Subversion Repositories ALCASAR

Rev

Details | Last modification | View Log

Rev Author Line No. Line
2271 tom.houday 1
#!/bin/sh
2
# $Id: fail2ban.sh 2837 2020-06-16 22:24:15Z rexy $
3
 
1191 crox53 4
JAIL_CONF="/etc/fail2ban/jail.conf"
5
DIR_FILTER="/etc/fail2ban/filter.d/"
6
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"
7
 
1388 richard 8
#########################################################
1191 crox53 9
## Mise à jour de la configuration de jail de fail2ban ##
10
#########################################################
2271 tom.houday 11
[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default
1191 crox53 12
cat << EOF > $JAIL_CONF
13
 
14
# Fail2Ban configuration file
15
#
16
# Author: Cyril Jaquier
1388 richard 17
# Adapted by ALCASAR team
1191 crox53 18
 
1388 richard 19
 
1191 crox53 20
# The DEFAULT allows a global definition of the options. They can be overridden
21
# in each jail afterwards.
22
 
23
[DEFAULT]
24
 
25
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
26
# ban a host which matches an address in this list. Several addresses can be
27
# defined using space separator.
28
ignoreip = 127.0.0.1/8
29
 
30
# "bantime" is the number of seconds that a host is banned.
2815 rexy 31
bantime  = 180
1191 crox53 32
 
1388 richard 33
# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
34
# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)
35
# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes
1191 crox53 36
findtime  = 60
37
 
38
# "maxretry" is the number of failures before a host get banned.
39
maxretry = 5
40
 
41
# "backend" specifies the backend used to get files modification. Available
42
# options are "gamin", "polling" and "auto". This option can be overridden in
43
# each jail too (use "gamin" for a jail and "polling" for another).
44
#
45
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
46
#          is not installed, Fail2ban will use polling.
47
# polling: uses a polling algorithm which does not require external libraries.
48
# auto:    will choose Gamin if available and polling otherwise.
49
backend = auto
50
 
1410 richard 51
# "usedns" specifies if jails should trust hostnames in logs,
52
# warn when DNS lookups are performed, or ignore all hostnames in logs
53
#
54
# yes: if a hostname is encountered, a DNS lookup will be performed.
55
# warn: if a hostname is encountered, a DNS lookup will be performed,
56
# but it will be logged as a warning.
57
# no: if a hostname is encountered, will not be used for banning,
58
# but it will be logged as info.
59
usedns = warn
60
 
2815 rexy 61
# Bannissement sur tous les ports après 3 refus du serveur WEB (tentative d'accès sur des pages inexistentes)
1388 richard 62
[alcasar_mod-evasive]
1191 crox53 63
 
1410 richard 64
#enabled = true
65
enabled = false
2487 lucas.echa 66
backend = auto
1410 richard 67
filter = alcasar_mod-evasive
1388 richard 68
action = iptables-allports[name=alcasar_mod-evasive]
2488 lucas.echa 69
logpath = /var/log/lighttpd/access.log
2815 rexy 70
maxretry = 3
1191 crox53 71
 
1388 richard 72
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
1191 crox53 73
[ssh-iptables]
74
 
75
enabled = true
76
#enabled  = false
77
filter   = sshd
78
action   = iptables-allports[name=SSH]
79
logpath  = /var/log/auth.log
80
maxretry = 3
81
 
1388 richard 82
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
2284 tom.houday 83
[alcasar_acc]
1191 crox53 84
 
85
enabled = true
86
#enabled = false
2487 lucas.echa 87
backend = auto
2284 tom.houday 88
filter = alcasar_acc
89
action = iptables-allports[name=alcasar_acc]
2488 lucas.echa 90
logpath = /var/log/lighttpd/access.log
91
maxretry = 6
1191 crox53 92
 
1388 richard 93
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
94
[alcasar_intercept]
1191 crox53 95
 
96
enabled = true
97
#enabled = false
2487 lucas.echa 98
backend = auto
1410 richard 99
filter = alcasar_intercept
1388 richard 100
action = iptables-allports[name=alcasar_intercept]
2488 lucas.echa 101
logpath = /var/log/lighttpd/access.log
2837 rexy 102
maxretry = 6
1191 crox53 103
 
1388 richard 104
# Bannissement sur tout les port après 5 échecs de changement de mot de passe
1191 crox53 105
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
1410 richard 106
[alcasar_change-pwd]
1191 crox53 107
 
108
enabled = true
109
#enabled = false
2487 lucas.echa 110
backend = auto
1410 richard 111
filter = alcasar_change-pwd
112
action = iptables-allports[name=alcasar_change-pwd]
2488 lucas.echa 113
logpath = /var/log/lighttpd/access.log
1191 crox53 114
maxretry = 5
1410 richard 115
 
1191 crox53 116
EOF
117
 
1388 richard 118
##################################################
119
## Mise en place des filtres spécifiques	##
120
## - Mod_evasive.conf				##
2271 tom.houday 121
## - acc-htdigest.conf				##
1388 richard 122
## - intercept.conf				##
2271 tom.houday 123
## - change-pwd.conf				##
1388 richard 124
##################################################
1191 crox53 125
 
126
######################
127
## MOD-EVASIVE.CONF ##
128
######################
1388 richard 129
cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf
1191 crox53 130
# Fail2Ban configuration file
131
#
132
# Author: Cyril Jaquier
1388 richard 133
# Adapted by ALCASAR team
1191 crox53 134
 
135
[Definition]
136
 
137
# Option:  failregex
138
# Notes.:  regex to match the password failure messages in the logfile. The
139
#          host must be matched by a group named "host". The tag "<HOST>" can
140
#          be used for standard IP/hostname matching and is only an alias for
141
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
142
# Values:  TEXT
143
#
2488 lucas.echa 144
failregex =  <HOST> .+\] "[^"]+" 403
1191 crox53 145
 
