diff options
Diffstat (limited to 'files')
-rwxr-xr-x | files/debian-initd | 146 | ||||
-rw-r--r-- | files/fail2ban-openrc.conf | 2 | ||||
-rwxr-xr-x | files/fail2ban-openrc.init.in | 86 | ||||
-rw-r--r-- | files/fail2ban-tmpfiles.conf | 2 | ||||
-rw-r--r-- | files/fail2ban.service.in | 9 | ||||
-rw-r--r-- | files/gentoo-confd | 8 | ||||
-rwxr-xr-x | files/gentoo-initd | 60 |
7 files changed, 176 insertions, 137 deletions
diff --git a/files/debian-initd b/files/debian-initd index 3b1745c1..a9cc584f 100755 --- a/files/debian-initd +++ b/files/debian-initd @@ -1,4 +1,4 @@ -#! /bin/sh +#!/bin/sh ### BEGIN INIT INFO # Provides: fail2ban # Required-Start: $local_fs $remote_fs @@ -22,28 +22,28 @@ # rename this file: (sudo) mv /etc/init.d/fail2ban.init /etc/init.d/fail2ban # same with the logrotate file: (sudo) mv /etc/logrotate.d/fail2ban.logrotate /etc/logrotate.d/fail2ban # -PATH=/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin -DESC="authentication failure monitor" -NAME=fail2ban +PATH="/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin" +DESC="Authentication failure monitor" +NAME="fail2ban" # fail2ban-client is not a daemon itself but starts a daemon and # loads its with configuration -DAEMON=/usr/local/bin/$NAME-client -SCRIPTNAME=/etc/init.d/$NAME +DAEMON="/usr/local/bin/$NAME-client" +SCRIPTNAME="/etc/init.d/$NAME" # Ad-hoc way to parse out socket file name -SOCKFILE=`grep -h '^[^#]*socket *=' /etc/$NAME/$NAME.conf /etc/$NAME/$NAME.local 2>/dev/null \ - | tail -n 1 | sed -e 's/.*socket *= *//g' -e 's/ *$//g'` -[ -z "$SOCKFILE" ] && SOCKFILE='/var/run/fail2ban.sock' +SOCKFILE="$(grep -h '^[^#]*socket *=' "/etc/$NAME/$NAME.conf" "/etc/$NAME/$NAME.local" 2>/dev/null \ + | tail -n 1 | sed -e 's/.*socket *= *//g' -e 's/ *$//g')" +[ -z "$SOCKFILE" ] && SOCKFILE="/var/run/fail2ban.sock" # Exit if the package is not installed [ -x "$DAEMON" ] || exit 0 # Run as root by default. -FAIL2BAN_USER=root +FAIL2BAN_USER="root" # Read configuration variable file if it is present -[ -r /etc/default/$NAME ] && . /etc/default/$NAME +[ -r "/etc/default/$NAME" ] && . "/etc/default/$NAME" DAEMON_ARGS="$FAIL2BAN_OPTS" # Load the VERBOSE setting and other rcS variables @@ -51,7 +51,8 @@ DAEMON_ARGS="$FAIL2BAN_OPTS" # Predefine what can be missing from lsb source later on -- necessary to run # on sarge. Just present it in a bit more compact way from what was shipped -log_daemon_msg () { +log_daemon_msg() +{ [ -z "$1" ] && return 1 echo -n "$1:" [ -z "$2" ] || echo -n " $2" @@ -68,7 +69,7 @@ log_daemon_msg () { # report_bug() { - echo $* + echo "$*" echo "Please submit a bug report to Debian BTS (reportbug fail2ban)" exit 1 } @@ -80,10 +81,10 @@ report_bug() check_socket() { # Return - # 0 if socket is present and readable - # 1 if socket file is not present - # 2 if socket file is present but not readable - # 3 if socket file is present but is not a socket + # 0 if socket is present and readable + # 1 if socket file is not present + # 2 if socket file is present but not readable + # 3 if socket file is present but is not a socket [ -e "$SOCKFILE" ] || return 1 [ -r "$SOCKFILE" ] || return 2 [ -S "$SOCKFILE" ] || return 3 @@ -96,14 +97,14 @@ check_socket() do_start() { # Return - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started do_status && return 1 if [ -e "$SOCKFILE" ]; then log_failure_msg "Socket file $SOCKFILE is present" - [ "$1" = "force-start" ] \ + [ "$1" = force-start ] \ && log_success_msg "Starting anyway as requested" \ || return 2 DAEMON_ARGS="$DAEMON_ARGS -x" @@ -112,18 +113,20 @@ do_start() # Assure that /var/run/fail2ban exists [ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban - if [ "$FAIL2BAN_USER" != "root" ]; then + if [ "$FAIL2BAN_USER" != root ]; then # Make the socket directory, IP lists and fail2ban log # files writable by fail2ban chown "$FAIL2BAN_USER" /var/run/fail2ban # Create the logfile if it doesn't exist touch /var/log/fail2ban.log chown "$FAIL2BAN_USER" /var/log/fail2ban.log - find /proc/net/xt_recent -name 'fail2ban-*' -exec chown "$FAIL2BAN_USER" {} \; + find /proc/net/xt_recent -name "fail2ban-*" -exec chown "$FAIL2BAN_USER" "{}" ";" fi - start-stop-daemon --start --quiet --chuid "$FAIL2BAN_USER" --exec $DAEMON -- \ - $DAEMON_ARGS start > /dev/null\ + # $DAEMON_ARGS need to be expanded possibly with multiple or no options + # shellcheck disable=SC2086 + start-stop-daemon --start --quiet --chuid "$FAIL2BAN_USER" --exec "$DAEMON" -- \ + $DAEMON_ARGS start >/dev/null \ || return 2 return 0 @@ -136,8 +139,8 @@ do_start() # do_status() { - $DAEMON ping > /dev/null 2>&1 - return $? + $DAEMON ping >/dev/null 2>&1 + return "$?" } # @@ -146,22 +149,22 @@ do_status() do_stop() { # Return - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - # other if a failure occurred - $DAEMON status > /dev/null 2>&1 || return 1 - $DAEMON stop > /dev/null || return 2 + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + # other if a failure occurred + $DAEMON status >/dev/null 2>&1 || return 1 + $DAEMON stop >/dev/null || return 2 # now we need actually to wait a bit since it might take time # for server to react on client's stop request. Especially # important for restart command on slow boxes count=1 - while do_status && [ $count -lt 60 ]; do + while do_status && [ "$count" -lt 60 ]; do sleep 1 - count=$(($count+1)) + count="$((count + 1))" done - [ $count -lt 60 ] || return 3 # failed to stop + [ "$count" -lt 60 ] || return 3 # failed to stop return 0 } @@ -169,8 +172,9 @@ do_stop() # # Function to reload configuration # -do_reload() { - $DAEMON reload > /dev/null && return 0 || return 1 +do_reload() +{ + "$DAEMON" reload >/dev/null && return 0 || return 1 return 0 } @@ -180,16 +184,16 @@ do_reload() { # log_end_msg_wrapper() { - if [ $1 != 0 ] && [ $1 != $2 ]; then - value=1 + if [ "$1" != 0 ] && [ "$1" != "$2" ]; then + value="1" else - value=0 + value="0" fi - if [ "$3" != "no" ]; then - log_end_msg $value + if [ "$3" != no ]; then + log_end_msg "$value" fi - if [ $value != "0" ]; then - exit $1 + if [ "$value" != 0 ]; then + exit "$1" fi } @@ -198,13 +202,13 @@ case "$command" in start|force-start) [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" do_start "$command" - log_end_msg_wrapper $? 255 "$VERBOSE" + log_end_msg_wrapper "$?" 255 "$VERBOSE" ;; stop) [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" do_stop - log_end_msg_wrapper $? 255 "$VERBOSE" + log_end_msg_wrapper "$?" 255 "$VERBOSE" ;; restart|force-reload) @@ -213,41 +217,55 @@ case "$command" in case "$?" in 0|1) do_start - log_end_msg_wrapper $? 0 "always" + log_end_msg_wrapper "$?" 0 always ;; *) # Failed to stop log_end_msg 1 ;; - esac + esac ;; - reload|force-reload) - log_daemon_msg "Reloading $DESC" "$NAME" - do_reload - log_end_msg $? - ;; + reload) + log_daemon_msg "Reloading $DESC" "$NAME" + do_reload + log_end_msg "$?" + ;; status) log_daemon_msg "Status of $DESC" do_status - case $? in - 0) log_success_msg " $NAME is running" ;; + case "$?" in + 0) + log_success_msg " $NAME is running" + ;; 255) check_socket - case $? in - 1) log_failure_msg " $NAME is not running" && exit 3 ;; - 0) log_failure_msg " $NAME is not running but $SOCKFILE exists" && exit 3 ;; - 2) log_failure_msg " $SOCKFILE not readable, status of $NAME is unknown" && exit 3 ;; - 3) log_failure_msg " $SOCKFILE exists but not a socket, status of $NAME is