mirror of https://github.com/fail2ban/fail2ban
352 lines
11 KiB
Python
352 lines
11 KiB
Python
# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*-
|
|
# vi: set ft=python sts=4 ts=4 sw=4 noet :
|
|
|
|
# This file is part of Fail2Ban.
|
|
#
|
|
# Fail2Ban is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 2 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# Fail2Ban is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with Fail2Ban; if not, write to the Free Software
|
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
|
|
# Author: Cyril Jaquier
|
|
|
|
__author__ = "Cyril Jaquier, Lee Clemens, Yaroslav Halchenko"
|
|
__copyright__ = "Copyright (c) 2004 Cyril Jaquier, 2011-2012 Lee Clemens, 2012 Yaroslav Halchenko"
|
|
__license__ = "GPL"
|
|
|
|
import logging
|
|
import math
|
|
import random
|
|
import Queue
|
|
|
|
from .actions import Actions
|
|
from ..helpers import getLogger, _as_bool, extractOptions, MyTime
|
|
from .mytime import MyTime
|
|
|
|
# Gets the instance of the logger.
|
|
logSys = getLogger(__name__)
|
|
|
|
|
|
class Jail(object):
|
|
"""Fail2Ban jail, which manages a filter and associated actions.
|
|
|
|
The class handles the initialisation of a filter, and actions. It's
|
|
role is then to act as an interface between the filter and actions,
|
|
passing bans detected by the filter, for the actions to then act upon.
|
|
|
|
Parameters
|
|
----------
|
|
name : str
|
|
Name assigned to the jail.
|
|
backend : str
|
|
Backend to be used for filter. "auto" will attempt to pick
|
|
the most preferred backend method. Default: "auto"
|
|
db : Fail2BanDb
|
|
Fail2Ban persistent database instance. Default: `None`
|
|
|
|
Attributes
|
|
----------
|
|
name
|
|
database
|
|
filter
|
|
actions
|
|
idle
|
|
status
|
|
"""
|
|
|
|
#Known backends. Each backend should have corresponding __initBackend method
|
|
# yoh: stored in a list instead of a tuple since only
|
|
# list had .index until 2.6
|
|
_BACKENDS = ['pyinotify', 'gamin', 'polling', 'systemd']
|
|
|
|
def __init__(self, name, backend = "auto", db=None):
|
|
self.__db = db
|
|
# 26 based on iptable chain name limit of 30 less len('f2b-')
|
|
if len(name) >= 26:
|
|
logSys.warning("Jail name %r might be too long and some commands "
|
|
"might not function correctly. Please shorten"
|
|
% name)
|
|
self.__name = name
|
|
self.__queue = Queue.Queue()
|
|
self.__filter = None
|
|
# Extra parameters for increase ban time
|
|
self._banExtra = {};
|
|
logSys.info("Creating new jail '%s'" % self.name)
|
|
if backend is not None:
|
|
self._setBackend(backend)
|
|
self.backend = backend
|
|
|
|
def __repr__(self):
|
|
return "%s(%r)" % (self.__class__.__name__, self.name)
|
|
|
|
def _setBackend(self, backend):
|
|
backend, beArgs = extractOptions(backend)
|
|
backend = backend.lower() # to assure consistent matching
|
|
|
|
backends = self._BACKENDS
|
|
if backend != 'auto':
|
|
# we have got strict specification of the backend to use
|
|
if not (backend in self._BACKENDS):
|
|
logSys.error("Unknown backend %s. Must be among %s or 'auto'"
|
|
% (backend, backends))
|
|
raise ValueError("Unknown backend %s. Must be among %s or 'auto'"
|
|
% (backend, backends))
|
|
# so explore starting from it till the 'end'
|
|
backends = backends[backends.index(backend):]
|
|
|
|
for b in backends:
|
|
initmethod = getattr(self, '_init%s' % b.capitalize())
|
|
try:
|
|
initmethod(**beArgs)
|
|
if backend != 'auto' and b != backend:
|
|
logSys.warning("Could only initiated %r backend whenever "
|
|
"%r was requested" % (b, backend))
|
|
else:
|
|
logSys.info("Initiated %r backend" % b)
|
|
self.__actions = Actions(self)
|
|
return # we are done
|
|
except ImportError as e: # pragma: no cover
|
|
# Log debug if auto, but error if specific
|
|
logSys.log(
|
|
logging.DEBUG if backend == "auto" else logging.ERROR,
|
|
"Backend %r failed to initialize due to %s" % (b, e))
|
|
# pragma: no cover
|
|
# log error since runtime error message isn't printed, INVALID COMMAND
|
|
logSys.error(
|
|
"Failed to initialize any backend for Jail %r" % self.name)
|
|
raise RuntimeError(
|
|
"Failed to initialize any backend for Jail %r" % self.name)
|
|
|
|
def _initPolling(self, **kwargs):
|
|
from filterpoll import FilterPoll
|
|
logSys.info("Jail '%s' uses poller %r" % (self.name, kwargs))
|
|
self.__filter = FilterPoll(self, **kwargs)
|
|
|
|
def _initGamin(self, **kwargs):
|
|
# Try to import gamin
|
|
from filtergamin import FilterGamin
|
|
logSys.info("Jail '%s' uses Gamin %r" % (self.name, kwargs))
|
|
self.__filter = FilterGamin(self, **kwargs)
|
|
|
|
def _initPyinotify(self, **kwargs):
|
|
# Try to import pyinotify
|
|
from filterpyinotify import FilterPyinotify
|
|
logSys.info("Jail '%s' uses pyinotify %r" % (self.name, kwargs))
|
|
self.__filter = FilterPyinotify(self, **kwargs)
|
|
|
|
def _initSystemd(self, **kwargs): # pragma: systemd no cover
|
|
# Try to import systemd
|
|
from filtersystemd import FilterSystemd
|
|
logSys.info("Jail '%s' uses systemd %r" % (self.name, kwargs))
|
|
self.__filter = FilterSystemd(self, **kwargs)
|
|
|
|
@property
|
|
def name(self):
|
|
"""Name of jail.
