Subversion Repositories ALCASAR

Rev

Rev 2272 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log

Rev Author Line No. Line
2271 tom.houday 1
#!/bin/sh
2
# $Id: fail2ban.sh 2284 2017-06-20 08:10:24Z tom.houdayer $
3
 
1191 crox53 4
FAIL_CONF="/etc/fail2ban/fail2ban.conf"
5
JAIL_CONF="/etc/fail2ban/jail.conf"
6
DIR_FILTER="/etc/fail2ban/filter.d/"
7
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"
8
 
1388 richard 9
#########################################################
10
## Mise à jour du fichier de configuration de fail2ban ##
11
#########################################################
2271 tom.houday 12
[ -f $FAIL_CONF ] && [ ! -e $FAIL_CONF.default ] && mv $FAIL_CONF $FAIL_CONF.default
1191 crox53 13
cat << EOF > $FAIL_CONF
14
 
15
[Definition]
16
 
17
# Option:  loglevel
18
# Notes.:  Set the log level output.
19
#          1 = ERROR
20
#          2 = WARN
21
#          3 = INFO
22
#          4 = DEBUG
23
# Values:  NUM  Default:  3
24
#
25
loglevel = 3
26
 
27
# Option:  logtarget
28
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
29
#          Only one log target can be specified.
30
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
31
#
32
logtarget = /var/log/fail2ban.log
33
 
34
# Option: socket
35
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
36
#         not remove this file when Fail2ban runs. It will not be possible to
37
#         communicate with the server afterwards.
38
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
39
#
40
socket = /var/run/fail2ban/fail2ban.sock
1410 richard 41
 
42
# Option: pidfile
43
# Notes.: Set the PID file. This is used to store the process ID of the
44
#         fail2ban server.
45
# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
46
#
47
pidfile = /var/run/fail2ban/fail2ban.pid
1191 crox53 48
EOF
49
 
50
#########################################################
51
## Mise à jour de la configuration de jail de fail2ban ##
52
#########################################################
2271 tom.houday 53
[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default
1191 crox53 54
cat << EOF > $JAIL_CONF
55
 
56
# Fail2Ban configuration file
57
#
58
# Author: Cyril Jaquier
1388 richard 59
# Adapted by ALCASAR team
1191 crox53 60
 
1388 richard 61
 
1191 crox53 62
# The DEFAULT allows a global definition of the options. They can be overridden
63
# in each jail afterwards.
64
 
65
[DEFAULT]
66
 
67
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
68
# ban a host which matches an address in this list. Several addresses can be
69
# defined using space separator.
70
ignoreip = 127.0.0.1/8
71
 
72
# "bantime" is the number of seconds that a host is banned.
1270 richard 73
bantime  = 300
1191 crox53 74
 
1388 richard 75
# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
76
# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)
77
# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes
1191 crox53 78
findtime  = 60
79
 
80
# "maxretry" is the number of failures before a host get banned.
81
maxretry = 5
82
 
83
# "backend" specifies the backend used to get files modification. Available
84
# options are "gamin", "polling" and "auto". This option can be overridden in
85
# each jail too (use "gamin" for a jail and "polling" for another).
86
#
87
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
88
#          is not installed, Fail2ban will use polling.
89
# polling: uses a polling algorithm which does not require external libraries.
90
# auto:    will choose Gamin if available and polling otherwise.
91
backend = auto
92
 
1410 richard 93
# "usedns" specifies if jails should trust hostnames in logs,
94
# warn when DNS lookups are performed, or ignore all hostnames in logs
95
#
96
# yes: if a hostname is encountered, a DNS lookup will be performed.
97
# warn: if a hostname is encountered, a DNS lookup will be performed,
98
# but it will be logged as a warning.
99
# no: if a hostname is encountered, will not be used for banning,
100
# but it will be logged as info.
101
usedns = warn
102
 
1388 richard 103
# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)
104
[alcasar_mod-evasive]
1191 crox53 105
 
1410 richard 106
#enabled = true
107
enabled = false
108
filter = alcasar_mod-evasive
1388 richard 109
action = iptables-allports[name=alcasar_mod-evasive]
1191 crox53 110
logpath = /var/log/httpd/error_log
2271 tom.houday 111
          /var/log/httpd/ssl_error_log
1191 crox53 112
maxretry = 2
113
 
