Subversion Repositories ALCASAR

Rev

Details | Last modification | View Log

Rev Author Line No. Line
2271 tom.houday 1
#!/bin/sh
2
# $Id: fail2ban.sh 2864 2020-10-18 09:06:17Z rexy $
3
 
1191 crox53 4
JAIL_CONF="/etc/fail2ban/jail.conf"
5
DIR_FILTER="/etc/fail2ban/filter.d/"
6
 
1388 richard 7
#########################################################
1191 crox53 8
## Mise à jour de la configuration de jail de fail2ban ##
9
#########################################################
2271 tom.houday 10
[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default
1191 crox53 11
cat << EOF > $JAIL_CONF
12
 
13
# Fail2Ban configuration file
14
#
15
# Author: Cyril Jaquier
1388 richard 16
# Adapted by ALCASAR team
1191 crox53 17
 
1388 richard 18
 
1191 crox53 19
# The DEFAULT allows a global definition of the options. They can be overridden
20
# in each jail afterwards.
21
 
22
[DEFAULT]
23
 
24
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
25
# ban a host which matches an address in this list. Several addresses can be
26
# defined using space separator.
27
ignoreip = 127.0.0.1/8
28
 
29
# "bantime" is the number of seconds that a host is banned.
2815 rexy 30
bantime  = 180
1191 crox53 31
 
1388 richard 32
# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
33
# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)
34
# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes
1191 crox53 35
findtime  = 60
36
 
37
# "maxretry" is the number of failures before a host get banned.
38
maxretry = 5
39
 
40
# "backend" specifies the backend used to get files modification. Available
41
# options are "gamin", "polling" and "auto". This option can be overridden in
42
# each jail too (use "gamin" for a jail and "polling" for another).
43
#
44
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
45
#          is not installed, Fail2ban will use polling.
46
# polling: uses a polling algorithm which does not require external libraries.
47
# auto:    will choose Gamin if available and polling otherwise.
48
backend = auto
49
 
1410 richard 50
# "usedns" specifies if jails should trust hostnames in logs,
51
# warn when DNS lookups are performed, or ignore all hostnames in logs
52
#
53
# yes: if a hostname is encountered, a DNS lookup will be performed.
54
# warn: if a hostname is encountered, a DNS lookup will be performed,
55
# but it will be logged as a warning.
56
# no: if a hostname is encountered, will not be used for banning,
57
# but it will be logged as info.
58
usedns = warn
59
 
2815 rexy 60
# Bannissement sur tous les ports après 3 refus du serveur WEB (tentative d'accès sur des pages inexistentes)
1388 richard 61
[alcasar_mod-evasive]
1410 richard 62
#enabled = true
63
enabled = false
2487 lucas.echa 64
backend = auto
1410 richard 65
filter = alcasar_mod-evasive
1388 richard 66
action = iptables-allports[name=alcasar_mod-evasive]
2488 lucas.echa 67
logpath = /var/log/lighttpd/access.log
2815 rexy 68
maxretry = 3
1191 crox53 69
 
1388 richard 70
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
1191 crox53 71
[ssh-iptables]
72
enabled = true
73
#enabled  = false
74
filter   = sshd
75
action   = iptables-allports[name=SSH]
76
logpath  = /var/log/auth.log
77
maxretry = 3
78
 
1388 richard 79
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
2284 tom.houday 80
[alcasar_acc]
1191 crox53 81
enabled = true
82
#enabled = false
2487 lucas.echa 83
backend = auto
2284 tom.houday 84
filter = alcasar_acc
85
action = iptables-allports[name=alcasar_acc]
2488 lucas.echa 86
logpath = /var/log/lighttpd/access.log
2864 rexy 87
maxretry = 5
1191 crox53 88
 
1388 richard 89
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
90
[alcasar_intercept]
1191 crox53 91
enabled = true
92
#enabled = false
2487 lucas.echa 93
backend = auto
1410 richard 94
filter = alcasar_intercept
1388 richard 95
action = iptables-allports[name=alcasar_intercept]
2488 lucas.echa 96
logpath = /var/log/lighttpd/access.log
2864 rexy 97
maxretry = 5
1191 crox53 98
 
