github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity
5,521 Commits
34 Branches
229 Tags
21 MiB
Commit Graph

5521 Commits (467024797f07f2c488d12cafd8fd84f079a310a9)

Author SHA1 Message Date
Michael Orlitzky 654fda8a50 files/fail2ban-openrc*: let start-stop-daemon manage the server. 
There are two ways that it would make sense to write the OpenRC
service script for fail2ban:

  1. Use the fail2ban-client program to stop, start, reload, etc. the
     server; and try to figure out whether or not it worked afterwards.

  2. Use the start-stop-daemon program built into OpenRC to manage the
     fail2ban-server process. This works only for starting and stopping,
     because the "reload" command is sent over an undocumented protocol,
     but has the benefit that you get immediate feedback about the result
     of calling fail2ban-server.

The existing service script combined the two in a way that appeared to
work, but didn't make too much sense. It used start-stop-daemon to
initiate the fail2ban-client program with either a "start" or "stop"
argument. So long as everything goes fine, that appears to work. But
the start-stop-daemon is not actually monitoring the fail2ban-client
program; it's supposed to be monitoring the fail2ban-server process
that gets started as side-effect.

The existing stop() function does not do quite what you'd expect; for
example the "stop" command is never sent. Again, the daemon does
ultimately get stopped so long as the hard-coded PID file contains
what you think it does -- so it "works" -- but is misleading.

This commit changes everything to use the second approach above, where
start-stop-daemon manages everything. This was done mainly to simplify
the service script, because now the default start() and stop() phases
can be used, allowing us to delete them from our copy. One might worry
that there is some special magic behind "fail2ban-client start" and
"fail2ban-client stop", however that does not appear to be the
case. Admittedly, if in the future those two commands begin to do
something nonstandard, the service script would need to be changed
again to take the first approach above and use fail2ban-client for
everything.
 2021-05-14 07:38:00 -04:00
Michael Orlitzky 80b1007a8f files/fail2ban-openrc.init: remove the "showlog" command. 
The extra "showlog" command in our OpenRC service script was more
trouble than it was worth: the only thing it did was call "less" on a
log file, and the service script is only guessing at the location of
the log file (only the fail2ban server knows its true location).

