BdpdZdZdZdZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddlZ ddlmZmZddlmZmZmZ dd lmZn #e$rdZYnwxYwdd lmZmZd d lmZdd lmZmZm Z ddl!m"Z"m#Z#ddl$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*e(dZ+d%dZ,dZ-d&dZ.d'dZ/dZ0dZ1dZ2GddeZ3dZ4Gdde5Z6Gd d!e5Z7Gd"d#e5Z8d$Z9dS)(z Fail2Ban reads log file that contains password failure report and bans the corresponding IP addresses using firewall rules. This tools can test regular expressions for "fail2ban". zFail2Ban DevelopersaICopyright (c) 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors Copyright of modifications held by their respective authors. Licensed under the GNU General Public License v2 (GPL). Written by Cyril Jaquier . Many contributions by Yaroslav O. Halchenko, Steven Hiscocks, Sergey G. Brester (sebres).GPLN) OptionParserOption) NoOptionErrorNoSectionErrorMissingSectionHeaderError) FilterSystemd)version normVersion) FilterReader)Filter FileContainerMyTime)RegexRegexException) str2LogLevelgetVerbosityFormatFormatterWithTraceBack getLoggerextractOptions PREFER_ENCfail2banFyesctj|||dd}|rd|d<dtj|zS)N)useDnspython)restrflavormflagszhttps://www.debuggex.com/?)r_resolveHostTagurllibparse urlencode)sampleregex multilinerargss ?/usr/lib/python3/dist-packages/fail2ban/client/fail2banregex.py debuggexURLr-?sR eF333     "stG}$v|'='=d'C'CCCc$t|dSN)printr+s r,outputr3Hstr.5cLt||kr|d|dz dzS|S)zReturn shortened string N...)len)sls r,shortstrr;Ks.FFQJJ 4AaC45 r.ct|sdS|rd|z}nd}t|dzd|zdzdS)Nz|- %s z| z | z `-)r8r3join)r:headerr9s r, pprint_listr@RsZ A &  &!!!UW\\!__ $v -/////r.c#K |}n#t$rY#wxYw|sdS||VBr0)get_nextOSErrorformatJournalEntry)flt myjournalentrys r,journal_lines_genrH[so&     55     8  5 u%%%%%&s  ''cdtttjddSNr)r3r sysexitr2s r,dumpNormVersionrMes% !r.c,dtjdzS)Nz(%s [OPTIONS] [IGNOREREGEX]r)rKargvr.r,rQis:SXa[Hr.ceZdZdZdS) _f2bOptParsercd|_dtzdztzdztj|g|Ri|zdztzdzS)z, Overwritten format helper with full ussage.r=zUsage:  a LOG: string a string representing a log line filename path to a log file (/var/log/auth.log) systemd-journal search systemd journal (systemd-python required), optionally with backend parameters, see `man jail.conf` for usage and examples (systemd-journal[journalflags=1]). REGEX: string a string representing a 'failregex' filter name of filter, optionally with options (sshd[mode=aggressive]) filename path to a filter file (filter.d/sshd.conf) IGNOREREGEX: string a string representing an 'ignoreregex' filename path to a filter file (filter.d/sshd.conf) z> Report bugs to https://github.com/fail2ban/fail2ban/issues )usage__doc__r format_help __copyright__)selfr+kwargss r,rXz_f2bOptParser.format_helplsq$* UWW t #g -1   777777! 