Subversion Repositories ALCASAR

#!/bin/sh

# $Id: fail2ban.sh 2271 2017-06-04 18:45:27Z tom.houdayer $

FAIL_CONF="/etc/fail2ban/fail2ban.conf"

JAIL_CONF="/etc/fail2ban/jail.conf"

DIR_FILTER="/etc/fail2ban/filter.d/"

ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"

#########################################################

## Mise à jour du fichier de configuration de fail2ban ##

#########################################################

[ -f $FAIL_CONF ] && [ ! -e $FAIL_CONF.default ] && mv $FAIL_CONF $FAIL_CONF.default

cat << EOF > $FAIL_CONF

[Definition]

# Option:  loglevel

# Notes.:  Set the log level output.

#          1 = ERROR

#          2 = WARN

#          3 = INFO

#          4 = DEBUG

# Values:  NUM  Default:  3

#

loglevel = 3

# Option:  logtarget

# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.

#          Only one log target can be specified.

# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log

#

logtarget = /var/log/fail2ban.log

# Option: socket

# Notes.: Set the socket file. This is used to communicate with the daemon. Do

#         not remove this file when Fail2ban runs. It will not be possible to

#         communicate with the server afterwards.

# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock

#

socket = /var/run/fail2ban/fail2ban.sock

# Option: pidfile

# Notes.: Set the PID file. This is used to store the process ID of the

#         fail2ban server.

# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid

#

pidfile = /var/run/fail2ban/fail2ban.pid

EOF

#########################################################

## Mise à jour de la configuration de jail de fail2ban ##

#########################################################

[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default

cat << EOF > $JAIL_CONF

# Fail2Ban configuration file

#

# Author: Cyril Jaquier

# Adapted by ALCASAR team

# The DEFAULT allows a global definition of the options. They can be overridden

# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not

# ban a host which matches an address in this list. Several addresses can be

# defined using space separator.

ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.

bantime  = 300

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.

# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)

# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes

findtime  = 60

# "maxretry" is the number of failures before a host get banned.

maxretry = 5

# "backend" specifies the backend used to get files modification. Available

# options are "gamin", "polling" and "auto". This option can be overridden in

# each jail too (use "gamin" for a jail and "polling" for another).

#

# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin

#          is not installed, Fail2ban will use polling.

# polling: uses a polling algorithm which does not require external libraries.

# auto:    will choose Gamin if available and polling otherwise.

backend = auto

# "usedns" specifies if jails should trust hostnames in logs,

# warn when DNS lookups are performed, or ignore all hostnames in logs

#

# yes: if a hostname is encountered, a DNS lookup will be performed.

# warn: if a hostname is encountered, a DNS lookup will be performed,

# but it will be logged as a warning.

# no: if a hostname is encountered, will not be used for banning,

# but it will be logged as info.

usedns = warn

# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)

[alcasar_mod-evasive]

#enabled = true

enabled = false

filter = alcasar_mod-evasive

action = iptables-allports[name=alcasar_mod-evasive]

logpath = /var/log/httpd/error_log

          /var/log/httpd/ssl_error_log

maxretry = 2

# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)

[ssh-iptables]

enabled = true

#enabled  = false

filter   = sshd

action   = iptables-allports[name=SSH]

logpath  = /var/log/auth.log

maxretry = 3

# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)

[alcasar_acc-htdigest]

enabled = true

#enabled = false

filter = alcasar_acc-htdigest

action = iptables-allports[name=alcasar_acc-htdigest]

logpath = /var/log/httpd/ssl_error_log

maxretry = 5

# Bannissement sur tout les ports après 5 echecs de connexion pour un usager

[alcasar_intercept]

enabled = true

#enabled = false

filter = alcasar_intercept

action = iptables-allports[name=alcasar_intercept]

logpath = /var/log/httpd/ssl_request_log

maxretry = 5

# Bannissement sur tout les port après 5 échecs de changement de mot de passe

# 5 POST pour changer le mot de passe que le POST soit ok ou non.

[alcasar_change-pwd]

enabled = true

#enabled = false

filter = alcasar_change-pwd

action = iptables-allports[name=alcasar_change-pwd]

logpath = /var/log/httpd/ssl_request_log

maxretry = 5

EOF

##################################################

## Mise en place des filtres spécifiques       ##

## - Mod_evasive.conf                           ##

## - acc-htdigest.conf                          ##

## - intercept.conf                             ##

## - change-pwd.conf                            ##

##################################################

######################

## MOD-EVASIVE.CONF ##

######################

cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf

# Fail2Ban configuration file

#

# Author: Cyril Jaquier

# Adapted by ALCASAR team

[Definition]

# Option:  failregex

# Notes.:  regex to match the password failure messages in the logfile. The

#          host must be matched by a group named "host". The tag "<HOST>" can

#          be used for standard IP/hostname matching and is only an alias for

#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)

