Subversion Repositories ALCASAR

FAIL_CONF="/etc/fail2ban/fail2ban.conf"

JAIL_CONF="/etc/fail2ban/jail.conf"

DIR_FILTER="/etc/fail2ban/filter.d/"

ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"

if(test -f $FAIL_CONF)

then

	mv $FAIL_CONF $FAIL_CONF.old

fi

if(test -f $JAIL_CONF)

then

	mv $JAIL_CONF $JAIL_CONF.old

fi

#########################################################

## Mise à jour du fichier de configuration de fail2ban ##

#########################################################

cat << EOF > $FAIL_CONF

[Definition]

# Option:  loglevel

# Notes.:  Set the log level output.

#          1 = ERROR

#          2 = WARN

#          3 = INFO

#          4 = DEBUG

# Values:  NUM  Default:  3

#

loglevel = 3

# Option:  logtarget

# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.

#          Only one log target can be specified.

# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log

#

logtarget = /var/log/fail2ban.log

# Option: socket

# Notes.: Set the socket file. This is used to communicate with the daemon. Do

#         not remove this file when Fail2ban runs. It will not be possible to

#         communicate with the server afterwards.

# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock

#

socket = /var/run/fail2ban/fail2ban.sock

EOF

#########################################################

## Mise à jour de la configuration de jail de fail2ban ##

#########################################################

cat << EOF > $JAIL_CONF

# Fail2Ban configuration file

#

# Author: Cyril Jaquier

#

# $Revision$

#

# The DEFAULT allows a global definition of the options. They can be overridden

# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not

# ban a host which matches an address in this list. Several addresses can be

# defined using space separator.

ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.

bantime  = 300

# A host is banned if it has generated "maxretry" during the last "findtime"

# seconds.

# Un client est banni dans le cas ou il genere "maxretry" pendant le temps

# findtime en seconds

# Ici 5 requetes remplissant les filtres en 60 secondes

findtime  = 60

# "maxretry" is the number of failures before a host get banned.

maxretry = 5

# "backend" specifies the backend used to get files modification. Available

# options are "gamin", "polling" and "auto". This option can be overridden in

# each jail too (use "gamin" for a jail and "polling" for another).

#

# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin

#          is not installed, Fail2ban will use polling.

# polling: uses a polling algorithm which does not require external libraries.

# auto:    will choose Gamin if available and polling otherwise.

backend = auto

# This jail corresponds to the standard configuration in Fail2ban 0.6.

# The mail-whois action send a notification e-mail with a whois request

# in the body.

# Bannissement si Mod_evasive bannie un @IP après 2 interdit par Apache alors BAN sur tous les ports

[mod-evasive]

enabled = true

#enabled = false

filter = mod-evasive

action = iptables-allports[name=mod-evasive]

logpath = /var/log/httpd/error_log

maxretry = 2

# Bannissement pour SSH-Brute-Force

[ssh-iptables]

enabled = true

#enabled  = false

filter   = sshd

action   = iptables-allports[name=SSH]

logpath  = /var/log/auth.log

maxretry = 3

# Bannissement si 5 échec de connexion sur alcasar/acc

[htdigest]

enabled = true

#enabled = false

filter = htdigest

action = iptables-allports[name=htdigest]

logpath = /var/log/httpd/ssl_error_log

maxretry = 5

# Bannissement si 5 echec de connexion sur intercept.php (reason=reject)

[intercept]

enabled = true

#enabled = false

filter = intercept

action = iptables-allports[name=intercept]

logpath = /var/log/httpd/ssl_request_log

maxretry = 5

# Bannissement si 5 tentatives de changement de mot de passe en moins de 1 min

# 5 POST pour changer le mot de passe que le POST soit ok ou non.

[mot_de_passe]

enabled = true

#enabled = false

filter = mot_de_passe

action = iptables-allports[name=Mot_de_Passe]

logpath = /var/log/httpd/ssl_request_log

maxretry = 5

[proftpd-iptables]

enabled  = false

filter   = proftpd

action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]

           sendmail-whois[name=ProFTPD, dest=you@example.com]

logpath  = /var/log/proftpd/proftpd.log

maxretry = 6

# This jail forces the backend to "polling".

[sasl-iptables]

enabled  = false

filter   = sasl

backend  = polling

action   = iptables[name=sasl, port=smtp, protocol=tcp]

           sendmail-whois[name=sasl, dest=you@example.com]

logpath  = /var/log/mail.log

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is

# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled     = false

filter      = sshd

action      = hostsdeny

              sendmail-whois[name=SSH, dest=you@example.com]

ignoreregex = for myuser from

logpath     = /var/log/auth.log

# This jail demonstrates the use of wildcards in "logpath".

# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled  = false

filter	 = apache-auth

action   = hostsdeny

logpath  = /var/log/apache*/*error.log

           /home/www/myhomepage/error.log

maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is

# not in /etc.

[postfix-tcpwrapper]

