From 4cc63ceeb7af654c4b1cbd7ef796919c9429c4fc Mon Sep 17 00:00:00 2001 From: Kraeutergarten Date: Fri, 17 May 2019 19:38:34 +0200 Subject: [PATCH] Allow hostnames for fail2ban whitelist. --- data/Dockerfiles/netfilter/server.py | 21 +++++++++++++++++++++ data/web/inc/functions.fail2ban.inc.php | 7 ++++++- 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/data/Dockerfiles/netfilter/server.py b/data/Dockerfiles/netfilter/server.py index 910679c6c..a7de6393e 100644 --- a/data/Dockerfiles/netfilter/server.py +++ b/data/Dockerfiles/netfilter/server.py @@ -5,6 +5,7 @@ import os import time import atexit import signal +import socket import ipaddress from random import randint from threading import Thread @@ -39,6 +40,13 @@ log = {} quit_now = False lock = Lock() +def is_ip_network(address): + try: + ipaddress.ip_network(address.decode('ascii'), False) + except ValueError: + return False + return True + def refreshF2boptions(): global f2boptions global quit_now @@ -119,6 +127,19 @@ def ban(address): self_network = ipaddress.ip_network(address.decode('ascii')) if WHITELIST: for wl_key in WHITELIST: + if not is_ip_network(wl_key): + hostname = wl_key + try: + wl_key = socket.gethostbyname(hostname) + except socket.gaierror as err: + continue + + log['time'] = int(round(time.time())) + log['priority'] = 'info' + log['message'] = 'Hostname %s is resolved to %s' % (hostname, wl_key) + r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False)) + print 'Hostname %s is resolved to %s' % (hostname, wl_key) + wl_net = ipaddress.ip_network(wl_key.decode('ascii'), False) if wl_net.overlaps(self_network): log['time'] = int(round(time.time())) diff --git a/data/web/inc/functions.fail2ban.inc.php b/data/web/inc/functions.fail2ban.inc.php index 1cde10d31..bf4924905 100644 --- a/data/web/inc/functions.fail2ban.inc.php +++ b/data/web/inc/functions.fail2ban.inc.php @@ -9,6 +9,11 @@ function valid_network($network) { } return false; } + +function valid_hostname($hostname) { + return filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME); +} + function fail2ban($_action, $_data = null) { global $redis; global $lang; @@ -188,7 +193,7 @@ function fail2ban($_action, $_data = null) { $wl_array = array_map('trim', preg_split( "/( |,|;|\n)/", $wl)); if (is_array($wl_array)) { foreach ($wl_array as $wl_item) { - if (valid_network($wl_item)) { + if (valid_network($wl_item) || valid_hostname($wl_item)) { $redis->hSet('F2B_WHITELIST', $wl_item, 1); } }