
decided to use "interpolations" in the config file to make it more readable
1 parent a0dfb0f commit 55d7440fe1fb742779463b14fea6c045d5f62720 @yarikoptic yarikoptic committed Jan 15, 2006
Showing with 99 additions and 94 deletions.
  1. +77 −93 config/fail2ban.conf.default
  2. +2 −0 confreader/configreader.py
  3. +14 −1 debian/README.Debian
  4. +6 −0 debian/changelog
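--- a/config/fail2ban.conf.default
+++ b/config/fail2ban.conf.default
@@ -76,20 +76,20 @@ findtime = 600
 # Example: ignoreip = 192.168.0.1/24 123.45.235.65
 # Values: IP Default:
 #
-ignoreip =
+ignoreip =
 # Option: cmdstart
 # Notes.: command executed once at the start of Fail2Ban
 # Values: CMD Default:
 #
-cmdstart =
+cmdstart =
 # Option: cmdend
 # Notes.: command executed once at the end of Fail2Ban.
 # Values: CMD Default:
 #
-cmdend =
+cmdend =
 # Option: polltime
 # Notes.: number of seconds fail2ban sleeps between iterations.
@@ -111,6 +111,68 @@ reinittime = 10
 #
 maxreinits = -1
+#
+# NOTE: Interpolations
+#
+# fwstart, as well as fwend, fwcheck, fwban, fwunban, ise interpolations
+# so %(__name__)s will be substituted by a name of each section
+# (unless the option is overriden in a section).
+# If you are going to use interpolations in your setup, please make
+# sure that you specified options port and protocol (which also has
+# an option in DEFAULT)
+#
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option: fwstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD Default:
+#
+fwstart = iptables -N fail2ban-%(__name__)s
+ iptables -A fail2ban-%(__name__)s -j RETURN
+ iptables -I INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
+
+# Option: fwend
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD Default:
+#
+fwend = iptables -D INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
+ iptables -F fail2ban-%(__name__)s
+ iptables -X fail2ban-%(__name__)s
+
+# Option: fwcheck
+# Notes.: command executed once before each fwban command
+# Values: CMD Default:
+#
+fwcheck = iptables -L INPUT | grep -q fail2ban-%(__name__)s
+
+# Option: fwban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <failtime> unix timestamp of the last failure
+# <bantime> unix timestamp of the ban time
+# Values: CMD
+# Default: iptables -I INPUT 1 -s <ip> -j DROP
+#
+fwban = iptables -I fail2ban-%(__name__)s 1 -s <ip> -j DROP
+
+# Option: fwunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <bantime> unix timestamp of the ban time
+# <unbantime> unix timestamp of the unban time
+# Values: CMD
+# Default: iptables -D INPUT -s <ip> -j DROP
+#
+fwunban = iptables -D fail2ban-%(__name__)s -s <ip> -j DROP
+
 [MAIL]
 # Option: enabled
@@ -188,57 +250,18 @@ message = Hi,<br>
 #
 enabled = false
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default:
+#
+port = http
+
 # Option: logfile
 # Notes.: logfile to monitor.
 # Values: FILE Default: /var/log/apache/access.log
 #
 logfile = /var/log/apache/access.log
-# Option: fwstart
-# Notes.: command executed once at the start of Fail2Ban
-# Values: CMD Default:
-#
-fwstart = iptables -N fail2ban-http
- iptables -A fail2ban-http -j RETURN
- iptables -I INPUT -p tcp --dport http -j fail2ban-http
-
-# Option: fwend
-# Notes.: command executed once at the end of Fail2Ban
-# Values: CMD Default:
-#
-fwend = iptables -D INPUT -p tcp --dport http -j fail2ban-http
- iptables -F fail2ban-http
- iptables -X fail2ban-http
-
-# Option: fwcheck
-# Notes.: command executed once before each fwban command
-# Values: CMD Default:
-#
-fwcheck = iptables -L INPUT | grep -q fail2ban-http
-
-# Option: fwban
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: <ip> IP address
-# <failures> number of failures
-# <failtime> unix timestamp of the last failure
-# <bantime> unix timestamp of the ban time
-# Values: CMD
-# Default: iptables -I INPUT 1 -s <ip> -j DROP
-#
-fwban = iptables -I fail2ban-http 1 -s <ip> -j DROP
-
-# Option: fwunban
-# Notes.: command executed when unbanning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: <ip> IP address
-# <bantime> unix timestamp of the ban time
-# <unbantime> unix timestamp of the unban time
-# Values: CMD
-# Default: iptables -D INPUT -s <ip> -j DROP
-#
-fwunban = iptables -D fail2ban-http -s <ip> -j DROP
-
 # Option: timeregex
 # Notes.: regex to match timestamp in Apache logfile.
 # Values: [Wed Jan 05 15:08:01 2005]
@@ -267,57 +290,18 @@ failregex = [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not fo
 #
 enabled = true
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default:
+#
+port = ssh
+
 # Option: logfile
 # Notes.: logfile to monitor.
 # Values: FILE Default: /var/log/auth.log
 #
 logfile = /var/log/auth.log
-# Option: fwstart
-# Notes.: command executed once at the start of Fail2Ban
-# Values: CMD Default:
-#
-fwstart = iptables -N fail2ban-ssh
- iptables -A fail2ban-ssh -j RETURN
- iptables -I INPUT -p tcp --dport ssh -j fail2ban-ssh
-
-# Option: fwend
-# Notes.: command executed once at the end of Fail2Ban
-# Values: CMD Default:
-#
-fwend = iptables -D INPUT -p tcp --dport ssh -j fail2ban-ssh
- iptables -F fail2ban-ssh
- iptables -X fail2ban-ssh
-
-# Option: fwcheck
-# Notes.: command executed once before each fwban command
-# Values: CMD Default:
-#
-fwcheck = iptables -L INPUT | grep -q fail2ban-ssh
-
-# Option: fwbanrule
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: <ip> IP address
-# <failures> number of failures
-# <failtime> unix timestamp of the last failure
-# <bantime> unix timestamp of the ban time
-# Values: CMD
-# Default: iptables -I INPUT 1 -s <ip> -j DROP
-#
-fwban = iptables -I fail2ban-ssh 1 -s <ip> -j DROP
-
-# Option: fwunbanrule
-# Notes.: command executed when unbanning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: <ip> IP address
-# <bantime> unix timestamp of the ban time
-# <unbantime> unix timestamp of the unban time
-# Values: CMD
-# Default: iptables -D INPUT -s <ip> -j DROP
-#
-fwunban = iptables -D fail2ban-ssh -s <ip> -j DROP
-
 # Option: timeregex
 # Notes.: regex to match timestamp in SSH logfile.
 # Values: [Mar 7 17:53:28]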
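Review bot: The new DEFAULT `fwcheck = iptables -L INPUT | grep -q fail2ban-%(__name__)s` matches the chain name as a substring, so with sections whose names prefix one another (e.g. `ssh` and `sshd`) the check for one passes whenever the other's chain is hooked into INPUT, and the `fwban` that follows is run against a chain that may not exist; previously each section spelled its own literal chain name, so the templated form is where this became possible. Anchoring the name fixes it, and `-n` stops iptables from doing a reverse-DNS lookup per listed rule, which can stall every ban: `fwcheck = iptables -L INPUT -n | grep -q -w 'fail2ban-%(__name__)s'`. The NOTE block also has two typos, `ise interpolations` → `use interpolations` and `overriden` → `overridden`. Finally, the NOTE asks users to set `port`, but unlike `protocol` it has no DEFAULT value, so a section that is `enabled = true` without `port` will fail as soon as any `fw*` option is interpolated; saying so explicitly in the NOTE (`# port has no default: every enabled section must set it`) would save a confusing startup error.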
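--- a/confreader/configreader.py
+++ b/confreader/configreader.py
@@ -80,6 +80,8 @@ def getLogOptions(self, sec, options):
 v = self.configParser.get(sec, option[1])
 values[option[1]] = v
+logSys.debug("%s: Accepted value %s=%s"%(
+sec, option[1], `v`))
 except NoOptionError:
 logSys.warn("No '" + option[1] + "' defined in '" + sec +
 "'. Using default one: '" + `option[2]` + "'")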
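Review bot: The `except NoOptionError:` right after the new debug line no longer covers the failure mode this commit introduces: with the `fw*` options moved to DEFAULT and interpolating `%(port)s`, a section that lacks `port` makes `self.configParser.get(sec, option[1])` raise `ConfigParser.InterpolationMissingOptionError` (an `InterpolationError`, not a `NoOptionError`), so the exception propagates out of `getLogOptions` instead of producing a warning. Catching it alongside, `except (NoOptionError, InterpolationError):` (importing `InterpolationError` from `ConfigParser` if the file does not already), and logging which option could not be interpolated for which section would turn that into an actionable message; the same `warn` path with the default value is probably not right for it, since a missing `port` is a misconfiguration rather than an omitted option. The added debug line itself is fine; note that `` `v` `` will print the fully interpolated `fwstart`/`fwban` commands at verbose=2, which is useful for checking the templates. `getLogOptions` begins outside this hunk.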
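--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -34,6 +34,19 @@ just a single group (?P<host>...)
 [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827
+"Interpolations" in the config file:
+
+Since version 0.6.0-3 to reduce duplication, thus to improve
+readability of the config file, interpolations provided by the module
+ConfigParser are used. If you had custom sections defined before, you
+might benefit from updating config file and adding appropriate
+information for the new sections.
+
+N.B. If you have some nice additional sections defined, I would really
+appreciate if you share them with me, so they could be eventually
+included in the fail2ban package for general use by the rest of the
+community.
+
 Mailing:
 As it was reported (bug #329722) you might need to provide a full
@@ -60,4 +73,4 @@ had enough of failed logins within "findtime" will be banned for
 "bantime" since [re]start moment, not since the last failed login
 time.
- -- Yaroslav O. Halchenko <debian@onerussian.com>, Sun Nov 20 21:44:56 2005
+ -- Yaroslav O. Halchenko <debian@onerussian.com>, Sun Jan 15 15:18:13 2006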
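--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,12 @@
 fail2ban (0.6.0-3) unstable; urgency=low
 * ignoreip is now empty by default (closes: #347766)
+ * increased verbosity in verbose=2 mode: now prints options accepted
+ from the config file
+ * to make fail2ban.conf more compact, thus to improve its readability,
+ fail2ban.conf was converted to use "interpolations" provided by
+ ConfigParser class. fw{start,end,{,un}ban} options were moved into
+ DEFAULT section and required options (port, protocol) were added
 -- Yaroslav Halchenko <debian@onerussian.com> Thu, 12 Jan 2006 18:32:14 -0500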
