| 0,0 → 1,204 |
|---|
| #!/bin/sh |
| # $Id$ |
| |
| JAIL_CONF="/etc/fail2ban/jail.conf" |
| DIR_FILTER="/etc/fail2ban/filter.d/" |
| |
| ######################################################### |
| ## Mise à jour de la configuration de jail de fail2ban ## |
| ######################################################### |
| [ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default |
| cat << EOF > $JAIL_CONF |
| |
| # Fail2Ban configuration file |
| # |
| # Author: Cyril Jaquier |
| # Adapted by ALCASAR team |
| |
| |
| # The DEFAULT allows a global definition of the options. They can be overridden |
| # in each jail afterwards. |
| [DEFAULT] |
| # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not |
| # ban a host which matches an address in this list. Several addresses can be |
| # defined using space separator. |
| ignoreip = 127.0.0.1/8 |
| # "bantime" is the number of seconds that a host is banned. |
| bantime = 180 |
| |
| # A host is banned if it has generated "maxretry" during the last "findtime" seconds. |
| # Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes) |
| # Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes |
| findtime = 60 |
| |
| # "maxretry" is the number of failures before a host get banned. |
| maxretry = 5 |
| |
| # "backend" specifies the backend used to get files modification. Available |
| # options are "gamin", "polling" and "auto". This option can be overridden in |
| # each jail too (use "gamin" for a jail and "polling" for another). |
| # |
| # gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin |
| # is not installed, Fail2ban will use polling. |
| # polling: uses a polling algorithm which does not require external libraries. |
| # auto: will choose Gamin if available and polling otherwise. |
| backend = auto |
| |
| # "usedns" specifies if jails should trust hostnames in logs, |
| # warn when DNS lookups are performed, or ignore all hostnames in logs |
| # |
| # yes: if a hostname is encountered, a DNS lookup will be performed. |
| # warn: if a hostname is encountered, a DNS lookup will be performed, |
| # but it will be logged as a warning. |
| # no: if a hostname is encountered, will not be used for banning, |
| # but it will be logged as info. |
| usedns = warn |
| |
| # Bannissement sur tous les ports après 3 refus du serveur WEB (tentative d'accès sur des pages inexistentes) |
| [alcasar_mod-evasive] |
| #enabled = true |
| enabled = false |
| backend = auto |
| filter = alcasar_mod-evasive |
| action = iptables-allports[name=alcasar_mod-evasive] |
| logpath = /var/log/lighttpd/access.log |
| maxretry = 3 |
| |
| # Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force) |
| [ssh-iptables] |
| enabled = true |
| #enabled = false |
| filter = sshd |
| action = iptables-allports[name=SSH] |
| logpath = /var/log/auth.log |
| maxretry = 3 |
| |
| # Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC) |
| [alcasar_acc] |
| enabled = true |
| #enabled = false |
| backend = auto |
| filter = alcasar_acc |
| action = iptables-allports[name=alcasar_acc] |
| logpath = /var/log/lighttpd/access.log |
| maxretry = 5 |
| |
| # Bannissement sur tout les ports après 5 echecs de connexion pour un usager |
| [alcasar_intercept] |
| enabled = true |
| #enabled = false |
| backend = auto |
| filter = alcasar_intercept |
| action = iptables-allports[name=alcasar_intercept] |
| logpath = /var/log/lighttpd/access.log |
| maxretry = 5 |
| |
| # Bannissement sur tout les port après 5 échecs de changement de mot de passe |
| # 5 POST pour changer le mot de passe que le POST soit ok ou non. |
| [alcasar_change-pwd] |
| enabled = true |
| #enabled = false |
| backend = auto |
| filter = alcasar_change-pwd |
| action = iptables-allports[name=alcasar_change-pwd] |
| logpath = /var/log/lighttpd/access.log |
| maxretry = 5 |
| |
| EOF |
| |
| ############################################## |
| ## Mise en place des filtres spécifiques ## |
| ## - Mod_evasive.conf ## |
| ## - acc-htdigest.conf ## |
| ## - intercept.conf ## |
| ## - change-pwd.conf ## |
| ############################################## |
| |
| ###################### |
| ## MOD-EVASIVE.CONF ## |
| ###################### |
| cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf |
| # Fail2Ban configuration file |
| # |
| # Author: Cyril Jaquier |
| # Adapted by ALCASAR team |
| |
| [Definition] |
| # Option: failregex |
| # Notes.: regex to match the password failure messages in the logfile. The |
| # host must be matched by a group named "host". The tag "<HOST>" can |
| # be used for standard IP/hostname matching and is only an alias for |
| # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
| # Values: TEXT |
| failregex = <HOST> .+\] "[^"]+" 403 |
| # Option: ignoreregex |
| # Notes.: regex to ignore. If this regex matches, the line is ignored. |
| ignoreregex = |
| EOF |
| |
| ####################### |
| ## ACC-HTDIGEST.CONF ## |
| ####################### |
| cat << EOF > $DIR_FILTER/alcasar_acc.conf |
| # Fail2Ban configuration file |
| # |
| # Author: Cyril Jaquier |
| # Adapted by ALCASAR team |
| |
| [Definition] |
| # Option: failregex |
| # Notes.: regex to match the password failure messages in the logfile. The |
| # host must be matched by a group named "host". The tag "<HOST>" can |
| # be used for standard IP/hostname matching and is only an alias for |
| # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
| # Values: TEXT |
| failregex = <HOST> .+\] "[^"]+" 401 |
| # Option: ignoreregex |
| # Notes.: regex to ignore. If this regex matches, the line is ignored. |
| ignoreregex = |
| EOF |
| |
| #################### |
| ## INTERCEPT.CONF ## |
| #################### |
| cat << EOF > $DIR_FILTER/alcasar_intercept.conf |
| # Fail2Ban configuration file |
| # |
| # Author: Cyril Jaquier |
| # Adapted by ALCASAR team |
| |
| [Definition] |
| # Option: failregex |
| # Notes.: regex to match the password failure messages in the logfile. The |
| # host must be matched by a group named "host". The tag "<HOST>" can |
| # be used for standard IP/hostname matching and is only an alias for |
| # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
| # Values: TEXT |
| failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject |
| # Option: ignoreregex |
| # Notes.: regex to ignore. If this regex matches, the line is ignored. |
| ignoreregex = |
| EOF |
| |
| ##################### |
| ## CHANGE-PWD.CONF ## |
| ##################### |
| cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf |
| |
| # Fail2Ban configuration file |
| # |
| # Author: Cyril Jaquier |
| # Adapted by ALCASAR team |
| |
| [Definition] |
| # Option: failregex |
| # Notes.: regex to match the password failure messages in the logfile. The |
| # host must be matched by a group named "host". The tag "<HOST>" can |
| # be used for standard IP/hostname matching and is only an alias for |
| # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
| # Values: TEXT |
| failregex = <HOST> .* \"POST \/password\.php |
| # Option: ignoreregex |
| # Notes.: regex to ignore. If this regex matches, the line is ignored. |
| ignoreregex = |
| EOF |
| Property changes: |
|---|
| Added: svn:eol-style |
|---|
| +LF |
|---|
| \ No newline at end of property |
|---|
| Added: svn:executable |
|---|
| +* |
|---|
| \ No newline at end of property |
|---|
| Added: svn:keywords |
|---|
| +Id |
|---|
| \ No newline at end of property |
|---|