|
Server : Apache System : Linux iad1-shared-b8-43 6.6.49-grsec-jammy+ #10 SMP Thu Sep 12 23:23:08 UTC 2024 x86_64 User : dh_edsupp ( 6597262) PHP Version : 8.2.26 Disable Function : NONE Directory : /lib/python3/dist-packages/fail2ban/tests/__pycache__/ |
Upload File : |
o
����;s*b�]���������������������@���s���d�Z�dZdZddlZddlZddlZddlZddlZddlZddl Z ddl
m
Z
m
Z
m
Z
�ddlmZ�ddlmZ�dd lmZ�dd
lmZ�dd
lmZ�dd
lmZ�dd
lm
Z
�ddl
m
Z
�ddl m Z m!Z!m"Z"�ddl#m$Z$m%Z%m&Z&�ddl'm(Z(�zddlm)Z)�W�n
�e*y����dZ)Y�nw�ej+�,ej+�-e.�d�Z/dZ0e$d�Z1G�dd��de�Z2G�dd��de �Z3G�dd
��d
e3�Z4G�d
d
��d
e3�Z5G�d d ��d ej6�Z7G�d!d"��d"ej6�Z8G�d#d$��d$e�Z9G�d%d&��d&e �Z:dd'l;m<Z<m=Z=m>Z>�G�d(d)��d)e �Z?dS�)*z
Cyril Jaquierz Copyright (c) 2004 Cyril Jaquier�GPL�����N����)�Regex� FailRegex�RegexException)�actions)�Server)�IPAddr)�Jail)�
JailThread)� BanTicket)�Utils����)� DummyJail)�LogCaptureTestCase�
with_alt_time�MyTime)� getLogger�extractOptions�
PREFER_ENC)�version)�
filtersystemd�files�polling�fail2banc�������������������@���s
���e�Zd�Zdd��Zdd��ZdS�)�
TestServerc�����������������O�������d�S��N����self�args�kwargsr
���r
����?/usr/lib/python3/dist-packages/fail2ban/tests/servertestcase.py�
setLogLevel<�������zTestServer.setLogLevelc�����������������O���r
���r
���r
���r ���r
���r
���r#����
setLogTarget?���r%���zTestServer.setLogTargetN)�__name__�
__module__�
__qualname__r$���r&���r
���r
���r
���r#���r���;���s����
r���c�����������������������sL���e�Zd�Z��fdd�Z��fdd�Zdd d
�Zdd
d
�Zd
d��Zdd��Z���Z S�)�TransmitterBasec��������������������s2���t�t|������|�jj|�_d|�_|�j�|�jt��dS�)�
Call before every test case.� TestJail1N) �superr*����setUp�server�_Server__transm�transm�jailName�addJail�
FAST_BACKEND�r ����� __class__r
���r#���r.���E���s���
zTransmitterBase.setUpc��������������������s
���|�j�����tt|������dS��zCall after every test case.N)r/����quitr-���r*����tearDownr5���r6���r
���r#���r:���N���s���
zTransmitterBase.tearDownr
���r���NFc�����������
���������s����d||g}d|g}|dur|��d|��|��d|��|dkr |}��fdd�} |��| |�j�|��| ||f���|sI|��| |�j�|��| d|f���dS�dS�) zoProcess set/get commands and compare both return values
with outValue if it was given otherwise with inValue�set�getNr���r
���c��������������������s�����rt�|��S�|�S�)z
Prepare value for comparison)�repr��x��repr_r
���r#����va���s���z%TransmitterBase.setGetTest.<locals>.vr���)�insert�
assertEqualr1����proceed)
r ����cmd�inValue�outValue�outCode�jailrA����setCmd�getCmdrB���r
���r@���r#����
setGetTestT���s���
$�zTransmitterBase.setGetTestc�����������������C���sv���d||g}d|g}|d�ur|��d|��|��d|��|�j�|�d�}|��|�j�|�d�d��|��|�j�|�d|f��d�S�)Nr;���r<���r���r���)rC���r1���rE���rD���)r ���rF���rG���rJ���rK���rL���� initValuer
���r
���r#����
setGetTestNOKj���s���
z
TransmitterBase.setGetTestNOKc����������� ���
���C���s���d|�}d|�}|���|�j�d||g�dg�f��t|�D�]W\}}|�j�d|||g�}|�j|d�ttt|d���fdttt|d�|d�����fdd��|�j�d||g�}|�j|d�ttt|d���fdttt|d�|d�����fdd��qt|�D�]W\}}|�j�d|||g�}|�j|d�ttt|d���fdttt||d�d�����fdd��|�j�d||g�}|�j|d�ttt|d���fdttt||d�d�����fdd��qwd�S�) N�add�delr<���r���r;���r���r���)�level)rD���r1���rE���� enumerate�assertSortedEqual�list�map�str) r ���rF����valuesrJ����cmdAdd�cmdDel�n�value�retr
���r
���r#����jailAddDelTestw���s ����@B@B�z
TransmitterBase.jailAddDelTestc����������� ��� ���C���s��d|�}d|�}|���|�j�d||g�dg�f��t|�D�]/\}}|���|�j�d|||g�d|d�|d���f��|���|�j�d||g�d|d�|d���f��qt|�D�]/\}}|���|�j�d||dg�d||d�d���f��|���|�j�d||g�d||d�d���f��qOd�S�)NrP���rQ���r<���r���r;���r���)rD���r1���rE���rS���) r ���rF����inValues� outValuesrJ���rY���rZ���r[���r\���r
���r
���r#����jailAddDelRegexTest����s0���������z#TransmitterBase.jailAddDelRegexTest)r
���r���NF)
r'���r(���r)���r.���r:���rM���rO���r^���ra����
__classcell__r
���r
���r6���r#���r*���C���s����
r*���c�����������������������s���e�Zd�Z��fdd�Zdd��Zdd��Zdd��Zd d
��Zd
d
��Zd
d��Z dd��Z
dd��Z
dd��Z
dd��Z
dd��Zdd��Zdd
��Zd
d
��Zd d ��Zd!d"��Zd#d$��Zed%d&���Zd'd(��Zd)d*��Zd+d,��Zd-d.��Zd/d0��Zd1d2��Z
d3d4��Z
d5d6��Z
d7d8��Z d9d:��Z d;d<��Z!d=d>��Z"d?d@��Z#dAdB��Z$dCdD��Z%dEdF��Z&dGdH��Z'dIdJ��Z(dKdL��Z)dMdN��Z*dOdP��Z+dQdR��Z,dSdT��Z-dUdV��Z.dWdX��Z/dYdZ��Z0���Z1S�)[�
Transmitterc��������������������s���t���|�_tt|������d�S�r
���)r���r/���r-���rc���r.���r5���r6���r
���r#���r.�������s���zTransmitter.setUpc�����������������C���s���|���|�j�����d�S�r
���)�
assertFalser/���� isStartedr5���r
���r
���r#����testServerIsNotStarted����s���z"Transmitter.testServerIsNotStartedc�����������������C�������|���|�j�dg�d��d�S�)N�stop�r���N�rD���r1���rE���r5���r
���r
���r#����testStopServer��������zTransmitter.testStopServerc�����������������C���rg���)N�ping)r����pongrj���r5���r
���r
���r#����testPing����rl���zTransmitter.testPingc�����������������C���s ���|���|�j�dg�dtjf��d�S�)Nr���r���)rD���r1���rE���r���r5���r
���r
���r#����
testVersion�������� zTransmitter.testVersionc�����������������C���s~���t�jjs1t���}|��|�j�ddg�d��t���}||�}|�jd|��k�o'dk�n��d|�d��d�S�|��|�j�ddg�d��d�S�) N�sleepz0.1ri���g
ףp=
�?g�������?zSleep was %g sec)�msgz0.0001)�unittest�F2B�fast�timerD���r1���rE����
assertTrue)r ����t0�t1�dtr
���r
���r#���� testSleep����s���*
zTransmitter.testSleepc�����������������C���s���t�jjs
t�dd�\}}nd}|��d|��|�j�|�j��|�� d|��|�� d|��|�� ddd��|��dd��|�� d d
d
��|��d d��|�j�
|�jt
��|�� d|��|�j�|�j��|��
|�j
�g�d
��d
��|��
|�j
�ddg�d
��|��
|�j
�g�d��d
��|��
|�j
�ddg�d
��|��
|�j
�g�d��d
��|��
|�j
�dd g�d
��|�j�
|�jt
��|��
|�j
�g�d
��d
��t�jjs�t�|��t�|��d�S�d�S�)Nz.db� fail2ban_z:memory:�dbfile�
dbmaxmatches�100�d����LIZARD�
dbpurgeage�600�X��)r;���r~����Noneri���r<���)r;���r���r����)r;���r�����500)rt���ru���� memory_db�tempfile�mkstemprO���r/����delJailr2���rM���r3���r4���rD���r1���rE����os�close�unlink)r ����tmp�
tmpFilenamer
���r
���r#����
testDatabase����sl���
��
��
��
��
��
��
��
�zTransmitter.testDatabasec�����������������C���s����d}d}d}|���|�j�d|dg�d|f��|���|�j�d|g�d|f��|���|�j�d|dg�d�d��|���|�j�d|d g�d|f��|���|�j�d|�jdg�d�d��|���|�j�g�d
��d�d��d�S�)
N� TestJail2� TestJail3� TestJail4rP���r���r���zinvalid backendr����auto)rP����--allr����rD���r1���rE���r2���)r ����jail2�jail3�jail4r
���r
���r#����
testAddJail����s&����
����zTransmitter.testAddJailc��������������������sp���������j�d��jg�d��t�tj�����t� ��fdd�d���������j�d��jg�d�����
��j��j
j
��d�S�)N�startri���c�����������������������&�����j��d�ot��j�d��jg�t�
�S�)Nr����status�r/����isAlive�
isinstancer1���rE���r2����
RuntimeErrorr
���r5���r
���r#����<lambda>������&�z/Transmitter.testStartStopJail.<locals>.<lambda>����rh���)
rD���r1���rE���r2���rw���rr���r
����DEFAULT_SLEEP_TIMErx����wait_for�
assertNotInr/����_Server__jailsr5���r
���r5���r#����testStartStopJail����s����
��z
Transmitter.testStartStopJailc��������������������s������j��dt�������j�d��jg�d�������j�ddg�d��t�t j
�����
t �
��fdd�d��������j�ddg�d�����
t �
��fd d�d������
��j��j�j�����
d��j�j��d�S�)
Nr����r����ri���c����������������������r����)Nr���r����r����r
���r5���r
���r#���r������r����z2Transmitter.testStartStopAllJail.<locals>.<lambda>r����rh���r����c����������������������s���t���jj�
�S�r
���)�lenr/���r����r
���r5���r
���r#���r������s����)r/���r3���r4���rD���r1���rE���r2���rw���rr���r
���r����rx���r����r����r����r5���r
���r5���r#����testStartStopAllJail
��s �����
�z Transmitter.testStartStopAllJailc�����������������C���sb���|���|�j�d|�jddg�d��|���|�j�d|�jddg�d��|���|�j�d|�jddg�d�d ��d�S�)
Nr;����idle�on�r���T�off�r���F�CATr���r���r����r5���r
���r
���r#����
testJailIdle
