203.198.168.66 port 56200 ssh2
+Sep 29 03:45:37 [sshd] Failed password for illegal user root from 203.198.168.66 port 56243 ssh2
+Sep 29 03:45:40 [sshd] Failed password for illegal user rolo from 203.198.168.66 port 56288 ssh2
+Sep 29 03:45:43 [sshd] Failed password for illegal user iceuser from 203.198.168.66 port 56333 ssh2
+Sep 29 03:45:46 [sshd] Failed password for illegal user horde from 203.198.168.66 port 56379 ssh2
+Sep 29 03:45:48 [sshd] Failed password for illegal user cyrus from 203.198.168.66 port 56425 ssh2
+Sep 29 03:45:52 [sshd] Failed password for illegal user www from 203.198.168.66 port 56470 ssh2
+Sep 29 03:45:55 [sshd] Failed password for illegal user wwwrun from 203.198.168.66 port 56534 ssh2
+Sep 29 03:45:58 [sshd] Failed password for illegal user matt from 203.198.168.66 port 56572 ssh2
+Sep 29 03:46:01 [sshd] Failed password for illegal user test from 203.198.168.66 port 56616 ssh2
+Sep 29 03:46:03 [sshd] Failed password for illegal user test from 203.198.168.66 port 56660 ssh2
+Sep 29 03:46:06 [sshd] Failed password for illegal user test from 203.198.168.66 port 56704 ssh2
+Sep 29 03:46:09 [sshd] Failed password for illegal user test from 203.198.168.66 port 56752 ssh2
+Sep 29 03:46:12 [sshd] Failed password for illegal user www-data from 203.198.168.66 port 56795 ssh2
+Sep 29 03:46:15 [sshd] Failed password for illegal user mysql from 203.198.168.66 port 56839 ssh2
+Sep 29 03:46:17 [sshd] Failed password for illegal user operator from 203.198.168.66 port 56882 ssh2
+Sep 29 03:46:20 [sshd] Failed password for illegal user adm from 203.198.168.66 port 56929 ssh2
+Sep 29 03:46:23 [sshd] Failed password for illegal user apache from 203.198.168.66 port 56971 ssh2
+Sep 29 03:46:26 [sshd] Failed password for illegal user irc from 203.198.168.66 port 57011 ssh2
+Sep 29 03:46:29 [sshd] Failed password for illegal user irc from 203.198.168.66 port 57060 ssh2
+Sep 29 03:46:31 [sshd] Failed password for illegal user adm from 203.198.168.66 port 57100 ssh2
+Sep 29 03:46:34 [sshd] Failed password for illegal user root from 203.198.168.66 port 57148 ssh2
+Sep 29 03:46:37 [sshd] Failed password for illegal user root from 203.198.168.66 port 57194 ssh2
+Sep 29 03:46:40 [sshd] Failed password for illegal user root from 203.198.168.66 port 57236 ssh2
+Sep 29 03:46:43 [sshd] Failed password for illegal user jane from 203.198.168.66 port 57281 ssh2
+Sep 29 03:46:45 [sshd] Failed password for illegal user pamela from 203.198.168.66 port 57328 ssh2
+Sep 29 03:46:48 [sshd] Failed password for illegal user root from 203.198.168.66 port 57372 ssh2
+Sep 29 03:46:51 [sshd] Failed password for illegal user root from 203.198.168.66 port 57418 ssh2
+Sep 29 03:46:54 [sshd] Failed password for illegal user root from 203.198.168.66 port 57463 ssh2
+Sep 29 03:46:57 [sshd] Failed password for illegal user root from 203.198.168.66 port 57506 ssh2
+Sep 29 03:46:59 [sshd] Failed password for illegal user root from 203.198.168.66 port 57549 ssh2
+Sep 29 03:47:02 [sshd] Failed password for illegal user cosmin from 203.198.168.66 port 57594 ssh2
+Sep 29 03:47:05 [sshd] Failed password for illegal user root from 203.198.168.66 port 57637 ssh2
+Sep 29 03:47:08 [sshd] Failed password for illegal user root from 203.198.168.66 port 57689 ssh2
+Sep 29 03:47:11 [sshd] Failed password for illegal user root from 203.198.168.66 port 57730 ssh2
+Sep 29 03:47:13 [sshd] Failed password for illegal user root from 203.198.168.66 port 57774 ssh2
+Sep 29 03:47:16 [sshd] Failed password for illegal user root from 203.198.168.66 port 57820 ssh2
+Sep 29 03:47:19 [sshd] Failed password for illegal user root from 203.198.168.66 port 57866 ssh2
+Sep 29 03:47:22 [sshd] Failed password for illegal user root from 203.198.168.66 port 57901 ssh2
+Sep 29 03:47:25 [sshd] Failed password for illegal user root from 203.198.168.66 port 57944 ssh2
+Sep 29 03:47:27 [sshd] Failed password for illegal user root from 203.198.168.66 port 57990 ssh2
+Sep 29 03:47:31 [sshd] Failed password for illegal user root from 203.198.168.66 port 58031 ssh2
+Sep 29 03:47:34 [sshd] Failed password for illegal user root from 203.198.168.66 port 58098 ssh2
+Sep 29 03:47:37 [sshd] Failed password for illegal user root from 203.198.168.66 port 58137 ssh2
+Sep 29 03:47:40 [sshd] Failed password for illegal user root from 203.198.168.66 port 58183 ssh2
+Sep 29 03:47:42 [sshd] Failed password for illegal user root from 203.198.168.66 port 58228 ssh2
+Sep 29 03:47:45 [sshd] Failed password for illegal user root from 203.198.168.66 port 58273 ssh2
+Sep 29 03:47:48 [sshd] Failed password for illegal user root from 203.198.168.66 port 58314 ssh2
+Sep 29 03:47:51 [sshd] Failed password for illegal user root from 203.198.168.66 port 58358 ssh2
+Sep 29 03:47:54 [sshd] Failed password for illegal user root from 203.198.168.66 port 58401 ssh2
+Sep 29 03:47:56 [sshd] Failed password for illegal user root from 203.198.168.66 port 58443 ssh2
+Sep 29 03:47:59 [sshd] Failed password for illegal user root from 203.198.168.66 port 58484 ssh2
+Sep 29 03:48:02 [sshd] Failed password for illegal user root from 203.198.168.66 port 58528 ssh2
+Sep 29 03:48:05 [sshd] Failed password for illegal user root from 203.198.168.66 port 58574 ssh2
+Sep 29 03:48:07 [sshd] Failed password for illegal user root from 203.198.168.66 port 58613 ssh2
+Sep 29 03:48:10 [sshd] Failed password for illegal user root from 203.198.168.66 port 58662 ssh2
+Sep 29 03:48:13 [sshd] Failed password for illegal user root from 203.198.168.66 port 58703 ssh2
+Sep 29 03:48:16 [sshd] Failed password for illegal user root from 203.198.168.66 port 58748 ssh2
+Sep 29 03:48:19 [sshd] Failed password for illegal user root from 203.198.168.66 port 58792 ssh2
