| Line 36... |
Line 36... |
| 36 |
# not remove this file when Fail2ban runs. It will not be possible to
|
36 |
# not remove this file when Fail2ban runs. It will not be possible to
|
| 37 |
# communicate with the server afterwards.
|
37 |
# communicate with the server afterwards.
|
| 38 |
# Values: FILE Default: /var/run/fail2ban/fail2ban.sock
|
38 |
# Values: FILE Default: /var/run/fail2ban/fail2ban.sock
|
| 39 |
#
|
39 |
#
|
| 40 |
socket = /var/run/fail2ban/fail2ban.sock
|
40 |
socket = /var/run/fail2ban/fail2ban.sock
|
| - |
|
41 |
|
| - |
|
42 |
# Option: pidfile
|
| - |
|
43 |
# Notes.: Set the PID file. This is used to store the process ID of the
|
| - |
|
44 |
# fail2ban server.
|
| - |
|
45 |
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid
|
| - |
|
46 |
#
|
| - |
|
47 |
pidfile = /var/run/fail2ban/fail2ban.pid
|
| 41 |
EOF
|
48 |
EOF
|
| 42 |
|
49 |
|
| 43 |
#########################################################
|
50 |
#########################################################
|
| 44 |
## Mise à jour de la configuration de jail de fail2ban ##
|
51 |
## Mise à jour de la configuration de jail de fail2ban ##
|
| 45 |
#########################################################
|
52 |
#########################################################
|
| Line 84... |
Line 91... |
| 84 |
# is not installed, Fail2ban will use polling.
|
91 |
# is not installed, Fail2ban will use polling.
|
| 85 |
# polling: uses a polling algorithm which does not require external libraries.
|
92 |
# polling: uses a polling algorithm which does not require external libraries.
|
| 86 |
# auto: will choose Gamin if available and polling otherwise.
|
93 |
# auto: will choose Gamin if available and polling otherwise.
|
| 87 |
backend = auto
|
94 |
backend = auto
|
| 88 |
|
95 |
|
| - |
|
96 |
# "usedns" specifies if jails should trust hostnames in logs,
|
| - |
|
97 |
# warn when DNS lookups are performed, or ignore all hostnames in logs
|
| - |
|
98 |
#
|
| - |
|
99 |
# yes: if a hostname is encountered, a DNS lookup will be performed.
|
| - |
|
100 |
# warn: if a hostname is encountered, a DNS lookup will be performed,
|
| - |
|
101 |
# but it will be logged as a warning.
|
| - |
|
102 |
# no: if a hostname is encountered, will not be used for banning,
|
| - |
|
103 |
# but it will be logged as info.
|
| - |
|
104 |
usedns = warn
|
| - |
|
105 |
|
| 89 |
# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)
|
106 |
# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)
|
| 90 |
[alcasar_mod-evasive]
|
107 |
[alcasar_mod-evasive]
|
| 91 |
|
108 |
|
| 92 |
enabled = true
|
109 |
#enabled = true
|
| 93 |
#enabled = false
|
110 |
enabled = false
|
| 94 |
filter = mod-evasive
|
111 |
filter = alcasar_mod-evasive
|
| 95 |
action = iptables-allports[name=alcasar_mod-evasive]
|
112 |
action = iptables-allports[name=alcasar_mod-evasive]
|
| 96 |
logpath = /var/log/httpd/error_log
|
113 |
logpath = /var/log/httpd/error_log
|
| 97 |
maxretry = 2
|
114 |
maxretry = 2
|
| 98 |
|
115 |
|
| 99 |
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
|
116 |
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
|
| Line 109... |
Line 126... |
| 109 |
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
|
126 |
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
|
| 110 |
[alcasar_htdigest]
|
127 |
[alcasar_htdigest]
|
| 111 |
|
128 |
|
| 112 |
enabled = true
|
129 |
enabled = true
|
| 113 |
#enabled = false
|
130 |
#enabled = false
|
| 114 |
filter = htdigest
|
131 |
filter = alcasar_htdigest
|
| 115 |
action = iptables-allports[name=alcasar_htdigest]
|
132 |
action = iptables-allports[name=alcasar_htdigest]
|
| 116 |
logpath = /var/log/httpd/ssl_error_log
|
133 |
logpath = /var/log/httpd/ssl_request_log
|
| 117 |
maxretry = 5
|
134 |
maxretry = 5
|
| 118 |
|
135 |
|
| 119 |
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
|
136 |
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
|
| 120 |
[alcasar_intercept]
|
137 |
[alcasar_intercept]
|
| 121 |
|
138 |
|
| 122 |
enabled = true
|
139 |
enabled = true
|
| 123 |
#enabled = false
|
140 |
#enabled = false
|
| 124 |
filter = intercept
|
141 |
filter = alcasar_intercept
|
| 125 |
action = iptables-allports[name=alcasar_intercept]
|
142 |
action = iptables-allports[name=alcasar_intercept]
|
| 126 |
logpath = /var/log/httpd/ssl_request_log
|
143 |
logpath = /var/log/httpd/ssl_request_log
|
| 127 |
maxretry = 5
|
144 |
maxretry = 5
|
| 128 |
|
145 |
|
| 129 |
# Bannissement sur tout les port après 5 échecs de changement de mot de passe
|
146 |
# Bannissement sur tout les port après 5 échecs de changement de mot de passe
|
| 130 |
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
|
147 |
