Allow hostnames for fail2ban whitelist.

This commit is contained in:
Kraeutergarten 2019-05-17 19:38:34 +02:00
parent 885b79f06f
commit 4cc63ceeb7
2 changed files with 27 additions and 1 deletions


@ -5,6 +5,7 @@ import os
import time import time
import atexit import atexit
import signal import signal
import socket
import ipaddress import ipaddress
from random import randint from random import randint
from threading import Thread from threading import Thread
@ -39,6 +40,13 @@ log = {}
quit_now = False quit_now = False
lock = Lock() lock = Lock()
def is_ip_network(address):
try:
ipaddress.ip_network(address.decode('ascii'), False)
except ValueError:
return False
return True
def refreshF2boptions(): def refreshF2boptions():
global f2boptions global f2boptions
global quit_now global quit_now
@ -119,6 +127,19 @@ def ban(address):
self_network = ipaddress.ip_network(address.decode('ascii')) self_network = ipaddress.ip_network(address.decode('ascii'))
if WHITELIST: if WHITELIST:
for wl_key in WHITELIST: for wl_key in WHITELIST:
if not is_ip_network(wl_key):
hostname = wl_key
try:
wl_key = socket.gethostbyname(hostname)
except socket.gaierror as err:
continue
log['time'] = int(round(time.time()))
log['priority'] = 'info'
log['message'] = 'Hostname %s is resolved to %s' % (hostname, wl_key)
r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
print 'Hostname %s is resolved to %s' % (hostname, wl_key)
wl_net = ipaddress.ip_network(wl_key.decode('ascii'), False) wl_net = ipaddress.ip_network(wl_key.decode('ascii'), False)
if wl_net.overlaps(self_network): if wl_net.overlaps(self_network):
log['time'] = int(round(time.time())) log['time'] = int(round(time.time()))
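Review bot: `socket.gethostbyname(hostname)` on the new line returns a single IPv4 address, so a whitelist hostname that only has an AAAA record, or one with several A records, is not fully honoured: when the address being banned is IPv6 (`self_network` is built from whatever `ban()` receives), a hostname entry can never match and that host is banned anyway. Resolving with `socket.getaddrinfo(wl_key, None, socket.AF_UNSPEC, socket.SOCK_STREAM)` and comparing every returned address covers both cases. The `except socket.gaierror as err: continue` branch also drops the entry without logging (`err` is never used), so an entry that stops resolving silently stops protecting that host; push a `NETFILTER_LOG` entry there as the success path does. `ban()` begins and ends outside this hunk, and the lookup now runs inside it for every whitelist entry on every ban, so a slow resolver delays banning; that is worth a comment at the lookup or a short-lived cache of the resolved addresses.

```python
            for wl_key in WHITELIST:
                if is_ip_network(wl_key):
                    candidates = [wl_key]
                else:
                    try:
                        # AF_UNSPEC: collect both A and AAAA answers, since the
                        # address being checked may itself be IPv6.
                        infos = socket.getaddrinfo(wl_key, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
                    except socket.gaierror as err:
                        log['time'] = int(round(time.time()))
                        log['priority'] = 'info'
                        log['message'] = 'Whitelist hostname %s could not be resolved: %s' % (wl_key, err)
                        r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
                        continue
                    candidates = list(set(info[4][0] for info in infos))
                    log['time'] = int(round(time.time()))
                    log['priority'] = 'info'
                    log['message'] = 'Hostname %s is resolved to %s' % (wl_key, ', '.join(candidates))
                    r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
                    print 'Hostname %s is resolved to %s' % (wl_key, ', '.join(candidates))
                for candidate in candidates:
                    wl_net = ipaddress.ip_network(candidate.decode('ascii'), False)
                    if wl_net.overlaps(self_network):
                        # … unchanged: whitelist-hit logging and early return …
```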


@ -9,6 +9,11 @@ function valid_network($network) {
} }
return false; return false;
} }
function valid_hostname($hostname) {
return filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME);
}
function fail2ban($_action, $_data = null) { function fail2ban($_action, $_data = null) {
global $redis; global $redis;
global $lang; global $lang;
@ -188,7 +193,7 @@ function fail2ban($_action, $_data = null) {
$wl_array = array_map('trim', preg_split( "/( |,|;|\n)/", $wl)); $wl_array = array_map('trim', preg_split( "/( |,|;|\n)/", $wl));
if (is_array($wl_array)) { if (is_array($wl_array)) {
foreach ($wl_array as $wl_item) { foreach ($wl_array as $wl_item) {
if (valid_network($wl_item)) { if (valid_network($wl_item) || valid_hostname($wl_item)) {
$redis->hSet('F2B_WHITELIST', $wl_item, 1); $redis->hSet('F2B_WHITELIST', $wl_item, 1);
} }
} }
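Review bot: `valid_hostname()` in the first hunk accepts any RFC 1123 hostname, and dotted all-numeric labels such as `1.2.3.256` or `10.0.0` appear to pass `FILTER_FLAG_HOSTNAME`, so a mistyped IP literal that `valid_network()` rejects is stored as a "hostname" on the changed line of the second hunk and later handed to DNS by the netfilter side instead of being reported back to the user. Rejecting purely numeric dotted strings before the filter keeps the two validators disjoint: `if (preg_match('/^[0-9.\/]+$/', $hostname)) { return false; }` as the first statement of `valid_hostname()`. The function also returns the filtered string or `false` rather than a bool, which works in the `||` but deserves a docblock stating `@return string|false`, and `FILTER_VALIDATE_DOMAIN` requires PHP 7.0 or later, which is worth noting where the project's minimum version is documented. The enclosing `fail2ban()` function continues past the end of the second hunk.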