1388 richard 114
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
1191 crox53 115
[ssh-iptables]
116
 
117
enabled = true
118
#enabled  = false
119
filter   = sshd
120
action   = iptables-allports[name=SSH]
121
logpath  = /var/log/auth.log
122
maxretry = 3
123
 
1388 richard 124
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
2284 tom.houday 125
[alcasar_acc]
1191 crox53 126
 
127
enabled = true
128
#enabled = false
2284 tom.houday 129
filter = alcasar_acc
130
action = iptables-allports[name=alcasar_acc]
2271 tom.houday 131
logpath = /var/log/httpd/ssl_error_log
1191 crox53 132
maxretry = 5
133
 
1388 richard 134
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
135
[alcasar_intercept]
1191 crox53 136
 
137
enabled = true
138
#enabled = false
1410 richard 139
filter = alcasar_intercept
1388 richard 140
action = iptables-allports[name=alcasar_intercept]
1191 crox53 141
logpath = /var/log/httpd/ssl_request_log
142
maxretry = 5
143
 
1388 richard 144
# Bannissement sur tout les port après 5 échecs de changement de mot de passe
1191 crox53 145
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
1410 richard 146
[alcasar_change-pwd]
1191 crox53 147
 
148
enabled = true
149
#enabled = false
1410 richard 150
filter = alcasar_change-pwd
151
action = iptables-allports[name=alcasar_change-pwd]
1191 crox53 152
logpath = /var/log/httpd/ssl_request_log
153
maxretry = 5
1410 richard 154
 
1191 crox53 155
EOF
156
 
1388 richard 157
##################################################
158
## Mise en place des filtres spécifiques       ##
159
## - Mod_evasive.conf                           ##
2271 tom.houday 160
## - acc-htdigest.conf                          ##
1388 richard 161
## - intercept.conf                             ##
2271 tom.houday 162
## - change-pwd.conf                            ##
1388 richard 163
##################################################
1191 crox53 164
 
165
######################
166
## MOD-EVASIVE.CONF ##
167
######################
1388 richard 168
cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf
1191 crox53 169
# Fail2Ban configuration file
170
#
171
# Author: Cyril Jaquier
1388 richard 172
# Adapted by ALCASAR team
1191 crox53 173
 
174
[Definition]
175
 
176
# Option:  failregex
177
# Notes.:  regex to match the password failure messages in the logfile. The
178
#          host must be matched by a group named "host". The tag "<HOST>" can
179
#          be used for standard IP/hostname matching and is only an alias for
180
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
181
# Values:  TEXT
182
#
2271 tom.houday 183
failregex =  \[client <HOST>:[0-9]+\] .*client denied by server configuration
1191 crox53 184
 
185
# Option:  ignoreregex
186
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
187
# Values:  TEXT
188
#
189
ignoreregex =
190
EOF
191
 
2271 tom.houday 192
#######################
193
## ACC-HTDIGEST.CONF ##
194
#######################
2284 tom.houday 195
cat << EOF > $DIR_FILTER/alcasar_acc.conf
1191 crox53 196
# Fail2Ban configuration file
197
#
198
# Author: Cyril Jaquier
1388 richard 199
# Adapted by ALCASAR team
1191 crox53 200
 
201
[Definition]
202
 
203
# Option:  failregex
204
# Notes.:  regex to match the password failure messages in the logfile. The
205
#          host must be matched by a group named "host". The tag "<HOST>" can
206
#          be used for standard IP/hostname matching and is only an alias for
207
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
208
# Values:  TEXT
209
#
2271 tom.houday 210
failregex =  \[auth_digest:error\] \[client <HOST>:[0-9]+\] .*ALCASAR Control Center \(ACC\)
1191 crox53 211
 
1410 richard 212
#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]
213
 
1191 crox53 214
# Option:  ignoreregex
215
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
216
# Values:  TEXT
217
#
218
ignoreregex =
219
EOF
220
 
221
####################
222
## INTERCEPT.CONF ##
223
####################
1388 richard 224
cat << EOF > $DIR_FILTER/alcasar_intercept.conf
1191 crox53 225
# Fail2Ban configuration file
226
#
227
# Author: Cyril Jaquier
1388 richard 228
# Adapted by ALCASAR team
1191 crox53 229
 
