def run()

in server/api/pages/fail2ban.py [0:0]


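def _touches(a, b):
    """Return True when netaddr networks *a* and *b* overlap or are equal."""
    return a in b or b in a or a == b


def _recent_indices(days=7):
    """Return the comma-joined ``loggy-YYYY.MM.DD`` index names for today and the previous *days - 1* days (UTC)."""
    today = datetime.datetime.now(datetime.timezone.utc)
    return ",".join(
        (today - datetime.timedelta(days=offset)).strftime("loggy-%Y.%m.%d")
        for offset in range(days)
    )


def _matching_rules(db, kind, blocks, me):
    """Yield stored rule documents of *kind* ('whitelist' or 'ban') whose network touches *me*.

    Each yielded document is the rule's ``_source`` with its ``_id`` copied into ``rid``.
    """
    for block in blocks:
        if not _touches(me, block):
            continue
        rule = find_rule(db, kind, str(block))
        if rule:
            doc = rule['_source']
            doc['rid'] = rule['_id']
            yield doc


def _matching_iptables(iptables, me, msg, limit=10):
    """Return up to *limit* iptables rules whose network touches *me*.

    Each returned rule dict is tagged in place with ``hostname``, a stringified ``ip``
    and the triggering log ``msg``. Catch-all (0.0.0.0/0) rules, and a catch-all *me*,
    never match.
    """
    anything = netaddr.IPNetwork("0.0.0.0/0")
    matches = []
    for host in iptables:
        for rule in host['rules']:
            block = rule['ip']
            # NOTE(review): rule['ip'] is rewritten to a str below, so a rule matched for one
            # queried IP no longer passes this type check for the next one (kept from the
            # original; confirm whether single-reporting is intended).
            if not (block and isinstance(block, netaddr.IPNetwork)):
                continue
            if block == anything or me == anything:
                continue
            if _touches(me, block):
                rule['hostname'] = host['hostname']
                rule['ip'] = str(block)  # stringify for JSON output
                rule['msg'] = msg
                matches.append(rule)
                if len(matches) == limit:
                    return matches
    return matches


def run(API, environ, indata, session):
    """Fail2ban lookup endpoint.

    POST: ``indata['source']`` is the username to look up. Apache ``AH01617``
    (auth_basic) error lines from the past seven days of ``loggy-*`` indices
    that mention the user are collected, and for every client IP found the
    matching whitelist, banlist and iptables rules are returned as
    ``{"results": {"whitelist": [...], "banlist": [...], "iptables": [...]}}``.

    Any other method yields ``API.exception(400, ...)``; a POST without a
    usable ``source`` string does the same.

    NOTE(review): no authorization check is visible in this handler — confirm
    the caller enforces one before exposing ban/whitelist data.
    """
    method = environ['REQUEST_METHOD']

    if method == "POST":
        user = indata.get('source')
        # Untrusted input: refuse a missing/empty username up front instead of sending a
        # ``match: null`` clause to Elasticsearch and hitting a TypeError on ``user in message``.
        if not isinstance(user, str) or not user:
            yield API.exception(400, "Missing or invalid 'source' parameter!")
            return

        found = {
            'whitelist': [],
            'banlist': [],
            'iptables': [],
        }

        # The user value travels as a JSON string inside a ``match`` clause, so it cannot alter
        # the query structure; the substring test below is the actual filter. ``size`` caps the
        # hits inspected at 500.
        res = session.DB.ES.search(
            index=_recent_indices(),
            size=500,
            body={
                "query": {
                    "bool": {
                        "must": [
                            {"match": {"message": "AH01617"}},
                            {"match": {"message": user}},
                            {"term": {"_type": 'apache_error'}},
                        ]
                    }
                }
            },
        )

        # client IP -> most recent matching log line (later hits overwrite earlier ones)
        ips = {}
        for hit in res['hits']['hits']:
            doc = hit['_source']
            message = doc.get('message') or ''
            if doc.get('module') == 'auth_basic:error' and user in message and 'client_ip' in doc:
                ips[doc['client_ip']] = message

        # Current whitelist, banlist and iptables rules, fetched once for all IPs.
        whitelist = plugins.worker.get_whitelist(session.DB)
        banlist = plugins.worker.get_banlist(session.DB)
        iptables = plugins.worker.get_iptables(session.DB)

        for ip, msg in ips.items():
            me = plugins.worker.to_block(ip)  # queried IP as IPNetwork object

            found['whitelist'].extend(_matching_rules(session.DB, 'whitelist', whitelist, me))

            for doc in _matching_rules(session.DB, 'ban', banlist, me):
                # Some ban records carry no 'ip' field; the rule id appears to encode the
                # CIDR with '_' standing in for '/'.
                if 'ip' not in doc:
                    doc['ip'] = doc['rid'].replace('_', '/')
                found['banlist'].append(doc)

            found['iptables'].extend(_matching_iptables(iptables, me, msg))

        yield json.dumps({"results": found}, indent=2)
        return

    # Finally, if we hit a method we don't know, balk!
    yield API.exception(400, "I don't know this request method!!")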