Remove fail2ban from my project. Update eterban_switcher.py

53b2f560 · Ruzal Gimazov · 33dcfb70 · 53b2f560 · 33dcfb70 · 33dcfb70
Commit 53b2f560 authored Mar 07, 2020 by Ruzal Gimazov
4 changed files
--- a/eterban.spec
+++ b/eterban.spec
@@ -62,12 +62,9 @@ mkdir -p %buildroot/etc/fail2ban/action.d/
 mkdir -p %buildroot/etc/systemd/system/
 mkdir -p %buildroot/var/log/eterban/
 mkdir -p %buildroot%webserver_htdocsdir/%name/
-mkdir -p %buildroot/etc/fail2ban/jail.d/

 cp -a gateway/usr/share/%name/* %buildroot%_datadir/%name/
 install -m 644 gateway/etc/eterban/* %buildroot/etc/%name/
-install -m 644 gateway/etc/fail2ban/action.d/* %buildroot/etc/fail2ban/action.d/
-install -m 644 gateway/etc/fail2ban/jail.d/* %buildroot/etc/fail2ban/jail.d/
 install -m 644 gateway/etc/systemd/system/* %buildroot/etc/systemd/system/

 install -m 644 ban-server/data/www/* %buildroot%webserver_htdocsdir/%name/
@@ -78,8 +75,6 @@ cp -a prod-server/usr/share/%name/* %buildroot%_datadir/%name/

 %files gateway
 %config(noreplace) /etc/%name/settings.ini
-%config(noreplace) /etc/fail2ban/action.d/ban.conf
-%config(noreplace) /etc/fail2ban/jail.d/blacklist.conf
 /etc/systemd/system/
 /var/log/eterban/
 %_datadir/%name/eterban_switcher.py

--- a/gateway/etc/fail2ban/action.d/ban.conf
+++ b/gateway/etc/fail2ban/action.d/ban.conf
-[INCLUDES]
-before = iptables-common.conf
-
-[Definition]
-# Notes.: create list blacklist at the start of Fail2Ban
-# Value: CMD (eterban-switcher.py)
-
-actionstart = ipset --create blacklist iphash
-              iptables -t nat -I PREROUTING -i brlocal -m set --match-set blacklist src -j DNAT --to-destination 91.232.225.67
-              iptables -t nat -I PREROUTING -i brlocal -m set ! --match-set blacklist src -d 91.232.225.67 -p tcp -m multiport --destination-port 80,443 -j DNAT --to-destination 91.232.225.67:81
-              iptables -I FORWARD -i brlocal -p tcp -m multiport ! --dport 80,81,443 -m set --match-set blacklist src -j REJECT
-#              iptables -t nat -I POSTROUTING -o breth0 -d 91.232.225.67 -j SNAT --to-source 91.232.225.1
-
-
-actionstop  = iptables -t nat -D PREROUTING -i brlocal -m set --match-set blacklist src -j DNAT --to-destination 91.232.225.67
-              iptables -t nat -D PREROUTING -i brlocal -m set ! --match-set blacklist src -d 91.232.225.67 -p tcp -m multiport --destination-port 80,443 -j DNAT --to-destination 91.232.225.67:81
-	      iptables -D FORWARD -i brlocal -p tcp -m multiport ! --dport 80,81,443 -m set --match-set blacklist src -j REJECT
-              ipset destroy blacklist
-#              iptables -t nat -D POSTROUTING -o breth0 -d 91.232.225.67 -j SNAT --to-source 91.232.225.1
-
-actionban = ipset -A blacklist <ip>
-actionunban = ipset -D blacklist <ip>
--- a/gateway/etc/fail2ban/jail.d/blacklist.conf
+++ b/gateway/etc/fail2ban/jail.d/blacklist.conf
-[blacklist]
-enabled = true
-#filter = blacklist
-filter = sshd
-action = ban
-logpath = /dev/null
-# 10 year. Tish rule rune ONLY after eterban_switcher.py (eterban package)
-bantime = 315360000
-findtime  = 1200
-maxretry = 2
-
--- a/gateway/usr/share/eterban/eterban_switcher.py
+++ b/gateway/usr/share/eterban/eterban_switcher.py
@@ -5,6 +5,10 @@ import time
 import sys
 import configparser
 import os
+import signal
+
+
+

 def createConfig(path_to_config, path_to_log):
    """
@@ -56,37 +60,75 @@ except:
        print ("Unknown error with logfile")
        sys.exit()

+def restore_ipset_eterban_1():
+    command='ipset restore --file /usr/share/eterban/eterban_1'
+    subprocess.call (command, shell = True)

