decided to use "interpolations" in the config file to make it more re…

…adable
fail2ban · Jan 15, 2006 · 55d7440 · 55d7440
1 parent a0dfb0f
commit 55d7440
Show file tree

Hide file tree

Showing 4 changed files with 99 additions and 94 deletions.
diff --git a/config/fail2ban.conf.default b/config/fail2ban.conf.default
@@ -76,20 +76,20 @@ findtime = 600
 #          Example:  ignoreip = 192.168.0.1/24 123.45.235.65
 # Values:  IP  Default:
 #
-ignoreip = 
+ignoreip =
 
 
 # Option:  cmdstart
 # Notes.:  command executed once at the start of Fail2Ban
 # Values:  CMD  Default:
 #
-cmdstart = 
+cmdstart =
 
 # Option:  cmdend
 # Notes.:  command executed once at the end of Fail2Ban.
 # Values:  CMD  Default:
 #
-cmdend = 
+cmdend =
 
 # Option:  polltime
 # Notes.:  number of seconds fail2ban sleeps between iterations.
@@ -111,6 +111,68 @@ reinittime = 10
 #
 maxreinits = -1
 
+#
+# NOTE: Interpolations
+#
+# fwstart, as well as fwend, fwcheck, fwban, fwunban, ise interpolations
+#  so %(__name__)s  will be substituted by a name of each section
+#  (unless the option is overriden in a section).
+#  If you are going to use interpolations in your setup, please make
+#  sure that you specified options port and protocol (which also has
+#  an option in DEFAULT)
+#
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option:  fwstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD  Default:
+#
+fwstart = iptables -N fail2ban-%(__name__)s
+          iptables -A fail2ban-%(__name__)s -j RETURN
+          iptables -I INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
+
+# Option:  fwend
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD  Default:
+#
+fwend = iptables -D INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
+        iptables -F fail2ban-%(__name__)s
+        iptables -X fail2ban-%(__name__)s
+
+# Option:  fwcheck
+# Notes.:  command executed once before each fwban command
+# Values:  CMD  Default:
+#
+fwcheck = iptables -L INPUT | grep -q fail2ban-%(__name__)s
+
+# Option:  fwban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <failtime>  unix timestamp of the last failure
+#          <bantime>  unix timestamp of the ban time
+# Values:  CMD
+# Default: iptables -I INPUT 1 -s <ip> -j DROP
+#
+fwban = iptables -I fail2ban-%(__name__)s 1 -s <ip> -j DROP
+
+# Option:  fwunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <bantime>  unix timestamp of the ban time
+#          <unbantime>  unix timestamp of the unban time
+# Values:  CMD
+# Default: iptables -D INPUT -s <ip> -j DROP
+#
+fwunban = iptables -D fail2ban-%(__name__)s -s <ip> -j DROP
+
 
 [MAIL]
 # Option:  enabled
@@ -188,57 +250,18 @@ message = Hi,<br>
 #
 enabled = false
 
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]  Default:
+#
+port = http
+
 # Option:  logfile
 # Notes.:  logfile to monitor.
 # Values:  FILE  Default:  /var/log/apache/access.log
 #
 logfile = /var/log/apache/access.log
 
-# Option:  fwstart
-# Notes.:  command executed once at the start of Fail2Ban
-# Values:  CMD  Default:
-#
-fwstart = iptables -N fail2ban-http
-          iptables -A fail2ban-http -j RETURN
-          iptables -I INPUT -p tcp --dport http -j fail2ban-http
-
-# Option:  fwend
-# Notes.:  command executed once at the end of Fail2Ban
-# Values:  CMD  Default:
-#
-fwend = iptables -D INPUT -p tcp --dport http -j fail2ban-http
-        iptables -F fail2ban-http
-        iptables -X fail2ban-http
-
-# Option:  fwcheck
-# Notes.:  command executed once before each fwban command
-# Values:  CMD  Default:
-#
-fwcheck = iptables -L INPUT | grep -q fail2ban-http
-
-# Option:  fwban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
-#          <failures>  number of failures
-#          <failtime>  unix timestamp of the last failure
-#          <bantime>  unix timestamp of the ban time
-# Values:  CMD
-# Default: iptables -I INPUT 1 -s <ip> -j DROP
-#
-fwban = iptables -I fail2ban-http 1 -s <ip> -j DROP
-
-# Option:  fwunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
-#          <bantime>  unix timestamp of the ban time
-#          <unbantime>  unix timestamp of the unban time
-# Values:  CMD
-# Default: iptables -D INPUT -s <ip> -j DROP
-#
-fwunban = iptables -D fail2ban-http -s <ip> -j DROP
-
 # Option:  timeregex
 # Notes.:  regex to match timestamp in Apache logfile.
 # Values:  [Wed Jan 05 15:08:01 2005]
@@ -267,57 +290,18 @@ failregex = [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not fo
 #
 enabled = true
 
