ruben/jail2ban
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: ruben:b539eac83d748fa9f7ceee90b208cf01fadd8996
Branches Tags
ruben:main
ruben:develop
ruben:2023.1
ruben:2022.1
..
compare: ruben:a64d17b2e8921783a7d2a81235d8d2db2956a320
Branches Tags
ruben:main
ruben:develop
ruben:2023.1
ruben:2022.1

No commits in common. "b539eac83d748fa9f7ceee90b208cf01fadd8996" and "a64d17b2e8921783a7d2a81235d8d2db2956a320" have entirely different histories.
b539eac83d ... a64d17b2e8

11 changed files with 29 additions and 173 deletions
Show Stats Expand all files Collapse all files

13
.gitea/workflows/flake8.yml
View File

@ -1,13 +0,0 @@
---
name: Flake8
on: [push]
jobs:
build:
strategy:
matrix:
python-version: ["3.11"]
steps:
- name: Analyse code with Flake8
run: |
flake8 $(git ls-files '*.py')

30
.gitlab-ci.yml
View File

@ -1,34 +1,6 @@
---
run pylint:
stage: test
image: python:3.11
script:
- pip install --upgrade pylint
- pylint $(git ls-files '*.py')
tags:
- docker
run flake8:
stage: test
image: python:3.11
script:
- pip install --upgrade flake8
- flake8 $(git ls-files '*.py')
tags:
- docker
run mypy:
stage: test
image: python:3.11
script:
- pip install --upgrade mypy
- mypy --install-types --non-interactive $(git ls-files '*.py')
tags:
- docker
run tests: run tests:
stage: test stage: test
image: python:3.11 image: python:3.9
script: script:
- pip install pytest pytest-cov pytest-mock pytest-flask - pip install pytest pytest-cov pytest-mock pytest-flask
- pip install Flask-HTTPAuth - pip install Flask-HTTPAuth

1
README.md
View File

@ -1,7 +1,6 @@
[![pipeline status](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/pipeline.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main) [![pipeline status](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/pipeline.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main)
[![coverage report](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/coverage.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main) [![coverage report](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/coverage.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main)
An API to remotely control a pf based fail2ban
## Installation ## Installation