|
|
"""
|
|
return self.__name
|
|
|
|
@property
|
|
def database(self):
|
|
"""The database used to store persistent data for the jail.
|
|
"""
|
|
return self.__db
|
|
|
|
@database.setter
|
|
def database(self, value):
|
|
self.__db = value;
|
|
|
|
@property
|
|
def filter(self):
|
|
"""The filter which the jail is using to monitor log files.
|
|
"""
|
|
return self.__filter
|
|
|
|
@property
|
|
def actions(self):
|
|
"""Actions object used to manage actions for jail.
|
|
"""
|
|
return self.__actions
|
|
|
|
@property
|
|
def idle(self):
|
|
"""A boolean indicating whether jail is idle.
|
|
"""
|
|
return self.filter.idle or self.actions.idle
|
|
|
|
@idle.setter
|
|
def idle(self, value):
|
|
self.filter.idle = value
|
|
self.actions.idle = value
|
|
|
|
def status(self, flavor="basic"):
|
|
"""The status of the jail.
|
|
"""
|
|
return [
|
|
("Filter", self.filter.status(flavor=flavor)),
|
|
("Actions", self.actions.status(flavor=flavor)),
|
|
]
|
|
|
|
@property
|
|
def hasFailTickets(self):
|
|
"""Retrieve whether queue has tickets to ban.
|
|
"""
|
|
return not self.__queue.empty()
|
|
|
|
def putFailTicket(self, ticket):
|
|
"""Add a fail ticket to the jail.
|
|
|
|
Used by filter to add a failure for banning.
|
|
"""
|
|
self.__queue.put(ticket)
|
|
# add ban to database moved to observer (should previously check not already banned
|
|
# and increase ticket time if "bantime.increment" set)
|
|
|
|
def getFailTicket(self):
|
|
"""Get a fail ticket from the jail.
|
|
|
|
Used by actions to get a failure for banning.
|
|
"""
|
|
try:
|
|
ticket = self.__queue.get(False)
|
|
return ticket
|
|
except Queue.Empty:
|
|
return False
|
|
|
|
def setBanTimeExtra(self, opt, value):
|
|
# merge previous extra with new option:
|
|
be = self._banExtra;
|
|
if value == '':
|
|
value = None
|
|
if value is not None:
|
|
be[opt] = value;
|
|
elif opt in be:
|
|
del be[opt]
|
|
logSys.info('Set banTime.%s = %s', opt, value)
|
|
if opt == 'increment':
|
|
be[opt] = _as_bool(value)
|
|
if be.get(opt) and self.database is None:
|
|
logSys.warning("ban time increment is not available as long jail database is not set")
|
|
if opt in ['maxtime', 'rndtime']:
|
|
if not value is None:
|
|
be[opt] = MyTime.str2seconds(value)
|
|
# prepare formula lambda:
|
|
if opt in ['formula', 'factor', 'maxtime', 'rndtime', 'multipliers'] or be.get('evformula', None) is None:
|
|
# split multifiers to an array begins with 0 (or empty if not set):
|
|
if opt == 'multipliers':
|
|
be['evmultipliers'] = [int(i) for i in (value.split(' ') if value is not None and value != '' else [])]
|
|
# if we have multifiers - use it in lambda, otherwise compile and use formula within lambda
|
|
multipliers = be.get('evmultipliers', [])
|
|
banFactor = eval(be.get('factor', "1"))
|
|
if len(multipliers):
|
|
evformula = lambda ban, banFactor=banFactor: (
|
|
ban.Time * banFactor * multipliers[ban.Count if ban.Count < len(multipliers) else -1]
|
|
)
|
|
else:
|
|
formula = be.get('formula', 'ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor')
|
|
formula = compile(formula, '~inline-conf-expr~', 'eval')
|
|
evformula = lambda ban, banFactor=banFactor, formula=formula: max(ban.Time, eval(formula))
|
|
# extend lambda with max time :
|
|
if not be.get('maxtime', None) is None:
|
|
maxtime = be['maxtime']
|
|
evformula = lambda ban, evformula=evformula: min(evformula(ban), maxtime)
|
|
# mix lambda with random time (to prevent bot-nets to calculate exact time IP can be unbanned):
|
|
if not be.get('rndtime', None) is None:
|
|
rndtime = be['rndtime']
|
|
evformula = lambda ban, evformula=evformula: (evformula(ban) + random.random() * rndtime)
|
|
# set to extra dict:
|
|
be['evformula'] = evformula
|
|
#logSys.info('banTimeExtra : %s' % json.dumps(be))
|
|
|
|
def getBanTimeExtra(self, opt=None):
|
|
if opt is not None:
|
|
return self._banExtra.get(opt, None)
|
|
return self._banExtra
|
|
|
|
def getMaxBanTime(self):
|
|
"""Returns max possible ban-time of jail.
