| 0,0 → 1,353 |
|---|
| #!/bin/sh |
| # $Id$ |
| |
| FAIL_CONF="/etc/fail2ban/fail2ban.conf" |
| JAIL_CONF="/etc/fail2ban/jail.conf" |
| DIR_FILTER="/etc/fail2ban/filter.d/" |
| ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf" |
| |
| ######################################################### |
| ## Mise à jour du fichier de configuration de fail2ban ## |
| ######################################################### |
| [ -f $FAIL_CONF ] && [ ! -e $FAIL_CONF.default ] && mv $FAIL_CONF $FAIL_CONF.default |
| cat << EOF > $FAIL_CONF |
| |
| [Definition] |
| |
| # Option: loglevel |
| # Notes.: Set the log level output. |
| # 1 = ERROR |
| # 2 = WARN |
| # 3 = INFO |
| # 4 = DEBUG |
| # Values: NUM Default: 3 |
| # |
| loglevel = 3 |
| |
| # Option: logtarget |
| # Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT. |
| # Only one log target can be specified. |
| # Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log |
| # |
| logtarget = /var/log/fail2ban.log |
| |
| # Option: socket |
| # Notes.: Set the socket file. This is used to communicate with the daemon. Do |
| # not remove this file when Fail2ban runs. It will not be possible to |
| # communicate with the server afterwards. |
| # Values: FILE Default: /var/run/fail2ban/fail2ban.sock |
| # |
| socket = /var/run/fail2ban/fail2ban.sock |
| |
| # Option: pidfile |
| # Notes.: Set the PID file. This is used to store the process ID of the |
| # fail2ban server. |
| # Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid |
| # |
| pidfile = /var/run/fail2ban/fail2ban.pid |
| EOF |
| |
| ######################################################### |
| ## Mise à jour de la configuration de jail de fail2ban ## |
| ######################################################### |
| [ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default |
| cat << EOF > $JAIL_CONF |
| |
| # Fail2Ban configuration file |
| # |
| # Author: Cyril Jaquier |
| # Adapted by ALCASAR team |
| |
| |
| # The DEFAULT allows a global definition of the options. They can be overridden |
| # in each jail afterwards. |
| |
| [DEFAULT] |
| |
| # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not |
| # ban a host which matches an address in this list. Several addresses can be |
| # defined using space separator. |
| ignoreip = 127.0.0.1/8 |
| |
| # "bantime" is the number of seconds that a host is banned. |
| bantime = 300 |
| |
| # A host is banned if it has generated "maxretry" during the last "findtime" seconds. |
| # Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes) |
| # Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes |
| findtime = 60 |
| |
| # "maxretry" is the number of failures before a host get banned. |
| maxretry = 5 |
| |
| # "backend" specifies the backend used to get files modification. Available |
| # options are "gamin", "polling" and "auto". This option can be overridden in |
| # each jail too (use "gamin" for a jail and "polling" for another). |
| # |
| # gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin |
| # is not installed, Fail2ban will use polling. |
| # polling: uses a polling algorithm which does not require external libraries. |
| # auto: will choose Gamin if available and polling otherwise. |
| backend = auto |
| |
| # "usedns" specifies if jails should trust hostnames in logs, |
| # warn when DNS lookups are performed, or ignore all hostnames in logs |
| # |
| # yes: if a hostname is encountered, a DNS lookup will be performed. |
| # warn: if a hostname is encountered, a DNS lookup will be performed, |
| # but it will be logged as a warning. |
| # no: if a hostname is encountered, will not be used for banning, |
| # but it will be logged as info. |
| usedns = warn |
| |
| # Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes) |
| [alcasar_mod-evasive] |
| |
| #enabled = true |
| enabled = false |
| filter = alcasar_mod-evasive |
| action = iptables-allports[name=alcasar_mod-evasive] |
