Commit Graph

3398 Commits (9d4f163e8826fce5182bb7d3be65795e6831fa52)

Author SHA1 Message Date
sebres 9d4f163e88 code review and minor repair after merge with performance branch (changed naming convention, wrong resolved conflicts, etc) 2015-12-29 17:36:00 +01:00
sebres 21f058a9f7 Merge remote-tracking branch 'remotes/gh-origin/f2b-perfom-prepare-716' into ban-time-incr 2015-12-29 14:04:41 +01:00
sebres da51fbf9c6 code review and performance optimization:
- default date templates cache + regexp compiling on the fly (if required);
- better usage of shared config over all test cases;
- obsolete test cases removed (simple test of memleak/gc);
- skip some slow test cases in fast mode (setup test, etc.);
2015-12-29 12:49:53 +01:00
sebres 3f2b58e973 datedetector: matchTime, template list etc. rewritten because of performance degradation (without sorting templates now) - in-place reordering using hits and last used time;
todo: rewrite "reGroupDictStrptime" because may be too slow;
2015-12-29 12:49:51 +01:00
sebres e065941ac5 use "maxEntries" (currently 50 as default) as range for max number of the last matches/failures, fail2ban will hold per IP in the list of failures in failmanager resp. in the database;
prevents out of memory situation if many IPs make extremely many failures (or very large files since last fail2ban run);
closes gh-1277
todo: parameter `maxentries` should be configurable (jail.conf resp. fail2ban.conf);
todo: adjust ban-time-incr branch by merge (table "bips").
2015-12-29 12:49:48 +01:00
sebres 935d79eaae 1) prevents a bug by logging stdout/stderr if retcode still None:
```
in executeCmd
    if retcode < 0:
TypeError: unorderable types: NoneType() < int()
```
2) prevents a rare test case bug of testExecuteTimeoutWithNastyChildren, because no stdout (Resource temporarily unavailable), possibly no flush by IO of the killing process;
2015-12-29 12:49:46 +01:00
sebres 6406f6f560 background servicing (temporally executed from failmanager): prevents memory leak on some platforms/python versions, using forced GC in periodic intervals (latency and threshold);
Side effect: GC is disabled now inside fail2ban-server (to avoid multiple garbage collect)
2015-12-29 12:49:44 +01:00
sebres a10eb39bbe test cases extended with memory leakage check 2015-12-29 12:49:41 +01:00
sebres f7cc55103c optimized FailManager: increase performance, try to prevent memory leakage (don't copy failures resp. it list on some operations) 2015-12-29 12:49:39 +01:00
sebres f143ae479c code and config review after rebase to current master 2015-12-29 12:49:37 +01:00
sebres 72f29e9061 asyncserver (asyncore) code fixed and test cases repaired (always delete temp files, wait for end of thread/server, etc)
definitely closes gh-161, also other usage of asyncore event loop (in test_smtp.py)
repair cache in ipToName (can return None), precaching of invalid IPs (according to RFC 5737) to stop endless wait for resolving it in test cases.
2015-12-29 12:49:34 +01:00
sebres 770c219ab6 SetupTest should run at version of python currently installed (resp. active one), skip if started with another version. 2015-12-29 12:49:32 +01:00
sebres cf3cf27fa3 - filtering of test cases extended for method additionally to class (matches method only not whole class for regexp matched method name);
- new options for "fail2ban-testcases" introduced: "-g" or "--no-gamin" and "-m" or "--memory-db", both are true also if "-f" or "--fast" specified,
  for example: `fail2ban-testcases -ngm` will run faster (because no network, no gamin, memory database)
  but will use the same default sleep intervals as in production (in comparison to -nf);
- seekToTime rewritten, accuracy increased by seekToTime, extended for all FileFilter (PyInotify, Gamin also), test cases extended etc.
