ruben/jail2ban
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: ruben:main
Branches Tags
ruben:main
ruben:develop
ruben:2023.1
ruben:2022.1
..
compare: ruben:develop
Branches Tags
ruben:main
ruben:develop
ruben:2023.1
ruben:2022.1

3 Commits
main ... develop

Author SHA1 Message Date
Ruben van Staveren
6f36df2195 Merge branch '4-create-a-list-route-for-showing-banned-addresses' into 'develop' 
Resolve "Create a /list route for showing banned addresses"

See merge request ruben/jail2ban-pf!7
 2023-01-16 16:38:37 +00:00
Ruben van Staveren
c991df53fa Resolve "Create a /list route for showing banned addresses" 2023-01-16 16:38:37 +00:00
Ruben van Staveren
f39d319b25
Merge branch 'release/2023.1' into develop 2023-01-13 10:33:59 +01:00
16 changed files with 218 additions and 197 deletions
Show Stats Expand all files Collapse all files

17
.gitea/workflows/flake8.yml
View File

@ -1,17 +0,0 @@
---
name: Flake8
on: [push]
# XXX need to do stuff with uv
jobs:
build:
runs-on: freebsd
strategy:
matrix:
python-version: ["3.11"]
steps:
- uses: actions/checkout@v4
- name: Analyse code with Flake8
run: |
flake8 $(git ls-files '*.py')

17
.gitea/workflows/mypy.yml
View File

@ -1,17 +0,0 @@
---
name: Mypy
on: [push]
# XXX need to do stuff with uv
jobs:
build:
runs-on: freebsd
strategy:
matrix:
python-version: ["3.11"]
steps:
- uses: actions/checkout@v4
- name: Analyse code with Mypy
run: |
mypy --install-types --non-interactive $(git ls-files '*.py')

17
.gitea/workflows/pylint.yml
View File

@ -1,17 +0,0 @@
---
name: Pylint
on: [push]
# XXX need to do stuff with uv
jobs:
build:
runs-on: freebsd
strategy:
matrix:
python-version: ["3.11"]
steps:
- uses: actions/checkout@v4
- name: Analyse code with Pylint
run: |
pylint $(git ls-files '*.py')

2
.gitignore vendored
View File

@ -1,5 +1,7 @@
venv/
*.sw?
*.pyc
__pycache__/

30
.gitlab-ci.yml
View File

@ -1,34 +1,6 @@
---
run pylint:
stage: test
image: python:3.11
script:
- pip install --upgrade pylint
- pylint $(git ls-files '*.py')
tags:
- docker
run flake8:
stage: test
image: python:3.11
script:
- pip install --upgrade flake8
- flake8 $(git ls-files '*.py')
tags:
- docker
run mypy:
stage: test
image: python:3.11
script:
- pip install --upgrade mypy
- mypy --install-types --non-interactive $(git ls-files '*.py')
tags:
- docker
run tests:
stage: test
image: python:3.11
image: python:3.9
script:
- pip install pytest pytest-cov pytest-mock pytest-flask
- pip install Flask-HTTPAuth

2
.pylintrc Normal file
View File

@ -0,0 +1,2 @@
[TYPECHECK]
generated-members=app.logger.*

1
README.md
View File

@ -1,7 +1,6 @@
[![pipeline status](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/pipeline.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main)
[![coverage report](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/badges/main/coverage.svg)](https://gitlab.niet.verweg.com/ruben/jail2ban-pf/-/commits/main)
An API to remotely control a pf based fail2ban
## Installation

