fail2ban-rs 1.0.0

A pure-Rust fail2ban replacement. Single static binary, fast two-phase matching, nftables/iptables firewall backends.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143

//! Tests for the watcher module.

use std::io::Write;

use tempfile::NamedTempFile;
use tokio::sync::mpsc;
use tokio_util::sync::CancellationToken;

use crate::date::{DateFormat, DateParser};
use crate::ignore::IgnoreList;
use crate::matcher::JailMatcher;
use crate::watcher;

fn test_matcher() -> JailMatcher {
    JailMatcher::new(&[r"Failed password for .* from <HOST>".to_string()]).unwrap()
}

#[tokio::test]
async fn detects_failure_in_appended_lines() {
    let mut tmpfile = NamedTempFile::new().unwrap();
    let path = tmpfile.path().to_path_buf();

    let (tx, mut rx) = mpsc::channel(16);
    let cancel = CancellationToken::new();

    let cancel_clone = cancel.clone();
    let path_clone = path.clone();
    let handle = tokio::spawn(async move {
        watcher::run(
            "test".to_string(),
            path_clone,
            test_matcher(),
            DateParser::new(DateFormat::Syslog).unwrap(),
            IgnoreList::new(&[], false).unwrap(),
            tx,
            cancel_clone,
        )
        .await;
    });

    // Give watcher time to start and seek to end.
    tokio::time::sleep(std::time::Duration::from_millis(100)).await;

    // Append a matching line.
    writeln!(
        tmpfile,
        "Jan 15 10:30:00 server sshd[1234]: Failed password for root from 192.168.1.100 port 22"
    )
    .unwrap();
    tmpfile.flush().unwrap();

    // Wait for watcher to pick it up.
    let failure = tokio::time::timeout(std::time::Duration::from_secs(2), rx.recv())
        .await
        .expect("timeout waiting for failure")
        .expect("channel closed");

    assert_eq!(failure.ip.to_string(), "192.168.1.100");
    assert_eq!(failure.jail_id, "test");

    cancel.cancel();
    handle.await.unwrap();
}

#[tokio::test]
async fn ignores_non_matching_lines() {
    let mut tmpfile = NamedTempFile::new().unwrap();
    let path = tmpfile.path().to_path_buf();

    let (tx, mut rx) = mpsc::channel(16);
    let cancel = CancellationToken::new();

    let cancel_clone = cancel.clone();
    let path_clone = path.clone();
    let handle = tokio::spawn(async move {
        watcher::run(
            "test".to_string(),
            path_clone,
            test_matcher(),
            DateParser::new(DateFormat::Syslog).unwrap(),
            IgnoreList::new(&[], false).unwrap(),
            tx,
            cancel_clone,
        )
        .await;
    });

    tokio::time::sleep(std::time::Duration::from_millis(100)).await;

    // Append a non-matching line.
    writeln!(
        tmpfile,
        "Jan 15 10:30:00 server sshd[1234]: Accepted password for user from 10.0.0.1 port 22"
    )
    .unwrap();
    tmpfile.flush().unwrap();

    // Should not receive anything.
    let result = tokio::time::timeout(std::time::Duration::from_millis(500), rx.recv()).await;
    assert!(result.is_err(), "should not have received a failure");

    cancel.cancel();
    handle.await.unwrap();
}

#[tokio::test]
async fn ignores_allowlisted_ips() {
    let mut tmpfile = NamedTempFile::new().unwrap();
    let path = tmpfile.path().to_path_buf();

    let (tx, mut rx) = mpsc::channel(16);
    let cancel = CancellationToken::new();

    let cancel_clone = cancel.clone();
    let path_clone = path.clone();
    let handle = tokio::spawn(async move {
        watcher::run(
            "test".to_string(),
            path_clone,
            test_matcher(),
            DateParser::new(DateFormat::Syslog).unwrap(),
            IgnoreList::new(&["192.168.1.0/24".to_string()], false).unwrap(),
            tx,
            cancel_clone,
        )
        .await;
    });

    tokio::time::sleep(std::time::Duration::from_millis(100)).await;

    writeln!(
        tmpfile,
        "Jan 15 10:30:00 server sshd[1234]: Failed password for root from 192.168.1.100 port 22"
    )
    .unwrap();
    tmpfile.flush().unwrap();

    let result = tokio::time::timeout(std::time::Duration::from_millis(500), rx.recv()).await;
    assert!(result.is_err(), "ignored IP should not produce a failure");

    cancel.cancel();
    handle.await.unwrap();
}