o ;s*b]@sdZdZdZddlZddlZddlZddlZddlZddlZddl Z ddl m Z m Z m Z ddlmZddlmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlm Z m!Z!m"Z"ddl#m$Z$m%Z%m&Z&ddl'm(Z(zddlm)Z)Wn e*ydZ)Ynwej+,ej+-e.dZ/dZ0e$dZ1GdddeZ2Gddde Z3Gddde3Z4Gddde3Z5Gdd d ej6Z7Gd!d"d"ej6Z8Gd#d$d$eZ9Gd%d&d&e Z:dd'l;mZ>Gd(d)d)e Z?dS)*z Cyril Jaquierz Copyright (c) 2004 Cyril JaquierGPLN)Regex FailRegexRegexException)actions)Server)IPAddr)Jail) JailThread) BanTicket)Utils) DummyJail)LogCaptureTestCase with_alt_timeMyTime) getLoggerextractOptions PREFER_ENC)version) filtersystemdfilespollingfail2banc@seZdZddZddZdS) TestServercOdSNselfargskwargsrr?/usr/lib/python3/dist-packages/fail2ban/tests/servertestcase.py setLogLevel<zTestServer.setLogLevelcOrrrrrrr# setLogTarget?r%zTestServer.setLogTargetN)__name__ __module__ __qualname__r$r&rrrr#r;s rcsLeZdZfddZfddZdd d Zdd d Zd dZddZZ S)TransmitterBasecs2tt||jj|_d|_|j|jtdS)Call before every test case. TestJail1N) superr*setUpserver_Server__transmtransmjailNameaddJail FAST_BACKENDr  __class__rr#r.Es zTransmitterBase.setUpcs|jtt|dSzCall after every test case.N)r/quitr-r*tearDownr5r6rr#r:Ns zTransmitterBase.tearDownrrNFc sd||g}d|g}|dur|d||d||dkr|}fdd} || |j|| ||f|sI|| |j|| d|fdSdS) zoProcess set/get commands and compare both return values with outValue if it was given otherwise with inValuesetgetNrrcsrt|S|S)zPrepare value for comparison)reprxrepr_rr#vasz%TransmitterBase.setGetTest..vr)insert assertEqualr1proceed) r cmdinValueoutValueoutCodejailrAsetCmdgetCmdrBrr@r# setGetTestTs     $zTransmitterBase.setGetTestcCsvd||g}d|g}|dur|d||d||j|d}||j|dd||j|d|fdS)Nr;r<rr)rCr1rErD)r rFrGrJrKrL initValuerrr# setGetTestNOKjs   zTransmitterBase.setGetTestNOKc Csd|}d|}||jd||gdgft|D]W\}}|jd|||g}|j|dttt|dfdttt|d|dfdd|jd||g}|j|dttt|dfdttt|d|dfddqt|D]W\}}|jd|||g}|j|dttt|dfdttt||ddfdd|jd||g}|j|dttt|dfdttt||ddfddqwdS) Nadddelr<rr;rr)level)rDr1rE enumerateassertSortedEquallistmapstr) r rFvaluesrJcmdAddcmdDelnvalueretrrr#jailAddDelTestws @B@BzTransmitterBase.jailAddDelTestc Csd|}d|}||jd||gdgft|D]/\}}||jd|||gd|d|df||jd||gd|d|dfqt|D]/\}}||jd||dgd||ddf||jd||gd||ddfqOdS)NrPrQr<rr;r)rDr1rErS) r rFinValues outValuesrJrYrZr[r\rrr#jailAddDelRegexTests0z#TransmitterBase.jailAddDelRegexTest)rrNF) r'r(r)r.r:rMrOr^ra __classcell__rrr6r#r*Cs    r*cseZdZfddZddZddZddZd d Zd d Zd dZ ddZ ddZ ddZ ddZ ddZddZddZddZdd Zd!d"Zd#d$Zed%d&Zd'd(Zd)d*Zd+d,Zd-d.Zd/d0Zd1d2Zd3d4Zd5d6Zd7d8Zd9d:Z d;d<Z!d=d>Z"d?d@Z#dAdBZ$dCdDZ%dEdFZ&dGdHZ'dIdJZ(dKdLZ)dMdNZ*dOdPZ+dQdRZ,dSdTZ-dUdVZ.dWdXZ/dYdZZ0Z1S)[ Transmittercst|_tt|dSr)rr/r-rcr.r5r6rr#r.szTransmitter.setUpcCs||jdSr) assertFalser/ isStartedr5rrr#testServerIsNotStartedsz"Transmitter.testServerIsNotStartedcC||jdgddS)NstoprNrDr1rEr5rrr#testStopServerzTransmitter.testStopServercCrg)Nping)rpongrjr5rrr#testPingrlzTransmitter.testPingcCs ||jdgdtjfdS)Nrr)rDr1rErr5rrr# testVersion zTransmitter.testVersioncCs~tjjs1t}||jddgdt}||}|jd|ko'dknd|ddS||jddgddS) Nsleepz0.1rig ףp= ?g?zSleep was %g sec)msgz0.0001)unittestF2BfasttimerDr1rE assertTrue)r t0t1dtrrr# testSleeps*zTransmitter.testSleepcCstjjs tdd\}}nd}|d||j|j| d|| d|| ddd|dd| d d d |d d|j |jt | d||j|j| |j gd d | |j ddgd | |j gdd | |j ddgd | |j gdd | |j dd gd |j |jt | |j gd d tjjst|t|dSdS)Nz.db fail2ban_z:memory:dbfile dbmaxmatches100dLIZARD dbpurgeage600X)r;r~Nonerir<)r;rr)r;r500)rtru memory_dbtempfilemkstemprOr/delJailr2rMr3r4rDr1rEoscloseunlink)r tmp tmpFilenamerrr# testDatabasesl              zTransmitter.testDatabasecCsd}d}d}||jd|dgd|f||jd|gd|f||jd|dgdd||jd|d gd|f||jd|jdgdd||jgd dddS) N TestJail2 TestJail3 TestJail4rPrrzinvalid backendrauto)rP--allrrDr1rEr2)r jail2jail3jail4rrr# testAddJails&zTransmitter.testAddJailcspjdjgdttjt fdddjdjgd jj j dS)Nstartric&jdotjdjgt S)Nrstatusr/isAlive isinstancer1rEr2 RuntimeErrorrr5rr#&z/Transmitter.testStartStopJail..rh) rDr1rEr2rwrrr DEFAULT_SLEEP_TIMErxwait_for assertNotInr/_Server__jailsr5rr5r#testStartStopJails  zTransmitter.testStartStopJailcsjdtjdjgdjddgdtt j  t fdddjddgd t fd dd jjj djjdS) Nrrricr)Nrrrrr5rr#rrz2Transmitter.testStartStopAllJail..rrhrcstjj Sr)lenr/rrr5rr#rs)r/r3r4rDr1rEr2rwrrr rrxrrrr5rr5r#testStartStopAllJail s   z Transmitter.testStartStopAllJailcCsb||jd|jddgd||jd|jddgd||jd|jddgdd dS) Nr;idleonrToffrFCATrrrr5rrr# testJailIdleszTransmitter.testJailIdlecCf|jddd|jd|jddd|jd|jddd|jd|jdd d |jd|jdd |jddS) Nfindtime120xrJ60<30mz-60iDogrMr2rOr5rrr#testJailFindTime( zTransmitter.testJailFindTimecCr) Nbantimerrr502z-50iz 15d 5h 30miCatrr5rrr#testJailBanTime/rzTransmitter.testJailBanTimecCr) N datepattern%%%Y%m%d%H%M%S)rz%YearMonthDay24hourMinuteSecondrEpoch)Nrz^Epoch)Nz{^LN-BEG}EpochTAI64N)Nrz %Cat%a%%%grr5rrr#testDatePattern6s   zTransmitter.testDatePatterncCs*|jddd|jd|jdd|jddS)N logtimezonezUTC+0400rznot-a-time-zonerr5rrr#testLogTimeZoneBszTransmitter.testLogTimeZonecCs\|jdd|jd|jdd|jd|jdd|jdd}||jd|jd|gddS) NusednsyesrwarnnoFishr;)rr)rMr2rDr1rEr r\rrr#testJailUseDNSFszTransmitter.testJailUseDNSc Cs|j|j||jd|jddddgd|jddddd ||jd|jdd gd |jd dd ||jd|jdddddgd|jddddd |jddddd |||jd|jdddgdd||jd|jdddgd|jddddd dS)Nr;banip 192.0.2.1 192.0.2.2)rr Ban 192.0.2.1 Ban 192.0.2.2TallwaitBadgerrrz Ban Badgerrunbanipz 192.0.2.255z 192.0.2.254zUnban 192.0.2.1zUnban 192.0.2.2z192.0.2.255 is not bannedz192.0.2.254 is not bannedz--report-absentrr)rr)r/ startJailr2rDr1rE assertLoggedpruneLogr5rrr# testJailBanIPQsFzTransmitter.testJailBanIPcsjjfdd}jdddjddD]}dD]}||d |gd qqjd d d d d||dddDd jdd djdd dddS)Ncsjdjd|g|S)Nr;attempt)r1rEr2)ipmatchesr5rr#rqrlz.Transmitter.testJailAttemptIP..attemptmaxretry5r)rr)rrtest