| 2271 |
tom.houday |
1 |
#!/bin/sh
|
|
|
2 |
# $Id: fail2ban.sh 2865 2020-10-18 22:21:46Z rexy $
|
|
|
3 |
|
| 1191 |
crox53 |
4 |
JAIL_CONF="/etc/fail2ban/jail.conf"
|
|
|
5 |
DIR_FILTER="/etc/fail2ban/filter.d/"
|
|
|
6 |
|
| 1388 |
richard |
7 |
#########################################################
|
| 1191 |
crox53 |
8 |
## Mise à jour de la configuration de jail de fail2ban ##
|
|
|
9 |
#########################################################
|
| 2271 |
tom.houday |
10 |
[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default
|
| 1191 |
crox53 |
11 |
cat << EOF > $JAIL_CONF
|
|
|
12 |
|
|
|
13 |
# Fail2Ban configuration file
|
|
|
14 |
#
|
|
|
15 |
# Author: Cyril Jaquier
|
| 1388 |
richard |
16 |
# Adapted by ALCASAR team
|
| 1191 |
crox53 |
17 |
|
| 1388 |
richard |
18 |
|
| 1191 |
crox53 |
19 |
# The DEFAULT allows a global definition of the options. They can be overridden
|
|
|
20 |
# in each jail afterwards.
|
|
|
21 |
[DEFAULT]
|
|
|
22 |
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
|
|
|
23 |
# ban a host which matches an address in this list. Several addresses can be
|
|
|
24 |
# defined using space separator.
|
|
|
25 |
ignoreip = 127.0.0.1/8
|
|
|
26 |
# "bantime" is the number of seconds that a host is banned.
|
| 2815 |
rexy |
27 |
bantime = 180
|
| 1191 |
crox53 |
28 |
|
| 1388 |
richard |
29 |
# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
|
|
|
30 |
# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)
