Two new firewalld actions #1367
# Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-recidive$' | ||
|
||
actioncheck = firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$' | ||
|
||
actionban = firewall-cmd --direct --add-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype> | ||
actionban = firewall-cmd --direct --add-rule ipv4 filter f2b-<name> 0 -s <ip> -j REJECT |
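Review bot: the second `actionban` line hard-codes `-j REJECT` and drops the `<blocktype>` tag that the line above it still uses, so a jail can no longer choose DROP or another target for this action; keep `actionban = firewall-cmd --direct --add-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype>` and give the tag its default once, with `blocktype = REJECT` in the `[Init]` section, so that `actionunban` (which must remove the rule with the same target) and the jail-level override keep working.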
> and also fixed firewallcmd allports and multiport.

??? What was fixed here?
Block type can also be specified in the Init block as a default, and can be overridden in the jail or in includes (if wanted):

```ini
[Init]
blocktype = REJECT
```
BTW, I do not understand why the following test does not fail for this action (

# Test for presence of blocktype (in relation to gh-232)
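As an added illustration of the pattern described above (this is example configuration written for this page, not part of the PR or of fail2ban's shipped files; the action file name `firewallcmd-example` and the jail are assumptions), the action defines the target once in `[Init]` and a jail overrides it through the bracketed action parameters:

```ini
# action.d/firewallcmd-example.conf  (illustrative file name)
[Definition]
# Both rules use <blocktype>, so the unban removes exactly the rule the ban added
actionban   = firewall-cmd --direct --add-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype>
actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b-<name> 0 -s <ip> -j <blocktype>

[Init]
# Default target; any jail may override it with blocktype=... (see below)
blocktype = REJECT

# jail.local  (illustrative)
[sshd]
enabled = true
# This jail drops silently instead of using the action's default REJECT
action  = firewallcmd-example[name=sshd, blocktype=DROP]
```

The override works because every `<tag>` in `[Definition]` is substituted from the jail's action parameters first and from `[Init]` only when the jail does not set it.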
Sorry, that was a mistake. I wasn't synced with eed1a0d and was testing dependencies, and I copied the wrong file since I have three versions of fail2ban in my environment (gcm, xmpp, i18n).
@@ -29,10 +25,9 @@ actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b-<name> 0 -s <i | |||
|
|||
[Init] | |||
|
|||
# Default name of the chain | |||
# | |||
name = default |
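Review bot: the comment `# Default name of the chain` above `name = default` is misleading, because `name` is not a chain name by itself; it is the jail name that is substituted into `f2b-<name>` in `actioncheck`, `actionban` and `actionunban` (the fail2ban chain, not the INPUT chain). Reword it along the lines of `# Default name of the jail, used as the suffix of the f2b-<name> chain`.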
It is a default name for the fail2ban chain ;-)
I'll fix that. I don't know why I got the input chain mixed up with the f2b chains.
Sorry about all the commits; my grammar is terrible today. If someone could write something that executes the command for every port when a comma delimiter is used between ports, that would be awesome, since these new rich actions are limited to a single port or a range of ports.
Something like this (should work in the default shell):

```sh
ports="80,8080,88,8088"; for p in $(echo $ports | tr "," " "); do echo execute command for port "$p"; done
```

or this (

```sh
ports="80,8080,88,8088"; for p in ${ports//,/ }; do echo execute command for port "$p"; done
```
I'm sorry, but could you please give me an example that works in the config file, since I can't for the life of me get it working in the config. I can only echo the commands in the terminal but nothing is executed... My bash knowledge is poor.
Python seems to have a bug in ConfigParser with a space in front of a semicolon (I think it's a bug, because imho comments should begin on a new line...):

```
>>> import ConfigParser, StringIO
>>> s = '[def]\ntest1=1; 2\ntest2=3 ;-) 4\n'; print(s); p = ConfigParser.ConfigParser(); p.readfp(StringIO.StringIO(s)); p.items('def')
[def]
test1=1; 2
test2=3 ;-) 4
[('test1', '1; 2'), ('test2', '3')]
```

No way to escape; we can prospectively extend our config reader to replace something like So either remove the leading space for each

```
>>> s = '[def]\nactionban = ports="<port>"; for p in $(echo $ports | tr "," " "); do ban <HOST> --port "$p"; done\n'; print(s); p = ConfigParser.ConfigParser(); p.readfp(StringIO.StringIO(s)); p.items('def')
```
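The two things discussed in the last few comments, the per-port shell loop and the ConfigParser inline-comment truncation, put together as an added, runnable example (this is not fail2ban code and not code from anyone in the thread; the action text, the `<port>`/`<ip>` tags and the `ban` command are constructed for illustration). Python 3's `configparser` only strips inline `;` comments when asked to, so the Python 2 behaviour is reproduced with `inline_comment_prefixes=(';',)`:

```python
"""ConfigParser inline-comment pitfall and the per-port shell loop.

Added example for this thread; it is not fail2ban code.  The action
text, tag names and the `ban` command are constructed for illustration.
"""
import configparser
import subprocess

# Constructed action with a space before ';' (the broken case from the thread).
BROKEN_CONF = """\
[Definition]
actionban = ports="<port>" ; for p in $(echo $ports | tr "," " "); do ban <ip> --port "$p"; done
"""

# Same action with no whitespace before any ';', which the parser leaves alone.
FIXED_CONF = """\
[Definition]
actionban = ports="<port>"; for p in $(echo $ports | tr "," " "); do ban <ip> --port "$p"; done
"""


def parse_actionban(text, inline_comments=True):
    """Return the actionban value of a constructed action section.

    inline_comments=True reproduces Python 2 ConfigParser (and Python 3 with
    inline_comment_prefixes=(';',)): a ';' that is preceded by whitespace
    starts a comment and the rest of the line is discarded.  With
    inline_comments=False (the Python 3 default) ';' is never a comment.
    """
    prefixes = (';',) if inline_comments else None
    cp = configparser.ConfigParser(inline_comment_prefixes=prefixes,
                                   interpolation=None)
    cp.read_string(text)
    return cp.get('Definition', 'actionban')


def substitute(template, tags):
    """Replace <tag> placeholders, a simplified stand-in for fail2ban's tag substitution."""
    for key, value in tags.items():
        template = template.replace('<%s>' % key, value)
    return template


def run_actionban(actionban, ports, ip):
    """Run the expanded action in /bin/sh and return the `ban` invocations.

    `ban` is a shell function that only echoes its arguments, so the example
    is side-effect free; a real action would call firewall-cmd here.
    """
    cmd = substitute(actionban, {'port': ports, 'ip': ip})
    script = 'ban() { echo "ban $*"; }\n' + cmd + '\n'
    result = subprocess.run(['sh', '-c', script], capture_output=True,
                            text=True, check=True)
    return result.stdout.splitlines()


if __name__ == '__main__':
    truncated = parse_actionban(BROKEN_CONF)
    print('parsed with inline comments:', truncated)          # the loop is gone
    print('commands executed          :', run_actionban(truncated, '80,8080', '192.0.2.1'))
    intact = parse_actionban(FIXED_CONF)
    for line in run_actionban(intact, '80,8080,88,8088', '192.0.2.1'):
        print(line)
```

With the space before `;`, the parsed value is just `ports="80,8080"` and the shell runs it as a harmless assignment, which is exactly the "nothing is executed" symptom reported above; without the space, one `ban` call is made per port.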
I was able to get it working and it's awesome. Thank you. This is now ready to be committed if you guys want to.

Sorry, I'm done editing them now.

👍
I have a question regarding "state": should we not be banning established connections too? Blocking new connections works for a stateless connection, but what about an established connection that has passed the queue and authentication and is now generating fail logs? Also, I just noticed firewallcmd-new has changed to multiports, so besides the action check it is identical to my firewallcmd-multiport.
Too many irrelevant commits, so I've rebased it onto current master (as a single commit)... Use
ver. 0.9.5 (2016/07/15) - old-not-obsolete
-----------
0.9.x line is no longer heavily developed. If you are interested in new features (e.g. IPv6 support), please consider the 0.10 branch and its releases.

* `filter.d/monit.conf`
  - Extended failregex with new monit "access denied" version (gh-1355)
  - failregex of previous monit version merged as single expression
* `filter.d/postfix.conf`, `filter.d/postfix-sasl.conf`
  - Extended failregex daemon part, matching also `postfix/smtps/smtpd` now (gh-1391)
* Fixed a grave bug within tags substitutions because of incorrect detection of recursion in case of multiple inline substitutions of the same tag (affected actions: `bsd-ipfw`, etc). Now tracks the actual list of the already substituted tags (per tag instead of single list)
* `filter.d/common.conf`
  - Unexpected extra regex-space in generic `__prefix_line` (gh-1405)
  - All optional spaces normalized in `common.conf`, test covered now
  - Generic `__prefix_line` extended with optional brackets for the date ambit (gh-1421), added new parameter `__date_ambit`
* `gentoo-initd` fixed `--pidfile` bug: `--pidfile` is an option of `start-stop-daemon`, not an argument of fail2ban (see gh-1434)
* `filter.d/asterisk.conf`
  - Fixed security log support for PJSIP and Asterisk 13+ (gh-1456)
  - Improved log support for PJSIP and Asterisk 13+ with different callID (gh-1458)
* New Actions:
  - `action.d/firewallcmd-rich-rules` and `action.d/firewallcmd-rich-logging` (gh-1367)
* New filters:
  - slapd - ban hosts that failed to connect with invalid credentials: error code 49 (gh-1478)
* Extreme speedup of all sqlite database operations (gh-1436), by using the following sqlite options:
  - (synchronous = OFF) write data through OS without syncing
  - (journal_mode = MEMORY) use memory for the transaction logging
  - (temp_store = MEMORY) temporary tables and indices are kept in memory
* journald journalmatch for pure-ftpd (gh-1362)
* Added additional regex filter for dovecot ldap authentication failures (gh-1370)
* `filter.d/exim*conf`
  - Added additional regexes (gh-1371)
  - Made port entry optional

* tag '0.9.5': (70 commits)
  - DOC: preparations for 0.9.5 release
  - Added missing files to MANIFEST
  - another variant of regex
  - add trailing anchor to failregex
  - DOC: Reformatted ChangeLog into legit Markdown (Closes fail2ban#962)
  - DOC: tuned up ChangeLog entries for 0.9.5
  - add PR id to ChangeLog
  - improved failregex according to @sebres recommendations
  - Improved changes of gh-1458: `[^']*` after callid was wrong, changed to `[^\)]*`; regexp anchored at the end; almost the same regex grouped to one;
  - Improve PJSIP log support for asterisk 13+ with different callID (Squash gh-1458)
  - Change the asterisk pjsip filter to not take the callId part
  - Add optional part between "Request" and "from"
  - Listed all log messages from asterisk * add `__prefix_line` to regex * fix time in log file
  - add info to log file
  - added sample log lines for slapd
  - adding openldap slapd filter
  - badip timeout option introduced, set to 30 seconds in our test cases (fail2ban#1463)
  - DOC: changelog for recent exim filters
  - tune up Asterisk pjsip (fail2ban#1456)
  - BF: finalize that sample log line for exim4
  - amend for new option of `usedns=raw` - forgotten validation fix inside setUseDns
  - RF: for consistency use (?:XXX)? instead of (?:|XXX)
  - ...
Added two new firewalld actions for a cleaner iptables layout and also fixed firewallcmd allports and multiport.