Subversion Repositories ALCASAR

Rev

Go to most recent revision | Details | Last modification | View Log

Rev Author Line No. Line
1191 crox53 1
FAIL_CONF="/etc/fail2ban/fail2ban.conf"
2
JAIL_CONF="/etc/fail2ban/jail.conf"
3
DIR_FILTER="/etc/fail2ban/filter.d/"
4
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"
5
 
6
if(test -f $FAIL_CONF)
7
then
8
        mv $FAIL_CONF $FAIL_CONF.old
9
fi
10
 
11
if(test -f $JAIL_CONF)
12
then
13
        mv $JAIL_CONF $JAIL_CONF.old
14
fi
15
 
16
#########################################################
17
## Mise à jour du fichier de configuration de fail2ban ##
18
#########################################################
19
 
20
cat << EOF > $FAIL_CONF
21
 
22
[Definition]
23
 
24
# Option:  loglevel
25
# Notes.:  Set the log level output.
26
#          1 = ERROR
27
#          2 = WARN
28
#          3 = INFO
29
#          4 = DEBUG
30
# Values:  NUM  Default:  3
31
#
32
loglevel = 3
33
 
34
# Option:  logtarget
35
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
36
#          Only one log target can be specified.
37
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
38
#
39
logtarget = /var/log/fail2ban.log
40
 
41
# Option: socket
42
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
43
#         not remove this file when Fail2ban runs. It will not be possible to
44
#         communicate with the server afterwards.
45
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
46
#
47
socket = /var/run/fail2ban/fail2ban.sock
48
EOF
49
 
50
#########################################################
51
## Mise à jour de la configuration de jail de fail2ban ##
52
#########################################################
53
 
54
cat << EOF > $JAIL_CONF
55
 
56
# Fail2Ban configuration file
57
#
58
# Author: Cyril Jaquier
59
#
60
# $Revision$
61
#
62
 
63
# The DEFAULT allows a global definition of the options. They can be overridden
64
# in each jail afterwards.
65
 
66
[DEFAULT]
67
 
68
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
69
# ban a host which matches an address in this list. Several addresses can be
70
# defined using space separator.
71
ignoreip = 127.0.0.1/8
72
 
73
# "bantime" is the number of seconds that a host is banned.
74
bantime  = 600
75
 
76
# A host is banned if it has generated "maxretry" during the last "findtime"
77
# seconds.
78
# Un client est banni dans le cas ou il genere "maxretry" pendant le temps
79
# findtime en seconds
80
# Ici 5 requetes remplissant les filtres en 60 secondes
81
 
82
findtime  = 60
83
 
84
# "maxretry" is the number of failures before a host get banned.
85
maxretry = 5
86
 
87
# "backend" specifies the backend used to get files modification. Available
88
# options are "gamin", "polling" and "auto". This option can be overridden in
89
# each jail too (use "gamin" for a jail and "polling" for another).
90
#
91
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
92
#          is not installed, Fail2ban will use polling.
93
# polling: uses a polling algorithm which does not require external libraries.
94
# auto:    will choose Gamin if available and polling otherwise.
95
backend = auto
96
 
97
 
98
# This jail corresponds to the standard configuration in Fail2ban 0.6.
99
# The mail-whois action send a notification e-mail with a whois request
100
# in the body.
101
 
102
 
103
# Bannissement si Mod_evasive bannie un @IP après 2 interdit par Apache alors BAN sur tous les ports
104
 
105
[mod-evasive]
106
 
107
enabled = true
108
#enabled = false
109
filter = mod-evasive
110
action = iptables-allports[name=mod-evasive]
111
logpath = /var/log/httpd/error_log
112
maxretry = 2
113
 
114
# Bannissement pour SSH-Brute-Force
115
 
116
[ssh-iptables]
117
 
118
enabled = true
119
#enabled  = false
120
filter   = sshd
121
action   = iptables-allports[name=SSH]
122
logpath  = /var/log/auth.log
123
maxretry = 3
124
 
125
# Bannissement si 5 tentatives de connexion echouer en alcasar/acc
126
 
127
[htdigest]
128
 
129
enabled = true
130
#enabled = false
131
filter = htdigest
132
action = iptables-allports[name=htdigest]
133
logpath = /var/log/httpd/ssl_error_log
134
maxretry = 5
135
 
136
# Bannissement si 5 tentatives de connexion avec intercept.php avec reason=reject
137
 