+Sep 29 03:48:21 [sshd] Failed password for illegal user root from 203.198.168.66 port 58839 ssh2
+Sep 29 03:48:24 [sshd] Failed password for illegal user root from 203.198.168.66 port 58880 ssh2
+Sep 29 03:48:27 [sshd] Failed password for illegal user root from 203.198.168.66 port 58926 ssh2
+Sep 29 03:48:30 [sshd] Failed password for illegal user root from 203.198.168.66 port 58967 ssh2
+Sep 29 03:48:33 [sshd] Failed password for illegal user root from 203.198.168.66 port 59012 ssh2
+Sep 29 03:48:35 [sshd] Failed password for illegal user root from 203.198.168.66 port 59052 ssh2
+Sep 29 03:48:38 [sshd] Failed password for illegal user root from 203.198.168.66 port 59095 ssh2
+Sep 29 03:48:41 [sshd] Failed password for illegal user root from 203.198.168.66 port 59140 ssh2
+Sep 29 03:48:44 [sshd] Failed password for illegal user root from 203.198.168.66 port 59182 ssh2
+Sep 29 03:48:47 [sshd] Failed password for illegal user cip52 from 203.198.168.66 port 59222 ssh2
+Sep 29 03:48:49 [sshd] Failed password for illegal user cip51 from 203.198.168.66 port 59264 ssh2
+Sep 29 03:48:52 [sshd] Failed password for illegal user root from 203.198.168.66 port 59309 ssh2
+Sep 29 03:48:55 [sshd] Failed password for illegal user noc from 203.198.168.66 port 59351 ssh2
+Sep 29 03:48:58 [sshd] Failed password for illegal user root from 203.198.168.66 port 59395 ssh2
+Sep 29 03:49:01 [sshd] Failed password for illegal user root from 203.198.168.66 port 59432 ssh2
+Sep 29 03:49:04 [sshd] Failed password for illegal user root from 203.198.168.66 port 59479 ssh2
+Sep 29 03:49:07 [sshd] Failed password for illegal user root from 203.198.168.66 port 59951 ssh2
+Sep 29 03:49:11 [sshd] Failed password for illegal user webmaster from 203.198.168.66 port 60006 ssh2
+Sep 29 03:49:14 [sshd] Failed password for illegal user data from 203.198.168.66 port 60463 ssh2
+Sep 29 03:49:17 [sshd] Failed password for illegal user user from 203.198.168.66 port 60880 ssh2
+Sep 29 03:49:20 [sshd] Failed password for illegal user user from 203.198.168.66 port 60947 ssh2
+Sep 29 03:49:23 [sshd] Failed password for illegal user user from 203.198.168.66 port 33137 ssh2
+Sep 29 03:49:26 [sshd] Failed password for illegal user web from 203.198.168.66 port 33572 ssh2
+Sep 29 03:49:31 [sshd] Failed password for illegal user web from 203.198.168.66 port 33630 ssh2
+Sep 29 03:49:34 [sshd] Failed password for illegal user oracle from 203.198.168.66 port 34129 ssh2
+Sep 29 03:49:39 [sshd] Failed password for illegal user sybase from 203.198.168.66 port 34558 ssh2
+Sep 29 03:49:42 [sshd] Failed password for illegal user master from 203.198.168.66 port 35018 ssh2
+Sep 29 03:49:45 [sshd] Failed password for illegal user account from 203.198.168.66 port 35095 ssh2
+Sep 29 03:49:48 [sshd] Failed password for illegal user backup from 203.198.168.66 port 35506 ssh2
+Sep 29 03:49:51 [sshd] Failed password for illegal user server from 203.198.168.66 port 35935 ssh2
+Sep 29 03:49:54 [sshd] Failed password for illegal user adam from 203.198.168.66 port 36016 ssh2
+Sep 29 03:49:57 [sshd] Failed password for illegal user alan from 203.198.168.66 port 36399 ssh2
+Sep 29 03:49:59 [sshd] Failed password for illegal user frank from 203.198.168.66 port 36488 ssh2
+Sep 29 03:50:04 [sshd] Failed password for illegal user george from 203.198.168.66 port 36876 ssh2
+Sep 29 03:50:07 [sshd] Failed password for illegal user henry from 203.198.168.66 port 37333 ssh2
+Sep 29 03:50:11 [sshd] Failed password for illegal user john from 203.198.168.66 port 37423 ssh2
+Sep 29 03:50:14 [sshd] Failed password for illegal user root from 203.198.168.66 port 37837 ssh2
+Sep 29 03:50:16 [sshd] Failed password for illegal user root from 203.198.168.66 port 38210 ssh2
+Sep 29 03:50:19 [sshd] Failed password for illegal user root from 203.198.168.66 port 38286 ssh2
+Sep 29 03:50:22 [sshd] Failed password for illegal user root from 203.198.168.66 port 38653 ssh2
+Sep 29 03:50:26 [sshd] Failed password for illegal user root from 203.198.168.66 port 38749 ssh2
+Sep 29 03:50:29 [sshd] Failed password for illegal user test from 203.198.168.66 port 39162 ssh2
+Sep 29 10:19:26 [sshd] Failed password for illegal user test from 24.19.0.105 port 3765 ssh2
+Sep 29 10:19:32 [sshd] Failed password for illegal user guest from 24.19.0.105 port 3846 ssh2
+Sep 29 10:19:39 [sshd] Failed password for illegal user admin from 24.19.0.105 port 3929 ssh2
+Sep 29 10:19:45 [sshd] Failed password for illegal user admin from 24.19.0.105 port 3992 ssh2
+Sep 29 10:19:49 [sshd] Failed password for illegal user user from 24.19.0.105 port 4057 ssh2
+Sep 29 10:19:54 [sshd] Failed password for illegal user root from 24.19.0.105 port 4115 ssh2
+Sep 29 10:19:58 [sshd] Failed password for illegal user root from 24.19.0.105 port 4170 ssh2
+Sep 29 10:20:01 [sshd] Failed password for illegal user root from 24.19.0.105 port 4202 ssh2
+Sep 29 10:20:04 [sshd] Failed password for illegal user test from 24.19.0.105 port 4242 ssh2
+Oct  1 15:53:46 [sshd] Failed password for illegal user test from 210.51.173.75 port 40940 ssh2
+Oct  1 15:53:53 [sshd] Failed password for illegal user guest from 210.51.173.75 port 41196 ssh2
+Oct  1 15:53:59 [sshd] Failed password for illegal user admin from 210.51.173.75 port 41480 ssh2
+Oct  1 15:54:05 [sshd] Failed password for illegal user admin from 210.51.173.75 port 41738 ssh2
+Oct  1 15:54:12 [sshd] Failed password for illegal user user from 210.51.173.75 port 42036 ssh2
+Oct  1 15:54:18 [sshd] Failed password for illegal user root from 210.51.173.75 port 42393 ssh2
+Oct  1 15:54:24 [sshd] Failed password for illegal user root from 210.51.173.75 port 42721 ssh2
+Oct  1 15:54:30 [sshd] Failed password for illegal user root from 210.51.173.75 port 42984 ssh2