79
jail2ban/__init__.py
View File

@ -1,17 +1,16 @@
'''
An API to remotely control a pf based fail2ban
jail2ban, a remote fail2ban action plugin using OpenBSD pf(8)
'''
import re
from ipaddress import ip_address
import re
from subprocess import CalledProcessError
from flask import Flask, current_app, jsonify, request
from flask_httpauth import HTTPBasicAuth # type: ignore
from flask import Flask, request, jsonify, current_app
from flask_httpauth import HTTPBasicAuth
from werkzeug.security import check_password_hash
from jail2ban.pfctl import pfctl_table_op, pfctl_cfg_read, pfctl_cfg_write
from jail2ban.auth import get_users
from jail2ban.pfctl import pfctl_cfg_read, pfctl_cfg_write, pfctl_table_op
auth = HTTPBasicAuth()
@ -21,8 +20,15 @@ PAT_PORT = r'^any(?:\s+port\s+{\w+(?:,\w+)*})?$'
PAT_PROT = r'^(?:tcp|udp)$'
PAT_NAME = r'^[\w\-]+$'
_PFCTL_TABLE_PAT = r'''\s+(?P<addr>\S+)\n
\s+Cleared:\s+(?P<date>\S+\s+\S+\s+\d+\s+(?:\d{2}:){2}\d{2}\s+\d{4})\n
\s+In/Block:\s+\[\s+Packets:\s+(?P<in_pckt_block>\d+)\s+Bytes:\s+(?P<in_bytes_block>\d+)\s+\]\n
\s+In/Pass:\s+\[\s+Packets:\s+(?P<in_pckt_pass>\d+)\s+Bytes:\s+(?P<in_bytes_pass>\d+)\s+\]\n
\s+Out/Block:\s+\[\s+Packets:\s+(?P<out_pckt_block>\d+)\s+Bytes:\s+(?P<out_bytes_block>\d+)\s+\]\n
\s+Out/Pass:\s+\[\s+Packets:\s+(?P<out_pckt_pass>\d+)\s+Bytes:\s+(?P<out_bytes_pass>\d+)\s+\]'''
def untaint(pattern: str, string: str) -> str:
def untaint(pattern, string):
'''
untaint string (as perl does)
'''
@ -34,7 +40,7 @@ def untaint(pattern: str, string: str) -> str:
def create_app():
'''
Create the flask application
Create wsgi application instance
'''
app = Flask(__name__, instance_relative_config=True)
@ -42,7 +48,7 @@ def create_app():
app.config.from_pyfile('config.py', silent=True)
@auth.verify_password
def verify_password(username: str, password: str) -> str | None:
def verify_password(username, password):
users = get_users()
current_app.logger.debug(users)
current_app.logger.debug('Checking password of %s', username)
@ -56,18 +62,17 @@ def create_app():
def ping():
remote_user = auth.username()
app.logger.info('Received ping for'
' anchor f2b-jail/%s', remote_user)
f' anchor f2b-jail/{remote_user}')
return jsonify({'anchor': f'f2b-jail/{remote_user}',
'operation': 'ping',
'result': 'pong'})
@app.route("/flush/<name>", methods=['GET'])
@auth.login_required
def flush(name):
remote_user = auth.username()
name = untaint(PAT_NAME, name)
app.logger.info('Flushing table f2b-%s'
' in anchor f2b-jail/%s', name, remote_user)
app.logger.info(f'Flushing table f2b-{name}'
f' in anchor f2b-jail/{remote_user}')
res = pfctl_table_op('f2b-jail/{remote_user}',
table='f2b-{name}',
operation='flush')
@ -76,6 +81,36 @@ def create_app():
'operation': 'flush',
'result': [x.decode('ascii') for x in res]})
@app.route("/list/<name>", methods=['GET'])
@auth.login_required
def list_table(name):
remote_user = auth.username()
name = untaint(PAT_NAME, name)
app.logger.info(f'Flushing table f2b-{name}'
f' in anchor f2b-jail/{remote_user}')
reply = {'anchor': f'f2b-jail/{remote_user}',
'table': f'f2b-{name}',
'operation': 'list'}
try:
res = pfctl_table_op('f2b-jail/{remote_user}',
table='f2b-{name}',
operation='show',
verbose=True)
except CalledProcessError as err:
if err.stderr.find(b'pfctl: Table does not exist.') > 0:
res = []
reply.update({'error': f'\'{name}\' is not a known fail2ban jail'})
else:
raise err
result = [entry.groupdict() for entry in
re.finditer(_PFCTL_TABLE_PAT,
'\n'.join([x.decode('ascii') for x in res]),
re.MULTILINE|re.VERBOSE)]
reply.update({'result': result})
return jsonify(reply), 200 if len(res) else 404
@app.route("/register", methods=['PUT', 'DELETE'])
@auth.login_required
def register():
@ -107,7 +142,7 @@ def create_app():
pfctl_table_op(f'f2b-jail/{remote_user}',
table=f'f2b-{name}',
operation='kill')
app.logger.info('pfctl -a f2b-jail/%s -f-', remote_user)
app.logger.info(f'pfctl -a f2b-jail/{remote_user} -f-')
return jsonify({'anchor': f'f2b-jail/{remote_user}',
'table': f'f2b-{name}',
'action': 'start' if request.method == 'PUT'
@ -121,21 +156,21 @@ def create_app():
data = request.get_json()
# name / ip
name = untaint(PAT_NAME, data['name'])
ip = ip_address(data['ip'])
ip_addr = ip_address(data['ip'])
if request.method == 'PUT':
app.logger.info('Add %s to f2b-%s'
' in anchor f2b-jail/%s', ip, name, remote_user)
app.logger.info(f'Add {ip_addr} to f2b-{name}'
f' in anchor f2b-jail/{remote_user}')
res = pfctl_table_op(f'f2b-jail/{remote_user}',
table=f'f2b-{name}',
operation='add',
value=str(ip))
value=str(ip_addr))
else: # 'DELETE':
app.logger.info('Remove %s from f2b-%s'
' in anchor f2b-jail/%s', ip, name, remote_user)
app.logger.info(f'Remove {ip_addr} from f2b-{name}'
f' in anchor f2b-jail/{remote_user}')
res = pfctl_table_op(f'f2b-jail/{remote_user}',
table=f'f2b-{name}',
operation='delete',
value=str(ip))
value=str(ip_addr))
return jsonify({'anchor': f'f2b-jail/{remote_user}',
'table': f'f2b-{name}',
'operation': 'add' if request.method == 'PUT'
@ -156,6 +191,8 @@ def create_app():
Show a json parsable error if the value is illegal
'''
app.logger.fatal(error)
app.logger.fatal('stdout: %s', error.stderr)
app.logger.fatal('stderr: %s', error.stderr)
return jsonify({'error': str(error)}), 500
@app.errorhandler(FileNotFoundError)

