Bdw~dZdZdZddlZddlmZmZddlZddlZddlZddl Z ddl Z ddl m Z m Z ddlmZdd lmZmZmZdd lmZdd lmZmZd d lmZd dlmZmZmZmZm Z m!Z!m"Z"ee#Z$dZ%dZ&dZ' ddl(m)Z)n #e*$rdZ)YnwxYwdZ+ e,n #e-$re.Z,YnwxYwdZ/GddZ0Gdde1Z2dS)z Cyril Jaquierz Copyright (c) 2004 Cyril JaquierGPLN)LockRLock) ObserversObserverThread)Jails)DNSUtils FileFilter JournalFilter) Transmitter) AsyncServerAsyncServerException)version) getLogger_as_boolextractOptions str2LogLevelgetVerbosityFormat excepthookprctl_set_th_nameautoINFOSTDOUT) Fail2BanDbc<tjjjSN) threadingcurrent_thread __class____name__8/usr/lib/python3/dist-packages/fail2ban/server/server.py _thread_namer&:s "",55r$ctj|}tj|rB tj|dS#t t f$r}|jdkrYd}~dSd}~wwxYwdS)z0Creates path of file (last level only) on demandN)ospathdirnameisabsmkdirOSErrorFileExistsErrorerrno)namees r%_make_file_pathr3Bs GMM$  8D>>>>> ? #   gmm mmmmm   sAA>' A99A>cJeZdZdZdZdZdZdZddifdZdZd Z d[d Z d Z d Z d Z dZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZd Z d!Z!d"Z"d#Z#d$Z$d%Z%d&Z&d'Z'd(Z(d)Z)d*Z*dZd+Z+d\d-Z,d.Z-dZd/Z.d0Z/d1Z0d2Z1d3Z2d4Z3d5Z4d6Z5d7Z6d8Z7d9Z8d:Z9d;Z:d<Z;d=ZZ=d?Z>d@Z?d]dAZ@d^dBZAdCZBdZdDZCdEZDdFZEdGZFd\dHZGdIZHd_dKZIdLZJdMZKdNZLdOZMdPZNdQZOdRZPeQdSZRdTZSdUZTdVZUdWZVeQdXZWdYZXd,S)`ServerFc4t|_t|_t |_d|_||_t||_ i|_ d|_ d|_ d|_ d|_d|_dddd|_i|_dS)Nz/var/run/syslogz /var/run/logz/dev/log)DarwinFreeBSDLinux)r_Server__loggingLockr _Server__lockr _Server__jails _Server__db_Server__daemonr _Server__transm_Server__reload_state_Server__asyncServer_Server__logLevel_Server__logTarget_Server__verbose_Server__syslogSocket_Server__autoSyslogSocketPaths_Server__prev_signals)selfdaemons r%__init__zServer.__init__Qsvv$$+$,$)$-d##$-$$$/$$.$ ""$ $r$cdtd||dS)NzCaught signal %d. Exiting)logSysdebugquit)rHsignumframes r%__sigTERMhandlerzServer.__sigTERMhandlerfs(,,*F333))+++++r$cdtd||dS)NzCaught signal %d. Flushing logs)rLrM flushLogs)rHrOfnames r%__sigUSR1handlerzServer.__sigUSR1handlerjs-,,0&999..r$chtj||j|<tj||dS)z>Bind new signal handler while storing old one in _prev_signalsN)signal getsignalrG)rHsnews r% _rebindSignalzServer._rebindSignalns2!+A..$a-3r$Tc tjd|jrotd|}|dS|ds5d|ddf}t|t|t| dd| d d|_ | | d |j |j nt|| d |j|jnt || d |j|jnt&td tdt(j|jrtdt+dkr[t,jt,jfD]}|||j|t,j|jt:t<_ td|tA|tC|d} | "dtj#z| $n9#tJtLf$r%} td| Yd} ~ nd} ~ wwxYw|rBtNj(6tStN_(tNj(*td tA|tW|j,|_-| d|j-_.