+Oct  1 15:54:36 [sshd] Failed password for illegal user test from 210.51.173.75 port 43299 ssh2
+Oct  2 20:24:36 [sshd] Failed password for illegal user test from 220.64.223.249 port 2460 ssh2
+Oct  2 20:24:39 [sshd] Failed password for illegal user guest from 220.64.223.249 port 2527 ssh2
+Oct  2 20:24:42 [sshd] Failed password for illegal user admin from 220.64.223.249 port 2584 ssh2
+Oct  2 20:24:45 [sshd] Failed password for illegal user admin from 220.64.223.249 port 2645 ssh2
+Oct  2 20:24:48 [sshd] Failed password for illegal user user from 220.64.223.249 port 2708 ssh2
+Oct  2 20:24:51 [sshd] Failed password for illegal user root from 220.64.223.249 port 2794 ssh2
+Oct  2 20:24:54 [sshd] Failed password for illegal user root from 220.64.223.249 port 2868 ssh2
+Oct  2 20:24:58 [sshd] Failed password for illegal user root from 220.64.223.249 port 2931 ssh2
+Oct  2 20:25:01 [sshd] Failed password for illegal user test from 220.64.223.249 port 2994 ssh2
+Oct  3 02:17:47 [sshd] Failed password for illegal user nobody from 216.65.197.170 port 54324 ssh2
+Oct  3 02:17:48 [sshd] Failed password for illegal user patrick from 216.65.197.170 port 54491 ssh2
+Oct  3 02:17:50 [sshd] Failed password for illegal user patrick from 216.65.197.170 port 54669 ssh2
+Oct  3 02:17:52 [sshd] Failed password for illegal user root from 216.65.197.170 port 54845 ssh2
+Oct  3 02:17:53 [sshd] Failed password for illegal user root from 216.65.197.170 port 55021 ssh2
+Oct  3 02:17:55 [sshd] Failed password for illegal user root from 216.65.197.170 port 55201 ssh2
+Oct  3 02:17:57 [sshd] Failed password for illegal user root from 216.65.197.170 port 55381 ssh2
+Oct  3 02:17:59 [sshd] Failed password for illegal user root from 216.65.197.170 port 55553 ssh2
+Oct  3 02:18:00 [sshd] Failed password for illegal user rolo from 216.65.197.170 port 55730 ssh2
+Oct  3 02:18:02 [sshd] Failed password for illegal user iceuser from 216.65.197.170 port 55892 ssh2
+Oct  3 02:18:04 [sshd] Failed password for illegal user horde from 216.65.197.170 port 56054 ssh2
+Oct  3 02:18:05 [sshd] Failed password for illegal user cyrus from 216.65.197.170 port 56231 ssh2
+Oct  3 02:18:07 [sshd] Failed password for illegal user www from 216.65.197.170 port 56412 ssh2
+Oct  3 02:18:09 [sshd] Failed password for illegal user wwwrun from 216.65.197.170 port 56594 ssh2
+Oct  3 02:18:11 [sshd] Failed password for illegal user matt from 216.65.197.170 port 56755 ssh2
+Oct  3 02:18:12 [sshd] Failed password for illegal user test from 216.65.197.170 port 56928 ssh2
+Oct  3 02:18:14 [sshd] Failed password for illegal user test from 216.65.197.170 port 57112 ssh2
+Oct  3 02:18:16 [sshd] Failed password for illegal user test from 216.65.197.170 port 57292 ssh2
+Oct  3 02:18:17 [sshd] Failed password for illegal user test from 216.65.197.170 port 57465 ssh2
+Oct  3 02:18:19 [sshd] Failed password for illegal user www-data from 216.65.197.170 port 57631 ssh2
+Oct  3 02:18:21 [sshd] Failed password for illegal user mysql from 216.65.197.170 port 57802 ssh2
+Oct  3 02:18:22 [sshd] Failed password for illegal user operator from 216.65.197.170 port 57989 ssh2
+Oct  3 02:18:24 [sshd] Failed password for illegal user adm from 216.65.197.170 port 58151 ssh2
+Oct  3 02:18:26 [sshd] Failed password for illegal user apache from 216.65.197.170 port 58319 ssh2
+Oct  3 02:18:28 [sshd] Failed password for illegal user irc from 216.65.197.170 port 58492 ssh2
+Oct  3 02:18:29 [sshd] Failed password for illegal user irc from 216.65.197.170 port 58662 ssh2
+Oct  3 02:18:31 [sshd] Failed password for illegal user adm from 216.65.197.170 port 58818 ssh2
+Oct  3 02:18:33 [sshd] Failed password for illegal user root from 216.65.197.170 port 58976 ssh2
+Oct  3 02:18:34 [sshd] Failed password for illegal user root from 216.65.197.170 port 59147 ssh2
+Oct  3 02:18:36 [sshd] Failed password for illegal user root from 216.65.197.170 port 59306 ssh2
+Oct  3 02:18:38 [sshd] Failed password for illegal user jane from 216.65.197.170 port 59474 ssh2
+Oct  3 02:18:40 [sshd] Failed password for illegal user pamela from 216.65.197.170 port 59644 ssh2
+Oct  3 02:18:41 [sshd] Failed password for illegal user root from 216.65.197.170 port 59797 ssh2
+Oct  3 02:18:43 [sshd] Failed password for illegal user root from 216.65.197.170 port 59963 ssh2
+Oct  3 02:18:45 [sshd] Failed password for illegal user root from 216.65.197.170 port 60139 ssh2
+Oct  3 02:18:47 [sshd] Failed password for illegal user root from 216.65.197.170 port 60308 ssh2
+Oct  3 02:18:48 [sshd] Failed password for illegal user root from 216.65.197.170 port 60479 ssh2
+Oct  3 02:18:50 [sshd] Failed password for illegal user cosmin from 216.65.197.170 port 60654 ssh2
+Oct  3 02:18:52 [sshd] Failed password for illegal user root from 216.65.197.170 port 60830 ssh2
+Oct  3 02:18:54 [sshd] Failed password for illegal user root from 216.65.197.170 port 60992 ssh2
+Oct  3 02:18:55 [sshd] Failed password for illegal user root from 216.65.197.170 port 32945 ssh2
+Oct  3 02:18:58 [sshd] Failed password for illegal user root from 216.65.197.170 port 33101 ssh2
+Oct  3 02:18:59 [sshd] Failed password for illegal user root from 216.65.197.170 port 33343 ssh2
+Oct  3 02:19:02 [sshd] Failed password for illegal user root from 216.65.197.170 port 33501 ssh2
+Oct  3 02:19:03 [sshd] Failed password for illegal user root from 216.65.197.170 port 33733 ssh2
+Oct  3 02:19:05 [sshd] Failed password for illegal user root from 216.65.197.170 port 33892 ssh2
+Oct  3 02:19:07 [sshd] Failed password for illegal user root from 216.65.197.170 port 34066 ssh2
+Oct  3 02:19:08 [sshd] Failed password for illegal user root from 216.65.197.170 port 34212 ssh2
+Oct  3 02:19:10 [sshd] Failed password for illegal user root from 216.65.197.170 port 34376 ssh2