44
jail2ban/__init__.py
View File

@ -1,17 +1,11 @@
''' from flask import Flask, request, jsonify, current_app
An API to remotely control a pf based fail2ban from flask_httpauth import HTTPBasicAuth
'''
import re
from ipaddress import ip_address
from subprocess import CalledProcessError
from flask import Flask, current_app, jsonify, request
from flask_httpauth import HTTPBasicAuth # type: ignore
from werkzeug.security import check_password_hash from werkzeug.security import check_password_hash
from ipaddress import ip_address
import re
from jail2ban.pfctl import pfctl_table_op, pfctl_cfg_read, pfctl_cfg_write
from jail2ban.auth import get_users from jail2ban.auth import get_users
from jail2ban.pfctl import pfctl_cfg_read, pfctl_cfg_write, pfctl_table_op from subprocess import CalledProcessError
auth = HTTPBasicAuth() auth = HTTPBasicAuth()
@ -22,52 +16,48 @@ PAT_PROT = r'^(?:tcp|udp)$'
PAT_NAME = r'^[\w\-]+$' PAT_NAME = r'^[\w\-]+$'
def untaint(pattern: str, string: str) -> str: def untaint(pattern, string):
''' '''
untaint string (as perl does) untaint string (as perl does)
''' '''
match = re.match(pattern, string) match = re.match(pattern, string)
if match: if match:
return match.string return match.string
else:
raise ValueError(f'"{string}" is tainted') raise ValueError(f'"{string}" is tainted')
def create_app(): def create_app():
'''
Create the flask application
'''
app = Flask(__name__, instance_relative_config=True) app = Flask(__name__, instance_relative_config=True)
# load the instance config, if it exists, when not testing # load the instance config, if it exists, when not testing
app.config.from_pyfile('config.py', silent=True) app.config.from_pyfile('config.py', silent=True)
@auth.verify_password @auth.verify_password
def verify_password(username: str, password: str) -> str | None: def verify_password(username, password):
users = get_users() users = get_users()
current_app.logger.debug(users) current_app.logger.debug(users)
current_app.logger.debug('Checking password of %s', username) current_app.logger.debug('Checking password of %s', username)
if username in users and \ if username in users and \
check_password_hash(users.get(username), password): check_password_hash(users.get(username), password):
return username return username
return None
@app.route("/ping", methods=['GET']) @app.route("/ping", methods=['GET'])
@auth.login_required @auth.login_required
def ping(): def ping():
remote_user = auth.username() remote_user = auth.username()
app.logger.info('Received ping for' app.logger.info('Received ping for'
' anchor f2b-jail/%s', remote_user) f' anchor f2b-jail/{remote_user}')
return jsonify({'anchor': f'f2b-jail/{remote_user}', return jsonify({'anchor': f'f2b-jail/{remote_user}',
'operation': 'ping', 'operation': 'ping',
'result': 'pong'}) 'result': 'pong'})
@app.route("/flush/<name>", methods=['GET']) @app.route("/flush/<name>", methods=['GET'])
@auth.login_required @auth.login_required
def flush(name): def flush(name):
remote_user = auth.username() remote_user = auth.username()
name = untaint(PAT_NAME, name) name = untaint(PAT_NAME, name)
app.logger.info('Flushing table f2b-%s' app.logger.info(f'Flushing table f2b-{name}'
' in anchor f2b-jail/%s', name, remote_user) f' in anchor f2b-jail/{remote_user}')
res = pfctl_table_op('f2b-jail/{remote_user}', res = pfctl_table_op('f2b-jail/{remote_user}',
table='f2b-{name}', table='f2b-{name}',
operation='flush') operation='flush')
@ -107,7 +97,7 @@ def create_app():
pfctl_table_op(f'f2b-jail/{remote_user}', pfctl_table_op(f'f2b-jail/{remote_user}',
table=f'f2b-{name}', table=f'f2b-{name}',
operation='kill') operation='kill')
app.logger.info('pfctl -a f2b-jail/%s -f-', remote_user) app.logger.info(f'pfctl -a f2b-jail/{remote_user} -f-')
return jsonify({'anchor': f'f2b-jail/{remote_user}', return jsonify({'anchor': f'f2b-jail/{remote_user}',
'table': f'f2b-{name}', 'table': f'f2b-{name}',
'action': 'start' if request.method == 'PUT' 'action': 'start' if request.method == 'PUT'
@ -123,15 +113,15 @@ def create_app():
name = untaint(PAT_NAME, data['name']) name = untaint(PAT_NAME, data['name'])
ip = ip_address(data['ip']) ip = ip_address(data['ip'])
if request.method == 'PUT': if request.method == 'PUT':
app.logger.info('Add %s to f2b-%s' app.logger.info(f'Add {ip} to f2b-{name}'
' in anchor f2b-jail/%s', ip, name, remote_user) f' in anchor f2b-jail/{remote_user}')
res = pfctl_table_op(f'f2b-jail/{remote_user}', res = pfctl_table_op(f'f2b-jail/{remote_user}',
table=f'f2b-{name}', table=f'f2b-{name}',
operation='add', operation='add',
value=str(ip)) value=str(ip))
else: # 'DELETE': else: # 'DELETE':
app.logger.info('Remove %s from f2b-%s' app.logger.info(f'Remove {ip} from f2b-{name}'
' in anchor f2b-jail/%s', ip, name, remote_user) f' in anchor f2b-jail/{remote_user}')
res = pfctl_table_op(f'f2b-jail/{remote_user}', res = pfctl_table_op(f'f2b-jail/{remote_user}',
table=f'f2b-{name}', table=f'f2b-{name}',
operation='delete', operation='delete',