|j-*||n2#t^$r%} td| Yd} ~ nd} ~ wwxYw|0 td|tj1|dS#tJtLf$r&} td| Yd} ~ dSd} ~ wwxYw)N?zStarting in daemon modeFrzCould not create daemon %srpnamezfail2ban-serververbose syslogsocketloglevel logtargetz2--------------------------------------------------zStarting Fail2ban v%szDaemon started _MainThreadzCreating PID file %swz%s zUnable to create PID file: %szStarting communicationonstartzCould not start server: %szRemove PID file %szUnable to remove PID file: %s)2r)umaskr>rLinfo_Server__createDaemonerrorServerInitializationErrorrgetrDsetSyslogSocketrEDEF_SYSLOGSOCKET setLogLevelrB DEF_LOGLEVEL setLogTargetrC DEF_LOGTARGETrr&rWSIGTERMSIGINTr[_Server__sigTERMhandlerSIGUSR1_Server__sigUSR1handlerrsysrMr3openwritegetpidcloser.IOErrorrMainrstartrr?rArerrNremove) rHsockpidfileforceobserverconfreterrrYpidFiler2s r%r~z Server.startssH(5/// ] ) ;;()))    3 k 5 a&) &ABB /C LL #C ( ((DHHW&78899988It,,$.txx-94?OQQRRR488Jo14??|EEFFFDHH['34HHIII ++f++%w777 ]! ;;   ^^}$$ ^V] +11qq$/0000fnd&;<<<#.4 <<&0007 '3  7 ==")++%&&& ==???? 7 444 <</333333334n#%%IN N ,,'(((14#DM224 $ 3 34D%(((( 111 <<,a000000001))+++4 <<$g...9W 7 444 <</3333333334sJA7KL %LL ,A"O O>O99O>/QQ>Q99Q>cd|_td|j|jt dkr4|jD]\}}tj||tj }|$| drd}dt_ | || |j r |j d|_ |j |j d|_tddS)NcdS)NFr#r#r$r%zServer.quit..ser$zShutdown in progress...rcF) forceQuitzExiting Fail2ban)rNrLrgrAstop_communicationr&rGitemsrWrr}stop stopAllJailr=r{)rHrYshobsMains r%rNz Server.quitsFm$)++'((( #((***^^}$$#))++uq" M!R N'  llUl##G9>  <<>>> Y9??49 #4++ !!!!!r$cd}|j|r|j|r|j|}|j|kr(d}t d|d|j|<nAt d||j|||d|j|=|r!|j|||j |j '|j |j|dSdS)NTFzReload jail %rz"Restart jail %r (reason: %r != %r)r) r@rkr<existsbackendrLrgdelJailaddr=addJail)rHr1raddflgjails r%rzServer.addJails  & T"" "t|':':4'@'@ " ,t 4 lg F KK $''' $D KK4dDL'RRRLLDL!!! D! .<D'49--- Y9T\$'(((((r$c|j|}|s|r||||r+|j|j||j|=dSdS)Nrjoin)r<isAliverr=r)rHr1rrrs r%rzServer.delJails{ d $ #T\\^^#99$T9"""  iId |Dr$c&|j5|j|}|s|n,||jvr#t d||j|=|jrd|_ddddS#1swxYwYdS)NzJail %r reloadedF)r;r<rr~r@rLrgidle)rHr1rs r% startJailzServer.startJails { ,t 4 ,,.."JJLLLL ### KK"D))) D! iDIsA1BB  B ct|j5||dddddS#1swxYwYdS)NTr)r;rrHr1s r%stopJailzServer.stopJails {!!