138
[intercept]
139
 
140
enabled = true
141
#enabled = false
142
filter = intercept
143
action = iptables-allports[name=intercept]
144
logpath = /var/log/httpd/ssl_request_log
145
maxretry = 5
146
 
147
# Bannissement si 5 tentatives de changement de mot de passe en moins de 1 min
148
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
149
 
150
[mot_de_passe]
151
 
152
enabled = true
153
#enabled = false
154
filter = mot_de_passe
155
action = iptables-allports[name=Mot_de_Passe]
156
logpath = /var/log/httpd/ssl_request_log
157
maxretry = 5
158
 
159
 
160
[proftpd-iptables]
161
 
162
enabled  = false
163
filter   = proftpd
164
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
165
           sendmail-whois[name=ProFTPD, dest=you@example.com]
166
logpath  = /var/log/proftpd/proftpd.log
167
maxretry = 6
168
 
169
# This jail forces the backend to "polling".
170
 
171
[sasl-iptables]
172
 
173
enabled  = false
174
filter   = sasl
175
backend  = polling
176
action   = iptables[name=sasl, port=smtp, protocol=tcp]
177
           sendmail-whois[name=sasl, dest=you@example.com]
178
logpath  = /var/log/mail.log
179
 
180
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
181
# used to avoid banning the user "myuser".
182
 
183
[ssh-tcpwrapper]
184
 
185
enabled     = false
186
filter      = sshd
187
action      = hostsdeny
188
              sendmail-whois[name=SSH, dest=you@example.com]
189
ignoreregex = for myuser from
190
logpath     = /var/log/auth.log
191
 
192
# This jail demonstrates the use of wildcards in "logpath".
193
# Moreover, it is possible to give other files on a new line.
194
 
195
[apache-tcpwrapper]
196
 
197
enabled  = false
198
filter   = apache-auth
199
action   = hostsdeny
200
logpath  = /var/log/apache*/*error.log
201
           /home/www/myhomepage/error.log
202
maxretry = 6
203
 
204
# The hosts.deny path can be defined with the "file" argument if it is
205
# not in /etc.
206
 
207
[postfix-tcpwrapper]
208
 
209
enabled  = false
210
filter   = postfix
211
action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
212
           sendmail[name=Postfix, dest=you@example.com]
213
logpath  = /var/log/postfix.log
214
bantime  = 300
215
 
216
# Do not ban anybody. Just report information about the remote host.
217
# A notification is sent at most every 600 seconds (bantime).
218
 
219
[vsftpd-notification]
220
 
221
enabled  = false
222
filter   = vsftpd
223
action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
224
logpath  = /var/log/vsftpd.log
225
maxretry = 5
226
bantime  = 1800
227
 
228
# Same as above but with banning the IP address.
229
 
230
[vsftpd-iptables]
231
 
232
enabled  = false
233
filter   = vsftpd
234
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
235
           sendmail-whois[name=VSFTPD, dest=you@example.com]
236
logpath  = /var/log/vsftpd.log
237
maxretry = 5
238
bantime  = 1800
239
 
240
# Ban hosts which agent identifies spammer robots crawling the web
241
# for email addresses. The mail outputs are buffered.
242
 
243
[apache-badbots]
244
 
245
enabled  = false
246
filter   = apache-badbots
247
action   = iptables-multiport[name=BadBots, port="http,https"]
248
           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
249
logpath  = /var/www/*/logs/access_log
250
bantime  = 172800
251
maxretry = 1
252
 
253
# Use shorewall instead of iptables.
254
 
255
[apache-shorewall]
256
 
257
enabled  = false
258
filter   = apache-noscript
259
action   = shorewall
260
           sendmail[name=Postfix, dest=you@example.com]
261
logpath  = /var/log/apache2/error_log
262
 
263
# Ban attackers that try to use PHP's URL-fopen() functionality
264
# through GET/POST variables. - Experimental, with more than a year
265
# of usage in production environments.
266
 
267
[php-url-fopen]
268
 
269
enabled = false
270
port    = http,https
271
filter  = php-url-fopen
272
logpath = /var/www/*/logs/access_log
273
maxretry = 1
274
 
275
# A simple PHP-fastcgi jail which works with lighttpd.
276
# If you run a lighttpd server, then you probably will
277
# find these kinds of messages in your error_log:
278
# ALERT – tried to register forbidden variable ‘GLOBALS’
279
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
280
# This jail would block the IP 1.2.3.4.
281
 