It's not like "/etc/init.d/fail2ban showlog" is that much easier to type
than "less /var/log/fail2ban.log" in the first place, so I think the
extra complexity (5 more lines in the service script) is not worth it.
 2021-05-14 07:37:56 -04:00
sebres 3e1aa03037 Merge branch '0.10' into 0.11 2021-05-07 01:46:46 +02:00
sebres ef5c826c74 fixes search for the best datepattern (gh-3020) - e. g. if line is too short, boundaries check for previously known unprecise pattern may fail on incomplete lines (logging break-off, no flush, etc) 2021-05-07 01:18:54 +02:00
sebres 2918849f9e fixes precise year pattern %ExY - accept years 20xx up to current century (using almost the same pattern in tests and production now) 2021-05-07 01:10:26 +02:00
sebres b5b615731e Merge branch '0.10' into 0.11 2021-04-27 14:03:49 +02:00
sebres 319cfefac2 fix travis build (unsupported pythons and pypy versions), update 3.10 in GH actions 2021-04-27 13:41:57 +02:00
sebres d3f5d2d52b documentation (interpolation tags) 2021-04-21 11:50:07 +02:00
sebres f0214b3d36 filter.d/sendmail-reject.conf: fixed regex to consider "Connection rate limit exceeded" with different combination of arguments 2021-04-20 18:13:40 +02:00
Sergey G. Brester d74dd9321b
Merge pull request #2565 from caronc/0.11 
Add Apprise Support (50+ Notifications)
 2021-04-04 00:24:21 +02:00
Sergey G. Brester b2f6a3a658
remove unneeded substitution 
it is enough to add `apprise` to action
 2021-04-04 00:21:59 +02:00
sebres 6cf4669dee Merge branch '0.10' into 0.11 2021-03-24 14:18:22 +01:00
sebres d135aeea16 fixes restore of original logging withing tests (`LogCaptureTestCase.tearDown`) - python 3 seemed still to log wordy after tear down (setting of log.level does not restore the level for related log objects - e. g. for logger of `fail2ban.jail` etc, so `fail2ban-testcases '(testVersion|testLongName).*servertest'` generating messages in stdout handler in testLongName) 2021-03-24 14:14:47 +01:00
sebres 8757563be1 close fork 2021-03-23 14:20:10 +01:00
sebres 061fab898a Merge branch '0.10' into 0.11 2021-03-22 00:58:03 +01:00
sebres e587526ede tests: add missing constraint (causing incomplete comparison in below cycle if fewer lines as expected was found) 2021-03-22 00:56:40 +01:00
sebres 3eaefe8da0 Merge branch '0.10' into 0.11 2021-03-03 18:16:47 +01:00
sebres 04aba6168c fixed typo, `--` is not expected in options declaration, so `--dump-pretty` did never work (only `--dp` is working) 2021-03-03 13:02:00 +01:00
sebres a45b1c974c filter.d/ignorecommands/apache-fakegooglebot: added timeout parameter (default 55 seconds) - avoid fail with timeout (default 1 minute) by reverse lookup on some slow DNS services (googlebots must be resolved fast); 
closes gh-2951
 2021-03-02 19:35:27 +01:00
sebres 63acc862b1 `action.d/nginx-block-map.conf`: reload nginx only if it is running (also avoid error in nginx-errorlog, gh-2949) and better test coverage for the action 2021-02-24 18:21:42 +01:00
sebres fb6315ea5e Merge branch '0.10' into 0.11 2021-02-24 13:16:36 +01:00
sebres 6f4b6ec8cc action.d/badips.* removed (badips.com is no longer active, gh-2889) 2021-02-24 13:05:04 +01:00
sebres e3d43d1241 Merge branch 'fix-rc-on-too-many-failures' into 0.10: resolves RC with uncontrolled growth of failure list (jail with too many matches that did not cause ban, gh-2945) 2021-02-24 12:45:15 +01:00
sebres 92a2242174 amend fixing journal tests (systemd backend only) 2021-02-23 15:54:48 +01:00
sebres e353fb8024 fixed test cases (ban ASAP also followed in test suite now, so failure reached maxretry causes immediate ban now) 2021-02-23 02:46:44 +01:00
sebres 55d7d9e214 *WiP* try to solve RC on jails with too many failures without ban, gh-2945 ... 2021-02-22 18:39:58 +01:00
sebres a0352182e8 Merge branch '0.10' into 0.11 2021-02-17 18:57:38 +01:00
sebres 294ec73f62 Merge branch 'py-3-10-alpha-5' into 0.10 2021-02-17 18:49:06 +01:00
Sergey G. Brester 9f1d1f4fbd amend for `Mapping` (jails) 2021-02-17 18:47:42 +01:00
Sergey G. Brester 42dee38ad2 amend for `Mapping` 2021-02-17 18:47:40 +01:00
Sergey G. Brester 2b6bb2c1be follow bpo-37324: :ref:`collections-abstract-base-classes` moved to the :mod:`collections.abc` module 
(since 3.10-alpha.5 `MutableMapping` is missing in collections module)
 2021-02-17 18:47:38 +01:00
Sergey G. Brester 8ae9208454 try to provide coverage for 3.10-alpha.5 (#2931) 2021-02-17 18:47:32 +01:00
sebres 6198b4566c Merge branch '0.10' into 0.11 2021-02-03 14:47:56 +01:00
sebres 366c64cb9d extractOptions: ensure options are parsed completely - avoids unexpected skip or truncate of parameters, produces more verbose error message in case of incorrect syntax; added more tests covering several cases 
WARN: potential incompatibility (since it doesn't silently ignore wrong syntax anymore)
 2021-02-03 14:45:30 +01:00
sebres c75748c5d3 fail2ban.conf: added new fail2ban configuration option "allowipv6" (default auto), can be used to allow or disallow IPv6 interface in fail2ban immediately by start (e. g. if fail2ban starts before network interfaces). 
closes gh-2804
 2021-01-27 17:06:14 +01:00
sebres 3700a9e523 invalidate IP/DNS caches by reload, so inter alia would allow to recognize IPv6IsAllowed immediately, previously retarded up to cache max-time (5m); 
closes gh-2804
 2021-01-26 20:35:14 +01:00
sebres dbc77c47c3 Merge branch '0.10' into 0.11 2021-01-21 19:11:01 +01:00
sebres 913c37db80 more fixes and optimizations, better RE's for patterns, allow parse date without time with such a datepattern (assume 00:00:00 then), etc 2021-01-21 19:00:56 +01:00
sebres 0f44a3408a amend to 747d4683221b5584f9663695fb48145689b42ceb: 
fail2ban-regex: loosen up date patterns %ExY, %Exy - let accept every year from 19xx up to current century (+3 years)
 2021-01-21 19:00:53 +01:00
Sergey G. Brester 164105fab1
added new parameter `namespace` for systemd backend 
closes gh-2910
 2021-01-16 17:10:12 +01:00
Sergey G. Brester 5f3f4d1e2f
action.d/cloudflare.conf: better IPv6 capability 
closes gh-2891
 2021-01-11 15:23:40 +01:00
sebres 9df332fdef filter.d/apache-overflows.conf: extended to match AH00126 error (Invalid URI ...); 
closes gh-2908
 2021-01-11 15:10:53 +01:00
sebres f259dac747 Merge branch '0.10' into 0.11 2021-01-04 02:48:49 +01:00
sebres 747d468322 fixes century selector of %ExY and %Exy in datepattern for tests, considering interval from 2005 (alternate now) to now; + better grouping algorithm for resulting century RE 2021-01-04 02:45:16 +01:00
sebres fe334590cd Merge branch '0.10' into 0.11 2020-12-29 21:25:09 +01:00
sebres 73b39e0894 filter.d/named-refused.conf: fixes prefix for messages from systemd journal (no mandatory space ahead, because don't have timestamp) 
closes gh-2899
 2020-12-29 21:22:47 +01:00
sebres 567039f261 Merge branch '0.10' into 0.11 2020-12-22 20:40:52 +01:00
sebres 27e435a7f5 fix cymru test cases 2020-12-22 20:36:01 +01:00
sebres eea1881b73 release 0.11.2 -- heal-the-world-with-security-tools 2020-11-23 21:43:03 +01:00
sebres b78d1e439a Merge branch '0.10' into 0.11 2020-11-23 21:35:32 +01:00