<<4<   !!!!!!!!!!!!!!!!!!s -11ctd|j5t|jD]}||ddt|jD]}||dd ddddS#1swxYwYdS)NzStopping all jailsTFr)rLrgr;listr<keysrrs r%rzServer.stopAllJails++"### {..DL%%''((..tLLDuL----DL%%''((..tLLEL----. ..................sBB33B7:B7c~tjtjdSr)r CACHE_nameToIpclearCACHE_ipToNamerHs r% clearCacheszServer.clearCaches(s2 !!! !!!!!r$c|r|jr/|dks|j|rtdtd|dkrd|zndz|j5|dkrbd}d|vs|j|r |j|}|r2d|vr||d|vr| |nD| d|vr|d|vr| |j D]X\}}|dks||krGd |_ ||j|<|jd |jd Y ddddS#1swxYwYdS|j5g}|j D]Z\}}||jvr||$|jd |jd [|D]}|| dddn #1swxYwYi|_td dS) Nz--allzReload already in progresszReload zjail %sz all jailsz --if-existsz--unbanz --restartT)beginFzReload finished.)r@rk ValueErrorrLrgr;r<r setUnbanIPrrrrrfilterreloadactionsappendr)rHr1optsrrjndeljailss r% reloadJailszServer.reloadJails-sG 4# 3tw$2E2I2I$2O2O 1 2 22 ;;y$'//Y--{STTT    w TT!!T\%8%8%>%>! \$ d  d   t    }}T T oot L&&((&&D 2::di $d" kt$$$ l%%%=                  B  HL&&((''D d!!!oob ku%%% l&&&& \\"               4 ;;!"""""s&)DFFF*BII I c*||j|_dS)NTr<rrHr1values r% setIdleJailzServer.setIdleJailds!$,t r$c&|j|jSrrrs r% getIdleJailzServer.getIdleJailhs d   r$cNt||j|j_dSr)rr<r ignoreSelfrs r% setIgnoreSelfzServer.setIgnoreSelfls )1%$,t&&&r$c0|j|jjSr)r<rrrs r% getIgnoreSelfzServer.getIgnoreSelfos d  " --r$cP|j|j|dSr)r<r addIgnoreIPrHr1ips r%rzServer.addIgnoreIPr&,t''+++++r$cP|j|j|dSr)r<r delIgnoreIPrs r%rzServer.delIgnoreIPurr$cJ|j|jSr)r<r getIgnoreIPrs r%rzServer.getIgnoreIPx d  " . . 0 00r$c|j|j}t|tr|||dSdSr)r<r isinstancer addLogPath)rHr1fileNametailfilter_s r%rzServer.addLogPath{sI L  %'$$& h%%%%%&&r$c|j|j}t|tr||dSdSr)r<rrr delLogPath)rHr1rrs r%rzServer.delLogPathsG L  %'$$  h  r$c|j|j}t|tr|St d|zgS)Nz$Jail %s is not a FileFilter instance)r<rrr getLogPathsrLrMrHr1rs r% getLogPathzServer.getLogPathsR L  %'$$      <<6=>>> 9r$c|j|j}t|tr||dSdSr)r<rrr addJournalMatchrHr1matchrs r%rzServer.addJournalMatchG L  %'''" 5!!!!!""r$c|j|j}t|tr||dSdSr)r<rrr delJournalMatchrs r%rzServer.delJournalMatchrr$c|j|j}t|tr|St d|zgS)Nz'Jail %s is not a JournalFilter instance)r<rrr getJournalMatchrLrMrs r%rzServer.getJournalMatchsR L  %'''  ! ! # ## <<9D@AAA 9r$cT|j|j}||dSr)r<rsetLogEncoding)rHr1encodingrs r%rzServer.setLogEncodings+ L  %' """""r$cN|j|j}|Sr)r<rgetLogEncodingrs r%rzServer.getLogEncodings# L  %'    ! !!r$cP|j|j|dSr)r<r setFindTimers r%rzServer.setFindTime&,t''.....r$cJ|j|jSr)r<r getFindTimers r%rzServer.getFindTimerr$cP|j|j|dSr)r<rsetDatePattern)rHr1patterns