failure %drz 192.0.2.1:2z 192.0.2.2:2TrcSsg|]}d|qS)rr).0irrr# {sz1Transmitter.testJailAttemptIP..)rrz 192.0.2.2:5rrr)r/rr2rMrDrassertNotLogged)r rrrrr5r#testJailAttemptIPns zTransmitter.testJailAttemptIPcsd}j|tj|dddgffdd }||gd||dddgd ||d ddd gd ||d gd d||dd d gd||d d gd||d gddS)NTestJailBanListrcs|durjd|d|gdjd|dd|dur6jd|d|gdjd|ddjjd |dgt|d |fd d ttd dS)Nr;rrzBan %sTrrzUnban %sr<rF) nestedOnlyr) rDr1rErrTrUrsetTimerw)rJrrr!outListr5rr#_getBanListTests"z4Transmitter.testJailBanList.._getBanListTest)r 127.0.0.1)z --with-timez:127.0.0.1 2005-08-14 12:00:01 + 600 = 2005-08-14 12:10:01)rr!r 192.168.0.1z<192.168.0.1 2005-08-14 12:00:02 + 600 = 2005-08-14 12:10:02 192.168.1.10)rrr)rr)rr)r/r3r4r)r rJrrr5r#testJailBanLists6  zTransmitter.testJailBanListcCR|jddd|jd|jddd|jd|jddd|jd|jdd |jddS) N maxmatchesrrr2r-2Duckrr5rrr#testJailMaxMatcheszTransmitter.testJailMaxMatchescCr) Nrrrrrrrrrrr5rrr#testJailMaxRetryrzTransmitter.testJailMaxRetrycCsP|jddd|jd|jddd|jd|jdd|jd|jdd|jddS) Nmaxlinesrrrrrrrrr5rrr#testJailMaxLinesszTransmitter.testJailMaxLinescCsN|jdd|jd|jdd|jd|jddt|jd|jdd|jddS)N logencodingzUTF-8rasciirMonkey)rMr2rrOr5rrr#testJailLogEncodings  zTransmitter.testJailLogEncodingc Csh|dtjtdtjtdtjtdg|jtjtd}||jd|jd|gd|gf||jd|jd|gd|gf||jd |jdgd|gf||jd|jd |gdgf||jd|jd|d gd|gf||jd|jd|d gd|gf||jd|jd|d gdd||jd|jd|||gdddS)Nlogpathtestcase01.logztestcase02.logztestcase03.logztestcase04.logr; addlogpathrr< dellogpathtailheadbadgerr) r^rpathjoinTEST_FILES_DIRr2rDr1rErrrr#testJailLogPathsj    zTransmitter.testJailLogPathcCs2d}|jd|jd|g}|t|dtdS)Nzthis_file_shouldn't_existr;r r)r1rEr2rxrIOError)r r\resultrrr#testJailLogPathInvalidFiles  z&Transmitter.testJailLogPathInvalidFilecCsXtjdd}|d}t|||jd|jd|g}|t|dt t |dS)Ntmp_fail2ban_broken_symlink)prefixz.slinkr;r r) rmktemprsymlinkr1rEr2rxrrr)r namesnamerrrr#testJailLogPathBrokenSymlinks   z(Transmitter.testJailLogPathBrokenSymlinkcCs|dgd|jd}||jd|jd|gd|gf||jd|jd|gd|gf||jd|jdgd|gf||jd|jd|gdgf||jd|jd gd ||jd|jd d gd ||jd|jd gd dS) Nignoreip)rz 192.168.1.1z8.8.8.8rr; addignoreiprr< delignoreip ignoreselfrFr)r^r2rDr1rErrrr#testJailIgnoreIPsD zTransmitter.testJailIgnoreIPcC|jdd|jddS)N ignorecommandzbin/ignore-command rrMr2r5rrr#testJailIgnoreCommand&z!Transmitter.testJailIgnoreCommandcCs0|jddgd|jd|jddd|jddS)N ignorecachez%key="",max-time=1d,max-count=9999)zi'iQrr%r5rrr#testJailIgnoreCache)s zTransmitter.testJailIgnoreCachecCr#)N prefregexz^Testrr%r5rrr#testJailPrefRegex0r'zTransmitter.testJailPrefRegexc Cs|dgddtddtddtdg|j||jd|jdd gd d ||jd|jdd gd d dS) N failregex)zuser john at Admin user login from z failed attempt from againzuser john at %sAdmin user login from %szfailed attempt from %s againr; addfailregexz No host regexrrirar_resolveHostTagr2rDr1rEr5rrr# testJailRegex3s0     zTransmitter.testJailRegexc Csn|dgdddtddg|j||jd|jdd gd d ||jd|jdd gd d dS) N ignoreregex) user johnr.Dont match me!r6r0r/r7r;addignoreregexzInvalid [regexrrrr2r5rrr#testJailIgnoreRegexKs0   zTransmitter.testJailIgnoreRegexc Cs|jg}||jdgddt|fdd|fgf|jdt| d||jdgddt|fdd|fgfdS)NrrzNumber of jailz Jail listz, r) r2rDr1rErrr/r3r4append)r jailsrrr# testStatuscs zTransmitter.testStatusc CsB||jd|jgdddddgfgfddd d gfgfgfdS) NrrFilterzCurrently failedrz Total failedr File listActionszCurrently bannedrz Total bannedrBanned IP listrr5rrr#testJailStatuslszTransmitter.testJailStatusc CD||jd|jdgdddddgfgfdd d d gfgfgfdS) Nrbasicrr=r>r?r@rArBrCrDrr5rrr#testJailStatusBasic~zTransmitter.testJailStatusBasicc CrF) NrINVALIDrr=r>r?r@rArBrCrDrr5rrr#testJailStatusBasicKwargrIz$Transmitter.testJailStatusBasicKwargc Cstjz ddl}ddl}Wn tydg}Ynwg}||jd|j dgdddddgfgfd d d d gfd |fd|fd|fgfgfdS)Nrerrorrcymrur=r>r?r@rArBrCrDzBanned ASN listzBanned Country listzBanned RIR list) rtruSkipIfNoNetwork dns.exception dns.resolver ImportErrorrDr1rEr2)r dnsr\rrr#testJailStatusCymrus4    zTransmitter.testJailStatusCymruc Csd}gd}gd}||jd|jd|gd|f||jd|jdgd d|t||D]\}}||jd|jd |||gd|fq2t||D]\}}||jd|jd ||gd|fqO||jd|jd |d d gd ||jd|jd |d gd ||jd|jd |dgdd ||jd|jd |ddgd||jd|jd |dgd||jd|jd|gd||jd|jddgdd dS)NTestCaseAction) actionstart actionstop actioncheck actionban actionunban)z Action Startz Action Stopz Action Checkz Action Banz Action Unbanr; addactionrr<rractionKEYVALUE)rr] InvalidKeytimeout10)r delactionriz Doesn't exist)rDr1rEr2zip)r r[cmdList cmdValueListrFr\rrr# testActions  zTransmitter.testActionc Csd}z|jd|jd|tjtdddg}||d|fWn*tyIdt j kr1d krHnd |d vrHddl }| d t j YdSw||jd |jd|gd ddg||jd |jd|dgd||jd |jd|dgd||jd |jd|gd gd||jd|jd|ddgd||jd|jd|ddgd||jd|jd|ddgddS)NrTr;rZaction.dz action.pyz{"opt1": "value"}r)r)rrhrz#__init__() keywords must be stringsrzYour version of Python %s seems to experience a known issue forbidding correct operation of Fail2Ban: http://bugs.python.org/issue2646 Upgrade your Python and meanwhile other intestPythonActionMethodsAndProperties will be skippedr<actionpropertiesopt1opt2r[)rr\ri actionmethods)banrebanrrh testmethodunbanroz{"text": "world!"