
6 Commits

  1. 9
      configs/conf-available/05-source-portknock.conf
  2. 2
      filters/dovecot.preg
  3. 1
      src/csocket.c
  4. 1
      src/filters/pcre.c
  5. 1
      src/filters/preg.c
  6. 63
      src/jail.c
  7. 11
      src/jail.h

9
configs/conf-available/05-source-portknock.conf

@ -1,5 +1,14 @@
[source:portknock]
load = source_portknock.so
; listen = 0.0.0.0:21 # ftp
; listen = 0.0.0.0:23 # telnet
; listen = 0.0.0.0:25 # smtp
; listen = 0.0.0.0:110 # pop3
; listen = 0.0.0.0:143 # imap
; listen = 0.0.0.0:1080 # socks
; listen = 0.0.0.0:3128 # proxy
; listen = 0.0.0.0:3389 # rdp
; listen = 0.0.0.0:5060 # sip
; listen = 0.0.0.0:6667 # irc
; listen = 0.0.0.0:7547 # TR-069
; listen = 0.0.0.0:8080 # proxy

2
filters/dovecot.preg

@ -1,3 +1,5 @@
pop3-login: Aborted login \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
imap-login: Aborted login \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
pop3-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
imap-login: Disconnected \(auth failed, [0-9]+ attempts in [0-9]+ secs\): .* rip=<HOST>
# set: defscore=5

1
src/csocket.c

@ -522,6 +522,7 @@ f2b_csocket_poll(void (*cb)(const f2b_cmd_t *cmd, f2b_buf_t *res)) {
if (retval < 0) {
f2b_log_msg(log_debug, "closing connection on socket %d", conn->sock);
shutdown(conn->sock, SHUT_RDWR);
close(conn->sock);
f2b_conn_destroy(conn);
csock.clients[cnum] = NULL;
}
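Review bot: The results of the `shutdown()`/`close()` pair that precedes f2b_conn_destroy are discarded, so a failing close() (EBADF from a stale descriptor, EINTR) leaves no trace even though the surrounding code already logs the closure at debug level; logging the close() failure with errno would make descriptor-lifecycle bugs visible. shutdown() does fail legitimately with ENOTCONN when the peer has already torn the connection down, so ignoring that one is fine but is worth stating, e.g. `/* shutdown() may fail with ENOTCONN if the peer already closed; ignored on purpose */`. f2b_csocket_poll starts and ends outside the hunk.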

1
src/filters/pcre.c

@ -193,6 +193,7 @@ flush(cfg_t *cfg) {
free(r);
}
cfg->regexps = NULL;
cfg->defscore = MATCH_DEFSCORE;
}
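Review bot: The new `cfg->defscore = MATCH_DEFSCORE;` in flush() carries no comment saying why a flush resets the score; presumably it discards a `# set: defscore=` directive from the previously loaded filter file so that a reload starts from the built-in default, but that is inferred from the filter files in this compare, not from the hunk. A one-line comment would make the intent explicit: `/* forget any '# set:' override from the previous file; a reload re-applies it */`. The same line is added to flush() in src/filters/preg.c and the same comment applies there. flush() starts outside the hunk.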
void

1
src/filters/preg.c

@ -150,6 +150,7 @@ flush(cfg_t *cfg) {
free(r);
}
cfg->regexps = NULL;
cfg->defscore = MATCH_DEFSCORE;
}
void

63
src/jail.c

@ -71,6 +71,7 @@ f2b_jail_set_param(f2b_jail_t *jail, const char *param, const char *value) {
assert(param != NULL);
assert(value != NULL);
/* only 'safe to set at runtime' parameters here */
if (strcmp(param, "enabled") == 0) {
if (strcmp(value, "yes") == 0) {
jail->flags |= JAIL_ENABLED;
@ -79,14 +80,6 @@ f2b_jail_set_param(f2b_jail_t *jail, const char *param, const char *value) {
}
return true;
}
if (strcmp(param, "state") == 0) {
if (strcmp(value, "yes") == 0) {
jail->flags |= JAIL_HAS_STATE;
} else {
jail->flags &= ~JAIL_HAS_STATE;
}
return true;
}
if (strcmp(param, "bantime") == 0) {
jail->bantime = atoi(value);
if (jail->bantime <= 0)
@ -143,6 +136,10 @@ f2b_jail_apply_config(f2b_jail_t *jail, f2b_config_section_t *section) {
assert(section->type == t_jail || section->type == t_defaults);
for (param = section->param; param != NULL; param = param->next) {
if (strcmp(param->name, "state") == 0) {
jail->flags |= JAIL_HAS_STATE;
continue;
}
if (strcmp(param->name, "source") == 0) {
f2b_jail_parse_compound_value(param->value, name, init);
jail->source = f2b_source_create(name, init);
@ -158,6 +155,7 @@ f2b_jail_apply_config(f2b_jail_t *jail, f2b_config_section_t *section) {
if (strcmp(param->name, "backend") == 0) {
f2b_jail_parse_compound_value(param->value, name, init);
jail->backend = f2b_backend_create(name, init);
jail->flags |= JAIL_HAS_BACKEND;
continue;
}
if (f2b_jail_set_param(jail, param->name, param->value))
@ -412,6 +410,14 @@ f2b_jail_init(f2b_jail_t *jail, f2b_config_t *config) {
assert(jail != NULL);
assert(config != NULL);
if (jail->flags & JAIL_HAS_STATE) {
jail->sfile = f2b_statefile_create(appconfig.statedir_path, jail->name);
if (jail->sfile == NULL) {
f2b_log_msg(log_debug, "jail '%s': can't create statefile", jail->name);
goto cleanup0;
}
}
if (jail->flags & JAIL_HAS_SOURCE) {
if ((section = f2b_config_section_find(config->sources, jail->source->name)) == NULL) {
f2b_log_msg(log_error, "jail '%s': no source with name '%s'", jail->name, jail->source->name);
@ -461,6 +467,7 @@ f2b_jail_init(f2b_jail_t *jail, f2b_config_t *config) {
goto cleanup3;
}
jail->flags |= JAIL_CONFIGURED;
f2b_log_msg(log_debug, "jail '%s' init complete", jail->name);
return true;
@ -480,6 +487,7 @@ f2b_jail_init(f2b_jail_t *jail, f2b_config_t *config) {
f2b_source_destroy(jail->source);
jail->source = NULL;
}
cleanup0:
return false;
}
@ -491,15 +499,8 @@ f2b_jail_start(f2b_jail_t *jail) {
assert(jail != NULL);
if (jail->flags & JAIL_HAS_STATE) {
jail->sfile = f2b_statefile_create(appconfig.statedir_path, jail->name);
if (jail->sfile == NULL) {
/* error occured, must be already logged, just drop flag */
jail->flags &= ~JAIL_HAS_STATE;
} else {
jail->ipaddrs = f2b_statefile_load(jail->sfile);
}
}
if (jail->flags & JAIL_HAS_STATE)
jail->ipaddrs = f2b_statefile_load(jail->sfile);
for (f2b_ipaddr_t *addr = jail->ipaddrs; addr != NULL; addr = addr->next) {
hostc++;
@ -534,13 +535,17 @@ f2b_jail_stop(f2b_jail_t *jail) {
f2b_log_msg(log_info, "jail '%s': gracefull shutdown", jail->name);
if (!f2b_source_stop(jail->source)) {
f2b_log_msg(log_error, "jail '%s': action 'stop' for source failed", jail->name);
errors = true;
if (jail->flags & JAIL_HAS_SOURCE) {
if (!f2b_source_stop(jail->source)) {
f2b_log_msg(log_error, "jail '%s': action 'stop' for source failed", jail->name);
errors = true;
}
f2b_source_destroy(jail->source);
}
f2b_source_destroy(jail->source);
f2b_filter_destroy(jail->filter);
if (jail->flags & JAIL_HAS_FILTER) {
f2b_filter_destroy(jail->filter);
}
for (f2b_ipaddr_t *addr = jail->ipaddrs; addr != NULL; addr = addr->next) {
if (!addr->banned)
@ -551,11 +556,19 @@ f2b_jail_stop(f2b_jail_t *jail) {
}
f2b_addrlist_destroy(jail->ipaddrs);
if (!f2b_backend_stop(jail->backend)) {
f2b_log_msg(log_error, "jail '%s': action 'stop' for backend failed", jail->name);
errors = true;
if (jail->flags & JAIL_HAS_BACKEND) {
if (!f2b_backend_stop(jail->backend)) {
f2b_log_msg(log_error, "jail '%s': action 'stop' for backend failed", jail->name);
errors = true;
}
f2b_backend_destroy(jail->backend);
}
if (jail->flags & JAIL_HAS_STATE) {
f2b_statefile_destroy(jail->sfile);
}
jail->flags &= ~JAIL_CONFIGURED;
return errors;
}
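Review bot: In f2b_jail_apply_config the new `state` branch sets JAIL_HAS_STATE whenever the parameter is present and never reads `param->value`, whereas the block it replaces in f2b_jail_set_param (removed in the second hunk) honoured `yes`/`no`; a config with `state = no`, including one inherited from a defaults section, which this function also processes, now enables the state file. Keeping the value check costs one line: `if (strcmp(param->value, "yes") == 0) jail->flags |= JAIL_HAS_STATE; else jail->flags &= ~JAIL_HAS_STATE;`. Two further things in this file are worth a look: in f2b_jail_stop the source, filter, backend and statefile are destroyed but the pointers are not reset to NULL and the JAIL_HAS_* flags stay set (contrast the init cleanup path, which does `jail->source = NULL;`), so a second stop or a later start would act on freed objects; and in f2b_jail_init the statefile created right after the asserts is, as far as the visible tail of the cleanup chain before `cleanup0:` shows, not destroyed when a later step fails. Every function touched in this section starts or ends outside its hunks.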

11
src/jail.h

@ -13,10 +13,13 @@
*/
/* jail flags */
#define JAIL_ENABLED 0x01
#define JAIL_HAS_STATE 0x02
#define JAIL_HAS_FILTER 0x04
#define JAIL_HAS_SOURCE 0x08
#define JAIL_CONFIGURED 1 /* loaded all modules */
#define JAIL_ENABLED 2 /* poll for new events? */
/* reserved : 4 */
#define JAIL_HAS_STATE 8
#define JAIL_HAS_SOURCE 16
#define JAIL_HAS_FILTER 32
#define JAIL_HAS_BACKEND 64
/** jail metadata struct */
typedef struct f2b_jail_t {
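Review bot: The rewritten flag constants are plain decimal powers of two (`2`, `8`, `16`, `64`) where the removed lines used hex, so a reader now has to check by hand that no two flags share a bit, and the `/* reserved : 4 */` comment is the only thing guarding that slot. Writing them as shifts keeps the bit position explicit, e.g. `#define JAIL_HAS_STATE (1 << 3)`, or the whole set could become an enum so the values are debugger-visible and block-scoped. Note also that JAIL_ENABLED changes value from 0x01 to 2 and JAIL_HAS_STATE from 0x02 to 8; that is harmless only as long as the flags word is never persisted or compared against literals, which this hunk does not show either way.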