| logpath = /var/log/httpd/error_log |
| /var/log/httpd/ssl_error_log |
| maxretry = 2 |
| |
| # Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force) |
| [ssh-iptables] |
| |
| enabled = true |
| #enabled = false |
| filter = sshd |
| action = iptables-allports[name=SSH] |
| logpath = /var/log/auth.log |
| maxretry = 3 |
| |
| # Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC) |
| [alcasar_acc] |
| |
| enabled = true |
| #enabled = false |
| filter = alcasar_acc |
| action = iptables-allports[name=alcasar_acc] |
| logpath = /var/log/httpd/ssl_error_log |
| maxretry = 5 |
| |
| # Bannissement sur tout les ports après 5 echecs de connexion pour un usager |
| [alcasar_intercept] |
| |
| enabled = true |
| #enabled = false |
| filter = alcasar_intercept |
| action = iptables-allports[name=alcasar_intercept] |
| logpath = /var/log/httpd/ssl_request_log |
| maxretry = 5 |
| |
| # Bannissement sur tout les port après 5 échecs de changement de mot de passe |
| # 5 POST pour changer le mot de passe que le POST soit ok ou non. |
| [alcasar_change-pwd] |
| |
| enabled = true |
| #enabled = false |
| filter = alcasar_change-pwd |
| action = iptables-allports[name=alcasar_change-pwd] |
| logpath = /var/log/httpd/ssl_request_log |
| maxretry = 5 |
| |
| EOF |
| |
| ################################################## |
| ## Mise en place des filtres spécifiques ## |
| ## - Mod_evasive.conf ## |
| ## - acc-htdigest.conf ## |
| ## - intercept.conf ## |
| ## - change-pwd.conf ## |
| ################################################## |
| |
| ###################### |
| ## MOD-EVASIVE.CONF ## |
| ###################### |
| cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf |
| # Fail2Ban configuration file |
| # |
| # Author: Cyril Jaquier |
| # Adapted by ALCASAR team |
| |
| [Definition] |
| |
| # Option: failregex |
| # Notes.: regex to match the password failure messages in the logfile. The |
| # host must be matched by a group named "host". The tag "<HOST>" can |
| # be used for standard IP/hostname matching and is only an alias for |
| # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
| # Values: TEXT |
| # |
| failregex = \[client <HOST>:[0-9]+\] .*client denied by server configuration |
| |
| # Option: ignoreregex |
| # Notes.: regex to ignore. If this regex matches, the line is ignored. |
| # Values: TEXT |
| # |
| ignoreregex = |
| EOF |
| |
| ####################### |
| ## ACC-HTDIGEST.CONF ## |
| ####################### |
| cat << EOF > $DIR_FILTER/alcasar_acc.conf |
| # Fail2Ban configuration file |
| # |
| # Author: Cyril Jaquier |
| # Adapted by ALCASAR team |
| |
| [Definition] |
| |
| # Option: failregex |
| # Notes.: regex to match the password failure messages in the logfile. The |
| # host must be matched by a group named "host". The tag "<HOST>" can |
| # be used for standard IP/hostname matching and is only an alias for |
| # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
| # Values: TEXT |
| # |
| failregex = \[auth_digest:error\] \[client <HOST>:[0-9]+\] .*ALCASAR Control Center \(ACC\) |
| |
| #[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]] |
| |
| # Option: ignoreregex |
| # Notes.: regex to ignore. If this regex matches, the line is ignored. |
| # Values: TEXT |
| # |
| ignoreregex = |
| EOF |
| |
| #################### |
| ## INTERCEPT.CONF ## |
| #################### |
| cat << EOF > $DIR_FILTER/alcasar_intercept.conf |
| # Fail2Ban configuration file |
| # |
| # Author: Cyril Jaquier |
| # Adapted by ALCASAR team |
| |
| [Definition] |
| |
| # Option: failregex |
| # Notes.: regex to match the password failure messages in the logfile. The |
| # host must be matched by a group named "host". The tag "<HOST>" can |
| # be used for standard IP/hostname matching and is only an alias for |
| # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
| # Values: TEXT |
| # |
