WebSVN – ALCASAR – Diff – /conf/fail2ban.sh


#!/bin/sh
# $Id: fail2ban.sh 2497 2018-02-26 02:00:25Z tom.houdayer $
 
 
JAIL_CONF="/etc/fail2ban/jail.conf"
DIR_FILTER="/etc/fail2ban/filter.d/"
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
#########################################################
## Mise à jour de la configuration de jail de fail2ban ##
#########################################################
[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default
cat << EOF > $JAIL_CONF
 
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
 
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
 
[DEFAULT]
 
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
 
# "bantime" is the number of seconds that a host is banned.
bantime  = 300
 
# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)
# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes
findtime  = 60
 
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
 
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto
 
# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn
 
# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)
[alcasar_mod-evasive]
 
#enabled = true
enabled = false
backend = auto
filter = alcasar_mod-evasive
action = iptables-allports[name=alcasar_mod-evasive]
logpath = /var/log/lighttpd/access.log
maxretry = 2
 
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
[ssh-iptables]
 
enabled = true
#enabled  = false
filter   = sshd
action   = iptables-allports[name=SSH]
logpath  = /var/log/auth.log
maxretry = 3
 
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
[alcasar_acc]
 
enabled = true
#enabled = false
backend = auto
filter = alcasar_acc
action = iptables-allports[name=alcasar_acc]
logpath = /var/log/lighttpd/access.log
maxretry = 6
 
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
[alcasar_intercept]
 
enabled = true
#enabled = false
backend = auto
filter = alcasar_intercept
action = iptables-allports[name=alcasar_intercept]
logpath = /var/log/lighttpd/access.log
maxretry = 5
 
# Bannissement sur tout les port après 5 échecs de changement de mot de passe
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
[alcasar_change-pwd]
 
enabled = true
#enabled = false
backend = auto
filter = alcasar_change-pwd
action = iptables-allports[name=alcasar_change-pwd]
logpath = /var/log/lighttpd/access.log
maxretry = 5
 
EOF
 
##################################################
## Mise en place des filtres spécifiques	##
## - Mod_evasive.conf				##
## - acc-htdigest.conf				##
## - intercept.conf				##
## - change-pwd.conf				##
##################################################
 
######################
## MOD-EVASIVE.CONF ##
######################
cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex =  <HOST> .+\] "[^"]+" 403
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF
 
#######################
## ACC-HTDIGEST.CONF ##
#######################
cat << EOF > $DIR_FILTER/alcasar_acc.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex =  <HOST> .+\] "[^"]+" 401
 
#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF
 
####################
## INTERCEPT.CONF ##
####################
cat << EOF > $DIR_FILTER/alcasar_intercept.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF
 
#####################
## CHANGE-PWD.CONF ##
#####################
cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf
 
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = <HOST> .* \"POST \/password\.php
 
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF
 
##############################################
##   Log sur ULOG quand iptables-allports   ##
##############################################
[ -f $ACTION_ALLPORTS ] && [ ! -e $ACTION_ALLPORTS.default ] && mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default
cat << EOF > $ACTION_ALLPORTS
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# 			made active on all ports from original iptables.conf
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
 
# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
 
# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
 
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
 
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 
# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
 
[Init]
 
