From ec4c4b12c1f86769f021216482f4a380ca02d4bc Mon Sep 17 00:00:00 2001 From: Ben RUBSON Date: Sun, 19 Aug 2018 22:35:09 +0200 Subject: [PATCH 1/7] Add yes/no log option to badips.py --- config/action.d/badips.py | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/config/action.d/badips.py b/config/action.d/badips.py index 4e50890c..95bfbe14 100644 --- a/config/action.d/badips.py +++ b/config/action.d/badips.py @@ -70,6 +70,9 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable updateperiod : int, optional Time in seconds between updating bad IPs blacklist. Default 900 (15 minutes) + log : str, optional + Whether or not to log when an IP id (un)banned. + Default `yes`. agent : str, optional User agent transmitted to server. Default `Fail2Ban/ver.` @@ -86,7 +89,7 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable return Request(url, headers={'User-Agent': self.agent}, **argv) def __init__(self, jail, name, category, score=3, age="24h", key=None, - banaction=None, bancategory=None, bankey=None, updateperiod=900, agent="Fail2Ban", + banaction=None, bancategory=None, bankey=None, updateperiod=900, log="yes", agent="Fail2Ban", timeout=TIMEOUT): super(BadIPsAction, self).__init__(jail, name) @@ -99,6 +102,7 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable self.banaction = banaction self.bancategory = bancategory or category self.bankey = bankey + self.log = log self.updateperiod = updateperiod self._bannedips = set() 
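Review bot: In the `__init__` signature hunk the new `log="yes"` parameter is inserted between `updateperiod` and `agent`, which shifts the positional meaning of `agent` and `timeout` for any caller that passes them by position. Appending it after the existing parameters keeps the signature backward-compatible: `updateperiod=900, agent="Fail2Ban", timeout=TIMEOUT, log="yes"):`. The value is also stored exactly as given (`self.log = log`), so spellings such as `Yes` are kept verbatim; normalising once here, e.g. `self.log = str(log).lower()`, would make the later checks predictable. The body of `__init__` continues outside these hunks.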
@@ -289,9 +293,10 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG) else: self._bannedips.add(ip) - self._logSys.debug( - "Banned IP %s for jail '%s' with action '%s'", - ip, self._jail.name, self.banaction) + if self.log is "yes": + self._logSys.notice( + "Banned IP %s for jail '%s' with action '%s'", + ip, self._jail.name, self.banaction) def _unbanIPs(self, ips): for ip in ips: @@ -304,14 +309,15 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable 'ipjailmatches': "", }) except Exception as e: - self._logSys.info( + self._logSys.error( "Error unbanning IP %s for jail '%s' with action '%s': %s", ip, self._jail.name, self.banaction, e, exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG) else: - self._logSys.debug( - "Unbanned IP %s for jail '%s' with action '%s'", - ip, self._jail.name, self.banaction) + if self.log is "yes": + self._logSys.notice( + "Unbanned IP %s for jail '%s' with action '%s'", + ip, self._jail.name, self.banaction) finally: self._bannedips.remove(ip) From 70e53b55c558e9ccdb1a59d86031385dcd3023b0 Mon Sep 17 00:00:00 2001 From: Ben RUBSON Date: Sun, 19 Aug 2018 22:39:18 +0200 Subject: [PATCH 2/7] Typo --- config/action.d/badips.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/action.d/badips.py b/config/action.d/badips.py index 95bfbe14..c1c46ae3 100644 --- a/config/action.d/badips.py +++ b/config/action.d/badips.py @@ -71,7 +71,7 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable Time in seconds between updating bad IPs blacklist. Default 900 (15 minutes) log : str, optional - Whether or not to log when an IP id (un)banned. + Whether or not to log when an IP is (un)banned. Default `yes`. agent : str, optional User agent transmitted to server. From 9d7c0e00c132c04a4d77eb5d684116780300e207 Mon Sep 17 00:00:00 2001 
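Review bot: `if self.log is "yes":` in the `_banIPs` hunk, and again in the `_unbanIPs` hunk that follows, compares object identity rather than string value. Whether a string read from configuration is the same object as the literal is a CPython interning detail, so the ban and unban messages can be skipped even when the option is set to `yes`, and those events then never reach the log. Comparing by value is the fix: `if self.log == "yes":`. Both enclosing methods extend beyond their hunks.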
From: Ben RUBSON Date: Sat, 8 Sep 2018 09:28:42 +0200 Subject: [PATCH 3/7] Also log number of IPs removed/added --- config/action.d/badips.py | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/config/action.d/badips.py b/config/action.d/badips.py index c1c46ae3..97b45fa8 100644 --- a/config/action.d/badips.py +++ b/config/action.d/badips.py @@ -343,13 +343,16 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable ips = self.getList( self.bancategory, self.score, self.age, self.bankey) # Remove old IPs no longer listed - self._unbanIPs(self._bannedips - ips) + s = self._bannedips - ips + m = len(s) + self._unbanIPs(s) # Add new IPs which are now listed - self._banIPs(ips - self._bannedips) - - self._logSys.debug( - "Updated IPs for jail '%s'. Update again in %i seconds", - self._jail.name, self.updateperiod) + s = ips - self._bannedips + p = len(s) + self._banIPs(s) + self._logSys.info( + "Updated IPs for jail '%s' (-%d/+%d). Update again in %i seconds", + self._jail.name, m, p, self.updateperiod) finally: self._timer = threading.Timer(self.updateperiod, self.update) self._timer.start() From 4b751c84c353ac0254addad6bb89167df2dcdd25 Mon Sep 17 00:00:00 2001 From: "Sergey G. Brester" Date: Tue, 2 Oct 2018 12:32:15 +0200 Subject: [PATCH 4/7] badips.py: Rewrite new bool option "log" as "loglevel" and revert default to log-level (DEBUG). --- config/action.d/badips.py | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/config/action.d/badips.py b/config/action.d/badips.py index 97b45fa8..0d03f1d1 100644 --- a/config/action.d/badips.py +++ b/config/action.d/badips.py @@ -32,6 +32,8 @@ else: # pragma: 3.x no cover from urllib import urlencode from fail2ban.server.actions import ActionBase +from fail2ban.helpers import str2LogLevel + class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable 
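Review bot: The `-%d/+%d` figures in the new summary line are the sizes of the sets handed to `_unbanIPs` and `_banIPs`, taken before either call runs, so they count attempts rather than results. Going by the `_banIPs` context shown earlier in this series, an address is added to `self._bannedips` only when the ban action succeeds, so a failing ban action is still reported as added here. Measuring the set would report what actually changed, e.g. `n = len(self._bannedips)` before `self._banIPs(s)` and `p = len(self._bannedips) - n` after it. The one-letter names `s`, `m` and `p` would also read better as `stale`, `removed` and `added`. The enclosing `update` method starts outside the hunk.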
@@ -70,9 +72,9 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable updateperiod : int, optional Time in seconds between updating bad IPs blacklist. Default 900 (15 minutes) - log : str, optional - Whether or not to log when an IP is (un)banned. - Default `yes`. + loglevel : int/str, optional + Log level of the message when an IP is (un)banned. + Default `DEBUG`. agent : str, optional User agent transmitted to server. Default `Fail2Ban/ver.` @@ -89,7 +91,7 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable return Request(url, headers={'User-Agent': self.agent}, **argv) def __init__(self, jail, name, category, score=3, age="24h", key=None, - banaction=None, bancategory=None, bankey=None, updateperiod=900, log="yes", agent="Fail2Ban", + banaction=None, bancategory=None, bankey=None, updateperiod=900, loglevel='DEBUG', agent="Fail2Ban", timeout=TIMEOUT): super(BadIPsAction, self).__init__(jail, name) @@ -102,7 +104,7 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable self.banaction = banaction self.bancategory = bancategory or category self.bankey = bankey - self.log = log + self.loglevel = str2LogLevel(loglevel) if isinstance(val, basestring) else loglevel self.updateperiod = updateperiod self._bannedips = set() @@ -293,10 +295,9 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG) else: self._bannedips.add(ip) - if self.log is "yes": - self._logSys.notice( - "Banned IP %s for jail '%s' with action '%s'", - ip, self._jail.name, self.banaction) + self._logSys.log(self.loglevel, + "Banned IP %s for jail '%s' with action '%s'", + ip, self._jail.name, self.banaction) def _unbanIPs(self, ips): for ip in ips: 
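Review bot: The new assignment `self.loglevel = str2LogLevel(loglevel) if isinstance(val, basestring) else loglevel` tests `val`, which is not a parameter of `__init__` and is not assigned in any visible line. As far as the hunk shows, constructing the action therefore raises `NameError` on Python 2 as well as Python 3. Patch 5/7 replaces the line, but this commit is not usable on its own; folding that change into this one would keep the series bisectable. `__init__` continues outside the hunk.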
@@ -314,10 +315,9 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable ip, self._jail.name, self.banaction, e, exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG) else: - if self.log is "yes": - self._logSys.notice( - "Unbanned IP %s for jail '%s' with action '%s'", - ip, self._jail.name, self.banaction) + self._logSys.log(self.loglevel, + "Unbanned IP %s for jail '%s' with action '%s'", + ip, self._jail.name, self.banaction) finally: self._bannedips.remove(ip) From 65676baf8c5eb3917269f99e6f8fb2fb8e422291 Mon Sep 17 00:00:00 2001 From: "Sergey G. Brester" Date: Tue, 2 Oct 2018 12:38:29 +0200 Subject: [PATCH 5/7] fixed py3 incompatibility (for some reasons this file seems to be excluded from 2to3), anyway not needed, because int-type is already checked in str2LogLevel --- config/action.d/badips.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/action.d/badips.py b/config/action.d/badips.py index 0d03f1d1..1ad711f4 100644 --- a/config/action.d/badips.py +++ b/config/action.d/badips.py @@ -104,7 +104,7 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable self.banaction = banaction self.bancategory = bancategory or category self.bankey = bankey - self.loglevel = str2LogLevel(loglevel) if isinstance(val, basestring) else loglevel + self.loglevel = str2LogLevel(loglevel) self.updateperiod = updateperiod self._bannedips = set() @@ -350,7 +350,7 @@ class BadIPsAction(ActionBase): # pragma: no cover - may be unavailable s = ips - self._bannedips p = len(s) self._banIPs(s) - self._logSys.info( + self._logSys.log(self.loglevel, "Updated IPs for jail '%s' (-%d/+%d). Update again in %i seconds", self._jail.name, m, p, self.updateperiod) finally: From aa565eb80ec6043317e8430cabcaf9c3f4e61578 Mon Sep 17 00:00:00 2001 
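Review bot: The `Updated IPs for jail ...` summary in `update` now goes through `self.loglevel`, but the `loglevel` docstring entry added in patch 4/7 describes the option only as the level of the message "when an IP is (un)banned". With the default `DEBUG` the summary, including the removed/added counts, is hidden unless the option is raised, and nothing tells the operator that the option covers it. I would extend the docstring entry to `Log level of the messages when an IP is (un)banned and of the periodic update summary.` The enclosing `update` method starts outside the hunk.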
From: sebres Date: Thu, 4 Oct 2018 11:26:22 +0200 Subject: [PATCH 6/7] release 0.10.4 - ten-four-on-due-date-ten-four --- ChangeLog | 2 +- fail2ban/version.py | 2 +- man/fail2ban-client.1 | 20 +++++++++----------- man/fail2ban-python.1 | 2 +- man/fail2ban-regex.1 | 5 ++++- man/fail2ban-server.1 | 11 +++-------- man/fail2ban-testcases.1 | 2 +- 7 files changed, 20 insertions(+), 24 deletions(-) diff --git a/ChangeLog b/ChangeLog index 30cffd14..02634e72 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,7 +31,7 @@ Incompatibility list (compared to v.0.9): IPv6-capable now. -ver. 0.10.4-dev-1 (20??/??/??) - development edition +ver. 0.10.4 (2018/10/04) - ten-four-on-due-date-ten-four ----------- ### Fixes diff --git a/fail2ban/version.py b/fail2ban/version.py index 2a515592..78a40761 100644 --- a/fail2ban/version.py +++ b/fail2ban/version.py @@ -24,7 +24,7 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko, Steven Hiscocks, Daniel Black" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2005-2016 Yaroslav Halchenko, 2013-2014 Steven Hiscocks, Daniel Black" __license__ = "GPL-v2+" -version = "0.10.4.dev1" +version = "0.10.4" def normVersion(): """ Returns fail2ban version in normalized machine-readable format""" diff --git a/man/fail2ban-client.1 b/man/fail2ban-client.1 index 6ed4ea4c..d11c4ee8 100644 --- a/man/fail2ban-client.1 +++ b/man/fail2ban-client.1 @@ -1,12 +1,12 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4. -.TH FAIL2BAN-CLIENT "1" "April 2018" "fail2ban-client v0.10.4.dev1" "User Commands" +.TH FAIL2BAN-CLIENT "1" "October 2018" "fail2ban-client v0.10.4" "User Commands" .SH NAME fail2ban-client \- configure and control the server .SH SYNOPSIS .B fail2ban-client [\fI\,OPTIONS\/\fR] \fI\,\/\fR .SH DESCRIPTION -Fail2Ban v0.10.4.dev1 reads log file that contains password failure report +Fail2Ban v0.10.4 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. .SH OPTIONS .TP 
@@ -67,7 +67,7 @@ convert time abbreviation format to seconds display this help message .TP \fB\-V\fR, \fB\-\-version\fR -print the version +print the version (\fB\-V\fR returns machine\-readable short format) .SH COMMAND .IP BASIC @@ -210,6 +210,12 @@ adds to the ignore list of removes from the ignore list of .TP +\fBset ignorecommand \fR +sets ignorecommand of +.TP +\fBset ignorecache \fR +sets ignorecache of +.TP \fBset addlogpath ['tail']\fR adds to the monitoring list of , optionally starting at @@ -241,9 +247,6 @@ for removes the regular expression at for failregex .TP -\fBset ignorecommand \fR -sets ignorecommand of -.TP \fBset addignoreregex \fR adds the regular expression which should match pattern @@ -438,11 +441,6 @@ the action for \fI/etc/fail2ban/*\fR .SH "REPORTING BUGS" Report bugs to https://github.com/fail2ban/fail2ban/issues -.SH COPYRIGHT -Copyright \(co 2004\-2008 Cyril Jaquier, 2008\- Fail2Ban Contributors -.br -Copyright of modifications held by their respective authors. -Licensed under the GNU General Public License v2 (GPL). .SH "SEE ALSO" .br fail2ban-server(1) diff --git a/man/fail2ban-python.1 b/man/fail2ban-python.1 index 9880726e..137bc5c6 100644 --- a/man/fail2ban-python.1 +++ b/man/fail2ban-python.1 @@ -1,5 +1,5 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4. -.TH FAIL2BAN-PYTHON "1" "April 2018" "fail2ban-python f2bversion" "User Commands" +.TH FAIL2BAN-PYTHON "1" "October 2018" "fail2ban-python f2bversion" "User Commands" .SH NAME fail2ban-python \- a helper for Fail2Ban to assure that the same Python is used .SH DESCRIPTION diff --git a/man/fail2ban-regex.1 b/man/fail2ban-regex.1 index ebc9fa4c..0ef8056e 100644 --- a/man/fail2ban-regex.1 +++ b/man/fail2ban-regex.1 
@@ -1,5 +1,5 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4. -.TH FAIL2BAN-REGEX "1" "April 2018" "fail2ban-regex 0.10.4.dev1" "User Commands" +.TH FAIL2BAN-REGEX "1" "October 2018" "fail2ban-regex 0.10.4" "User Commands" .SH NAME fail2ban-regex \- test Fail2ban "failregex" option .SH SYNOPSIS @@ -72,6 +72,9 @@ journalctl style matches overriding filter file. \fB\-l\fR LOG_LEVEL, \fB\-\-log\-level\fR=\fI\,LOG_LEVEL\/\fR Log level for the Fail2Ban logger to use .TP +\fB\-V\fR +get version in machine\-readable short format +.TP \fB\-v\fR, \fB\-\-verbose\fR Increase verbosity .TP diff --git a/man/fail2ban-server.1 b/man/fail2ban-server.1 index 075fb378..6390c991 100644 --- a/man/fail2ban-server.1 +++ b/man/fail2ban-server.1 @@ -1,12 +1,12 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4. -.TH FAIL2BAN-SERVER "1" "April 2018" "fail2ban-server v0.10.4.dev1" "User Commands" +.TH FAIL2BAN-SERVER "1" "October 2018" "fail2ban-server v0.10.4" "User Commands" .SH NAME fail2ban-server \- start the server .SH SYNOPSIS .B fail2ban-server [\fI\,OPTIONS\/\fR] .SH DESCRIPTION -Fail2Ban v0.10.4.dev1 reads log file that contains password failure report +Fail2Ban v0.10.4 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. .SH OPTIONS .TP @@ -67,14 +67,9 @@ convert time abbreviation format to seconds display this help message .TP \fB\-V\fR, \fB\-\-version\fR -print the version +print the version (\fB\-V\fR returns machine\-readable short format) .SH "REPORTING BUGS" Report bugs to https://github.com/fail2ban/fail2ban/issues -.SH COPYRIGHT -Copyright \(co 2004\-2008 Cyril Jaquier, 2008\- Fail2Ban Contributors -.br -Copyright of modifications held by their respective authors. -Licensed under the GNU General Public License v2 (GPL). .SH "SEE ALSO" .br fail2ban-client(1) diff --git a/man/fail2ban-testcases.1 b/man/fail2ban-testcases.1 index 56abc600..95a3604c 100644 
--- a/man/fail2ban-testcases.1 +++ b/man/fail2ban-testcases.1 @@ -1,5 +1,5 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4. -.TH FAIL2BAN-TESTCASES "1" "April 2018" "fail2ban-testcases 0.10.4.dev1" "User Commands" +.TH FAIL2BAN-TESTCASES "1" "October 2018" "fail2ban-testcases 0.10.4" "User Commands" .SH NAME fail2ban-testcases \- run Fail2Ban unit-tests .SH SYNOPSIS From 0ae02ba2a1d7ab842278a8bb8d5f5481c8d04bf5 Mon Sep 17 00:00:00 2001 From: sebres Date: Thu, 4 Oct 2018 11:57:56 +0200 Subject: [PATCH 7/7] version bump (back to dev-version) --- ChangeLog | 10 ++++++++++ fail2ban/version.py | 2 +- man/fail2ban-client.1 | 4 ++-- man/fail2ban-regex.1 | 2 +- man/fail2ban-server.1 | 4 ++-- man/fail2ban-testcases.1 | 2 +- 6 files changed, 17 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 02634e72..0cda45fa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -31,6 +31,16 @@ Incompatibility list (compared to v.0.9): IPv6-capable now. +ver. 0.10.5-dev-1 (20??/??/??) - development edition +----------- + +### Fixes + +### New Features + +### Enhancements + + ver. 0.10.4 (2018/10/04) - ten-four-on-due-date-ten-four ----------- diff --git a/fail2ban/version.py b/fail2ban/version.py index 78a40761..42adf49b 100644 --- a/fail2ban/version.py +++ b/fail2ban/version.py @@ -24,7 +24,7 @@ __author__ = "Cyril Jaquier, Yaroslav Halchenko, Steven Hiscocks, Daniel Black" __copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2005-2016 Yaroslav Halchenko, 2013-2014 Steven Hiscocks, Daniel Black" __license__ = "GPL-v2+" -version = "0.10.4" +version = "0.10.5.dev1" def normVersion(): """ Returns fail2ban version in normalized machine-readable format""" diff --git a/man/fail2ban-client.1 b/man/fail2ban-client.1 index d11c4ee8..a2d8d999 100644 --- a/man/fail2ban-client.1 +++ b/man/fail2ban-client.1 
@@ -1,12 +1,12 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4. -.TH FAIL2BAN-CLIENT "1" "October 2018" "fail2ban-client v0.10.4" "User Commands" +.TH FAIL2BAN-CLIENT "1" "October 2018" "fail2ban-client v0.10.5.dev1" "User Commands" .SH NAME fail2ban-client \- configure and control the server .SH SYNOPSIS .B fail2ban-client [\fI\,OPTIONS\/\fR] \fI\,\/\fR .SH DESCRIPTION -Fail2Ban v0.10.4 reads log file that contains password failure report +Fail2Ban v0.10.5.dev1 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. .SH OPTIONS .TP diff --git a/man/fail2ban-regex.1 b/man/fail2ban-regex.1 index 0ef8056e..fe7d37ab 100644 --- a/man/fail2ban-regex.1 +++ b/man/fail2ban-regex.1 @@ -1,5 +1,5 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4. -.TH FAIL2BAN-REGEX "1" "October 2018" "fail2ban-regex 0.10.4" "User Commands" +.TH FAIL2BAN-REGEX "1" "October 2018" "fail2ban-regex 0.10.5.dev1" "User Commands" .SH NAME fail2ban-regex \- test Fail2ban "failregex" option .SH SYNOPSIS diff --git a/man/fail2ban-server.1 b/man/fail2ban-server.1 index 6390c991..098c3eac 100644 --- a/man/fail2ban-server.1 +++ b/man/fail2ban-server.1 @@ -1,12 +1,12 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4. -.TH FAIL2BAN-SERVER "1" "October 2018" "fail2ban-server v0.10.4" "User Commands" +.TH FAIL2BAN-SERVER "1" "October 2018" "fail2ban-server v0.10.5.dev1" "User Commands" .SH NAME fail2ban-server \- start the server .SH SYNOPSIS .B fail2ban-server [\fI\,OPTIONS\/\fR] .SH DESCRIPTION -Fail2Ban v0.10.4 reads log file that contains password failure report +Fail2Ban v0.10.5.dev1 reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. .SH OPTIONS .TP diff --git a/man/fail2ban-testcases.1 b/man/fail2ban-testcases.1 index 95a3604c..c61d4b3f 100644 --- a/man/fail2ban-testcases.1 +++ b/man/fail2ban-testcases.1 
@@ -1,5 +1,5 @@ .\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.47.4. -.TH FAIL2BAN-TESTCASES "1" "October 2018" "fail2ban-testcases 0.10.4" "User Commands" +.TH FAIL2BAN-TESTCASES "1" "October 2018" "fail2ban-testcases 0.10.5.dev1" "User Commands" .SH NAME fail2ban-testcases \- run Fail2Ban unit-tests .SH SYNOPSIS