2271 |
tom.houday |
1 |
#!/bin/sh
|
|
|
2 |
# $Id: fail2ban.sh 2488 2018-02-25 14:53:54Z lucas.echard $
|
|
|
3 |
|
1191 |
crox53 |
4 |
FAIL_CONF="/etc/fail2ban/fail2ban.conf"
|
|
|
5 |
JAIL_CONF="/etc/fail2ban/jail.conf"
|
|
|
6 |
DIR_FILTER="/etc/fail2ban/filter.d/"
|
|
|
7 |
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"
|
|
|
8 |
|
1388 |
richard |
9 |
#########################################################
|
|
|
10 |
## Mise à jour du fichier de configuration de fail2ban ##
|
|
|
11 |
#########################################################
|
2271 |
tom.houday |
12 |
[ -f $FAIL_CONF ] && [ ! -e $FAIL_CONF.default ] && mv $FAIL_CONF $FAIL_CONF.default
|
1191 |
crox53 |
13 |
cat << EOF > $FAIL_CONF
|
|
|
14 |
|
|
|
15 |
[Definition]
|
|
|
16 |
|
|
|
17 |
# Option: loglevel
|
|
|
18 |
# Notes.: Set the log level output.
|
|
|
19 |
# 1 = ERROR
|
|
|
20 |
# 2 = WARN
|
|
|
21 |
# 3 = INFO
|
|
|
22 |
# 4 = DEBUG
|
|
|
23 |
# Values: NUM Default: 3
|
|
|
24 |
#
|
|
|
25 |
loglevel = 3
|
|
|
26 |
|
|
|
27 |
# Option: logtarget
|
|
|
28 |
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
|
|
|
29 |
# Only one log target can be specified.
|
|
|
30 |
# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
|
|
|
31 |
#
|
|
|
32 |
logtarget = /var/log/fail2ban.log
|
|
|
33 |
|
|
|
34 |
# Option: socket
|
|
|
35 |
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
|
|
|
36 |
# not remove this file when Fail2ban runs. It will not be possible to
|
|
|
37 |
# communicate with the server afterwards.
|
|
|
38 |
# Values: FILE Default: /var/run/fail2ban/fail2ban.sock
|
|
|
39 |
#
|
|
|
40 |
socket = /var/run/fail2ban/fail2ban.sock
|
1410 |
richard |
41 |
|
|
|
42 |
# Option: pidfile
|
|
|
43 |
# Notes.: Set the PID file. This is used to store the process ID of the
|
|
|
44 |
# fail2ban server.
|
|
|
45 |
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid
|
|
|
46 |
#
|
|
|
47 |
pidfile = /var/run/fail2ban/fail2ban.pid
|
1191 |
crox53 |
48 |
EOF
|
|
|
49 |
|
|
|
50 |
#########################################################
|
|
|
51 |
## Mise à jour de la configuration de jail de fail2ban ##
|
|
|
52 |
#########################################################
|
2271 |
tom.houday |
53 |
[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default
|
1191 |
crox53 |
54 |
cat << EOF > $JAIL_CONF
|
|
|
55 |
|
|
|
56 |
# Fail2Ban configuration file
|
|
|
57 |
#
|
|
|
58 |
# Author: Cyril Jaquier
|
1388 |
richard |
59 |
# Adapted by ALCASAR team
|
1191 |
crox53 |
60 |
|
1388 |
richard |
61 |
|
1191 |
crox53 |
62 |
# The DEFAULT allows a global definition of the options. They can be overridden
|
|
|
63 |
# in each jail afterwards.
|
|
|
64 |
|
|
|
65 |
[DEFAULT]
|
|
|
66 |
|
|
|
67 |
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
|
|
|
68 |
# ban a host which matches an address in this list. Several addresses can be
|
|
|
69 |
# defined using space separator.
|
|
|
70 |
ignoreip = 127.0.0.1/8
|
|
|
71 |
|
|
|
72 |
# "bantime" is the number of seconds that a host is banned.
|
1270 |
richard |
73 |
bantime = 300
|
1191 |
crox53 |
74 |
|
1388 |
richard |
75 |
# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
|
|
|
76 |
# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)
