0,0 → 1,353 |
#!/bin/sh |
# $Id$ |
|
FAIL_CONF="/etc/fail2ban/fail2ban.conf" |
JAIL_CONF="/etc/fail2ban/jail.conf" |
DIR_FILTER="/etc/fail2ban/filter.d/" |
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf" |
|
######################################################### |
## Mise à jour du fichier de configuration de fail2ban ## |
######################################################### |
[ -f $FAIL_CONF ] && [ ! -e $FAIL_CONF.default ] && mv $FAIL_CONF $FAIL_CONF.default |
cat << EOF > $FAIL_CONF |
|
[Definition] |
|
# Option: loglevel |
# Notes.: Set the log level output. |
# 1 = ERROR |
# 2 = WARN |
# 3 = INFO |
# 4 = DEBUG |
# Values: NUM Default: 3 |
# |
loglevel = 3 |
|
# Option: logtarget |
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT. |
# Only one log target can be specified. |
# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log |
# |
logtarget = /var/log/fail2ban.log |
|
# Option: socket |
# Notes.: Set the socket file. This is used to communicate with the daemon. Do |
# not remove this file when Fail2ban runs. It will not be possible to |
# communicate with the server afterwards. |
# Values: FILE Default: /var/run/fail2ban/fail2ban.sock |
# |
socket = /var/run/fail2ban/fail2ban.sock |
|
# Option: pidfile |
# Notes.: Set the PID file. This is used to store the process ID of the |
# fail2ban server. |
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid |
# |
pidfile = /var/run/fail2ban/fail2ban.pid |
EOF |
|
######################################################### |
## Mise à jour de la configuration de jail de fail2ban ## |
######################################################### |
[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default |
cat << EOF > $JAIL_CONF |
|
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# Adapted by ALCASAR team |
|
|
# The DEFAULT allows a global definition of the options. They can be overridden |
# in each jail afterwards. |
|
[DEFAULT] |
|
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not |
# ban a host which matches an address in this list. Several addresses can be |
# defined using space separator. |
ignoreip = 127.0.0.1/8 |
|
# "bantime" is the number of seconds that a host is banned. |
bantime = 300 |
|
# A host is banned if it has generated "maxretry" during the last "findtime" seconds. |
# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes) |
# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes |
findtime = 60 |
|
# "maxretry" is the number of failures before a host get banned. |
maxretry = 5 |
|
# "backend" specifies the backend used to get files modification. Available |
# options are "gamin", "polling" and "auto". This option can be overridden in |
# each jail too (use "gamin" for a jail and "polling" for another). |
# |
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin |
# is not installed, Fail2ban will use polling. |
# polling: uses a polling algorithm which does not require external libraries. |
# auto: will choose Gamin if available and polling otherwise. |
backend = auto |
|
# "usedns" specifies if jails should trust hostnames in logs, |
# warn when DNS lookups are performed, or ignore all hostnames in logs |
# |
# yes: if a hostname is encountered, a DNS lookup will be performed. |
# warn: if a hostname is encountered, a DNS lookup will be performed, |
# but it will be logged as a warning. |
# no: if a hostname is encountered, will not be used for banning, |
# but it will be logged as info. |
usedns = warn |
|
# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes) |
[alcasar_mod-evasive] |
|
#enabled = true |
enabled = false |
filter = alcasar_mod-evasive |
action = iptables-allports[name=alcasar_mod-evasive] |
logpath = /var/log/httpd/error_log |
/var/log/httpd/ssl_error_log |
maxretry = 2 |
|
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force) |
[ssh-iptables] |
|
enabled = true |
#enabled = false |
filter = sshd |
action = iptables-allports[name=SSH] |
logpath = /var/log/auth.log |
maxretry = 3 |
|
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC) |
[alcasar_acc] |
|
enabled = true |
#enabled = false |
filter = alcasar_acc |
action = iptables-allports[name=alcasar_acc] |
logpath = /var/log/httpd/ssl_error_log |
maxretry = 5 |
|
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager |
[alcasar_intercept] |
|
enabled = true |
#enabled = false |
filter = alcasar_intercept |
action = iptables-allports[name=alcasar_intercept] |
logpath = /var/log/httpd/ssl_request_log |
maxretry = 5 |
|
# Bannissement sur tout les port après 5 échecs de changement de mot de passe |
# 5 POST pour changer le mot de passe que le POST soit ok ou non. |
[alcasar_change-pwd] |
|
enabled = true |
#enabled = false |
filter = alcasar_change-pwd |
action = iptables-allports[name=alcasar_change-pwd] |
logpath = /var/log/httpd/ssl_request_log |
maxretry = 5 |
|
EOF |
|
################################################## |
## Mise en place des filtres spécifiques ## |
## - Mod_evasive.conf ## |
## - acc-htdigest.conf ## |
## - intercept.conf ## |
## - change-pwd.conf ## |
################################################## |
|
###################### |
## MOD-EVASIVE.CONF ## |
###################### |
cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf |
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# Adapted by ALCASAR team |
|
[Definition] |
|
# Option: failregex |
# Notes.: regex to match the password failure messages in the logfile. The |
# host must be matched by a group named "host". The tag "<HOST>" can |
# be used for standard IP/hostname matching and is only an alias for |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
# Values: TEXT |
# |
failregex = \[client <HOST>:[0-9]+\] .*client denied by server configuration |
|
# Option: ignoreregex |
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
# Values: TEXT |
# |
ignoreregex = |
EOF |
|
####################### |
## ACC-HTDIGEST.CONF ## |
####################### |
cat << EOF > $DIR_FILTER/alcasar_acc.conf |
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# Adapted by ALCASAR team |
|
[Definition] |
|
# Option: failregex |
# Notes.: regex to match the password failure messages in the logfile. The |
# host must be matched by a group named "host". The tag "<HOST>" can |
# be used for standard IP/hostname matching and is only an alias for |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
# Values: TEXT |
# |
failregex = \[auth_digest:error\] \[client <HOST>:[0-9]+\] .*ALCASAR Control Center \(ACC\) |
|
#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]] |
|
# Option: ignoreregex |
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
# Values: TEXT |
# |
ignoreregex = |
EOF |
|
#################### |
## INTERCEPT.CONF ## |
#################### |
cat << EOF > $DIR_FILTER/alcasar_intercept.conf |
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# Adapted by ALCASAR team |
|
[Definition] |
|
# Option: failregex |
# Notes.: regex to match the password failure messages in the logfile. The |
# host must be matched by a group named "host". The tag "<HOST>" can |
# be used for standard IP/hostname matching and is only an alias for |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
# Values: TEXT |
# |
failregex = \[<HOST>\] \"GET \/intercept\.php\?res=failed\&reason=reject |
|
# Option: ignoreregex |
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
# Values: TEXT |
# |
ignoreregex = |
EOF |
|
##################### |
## CHANGE-PWD.CONF ## |
##################### |
cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf |
|
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# Adapted by ALCASAR team |
|
[Definition] |
|
# Option: failregex |
# Notes.: regex to match the password failure messages in the logfile. The |
# host must be matched by a group named "host". The tag "<HOST>" can |
# be used for standard IP/hostname matching and is only an alias for |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
# Values: TEXT |
# |
failregex = \[<HOST>\] \"POST \/password\.php |
|
|
# Option: ignoreregex |
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
# Values: TEXT |
# |
ignoreregex = |
EOF |
|
############################################## |
## Log sur ULOG quand iptables-allports ## |
############################################## |
[ -f $ACTION_ALLPORTS ] && [ ! -e $ACTION_ALLPORTS.default ] && mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default |
cat << EOF > $ACTION_ALLPORTS |
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# Modified: Yaroslav O. Halchenko <debian@onerussian.com> |
# made active on all ports from original iptables.conf |
# Adapted by ALCASAR team |
|
[Definition] |
|
# Option: actionstart |
# Notes.: command executed once at the start of Fail2Ban. |
# Values: CMD |
# |
actionstart = iptables -N fail2ban-<name> |
iptables -A fail2ban-<name> -j RETURN |
iptables -I <chain> -p <protocol> -j fail2ban-<name> |
|
# Option: actionstop |
# Notes.: command executed once at the end of Fail2Ban |
# Values: CMD |
# |
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name> |
iptables -F fail2ban-<name> |
iptables -X fail2ban-<name> |
|
# Option: actioncheck |
# Notes.: command executed once before each actionban command |
# Values: CMD |
# |
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name> |
|
# Option: actionban |
# Notes.: command executed when banning an IP. Take care that the |
# command is executed with Fail2Ban user rights. |
# Tags: <ip> IP address |
# <failures> number of failures |
# <time> unix timestamp of the ban time |
# Values: CMD |
|
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j NFLOG --nflog-group 1 --nflog-prefix "RULE Fail2Ban -- DROP" |
iptables -I fail2ban-<name> 1 -s <ip> -j DROP |
|
# Option: actionunban |
# Notes.: command executed when unbanning an IP. Take care that the |
# command is executed with Fail2Ban user rights. |
# Tags: <ip> IP address |
# <failures> number of failures |
# <time> unix timestamp of the ban time |
# Values: CMD |
# |
actionunban = iptables -D fail2ban-<name> -s <ip> -j NFLOG --nflog-group 1 --nflog-prefix "RULE Fail2Ban -- DROP" |
iptables -D fail2ban-<name> -s <ip> -j DROP |
|
[Init] |
|
# Defaut name of the chain |
# |
name = default |
|
# Option: protocol |
# Notes.: internally used by config reader for interpolations. |
# Values: [ tcp | udp | icmp | all ] Default: tcp |
# |
protocol = tcp |
|
# Option: chain |
# Notes specifies the iptables chain to which the fail2ban rules should be |
# added |
# Values: STRING Default: INPUT |
chain = INPUT |
|
EOF |
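Review bot: The NFLOG rule in `actionban` of the generated iptables-allports.conf never fires, because both commands use `-I fail2ban-<name> 1`: the second insert puts the terminating DROP at position 1 and pushes the non-terminating NFLOG to position 2, so a banned source is dropped before it reaches the log rule and the "Log sur ULOG" intent of this section is not met. Swapping the two lines fixes it, `actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP` followed by `iptables -I fail2ban-<name> 1 -s <ip> -j NFLOG --nflog-group 1 --nflog-prefix "RULE Fail2Ban -- DROP"`, so NFLOG sits above DROP; `actionunban` deletes by rule specification and needs no change. As a defensive point, the heredocs are unquoted (`cat << EOF`); the regexes currently contain no `$` or backticks, but quoting the delimiter as `<< 'EOF'` would keep a future filter edit from being expanded by the shell. Whether sshd on this platform logs to `/var/log/auth.log` rather than `/var/log/secure` should be confirmed, since a wrong `logpath` silently disables the `ssh-iptables` jail.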
Property changes: |
Added: svn:eol-style |
+LF |
\ No newline at end of property |
Added: svn:executable |
+* |
\ No newline at end of property |
Added: svn:keywords |
+Id |
\ No newline at end of property |