8 ;! $% $% r.N)__name__ __module__ __qualname__rXrPr.r,rSrSks#r.rScttdtz}|t ddddt dd d t d d dddt ddt dt dddddt ddddt ddt ddt d d!d" t d#d$d%d&d'(t d)d*td+,t d-d.d/d0dd12t d3dd0t d45t d6d7dd89t d:d;dd<9t d=d>d?d@dA2t dBdCddDddE2t dFddG9t dHddI9t dJddK9t dLddM9t dNddO9t dPdQddR9t dSddT9g|S)UNz%prog )rVr z-cz--configz /etc/fail2banzset alternate config directory)defaulthelpz-dz --datepatternz+set custom pattern used to match date/times)raz --timezonez--TZstorez)set time-zone used by convert time format)actionr`raz-ez --encodingz%File encoding. Default: system localez-rz--raw store_trueFzRaw hosts, don't resolve dnsz--usednszpDNS specified replacement of tags in regexp ('yes' - matches all form of hosts, 'no' - IP addresses only)z-Lz --maxlinesrzmaxlines for multi-line regex.)typer`raz-mz--journalmatchzGjournalctl style matches overriding filter file. "systemd-journal" onlyz-lz --log-level log_levelcriticalz(Log level for the Fail2Ban logger to use)destr`raz-Vcallbackz,get version in machine-readable short format)rcriraz-vz --verbosecountverbosezIncrease verbosity)rcrhr`raz --verbosityz'Set numerical level of verbosity (0..4))rcrhreraz--verbose-datez--VDz%Verbose date patterns/regex in output)rcraz-Dz --debuggexz-Produce debuggex.com urls for debugging therez--no-check-all store_false checkAllRegexTzDisable check for all regex'sz-oz--outoutzaSet token to print failure information only (row, id, ip, msg, host, ip4, ip6, dns, matches, ...)z--print-no-missedzDo not print any missed linesz--print-no-ignoredzDo not print any ignored linesz--print-all-matchedzPrint all matched linesz--print-all-missedz*Print all missed lines, no matter how manyz--print-all-ignoredz+Print all ignored lines, no matter how manyz-tz--log-tracebackz.Enrich log-messages with compressed tracebacksz--full-tracebackzBEither to make the tracebacks full, not compressed (as by default))rSrVr add_optionsrrintrM)ps r,get_opt_parserrrs '' w    z? +--- 8:::vgt 6888|Z 2444w|U )+++GT KLLL |#q +--- !""" }  5777 j? 9;;;{7 !!! wYS 4666 6, 2444|L :<<< -ot *,,,wwUD nppp \ *,,, l +--- | $&&& l 7999 | 8:::  ;=== L OQQQe4444l r.c8eZdZdZdZdZdZdZdZdZ dS) RegexStatcHd|_||_t|_dSrJ)_stats _failregexlist_ipList)rZ failregexs r,__init__zRegexStat.__init__s$+$/$,,,r.c<d|j|j|j|jfzS)Nz%s(%r) %d failed: %s) __class__rwrvryrZs r,__str__zRegexStat.