6
jail2ban/auth.py
View File

@ -1,13 +1,7 @@
'''
Authentication backend
'''
from flask import current_app from flask import current_app
def get_users(): def get_users():
'''
Load users from password file (AUTHFILE)
'''
users = {} users = {}
authfile = current_app.config['AUTHFILE'] authfile = current_app.config['AUTHFILE']

16
jail2ban/pfctl.py
View File

@ -1,6 +1,3 @@
'''
pf table/anchor operations
'''
import logging import logging
from subprocess import run from subprocess import run
@ -9,9 +6,6 @@ _PFCTL = '/sbin/pfctl'
def pfctl_cfg_read(anchor): def pfctl_cfg_read(anchor):
'''
Read from pf anchor
'''
cmd = [_SUDO, _PFCTL, '-a', anchor, '-sr'] cmd = [_SUDO, _PFCTL, '-a', anchor, '-sr']
logging.info('Running %s', cmd) logging.info('Running %s', cmd)
@ -22,9 +16,6 @@ def pfctl_cfg_read(anchor):
def pfctl_cfg_write(anchor, cfg): def pfctl_cfg_write(anchor, cfg):
'''
Apply configuration to pf anchor
'''
cmd = [_SUDO, _PFCTL, '-a', anchor, '-f-'] cmd = [_SUDO, _PFCTL, '-a', anchor, '-f-']
logging.info('Running %s', cmd) logging.info('Running %s', cmd)
logging.info('Config %s', cfg) logging.info('Config %s', cfg)
@ -39,13 +30,6 @@ def pfctl_cfg_write(anchor, cfg):
def pfctl_table_op(anchor, **kwargs): def pfctl_table_op(anchor, **kwargs):
'''
pf table operation
Parameters:
* table: which table to work on
* operation: operation used on the table
* value (optional): value used for the operation
'''
table = kwargs['table'] table = kwargs['table']
operation = kwargs['operation'] operation = kwargs['operation']
value = kwargs['value'] if 'value' in kwargs else None value = kwargs['value'] if 'value' in kwargs else None

16
tests/conftest.py
View File

@ -1,10 +1,5 @@
'''
Test fixtures
'''
import base64
import pytest import pytest
import base64
from jail2ban import create_app from jail2ban import create_app
@ -26,23 +21,14 @@ def app():
@pytest.fixture() @pytest.fixture()
def client(app): def client(app):
'''
Create a synthetic client
'''
return app.test_client() return app.test_client()
@pytest.fixture() @pytest.fixture()
def runner(app): def runner(app):
'''
Create a synthetic runner
'''
return app.test_cli_runner() return app.test_cli_runner()
@pytest.fixture() @pytest.fixture()
def valid_credentials(): def valid_credentials():
'''
Mock authentication for the test
'''
return base64.b64encode(b"test.example.com:testpassword").decode("utf-8") return base64.b64encode(b"test.example.com:testpassword").decode("utf-8")

18
tests/test_ban.py
View File

@ -1,13 +1,7 @@
'''
Test banning
'''
from types import SimpleNamespace from types import SimpleNamespace
def test_ban_ipv6(client, mocker, valid_credentials): def test_ban_ipv6(client, mocker, valid_credentials):
'''
Test ban an IPv6 address
'''
def noop(): def noop():
pass pass
run_res = SimpleNamespace() run_res = SimpleNamespace()
@ -28,9 +22,6 @@ def test_ban_ipv6(client, mocker, valid_credentials):
def test_ban_ipv4(client, mocker, valid_credentials): def test_ban_ipv4(client, mocker, valid_credentials):
'''
Test ban an IPv4 address
'''
def noop(): def noop():
pass pass
run_res = SimpleNamespace() run_res = SimpleNamespace()
@ -51,9 +42,6 @@ def test_ban_ipv4(client, mocker, valid_credentials):
def test_ban_invalid(client, mocker, valid_credentials): def test_ban_invalid(client, mocker, valid_credentials):
'''
Test ban an invalid address
'''
def noop(): def noop():
pass pass
run_res = SimpleNamespace() run_res = SimpleNamespace()
@ -75,9 +63,6 @@ def test_ban_invalid(client, mocker, valid_credentials):
def test_unban_ipv6(client, mocker, valid_credentials): def test_unban_ipv6(client, mocker, valid_credentials):
'''
Test unbanning an IPv6 address
'''
def noop(): def noop():
pass pass
run_res = SimpleNamespace() run_res = SimpleNamespace()
@ -98,9 +83,6 @@ def test_unban_ipv6(client, mocker, valid_credentials):
def test_unban_ipv4(client, mocker, valid_credentials): def test_unban_ipv4(client, mocker, valid_credentials):
'''
Test unbanning an IPv4 address
'''
def noop(): def noop():
pass pass
run_res = SimpleNamespace() run_res = SimpleNamespace()

