mirror of https://github.com/fail2ban/fail2ban
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
256 lines
6.6 KiB
256 lines
6.6 KiB
#! /bin/sh
|
|
### BEGIN INIT INFO
|
|
# Provides: fail2ban
|
|
# Required-Start: $local_fs $remote_fs
|
|
# Required-Stop: $local_fs $remote_fs
|
|
# Should-Start: $time $network $syslog $named iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm ufw
|
|
# Should-Stop: $network $syslog $named iptables firehol shorewall ipmasq arno-iptables-firewall iptables-persistent ferm ufw
|
|
# Default-Start: 2 3 4 5
|
|
# Default-Stop: 0 1 6
|
|
# Short-Description: Start/stop fail2ban
|
|
# Description: Start/stop fail2ban, a daemon scanning the log files and
|
|
# banning potential attackers.
|
|
### END INIT INFO
|
|
|
|
# Author: Aaron Isotton <aaron@isotton.com>
|
|
# Modified: by Yaroslav Halchenko <debian@onerussian.com>
|
|
# reindented + minor corrections + to work on sarge without modifications
|
|
# Modified: by Glenn Aaldering <glenn@openvideo.nl>
|
|
# added exit codes for status command
|
|
# Modified: by Juan Karlo de Guzman <jkarlodg@gmail.com>
|
|
# corrected the DAEMON's path and the SOCKFILE
|
|
# rename this file: (sudo) mv /etc/init.d/fail2ban.init /etc/init.d/fail2ban
|
|
# same with the logrotate file: (sudo) mv /etc/logrotate.d/fail2ban.logrotate /etc/logrotate.d/fail2ban
|
|
#
|
|
PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin
|
|
DESC="authentication failure monitor"
|
|
NAME=fail2ban
|
|
|
|
# fail2ban-client is not a daemon itself but starts a daemon and
|
|
# loads its with configuration
|
|
DAEMON=/usr/local/bin/$NAME-client
|
|
SCRIPTNAME=/etc/init.d/$NAME
|
|
|
|
# Ad-hoc way to parse out socket file name
|
|
SOCKFILE=`grep -h '^[^#]*socket *=' /etc/$NAME/$NAME.conf /etc/$NAME/$NAME.local 2>/dev/null \
|
|
| tail -n 1 | sed -e 's/.*socket *= *//g' -e 's/ *$//g'`
|
|
[ -z "$SOCKFILE" ] && SOCKFILE='/var/run/fail2ban.sock'
|
|
|
|
# Exit if the package is not installed
|
|
[ -x "$DAEMON" ] || exit 0
|
|
|
|
# Run as root by default.
|
|
FAIL2BAN_USER=root
|
|
|
|
# Read configuration variable file if it is present
|
|
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
|
|
DAEMON_ARGS="$FAIL2BAN_OPTS"
|
|
|
|
# Load the VERBOSE setting and other rcS variables
|
|
[ -f /etc/default/rcS ] && . /etc/default/rcS
|
|
|
|
# Predefine what can be missing from lsb source later on -- necessary to run
|
|
# on sarge. Just present it in a bit more compact way from what was shipped
|
|
log_daemon_msg () {
|
|
[ -z "$1" ] && return 1
|
|
echo -n "$1:"
|
|
[ -z "$2" ] || echo -n " $2"
|
|
}
|
|
|
|
# Define LSB log_* functions.
|
|
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
|
|
# Actually has to (>=2.0-7) present in sarge. log_daemon_msg is predefined
|
|
# so we must be ok
|
|
. /lib/lsb/init-functions
|
|
|
|
#
|
|
# Shortcut function for abnormal init script interruption
|
|
#
|
|
report_bug()
|
|
{
|
|
echo $*
|
|
echo "Please submit a bug report to Debian BTS (reportbug fail2ban)"
|
|
exit 1
|
|
}
|
|
|
|
#
|
|
# Helper function to check if socket is present, which is often left after
|
|
# abnormal exit of fail2ban and needs to be removed
|
|
#
|
|
check_socket()
|
|
{
|
|
# Return
|
|
# 0 if socket is present and readable
|
|
# 1 if socket file is not present
|
|
# 2 if socket file is present but not readable
|
|
# 3 if socket file is present but is not a socket
|
|
[ -e "$SOCKFILE" ] || return 1
|
|
[ -r "$SOCKFILE" ] || return 2
|
|
[ -S "$SOCKFILE" ] || return 3
|
|
return 0
|
|
}
|
|
|
|
#
|
|
# Function that starts the daemon/service
|
|
#
|
|
do_start()
|
|
{
|
|
# Return
|
|
# 0 if daemon has been started
|
|
# 1 if daemon was already running
|
|
# 2 if daemon could not be started
|
|
do_status && return 1
|
|
|
|
if [ -e "$SOCKFILE" ]; then
|
|
log_failure_msg "Socket file $SOCKFILE is present"
|
|
[ "$1" = "force-start" ] \
|
|
&& log_success_msg "Starting anyway as requested" \
|
|
|| return 2
|
|
DAEMON_ARGS="$DAEMON_ARGS -x"
|
|
fi
|
|
|
|
# Assure that /var/run/fail2ban exists
|
|
[ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban
|
|
|
|
if [ "$FAIL2BAN_USER" != "root" ]; then
|
|
# Make the socket directory, IP lists and fail2ban log
|
|
# files writable by fail2ban
|
|
chown "$FAIL2BAN_USER" /var/run/fail2ban
|
|
# Create the logfile if it doesn't exist
|
|
touch /var/log/fail2ban.log
|
|
chown "$FAIL2BAN_USER" /var/log/fail2ban.log
|
|
find /proc/net/xt_recent -name 'fail2ban-*' -exec chown "$FAIL2BAN_USER" {} \;
|
|
fi
|
|
|
|
start-stop-daemon --start --quiet --chuid "$FAIL2BAN_USER" --exec $DAEMON -- \
|
|
$DAEMON_ARGS start > /dev/null\
|
|
|| return 2
|
|
|
|
return 0
|
|
}
|
|
|
|
|
|
#
|
|
# Function that checks the status of fail2ban and returns
|
|
# corresponding code
|
|
#
|
|
do_status()
|
|
{
|
|
$DAEMON ping > /dev/null 2>&1
|
|
return $?