__str__s%  ~t T\B CCr.c&|xjdz c_dSNr rvr~s r,incz RegexStat.incs++++++r.c|jSr0rr~s r,getStatszRegexStat.getStatss r.c|jSr0)rwr~s r, getFailRegexzRegexStat.getFailRegexs r.c:|j|dSr0)ryappend)rZvalues r,appendIPzRegexStat.appendIPs,er.c|jSr0)ryr~s r, getIPListzRegexStat.getIPLists r.N) r\r]r^r{rrrrrrrPr.r,rtrts CCCr.rtc$eZdZdZdZdZdZdS) LineStatsz(Just a convenience container for stats cdx|_|_g|_d|_g|_d|_g|_|jrg|_g|_ g|_ dSdSrJ) testedmatched matched_linesmissed missed_linesignored ignored_linesdebuggexmatched_lines_timeextractedmissed_lines_timeextractedignored_lines_timeextracted)rZoptss r,r{zLineStats.__init__sh  $+ $$+$$,$ ])&(4#%'4"&(4###))r.c d|zS)NzM%(tested)d lines, %(ignored)d ignored, %(matched)d matched, %(missed)d missedrPr~s r,rzLineStats.__str__s X[_ __r.cFt||rt||ndS)Nr=)hasattrgetattr)rZkeys r, __getitem__zLineStats.__getitem__s&&tS11 9s   r9r.N)r\r]r^rWr{rrrPr.r,rrsN ) ) )```:::::r.rcjeZdZdZdZdZdZdZdZdZ dZ d Z dd Z d Z d ZdZdZdZd S) Fail2banRegexc|jtd|jD||_d|_d|_d|_t|_td|_ d|_ t|_ t|_t|_d|_t#||_|jr||jnd|_|j,|t1j|j|jr|j |jd|j _ t;jdddlm }||j!r|"|j!|j#r|j $|j#|j%|j _&|j'o|j( |j _'tS|j(|j _*|j+|j _,d|_-dS) Nc3*K|]\}}d|z|fVdS)_NrP).0ovs r, z)Fail2banRegex.__init__..s.GG#!ASU1IGGGGGGr.FrTr ) _updateTimeREauto).__dict__updatedictitems_opts _maxlines_set_datepattern_set _journalmatch share_configr_filter_prefREMatchedrx _prefREGroups _ignoreregexrw _time_elapsedr _line_statsmaxlines setMaxLines _maxlines journalmatchsetJournalMatchshlexsplittimezonesetLogTimeZone checkFindTimersetAlternateNowserver.strptimer datepatternsetDatePatternusedns setUseDnsraw returnRawHostrmrnbool ignorePending_onIgnoreRegex onIgnoreRegex_backend)rZrrs r,r{zFail2banRegex.__init__s-tGG1D1D1F1FGGGGGHHH$*$$$FF$$,$vv$ff$FF$/$t__$ ]DM""""4> " D$566777 ].<t}---$$, !......=??? )t'((( ['<$+&&&#x$,#1B$(l$,#DH~~$,#2$,$---r.c@|jjst|dSdSr0)rrnr3rZlines r,r3zFail2banRegex.output!s %%%r.c8||jdS)Nignore)encode _encodingrs r, encode_linezFail2banRegex.encode_line$s T^X . ..r.c|js]|j|d|_|<|d|d|jddSdSdS)NTzUse datepattern : z : r )rrrr3getDatePattern)rZpatterns r,rzFail2banRegex.setDatePattern's 4<w'''4 KKK WWdl))++A..244444 44r.c|js_|jt|d|_|d|jzdSdS)NTzUse maxlines : %d)rrrrpr3 getMaxLinesrZrs r,rzFail2banRegex.setMaxLines/sj K<CFF###4;;+dl.F.F.H.HHJJJJJKKr.c||_dSr0)rrs r,rzFail2banRegex.setJournalMatch5s$r.c i}|}ddgt|zD]8} ||vr||n|d|||<)#t$rY5wxYw|d|zdS)Nlogtyper DefinitionzReal filter options : %r) getCombinedrxkeysgetrr3)rZreaderfltOptrealoptscomboptsks r,_dumpRealOptionszFail2banRegex._dumpRealOptions8s (    ! !