})rzHello world! value another value)rrq)rzHello world! another value)r1rEr2rrrrrDAssertionErrorsys version_infowarningsrrrT)r r[outrurrr#$testPythonActionMethodsAndPropertiess    z0Transmitter.testPythonActionMethodsAndPropertiescCs ||jddgdddS)NrJCOMMANDrrrjr5rrr#testNOK0rqzTransmitter.testNOKcC ||jgddddS)N)r;rJrxrrrjr5rrr# testSetNOK3zTransmitter.testSetNOKcCrz)N)r<rJrxrrrjr5rrr# testGetNOK7r|zTransmitter.testGetNOKcCrz)N)rrJrxrrrjr5rrr# testStatusNOK;r|zTransmitter.testStatusNOKc Cs6tstdd}|j|dgd}t|D]\}}||jd|d|gddd |d|d Dfqt|D]\}}||jd|d |gdd d ||d dDfq.rdeljournalmatchcSrrrrrrr#rRr _COMM=sshd)r+r_UID=0rrrzThis isn't valid!zFIELD=NotPresent) rrtSkipTestr/r3rSrDr1rErxr ValueError)r r2rXr[r\rrrr#testJournalMatch?s             zTransmitter.testJournalMatchc Cststd|dd}|j|dgd}t|D]\}}||j d|d|gdd d |d|d Dfqt|D]\}}||j d|d |gdd d ||d dDfqAdS)NrTrzsystemd[journalflags=2]rr;rrcSrrrrrrr#rrz5Transmitter.testJournalFlagsMatch..rrcSrrrrrrr#rr) rrtrrxr/r3rSrDr1rE)r r2rXr[r\rrr#testJournalFlagsMatchs*    z!Transmitter.testJournalFlagsMatch)2r'r(r)r.rfrkrorpr|rrrrrrrrrrrrrrrrrrrrrr"r&r*r,r4r9r<rErHrKrSrfrwryr{r}r~rrrbrrr6r#rcs^  0     +* % <4GrccsTeZdZfddZddZddZddZd d Zd d Zd dZ ddZ Z S)TransmitterLoggingcs>t|_tt||jd|jd|jddS)N /dev/nullCRITICALr)rr/r-rr.r&r$setSyslogSocketr5r6rr#r.s   zTransmitterLogging.setUpcCsg}tdD]}tdd}||dt|dq|D]}|d|qd}|d||j gd|D]}t |q:|dd d |dd d dS) Nrr transmitterrr logtarget/this/path/should/not/exist)r;rrzSTDOUT[format="%(message)s"]STDOUTz!STDERR[datetime=off, padding=off]STDERR) rangerrr:rrrMrOr1rEremove)r logTargets_tmpFile logTargetr\rrr# testLogTargets    z TransmitterLogging.testLogTargetcCsJtjds td||jd|dd||jddS)N/dev/logz'/dev/log' not presentrrSYSLOG) rrexistsrtrrxr/getSyslogSocketrMr5rrr#testLogTargetSYSLOGs   z&TransmitterLogging.testLogTargetSYSLOGcCs|dddS)N syslogsocketz/dev/log/NEW/PATH)rMr5rrr#testSyslogSocketsz#TransmitterLogging.testSyslogSocketc Csd|dd|dd|dd|jd iitdtddd d td vo,tjddS) NrrrrrrzFailed to change log targetT)rIrHrA)TF)Linux)rr) rMrOdict Exceptionplatformsystemrrrr5rrr#testSyslogSocketNOKs    z&TransmitterLogging.testSyslogSocketNOKcCs|dd|dd|dd|dd|dd|dd|dd|dd |dd |dd d |dd dS) Nloglevel HEAVYDEBUG TRACEDEBUG9DEBUGINFONOTICEWARNINGERRORrcRiTiCaLBird)rMrOr5rrr# testLogLevels         zTransmitterLogging.testLogLevelc Cs~||jdgdztd\}}t||jd||jdd|gd|ft d}| d ztd\}}t|t ||| d ||jdgd| d t |d Q}t |}|d dkrtt |}||dt |}||dzt |}|ddkr|t|jn|d|Wn tyYnwWdn1swYt |d *}t |}|ddkrt |}||d|t|j|Wdn1swYWt|nt|wWzt|WntyYnwzt|Wwty%Yww||jgdd||jdgddS)N flushlogs)rz rolled overz fail2ban.logrr;rrrzBefore file movedzAfter file movedzAfter flushlogsrzChanged logging target tozBefore file moved zAfter file moved zCommand: ['flushlogs']zCException StopIteration or Command: ['flushlogs'] expected. Got: %szrollover performed onzAfter flushlogs )r;rr)rr)rflushed)rDr1rErrrrr/r$rwarningrenameopennextfindrxendswith assertRaises StopIteration__next__failrOSError) r ffnlf2fn2line1line2r[rrr# testFlushLogssn           z TransmitterLogging.testFlushLogscCs|jddd|jd|jddd|jd|jdd d |jd|jd d d |jd|jd d|jd|jddd|jd|jddd|jddS)Nzbantime.incrementtrueTrzbantime.rndtime30minrzbantime.maxtimez 1000 daysi\&zbantime.factorrzbantime.formulazGban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)zbantime.multipliersz1 5 30 60 300 720 1440 2880zbantime.overalljailsr%r5rrr#testBanTimeIncrsz"TransmitterLogging.testBanTimeIncr) r'r(r)r.rrrrrrrrbrrr6r#rs  0rc@eZdZddZdS) JailTestscCsd}t|}||j|dS)Nveryveryverylongname)r rDr)r longnamerJrrr# testLongNameszJailTests.testLongNameN)r'r(r)rrrrr#rs rc@$eZdZddZddZddZdS) RegexTestscCs.|ttd|ttd|ttddS)Nr)  )rrrr5rrr#testInit%szRegexTests.testInitcCs8|ttdddd|ttdddS)Na"'z Regex('a')r/z FailRegex()rDrWrreplacerxr startswithr5rrr#testStr+szRegexTests.testStrcCs|ttd|ttd|td|td|td|td|td|td|td td }|||d g|||t|jtd }|||d g|||t|jtd}|||dg||||d|dg||||d|dg||||dtd}|||dg|||| dtd}|dg| }|||j fd|dg| }|||j fd|dg| }|||j fd|dg| }|||j fdtd }|d!g| }|||j fd"|d#g| }|||j fd|d$g| }|||j fd%|d&g| }|||j fd'dS)(Nr)z^test no group$z^test group$z^test group$z^test group$z^test group$z<^test id group: ip:port = (?::)?$z-^test id group: user:\([^\)]+\)$z#^test id group: anything = $z %%?)z%%r)r)z#%%inet(?:=|inet6=)?)z %%inet=testr)r)z(%%(?:inet(?:=|6=)?|dns=?))z%%inet=192.0.2.1r)r)r)z%%inet6=2001:DB8::r)r) 2001:DB8::)z%%dns=example.comr)r)z example.com)z%test id group: user:(test login name)r)r)ztest login namez%%net=)z%%net=192.0.2.1r)r))rinet4)z%%net=192.0.2.1/24r)r))z 192.0.2.0/24r)z%%net=2001:DB8:FF:FF::1r)r))z2001:db8:ff:ff::1inet6)z%%net=2001:DB8:FF:FF::1/60r)r))z2001:db8:ff:f0::/60rz%%ip="", mask="?")z%%ip="192.0.2.2", mask=""r)r))rr)z%%ip="192.0.2.2", mask="24"r)r))z"%%ip="2001:DB8:2FF:FF::1", mask=""r)r))z2001:db8:2ff:ff::1r)z$%%ip="2001:DB8:2FF:FF::1", mask="60"r)r))z2001:db8:2ff:f0::/60r) rrrrxrd hasMatchedsearchgetHostrD getFailIDgetIP familyStr)r frrrrr#testHost1sz              zRegexTests.testHostN)r'r(r)rrrrrrr#r#s rc@r) _BadThreadcCstd)Nzrun bad thread exception)rr5rrr#runysz_BadThread.runN)r'r(r)rrrrr#rxs rc@r) LoggingTestscCs*td}||jjd||jddS)Nzfail2ban.some.string.with.namerz fail2ban.name)rrDparentr)r testLogSysrrr#testGetF2BLoggerszLoggingTests.testGetF2BLoggercstj}gfddt_zt}||tfdddW|t_n|t_wd t d ddt dS)Ncs |Sr)r:)r!r>rr#rs z5LoggingTests.testFail2BanExceptHook..cstodS)NUnhandled exception)r _is_loggedrr r?rr#rrrrrr) rs__excepthook__rrrrxr rrrDrr)r prev_exchook badThreadrrr#testFail2BanExceptHooks z#LoggingTests.testFail2BanExceptHookc Csg}tdd\}}t|||tdd\}}t|||t}z+|j||dd||| dW| |D] }tj |rRt |qEdS| |D] }tj |rht |q[w)Nz fail2ban.sockzf2b-testz fail2ban.pidF)forcezServer already running)rrrrr:rrrdrerr9rrr)r tmp_filessock_fd sock_name pidfile_fd pidfile_namer/rrrr#testStartFailedSockExistss0         z&LoggingTests.testStartFailedSockExistsN)r'r(r)rrrrrrr#r}s r) ActionReader JailsReader CONFIG_DIRcseZdZfddZfddZfddZddd Zd d Zd d ZddZ ddZ ddZ ddZ dddZ ddZZS)ServerConfigReaderTestscs tt|j|i|i|_dSr)r-r__init__#_ServerConfigReaderTests__share_cfgrr6rr#rs z ServerConfigReaderTests.