6
jail2ban/auth.py
View File

@ -1,13 +1,7 @@
'''
Authentication backend
'''
from flask import current_app
def get_users():
'''
Load users from password file (AUTHFILE)
'''
users = {}
authfile = current_app.config['AUTHFILE']

14
jail2ban/pfctl.py
View File

@ -1,5 +1,5 @@
'''
pf table/anchor operations
Lowlevel routines for calling the pf binary with passwordless sudo
'''
import logging
from subprocess import run
@ -7,10 +7,9 @@ from subprocess import run
_SUDO = '/usr/local/bin/sudo'
_PFCTL = '/sbin/pfctl'
def pfctl_cfg_read(anchor):
'''
Read from pf anchor
Read pf rules stored under a certain anchor
'''
cmd = [_SUDO, _PFCTL, '-a', anchor, '-sr']
logging.info('Running %s', cmd)
@ -23,7 +22,7 @@ def pfctl_cfg_read(anchor):
def pfctl_cfg_write(anchor, cfg):
'''
Apply configuration to pf anchor
Write pf rules under a certain anchor
'''
cmd = [_SUDO, _PFCTL, '-a', anchor, '-f-']
logging.info('Running %s', cmd)
@ -41,15 +40,12 @@ def pfctl_cfg_write(anchor, cfg):
def pfctl_table_op(anchor, **kwargs):
'''
pf table operation
Parameters:
* table: which table to work on
* operation: operation used on the table
* value (optional): value used for the operation
'''
table = kwargs['table']
operation = kwargs['operation']
value = kwargs['value'] if 'value' in kwargs else None
cmd = [_SUDO, _PFCTL, '-a', anchor, '-t', table, '-T', operation, value]
verbose = '-v' if 'verbose' in kwargs and kwargs['verbose'] else None
cmd = [_SUDO, _PFCTL, '-a', anchor, '-t', table, verbose, '-T', operation, value]
logging.info('Running %s', cmd)