( } %V[[]](;(; ;  a !"h(1++FJJ|Q4O4OHQKK    D ++)H455555s%A&& A32A3c  |dvsJ|dz}|jj}|}d}i}|dkrHtjd|r2 t |\}}d|ddvr|f}n ||dz|dzf}|D]}d |vrft j|d kr!t j||}nAt j|d |}nt j |}t j |rnd}nR#t$rE} td t| td ||jr| Yd} ~ d Sd} ~ wwxYw|b||jjks3t j|d ksd|ddvrd |vrt j|d krt j |}t jt j|d}| d|dd|d|n\| d|dd|d}t j|st j|}|r| d|zt%|d||j|} d} || } n)| d| } n?#t$r2} tdt| |jr| Yd} ~ nd} ~ wwxYw| std|zd S| |j| d|jdks't4t8jkr|| || } i} | D]}|ddkr |d}n|ddkr |dd}n0 |ddkr|D]}||j _!n7|ddkrR| "d}|stGx}| d<|D]$}|$tK|%n|dd krR| "d!}|stGx}| d!<|D]$}|$tK|%n{|dd"kr|D]}|&|nT|dd#kr|D]}|'|n-|dd$kr!|jj(|)|#tT$r-} td%|dd&|d'|d(| Yd} ~ d Sd} ~ wwxYwn;| d|dd)tW||tK|gi} | ,D]h\}} |dz}t[|d*|z| | D]G}t]|j d+|/z|0Hid,S)-N)failrr)rz"(?ms)^/{0,3}[\w/_\-.]+(?:\[.*\])?$.iz.confz.local/zfilter.dz%ERROR: Wrong filter name or options: z while parsing: FrzUse z>11z filter file : z , basedir: z file : zUse filter options : %rzfail2ban-regex-jail)rbasedirzWrong config file: zERROR: failed to load filter %sr z multi-setr6setr prefregex addfailregexaddignoreregexrrraddjournalmatchzERROR: Invalid value for z (z ) read from : z line : rz add%sRegexT)1rconfigrsearchrospathbasenamer>dirnameisfile Exceptionr3r _verbosesplitextisabsabspathrrread setBaseDir readexplicitapplyAutoOptionsr getOptionslogSysgetEffectiveLevelloggingDEBUGrconvertr prefRegexrrxrrtrrrr ValueErrorr;rsetattrrtitler)rZr regextyper)rfltNamefltFilertryNameserretreadercommands regex_valuesoptoptvalstors r, readRegexzFail2banRegex.readRegexEs ( ( ( ( ( g % J ' ' ' &&i5u==%e,,_Wf wrss|hh7W,g.@Ah   G^^ '  7 # #z 1 1',,w00',,w G<<))w    ugg  VQ ABBB V%% 1222 Qx EEEEE   $*### w  J.. 7233<Cw$6$6 w  J..ww''Wgrw//8899!<##s 1v!fVV Q5!""gVV  A+''& &t|' a&N " "   f % %d 774,v.&&& {{9V$$%%%%& a&$ $ $   h ' 'd 946694,x0&&& {{9V$$%%%%& a&J    &  a&M ! !##& 6""""# a&% % %  ( F###  V!!ffffffeeeQQ8::: EEEEEEA#L;;;x?AAAy//01 _debuggexrr_print_all_matchedrrr processedLine)rZrdate orgLineBuffer fullBuffer is_ignoredfoundlinesrmatchr)prerbufLines r, testRegexzFail2banRegex.testRegexs,2- \!## #==!!T\%=%=%?%??*#((*t  < # #D$ / /5 5 3  u :> \\#c((1* _U1X &U YY[[[ ^^E 8<< ! !ZZZZ jn d? l ) , C ~~) A ) T  4> 1 1   1111 d ! !T^ 3 3 !!%(((  ;? ----- \!##J 0 01""wdl666  #'' $**2777+;+;<<>>> ! 266 399 1    !!!     d  - ^- %,,RWWW-=-=>>>> ||GAJ+,,, " ! << **,,--- ))E  4 sZ44#4 55s3(CH>CH H* H%%H*5B.L$$ L10L1c|jjdvrd}n>dkrd}n4dkrd}n*dkrd}n d vrfd }nd d lmmmd fd}|S)zOPrepares output- and fetch-function corresponding given '--out' option (format))idfidc:|D]}t|ddSr)r3rrs r,_outz+Fail2banRegex._prepaireOutput.._out s,  AaD\\\\r.ipcn|D]1}t|dd|d2dS)Nr6rBr r3rr?s r,rAz+Fail2banRegex._prepaireOutput.._outsB "" AaDHHT1Q4 !!!!""r.msgc|D]c}|ddD]E}t|tsdd|D}t |FddS)Nr6matchesr=c3K|]}|VdSr0rPrr@s r,rz>Fail2banRegex._prepaireOutput.._out....1......r.)r isinstancer r>r3r?s r,rAz+Fail2banRegex._prepaireOutput.._outsy dhhy!! 3  ! 77..a... q Qiiiir.rowc |D]V}td|dd|ddtd|dDdWdS)N[r z, r c30K|]\}}|dk ||fVdS)rGNrP)rrrs r,rz>Fail2banRegex._prepaireOutput.._out..s6/a/a$!QRSW`R`R`1R`R`R`R`/a/ar.r6z],)r3rrr?s r,rAz+Fail2banRegex._prepaireOutput.._outsr dd V1addd4/a/a!A$**,,/a/a/a+a+a+a+a bccccddr.._outs;  AaDHHTNNr.r )Actions CommandAction BanTicketc:|dvr|ddS|S)N)rEz\x00)replace)trs r,_escOutz.Fail2banRegex._prepaireOutput.._escOut$s& IIfg & && Hr.c.g}ddi|D] ddd}|}fd}||d<  | }dr||fzt||D]|\}dd D][t t sd d D|d t\}dS)NNLrr r r6)timedatacds5tddgdkr|dSdd<dS)Nr\r6rGr msg)r8r)rZr@wraps r,_get_msgz=Fail2banRegex._prepaireOutput.._out.._get_msg0sK $ZC!B 7 788A==9otDzmr.rE) escapeValrGr=c3K|]}|VdSr0rPrIs r,rz>Fail2banRegex._prepaireOutput.._out..ArJr.r`) ActionInforeplaceDynamicTagsrr3rrKr r>rX) rrowsticketaInforbrr@rarSrUrTrZrRs @@r,rAz+Fail2banRegex._prepaireOutput.._out)sZ D 8D i!1Q4ad333V    ' 'U U5\  ) )$ ) I IQ T  kk1a& AYYYY1dhhy!! 3  ! 77..a... q ))M1 % %a Qiiii r.)rrnserver.actionsrSrTrU)rZrArSrUrTrZrRs @@@@@r,_prepaireOutputzFail2banRegex._prepaireOutputs $ ] t||"""" u}}  u}}dddd $BAAAAAAAAA   6 +r.c^tj}|jjr|}|D]Z}t |t rB||d|d\}}}d|d}nF|d}| ds|s||\}}}|jjr!t|dkr |s |||r|j xj dz c_ |j sd|js|j j |jdzkrE|j j||jr|j j|nt|dkrb|j xjdz c_|jrE|j j||jr|j j|n|j xjdz c_|jsd|js|j j|jdzkrE|j j||jr|j j||j xjdz c_\tj|z |_dS)Nrr r=z #)r]rrnrkrKtupler:r>rstrip startswithr8rr_print_no_ignored_print_all_ignoredrrrr.rrr/rrr_print_no_missed_print_all_missedrrrr)rZ test_linest0rnrline_datetimestrippedrr4s r,processzFail2banRegex.processGs y{{" Z^    3! ! duB-1^^DGT!W-M-M*3 7747  DD ;;v  D s4 -1^^D-A-A*3  jn  3xx!||J|C P!  !Qt'>Q$BRBZ^b^lop^pBpBp #**4000 Q 299:OPPP C1 ! Q #**4000 Q 299:OPPPq   Pd&<P@P@W[_[ilm[m@m@m "))$/// P 1889NOOOay{{R'$r.c j}|j|j|j|jzz ksJ||}||dz}jdk |r |d}jr|dks|dkrj }nj }||dz}|j kstd|zrCgg}||fD] fd|D} fd |D}td |D|dStd |||fzdS|j kstd|zrtd |D|dStd |||fzdSdS) N_linesr z line(s):rr_lines_timeextracted _print_all_c&g|] }D]}||gz SrPrP)rxyargs r, z,Fail2banRegex.printLines..s, 1 1 1!C 1 1qa1#g 1 1 1 1r.c g|]y}|ddz|dzdzt|d|djjzzS)rz | r z | )rr-rrr)rar*rZs r,rz,Fail2banRegex.printLines..s 3 3 3)* A$%-!A$++-- - 6$""1Q4((!A$*;*;*=*=$*#%% % 3 3 3r.c6g|]}|SrProrr~s r,rz,Fail2banRegex.printLines..s (((!((**(((r.z?