__init__cstt|g|_dS)r+N)r-rr. _execCmdLstr5r6rr#r.s zServerConfigReaderTests.setUpcstt|dSr8)r-rr:r5r6rr#r:sz ServerConfigReaderTests.tearDownrcCs6|dD]}|dstd|qt|qdS)N #zexec-cmd: `%s`T)splitrlogSysdebug)r realCmdr_rrrr# _executeCmds   z#ServerConfigReaderTests._executeCmdcCsPt|ds%t}i|_dD]\}}t|}|dtj|||j|<q |jS)N__aInfos))ipv4r)ipv6rr)hasattrr _ServerConfigReaderTests__aInfosr setBanTime_actionsrA ActionInfo)r dmyjailtrticketrrr#_testActionInfoss   z(ServerConfigReaderTests._testActionInfoscCs.|j}|}|D]}||jD]}||j|}tdtd|d|jtdt|tjs5q|j |_ td| | td| | |dtd| ||dtd| | |d td | ||d td | |qq dS) N4# ================================================== # == %-44s == - # === start ===# === ban-ipv4 ===r# === unban ipv4 ===# === ban ipv6 ===r# === unban ipv6 ===# === stop ===)rrrr r _namerr CommandActionr executeCmdrrrmrprh)r r/r;aInfosrJrr[rrr#_testExecActionss0   z(ServerConfigReaderTests._testExecActionsc Csztjjddttd|jd}|||||j dd}t }|j }|j }|D]}|ddkr|ddkrAd|d <nLt |d kro|dd kro|d d krotjtd |d}tj|sjtjtd}||d <ntjjrt |d kr|ddvr|d dkrd |d<d|d <z||Wq.ty}z|d||fWYd}~q.d}~wwq.tjjs||dSdS)NTstock)basedir force_enable share_config)allow_no_filesrrrPrrrr;r logsrr )r;z multi-setr1zDUMMY-REGEX z"Command %r has failed. Received %r)rtruSkipIfCfgMissingrrrrxread getOptionsconvertrr0_Transmitter__commandHandlerrrrrrrrvrrr() r r;streamr/r1 cmdHandlerrFrerrr#testCheckStockJailActionss>    $  $ z1ServerConfigReaderTests.testCheckStockJailActionscCsb|d|}t|\}}d|dgg}t||||jtd}|||i|| |S)Nz %(__name__)srPr)r-r+) rrrrrrxr1r2extendr3)r rJactactNameactOptr5r[rrr#getDefaultJailStreams   z,ServerConfigReaderTests.getDefaultJailStreamc Cstjjddtjddl}t}|j}|tj t ddD]+}tj | dd}| d||}|D]}||\}} ||dq7||q!dS) NTr)rrgz*.confz.confr)zj-)rtrur0 SkipIfFastglobrr0rrrrbasenamerr=rErDr() r r?r/r1actCfgr:r5rFr]resrrr#testCheckStockAllActions.s  z0ServerConfigReaderTests.testCheckStockAllActionscCstjjddddddddd d d d d ddddd fdddddddddddddddd fd d!d"d#d$d%d&d'd(d)d*d+ fd,d-d"d#d.d/d0d1d2fd3d4d5d6d7d8d9d:d;dd?d@dA fdBdCd5d6dDdEdFdGdHdIdJdKdLdMdA fdNdOdPdQdRdSdTdUdVdWdXdYdZ fd[d\d]d^d_d`dadbdcdddedfdZ fdgdhd5d6didjdkdldmdndodpdqdrdA fdsdtd5d6dudvdwdxdydzd{d|d}d~dA fdddddddddddddd fdddddddddddddd fdddddddddddddd fdddddddddddddddA fdddddddddddddd fdddddddddddddd fdddddddddddddZ fdddddddddddddZ fddddddddd2fddddddddd2ff}t}|j}|j}|D]\}}}|||}|D]} || \} } || dqUqH|j } | } |D]\}}}| |j D]}| |j |}t dt d|d|jt d|t|tj|j|_|d||dr|j|dddin|dr|dr|j|d|dddi|d|| d|dr|j|dd|dddi|dr|j|dddi|j|dd|dddi|j|dddi|d|| d|j|dd|dddi|j|dddi|d|| d|drp|j|dd|dddi|dr|j|dddi|j|dd|dddi|j|dddi|d|| d|j|dd|dddi|j|dddi|dr|d||j|dddi|d||dr|j|dddiq|qqdS(NTr)z j-w-nft-mpzQnftables-multiport[name=%(__name__)s, port="http,https", protocol="tcp,udp,sctp"])zip ipv4_addrzaddr-)zip6 ipv6_addrzaddr6-)`nft add table inet f2b-table`W`nft -- add chain inet f2b-table f2b-chain \{ type filter hook input priority -1 \; \}`z9`for proto in $(echo 'tcp,udp,sctp' | sed 's/,/ /g'); do`z`done`)zG`nft add set inet f2b-table addr-set-j-w-nft-mp \{ type ipv4_addr\; \}`z`nft add rule inet f2b-table f2b-chain $proto dport \{ $(echo 'http,https' | sed s/:/-/g) \} ip saddr @addr-set-j-w-nft-mp reject`)zH`nft add set inet f2b-table addr6-set-j-w-nft-mp \{ type ipv6_addr\; \}`z`nft add rule inet f2b-table f2b-chain $proto dport \{ $(echo 'http,https' | sed s/:/-/g) \} ip6 saddr @addr6-set-j-w-nft-mp reject`)zG`{ nft flush set inet f2b-table addr-set-j-w-nft-mp 2> /dev/null; } || zH`{ nft flush set inet f2b-table addr6-set-j-w-nft-mp 2> /dev/null; } || )z`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`5`nft delete rule inet f2b-table f2b-chain $hdl; done`z3`nft delete set inet f2b-table addr-set-j-w-nft-mp`z`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`rHz4`nft delete set inet f2b-table addr6-set-j-w-nft-mp`)zO`nft list chain inet f2b-table f2b-chain | grep -q '@addr-set-j-w-nft-mp[ \t]'`)zP`nft list chain inet f2b-table f2b-chain | grep -q '@addr6-set-j-w-nft-mp[ \t]'`)zD`nft add element inet f2b-table addr-set-j-w-nft-mp \{ 192.0.2.1 \}`)zG`nft delete element inet f2b-table addr-set-j-w-nft-mp \{ 192.0.2.1 \}`)zF`nft add element inet f2b-table addr6-set-j-w-nft-mp \{ 2001:db8:: \}`)zI`nft delete element inet f2b-table addr6-set-j-w-nft-mp \{ 2001:db8:: \}`) ip4ip6*-start ip4-start ip6-startflushrh ip4-check ip6-checkip4-ban ip4-unbanip6-ban ip6-unbanz j-w-nft-apz8nftables-allports[name=%(__name__)s, protocol="tcp,udp"])rFrG)zG`nft add set inet f2b-table addr-set-j-w-nft-ap \{ type ipv4_addr\; \}`zg`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip saddr @addr-set-j-w-nft-ap reject`)zH`nft add set inet f2b-table addr6-set-j-w-nft-ap \{ type ipv6_addr\; \}`zi`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip6 saddr @addr6-set-j-w-nft-ap reject`)zG`{ nft flush set inet f2b-table addr-set-j-w-nft-ap 2> /dev/null; } || zH`{ nft flush set inet f2b-table addr6-set-j-w-nft-ap 2> /dev/null; } || )z`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`rHz3`nft delete set inet f2b-table addr-set-j-w-nft-ap`z`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`rHz4`nft delete set inet f2b-table addr6-set-j-w-nft-ap`)zO`nft list chain inet f2b-table f2b-chain | grep -q '@addr-set-j-w-nft-ap[ \t]'`)zP`nft list chain inet f2b-table f2b-chain | grep -q '@addr6-set-j-w-nft-ap[ \t]'`)zD`nft add element inet f2b-table addr-set-j-w-nft-ap \{ 192.0.2.1 \}`)zG`nft delete element inet f2b-table addr-set-j-w-nft-ap \{ 