# Defaut name of the chain
#
name = default
 
# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
 
# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT
 
EOF
 

Rev 2488	Rev 2497
1	`#!/bin/sh`	1	`#!/bin/sh`
2	`# $Id: fail2ban.sh 2488 2018-02-25 14:53:54Z lucas.echard $`	2	`# $Id: fail2ban.sh 2497 2018-02-26 02:00:25Z tom.houdayer $`
3		3
4	`FAIL_CONF="/etc/fail2ban/fail2ban.conf"`	-
5	`JAIL_CONF="/etc/fail2ban/jail.conf"`	4	`JAIL_CONF="/etc/fail2ban/jail.conf"`
6	`DIR_FILTER="/etc/fail2ban/filter.d/"`	5	`DIR_FILTER="/etc/fail2ban/filter.d/"`
7	`ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"`	6	`ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"`
8		7
9	`#########################################################`	-
10	`## Mise à jour du fichier de configuration de fail2ban ##`	-
11	`#########################################################`	-
12	`[ -f $FAIL_CONF ] && [ ! -e $FAIL_CONF.default ] && mv $FAIL_CONF $FAIL_CONF.default`	-
13	`cat << EOF > $FAIL_CONF`	-
14		-
15	`[Definition]`	-
16		-
17	`# Option: loglevel`	-
18	`# Notes.: Set the log level output.`	-
19	`# 1 = ERROR`	-
20	`# 2 = WARN`	-
21	`# 3 = INFO`	-
22	`# 4 = DEBUG`	-
23	`# Values: NUM Default: 3`	-
24	`#`	-
25	`loglevel = 3`	-
26		-
27	`# Option: logtarget`	-
28	`# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.`	-
29	`# Only one log target can be specified.`	-
30	`# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log`	-
31	`#`	-
32	`logtarget = /var/log/fail2ban.log`	-
33		-
34	`# Option: socket`	-
35	`# Notes.: Set the socket file. This is used to communicate with the daemon. Do`	-
36	`# not remove this file when Fail2ban runs. It will not be possible to`	-
37	`# communicate with the server afterwards.`	-
38	`# Values: FILE Default: /var/run/fail2ban/fail2ban.sock`	-
39	`#`	-
40	`socket = /var/run/fail2ban/fail2ban.sock`	-
41		-
42	`# Option: pidfile`	-
43	`# Notes.: Set the PID file. This is used to store the process ID of the`	-
44	`# fail2ban server.`	-
45	`# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid`	-
46	`#`	-
47	`pidfile = /var/run/fail2ban/fail2ban.pid`	-
48	`EOF`	-
49		-
50	`#########################################################`	8	`#########################################################`
51	`## Mise à jour de la configuration de jail de fail2ban ##`	9	`## Mise à jour de la configuration de jail de fail2ban ##`
52	`#########################################################`	10	`#########################################################`
53	`[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default`	11	`[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default`
54	`cat << EOF > $JAIL_CONF`	12	`cat << EOF > $JAIL_CONF`
55		13
56	`# Fail2Ban configuration file`	14	`# Fail2Ban configuration file`
57	`#`	15	`#`
58	`# Author: Cyril Jaquier`	16	`# Author: Cyril Jaquier`
59	`# Adapted by ALCASAR team`	17	`# Adapted by ALCASAR team`
60		18
61		19
62	`# The DEFAULT allows a global definition of the options. They can be overridden`	20	`# The DEFAULT allows a global definition of the options. They can be overridden`
63	`# in each jail afterwards.`	21	`# in each jail afterwards.`
64		22
65	`[DEFAULT]`	23	`[DEFAULT]`
66		24
67	`# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not`	25	`# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not`
68	`# ban a host which matches an address in this list. Several addresses can be`	26	`# ban a host which matches an address in this list. Several addresses can be`
69	`# defined using space separator.`	27	`# defined using space separator.`
70	`ignoreip = 127.0.0.1/8`	28	`ignoreip = 127.0.0.1/8`
71		29
72	`# "bantime" is the number of seconds that a host is banned.`	30	`# "bantime" is the number of seconds that a host is banned.`
73	`bantime = 300`	31	`bantime = 300`
74		32
75	`# A host is banned if it has generated "maxretry" during the last "findtime" seconds.`	33	`# A host is banned if it has generated "maxretry" during the last "findtime" seconds.`
76	`# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)`	34	`# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)`
77	`# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes`	35	`# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes`
78	`findtime = 60`	36	`findtime = 60`
79		37
80	`# "maxretry" is the number of failures before a host get banned.`	38	`# "maxretry" is the number of failures before a host get banned.`
