Subversion Repositories ALCASAR

Rev

Details | Last modification | View Log

Rev Author Line No. Line
2271 tom.houday 1
#!/bin/sh
2
# $Id: fail2ban.sh 2865 2020-10-18 22:21:46Z rexy $
3
 
1191 crox53 4
JAIL_CONF="/etc/fail2ban/jail.conf"
5
DIR_FILTER="/etc/fail2ban/filter.d/"
6
 
1388 richard 7
#########################################################
1191 crox53 8
## Mise à jour de la configuration de jail de fail2ban ##
9
#########################################################
2271 tom.houday 10
[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default
1191 crox53 11
cat << EOF > $JAIL_CONF
12
 
13
# Fail2Ban configuration file
14
#
15
# Author: Cyril Jaquier
1388 richard 16
# Adapted by ALCASAR team
1191 crox53 17
 
1388 richard 18
 
1191 crox53 19
# The DEFAULT allows a global definition of the options. They can be overridden
20
# in each jail afterwards.
21
[DEFAULT]
22
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
23
# ban a host which matches an address in this list. Several addresses can be
24
# defined using space separator.
25
ignoreip = 127.0.0.1/8
26
# "bantime" is the number of seconds that a host is banned.
2815 rexy 27
bantime  = 180
1191 crox53 28
 
1388 richard 29
# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
30
# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)
31
# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes
1191 crox53 32
findtime  = 60
33
 
34
# "maxretry" is the number of failures before a host get banned.
35
maxretry = 5
36
 
37
# "backend" specifies the backend used to get files modification. Available
38
# options are "gamin", "polling" and "auto". This option can be overridden in
39
# each jail too (use "gamin" for a jail and "polling" for another).
40
#
41
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
42
#          is not installed, Fail2ban will use polling.
43
# polling: uses a polling algorithm which does not require external libraries.
44
# auto:    will choose Gamin if available and polling otherwise.
45
backend = auto
46
 
1410 richard 47
# "usedns" specifies if jails should trust hostnames in logs,
48
# warn when DNS lookups are performed, or ignore all hostnames in logs
49
#
50
# yes: if a hostname is encountered, a DNS lookup will be performed.
51
# warn: if a hostname is encountered, a DNS lookup will be performed,
52
# but it will be logged as a warning.
53
# no: if a hostname is encountered, will not be used for banning,
54
# but it will be logged as info.
55
usedns = warn
56
 
2815 rexy 57
# Bannissement sur tous les ports après 3 refus du serveur WEB (tentative d'accès sur des pages inexistentes)
1388 richard 58
[alcasar_mod-evasive]
1410 richard 59
#enabled = true
60
enabled = false
2487 lucas.echa 61
backend = auto
1410 richard 62
filter = alcasar_mod-evasive
1388 richard 63
action = iptables-allports[name=alcasar_mod-evasive]
2488 lucas.echa 64
logpath = /var/log/lighttpd/access.log
2815 rexy 65
maxretry = 3
1191 crox53 66
 
1388 richard 67
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
1191 crox53 68
[ssh-iptables]
69
enabled = true
70
#enabled  = false
71
filter   = sshd
72
action   = iptables-allports[name=SSH]
73
logpath  = /var/log/auth.log
74
maxretry = 3
75
 
1388 richard 76
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
2284 tom.houday 77
[alcasar_acc]
1191 crox53 78
enabled = true
79
#enabled = false
2487 lucas.echa 80
backend = auto
2284 tom.houday 81
filter = alcasar_acc
82
action = iptables-allports[name=alcasar_acc]
2488 lucas.echa 83
logpath = /var/log/lighttpd/access.log
2864 rexy 84
maxretry = 5
1191 crox53 85
 
1388 richard 86
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
87
[alcasar_intercept]
1191 crox53 88
enabled = true
89
#enabled = false
2487 lucas.echa 90
backend = auto
1410 richard 91
filter = alcasar_intercept
1388 richard 92
action = iptables-allports[name=alcasar_intercept]
2488 lucas.echa 93
logpath = /var/log/lighttpd/access.log
2864 rexy 94
maxretry = 5
1191 crox53 95
 