16
tests/conftest.py
View File

@ -1,10 +1,5 @@
'''
Test fixtures
'''
import base64
import pytest
import base64
from jail2ban import create_app
@ -26,23 +21,14 @@ def app():
@pytest.fixture()
def client(app):
'''
Create a synthetic client
'''
return app.test_client()
@pytest.fixture()
def runner(app):
'''
Create a synthetic runner
'''
return app.test_cli_runner()
@pytest.fixture()
def valid_credentials():
'''
Mock authentication for the test
'''
return base64.b64encode(b"test.example.com:testpassword").decode("utf-8")

18
tests/test_ban.py
View File

@ -1,13 +1,7 @@
'''
Test banning
'''
from types import SimpleNamespace
def test_ban_ipv6(client, mocker, valid_credentials):
'''
Test ban an IPv6 address
'''
def noop():
pass
run_res = SimpleNamespace()
@ -28,9 +22,6 @@ def test_ban_ipv6(client, mocker, valid_credentials):
def test_ban_ipv4(client, mocker, valid_credentials):
'''
Test ban an IPv4 address
'''
def noop():
pass
run_res = SimpleNamespace()
@ -51,9 +42,6 @@ def test_ban_ipv4(client, mocker, valid_credentials):
def test_ban_invalid(client, mocker, valid_credentials):
'''
Test ban an invalid address
'''
def noop():
pass
run_res = SimpleNamespace()
@ -75,9 +63,6 @@ def test_ban_invalid(client, mocker, valid_credentials):
def test_unban_ipv6(client, mocker, valid_credentials):
'''
Test unbanning an IPv6 address
'''
def noop():
pass
run_res = SimpleNamespace()
@ -98,9 +83,6 @@ def test_unban_ipv6(client, mocker, valid_credentials):
def test_unban_ipv4(client, mocker, valid_credentials):
'''
Test unbanning an IPv4 address
'''
def noop():
pass
run_res = SimpleNamespace()

17
tests/test_flush.py
View File

@ -1,14 +1,8 @@
'''
Test flushing pf tables
'''
from types import SimpleNamespace
from subprocess import CalledProcessError
def test_flush(client, mocker, valid_credentials):
'''
Test flushing existing entry
'''
def noop():
pass
run_res = SimpleNamespace()
@ -28,9 +22,6 @@ def test_flush(client, mocker, valid_credentials):
def test_flush_nonexistent(client, mocker, valid_credentials):
'''
Test flushing non existing entry
'''
cmd = ['/usr/local/bin/sudo',
'/sbin/pfctl', '-a', 'some/anchor',
@ -51,9 +42,6 @@ def test_flush_nonexistent(client, mocker, valid_credentials):
def test_wrong_method(client, mocker, valid_credentials):
'''
Test invalid method
'''
cmd = ['/usr/local/bin/sudo',
'/sbin/pfctl', '-a', 'some/anchor',
@ -73,10 +61,7 @@ def test_wrong_method(client, mocker, valid_credentials):
assert response.status_code == 405
def test_filenotfound(app, valid_credentials):
'''
Test for when AUTHFILE cannot be found
'''
def test_filenotfound(app, mocker, valid_credentials):
app.config.update({
"AUTHFILE": '../tests/nonexistent-users-test.txt'

