Subversion Repositories ALCASAR

#!/bin/sh

# $Id: fail2ban.sh 2864 2020-10-18 09:06:17Z rexy $

JAIL_CONF="/etc/fail2ban/jail.conf"

DIR_FILTER="/etc/fail2ban/filter.d/"

#########################################################

## Mise à jour de la configuration de jail de fail2ban ##

#########################################################

[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default

cat << EOF > $JAIL_CONF

# Fail2Ban configuration file

#

# Author: Cyril Jaquier

# Adapted by ALCASAR team

# The DEFAULT allows a global definition of the options. They can be overridden

# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not

# ban a host which matches an address in this list. Several addresses can be

# defined using space separator.

ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.

bantime  = 180

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.

# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)

# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes

findtime  = 60

# "maxretry" is the number of failures before a host get banned.

maxretry = 5

# "backend" specifies the backend used to get files modification. Available

# options are "gamin", "polling" and "auto". This option can be overridden in

# each jail too (use "gamin" for a jail and "polling" for another).

#

# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin

#          is not installed, Fail2ban will use polling.

# polling: uses a polling algorithm which does not require external libraries.

# auto:    will choose Gamin if available and polling otherwise.

backend = auto

# "usedns" specifies if jails should trust hostnames in logs,

# warn when DNS lookups are performed, or ignore all hostnames in logs

#

# yes: if a hostname is encountered, a DNS lookup will be performed.

# warn: if a hostname is encountered, a DNS lookup will be performed,

# but it will be logged as a warning.

# no: if a hostname is encountered, will not be used for banning,

# but it will be logged as info.

usedns = warn

# Bannissement sur tous les ports après 3 refus du serveur WEB (tentative d'accès sur des pages inexistentes)

[alcasar_mod-evasive]

#enabled = true

enabled = false

backend = auto

filter = alcasar_mod-evasive

action = iptables-allports[name=alcasar_mod-evasive]

logpath = /var/log/lighttpd/access.log

maxretry = 3

# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)

[ssh-iptables]

enabled = true

#enabled  = false

filter   = sshd

action   = iptables-allports[name=SSH]

logpath  = /var/log/auth.log

maxretry = 3

# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)

[alcasar_acc]

enabled = true

#enabled = false

backend = auto

filter = alcasar_acc

action = iptables-allports[name=alcasar_acc]

logpath = /var/log/lighttpd/access.log

maxretry = 5

# Bannissement sur tout les ports après 5 echecs de connexion pour un usager

[alcasar_intercept]

enabled = true

#enabled = false

backend = auto

filter = alcasar_intercept

action = iptables-allports[name=alcasar_intercept]

logpath = /var/log/lighttpd/access.log

maxretry = 5

# Bannissement sur tout les port après 5 échecs de changement de mot de passe

# 5 POST pour changer le mot de passe que le POST soit ok ou non.

[alcasar_change-pwd]

enabled = true

#enabled = false

backend = auto

filter = alcasar_change-pwd

action = iptables-allports[name=alcasar_change-pwd]

logpath = /var/log/lighttpd/access.log

maxretry = 5

EOF

##############################################

## Mise en place des filtres spécifiques       ##

## - Mod_evasive.conf                                           ##

## - acc-htdigest.conf                                          ##

## - intercept.conf                                                     ##

## - change-pwd.conf                                            ##

##############################################

######################

## MOD-EVASIVE.CONF ##

######################

cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf

# Fail2Ban configuration file

#

# Author: Cyril Jaquier

# Adapted by ALCASAR team

[Definition]

# Option:  failregex

# Notes.:  regex to match the password failure messages in the logfile. The

#          host must be matched by a group named "host". The tag "<HOST>" can

#          be used for standard IP/hostname matching and is only an alias for

#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)

# Values:  TEXT

#

failregex =  <HOST> .+\] "[^"]+" 403

# Option:  ignoreregex

# Notes.:  regex to ignore. If this regex matches, the line is ignored.

# Values:  TEXT

#

ignoreregex =

EOF

#######################

## ACC-HTDIGEST.CONF ##

#######################

cat << EOF > $DIR_FILTER/alcasar_acc.conf

# Fail2Ban configuration file

#

# Author: Cyril Jaquier

# Adapted by ALCASAR team

[Definition]

# Option:  failregex

# Notes.:  regex to match the password failure messages in the logfile. The

#          host must be matched by a group named "host". The tag "<HOST>" can

#          be used for standard IP/hostname matching and is only an alias for

#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)

# Values:  TEXT

#

failregex =  <HOST> .+\] "[^"]+" 401

#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]

# Option:  ignoreregex

# Notes.:  regex to ignore. If this regex matches, the line is ignored.

# Values:  TEXT

#

ignoreregex =

EOF

####################

## INTERCEPT.CONF ##

####################

cat << EOF > $DIR_FILTER/alcasar_intercept.conf

# Fail2Ban configuration file

#

# Author: Cyril Jaquier

# Adapted by ALCASAR team

[Definition]

# Option:  failregex

# Notes.:  regex to match the password failure messages in the logfile. The

#          host must be matched by a group named "host". The tag "<HOST>" can

#          be used for standard IP/hostname matching and is only an alias for

#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)

# Values:  TEXT

#

failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject

# Option:  ignoreregex

# Notes.:  regex to ignore. If this regex matches, the line is ignored.

# Values:  TEXT

#

ignoreregex =

EOF

#####################

## CHANGE-PWD.CONF ##

#####################

cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf

# Fail2Ban configuration file

#

# Author: Cyril Jaquier

# Adapted by ALCASAR team

[Definition]

# Option:  failregex

# Notes.:  regex to match the password failure messages in the logfile. The

#          host must be matched by a group named "host". The tag "<HOST>" can

#          be used for standard IP/hostname matching and is only an alias for

#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)

# Values:  TEXT

#

failregex = <HOST> .* \"POST \/password\.php

# Option:  ignoreregex

# Notes.:  regex to ignore. If this regex matches, the line is ignored.

# Values:  TEXT

#

ignoreregex =

EOF