%s too many to print. Use --print-all-%s to print all %d linesc6g|]}|SrPrrs r,rz,Fail2banRegex.printLines..s ''''''r.)rrrrrrr capitalizer.rwrrrr@r3) rZltypelstatsr6r:r? regexlistansbrr*s ` @@r, printLineszFail2banRegex.printLinesps  & &-6>FN+JK K K K K -% UX !l&&((1,) :"--//// 16 n: EY..YY"Yu--.A t~}u/D!E!E 4SI22 1 1 1 1s 1 1 1cc 3 3 3 3 3.1 3 3 3Q((a(((&11111  #)5%"89;;;;; '$ 0E"F"F''Q'''00000  "(%!7 8:::::-::r.c jjrdStdtdtdfd}jjrrjj}|g}jr"jD]}|d|tddj fzt||d j }|d j }jj td g}jj jD]}js|jr|d |j|jfzjr`|d |j|jjt)|ddfz|dt)|ddt|dtdjzjtdjztdjrdjsdjsddS)NTr=Resultsz=======c \dg}}t|D]\}}|}||z }|s jr0|d|dz||fz jrt |rs|D]^}tj|d}tj d|} |d|dd| |drd pd _td ||fzt|d |S) Nrz %2d) [%d] %sr r z%a %b %d %H:%M:%S %Y z z (multiple regex matched)r= %s: %d totalz" #) [# of hits] regular expression) enumeraterrrrr8rr] localtimestrftimer3r@) r failregexestotalrncntrzr7rB timeTuple timeStringrZs r,print_failregexesz3Fail2banRegex.printStats..print_failregexess_2#5";//77~sI    E UNE KKZZ#a% 0F0F0H0H!IIJJJ }7Y0022337""$$77.A''i=!7CCj jjj 1  2..4"467777  uen ,...s8999 2.2rz`-r=r0)rprr r8rr3rrrrrIOErrorr rsetLogEncodinggetJournalReaderrraddJournalMatchr>rHrrr;rXrrrxr) rZr+cmd_log cmd_regexrrubackendbeArgsrErFrir:s r,startzFail2banRegex.startsBQBx'9 )**4= ..F + + 5 $ii1nnT^^DGX>>n 5  ;? %%%%%W^^G%wtDDDJKK,w6888KK,t~=????  AKKK 55555+,,  :<<< 5;;-///;;+dn<>>>#G,,?7F  & &v & &3dn%%%##%%9$<tH %%%KK,sxx /E/EEGGG!#y11:: l  A%%$g*=*=KK,xe8T8T/U/UUWWWJJt$$JKK3c*ooEGGG*%%771 Q kk7ee [[[1Q3333 46666KK++r,,z    % s6A5/A55 B?BB?A D D1D,,D1r0)r\r]r^r{r3rrrrrr rr:rkrxrrrrPr.r,rrs (((T&&&///444KKK  6 6 6}}}~>6>6>6>6@<<<~'('('(R:::>FFFP>>>>>r.rcdt_t}|j|\}}g}|jr|jr|d|jr|jr|dt|dvr|d|r`| tj dd|zdztjd|js and .rUr=z Running testsz =============r z%(levelname)-1.1s: %(message)sz %(message)sz %(tb)sz %(tbc)s)exc_infor')&r exitOnIOErrorrr parse_argsprint_no_missedprint_all_missedrprint_no_ignoredprint_all_ignoredr8 print_helprKstderrwriter>rLrnr3rrfr setLevel StreamHandlerstdoutrk log_tracebackrfull_traceback Formatter setFormatterr addHandlerrrr rrgr) r+parserrerrorsrfmtr fail2banRegexrs r,exec_command_liners   !!4($ [T2[--YZZZ]d4]--[\\\ D V--8999 *4$))F+++d2333(3--- ",,,//",,,t~..      + ++/<1+<+<''. $)  * 8jC?##)YY1$,DDEEFFF6%%-- \V--//>> ??1t?$$$$ ;?(3--------  D!!(3-----sH%% J*/A1J%%J*)Fr)r4r0):rW __author__rY __license__getoptrrrrrKr]urllib.requestr% urllib.parse urllib.erroroptparserr configparserrrrserver.filtersystemdr ImportErrorr r filterreaderr server.filterrrrserver.failregexrrhelpersrrrrrrr r-r3r;r@rHrMrVrSrrobjectrtrrrrPr.r,rs&# ]   111111111111))))))))QQQQQQQQQQ1111111+*******&&&&&&999999999944444444 :  DDDD       0000&&&    IHL2< < < ~6::::::::.`````F```F55555sA AA