This avoids duplication of code across fail2ban-regex and samples test
cases. This also now more neatly resolves the issue of double counting
date templates matches in fail2ban-regex.
In addition, the samples test cases now also print a warning message
that not all regexs have samples for them, with future plan to change
this to an assertion.
IMHO there is no good reason to capture only gaierror.
on my network it was consistent to error out with
======================================================================
ERROR: testIgnoreIPNOK (testcases.filtertestcase.IgnoreIP)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/yoh/deb/gits/fail2ban/testcases/filtertestcase.py", line 166, in testIgnoreIPNOK
self.assertFalse(self.filter.inIgnoreIPList(ip))
File "/home/yoh/deb/gits/fail2ban/server/filter.py", line 277, in inIgnoreIPList
ips = DNSUtils.dnsToIp(i)
File "/home/yoh/deb/gits/fail2ban/server/filter.py", line 625, in dnsToIp
return socket.gethostbyname_ex(dns)[2]
error: [Errno 11] Resource temporarily unavailable
with this commit tests would pass normally as they should
Previous code would store md5sum of an empty line as the one
identifying the monitored file. That file then was read and possibly
failures were found. Upon next "container.open()", md5 digest of now
present first line was compared against previous digest of an empty
line, which was different, thus file was assumed to be rotated and all
the log lines were read once again.
The History
-----------
In rare cases various tests failed somewhat consistently. Below you
can find one case in test_move_file where such failure really made no
sense -- we should have not had 4 failures by that point.
Fail2ban 0.8.10.dev test suite. Python 2.4.6 (#2, Sep 25 2009, 22:22:06) [GCC 4.3.4]. Please wait...
I: Skipping gamin backend testing. Got exception 'No module named gamin'
I: Skipping pyinotify backend testing. Got exception 'No module named pyinotify'
D: fn=/home/yoh/test/monitorfailures_FilterPoll9nUKoCfail2ban-0 hashes=d41d8cd98f00b204e9800998ecf8427e/d41d8cd98f00b204e9800998ecf8427e inos=5398862/5398862 pos=0 rotate=False
D: Adding a ticket for ('193.168.0.128', 1124013599.0, ['Aug 14 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128\n'])
D: Adding a ticket for ('193.168.0.128', 1124013599.0, ['Aug 14 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128\n'])
D: Closed <closed file '/home/yoh/test/monitorfailures_FilterPoll9nUKoCfail2ban-0', mode 'r' at 0x7f472b2efdc8> with pos 1231
D: fn=/home/yoh/test/monitorfailures_FilterPoll9nUKoCfail2ban-0 hashes=d41d8cd98f00b204e9800998ecf8427e/aeb4e73e6922a746d027eb365ece2149 inos=5398862/5398862 pos=1231 rotate=True
D: Adding a ticket for ('193.168.0.128', 1124013599.0, ['Aug 14 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128\n'])
D: Adding a ticket for ('193.168.0.128', 1124013599.0, ['Aug 14 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 193.168.0.128\n'])
D: Closed <closed file '/home/yoh/test/monitorfailures_FilterPoll9nUKoCfail2ban-0', mode 'r' at 0x7f472b2ef558> with pos 1231
F
======================================================================
FAIL: test_move_file (testcases.filtertestcase.MonitorFailures<FilterPoll>(/home/yoh/test/monitorfailures_FilterPoll9nUKoCfail2ban))
----------------------------------------------------------------------
Traceback (most recent call last):
File "/home/yoh/deb/gits/fail2ban/testcases/filtertestcase.py", line 451, in test_move_file
"Queue must be empty but it is not: %s."
AssertionError: Queue must be empty but it is not: server.ticket.FailTicket: ip=193.168.0.128 time=1124013599.0 #attempts=4.
----------------------------------------------------------------------
N.B.1 I preserved here and in the code corresponding additional debug
print statements, which are commented out by default. sensible md5
digest was generated by using hexdigest() instead of current a bit
faster digest(). Running tests with all the debug output simply
breaks the race loose and failure doesn't trigger.
N.B.2 d41d8cd98f00b204e9800998ecf8427e is an md5sum of an empty
string, and aeb4e73e6922a746d027eb365ece2149 of the first line in that
file.
is None is generally faster than == and from looking at those places
should be adequate.
Also while at those files removed unneded duplicate author listing +
expanded copyright/authors with myself where applicable
* 001-fail2ban-server-socket-close-on-exec-no-leak.diff
Add code that marks server and client sockets with FD_CLOEXEC flags.
