0,0 → 1,337 |
FAIL_CONF="/etc/fail2ban/fail2ban.conf" |
JAIL_CONF="/etc/fail2ban/jail.conf" |
DIR_FILTER="/etc/fail2ban/filter.d/" |
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf" |
|
######################################################### |
## Mise à jour du fichier de configuration de fail2ban ## |
######################################################### |
if(test -f $FAIL_CONF) |
then |
mv $FAIL_CONF $FAIL_CONF.default |
fi |
cat << EOF > $FAIL_CONF |
|
[Definition] |
|
# Option: loglevel |
# Notes.: Set the log level output. |
# 1 = ERROR |
# 2 = WARN |
# 3 = INFO |
# 4 = DEBUG |
# Values: NUM Default: 3 |
# |
loglevel = 3 |
|
# Option: logtarget |
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT. |
# Only one log target can be specified. |
# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log |
# |
logtarget = /var/log/fail2ban.log |
|
# Option: socket |
# Notes.: Set the socket file. This is used to communicate with the daemon. Do |
# not remove this file when Fail2ban runs. It will not be possible to |
# communicate with the server afterwards. |
# Values: FILE Default: /var/run/fail2ban/fail2ban.sock |
# |
socket = /var/run/fail2ban/fail2ban.sock |
EOF |
|
######################################################### |
## Mise à jour de la configuration de jail de fail2ban ## |
######################################################### |
if(test -f $JAIL_CONF) |
then |
mv $JAIL_CONF $JAIL_CONF.default |
fi |
cat << EOF > $JAIL_CONF |
|
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# Adapted by ALCASAR team |
|
|
# The DEFAULT allows a global definition of the options. They can be overridden |
# in each jail afterwards. |
|
[DEFAULT] |
|
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not |
# ban a host which matches an address in this list. Several addresses can be |
# defined using space separator. |
ignoreip = 127.0.0.1/8 |
|
# "bantime" is the number of seconds that a host is banned. |
bantime = 300 |
|
# A host is banned if it has generated "maxretry" during the last "findtime" seconds. |
# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes) |
# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes |
findtime = 60 |
|
# "maxretry" is the number of failures before a host get banned. |
maxretry = 5 |
|
# "backend" specifies the backend used to get files modification. Available |
# options are "gamin", "polling" and "auto". This option can be overridden in |
# each jail too (use "gamin" for a jail and "polling" for another). |
# |
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin |
# is not installed, Fail2ban will use polling. |
# polling: uses a polling algorithm which does not require external libraries. |
# auto: will choose Gamin if available and polling otherwise. |
backend = auto |
|
# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes) |
[alcasar_mod-evasive] |
|
enabled = true |
#enabled = false |
filter = mod-evasive |
action = iptables-allports[name=alcasar_mod-evasive] |
logpath = /var/log/httpd/error_log |
maxretry = 2 |
|
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force) |
[ssh-iptables] |
|
enabled = true |
#enabled = false |
filter = sshd |
action = iptables-allports[name=SSH] |
logpath = /var/log/auth.log |
maxretry = 3 |
|
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC) |
[alcasar_htdigest] |
|
enabled = true |
#enabled = false |
filter = htdigest |
action = iptables-allports[name=alcasar_htdigest] |
logpath = /var/log/httpd/ssl_error_log |
maxretry = 5 |
|
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager |
[alcasar_intercept] |
|
enabled = true |
#enabled = false |
filter = intercept |
action = iptables-allports[name=alcasar_intercept] |
logpath = /var/log/httpd/ssl_request_log |
maxretry = 5 |
|
# Bannissement sur tout les port après 5 échecs de changement de mot de passe |
# 5 POST pour changer le mot de passe que le POST soit ok ou non. |
[alcasar_change-password] |
|
enabled = true |
#enabled = false |
filter = mot_de_passe |
action = iptables-allports[name=alcasar_change-password] |
logpath = /var/log/httpd/ssl_request_log |
maxretry = 5 |
EOF |
|
################################################## |
## Mise en place des filtres spécifiques ## |
## - Mod_evasive.conf ## |
## - htdigest.conf ## |
## - intercept.conf ## |
## - mot de passe ## |
################################################## |
|
###################### |
## MOD-EVASIVE.CONF ## |
###################### |
cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf |
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# Adapted by ALCASAR team |
|
[Definition] |
|
# Option: failregex |
# Notes.: regex to match the password failure messages in the logfile. The |
# host must be matched by a group named "host". The tag "<HOST>" can |
# be used for standard IP/hostname matching and is only an alias for |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
# Values: TEXT |
# |
failregex = [[]client <HOST>[]] client denied by server configuration |
|
# Option: ignoreregex |
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
# Values: TEXT |
# |
ignoreregex = |
EOF |
|
################### |
## HTDIGEST.CONF ## |
################### |
cat << EOF > $DIR_FILTER/alcasar_htdigest.conf |
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# Adapted by ALCASAR team |
|
[Definition] |
|
# Option: failregex |
# Notes.: regex to match the password failure messages in the logfile. The |
# host must be matched by a group named "host". The tag "<HOST>" can |
# be used for standard IP/hostname matching and is only an alias for |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
# Values: TEXT |
# |
failregex = [[]error[]] [[]client <HOST>[]] Digest: |
|
# Option: ignoreregex |
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
# Values: TEXT |
# |
ignoreregex = |
EOF |
|
#################### |
## INTERCEPT.CONF ## |
#################### |
cat << EOF > $DIR_FILTER/alcasar_intercept.conf |
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# Adapted by ALCASAR team |
|
[Definition] |
|
# Option: failregex |
# Notes.: regex to match the password failure messages in the logfile. The |
# host must be matched by a group named "host". The tag "<HOST>" can |
# be used for standard IP/hostname matching and is only an alias for |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
# Values: TEXT |
# |
failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]GET \/intercept\.php\?res=failed[&]reason=reject |
|
# Option: ignoreregex |
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
# Values: TEXT |
# |
ignoreregex = |
EOF |
|
####################### |
## MOT_DE_PASSE.CONF ## |
####################### |
cat << EOF > $DIR_FILTER/alcasar_change-password.conf |
|
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# Adapted by ALCASAR team |
|
[Definition] |
|
# Option: failregex |
# Notes.: regex to match the password failure messages in the logfile. The |
# host must be matched by a group named "host". The tag "<HOST>" can |
# be used for standard IP/hostname matching and is only an alias for |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
# Values: TEXT |
# |
failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]POST \/pass\/index\.php HTTP |
|
# Option: ignoreregex |
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
# Values: TEXT |
# |
ignoreregex = |
EOF |
|
############################################## |
## Log sur ULOG quand iptables-allports ## |
############################################## |
if ( test -f $ACTION_ALLPORTS ) |
then |
mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default |
fi |
cat << EOF > $ACTION_ALLPORTS |
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# Modified: Yaroslav O. Halchenko <debian@onerussian.com> |
# made active on all ports from original iptables.conf |
# Adapted by ALCASAR team |
|
[Definition] |
|
# Option: actionstart |
# Notes.: command executed once at the start of Fail2Ban. |
# Values: CMD |
# |
actionstart = iptables -N fail2ban-<name> |
iptables -A fail2ban-<name> -j RETURN |
iptables -I <chain> -p <protocol> -j fail2ban-<name> |
|
# Option: actionstop |
# Notes.: command executed once at the end of Fail2Ban |
# Values: CMD |
# |
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name> |
iptables -F fail2ban-<name> |
iptables -X fail2ban-<name> |
|
# Option: actioncheck |
# Notes.: command executed once before each actionban command |
# Values: CMD |
# |
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name> |
|
# Option: actionban |
# Notes.: command executed when banning an IP. Take care that the |
# command is executed with Fail2Ban user rights. |
# Tags: <ip> IP address |
# <failures> number of failures |
# <time> unix timestamp of the ban time |
# Values: CMD |
|
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP" |
iptables -I fail2ban-<name> 1 -s <ip> -j DROP |
|
# Option: actionunban |
# Notes.: command executed when unbanning an IP. Take care that the |
# command is executed with Fail2Ban user rights. |
# Tags: <ip> IP address |
# <failures> number of failures |
# <time> unix timestamp of the ban time |
# Values: CMD |
# |
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP |
iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP" |
|
[Init] |
|
# Defaut name of the chain |
# |
name = default |
|
# Option: protocol |
# Notes.: internally used by config reader for interpolations. |
# Values: [ tcp | udp | icmp | all ] Default: tcp |
# |
protocol = tcp |
|
# Option: chain |
# Notes specifies the iptables chain to which the fail2ban rules should be |
# added |
# Values: STRING Default: INPUT |
chain = INPUT |
|
EOF |
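Review bot: Four of the five jails written into jail.conf reference filter names the script never creates, so those jails cannot load and the bans they describe are never applied: `filter = mod-evasive`, `htdigest`, `intercept` and `mot_de_passe` resolve to filter.d/<name>.conf, while the heredocs further down write filter.d/alcasar_mod-evasive.conf, alcasar_htdigest.conf, alcasar_intercept.conf and alcasar_change-password.conf (only `filter = sshd` matches a stock filter; a stock `mot_de_passe` certainly does not exist). The `filter =` keys should name the files actually written, as below. In the iptables-allports action both actionban commands insert at position 1, so the DROP rule lands ahead of the ULOG rule and, DROP being terminating, the "Fail2Ban -- DROP" log entry is never produced; inserting DROP first and ULOG second restores the intended ULOG-then-DROP order, and actionunban needs no change since it deletes by match. Separately, the intercept and change-password failregex hard-code `TLSv1 DHE-RSA-AES256-SHA`, so a client negotiating any other protocol/cipher is never counted and can brute-force unhindered; if ssl_request_log keeps the default `%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r"` format, matching those two fields with `\S+ \S+` closes the gap.
```shell
# … unchanged: fail2ban.conf heredoc, [DEFAULT] section …
filter = alcasar_mod-evasive
# … unchanged: [ssh-iptables] jail …
filter = alcasar_htdigest
# … unchanged …
filter = alcasar_intercept
# … unchanged …
filter = alcasar_change-password
# … unchanged: filter heredocs, actionstart/actionstop/actioncheck …
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
```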
Property changes: |
Added: svn:executable |
+* |
\ No newline at end of property |