
I have made my own custom action for fail2ban. It is a script written in Python. I have created the following functions according to the documentation:

  • __init__
  • start : When fail2ban starts
  • stop : When fail2ban stops
  • ban : When fail2ban bans an IP
  • unban : When fail2ban unbans an IP

I use this action for many jails, and it seems that for each jail fail2ban calls the start function, which in my case creates a new iptables rule. So I have many duplicate iptables rules because fail2ban calls the start function several times.

I have tried to put in a condition: "If the rule doesn't exist, I create it." But all jails seem to be started in threads. With this condition I can limit the duplicate rules to 2 or 3.

Is there a trick or a permanent solution? Maybe a semaphore during the start function, or locking a file, or something else?
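As an added example (not code from the question or the answer), this shows the file-lock approach the question proposes: an exclusive flock around the "check, then insert" step in the action's start function makes rule creation idempotent even when many jails start concurrently. The lock path, the rule and the in-memory iptables stand-in are assumptions constructed for the simulation; the naive variant reproduces the duplicate-rule race described above.

```python
import fcntl
import subprocess
import tempfile
import threading
import time

LOCK_PATH = "/run/lock/f2b-custom-action.lock"  # hypothetical lock file path

def naive_rule(rule, run=subprocess.run, lock_path=None):
    """Check-then-insert with no lock: the race the question describes."""
    if run(["iptables", "-C"] + rule, capture_output=True).returncode == 0:
        return False  # rule already present
    run(["iptables", "-I"] + rule, capture_output=True, check=True)
    return True

def ensure_rule(rule, run=subprocess.run, lock_path=LOCK_PATH):
    """Check-then-insert made atomic by an exclusive flock on a shared lock file."""
    with open(lock_path, "a") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)  # blocks until no other holder
        try:
            return naive_rule(rule, run)  # True only for the caller that inserted
        finally:
            fcntl.flock(lock, fcntl.LOCK_UN)

class FakeIptables:
    """Constructed stand-in for subprocess.run: an in-memory rule table with a
    delay after the existence check to widen the race window."""
    def __init__(self):
        self.rules = []
    def __call__(self, argv, **kwargs):
        action, rule = argv[1], argv[2:]
        if action == "-C":
            present = rule in self.rules
            time.sleep(0.05)
            return subprocess.CompletedProcess(argv, 0 if present else 1)
        self.rules.append(rule)  # "-I": real iptables also inserts duplicates
        return subprocess.CompletedProcess(argv, 0)

def start_jails(n_jails, start=ensure_rule):
    """Simulate n jails starting concurrently; return how many rule copies exist."""
    fake, rule = FakeIptables(), ["INPUT", "-j", "f2b-custom"]
    lock_path = tempfile.mktemp()  # fresh lock file for this simulation
    threads = [threading.Thread(target=start, args=(rule, fake, lock_path))
               for _ in range(n_jails)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(fake.rules)
```

In a real action, `ensure_rule` would be called from `start()` with `subprocess.run` and a lock path shared by every jail using the action; the same lock protects `stop()` so the last jail to stop can remove the rule without racing the others.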


1 Answer


So I solved my problem with the following script:

#!/bin/bash
# Start fail2ban, then enable the jails from jail.d one at a time,
# waiting while the system load is high so that the jails do not start concurrently.

RED='\033[0;31m'
GREEN='\033[0;32m'
NC='\033[0m' # No Color

# 1-minute load average; /proc/loadavg is stable to parse, unlike the
# uptime output, whose colon-separated fields shift with the "up ..." format
current_load() {
    awk '{print $1}' /proc/loadavg
}

/usr/bin/fail2ban-server

# Every "[name]" section header in jail.d/* is a jail (commented-out lines are skipped)
grep "^\[" /etc/fail2ban/jail.d/* | grep -v "#" | cut -d"[" -f 2 | cut -d "]" -f 1 | while read -r jail
do
    load=$(current_load)
    while [[ $(bc <<< "$load > 3") -eq 1 ]]
    do
        echo -e "Load too ${RED}high${NC} ($load) .... sleep 5 seconds"
        sleep 5
        load=$(current_load)
    done

    echo -n -e "$1 starting jail $jail ..."   # $1: optional prefix passed on the command line
    fail2ban-client reload "$jail"
    echo -e "[${GREEN}OK${NC}] "

done

It takes every jail in jail.d and starts them using the command fail2ban-client reload (fail2ban-client start does not work), while taking the server load into account.

The jails are not started one after another, and my initial condition works.

answered 2017-08-02T19:47:17.460