1 | diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-allports.conf fail2ban-0.8.11/config/action.d/iptables-allports.conf |
2 | --- fail2ban-0.8.11.orig/config/action.d/iptables-allports.conf 2013-11-12 22:06:54.000000000 +0100 | |
3 | +++ fail2ban-0.8.11/config/action.d/iptables-allports.conf 2014-01-06 11:20:42.599243574 +0100 | |
4 | @@ -2,7 +2,8 @@ | |
5 | # | |
6 | # Author: Cyril Jaquier | |
7 | # Modified: Yaroslav O. Halchenko <debian@onerussian.com> | |
8 | -# made active on all ports from original iptables.conf | |
9 | +# made active on all ports from original fail2ban-iptables.conf | |
10 | +# Modified by Paul J aka Thanat0s for ipv6 support | |
11 | # | |
12 | # | |
13 | ||
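Review bot: The rewritten comment `# made active on all ports from original fail2ban-iptables.conf` names a file that does not exist; the file this action was derived from is still config/action.d/iptables.conf, and only the command being invoked changed. The same global substitution also produced `# Copied from fail2ban-iptables.conf` in the iptables-new.conf header hunk and `# Notes specifies the fail2ban-iptables chain` in the [Init] hunk of every action file, where <chain> is still an iptables/ip6tables chain name such as INPUT. I would restore `iptables.conf` and `iptables chain` in those comments and explain the rename once, next to the author credit, e.g. `# Commands go through the fail2ban-iptables wrapper, which picks iptables or ip6tables from the arguments`.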
14 | @@ -17,23 +18,23 @@ | |
15 | # Notes.: command executed once at the start of Fail2Ban. | |
16 | # Values: CMD | |
17 | # | |
18 | -actionstart = iptables -N fail2ban-<name> | |
19 | - iptables -A fail2ban-<name> -j RETURN | |
20 | - iptables -I <chain> -p <protocol> -j fail2ban-<name> | |
21 | +actionstart = fail2ban-iptables -N fail2ban-<name> | |
22 | + fail2ban-iptables -A fail2ban-<name> -j RETURN | |
23 | + fail2ban-iptables -I <chain> -p <protocol> -j fail2ban-<name> | |
24 | ||
25 | # Option: actionstop | |
26 | # Notes.: command executed once at the end of Fail2Ban | |
27 | # Values: CMD | |
28 | # | |
29 | -actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name> | |
30 | - iptables -F fail2ban-<name> | |
31 | - iptables -X fail2ban-<name> | |
32 | +actionstop = fail2ban-iptables -D <chain> -p <protocol> -j fail2ban-<name> | |
33 | + fail2ban-iptables -F fail2ban-<name> | |
34 | + fail2ban-iptables -X fail2ban-<name> | |
35 | ||
36 | # Option: actioncheck | |
37 | # Notes.: command executed once before each actionban command | |
38 | # Values: CMD | |
39 | # | |
40 | -actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]' | |
41 | +actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]' | |
42 | ||
43 | # Option: actionban | |
44 | # Notes.: command executed when banning an IP. Take care that the | |
45 | @@ -41,7 +42,7 @@ | |
46 | # Tags: See jail.conf(5) man page | |
47 | # Values: CMD | |
48 | # | |
49 | -actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype> | |
50 | +actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype> | |
51 | ||
52 | # Option: actionunban | |
53 | # Notes.: command executed when unbanning an IP. Take care that the | |
54 | @@ -49,7 +50,7 @@ | |
55 | # Tags: See jail.conf(5) man page | |
56 | # Values: CMD | |
57 | # | |
58 | -actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype> | |
59 | +actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j <blocktype> | |
60 | ||
61 | [Init] | |
62 | ||
63 | @@ -64,7 +65,7 @@ | |
64 | protocol = tcp | |
65 | ||
66 | # Option: chain | |
67 | -# Notes specifies the iptables chain to which the fail2ban rules should be | |
68 | +# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be | |
69 | # added | |
70 | # Values: STRING Default: INPUT | |
71 | chain = INPUT | |
72 | diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-blocktype.conf fail2ban-0.8.11/config/action.d/iptables-blocktype.conf | |
73 | --- fail2ban-0.8.11.orig/config/action.d/iptables-blocktype.conf 2013-11-12 22:06:54.000000000 +0100 | |
74 | +++ fail2ban-0.8.11/config/action.d/iptables-blocktype.conf 2014-01-06 15:50:20.525793123 +0100 | |
75 | @@ -18,5 +18,5 @@ | |
76 | # as per the iptables man page (section 8). Common values are DROP | |
77 | # REJECT, REJECT --reject-with icmp-port-unreachable | |
78 | # Values: STRING | |
79 | -blocktype = REJECT --reject-with icmp-port-unreachable | |
80 | +blocktype = REJECT | |
81 | ||
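Review bot: The new default `blocktype = REJECT` drops the explicit `--reject-with icmp-port-unreachable` without recording why, and the context comment two lines above still lists that option as a common value. Since the commands now pass through the fail2ban-iptables wrapper and may reach ip6tables, where that ICMP type name is not accepted (ip6tables uses icmp6-port-unreachable), the bare REJECT lets each family fall back to its own default reject type, which for IPv4 is the same icmp-port-unreachable as before. I would say so in the comment, e.g. `# No --reject-with here: the value must be valid for both iptables and ip6tables, so each family uses its own default reject type.`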
82 | diff -urN fail2ban-0.8.11.orig/config/action.d/iptables.conf fail2ban-0.8.11/config/action.d/iptables.conf | |
83 | --- fail2ban-0.8.11.orig/config/action.d/iptables.conf 2013-11-12 22:06:54.000000000 +0100 | |
84 | +++ fail2ban-0.8.11/config/action.d/iptables.conf 2014-01-06 11:29:00.235906639 +0100 | |
85 | @@ -1,6 +1,7 @@ | |
86 | # Fail2Ban configuration file | |
87 | # | |
88 | # Author: Cyril Jaquier | |
89 | +# Modified by Paul J aka Thanat0s for ipv6 support | |
90 | # | |
91 | # | |
92 | ||
93 | @@ -14,23 +15,23 @@ | |
94 | # Notes.: command executed once at the start of Fail2Ban. | |
95 | # Values: CMD | |
96 | # | |
97 | -actionstart = iptables -N fail2ban-<name> | |
98 | - iptables -A fail2ban-<name> -j RETURN | |
99 | - iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name> | |
100 | +actionstart = fail2ban-iptables -N fail2ban-<name> | |
101 | + fail2ban-iptables -A fail2ban-<name> -j RETURN | |
102 | + fail2ban-iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name> | |
103 | ||
104 | # Option: actionstop | |
105 | # Notes.: command executed once at the end of Fail2Ban | |
106 | # Values: CMD | |
107 | # | |
108 | -actionstop = iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name> | |
109 | - iptables -F fail2ban-<name> | |
110 | - iptables -X fail2ban-<name> | |
111 | +actionstop = fail2ban-iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name> | |
112 | + fail2ban-iptables -F fail2ban-<name> | |
113 | + fail2ban-iptables -X fail2ban-<name> | |
114 | ||
115 | # Option: actioncheck | |
116 | # Notes.: command executed once before each actionban command | |
117 | # Values: CMD | |
118 | # | |
119 | -actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]' | |
120 | +actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]' | |
121 | ||
122 | # Option: actionban | |
123 | # Notes.: command executed when banning an IP. Take care that the | |
124 | @@ -38,7 +39,7 @@ | |
125 | # Tags: See jail.conf(5) man page | |
126 | # Values: CMD | |
127 | # | |
128 | -actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype> | |
129 | +actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype> | |
130 | ||
131 | # Option: actionunban | |
132 | # Notes.: command executed when unbanning an IP. Take care that the | |
133 | @@ -46,7 +47,7 @@ | |
134 | # Tags: See jail.conf(5) man page | |
135 | # Values: CMD | |
136 | # | |
137 | -actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype> | |
138 | +actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j <blocktype> | |
139 | ||
140 | [Init] | |
141 | ||
142 | @@ -67,7 +68,7 @@ | |
143 | protocol = tcp | |
144 | ||
145 | # Option: chain | |
146 | -# Notes specifies the iptables chain to which the fail2ban rules should be | |
147 | +# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be | |
148 | # added | |
149 | # Values: STRING Default: INPUT | |
150 | chain = INPUT | |
151 | diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-ipset-proto4.conf fail2ban-0.8.11/config/action.d/iptables-ipset-proto4.conf | |
152 | --- fail2ban-0.8.11.orig/config/action.d/iptables-ipset-proto4.conf 2013-11-12 22:06:54.000000000 +0100 | |
153 | +++ fail2ban-0.8.11/config/action.d/iptables-ipset-proto4.conf 2014-01-06 11:38:22.515902568 +0100 | |
154 | @@ -28,13 +28,13 @@ | |
155 | # Values: CMD | |
156 | # | |
157 | actionstart = ipset --create fail2ban-<name> iphash | |
158 | - iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype> | |
159 | + fail2ban-iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype> | |
160 | ||
161 | # Option: actionstop | |
162 | # Notes.: command executed once at the end of Fail2Ban | |
163 | # Values: CMD | |
164 | # | |
165 | -actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype> | |
166 | +actionstop = fail2ban-iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype> | |
167 | ipset --flush fail2ban-<name> | |
168 | ipset --destroy fail2ban-<name> | |
169 | ||
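Review bot: The ipset actions do not become dual-stack through the command rename alone: `ipset --create fail2ban-<name> iphash` here, and the `hash:ip` sets in the iptables-ipset-proto6 and iptables-ipset-proto6-allports hunks, create single-family sets (ipset defaults to the inet family), so an IPv6 entry added to them in actionban, which this patch does not touch, would fail at the ipset step. The rewritten `fail2ban-iptables -I INPUT ... -m set --match-set ...` lines contain no address, so the wrapper runs them through both iptables and ip6tables; the ip6tables call would presumably be rejected for referencing an inet set, and since the wrapper returns the worse exit status the whole actionstart fails. Either leave these three files on plain `iptables` and document them as IPv4-only, or create a second `family inet6` set and bind it with an explicit ip6tables rule.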
170 | diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-ipset-proto6-allports.conf fail2ban-0.8.11/config/action.d/iptables-ipset-proto6-allports.conf | |
171 | --- fail2ban-0.8.11.orig/config/action.d/iptables-ipset-proto6-allports.conf 2013-11-12 22:06:54.000000000 +0100 | |
172 | +++ fail2ban-0.8.11/config/action.d/iptables-ipset-proto6-allports.conf 2014-01-06 11:39:21.855902139 +0100 | |
173 | @@ -25,13 +25,13 @@ | |
174 | # Values: CMD | |
175 | # | |
176 | actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime> | |
177 | - iptables -I INPUT -m set --match-set fail2ban-<name> src -j <blocktype> | |
178 | + fail2ban-iptables -I INPUT -m set --match-set fail2ban-<name> src -j <blocktype> | |
179 | ||
180 | # Option: actionstop | |
181 | # Notes.: command executed once at the end of Fail2Ban | |
182 | # Values: CMD | |
183 | # | |
184 | -actionstop = iptables -D INPUT -m set --match-set fail2ban-<name> src -j <blocktype> | |
185 | +actionstop = fail2ban-iptables -D INPUT -m set --match-set fail2ban-<name> src -j <blocktype> | |
186 | ipset flush fail2ban-<name> | |
187 | ipset destroy fail2ban-<name> | |
188 | ||
189 | diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-ipset-proto6.conf fail2ban-0.8.11/config/action.d/iptables-ipset-proto6.conf | |
190 | --- fail2ban-0.8.11.orig/config/action.d/iptables-ipset-proto6.conf 2013-11-12 22:06:54.000000000 +0100 | |
191 | +++ fail2ban-0.8.11/config/action.d/iptables-ipset-proto6.conf 2014-01-06 11:38:58.449235641 +0100 | |
192 | @@ -25,13 +25,13 @@ | |
193 | # Values: CMD | |
194 | # | |
195 | actionstart = ipset create fail2ban-<name> hash:ip timeout <bantime> | |
196 | - iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype> | |
197 | + fail2ban-iptables -I INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype> | |
198 | ||
199 | # Option: actionstop | |
200 | # Notes.: command executed once at the end of Fail2Ban | |
201 | # Values: CMD | |
202 | # | |
203 | -actionstop = iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype> | |
204 | +actionstop = fail2ban-iptables -D INPUT -p <protocol> -m multiport --dports <port> -m set --match-set fail2ban-<name> src -j <blocktype> | |
205 | ipset flush fail2ban-<name> | |
206 | ipset destroy fail2ban-<name> | |
207 | ||
208 | diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-multiport.conf fail2ban-0.8.11/config/action.d/iptables-multiport.conf | |
209 | --- fail2ban-0.8.11.orig/config/action.d/iptables-multiport.conf 2013-11-12 22:06:54.000000000 +0100 | |
210 | +++ fail2ban-0.8.11/config/action.d/iptables-multiport.conf 2014-01-06 11:25:24.019241537 +0100 | |
211 | @@ -2,6 +2,7 @@ | |
212 | # | |
213 | # Author: Cyril Jaquier | |
214 | # Modified by Yaroslav Halchenko for multiport banning | |
215 | +# Modified by Paul J aka Thanat0s for ipv6 support | |
216 | # | |
217 | ||
218 | [INCLUDES] | |
219 | @@ -14,23 +15,23 @@ | |
220 | # Notes.: command executed once at the start of Fail2Ban. | |
221 | # Values: CMD | |
222 | # | |
223 | -actionstart = iptables -N fail2ban-<name> | |
224 | - iptables -A fail2ban-<name> -j RETURN | |
225 | - iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> | |
226 | +actionstart = fail2ban-iptables -N fail2ban-<name> | |
227 | + fail2ban-iptables -A fail2ban-<name> -j RETURN | |
228 | + fail2ban-iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> | |
229 | ||
230 | # Option: actionstop | |
231 | # Notes.: command executed once at the end of Fail2Ban | |
232 | # Values: CMD | |
233 | # | |
234 | -actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> | |
235 | - iptables -F fail2ban-<name> | |
236 | - iptables -X fail2ban-<name> | |
237 | +actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> | |
238 | + fail2ban-iptables -F fail2ban-<name> | |
239 | + fail2ban-iptables -X fail2ban-<name> | |
240 | ||
241 | # Option: actioncheck | |
242 | # Notes.: command executed once before each actionban command | |
243 | # Values: CMD | |
244 | # | |
245 | -actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]' | |
246 | +actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]' | |
247 | ||
248 | # Option: actionban | |
249 | # Notes.: command executed when banning an IP. Take care that the | |
250 | @@ -38,7 +39,7 @@ | |
251 | # Tags: See jail.conf(5) man page | |
252 | # Values: CMD | |
253 | # | |
254 | -actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype> | |
255 | +actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype> | |
256 | ||
257 | # Option: actionunban | |
258 | # Notes.: command executed when unbanning an IP. Take care that the | |
259 | @@ -46,7 +47,7 @@ | |
260 | # Tags: See jail.conf(5) man page | |
261 | # Values: CMD | |
262 | # | |
263 | -actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype> | |
264 | +actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j <blocktype> | |
265 | ||
266 | [Init] | |
267 | ||
268 | @@ -67,7 +68,7 @@ | |
269 | protocol = tcp | |
270 | ||
271 | # Option: chain | |
272 | -# Notes specifies the iptables chain to which the fail2ban rules should be | |
273 | +# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be | |
274 | # added | |
275 | # Values: STRING Default: INPUT | |
276 | chain = INPUT | |
277 | diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-multiport-log.conf fail2ban-0.8.11/config/action.d/iptables-multiport-log.conf | |
278 | --- fail2ban-0.8.11.orig/config/action.d/iptables-multiport-log.conf 2013-11-12 22:06:54.000000000 +0100 | |
279 | +++ fail2ban-0.8.11/config/action.d/iptables-multiport-log.conf 2014-01-06 11:23:13.682575814 +0100 | |
280 | @@ -2,6 +2,7 @@ | |
281 | # | |
282 | # Author: Guido Bozzetto | |
283 | # Modified: Cyril Jaquier | |
284 | +# Modified by Paul J aka Thanat0s for ipv6 support | |
285 | # | |
286 | # make "fail2ban-<name>" chain to match drop IP | |
287 | # make "fail2ban-<name>-log" chain to log and drop | |
288 | @@ -19,28 +20,28 @@ | |
289 | # Notes.: command executed once at the start of Fail2Ban. | |
290 | # Values: CMD | |
291 | # | |
292 | -actionstart = iptables -N fail2ban-<name> | |
293 | - iptables -A fail2ban-<name> -j RETURN | |
294 | - iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name> | |
295 | - iptables -N fail2ban-<name>-log | |
296 | - iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 | |
297 | - iptables -A fail2ban-<name>-log -j <blocktype> | |
298 | +actionstart = fail2ban-iptables -N fail2ban-<name> | |
299 | + fail2ban-iptables -A fail2ban-<name> -j RETURN | |
300 | + fail2ban-iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name> | |
301 | + fail2ban-iptables -N fail2ban-<name>-log | |
302 | + fail2ban-iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 | |
303 | + fail2ban-iptables -A fail2ban-<name>-log -j <blocktype> | |
304 | ||
305 | # Option: actionstop | |
306 | # Notes.: command executed once at the end of Fail2Ban | |
307 | # Values: CMD | |
308 | # | |
309 | -actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> | |
310 | - iptables -F fail2ban-<name> | |
311 | - iptables -F fail2ban-<name>-log | |
312 | - iptables -X fail2ban-<name> | |
313 | - iptables -X fail2ban-<name>-log | |
314 | +actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name> | |
315 | + fail2ban-iptables -F fail2ban-<name> | |
316 | + fail2ban-iptables -F fail2ban-<name>-log | |
317 | + fail2ban-iptables -X fail2ban-<name> | |
318 | + fail2ban-iptables -X fail2ban-<name>-log | |
319 | ||
320 | # Option: actioncheck | |
321 | # Notes.: command executed once before each actionban command | |
322 | # Values: CMD | |
323 | # | |
324 | -actioncheck = iptables -n -L fail2ban-<name>-log >/dev/null | |
325 | +actioncheck = fail2ban-iptables -n -L fail2ban-<name>-log >/dev/null | |
326 | ||
327 | # Option: actionban | |
328 | # Notes.: command executed when banning an IP. Take care that the | |
329 | @@ -48,7 +49,7 @@ | |
330 | # Tags: See jail.conf(5) man page | |
331 | # Values: CMD | |
332 | # | |
333 | -actionban = iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log | |
334 | +actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log | |
335 | ||
336 | # Option: actionunban | |
337 | # Notes.: command executed when unbanning an IP. Take care that the | |
338 | @@ -56,7 +57,7 @@ | |
339 | # Tags: See jail.conf(5) man page | |
340 | # Values: CMD | |
341 | # | |
342 | -actionunban = iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log | |
343 | +actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log | |
344 | ||
345 | [Init] | |
346 | ||
347 | @@ -77,7 +78,7 @@ | |
348 | protocol = tcp | |
349 | ||
350 | # Option: chain | |
351 | -# Notes specifies the iptables chain to which the fail2ban rules should be | |
352 | +# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be | |
353 | # added | |
354 | # Values: STRING Default: INPUT | |
355 | chain = INPUT | |
356 | diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-new.conf fail2ban-0.8.11/config/action.d/iptables-new.conf | |
357 | --- fail2ban-0.8.11.orig/config/action.d/iptables-new.conf 2013-11-12 22:06:54.000000000 +0100 | |
358 | +++ fail2ban-0.8.11/config/action.d/iptables-new.conf 2014-01-06 11:27:19.569240701 +0100 | |
359 | @@ -1,8 +1,9 @@ | |
360 | # Fail2Ban configuration file | |
361 | # | |
362 | # Author: Cyril Jaquier | |
363 | -# Copied from iptables.conf and modified by Yaroslav Halchenko | |
364 | +# Copied from fail2ban-iptables.conf and modified by Yaroslav Halchenko | |
365 | # to fullfill the needs of bugreporter dbts#350746. | |
366 | +# Modified by Paul J aka Thanat0s for ipv6 support | |
367 | # | |
368 | # | |
369 | ||
370 | @@ -17,23 +18,23 @@ | |
371 | # Notes.: command executed once at the start of Fail2Ban. | |
372 | # Values: CMD | |
373 | # | |
374 | -actionstart = iptables -N fail2ban-<name> | |
375 | - iptables -A fail2ban-<name> -j RETURN | |
376 | - iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> | |
377 | +actionstart = fail2ban-iptables -N fail2ban-<name> | |
378 | + fail2ban-iptables -A fail2ban-<name> -j RETURN | |
379 | + fail2ban-iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> | |
380 | ||
381 | # Option: actionstop | |
382 | # Notes.: command executed once at the end of Fail2Ban | |
383 | # Values: CMD | |
384 | # | |
385 | -actionstop = iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> | |
386 | - iptables -F fail2ban-<name> | |
387 | - iptables -X fail2ban-<name> | |
388 | +actionstop = fail2ban-iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name> | |
389 | + fail2ban-iptables -F fail2ban-<name> | |
390 | + fail2ban-iptables -X fail2ban-<name> | |
391 | ||
392 | # Option: actioncheck | |
393 | # Notes.: command executed once before each actionban command | |
394 | # Values: CMD | |
395 | # | |
396 | -actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]' | |
397 | +actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]' | |
398 | ||
399 | # Option: actionban | |
400 | # Notes.: command executed when banning an IP. Take care that the | |
401 | @@ -41,7 +42,7 @@ | |
402 | # Tags: See jail.conf(5) man page | |
403 | # Values: CMD | |
404 | # | |
405 | -actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype> | |
406 | +actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype> | |
407 | ||
408 | # Option: actionunban | |
409 | # Notes.: command executed when unbanning an IP. Take care that the | |
410 | @@ -49,7 +50,7 @@ | |
411 | # Tags: See jail.conf(5) man page | |
412 | # Values: CMD | |
413 | # | |
414 | -actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype> | |
415 | +actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j <blocktype> | |
416 | ||
417 | [Init] | |
418 | ||
419 | @@ -70,7 +71,7 @@ | |
420 | protocol = tcp | |
421 | ||
422 | # Option: chain | |
423 | -# Notes specifies the iptables chain to which the fail2ban rules should be | |
424 | +# Notes specifies the fail2ban-iptables chain to which the fail2ban rules should be | |
425 | # added | |
426 | # Values: STRING Default: INPUT | |
427 | chain = INPUT | |
428 | diff -urN fail2ban-0.8.11.orig/config/action.d/iptables-xt_recent-echo.conf fail2ban-0.8.11/config/action.d/iptables-xt_recent-echo.conf | |
429 | --- fail2ban-0.8.11.orig/config/action.d/iptables-xt_recent-echo.conf 2013-11-12 22:06:54.000000000 +0100 | |
430 | +++ fail2ban-0.8.11/config/action.d/iptables-xt_recent-echo.conf 2014-01-06 11:40:07.539235142 +0100 | |
431 | @@ -33,7 +33,7 @@ | |
432 | # own rules. The 3600 second timeout is independent and acts as a | |
433 | # safeguard in case the fail2ban process dies unexpectedly. The | |
434 | # shorter of the two timeouts actually matters. | |
435 | -actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype> | |
436 | +actionstart = fail2ban-iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j <blocktype> | |
437 | ||
438 | # Option: actionstop | |
439 | # Notes.: command executed once at the end of Fail2Ban | |
440 | diff -urN fail2ban-0.8.11.orig/config/fail2ban.conf fail2ban-0.8.11/config/fail2ban.conf | |
441 | --- fail2ban-0.8.11.orig/config/fail2ban.conf 2013-11-12 22:06:54.000000000 +0100 | |
442 | +++ fail2ban-0.8.11/config/fail2ban.conf 2014-01-06 11:31:27.709238905 +0100 | |
443 | @@ -47,3 +47,10 @@ | |
444 | # | |
445 | pidfile = /var/run/fail2ban/fail2ban.pid | |
446 | ||
447 | +# Option: ipv6 | |
448 | +# Notes.: Activate IPv6 support | |
449 | +# Warning : only with iptables action supported | |
450 | +# Values: BOOLEAN Default: disabled | |
451 | +# | |
452 | +ipv6 = enabled | |
453 | + | |
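Review bot: The added option is documented as `# Values: BOOLEAN Default: disabled`, yet the shipped value on the next line is `ipv6 = enabled`, so the file contradicts its own stated default. Nothing else in this patch reads an `ipv6` setting — the fail2ban-iptables wrapper, filter.py and failregex.py all switch on address syntax unconditionally — so unless code outside the diff consumes it, the option is inert and the `# Warning : only with iptables action supported` line promises a toggle that does not exist. Either wire the option through to the wrapper (it would have to be passed explicitly, since the wrapper does not read fail2ban.conf) or drop the block until something reads it, and ship `ipv6 = disabled` to match the documented default.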
454 | diff -urN fail2ban-0.8.11.orig/fail2ban-iptables fail2ban-0.8.11/fail2ban-iptables | |
455 | --- fail2ban-0.8.11.orig/fail2ban-iptables 1970-01-01 01:00:00.000000000 +0100 | |
456 | +++ fail2ban-0.8.11/fail2ban-iptables 2014-01-06 11:32:30.559238449 +0100 | |
457 | @@ -0,0 +1,50 @@ | |
458 | +#!/usr/bin/python | |
459 | +# This file is part of Fail2Ban. | |
460 | +# | |
461 | +# Fail2Ban is free software; you can redistribute it and/or modify | |
462 | +# it under the terms of the GNU General Public License as published by | |
463 | +# the Free Software Foundation; either version 2 of the License, or | |
464 | +# (at your option) any later version. | |
465 | +# | |
466 | +# Fail2Ban is distributed in the hope that it will be useful, | |
467 | +# but WITHOUT ANY WARRANTY; without even the implied warranty of | |
468 | +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
469 | +# GNU General Public License for more details. | |
470 | +# | |
471 | +# You should have received a copy of the GNU General Public License | |
472 | +# along with Fail2Ban; if not, write to the Free Software | |
473 | +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. | |
474 | + | |
475 | + | |
476 | +# Iptable wrapper, call the right iptables depending of the ip proposed | |
477 | +# Author: Paul J Aka "Thanat0s" | |
478 | + | |
479 | +import sys, re, subprocess | |
480 | + | |
481 | +# Main procedure | |
482 | +def main(argv): | |
483 | + concat_argv = ' '.join(argv) | |
484 | + regv4 = re.compile('([0-9]{1,3}\.){3}[0-9]{1,3}') | |
485 | + if regv4.search(concat_argv): | |
486 | + # we are facing to a ipv4 | |
487 | + ret = subprocess.call(['iptables'] + argv) | |
488 | + sys.exit(ret) | |
489 | + else: | |
490 | + # if not, maybe it's a ipv6 | |
491 | + regv6 = re.compile('::[A-Fa-f0-9]{1,4}|(:[A-Fa-f0-9]{1,4}){2,}') | |
492 | + if regv6.search(concat_argv): | |
493 | + ret6 = subprocess.call(['ip6tables'] + argv) | |
494 | + sys.exit(ret6) | |
495 | + else: | |
496 | + # if it's not a ipv6 either, we call both iptables | |
497 | + ret = subprocess.call(['iptables'] + argv) | |
498 | + ret6 = subprocess.call(['ip6tables'] + argv) | |
499 | + # return worst error code | |
500 | + if ret > ret6: | |
501 | + sys.exit(ret) | |
502 | + else: | |
503 | + sys.exit(ret6) | |
504 | + | |
505 | +# Main call, pass all variables | |
506 | +if __name__ == "__main__": | |
507 | + main(sys.argv[1:]) | |
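Review bot: Both `subprocess.call(['ip6tables'] + argv)` calls raise OSError when the ip6tables binary is absent, so on an IPv4-only host every actionstart/actionstop (which carry no address and so take the call-both branch) ends in a traceback rather than an exit status; and because that branch returns the worse of the two codes, a present-but-failing ip6tables (e.g. no IPv6 in the kernel) makes the whole action fail even though the iptables half succeeded. The missing-binary case should become a status the caller can report, and the IPv6 half of the fallback branch should probably be best-effort. Separately, the family is chosen by a regex search over the joined arguments, so any argument containing dotted digits or colon groups (a jail name, a `--log-prefix` text) decides it, `regv6` does not match an address ending in `::`, and both patterns should be raw strings so `\.` is not a string escape. Note also that the script never consults the new `ipv6` option added to fail2ban.conf in this same patch.
```python
def _call(tool, argv):
    # A missing binary (no ip6tables on an IPv4-only host) becomes an
    # exit status the caller can report instead of an uncaught OSError.
    try:
        return subprocess.call([tool] + argv)
    except OSError:
        return 127

# Main procedure
def main(argv):
    concat_argv = ' '.join(argv)
    regv4 = re.compile(r'([0-9]{1,3}\.){3}[0-9]{1,3}')
    if regv4.search(concat_argv):
        # we are facing to a ipv4
        sys.exit(_call('iptables', argv))
    else:
        # if not, maybe it's a ipv6
        regv6 = re.compile(r'::[A-Fa-f0-9]{1,4}|(:[A-Fa-f0-9]{1,4}){2,}')
        if regv6.search(concat_argv):
            sys.exit(_call('ip6tables', argv))
        else:
            # if it's not a ipv6 either, we call both iptables
            ret = _call('iptables', argv)
            ret6 = _call('ip6tables', argv)
            # … unchanged: return worst error code …
```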
508 | diff -urN fail2ban-0.8.11.orig/server/failregex.py fail2ban-0.8.11/server/failregex.py | |
509 | --- fail2ban-0.8.11.orig/server/failregex.py 2013-11-12 22:06:54.000000000 +0100 | |
510 | +++ fail2ban-0.8.11/server/failregex.py 2014-01-06 11:12:39.602580405 +0100 | |
511 | @@ -41,7 +41,7 @@ | |
512 | self._matchCache = None | |
513 | # Perform shortcuts expansions. | |
514 | # Replace "<HOST>" with default regular expression for host. | |
515 | - regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)") | |
516 | + regex = regex.replace("<HOST>", "(?:::f{4,6}:)?(?P<host>[\w\-.^_:]*\w)") | |
517 | if regex.lstrip() == '': | |
518 | raise RegexException("Cannot add empty regex") | |
519 | try: | |
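Review bot: Adding `:` to the `<HOST>` character class changes what every existing filter captures, not only IPv6 lines: a failregex that terminates `<HOST>` with whitespace or end-of-line rather than a literal `:` will now pull a trailing `:port` or any other colon-joined token into the host group, and that value then fails address validation and is presumably handed to DNS resolution. The optional `(?:::f{4,6}:)?` prefix is still tried before the group, so the IPv4-mapped form keeps working. I would add a comment above the replacement line saying that the class admits ':' for IPv6 literals and that filters must end `<HOST>` on a non-host character, and re-run the filter regression tests against this change.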
520 | diff -urN fail2ban-0.8.11.orig/server/filter.py fail2ban-0.8.11/server/filter.py | |
521 | --- fail2ban-0.8.11.orig/server/filter.py 2013-11-12 22:06:54.000000000 +0100 | |
522 | +++ fail2ban-0.8.11/server/filter.py 2014-01-06 12:25:40.509215356 +0100 | |
523 | @@ -267,7 +267,10 @@ | |
524 | s = i.split('/', 1) | |
525 | # IP address without CIDR mask | |
526 | if len(s) == 1: | |
527 | - s.insert(1, '32') | |
528 | + if re.match(":", s[0]): | |
529 | + s.insert(1, '128') | |
530 | + else: | |
531 | + s.insert(1, '32') | |
532 | s[1] = long(s[1]) | |
533 | try: | |
534 | a = DNSUtils.cidr(s[0], s[1]) | |
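Review bot: `re.match(":", s[0])` on the added line is anchored at the start of the string, so only addresses that begin with a colon (`::1`) get the 128-bit default mask; a normal IPv6 entry such as `2001:db8::1` is given `'32'` and then passes through the same anchored test in the cidr hunk below, where it is reduced to its low 32 bits. If the caller compares the masked ignore entry against a candidate address masked the same way (the comparison is outside the hunk), unrelated IPv6 addresses sharing their low 32 bits would be treated as ignored, which silently suppresses bans. Use a containment test in both places: `if ':' in s[0]:` here and `if ':' in i:` in cidr.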
535 | @@ -623,6 +626,7 @@ | |
536 | class DNSUtils: | |
537 | ||
538 | IP_CRE = re.compile("^(?:\d{1,3}\.){3}\d{1,3}$") | |
539 | + IP_CRE6 = re.compile("^(?:[0-9:A-Fa-f]{3,})$") | |
540 | ||
541 | #@staticmethod | |
542 | def dnsToIp(dns): | |
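Review bot: `IP_CRE6 = re.compile("^(?:[0-9:A-Fa-f]{3,})$")` accepts any string of three or more hex digits and colons, so plain hostnames like `beef` or `cafe`, the bare token `123`, or `:::` all count as IPv6 literals in searchIP (next hunk). Whatever searchIP's callers do with a match (presumably skip DNS resolution and use the text as the address), an unresolvable hex-looking hostname is then passed on as if it were an address. A structural check is cheap — require colons in the expected places, e.g. `^(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}$` — and a match should then be confirmed with `socket.inet_pton(socket.AF_INET6, ...)`, as the isValidIP hunk already does, before it is trusted.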
543 | @@ -646,19 +650,31 @@ | |
544 | if match: | |
545 | return match | |
546 | else: | |
547 | - return None | |
548 | + match = DNSUtils.IP_CRE6.match(text) | |
549 | + if match: | |
550 | + """ Right Here, we faced to a ipv6 | |
551 | + """ | |
552 | + return match | |
553 | + else: | |
554 | + return None | |
555 | searchIP = staticmethod(searchIP) | |
556 | ||
557 | #@staticmethod | |
558 | def isValidIP(string): | |
559 | - """ Return true if str is a valid IP | |
560 | - """ | |
561 | + # Return true if str is a valid IP | |
562 | s = string.split('/', 1) | |
563 | + # try to convert to ipv4 | |
564 | try: | |
565 | socket.inet_aton(s[0]) | |
566 | return True | |
567 | except socket.error: | |
568 | - return False | |
569 | + # if it had failed try to convert ipv6 | |
570 | + try: | |
571 | + socket.inet_pton(socket.AF_INET6, s[0]) | |
572 | + return True | |
573 | + except socket.error: | |
574 | + # not a valid address in both stacks | |
575 | + return False | |
576 | isValidIP = staticmethod(isValidIP) | |
577 | ||
578 | #@staticmethod | |
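Review bot: The added `""" Right Here, we faced to a ipv6 """` is a bare string expression standing in for a comment, and the isValidIP docstring was turned into a `#` comment, which removes it from pydoc; keep docstrings as docstrings and use `#` for in-body remarks. The docstring should now read `""" Return True if string is a valid IPv4 or IPv6 address; a /mask suffix is split off and not validated. """`, since `s = string.split('/', 1)` only ever uses `s[0]`. It is also worth a comment that the two branches are not equally strict: inet_aton accepts shorthand such as `127.1`, while inet_pton rejects anything that is not a complete IPv6 literal.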
579 | @@ -687,11 +703,14 @@ | |
580 | ||
581 | #@staticmethod | |
582 | def cidr(i, n): | |
583 | - """ Convert an IP address string with a CIDR mask into a 32-bit | |
584 | - integer. | |
585 | + """ Convert an IP address string with a CIDR mask into an integer. | |
586 | """ | |
587 | - # 32-bit IPv4 address mask | |
588 | - MASK = 0xFFFFFFFFL | |
589 | + if re.match(":", i): | |
590 | + # 128-bit IPv6 address mask | |
591 | + MASK = ((1 << 128) - 1) | |
592 | + else: | |
593 | + # 32-bit IPv4 address mask | |
594 | + MASK = 0xFFFFFFFFL | |
595 | return ~(MASK >> n) & MASK & DNSUtils.addr2bin(i) | |
596 | cidr = staticmethod(cidr) | |
597 | ||
598 | @@ -699,12 +718,21 @@ | |
599 | def addr2bin(string): | |
600 | """ Convert a string IPv4 address into an unsigned integer. | |
601 | """ | |
602 | - return struct.unpack("!L", socket.inet_aton(string))[0] | |
603 | + try: | |
604 | + return struct.unpack("!L", socket.inet_aton(string))[0] | |
605 | + except socket.error: | |
606 | + hi, lo = struct.unpack('!QQ', socket.inet_pton(socket.AF_INET6, string)) | |
607 | + return (hi << 64) | lo | |
608 | addr2bin = staticmethod(addr2bin) | |
609 | ||
610 | #@staticmethod | |
611 | def bin2addr(addr): | |
612 | """ Convert a numeric IPv4 address into string n.n.n.n form. | |
613 | """ | |
614 | - return socket.inet_ntoa(struct.pack("!L", addr)) | |
615 | + try: | |
616 | + return socket.inet_ntoa(struct.pack("!L", addr)) | |
617 | + except socket.error: | |
618 | + hi = addr >> 64 | |
619 | + lo = addr & ((1 << 64) - 1) | |
620 | + return socket.inet_ntop(socket.AF_INET6, struct.pack('!QQ', hi, lo)) | |
621 | bin2addr = staticmethod(bin2addr) | |
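Review bot: The fallback in bin2addr cannot be reached as written: `struct.pack("!L", addr)` with a value above 0xFFFFFFFF raises `struct.error`, not `socket.error`, so an IPv6 integer propagates as an exception and never reaches the `inet_ntop` branch. Change the handler to `except (socket.error, struct.error):`, or better, branch on the value with `if addr > 0xFFFFFFFF:` so the IPv6 path is explicit rather than exception-driven. The docstrings of both functions still describe IPv4 only and should mention the 128-bit case; in addr2bin an invalid string now surfaces as the `socket.error` raised by inet_pton, which matches what callers caught before.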
622 | diff -urN fail2ban-0.8.11.orig/setup.py fail2ban-0.8.11/setup.py | |
623 | --- fail2ban-0.8.11.orig/setup.py 2013-11-12 22:06:54.000000000 +0100 | |
624 | +++ fail2ban-0.8.11/setup.py 2014-01-06 11:15:41.519245754 +0100 | |
625 | @@ -48,7 +48,8 @@ | |
626 | scripts = [ | |
627 | 'fail2ban-client', | |
628 | 'fail2ban-server', | |
629 | - 'fail2ban-regex' | |
630 | + 'fail2ban-regex', | |
631 | + 'fail2ban-iptables' | |
632 | ], | |
633 | packages = [ | |
634 | 'common', |