Avoid leaking file descriptors to processes spawned when handling
fail2ban actions (ex: iptables).
Unix sockets managed by fail2ban-server don't need to be passed to any
child process. Fail2ban already uses the FD_CLOEXEC flags in the filter
code.
This patch also avoids giving iptables access to fail2ban UNIX socket in
a SELinux environment (A sane SELinux policy should trigger an audit
event because "iptables" will be given read/write access to the fail2ban
control socket).
Some random references related to this bug:
http://sourceforge.net/tracker/?func=detail&atid=689044&aid=2086568&group_id=121032http://www.redhat.com/archives/fedora-selinux-list/2009-June/msg00124.htmlhttp://forums.fedoraforum.org/showthread.php?t=234230
* 002-fail2ban-filters-close-on-exec-typo-fix.diff
There is a typo in the fail2ban server/filter.py source code. The
FD_CLOEXEC is correctly set but additional *random* flags are also set.
It has no side-effect as long as the fd doesn't match a valid flag :)
"fcntl.fcntl(fd, fcntl.F_SETFD, fd | fcntl.FD_CLOEXEC)" <== the 3rd
parameter should be flags, not a file descriptor.
* 003-fail2ban-gamin-socket-close-on-exec-no-leak.diff
Add code that marks the Gamin monitor file descriptor with FD_CLOEXEC
flags. Avoid leaking file descriptors to processes spawned when handling
fail2ban actions (ex: iptables).
---
File descriptors in action process before patches:
dr-x------ 2 root root 0 .
dr-xr-xr-x 8 root root 0 ..
lr-x------ 1 root root 64 0 -> /dev/null <== OK
l-wx------ 1 root root 64 1 -> /tmp/test.log <== used by test action
lrwx------ 1 root root 64 2 -> /dev/null <== OK
lrwx------ 1 root root 64 3 -> socket:[116361] <== NOK (fail2ban.sock leak)
lr-x------ 1 root root 64 4 -> /proc/20090/fd <== used by test action
l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log <== OK
lrwx------ 1 root root 64 6 -> socket:[115608] <== NOK (gamin sock leak)
File descriptors in action process after patches:
dr-x------ 2 root root 0 .
dr-xr-xr-x 8 root root 0 ..
lr-x------ 1 root root 64 0 -> /dev/null <== OK
l-wx------ 1 root root 64 1 -> /tmp/test.log <== used by test action
lrwx------ 1 root root 64 2 -> /dev/null <== OK
lr-x------ 1 root root 64 3 -> /proc/18284/fd <== used by test action
l-wx------ 1 root root 64 5 -> /var/log/fail2ban.log <== OK
* all of the *Filters had too much of common logic in their *LogPath
methods, which is now handled by FileFilter and derived classes only
add custom actions in corresponding _(add|del)LogPath methods
pyinotify:
* upon CREATE event:
- unknown files should not be handled at all
- "watcher" for the monitored files should be recreated.
Lead to adding _(add|del)FileWatcher helper methods
* callback now obtains full event to judge what to do
following commits were squashed from feature branch use_dns
commit 068c105eb5
Author: Lee Clemens <java@leeclemens.net>
Date: Tue Jan 10 22:19:04 2012 -0500
Prevent warning when IP is read from log
commit 635ed36a8c
Author: Lee Clemens <java@leeclemens.net>
Date: Tue Jan 10 22:17:08 2012 -0500
Removed logDebug
commit 24656d2812
Merge: 7957fbec429f5c
Author: Lee Clemens <java@leeclemens.net>
Date: Tue Jan 10 21:13:11 2012 -0500
Merge branch 'enh/use_dns' of github:leeclemens/fail2ban into enh/use_dns
Conflicts:
testcases/filtertestcase.py
commit 7957fbe821
Author: Lee Clemens <java@leeclemens.net>
Date: Tue Jan 10 21:09:58 2012 -0500
filtertestcase fixes from yarikoptic
commit 6ce9d04640
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Tue Jan 10 19:26:05 2012 -0500
RF: for consistency use_dns -> usedns
I guess it was might fault of inconsistency suggesting that name.