|
|
|
77 |
# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes
|
1191 |
crox53 |
78 |
findtime = 60
|
|
|
79 |
|
|
|
80 |
# "maxretry" is the number of failures before a host get banned.
|
|
|
81 |
maxretry = 5
|
|
|
82 |
|
|
|
83 |
# "backend" specifies the backend used to get files modification. Available
|
|
|
84 |
# options are "gamin", "polling" and "auto". This option can be overridden in
|
|
|
85 |
# each jail too (use "gamin" for a jail and "polling" for another).
|
|
|
86 |
#
|
|
|
87 |
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
|
|
|
88 |
# is not installed, Fail2ban will use polling.
|
|
|
89 |
# polling: uses a polling algorithm which does not require external libraries.
|
|
|
90 |
# auto: will choose Gamin if available and polling otherwise.
|
|
|
91 |
backend = auto
|
|
|
92 |
|
1410 |
richard |
93 |
# "usedns" specifies if jails should trust hostnames in logs,
|
|
|
94 |
# warn when DNS lookups are performed, or ignore all hostnames in logs
|
|
|
95 |
#
|
|
|
96 |
# yes: if a hostname is encountered, a DNS lookup will be performed.
|
|
|
97 |
# warn: if a hostname is encountered, a DNS lookup will be performed,
|
|
|
98 |
# but it will be logged as a warning.
|
|
|
99 |
# no: if a hostname is encountered, will not be used for banning,
|
|
|
100 |
# but it will be logged as info.
|
|
|
101 |
usedns = warn
|
|
|
102 |
|
1388 |
richard |
103 |
# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)
|
|
|
104 |
[alcasar_mod-evasive]
|
1191 |
crox53 |
105 |
|
1410 |
richard |
106 |
#enabled = true
|
|
|
107 |
enabled = false
|
2487 |
lucas.echa |
108 |
backend = auto
|
1410 |
richard |
109 |
filter = alcasar_mod-evasive
|
1388 |
richard |
110 |
action = iptables-allports[name=alcasar_mod-evasive]
|
2488 |
lucas.echa |
111 |
logpath = /var/log/lighttpd/access.log
|
1191 |
crox53 |
112 |
maxretry = 2
|
|
|
113 |
|
1388 |
richard |
114 |
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
|
1191 |
crox53 |
115 |
[ssh-iptables]
|
|
|
116 |
|
|
|
117 |
enabled = true
|
|
|
118 |
#enabled = false
|
|
|
119 |
filter = sshd
|
|
|
120 |
action = iptables-allports[name=SSH]
|
|
|
121 |
logpath = /var/log/auth.log
|
|
|
122 |
maxretry = 3
|
|
|
123 |
|
1388 |
richard |
124 |
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
|
2284 |
tom.houday |
125 |
[alcasar_acc]
|
1191 |
crox53 |
126 |
|
|
|
127 |
enabled = true
|
|
|
128 |
#enabled = false
|
2487 |
lucas.echa |
129 |
backend = auto
|
2284 |
tom.houday |
130 |
filter = alcasar_acc
|
|
|
131 |
action = iptables-allports[name=alcasar_acc]
|
2488 |
lucas.echa |
132 |
logpath = /var/log/lighttpd/access.log
|
|
|
133 |
maxretry = 6
|
1191 |
crox53 |
134 |
|
1388 |
richard |
135 |
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
|
|
|
136 |
[alcasar_intercept]
|
1191 |
crox53 |
137 |
|
|
|
138 |
enabled = true
|
|
|
139 |
#enabled = false
|
2487 |
lucas.echa |
140 |
backend = auto
|
1410 |
richard |
141 |
filter = alcasar_intercept
|
1388 |
richard |
142 |
action = iptables-allports[name=alcasar_intercept]
|
2488 |
lucas.echa |
143 |
logpath = /var/log/lighttpd/access.log
|
1191 |
crox53 |
144 |
maxretry = 5
|
|
|
145 |
|
1388 |
richard |
146 |
# Bannissement sur tout les port après 5 échecs de changement de mot de passe
|
1191 |
crox53 |
147 |
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
|
1410 |
richard |
148 |
[alcasar_change-pwd]
|
1191 |
crox53 |
149 |
|
|
|
150 |
enabled = true
|
|
|
151 |
#enabled = false
|
2487 |
lucas.echa |
152 |
backend = auto
|
1410 |
richard |
153 |
filter = alcasar_change-pwd
|
|
|
154 |
action = iptables-allports[name=alcasar_change-pwd]
|
2488 |
lucas.echa |
155 |
logpath = /var/log/lighttpd/access.log
|
1191 |
crox53 |
156 |
maxretry = 5
|
1410 |
richard |
157 |
|
1191 |
crox53 |
158 |
EOF
|
|
|
159 |
|
1388 |
richard |
160 |
##################################################
|
|
|
161 |