81	`maxretry = 5`	39	`maxretry = 5`
82		40
83	`# "backend" specifies the backend used to get files modification. Available`	41	`# "backend" specifies the backend used to get files modification. Available`
84	`# options are "gamin", "polling" and "auto". This option can be overridden in`	42	`# options are "gamin", "polling" and "auto". This option can be overridden in`
85	`# each jail too (use "gamin" for a jail and "polling" for another).`	43	`# each jail too (use "gamin" for a jail and "polling" for another).`
86	`#`	44	`#`
87	`# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin`	45	`# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin`
88	`# is not installed, Fail2ban will use polling.`	46	`# is not installed, Fail2ban will use polling.`
89	`# polling: uses a polling algorithm which does not require external libraries.`	47	`# polling: uses a polling algorithm which does not require external libraries.`
90	`# auto: will choose Gamin if available and polling otherwise.`	48	`# auto: will choose Gamin if available and polling otherwise.`
91	`backend = auto`	49	`backend = auto`
92		50
93	`# "usedns" specifies if jails should trust hostnames in logs,`	51	`# "usedns" specifies if jails should trust hostnames in logs,`
94	`# warn when DNS lookups are performed, or ignore all hostnames in logs`	52	`# warn when DNS lookups are performed, or ignore all hostnames in logs`
95	`#`	53	`#`
96	`# yes: if a hostname is encountered, a DNS lookup will be performed.`	54	`# yes: if a hostname is encountered, a DNS lookup will be performed.`
97	`# warn: if a hostname is encountered, a DNS lookup will be performed,`	55	`# warn: if a hostname is encountered, a DNS lookup will be performed,`
98	`# but it will be logged as a warning.`	56	`# but it will be logged as a warning.`
99	`# no: if a hostname is encountered, will not be used for banning,`	57	`# no: if a hostname is encountered, will not be used for banning,`
100	`# but it will be logged as info.`	58	`# but it will be logged as info.`
101	`usedns = warn`	59	`usedns = warn`
102		60
103	`# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)`	61	`# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)`
104	`[alcasar_mod-evasive]`	62	`[alcasar_mod-evasive]`
105		63
106	`#enabled = true`	64	`#enabled = true`
107	`enabled = false`	65	`enabled = false`
108	`backend = auto`	66	`backend = auto`
109	`filter = alcasar_mod-evasive`	67	`filter = alcasar_mod-evasive`
110	`action = iptables-allports[name=alcasar_mod-evasive]`	68	`action = iptables-allports[name=alcasar_mod-evasive]`
111	`logpath = /var/log/lighttpd/access.log`	69	`logpath = /var/log/lighttpd/access.log`
112	`maxretry = 2`	70	`maxretry = 2`
113		71
114	`# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)`	72	`# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)`
115	`[ssh-iptables]`	73	`[ssh-iptables]`
116		74
117	`enabled = true`	75	`enabled = true`
118	`#enabled = false`	76	`#enabled = false`
119	`filter = sshd`	77	`filter = sshd`
120	`action = iptables-allports[name=SSH]`	78	`action = iptables-allports[name=SSH]`
121	`logpath = /var/log/auth.log`	79	`logpath = /var/log/auth.log`
122	`maxretry = 3`	80	`maxretry = 3`
123		81
124	`# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)`	82	`# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)`
125	`[alcasar_acc]`	83	`[alcasar_acc]`
126		84
127	`enabled = true`	85	`enabled = true`
128	`#enabled = false`	86	`#enabled = false`
129	`backend = auto`	87	`backend = auto`
130	`filter = alcasar_acc`	88	`filter = alcasar_acc`
131	`action = iptables-allports[name=alcasar_acc]`	89	`action = iptables-allports[name=alcasar_acc]`
132	`logpath = /var/log/lighttpd/access.log`	90	`logpath = /var/log/lighttpd/access.log`
133	`maxretry = 6`	91	`maxretry = 6`
134		92
135	`# Bannissement sur tout les ports après 5 echecs de connexion pour un usager`	93	`# Bannissement sur tout les ports après 5 echecs de connexion pour un usager`
136	`[alcasar_intercept]`	94	`[alcasar_intercept]`
137		95
138	`enabled = true`	96	`enabled = true`
139	`#enabled = false`	97	`#enabled = false`
140	`backend = auto`	98	`backend = auto`
141	`filter = alcasar_intercept`	99	`filter = alcasar_intercept`
142	`action = iptables-allports[name=alcasar_intercept]`	100	`action = iptables-allports[name=alcasar_intercept]`
143	`logpath = /var/log/lighttpd/access.log`	101	`logpath = /var/log/lighttpd/access.log`
144	`maxretry = 5`	102	`maxretry = 5`
145		103