- common performance optimized and code reviewed;
2015-12-29 12:49:30 +01:00
sebres 6faffe3201 test cases extended, code review (+ python 3.x compatibility);
database test cases extended - enable deleted (disabled) jail in addJail;
2015-12-29 12:49:27 +01:00
Yaroslav Halchenko 0e61b7586a RF: use descriptive loop variable (oldticket) and matching associated variable suffixes (old) 2015-12-29 12:49:26 +01:00
Yaroslav Halchenko e2a68bb02d RF: make Jail new style class, avoiding multiple inheritance with object 2015-12-29 12:49:24 +01:00
Yaroslav Halchenko 78eb4d95eb RF: is_alive -> isAlive to stay consistent in camelCasing 2015-12-29 12:49:21 +01:00
sebres 59bf5013c0 - performance of fail2ban optimized
   -- cache dnsToIp, ipToName to prevent long wait during retrieving of ip/name for wrong dns or lazy dns-system;
   -- instead of simple "sleep" used conditional wait "wait_for", that internal increases sleep interval up to sleeptime;
   -- ticket / banmanager / failmanager modules are performance optimized;
   -- api of filter (log files), jail, etc. rewritten and extended for performance purposes;
- performance of test cases optimized:
   -- added option "--fast" to decrease wait intervals, avoid passive waiting, and skip few very slow test cases;
- code review after partially cherry pick of branch 'ban-time-incr' (see gh-716)
   -- ticket module prepared to easy merge with newest version of 'ban-time-incr', now additionally holds banTime, banCount and json-data;
   -- executeCmd partially moved from action to new module utils, etc.
   -- python 2.6 compatibility;
- testExecuteTimeoutWithNastyChildren: test case repaired - wait for pid file inside bash, kill tree in any case (gh-1155);
- testSocket: test case repaired - wait for server thread starts a socket (listener)
2015-12-29 12:49:19 +01:00
sebres 3540619a73 code review, test case extended; 2015-12-29 12:49:17 +01:00
sebres d23d103f96 code review and few new test cases 2015-12-29 12:49:15 +01:00
sebres db5ee0842a increase code coverage 2015-12-29 12:49:13 +01:00
sebres d22b2498d4 normalizing time config entries: use time abbreviation (str2seconds) for all time options such as 'dbpurgeage', 'bantime', 'findtime', ex.: default '1d' instead of '86400';
code review and test case extended;
2015-12-29 12:49:10 +01:00
sebres dad4234beb The tricky bug fixed - last position of log file will be never retrieved (#795):
addJail (executed before addLog) early uses a "INSERT OR REPLACE" statement to update "enabled" to 1 (and add jail the first time used at once), but this syntax in sqlite always deletes an entry (cause of constraint) and inserts it again, so because of CASCADE all log entries with this jail will be also deleted from logs table.
2015-12-29 12:49:08 +01:00
sebres 410f9d7c10 filter, datedetector, datetemplate: performance optimizing of combination datedetector.matchTime/getTime2, because early getTime search a template and call template.matchTime again (so the date parsing was really executed twice, now just once);
debug logging optimized;
added info line log "Start Fail2ban ..." after changed logging target;
2015-12-29 12:49:06 +01:00
sebres 42199957d0 prevent completely read of big files first time (after start of service), initial seek to start time using half-interval search algorithm (see issue #795):
now polling backend only (currently not implemented for gamin and pyinotify backends);
python3/pypy compatibility fix + removing obsolete code
2015-12-29 12:48:15 +01:00
sebres 3cfdc5ecb3 test cases extended;
code review
2015-12-29 12:48:14 +01:00
sebres a3e0cc9830 introduced string to seconds (str2seconds) for configuration entries with time;
todo: expand it for all time config entries;
2015-12-29 12:48:11 +01:00
Yaroslav Halchenko 26dd6d7425 Merge pull request #1258 from aleksandrs-ledovskis/feature/postfix-domain-not-found-failregex
Add 'Sender address rejected: Domain not found' Postfix failregex
2015-12-18 09:23:54 -05:00
Yaroslav Halchenko 9f15d02910 Merge pull request #1251 from fastest963/master
Added PartOf to service file so f2b restarts when deps do
2015-12-18 09:21:43 -05:00
Yaroslav Halchenko edcbdf6eab Merge pull request #1264 from rbrownwsws/master
Added filter and jail for murmur/mumble-server.