140
tests/test_list.py Normal file
View File

@ -0,0 +1,140 @@
'''
Tests for /list route
'''
from types import SimpleNamespace
from subprocess import CalledProcessError
_PF_TABLE_LIST = b''' 192.0.2.66
Cleared: Sat Jan 7 12:50:36 2023
In/Block: [ Packets: 0 Bytes: 0 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
2001:db8::abad:cafe
Cleared: Sat Jan 7 05:13:53 2023
In/Block: [ Packets: 4 Bytes: 240 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
2001:db8::abad:f00d:cafe
Cleared: Sat Jan 7 05:05:16 2023
In/Block: [ Packets: 48 Bytes: 2880 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]'''
_LIST_RESULT = [{'addr': '192.0.2.66',
'date': 'Sat Jan 7 12:50:36 2023',
'in_pckt_block': '0',
'in_bytes_block': '0',
'in_pckt_pass': '0',
'in_bytes_pass': '0',
'out_pckt_block': '0',
'out_bytes_block': '0',
'out_pckt_pass': '0',
'out_bytes_pass': '0'},
{'addr': '2001:db8::abad:cafe',
'date': 'Sat Jan 7 05:13:53 2023',
'in_pckt_block': '4',
'in_bytes_block': '240',
'in_pckt_pass': '0',
'in_bytes_pass': '0',
'out_pckt_block': '0',
'out_bytes_block': '0',
'out_pckt_pass': '0',
'out_bytes_pass': '0'},
{'addr': '2001:db8::abad:f00d:cafe',
'date': 'Sat Jan 7 05:05:16 2023',
'in_pckt_block': '48',
'in_bytes_block': '2880',
'in_pckt_pass': '0',
'in_bytes_pass': '0',
'out_pckt_block': '0',
'out_bytes_block': '0',
'out_pckt_pass': '0',
'out_bytes_pass': '0'}]
def test_list_single_table(client, mocker, valid_credentials):
'''
List a single pf table using the fail2ban jail name
'''
def noop():
pass
run_res = SimpleNamespace()
run_res.stdout = _PF_TABLE_LIST
run_res.stderr = b'No ALTQ support in kernel\nALTQ related functions disabled\n'
run_res.returncode = 0
run_res.check_returncode = noop
mocker.patch('jail2ban.pfctl.run', return_value=run_res)
response = client.get("/list/sshd",
headers={"Authorization":
"Basic " + valid_credentials})
assert response.json['table'] == 'f2b-sshd'
assert response.json['result'] == _LIST_RESULT
def test_list_nonexistent_table(client, mocker, valid_credentials):
'''
Test for nonexistent table. Should result in a 404 not found
'''
def noop():
pass
run_res = SimpleNamespace()
run_res.stdout = b''
run_res.stderr = b'No ALTQ support in kernel\nALTQ related functions disabled\n' \
b'pfctl: Table does not exist.\n'
run_res.returncode = 255
run_res.check_returncode = noop
mocker.patch('jail2ban.pfctl.run',
return_value=run_res,
side_effect=CalledProcessError(run_res.returncode,
'foobar',
output=run_res.stdout,
stderr=run_res.stderr)
)
response = client.get("/list/nonexistent",
headers={"Authorization":
"Basic " + valid_credentials})
assert response.status_code == 404
assert response.json['error'] == "'nonexistent' is not " \
"a known fail2ban jail"
def test_list_wrong_table_name(client, mocker, valid_credentials):
'''
Test for an wrong table name that lets pfctl fail. should result in a 500
'''
def noop():
pass
run_res = SimpleNamespace()
run_res.stdout = b''
run_res.stderr = b'No ALTQ support in kernel\nALTQ related functions disabled\n' \
b'pfctl: Invalid argument.\n'
run_res.returncode = 255
run_res.check_returncode = noop
mocker.patch('jail2ban.pfctl.run',
return_value=run_res,
side_effect=CalledProcessError(run_res.returncode,
'foobar',
output=run_res.stdout,
stderr=run_res.stderr)
)
response = client.get("/list/notanerrorbuttestneedstofail",
headers={"Authorization":
"Basic " + valid_credentials})
assert response.status_code == 500
assert response.json['error'] == "Command 'foobar' returned non-zero exit status 255."