192.0.2.1 \}`)zF`nft add element inet f2b-table addr6-set-j-w-nft-ap \{ 2001:db8:: \}`)zI`nft delete element inet f2b-table addr6-set-j-w-nft-ap \{ 2001:db8:: \}`zj-dummyzodummy[name=%(__name__)s, init="=='/'==bt:==bc:==", target="/tmp/fail2ban.dummy"])z family: inet4)z family: inet6)z$`printf %b "=='/'==bt:600==bc:0==\n"z7`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- started"`)z9`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- clear all"`)z7`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- stopped"`)zP`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- banned 192.0.2.1 (family: inet4)"`)zR`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- unbanned 192.0.2.1 (family: inet4)"`)zQ`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- banned 2001:db8:: (family: inet6)"`)zS`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- unbanned 2001:db8:: (family: inet6)"`) rIrJrrNrhrQrRrSrTz j-hostsdenyzPhostsdeny[name=%(__name__)s, actionstop="rm ", file="/tmp/fail2ban.dummy"])z5`printf %b "ALL: 192.0.2.1\n" >> /tmp/fail2ban.dummy`)z^`IP=$(echo "192.0.2.1" | sed 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /tmp/fail2ban.dummy`)z8`printf %b "ALL: [2001:db8::]\n" >> /tmp/fail2ban.dummy`)za`IP=$(echo "[2001:db8::]" | sed 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /tmp/fail2ban.dummy`)rIrJrQrRrSrTzj-w-iptables-mpzniptables-multiport[name=%(__name__)s, bantime="10m", port="http,https", protocol="tcp", chain=""]) `iptables icmp-port-unreachable) `ip6tables icmp6-port-unreachable)z$`iptables -w -N f2b-j-w-iptables-mp`z.`iptables -w -A f2b-j-w-iptables-mp -j RETURN`zU`iptables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-j-w-iptables-mp`)z%`ip6tables -w -N f2b-j-w-iptables-mp`z/`ip6tables -w -A f2b-j-w-iptables-mp -j RETURN`zV`ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-j-w-iptables-mp`)$`iptables -w -F f2b-j-w-iptables-mp`%`ip6tables -w -F f2b-j-w-iptables-mp`)zU`iptables -w -D INPUT -p tcp -m multiport --dports http,https -j f2b-j-w-iptables-mp`rYz$`iptables -w -X f2b-j-w-iptables-mp`zV`ip6tables -w -D INPUT -p tcp -m multiport --dports http,https -j f2b-j-w-iptables-mp`rZz%`ip6tables -w -X f2b-j-w-iptables-mp`)z>`iptables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-mp[ \t]'`)z?`ip6tables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-mp[ \t]'`)za`iptables -w -I f2b-j-w-iptables-mp 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)z_`iptables -w -D f2b-j-w-iptables-mp -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)zd`ip6tables -w -I f2b-j-w-iptables-mp 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)zb`ip6tables -w -D f2b-j-w-iptables-mp -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`) rIrJrLrMrNrhrOrPrQrRrSrTzj-w-iptables-apzZiptables-allports[name=%(__name__)s, bantime="10m", protocol="tcp", chain=""])z$`iptables -w -N f2b-j-w-iptables-ap`z.`iptables -w -A f2b-j-w-iptables-ap -j RETURN`z4`iptables -w -I INPUT -p tcp -j f2b-j-w-iptables-ap`)z%`ip6tables -w -N f2b-j-w-iptables-ap`z/`ip6tables -w -A f2b-j-w-iptables-ap -j RETURN`z5`ip6tables -w -I INPUT -p tcp -j f2b-j-w-iptables-ap`)$`iptables -w -F f2b-j-w-iptables-ap`%`ip6tables -w -F f2b-j-w-iptables-ap`)z4`iptables -w -D INPUT -p tcp -j f2b-j-w-iptables-ap`r[z$`iptables -w -X f2b-j-w-iptables-ap`z5`ip6tables -w -D INPUT -p tcp -j f2b-j-w-iptables-ap`r\z%`ip6tables -w -X f2b-j-w-iptables-ap`)z>`iptables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-ap[ \t]'`)z?`ip6tables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-ap[ \t]'`)za`iptables -w -I f2b-j-w-iptables-ap 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)z_`iptables -w -D f2b-j-w-iptables-ap -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)zd`ip6tables -w -I f2b-j-w-iptables-ap 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)zb`ip6tables -w -D f2b-j-w-iptables-ap -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`zj-w-iptables-ipsetz\iptables-ipset-proto6[name=%(__name__)s, port="http", protocol="tcp", chain=""])z f2b-j-w-iptables-ipset )z f2b-j-w-iptables-ipset6 )z8`ipset create f2b-j-w-iptables-ipset hash:ip timeout 0 `z`iptables -w -I INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`)zE`ipset create f2b-j-w-iptables-ipset6 hash:ip timeout 0 family inet6`z`ip6tables -w -I INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`)$`ipset flush f2b-j-w-iptables-ipset`%`ipset flush f2b-j-w-iptables-ipset6`)z`iptables -w -D INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`r]z&`ipset destroy f2b-j-w-iptables-ipset`z`ip6tables -w -D INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`r^z'`ipset destroy f2b-j-w-iptables-ipset6`)z=`ipset add f2b-j-w-iptables-ipset 192.0.2.1 timeout 0 -exist`)z3`ipset del f2b-j-w-iptables-ipset 192.0.2.1 -exist`)z?`ipset add f2b-j-w-iptables-ipset6 2001:db8:: timeout 0 -exist`)z5`ipset del f2b-j-w-iptables-ipset6 2001:db8:: -exist`) rIrJrLrMrNrhrQrRrSrTzj-w-iptables-ipset-apzHiptables-ipset-proto6-allports[name=%(__name__)s, chain=""])z f2b-j-w-iptables-ipset-ap )z f2b-j-w-iptables-ipset-ap6 )z;`ipset create f2b-j-w-iptables-ipset-ap hash:ip timeout 0 `zu`iptables -w -I INPUT -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`)zH`ipset create f2b-j-w-iptables-ipset-ap6 hash:ip timeout 0 family inet6`zx`ip6tables -w -I INPUT -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`)'`ipset flush f2b-j-w-iptables-ipset-ap`(`ipset flush f2b-j-w-iptables-ipset-ap6`)zu`iptables -w -D INPUT -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`r_z)`ipset destroy f2b-j-w-iptables-ipset-ap`zx`ip6tables -w -D INPUT -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`r`z*`ipset destroy f2b-j-w-iptables-ipset-ap6`)z@`ipset add f2b-j-w-iptables-ipset-ap 192.0.2.1 timeout 0 -exist`)z6`ipset del f2b-j-w-iptables-ipset-ap 192.0.2.1 -exist`)zB`ipset add f2b-j-w-iptables-ipset-ap6 2001:db8:: timeout 0 -exist`)z8`ipset del f2b-j-w-iptables-ipset-ap6 2001:db8:: -exist`z j-w-iptablesz^iptables[name=%(__name__)s, bantime="10m", port="http", protocol="tcp", chain=""])z!