#!/bin/sh
#
# Template SUSE system startup script for example daemon fail2ban
# Copyright (C) 2010 Klaus Sinvogel, SUSE / Novell Inc.
#
# This library is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or (at
# your option) any later version.
#
# This library is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307,
# USA.
#
#
### BEGIN INIT INFO
# Provides: fail2ban
# Required-Start: $syslog $remote_fs $local_fs
# Should-Start: $time $network iptables
# Required-Stop: $syslog $remote_fs $local_fs
# Should-Stop: $time $network iptables
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# Short-Description: Bans IPs with too many password failures
# Description: Start fail2ban to scan logfiles and ban IP addresses
# which make too many logfiles failures, and/or sent e-mails about
### END INIT INFO

# Preflight: both fail2ban executables must exist and be executable
# (stale symlinks should not happen). A missing binary ends the script
# with status 5, except for "stop", which then exits 0.
FAIL2BAN_CLI=/usr/bin/fail2ban-client
if ! test -x "$FAIL2BAN_CLI"; then
    echo "$FAIL2BAN_CLI not installed"
    case "$1" in
        stop) exit 0 ;;
        *)    exit 5 ;;
    esac
fi

FAIL2BAN_SRV=/usr/bin/fail2ban-server
if ! test -x "$FAIL2BAN_SRV"; then
    echo "$FAIL2BAN_SRV not installed"
    case "$1" in
        stop) exit 0 ;;
        *)    exit 5 ;;
    esac
fi

# The sysconfig file must be readable. If it is not, the script ends with
# status 6, except for "stop", which then exits 0.
FAIL2BAN_CONFIG=/etc/sysconfig/fail2ban
if ! test -r "$FAIL2BAN_CONFIG"; then
    echo "$FAIL2BAN_CONFIG not existing"
    case "$1" in
        stop) exit 0 ;;
        *)    exit 6 ;;
    esac
fi

# Default socket directory. It is assigned before the config file is
# sourced, so a FAIL2BAN_SOCK_DIR set there replaces this value.
FAIL2BAN_SOCK_DIR="/var/run/fail2ban"

# Read config. The file is sourced, i.e. executed by this shell with the
# privileges the init script runs under, so anyone who can write to it can
# run commands with those privileges. Keep it owned by root and not
# writable by group or others.
. "$FAIL2BAN_CONFIG"

# SUSE rc helper functions (rc_reset, rc_status, rc_exit, ...); start with
# a clean status.
. /etc/rc.status
rc_reset
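# Dispatch on the action passed as $1. Every branch records its result
# through rc_status, and rc_exit at the end turns that into the exit code.
# Variable expansions and $0 are quoted so that a path containing
# whitespace (for example a FAIL2BAN_SOCK_DIR overridden in the sysconfig
# file) is passed as a single word.
case "$1" in
    start)
        echo -n "Starting fail2ban "

        # Create the socket directory if it is missing.
        # NOTE(review): the directory gets whatever mode the current umask
        # yields; it holds the socket fail2ban-client uses to control the
        # server, so confirm it does not end up group- or world-writable.
        if [ ! -d "$FAIL2BAN_SOCK_DIR" ]; then
            mkdir -p "$FAIL2BAN_SOCK_DIR"
        fi

        ## Start daemon with startproc(8). If this fails
        ## the return value is set appropriately by startproc.
        # All client output is discarded, so the only visible sign of a
        # failed start is the status printed by rc_status.
        startproc "$FAIL2BAN_CLI" -q start > /dev/null 2>&1

        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down fail2ban "
        ## Stop daemon with built-in functionality 'stop'
        startproc -w "$FAIL2BAN_CLI" -q stop > /dev/null 2>&1

        # Remember status and be verbose
        rc_status -v
        ;;
    try-restart|condrestart)
        ## Do a restart only if the service was active before.
        ## Note: try-restart is now part of LSB (as of 1.9).
        ## RH has a similar command named condrestart.
        if test "$1" = "condrestart"; then
            echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}"
        fi
        if "$0" status; then
            "$0" restart
        else
            rc_reset # Not running is not a failure.
        fi
        # Remember status and be quiet
        rc_status
        ;;
    restart)
        ## Stop the service and regardless of whether it was
        ## running or not, start it again.
        "$0" stop
        "$0" start

        # Remember status and be quiet
        rc_status
        ;;
    force-reload)
        ## Signal the daemon to reload its config. Most daemons
        ## do this on signal 1 (SIGHUP).
        ## If it does not support it, restart the service if it
        ## is running.
        # NOTE(review): confirm that the installed fail2ban-server treats
        # SIGHUP as a configuration reload. The "reload" action below asks
        # the server through fail2ban-client instead; if SIGHUP is ignored
        # or unhandled, this branch does not reload the ban rules.

        echo -n "Reload service fail2ban "
        killproc -HUP "$FAIL2BAN_SRV"
        rc_status -v

        ## Otherwise:
        #$0 try-restart
        #rc_status
        ;;
    reload)
        ## Like force-reload, but if daemon does not support
        ## signaling, do nothing (!)

        # If it supports signaling:
        echo -n "Reload service fail2ban "
        startproc "$FAIL2BAN_CLI" -q reload > /dev/null 2>&1

        rc_status -v

        ## Otherwise if it does not support reload:
        #rc_failed 3
        #rc_status -v
        ;;
    status)
        echo -n "Checking for service fail2ban "
        ## Check status with checkproc(8), if process is running
        ## checkproc will return with exit status 0.

        # Return value is slightly different for the status command:
        # 0 - service up and running
        # 1 - service dead, but /var/run/ pid file exists
        # 2 - service dead, but /var/lock/ lock file exists
        # 3 - service not running (unused)
        # 4 - service status unknown :-(
        # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.)

        # NOTE: checkproc returns LSB compliant status values.
        checkproc "$FAIL2BAN_SRV"
        # NOTE: rc_status knows that we called this init script with
        # "status" option and adapts its messages accordingly.
        rc_status -v
        ;;
    probe)
        ## Optional: Probe for the necessity of a reload, print out the
        ## argument to this init script which is required for a reload.
        ## Note: probe is not (yet) part of LSB (as of 1.9)

        # Prints "reload" when the main config file is newer than the pid
        # file. Both paths are hard-coded here; the pid file path does not
        # follow FAIL2BAN_SOCK_DIR.
        test /etc/fail2ban/fail2ban.conf -nt /var/run/fail2ban/fail2ban.pid && echo reload
        ;;
    *)
        echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload|probe}"
        exit 1
        ;;
esac
rc_exit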