230
[Definition]
231
 
232
# Option:  failregex
233
# Notes.:  regex to match the password failure messages in the logfile. The
234
#          host must be matched by a group named "host". The tag "<HOST>" can
235
#          be used for standard IP/hostname matching and is only an alias for
236
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
237
# Values:  TEXT
238
#
2271 tom.houday 239
failregex = \[<HOST>\] \"GET \/intercept\.php\?res=failed\&reason=reject
1191 crox53 240
 
241
# Option:  ignoreregex
242
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
243
# Values:  TEXT
244
#
245
ignoreregex =
246
EOF
247
 
2271 tom.houday 248
#####################
249
## CHANGE-PWD.CONF ##
250
#####################
1410 richard 251
cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf
1191 crox53 252
 
253
# Fail2Ban configuration file
254
#
255
# Author: Cyril Jaquier
1388 richard 256
# Adapted by ALCASAR team
1191 crox53 257
 
258
[Definition]
259
 
260
# Option:  failregex
261
# Notes.:  regex to match the password failure messages in the logfile. The
262
#          host must be matched by a group named "host". The tag "<HOST>" can
263
#          be used for standard IP/hostname matching and is only an alias for
264
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
265
# Values:  TEXT
266
#
2272 tom.houday 267
failregex = \[<HOST>\] \"POST \/password\.php
1191 crox53 268
 
1410 richard 269
 
1191 crox53 270
# Option:  ignoreregex
271
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
272
# Values:  TEXT
273
#
274
ignoreregex =
275
EOF
276
 
277
##############################################
1388 richard 278
##   Log sur ULOG quand iptables-allports   ##
1191 crox53 279
##############################################
2271 tom.houday 280
[ -f $ACTION_ALLPORTS ] && [ ! -e $ACTION_ALLPORTS.default ] && mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default
1191 crox53 281
cat << EOF > $ACTION_ALLPORTS
282
# Fail2Ban configuration file
283
#
284
# Author: Cyril Jaquier
285
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
286
#                       made active on all ports from original iptables.conf
1388 richard 287
# Adapted by ALCASAR team
1191 crox53 288
 
289
[Definition]
290
 
291
# Option:  actionstart
292
# Notes.:  command executed once at the start of Fail2Ban.
293
# Values:  CMD
294
#
295
actionstart = iptables -N fail2ban-<name>
296
              iptables -A fail2ban-<name> -j RETURN
297
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
298
 
299
# Option:  actionstop
300
# Notes.:  command executed once at the end of Fail2Ban
301
# Values:  CMD
302
#
303
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
304
             iptables -F fail2ban-<name>
305
             iptables -X fail2ban-<name>
306
 
307
# Option:  actioncheck
308
# Notes.:  command executed once before each actionban command
309
# Values:  CMD
310
#
311
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
312
 
313
# Option:  actionban
314
# Notes.:  command executed when banning an IP. Take care that the
315
#          command is executed with Fail2Ban user rights.
316
# Tags:    <ip>  IP address
317
#          <failures>  number of failures
318
#          <time>  unix timestamp of the ban time
319
# Values:  CMD
320
 
321
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
2272 tom.houday 322
            iptables -I fail2ban-<name> 1 -s <ip> -j DROP
1191 crox53 323
 
324
# Option:  actionunban
325
# Notes.:  command executed when unbanning an IP. Take care that the
326
#          command is executed with Fail2Ban user rights.
327
# Tags:    <ip>  IP address
328
#          <failures>  number of failures
329
#          <time>  unix timestamp of the ban time
330
# Values:  CMD
331
#
332
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
2272 tom.houday 333
              iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
1191 crox53 334
 
335
[Init]
336
 
337
# Defaut name of the chain
338
#
339
name = default
340
 
341
# Option:  protocol
342
# Notes.:  internally used by config reader for interpolations.
343
# Values:  [ tcp | udp | icmp | all ] Default: tcp
344
#
345
protocol = tcp
346
 
347
# Option:  chain
348
# Notes    specifies the iptables chain to which the fail2ban rules should be
349
#          added
350
# Values:  STRING  Default: INPUT
351
chain = INPUT
352
 
353
EOF