��s������zTransmitter.testJailIdlec�����������������C����f���|�j�ddd|�jd��|�j�ddd|�jd��|�j�ddd|�jd��|�j�dd d
|�jd��|�jdd
|�jd��d�S�)
N�findtime�120�x����rJ����60�<����30m���z-60i����Dog�rM���r2���rO���r5���r
���r
���r#����testJailFindTime(���
���z
Transmitter.testJailFindTimec�����������������C���r����)
N�bantimer����r����r�����50�2���z-50i���z
15d 5h 30mi���Catr����r5���r
���r
���r#����testJailBanTime/��r����zTransmitter.testJailBanTimec�����������������C���r����)
N�
datepattern�%%%Y%m%d%H%M%S)r����z %YearMonthDay24hourMinuteSecondr�����Epoch)Nr����z^Epoch)Nz{^LN-BEG}Epoch�TAI64N)Nr����z
%Cat%a%%%gr����r5���r
���r
���r#����testDatePattern6��s
����
�
�
�zTransmitter.testDatePatternc�����������������C���s*���|�j�ddd|�jd��|�jdd|�jd��d�S�)N�
logtimezonezUTC+0400r����znot-a-time-zoner����r5���r
���r
���r#����testLogTimeZoneB��s���zTransmitter.testLogTimeZonec�����������������C���s\���|�j�dd|�jd��|�j�dd|�jd��|�j�dd|�jd��d}|��|�j�d|�jd|g�d��d�S�) N�usedns�yesr�����warn�no�Fishr;���)r���r����)rM���r2���rD���r1���rE����r ���r\���r
���r
���r#����testJailUseDNSF��s����zTransmitter.testJailUseDNSc��������������
���C���s��|�j��|�j��|��|�j�d|�jddddg�d��|�jddddd ��|��|�j�d|�jdd
g�d
��|�jd
dd
��|��|�j�d|�jdddddg�d��|�jddddd ��|�jddddd ��|�����|��|�j�d|�jdddg�d�d��|��|�j�d|�jdddg�d��|�jddddd ��d�S�)Nr;����banip� 192.0.2.1� 192.0.2.2)r���r����
Ban 192.0.2.1�
Ban 192.0.2.2T��all�wait�Badger�r���r���z
Ban Badger�r�����unbanipz
192.0.2.255z
192.0.2.254zUnban 192.0.2.1zUnban 192.0.2.2z192.0.2.255 is not bannedz192.0.2.254 is not bannedz--report-absentr���r���)r���r���)r/���� startJailr2���rD���r1���rE����
assertLogged�pruneLogr5���r
���r
���r#����
testJailBanIPQ��sF������������zTransmitter.testJailBanIPc��������������������s������j����j����fdd�}��jddd��jd��dD�]}dD�]}���||d |�g�d
��q
q��jd
d
d
d
d�����||dd��dD���d
����jdd
d����jdd
d�����d��d�S�)Nc��������������������s�����j��d��jd|�g|��S�)Nr;����attempt)r1���rE���r2���)�ip�matchesr5���r
���r#���r����q��rl���z.Transmitter.testJailAttemptIP.<locals>.attempt�maxretry�5����r����)r���r���)r����r�����test failure %dr����z
192.0.2.1:2z
192.0.2.2:2Tr����c�����������������S���s���g�|�]}d�|��qS�)r����r
���)�.0�ir
���r
���r#����
<listcomp>{��s����z1Transmitter.testJailAttemptIP.<locals>.<listcomp>)r��������r����z
192.0.2.2:5r����r����r����)r/���r����r2���rM���rD���r�����assertNotLogged)r ���r����r����r����r
���r5���r#����testJailAttemptIPn��s���
�
z
Transmitter.testJailAttemptIPc��������������������s����d}��j��|t����j��|��d�d�dg�f��fdd� }||g�d��||dddgd ��||d
ddd
gd ��||d
g�d
�d��||dd
d
gd��||d
d
gd��||d
g�d��d�S�)N�TestJailBanListr
���c��������������������s����|d�ur������j�d|�d|g�d����jd|�dd��|d�ur6������j�d|�d|g�d����jd|�dd����j��j�d |�dgt|���d
|fd
d
��t�t���d
���d�S�)Nr;���r����r����zBan %sTr����r����zUnban %sr<���r���F)�
nestedOnlyr���) rD���r1���rE���r����rT���rU���r����setTimerw���)rJ���r����r����r!����outListr5���r
���r#����_getBanListTest���s"������z4Transmitter.testJailBanList.<locals>._getBanListTest)r����� 127.0.0.1)z
--with-timez:127.0.0.1 2005-08-14 12:00:01 + 600 = 2005-08-14 12:10:01)r����r!���r�����
192.168.0.1z<192.168.0.1 2005-08-14 12:00:02 + 600 = 2005-08-14 12:10:02�
192.168.1.10)r����r����r����)r����r����)r����r����)r/���r3���r4���r����)r ���rJ���r����r
���r5���r#����testJailBanList���s6���
�������
�zTransmitter.testJailBanListc�����������������C����R���|�j�ddd|�jd��|�j�ddd|�jd��|�j�ddd|�jd��|�jdd |�jd��d�S�)
N�
maxmatchesr����r����r�����2r����-2����Duckr����r5���r
���r
���r#����testJailMaxMatches�������z
Transmitter.testJailMaxMatchesc�����������������C���r����)
Nr����r����r����r����r����r���r����r����r����r����r5���r
���r
���r#����testJailMaxRetry���r��z
Transmitter.testJailMaxRetryc�����������������C���sP���|�j�ddd|�jd��|�j�ddd|�jd��|�jdd|�jd��|�jdd|�jd��d�S�) N�maxlinesr����r����r����r����r���r����r����r����r5���r
���r
���r#����testJailMaxLines���s���z
Transmitter.testJailMaxLinesc�����������������C���sN���|�j�dd|�jd��|�j�dd|�jd��|�j�ddt|�jd��|�jdd|�jd��d�S�)N�
logencodingzUTF-8r�����asciir�����Monkey)rM���r2���r���rO���r5���r
���r
���r#����testJailLogEncoding���s
���
�z Transmitter.testJailLogEncodingc��������������
���C���sh��|���dtj�td�tj�td�tj�td�g|�j��tj�td�}|��|�j�d|�jd|g�d|gf��|��|�j�d|�jd|g�d|gf��|��|�j�d |�jdg�d|gf��|��|�j�d|�jd
|g�dg�f��|��|�j�d|�jd|d
g�d|gf��|��|�j�d|�jd|d
g�d|gf��|��|�j�d|�jd|d
g�d�d��|��|�j�d|�jd|||g�d�d��d�S�)N�logpath�testcase01.logztestcase02.logztestcase03.logztestcase04.logr;����
addlogpathr���r<����
dellogpath�tail�head�badgerr���) r^���r�����path�join�TEST_FILES_DIRr2���rD���r1���rE���r����r
���r
���r#����testJailLogPath���sj���
��
��������������zTransmitter.testJailLogPathc�����������������C���s2���d}|�j��d|�jd|g�}|��t|d�t���d�S�)Nzthis_file_shouldn't_existr;���r
��r���)r1���rE���r2���rx���r�����IOError)r ���r\����resultr
���r
���r#����testJailLogPathInvalidFile���s
���
�z&Transmitter.testJailLogPathInvalidFilec�����������������C���sX���t�jdd�}|d�}t�||��|�j�d|�jd|g�}|��t|d�t ���t�
|��d�S�)N�tmp_fail2ban_broken_symlink)�prefixz.slinkr;���r
��r���)
r�����mktempr�����symlinkr1���rE���r2���rx���r����r��r����)r ����name�snamer��r
���r
���r#����
testJailLogPathBrokenSymlink���s���
�z(Transmitter.testJailLogPathBrokenSymlinkc�����������������C���s����|���dg�d�|�j��d}|��|�j�d|�jd|g�d|gf��|��|�j�d|�jd|g�d|gf��|��|�j�d|�jdg�d|gf��|��|�j�d|�jd|g�dg�f��|��|�j�d|�jd g�d
��|��|�j�d|�jd d
g�d
��|��|�j�d|�jd g�d
��d�S�)
N�ignoreip)r����z
192.168.1.1z8.8.8.8r����r;����
addignoreipr���r<����
delignoreip�
ignoreselfr����Fr����)r^���r2���rD���r1���rE���r����r
���r
���r#����testJailIgnoreIP��sD����
�������z
Transmitter.testJailIgnoreIPc�����������������C�������|�j�dd|�jd��d�S�)N�
ignorecommandzbin/ignore-command <ip>r�����rM���r2���r5���r
���r
���r#����testJailIgnoreCommand&������z!Transmitter.testJailIgnoreCommandc�����������������C���s0���|�j�ddg�d�|�jd��|�j�ddd�|�jd��d�S�)N�
ignorecachez%key="<ip>",max-time=1d,max-count=9999)z<ip>i'��i�Q�r������r%��r5���r
���r
���r#����testJailIgnoreCache)��s
����z Transmitter.testJailIgnoreCachec�����������������C���r#��)N� prefregexz^Testr����r%��r5���r
���r
���r#����testJailPrefRegex0��r'��z
Transmitter.testJailPrefRegexc��������������
���C���s����|���dg�d�dt�d��dt�d��dt�d��g|�j��|��|�j�d|�jdd g�d
�d
��|��|�j�d|�jdd
g�d
�d
��d�S�)
N� failregex)zuser john at <HOST>�
Admin user login from <HOST>z failed attempt from <HOST> againzuser john at %s�<HOST>�Admin user login from %sz
failed attempt from %s againr;����
addfailregexz
No host regexr���r���i����ra���r����_resolveHostTagr2���rD���r1���rE���r5���r
���r
���r#����
testJailRegex3��s0���
��
���
���zTransmitter.testJailRegexc�������������� ���C���sn���|���dg�d�ddt�d��dg|�j��|��|�j�d|�jdd g�d
�d
��|��|�j�d|�jdd
g�d
�d
��d�S�)
N�
ignoreregex)� user johnr.���Dont match me!r6��r0��r/��r7��r;����addignoreregexzInvalid [regexr���r���r����r2��r5���r
���r
���r#����testJailIgnoreRegexK��s0���
��
���
���z Transmitter.testJailIgnoreRegexc�������������� ���C���s����|�j�g}|��|�j�dg�ddt|�fdd�|�fgf��|�j�dt��|� d��|��|�j�dg�ddt|�fdd�|�fgf��d�S�)Nr����r���zNumber of jailz Jail listz, r����)
r2���rD���r1���rE���r����r��r/���r3���r4����append)r ����jailsr
���r
���r#����
testStatusc��s���
�
�zTransmitter.testStatusc��������������
���C���sB���|���|�j�d|�jg�dddddg�fgfddd d
g�fgfgf��d�S�)
Nr����r����Filter�zCurrently failedr����z
Total failedr���� File list�Actions�zCurrently bannedr����z
Total bannedr����Banned IP listr����r5���r
���r
���r#����testJailStatusl��s
��������zTransmitter.testJailStatusc��������������
���C����D���|���|�j�d|�jdg�dddddg�fgfdd d
d
g�fgfgf��d�S�)
Nr�����basicr���r=��r>��r?��r@��rA��rB��rC��rD��r����r5���r
���r
���r#����testJailStatusBasic~���
��������z Transmitter.testJailStatusBasicc��������������
���C���rF��)
Nr�����INVALIDr���r=��r>��r?��r@��rA��rB��rC��rD��r����r5���r
���r
���r#����testJailStatusBasicKwarg���rI��z$Transmitter.testJailStatusBasicKwargc��������������
���C���s����t�j����z
dd�l}dd�l}W�n
�ty���dg}Y�nw�g�}|��|�j�d|�j dg�dddddg�fgfd d
d
d
g�fd
|fd|fd|fgfgf��d�S�)Nr����errorr�����cymrur=��r>��r?��r@��rA��rB��rC��rD��zBanned ASN listzBanned Country listzBanned RIR list)
rt���ru����SkipIfNoNetwork�
dns.exception�
dns.resolver�
ImportErrorrD���r1���rE���r2���)r ����dnsr\���r
���r
���r#����testJailStatusCymru���s4���
������z Transmitter.testJailStatusCymruc��������������
���C���s���d}g�d�}g�d�}|���|�j�d|�jd|g�d|f��|���|�j�d|�jdg�d �d�|��t||�D�]\}}|���|�j�d|�jd
|||g�d|f��q2t||�D�]\}}|���|�j�d|�jd
||g�d|f��qO|���|�j�d|�jd
|d
d
g�d
��|���|�j�d|�jd
|d
g�d
��|���|�j�d|�jd
|dg�d�d ��|���|�j�d|�jd
|ddg�d��|���|�j�d|�jd
|dg�d��|���|�j�d|�jd|g�d��|���|�j�d|�jddg�d�d ��d�S�)N�TestCaseAction)�
actionstart�
actionstop�
actioncheck� actionban�
actionunban)z
Action Startz
Action Stopz
Action Checkz
Action Banz
Action Unbanr;���� addactionr���r<���r���r����action�KEY�VALUE)r���r]���
InvalidKey�timeout�10)r����
���� delactionri���z
Doesn't exist)rD���r1���rE���r2����zip)r ���r[���cmdList�
cmdValueListrF���r\���r
���r
���r#����
testAction���s�����
�������������������
���zTransmitter.testActionc��������������
���C���s���d}z
|�j��d|�jd|tj�tdd�dg�}|��|d|f��W�n*�tyI���dt j
��kr1d k�rHn���d
|d
�v�rHdd�l
}|�
d
t j
���Y�d�S���w�|��|�j��d
|�jd|g�d
�ddg��|��|�j��d
|�jd|dg�d��|��|�j��d
|�jd|dg�d��|��|�j��d
|�jd|g�d
�g�d���|��|�j��d|�jd|ddg�d��|��|�j��d|�jd|ddg�d��|��|�j��d|�jd|ddg�d��d�S�)
NrT��r;���rZ���action.dz action.pyz{"opt1": "value"}r���)r�������)r���rh��r����z#__init__() keywords must be stringsr���z�Your version of Python %s seems to experience a known issue forbidding correct operation of Fail2Ban: http://bugs.python.org/issue2646 Upgrade your Python and meanwhile other intestPythonActionMethodsAndProperties will be skippedr<����actionproperties�opt1�opt2r[��)r���r\���ri����
actionmethods)�ban�rebanr����rh����
testmethod�unbanro��z{"text": "world!"})r���zHello world! value�
another value)r���rq��)r���zHello world! another value)r1���rE���r2���r����r��r��r��rD����AssertionError�sys�
version_info�warningsr����r���rT���)r ���r[���outru��r
���r
���r#����$testPythonActionMethodsAndProperties���s����
��
����
����������������z0Transmitter.testPythonActionMethodsAndPropertiesc�����������������C���s ���|���|�j�ddg�d�d��d�S�)NrJ���COMMANDr���r���rj���r5���r
���r
���r#����testNOK0��rq���zTransmitter.testNOKc�����������������C���� ���|���|�j�g�d��d�d��d�S�)N)r;���rJ��rx��r���r���rj���r5���r
���r
���r#����
testSetNOK3�������zTransmitter.testSetNOKc�����������������C���rz��)N)r<���rJ��rx��r���r���rj���r5���r
���r
���r#����
testGetNOK7��r|��zTransmitter.testGetNOKc�����������������C���rz��)N)r����rJ��rx��r���r���rj���r5���r
���r
���r#����
testStatusNOK;��r|��zTransmitter.testStatusNOKc��������������
���C���s6��t�st�d��d}|�j�|d��g�d�}t|�D�] \}}|��|�j�d|d|g�ddd ��|d�|d
���D��f��qt|�D�] \}}|��|�j�d|d
|g�dd
d ��||d
�d���D��f��q<d
}|��|�j�d|d|g�d|ggf��|��|�j�d|d|g�d|g|ggf��|��|�j�d|d
|g�d|ggf��|��|�j�d|d
|g�dg�f��g�d�}|��|�j�d|dg|��dd
gddggf��|��|�j�d|d
g|d�d
����dddggf��|��|�j�d|d
g|dd�����dg�f��d}|�j�d|d|g�}|�� t
|d
�t
���d}|�j�d|d
|g�}|�� t
|d
�t
���d�S�)N�&systemd python interface not availabler�����systemd��_SYSTEMD_UNIT=sshd.servicezTEST_FIELD1=ABCz_HOSTNAME=example.comr;����addjournalmatchr���c�����������������S�������g�|�]}|g�qS�r
���r
����r�����valr
���r
���r#���r����M�������z0Transmitter.testJournalMatch.<locals>.<listcomp>r����deljournalmatchc�����������������S���r���r
���r
���r���r
���r
���r#���r����R��r����
_COMM=sshd)r����+r����_UID=0r���r���r���zThis isn't valid!zFIELD=NotPresent)
r���rt����SkipTestr/���r3���rS���rD���r1���rE���rx���r�����
ValueError)r ���r2���rX���r[���r\���r��r
���r
���r#����testJournalMatch?��s����
�
�
�
�
�
�
��
�
�
��
���
���
�
�z
Transmitter.testJournalMatchc��������������
���C���s����t�st�d��|��d��d}|�j�|d��g�d�}t|�D�] \}}|��|�j� d|d|g�dd d
��|d�|d
���D��f��q
t|�D�] \}}|��|�j� d|d
|g�dd
d
��||d
�d���D��f��qAd�S�)Nr��Tr����zsystemd[journalflags=2]r���r;���r���r���c�����������������S���r���r
���r
���r���r
���r
���r#���r�������r���z5Transmitter.testJournalFlagsMatch.<locals>.<listcomp>r���r���c�����������������S���r���r
���r
���r���r
���r
���r#���r�������r���)
r���rt���r���rx���r/���r3���rS���rD���r1���rE���)r ���r2���rX���r[���r\���r
���r
���r#����testJournalFlagsMatch���s*���
�
�
�
��z!Transmitter.testJournalFlagsMatch)2r'���r(���r)���r.���rf���rk���ro���rp���r|���r����r����r����r����r����r����r����r����r����r����r����r����r���r����r���r��r��r��r��r��r
��r"��r&��r*��r,��r4��r9��r<��rE��rH��rK��rS��rf��rw��ry��r{��r}��r~��r���r���rb���r
���r
���r6���r#���rc�������s^����
0
+*
%
<4Grc���c�����������������������sT���e�Zd�Z��fdd�Zdd��Zdd��Zdd��Zd d
��Zd
d
��Zd
d��Z dd��Z
���Z
S�)�TransmitterLoggingc��������������������s>���t���|�_tt|������|�j�d��|�j�d��|�j�d��d�S�)N� /dev/null�CRITICALr����)r���r/���r-���r���r.���r&���r$����setSyslogSocketr5���r6���r
���r#���r.������s
���
zTransmitterLogging.setUpc�����������������C���s����g�}t�d�D�]}t�dd�}|�|d���t�|d���q|D�]}|��d|��q d}|��d|��|�j� g�d���|D�]}t�
|��q:|��dd d
��|��dd
d
��d�S�)
Nr����r����
transmitterr���r���� logtarget�/this/path/should/not/exist)r;���r���r���z
STDOUT[format="%(message)s"]�STDOUTz!STDERR[datetime=off, padding=off]�STDERR)
�ranger����r����r:��r����r����rM���rO���r1���rE����remove)r ����
logTargets�_�tmpFile� logTargetr\���r
���r
���r#����
testLogTarget���s
���
z TransmitterLogging.testLogTargetc�����������������C���sJ���t�j�d�s
t�d��|��|�j���d��|��dd��|��|�j���d��d�S�)N�/dev/logz'/dev/log' not presentr����r����SYSLOG) r����r���existsrt���r���rx���r/����getSyslogSocketrM���r5���r
���r
���r#����testLogTargetSYSLOG���s
���
z&TransmitterLogging.testLogTargetSYSLOGc�����������������C���s���|���dd��d�S�)N�
syslogsocketz/dev/log/NEW/PATH)rM���r5���r
���r
���r#����testSyslogSocket���s���z#TransmitterLogging.testSyslogSocketc�������������� ���C���sd���|���dd��|��dd��|���dd��|�j�d
i�i�tdtd�dd �d
�t���d
v�o,tj�d�����d�S�)
Nr���r���r���r���r���r���zFailed to change log targetT)rI���rH���rA���)TF)�Linux)r���r���) rM���rO����dict� Exception�platform�systemr����r��r���r5���r
���r
���r#����testSyslogSocketNOK���s
���
���
�z&TransmitterLogging.testSyslogSocketNOKc�����������������C���s����|���dd��|���dd��|���dd��|���dd��|���dd��|���dd��|���dd��|���dd ��|���dd
��|���dd
d
��|��dd
��d�S�)
N�loglevel�
HEAVYDEBUG�
TRACEDEBUG�9�DEBUG�INFO�NOTICE�WARNING�ERRORr����cRiTiCaL�Bird)rM���rO���r5���r
���r
���r#����
testLogLevel���s���
z TransmitterLogging.testLogLevelc����������� ������C���s~��|���|�j�dg�d���zt�d�\}}t�|��|�j�d��|���|�j�dd|g�d|f��t d�}|�
d ��z�t�d�\}}t�|��t�
||��|�
d
��|���|�j�dg�d��|�
d
��t
|d
��Q}t
|�}|�d
�dkrtt
|�}|��|�d���t
|�}|��|�d���z
t
|�}|�d�dkr�|��t|j��n|��d|���W�n �ty����Y�nw�W�d�����n1�s�w���Y��t
|d
��*}t
|�}|�d�dkr�t
|�}|��|�d���|��t|j��|����W�d�����n1�s�w���Y��W�t�|��nt�|��w�W�zt�|��W�n
�t�y���Y�nw�zt�|��W�w��t�y%���Y�w�w�|���|�j�g�d��d��|���|�j�dg�d��d�S�)N� flushlogs)r���z
rolled overz
fail2ban.logr���r;���r���r���r���zBefore file movedzAfter file movedzAfter flushlogs�rzChanged logging target tozBefore file moved
zAfter file moved
zCommand: ['flushlogs']zCException StopIteration or Command: ['flushlogs'] expected. Got: %szrollover performed onzAfter flushlogs
)r;���r���r���)r���r���)r����flushed)rD���r1���rE���r����r����r����r����r/���r$���r����warning�rename�open�next�findrx����endswith�
assertRaises�
StopIteration�__next__�failr����OSError) r ����f�fn�l�f2�fn2�line1�line2r[���r
���r
���r#����
testFlushLogs���sn���
�
��
�
�����z TransmitterLogging.testFlushLogsc�����������������C���s����|�j�ddd|�jd��|�j�ddd|�jd��|�j�dd d
|�jd��|�j�d
d
d
|�jd��|�j�d
d|�jd��|�j�ddd|�jd��|�j�ddd|�jd��d�S�)Nzbantime.increment�trueTr����zbantime.rndtime�30minr����zbantime.maxtimez 1000 daysi�\&zbantime.factorr����zbantime.formulazGban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)zbantime.multipliersz1 5 30 60 300 720 1440 2880zbantime.overalljailsr%��r5���r
���r
���r#����testBanTimeIncr��s���z"TransmitterLogging.testBanTimeIncr)
r'���r(���r)���r.���r���r���r���r���r���r���r���rb���r
���r
���r6���r#���r������s����
0r���c�������������������@�������e�Zd�Zdd��ZdS�)� JailTestsc�����������������C���s
���d}t�|�}|��|j|��d�S�)N�veryveryverylongname)r
���rD���r��)r ����longnamerJ���r
���r
���r#����
testLongName
��s���zJailTests.testLongNameN)r'���r(���r)���r���r
���r
���r
���r#���r�����s����
r���c�������������������@����$���e�Zd�Zdd��Zdd��Zdd��ZdS�)�
RegexTestsc�����������������C���s.���|���ttd��|���ttd��|���ttd��d�S�)Nr)��� � )r���r���r���r5���r
���r
���r#����testInit%��s���zRegexTests.testInitc�����������������C���s8���|���ttd���dd�d��|��ttd���d���d�S�)N�a�"�'z
Regex('a')r/��z
FailRegex()rD���rW���r����replacerx���r����
startswithr5���r
���r
���r#����testStr+��s���
zRegexTests.testStrc�����������������C���s��|���ttd��|���ttd��|��td���|��td���|��td���|��td���|��td���|��td���|��td ���td
�}|��|�����|�d
g��|��|�����|���t|j��td
�}|��|�����|�d
g��|��|�����|���t|j��td�}|��|�����|�dg��|��|�����|��|���d��|�dg��|��|�����|��|���d��|�dg��|��|�����|��|���d��td�}|��|�����|�dg��|��|�����|��|� ��d��td�}|�dg��|�
��}|��||j
fd��|�dg��|�
��}|��||j
fd��|�d
g��|�
��}|��||j
fd
��|�d
g��|�
��}|��||j
fd ��td �}|�d!g��|�
��}|��||j
fd"��|�d#g��|�
��}|��||j
fd��|�d$g��|�
��}|��||j
fd%��|�d&g��|�
��}|��||j
fd'��d�S�)(Nr)��z^test no group$z^test <HOST> group$z^test <IP4> group$z^test <IP6> group$z^test <DNS> group$z<^test id group: ip:port = <F-ID><IP4>(?::<F-PORT/>)?</F-ID>$z-^test id group: user:\(<F-ID>[^\)]+</F-ID>\)$z#^test id group: anything = <F-ID/>$z %%<HOST>?)z%%r)��r)��z#%%inet(?:=<F-IP4/>|inet6=<F-IP6/>)?)z
%%inet=testr)��r)��z(%%(?:inet(?:=<IP4>|6=<IP6>)?|dns=<DNS>?))z%%inet=192.0.2.1r)��r)��r����)z%%inet6=2001:DB8::r)��r)���
2001:DB8::)z%%dns=example.comr)��r)��z
example.com)z%test id group: user:(test login name)r)��r)��ztest login namez%%net=<SUBNET>)z%%net=192.0.2.1r)��r)��)r�����inet4)z%%net=192.0.2.1/24r)��r)��)z
192.0.2.0/24r���)z%%net=2001:DB8:FF:FF::1r)��r)��)z2001:db8:ff:ff::1�inet6)z%%net=2001:DB8:FF:FF::1/60r)��r)��)z2001:db8:ff:f0::/60r���z
%%ip="<ADDR>", mask="<CIDR>?")z%%ip="192.0.2.2", mask=""r)��r)��)r����r���)z%%ip="192.0.2.2", mask="24"r)��r)��)z"%%ip="2001:DB8:2FF:FF::1", mask=""r)��r)��)z2001:db8:2ff:ff::1r���)z$%%ip="2001:DB8:2FF:FF::1", mask="60"r)��r)��)z2001:db8:2ff:f0::/60r���)
r���r���r���rx���rd����
hasMatched�search�getHostrD���� getFailID�getIP� familyStr)r ����frr����r
���r
���r#����testHost1��sz���
zRegexTests.testHostN)r'���r(���r)���r���r���r���r
���r
���r
���r#���r���#��s����
r���c�������������������@���r���)�
_BadThreadc�����������������C���s���t�d��)Nzrun bad thread exception)r����r5���r
���r
���r#����runy��s���z_BadThread.runN)r'���r(���r)���r���r
���r
���r
���r#���r���x��s����
r���c�������������������@���r���)�
LoggingTestsc�����������������C���s*���t�d�}|��|jjd��|��|jd��d�S�)Nz
fail2ban.some.string.with.namer���z
fail2ban.name)r���rD����parentr��)r ����
testLogSysr
���r
���r#����testGetF2BLogger��s���z
LoggingTests.testGetF2BLoggerc��������������������s����t�j}g���fdd�t�_z
t��}|����|�������t����fdd�d���W�|t�_n|t�_w����d����� t
��d����� �d�d�t
��d�S�)Nc���������������������s
�������|��S�r
���)r:��)r!���r>���r
���r#���r�������s���
�z5LoggingTests.testFail2BanExceptHook.<locals>.<lambda>c����������������������s���t���o���d�S�)N�Unhandled exception)r�����
_is_loggedr
����r ���r?���r
���r#���r�������r���r����r���r���r���)
rs���__excepthook__r���r����r��rx���r
���r����r����rD���r����r����)r ����
prev_exchook� badThreadr
���r���r#����testFail2BanExceptHook���s���
z#LoggingTests.testFail2BanExceptHookc��������������
���C���s����g�}t��dd�\}}t�|��|�|��t��dd�\}}t�|��|�|��t��}z+|j||dd��|��|�����|�� d��W�|�
���|D�]
}tj
�
|�rRt�
|��qEd�S�|�
���|D�]
}tj
�
|�rht�
|��q[w�)Nz
fail2ban.sockzf2b-testz
fail2ban.pidF)�forcezServer already running)r����r����r����r����r:��r���r����rd���re���r����r9���r��r���r���)r ���� tmp_files�sock_fd� sock_name�
pidfile_fd�
pidfile_namer/���r���r
���r
���r#����testStartFailedSockExists���s0���
���
��z&LoggingTests.testStartFailedSockExistsN)r'���r(���r)���r���r���r���r
���r
���r
���r#���r���}��s����
r���)�
ActionReader�
JailsReader�
CONFIG_DIRc�����������������������s����e�Zd�Z��fdd�Z��fdd�Z��fdd�Zddd �Zd
d
��Zd
d
��Zdd��Z dd��Z
dd��Z
dd��Z
ddd�Z
dd��Z���ZS�)�ServerConfigReaderTestsc��������������������s ���t�t|��j|i�|���i�|�_d�S�r
���)r-���r���__init__�#_ServerConfigReaderTests__share_cfgr ���r6���r
���r#���r�����s���
z ServerConfigReaderTests.__init__c��������������������s���t�t|������g�|�_dS�)r+���N)r-���r��r.����
_execCmdLstr5���r6���r
���r#���r.������s���
z
ServerConfigReaderTests.setUpc��������������������s���t�t|������dS�r8���)r-���r��r:���r5���r6���r
���r#���r:������s���z ServerConfigReaderTests.tearDownr����c�����������������C���s6���|��d�D�]}|�d�st�d|��qt�|��qdS�)N�
�#zexec-cmd: `%s`T)�splitr����logSys�debug)r ����realCmdr_��r���r
���r
���r#����
_executeCmd���s
���
z#ServerConfigReaderTests._executeCmdc�����������������C���sP���t�|�d�s%t��}i�|�_dD�]\}}t|�}|�d��tj�||�|�j|<�q
|�jS�)N�__aInfos))�ipv4r����)�ipv6r���r����)�hasattrr���� _ServerConfigReaderTests__aInfosr
����
setBanTime�_actionsrA���
ActionInfo)r ����dmyjail�tr�����ticketr
���r
���r#����_testActionInfos���s���
z(ServerConfigReaderTests._testActionInfosc�����������������C���s.��|j�}|����}|D�]�}||�jD�]�}||�j|�}t�d��t�d|d�|j���t�d��t|tj�s5q|�j |_
t�d��|��
���|�
���t�d��|��
���|�
|d���t�d��|��
���|�|d���t�d��|��
���|�
|d ���t�d
��|��
���|�|d ���t�d
��|��
���|����qq d�S�)
N�4# ==================================================�
# == %-44s ==� - �# === start ===�# === ban-ipv4 ===r���# === unban ipv4 ===�# === ban ipv6 ===r���# === unban ipv6 ===�# === stop ===)r����r��r���r
��r
���_namer����r���
CommandActionr���
executeCmdr����r����rm��rp��rh���)r ���r/���r;���aInfosrJ���r���r[��r
���r
���r#����_testExecActions���s0���
��z(ServerConfigReaderTests._testExecActionsc����������� ���
���C���sz��t�jjdd��ttd|�jd�}|��|�����|��|�����|j dd�}t
��}|j
}|j
}|D�]�}|d�dkr�|d�dkrAd|d <�nLt
|�d
kro|d�d
kro|d �d
krotj�td
|d��}tj�|�sjtj�td�}||d
<�n
t�jjr�t
|�d
kr�|d�dv�r�|d �dkr�d
|d<�d|d
<�z||��W�q.�ty��}�z|��d||f���W�Y�d�}~q.d�}~ww�q.t�jjs�|��|��d�S�d�S�)NT��stock)�basedir�
force_enable�
share_config)�allow_no_filesr���r����rP���r���r���r����r;���r
���logsr���r
��)r;���z multi-setr1��zDUMMY-REGEX <HOST>z"Command %r has failed. Received %r)rt���ru����SkipIfCfgMissingr��r��r��rx����read�
getOptions�convertr���r0����
_Transmitter__commandHandlerr����r����r��r��r��r���rv���r���r���r(��) r ���r;���streamr/���r1����
cmdHandlerrF���r����er
���r
���r#����testCheckStockJailActions���s>���
$
$
��� �z1ServerConfigReaderTests.testCheckStockJailActionsc�����������������C���sb���|��d|�}t|�\}}d|dgg}t||||�jtd�}|��|�����|�i���|�|� ����|S�)Nz
%(__name__)srP���r���)r-��r+��)
r���r���r��r��r��rx���r1��r2���extendr3��)r ���rJ����act�actName�actOptr5��r[��r
���r
���r#����getDefaultJailStream ��s���
��
z,ServerConfigReaderTests.getDefaultJailStreamc�����������
������C���s����t�jjdd��t�j����dd�l}t��}|j}|�tj� t
dd��D�]+}tj�
|��
dd�}|��
d|�|�}|D�]}|�|�\}} |��|d��q7|��|��q!d�S�) NTr)��r���rg��z*.confz.confr)��zj-)rt���ru���r0���
SkipIfFast�globr���r0���r����r��r��r���basenamer���r=��rE���rD���r(��)
r ���r?��r/���r1����actCfgr:��r5��rF���r]����resr
���r
���r#����testCheckStockAllActions.��s���
�z0ServerConfigReaderTests.testCheckStockAllActionsc��������������
���C���s��t�jjdd��ddddddd d
d
d
d
ddddd�
fdddddddddddd
d
d
d d�
fd d!d"d#d$d%d&d'd(d)d*d+� fd,d-d"d#d.d/d0d1d2�fd3d4d5d6d7d8d9d:d;d<d=d>d?d@dA�
fdBdCd5d6dDdEdFdGdHdIdJdKdLdMdA�
fdNdOdPdQdRdSdTdUdVdWdXdYdZ�
fd[d\d]d^d_d`dadbdcdddedfdZ�
fdgdhd5d6didjdkdldmdndodpdqdrdA�
fdsdtd5d6dudvdwdxdydzd{d|d}d~dA�
fdd�d�d�d�d�d�d�d�d�d�d�d�d��
fd�d�d�d�d�d�d�d�d�d�d�d�d�d��
fd�d�d�d�d�d�d�d�d�d�d�d�d�d��
fd�d�d�d�d�d�d�d�d�d�d�d�d�d�dA�
fd�d�d�d�d�d�d�d�d�d�d�d�d�d��
fd�d�d�d�d�d�d�d�d�d�d�d�d�d��
fd�d�d�d�d�d�d�d�d�d�d�d�dZ�
fd�d�d�d�d�d�d�d�d�d�d�d�dZ�
fd�d�d�d�d�d�d�d�d2�fd�d�d�d�d�d�d�d�d2�ff}t��}|j}|j}|D�] \}}}|��||�}|D�]} |�| �\}
}
|��|
d���qU�qH|j }
|��
��}
|D��]�\}}}|
|�j
D��]�}|
|�j
|�}t
�
d��t
�
d�|d��|j���t
�
d��|��t|tj���|�j|_|��d��|����|�d��r�|�j|d��d�di��n|�d��r�|�d��r�|�j|d��|d���d�di��|��d��|�|
d����|�d��r�|�j|�d�d��|d���d�di��|�d��r|�j|d��d�di��|�j|�d�d��|d���d�di��|�j|d��d�di��|��d���|�|
d����|�j|�d�d��|d���d�di��|�j|d��d�di��|��d���|�|
d����|�d��rp|�j|�d�d��|d���d�di��|�d��r�|�j|d��d�di��|�j|�d�d��|d���d�di��|�j|�d��d�di��|���d��|�|
d����|�j|�d�d��|�d��d�di��|�j|�d��d�di��|��d��r�|���d��|�
���|�j|�d�d�di��|���d��|�
���|��d��r�|�j|�d�d�di���q|�qqd�S�(��NTr)��z
j-w-nft-mpzQnftables-multiport[name=%(__name__)s, port="http,https", protocol="tcp,udp,sctp"])zip � ipv4_addrzaddr-)zip6 � ipv6_addrzaddr6-)�
`nft add table inet f2b-table`�W`nft -- add chain inet f2b-table f2b-chain \{ type filter hook input priority -1 \; \}`z9`for proto in $(echo 'tcp,udp,sctp' | sed 's/,/ /g'); do`z`done`)zG`nft add set inet f2b-table addr-set-j-w-nft-mp \{ type ipv4_addr\; \}`z�`nft add rule inet f2b-table f2b-chain $proto dport \{ $(echo 'http,https' | sed s/:/-/g) \} ip saddr @addr-set-j-w-nft-mp reject`)zH`nft add set inet f2b-table addr6-set-j-w-nft-mp \{ type ipv6_addr\; \}`z�`nft add rule inet f2b-table f2b-chain $proto dport \{ $(echo 'http,https' | sed s/:/-/g) \} ip6 saddr @addr6-set-j-w-nft-mp reject`)zG`{ nft flush set inet f2b-table addr-set-j-w-nft-mp 2> /dev/null; } || zH`{ nft flush set inet f2b-table addr6-set-j-w-nft-mp 2> /dev/null; } || )z�`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`�5`nft delete rule inet f2b-table f2b-chain $hdl; done`z3`nft delete set inet f2b-table addr-set-j-w-nft-mp`z�`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-mp\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`rH��z4`nft delete set inet f2b-table addr6-set-j-w-nft-mp`)zO`nft list chain inet f2b-table f2b-chain | grep -q '@addr-set-j-w-nft-mp[ \t]'`)zP`nft list chain inet f2b-table f2b-chain | grep -q '@addr6-set-j-w-nft-mp[ \t]'`)zD`nft add element inet f2b-table addr-set-j-w-nft-mp \{ 192.0.2.1 \}`)zG`nft delete element inet f2b-table addr-set-j-w-nft-mp \{ 192.0.2.1 \}`)zF`nft add element inet f2b-table addr6-set-j-w-nft-mp \{ 2001:db8:: \}`)zI`nft delete element inet f2b-table addr6-set-j-w-nft-mp \{ 2001:db8:: \}`)
�ip4�ip6�*-start� ip4-start� ip6-start�flushrh���� ip4-check� ip6-check�ip4-ban� ip4-unban�ip6-ban� ip6-unbanz
j-w-nft-apz8nftables-allports[name=%(__name__)s, protocol="tcp,udp"])rF��rG��)zG`nft add set inet f2b-table addr-set-j-w-nft-ap \{ type ipv4_addr\; \}`zg`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip saddr @addr-set-j-w-nft-ap reject`)zH`nft add set inet f2b-table addr6-set-j-w-nft-ap \{ type ipv6_addr\; \}`zi`nft add rule inet f2b-table f2b-chain meta l4proto \{ tcp,udp \} ip6 saddr @addr6-set-j-w-nft-ap reject`)zG`{ nft flush set inet f2b-table addr-set-j-w-nft-ap 2> /dev/null; } || zH`{ nft flush set inet f2b-table addr6-set-j-w-nft-ap 2> /dev/null; } || )z�`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`rH��z3`nft delete set inet f2b-table addr-set-j-w-nft-ap`z�`{ nft -a list chain inet f2b-table f2b-chain | grep -oP '@addr6-set-j-w-nft-ap\s+.*\s+\Khandle\s+(\d+)$'; } | while read -r hdl; do`rH��z4`nft delete set inet f2b-table addr6-set-j-w-nft-ap`)zO`nft list chain inet f2b-table f2b-chain | grep -q '@addr-set-j-w-nft-ap[ \t]'`)zP`nft list chain inet f2b-table f2b-chain | grep -q '@addr6-set-j-w-nft-ap[ \t]'`)zD`nft add element inet f2b-table addr-set-j-w-nft-ap \{ 192.0.2.1 \}`)zG`nft delete element inet f2b-table addr-set-j-w-nft-ap \{ 192.0.2.1 \}`)zF`nft add element inet f2b-table addr6-set-j-w-nft-ap \{ 2001:db8:: \}`)zI`nft delete element inet f2b-table addr6-set-j-w-nft-ap \{ 2001:db8:: \}`zj-dummyzodummy[name=%(__name__)s, init="=='<family>/<ip>'==bt:<bantime>==bc:<bancount>==", target="/tmp/fail2ban.dummy"])z
family: inet4)z
family: inet6)z$`printf %b "=='/'==bt:600==bc:0==\n"z7`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- started"`)z9`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- clear all"`)z7`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- stopped"`)zP`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- banned 192.0.2.1 (family: inet4)"`)zR`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- unbanned 192.0.2.1 (family: inet4)"`)zQ`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- banned 2001:db8:: (family: inet6)"`)zS`echo "[j-dummy] dummy /tmp/fail2ban.dummy -- unbanned 2001:db8:: (family: inet6)"`) rI��rJ��r����rN��rh���rQ��rR��rS��rT��z
j-hostsdenyzPhostsdeny[name=%(__name__)s, actionstop="rm <file>", file="/tmp/fail2ban.dummy"])z5`printf %b "ALL: 192.0.2.1\n" >> /tmp/fail2ban.dummy`)z^`IP=$(echo "192.0.2.1" | sed 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /tmp/fail2ban.dummy`)z8`printf %b "ALL: [2001:db8::]\n" >> /tmp/fail2ban.dummy`)za`IP=$(echo "[2001:db8::]" | sed 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /tmp/fail2ban.dummy`)rI��rJ��rQ��rR��rS��rT��zj-w-iptables-mpzniptables-multiport[name=%(__name__)s, bantime="10m", port="http,https", protocol="tcp", chain="<known/chain>"])�
`iptables �icmp-port-unreachable)�
`ip6tables �icmp6-port-unreachable)z$`iptables -w -N f2b-j-w-iptables-mp`z.`iptables -w -A f2b-j-w-iptables-mp -j RETURN`zU`iptables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-j-w-iptables-mp`)z%`ip6tables -w -N f2b-j-w-iptables-mp`z/`ip6tables -w -A f2b-j-w-iptables-mp -j RETURN`zV`ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-j-w-iptables-mp`)�$`iptables -w -F f2b-j-w-iptables-mp`�%`ip6tables -w -F f2b-j-w-iptables-mp`)zU`iptables -w -D INPUT -p tcp -m multiport --dports http,https -j f2b-j-w-iptables-mp`rY��z$`iptables -w -X f2b-j-w-iptables-mp`zV`ip6tables -w -D INPUT -p tcp -m multiport --dports http,https -j f2b-j-w-iptables-mp`rZ��z%`ip6tables -w -X f2b-j-w-iptables-mp`)z>`iptables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-mp[ \t]'`)z?`ip6tables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-mp[ \t]'`)za`iptables -w -I f2b-j-w-iptables-mp 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)z_`iptables -w -D f2b-j-w-iptables-mp -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)zd`ip6tables -w -I f2b-j-w-iptables-mp 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)zb`ip6tables -w -D f2b-j-w-iptables-mp -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)
rI��rJ��rL��rM��rN��rh���rO��rP��rQ��rR��rS��rT��zj-w-iptables-apzZiptables-allports[name=%(__name__)s, bantime="10m", protocol="tcp", chain="<known/chain>"])z$`iptables -w -N f2b-j-w-iptables-ap`z.`iptables -w -A f2b-j-w-iptables-ap -j RETURN`z4`iptables -w -I INPUT -p tcp -j f2b-j-w-iptables-ap`)z%`ip6tables -w -N f2b-j-w-iptables-ap`z/`ip6tables -w -A f2b-j-w-iptables-ap -j RETURN`z5`ip6tables -w -I INPUT -p tcp -j f2b-j-w-iptables-ap`)�$`iptables -w -F f2b-j-w-iptables-ap`�%`ip6tables -w -F f2b-j-w-iptables-ap`)z4`iptables -w -D INPUT -p tcp -j f2b-j-w-iptables-ap`r[��z$`iptables -w -X f2b-j-w-iptables-ap`z5`ip6tables -w -D INPUT -p tcp -j f2b-j-w-iptables-ap`r\��z%`ip6tables -w -X f2b-j-w-iptables-ap`)z>`iptables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-ap[ \t]'`)z?`ip6tables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-ap[ \t]'`)za`iptables -w -I f2b-j-w-iptables-ap 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)z_`iptables -w -D f2b-j-w-iptables-ap -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)zd`ip6tables -w -I f2b-j-w-iptables-ap 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)zb`ip6tables -w -D f2b-j-w-iptables-ap -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`zj-w-iptables-ipsetz\iptables-ipset-proto6[name=%(__name__)s, port="http", protocol="tcp", chain="<known/chain>"])z f2b-j-w-iptables-ipset )z f2b-j-w-iptables-ipset6 )z8`ipset create f2b-j-w-iptables-ipset hash:ip timeout 0 `z�`iptables -w -I INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`)zE`ipset create f2b-j-w-iptables-ipset6 hash:ip timeout 0 family inet6`z�`ip6tables -w -I INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`)�$`ipset flush f2b-j-w-iptables-ipset`�%`ipset flush f2b-j-w-iptables-ipset6`)z�`iptables -w -D INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset src -j REJECT --reject-with icmp-port-unreachable`r]��z&`ipset destroy f2b-j-w-iptables-ipset`z�`ip6tables -w -D INPUT -p tcp -m multiport --dports http -m set --match-set f2b-j-w-iptables-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`r^��z'`ipset destroy f2b-j-w-iptables-ipset6`)z=`ipset add f2b-j-w-iptables-ipset 192.0.2.1 timeout 0 -exist`)z3`ipset del f2b-j-w-iptables-ipset 192.0.2.1 -exist`)z?`ipset add f2b-j-w-iptables-ipset6 2001:db8:: timeout 0 -exist`)z5`ipset del f2b-j-w-iptables-ipset6 2001:db8:: -exist`)
rI��rJ��rL��rM��rN��rh���rQ��rR��rS��rT��zj-w-iptables-ipset-apzHiptables-ipset-proto6-allports[name=%(__name__)s, chain="<known/chain>"])z f2b-j-w-iptables-ipset-ap )z
f2b-j-w-iptables-ipset-ap6 )z;`ipset create f2b-j-w-iptables-ipset-ap hash:ip timeout 0 `zu`iptables -w -I INPUT -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`)zH`ipset create f2b-j-w-iptables-ipset-ap6 hash:ip timeout 0 family inet6`zx`ip6tables -w -I INPUT -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`)�'`ipset flush f2b-j-w-iptables-ipset-ap`�(`ipset flush f2b-j-w-iptables-ipset-ap6`)zu`iptables -w -D INPUT -m set --match-set f2b-j-w-iptables-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`r_��z)`ipset destroy f2b-j-w-iptables-ipset-ap`zx`ip6tables -w -D INPUT -m set --match-set f2b-j-w-iptables-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`r`��z*`ipset destroy f2b-j-w-iptables-ipset-ap6`)z@`ipset add f2b-j-w-iptables-ipset-ap 192.0.2.1 timeout 0 -exist`)z6`ipset del f2b-j-w-iptables-ipset-ap 192.0.2.1 -exist`)zB`ipset add f2b-j-w-iptables-ipset-ap6 2001:db8:: timeout 0 -exist`)z8`ipset del f2b-j-w-iptables-ipset-ap6 2001:db8:: -exist`z
j-w-iptablesz^iptables[name=%(__name__)s, bantime="10m", port="http", protocol="tcp", chain="<known/chain>"])z!`iptables -w -N f2b-j-w-iptables`z+`iptables -w -A f2b-j-w-iptables -j RETURN`z>`iptables -w -I INPUT -p tcp --dport http -j f2b-j-w-iptables`)z"`ip6tables -w -N f2b-j-w-iptables`z,`ip6tables -w -A f2b-j-w-iptables -j RETURN`z?`ip6tables -w -I INPUT -p tcp --dport http -j f2b-j-w-iptables`)�!`iptables -w -F f2b-j-w-iptables`�"`ip6tables -w -F f2b-j-w-iptables`)z>`iptables -w -D INPUT -p tcp --dport http -j f2b-j-w-iptables`ra��z!`iptables -w -X f2b-j-w-iptables`z?`ip6tables -w -D INPUT -p tcp --dport http -j f2b-j-w-iptables`rb��z"`ip6tables -w -X f2b-j-w-iptables`)z;`iptables -w -n -L INPUT | grep -q 'f2b-j-w-iptables[ \t]'`)z<`ip6tables -w -n -L INPUT | grep -q 'f2b-j-w-iptables[ \t]'`)z^`iptables -w -I f2b-j-w-iptables 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)z\`iptables -w -D f2b-j-w-iptables -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)za`ip6tables -w -I f2b-j-w-iptables 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)z_`ip6tables -w -D f2b-j-w-iptables -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`zj-w-iptables-newzbiptables-new[name=%(__name__)s, bantime="10m", port="http", protocol="tcp", chain="<known/chain>"])z%`iptables -w -N f2b-j-w-iptables-new`z/`iptables -w -A f2b-j-w-iptables-new -j RETURN`zW`iptables -w -I INPUT -m state --state NEW -p tcp --dport http -j f2b-j-w-iptables-new`)z&`ip6tables -w -N f2b-j-w-iptables-new`z0`ip6tables -w -A f2b-j-w-iptables-new -j RETURN`zX`ip6tables -w -I INPUT -m state --state NEW -p tcp --dport http -j f2b-j-w-iptables-new`)�%`iptables -w -F f2b-j-w-iptables-new`�&`ip6tables -w -F f2b-j-w-iptables-new`)zW`iptables -w -D INPUT -m state --state NEW -p tcp --dport http -j f2b-j-w-iptables-new`rc��z%`iptables -w -X f2b-j-w-iptables-new`zX`ip6tables -w -D INPUT -m state --state NEW -p tcp --dport http -j f2b-j-w-iptables-new`rd��z&`ip6tables -w -X f2b-j-w-iptables-new`)z?`iptables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-new[ \t]'`)z@`ip6tables -w -n -L INPUT | grep -q 'f2b-j-w-iptables-new[ \t]'`)zb`iptables -w -I f2b-j-w-iptables-new 1 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)z``iptables -w -D f2b-j-w-iptables-new -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)ze`ip6tables -w -I f2b-j-w-iptables-new 1 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)zc`ip6tables -w -D f2b-j-w-iptables-new -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`zj-w-iptables-xtrezPiptables-xt_recent-echo[name=%(__name__)s, bantime="10m", chain="<known/chain>"])rU��z/f2b-j-w-iptables-xtre`)rW��z/f2b-j-w-iptables-xtre6`)z�`if [ `id -u` -eq 0 ];then iptables -w -I INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable;fi`)z�`if [ `id -u` -eq 0 ];then ip6tables -w -I INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable;fi`)z4`echo / > /proc/net/xt_recent/f2b-j-w-iptables-xtre`z�`if [ `id -u` -eq 0 ];then iptables -w -D INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre -j REJECT --reject-with icmp-port-unreachable;fi`z5`echo / > /proc/net/xt_recent/f2b-j-w-iptables-xtre6`z�`if [ `id -u` -eq 0 ];then ip6tables -w -D INPUT -m recent --update --seconds 3600 --name f2b-j-w-iptables-xtre6 -j REJECT --reject-with icmp6-port-unreachable;fi`)z3`test -e /proc/net/xt_recent/f2b-j-w-iptables-xtre`)z4`test -e /proc/net/xt_recent/f2b-j-w-iptables-xtre6`)z=`echo +192.0.2.1 > /proc/net/xt_recent/f2b-j-w-iptables-xtre`)z=`echo -192.0.2.1 > /proc/net/xt_recent/f2b-j-w-iptables-xtre`)z?`echo +2001:db8:: > /proc/net/xt_recent/f2b-j-w-iptables-xtre6`)z?`echo -2001:db8:: > /proc/net/xt_recent/f2b-j-w-iptables-xtre6`)
rI��rJ��rL��rM��rh���rO��rP��rQ��rR��rS��rT��zj-w-pfz2pf[name=%(__name__)s, actionstart_on_demand=false]r
���)zF`echo "table <f2b-j-w-pf> persist counters" | pfctl -a f2b/j-w-pf -f-`z
port="<port>"z\`echo "block quick proto tcp from <f2b-j-w-pf> to any port $port" | pfctl -a f2b/j-w-pf -f-`)�,`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T flush`)zT`pfctl -a f2b/j-w-pf -sr 2>/dev/null | grep -v f2b-j-w-pf | pfctl -a f2b/j-w-pf -f-`re��z+`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T kill`)z.`pfctl -a f2b/j-w-pf -sr | grep -q f2b-j-w-pf`)z4`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T add 192.0.2.1`)z7`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T delete 192.0.2.1`)z5`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T add 2001:db8::`)z8`pfctl -a f2b/j-w-pf -t f2b-j-w-pf -T delete 2001:db8::`)
rI��rJ��r����rN��rh���rO��rP��rQ��rR��rS��rT��z j-w-pf-mpz@pf[actiontype=<multiport>][name=%(__name__)s, port="http,https"])zL`echo "table <f2b-j-w-pf-mp> persist counters" | pfctl -a f2b/j-w-pf-mp -f-`zport="http,https"zb`echo "block quick proto tcp from <f2b-j-w-pf-mp> to any port $port" | pfctl -a f2b/j-w-pf-mp -f-`)�2`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T flush`)z]`pfctl -a f2b/j-w-pf-mp -sr 2>/dev/null | grep -v f2b-j-w-pf-mp | pfctl -a f2b/j-w-pf-mp -f-`rf��z1`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T kill`)z4`pfctl -a f2b/j-w-pf-mp -sr | grep -q f2b-j-w-pf-mp`)z:`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T add 192.0.2.1`)z=`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T delete 192.0.2.1`)z;`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T add 2001:db8::`)z>`pfctl -a f2b/j-w-pf-mp -t f2b-j-w-pf-mp -T delete 2001:db8::`z j-w-pf-apzHpf[actiontype=<allports>, actionstart_on_demand=true][name=%(__name__)s])zL`echo "table <f2b-j-w-pf-ap> persist counters" | pfctl -a f2b/j-w-pf-ap -f-`zW`echo "block quick proto tcp from <f2b-j-w-pf-ap> to any" | pfctl -a f2b/j-w-pf-ap -f-`)�2`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T flush`)z]`pfctl -a f2b/j-w-pf-ap -sr 2>/dev/null | grep -v f2b-j-w-pf-ap | pfctl -a f2b/j-w-pf-ap -f-`rg��z1`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T kill`)z4`pfctl -a f2b/j-w-pf-ap -sr | grep -q f2b-j-w-pf-ap`)z:`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T add 192.0.2.1`)z=`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T delete 192.0.2.1`)z;`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T add 2001:db8::`)z>`pfctl -a f2b/j-w-pf-ap -t f2b-j-w-pf-ap -T delete 2001:db8::`z
j-w-fwcmd-mpzqfirewallcmd-multiport[name=%(__name__)s, bantime="10m", port="http,https", protocol="tcp", chain="<known/chain>"])z ipv4 rV��)z ipv6 rX��)z@`firewall-cmd --direct --add-chain ipv4 filter f2b-j-w-fwcmd-mp`zN`firewall-cmd --direct --add-rule ipv4 filter f2b-j-w-fwcmd-mp 1000 -j RETURN`z�`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports "$(echo 'http,https' | sed s/:/-/g)" -j f2b-j-w-fwcmd-mp`)z@`firewall-cmd --direct --add-chain ipv6 filter f2b-j-w-fwcmd-mp`zN`firewall-cmd --direct --add-rule ipv6 filter f2b-j-w-fwcmd-mp 1000 -j RETURN`z�`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports "$(echo 'http,https' | sed s/:/-/g)" -j f2b-j-w-fwcmd-mp`)z�`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports "$(echo 'http,https' | sed s/:/-/g)" -j f2b-j-w-fwcmd-mp`zC`firewall-cmd --direct --remove-rules ipv4 filter f2b-j-w-fwcmd-mp`zC`firewall-cmd --direct --remove-chain ipv4 filter f2b-j-w-fwcmd-mp`z�`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -m conntrack --ctstate NEW -p tcp -m multiport --dports "$(echo 'http,https' | sed s/:/-/g)" -j f2b-j-w-fwcmd-mp`zC`firewall-cmd --direct --remove-rules ipv6 filter f2b-j-w-fwcmd-mp`zC`firewall-cmd --direct --remove-chain ipv6 filter f2b-j-w-fwcmd-mp`)zc`firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-j-w-fwcmd-mp$'`)zc`firewall-cmd --direct --get-chains ipv6 filter | sed -e 's, ,\n,g' | grep -q '^f2b-j-w-fwcmd-mp$'`)z|`firewall-cmd --direct --add-rule ipv4 filter f2b-j-w-fwcmd-mp 0 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)z`firewall-cmd --direct --remove-rule ipv4 filter f2b-j-w-fwcmd-mp 0 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)z~`firewall-cmd --direct --add-rule ipv6 filter f2b-j-w-fwcmd-mp 0 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)z�`firewall-cmd --direct --remove-rule ipv6 filter f2b-j-w-fwcmd-mp 0 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`z
j-w-fwcmd-apz]firewallcmd-allports[name=%(__name__)s, bantime="10m", protocol="tcp", chain="<known/chain>"])z@`firewall-cmd --direct --add-chain ipv4 filter f2b-j-w-fwcmd-ap`zN`firewall-cmd --direct --add-rule ipv4 filter f2b-j-w-fwcmd-ap 1000 -j RETURN`zQ`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-j-w-fwcmd-ap`)z@`firewall-cmd --direct --add-chain ipv6 filter f2b-j-w-fwcmd-ap`zN`firewall-cmd --direct --add-rule ipv6 filter f2b-j-w-fwcmd-ap 1000 -j RETURN`zQ`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -j f2b-j-w-fwcmd-ap`)zT`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -j f2b-j-w-fwcmd-ap`zC`firewall-cmd --direct --remove-rules ipv4 filter f2b-j-w-fwcmd-ap`zC`firewall-cmd --direct --remove-chain ipv4 filter f2b-j-w-fwcmd-ap`zT`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -j f2b-j-w-fwcmd-ap`zC`firewall-cmd --direct --remove-rules ipv6 filter f2b-j-w-fwcmd-ap`zC`firewall-cmd --direct --remove-chain ipv6 filter f2b-j-w-fwcmd-ap`)zc`firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-j-w-fwcmd-ap$'`)zc`firewall-cmd --direct --get-chains ipv6 filter | sed -e 's, ,\n,g' | grep -q '^f2b-j-w-fwcmd-ap$'`)z|`firewall-cmd --direct --add-rule ipv4 filter f2b-j-w-fwcmd-ap 0 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)z`firewall-cmd --direct --remove-rule ipv4 filter f2b-j-w-fwcmd-ap 0 -s 192.0.2.1 -j REJECT --reject-with icmp-port-unreachable`)z~`firewall-cmd --direct --add-rule ipv6 filter f2b-j-w-fwcmd-ap 0 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`)z�`firewall-cmd --direct --remove-rule ipv6 filter f2b-j-w-fwcmd-ap 0 -s 2001:db8:: -j REJECT --reject-with icmp6-port-unreachable`zj-w-fwcmd-ipsetzXfirewallcmd-ipset[name=%(__name__)s, port="http", protocol="tcp", chain="<known/chain>"])z f2b-j-w-fwcmd-ipset )z f2b-j-w-fwcmd-ipset6 )z5`ipset create f2b-j-w-fwcmd-ipset hash:ip timeout 0 `z�`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo 'http' | sed s/:/-/g)" -m set --match-set f2b-j-w-fwcmd-ipset src -j REJECT --reject-with icmp-port-unreachable`)zB`ipset create f2b-j-w-fwcmd-ipset6 hash:ip timeout 0 family inet6`z�`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo 'http' | sed s/:/-/g)" -m set --match-set f2b-j-w-fwcmd-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`)�!`ipset flush f2b-j-w-fwcmd-ipset`�"`ipset flush f2b-j-w-fwcmd-ipset6`)z�`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo 'http' | sed s/:/-/g)" -m set --match-set f2b-j-w-fwcmd-ipset src -j REJECT --reject-with icmp-port-unreachable`rh��z#`ipset destroy f2b-j-w-fwcmd-ipset`z�`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo 'http' | sed s/:/-/g)" -m set --match-set f2b-j-w-fwcmd-ipset6 src -j REJECT --reject-with icmp6-port-unreachable`ri��z$`ipset destroy f2b-j-w-fwcmd-ipset6`)z:`ipset add f2b-j-w-fwcmd-ipset 192.0.2.1 timeout 0 -exist`)z0`ipset del f2b-j-w-fwcmd-ipset 192.0.2.1 -exist`)z<`ipset add f2b-j-w-fwcmd-ipset6 2001:db8:: timeout 0 -exist`)z2`ipset del f2b-j-w-fwcmd-ipset6 2001:db8:: -exist`zj-w-fwcmd-ipset-apzbfirewallcmd-ipset[name=%(__name__)s, actiontype=<allports>, protocol="tcp", chain="<known/chain>"])z f2b-j-w-fwcmd-ipset-ap )z f2b-j-w-fwcmd-ipset-ap6 )z8`ipset create f2b-j-w-fwcmd-ipset-ap hash:ip timeout 0 `z�`firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`)zE`ipset create f2b-j-w-fwcmd-ipset-ap6 hash:ip timeout 0 family inet6`z�`firewall-cmd --direct --add-rule ipv6 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`)�$`ipset flush f2b-j-w-fwcmd-ipset-ap`�%`ipset flush f2b-j-w-fwcmd-ipset-ap6`)z�`firewall-cmd --direct --remove-rule ipv4 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap src -j REJECT --reject-with icmp-port-unreachable`rj��z&`ipset destroy f2b-j-w-fwcmd-ipset-ap`z�`firewall-cmd --direct --remove-rule ipv6 filter INPUT_direct 0 -p tcp -m set --match-set f2b-j-w-fwcmd-ipset-ap6 src -j REJECT --reject-with icmp6-port-unreachable`rk��z'`ipset destroy f2b-j-w-fwcmd-ipset-ap6`)z=`ipset add f2b-j-w-fwcmd-ipset-ap 192.0.2.1 timeout 0 -exist`)z3`ipset del f2b-j-w-fwcmd-ipset-ap 192.0.2.1 -exist`)z?`ipset add f2b-j-w-fwcmd-ipset-ap6 2001:db8:: timeout 0 -exist`)z5`ipset del f2b-j-w-fwcmd-ipset-ap6 2001:db8:: -exist`z
j-fwcmd-rrz4firewallcmd-rich-rules[port="22:24", protocol="tcp"])z
family='ipv4'rV��)z
family='ipv6'rX��)z�`ports="$(echo '22:24' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`)z�`ports="$(echo '22:24' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' reject type='icmp-port-unreachable'"; done`)z� `ports="$(echo '22:24' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`)z�`ports="$(echo '22:24' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' reject type='icmp6-port-unreachable'"; done`z
j-fwcmd-rlz6firewallcmd-rich-logging[port="22:24", protocol="tcp"])a"��`ports="$(echo '22:24' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`)a%��`ports="$(echo '22:24' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='192.0.2.1' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp-port-unreachable'"; done`)a%�� `ports="$(echo '22:24' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`)a'��`ports="$(echo '22:24' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv6' source address='2001:db8::' port port='$p' protocol='tcp' log prefix='f2b-j-fwcmd-rl' level='info' limit value='1/m' reject type='icmp6-port-unreachable'"; done`r���r��r
��r
��r
��r����r����rL��rM��r ��r��rK��rO��rQ��rJ��r ��rR��r!��r��rP��rS��rI��r"��rT��rN��z# === flush ===r#��rh���)
rt���ru���r0��r���r0���r4��r=��rE���rD���r����r��r���r
��r
��r$��rx���r����r��r%��r��r&��r����r����r<���r����r����rm��rp��rN��rh���)r ����testJailsActionsr/���r1���r6��rJ���r:���testsr5��rF���r]���rB��r;��r'��r���r[��r
���r
���r#����
testCheckStockCommandActionsB��sN�� �1�.���,�,�$�$�,�,�"����(�(�$�$������������������'
�
,
,
"
$���z4ServerConfigReaderTests.testCheckStockCommandActionsc�����������������C���s`���|}t�|t�r
|d�}t�dd|�}t�ddd��|d�}t�|t�r&||d<�n|}tjj||d�S�) Nr���z\)\s*\|\s*(\S*mail\b[^\n]*)z$) | cat; printf "\\n... | "; echo \1z\bADDRESSES=\$\(dig\s[^\n]+c�����������������S���s���dS�)Nz@ADDRESSES="abuse-1@abuse-test-server, abuse-2@abuse-test-server"r
���)�mr
���r
���r#���r����;��s����z9ServerConfigReaderTests._executeMailCmd.<locals>.<lambda>r���)r_��)r����rU����re�subr��r%��r&��)r ���r
��r_��rF���r
���r
���r#����_executeMailCmd2��s
���
��
z'ServerConfigReaderTests._executeMailCmdc�����������������C���s��t�jjdd��ddtj�td��d�d�tj�td��d �d
d
ifd
d
tj�td��d�d�tj�td��d �d
difddtj�td��d�d�tj�td��d�ddd�fddddd�ff}t��}|j}|j }|D�]
\}}}|��
||�}|D�]} |�
| �\}
}
|��
|
d��qwqj|j
}
td�}
td�}t��}|D�]m\}}}|
|�jD�]b}|
|�j|�}t�d
��t�d
|d
�|j���t�d
��|�j|_d
|
fd |ffD�]7\}}|�|�s�q�|��d |���t|�}|�d!��|�d"d#g��tj
�
||�}|�
|��|�j ||�d$di��q�q�q�d�S�)%NTr)��zj-mail-whois-linesz\mail-whois-lines[name=%(__name__)s, grepopts="-m 1", grepmax=2, mailcmd="mail -s", logpath="r
��r��z ztestcase01a.logz8", _whois_command="echo '-- information about <ip> --'"]rQ��)�;The IP 87.142.124.10 has just been banned by Fail2Ban afterz(100 attempts against j-mail-whois-lines.�.Here is more information about 87.142.124.10 :�%-- information about 87.142.124.10 --�2Lines containing failures of 87.142.124.10 (max 2)�etestcase01.log:Dec 31 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 87.142.124.10�etestcase01a.log:Dec 31 11:55:01 [sshd] error: PAM: Authentication failure for test from 87.142.124.10zj-sendmail-whois-lineszxsendmail-whois-lines[name=%(__name__)s, grepopts="-m 1", grepmax=2, mailcmd='testmail -f "<sender>" "<dest>"', logpath=")rs��z,100 attempts against j-sendmail-whois-lines.rt��ru��rv��rw��rx��zj-complain-abusez�complain[name=%(__name__)s, grepopts="-m 1", grepmax=2, mailcmd="mail -s 'Hostname: <ip-host>, family: <family>' - ",debug=1,logpath="z", ])�6try to resolve 10.124.142.87.abuse-contacts.abusix.orgrv��rw��rx��zymail -s Hostname: test-host, family: inet4 - Abuse from 87.142.124.10 abuse-1@abuse-test-server abuse-2@abuse-test-server)�htry to resolve 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.abuse-contacts.abusix.orgz0Lines containing failures of 2001:db8::1 (max 2)zwmail -s Hostname: test-host, family: inet6 - Abuse from 2001:db8::1 abuse-1@abuse-test-server abuse-2@abuse-test-server)rQ��rS��z
j-xarf-abusezIxarf-login-attack[name=%(__name__)s, mailcmd="mail", mailargs="",debug=1])ry��z8We have detected abuse from the IP address 87.142.124.10�VDec 31 11:59:59 [sshd] error: PAM: Authentication failure for kevin from 87.142.124.10�UDec 31 11:55:01 [sshd] error: PAM: Authentication failure for test from 87.142.124.10�8mail abuse-1@abuse-test-server abuse-2@abuse-test-server)rz��z6We have detected abuse from the IP address 2001:db8::1r}��r���z
87.142.124.10z
2001:db8::1r��r
��r
��rS��z
# === %s ===r����r{��r|��r����) rt���ru���r0��r����r��r��r��r���r0���r4��r=��rE���rD���r����r ���r���r���r
��r
��r$��rr��r&��r<���r����r
����
setAttempt�
setMatchesr��rA��r��rm��r����)r ���rl��r/���r1���r6��rJ���r:��rm��r5��rF���r]���rB��r;��r��r��r��r���r[���testr����r��r
���r
���r#����
testComplexMailActionMultiLogD��s����
���
����
���
����
���
�� ��
���_
�
�
���z5ServerConfigReaderTests.testComplexMailActionMultiLog)r����)r'���r(���r)���r��r.���r:���r��r��r(��r8��r=��rC��rn��rr��r���rb���r
���r
���r6���r#���r�����s$����
"3�����
ur��)@�
__author__�
__copyright__�
__license__rt���rw���r����r����rp��rs��r����server.failregexr���r���r���r/���r���r���
server.serverr����
server.ipdnsr ����
server.jailr
����server.jailthreadr
����
server.ticketr
����
server.utilsr
���� dummyjailr����utilsr���r���r����helpersr���r���r���r)��r���r���rQ��r��r���dirname�__file__r��r4���r
��r���r*���rc���r����TestCaser���r���r���r����clientreadertestcaser��r��r��r��r
���r
���r
���r#����<module>���s\���
�[������} U*