+Oct  3 02:19:12 [sshd] Failed password for illegal user root from 216.65.197.170 port 34535 ssh2
+Oct  3 02:19:14 [sshd] Failed password for illegal user root from 216.65.197.170 port 34704 ssh2
+Oct  3 02:19:16 [sshd] Failed password for illegal user root from 216.65.197.170 port 34853 ssh2
+Oct  3 02:19:18 [sshd] Failed password for illegal user root from 216.65.197.170 port 35092 ssh2
+Oct  3 02:19:19 [sshd] Failed password for illegal user root from 216.65.197.170 port 35261 ssh2
+Oct  3 02:19:21 [sshd] Failed password for illegal user root from 216.65.197.170 port 35425 ssh2
+Oct  3 02:19:23 [sshd] Failed password for illegal user root from 216.65.197.170 port 35583 ssh2
+Oct  3 02:19:24 [sshd] Failed password for illegal user root from 216.65.197.170 port 35753 ssh2
+Oct  3 02:19:26 [sshd] Failed password for illegal user root from 216.65.197.170 port 35901 ssh2
+Oct  3 02:19:28 [sshd] Failed password for illegal user root from 216.65.197.170 port 36068 ssh2
+Oct  3 02:19:30 [sshd] Failed password for illegal user root from 216.65.197.170 port 36227 ssh2
+Oct  3 02:19:33 [sshd] Failed password for illegal user root from 216.65.197.170 port 36453 ssh2
+Oct  3 02:19:34 [sshd] Failed password for illegal user root from 216.65.197.170 port 36673 ssh2
+Oct  3 02:19:36 [sshd] Failed password for illegal user root from 216.65.197.170 port 36823 ssh2
+Oct  3 02:19:38 [sshd] Failed password for illegal user root from 216.65.197.170 port 36981 ssh2
+Oct  3 02:19:39 [sshd] Failed password for illegal user root from 216.65.197.170 port 37152 ssh2
+Oct  3 02:19:41 [sshd] Failed password for illegal user root from 216.65.197.170 port 37310 ssh2
+Oct  3 02:19:43 [sshd] Failed password for illegal user root from 216.65.197.170 port 37484 ssh2
+Oct  3 02:19:45 [sshd] Failed password for illegal user root from 216.65.197.170 port 37644 ssh2
+Oct  3 02:19:46 [sshd] Failed password for illegal user root from 216.65.197.170 port 37827 ssh2
+Oct  3 02:19:48 [sshd] Failed password for illegal user root from 216.65.197.170 port 37989 ssh2
+Oct  3 02:19:50 [sshd] Failed password for illegal user root from 216.65.197.170 port 38163 ssh2
+Oct  3 02:19:52 [sshd] Failed password for illegal user root from 216.65.197.170 port 38329 ssh2
+Oct  3 02:19:54 [sshd] Failed password for illegal user root from 216.65.197.170 port 38559 ssh2
+Oct  3 02:19:56 [sshd] Failed password for illegal user root from 216.65.197.170 port 38735 ssh2
+Oct  3 02:19:58 [sshd] Failed password for illegal user cip52 from 216.65.197.170 port 38893 ssh2
+Oct  3 02:20:00 [sshd] Failed password for illegal user cip51 from 216.65.197.170 port 39109 ssh2
+Oct  3 02:20:01 [sshd] Failed password for illegal user root from 216.65.197.170 port 39282 ssh2
+Oct  3 02:20:03 [sshd] Failed password for illegal user noc from 216.65.197.170 port 39448 ssh2
+Oct  3 02:20:05 [sshd] Failed password for illegal user root from 216.65.197.170 port 39621 ssh2
+Oct  3 02:20:06 [sshd] Failed password for illegal user root from 216.65.197.170 port 39781 ssh2
+Oct  3 02:20:08 [sshd] Failed password for illegal user root from 216.65.197.170 port 39958 ssh2
+Oct  3 02:20:10 [sshd] Failed password for illegal user root from 216.65.197.170 port 40125 ssh2
+Oct  3 02:20:12 [sshd] Failed password for illegal user webmaster from 216.65.197.170 port 40316 ssh2
+Oct  3 02:20:13 [sshd] Failed password for illegal user data from 216.65.197.170 port 40473 ssh2
+Oct  3 02:20:15 [sshd] Failed password for illegal user user from 216.65.197.170 port 40645 ssh2
+Oct  3 02:20:17 [sshd] Failed password for illegal user user from 216.65.197.170 port 40800 ssh2
+Oct  3 02:20:19 [sshd] Failed password for illegal user user from 216.65.197.170 port 40965 ssh2
+Oct  3 02:20:20 [sshd] Failed password for illegal user web from 216.65.197.170 port 41120 ssh2
+Oct  3 02:20:22 [sshd] Failed password for illegal user web from 216.65.197.170 port 41300 ssh2
+Oct  3 02:20:24 [sshd] Failed password for illegal user oracle from 216.65.197.170 port 41468 ssh2
+Oct  3 02:20:25 [sshd] Failed password for illegal user sybase from 216.65.197.170 port 41642 ssh2
+Oct  3 02:20:27 [sshd] Failed password for illegal user master from 216.65.197.170 port 41809 ssh2
+Oct  3 02:20:29 [sshd] Failed password for illegal user account from 216.65.197.170 port 41987 ssh2
+Oct  3 02:20:31 [sshd] Failed password for illegal user backup from 216.65.197.170 port 42143 ssh2
+Oct  3 02:20:32 [sshd] Failed password for illegal user server from 216.65.197.170 port 42316 ssh2
+Oct  3 02:20:34 [sshd] Failed password for illegal user adam from 216.65.197.170 port 42481 ssh2
+Oct  3 02:20:36 [sshd] Failed password for illegal user alan from 216.65.197.170 port 42647 ssh2
+Oct  3 02:20:37 [sshd] Failed password for illegal user frank from 216.65.197.170 port 42817 ssh2
+Oct  3 02:20:39 [sshd] Failed password for illegal user george from 216.65.197.170 port 42993 ssh2
+Oct  3 02:20:41 [sshd] Failed password for illegal user henry from 216.65.197.170 port 43170 ssh2
+Oct  3 02:20:43 [sshd] Failed password for illegal user john from 216.65.197.170 port 43319 ssh2
+Oct  3 02:20:44 [sshd] Failed password for illegal user root from 216.65.197.170 port 43504 ssh2
+Oct  3 02:20:46 [sshd] Failed password for illegal user root from 216.65.197.170 port 43664 ssh2
+Oct  3 02:20:48 [sshd] Failed password for illegal user root from 216.65.197.170 port 43844 ssh2
+Oct  3 02:20:49 [sshd] Failed password for illegal user root from 216.65.197.170 port 44008 ssh2
+Oct  3 02:20:51 [sshd] Failed password for illegal user root from 216.65.197.170 port 44182 ssh2
+Oct  3 02:20:53 [sshd] Failed password for illegal user test from 216.65.197.170 port 44338 ssh2
