# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
# vi: set ft=python sts=4 ts=4 sw=4 noet :
# This file is part of Fail2Ban.
#
# Fail2Ban is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Fail2Ban is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Fail2Ban; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
# Author: Cyril Jaquier
#
# Module metadata (the full license text is in the header above).
__license__ = "GPL"
__copyright__ = "Copyright (c) 2004 Cyril Jaquier"
__author__ = "Cyril Jaquier"
from threading import Lock
import logging
from .ticket import FailTicket, BanTicket
from ..helpers import getLogger, BgService
# Level at which FailManager.addFailure emits its per-call failure summary;
# the summary is only composed when the logger is at least this verbose.
logLevel = logging.DEBUG

# Module logger.
logSys = getLogger(__name__)
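class FailManager:
	"""Bookkeeping of failures that have not (yet) led to a ban, keyed by ticket ID.

	Entries live in a dict guarded by a lock. ``addFailure`` merges repeated
	failures for the same ID, ``cleanup`` expires entries whose last failure
	is older than ``maxTime`` and ``toBan`` hands out entries whose retry
	counter reached ``maxRetry``.
	"""

	def __init__(self):
		# guards __failList / __failTotal in the mutating methods below
		self.__lock = Lock()
		# ticket ID -> FailTicket
		self.__failList = {}
		# retries an entry needs before toBan() releases it
		self.__maxRetry = 3
		# window (same units as ticket.getTime(), presumably seconds) used by
		# adjustTime() in addFailure() and by cleanup()
		self.__maxTime = 600
		# running count of every failure ever accepted by addFailure()
		self.__failTotal = 0
		# cap on the match lines kept per entry; falsy disables storing matches
		self.maxMatches = 5
		# poked after each mutation - see helpers.BgService for what it does
		self.__bgSvc = BgService()

	def setFailTotal(self, value):
		"""Overwrite the running failure total (not lock-protected)."""
		self.__failTotal = value

	def getFailTotal(self):
		"""Return the running failure total (read without the lock)."""
		return self.__failTotal

	def getFailCount(self):
		"""Return ``(number of entries, sum of their retry counters)``.

		Walks the whole list under the lock, so it is slow with many active
		failures - meant for tests only.
		"""
		with self.__lock:
			retries = sum(f.getRetry() for f in self.__failList.values())
			return len(self.__failList), retries

	def setMaxRetry(self, value):
		"""Set the retry counter an entry must reach for toBan() to return it."""
		self.__maxRetry = value

	def getMaxRetry(self):
		"""Return the retry threshold used by toBan()."""
		return self.__maxRetry

	def setMaxTime(self, value):
		"""Set the time window used by addFailure() and cleanup()."""
		self.__maxTime = value

	def getMaxTime(self):
		"""Return the time window used by addFailure() and cleanup()."""
		return self.__maxTime

	def addFailure(self, ticket, count=1, observed=False):
		"""Register a failure for ``ticket`` and return its retry counter.

		Args:
			ticket: object providing getID()/getTime()/getAttempt()/getMatches()/
				getRetry(). A FailTicket is stored as-is; anything else is
				wrapped with FailTicket.wrap().
			count: number of failures this call accounts for.
			observed: True when the failure comes from the observer; for an
				ID that is not in the list this means it is already banned and
				no new entry is created.

		Returns:
			The retry counter of the stored entry, or ``ticket.getRetry()`` when
			nothing was added (observed failure / BanTicket for an unknown ID).
		"""
		attempts = 1
		with self.__lock:
			fid = ticket.getID()
			# keep the try body to the lookup only, so a KeyError raised while
			# merging (below) is not mistaken for "unknown ID"
			try:
				fData = self.__failList[fid]
			except KeyError:
				# not found - already banned - prevent to add failure if it
				# comes from the observer (or is a BanTicket)
				if observed or isinstance(ticket, BanTicket):
					return ticket.getRetry()
				# already a FailTicket - add it direct, otherwise create one
				# copying all ticket data
				if isinstance(ticket, FailTicket):
					fData = ticket
				else:
					fData = FailTicket.wrap(ticket)
				if count > ticket.getAttempt():
					fData.setRetry(count)
				self.__failList[fid] = fData
			else:
				if fData is ticket:
					# the same object - the same matches but +1 attempt
					matches = None
					attempt = 1
				else:
					# will be incremented / extended; be sure we count at
					# least +1 attempt
					matches = ticket.getMatches() if self.maxMatches else None
					attempt = ticket.getAttempt()
					if attempt <= 0:
						attempt += 1
				fData.adjustTime(ticket.getTime(), self.__maxTime)
				fData.inc(matches, attempt, count)
				# keep only the newest maxMatches lines: bounds what is
				# stored per ID no matter how many failures arrive
				if self.maxMatches:
					matches = fData.getMatches()
					if len(matches) > self.maxMatches:
						fData.setMatches(matches[-self.maxMatches:])
				else:
					fData.setMatches(None)

			attempts = fData.getRetry()
			self.__failTotal += 1

			if logSys.getEffectiveLevel() <= logLevel:
				# yoh: composing this summary walks every active failure and
				# may be time consuming, so only do it when debug output is
				# actually enabled
				failures_summary = ', '.join('%s:%d' % (k, v.getRetry())
					for k, v in self.__failList.items())
				logSys.log(logLevel, "Total # of detected failures: %d. Current failures from %d IPs (IP:count): %s"
					% (self.__failTotal, len(self.__failList), failures_summary))

		self.__bgSvc.service()
		return attempts

	def size(self):
		"""Return the number of entries (read without the lock)."""
		return len(self.__failList)

	def cleanup(self, time):
		"""Expire every entry whose last failure is at or before ``time - maxTime``.

		Args:
			time: current time, in the same units as ``ticket.getTime()``.
		"""
		time -= self.__maxTime
		with self.__lock:
			todelete = [fid for fid, item in self.__failList.items()
				if item.getTime() <= time]
			if len(todelete) == len(self.__failList):
				# everything expired: replace the dict instead of filtering it
				self.__failList = {}
			elif not todelete:
				# nothing to expire - return without poking the service
				return
			elif 3 * len(todelete) <= 2 * len(self.__failList):
				# at most 2/3 expired - remove the particular items
				for fid in todelete:
					del self.__failList[fid]
			else:
				# most entries expired - build a new dict of the survivors
				self.__failList = {fid: item for fid, item in self.__failList.items()
					if item.getTime() > time}
		self.__bgSvc.service()

	def delFailure(self, fid):
		"""Remove the entry for ``fid``; unknown IDs are ignored."""
		with self.__lock:
			try:
				del self.__failList[fid]
			except KeyError:
				pass

	def toBan(self, fid=None):
		"""Pop and return one entry whose retry counter reached ``maxRetry``.

		Args:
			fid: restrict the search to this ID when it is in the list; an
				omitted or unknown ID scans the whole list in dict order and
				returns the first entry that qualifies.

		Raises:
			FailManagerEmpty: no entry is ready to be banned.
		"""
		with self.__lock:
			if fid is not None and fid in self.__failList:
				candidates = [fid]
			else:
				candidates = self.__failList
			for fid in candidates:
				data = self.__failList[fid]
				if data.getRetry() >= self.__maxRetry:
					# deleting during iteration is safe: we return right away
					del self.__failList[fid]
					return data
		self.__bgSvc.service()
		raise FailManagerEmpty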
class FailManagerEmpty(Exception):
	"""Raised by FailManager.toBan() when no entry has reached maxRetry."""