17
tests/test_flush.py
View File

@ -1,14 +1,8 @@
'''
Test flushing pf tables
'''
from types import SimpleNamespace from types import SimpleNamespace
from subprocess import CalledProcessError from subprocess import CalledProcessError
def test_flush(client, mocker, valid_credentials): def test_flush(client, mocker, valid_credentials):
'''
Test flushing existing entry
'''
def noop(): def noop():
pass pass
run_res = SimpleNamespace() run_res = SimpleNamespace()
@ -28,9 +22,6 @@ def test_flush(client, mocker, valid_credentials):
def test_flush_nonexistent(client, mocker, valid_credentials): def test_flush_nonexistent(client, mocker, valid_credentials):
'''
Test flushing non existing entry
'''
cmd = ['/usr/local/bin/sudo', cmd = ['/usr/local/bin/sudo',
'/sbin/pfctl', '-a', 'some/anchor', '/sbin/pfctl', '-a', 'some/anchor',
@ -51,9 +42,6 @@ def test_flush_nonexistent(client, mocker, valid_credentials):
def test_wrong_method(client, mocker, valid_credentials): def test_wrong_method(client, mocker, valid_credentials):
'''
Test invalid method
'''
cmd = ['/usr/local/bin/sudo', cmd = ['/usr/local/bin/sudo',
'/sbin/pfctl', '-a', 'some/anchor', '/sbin/pfctl', '-a', 'some/anchor',
@ -73,10 +61,7 @@ def test_wrong_method(client, mocker, valid_credentials):
assert response.status_code == 405 assert response.status_code == 405
def test_filenotfound(app, valid_credentials): def test_filenotfound(app, mocker, valid_credentials):
'''
Test for when AUTHFILE cannot be found
'''
app.config.update({ app.config.update({
"AUTHFILE": '../tests/nonexistent-users-test.txt' "AUTHFILE": '../tests/nonexistent-users-test.txt'

7
tests/test_ping.py
View File

@ -1,9 +1,4 @@
''' def test_ping(client, mocker, valid_credentials):
Test application health check
'''
def test_ping(client, valid_credentials):
''' '''
Test application health check Test application health check
''' '''