+Oct  3 06:37:34 [sshd] Failed password for illegal user nobody from 217.56.33.194 port 1969 ssh2
+Oct  3 06:37:36 [sshd] Failed password for illegal user patrick from 217.56.33.194 port 2002 ssh2
+Oct  3 06:37:37 [sshd] Failed password for illegal user patrick from 217.56.33.194 port 2039 ssh2
+Oct  3 06:37:38 [sshd] Failed password for illegal user root from 217.56.33.194 port 2070 ssh2
+Oct  3 06:37:40 [sshd] Failed password for illegal user root from 217.56.33.194 port 2109 ssh2
+Oct  3 06:37:41 [sshd] Failed password for illegal user root from 217.56.33.194 port 2142 ssh2
+Oct  3 06:37:42 [sshd] Failed password for illegal user root from 217.56.33.194 port 2173 ssh2
+Oct  3 06:37:44 [sshd] Failed password for illegal user root from 217.56.33.194 port 2211 ssh2
+Oct  3 06:37:45 [sshd] Failed password for illegal user rolo from 217.56.33.194 port 2244 ssh2
+Oct  3 06:37:46 [sshd] Failed password for illegal user iceuser from 217.56.33.194 port 2272 ssh2
+Oct  3 06:37:48 [sshd] Failed password for illegal user horde from 217.56.33.194 port 2305 ssh2
+Oct  3 06:37:49 [sshd] Failed password for illegal user cyrus from 217.56.33.194 port 2337 ssh2
+Oct  3 06:37:50 [sshd] Failed password for illegal user www from 217.56.33.194 port 2373 ssh2
+Oct  3 06:37:52 [sshd] Failed password for illegal user wwwrun from 217.56.33.194 port 2407 ssh2
+Oct  3 06:37:53 [sshd] Failed password for illegal user matt from 217.56.33.194 port 2439 ssh2
+Oct  3 06:37:55 [sshd] Failed password for illegal user test from 217.56.33.194 port 2466 ssh2
+Oct  3 06:37:56 [sshd] Failed password for illegal user test from 217.56.33.194 port 2501 ssh2
+Oct  3 06:37:57 [sshd] Failed password for illegal user test from 217.56.33.194 port 2533 ssh2
+Oct  3 06:37:59 [sshd] Failed password for illegal user test from 217.56.33.194 port 2567 ssh2
+Oct  3 06:38:00 [sshd] Failed password for illegal user www-data from 217.56.33.194 port 2605 ssh2
+Oct  3 06:38:01 [sshd] Failed password for illegal user mysql from 217.56.33.194 port 2635 ssh2
+Oct  3 06:38:03 [sshd] Failed password for illegal user operator from 217.56.33.194 port 2667 ssh2
+Oct  3 06:38:04 [sshd] Failed password for illegal user adm from 217.56.33.194 port 2697 ssh2
+Oct  3 06:38:05 [sshd] Failed password for illegal user apache from 217.56.33.194 port 2733 ssh2
+Oct  3 06:38:07 [sshd] Failed password for illegal user irc from 217.56.33.194 port 2768 ssh2
+Oct  3 06:38:08 [sshd] Failed password for illegal user irc from 217.56.33.194 port 2804 ssh2
+Oct  3 06:38:09 [sshd] Failed password for illegal user adm from 217.56.33.194 port 2837 ssh2
+Oct  3 06:38:11 [sshd] Failed password for illegal user root from 217.56.33.194 port 2872 ssh2
+Oct  3 06:38:13 [sshd] Failed password for illegal user root from 217.56.33.194 port 2907 ssh2
+Oct  3 06:38:14 [sshd] Failed password for illegal user root from 217.56.33.194 port 2950 ssh2
+Oct  3 06:38:16 [sshd] Failed password for illegal user jane from 217.56.33.194 port 2986 ssh2
+Oct  3 06:38:17 [sshd] Failed password for illegal user pamela from 217.56.33.194 port 3019 ssh2
+Oct  3 06:38:18 [sshd] Failed password for illegal user root from 217.56.33.194 port 3053 ssh2
+Oct  3 06:38:20 [sshd] Failed password for illegal user root from 217.56.33.194 port 3085 ssh2
+Oct  3 06:38:21 [sshd] Failed password for illegal user root from 217.56.33.194 port 3115 ssh2
+Oct  3 06:38:22 [sshd] Failed password for illegal user root from 217.56.33.194 port 3147 ssh2
+Oct  3 06:38:24 [sshd] Failed password for illegal user root from 217.56.33.194 port 3177 ssh2
+Oct  3 06:38:25 [sshd] Failed password for illegal user cosmin from 217.56.33.194 port 3208 ssh2
+Oct  3 06:38:26 [sshd] Failed password for illegal user root from 217.56.33.194 port 3239 ssh2
+Oct  3 06:38:28 [sshd] Failed password for illegal user root from 217.56.33.194 port 3272 ssh2
+Oct  3 06:38:29 [sshd] Failed password for illegal user root from 217.56.33.194 port 3302 ssh2
+Oct  3 06:38:30 [sshd] Failed password for illegal user root from 217.56.33.194 port 3336 ssh2
+Oct  3 06:38:32 [sshd] Failed password for illegal user root from 217.56.33.194 port 3367 ssh2
+Oct  3 06:38:33 [sshd] Failed password for illegal user root from 217.56.33.194 port 3403 ssh2
+Oct  3 06:38:34 [sshd] Failed password for illegal user root from 217.56.33.194 port 3432 ssh2
+Oct  3 06:38:36 [sshd] Failed password for illegal user root from 217.56.33.194 port 3458 ssh2
+Oct  3 06:38:37 [sshd] Failed password for illegal user root from 217.56.33.194 port 3494 ssh2
+Oct  3 06:38:38 [sshd] Failed password for illegal user root from 217.56.33.194 port 3525 ssh2
+Oct  3 06:38:40 [sshd] Failed password for illegal user root from 217.56.33.194 port 3554 ssh2
+Oct  3 06:38:41 [sshd] Failed password for illegal user root from 217.56.33.194 port 3590 ssh2
+Oct  3 06:38:42 [sshd] Failed password for illegal user root from 217.56.33.194 port 3623 ssh2
+Oct  3 06:38:44 [sshd] Failed password for illegal user root from 217.56.33.194 port 3654 ssh2
+Oct  3 06:38:45 [sshd] Failed password for illegal user root from 217.56.33.194 port 3690 ssh2
+Oct  3 06:38:46 [sshd] Failed password for illegal user root from 217.56.33.194 port 3720 ssh2
+Oct  3 06:38:48 [sshd] Failed password for illegal user root from 217.56.33.194 port 3752 ssh2
+Oct  3 06:38:49 [sshd] Failed password for illegal user root from 217.56.33.194 port 3785 ssh2
+Oct  3 06:38:51 [sshd] Failed password for illegal user root from 217.56.33.194 port 3817 ssh2
+Oct  3 06:38:52 [sshd] Failed password for illegal user root from 217.56.33.194 port 3853 ssh2
+Oct  3 06:38:53 [sshd] Failed password for illegal user root from 217.56.33.194 port 3886 ssh2
+Oct  3 06:38:55 [sshd] Failed password for illegal user root from 217.56.33.194 port 3923 ssh2