## Mise en place des filtres spécifiques ##
|
|
|
162 |
## - Mod_evasive.conf ##
|
2271 |
tom.houday |
163 |
## - acc-htdigest.conf ##
|
1388 |
richard |
164 |
## - intercept.conf ##
|
2271 |
tom.houday |
165 |
## - change-pwd.conf ##
|
1388 |
richard |
166 |
##################################################
|
1191 |
crox53 |
167 |
|
|
|
168 |
######################
|
|
|
169 |
## MOD-EVASIVE.CONF ##
|
|
|
170 |
######################
|
1388 |
richard |
171 |
cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf
|
1191 |
crox53 |
172 |
# Fail2Ban configuration file
|
|
|
173 |
#
|
|
|
174 |
# Author: Cyril Jaquier
|
1388 |
richard |
175 |
# Adapted by ALCASAR team
|
1191 |
crox53 |
176 |
|
|
|
177 |
[Definition]
|
|
|
178 |
|
|
|
179 |
# Option: failregex
|
|
|
180 |
# Notes.: regex to match the password failure messages in the logfile. The
|
|
|
181 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
|
|
182 |
# be used for standard IP/hostname matching and is only an alias for
|
|
|
183 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
|
|
184 |
# Values: TEXT
|
|
|
185 |
#
|
2488 |
lucas.echa |
186 |
failregex = <HOST> .+\] "[^"]+" 403
|
1191 |
crox53 |
187 |
|
|
|
188 |
# Option: ignoreregex
|
|
|
189 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
|
|
190 |
# Values: TEXT
|
|
|
191 |
#
|
|
|
192 |
ignoreregex =
|
|
|
193 |
EOF
|
|
|
194 |
|
2271 |
tom.houday |
195 |
#######################
|
|
|
196 |
## ACC-HTDIGEST.CONF ##
|
|
|
197 |
#######################
|
2284 |
tom.houday |
198 |
cat << EOF > $DIR_FILTER/alcasar_acc.conf
|
1191 |
crox53 |
199 |
# Fail2Ban configuration file
|
|
|
200 |
#
|
|
|
201 |
# Author: Cyril Jaquier
|
1388 |
richard |
202 |
# Adapted by ALCASAR team
|
1191 |
crox53 |
203 |
|
|
|
204 |
[Definition]
|
|
|
205 |
|
|
|
206 |
# Option: failregex
|
|
|
207 |
# Notes.: regex to match the password failure messages in the logfile. The
|
|
|
208 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
|
|
209 |
# be used for standard IP/hostname matching and is only an alias for
|
|
|
210 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
|
|
211 |
# Values: TEXT
|
|
|
212 |
#
|
2488 |
lucas.echa |
213 |
failregex = <HOST> .+\] "[^"]+" 401
|
1191 |
crox53 |
214 |
|
1410 |
richard |
215 |
#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]
|
|
|
216 |
|
1191 |
crox53 |
217 |
# Option: ignoreregex
|
|
|
218 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
|
|
219 |
# Values: TEXT
|
|
|
220 |
#
|
|
|
221 |
ignoreregex =
|
|
|
222 |
EOF
|
|
|
223 |
|
|
|
224 |
####################
|
|
|
225 |
## INTERCEPT.CONF ##
|
|
|
226 |
####################
|
1388 |
richard |
227 |
cat << EOF > $DIR_FILTER/alcasar_intercept.conf
|
1191 |
crox53 |
228 |
# Fail2Ban configuration file
|
|
|
229 |
#
|
|
|
230 |
# Author: Cyril Jaquier
|
1388 |
richard |
231 |
# Adapted by ALCASAR team
|
1191 |
crox53 |
232 |
|
|
|
233 |
[Definition]
|
|
|
234 |
|
|
|
235 |
# Option: failregex
|
|
|
236 |
# Notes.: regex to match the password failure messages in the logfile. The
|
|
|
237 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
|
|
238 |
# be used for standard IP/hostname matching and is only an alias for
|
|
|
239 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
|
|
240 |
# Values: TEXT
|
|
|
241 |
#
|
2488 |
lucas.echa |
242 |
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
|
1191 |
crox53 |
243 |
|
|
|
244 |
# Option: ignoreregex
|
|
|
245 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
|
|
246 |
# Values: TEXT
|
|
|
247 |
#
|
|
|
248 |
ignoreregex =
|
|
|
249 |
EOF
|
|
|
250 |
|
2271 |
tom.houday |
251 |
#####################
|
|
|
252 |
## CHANGE-PWD.CONF ##
|
|
|
253 |
#####################
|
1410 |
richard |
254 |
cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf
|
1191 |
crox53 |
255 |
|
|
|
256 |
# Fail2Ban configuration file
|
|
|
257 |
#
|
|
|
258 |
