Commit Graph

544 Commits (fix-pythonic-build-install)

Author SHA1 Message Date
sebres c7a86b4616 action.d/firewallcmd-ipset.conf: amend to #2620:
- combines actions `firewallcmd-ipset` and `firewallcmd-ipset-native` (parameter `ipsettype=firewalld`);
- IPv6-capability for firewalld ipset;
- no internal timeout handling by default;
- no permanent rules yet
2021-05-29 22:59:55 +02:00
Sergey G. Brester 2a508da5a0
Merge pull request #2620 from mspolitaev/master
Using native firewalld ipset implementation
2021-05-29 21:30:55 +02:00
usernamepi 4f8427178a
Missing comment "#" (#3022)
Missed this ... but the logs showed it.
2021-05-07 18:23:40 +02:00
usernamepi 88f779ed24
ufw.conf, amend to #3018 - add missing option for comment (#3019) 2021-05-06 23:23:39 +02:00
Sergey G. Brester 8f6a8df3a4
added new options `kill-mode` and `kill`, which makes the drop of all connections optional 2021-05-06 21:47:06 +02:00
Sergey G. Brester 5debaa4cac
option "add", can be set to "insert <num>" instead of prepend (customization or backwards compat) 2021-05-06 20:23:58 +02:00
usernamepi e4e7a83cff
Update ufw.conf
Prerequisites:
* The ss command is available, kernel is compiled with option CONFIG_INET_DIAG_DESTROY.
* Ufw version is => 0.36 (released in 2018)

* Now using "prepend" instead of "insert" to be able to handle IPv6 addresses correctly. The current action will fail for IPv6 addresses.
* Now application names containing a space should handled correctly, solves https://github.com/fail2ban/fail2ban/pull/1532
* Now closing IPv4 and IPv6 connections (if any) from the ip that is being banned. The current action will leave them open.
   Using ss to accomplish this. For this to work the kernel needs to be compiled with the CONFIG_INET_DIAG_DESTROY option.
   My system apparently is compiled that way.
2021-05-06 13:44:36 +02:00
Sergey G. Brester d74dd9321b
Merge pull request #2565 from caronc/0.11
Add Apprise Support (50+ Notifications)
2021-04-04 00:24:21 +02:00
sebres 3eaefe8da0 Merge branch '0.10' into 0.11 2021-03-03 18:16:47 +01:00
sebres 63acc862b1 `action.d/nginx-block-map.conf`: reload nginx only if it is running (also avoid error in nginx-errorlog, gh-2949) and better test coverage for the action 2021-02-24 18:21:42 +01:00
sebres fb6315ea5e Merge branch '0.10' into 0.11 2021-02-24 13:16:36 +01:00
sebres 6f4b6ec8cc action.d/badips.* removed (badips.com is no longer active, gh-2889) 2021-02-24 13:05:04 +01:00
sebres dbc77c47c3 Merge branch '0.10' into 0.11 2021-01-21 19:11:01 +01:00
Sergey G. Brester 5f3f4d1e2f
action.d/cloudflare.conf: better IPv6 capability
closes gh-2891
2021-01-11 15:23:40 +01:00
sebres 6ef69b48ca Merge branch '0.10' into 0.11 2020-11-05 16:12:31 +01:00
sebres 2817a8144c `action.d/bsd-ipfw.conf`: small amend (gh-2836) simplifying awk condition/code (position starts from `<lowest_rule_num>` and increases whilst used) 2020-09-29 13:33:40 +02:00
sebres 1418bcdf5b `action.d/bsd-ipfw.conf`: fixed selection of rule-no by large list or initial `lowest_rule_num`, exit code can't be larger than 255 (gh-2836) 2020-09-29 12:35:49 +02:00
sebres d253e60a8b Merge branch '0.10' into 0.11 2020-09-23 19:39:50 +02:00
Sergey G. Brester d977d81ef7
action.d/abuseipdb.conf: removed broken link, simplified usage example, fixed typos 2020-09-17 12:39:08 +02:00
sebres 74b73bce8a Merge branch '0.10' into 0.11 2020-09-04 13:09:47 +02:00
sebres a038fd5dfe `action.d/firewallcmd-*.conf` (multiport only): fixed port range selector, replacing `:` with `-`;
small optimizations on `firewallcmd-rich-rules.conf` and `firewallcmd-rich-logging.conf` simplifying both and provide a dependency (rich-logging is a derivative of rich-rules);
closes gh-2821
2020-09-03 16:41:23 +02:00
