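#!/bin/sh
# $Id: fail2ban.sh 2487 2018-02-25 12:49:14Z lucas.echard $
#
# Writes the ALCASAR fail2ban configuration:
#   - fail2ban.conf                    daemon settings (log level/target, socket, pid file)
#   - jail.conf                        [DEFAULT] ban policy plus the ALCASAR and SSH jails
#   - filter.d/alcasar_*.conf          failregex used by each ALCASAR jail
#   - action.d/iptables-allports.conf  ban/unban rules (one DROP chain per jail)
# The packaged version of each file is kept as <file>.default the first time
# the script runs (see backup_once); later runs overwrite only the live file.
# Every heredoc uses a quoted delimiter ('EOF'): the shell then writes the
# regexes and iptables templates verbatim, with no parameter expansion and no
# backslash processing, so a '$' or '\' added to a failregex later cannot be
# silently mangled on its way to the file.

FAIL_CONF="/etc/fail2ban/fail2ban.conf"
JAIL_CONF="/etc/fail2ban/jail.conf"
# no trailing slash: joined as "$DIR_FILTER/<name>.conf" below
DIR_FILTER="/etc/fail2ban/filter.d"
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"

# backup_once FILE
# Moves FILE to FILE.default unless that backup already exists, so the
# packaged original survives the first run only. Returns 0 even when there is
# nothing to move.
backup_once() {
	if [ -f "$1" ] && [ ! -e "$1.default" ]; then
		mv "$1" "$1.default"
	fi
}

#########################################################
## fail2ban.conf: daemon settings                      ##
#########################################################
backup_once "$FAIL_CONF"
cat << 'EOF' > "$FAIL_CONF"

[Definition]

# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 3

# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock

# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
#         fail2ban server.
# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = /var/run/fail2ban/fail2ban.pid
EOF

#########################################################
## jail.conf: ban policy and jails                     ##
#########################################################
# [DEFAULT]: 5 failures (maxretry) within 60 s (findtime) ban the client for
# 300 s (bantime); 127.0.0.1/8 is never banned (ignoreip). Each jail uses the
# iptables-allports action, so a ban blocks every port, not just the service
# that triggered it. The alcasar_mod-evasive jail is written with
# enabled = false; the ssh, ACC, intercept and change-pwd jails are active.
backup_once "$JAIL_CONF"
cat << 'EOF' > "$JAIL_CONF"

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team


# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime  = 300

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)
# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes
findtime  = 60

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn

# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)
[alcasar_mod-evasive]

#enabled = true
enabled = false
backend = auto
filter = alcasar_mod-evasive
action = iptables-allports[name=alcasar_mod-evasive]
logpath = /var/log/httpd/error_log
          /var/log/httpd/ssl_error_log
maxretry = 2

# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
[ssh-iptables]

enabled = true
#enabled  = false
filter   = sshd
action   = iptables-allports[name=SSH]
logpath  = /var/log/auth.log
maxretry = 3

# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
[alcasar_acc]

enabled = true
#enabled = false
backend = auto
filter = alcasar_acc
action = iptables-allports[name=alcasar_acc]
logpath = /var/log/httpd/ssl_error_log
maxretry = 5

# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
[alcasar_intercept]

enabled = true
#enabled = false
backend = auto
filter = alcasar_intercept
action = iptables-allports[name=alcasar_intercept]
logpath = /var/log/httpd/ssl_request_log
maxretry = 5

# Bannissement sur tout les port après 5 échecs de changement de mot de passe
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
[alcasar_change-pwd]

enabled = true
#enabled = false
backend = auto
filter = alcasar_change-pwd
action = iptables-allports[name=alcasar_change-pwd]
logpath = /var/log/httpd/ssl_request_log
maxretry = 5

EOF

##################################################
## ALCASAR-specific filters (filter.d/)         ##
## - alcasar_mod-evasive.conf                   ##
## - alcasar_acc.conf                           ##
## - alcasar_intercept.conf                     ##
## - alcasar_change-pwd.conf                    ##
##################################################

######################
## MOD-EVASIVE.CONF ##
######################
# Matches Apache "client denied by server configuration" errors; the client
# address comes from the "[client <ip>:<port>]" field. The jail that uses this
# filter is written with enabled = false in jail.conf.
cat << 'EOF' > "$DIR_FILTER/alcasar_mod-evasive.conf"
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex =  \[client <HOST>:[0-9]+\] .*client denied by server configuration

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF

#######################
## ACC-HTDIGEST.CONF ##
#######################
# Matches auth_digest errors on the "ALCASAR Control Center (ACC)" realm, i.e.
# failed HTTP digest logins to the control center (read from ssl_error_log).
cat << 'EOF' > "$DIR_FILTER/alcasar_acc.conf"
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex =  \[auth_digest:error\] \[client <HOST>:[0-9]+\] .*ALCASAR Control Center \(ACC\)

#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF

####################
## INTERCEPT.CONF ##
####################
# Matches rejected portal logins: a GET of
# /intercept.php?res=failed&reason=reject in ssl_request_log.
cat << 'EOF' > "$DIR_FILTER/alcasar_intercept.conf"
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[<HOST>\] \"GET \/intercept\.php\?res=failed\&reason=reject

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF

#####################
## CHANGE-PWD.CONF ##
#####################
# Matches every POST to /password.php in ssl_request_log, successful or not
# (the regex cannot tell them apart), so with the [DEFAULT] policy five
# password changes within 60 s also ban the client; see the comment on the
# alcasar_change-pwd jail in jail.conf.
cat << 'EOF' > "$DIR_FILTER/alcasar_change-pwd.conf"

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[<HOST>\] \"POST \/password\.php


# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF

##############################################
## iptables-allports action (action.d/)     ##
##############################################
# Replaces the packaged iptables-allports action. Each jail gets its own
# fail2ban-<name> chain, hooked into <chain> (INPUT) for <protocol> (tcp by
# default, see [Init]); banning inserts a DROP rule for the source address,
# unbanning deletes it.
# NOTE(review): the previous banner of this section mentioned ULOG logging,
# but actionban/actionunban below only insert/delete a DROP rule; no log rule
# is emitted at ban time.
backup_once "$ACTION_ALLPORTS"
cat << 'EOF' > "$ACTION_ALLPORTS"
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# 			made active on all ports from original iptables.conf
# Adapted by ALCASAR team

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Defaut name of the chain
#
name = default

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT

EOF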