1388 richard 99
# Bannissement sur tout les port après 5 échecs de changement de mot de passe
1191 crox53 100
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
1410 richard 101
[alcasar_change-pwd]
1191 crox53 102
enabled = true
103
#enabled = false
2487 lucas.echa 104
backend = auto
1410 richard 105
filter = alcasar_change-pwd
106
action = iptables-allports[name=alcasar_change-pwd]
2488 lucas.echa 107
logpath = /var/log/lighttpd/access.log
1191 crox53 108
maxretry = 5
1410 richard 109
 
1191 crox53 110
EOF
111
 
2864 rexy 112
##############################################
1388 richard 113
## Mise en place des filtres spécifiques       ##
2864 rexy 114
## - Mod_evasive.conf                                           ##
115
## - acc-htdigest.conf                                          ##
116
## - intercept.conf                                                     ##
117
## - change-pwd.conf                                            ##
118
##############################################
1191 crox53 119
 
120
######################
121
## MOD-EVASIVE.CONF ##
122
######################
1388 richard 123
cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf
1191 crox53 124
# Fail2Ban configuration file
125
#
126
# Author: Cyril Jaquier
1388 richard 127
# Adapted by ALCASAR team
1191 crox53 128
 
129
[Definition]
130
 
131
# Option:  failregex
132
# Notes.:  regex to match the password failure messages in the logfile. The
133
#          host must be matched by a group named "host". The tag "<HOST>" can
134
#          be used for standard IP/hostname matching and is only an alias for
135
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
136
# Values:  TEXT
137
#
2488 lucas.echa 138
failregex =  <HOST> .+\] "[^"]+" 403
1191 crox53 139
 
140
# Option:  ignoreregex
141
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
142
# Values:  TEXT
143
#
144
ignoreregex =
145
EOF
146
 
2271 tom.houday 147
#######################
148
## ACC-HTDIGEST.CONF ##
149
#######################
2284 tom.houday 150
cat << EOF > $DIR_FILTER/alcasar_acc.conf
1191 crox53 151
# Fail2Ban configuration file
152
#
153
# Author: Cyril Jaquier
1388 richard 154
# Adapted by ALCASAR team
1191 crox53 155
 
156
[Definition]
157
 
158
# Option:  failregex
159
# Notes.:  regex to match the password failure messages in the logfile. The
160
#          host must be matched by a group named "host". The tag "<HOST>" can
161
#          be used for standard IP/hostname matching and is only an alias for
162
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
163
# Values:  TEXT
164
#
2488 lucas.echa 165
failregex =  <HOST> .+\] "[^"]+" 401
1191 crox53 166
 
1410 richard 167
#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]
168
 
1191 crox53 169
# Option:  ignoreregex
170
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
171
# Values:  TEXT
172
#
173
ignoreregex =
174
EOF
175
 
176
####################
177
## INTERCEPT.CONF ##
178
####################
1388 richard 179
cat << EOF > $DIR_FILTER/alcasar_intercept.conf
1191 crox53 180
# Fail2Ban configuration file
181
#
182
# Author: Cyril Jaquier
1388 richard 183
# Adapted by ALCASAR team
1191 crox53 184
 
185
[Definition]
186
 
187
# Option:  failregex
188
# Notes.:  regex to match the password failure messages in the logfile. The
189
#          host must be matched by a group named "host". The tag "<HOST>" can
190
#          be used for standard IP/hostname matching and is only an alias for
191
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
192
# Values:  TEXT
193
#
2488 lucas.echa 194
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
1191 crox53 195
 
196
# Option:  ignoreregex
197
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
198
# Values:  TEXT
199
#
200
ignoreregex =
201
EOF
202
 
2271 tom.houday 203
#####################
204
## CHANGE-PWD.CONF ##
205
#####################
1410 richard 206
cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf
1191 crox53 207
 
208
# Fail2Ban configuration file
209
#
210
# Author: Cyril Jaquier
1388 richard 211
# Adapted by ALCASAR team
1191 crox53 212
 
213
[Definition]
214
 
215
# Option:  failregex
216
# Notes.:  regex to match the password failure messages in the logfile. The
217
#          host must be matched by a group named "host". The tag "<HOST>" can
218
#          be used for standard IP/hostname matching and is only an alias for
219
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
220
# Values:  TEXT
221
#
2488 lucas.echa 222
failregex = <HOST> .* \"POST \/password\.php
1191 crox53 223
 
1410 richard 224
 
1191 crox53 225
# Option:  ignoreregex
226
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
227
# Values:  TEXT
228
#
229
ignoreregex =
230
EOF