Add whitelist function to Fail2ban

data/Dockerfiles/fail2ban/logwatch.py

@@ -12,7 +12,7 @@ import redis
 import time
 import json
 
-r = redis.StrictRedis(host='172.22.1.249', port=6379, db=0)
+r = redis.StrictRedis(host='172.22.1.249', decode_responses=True, port=6379, db=0)
 RULES = {
 	'mailcowdockerized_postfix-mailcow_1': 'warning: .*\[([0-9a-f\.:]+)\]: SASL .* authentication failed',
 	'mailcowdockerized_dovecot-mailcow_1': '-login: Disconnected \(auth failed, .*\): user=.*, method=.*, rip=([0-9a-f\.:]+),',
@@ -32,6 +32,7 @@ def ban(address):
 	BAN_TIME = int(r.get("F2B_BAN_TIME"))
 	MAX_ATTEMPTS = int(r.get("F2B_MAX_ATTEMPTS"))
 	RETRY_WINDOW = int(r.get("F2B_RETRY_WINDOW"))
+	WHITELIST = r.hgetall("F2B_WHITELIST")
 
 	ip = ipaddress.ip_address(address.decode('ascii'))
 	if type(ip) is ipaddress.IPv6Address and ip.ipv4_mapped:
@@ -40,6 +41,18 @@ def ban(address):
 	if ip.is_private or ip.is_loopback:
 		return
 
+	self_network = ipaddress.ip_network(address.decode('ascii'))
+	if WHITELIST:
+		for wl_key in WHITELIST:
+			wl_net = ipaddress.ip_network(wl_key.decode('ascii'), False)
+			if wl_net.overlaps(self_network):
+				log['time'] = int(round(time.time()))
+				log['priority'] = "info"
+				log['message'] = "Address %s is whitelisted by rule %s" % (self_network, wl_net)
+				r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False))
+				print "Address %s is whitelisted by rule %s" % (self_network, wl_net)
+				return
+
 	net = ipaddress.ip_network((address + ('/24' if type(ip) is ipaddress.IPv4Address else '/64')).decode('ascii'), strict=False)
 	net = str(net)
 
@@ -66,6 +79,7 @@ def ban(address):
 		else:
 			subprocess.call(["ip6tables", "-I", "INPUT", "-s", net, "-j", "REJECT"])
 			subprocess.call(["ip6tables", "-I", "FORWARD", "-s", net, "-j", "REJECT"])
+		r.hset("F2B_ACTIVE_BANS", "%s" % net, log['time'] + BAN_TIME)
 	else:
 		log['time'] = int(round(time.time()))
 		log['priority'] = "warn"
@@ -76,6 +90,13 @@ def ban(address):
 def unban(net):
 	log['time'] = int(round(time.time()))
 	log['priority'] = "info"
+	r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False))
+	if not net in bans:
+		log['message'] = "%s is not banned, skipping unban and deleting from queue (if any)" % net
+		r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False))
+		print "%s is not banned, skipping unban and deleting from queue (if any)" % net
+		r.hdel("F2B_QUEUE_UNBAN", "%s" % net)
+		return
 	log['message'] = "Unbanning %s" % net
 	r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False))
 	print "Unbanning %s" % net
@@ -85,6 +106,8 @@ def unban(net):
 	else:
 		subprocess.call(["ip6tables", "-D", "INPUT", "-s", net, "-j", "REJECT"])
 		subprocess.call(["ip6tables", "-D", "FORWARD", "-s", net, "-j", "REJECT"])
+	r.hdel("F2B_ACTIVE_BANS", "%s" % net)
+	r.hdel("F2B_QUEUE_UNBAN", "%s" % net)
 	del bans[net]
 