r%rzServer.setDatePatterns&,t**733333r$cJ|j|jSr)r<rgetDatePatternrs r%rzServer.getDatePattern d  " 1 1 3 33r$cP|j|j|dSr)r<rsetLogTimeZone)rHr1tzs r%rzServer.setLogTimeZones&,t**2.....r$cJ|j|jSr)r<rgetLogTimeZoners r%rzServer.getLogTimeZonerr$c4||j|j_dSrr<r ignoreCommandrs r%setIgnoreCommandzServer.setIgnoreCommands,1$,t)))r$c0|j|jjSrrrs r%getIgnoreCommandzServer.getIgnoreCommands d  " 00r$cdtd|zdz\}}||j|j_dS)Nzcache[])rr<r ignoreCache)rHr1roptionss r%setIgnoreCachezServer.setIgnoreCaches4!(5."455.%*1$,t'''r$c0|j|jjSr)r<rrrs r%getIgnoreCachezServer.getIgnoreCaches d  " ..r$cn|j|j}td|||_dS)Nz prefregex: %r)r<rrLrM prefRegex)rHr1rflts r% setPrefRegexzServer.setPrefRegexs1 T!#,, %(((#---r$c0|j|jjSr)r<rrrs r% getPrefRegexzServer.getPrefRegexs d  " ,,r$c|j|j}|s|f}|D]2}td|||3dS)Nz failregex: %r)r<rrLrM addFailRegexrHr1rmultipler s r%rzServer.addFailRegexsb T!# #E85e <<!5)))Er$NcP|j|j|dSr)r<r delFailRegexrHr1indexs r%rzServer.delFailRegexs&,t((/////r$cJ|j|jSr)r<r getFailRegexrs r%rzServer.getFailRegexs d  " / / 1 11r$c|j|j}|s|f}|D]2}td|||3dS)Nz ignoreregex: %r)r<rrLrMaddIgnoreRegexrs r%rzServer.addIgnoreRegexsb T!# #E85e <<#U+++er$cP|j|j|dSr)r<rdelIgnoreRegexrs r%rzServer.delIgnoreRegexs&,t**511111r$cJ|j|jSr)r<rgetIgnoreRegexrs r%rzServer.getIgnoreRegexrr$cP|j|j|dSr)r<r setUseDnsrs r%rzServer.setUseDnss&,t%%e,,,,,r$cJ|j|jSr)r<r getUseDnsrs r%r zServer.getUseDnss d  " , , . ..r$c>||j|jj_dSrr<r failManager maxMatchesrs r% setMaxMatcheszServer.setMaxMatchess5:$,t'222r$c:|j|jjjSrr"rs r% getMaxMatcheszServer.getMaxMatchess d  " . 99r$cP|j|j|dSr)r<r setMaxRetryrs r%r)zServer.setMaxRetryrr$cJ|j|jSr)r<r getMaxRetryrs r%r+zServer.getMaxRetryrr$cP|j|j|dSr)r<r setMaxLinesrs r%r-zServer.setMaxLinesrr$cJ|j|jSr)r<r getMaxLinesrs r%r/zServer.getMaxLinesrr$cV|j|jj|g|Rd||jvidS)Nr)r<rrr@)rHr1rargss r% addActionzServer.addActionsP $,t '''' $% %'''''r$c&|j|jSrr<rrs r% getActionszServer.getActionss d  ##r$c,|j|j|=dSrr4rs r% delActionzServer.delAction s l4 '''r$c2|j|j|Srr4rs r% getActionzServer.getAction s d  #E **r$cP|j|j|dSr)r<r setBanTimers r%r;zServer.setBanTimes&,t''.....r$c6|j|jj|Sr)r<r addAttempt)rHr1r1s r% addAttemptIPzServer.addAttemptIPs -d  " -t 44r$cL|j|j|Sr)r<r addBannedIPrs r%setBanIPzServer.setBanIPs d  # / / 6 66r$c||j|g}n&t|j}d}||duz}|D]!