1388 richard 96
# Bannissement sur tout les port après 5 échecs de changement de mot de passe
1191 crox53 97
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
1410 richard 98
[alcasar_change-pwd]
1191 crox53 99
enabled = true
100
#enabled = false
2487 lucas.echa 101
backend = auto
1410 richard 102
filter = alcasar_change-pwd
103
action = iptables-allports[name=alcasar_change-pwd]
2488 lucas.echa 104
logpath = /var/log/lighttpd/access.log
1191 crox53 105
maxretry = 5
1410 richard 106
 
1191 crox53 107
EOF
108
 
2864 rexy 109
##############################################
1388 richard 110
## Mise en place des filtres spécifiques	##
2864 rexy 111
## - Mod_evasive.conf						##
112
## - acc-htdigest.conf						##
113
## - intercept.conf							##
114
## - change-pwd.conf						##
115
##############################################
1191 crox53 116
 
117
######################
118
## MOD-EVASIVE.CONF ##
119
######################
1388 richard 120
cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf
1191 crox53 121
# Fail2Ban configuration file
122
#
123
# Author: Cyril Jaquier
1388 richard 124
# Adapted by ALCASAR team
1191 crox53 125
 
126
[Definition]
127
# Option:  failregex
128
# Notes.:  regex to match the password failure messages in the logfile. The
129
#          host must be matched by a group named "host". The tag "<HOST>" can
130
#          be used for standard IP/hostname matching and is only an alias for
131
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
132
# Values:  TEXT
2488 lucas.echa 133
failregex =  <HOST> .+\] "[^"]+" 403
1191 crox53 134
# Option:  ignoreregex
135
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
136
ignoreregex = 
137
EOF
138
 
2271 tom.houday 139
#######################
140
## ACC-HTDIGEST.CONF ##
141
#######################
2284 tom.houday 142
cat << EOF > $DIR_FILTER/alcasar_acc.conf
1191 crox53 143
# Fail2Ban configuration file
144
#
145
# Author: Cyril Jaquier
1388 richard 146
# Adapted by ALCASAR team
1191 crox53 147
 
148
[Definition]
149
# Option:  failregex
150
# Notes.:  regex to match the password failure messages in the logfile. The
151
#          host must be matched by a group named "host". The tag "<HOST>" can
152
#          be used for standard IP/hostname matching and is only an alias for
153
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
154
# Values:  TEXT
2488 lucas.echa 155
failregex =  <HOST> .+\] "[^"]+" 401
1191 crox53 156
# Option:  ignoreregex
157
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
158
ignoreregex = 
159
EOF
160
 
161
####################
162
## INTERCEPT.CONF ##
163
####################
1388 richard 164
cat << EOF > $DIR_FILTER/alcasar_intercept.conf
1191 crox53 165
# Fail2Ban configuration file
166
#
167
# Author: Cyril Jaquier
1388 richard 168
# Adapted by ALCASAR team
1191 crox53 169
 
170
[Definition]
171
# Option:  failregex
172
# Notes.:  regex to match the password failure messages in the logfile. The
173
#          host must be matched by a group named "host". The tag "<HOST>" can
174
#          be used for standard IP/hostname matching and is only an alias for
175
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
176
# Values:  TEXT
2488 lucas.echa 177
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
1191 crox53 178
# Option:  ignoreregex
179
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
180
ignoreregex = 
181
EOF
182
 
2271 tom.houday 183
#####################
184
## CHANGE-PWD.CONF ##
185
#####################
1410 richard 186
cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf
1191 crox53 187
 
188
# Fail2Ban configuration file
189
#
190
# Author: Cyril Jaquier
1388 richard 191
# Adapted by ALCASAR team
1191 crox53 192
 
193
[Definition]
194
# Option:  failregex
195
# Notes.:  regex to match the password failure messages in the logfile. The
196
#          host must be matched by a group named "host". The tag "<HOST>" can
197
#          be used for standard IP/hostname matching and is only an alias for
198
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
199
# Values:  TEXT
2488 lucas.echa 200
failregex = <HOST> .* \"POST \/password\.php
1191 crox53 201
# Option:  ignoreregex
202
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
203
ignoreregex = 
204
EOF