# Values:  TEXT

#

failregex =  \[client <HOST>:[0-9]+\] .*client denied by server configuration

# Option:  ignoreregex

# Notes.:  regex to ignore. If this regex matches, the line is ignored.

# Values:  TEXT

#

ignoreregex =

EOF

#######################

## ACC-HTDIGEST.CONF ##

#######################

cat << EOF > $DIR_FILTER/alcasar_acc-htdigest.conf

# Fail2Ban configuration file

#

# Author: Cyril Jaquier

# Adapted by ALCASAR team

[Definition]

# Option:  failregex

# Notes.:  regex to match the password failure messages in the logfile. The

#          host must be matched by a group named "host". The tag "<HOST>" can

#          be used for standard IP/hostname matching and is only an alias for

#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)

# Values:  TEXT

#

failregex =  \[auth_digest:error\] \[client <HOST>:[0-9]+\] .*ALCASAR Control Center \(ACC\)

#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]

# Option:  ignoreregex

# Notes.:  regex to ignore. If this regex matches, the line is ignored.

# Values:  TEXT

#

ignoreregex =

EOF

####################

## INTERCEPT.CONF ##

####################

cat << EOF > $DIR_FILTER/alcasar_intercept.conf

# Fail2Ban configuration file

#

# Author: Cyril Jaquier

# Adapted by ALCASAR team

[Definition]

# Option:  failregex

# Notes.:  regex to match the password failure messages in the logfile. The

#          host must be matched by a group named "host". The tag "<HOST>" can

#          be used for standard IP/hostname matching and is only an alias for

#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)

# Values:  TEXT

#

failregex = \[<HOST>\] \"GET \/intercept\.php\?res=failed\&reason=reject

# Option:  ignoreregex

# Notes.:  regex to ignore. If this regex matches, the line is ignored.

# Values:  TEXT

#

ignoreregex =

EOF

#####################

## CHANGE-PWD.CONF ##

#####################

cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf

# Fail2Ban configuration file

#

# Author: Cyril Jaquier

# Adapted by ALCASAR team

[Definition]

# Option:  failregex

# Notes.:  regex to match the password failure messages in the logfile. The

#          host must be matched by a group named "host". The tag "<HOST>" can

#          be used for standard IP/hostname matching and is only an alias for

#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)

# Values:  TEXT

#

failregex = \[<HOST>\] \"POST \/pass

# Option:  ignoreregex

# Notes.:  regex to ignore. If this regex matches, the line is ignored.

# Values:  TEXT

#

ignoreregex =

EOF

##############################################

##   Log sur ULOG quand iptables-allports   ##

##############################################

[ -f $ACTION_ALLPORTS ] && [ ! -e $ACTION_ALLPORTS.default ] && mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default

cat << EOF > $ACTION_ALLPORTS

# Fail2Ban configuration file

#

# Author: Cyril Jaquier

# Modified: Yaroslav O. Halchenko <debian@onerussian.com>

#                       made active on all ports from original iptables.conf

# Adapted by ALCASAR team

[Definition]

# Option:  actionstart

# Notes.:  command executed once at the start of Fail2Ban.

# Values:  CMD

#

actionstart = iptables -N fail2ban-<name>

              iptables -A fail2ban-<name> -j RETURN

              iptables -I <chain> -p <protocol> -j fail2ban-<name>

# Option:  actionstop

# Notes.:  command executed once at the end of Fail2Ban

# Values:  CMD

#

actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>

             iptables -F fail2ban-<name>

             iptables -X fail2ban-<name>

# Option:  actioncheck

# Notes.:  command executed once before each actionban command

# Values:  CMD

#

actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

# Option:  actionban

# Notes.:  command executed when banning an IP. Take care that the

#          command is executed with Fail2Ban user rights.

# Tags:    <ip>  IP address

#          <failures>  number of failures

#          <time>  unix timestamp of the ban time

# Values:  CMD

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"

            iptables -I fail2ban-<name> 1 -s <ip> -j DROP

# Option:  actionunban

# Notes.:  command executed when unbanning an IP. Take care that the

#          command is executed with Fail2Ban user rights.

# Tags:    <ip>  IP address

#          <failures>  number of failures

#          <time>  unix timestamp of the ban time

# Values:  CMD

#

actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

              iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"

[Init]

# Defaut name of the chain

#

name = default

# Option:  protocol

# Notes.:  internally used by config reader for interpolations.

# Values:  [ tcp | udp | icmp | all ] Default: tcp

#

protocol = tcp

# Option:  chain

# Notes    specifies the iptables chain to which the fail2ban rules should be

#          added

# Values:  STRING  Default: INPUT

chain = INPUT

EOF