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]  Default:
+#
+port = ssh
+
 # Option:  logfile
 # Notes.:  logfile to monitor.
 # Values:  FILE  Default:  /var/log/auth.log
 #
 logfile = /var/log/auth.log
 
-# Option:  fwstart
-# Notes.:  command executed once at the start of Fail2Ban
-# Values:  CMD  Default:
-#
-fwstart = iptables -N fail2ban-ssh
-          iptables -A fail2ban-ssh -j RETURN
-          iptables -I INPUT -p tcp --dport ssh -j fail2ban-ssh
-
-# Option:  fwend
-# Notes.:  command executed once at the end of Fail2Ban
-# Values:  CMD  Default:
-#
-fwend = iptables -D INPUT -p tcp --dport ssh -j fail2ban-ssh
-        iptables -F fail2ban-ssh
-        iptables -X fail2ban-ssh
-
-# Option:  fwcheck
-# Notes.:  command executed once before each fwban command
-# Values:  CMD  Default:
-#
-fwcheck = iptables -L INPUT | grep -q fail2ban-ssh
-
-# Option:  fwbanrule
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
-#          <failures>  number of failures
-#          <failtime>  unix timestamp of the last failure
-#          <bantime>  unix timestamp of the ban time
-# Values:  CMD
-# Default: iptables -I INPUT 1 -s <ip> -j DROP
-#
-fwban = iptables -I fail2ban-ssh 1 -s <ip> -j DROP
-
-# Option:  fwunbanrule
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
-#          <bantime>  unix timestamp of the ban time
-#          <unbantime>  unix timestamp of the unban time
-# Values:  CMD
-# Default: iptables -D INPUT -s <ip> -j DROP
-#
-fwunban = iptables -D fail2ban-ssh -s <ip> -j DROP
-
 # Option:  timeregex
 # Notes.:  regex to match timestamp in SSH logfile.
 # Values:  [Mar  7 17:53:28]

diff --git a/confreader/configreader.py b/confreader/configreader.py
@@ -80,6 +80,8 @@ def getLogOptions(self, sec, options):
 					v = self.configParser.get(sec, option[1])
 
 				values[option[1]] = v
+				logSys.debug("%s: Accepted value %s=%s"%(
+					sec, option[1], `v`))
 			except NoOptionError:
 				logSys.warn("No '" + option[1] + "' defined in '" + sec +
 							"'. Using default one: '" + `option[2]` + "'")

diff --git a/debian/README.Debian b/debian/README.Debian
@@ -34,6 +34,19 @@ just a single group (?P<host>...)
 
 [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330827
 
+"Interpolations" in the config file:
+
+Since version 0.6.0-3 to reduce duplication, thus to improve
+readability of the config file, interpolations provided by the module
+ConfigParser are used. If you had custom sections defined before, you
+might benefit from updating config file and adding appropriate
+information for the new sections.
+
+N.B. If you have some nice additional sections defined, I would really
+appreciate if you share them with me, so they could be eventually
+included in the fail2ban package for general use by the rest of the
+community.
+
 Mailing:
 
 As it was reported (bug #329722) you might need to provide a full
@@ -60,4 +73,4 @@ had enough of failed logins within "findtime" will be banned for
 "bantime" since [re]start moment, not since the last failed login
 time.
 
- -- Yaroslav O. Halchenko <debian@onerussian.com>, Sun Nov 20 21:44:56 2005
+ -- Yaroslav O. Halchenko <debian@onerussian.com>, Sun Jan 15 15:18:13 2006
diff --git a/debian/changelog b/debian/changelog
@@ -1,6 +1,12 @@
 fail2ban (0.6.0-3) unstable; urgency=low
 
   * ignoreip is now empty by default (closes: #347766)
+  * increased verbosity in verbose=2 mode: now prints options accepted
+    from the config file
+  * to make fail2ban.conf more compact, thus to improve its readability,
+    fail2ban.conf was converted to use "interpolations" provided by
+    ConfigParser class. fw{start,end,{,un}ban} options were moved into
+    DEFAULT section and required options (port, protocol) were added
 
  -- Yaroslav Halchenko <debian@onerussian.com>  Thu, 12 Jan 2006 18:32:14 -0500