unknown" && exit 3 ;; - *) report_bug "Unknown return code from $NAME:check_socket." && exit 4 ;; + case "$?" in + 1) + log_failure_msg " $NAME is not running" && exit 3 + ;; + 0) + log_failure_msg " $NAME is not running but $SOCKFILE exists" && exit 3 + ;; + 2) + log_failure_msg " $SOCKFILE not readable, status of $NAME is unknown" && exit 3 + ;; + 3) + log_failure_msg " $SOCKFILE exists but not a socket, status of $NAME is unknown" && exit 3 + ;; + *) + report_bug "Unknown return code from $NAME:check_socket." && exit 4 + ;; esac ;; - *) report_bug "Unknown $NAME status code" && exit 4 + *) + report_bug "Unknown $NAME status code" && exit 4 + ;; esac ;; *) - echo "Usage: $SCRIPTNAME {start|force-start|stop|restart|force-reload|status}" >&2 + echo "Usage: $SCRIPTNAME {start|force-start|stop|restart|force-reload|status}" 1>&2 exit 3 ;; esac diff --git a/files/fail2ban-openrc.conf b/files/fail2ban-openrc.conf new file mode 100644 index 00000000..9454ef68 --- /dev/null +++ b/files/fail2ban-openrc.conf @@ -0,0 +1,2 @@ +# For available options, plase run "fail2ban-server --help". +#FAIL2BAN_OPTIONS="-x" diff --git a/files/fail2ban-openrc.init.in b/files/fail2ban-openrc.init.in new file mode 100755 index 00000000..2c56ee3a --- /dev/null +++ b/files/fail2ban-openrc.init.in @@ -0,0 +1,86 @@ +#!/sbin/openrc-run +# This file is part of Fail2Ban. +# +# Fail2Ban is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# Fail2Ban is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Fail2Ban; if not, write to the Free Software +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +# +# Author: Sireyessire, Cyril Jaquier +# + +description="Ban hosts that cause multiple authentication errors" +description_reload="reload configuration without dropping bans" +extra_started_commands="reload" + +# Can't (and shouldn't) be changed by the end-user. +# +# Note that @BINDIR@ is already supplied by the build system. Some +# day, it might be nice to have @RUNDIR@ supplied by the build system +# as well, so that we don't have to hard-code /run here. +FAIL2BAN_RUNDIR="/run/${RC_SVCNAME}" +FAIL2BAN_SOCKET="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.sock" + +# The fail2ban-client program is also capable of starting and stopping +# the server, but things are simpler if we let start-stop-daemon do it. +command="@BINDIR@/fail2ban-server" +pidfile="${FAIL2BAN_RUNDIR}/${RC_SVCNAME}.pid" + +# We force the pidfile/socket location in this service script because +# we're taking responsibility for ensuring that their parent directory +# exists and has the correct permissions (which we can't do if the +# user is allowed to change them). +command_args="${FAIL2BAN_OPTIONS} -p ${pidfile} -s ${FAIL2BAN_SOCKET}" +retry="30" + +depend() { + use logger + after iptables +} + +checkconfig() { + "${command}" ${command_args} --test +} + +start_pre() { + # If this isn't a restart, make sure that the user's config isn't + # busted before we try to start the daemon (this will produce + # better error messages than if we just try to start it blindly). + # + # If, on the other hand, this *is* a restart, then the stop_pre + # action will have ensured that the config is usable and we don't + # need to do that again. + if [ "${RC_CMD}" != "restart" ] ; then + checkconfig || return $? + fi + checkpath -d "${FAIL2BAN_RUNDIR}" +} + +stop_pre() { + # If this is a restart, check to make sure the user's config + # isn't busted before we stop the running daemon. + if [ "${RC_CMD}" = "restart" ] ; then + checkconfig || return $? + fi +} + +reload() { + # The fail2ban-client uses an undocumented protocol to tell + # the server to reload(), so we have to use it here rather + # than