# Author: Cyril Jaquier
|
1388 |
richard |
259 |
# Adapted by ALCASAR team
|
1191 |
crox53 |
260 |
|
|
|
261 |
[Definition]
|
|
|
262 |
|
|
|
263 |
# Option: failregex
|
|
|
264 |
# Notes.: regex to match the password failure messages in the logfile. The
|
|
|
265 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
|
|
266 |
# be used for standard IP/hostname matching and is only an alias for
|
|
|
267 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
|
|
268 |
# Values: TEXT
|
|
|
269 |
#
|
2488 |
lucas.echa |
270 |
failregex = <HOST> .* \"POST \/password\.php
|
1191 |
crox53 |
271 |
|
1410 |
richard |
272 |
|
1191 |
crox53 |
273 |
# Option: ignoreregex
|
|
|
274 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
|
|
275 |
# Values: TEXT
|
|
|
276 |
#
|
|
|
277 |
ignoreregex =
|
|
|
278 |
EOF
|
|
|
279 |
|
|
|
280 |
##############################################
|
1388 |
richard |
281 |
## Log sur ULOG quand iptables-allports ##
|
1191 |
crox53 |
282 |
##############################################
|
2271 |
tom.houday |
283 |
[ -f $ACTION_ALLPORTS ] && [ ! -e $ACTION_ALLPORTS.default ] && mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default
|
1191 |
crox53 |
284 |
cat << EOF > $ACTION_ALLPORTS
|
|
|
285 |
# Fail2Ban configuration file
|
|
|
286 |
#
|
|
|
287 |
# Author: Cyril Jaquier
|
|
|
288 |
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
|
|
|
289 |
# made active on all ports from original iptables.conf
|
1388 |
richard |
290 |
# Adapted by ALCASAR team
|
1191 |
crox53 |
291 |
|
|
|
292 |
[Definition]
|
|
|
293 |
|
|
|
294 |
# Option: actionstart
|
|
|
295 |
# Notes.: command executed once at the start of Fail2Ban.
|
|
|
296 |
# Values: CMD
|
|
|
297 |
#
|
|
|
298 |
actionstart = iptables -N fail2ban-<name>
|
|
|
299 |
iptables -A fail2ban-<name> -j RETURN
|
|
|
300 |
iptables -I <chain> -p <protocol> -j fail2ban-<name>
|
|
|
301 |
|
|
|
302 |
# Option: actionstop
|
|
|
303 |
# Notes.: command executed once at the end of Fail2Ban
|
|
|
304 |
# Values: CMD
|
|
|
305 |
#
|
|
|
306 |
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
|
|
|
307 |
iptables -F fail2ban-<name>
|
|
|
308 |
iptables -X fail2ban-<name>
|
|
|
309 |
|
|
|
310 |
# Option: actioncheck
|
|
|
311 |
# Notes.: command executed once before each actionban command
|
|
|
312 |
# Values: CMD
|
|
|
313 |
#
|
|
|
314 |
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
|
|
|
315 |
|
|
|
316 |
# Option: actionban
|
|
|
317 |
# Notes.: command executed when banning an IP. Take care that the
|
|
|
318 |
# command is executed with Fail2Ban user rights.
|
|
|
319 |
# Tags: <ip> IP address
|
|
|
320 |
# <failures> number of failures
|
|
|
321 |
# <time> unix timestamp of the ban time
|
|
|
322 |
# Values: CMD
|
|
|
323 |
|
2357 |
tom.houday |
324 |
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
|
1191 |
crox53 |
325 |
|
|
|
326 |
# Option: actionunban
|
|
|
327 |
# Notes.: command executed when unbanning an IP. Take care that the
|
|
|
328 |
# command is executed with Fail2Ban user rights.
|
|
|
329 |
# Tags: <ip> IP address
|
|
|
330 |
# <failures> number of failures
|
|
|
331 |
# <time> unix timestamp of the ban time
|
|
|
332 |
# Values: CMD
|
|
|
333 |
#
|
2357 |
tom.houday |
334 |
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
|
1191 |
crox53 |
335 |
|
|
|
336 |
[Init]
|
|
|
337 |
|
|
|
338 |
# Defaut name of the chain
|
|
|
339 |
#
|
|
|
340 |
name = default
|
|
|
341 |
|
|
|
342 |
# Option: protocol
|
|
|
343 |
# Notes.: internally used by config reader for interpolations.
|
|
|
344 |
# Values: [ tcp | udp | icmp | all ] Default: tcp
|
|
|
345 |
#
|
|
|
346 |
protocol = tcp
|
|
|
347 |
|
|
|
348 |
# Option: chain
|
|
|
349 |
# Notes specifies the iptables chain to which the fail2ban rules should be
|
|
|
350 |
# added
|
|
|
351 |
# Values: STRING Default: INPUT
|
|
|
352 |
chain = INPUT
|
|
|
353 |
|
|
|
354 |
EOF
|