7
tests/test_ping.py
View File

@ -1,9 +1,4 @@
'''
Test application health check
'''
def test_ping(client, valid_credentials):
def test_ping(client, mocker, valid_credentials):
'''
Test application health check
'''

32
tests/test_register.py
View File

@ -1,9 +1,6 @@
'''
Test various registration scenarios
'''
from subprocess import CompletedProcess
PFCTL_STDOUT_LINES = b'''
pfctl_stdout_lines = b'''
block drop quick proto tcp from <f2b-sendmail-auth> to any port = submission
block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtps
block drop quick proto tcp from <f2b-sendmail-auth> to any port = smtp
@ -11,16 +8,13 @@ block drop quick proto tcp from <f2b-sshd> to any port = ssh
block drop quick proto tcp from <f2b-recidive> to any
'''.strip() + b'\n'
PFCTL_STDOUT_LINES_SCRATCH = b'table <f2b-dovecot> persist counters\n' \
pfctl_stdout_lines_scratch = b'table <f2b-dovecot> persist counters\n' \
b'block quick proto tcp from <f2b-dovecot>' \
b' to any port ' \
b'{pop3,pop3s,imap,imaps,submission,465,sieve}\n'
def test_register_unauth(client):
'''
Test a registration without being authorized
'''
json_payload = {"port":
"any port {pop3,pop3s,imap,imaps,submission,465,sieve}",
"name": "dovecot", "protocol": "tcp"}
@ -30,13 +24,10 @@ def test_register_unauth(client):
def test_unregister_valid(client, mocker, valid_credentials):
'''
Test unregistration
'''
def noop():
pass
run_res = CompletedProcess(args=['true'], returncode=0)
run_res.stdout = PFCTL_STDOUT_LINES
run_res.stdout = pfctl_stdout_lines
run_res.check_returncode = noop
mocker.patch('jail2ban.pfctl.run', return_value=run_res)
@ -54,13 +45,10 @@ def test_unregister_valid(client, mocker, valid_credentials):
def test_register_valid(client, mocker, valid_credentials):
'''
Test a registration of a rule
'''
def noop():
pass
run_res = CompletedProcess(args=['true'], returncode=0)
run_res.stdout = PFCTL_STDOUT_LINES
run_res.stdout = pfctl_stdout_lines
run_res.check_returncode = noop
pfctl_run = mocker.patch('jail2ban.pfctl.run', return_value=run_res)
@ -75,16 +63,13 @@ def test_register_valid(client, mocker, valid_credentials):
"Basic " + valid_credentials})
pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input']
for existing_line in PFCTL_STDOUT_LINES.splitlines():
for existing_line in pfctl_stdout_lines.splitlines():
assert existing_line in pfctl_run_input_arg.splitlines()
assert response.json['action'] == 'start'
def test_register_valid_from_scratch(client, mocker, valid_credentials):
'''
Test from scratch point of view
'''
def noop():
pass
run_res = CompletedProcess(args=['true'], returncode=0)
@ -103,18 +88,15 @@ def test_register_valid_from_scratch(client, mocker, valid_credentials):
"Basic " + valid_credentials})
pfctl_run_input_arg = pfctl_run.call_args_list[1][1]['input']
assert pfctl_run_input_arg == PFCTL_STDOUT_LINES_SCRATCH
assert pfctl_run_input_arg == pfctl_stdout_lines_scratch
assert response.json['action'] == 'start'
def test_register_invalid(client, mocker, valid_credentials):
'''
Test a bogus pf command
'''
def noop():
pass
run_res = CompletedProcess(args=['true'], returncode=0)
run_res.stdout = PFCTL_STDOUT_LINES
run_res.stdout = pfctl_stdout_lines
run_res.check_returncode = noop
mocker.patch('jail2ban.pfctl.run', return_value=run_res)