}||j||z }"|S)Nr)ifexists)r<rvaluesrremoveBannedIP)rHr1rrCjailscntrs r%rzServer.setUnbanIPs  L  55  ##%% & &5 # tt|(@@d$, % %eh % ? ??33 *r$c||j|g}n&t|j}g}|Y|rW|D]S}g}|D]7}|j|gr||j8||TnA|D]>}|j|}||cS||j|i?|Sr)r<rrDr getBannedrr1)rHr1idsrFresrrrs r%bannedz Server.banned&s  L  55  ##%% & &5 # \c\ r C t$$ jjJJsOOOO ""t ,  % %C  ZZZ ZZC !!!! *r$cJ|j|jSr)r<r getBanTimers r%rNzServer.getBanTime@s d  # . . 0 00r$cL|j|j|S)zReturns the list of banned IP addresses for a jail. Parameters ---------- name : str The name of a jail. Returns ------- list The list of banned IP addresses. )r<r getBanList)rHr1withTimes r%rPzServer.getBanListCs" d  # . .x 8 88r$cH|j|||dSr)r<setBanTimeExtra)rHr1optrs r%rSzServer.setBanTimeExtraRs%,t$$S%00000r$cB|j||Sr)r<getBanTimeExtra)rHr1rTs r%rVzServer.getBanTimeExtraUs d  + +C 0 00r$cF|jduo|jSr)rAisActivers r% isStartedzServer.isStartedXs$ 4 ' ID,>,G,G,I,IIr$c|t|j|krdSt|jD]}|sdSdS)Nrr)lenr<rrDr)rHjailnumrs r%rzServer.isAlive[sg S..'99 !4<&&(())  d ,,.. 11 r$cV |jt|j}|d|}dt |jfd|fg}||jS#|jwxYw)Nz, zNumber of jailz Jail list)r;acquirerr<sortrr[release)rHrFjailListrs r%statusz Server.statusds ;   5::<<<ii8 S.. /X 3 ;4;s A1B B(basiccD|j||S)N)flavor)r<rb)rHr1res r% statusJailzServer.statusJailps d  " "& " 1 11r$cT|}|j5|j|kr ddddSt|}t dt dks|tjkr|nt||_ddddS#1swxYwYdS)Nfail2ban INHERITED) upperr:rBrrsetLevelrqloggingDEBUGro)rHrlls r%rnzServer.setLogLevels  ++--%  o  U2 Z!! ; & &"w}*<*J 7 7 7DDX~~j(3399;;H#:(68IJJXX ::: \\=z~~j?Y?YZZZ .9XXX: f$$___7;;ooT & '.., - -' - $ & &'   * * H + . .TT \\"12333 IhhhhhhhhJ )))   , ,DDX   , ,DD &#   0 0 8 8TT  \\'000 [[0$2BCCC chhhhhhhh\ j ! !6/$$B$'   w !!!  ]]___ ]]____  !    43#3v#=#= $>#=    GM11 ~mf&>&>&@&@@1DT^ ^^J ' '7 wGG33G wGGGnnXr""b(( .. " "CCG ~!dnq&8&8~aW Wgw G G GC !!!g',,--- T " KK$go666 KKK 8    664&&& ( ( (  4 Qhhhhhhhhhhhhhhhhhhs UU#A"U"C)(U)AD:7U9D::C)U0AU9AJ;:U;ALUL9U (M21U22N'$U&N''F'UU"Uc|j5|j|kr ddddS||_dddn #1swxYwY|jdkp||jS)NTrw)r:rErCrp)rHr`s r%rlzServer.setSyslogSockets && \)) &&&&&&&&&4&&&&&&&&&&&&&&&  X % -  4+ , ,-s 5599cR|j5|jcdddS#1swxYwYdSr)r:rCrs r% getLogTargetzServer.getLogTargetsu   rqcR|j5|jcdddS#1swxYwYdSr)r:rErs r%getSyslogSocketzServer.getSyslogSocketsu   rqc|jdvrtdjD]} |td|jz:#t $r9|td|jzY|wxYwdStdjD]8}|td|jz9dS)N)r}rrwrtrhzrollover performed on %szflush performed on %sz rolled overflushed)rCrr doRolloverrLrgrr)rHrs r%rSzServer.flushLogss NNNJ''0==w=  [[+d.