diff --git a/data/Dockerfiles/fail2ban/logwatch.py b/data/Dockerfiles/fail2ban/logwatch.py index 6be96023..10024772 100644 --- a/data/Dockerfiles/fail2ban/logwatch.py +++ b/data/Dockerfiles/fail2ban/logwatch.py @@ -14,9 +14,9 @@ import json yes_regex = re.compile(r'([yY][eE][sS]|[yY])+$') if re.search(yes_regex, os.getenv('SKIP_FAIL2BAN', 0)): - print "SKIP_FAIL2BAN=y, Skipping Fail2ban container..." - time.sleep(31536000) - raise SystemExit + print "SKIP_FAIL2BAN=y, Skipping Fail2ban container..." + time.sleep(31536000) + raise SystemExit r = redis.StrictRedis(host='172.22.1.249', decode_responses=True, port=6379, db=0) pubsub = r.pubsub() @@ -38,151 +38,151 @@ log = {} quit_now = False def ban(address): - BAN_TIME = int(r.get("F2B_BAN_TIME")) - MAX_ATTEMPTS = int(r.get("F2B_MAX_ATTEMPTS")) - RETRY_WINDOW = int(r.get("F2B_RETRY_WINDOW")) - WHITELIST = r.hgetall("F2B_WHITELIST") + BAN_TIME = int(r.get("F2B_BAN_TIME")) + MAX_ATTEMPTS = int(r.get("F2B_MAX_ATTEMPTS")) + RETRY_WINDOW = int(r.get("F2B_RETRY_WINDOW")) + WHITELIST = r.hgetall("F2B_WHITELIST") - ip = ipaddress.ip_address(address.decode('ascii')) - if type(ip) is ipaddress.IPv6Address and ip.ipv4_mapped: - ip = ip.ipv4_mapped - address = str(ip) - if ip.is_private or ip.is_loopback: - return + ip = ipaddress.ip_address(address.decode('ascii')) + if type(ip) is ipaddress.IPv6Address and ip.ipv4_mapped: + ip = ip.ipv4_mapped + address = str(ip) + if ip.is_private or ip.is_loopback: + return - self_network = ipaddress.ip_network(address.decode('ascii')) - if WHITELIST: - for wl_key in WHITELIST: - wl_net = ipaddress.ip_network(wl_key.decode('ascii'), False) - if wl_net.overlaps(self_network): - log['time'] = int(round(time.time())) - log['priority'] = "info" - log['message'] = "Address %s is whitelisted by rule %s" % (self_network, wl_net) - r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) - print "Address %s is whitelisted by rule %s" % (self_network, wl_net) - return + self_network = ipaddress.ip_network(address.decode('ascii')) + if WHITELIST: + for wl_key in WHITELIST: + wl_net = ipaddress.ip_network(wl_key.decode('ascii'), False) + if wl_net.overlaps(self_network): + log['time'] = int(round(time.time())) + log['priority'] = "info" + log['message'] = "Address %s is whitelisted by rule %s" % (self_network, wl_net) + r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) + print "Address %s is whitelisted by rule %s" % (self_network, wl_net) + return - net = ipaddress.ip_network((address + ('/24' if type(ip) is ipaddress.IPv4Address else '/64')).decode('ascii'), strict=False) - net = str(net) + net = ipaddress.ip_network((address + ('/24' if type(ip) is ipaddress.IPv4Address else '/64')).decode('ascii'), strict=False) + net = str(net) - if not net in bans or time.time() - bans[net]['last_attempt'] > RETRY_WINDOW: - bans[net] = { 'attempts': 0 } - active_window = RETRY_WINDOW - else: - active_window = time.time() - bans[net]['last_attempt'] + if not net in bans or time.time() - bans[net]['last_attempt'] > RETRY_WINDOW: + bans[net] = { 'attempts': 0 } + active_window = RETRY_WINDOW + else: + active_window = time.time() - bans[net]['last_attempt'] - bans[net]['attempts'] += 1 - bans[net]['last_attempt'] = time.time() + bans[net]['attempts'] += 1 + bans[net]['last_attempt'] = time.time() - active_window = time.time() - bans[net]['last_attempt'] + active_window = time.time() - bans[net]['last_attempt'] - if bans[net]['attempts'] >= MAX_ATTEMPTS: - log['time'] = int(round(time.time())) - log['priority'] = "crit" - log['message'] = "Banning %s" % net - r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) - print "Banning %s for %d minutes" % (net, BAN_TIME / 60) - if type(ip) is ipaddress.IPv4Address: - subprocess.call(["iptables", "-I", "INPUT", "-s", net, "-j", "REJECT"]) - subprocess.call(["iptables", "-I", "FORWARD", "-s", net, "-j", "REJECT"]) - else: - subprocess.call(["ip6tables", "-I", "INPUT", "-s", net, "-j", "REJECT"]) - subprocess.call(["ip6tables", "-I", "FORWARD", "-s", net, "-j", "REJECT"]) - r.hset("F2B_ACTIVE_BANS", "%s" % net, log['time'] + BAN_TIME) - else: - log['time'] = int(round(time.time())) - log['priority'] = "warn" - log['message'] = "%d more attempts in the next %d seconds until %s is banned" % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net) - r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) - print "%d more attempts in the next %d seconds until %s is banned" % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net) + if bans[net]['attempts'] >= MAX_ATTEMPTS: + log['time'] = int(round(time.time())) + log['priority'] = "crit" + log['message'] = "Banning %s" % net + r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) + print "Banning %s for %d minutes" % (net, BAN_TIME / 60) + if type(ip) is ipaddress.IPv4Address: + subprocess.call(["iptables", "-I", "INPUT", "-s", net, "-j", "REJECT"]) + subprocess.call(["iptables", "-I", "FORWARD", "-s", net, "-j", "REJECT"]) + else: + subprocess.call(["ip6tables", "-I", "INPUT", "-s", net, "-j", "REJECT"]) + subprocess.call(["ip6tables", "-I", "FORWARD", "-s", net, "-j", "REJECT"]) + r.hset("F2B_ACTIVE_BANS", "%s" % net, log['time'] + BAN_TIME) + else: + log['time'] = int(round(time.time())) + log['priority'] = "warn" + log['message'] = "%d more attempts in the next %d seconds until %s is banned" % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net) + r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) + print "%d more attempts in the next %d seconds until %s is banned" % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net) def unban(net): - log['time'] = int(round(time.time())) - log['priority'] = "info" - r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) - if not net in bans: - log['message'] = "%s is not banned, skipping unban and deleting from queue (if any)" % net - r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) - print "%s is not banned, skipping unban and deleting from queue (if any)" % net - r.hdel("F2B_QUEUE_UNBAN", "%s" % net) - return - log['message'] = "Unbanning %s" % net - r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) - print "Unbanning %s" % net - if type(ipaddress.ip_network(net.decode('ascii'))) is ipaddress.IPv4Network: - subprocess.call(["iptables", "-D", "INPUT", "-s", net, "-j", "REJECT"]) - subprocess.call(["iptables", "-D", "FORWARD", "-s", net, "-j", "REJECT"]) - else: - subprocess.call(["ip6tables", "-D", "INPUT", "-s", net, "-j", "REJECT"]) - subprocess.call(["ip6tables", "-D", "FORWARD", "-s", net, "-j", "REJECT"]) - r.hdel("F2B_ACTIVE_BANS", "%s" % net) - r.hdel("F2B_QUEUE_UNBAN", "%s" % net) - del bans[net] + log['time'] = int(round(time.time())) + log['priority'] = "info" + r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) + if not net in bans: + log['message'] = "%s is not banned, skipping unban and deleting from queue (if any)" % net + r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) + print "%s is not banned, skipping unban and deleting from queue (if any)" % net + r.hdel("F2B_QUEUE_UNBAN", "%s" % net) + return + log['message'] = "Unbanning %s" % net + r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) + print "Unbanning %s" % net + if type(ipaddress.ip_network(net.decode('ascii'))) is ipaddress.IPv4Network: + subprocess.call(["iptables", "-D", "INPUT", "-s", net, "-j", "REJECT"]) + subprocess.call(["iptables", "-D", "FORWARD", "-s", net, "-j", "REJECT"]) + else: + subprocess.call(["ip6tables", "-D", "INPUT", "-s", net, "-j", "REJECT"]) + subprocess.call(["ip6tables", "-D", "FORWARD", "-s", net, "-j", "REJECT"]) + r.hdel("F2B_ACTIVE_BANS", "%s" % net) + r.hdel("F2B_QUEUE_UNBAN", "%s" % net) + del bans[net] def quit(signum, frame): - global quit_now - quit_now = True + global quit_now + quit_now = True def clear(): - log['time'] = int(round(time.time())) - log['priority'] = "info" - log['message'] = "Clearing all bans" - r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) - print "Clearing all bans" - for net in bans.copy(): - unban(net) - pubsub.unsubscribe() + log['time'] = int(round(time.time())) + log['priority'] = "info" + log['message'] = "Clearing all bans" + r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) + print "Clearing all bans" + for net in bans.copy(): + unban(net) + pubsub.unsubscribe() def watch(): - log['time'] = int(round(time.time())) - log['priority'] = "info" - log['message'] = "Watching Redis channel F2B_CHANNEL" - r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) - pubsub.subscribe("F2B_CHANNEL") - print "Subscribing to Redis channel F2B_CHANNEL" - while True: - for item in pubsub.listen(): - for rule_id, rule_regex in RULES.iteritems(): - if item['data'] and item['type'] == 'message': - result = re.search(rule_regex, item['data']) - if result: - addr = result.group(1) + log['time'] = int(round(time.time())) + log['priority'] = "info" + log['message'] = "Watching Redis channel F2B_CHANNEL" + r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) + pubsub.subscribe("F2B_CHANNEL") + print "Subscribing to Redis channel F2B_CHANNEL" + while True: + for item in pubsub.listen(): + for rule_id, rule_regex in RULES.iteritems(): + if item['data'] and item['type'] == 'message': + result = re.search(rule_regex, item['data']) + if result: + addr = result.group(1) ip = ipaddress.ip_address(addr.decode('ascii')) if ip.is_private or ip.is_loopback: continue - print "%s matched rule id %d" % (addr, rule_id) - log['time'] = int(round(time.time())) - log['priority'] = "warn" - log['message'] = "%s matched rule id %d" % (addr, rule_id) - r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) - ban(addr) + print "%s matched rule id %d" % (addr, rule_id) + log['time'] = int(round(time.time())) + log['priority'] = "warn" + log['message'] = "%s matched rule id %d" % (addr, rule_id) + r.lpush("F2B_LOG", json.dumps(log, ensure_ascii=False)) + ban(addr) def autopurge(): - while not quit_now: - BAN_TIME = int(r.get("F2B_BAN_TIME")) - MAX_ATTEMPTS = int(r.get("F2B_MAX_ATTEMPTS")) - QUEUE_UNBAN = r.hgetall("F2B_QUEUE_UNBAN") - if QUEUE_UNBAN: - for net in QUEUE_UNBAN: - unban(str(net)) - for net in bans.copy(): - if bans[net]['attempts'] >= MAX_ATTEMPTS: - if time.time() - bans[net]['last_attempt'] > BAN_TIME: - unban(net) - time.sleep(10) + while not quit_now: + BAN_TIME = int(r.get("F2B_BAN_TIME")) + MAX_ATTEMPTS = int(r.get("F2B_MAX_ATTEMPTS")) + QUEUE_UNBAN = r.hgetall("F2B_QUEUE_UNBAN") + if QUEUE_UNBAN: + for net in QUEUE_UNBAN: + unban(str(net)) + for net in bans.copy(): + if bans[net]['attempts'] >= MAX_ATTEMPTS: + if time.time() - bans[net]['last_attempt'] > BAN_TIME: + unban(net) + time.sleep(10) if __name__ == '__main__': - watch_thread = Thread(target=watch) - watch_thread.daemon = True - watch_thread.start() + watch_thread = Thread(target=watch) + watch_thread.daemon = True + watch_thread.start() - autopurge_thread = Thread(target=autopurge) - autopurge_thread.daemon = True - autopurge_thread.start() + autopurge_thread = Thread(target=autopurge) + autopurge_thread.daemon = True + autopurge_thread.start() - signal.signal(signal.SIGTERM, quit) - atexit.register(clear) + signal.signal(signal.SIGTERM, quit) + atexit.register(clear) - while not quit_now: - time.sleep(0.5) + while not quit_now: + time.sleep(0.5) diff --git a/docker-compose.yml b/docker-compose.yml index 478f8718..8dd37c46 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -275,7 +275,7 @@ services: - acme fail2ban-mailcow: - image: mailcow/fail2ban:1.8 + image: mailcow/fail2ban:1.9 build: ./data/Dockerfiles/fail2ban stop_grace_period: 30s depends_on: