mirror of https://github.com/fail2ban/fail2ban
87 lines
3.1 KiB
Plaintext
Executable File
87 lines
3.1 KiB
Plaintext
Executable File
#!/sbin/openrc-run
|
|
# This file is part of Fail2Ban.
|
|
#
|
|
# Fail2Ban is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 2 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# Fail2Ban is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with Fail2Ban; if not, write to the Free Software
|
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
#
|
|
# Author: Sireyessire, Cyril Jaquier
|
|
#
|
|
|
|
description="Ban hosts that cause multiple authentication errors"
|
|
description_reload="reload configuration without dropping bans"
|
|
extra_started_commands="reload"
|
|
|
|
# Can't (and shouldn't) be changed by the end-user.
|
|
#
|
|
# Note that @BINDIR@ is already supplied by the build system. Some
|
|
# day, it might be nice to have @RUNDIR@ supplied by the build system
|
|
# as well, so that we don't have to hard-code /run here.
|
|
FAIL2BAN_RUNDIR="/run/${RC_SVCNAME}"
|
|
FAIL2BAN_SOCKET="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.sock"
|
|
|
|
# The fail2ban-client program is also capable of starting and stopping
|
|
# the server, but things are simpler if we let start-stop-daemon do it.
|
|
command="@BINDIR@/fail2ban-server"
|
|
pidfile="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.pid"
|
|
|
|
# We force the pidfile/socket location in this service script because
|
|
# we're taking responsibility for ensuring that their parent directory
|
|
# exists and has the correct permissions (which we can't do if the
|
|
# user is allowed to change them).
|
|
command_args="${FAIL2BAN_OPTIONS} -p ${pidfile} -s ${FAIL2BAN_SOCKET}"
|
|
retry="30"
|
|
|
|
depend() {
|
|
use logger
|
|
after iptables
|
|
}
|
|
|
|
checkconfig() {
|
|
"${command}" ${command_args} --test
|
|
}
|
|
|
|
start_pre() {
|
|
# If this isn't a restart, make sure that the user's config isn't
|
|
# busted before we try to start the daemon (this will produce
|
|
# better error messages than if we just try to start it blindly).
|
|
#
|
|
# If, on the other hand, this *is* a restart, then the stop_pre
|
|
# action will have ensured that the config is usable and we don't
|
|
# need to do that again.
|
|
if [ "${RC_CMD}" != "restart" ] ; then
|
|
checkconfig || return $?
|
|
fi
|
|
checkpath -d "${FAIL2BAN_RUNDIR}"
|
|
}
|
|
|
|
stop_pre() {
|
|
# If this is a restart, check to make sure the user's config
|
|
# isn't busted before we stop the running daemon.
|
|
if [ "${RC_CMD}" = "restart" ] ; then
|
|
checkconfig || return $?
|
|
fi
|
|
}
|
|
|
|
reload() {
|
|
# The fail2ban-client uses an undocumented protocol to tell
|
|
# the server to reload(), so we have to use it here rather
|
|
# than e.g. sending a signal to the server daemon. Note that
|
|
# the reload will fail (on the server side) if the new config
|
|
# is invalid; we therefore don't need to test it ourselves
|
|
# with checkconfig() before initiating the reload.
|
|
ebegin "Reloading ${RC_SVCNAME}"
|
|
"@BINDIR@/fail2ban-client" ${command_args} reload
|
|
eend $? "Failed to reload ${RC_SVCNAME}"
|
|
}
|