`iptables -w -N f2b-j-w-iptables`z+`iptables -w -A f2b-j-w-iptables -j RETURN`z>`iptables -w -I INPUT -p tcp --dport http -j f2b-j-w-iptables`)z"`ip6tables -w -N f2b-j-w-iptables`z,`ip6tables -w -A f2b-j-w-iptables -j RETURN`z?`ip6tables -w -I INPUT -p tcp --dport http -j f2b-j-w-iptables`)!`iptables -w -F f2b-j-w-iptables`"`ip6tables -w -F f2b-j-w-iptables`)z>`iptables -w -D INPUT -p tcp --dport http -j f2b-j-w-iptables`raz!`iptables -w -X f2b-j-w-iptables`z?`ip6tables -w -D INPUT -p tcp --dport http -j f2b-j-w-iptables`rbz"`ip6tables -w -X f2b-j-w-iptables`)z;`iptables -w -n -L INPUT | grep -q 'f2b-j-w-iptables[ \t]'`)z<`ip6tables -w -n -L INPUT | grep -q 'f2b-j-w-iptables[ \t]'`)z^`iptables -w -I f2b-j-w-iptables 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)z\`iptables -w -D f2b-j-w-iptables -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)za`ip6tables -w -I f2b-j-w-iptables 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)z_`ip6tables -w -D f2b-j-w-iptables -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`zj-w-iptables-newzbiptables-new[name=%(__name__)s, bantime="10m", port="http", protocol="tcp", chain=""])z%`iptables -w -N f2b-j-w-iptables-new`z/`iptables -w -A f2b-j-w-iptables-new -j RETURN`zW`iptables -w -I INPUT -m state --state NEW -p tcp --dport http -j f2b-j-w-iptables-new`)z&`ip6tables -w -N f2b-j-w-iptables-new`z0`ip6tables -w -A f2b-j-w-iptables-new -j RETURN`zX`ip6tables -w -I INPUT -m state --state NEW -p tcp --dport http -j f2b-j-w-iptables-new`)%`iptables -w -F f2b-j-w-iptables-new`&`ip6tables -w -F f2b-j-w-iptables-new`)zW`iptables -w -D INPUT -m state --state NEW -p tcp --dport http -j f2b-j-w-iptables-new`rcz%`iptables -w -X f2b-j-w-iptables-new`zX`ip6tables -w -D INPUT -m state --state NEW -p tcp --dport http -j f2b-j-w-iptables-new`rdz&`ip6tables -w -X f2b-j-w-iptables-new`)z?`iptables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-new[ \t]'`)z@`ip6tables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-new[ \t]'`)zb`iptables -w -I f2b-j-w-iptables-new 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)z``iptables -w -D f2b-j-w-iptables-new -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)ze`ip6tables -w -I f2b-j-w-iptables-new 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)zc`ip6tables -w -D f2b-j-w-iptables-new -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`zj-w-iptables-xtrezPiptables-xt_recent-echo[name=%(__name__)s, bantime="10m", chain=""])rUz/f2b-j-w-iptables-xtre`)rWz/f2b-j-w-iptables-xtre6`)z`if [ `id -u` -eq 0 ];then iptables -w -I INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable;fi`)z`if [ `id -u` -eq 0 ];then ip6tables -w -I INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable;fi`)z4`echo / > /proc/net/xt_recent/f2b-j-w-iptables-xtre`z`if [ `id -u` -eq 0 ];then iptables -w -D INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable;fi`z5`echo / > /proc/net/xt_recent/f2b-j-w-iptables-xtre6`z`if [ `id -u` -eq 0 ];then ip6tables -w -D INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable;fi`)z3`test -e /proc/net/xt_recent/f2b-j-w-iptables-xtre`)z4`test -e /proc/net/xt_recent/f2b-j-w-iptables-xtre6`)z=`echo +192.0.2.1 > /proc/net/xt_recent/f2b-j-w-iptables-xtre`)z=`echo -192.0.2.1 > /proc/net/xt_recent/f2b-j-w-iptables-xtre`)z?`echo +2001:db8:: > /proc/net/xt_recent/f2b-j-w-iptables-xtre6`)z?`echo -2001:db8:: > /proc/net/xt_recent/f2b-j-w-iptables-xtre6`) rIrJrLrMrhrOrPrQrRrSrTzj-w-pfz2pf[name=%(__name__)s, actionstart_on_demand=false]r)zF`echo "table persist counters" | pfctl -a f2b/j-w-pf -f-`z port=""z\`echo "block quick proto tcp from to any port $port" | pfctl -a f2b/j-w-pf -f-`),`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T flush`)zT`pfctl -a f2b/j-w-pf -sr 2>/dev/null | grep -v f2b-j-w-pf | pfctl -a f2b/j-w-pf -f-`rez+`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T kill`)z.`pfctl -a f2b/j-w-pf -sr | grep -q f2b-j-w-pf`)z4`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T add 192.0.2.1`)z7`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T delete 192.0.2.1`)z5`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T add 2001:db8::`)z8`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T delete 2001:db8::`) rIrJrrNrhrOrPrQrRrSrTz j-w-pf-mpz@pf[actiontype=][name=%(__name__)s, port="http,https"])zL`echo "table persist counters" | pfctl -a f2b/j-w-pf-mp -f-`zport="http,https"zb`echo "block quick proto tcp from to any port $port" | pfctl -a f2b/j-w-pf-mp -f-`)2`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T flush`)z]`pfctl -a f2b/j-w-pf-mp -sr 2>/dev/null | grep -v f2b-j-w-pf-mp | pfctl -a f2b/j-w-pf-mp -f-`rfz1`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T kill`)z4`pfctl -a f2b/j-w-pf-mp -sr | grep -q f2b-j-w-pf-mp`)z:`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T