# Locations of the fail2ban files regenerated by this script.
# fail2ban.conf, jail.conf and the allports action are backed up as
# "<file>.default" before being rewritten; the filters in DIR_FILTER
# are written without a backup.
FAIL_CONF="/etc/fail2ban/fail2ban.conf"
JAIL_CONF="/etc/fail2ban/jail.conf"
# Trailing slash kept on purpose: callers append "/name.conf", which only
# yields a harmless double slash.
DIR_FILTER="/etc/fail2ban/filter.d/"
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"
#########################################################
## Regenerate the fail2ban daemon configuration file   ##
#########################################################
# The distribution copy is moved aside as "$FAIL_CONF.default".
# NOTE(review): on a second run the ALCASAR-generated file is moved over
# that backup, so the pristine distribution copy only survives the first run.
if [ -f "$FAIL_CONF" ]
then
        mv "$FAIL_CONF" "$FAIL_CONF.default"
fi
# Quoted delimiter: the content is written verbatim (it contains no shell
# variables or backticks, so the generated file is unchanged).
cat > "$FAIL_CONF" << 'EOF'

[Definition]

# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 3

# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock

# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
#         fail2ban server.
# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = /var/run/fail2ban/fail2ban.pid
EOF
#########################################################
## Regenerate the fail2ban jail configuration          ##
#########################################################
# The distribution copy is moved aside as "$JAIL_CONF.default".
# NOTE(review): a second run moves the ALCASAR-generated file over that
# backup; the pristine distribution copy only survives the first run.
#
# Reviewer remarks on the jails written below (the generated content
# itself is unchanged):
# - every jail uses the iptables-allports action, whose protocol defaults
#   to tcp: "all ports" means all TCP ports, UDP/ICMP from a banned host
#   are still accepted unless protocol=all is passed to the action.
# - bantime is 300 s: a brute-forcer is slowed down, not locked out.
#   Raise it if the ACC or SSH are reachable from untrusted networks.
# - usedns=warn still performs DNS lookups on hostnames found in logs;
#   "no" removes the DNS dependency from the ban path.
# - the sshd jail reads /var/log/auth.log; confirm the local syslog really
#   writes sshd messages there, otherwise that jail never fires.
if [ -f "$JAIL_CONF" ]
then
        mv "$JAIL_CONF" "$JAIL_CONF.default"
fi
# Quoted delimiter: content written verbatim (no shell expansion needed).
cat > "$JAIL_CONF" << 'EOF'

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team


# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime  = 300

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)
# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes
findtime  = 60

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn

# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)
[alcasar_mod-evasive]

#enabled = true
enabled = false
filter = alcasar_mod-evasive
action = iptables-allports[name=alcasar_mod-evasive]
logpath = /var/log/httpd/error_log
maxretry = 2

# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
[ssh-iptables]

enabled = true
#enabled  = false
filter   = sshd
action   = iptables-allports[name=SSH]
logpath  = /var/log/auth.log
maxretry = 3

# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
[alcasar_htdigest]

enabled = true
#enabled = false
filter = alcasar_htdigest
action = iptables-allports[name=alcasar_htdigest]
logpath = /var/log/httpd/ssl_request_log
maxretry = 5

# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
[alcasar_intercept]

enabled = true
#enabled = false
filter = alcasar_intercept
action = iptables-allports[name=alcasar_intercept]
logpath = /var/log/httpd/ssl_request_log
maxretry = 5

# Bannissement sur tout les port après 5 échecs de changement de mot de passe
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
[alcasar_change-pwd]

enabled = true
#enabled = false
filter = alcasar_change-pwd
action = iptables-allports[name=alcasar_change-pwd]
logpath = /var/log/httpd/ssl_request_log
maxretry = 5

EOF
##################################################
## Install the ALCASAR-specific filters          ##
## - alcasar_mod-evasive.conf                    ##
## - alcasar_htdigest.conf                       ##
## - alcasar_intercept.conf                      ##
## - alcasar_change-pwd.conf (password change)   ##
##################################################

######################
## MOD-EVASIVE.CONF ##
######################
# Filter for Apache "client denied by server configuration" errors.
# NOTE(review): the pattern expects "[client <IP>]" with no port suffix;
# newer Apache releases log "[client <IP>:<port>]", in which case this
# never matches. Check a real error_log line before enabling the jail
# (it is written disabled in jail.conf).
# Quoted delimiter: the regex backslashes are written verbatim.
cat > "$DIR_FILTER/alcasar_mod-evasive.conf" << 'EOF'
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = [[]client <HOST>[]] client denied by server configuration

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
EOF
###################
## HTDIGEST.CONF ##
###################
# Filter for failed digest logins on the control centre (ACC).
# NOTE(review): a failure is recognised only as a "GET /acc HTTP/1.1" line
# whose response size is exactly 972 bytes. Any change to the 401 page
# (theme, version, a different HTTP version string) silently disables
# this jail: re-check the size after every ACC/Apache upgrade, or match
# the 401 status instead if the LogFormat records it.
# Quoted delimiter: the regex backslashes are written verbatim.
cat > "$DIR_FILTER/alcasar_htdigest.conf" << 'EOF'
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
#failregex = [[]error[]] [[]client <HOST>[]] Digest:
failregex = [[]<HOST>[]] "GET /acc HTTP/1.1" 972

#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
EOF
####################
## INTERCEPT.CONF ##
####################
# Filter for rejected captive-portal logins: a GET of
# intercept.php?res=failed&reason=reject in ssl_request_log.
# NOTE(review): assumes ssl_request_log lines start with "[<client IP>]"
# followed by the quoted request line — confirm against the LogFormat,
# since a different format makes the jail silently inert.
# Quoted delimiter: the regex backslashes are written verbatim.
cat > "$DIR_FILTER/alcasar_intercept.conf" << 'EOF'
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
#failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]GET \/intercept\.php\?res=failed[&]reason=reject
failregex = [[]<HOST>[]] ["]GET \/intercept\.php\?res=failed[&]reason=reject

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
EOF
#######################
## CHANGE-PWD.CONF   ##
#######################
# Filter for the user password-change page. Per the jail comment, every
# POST to /pass/index.php counts, successful or not.
# NOTE(review): the match is also pinned to a response size of 11169
# bytes and to "HTTP/1.1", so any change to the page (or to the HTTP
# version clients use) silently disables the jail; re-verify after upgrades.
# Quoted delimiter: the regex backslashes are written verbatim.
cat > "$DIR_FILTER/alcasar_change-pwd.conf" << 'EOF'

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
#failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]POST \/pass\/index\.php HTTP
failregex = [[]<HOST>[]] ["]POST /pass/index.php HTTP/1.1" 11169


# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
EOF
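##############################################
##   Log to ULOG when iptables-allports bans ##
##############################################
# Regenerates the "iptables-allports" action used by every jail in
# jail.conf. The distribution copy is moved aside as
# "$ACTION_ALLPORTS.default" (a second run moves the ALCASAR version over
# that backup).
#
# Fix: the previous actionban inserted ULOG at position 1 and then DROP at
# position 1, leaving the chain as DROP -> ULOG. A banned packet hit DROP
# first and the ULOG rule was never reached, so bans were never logged.
# DROP is now inserted first and ULOG afterwards, so the chain reads
# ULOG -> DROP (ULOG is non-terminating; the packet goes on to DROP).
#
# NOTE(review): ULOG is a legacy netfilter target that recent kernels no
# longer provide (NFLOG replaced it); verify it is available on the target
# kernel or convert the two ULOG rules to NFLOG.
# NOTE(review): protocol defaults to tcp below, so "allports" blocks TCP
# only; pass protocol=all from the jail if UDP/ICMP must be dropped too.
if [ -f "$ACTION_ALLPORTS" ]
then
        mv "$ACTION_ALLPORTS" "$ACTION_ALLPORTS.default"
fi
# Quoted delimiter: the <tags> and "Fail2Ban -- DROP" are written verbatim.
cat > "$ACTION_ALLPORTS" << 'EOF'
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
#                       made active on all ports from original iptables.conf
# Adapted by ALCASAR team

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
# Order matters: DROP is inserted first, then ULOG at position 1, so the
# chain ends up ULOG -> DROP and the ban is logged before the packet is dropped.

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
              iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"

[Init]

# Defaut name of the chain
#
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

EOF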