e.g. sending a signal to the server daemon. Note that + # the reload will fail (on the server side) if the new config + # is invalid; we therefore don't need to test it ourselves + # with checkconfig() before initiating the reload. + ebegin "Reloading ${RC_SVCNAME}" + "@BINDIR@/fail2ban-client" ${command_args} reload + eend $? "Failed to reload ${RC_SVCNAME}" +} diff --git a/files/fail2ban-tmpfiles.conf b/files/fail2ban-tmpfiles.conf index 3fd783f3..68f8e345 100644 --- a/files/fail2ban-tmpfiles.conf +++ b/files/fail2ban-tmpfiles.conf @@ -1 +1 @@ -D /var/run/fail2ban 0755 root root -
\ No newline at end of file +D /run/fail2ban 0755 root root -
\ No newline at end of file diff --git a/files/fail2ban.service.in b/files/fail2ban.service.in index 24dcb51e..9a245c61 100644 --- a/files/fail2ban.service.in +++ b/files/fail2ban.service.in @@ -1,18 +1,19 @@ [Unit] Description=Fail2Ban Service Documentation=man:fail2ban(1) -After=network.target iptables.service firewalld.service ip6tables.service ipset.service -PartOf=iptables.service firewalld.service ip6tables.service ipset.service +After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service +PartOf=iptables.service firewalld.service ip6tables.service ipset.service nftables.service [Service] Type=simple -ExecStartPre=/bin/mkdir -p /var/run/fail2ban +Environment="PYTHONNOUSERSITE=1" +ExecStartPre=/bin/mkdir -p /run/fail2ban ExecStart=@BINDIR@/fail2ban-server -xf start # if should be logged in systemd journal, use following line or set logtarget to sysout in fail2ban.local # ExecStart=@BINDIR@/fail2ban-server -xf --logtarget=sysout start ExecStop=@BINDIR@/fail2ban-client stop ExecReload=@BINDIR@/fail2ban-client reload -PIDFile=/var/run/fail2ban/fail2ban.pid +PIDFile=/run/fail2ban/fail2ban.pid Restart=on-failure RestartPreventExitStatus=0 255 diff --git a/files/gentoo-confd b/files/gentoo-confd deleted file mode 100644 index 00d19f8b..00000000 --- a/files/gentoo-confd +++ /dev/null @@ -1,8 +0,0 @@ -# Config file for /etc/init.d/fail2ban -# -# For information on options, see "/usr/bin/fail2ban-client -h". - -FAIL2BAN_OPTIONS="" - -# Force execution of the server even if the socket already exists: -#FAIL2BAN_OPTIONS="-x" diff --git a/files/gentoo-initd b/files/gentoo-initd deleted file mode 100755 index 0fb157cd..00000000 --- a/files/gentoo-initd +++ /dev/null @@ -1,60 +0,0 @@ -#!/sbin/openrc-run -# This file is part of Fail2Ban. -# -# Fail2Ban is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# Fail2Ban is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with Fail2Ban; if not, write to the Free Software -# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -# -# Author: Sireyessire, Cyril Jaquier -# - -description="Daemon to ban hosts that cause multiple authentication errors" -description_reload="reload configuration" -description_showlog="show fail2ban logs" -extra_started_commands="reload showlog" - -FAIL2BAN="/usr/bin/fail2ban-client ${FAIL2BAN_OPTIONS}" - -depend() { - need net - need logger - after iptables -} - -start() { - ebegin "Starting fail2ban" - mkdir -p /var/run/fail2ban || return 1 - # remove stalled sock file after system crash - # bug 347477 - rm -f /var/run/fail2ban/fail2ban.sock || return 1 - start-stop-daemon --start --pidfile /var/run/fail2ban/fail2ban.pid \ - -- ${FAIL2BAN} start - eend $? "Failed to start fail2ban" -} - -stop() { - ebegin "Stopping fail2ban" - start-stop-daemon --stop --pidfile /var/run/fail2ban/fail2ban.pid --retry 30 \ - -- ${FAIL2BAN} stop - eend $? "Failed to stop fail2ban" -} - -reload() { - ebegin "Reloading fail2ban" - ${FAIL2BAN} reload - eend $? "Failed to reload fail2ban" -} - -showlog(){ - less /var/log/fail2ban.log -} |