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
|
| 131 |
[alcasar_change-password]
|
148 |
[alcasar_change-pwd]
|
| 132 |
|
149 |
|
| 133 |
enabled = true
|
150 |
enabled = true
|
| 134 |
#enabled = false
|
151 |
#enabled = false
|
| 135 |
filter = mot_de_passe
|
152 |
filter = alcasar_change-pwd
|
| 136 |
action = iptables-allports[name=alcasar_change-password]
|
153 |
action = iptables-allports[name=alcasar_change-pwd]
|
| 137 |
logpath = /var/log/httpd/ssl_request_log
|
154 |
logpath = /var/log/httpd/ssl_request_log
|
| 138 |
maxretry = 5
|
155 |
maxretry = 5
|
| - |
|
156 |
|
| 139 |
EOF
|
157 |
EOF
|
| 140 |
|
158 |
|
| 141 |
##################################################
|
159 |
##################################################
|
| 142 |
## Mise en place des filtres spécifiques ##
|
160 |
## Mise en place des filtres spécifiques ##
|
| 143 |
## - Mod_evasive.conf ##
|
161 |
## - Mod_evasive.conf ##
|
| Line 189... |
Line 207... |
| 189 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
207 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
| 190 |
# be used for standard IP/hostname matching and is only an alias for
|
208 |
# be used for standard IP/hostname matching and is only an alias for
|
| 191 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
209 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
| 192 |
# Values: TEXT
|
210 |
# Values: TEXT
|
| 193 |
#
|
211 |
#
|
| 194 |
failregex = [[]error[]] [[]client <HOST>[]] Digest:
|
212 |
#failregex = [[]error[]] [[]client <HOST>[]] Digest:
|
| - |
|
213 |
failregex = [[]<HOST>[]] "GET /acc HTTP/1.1" 972
|
| - |
|
214 |
|
| - |
|
215 |
#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]
|
| 195 |
|
216 |
|
| 196 |
# Option: ignoreregex
|
217 |
# Option: ignoreregex
|
| 197 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
218 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
| 198 |
# Values: TEXT
|
219 |
# Values: TEXT
|
| 199 |
#
|
220 |
#
|
| Line 216... |
Line 237... |
| 216 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
237 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
| 217 |
# be used for standard IP/hostname matching and is only an alias for
|
238 |
# be used for standard IP/hostname matching and is only an alias for
|
| 218 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
239 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
| 219 |
# Values: TEXT
|
240 |
# Values: TEXT
|
| 220 |
#
|
241 |
#
|
| 221 |
failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]GET \/intercept\.php\?res=failed[&]reason=reject
|
242 |
#failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]GET \/intercept\.php\?res=failed[&]reason=reject
|
| - |
|
243 |
failregex = [[]<HOST>[]] ["]GET \/intercept\.php\?res=failed[&]reason=reject
|
| 222 |
|
244 |
|
| 223 |
# Option: ignoreregex
|
245 |
# Option: ignoreregex
|
| 224 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
246 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
| 225 |
# Values: TEXT
|
247 |
# Values: TEXT
|
| 226 |
#
|
248 |
#
|
| Line 228... |
Line 250... |
| 228 |
EOF
|
250 |
EOF
|
| 229 |
|
251 |
|
| 230 |
#######################
|
252 |
#######################
|
| 231 |
## MOT_DE_PASSE.CONF ##
|
253 |
## MOT_DE_PASSE.CONF ##
|
| 232 |
#######################
|
254 |
#######################
|
| 233 |
cat << EOF > $DIR_FILTER/alcasar_change-password.conf
|
255 |
cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf
|
| 234 |
|
256 |
|
| 235 |
# Fail2Ban configuration file
|
257 |
# Fail2Ban configuration file
|
| 236 |
#
|
258 |
#
|
| 237 |
# Author: Cyril Jaquier
|
259 |
# Author: Cyril Jaquier
|
| 238 |
# Adapted by ALCASAR team
|
260 |
# Adapted by ALCASAR team
|
| Line 244... |
Line 266... |
| 244 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
266 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
| 245 |
# be used for standard IP/hostname matching and is only an alias for
|
267 |
# be used for standard IP/hostname matching and is only an alias for
|
| 246 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
268 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
| 247 |
# Values: TEXT
|
269 |
# Values: TEXT
|
| 248 |
#
|
270 |
#
|
| 249 |
failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]POST \/pass\/index\.php HTTP
|
271 |
#failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]POST \/pass\/index\.php HTTP
|
| - |
|
272 |
failregex = [[]<HOST>[]] ["]POST /pass/index.php HTTP/1.1" 11169
|
| - |
|
273 |
|
| 250 |
|
274 |
|
| 251 |
# Option: ignoreregex
|
275 |
# Option: ignoreregex
|
| 252 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
276 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
| 253 |
# Values: TEXT
|
277 |
# Values: TEXT
|
| 254 |
#
|
278 |
#
|