Sergey G. Brester 70c601e9e5
involve config parameter (replaces hard-coded path); fixed typo in actionban (looks like copy&paste from trimmed tty) 2020-09-02 20:47:05 +02:00
Chris Caron 2216fd8da4 Add Apprise Support (50+ Notifications) 2020-08-04 19:04:05 -04:00
sebres 067b76fc9e Merge branch '0.10' into 0.11 2020-08-04 15:40:59 +02:00
sebres 9100d07c03 Merge branch '0.10-ipset-tout' into 0.10, amend to #2703: resolves names conflict (command action timeout and ipset timeout); closes #2790 2020-08-04 13:53:21 +02:00
sebres 73a8175bb0 resolves names conflict (command action timeout and ipset timeout); closes gh-2790 2020-08-04 13:22:02 +02:00
sebres 309c8dddd7 action.d/nftables.conf (type=multiport only): fixed port range selector (replacing `:` with `-`) 2020-06-24 19:20:36 +02:00
sebres 1588200274 Merge branch '0.10' into 0.11 2020-05-25 18:58:05 +02:00
Sergey G. Brester 01e92ce4a6 added fallback using tr and sed (jq is optional now) 2020-04-27 19:26:46 +02:00
Sergey G. Brester 1c1b671c74 Update cloudflare.conf 2020-04-27 19:26:44 +02:00
Sergey G. Brester 5b8fc3b51a cloudflare: fixes ip to id conversion by unban using jq
normalized URIs and parameters, notes gets a jail-name (should be possible to differentiate the same IP across several jails)
2020-04-27 19:26:43 +02:00
Viktor Szépe 852670bc99 CloudFlare started to indent their API responses
We need to use https://github.com/stedolan/jq to parse it.
2020-04-27 19:26:39 +02:00
Ilya 8b3b9addd1 Change tool from 'cut' to 'sed'
Sed regex was tested - it works.
2020-04-27 19:12:36 +02:00
Ilya 5da2422f61 Fix actionunban
Add command to remove new line character. Needed for working removing rule from cloudflare firewall.
2020-04-27 19:12:35 +02:00
sebres 87a1a2f1a1 action.d/*-ipset*.conf: several ipset actions fixed (no timeout per default anymore), so no discrepancy between ipset and fail2ban (removal from ipset will be managed by fail2ban only) 2020-04-25 14:52:38 +02:00
sebres ceeba99f25 replace internals of several iptables-ipset actions using internals of iptables include:
- better check mechanism (using `-C`, option `--check` is available long time);
- additionally iptables-ipset is a common action for iptables-ipset-proto6-* now (which become obsolete now);
- many features of different iptables actions are combinable as single chain/rule (can be supplied to action as parameters);
- tests adjusted.
2020-02-14 12:16:26 +01:00
sebres d26209e2c6 first attempt to make certain standard actions breakdown safe starting with iptables:
- better check mechanism (using `-C`, option `--check` is available long time);
- additionally iptables is a replacement for iptables-common now, several actions using this as include now become obsolete;
- many features of different iptables actions are combinable as single chain/rule (can be supplied to action as parameters);
2020-02-14 12:16:25 +01:00
Mihail Politaev 303861d7c7
Using native firewalld ipset implementation
By creating additional action file firewallcmd-ipset-native.conf
2020-01-30 21:17:32 +02:00
sebres 70e47c9621 Merge branch '0.10' into 0.11 2020-01-14 11:44:35 +01:00
sebres ec37b1942c action.d/nginx-block-map.conf: fixed backslash substitution (different echo behavior in some shells, gh-2596) 2020-01-14 11:39:13 +01:00
sebres 3515d06979 Merge branch '0.10' into 0.11 2019-10-18 19:19:21 +02:00
sebres 85ec605358 nftables: amend to gh-2254 - implemented shutdown of action (proper clean-up) - at stop it checks now the last set was deleted and removes table completely (if table does not contain any set);
this is avoided if some sets were added manually or can be avoided via overwriting of parameter `_nft_shutdown_table`, for example:
banaction = nftables[_nft_shutdown_table=''][...]