-path_to_config = '/etc/eterban/settings.ini'
-redis_server = get_ip_redis_server (path_to_config, path_to_log)
+def create_iptables_rules():
+    commands=["ipset --create eterban_1 iphash",
+        'iptables -t nat -I PREROUTING -i brlocal -m set --match-set eterban_1 src -j DNAT --to-destination 91.232.225.67',
+        'iptables -t nat -I PREROUTING -i brlocal -m set ! --match-set eterban_1 src -d 91.232.225.67 -p tcp -m multiport --destination-port 80,443 -j DNAT --to-destination 91.232.225.67:81',
+        'iptables -I FORWARD -i brlocal -p tcp -m multiport ! --dport 80,81,443 -m set --match-set eterban_1 src -j REJECT']
+    for command in commands:
+        subprocess.call (command, shell = True)
+
+def destroy_iptables_rules ():
+    commands=['iptables -t nat -D PREROUTING -i brlocal -m set --match-set eterban_1 src -j DNAT --to-destination 91.232.225.67',
+        'iptables -t nat -D PREROUTING -i brlocal -m set ! --match-set eterban_1 src -d 91.232.225.67 -p tcp -m multiport --destination-port 80,443 -j DNAT --to-destination 91.232.225.67:81',
+        'iptables -D FORWARD -i brlocal -p tcp -m multiport ! --dport 80,81,443 -m set --match-set eterban_1 src -j REJECT',
+        'ipset destroy eterban_1']
+
+    for command in commands:
+        subprocess.call (command, shell = True)
+        #print (command)
+
+def exit_gracefully(signum, frame):
+    destroy_iptables_rules()
+    print ("End of the program. I was killed with ", signum,'\n')
+    sys.exit()

+signal.signal(signal.SIGINT, exit_gracefully)
+signal.signal(signal.SIGQUIT, exit_gracefully)
+signal.signal(signal.SIGTERM, exit_gracefully)


-#print ("done!")
+path_to_config = '/etc/eterban/settings.ini'
+redis_server = get_ip_redis_server (path_to_config, path_to_log)
+
+print ("done!")
 #print (time.strftime( "%Y-%m-%d %H:%M:%S", time.localtime()))
 #subprocess.call ('ipset create blacklist hash:ip', stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell = True)

-r = redis.Redis(host=redis_server)
-p = r.pubsub()
+try:
+    r = redis.Redis(host=redis_server)
+    p = r.pubsub()
+
+    p.subscribe('ban', 'unban', 'by')
+except:
+    print ("Enable to connect redes")
+    sys.exit()
+
+restore_ipset_eterban_1()
+create_iptables_rules()

-p.subscribe('ban', 'unban', 'by')

 for message in p.listen():
    if message is not None and  message['type']=='message' and message['channel'] == b'ban':
        ip = message['data'].decode('utf-8')
        ip = message['data'].decode('utf-8')
-        #ban = 'ipset -A blacklist ' + ip
-        ban = 'fail2ban-client set blacklist  banip ' + ip
+        ban = 'ipset -A blacklist ' + ip
+        print (message)
+        #ban = 'fail2ban-client set blacklist  banip ' + ip
        #subprocess.call (ban, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell = True)
        subprocess.call (ban, shell = True)
        tcp_drop = 'conntrack -D -s ' + ip
        subprocess.Popen(tcp_drop, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell = True)
        #subprocess.Popen(tcp_drop, shell = True)
    elif message is not None and message['type'] =='message' and message['channel'] == b'unban' :
-        #print (message)
+        print (message)
        ip = message['data'].decode('utf-8')
-        #unban = 'ipset -D blacklist ' + ip
-        unban = 'fail2ban-client set blacklist unbanip ' + ip
+        unban = 'ipset -D blacklist ' + ip
+        #unban = 'fail2ban-client set blacklist unbanip ' + ip
        subprocess.call (unban, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell = True)
        #subprocess.call (unban, shell = True)
        tcp_drop = 'conntrack -D -s ' + ip
@@ -95,14 +137,14 @@ for message in p.listen():
    elif message is not None and message['type'] =='message' and message['channel'] == b'by':
        info = time.strftime( "%Y-%m-%d %H:%M:%S", time.localtime())
        info += " " + message['data'].decode('utf-8') + "\n"
-        #print (info)
+        print (info)
        log.write(info)
        log.flush()
    elif message is not None:
-        #print ("AHTUNG!!1!", message)
+        print ("AHTUNG!!1!", message)
        info = time.strftime( "%Y-%m-%d %H:%M:%S", time.localtime())
        info += " Unknown message: " + str(message) + "\n"
-        #print (info)
+        print (info)
        log.write(info)
        log.flush()
    else: