also sprach Yaroslav Halchenko <[EMAIL PROTECTED]> [2006.11.15.1655 +0100]:
> it is hard to see whole picture since you are just sending changing
> snippets of configuration - send the whole entirety...

I did. And it's not changing. Again, without comments:

==> /etc/fail2ban/jail.local <==
[DEFAULT]
action = my-iptables[name=%(__name__)s, port=%(port)s, fwchain=%(fwchain)s, post_start_commands=%(post_start_commands)s, pre_end_commands=%(pre_end_commands)s]

[ssh]
fwchain = ssh-tarpit
post_start_commands = iptables -I %(fwchain)s -j ssh-whitelist
pre_end_commands = iptables -D %(fwchain)s -j ssh-whitelist

==> /etc/fail2ban/action.d/my-iptables.local <==
[Definition]
actionstart = iptables -N fail2ban-<name>
              iptables -I <fwchain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
        %(post_start_commands)s
actionstop = <pre_end_commands>
             iptables -D <fwchain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
actioncheck = iptables -L <fwchain> | grep -q fail2ban-<name>
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]
name = default
port = ssh
protocol = tcp
fwchain = INPUT
post_start_commands =
pre_end_commands =
==> END <==

> I bet that the reason for the current issue is that you defined
> actionstart in [Definition] of config/action.d/iptables.conf whereas
> you defined post_start_commands in [Init] --- how can it see
> its value in Definition?? define it in a new section [DEFAULT] of
> the same file then... and you might need to define it to smth
> nonempty - I am not sure what freaks ConfigParser out exactly

I tried this, but I get the same error as originally.

The reason I put my stuff into [Init] is because of the way protocol
is set right now. [Init] defines it to be tcp, but none of the jail
configurations define it, yet it gets used in the actionban/unban
parameters, and I assume it can be specified in the jail sections to
override the default. This is exactly what I want for my three
settings, so I modeled them after protocol.

However, I had to add the fwchain=%(fwchain)s, ... stuff to
jail.local/[DEFAULT]/action because otherwise I couldn't get the
wanted result, which I still cannot get, but I am a little bit
smarter now...

Basically, the action works as intended, the fwchain and
post_start_commands/pre_end_commands are properly interpolated, iff
I use this action setting:

  action = my-iptables[name=%(__name__)s, port=%(port)s]

However, overriding them from the jail configuration does not work:

  [ssh]
  fwchain = ssh-tarpit
  ...

will still cause INPUT (which is the fwchain default value defined
in action.d/my-iptables.local/[DEFAULT]/fwchain) to be used.

Thus I thought I'd need to pass those variables into the action
script:

  action = my-iptables[name=%(__name__)s, port=%(port)s,
      fwchain=%(fwchain)s, post_start_commands=%(post_start_commands)s,
      pre_end_commands=%(pre_end_commands)s]

This then produces the error message that sparked this bug.

So my question is how I can override the defaults from the jail
configuration.

> once again - this is not a fail2ban issue but rather logic behind
> usage of python interpolations in config files

I would appreciate it if you pointed me to some documentation on how
to configure fail2ban the way you're supposed to.

-- 
 .''`.   martin f. krafft <[EMAIL PROTECTED]>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems
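
An added example, not part of the message above and not code from fail2ban: a small Python script that models the two substitution layers this thread is wrestling with. The first is %(name)s interpolation in jail.local, which is plain ConfigParser interpolation: a reference is looked up in the jail's own section, then in [DEFAULT], and anything still missing raises InterpolationMissingOptionError, which is why passing fwchain=%(fwchain)s from [DEFAULT] blows up for any jail that does not set fwchain, and why giving it a default in jail.local's [DEFAULT] makes the per-jail override work. The second is <tag> replacement in action.d commands, which is fail2ban's own mechanism ([Init] defaults, overridden by the key=value parameters on the jail's action line); render_action() below is a simplified model of that, not fail2ban's implementation, and it uses <post_start_commands> rather than %(post_start_commands)s inside the command, which is the point Yaroslav makes. The [apache] jail is invented for the example, Python 2's ConfigParser set __name__ to the section name automatically while Python 3 does not (so it is passed via vars= here), and all config text is constructed.

```python
"""Model %(name)s interpolation in jail.local and <tag> replacement in
action.d commands.  Added example; not fail2ban code."""
import configparser
import re

# jail.local as in the thread, reduced to what matters, plus a constructed
# [apache] jail that sets no fwchain of its own.
JAIL_LOCAL_BROKEN = """\
[DEFAULT]
action = my-iptables[name=%(__name__)s, port=%(port)s, fwchain=%(fwchain)s, post_start_commands=%(post_start_commands)s, pre_end_commands=%(pre_end_commands)s]

[ssh]
port = ssh
fwchain = ssh-tarpit
post_start_commands = iptables -I %(fwchain)s -j ssh-whitelist
pre_end_commands = iptables -D %(fwchain)s -j ssh-whitelist

[apache]
port = http
"""

# The fix: give the three options a default in [DEFAULT] so that every jail
# can resolve them, while a jail section may still override them.
JAIL_LOCAL_FIXED = JAIL_LOCAL_BROKEN.replace(
    "[DEFAULT]\n",
    "[DEFAULT]\nfwchain = INPUT\npost_start_commands =\npre_end_commands =\n",
    1,
)

# action.d/my-iptables.local, modelled: the [Init] defaults and the
# actionstart commands with <tag> placeholders, one command per line.
ACTION_INIT = {
    "name": "default", "port": "ssh", "protocol": "tcp", "fwchain": "INPUT",
    "post_start_commands": "", "pre_end_commands": "",
}
ACTION_START = (
    "iptables -N fail2ban-<name>\n"
    "iptables -I <fwchain> -m state --state NEW -p <protocol> "
    "--dport <port> -j fail2ban-<name>\n"
    "<post_start_commands>"
)


def jail_actions(jail_local_text):
    """Resolve the action line of every jail; failures come back as strings."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(jail_local_text)
    resolved = {}
    for jail in cp.sections():
        try:
            # vars= stands in for Python 2's automatic __name__ option.
            resolved[jail] = cp.get(jail, "action", vars={"__name__": jail})
        except configparser.InterpolationMissingOptionError as err:
            resolved[jail] = "ERROR: missing option %r" % err.reference
    return resolved


def parse_action_spec(spec):
    """Split 'my-iptables[k=v, k2=v2]' into ('my-iptables', {k: v, k2: v2})."""
    m = re.fullmatch(r"\s*([\w.-]+)\[(.*)\]\s*", spec, re.DOTALL)
    if not m:
        raise ValueError("not an action spec: %r" % spec)
    params = {}
    # Split only on commas that are followed by another key= (values such as
    # iptables command lines may contain spaces but no further key=).
    for item in re.split(r",\s*(?=\w+=)", m.group(2)):
        if item.strip():
            key, _, value = item.partition("=")
            params[key.strip()] = value
    return m.group(1), params


def render_action(template, init_defaults, overrides):
    """Replace every <tag>: jail parameters override [Init] defaults,
    unknown tags are an error, and lines that end up empty are dropped."""
    tags = dict(init_defaults)
    tags.update(overrides)

    def sub(m):
        if m.group(1) not in tags:
            raise KeyError("unknown tag <%s>" % m.group(1))
        return tags[m.group(1)]

    rendered = re.sub(r"<([A-Za-z_][A-Za-z0-9_]*)>", sub, template)
    return "\n".join(line for line in rendered.splitlines() if line.strip())


if __name__ == "__main__":
    for label, text in (("broken", JAIL_LOCAL_BROKEN), ("fixed", JAIL_LOCAL_FIXED)):
        for jail, action in jail_actions(text).items():
            print("%s/%s: %s" % (label, jail, action))
            if not action.startswith("ERROR"):
                _, params = parse_action_spec(action)
                print(render_action(ACTION_START, ACTION_INIT, params))
```

Running it shows the broken file resolving [ssh] fine but failing on [apache] with a missing fwchain, and the fixed file resolving both, with [ssh] still getting ssh-tarpit and [apache] falling back to INPUT; the rendered actionstart then shows the jail's parameters winning over the [Init] defaults.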
