paxton
/
mailcow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Allow hostnames for fail2ban whitelist.

master
Kraeutergarten 2019-05-17 19:38:34 +02:00
parent 885b79f06f
commit 4cc63ceeb7
2 changed files with 27 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
data/Dockerfiles/netfilter/server.py
View File

@ -5,6 +5,7 @@ import os
import time import time
import atexit import atexit
import signal import signal
import socket
import ipaddress import ipaddress
from random import randint from random import randint
from threading import Thread from threading import Thread
@ -39,6 +40,13 @@ log = {}
quit_now = False quit_now = False
lock = Lock() lock = Lock()
def is_ip_network(address):
try:
ipaddress.ip_network(address.decode('ascii'), False)
except ValueError:
return False
return True
def refreshF2boptions(): def refreshF2boptions():
global f2boptions global f2boptions
global quit_now global quit_now
@ -119,6 +127,19 @@ def ban(address):
self_network = ipaddress.ip_network(address.decode('ascii')) self_network = ipaddress.ip_network(address.decode('ascii'))
if WHITELIST: if WHITELIST:
for wl_key in WHITELIST: for wl_key in WHITELIST:
if not is_ip_network(wl_key):
hostname = wl_key
try:
wl_key = socket.gethostbyname(hostname)
except socket.gaierror as err:
continue
log['time'] = int(round(time.time()))
log['priority'] = 'info'
log['message'] = 'Hostname %s is resolved to %s' % (hostname, wl_key)
r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
print 'Hostname %s is resolved to %s' % (hostname, wl_key)
wl_net = ipaddress.ip_network(wl_key.decode('ascii'), False) wl_net = ipaddress.ip_network(wl_key.decode('ascii'), False)
if wl_net.overlaps(self_network): if wl_net.overlaps(self_network):
log['time'] = int(round(time.time())) log['time'] = int(round(time.time()))

7
data/web/inc/functions.fail2ban.inc.php
View File

@ -9,6 +9,11 @@ function valid_network($network) {
} }
return false; return false;
} }
function valid_hostname($hostname) {
return filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME);
}
function fail2ban($_action, $_data = null) { function fail2ban($_action, $_data = null) {
global $redis; global $redis;
global $lang; global $lang;
@ -188,7 +193,7 @@ function fail2ban($_action, $_data = null) {
$wl_array = array_map('trim', preg_split( "/( |,|;|\n)/", $wl)); $wl_array = array_map('trim', preg_split( "/( |,|;|\n)/", $wl));
if (is_array($wl_array)) { if (is_array($wl_array)) {
foreach ($wl_array as $wl_item) { foreach ($wl_array as $wl_item) {
if (valid_network($wl_item)) { if (valid_network($wl_item) || valid_hostname($wl_item)) {
$redis->hSet('F2B_WHITELIST', $wl_item, 1); $redis->hSet('F2B_WHITELIST', $wl_item, 1);
} }
} }