| failregex = \[<HOST>\] \"GET \/intercept\.php\?res=failed\&reason=reject |
| |
| # Option: ignoreregex |
| # Notes.: regex to ignore. If this regex matches, the line is ignored. |
| # Values: TEXT |
| # |
| ignoreregex = |
| EOF |
| |
| ##################### |
| ## CHANGE-PWD.CONF ## |
| ##################### |
| cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf |
| |
| # Fail2Ban configuration file |
| # |
| # Author: Cyril Jaquier |
| # Adapted by ALCASAR team |
| |
| [Definition] |
| |
| # Option: failregex |
| # Notes.: regex to match the password failure messages in the logfile. The |
| # host must be matched by a group named "host". The tag "<HOST>" can |
| # be used for standard IP/hostname matching and is only an alias for |
| # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
| # Values: TEXT |
| # |
| failregex = \[<HOST>\] \"POST \/password\.php |
| |
| |
| # Option: ignoreregex |
| # Notes.: regex to ignore. If this regex matches, the line is ignored. |
| # Values: TEXT |
| # |
| ignoreregex = |
| EOF |
| |
| ############################################## |
| ## Log sur ULOG quand iptables-allports ## |
| ############################################## |
| [ -f $ACTION_ALLPORTS ] && [ ! -e $ACTION_ALLPORTS.default ] && mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default |
| cat << EOF > $ACTION_ALLPORTS |
| # Fail2Ban configuration file |
| # |
| # Author: Cyril Jaquier |
| # Modified: Yaroslav O. Halchenko <debian@onerussian.com> |
| # made active on all ports from original iptables.conf |
| # Adapted by ALCASAR team |
| |
| [Definition] |
| |
| # Option: actionstart |
| # Notes.: command executed once at the start of Fail2Ban. |
| # Values: CMD |
| # |
| actionstart = iptables -N fail2ban-<name> |
| iptables -A fail2ban-<name> -j RETURN |
| iptables -I <chain> -p <protocol> -j fail2ban-<name> |
| |
| # Option: actionstop |
| # Notes.: command executed once at the end of Fail2Ban |
| # Values: CMD |
| # |
| actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name> |
| iptables -F fail2ban-<name> |
| iptables -X fail2ban-<name> |
| |
| # Option: actioncheck |
| # Notes.: command executed once before each actionban command |
| # Values: CMD |
| # |
| actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name> |
| |
| # Option: actionban |
| # Notes.: command executed when banning an IP. Take care that the |
| # command is executed with Fail2Ban user rights. |
| # Tags: <ip> IP address |
| # <failures> number of failures |
| # <time> unix timestamp of the ban time |
| # Values: CMD |
| |
| actionban = iptables -I fail2ban-<name> 1 -s <ip> -j NFLOG --nflog-group 1 --nflog-prefix "RULE Fail2Ban -- DROP" |
| iptables -I fail2ban-<name> 1 -s <ip> -j DROP |
| |
| # Option: actionunban |
| # Notes.: command executed when unbanning an IP. Take care that the |
| # command is executed with Fail2Ban user rights. |
| # Tags: <ip> IP address |
| # <failures> number of failures |
| # <time> unix timestamp of the ban time |
| # Values: CMD |
| # |
| actionunban = iptables -D fail2ban-<name> -s <ip> -j NFLOG --nflog-group 1 --nflog-prefix "RULE Fail2Ban -- DROP" |
| iptables -D fail2ban-<name> -s <ip> -j DROP |
| |
| [Init] |
| |
| # Defaut name of the chain |
| # |
| name = default |
| |
| # Option: protocol |
| # Notes.: internally used by config reader for interpolations. |
| # Values: [ tcp | udp | icmp | all ] Default: tcp |
| # |
| protocol = tcp |
| |
| # Option: chain |
| # Notes specifies the iptables chain to which the fail2ban rules should be |
| # added |
| # Values: STRING Default: INPUT |
| chain = INPUT |
| |
| EOF |
| Property changes: |
|---|
| Added: svn:eol-style |
|---|
| +LF |
|---|
| \ No newline at end of property |
|---|
| Added: svn:executable |
|---|
| +* |
|---|
| \ No newline at end of property |
|---|
| Added: svn:keywords |
|---|
| +Id |
|---|
| \ No newline at end of property |
|---|