|
|
"""
|
|
return self._banExtra.get("maxtime", -1) \
|
|
if self._banExtra.get('increment') else self.actions.getBanTime()
|
|
|
|
def restoreCurrentBans(self, correctBanTime=True):
|
|
"""Restore any previous valid bans from the database.
|
|
"""
|
|
try:
|
|
if self.database is not None:
|
|
if self._banExtra.get('increment'):
|
|
forbantime = None;
|
|
if correctBanTime:
|
|
correctBanTime = self.getMaxBanTime()
|
|
else:
|
|
# use ban time as search time if we have not enabled a increasing:
|
|
forbantime = self.actions.getBanTime()
|
|
for ticket in self.database.getCurrentBans(jail=self, forbantime=forbantime,
|
|
correctBanTime=correctBanTime, maxmatches=self.filter.failManager.maxMatches
|
|
):
|
|
try:
|
|
#logSys.debug('restored ticket: %s', ticket)
|
|
if self.filter.inIgnoreIPList(ticket.getID(), log_ignore=True): continue
|
|
# mark ticked was restored from database - does not put it again into db:
|
|
ticket.restored = True
|
|
# correct start time / ban time (by the same end of ban):
|
|
btm = ticket.getBanTime(forbantime)
|
|
diftm = MyTime.time() - ticket.getTime()
|
|
if btm != -1 and diftm > 0:
|
|
btm -= diftm
|
|
# ignore obsolete tickets:
|
|
if btm != -1 and btm <= 0:
|
|
continue
|
|
self.putFailTicket(ticket)
|
|
except Exception as e: # pragma: no cover
|
|
logSys.error('Restore ticket failed: %s', e,
|
|
exc_info=logSys.getEffectiveLevel()<=logging.DEBUG)
|
|
except Exception as e: # pragma: no cover
|
|
logSys.error('Restore bans failed: %s', e,
|
|
exc_info=logSys.getEffectiveLevel()<=logging.DEBUG)
|
|
|
|
def start(self):
|
|
"""Start the jail, by starting filter and actions threads.
|
|
|
|
Once stated, also queries the persistent database to reinstate
|
|
any valid bans.
|
|
"""
|
|
logSys.debug("Starting jail %r", self.name)
|
|
self.filter.start()
|
|
self.actions.start()
|
|
self.restoreCurrentBans()
|
|
logSys.info("Jail %r started", self.name)
|
|
|
|
def stop(self, stop=True, join=True):
|
|
"""Stop the jail, by stopping filter and actions threads.
|
|
"""
|
|
if stop:
|
|
logSys.debug("Stopping jail %r", self.name)
|
|
for obj in (self.filter, self.actions):
|
|
try:
|
|
## signal to stop filter / actions:
|
|
if stop:
|
|
obj.stop()
|
|
## wait for end of threads:
|
|
if join:
|
|
obj.join()
|
|
except Exception as e:
|
|
logSys.error("Stop %r of jail %r failed: %s", obj, self.name, e,
|
|
exc_info=logSys.getEffectiveLevel()<=logging.DEBUG)
|
|
if join:
|
|
logSys.info("Jail %r stopped", self.name)
|
|
|
|
def isAlive(self):
|
|
"""Check jail "isAlive" by checking filter and actions threads.
|
|
"""
|
|
return self.filter.isAlive() or self.actions.isAlive()
|