+Oct  3 06:38:56 [sshd] Failed password for illegal user root from 217.56.33.194 port 3955 ssh2
+Oct  3 06:38:57 [sshd] Failed password for illegal user root from 217.56.33.194 port 3983 ssh2
+Oct  3 06:38:59 [sshd] Failed password for illegal user root from 217.56.33.194 port 4016 ssh2
+Oct  3 06:39:00 [sshd] Failed password for illegal user root from 217.56.33.194 port 4045 ssh2
+Oct  3 06:39:01 [sshd] Failed password for illegal user root from 217.56.33.194 port 4073 ssh2
+Oct  3 06:39:03 [sshd] Failed password for illegal user root from 217.56.33.194 port 4110 ssh2
+Oct  3 06:39:04 [sshd] Failed password for illegal user root from 217.56.33.194 port 4140 ssh2
+Oct  3 06:39:05 [sshd] Failed password for illegal user root from 217.56.33.194 port 4171 ssh2
+Oct  3 06:39:07 [sshd] Failed password for illegal user root from 217.56.33.194 port 4201 ssh2
+Oct  3 06:39:08 [sshd] Failed password for illegal user root from 217.56.33.194 port 4235 ssh2
+Oct  3 06:39:09 [sshd] Failed password for illegal user root from 217.56.33.194 port 4267 ssh2
+Oct  3 06:39:11 [sshd] Failed password for illegal user root from 217.56.33.194 port 4300 ssh2
+Oct  3 06:39:12 [sshd] Failed password for illegal user root from 217.56.33.194 port 4326 ssh2
+Oct  3 06:39:13 [sshd] Failed password for illegal user root from 217.56.33.194 port 4358 ssh2
+Oct  3 06:39:15 [sshd] Failed password for illegal user cip52 from 217.56.33.194 port 4390 ssh2
+Oct  3 06:39:16 [sshd] Failed password for illegal user cip51 from 217.56.33.194 port 4427 ssh2
+Oct  3 06:39:18 [sshd] Failed password for illegal user root from 217.56.33.194 port 4459 ssh2
+Oct  3 06:39:19 [sshd] Failed password for illegal user noc from 217.56.33.194 port 4492 ssh2
+Oct  3 06:39:20 [sshd] Failed password for illegal user root from 217.56.33.194 port 4526 ssh2
+Oct  3 06:39:22 [sshd] Failed password for illegal user root from 217.56.33.194 port 4557 ssh2
+Oct  3 06:39:23 [sshd] Failed password for illegal user root from 217.56.33.194 port 4588 ssh2
+Oct  3 06:39:24 [sshd] Failed password for illegal user root from 217.56.33.194 port 4618 ssh2
+Oct  3 06:39:26 [sshd] Failed password for illegal user webmaster from 217.56.33.194 port 4652 ssh2
+Oct  3 06:39:27 [sshd] Failed password for illegal user data from 217.56.33.194 port 4679 ssh2
+Oct  3 06:39:28 [sshd] Failed password for illegal user user from 217.56.33.194 port 4716 ssh2
+Oct  3 06:39:30 [sshd] Failed password for illegal user user from 217.56.33.194 port 4744 ssh2
+Oct  3 06:39:31 [sshd] Failed password for illegal user user from 217.56.33.194 port 4777 ssh2
+Oct  3 06:39:32 [sshd] Failed password for illegal user web from 217.56.33.194 port 4808 ssh2
+Oct  3 06:39:34 [sshd] Failed password for illegal user web from 217.56.33.194 port 4842 ssh2
+Oct  3 06:39:35 [sshd] Failed password for illegal user oracle from 217.56.33.194 port 4869 ssh2
+Oct  3 06:39:36 [sshd] Failed password for illegal user sybase from 217.56.33.194 port 4899 ssh2
+Oct  3 06:39:38 [sshd] Failed password for illegal user master from 217.56.33.194 port 4933 ssh2
+Oct  3 06:39:39 [sshd] Failed password for illegal user account from 217.56.33.194 port 4969 ssh2
+Oct  3 06:39:40 [sshd] Failed password for illegal user backup from 217.56.33.194 port 4999 ssh2
+Oct  3 06:39:42 [sshd] Failed password for illegal user server from 217.56.33.194 port 1051 ssh2
+Oct  3 06:39:43 [sshd] Failed password for illegal user adam from 217.56.33.194 port 1082 ssh2
+Oct  3 06:39:44 [sshd] Failed password for illegal user alan from 217.56.33.194 port 1114 ssh2
+Oct  3 06:39:46 [sshd] Failed password for illegal user frank from 217.56.33.194 port 1141 ssh2
+Oct  3 06:39:47 [sshd] Failed password for illegal user george from 217.56.33.194 port 1174 ssh2
+Oct  3 06:39:49 [sshd] Failed password for illegal user henry from 217.56.33.194 port 1205 ssh2
+Oct  3 06:39:50 [sshd] Failed password for illegal user john from 217.56.33.194 port 1236 ssh2
+Oct  3 06:39:51 [sshd] Failed password for illegal user root from 217.56.33.194 port 1271 ssh2
+Oct  3 06:39:53 [sshd] Failed password for illegal user root from 217.56.33.194 port 1300 ssh2
+Oct  3 06:39:55 [sshd] Failed password for illegal user root from 217.56.33.194 port 1332 ssh2
+Oct  3 06:39:56 [sshd] Failed password for illegal user root from 217.56.33.194 port 1380 ssh2
+Oct  3 06:39:57 [sshd] Failed password for illegal user root from 217.56.33.194 port 1412 ssh2
+Oct  3 06:39:59 [sshd] Failed password for illegal user test from 217.56.33.194 port 1449 ssh2
+Oct  4 04:43:59 [sshd] Failed password for illegal user test from 212.204.226.21 port 60349 ssh2
+Oct  4 04:44:03 [sshd] Failed password for illegal user guest from 212.204.226.21 port 60394 ssh2
+Oct  4 04:44:06 [sshd] Failed password for illegal user admin from 212.204.226.21 port 60540 ssh2
+Oct  4 04:44:08 [sshd] Failed password for illegal user admin from 212.204.226.21 port 60620 ssh2
+Oct  4 04:44:11 [sshd] Failed password for illegal user user from 212.204.226.21 port 60679 ssh2
+Oct  4 04:44:14 [sshd] Failed password for illegal user root from 212.204.226.21 port 60773 ssh2
+Oct  4 04:44:15 [sshd] Failed password for illegal user root from 212.204.226.21 port 60828 ssh2
+Oct  4 04:44:18 [sshd] Failed password for illegal user root from 212.204.226.21 port 60880 ssh2
+Oct  4 04:44:21 [sshd] Failed password for illegal user test from 212.204.226.21 port 60957 ssh2
+Oct  4 09:32:21 [sshd] Failed password for illegal user test from 62.141.56.70 port 45600 ssh2
+Oct  4 09:32:27 [sshd] Failed password for illegal user guest from 62.141.56.70 port 47635 ssh2
+Oct  4 09:32:32 [sshd] Failed password for illegal user admin from 62.141.56.70 port 49967 ssh2
+Oct  4 09:32:37 [sshd] Failed password for illegal user admin from 62.141.56.70 port 52093 ssh2