2019-10-18 19:01:16 +02:00
sebres 51af193402 nftables: add options allowing to specify own table (default `f2b-table`) and chain (default `f2b-chain`) 2019-10-18 18:54:02 +02:00
sebres 955d690e56 regrouping expressions with curly braces, added more escapes (better handling in posix shell) 2019-10-18 18:34:48 +02:00
sebres 0824ad0d73 Merge branch '0.10' into 0.11 2019-10-18 12:04:38 +02:00
sebres 8ea00c1d5d fixed mistake in config (semicolon after space as comment in configs?) and coverage, suppress errors by unsupported flush, better space handling in helper _nft_get_handle_id, etc 2019-09-25 13:47:29 +02:00
sebres 492205d30e action.d/nftables.conf: implemented `actionflush` (allows flushing nftables sets resp. fast unban of all jail tickets at all) 2019-09-24 20:00:29 +02:00
sebres abc4d9fe37 allow to use multiple protocols in multiport (single set with multiple rules in chain):
`banaction = nftables[type=multiport]` with `protocol="tcp,udp,sctp"` in jail replace 3 separate actions.
more robust if deleting multiple references to set (rules in chain)
2019-09-24 19:44:59 +02:00
sebres c753ffb11d combine nftables actions to single action:
- nftables-common is removed
- nftables-allports  is obsolete, replaced by nftables[type=allports]
- nftables-multiport is obsolete, replaced by nftables[type=multiport]
2019-09-24 18:53:38 +02:00
sebres c59d49da22 nftables-allports: support multiple protocols in single rule;
tests/servertestcase.py: added coverage for nftables actions
2019-09-24 18:46:41 +02:00
Ririsoft dde51b4682 fix actionban/unban ip definition syntax 2019-09-24 13:01:14 +02:00
Monson Shao 1cda50ce05 Rewrite nftables variables based on nftables' logic.
Add an example for redirecting.
2019-09-24 13:01:13 +02:00
sebres 581f13c2db Merge branch '0.10' into 0.11 2019-07-22 19:07:15 +02:00
Sergey G. Brester 846b3316db
amend, remove NL 2019-06-29 12:04:02 +02:00
Sergey G. Brester 4ae00485b0
revert acktionban back, use norestored option 2019-06-29 12:03:01 +02:00
Noel Kuntze 9327218843
Improved blocklist_de action to not resend bans that were already reported 2019-06-29 01:39:38 +02:00
benrubson 8b171f7d25 Badips key is only used to retrieve list 2019-06-26 18:34:20 +02:00
sebres 80f97eaf02 Merge branch '0.10' into 0.11 2019-06-26 17:29:08 +02:00
sebres e751be2c13 normalize, simplify and fix several mail actions (mail and sendmail actions are more similar now, sendmail is configurable via parameter `mailcmd`, etc);
added test covering sendmail-whois-lines
2019-06-15 23:14:41 +02:00
sebres 2e7a600851 Merge branch '0.10' into 0.11 2019-06-12 11:44:05 +02:00
sebres 22b9304562 action.d/badips.py: fix start of banaction on demand (which may be IP-family related), supplied action info with ticket instead of simulating it with dict;
(closes gh-2390)
2019-06-12 11:23:52 +02:00
sebres 3d4044084a Merge branch '0.10' into 0.11 2019-06-07 14:48:10 +02:00
Sergey G. Brester 7dbd3a07eb cut comment to limit documented on abuseipdb, additionally use curl in quiet mode 2019-06-07 14:39:55 +02:00
Carlos Ferreira 7b73cb7639 Switch to AbuseIPDB API v2 2019-06-07 14:39:52 +02:00
sebres ca85ddc866 Merge branch '0.10' into 0.11 2019-05-10 16:23:50 +02:00
sebres d8d71c5a22 action.d/helpers-common.conf: grep arguments are rewritten - using options `-wF` to match only whole words and fixed string (not as pattern) 2019-05-10 16:17:13 +02:00
chtheis fa727586ff Fix grep pattern to deal with Apache's error log
Apache's error log appends the port to the IP address, other logs don't.