146	`# Bannissement sur tout les port après 5 échecs de changement de mot de passe`	104	`# Bannissement sur tout les port après 5 échecs de changement de mot de passe`
147	`# 5 POST pour changer le mot de passe que le POST soit ok ou non.`	105	`# 5 POST pour changer le mot de passe que le POST soit ok ou non.`
148	`[alcasar_change-pwd]`	106	`[alcasar_change-pwd]`
149		107
150	`enabled = true`	108	`enabled = true`
151	`#enabled = false`	109	`#enabled = false`
152	`backend = auto`	110	`backend = auto`
153	`filter = alcasar_change-pwd`	111	`filter = alcasar_change-pwd`
154	`action = iptables-allports[name=alcasar_change-pwd]`	112	`action = iptables-allports[name=alcasar_change-pwd]`
155	`logpath = /var/log/lighttpd/access.log`	113	`logpath = /var/log/lighttpd/access.log`
156	`maxretry = 5`	114	`maxretry = 5`
157		115
158	`EOF`	116	`EOF`
159		117
160	`##################################################`	118	`##################################################`
161	`## Mise en place des filtres spécifiques ##`	119	`## Mise en place des filtres spécifiques ##`
162	`## - Mod_evasive.conf ##`	120	`## - Mod_evasive.conf ##`
163	`## - acc-htdigest.conf ##`	121	`## - acc-htdigest.conf ##`
164	`## - intercept.conf ##`	122	`## - intercept.conf ##`
165	`## - change-pwd.conf ##`	123	`## - change-pwd.conf ##`
166	`##################################################`	124	`##################################################`
167		125
168	`######################`	126	`######################`
169	`## MOD-EVASIVE.CONF ##`	127	`## MOD-EVASIVE.CONF ##`
170	`######################`	128	`######################`
171	`cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf`	129	`cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf`
172	`# Fail2Ban configuration file`	130	`# Fail2Ban configuration file`
173	`#`	131	`#`
174	`# Author: Cyril Jaquier`	132	`# Author: Cyril Jaquier`
175	`# Adapted by ALCASAR team`	133	`# Adapted by ALCASAR team`
176		134
177	`[Definition]`	135	`[Definition]`
178		136
179	`# Option: failregex`	137	`# Option: failregex`
180	`# Notes.: regex to match the password failure messages in the logfile. The`	138	`# Notes.: regex to match the password failure messages in the logfile. The`
181	`# host must be matched by a group named "host". The tag "<HOST>" can`	139	`# host must be matched by a group named "host". The tag "<HOST>" can`
182	`# be used for standard IP/hostname matching and is only an alias for`	140	`# be used for standard IP/hostname matching and is only an alias for`
183	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`	141	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
184	`# Values: TEXT`	142	`# Values: TEXT`
185	`#`	143	`#`
186	`failregex = <HOST> .+\] "[^"]+" 403`	144	`failregex = <HOST> .+\] "[^"]+" 403`
187		145
188	`# Option: ignoreregex`	146	`# Option: ignoreregex`
189	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`	147	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
190	`# Values: TEXT`	148	`# Values: TEXT`
191	`#`	149	`#`
192	`ignoreregex =`	150	`ignoreregex =`
193	`EOF`	151	`EOF`
194		152
195	`#######################`	153	`#######################`
196	`## ACC-HTDIGEST.CONF ##`	154	`## ACC-HTDIGEST.CONF ##`
197	`#######################`	155	`#######################`
198	`cat << EOF > $DIR_FILTER/alcasar_acc.conf`	156	`cat << EOF > $DIR_FILTER/alcasar_acc.conf`
199	`# Fail2Ban configuration file`	157	`# Fail2Ban configuration file`
200	`#`	158	`#`
201	`# Author: Cyril Jaquier`	159	`# Author: Cyril Jaquier`
202	`# Adapted by ALCASAR team`	160	`# Adapted by ALCASAR team`
203		161
204	`[Definition]`	162	`[Definition]`
205		163
206	`# Option: failregex`	164	`# Option: failregex`
207	`# Notes.: regex to match the password failure messages in the logfile. The`	165	`# Notes.: regex to match the password failure messages in the logfile. The`
208	`# host must be matched by a group named "host". The tag "<HOST>" can`	166	`# host must be matched by a group named "host". The tag "<HOST>" can`
209	`# be used for standard IP/hostname matching and is only an alias for`	167	`# be used for standard IP/hostname matching and is only an alias for`
210	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`	168	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
211	`# Values: TEXT`	169	`# Values: TEXT`
212	`#`	170	`#`
213	`failregex = <HOST> .+\] "[^"]+" 401`	171	`failregex = <HOST> .+\] "[^"]+" 401`
214		172