+Oct  4 09:32:42 [sshd] Failed password for illegal user user from 62.141.56.70 port 53840 ssh2
+Oct  4 09:32:47 [sshd] Failed password for illegal user root from 62.141.56.70 port 55568 ssh2
+Oct  4 09:32:51 [sshd] Failed password for illegal user root from 62.141.56.70 port 57526 ssh2
+Oct  4 09:32:51 [sshd] Failed password for illegal user root from 62.141.56.70 port 58454 ssh2
+Oct  4 09:32:52 [sshd] Failed password for illegal user test from 62.141.56.70 port 58819 ssh2
+Oct  4 14:09:11 [sshd] Failed password for illegal user test from 211.234.125.100 port 46642 ssh2
+Oct  4 14:09:18 [sshd] Failed password for illegal user guest from 211.234.125.100 port 46788 ssh2
+Oct  4 14:09:23 [sshd] Failed password for illegal user admin from 211.234.125.100 port 46886 ssh2
+Oct  4 14:09:30 [sshd] Failed password for illegal user admin from 211.234.125.100 port 46960 ssh2
+Oct  4 14:09:43 [sshd] Failed password for illegal user user from 211.234.125.100 port 47025 ssh2
+Oct  6 04:13:11 [sshd] Failed password for illegal user test from 64.246.30.17 port 58277 ssh2
+Oct  6 04:13:13 [sshd] Failed password for illegal user guest from 64.246.30.17 port 58360 ssh2
+Oct  6 04:13:15 [sshd] Failed password for illegal user admin from 64.246.30.17 port 58428 ssh2
+Oct  6 04:13:17 [sshd] Failed password for illegal user admin from 64.246.30.17 port 58514 ssh2
+Oct  6 22:13:56 [sshd] Failed password for illegal user test from 61.11.98.217 port 45434 ssh2
+Oct  6 22:14:00 [sshd] Failed password for illegal user guest from 61.11.98.217 port 45586 ssh2
+Oct  6 22:14:05 [sshd] Failed password for illegal user admin from 61.11.98.217 port 45672 ssh2
+Oct  6 22:14:10 [sshd] Failed password for illegal user admin from 61.11.98.217 port 45748 ssh2
+Oct  6 22:14:18 [sshd] Failed password for illegal user user from 61.11.98.217 port 45833 ssh2
+Oct  7 00:25:34 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37086 ssh2
+Oct  7 00:25:34 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37086 ssh2
+                - Last output repeated twice -
+Oct  7 00:26:27 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37089 ssh2
+                - Last output repeated 2 times -
+Oct  7 00:26:37 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37092 ssh2
+                - Last output repeated 2 times -
+Oct  7 00:27:21 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37095 ssh2
+                - Last output repeated twice -
+Oct  7 00:51:31 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37130 ssh2
+                - Last output repeated 2 times -
+Oct  7 00:51:48 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37138 ssh2
+                - Last output repeated 2 times -
+Oct  7 00:52:02 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37141 ssh2
+Oct  7 00:56:10 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37153 ssh2
+                - Last output repeated 2 times -
+Oct  7 00:56:41 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37156 ssh2
+                - Last output repeated 2 times -
+Oct  7 00:57:00 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37159 ssh2
+Oct  7 00:58:17 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37162 ssh2
+                - Last output repeated 2 times -
+Oct  7 00:58:29 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37165 ssh2
+                - Last output repeated 2 times -
+Oct  7 00:58:39 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37168 ssh2
+Oct  7 01:00:32 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37171 ssh2
+                - Last output repeated 2 times -
+Oct  7 01:00:44 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37175 ssh2
+                - Last output repeated 2 times -
+Oct  7 01:01:23 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37178 ssh2
+                - Last output repeated 2 times -
+Oct  7 01:03:01 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37181 ssh2
+                - Last output repeated 2 times -
+Oct  7 01:03:12 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37184 ssh2
+                - Last output repeated 2 times -
+Oct  7 01:03:20 [sshd] Failed password for illegal user tata from 128.178.164.52 port 37187 ssh2
+                - Last output repeated 2 times -
+Nov 14 11:47:08 [sshd] Failed password for illegal user test from 69.182.27.122 port 34015 ssh2
+Nov 14 11:47:09 [sshd] Failed password for illegal user guest from 69.182.27.122 port 34068 ssh2
+Nov 14 11:47:11 [sshd] Failed password for illegal user admin from 69.182.27.122 port 34127 ssh2
+Nov 15 11:12:11 yellow sshd[16069]: Failed password for cyril from 212.41.79.210 port 29404 ssh2
+Nov 15 21:54:11 yellow sshd[16069]: Illegal user for cyril from 212.41.79.210 port 29404 ssh2

logreader/logreader.py

@@ -0,0 +1,189 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+# Author: Cyril Jaquier
+# 
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+import os, sys, time, re
+
+from utils.dns import *
+
+class LogReader:
+	""" Reads a log file and reports information about IP that make password
+		failure, bad user or anything else that is considered as doubtful login
+		attempt.	
+	"""
+	
+	def __init__(self, logSys, logPath, timeregex, timepattern, failregex,
+		findTime = 3600):
+		self.logPath = logPath
+		self.timeregex = timeregex
+		self.timepattern = timepattern
+		self.failregex = failregex
+		self.findTime = findTime
+		self.ignoreIpList = []
+		self.lastModTime = 0
+		self.logSys = logSys
+		self.lastPos = 0
+		self.lastDate = 0
+		self.logStats = None
+		
+	def setName(self, name):
+		""" Sets the name of the log reader.
+		"""
+		self.name = name
+		
+	def getName(self):
+		""" Gets the name of the log reader.