146
# Option:  ignoreregex
147
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
148
# Values:  TEXT
149
#
150
ignoreregex = 
151
EOF
152
 
2271 tom.houday 153
#######################
154
## ACC-HTDIGEST.CONF ##
155
#######################
2284 tom.houday 156
cat << EOF > $DIR_FILTER/alcasar_acc.conf
1191 crox53 157
# Fail2Ban configuration file
158
#
159
# Author: Cyril Jaquier
1388 richard 160
# Adapted by ALCASAR team
1191 crox53 161
 
162
[Definition]
163
 
164
# Option:  failregex
165
# Notes.:  regex to match the password failure messages in the logfile. The
166
#          host must be matched by a group named "host". The tag "<HOST>" can
167
#          be used for standard IP/hostname matching and is only an alias for
168
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
169
# Values:  TEXT
170
#
2488 lucas.echa 171
failregex =  <HOST> .+\] "[^"]+" 401
1191 crox53 172
 
1410 richard 173
#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]
174
 
1191 crox53 175
# Option:  ignoreregex
176
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
177
# Values:  TEXT
178
#
179
ignoreregex = 
180
EOF
181
 
182
####################
183
## INTERCEPT.CONF ##
184
####################
1388 richard 185
cat << EOF > $DIR_FILTER/alcasar_intercept.conf
1191 crox53 186
# Fail2Ban configuration file
187
#
188
# Author: Cyril Jaquier
1388 richard 189
# Adapted by ALCASAR team
1191 crox53 190
 
191
[Definition]
192
 
193
# Option:  failregex
194
# Notes.:  regex to match the password failure messages in the logfile. The
195
#          host must be matched by a group named "host". The tag "<HOST>" can
196
#          be used for standard IP/hostname matching and is only an alias for
197
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
198
# Values:  TEXT
199
#
2488 lucas.echa 200
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
1191 crox53 201
 
202
# Option:  ignoreregex
203
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
204
# Values:  TEXT
205
#
206
ignoreregex = 
207
EOF
208
 
2271 tom.houday 209
#####################
210
## CHANGE-PWD.CONF ##
211
#####################
1410 richard 212
cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf
1191 crox53 213
 
214
# Fail2Ban configuration file
215
#
216
# Author: Cyril Jaquier
1388 richard 217
# Adapted by ALCASAR team
1191 crox53 218
 
219
[Definition]
220
 
221
# Option:  failregex
222
# Notes.:  regex to match the password failure messages in the logfile. The
223
#          host must be matched by a group named "host". The tag "<HOST>" can
224
#          be used for standard IP/hostname matching and is only an alias for
225
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
226
# Values:  TEXT
227
#
2488 lucas.echa 228
failregex = <HOST> .* \"POST \/password\.php
1191 crox53 229
 
1410 richard 230
 
1191 crox53 231
# Option:  ignoreregex
232
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
233
# Values:  TEXT
234
#
235
ignoreregex = 
236
EOF
237
 
238
##############################################
1388 richard 239
##   Log sur ULOG quand iptables-allports   ##
1191 crox53 240
##############################################
2271 tom.houday 241
[ -f $ACTION_ALLPORTS ] && [ ! -e $ACTION_ALLPORTS.default ] && mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default
1191 crox53 242
cat << EOF > $ACTION_ALLPORTS
243
# Fail2Ban configuration file
244
#
245
# Author: Cyril Jaquier
246
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
247
# 			made active on all ports from original iptables.conf
1388 richard 248
# Adapted by ALCASAR team
1191 crox53 249
 
250
[Definition]
251
 
252
# Option:  actionstart
253
# Notes.:  command executed once at the start of Fail2Ban.
254
# Values:  CMD
255
#
256
actionstart = iptables -N fail2ban-<name>
257
              iptables -A fail2ban-<name> -j RETURN
258
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
259
 
260
# Option:  actionstop
261
# Notes.:  command executed once at the end of Fail2Ban
262
# Values:  CMD
263
#
264
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
265
             iptables -F fail2ban-<name>
266
             iptables -X fail2ban-<name>
267
 
268
# Option:  actioncheck
269
# Notes.:  command executed once before each actionban command
270
# Values:  CMD
271
#
272
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
273
 
274
# Option:  actionban
275
# Notes.:  command executed when banning an IP. Take care that the
276
#          command is executed with Fail2Ban user rights.
277
# Tags:    <ip>  IP address
278
#          <failures>  number of failures
279
#          <time>  unix timestamp of the ban time
280
# Values:  CMD
281
 
2357 tom.houday 282
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
1191 crox53 283
 
284
# Option:  actionunban
285
# Notes.:  command executed when unbanning an IP. Take care that the
286
#          command is executed with Fail2Ban user rights.
287
# Tags:    <ip>  IP address
288
#          <failures>  number of failures
289
#          <time>  unix timestamp of the ban time
290
# Values:  CMD
291
#
2357 tom.houday 292
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
1191 crox53 293
 
294
[Init]
295
 
296
# Defaut name of the chain
297
#
298
name = default
299
 
300
# Option:  protocol
301
# Notes.:  internally used by config reader for interpolations.
302
# Values:  [ tcp | udp | icmp | all ] Default: tcp
303
#
304
protocol = tcp
305
 
306
# Option:  chain
307
# Notes    specifies the iptables chain to which the fail2ban rules should be
308
#          added
309
# Values:  STRING  Default: INPUT
310
chain = INPUT
311
 
312
EOF