 def quit(signum, frame):
@@ -117,11 +140,15 @@ def autopurge():
 	while not quit_now:
 		BAN_TIME = int(r.get("F2B_BAN_TIME"))
 		MAX_ATTEMPTS = int(r.get("F2B_MAX_ATTEMPTS"))
+		QUEUE_UNBAN = r.hgetall("F2B_QUEUE_UNBAN")
+		if QUEUE_UNBAN:
+			for net in QUEUE_UNBAN:
+				unban(str(net))
 		for net in bans.copy():
 			if bans[net]['attempts'] >= MAX_ATTEMPTS:
 				if time.time() - bans[net]['last_attempt'] > BAN_TIME:
 					unban(net)
-		time.sleep(60)
+		time.sleep(30)
 
 if __name__ == '__main__':
 	threads = []

data/web/admin.php

@@ -289,6 +289,10 @@ $tfa_data = get_tfa();
             <label for="retry_window">Retry window (s) for max. attempts:</label>
             <input type="number" class="form-control" id="retry_window" name="retry_window" value="<?=$f2b_data['retry_window'];?>" required>
           </div>
+          <div class="form-group">
+            <label for="retry_window">Whitelisted networks/hosts</label>
+            <textarea class="form-control" id="whitelist" name="whitelist" rows="5"><?=$f2b_data['whitelist'];?></textarea>
+          </div>
           <button class="btn btn-default" id="add_item" data-id="f2b" data-api-url='edit/fail2ban' data-api-attr='{}' href="#"><span class="glyphicon glyphicon-check"></span> <?=$lang['admin']['save'];?></button>
         </form>
       </div>

data/web/inc/functions.inc.php

@@ -1446,6 +1446,16 @@ function get_f2b_parameters() {
     $data['ban_time'] = $redis->Get('F2B_BAN_TIME');
     $data['max_attempts'] = $redis->Get('F2B_MAX_ATTEMPTS');
     $data['retry_window'] = $redis->Get('F2B_RETRY_WINDOW');
+    $wl = $redis->hGetAll('F2B_WHITELIST');
+    if (is_array($wl)) {
+      foreach ($wl as $key => $value) {
+        $tmp_data[] = $key;
+      }
+      $data['whitelist'] = implode(PHP_EOL, $tmp_data);
+    }
+    else {
+      $data['whitelist'] = "";
+    }
   }
   catch (RedisException $e) {
     $_SESSION['return'] = array(
@@ -1479,6 +1489,7 @@ function edit_f2b_parameters($postarray) {
     );
     return false;
   }
+  $wl = $postarray['whitelist'];
   $ban_time = ($ban_time < 60) ? 60 : $ban_time;
   $max_attempts = ($max_attempts < 1) ? 1 : $max_attempts;
   $retry_window = ($retry_window < 1) ? 1 : $retry_window;
@@ -1486,6 +1497,21 @@ function edit_f2b_parameters($postarray) {
     $redis->Set('F2B_BAN_TIME', $ban_time);
     $redis->Set('F2B_MAX_ATTEMPTS', $max_attempts);
     $redis->Set('F2B_RETRY_WINDOW', $retry_window);
+    $redis->Del('F2B_WHITELIST');
+    if(!empty($wl)) {
+      $wl_array = array_map('trim', preg_split( "/( |,|;|\n)/", $wl));
+      if (is_array($wl_array)) {
+        foreach ($wl_array as $wl_item) {
+          $cidr = explode('/', $wl_item);
+          if (filter_var($cidr[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) && (!isset($cidr[1]) || ($cidr[1] >= 8 && $cidr[1] <= 32))) {
+            $redis->hSet('F2B_WHITELIST', $wl_item, 1);
+          }
+          elseif (filter_var($cidr[0], FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) && (!isset($cidr[1]) || ($cidr[1] >= 16 && $cidr[1] <= 128))) {
+            $redis->hSet('F2B_WHITELIST', $wl_item, 1);
+          }
+        }
+      }
+    }
   }
   catch (RedisException $e) {
     $_SESSION['return'] = array(