|
|
|
31 |
# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes
|
| 1191 |
crox53 |
32 |
findtime = 60
|
|
|
33 |
|
|
|
34 |
# "maxretry" is the number of failures before a host get banned.
|
|
|
35 |
maxretry = 5
|
|
|
36 |
|
|
|
37 |
# "backend" specifies the backend used to get files modification. Available
|
|
|
38 |
# options are "gamin", "polling" and "auto". This option can be overridden in
|
|
|
39 |
# each jail too (use "gamin" for a jail and "polling" for another).
|
|
|
40 |
#
|
|
|
41 |
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
|
|
|
42 |
# is not installed, Fail2ban will use polling.
|
|
|
43 |
# polling: uses a polling algorithm which does not require external libraries.
|
|
|
44 |
# auto: will choose Gamin if available and polling otherwise.
|
|
|
45 |
backend = auto
|
|
|
46 |
|
| 1410 |
richard |
47 |
# "usedns" specifies if jails should trust hostnames in logs,
|
|
|
48 |
# warn when DNS lookups are performed, or ignore all hostnames in logs
|
|
|
49 |
#
|
|
|
50 |
# yes: if a hostname is encountered, a DNS lookup will be performed.
|
|
|
51 |
# warn: if a hostname is encountered, a DNS lookup will be performed,
|
|
|
52 |
# but it will be logged as a warning.
|
|
|
53 |
# no: if a hostname is encountered, will not be used for banning,
|
|
|
54 |
# but it will be logged as info.
|
|
|
55 |
usedns = warn
|
|
|
56 |
|
| 2815 |
rexy |
57 |
# Bannissement sur tous les ports après 3 refus du serveur WEB (tentative d'accès sur des pages inexistentes)
|
| 1388 |
richard |
58 |
[alcasar_mod-evasive]
|
| 1410 |
richard |
59 |
#enabled = true
|
|
|
60 |
enabled = false
|
| 2487 |
lucas.echa |
61 |
backend = auto
|
| 1410 |
richard |
62 |
filter = alcasar_mod-evasive
|
| 1388 |
richard |
63 |
action = iptables-allports[name=alcasar_mod-evasive]
|
| 2488 |
lucas.echa |
64 |
logpath = /var/log/lighttpd/access.log
|
| 2815 |
rexy |
65 |
maxretry = 3
|
| 1191 |
crox53 |
66 |
|
| 1388 |
richard |
67 |
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
|
| 1191 |
crox53 |
68 |
[ssh-iptables]
|
|
|
69 |
enabled = true
|
|
|
70 |
#enabled = false
|
|
|
71 |
filter = sshd
|
|
|
72 |
action = iptables-allports[name=SSH]
|
|
|
73 |
logpath = /var/log/auth.log
|
|
|
74 |
maxretry = 3
|
|
|
75 |
|
| 1388 |
richard |
76 |
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
|
| 2284 |
tom.houday |
77 |
[alcasar_acc]
|
| 1191 |
crox53 |
78 |
enabled = true
|
|
|
79 |
#enabled = false
|
| 2487 |
lucas.echa |
80 |
backend = auto
|
| 2284 |
tom.houday |
81 |
filter = alcasar_acc
|
|
|
82 |
action = iptables-allports[name=alcasar_acc]
|
| 2488 |
lucas.echa |
83 |
logpath = /var/log/lighttpd/access.log
|
| 2864 |
rexy |
84 |
maxretry = 5
|
| 1191 |
crox53 |
85 |
|
| 1388 |
richard |
86 |
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
|
|
|
87 |
[alcasar_intercept]
|
| 1191 |
crox53 |
88 |
enabled = true
|
|
|
89 |
#enabled = false
|
| 2487 |
lucas.echa |
90 |
backend = auto
|
| 1410 |
richard |
91 |
filter = alcasar_intercept
|
| 1388 |
richard |
92 |
action = iptables-allports[name=alcasar_intercept]
|
| 2488 |
lucas.echa |
93 |
logpath = /var/log/lighttpd/access.log
|
| 2864 |
rexy |
94 |
maxretry = 5
|
| 1191 |
crox53 |
95 |
|
| 1388 |
richard |
96 |
# Bannissement sur tout les port après 5 échecs de changement de mot de passe
|
| 1191 |
crox53 |
97 |
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
|
| 1410 |
richard |
98 |
[alcasar_change-pwd]
|
| 1191 |
crox53 |
99 |
enabled = true
|
|
|
100 |
#enabled = false
|
| 2487 |
lucas.echa |
101 |
backend = auto
|
| 1410 |
richard |
102 |
filter = alcasar_change-pwd
|
|
|
103 |
action = iptables-allports[name=alcasar_change-pwd]
|
| 2488 |
lucas.echa |
104 |
logpath = /var/log/lighttpd/access.log
|
| 1191 |
crox53 |
105 |
maxretry = 5
|
| 1410 |
richard |
106 |
|
| 1191 |
crox53 |
107 |
EOF
|
|
|
108 |
|
| 2864 |
rexy |
109 |
##############################################
|
| 1388 |
richard |
110 |
## Mise en place des filtres spécifiques ##
|
| 2864 |
rexy |
111 |
## - Mod_evasive.conf ##
|
|
|
112 |
## - acc-htdigest.conf ##
|
|
|
113 |
## - intercept.conf ##
|
|
|
114 |
## - change-pwd.conf ##
|
|
|
115 |
##############################################
|
| 1191 |
crox53 |
116 |
|
|
|
117 |
######################
|
|
|
118 |
## MOD-EVASIVE.CONF ##
|
|
|
119 |
######################
|
| 1388 |
richard |
120 |
cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf
|
| 1191 |
crox53 |
121 |
# Fail2Ban configuration file
|
|
|
122 |
#
|
|
|
123 |
# Author: Cyril Jaquier
|
| 1388 |
richard |
124 |
# Adapted by ALCASAR team
|
| 1191 |
crox53 |
125 |
|
|
|
126 |
[Definition]
|
|
|
127 |
# Option: failregex
|
|
|
128 |
# Notes.: regex to match the password failure messages in the logfile. The
|
|
|
129 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
|
|
130 |
# be used for standard IP/hostname matching and is only an alias for
|
|
|
131 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
|
|
132 |
# Values: TEXT
|
| 2488 |
lucas.echa |
133 |
failregex = <HOST> .+\] "[^"]+" 403
|
| 1191 |
crox53 |
134 |
# Option: ignoreregex
|
|
|
135 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
|
|
136 |
ignoreregex =
|
|
|
137 |
EOF
|
|
|
138 |
|
| 2271 |
tom.houday |
139 |
#######################
|
|
|
140 |
## ACC-HTDIGEST.CONF ##
|
|
|
141 |
#######################
|
| 2284 |
tom.houday |
142 |
cat << EOF > $DIR_FILTER/alcasar_acc.conf
|
| 1191 |
crox53 |
143 |
# Fail2Ban configuration file
|
|
|
144 |
#
|
|
|
145 |
# Author: Cyril Jaquier
|
| 1388 |
richard |
146 |
# Adapted by ALCASAR team
|
| 1191 |
crox53 |
147 |
|
|
|
148 |
[Definition]
|
|
|
149 |
# Option: failregex
|
|
|
150 |
# Notes.: regex to match the password failure messages in the logfile. The
|
|
|
151 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
|
|
152 |
# be used for standard IP/hostname matching and is only an alias for
|
|
|
153 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
|
|
154 |
# Values: TEXT
|
| 2488 |
lucas.echa |
155 |
failregex = <HOST> .+\] "[^"]+" 401
|
| 1191 |
crox53 |
156 |
# Option: ignoreregex
|
|
|
157 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
|
|
158 |
ignoreregex =
|
|
|
159 |
EOF
|
|
|
160 |
|
|
|
161 |
####################
|
|
|
162 |
## INTERCEPT.CONF ##
|
|
|
163 |
####################
|
| 1388 |
richard |
164 |
cat << EOF > $DIR_FILTER/alcasar_intercept.conf
|
| 1191 |
crox53 |
165 |
# Fail2Ban configuration file
|
|
|
166 |
#
|
|
|
167 |
# Author: Cyril Jaquier
|
| 1388 |
richard |
168 |
# Adapted by ALCASAR team
|
| 1191 |
crox53 |
169 |
|
|
|
170 |
[Definition]
|
|
|
171 |
# Option: failregex
|
|
|
172 |
# Notes.: regex to match the password failure messages in the logfile. The
|
|
|
173 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
|
|
174 |
# be used for standard IP/hostname matching and is only an alias for
|
|
|
175 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
|
|
176 |
# Values: TEXT
|
| 2488 |
lucas.echa |
177 |
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
|
| 1191 |
crox53 |
178 |
# Option: ignoreregex
|
|
|
179 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
|
|
180 |
ignoreregex =
|
|
|
181 |
EOF
|
|
|
182 |
|
| 2271 |
tom.houday |
183 |
#####################
|
|
|
184 |
## CHANGE-PWD.CONF ##
|
|
|
185 |
#####################
|
| 1410 |
richard |
186 |
cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf
|
| 1191 |
crox53 |
187 |
|
|
|
188 |
# Fail2Ban configuration file
|
|
|
189 |
#
|
|
|
190 |
# Author: Cyril Jaquier
|
| 1388 |
richard |
191 |
# Adapted by ALCASAR team
|
| 1191 |
crox53 |
192 |
|
|
|
193 |
[Definition]
|
|
|
194 |
# Option: failregex
|
|
|
195 |
# Notes.: regex to match the password failure messages in the logfile. The
|
|
|
196 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
|
|
197 |
# be used for standard IP/hostname matching and is only an alias for
|
|
|
198 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
|
|
199 |
# Values: TEXT
|
| 2488 |
lucas.echa |
200 |
failregex = <HOST> .* \"POST \/password\.php
|
| 1191 |
crox53 |
201 |
# Option: ignoreregex
|
|
|
202 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
|
|
203 |
ignoreregex =
|
|
|
204 |
EOF
|