Commit Graph

6080 Commits (f8a269eaadf3040ee026bb1f68a614eaf3afe781)

Author SHA1 Message Date
Hasan ÇALIŞIR f8a269eaad
fix convert_bantime
- Swapped returns for echoes — Bash, not PHP
2025-03-05 21:15:10 +03:00
Hasan ÇALIŞIR 00bb41b864
refactor AbuseIPDB integration with improved concurrency and error handling
This refactors the AbuseIPDB integration for Fail2Ban with major improvements:
- Introduced separate lock files (LOCK_INIT, LOCK_BAN, LOCK_DONE) to better handle concurrent
  initialization and prevent race conditions during restarts.
- LOCK_BAN → serializes ban reports to the API (during actionban).
- LOCK_DONE → can signal completion or be used for future synchronization (like restart-safe exits).
- LOCK_INIT with flock in actionstart to prevent concurrent
  initialization, ensuring SQLite and log file integrity during parallel
  Fail2Ban restarts or multiple jail startups.
- Enhanced argument validation for both actionstart and actionban to prevent silent failures.
- Improved database initialization checks, ensuring proper creation of directories and log files.
- Added persistent SQLite pragmas for performance optimization under concurrent access.
- Refined error handling and logging for API interactions, including better detection of
  rate-limiting (HTTP 429) and invalid responses.
- Implemented consistent whitespace trimming and sanitization on IP addresses and bantime inputs.
- Improved modularity with dedicated helper functions, reducing code duplication and improving
  maintainability.
- Ensured background execution with better log redirection and failure tracking.
- Verify local DB insertions, aborting the process on failure to prevent
  incomplete or invalid state.
- Roll back local DB entries if AbuseIPDB reporting fails, ensuring no
  orphaned records remain.
- Replace basic info logs with clear status and error messages to improve
  traceability and debugging.
- Maintain high integrity between the local database and AbuseIPDB by
  only proceeding when all previous steps succeed.
- Shift from a "continue regardless" flow to a controlled stop on any
  critical error, ensuring system reliability.

Previously, the script assumed success of key steps, risking stale database
entries, silent API call failures, and duplicate reports after Fail2Ban
restarts. These changes improve reliability, prevent data corruption under
high concurrency, and ensure accurate synchronization between local db and
AbuseIPDB API.
2025-03-05 20:04:46 +03:00
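The two commits above describe a Bash action script, but the control flow they settle on (sanitize the inputs, write the local record inside a transaction, attempt the API report, keep the record only if the report succeeded, treat HTTP 429 as a distinct retryable failure, and skip IPs already recorded so they are not re-reported after a restart) is easier to see in a compact model. The following is an added example written for this page in Python against an in-memory SQLite database and a pluggable report function; it is not the project's fail2ban-abuseipdb.sh, and the table layout, the status codes, the `report_fn(ip, jail)` signature and the bantime suffixes handled by `convert_bantime` are assumptions made for the example.

```python
"""Model of 'insert locally, report, roll back on failure'.

Added example, not the project's action script. The local row is written
inside an explicit transaction; the API report is attempted while the
transaction is open; COMMIT happens only after a successful report, so a
failed or rate-limited report leaves no orphaned record behind.
"""
import ipaddress
import sqlite3


class ReportError(Exception):
    """Report rejected or unreadable response; the local row is rolled back."""


class RateLimited(ReportError):
    """HTTP 429 (assumed status code): rolled back too, but safe to retry later."""


def open_db(path=':memory:'):
    # isolation_level=None: we issue BEGIN/COMMIT/ROLLBACK ourselves.
    db = sqlite3.connect(path, isolation_level=None)
    db.execute('PRAGMA journal_mode=WAL')    # readers do not block the writer
    db.execute('PRAGMA busy_timeout=5000')   # wait for a lock instead of failing
    db.execute('CREATE TABLE IF NOT EXISTS banned('
               ' ip TEXT PRIMARY KEY, jail TEXT, bantime INTEGER, reported_at INTEGER)')
    return db


def sanitize_ip(value):
    """Trim whitespace and accept only a literal IPv4/IPv6 address."""
    return str(ipaddress.ip_address(str(value).strip()))


def convert_bantime(value):
    """Return seconds from an integer or a single-suffix value (assumed: s/m/h/d/w)."""
    v = str(value).strip().lower()
    units = {'s': 1, 'm': 60, 'h': 3600, 'd': 86400, 'w': 604800}
    if v and v[-1] in units:
        return int(v[:-1]) * units[v[-1]]
    return int(v)  # plain seconds; -1 stays -1 (permanent ban)


def ban_and_report(db, ip, jail, bantime, report_fn, now):
    """Record the ban locally and report it; returns 'reported' or 'duplicate'.

    Raises RateLimited on 429 and ReportError on any other non-200 status;
    in both cases the local insert has been rolled back.
    """
    ip = sanitize_ip(ip)
    seconds = convert_bantime(bantime)
    db.execute('BEGIN IMMEDIATE')  # take the write lock before reading
    try:
        if db.execute('SELECT 1 FROM banned WHERE ip = ?', (ip,)).fetchone():
            db.execute('ROLLBACK')
            return 'duplicate'  # already reported earlier, e.g. before a restart
        db.execute('INSERT INTO banned(ip, jail, bantime, reported_at) VALUES (?, ?, ?, ?)',
                   (ip, jail, seconds, now))
        status = report_fn(ip, jail)  # stand-in for the HTTP call
        if status == 429:
            raise RateLimited(ip)
        if status != 200:
            raise ReportError('HTTP %s reporting %s' % (status, ip))
        db.execute('COMMIT')
        return 'reported'
    except Exception:
        db.execute('ROLLBACK')
        raise


if __name__ == '__main__':
    db = open_db()
    # Constructed stand-ins for the API: always-OK and always-rate-limited.
    print(ban_and_report(db, ' 203.0.113.9 ', 'sshd', '1d', lambda ip, jail: 200, now=1))
    print(ban_and_report(db, '203.0.113.9', 'sshd', '1d', lambda ip, jail: 200, now=2))
    try:
        ban_and_report(db, '203.0.113.10', 'sshd', 600, lambda ip, jail: 429, now=3)
    except RateLimited as exc:
        print('rate limited, nothing stored for', exc)
    print(db.execute('SELECT ip FROM banned').fetchall())
```

The point of `BEGIN IMMEDIATE` is that the duplicate check and the insert happen under the same write lock, so two jails banning the same IP at once cannot both pass the check; a real script would additionally hold an inter-process lock around the whole report, as the commit describes with LOCK_BAN.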
Hasan ÇALIŞIR 4a1e854080
Merge branch 'fail2ban:master' into feature-abuseipdb-integration 2025-03-05 13:56:04 +03:00
Sergey G. Brester 505d51fd5d
Update PULL_REQUEST_TEMPLATE.md 2025-03-04 19:19:57 +01:00
sebres 4bb1fd519d test-suite: if failed, sample regexs factory would show responsible header line (failJSON) together with the error line 2025-03-04 14:39:24 +01:00
sebres cf9c8f1e9b test-suite: fixed sample regexs factory counting of line number (if it errors, the line number showing in error line was incorrect, because of missing increment) 2025-03-04 14:27:21 +01:00
Sergey G. Brester c035428535
Merge pull request #3954 from luckylittle/feature/systemd-journal-vsftpd
`filter.d/vsftpd.conf` - fixed regex (if failures generated by systemd-journal)
2025-03-04 14:20:01 +01:00
sebres 79346e4f2c updated ChangeLog 2025-03-04 14:15:14 +01:00
sebres 94fe9cf4a8 more fixes, capture user names, more tests...
since line 7 matches successfully now (it was disabled in gh-358 because of obsolete format), it is marked as match:true (line can be removed later if unneeded)
2025-03-04 14:13:07 +01:00
sebres 1e06ab68b4 fixed filter (new regex is unneeded), tests format of failures produced by system journal 2025-03-04 13:47:59 +01:00
Sergey G. Brester e9a42847bc
Merge pull request #3955 from luckylittle/feature/systemd-journal-lighttpd
`filter.d/lighttpd-auth.conf` - fixed regex (if failures generated by systemd-journal), bypass several prefixes now
2025-03-04 13:21:43 +01:00
Sergey G. Brester 3e9a4b4a48
Update ChangeLog 2025-03-04 13:20:54 +01:00
Sergey G. Brester 95cdf553f5
fixes test in lighttpd-auth: added failJSON to match the line 2025-03-04 13:09:21 +01:00
Sergey G. Brester 13a74feaad
2nd RE unneeded, fix single RE - bypass everything before open parenthesis 2025-03-04 13:02:50 +01:00
Lucian Maly 6e3bfd800c
Added author 2025-03-04 12:26:14 +11:00
Lucian Maly 9d7646e6c0
Added author 2025-03-04 12:25:27 +11:00
Lucian Maly f5ba525cd2
Added sample log line 2025-03-04 12:22:35 +11:00
Lucian Maly fd1d0d25a8
Added regex for systemd-journal matches of lighttpd-auth 2025-03-04 12:20:24 +11:00
Lucian Maly bd4cb606e5
Added sample log line 2025-03-04 11:47:49 +11:00
Lucian Maly 65d473fc8e
Added regex for systemd-journal matches of vsftpd 2025-03-04 11:43:38 +11:00
sebres e3ab969047 increase interval for up-to-date check (to 1 minute) after error, to avoid continuous flood in log on further possible errors 2025-03-04 00:07:31 +01:00
sebres 9145db8de3 small code review of FileIPAddrSet: encapsulate check for changed logic to _isModified and slightly increase coverage for it (latency, changed, unchanged) 2025-03-03 23:59:36 +01:00
sebres 7233edd0bf amend ChangeLog updated: `ignoreip` extended with `file:...` syntax to ignore IPs from file-ip-set;
+ silence codespell
2025-03-03 20:07:05 +01:00
sebres c54f1a4603 Merge branch 'ignore-file-ip-addr-set':
configuration `ignoreip` and fail2ban-client commands `addignoreip`/`delignoreip` extended with `file:...` syntax to ignore IPs from file-ip-set (containing IP, subnet, dns/fqdn or raw strings);
the file would be read lazily on demand, by first ban (and automatically reloaded by update after small latency to avoid expensive stats check on every compare);
the entries inside the file can be separated by comma, space or new line with optional comments (text following chars # or ; after space or newline would be ignored up to next newline)
2025-03-03 20:00:32 +01:00
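The merge commit above, together with the `ipdns.py` commits further down, describes the file format accepted by `ignoreip = file:...`: entries separated by comma, space or newline, with a `#` or `;` that follows a space or newline starting a comment that runs to the end of the line. The parser below is an added example written for this page, not fail2ban's own FileIPAddrSet; it implements only those stated format rules, and the `SimpleIPSet` matcher (exact IPs and CIDR subnets via `ipaddress`, anything else compared as a literal string rather than resolved through DNS) is a simplified stand-in for how the real set is consulted. The sample file content is constructed.

```python
"""Parse an ip-set file of the kind described for `ignoreip = file:...`.

Added example, not fail2ban's FileIPAddrSet. Format rules implemented:
  - entries are separated by comma, space/tab or newline;
  - `#` or `;` at the start of the file, after whitespace or after a
    newline begins a comment that runs to the end of that line;
  - entries may be IPs, CIDR subnets, hostnames or raw strings.
"""
import ipaddress
import re

# A comment marker only counts when it starts the file or follows whitespace
# (a newline is whitespace), so "10.0.0.1#x" is one raw token, not a comment.
_COMMENT_RE = re.compile(r'(?:^|(?<=\s))[#;][^\n]*')
_SEP_RE = re.compile(r'[,\s]+')


def parse_ipset_text(text):
    """Return the list of entries in order, comments and separators removed."""
    stripped = _COMMENT_RE.sub('', text)
    return [tok for tok in _SEP_RE.split(stripped) if tok]


def parse_ipset_file(path):
    with open(path, 'r', encoding='utf-8') as fh:
        return parse_ipset_text(fh.read())


class SimpleIPSet:
    """Minimal matcher: exact IPs and CIDR subnets; other entries compared literally."""

    def __init__(self, entries):
        self.networks = []
        self.raw = set()
        for entry in entries:
            try:
                # strict=False so a host address with a prefix length is accepted
                self.networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                # hostname or raw string; fail2ban would resolve dns/fqdn entries,
                # this example only compares them as literal strings
                self.raw.add(entry)

    def __contains__(self, item):
        if item in self.raw:
            return True
        try:
            ip = ipaddress.ip_address(item)
        except ValueError:
            return False
        return any(ip in net for net in self.networks)


# Constructed sample content exercising every separator and comment form.
SAMPLE = """\
# trusted management hosts
192.0.2.10, 192.0.2.11 198.51.100.0/24  ; office range
2001:db8::/32
bastion.example.org # compared literally in this example
"""

if __name__ == '__main__':
    entries = parse_ipset_text(SAMPLE)
    ipset = SimpleIPSet(entries)
    print(entries)
    for probe in ('192.0.2.11', '198.51.100.77', '203.0.113.5', '2001:db8:1::1'):
        print(probe, probe in ipset)
```

The separator regex treats runs of commas and whitespace as a single delimiter, so `a,, b` and `a , b` both yield two entries; blank lines and comment-only lines contribute nothing.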
sebres 5bea1c87f1 add few comments to test-ign-ips-file for the sake of completeness and coverage 2025-03-03 19:52:23 +01:00
Hasan ÇALIŞIR 28c2d6685d
fix script naming
- rename fail2ban_abuseipdb.sh --> fail2ban-abuseipdb.sh
- update descriptions
2025-03-03 21:21:44 +03:00
sebres 6efa3a3144 man extended (`ignoreip` supports file://path/file-with-ip-set) 2025-03-03 19:19:21 +01:00
sebres fe37047061 test coverage for FileIPAddrSet and ignoreip for file://... 2025-03-03 19:06:08 +01:00
sebres 81a5b1596b filter and configuration `ignoreip` extended with file:... to ignore IPs from file-ip-set (containing IP, subnet, dns/fqdn or raw strings); the file would be read lazily on demand, by first ban (and automatically reloaded by update after small latency) 2025-03-03 19:03:48 +01:00
sebres d684339edd allow comments in file with ip-set: text following # or ; chars after space or newline would be ignored 2025-03-03 19:00:09 +01:00
sebres bdae15b522 ipdns.py: implemented FileIPAddrSet supporting file with IP-set, which may contain IP, subnet, or dns, with lazy load and dynamically reloaded by changes (with small latency to avoid expensive stats check on every compare) 2025-03-03 18:40:15 +01:00
Hasan ÇALIŞIR fa4ce4acba
update abuseipdb.local accordingly
- Replace local file storage with AbuseIPDB SQLite database.
- Add info about preventing leaking sensitive information on reports
2025-03-03 18:28:46 +03:00
Hasan ÇALIŞIR d13660c588
migrate banned IPs to SQLite DB and prevent actionban latency
- Replace local file storage with AbuseIPDB SQLite database.
- Offload heavy tasks to background to avoid latency during concurrent actionban calls.
- Add global lock to ensure actionstart runs only once across all jails.
2025-03-03 18:13:45 +03:00
Hasan ÇALIŞIR b5314961e8
Merge branch 'fail2ban:master' into feature-abuseipdb-integration 2025-03-03 18:04:19 +03:00
Sergey G. Brester c9b5e845ba
`action.d/cloudflare-token.conf`: fixes `actionunban` retrieving of CF-ID from IP:
force adding parameters to URL as query string (add `-G` to curl);
closes gh-3952
2025-03-01 20:19:35 +01:00
Sergey G. Brester e5199aee92
action.d/ufw.conf: update comment:
fix syntax in example, because `dst` as command parameter doesn't have precedence over or-expression, so second `sport` would ignore `dst` and kill any connection for https regardless of the IP
2025-03-01 00:23:55 +01:00
Hasan ÇALIŞIR 63788d02d6
re-organized script for both actionstart & actionban
- Reorganized script to be used by both 'actionstart' and 'actionban' in 'abuseipdb.local'
- Isolated heavy 'actionstart' tasks using nohup to prevent latency
- Removed redundant API checks to improve performance and reduce overhead
- Implemented a lock mechanism to prevent 'actionban' execution if 'actionstart' fails
- Ensured 'actionban' does not run at runtime due to missing dependencies or permission issues
2025-02-26 13:01:31 +03:00
Hasan ÇALIŞIR 2962bb0e56
Fail2Ban AbuseIPDB: Override main config with enhancements
- Added an override configuration to enhance Fail2Ban's AbuseIPDB integration.
- Introduced a local banned IP list for better isolation from Fail2Ban.
- Optimized API calls (`/v2/check` → `/v2/report`) to reduce redundant reports.
- Ensured `norestored=1` handling to prevent re-reporting after restarts.
- Improved logging and added custom comments to avoid sensitive data exposure.

This override provides more control, efficiency, and security while maintaining compatibility with the main configuration.
2025-02-26 12:47:31 +03:00
Hasan ÇALIŞIR 05f20c4b65
Merge branch 'fail2ban:master' into feature-abuseipdb-integration 2025-02-26 12:17:15 +03:00
sebres 1c61836169 main.yml: merge branch 'gha-try-new-runner':
- update runner image (20.04 gets end of date)
- update python versions (v.3.7 is unsupported for 24.04, bump v.3.14 to next alpha)
2025-02-25 18:38:19 +01:00
Sergey G. Brester fdac34a3ee
main.yml: update python versions
v.3.7 is unsupported for 24.04, bump v.3.14 to next alpha
2025-02-25 18:29:26 +01:00
Sergey G. Brester c340fb0ef4
main.yml: update runner image
(20.04 gets end of date)
2025-02-25 18:24:40 +01:00
Hasan ÇALIŞIR b423631825
fail2ban: Update AbuseIPDB actionban script instructions
- Clarified integration steps for placing the script in 'action.d'
- Updated example configuration with correct script name 'fail2ban-abuseipdb.sh'
- Emphasized the need to set 'abuseipdb_apikey' in the config file
- Improved formatting and readability for better user understanding

No functional changes, just documentation updates.
2025-02-22 22:27:40 +03:00
Hasan ÇALIŞIR b468593e93
Create fail2ban-abuseipdb.sh 2025-02-22 21:34:17 +03:00
sebres 882e6d5e00 `filter.d/exim.conf` - mode `aggressive` extended to catch dropped by ACL failures, e.g. "ACL: Country is banned" 2025-02-10 17:30:07 +01:00
Sergey G. Brester 2d736ad755 small amend 2025-01-31 19:54:24 +01:00
Sergey G. Brester a44c8dc3ec
Update FILTERS: clarify and improve docu, update some urls, etc
(related #3934)
2025-01-31 19:51:29 +01:00
Sergey G. Brester 6fb3532c45
Merge pull request #3931 from brianjmurrell/patch-2
`from '[^']*'` is not always present …
2025-01-30 14:06:00 +01:00
sebres a1268f37c3 amend (move ChangeLog entry) 2025-01-30 14:04:00 +01:00
sebres b55c20594e `paths-common.conf`: changed default `mysql_log` path (default `logpath` of `mysqld-auth` jail without maintainer overrides); adjusted comments (`log_error_verbosity = 3` instead of `log-warnings = 2`)
closes gh-3932
2025-01-30 14:00:43 +01:00