fixed action_ shortcuts
adjusted initd script to be verbose on start if socketfile exists
pull/3/head
parent
7fa686a7f2
commit
f01c74581d
@ -4,16 +4,16 @@ fail2ban (0.7.6-1~pre1) UNRELEASED; urgency=low
non-released versions (which were suggested to the users to overcome
problems reported in bug reports). In particular attention should be paid
to upstream changelog entries
- Several "failregex" and "ignoreregex" are now accepted.
Creation of rules should be easier now.
This is an alternative solution to 'multiple <HOST>' entries fix,
which is not applied to this shipped version - pay cautios if upgrading
from 0.7.5-3~pre?
- Allow comma in action options. The value of the option must
be escaped with " or '.
be escaped with " or '.
That allowed to implement requested ability to ban multiple ports
at once (See 373592). README.Debian and jail.conf adjusted to reflect
@ -28,10 +28,13 @@ fail2ban (0.7.6-1~pre1) UNRELEASED; urgency=low
- Added option banaction which is to incorporate banning agent
(usually some flavor of iptables rule), which can then be easily
overriden globally or per section
- Multiple actions are defined as action_* to serve as shortcuts
-- Yaroslav Halchenko <debian@onerussian.com> Thu, 4 Jan 2007 12:21:30 -0500
* Initd script was modified to inform about present socket file which
would forbid fail2ban-server from starting.
-- Yaroslav Halchenko <debian@onerussian.com> Thu, 4 Jan 2007 12:21:30 -0500
fail2ban (0.7.5-3~pre6) unstable; urgency=low
@ -23,9 +23,13 @@ NAME=fail2ban
# fail2ban-client is not a daemon itself but starts a daemon and
# loads its with configuration
DAEMON=/usr/bin/$NAME-client
SOCKFILE=/tmp/$NAME.sock
SCRIPTNAME=/etc/init.d/$NAME
# Ad-hoc way to parse out socket file name
SOCKFILE=`grep -h '^[^#]*socket *=' /etc/$NAME/$NAME.conf /etc/$NAME/$NAME.local 2>/dev/null \
| tail -n 1 | sed -e 's/.*socket *= *//g' -e 's/ *$//g'`
[ -z "$SOCKFILE" ] && SOCKFILE='/tmp/fail2ban.sock'
# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0
@ -50,21 +54,6 @@ log_daemon_msg () {
# so we must be ok
. /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
do_status && return 1
start-stop-daemon --start --quiet --chuid root --exec $DAEMON -- \
$DAEMON_ARGS start > /dev/null\
|| return 2
}
#
# Shortcut function for abnormal init script interruption
#
@ -75,6 +64,47 @@ report_bug()
exit 1
}
#
# Helper function to check if socket is present, which is often left after
# abnormal exit of fail2ban and needs to be removed
#
check_socket()
{
# Return
# 0 if socket is present and readable
# 1 if socket file is not present
# 2 if socket file is present but not readable
# 3 if socket file is present but is not a socket
[ -e "$SOCKFILE" ] || return 1
[ -r "$SOCKFILE" ] || return 2
[ -S "$SOCKFILE" ] || return 3
return 0
}
#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
do_status && return 1
if [ -e "$SOCKFILE" ]; then
log_failure_msg "Socket file $SOCKFILE is present"
return 2
fi
start-stop-daemon --start --quiet --chuid root --exec $DAEMON -- \
$DAEMON_ARGS start > /dev/null\
|| return 2
return 0
}
#
# Function that checks the status of fail2ban and returns
# corresponding code
@ -82,23 +112,7 @@ report_bug()
do_status()
{
$DAEMON ping > /dev/null
case $? in
0) return 0
;;
255)
if [ -S $SOCKFILE ]; then
if [ -r $SOCKFILE ]; then
return 1
else
return 4
fi
else
return 3
fi
;;
*)
report_bug "Unknown return code from fail2ban."
esac
return $?
}
#
@ -182,10 +196,17 @@ case "$1" in
do_status
case $? in
0) log_success_msg " $NAME is running" ;;
1) log_failure_msg " $NAME is not running but $SOCKFILE exists" ;;
3) log_warning_msg " $NAME is not running" ;;
4) log_failure_msg " $SOCKFILE not readable, status of $NAME unknown";;
*) report_bug "Unknown status code"
255)
check_socket
case $? in
1) log_warning_msg " $NAME is not running" ;;
0) log_failure_msg " $NAME is not running but $SOCKFILE exists" ;;
2) log_failure_msg " $SOCKFILE not readable, status of $NAME is unknown";;
3) log_failure_msg " $SOCKFILE exists but not a socket, status of $NAME is unknown";;
*) report_bug "Unknown return code from $NAME:check_socket.";;
esac
;;
*) report_bug "Unknown $NAME status code"
esac
;;
*)
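Review bot: The socket guard added to do_start (`if [ -e "$SOCKFILE" ]; then log_failure_msg "Socket file $SOCKFILE is present"; return 2`) tests bare existence, so a leftover regular file, an unreadable path and a genuinely stale socket all yield the same message and the same "could not be started" code, although this very commit introduces check_socket to tell those cases apart (its header documents return codes 1–3). Calling check_socket from do_start and wording the failure per case would make the refusal actionable for the administrator. Because SOCKFILE falls back to a path under /tmp (`[ -z "$SOCKFILE" ] && SOCKFILE='/tmp/fail2ban.sock'` in the earlier hunk), any stray file at that path now blocks startup outright; that consequence deserves a mention in the message or the changelog, and the config parsing that derives SOCKFILE lies outside this hunk.
```shell
    do_status && return 1

    if [ -e "$SOCKFILE" ]; then
        check_socket
        case $? in
            0) log_failure_msg "Stale socket $SOCKFILE is present; remove it if $NAME is not running" ;;
            2) log_failure_msg "Socket file $SOCKFILE is present but not readable" ;;
            3) log_failure_msg "$SOCKFILE is present but is not a socket" ;;
            *) log_failure_msg "Socket file $SOCKFILE is present" ;;
        esac
        return 2
    fi
    # … unchanged: start-stop-daemon invocation and return 0 …
```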
@ -38,28 +38,31 @@ destemail = root@localhost
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, etc) It is used to define action_* variables. Can
# be overriden globally or per section within jail.local file
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overriden globally or per
# section within jail.local file
banaction = iptables
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_i = %(banaction)s[name=%(__name__)s, port="%(port)s"]
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s"]
# Following actions can be chosen as an alternatives to the above action.
# Action to take: ban & send an e-mail with whois report to the destemail.
action_i_mw = %(banaction)s[name=%(__name__)s, port="%(port)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s"]
mail-whois[name=%(__name__)s, dest="%(destemail)s"]
# Action to take: ban & send an e-mail with whois report
# and relevant log lines to the destemail.
action_i_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s"]
mail-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
# Choose default action. To change, just override value of 'action' with the
# chosen action (e.g. action_i_mw, action_i_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section (e.g. ssh)
action = action_i
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
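Review bot: The new shortcut name `action_` (trailing underscore, in `action_ = %(banaction)s[name=%(__name__)s, port="%(port)s"]`) reads like a typo, and the header comment above it ("Action shortcuts. To be used to define action parameter") does not explain the naming; suggest adding beneath it `# action_ is the plain "ban only" shortcut; the _mw/_mwl suffixes add the mail actions`. The rename from `action_i*` to `action_*` together with `action = %(action_)s` is not backward-compatible with a jail.local that still sets `action = action_i` or `action_i_mw` in the form the removed line `action = action_i` used — such an override presumably becomes a literal action name rather than a shortcut, so the changelog in this commit should warn upgraders. Less certain: `logpath=%(logpath)s` in the mwl shortcut is the one option value left unquoted, while this commit's changelog states that values containing a comma must be quoted with " or '; if logpath can carry several paths or a comma it would want the same quoting as `dest="%(destemail)s"`.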