|
|
}
|
|
|
|
#
|
|
# Function that stops the daemon/service
|
|
#
|
|
do_stop()
|
|
{
|
|
# Return
|
|
# 0 if daemon has been stopped
|
|
# 1 if daemon was already stopped
|
|
# 2 if daemon could not be stopped
|
|
# other if a failure occurred
|
|
$DAEMON status > /dev/null 2>&1 || return 1
|
|
$DAEMON stop > /dev/null || return 2
|
|
|
|
# now we need actually to wait a bit since it might take time
|
|
# for server to react on client's stop request. Especially
|
|
# important for restart command on slow boxes
|
|
count=1
|
|
while do_status && [ $count -lt 60 ]; do
|
|
sleep 1
|
|
count=$(($count+1))
|
|
done
|
|
[ $count -lt 60 ] || return 3 # failed to stop
|
|
|
|
return 0
|
|
}
|
|
|
|
#
|
|
# Function to reload configuration
|
|
#
|
|
do_reload() {
|
|
$DAEMON reload > /dev/null && return 0 || return 1
|
|
return 0
|
|
}
|
|
|
|
# yoh:
|
|
# shortcut function to don't duplicate case statements and to don't use
|
|
# bashisms (arrays). Fixes #368218
|
|
#
|
|
log_end_msg_wrapper()
|
|
{
|
|
if [ $1 != 0 ] && [ $1 != $2 ]; then
|
|
value=1
|
|
else
|
|
value=0
|
|
fi
|
|
if [ "$3" != "no" ]; then
|
|
log_end_msg $value
|
|
fi
|
|
if [ $value != "0" ]; then
|
|
exit $1
|
|
fi
|
|
}
|
|
|
|
command="$1"
|
|
case "$command" in
|
|
start|force-start)
|
|
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
|
|
do_start "$command"
|
|
log_end_msg_wrapper $? 255 "$VERBOSE"
|
|
;;
|
|
|
|
stop)
|
|
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
|
|
do_stop
|
|
log_end_msg_wrapper $? 255 "$VERBOSE"
|
|
;;
|
|
|
|
restart|force-reload)
|
|
log_daemon_msg "Restarting $DESC" "$NAME"
|
|
do_stop
|
|
case "$?" in
|
|
0|1)
|
|
do_start
|
|
log_end_msg_wrapper $? 0 "always"
|
|
;;
|
|
*)
|
|
# Failed to stop
|
|
log_end_msg 1
|
|
;;
|
|
esac
|
|
;;
|
|
|
|
reload|force-reload)
|
|
log_daemon_msg "Reloading $DESC" "$NAME"
|
|
do_reload
|
|
log_end_msg $?
|
|
;;
|
|
|
|
status)
|
|
log_daemon_msg "Status of $DESC"
|
|
do_status
|
|
case $? in
|
|
0) log_success_msg " $NAME is running" ;;
|
|
255)
|
|
check_socket
|
|
case $? in
|
|
1) log_failure_msg " $NAME is not running" && exit 3 ;;
|
|
0) log_failure_msg " $NAME is not running but $SOCKFILE exists" && exit 3 ;;
|
|
2) log_failure_msg " $SOCKFILE not readable, status of $NAME is unknown" && exit 3 ;;
|
|
3) log_failure_msg " $SOCKFILE exists but not a socket, status of $NAME is unknown" && exit 3 ;;
|
|
*) report_bug "Unknown return code from $NAME:check_socket." && exit 4 ;;
|
|
esac
|
|
;;
|
|
*) report_bug "Unknown $NAME status code" && exit 4
|
|
esac
|
|
;;
|
|
*)
|
|
echo "Usage: $SCRIPTNAME {start|force-start|stop|restart|force-reload|status}" >&2
|
|
exit 3
|
|
;;
|
|
esac
|
|
|
|
:
|