2019-05-10 16:04:27 +02:00
sebres 74eac6c94f Merge branch '0.10' into 0.11 2019-05-02 15:28:44 +02:00
sebres 23d2281e57 action.d/nginx-block-map.conf: small fix with better RE-rule for removal of ID (token/session) via sed (anchored now) 2019-05-02 15:22:45 +02:00
Sergey G. Brester b318eb7e33
closes gh-2408: prevent execution of action `abuseipdb` for restored tickets 2019-04-29 10:45:37 +02:00
sebres 17a4f81e23 Merge branch '0.10' into 0.11 2019-03-27 13:46:56 +01:00
sebres e8401a7e65 action.d/xarf-login-attack.conf: fixes gh-2372, correction for split of addresses, interpolation is shell-independent now, etc;
extended with option `boundary`, additionally dynamic boundary part is used (is not so predictable as it was previously);
2019-03-16 00:05:06 +01:00
sebres 324f0ed7cc Merge branch '0.10' into 0.11 2019-03-01 12:36:07 +01:00
sebres 5126068099 loglevel and shortloglevel combined to single parameter loglevel, below an example logging summary with NOTICE and rest with DEBUG log-levels:
action = badips.py[... , loglevel="debug, notice"]
2019-02-22 14:05:19 +01:00
benrubson 689938ee99 Add a shortloglevel badips.py option 2019-02-22 13:32:46 +01:00
sebres a3b7a0525a Merge branch '0.10' into 0.11 2019-02-22 13:22:52 +01:00
sebres 140243328f coverage: try to avoid sporadic "coverage decreased" in CI 2019-02-22 13:20:40 +01:00
todgru 39ed016a1e fix: correct spelling category 2019-01-14 22:08:38 -08:00
sebres b49c1ab4b3 Merge branch '0.10' into 0.11 2018-11-21 13:06:44 +01:00
sebres 555b29e8e6 Merge remote-tracking branch 'remotes/gh-upstream/master' into 0.10 2018-11-21 13:05:42 +01:00
dienteperro 0df221b54b
"be" instead of "me" in shorewall.conf 2018-11-15 14:34:51 -05:00
sebres f9f7e29295 Merge branch '0.10' into 0.11 (version bump after r.0.10.4) 2018-10-04 13:08:25 +02:00
Sergey G. Brester 1752c19b6f
Merge pull request #2205 from benrubson/patch-1
Add loglevel option to badips.py
2018-10-02 13:12:03 +02:00
Sergey G. Brester 65676baf8c fixed py3 incompatibility (for some reasons this file seems to be excluded from 2to3), anyway not needed, because int-type is already checked in str2LogLevel 2018-10-02 13:00:20 +02:00
Sergey G. Brester 4b751c84c3
badips.py: Rewrite new bool option "log" as "loglevel" and revert default to log-level (DEBUG). 2018-10-02 12:32:15 +02:00
sebres 8a0c06ba9e Merge branch '0.10' into 0.11 2018-09-14 11:01:40 +02:00
sebres d01fe9d22a action.d/*.conf: correct comments for actionstart/actionstop 2018-09-12 16:01:57 +02:00
Ben RUBSON 9d7c0e00c1
Also log number of IPs removed/added 2018-09-08 09:28:42 +02:00
Ben RUBSON 70e53b55c5
Typo 2018-08-19 22:39:18 +02:00
Ben RUBSON ec4c4b12c1
Add yes/no log option to badips.py 2018-08-19 22:35:09 +02:00
sebres 9de1657aab Merge branch '0.10' into 0.11 2018-07-06 11:43:56 +02:00
sebres 6ce67a6d21 coverage 2018-07-05 16:27:36 +02:00
sebres 0eaa0ecd86 Merge branch '0.10' into 0.11 2018-06-14 12:36:22 +02:00
sebres 8cbe1e6b13 Merge pull request #2155 2018-06-14 12:35:57 +02:00
cheese1 43db4411de small typo 2018-06-14 12:35:04 +02:00
sebres 0d40dd42b1 Merge branch '0.10' into 0.11 2018-04-26 13:43:15 +02:00
sebres bba7a6c5cf amend to (gh-2067) / b34ae5999e0d8ee1af8939527305c13152844b3d: fix parameter in config (dynamic parameters stating with '_' are protected and don't allowed in command-actions);
the interpolation of hostsdeny is test-covered now;
closes gh-2114.
2018-04-17 18:59:24 +02:00
sebres 0707695146 Merge branch '0.10' into 0.11, version bump
# Conflicts resolved:
#	fail2ban/server/database.py
2018-04-05 12:58:11 +02:00
sebres 8069eef50c badips: try to fix sporadic test errors if badips-server timed out resp. not available (502 bad gateway or similar). 2018-04-05 12:31:29 +02:00
sebres 1fdad90b4d Merge branch '0.10' into 0.11 2018-04-04 16:49:57 +02:00