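# Paths of the fail2ban files this script (re)generates.
# fail2ban.conf, jail.conf and the allports action are renamed *.default
# before being replaced; the filter files are written directly.
FAIL_CONF="/etc/fail2ban/fail2ban.conf"
JAIL_CONF="/etc/fail2ban/jail.conf"
# No trailing slash: every user of this variable appends "/<filter>.conf"
# itself, so a trailing slash only produced "filter.d//..." paths.
DIR_FILTER="/etc/fail2ban/filter.d"
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"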
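#########################################################
## Regenerate the fail2ban daemon configuration        ##
#########################################################
# Keep the distribution file as a pristine reference: back it up only the
# first time.  Unconditionally renaming it on every run would overwrite the
# backup with a copy generated by a previous run of this script.
if [ -f "$FAIL_CONF" ] && [ ! -f "$FAIL_CONF.default" ]
then
        mv "$FAIL_CONF" "$FAIL_CONF.default"
fi
# Quoted delimiter: the content is written verbatim, no parameter or
# backslash expansion can alter it.
cat << 'EOF' > "$FAIL_CONF"

[Definition]

# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 3

# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
EOF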
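#########################################################
## Regenerate the fail2ban jail configuration          ##
#########################################################
# Back up the distribution jail.conf only once, so that re-running this
# script never overwrites the pristine copy with a generated one.
if [ -f "$JAIL_CONF" ] && [ ! -f "$JAIL_CONF.default" ]
then
        mv "$JAIL_CONF" "$JAIL_CONF.default"
fi
# NOTE(review): fail2ban resolves "filter = X" to filter.d/X.conf.  The
# ALCASAR filter files written by this script are named alcasar_*.conf, so
# every ALCASAR jail below references the alcasar_* name.  The previous
# values (mod-evasive, htdigest, intercept, mot_de_passe) pointed at files
# this script does not create: such a jail fails to load and bans nobody.
cat << 'EOF' > "$JAIL_CONF"

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned (here 5 minutes).
bantime = 300

# A host is banned if it has generated "maxretry" failures during the last
# "findtime" seconds.  ALCASAR default: 5 hits per filter within 60 seconds;
# some jails below lower "maxretry".
findtime = 60

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto

# Ban on all ports after 2 Apache "client denied by server configuration"
# errors, i.e. requests refused by the server's access rules.
[alcasar_mod-evasive]

enabled = true
filter = alcasar_mod-evasive
action = iptables-allports[name=alcasar_mod-evasive]
logpath = /var/log/httpd/error_log
maxretry = 2

# Ban on all ports after 3 SSH authentication failures (brute-force attempts).
# NOTE(review): confirm the sshd log location on the target distribution
# (auth.log vs. secure); a wrong logpath silently disables the jail.
[ssh-iptables]

enabled = true
filter = sshd
action = iptables-allports[name=SSH]
logpath = /var/log/auth.log
maxretry = 3

# Ban on all ports after 5 failed logins on the control centre (ACC).
[alcasar_htdigest]

enabled = true
filter = alcasar_htdigest
action = iptables-allports[name=alcasar_htdigest]
logpath = /var/log/httpd/ssl_error_log
maxretry = 5

# Ban on all ports after 5 failed captive-portal logins from one host.
[alcasar_intercept]

enabled = true
filter = alcasar_intercept
action = iptables-allports[name=alcasar_intercept]
logpath = /var/log/httpd/ssl_request_log
maxretry = 5

# Ban on all ports after 5 password-change POSTs, whether they succeeded or
# not: the request log does not distinguish the two outcomes.
[alcasar_change-password]

enabled = true
filter = alcasar_change-password
action = iptables-allports[name=alcasar_change-password]
logpath = /var/log/httpd/ssl_request_log
maxretry = 5
EOF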
##################################################
## ALCASAR-specific fail2ban filters            ##
## - alcasar_mod-evasive.conf                   ##
## - alcasar_htdigest.conf                      ##
## - alcasar_intercept.conf                     ##
## - alcasar_change-password.conf               ##
##################################################

######################
## MOD-EVASIVE.CONF ##
######################
# Matches Apache "client denied by server configuration" lines (error_log).
# NOTE(review): fail2ban loads filters by file basename, so a jail has to set
# "filter = alcasar_mod-evasive" to use this file.
cat << 'EOF' > "$DIR_FILTER/alcasar_mod-evasive.conf"
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
#          "[[]" and "[]]" are one-character classes matching a literal
#          "[" and "]".
# Values:  TEXT
#
failregex = [[]client <HOST>[]] client denied by server configuration

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
EOF
###################
## HTDIGEST.CONF ##
###################
# Matches Apache digest-authentication errors (ssl_error_log), i.e. failed
# logins on the ALCASAR control centre.
# NOTE(review): fail2ban loads filters by file basename, so a jail has to set
# "filter = alcasar_htdigest" to use this file.
cat << 'EOF' > "$DIR_FILTER/alcasar_htdigest.conf"
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
#          "[[]" and "[]]" are one-character classes matching a literal
#          "[" and "]".
# Values:  TEXT
#
failregex = [[]error[]] [[]client <HOST>[]] Digest:

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
EOF
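####################
## INTERCEPT.CONF ##
####################
# Failed captive-portal logins, read from Apache's ssl_request_log.
# NOTE(review): the previous pattern hard-coded "TLSv1 DHE-RSA-AES256-SHA"
# for the two fields that sit between the host and the request.  A client
# negotiating any other protocol version or cipher suite never matched, so
# the ban was trivially avoidable.  Both fields are now matched generically.
# fail2ban loads filters by file basename, so a jail has to set
# "filter = alcasar_intercept" to use this file.
cat << 'EOF' > "$DIR_FILTER/alcasar_intercept.conf"
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
#          An ssl_request_log line is presumably mod_ssl's default format:
#          time, client host, SSL protocol, cipher, quoted request, size.
#          The protocol and cipher are matched with \S+ so that every
#          negotiated suite is covered.
# Values:  TEXT
#
failregex = <HOST> \S+ \S+ ["]GET \/intercept\.php\?res=failed[&]reason=reject

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
EOF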
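###########################
## CHANGE-PASSWORD.CONF ##
###########################
# Password-change requests, read from Apache's ssl_request_log.  Every POST
# to /pass/index.php counts, successful or not: the request log cannot tell
# the two apart.
# NOTE(review): the previous pattern hard-coded "TLSv1 DHE-RSA-AES256-SHA"
# for the protocol/cipher fields preceding the request; a client using any
# other protocol version or cipher suite was never counted.  Both fields are
# now matched generically.
# fail2ban loads filters by file basename, so a jail has to set
# "filter = alcasar_change-password" to use this file.
cat << 'EOF' > "$DIR_FILTER/alcasar_change-password.conf"

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
#          An ssl_request_log line is presumably mod_ssl's default format:
#          time, client host, SSL protocol, cipher, quoted request, size.
#          The protocol and cipher are matched with \S+ so that every
#          negotiated suite is covered.
# Values:  TEXT
#
failregex = <HOST> \S+ \S+ ["]POST \/pass\/index\.php HTTP

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
EOF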
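##############################################
## Log to ULOG when iptables-allports bans  ##
##############################################
# Back up the distribution action only once, so that re-running this script
# never overwrites the pristine copy with a generated one.
if [ -f "$ACTION_ALLPORTS" ] && [ ! -f "$ACTION_ALLPORTS.default" ]
then
        mv "$ACTION_ALLPORTS" "$ACTION_ALLPORTS.default"
fi
# NOTE(review): the previous actionban inserted the ULOG rule and then the
# DROP rule, both at position 1, which left DROP in front of ULOG: the
# terminating DROP matched first and the log rule was never reached, so bans
# were never logged.  The insertion order is now reversed (see actionban).
cat << 'EOF' > "$ACTION_ALLPORTS"
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
#                       made active on all ports from original iptables.conf
# Adapted by ALCASAR team

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          Both rules are inserted at position 1, so the rule inserted last
#          ends up first.  DROP is inserted first and ULOG second, giving
#          the order ULOG -> DROP: the non-terminating ULOG rule logs the
#          packet, then DROP discards it.
#          NOTE(review): the ULOG target has been dropped from recent kernels
#          in favour of NFLOG; check the target kernel before relying on it.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          Deletion order does not matter; both rules are removed.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
              iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Default name of the chain
#
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
#          NOTE(review): with "tcp" only TCP traffic is diverted into the
#          fail2ban-<name> chain (see actionstart), so despite the action's
#          name UDP and ICMP from a banned host are not blocked.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

EOF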