#!/usr/bin/env python3 # -*- coding: utf-8 -*- # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ######################################################################## # OPENAPI-URI: /api/fail2ban ######################################################################## # post: # requestBody: # content: # application/json: # schema: # $ref: '#/components/schemas/SearchObject' # description: Search query # required: true # responses: # '200': # content: # application/json: # schema: # $ref: '#/components/schemas/SearchResult' # description: Search result # default: # content: # application/json: # schema: # $ref: '#/components/schemas/Error' # description: unexpected error # summary: Search for whether a user was blocked via fail2ban # ######################################################################## """ This is the search handler for Blocky/2 """ import json import re import time import bcrypt import hashlib import plugins.worker import netaddr import datetime def find_rule(DB, doctype, ip): """ Find a rule, either v1 or v2 style """ bid = plugins.worker.make_sha1(str(ip)) bid2 = plugins.worker.make_sha1(str(ip).replace('/32', '').replace('/128','')) # Blocky/2 ban doc if DB.ES.exists(index=DB.dbname, doc_type = doctype, id = bid): return DB.ES.get(index=DB.dbname, doc_type = doctype, id = bid) if DB.ES.exists(index=DB.dbname, doc_type = doctype, id = bid2): return DB.ES.get(index=DB.dbname, doc_type = doctype, id = bid2) # Blocky/1 ban doc oid = str(ip).replace('/', '_').replace('_32', '').replace('_128', '') if DB.ES.exists(index=DB.dbname, doc_type = doctype, id = oid): return DB.ES.get(index=DB.dbname, doc_type = doctype, id = oid) def run(API, environ, indata, session): method = environ['REQUEST_METHOD'] # Searching? :) if method == "POST": found = { 'whitelist': [], 'banlist': [], 'iptables': [], } user = indata.get('source') # Prep list of indices to check against, for performance reasons d = datetime.datetime.utcnow() t = [] for i in range(0,7): t.append(d.strftime("loggy-%Y.%m.%d")) d -= datetime.timedelta(days = 1) threes = ",".join(t) # Past seven days res = session.DB.ES.search( index=threes, size = 500, body = { "query": { "bool": { "must": [ { "match": { "message": "AH01617" } }, { "match": { "message": user } }, { "term": { "_type": 'apache_error' } }, ] } } } ) ips = {} for hit in res['hits']['hits']: doc = hit['_source'] if doc.get('module') == 'auth_basic:error' and user in doc.get('message') and 'client_ip' in doc: ips[doc['client_ip']] = doc['message'] #get whitelist and banlist, plus iptables rules whitelist = plugins.worker.get_whitelist(session.DB) banlist = plugins.worker.get_banlist(session.DB) iptables = plugins.worker.get_iptables(session.DB) for ip, msg in ips.items(): print(ip) me = plugins.worker.to_block(ip) # queried IP as IPNetwork object # Find all whitelist entries that touch on this for block in whitelist: if me in block or block in me or me == block: rule = find_rule(session.DB, 'whitelist', str(block)) if rule: doc = rule['_source'] doc['rid'] = rule['_id'] found['whitelist'].append(doc) # Find all banlist entries that touch on this for block in banlist: if me in block or block in me or me == block: rule = find_rule(session.DB, 'ban', str(block)) if rule: doc = rule['_source'] doc['rid'] = rule['_id'] if not 'ip' in doc: doc['ip'] = doc['rid'].replace('_', '/') found['banlist'].append(doc) # Find any iptables rules that may have it as well (max 10) found_iptables = 0 anything = netaddr.IPNetwork("0.0.0.0/0") for host in iptables: for rule in host['rules']: block = rule['ip'] if block and type(block) is netaddr.IPNetwork: if (me in block or block in me or me == block ) and (block != anything and me != anything): rule['hostname'] = host['hostname'] rule['ip'] = str(rule['ip']) # stringify rule['msg'] = msg found['iptables'].append(rule) found_iptables += 1 if found_iptables == 10: break if found_iptables == 10: break yield json.dumps({"results": found}, indent = 2) return # Finally, if we hit a method we don't know, balk! yield API.exception(400, "I don't know this request method!!")