+		"""
+		return self.name
+	
+	def getFindTime(self):
+		""" Gets the find time.
+		"""
+		return self.findTime
+	
+	def addIgnoreIP(self, ip):
+		""" Adds an IP to the ignore list.
+		"""
+		self.logSys.debug("Add "+ip+" to ignore list")
+		self.ignoreIpList.append(ip)
+		
+	def inIgnoreIPList(self, ip):
+		""" Checks if IP is in the ignore list.
+		"""
+		return ip in self.ignoreIpList
+	
+	def openLogFile(self):
+		""" Opens the log file specified on init.
+		"""
+		try:
+			fileHandler = open(self.logPath)
+		except OSError:
+			self.logSys.error("Unable to open "+self.logPath)
+			sys.exit(-1)
+		return fileHandler
+		
+	def isModified(self):
+		""" Checks if the log file has been modified using os.stat().
+		"""
+		try:
+			self.logStats = os.stat(self.logPath)
+		except OSError:
+			self.logSys.error("Unable to get stat on "+self.logPath)
+			sys.exit(-1)
+		
+		if self.lastModTime == self.logStats.st_mtime:
+			return False
+		else:
+			self.logSys.debug(self.logPath+" has been modified")
+			self.lastModTime = self.logStats.st_mtime
+			return True
+	
+	def setFilePos(self, file):
+		""" Sets the file position. We must take care of log file rotation
+			and reset the position to 0 in that case. Use the log message
+			timestamp in order to detect this.		
+		"""
+		line = file.readline()
+		if self.lastDate < self.getTime(line):
+			self.logSys.debug("Date " + `self.lastDate` + " is " +
+							"smaller than " + `self.getTime(line)`)
+			self.logSys.debug("Log rotation detected for " + self.logPath)
+			self.lastPos = 0
+		
+		self.logSys.debug("Setting file position to " + `self.lastPos` + " for "
+						+ self.logPath)
+		file.seek(self.lastPos)
+	
+	def getFailures(self):
+		""" Gets all the failure in the log file which are
+			newer than time.time()-self.findTime.
+			
+			Returns a dict with the IP, the number of failure
+			and the latest failure time.
+		"""
+		ipList = dict()
+		self.logSys.debug(self.logPath)
+		logFile = self.openLogFile()
+		self.setFilePos(logFile)
+		lastLine = ''
+		for line in logFile.readlines():
+			lastLine = line
+			failList = self.findFailure(line)
+			for element in failList:
+				ip = element[0]
+				unixTime = element[1]
+				if unixTime < time.time()-self.findTime:
+					break
+				if self.inIgnoreIPList(ip):
+					self.logSys.debug("Ignore "+ip)
+					continue
+				self.logSys.debug("Found "+ip)
+				if ipList.has_key(ip):
+					ipList[ip] = (ipList[ip][0]+1, unixTime)
+				else:
+					ipList[ip] = (1, unixTime)
+		self.lastPos = logFile.tell()
+		self.lastDate = self.getTime(lastLine)
+		logFile.close()
+		return ipList
+
+	def findFailure(self, line):
+		""" Finds the failure in line. Uses the failregex pattern
+			to find it and timeregex in order to find the logging
+			time.
+			
+			Returns a dict with IP and timestamp.
+		"""
+		failList = list()
+		match = re.search(self.failregex, line)
+		if match:
+			timeMatch = re.search(self.timeregex, match.string)
+			if timeMatch:
+				date = self.getUnixTime(timeMatch.group())
+				ipMatch = textToIp(match.string)
+				if ipMatch:
+					for ip in ipMatch:
+						failList.append([ip, date])
+		return failList
+	
+	def getTime(self, line):
+		""" Gets the time of a log message.
+		"""
+		date = 0
+		timeMatch = re.search(self.timeregex, line)
+		if timeMatch:
+			date = self.getUnixTime(timeMatch.group())
+		return date
+		
+	def getUnixTime(self, value):
+		""" Returns the Unix timestamp of the given value.
+			Pattern should describe the date construction of
+			value.
+		"""
+		date = list(time.strptime(value, self.timepattern))
+		if date[0] < 2000:
+			date[0] = time.gmtime()[0]
+		unixTime = time.mktime(date)
+		return unixTime

setup.cfg

@@ -0,0 +1,5 @@
+[install]
+install-purelib=/usr/lib/fail2ban
+
+[sdist]
+formats=bztar

setup.py

@@ -0,0 +1,42 @@
+#!/usr/bin/env python
+
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+# Author: Cyril Jaquier
+# 
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+from distutils.core import setup
+from version import version
+
+setup(
+        name = "fail2ban",
+        version = version,
+        description = "Ban IPs that make too many password failure",
+        author = "Cyril Jaquier",
+        author_email = "lostcontrol@users.sourceforge.net",
+        url = "http://www.sourceforge.net/projects/fail2ban",
+        scripts = ['fail2ban.py'],
+        py_modules = ['version'],
+        packages = ['firewall', 'logreader', 'confreader', 'utils']
+)

utils/__init__.py

@@ -0,0 +1,25 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+# Author: Cyril Jaquier
+# 
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"

utils/dns.py

@@ -0,0 +1,73 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+# Author: Cyril Jaquier
+# 
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+import os, re, socket
+
+def dnsToIp(dns):
+	""" Convert a DNS into an IP address using the Python socket module.
+		Thanks to Kevin Drapel.
+	"""
+	try:
+		return socket.gethostbyname_ex(dns)[2]
+	except socket.gaierror:
+		return list()
+
+def textToDns(text):
+	""" Search for possible DNS in an arbitrary text.
+		Thanks to Tom Pike.
+	"""
+	match = re.findall("(?:(?:\w|-)+\.){2,}\w+", text)
+	if match:
+		return match
+	else:
+		return []
+
+def searchIP(text):
+	""" Search if an IP address if directly available and return
+		it.
+	"""
+	match = re.findall("(?:\d{1,3}\.){3}\d{1,3}", text)
+	if match:
+		return match
+	else:
+		return []
+
+def textToIp(text):
+	""" Return the IP of DNS found in a given text.
+	"""
+	ipList = list()
+	# Search for plain IP
+	plainIP = searchIP(text)
+	for element in plainIP:
+		ipList.append(element)
+	if not ipList:
+		# Try to get IP from possible DNS
+		dnsList = textToDns(text)
+		for element in dnsList:
+			dns = dnsToIp(element)
+			for e in dns:
+				ipList.append(e)
+	return ipList

version.py

@@ -0,0 +1,27 @@
+# This file is part of Fail2Ban.
+#
+# Fail2Ban is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Fail2Ban is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Fail2Ban; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+# Author: Cyril Jaquier
+# 
+# $Revision$
+
+__author__ = "Cyril Jaquier"
+__version__ = "$Revision$"
+__date__ = "$Date$"
+__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
+__license__ = "GPL"
+
+version = "0.4.1"