215	`#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]`	173	`#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]`
216		174
217	`# Option: ignoreregex`	175	`# Option: ignoreregex`
218	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`	176	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
219	`# Values: TEXT`	177	`# Values: TEXT`
220	`#`	178	`#`
221	`ignoreregex =`	179	`ignoreregex =`
222	`EOF`	180	`EOF`
223		181
224	`####################`	182	`####################`
225	`## INTERCEPT.CONF ##`	183	`## INTERCEPT.CONF ##`
226	`####################`	184	`####################`
227	`cat << EOF > $DIR_FILTER/alcasar_intercept.conf`	185	`cat << EOF > $DIR_FILTER/alcasar_intercept.conf`
228	`# Fail2Ban configuration file`	186	`# Fail2Ban configuration file`
229	`#`	187	`#`
230	`# Author: Cyril Jaquier`	188	`# Author: Cyril Jaquier`
231	`# Adapted by ALCASAR team`	189	`# Adapted by ALCASAR team`
232		190
233	`[Definition]`	191	`[Definition]`
234		192
235	`# Option: failregex`	193	`# Option: failregex`
236	`# Notes.: regex to match the password failure messages in the logfile. The`	194	`# Notes.: regex to match the password failure messages in the logfile. The`
237	`# host must be matched by a group named "host". The tag "<HOST>" can`	195	`# host must be matched by a group named "host". The tag "<HOST>" can`
238	`# be used for standard IP/hostname matching and is only an alias for`	196	`# be used for standard IP/hostname matching and is only an alias for`
239	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`	197	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
240	`# Values: TEXT`	198	`# Values: TEXT`
241	`#`	199	`#`
242	`failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject`	200	`failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject`
243		201
244	`# Option: ignoreregex`	202	`# Option: ignoreregex`
245	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`	203	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
246	`# Values: TEXT`	204	`# Values: TEXT`
247	`#`	205	`#`
248	`ignoreregex =`	206	`ignoreregex =`
249	`EOF`	207	`EOF`
250		208
251	`#####################`	209	`#####################`
252	`## CHANGE-PWD.CONF ##`	210	`## CHANGE-PWD.CONF ##`
253	`#####################`	211	`#####################`
254	`cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf`	212	`cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf`
255		213
256	`# Fail2Ban configuration file`	214	`# Fail2Ban configuration file`
257	`#`	215	`#`
258	`# Author: Cyril Jaquier`	216	`# Author: Cyril Jaquier`
259	`# Adapted by ALCASAR team`	217	`# Adapted by ALCASAR team`
260		218
261	`[Definition]`	219	`[Definition]`
262		220
263	`# Option: failregex`	221	`# Option: failregex`
264	`# Notes.: regex to match the password failure messages in the logfile. The`	222	`# Notes.: regex to match the password failure messages in the logfile. The`
265	`# host must be matched by a group named "host". The tag "<HOST>" can`	223	`# host must be matched by a group named "host". The tag "<HOST>" can`
266	`# be used for standard IP/hostname matching and is only an alias for`	224	`# be used for standard IP/hostname matching and is only an alias for`
267	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`	225	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
268	`# Values: TEXT`	226	`# Values: TEXT`
269	`#`	227	`#`
270	`failregex = <HOST> .* \"POST \/password\.php`	228	`failregex = <HOST> .* \"POST \/password\.php`
271		229
272		230
273	`# Option: ignoreregex`	231	`# Option: ignoreregex`
274	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`	232	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
275	`# Values: TEXT`	233	`# Values: TEXT`
276	`#`	234	`#`
277	`ignoreregex =`	235	`ignoreregex =`
278	`EOF`	236	`EOF`
279		237
280	`##############################################`	238	`##############################################`
281	`## Log sur ULOG quand iptables-allports ##`	239	`## Log sur ULOG quand iptables-allports ##`
282	`##############################################`	240	`##############################################`
283	`[ -f $ACTION_ALLPORTS ] && [ ! -e $ACTION_ALLPORTS.default ] && mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default`	241	`[ -f $ACTION_ALLPORTS ] && [ ! -e $ACTION_ALLPORTS.default ] && mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default`
284	`cat << EOF > $ACTION_ALLPORTS`	242	`cat << EOF > $ACTION_ALLPORTS`