add 192.0.2.1`)z=`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T delete 192.0.2.1`)z;`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T add 2001:db8::`)z>`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T delete 2001:db8::`z j-w-pf-apzHpf[actiontype=, actionstart_on_demand=true][name=%(__name__)s])zL`echo "table persist counters" | pfctl -a f2b/j-w-pf-ap -f-`zW`echo "block quick proto tcp from to any" | pfctl -a f2b/j-w-pf-ap -f-`)2`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T flush`)z]`pfctl -a f2b/j-w-pf-ap -sr 2>/dev/null | grep -v f2b-j-w-pf-ap | pfctl -a f2b/j-w-pf-ap -f-`rgz1`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T kill`)z4`pfctl -a f2b/j-w-pf-ap -sr | grep -q f2b-j-w-pf-ap`)z:`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T add 192.0.2.1`)z=`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T delete 192.0.2.1`)z;`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T add 2001:db8::`)z>`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T delete 2001:db8::`z j-w-fwcmd-mpzqfirewallcmd-multiport[name=%(__name__)s, bantime="10m", port="http,https", protocol="tcp", chain=""])z ipv4 rV)z ipv6 rX)z@`firewall-cmd --direct --add-chain ipv4 filter f2b-j-w-fwcmd-mp`zN`firewall-cmd --direct --add-rule ipv4 filter f2b-j-w-fwcmd-mp 1000 -j RETURN`z`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports "$(echo 'http,https' | sed s/:/-/g)" -j f2b-j-w-fwcmd-mp`)z@`firewall-cmd --direct --add-chain ipv6 filter f2b-j-w-fwcmd-mp`zN`firewall-cmd --direct --add-rule ipv6 filter f2b-j-w-fwcmd-mp 1000 -j RETURN`z`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports "$(echo 'http,https' | sed s/:/-/g)" -j f2b-j-w-fwcmd-mp`)z`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports "$(echo 'http,https' | sed s/:/-/g)" -j f2b-j-w-fwcmd-mp`zC`firewall-cmd --direct --remove-rules ipv4 filter f2b-j-w-fwcmd-mp`zC`firewall-cmd --direct --remove-chain ipv4 filter f2b-j-w-fwcmd-mp`z`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports "$(echo 'http,https' | sed s/:/-/g)" -j f2b-j-w-fwcmd-mp`zC`firewall-cmd --direct --remove-rules ipv6 filter f2b-j-w-fwcmd-mp`zC`firewall-cmd --direct --remove-chain ipv6 filter f2b-j-w-fwcmd-mp`)zc`firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-j-w-fwcmd-mp$'`)zc`firewall-cmd --direct --get-chains ipv6 filter | sed -e 's, ,\n,g' | grep -q '^f2b-j-w-fwcmd-mp$'`)z|`firewall-cmd --direct --add-rule ipv4 filter f2b-j-w-fwcmd-mp 0 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)z`firewall-cmd --direct --remove-rule ipv4 filter f2b-j-w-fwcmd-mp 0 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)z~`firewall-cmd --direct --add-rule ipv6 filter f2b-j-w-fwcmd-mp 0 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)z`firewall-cmd --direct --remove-rule ipv6 filter f2b-j-w-fwcmd-mp 0 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`z j-w-fwcmd-apz]firewallcmd-allports[name=%(__name__)s, bantime="10m", protocol="tcp", chain=""])z@`firewall-cmd --direct --add-chain ipv4 filter f2b-j-w-fwcmd-ap`zN`firewall-cmd --direct --add-rule ipv4 filter f2b-j-w-fwcmd-ap 1000 -j RETURN`zQ`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-j-w-fwcmd-ap`)z@`firewall-cmd --direct --add-chain ipv6 filter f2b-j-w-fwcmd-ap`zN`firewall-cmd --direct --add-rule ipv6 filter f2b-j-w-fwcmd-ap 1000 -j RETURN`zQ`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -j f2b-j-w-fwcmd-ap`)zT`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -j f2b-j-w-fwcmd-ap`zC`firewall-cmd --direct --remove-rules ipv4 filter f2b-j-w-fwcmd-ap`zC`firewall-cmd --direct --remove-chain ipv4 filter f2b-j-w-fwcmd-ap`zT`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -j f2b-j-w-fwcmd-ap`zC`firewall-cmd --direct --remove-rules ipv6 filter f2b-j-w-fwcmd-ap`zC`firewall-cmd --direct --remove-chain ipv6 filter f2b-j-w-fwcmd-ap`)zc`firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-j-w-fwcmd-ap$'`)zc`firewall-cmd --direct --get-chains ipv6 filter | sed -e 's, ,\n,g' | grep -q '^f2b-j-w-fwcmd-ap$'`)z|`firewall-cmd --direct --add-rule ipv4 filter f2b-j-w-fwcmd-ap 0 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)z`firewall-cmd --direct --remove-rule ipv4 filter f2b-j-w-fwcmd-ap 0 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)z~`firewall-cmd --direct --add-rule ipv6 filter f2b-j-w-fwcmd-ap 0 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)z`firewall-cmd --direct --remove-rule ipv6 filter f2b-j-w-fwcmd-ap 0 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`zj-w-fwcmd-ipsetzXfirewallcmd-ipset[name=%(__name__)s, port="http", protocol="tcp", chain=""])z f2b-j-w-fwcmd-ipset )z f2b-j-w-fwcmd-ipset6 )z5`ipset create f2b-j-w-fwcmd-ipset hash:ip timeout 0 `z`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo 'http' | sed s/:/-/g)" -m set --match-set f2b-j-w-fwcmd-ipset src -j REJECT --reject-with icmp-port-unreachable`)zB`ipset create f2b-j-w-fwcmd-ipset6 hash:ip timeout 0 family inet6`z`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo 'http' | sed s/:/-/g)" -m set --match-set f2b-j-w-fwcmd-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`)!