32
tests/test_register.py
View File

@ -1,9 +1,6 @@
'''
Test various registration scenarios
'''
from subprocess import CompletedProcess from subprocess import CompletedProcess
PFCTL_STDOUT_LINES = b''' pfctl_stdout_lines = b'''
block drop quick proto tcp from <f2b-sendmail-auth> to any port = submission block drop quick proto tcp from <f2b-sendmail-auth> to any port = submission
block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtps block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtps
block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtp block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtp
@ -11,16 +8,13 @@ block drop quick proto tcp from <f2b-sshd> to any port = ssh
block drop quick proto tcp from <f2b-recidive> to any block drop quick proto tcp from <f2b-recidive> to any
'''.strip() + b'\n' '''.strip() + b'\n'
PFCTL_STDOUT_LINES_SCRATCH = b'table <f2b-dovecot> persist counters\n' \ pfctl_stdout_lines_scratch = b'table <f2b-dovecot> persist counters\n' \
b'block quick proto tcp from <f2b-dovecot>' \ b'block quick proto tcp from <f2b-dovecot>' \
b' to any port ' \ b' to any port ' \
b'{pop3,pop3s,imap,imaps,submission,465,sieve}\n' b'{pop3,pop3s,imap,imaps,submission,465,sieve}\n'
def test_register_unauth(client): def test_register_unauth(client):
'''
Test a registration without being authorized
'''
json_payload = {"port": json_payload = {"port":
"any port {pop3,pop3s,imap,imaps,submission,465,sieve}", "any port {pop3,pop3s,imap,imaps,submission,465,sieve}",
"name": "dovecot", "protocol": "tcp"} "name": "dovecot", "protocol": "tcp"}
@ -30,13 +24,10 @@ def test_register_unauth(client):
def test_unregister_valid(client, mocker, valid_credentials): def test_unregister_valid(client, mocker, valid_credentials):
'''
Test unregistration
'''
def noop(): def noop():
pass pass
run_res = CompletedProcess(args=['true'], returncode=0) run_res = CompletedProcess(args=['true'], returncode=0)
run_res.stdout = PFCTL_STDOUT_LINES run_res.stdout = pfctl_stdout_lines
run_res.check_returncode = noop run_res.check_returncode = noop
mocker.patch('jail2ban.pfctl.run', return_value=run_res) mocker.patch('jail2ban.pfctl.run', return_value=run_res)
@ -54,13 +45,10 @@ def test_unregister_valid(client, mocker, valid_credentials):
def test_register_valid(client, mocker, valid_credentials): def test_register_valid(client, mocker, valid_credentials):
'''
Test a registration of a rule
'''
def noop(): def noop():
pass pass
run_res = CompletedProcess(args=['true'], returncode=0) run_res = CompletedProcess(args=['true'], returncode=0)
run_res.stdout = PFCTL_STDOUT_LINES run_res.stdout = pfctl_stdout_lines
run_res.check_returncode = noop run_res.check_returncode = noop
pfctl_run = mocker.patch('jail2ban.pfctl.run', return_value=run_res) pfctl_run = mocker.patch('jail2ban.pfctl.run', return_value=run_res)
@ -75,16 +63,13 @@ def test_register_valid(client, mocker, valid_credentials):
"Basic " + valid_credentials}) "Basic " + valid_credentials})
pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input'] pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input']
for existing_line in PFCTL_STDOUT_LINES.splitlines(): for existing_line in pfctl_stdout_lines.splitlines():
assert existing_line in pfctl_run_input_arg.splitlines() assert existing_line in pfctl_run_input_arg.splitlines()
assert response.json['action'] == 'start' assert response.json['action'] == 'start'
def test_register_valid_from_scratch(client, mocker, valid_credentials): def test_register_valid_from_scratch(client, mocker, valid_credentials):
'''
Test from scratch point of view
'''
def noop(): def noop():
pass pass
run_res = CompletedProcess(args=['true'], returncode=0) run_res = CompletedProcess(args=['true'], returncode=0)
@ -103,18 +88,15 @@ def test_register_valid_from_scratch(client, mocker, valid_credentials):
"Basic " + valid_credentials}) "Basic " + valid_credentials})
pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input'] pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input']
assert pfctl_run_input_arg == PFCTL_STDOUT_LINES_SCRATCH assert pfctl_run_input_arg == pfctl_stdout_lines_scratch
assert response.json['action'] == 'start' assert response.json['action'] == 'start'
def test_register_invalid(client, mocker, valid_credentials): def test_register_invalid(client, mocker, valid_credentials):
'''
Test a bogus pf command
'''
def noop(): def noop():
pass pass
run_res = CompletedProcess(args=['true'], returncode=0) run_res = CompletedProcess(args=['true'], returncode=0)
run_res.stdout = PFCTL_STDOUT_LINES run_res.stdout = pfctl_stdout_lines
run_res.check_returncode = noop run_res.check_returncode = noop
mocker.patch('jail2ban.pfctl.run', return_value=run_res) mocker.patch('jail2ban.pfctl.run', return_value=run_res)