3,20 → 3,13 |
DIR_FILTER="/etc/fail2ban/filter.d/" |
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf" |
|
######################################################### |
## Mise à jour du fichier de configuration de fail2ban ## |
######################################################### |
if(test -f $FAIL_CONF) |
then |
mv $FAIL_CONF $FAIL_CONF.old |
mv $FAIL_CONF $FAIL_CONF.default |
fi |
|
if(test -f $JAIL_CONF) |
then |
mv $JAIL_CONF $JAIL_CONF.old |
fi |
|
######################################################### |
## Mise à jour du fichier de configuration de fail2ban ## |
######################################################### |
|
cat << EOF > $FAIL_CONF |
|
[Definition] |
50,16 → 43,18 |
######################################################### |
## Mise à jour de la configuration de jail de fail2ban ## |
######################################################### |
|
if(test -f $JAIL_CONF) |
then |
mv $JAIL_CONF $JAIL_CONF.default |
fi |
cat << EOF > $JAIL_CONF |
|
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# |
# $Revision$ |
# |
# Adapted by ALCASAR team |
|
|
# The DEFAULT allows a global definition of the options. They can be overridden |
# in each jail afterwards. |
|
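Review bot: The heredoc opened at L35 uses an unquoted `EOF` delimiter, so the shell expands the comment `# $Revision$` on L41 before it reaches jail.conf (the unset `$Revision` becomes empty and the written line is `# $`); the same header line recurs in the filter and action heredocs at L365, L387, L410, L433 and L463. Where a heredoc body is meant to be written verbatim, quote the delimiter — `cat << 'EOF' > $JAIL_CONF` — which also stops any `$`, backtick or backslash in the failregex lines that follow (outside this hunk) from being rewritten by the shell; if some bodies do rely on `$VAR` substitution they must keep the unquoted form, so each heredoc should be checked individually rather than changed wholesale. Separately, the jails and filter files take an `alcasar_` prefix on the new side (`[alcasar_htdigest]` at L101, `alcasar_htdigest.conf` at L382), while `filter = mod-evasive` at L83, `filter = htdigest` at L107, `filter = intercept` at L121 and `filter = mot_de_passe` at L136 are printed only once; if those lines survive on the new side they reference filter files this script no longer writes, and should be updated to the new names, e.g. `filter = alcasar_htdigest`. The heredoc this hunk belongs to continues past L48.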
73,12 → 68,9 |
# "bantime" is the number of seconds that a host is banned. |
bantime = 300 |
|
# A host is banned if it has generated "maxretry" during the last "findtime" |
# seconds. |
# Un client est banni dans le cas ou il genere "maxretry" pendant le temps |
# findtime en seconds |
# Ici 5 requetes remplissant les filtres en 60 secondes |
|
# A host is banned if it has generated "maxretry" during the last "findtime" seconds. |
# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes) |
# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes |
findtime = 60 |
|
# "maxretry" is the number of failures before a host get banned. |
94,25 → 86,17 |
# auto: will choose Gamin if available and polling otherwise. |
backend = auto |
|
# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes) |
[alcasar_mod-evasive] |
|
# This jail corresponds to the standard configuration in Fail2ban 0.6. |
# The mail-whois action send a notification e-mail with a whois request |
# in the body. |
|
|
# Bannissement si Mod_evasive bannie un @IP après 2 interdit par Apache alors BAN sur tous les ports |
|
[mod-evasive] |
|
enabled = true |
#enabled = false |
filter = mod-evasive |
action = iptables-allports[name=mod-evasive] |
action = iptables-allports[name=alcasar_mod-evasive] |
logpath = /var/log/httpd/error_log |
maxretry = 2 |
|
# Bannissement pour SSH-Brute-Force |
|
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force) |
[ssh-iptables] |
|
enabled = true |
122,257 → 106,54 |
logpath = /var/log/auth.log |
maxretry = 3 |
|
# Bannissement si 5 échec de connexion sur alcasar/acc |
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC) |
[alcasar_htdigest] |
|
[htdigest] |
|
enabled = true |
#enabled = false |
filter = htdigest |
action = iptables-allports[name=htdigest] |
action = iptables-allports[name=alcasar_htdigest] |
logpath = /var/log/httpd/ssl_error_log |
maxretry = 5 |
|
# Bannissement si 5 echec de connexion sur intercept.php (reason=reject) |
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager |
[alcasar_intercept] |
|
[intercept] |
|
enabled = true |
#enabled = false |
filter = intercept |
action = iptables-allports[name=intercept] |
action = iptables-allports[name=alcasar_intercept] |
logpath = /var/log/httpd/ssl_request_log |
maxretry = 5 |
|
# Bannissement si 5 tentatives de changement de mot de passe en moins de 1 min |
# Bannissement sur tout les port après 5 échecs de changement de mot de passe |
# 5 POST pour changer le mot de passe que le POST soit ok ou non. |
[alcasar_change-password] |
|
[mot_de_passe] |
|
enabled = true |
#enabled = false |
filter = mot_de_passe |
action = iptables-allports[name=Mot_de_Passe] |
action = iptables-allports[name=alcasar_change-password] |
logpath = /var/log/httpd/ssl_request_log |
maxretry = 5 |
|
|
[proftpd-iptables] |
|
enabled = false |
filter = proftpd |
action = iptables[name=ProFTPD, port=ftp, protocol=tcp] |
sendmail-whois[name=ProFTPD, dest=you@example.com] |
logpath = /var/log/proftpd/proftpd.log |
maxretry = 6 |
|
# This jail forces the backend to "polling". |
|
[sasl-iptables] |
|
enabled = false |
filter = sasl |
backend = polling |
action = iptables[name=sasl, port=smtp, protocol=tcp] |
sendmail-whois[name=sasl, dest=you@example.com] |
logpath = /var/log/mail.log |
|
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is |
# used to avoid banning the user "myuser". |
|
[ssh-tcpwrapper] |
|
enabled = false |
filter = sshd |
action = hostsdeny |
sendmail-whois[name=SSH, dest=you@example.com] |
ignoreregex = for myuser from |
logpath = /var/log/auth.log |
|
# This jail demonstrates the use of wildcards in "logpath". |
# Moreover, it is possible to give other files on a new line. |
|
[apache-tcpwrapper] |
|
enabled = false |
filter = apache-auth |
action = hostsdeny |
logpath = /var/log/apache*/*error.log |
/home/www/myhomepage/error.log |
maxretry = 6 |
|
# The hosts.deny path can be defined with the "file" argument if it is |
# not in /etc. |
|
[postfix-tcpwrapper] |
|
enabled = false |
filter = postfix |
action = hostsdeny[file=/not/a/standard/path/hosts.deny] |
sendmail[name=Postfix, dest=you@example.com] |
logpath = /var/log/postfix.log |
bantime = 300 |
|
# Do not ban anybody. Just report information about the remote host. |
# A notification is sent at most every 600 seconds (bantime). |
|
[vsftpd-notification] |
|
enabled = false |
filter = vsftpd |
action = sendmail-whois[name=VSFTPD, dest=you@example.com] |
logpath = /var/log/vsftpd.log |
maxretry = 5 |
bantime = 1800 |
|
# Same as above but with banning the IP address. |
|
[vsftpd-iptables] |
|
enabled = false |
filter = vsftpd |
action = iptables[name=VSFTPD, port=ftp, protocol=tcp] |
sendmail-whois[name=VSFTPD, dest=you@example.com] |
logpath = /var/log/vsftpd.log |
maxretry = 5 |
bantime = 1800 |
|
# Ban hosts which agent identifies spammer robots crawling the web |
# for email addresses. The mail outputs are buffered. |
|
[apache-badbots] |
|
enabled = false |
filter = apache-badbots |
action = iptables-multiport[name=BadBots, port="http,https"] |
sendmail-buffered[name=BadBots, lines=5, dest=you@example.com] |
logpath = /var/www/*/logs/access_log |
bantime = 172800 |
maxretry = 1 |
|
# Use shorewall instead of iptables. |
|
[apache-shorewall] |
|
enabled = false |
filter = apache-noscript |
action = shorewall |
sendmail[name=Postfix, dest=you@example.com] |
logpath = /var/log/apache2/error_log |
|
# Ban attackers that try to use PHP's URL-fopen() functionality |
# through GET/POST variables. - Experimental, with more than a year |
# of usage in production environments. |
|
[php-url-fopen] |
|
enabled = false |
port = http,https |
filter = php-url-fopen |
logpath = /var/www/*/logs/access_log |
maxretry = 1 |
|
# A simple PHP-fastcgi jail which works with lighttpd. |
# If you run a lighttpd server, then you probably will |
# find these kinds of messages in your error_log: |
# ALERT – tried to register forbidden variable ‘GLOBALS’ |
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php') |
# This jail would block the IP 1.2.3.4. |
|
[lighttpd-fastcgi] |
|
enabled = false |
port = http,https |
filter = lighttpd-fastcgi |
# adapt the following two items as needed |
logpath = /var/log/lighttpd/error.log |
maxretry = 2 |
|
# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip" |
# option is overridden in this jail. Moreover, the action "mail-whois" defines |
# the variable "name" which contains a comma using "". The characters '' are |
# valid too. |
|
[ssh-ipfw] |
|
enabled = false |
filter = sshd |
action = ipfw[localhost=192.168.0.1] |
sendmail-whois[name="SSH,IPFW", dest=you@example.com] |
logpath = /var/log/auth.log |
ignoreip = 168.192.0.1 |
|
# These jails block attacks against named (bind9). By default, logging is off |
# with bind9 installation. You will need something like this: |
# |
# logging { |
# channel security_file { |
# file "/var/log/named/security.log" versions 3 size 30m; |
# severity dynamic; |
# print-time yes; |
# }; |
# category security { |
# security_file; |
# }; |
# }; |
# |
# in your named.conf to provide proper logging. |
# This jail blocks UDP traffic for DNS requests. |
|
# !!! WARNING !!! |
# Since UDP is connection-less protocol, spoofing of IP and imitation |
# of illegal actions is way too simple. Thus enabling of this filter |
# might provide an easy way for implementing a DoS against a chosen |
# victim. See |
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html |
# Please DO NOT USE this jail unless you know what you are doing. |
# |
# [named-refused-udp] |
# |
# enabled = false |
# filter = named-refused |
# action = iptables-multiport[name=Named, port="domain,953", protocol=udp] |
# sendmail-whois[name=Named, dest=you@example.com] |
# logpath = /var/log/named/security.log |
# ignoreip = 168.192.0.1 |
|
# This jail blocks TCP traffic for DNS requests. |
|
[named-refused-tcp] |
|
enabled = false |
filter = named-refused |
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] |
sendmail-whois[name=Named, dest=you@example.com] |
logpath = /var/log/named/security.log |
ignoreip = 168.192.0.1 |
|
EOF |
|
########################################### |
## Mise en place des filters spécifiques ## |
## - Mod_evasive.conf ## |
## - htdigest.conf ## |
## - |
## - |
########################################### |
################################################## |
## Mise en place des filtres spécifiques ## |
## - Mod_evasive.conf ## |
## - htdigest.conf ## |
## - intercept.conf ## |
## - mot de passe ## |
################################################## |
|
###################### |
## MOD-EVASIVE.CONF ## |
###################### |
|
if (test -f $DIR_FILTER/mod-evasive.conf) |
then |
mv $DIR_FILTER/mod-evasive.conf $DIR_FILTER/mod-evasive.conf.old |
fi |
|
cat << EOF > $DIR_FILTER/mod-evasive.conf |
cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf |
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# |
# $Revision$ |
# |
# Adapted by ALCASAR team |
|
[Definition] |
|
395,19 → 176,11 |
################### |
## HTDIGEST.CONF ## |
################### |
|
if ( test -f $DIR_FILTER/htdigest.conf) |
then |
mv $DIR_FILTER/htdigest.conf $DIR_FILTER/htdigest.conf.old |
fi |
|
cat << EOF > $DIR_FILTER/htdigest.conf |
cat << EOF > $DIR_FILTER/alcasar_htdigest.conf |
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# |
# $Revision$ |
# |
# Adapted by ALCASAR team |
|
[Definition] |
|
430,20 → 203,11 |
#################### |
## INTERCEPT.CONF ## |
#################### |
|
if ( test -f $DIR_FILTER/intercept.conf) |
then |
mv $DIR_FILTER/intercept.conf $DIR_FILTER/intercept.conf.old |
fi |
|
cat << EOF > $DIR_FILTER/intercept.conf |
|
cat << EOF > $DIR_FILTER/alcasar_intercept.conf |
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# |
# $Revision$ |
# |
# Adapted by ALCASAR team |
|
[Definition] |
|
466,20 → 230,12 |
####################### |
## MOT_DE_PASSE.CONF ## |
####################### |
cat << EOF > $DIR_FILTER/alcasar_change-password.conf |
|
if ( test -f $DIR_FILTER/mot_de_passe.conf ) |
then |
mv $DIR_FILTER/mot_de_passe.conf $DIR_FILTER/mot_de_passe.conf.old |
fi |
|
cat << EOF > $DIR_FILTER/mot_de_passe.conf |
|
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# |
# $Revision$ |
# |
# Adapted by ALCASAR team |
|
[Definition] |
|
499,26 → 255,20 |
ignoreregex = |
EOF |
|
|
############################################## |
## Log sur Iptables quand iptables-allports ## |
## Log sur ULOG quand iptables-allports ## |
############################################## |
|
if ( test -f $ACTION_ALLPORTS ) |
then |
mv $ACTION_ALLPORTS $ACTION_ALLPORTS.old |
mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default |
fi |
|
cat << EOF > $ACTION_ALLPORTS |
|
# Fail2Ban configuration file |
# |
# Author: Cyril Jaquier |
# Modified: Yaroslav O. Halchenko <debian@onerussian.com> |
# made active on all ports from original iptables.conf |
# |
# $Revision$ |
# |
# Adapted by ALCASAR team |
|
[Definition] |
|
585,6 → 335,3 |
chain = INPUT |
|
EOF |
|
#Activation de l'unité |
systemctl enable fail2ban.service |