`ipset flush f2b-j-w-fwcmd-ipset`"`ipset flush f2b-j-w-fwcmd-ipset6`)z`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo 'http' | sed s/:/-/g)" -m set --match-set f2b-j-w-fwcmd-ipset src -j REJECT --reject-with icmp-port-unreachable`rhz#`ipset destroy f2b-j-w-fwcmd-ipset`z`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo 'http' | sed s/:/-/g)" -m set --match-set f2b-j-w-fwcmd-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`riz$`ipset destroy f2b-j-w-fwcmd-ipset6`)z:`ipset add f2b-j-w-fwcmd-ipset 192.0.2.1 timeout 0 -exist`)z0`ipset del f2b-j-w-fwcmd-ipset 192.0.2.1 -exist`)z<`ipset add f2b-j-w-fwcmd-ipset6 2001:db8:: timeout 0 -exist`)z2`ipset del f2b-j-w-fwcmd-ipset6 2001:db8:: -exist`zj-w-fwcmd-ipset-apzbfirewallcmd-ipset[name=%(__name__)s, actiontype=, protocol="tcp", chain=""])z f2b-j-w-fwcmd-ipset-ap )z f2b-j-w-fwcmd-ipset-ap6 )z8`ipset create f2b-j-w-fwcmd-ipset-ap hash:ip timeout 0 `z`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`)zE`ipset create f2b-j-w-fwcmd-ipset-ap6 hash:ip timeout 0 family inet6`z`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`)$`ipset flush f2b-j-w-fwcmd-ipset-ap`%`ipset flush f2b-j-w-fwcmd-ipset-ap6`)z`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`rjz&`ipset destroy f2b-j-w-fwcmd-ipset-ap`z`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`rkz'`ipset destroy f2b-j-w-fwcmd-ipset-ap6`)z=`ipset add f2b-j-w-fwcmd-ipset-ap 192.0.2.1 timeout 0 -exist`)z3`ipset del f2b-j-w-fwcmd-ipset-ap 192.0.2.1 -exist`)z?`ipset add f2b-j-w-fwcmd-ipset-ap6 2001:db8:: timeout 0 -exist`)z5`ipset del f2b-j-w-fwcmd-ipset-ap6 2001:db8:: -exist`z j-fwcmd-rrz4firewallcmd-rich-rules[port="22:24", protocol="tcp"])z family='ipv4'rV)z family='ipv6'rX)z`ports="$(echo '22:24' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`)z`ports="$(echo '22:24' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`)z `ports="$(echo '22:24' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`)z`ports="$(echo '22:24' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`z j-fwcmd-rlz6firewallcmd-rich-logging[port="22:24", protocol="tcp"])a"`ports="$(echo '22:24' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`)a%`ports="$(echo '22:24' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`)a% `ports="$(echo '22:24' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`)a'`ports="$(echo '22:24' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`rrrrrrrrLrMrrrKrOrQrJr rRr!rrPrSrIr"rTrNz# === flush ===r#rh)rtrur0rr0r4r=rErDrrrr r r$rxrrr%rr&rrr<rrrmrprNrh)r testJailsActionsr/r1r6rJr:testsr5rFr]rBr;r'rr[rrr#testCheckStockCommandActionsBsN 1.,,$$,,"(($$'      ,     ,   "  $z4ServerConfigReaderTests.testCheckStockCommandActionscCs`|}t|tr |d}tdd|}tddd|d}t|tr&||d<n|}tjj||dS) Nrz\)\s*\|\s*(\S*mail\b[^\n]*)z$) | cat; printf "\\n... | "; echo \1z\bADDRESSES=\$\(dig\s[^\n]+cSsdS)Nz@ADDRESSES="abuse-1@abuse-test-server, abuse-2@abuse-test-server"r)mrrr#r;sz9ServerConfigReaderTests._executeMailCmd..r)r_)rrUresubrr%r&)r r r_rFrrr#_executeMailCmd2s   z'ServerConfigReaderTests._executeMailCmdcCstjjddddtjtdddtjtdd d d ifd d tjtdddtjtdd d difddtjtdddtjtdddddfdddddff}t}|j}|j }|D]\}}}| ||}|D]} | | \} } | | dqwqj|j } td} td}t}|D]m\}}}| |jD]b}| |j|}tdtd|d|jtd|j|_d | fd|ffD]7\}}||sq|d |t|}|d!|d"d#gtj||}|||j||d$diqqqdS)%NTr)zj-mail-whois-linesz\mail-whois-lines[name=%(__name__)s, grepopts="-m 1", grepmax=2, mailcmd="mail -s", logpath="r rz ztestcase01a.logz8", _whois_command="echo '-- information about --'"]rQ);The IP 87.142.124.10 has just been banned by Fail2Ban afterz(100 attempts against j-mail-whois-lines..Here is more information about 87.142.124.10 :%-- information about 87.142.124.10 --2Lines containing failures of 87.142.124.10 (max 2)etestcase01.log:Dec 31 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 87.142.124.10etestcase01a.log:Dec 31 11:55:01 [sshd] error: PAM: Authentication failure for test from 87.142.124.10zj-sendmail-whois-lineszxsendmail-whois-lines[name=%(__name__)s, grepopts="-m 1", grepmax=2, mailcmd='testmail -f "" ""', logpath=")rsz,100 attempts against j-sendmail-whois-lines.rtrurvrwrxzj-complain-abusezcomplain[name=%(__name__)s, grepopts="-m 1", grepmax=2, mailcmd="mail -s 'Hostname: , family: ' - ",debug=1,logpath="z", ])6try to resolve 10.124.142.87.abuse-contacts.abusix.orgrvrwrxzymail -s Hostname: test-host, family: inet4 - Abuse from 87.142.124.10 abuse-1@abuse-test-server abuse-2@abuse-test-server)htry to resolve 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.abuse-contacts.abusix.orgz0Lines containing failures of 2001:db8::1 (max 2)zwmail -s Hostname: test-host, family: inet6 - Abuse from 2001:db8::1 abuse-1@abuse-test-server abuse-2@abuse-test-server)rQrSz j-xarf-abusezIxarf-login-attack[name=%(__name__)s, mailcmd="mail", mailargs="",debug=1])ryz8We have detected abuse from the IP address 87.142.124.10VDec 31 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 87.142.124.10UDec 31 11:55:01 [sshd] error: PAM: Authentication failure for test from 87.142.124.108mail abuse-1@abuse-test-server abuse-2@abuse-test-server)rzz6We have detected abuse from the IP address 2001:db8::1r}rz 87.142.124.10z 2001:db8::1rrrrSz # === %s ===rr{r|r) rtrur0rrrrrr0r4r=rErDrr rrr r r$rrr&r<rr setAttempt setMatchesrrArrmr)r rlr/r1r6rJr:rmr5rFr]rBr;rrrrr[testrrrrr#testComplexMailActionMultiLogDs         _      z5ServerConfigReaderTests.testComplexMailActionMultiLog)r)r'r(r)rr.r:rrr(r8r=rCrnrrrrbrrr6r#rs$     "3 ur)@ __author__ __copyright__ __license__rtrwrrrprsrserver.failregexrrrr/rr server.serverr server.ipdnsr server.jailr server.jailthreadr server.ticketr server.utilsr dummyjailrutilsrrrhelpersrrrr)rrrQrrdirname__file__rr4r rr*rcrTestCaserrrrclientreadertestcaserrrrrrrr#s\          [} U*