2015-12-18 09:20:45 -05:00
Yaroslav Halchenko 39d202b623 Merge pull request #1273 from yarikoptic/enh-log-matchtuple
ENH: log at heavydebug level what actually we are matching for failregex
2015-12-18 09:20:02 -05:00
Ross Brown 8d12dba245 Merge remote-tracking branch 'upstream/master' 2015-12-17 18:01:17 +00:00
Ross Brown 16aa2fa13e Updated ChangeLog to include new murmur jail. 2015-12-17 17:57:45 +00:00
Ross Brown ead2d509dc Updated 'murmur' filter to use new double-anchored regex based on @yarikoptic's suggestions. 2015-12-17 17:45:24 +00:00
Yaroslav Halchenko 61b2653f9e Merge pull request #1274 from yarikoptic/enh-new-sshd-too-many
ENH: sshd filter -- match new "maximum auth attempts exceeded"
2015-12-16 06:58:47 -05:00
Ross Brown fd36b058ce Changed usernames in sample log file for 'murmur' filter. 2015-12-15 21:55:07 +00:00
Ross Brown ba535826a8 Updated ChangeLog to include new murmur filter. 2015-12-15 21:46:35 +00:00
Yaroslav Halchenko 5d6cead996 ENH: sshd filter -- match new "maximum auth attempts exceeded" (Closes #1269) 2015-12-13 23:21:04 -05:00
Yaroslav Halchenko 9ee08fed48 ENH: log at heavydebug level what actually we are matching for failregex 2015-12-13 23:06:02 -05:00
sebres 6d984717b5 ordered dict replaced with dict + change log entry fix
# Conflicts:
#	fail2ban/server/filter.py
2015-12-12 15:48:49 +01:00
Yaroslav Halchenko 48202f998d RF: prefer log over container in getLog and local variables
Even though I have left FileContainer class name intact
2015-12-02 22:57:40 -05:00
Yaroslav Halchenko 59da27b9f6 ENH: add a check to testTail to assure correct test logic below it 2015-12-02 22:53:28 -05:00
Yaroslav Halchenko dd9d1912e8 RF: Filter.getLogPaths -> getLogs
Since it returns log containers not paths per se
2015-12-02 22:49:47 -05:00
sebres 6ce7522d3c unordered (python 2.6) compatibility fix and coverage extended; 2015-12-02 21:29:27 +01:00
sebres 3a179ec5d7 small code review: (much pretty) handling of filename as key - FileFilter contains (ordered) dict of files (not list), as discussed in gh-1265 2015-12-02 20:45:01 +01:00
Ross Brown 4c837f0333 Added sample log file for 'murmur' filter. 2015-11-29 16:28:47 +00:00
Ross Brown 106c3eab9a Added filter and jail for murmur/mumble-server. 2015-11-29 15:56:56 +00:00
Serg G. Brester 1b0560d2f1 Merge pull request #1262 from sarneaud/gentoo-initd
Small fixes for Gentoo initd script
2015-11-28 21:00:28 +01:00
sarneaud 5b88a84fe8 Small fixes for Gentoo initd script
These fixes are pretty pedantic, but they do simplify the script a
little.

* Checking the existence of a file/directory before creating/deleting
  it adds complexity and raciness.  There are better options.
* mkdir -p does the job of making sure a directory exists.  (It only
  fails if there's a filesystem error or something.)
* Likewise, rm -f doesn't fail if the file doesn't exist.
* rm -r isn't necessary because the socket shouldn't be a directory.
  (If it is for some reason, that should be an error.)
2015-11-28 15:03:09 +11:00
Aleksandrs Ļedovskis fa59a6850f Add 'Sender address rejected: Domain not found' Postfix failregex
Signed-off-by: Aleksandrs Ļedovskis <aleksandrs@ledovskis.lv>
2015-11-22 12:01:15 +02:00