282
[lighttpd-fastcgi]
283
 
284
enabled = false
285
port    = http,https
286
filter  = lighttpd-fastcgi
287
# adapt the following two items as needed
288
logpath = /var/log/lighttpd/error.log
289
maxretry = 2
290
 
291
# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
292
# option is overridden in this jail. Moreover, the action "mail-whois" defines
293
# the variable "name" which contains a comma using "". The characters '' are
294
# valid too.
295
 
296
[ssh-ipfw]
297
 
298
enabled  = false
299
filter   = sshd
300
action   = ipfw[localhost=192.168.0.1]
301
           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
302
logpath  = /var/log/auth.log
303
ignoreip = 168.192.0.1
304
 
305
# These jails block attacks against named (bind9). By default, logging is off
306
# with bind9 installation. You will need something like this:
307
#
308
# logging {
309
#     channel security_file {
310
#         file "/var/log/named/security.log" versions 3 size 30m;
311
#         severity dynamic;
312
#         print-time yes;
313
#     };
314
#     category security {
315
#         security_file;
316
#     };
317
# };
318
#
319
# in your named.conf to provide proper logging.
320
# This jail blocks UDP traffic for DNS requests.
321
 
322
# !!! WARNING !!!
323
#   Since UDP is connection-less protocol, spoofing of IP and imitation
324
#   of illegal actions is way too simple.  Thus enabling of this filter
325
#   might provide an easy way for implementing a DoS against a chosen
326
#   victim. See
327
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
328
#   Please DO NOT USE this jail unless you know what you are doing.
329
#
330
# [named-refused-udp]
331
#
332
# enabled  = false
333
# filter   = named-refused
334
# action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
335
#            sendmail-whois[name=Named, dest=you@example.com]
336
# logpath  = /var/log/named/security.log
337
# ignoreip = 168.192.0.1
338
 
339
# This jail blocks TCP traffic for DNS requests.
340
 
341
[named-refused-tcp]
342
 
343
enabled  = false
344
filter   = named-refused
345
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
346
           sendmail-whois[name=Named, dest=you@example.com]
347
logpath  = /var/log/named/security.log
348
ignoreip = 168.192.0.1
349
 
350
EOF
351
 
352
###########################################
353
## Mise en place des filters spécifiques ##
354
## - Mod_evasive.conf                    ##
355
## - htdigest.conf                       ##
356
## - 
357
## - 
358
###########################################
359
 
360
######################
361
## MOD-EVASIVE.CONF ##
362
######################
363
 
364
if (test -f $DIR_FILTER/mod-evasive.conf)
365
then
366
        mv $DIR_FILTER/mod-evasive.conf $DIR_FILTER/mod-evasive.conf.old
367
fi
368
 
369
cat << EOF > $DIR_FILTER/mod-evasive.conf
370
# Fail2Ban configuration file
371
#
372
# Author: Cyril Jaquier
373
#
374
# $Revision$
375
#
376
 
377
[Definition]
378
 
379
# Option:  failregex
380
# Notes.:  regex to match the password failure messages in the logfile. The
381
#          host must be matched by a group named "host". The tag "<HOST>" can
382
#          be used for standard IP/hostname matching and is only an alias for
383
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
384
# Values:  TEXT
385
#
386
failregex = [[]client <HOST>[]] client denied by server configuration
387
 
388
# Option:  ignoreregex
389
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
390
# Values:  TEXT
391
#
392
ignoreregex =
393
EOF
394
 
395
###################
396
## HTDIGEST.CONF ##
397
###################
398
 
399
if ( test -f $DIR_FILTER/htdigest.conf)
400
then
401
        mv $DIR_FILTER/htdigest.conf $DIR_FILTER/htdigest.conf.old
402
fi
403
 
404
cat << EOF > $DIR_FILTER/htdigest.conf
405
# Fail2Ban configuration file
406
#
407
# Author: Cyril Jaquier
408
#
409
# $Revision$
410
#
411
 
412
[Definition]
413
 
414
# Option:  failregex
415
# Notes.:  regex to match the password failure messages in the logfile. The
416
#          host must be matched by a group named "host". The tag "<HOST>" can
417
#          be used for standard IP/hostname matching and is only an alias for
418
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
419
# Values:  TEXT
420
#
421
failregex = [[]error[]] [[]client <HOST>[]] Digest:
422
 
423
# Option:  ignoreregex
424
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
425
# Values:  TEXT
426
#
427
ignoreregex =
428
EOF
429
 