enabled  = false

filter   = postfix

action   = hostsdeny[file=/not/a/standard/path/hosts.deny]

           sendmail[name=Postfix, dest=you@example.com]

logpath  = /var/log/postfix.log

bantime  = 300

# Do not ban anybody. Just report information about the remote host.

# A notification is sent at most every 600 seconds (bantime).

[vsftpd-notification]

enabled  = false

filter   = vsftpd

action   = sendmail-whois[name=VSFTPD, dest=you@example.com]

logpath  = /var/log/vsftpd.log

maxretry = 5

bantime  = 1800

# Same as above but with banning the IP address.

[vsftpd-iptables]

enabled  = false

filter   = vsftpd

action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]

           sendmail-whois[name=VSFTPD, dest=you@example.com]

logpath  = /var/log/vsftpd.log

maxretry = 5

bantime  = 1800

# Ban hosts which agent identifies spammer robots crawling the web

# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled  = false

filter   = apache-badbots

action   = iptables-multiport[name=BadBots, port="http,https"]

           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]

logpath  = /var/www/*/logs/access_log

bantime  = 172800

maxretry = 1

# Use shorewall instead of iptables.

[apache-shorewall]

enabled  = false

filter   = apache-noscript

action   = shorewall

           sendmail[name=Postfix, dest=you@example.com]

logpath  = /var/log/apache2/error_log

# Ban attackers that try to use PHP's URL-fopen() functionality

# through GET/POST variables. - Experimental, with more than a year

# of usage in production environments.

[php-url-fopen]

enabled = false

port    = http,https

filter  = php-url-fopen

logpath = /var/www/*/logs/access_log

maxretry = 1

# A simple PHP-fastcgi jail which works with lighttpd.

# If you run a lighttpd server, then you probably will

# find these kinds of messages in your error_log:

# ALERT – tried to register forbidden variable ‘GLOBALS’

# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')

# This jail would block the IP 1.2.3.4.

[lighttpd-fastcgi]

enabled = false

port    = http,https

filter  = lighttpd-fastcgi

# adapt the following two items as needed

logpath = /var/log/lighttpd/error.log

maxretry = 2

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"

# option is overridden in this jail. Moreover, the action "mail-whois" defines

# the variable "name" which contains a comma using "". The characters '' are

# valid too.

[ssh-ipfw]

enabled  = false

filter   = sshd

action   = ipfw[localhost=192.168.0.1]

           sendmail-whois[name="SSH,IPFW", dest=you@example.com]

logpath  = /var/log/auth.log

ignoreip = 168.192.0.1

# These jails block attacks against named (bind9). By default, logging is off

# with bind9 installation. You will need something like this:

#

# logging {

#     channel security_file {

#         file "/var/log/named/security.log" versions 3 size 30m;

#         severity dynamic;

#         print-time yes;

#     };

#     category security {

#         security_file;

#     };

# };

#

# in your named.conf to provide proper logging.

# This jail blocks UDP traffic for DNS requests.

# !!! WARNING !!!

#   Since UDP is connection-less protocol, spoofing of IP and imitation

#   of illegal actions is way too simple.  Thus enabling of this filter

#   might provide an easy way for implementing a DoS against a chosen

#   victim. See

#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html

#   Please DO NOT USE this jail unless you know what you are doing.

#

# [named-refused-udp]

#

# enabled  = false

# filter   = named-refused

# action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]

#            sendmail-whois[name=Named, dest=you@example.com]

# logpath  = /var/log/named/security.log

# ignoreip = 168.192.0.1

# This jail blocks TCP traffic for DNS requests.

[named-refused-tcp]

enabled  = false

filter   = named-refused

action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]

           sendmail-whois[name=Named, dest=you@example.com]

logpath  = /var/log/named/security.log

ignoreip = 168.192.0.1

EOF

###########################################

## Mise en place des filters spécifiques ##

## - Mod_evasive.conf                    ##

## - htdigest.conf                       ##

## - 

## - 

###########################################

######################

## MOD-EVASIVE.CONF ##

######################

if (test -f $DIR_FILTER/mod-evasive.conf)

then

	mv $DIR_FILTER/mod-evasive.conf $DIR_FILTER/mod-evasive.conf.old

fi

cat << EOF > $DIR_FILTER/mod-evasive.conf

# Fail2Ban configuration file

#

# Author: Cyril Jaquier

#

# $Revision$

#

[Definition]

# Option:  failregex

# Notes.:  regex to match the password failure messages in the logfile. The

#          host must be matched by a group named "host". The tag "<HOST>" can

#          be used for standard IP/hostname matching and is only an alias for

#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)