Other options/commands do not have _ in the names, so let it be
consistent with the rest for now
commit cfb2c75b49
Author: Lee Clemens <java@leeclemens.net>
Date: Tue Jan 10 19:18:41 2012 -0500
Updated DNSUtilsTests to test use_dns and added positive test to testTextToIp
commit f6186eff14
Author: Lee Clemens <java@leeclemens.net>
Date: Tue Jan 10 19:02:04 2012 -0500
Changed wording of 'DNS Reverse lookup used' message
commit 82c62d29dc
Author: Lee Clemens <java@leeclemens.net>
Date: Tue Jan 10 18:53:17 2012 -0500
Removed extraneous "n"
commit dc0ae21932
Author: Lee Clemens <java@leeclemens.net>
Date: Mon Jan 9 23:07:59 2012 -0500
ENH: use_dns - removed debugging statements
commit 594e25818c
Author: Lee Clemens <java@leeclemens.net>
Date: Mon Jan 9 22:53:39 2012 -0500
Added use_dns protocol to set and get per jail during runtime
commit 48ff80ffac
Author: Lee Clemens <java@leeclemens.net>
Date: Mon Jan 9 22:41:18 2012 -0500
Completed use_dns for initial startup - with debugging statements
commit 0bdab4c2d7
Author: Lee Clemens <java@leeclemens.net>
Date: Mon Jan 9 20:05:35 2012 -0500
ENH: Added use_dns option
commit 6d6b734ea5
Author: Lee Clemens <java@leeclemens.net>
Date: Mon Jan 9 20:01:34 2012 -0500
ENH: Added use_dns option
commit 11ad2b6125
Author: Lee Clemens <java@leeclemens.net>
Date: Mon Jan 9 19:17:30 2012 -0500
Added useDns flag to testcase
commit b48fa9b6af
Author: Lee Clemens <java@leeclemens.net>
Date: Sun Jan 8 15:13:27 2012 -0500
Added use_dns option in jail.conf
commit c429f5c91a
Merge: 4b18afb0021906
Author: leeclemens <java@leeclemens.net>
Date: Tue Jan 10 16:32:22 2012 -0800
Merge pull request #3 from yarikoptic/enh/use_dns
let's be consistent ;-)
commit 0021906358
Author: Yaroslav Halchenko <debian@onerussian.com>
Date: Tue Jan 10 19:26:05 2012 -0500
RF: for consistency use_dns -> usedns
I guess it was might fault of inconsistency suggesting that name.
Other options/commands do not have _ in the names, so let it be
consistent with the rest for now
commit 4b18afb28a
Author: Lee Clemens <java@leeclemens.net>
Date: Tue Jan 10 19:18:41 2012 -0500
Updated DNSUtilsTests to test use_dns and added positive test to testTextToIp
commit 4fae37e46f
Author: Lee Clemens <java@leeclemens.net>
Date: Tue Jan 10 19:02:04 2012 -0500
Changed wording of 'DNS Reverse lookup used' message
commit e94806ce48
Author: Lee Clemens <java@leeclemens.net>
Date: Tue Jan 10 18:53:17 2012 -0500
Removed extraneous "n"
commit 4d30c52907
Author: Lee Clemens <java@leeclemens.net>
Date: Mon Jan 9 23:07:59 2012 -0500
ENH: use_dns - removed debugging statements
commit 76696d452a
Author: Lee Clemens <java@leeclemens.net>
Date: Mon Jan 9 22:53:39 2012 -0500
Added use_dns protocol to set and get per jail during runtime
commit 0631618087
Author: Lee Clemens <java@leeclemens.net>
Date: Mon Jan 9 22:41:18 2012 -0500
Completed use_dns for initial startup - with debugging statements
commit d23d495547
Author: Lee Clemens <java@leeclemens.net>
Date: Mon Jan 9 20:05:35 2012 -0500
ENH: Added use_dns option
commit 9538553bc5
Author: Lee Clemens <java@leeclemens.net>
Date: Mon Jan 9 20:01:34 2012 -0500
ENH: Added use_dns option
commit ae1e857e53
Author: Lee Clemens <java@leeclemens.net>
Date: Mon Jan 9 19:17:30 2012 -0500
Added useDns flag to testcase
commit ace43eb941
Author: Lee Clemens <java@leeclemens.net>
Date: Sun Jan 8 15:13:27 2012 -0500
Added use_dns option in jail.conf
The address has changed from "59 Temple Place, Suite 330, Boston,
MA 02111-1307 USA" to "51 Franklin Street, Fifth Floor, Boston,
MA 02110-1301, USA" some time ago.
Steven Hiscocks