430
####################
431
## INTERCEPT.CONF ##
432
####################
433
 
434
if ( test -f $DIR_FILTER/intercept.conf)
435
then
436
        mv $DIR_FILTER/intercept.conf $DIR_FILTER/intercept.conf.old
437
fi
438
 
439
cat << EOF > $DIR_FILTER/intercept.conf
440
 
441
# Fail2Ban configuration file
442
#
443
# Author: Cyril Jaquier
444
#
445
# $Revision$
446
#
447
 
448
[Definition]
449
 
450
# Option:  failregex
451
# Notes.:  regex to match the password failure messages in the logfile. The
452
#          host must be matched by a group named "host". The tag "<HOST>" can
453
#          be used for standard IP/hostname matching and is only an alias for
454
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
455
# Values:  TEXT
456
#
457
failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]GET \/intercept\.php\?res=failed[&]reason=reject
458
 
459
# Option:  ignoreregex
460
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
461
# Values:  TEXT
462
#
463
ignoreregex =
464
EOF
465
 
466
#######################
467
## MOT_DE_PASSE.CONF ##
468
#######################
469
 
470
if ( test -f $DIR_FILTER/mot_de_passe.conf )
471
then
472
        mv $DIR_FILTER/mot_de_passe.conf $DIR_FILTER/mot_de_passe.conf.old
473
fi
474
 
475
cat << EOF > $DIR_FILTER/mot_de_passe.conf
476
 
477
# Fail2Ban configuration file
478
#
479
# Author: Cyril Jaquier
480
#
481
# $Revision$
482
#
483
 
484
[Definition]
485
 
486
# Option:  failregex
487
# Notes.:  regex to match the password failure messages in the logfile. The
488
#          host must be matched by a group named "host". The tag "<HOST>" can
489
#          be used for standard IP/hostname matching and is only an alias for
490
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
491
# Values:  TEXT
492
#
493
failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]POST \/pass\/index\.php HTTP
494
 
495
# Option:  ignoreregex
496
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
497
# Values:  TEXT
498
#
499
ignoreregex =
500
EOF
501
 
502
 
503
##############################################
504
## Log sur Iptables quand iptables-allports ##
505
##############################################
506
 
507
if ( test -f $ACTION_ALLPORTS )
508
then
509
        mv $ACTION_ALLPORTS $ACTION_ALLPORTS.old
510
fi
511
 
512
cat << EOF > $ACTION_ALLPORTS
513
 
514
# Fail2Ban configuration file
515
#
516
# Author: Cyril Jaquier
517
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
518
#                       made active on all ports from original iptables.conf
519
#
520
# $Revision$
521
#
522
 
523
[Definition]
524
 
525
# Option:  actionstart
526
# Notes.:  command executed once at the start of Fail2Ban.
527
# Values:  CMD
528
#
529
actionstart = iptables -N fail2ban-<name>
530
              iptables -A fail2ban-<name> -j RETURN
531
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
532
 
533
# Option:  actionstop
534
# Notes.:  command executed once at the end of Fail2Ban
535
# Values:  CMD
536
#
537
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
538
             iptables -F fail2ban-<name>
539
             iptables -X fail2ban-<name>
540
 
541
# Option:  actioncheck
542
# Notes.:  command executed once before each actionban command
543
# Values:  CMD
544
#
545
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
546
 
547
# Option:  actionban
548
# Notes.:  command executed when banning an IP. Take care that the
549
#          command is executed with Fail2Ban user rights.
550
# Tags:    <ip>  IP address
551
#          <failures>  number of failures
552
#          <time>  unix timestamp of the ban time
553
# Values:  CMD
554
 
555
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
556
            iptables -I fail2ban-<name> 1 -s <ip> -j DROP
557
 
558
# Option:  actionunban
559
# Notes.:  command executed when unbanning an IP. Take care that the
560
#          command is executed with Fail2Ban user rights.
561
# Tags:    <ip>  IP address
562
#          <failures>  number of failures
563
#          <time>  unix timestamp of the ban time
564
# Values:  CMD
565
#
566
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
567
              iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
568
 
569
[Init]
570
 
571
# Defaut name of the chain
572
#
573
name = default
574
 
575
# Option:  protocol
576
# Notes.:  internally used by config reader for interpolations.
577
# Values:  [ tcp | udp | icmp | all ] Default: tcp
578
#
579
protocol = tcp
580
 
581
# Option:  chain
582
# Notes    specifies the iptables chain to which the fail2ban rules should be
583
#          added
584
# Values:  STRING  Default: INPUT
585
chain = INPUT
586
 
587
EOF