
Allow hostnames for fail2ban whitelist.

Kraeutergarten 6 years ago
parent
commit
4cc63ceeb7
2 changed files with 27 additions and 1 deletions
  1. 21 0
      data/Dockerfiles/netfilter/server.py
  2. 6 1
      data/web/inc/functions.fail2ban.inc.php

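--- a/data/Dockerfiles/netfilter/server.py
+++ b/data/Dockerfiles/netfilter/server.py
@@ -5,6 +5,7 @@ import os
 import time
 import atexit
 import signal
+import socket
 import ipaddress
 from random import randint
 from threading import Thread
@@ -39,6 +40,13 @@ log = {}
 quit_now = False
 lock = Lock()
 
+def is_ip_network(address):
+  try:
+    ipaddress.ip_network(address.decode('ascii'), False)
+  except ValueError:
+    return False
+  return True
+
 def refreshF2boptions():
   global f2boptions
   global quit_now
@@ -119,6 +127,19 @@ def ban(address):
   self_network = ipaddress.ip_network(address.decode('ascii'))
   if WHITELIST:
     for wl_key in WHITELIST:
+      if not is_ip_network(wl_key):
+        hostname = wl_key
+        try:
+          wl_key = socket.gethostbyname(hostname)
+        except socket.gaierror as err:
+          continue
+          
+        log['time'] = int(round(time.time()))
+        log['priority'] = 'info'
+        log['message'] = 'Hostname %s is resolved to %s' % (hostname, wl_key)
+        r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
+        print 'Hostname %s is resolved to %s' % (hostname, wl_key)
+
       wl_net = ipaddress.ip_network(wl_key.decode('ascii'), False)
       if wl_net.overlaps(self_network):
         log['time'] = int(round(time.time()))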
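Review bot: `socket.gethostbyname(hostname)` in the new whitelist branch returns a single IPv4 address, so a whitelisted hostname that resolves to several addresses, or only to an AAAA record, is never matched against `self_network`, which `ban()` builds from an address that can itself be IPv6; resolving with `socket.getaddrinfo(hostname, None)` and checking every returned address closes that gap. The `except socket.gaierror as err: continue` branch also drops the entry silently — `err` is unused and nothing is pushed to `NETFILTER_LOG` — so a DNS failure at ban time quietly un-whitelists that host; logging the failure the way the success path logs the resolution would make that visible. Because the whitelist decision now depends on a live DNS answer taken inside `ban()`, a short comment such as `# hostname entries are resolved on every ban and the answer is trusted as-is` would help the next maintainer. The loop body and `ban()` continue past the end of the hunk.
```python
    for wl_key in WHITELIST:
      if is_ip_network(wl_key):
        wl_nets = [ipaddress.ip_network(wl_key.decode('ascii'), False)]
      else:
        # Resolve every A/AAAA record, not only the first IPv4 answer.
        try:
          resolved = set(ai[4][0] for ai in socket.getaddrinfo(wl_key, None))
        except socket.gaierror as err:
          log['time'] = int(round(time.time()))
          log['priority'] = 'info'
          log['message'] = 'Hostname %s could not be resolved: %s' % (wl_key, err)
          r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
          continue
        # … unchanged: 'Hostname %s is resolved to %s' log/print, now for the resolved set …
        wl_nets = [ipaddress.ip_network(a.decode('ascii'), False) for a in resolved]
      if any(wl_net.overlaps(self_network) for wl_net in wl_nets):
        log['time'] = int(round(time.time()))
        # … unchanged: whitelist-hit handling, continues outside the hunk …
```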

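--- a/data/web/inc/functions.fail2ban.inc.php
+++ b/data/web/inc/functions.fail2ban.inc.php
@@ -9,6 +9,11 @@ function valid_network($network) {
   }
   return false;
 }
+
+function valid_hostname($hostname) {
+    return filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME);
+}
+
 function fail2ban($_action, $_data = null) {
   global $redis;
   global $lang;
@@ -188,7 +193,7 @@ function fail2ban($_action, $_data = null) {
           $wl_array = array_map('trim', preg_split( "/( |,|;|\n)/", $wl));
           if (is_array($wl_array)) {
             foreach ($wl_array as $wl_item) {
-              if (valid_network($wl_item)) {
+              if (valid_network($wl_item) || valid_hostname($wl_item)) {
                 $redis->hSet('F2B_WHITELIST', $wl_item, 1);
               }
             }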
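Review bot: `valid_hostname` is indented with four spaces while the surrounding file uses two (`  }` and `  return false;` in the same hunk); `  return filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME);` keeps it consistent. The function also has no docblock; a line such as `// True when $hostname is syntactically a valid hostname (FILTER_FLAG_HOSTNAME); it is not resolved here` would tell readers of the second hunk that an entry passing this check is only effective once the netfilter container resolves it at ban time. `FILTER_VALIDATE_DOMAIN` with `FILTER_FLAG_HOSTNAME` is available from PHP 7.0 on, which is worth confirming against the project's minimum PHP version.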