285	`# Fail2Ban configuration file`	243	`# Fail2Ban configuration file`
286	`#`	244	`#`
287	`# Author: Cyril Jaquier`	245	`# Author: Cyril Jaquier`
288	`# Modified: Yaroslav O. Halchenko <debian@onerussian.com>`	246	`# Modified: Yaroslav O. Halchenko <debian@onerussian.com>`
289	`# made active on all ports from original iptables.conf`	247	`# made active on all ports from original iptables.conf`
290	`# Adapted by ALCASAR team`	248	`# Adapted by ALCASAR team`
291		249
292	`[Definition]`	250	`[Definition]`
293		251
294	`# Option: actionstart`	252	`# Option: actionstart`
295	`# Notes.: command executed once at the start of Fail2Ban.`	253	`# Notes.: command executed once at the start of Fail2Ban.`
296	`# Values: CMD`	254	`# Values: CMD`
297	`#`	255	`#`
298	`actionstart = iptables -N fail2ban-<name>`	256	`actionstart = iptables -N fail2ban-<name>`
299	`iptables -A fail2ban-<name> -j RETURN`	257	`iptables -A fail2ban-<name> -j RETURN`
300	`iptables -I <chain> -p <protocol> -j fail2ban-<name>`	258	`iptables -I <chain> -p <protocol> -j fail2ban-<name>`
301		259
302	`# Option: actionstop`	260	`# Option: actionstop`
303	`# Notes.: command executed once at the end of Fail2Ban`	261	`# Notes.: command executed once at the end of Fail2Ban`
304	`# Values: CMD`	262	`# Values: CMD`
305	`#`	263	`#`
306	`actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>`	264	`actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>`
307	`iptables -F fail2ban-<name>`	265	`iptables -F fail2ban-<name>`
308	`iptables -X fail2ban-<name>`	266	`iptables -X fail2ban-<name>`
309		267
310	`# Option: actioncheck`	268	`# Option: actioncheck`
311	`# Notes.: command executed once before each actionban command`	269	`# Notes.: command executed once before each actionban command`
312	`# Values: CMD`	270	`# Values: CMD`
313	`#`	271	`#`
314	`actioncheck = iptables -n -L <chain> \| grep -q fail2ban-<name>`	272	`actioncheck = iptables -n -L <chain> \| grep -q fail2ban-<name>`
315		273
316	`# Option: actionban`	274	`# Option: actionban`
317	`# Notes.: command executed when banning an IP. Take care that the`	275	`# Notes.: command executed when banning an IP. Take care that the`
318	`# command is executed with Fail2Ban user rights.`	276	`# command is executed with Fail2Ban user rights.`
319	`# Tags: <ip> IP address`	277	`# Tags: <ip> IP address`
320	`# <failures> number of failures`	278	`# <failures> number of failures`
321	`# <time> unix timestamp of the ban time`	279	`# <time> unix timestamp of the ban time`
322	`# Values: CMD`	280	`# Values: CMD`
323		281
324	`actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP`	282	`actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP`
325		283
326	`# Option: actionunban`	284	`# Option: actionunban`
327	`# Notes.: command executed when unbanning an IP. Take care that the`	285	`# Notes.: command executed when unbanning an IP. Take care that the`
328	`# command is executed with Fail2Ban user rights.`	286	`# command is executed with Fail2Ban user rights.`
329	`# Tags: <ip> IP address`	287	`# Tags: <ip> IP address`
330	`# <failures> number of failures`	288	`# <failures> number of failures`
331	`# <time> unix timestamp of the ban time`	289	`# <time> unix timestamp of the ban time`
332	`# Values: CMD`	290	`# Values: CMD`
333	`#`	291	`#`
334	`actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP`	292	`actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP`
335		293
336	`[Init]`	294	`[Init]`
337		295
338	`# Defaut name of the chain`	296	`# Defaut name of the chain`
339	`#`	297	`#`
340	`name = default`	298	`name = default`
341		299
342	`# Option: protocol`	300	`# Option: protocol`
343	`# Notes.: internally used by config reader for interpolations.`	301	`# Notes.: internally used by config reader for interpolations.`
344	`# Values: [ tcp \| udp \| icmp \| all ] Default: tcp`	302	`# Values: [ tcp \| udp \| icmp \| all ] Default: tcp`
345	`#`	303	`#`
346	`protocol = tcp`	304	`protocol = tcp`
347		305
348	`# Option: chain`	306	`# Option: chain`
349	`# Notes specifies the iptables chain to which the fail2ban rules should be`	307	`# Notes specifies the iptables chain to which the fail2ban rules should be`
350	`# added`	308	`# added`
351	`# Values: STRING Default: INPUT`	309	`# Values: STRING Default: INPUT`
352	`chain = INPUT`	310	`chain = INPUT`
353		311
354	`EOF`	312	`EOF`
355		313

Subversion Repositories ALCASAR

(root)/conf/fail2ban.sh @ 2714 – Rev 2488 → 2497