# Values:  TEXT

#

failregex = [[]client <HOST>[]] client denied by server configuration

# Option:  ignoreregex

# Notes.:  regex to ignore. If this regex matches, the line is ignored.

# Values:  TEXT

#

ignoreregex = 

EOF

###################

## HTDIGEST.CONF ##

###################

if ( test -f $DIR_FILTER/htdigest.conf)

then

	mv $DIR_FILTER/htdigest.conf $DIR_FILTER/htdigest.conf.old

fi

cat << EOF > $DIR_FILTER/htdigest.conf

# Fail2Ban configuration file

#

# Author: Cyril Jaquier

#

# $Revision$

#

[Definition]

# Option:  failregex

# Notes.:  regex to match the password failure messages in the logfile. The

#          host must be matched by a group named "host". The tag "<HOST>" can

#          be used for standard IP/hostname matching and is only an alias for

#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)

# Values:  TEXT

#

failregex = [[]error[]] [[]client <HOST>[]] Digest:

# Option:  ignoreregex

# Notes.:  regex to ignore. If this regex matches, the line is ignored.

# Values:  TEXT

#

ignoreregex = 

EOF

####################

## INTERCEPT.CONF ##

####################

if ( test -f $DIR_FILTER/intercept.conf)

then

	mv $DIR_FILTER/intercept.conf $DIR_FILTER/intercept.conf.old

fi

cat << EOF > $DIR_FILTER/intercept.conf

# Fail2Ban configuration file

#

# Author: Cyril Jaquier

#

# $Revision$

#

[Definition]

# Option:  failregex

# Notes.:  regex to match the password failure messages in the logfile. The

#          host must be matched by a group named "host". The tag "<HOST>" can

#          be used for standard IP/hostname matching and is only an alias for

#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)

# Values:  TEXT

#

failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]GET \/intercept\.php\?res=failed[&]reason=reject

# Option:  ignoreregex

# Notes.:  regex to ignore. If this regex matches, the line is ignored.

# Values:  TEXT

#

ignoreregex = 

EOF

#######################

## MOT_DE_PASSE.CONF ##

#######################

if ( test -f $DIR_FILTER/mot_de_passe.conf )

then

	mv $DIR_FILTER/mot_de_passe.conf $DIR_FILTER/mot_de_passe.conf.old

fi

cat << EOF > $DIR_FILTER/mot_de_passe.conf

# Fail2Ban configuration file

#

# Author: Cyril Jaquier

#

# $Revision$

#

[Definition]

# Option:  failregex

# Notes.:  regex to match the password failure messages in the logfile. The

#          host must be matched by a group named "host". The tag "<HOST>" can

#          be used for standard IP/hostname matching and is only an alias for

#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)

# Values:  TEXT

#

failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]POST \/pass\/index\.php HTTP

# Option:  ignoreregex

# Notes.:  regex to ignore. If this regex matches, the line is ignored.

# Values:  TEXT

#

ignoreregex = 

EOF

##############################################

## Log sur Iptables quand iptables-allports ##

##############################################

if ( test -f $ACTION_ALLPORTS )

then

	mv $ACTION_ALLPORTS $ACTION_ALLPORTS.old

fi

cat << EOF > $ACTION_ALLPORTS

# Fail2Ban configuration file

#

# Author: Cyril Jaquier

# Modified: Yaroslav O. Halchenko <debian@onerussian.com>

# 			made active on all ports from original iptables.conf

#

# $Revision$

#

[Definition]

# Option:  actionstart

# Notes.:  command executed once at the start of Fail2Ban.

# Values:  CMD

#

actionstart = iptables -N fail2ban-<name>

              iptables -A fail2ban-<name> -j RETURN

              iptables -I <chain> -p <protocol> -j fail2ban-<name>

# Option:  actionstop

# Notes.:  command executed once at the end of Fail2Ban

# Values:  CMD

#

actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>

             iptables -F fail2ban-<name>

             iptables -X fail2ban-<name>

# Option:  actioncheck

# Notes.:  command executed once before each actionban command

# Values:  CMD

#

actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

# Option:  actionban

# Notes.:  command executed when banning an IP. Take care that the

#          command is executed with Fail2Ban user rights.

# Tags:    <ip>  IP address

#          <failures>  number of failures

#          <time>  unix timestamp of the ban time

# Values:  CMD

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"

	    iptables -I fail2ban-<name> 1 -s <ip> -j DROP

# Option:  actionunban

# Notes.:  command executed when unbanning an IP. Take care that the

#          command is executed with Fail2Ban user rights.

# Tags:    <ip>  IP address

#          <failures>  number of failures

#          <time>  unix timestamp of the ban time

# Values:  CMD

#

actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

	      iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"

[Init]

# Defaut name of the chain

#

name = default

# Option:  protocol

# Notes.:  internally used by config reader for interpolations.

# Values:  [ tcp | udp | icmp | all ] Default: tcp

#

protocol = tcp

# Option:  chain

# Notes    specifies the iptables chain to which the fail2ban rules should be

#          added

# Values:  STRING  Default: INPUT

chain = INPUT

EOF

#Activation de l'unité

systemctl enable fail2ban.service