>>???? === ]]___ [[(4+;;<<<<<= -J''0<s Y 49%11 6  x~~''611 6! 9 ; ;; ^^499H8$$DII LL^ >##### r$c|jSr)r=rs r% getDatabasezServer.getDatabaseUs r$cdD]2tjrfd}|cS3td)zGenerate a list of open file descriptors. This wouldn't work on some platforms, or if proc/fdescfs not mounted, or a chroot environment, then it'd raise a FileExistsError. )z /proc/self/fdz/proc/fdc3KtjD]'}|rt|V(dSr)r)listdirisdigitr)r1r*s r%fdlistz#Server.__get_fdlist..fdlistdsJD!!  YYr$zfd-list not found)r)r*rr/)rr*s @r% __get_fdlistzServer.__get_fdlistXsl  d gnnT 688OOO  +,,,r$c|tjtj t j}n'#t $r}d|j|jffcYd}~Sd}~wwxYw|dkrt j  t j}n'#t $r}d|j|jffcYd}~Sd}~wwxYw|dkrt j dnt j dndS | }d}nH# t j d}n#ttf$rd}YnwxYwt!|dz}YnxYwt"jdd d kr~t jd tj}|D]G} tj||st j|8#t $rYDwxYwt j|nF|dkr+|D]'} t j|#t $rY$wxYwnt jd|t jd tjt jd tjt jd tjd S)z Detach a process from the controlling terminal and run it in the background as a daemon. http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/278731 FNr/r SC_OPEN_MAXrr)rrz /dev/urandomz /dev/null)T)r[rWSIGHUPSIG_IGNr)forkr.r0strerrorsetsidchdir_exit_Server__get_fdlistsysconfrrrangerwrrxO_RDONLYr* sameopenfiler{ closerangeO_RDWR)rHpidr2rmaxfd urandom_fdfds r%__createDaemonzServer.__createDaemonlsV]FN333 ) 33 ))) 17AJ' ((((((() AXX9;;;* '))CC *** AGQZ( )))))))* axxHSMMMMHQKKKK $      6 55 J} % %EE : & EEE %'NN666 aci'' 44:   r G R 0 0hrlll     T 8J {{   r Xb\\\\     T  =E'+r{###'+ry!!!'+ry!!! sA A$ AA$A$B B9B4.B94B9/DE  DE D41E 3D44E  4F?? G  G /H HH)F)TTr)NNT)NN)rc)Yr" __module__ __qualname__rJrtrvr[r~rNrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr r rrrrrrrr r%r'r)r+r-r/r2r5r7r9r;r>rArrLrNrPrSrVrYrrbrfrnrprprlrrrS staticmethodrrrrrrrhr#r$r%r5r5Os* ',dN4N4N4N4`,",","^)))(   !!!...""" 5#5#5#n!!!999...,,,,,,111&&&&       """ """    ###"""///111444444///444222111222/// ---0000222222444---///;;;:::///111///111''' $$$(((+++///555777         4111 9 9 9 9111111JJJ       2222   "lllf--- **,*,,,777$$$.--,-&_____r$r5ceZdZdS)rjN)r"rrr#r$r%rjrjsr$rj)3 __author__ __copyright__ __license__rrrrlr)rWrrwrrrrFr rr r r transmitterr asyncserverrrrrhelpersrrrrrrrr"rLrmrorqdatabaser ImportErrorr&r/ NameErrorr.r3r5 Exceptionrjr#r$r%rsW. 2  !!!!!!!! ////////7777777777$$$$$$::::::::333333333333333333 8    !!!!!!! 666    | | | | | | | | ~ s$7A>>BBBBB