Subversion Repositories ALCASAR

Rev

Rev 2487 | Go to most recent revision | Details | Compare with Previous | Last modification | View Log

Rev Author Line No. Line
2271 tom.houday 1
#!/bin/sh
2
# $Id: fail2ban.sh 2488 2018-02-25 14:53:54Z lucas.echard $
3
 
1191 crox53 4
FAIL_CONF="/etc/fail2ban/fail2ban.conf"
5
JAIL_CONF="/etc/fail2ban/jail.conf"
6
DIR_FILTER="/etc/fail2ban/filter.d/"
7
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"
8
 
1388 richard 9
#########################################################
10
## Mise à jour du fichier de configuration de fail2ban ##
11
#########################################################
2271 tom.houday 12
[ -f $FAIL_CONF ] && [ ! -e $FAIL_CONF.default ] && mv $FAIL_CONF $FAIL_CONF.default
1191 crox53 13
cat << EOF > $FAIL_CONF
14
 
15
[Definition]
16
 
17
# Option:  loglevel
18
# Notes.:  Set the log level output.
19
#          1 = ERROR
20
#          2 = WARN
21
#          3 = INFO
22
#          4 = DEBUG
23
# Values:  NUM  Default:  3
24
#
25
loglevel = 3
26
 
27
# Option:  logtarget
28
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
29
#          Only one log target can be specified.
30
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
31
#
32
logtarget = /var/log/fail2ban.log
33
 
34
# Option: socket
35
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
36
#         not remove this file when Fail2ban runs. It will not be possible to
37
#         communicate with the server afterwards.
38
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
39
#
40
socket = /var/run/fail2ban/fail2ban.sock
1410 richard 41
 
42
# Option: pidfile
43
# Notes.: Set the PID file. This is used to store the process ID of the
44
#         fail2ban server.
45
# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
46
#
47
pidfile = /var/run/fail2ban/fail2ban.pid
1191 crox53 48
EOF
49
 
50
#########################################################
51
## Mise à jour de la configuration de jail de fail2ban ##
52
#########################################################
2271 tom.houday 53
[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default
1191 crox53 54
cat << EOF > $JAIL_CONF
55
 
56
# Fail2Ban configuration file
57
#
58
# Author: Cyril Jaquier
1388 richard 59
# Adapted by ALCASAR team
1191 crox53 60
 
1388 richard 61
 
1191 crox53 62
# The DEFAULT allows a global definition of the options. They can be overridden
63
# in each jail afterwards.
64
 
65
[DEFAULT]
66
 
67
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
68
# ban a host which matches an address in this list. Several addresses can be
69
# defined using space separator.
70
ignoreip = 127.0.0.1/8
71
 
72
# "bantime" is the number of seconds that a host is banned.
1270 richard 73
bantime  = 300
1191 crox53 74
 
1388 richard 75
# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
76
# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)
77
# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes
1191 crox53 78
findtime  = 60
79
 
80
# "maxretry" is the number of failures before a host get banned.
81
maxretry = 5
82
 
83
# "backend" specifies the backend used to get files modification. Available
84
# options are "gamin", "polling" and "auto". This option can be overridden in
85
# each jail too (use "gamin" for a jail and "polling" for another).
86
#
87
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
88
#          is not installed, Fail2ban will use polling.
89
# polling: uses a polling algorithm which does not require external libraries.
90
# auto:    will choose Gamin if available and polling otherwise.
91
backend = auto
92
 
1410 richard 93
# "usedns" specifies if jails should trust hostnames in logs,
94
# warn when DNS lookups are performed, or ignore all hostnames in logs
95
#
96
# yes: if a hostname is encountered, a DNS lookup will be performed.
97
# warn: if a hostname is encountered, a DNS lookup will be performed,
98
# but it will be logged as a warning.
99
# no: if a hostname is encountered, will not be used for banning,
100
# but it will be logged as info.
101
usedns = warn
102
 
1388 richard 103
# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)
104
[alcasar_mod-evasive]
1191 crox53 105
 
1410 richard 106
#enabled = true
107
enabled = false
2487 lucas.echa 108
backend = auto
1410 richard 109
filter = alcasar_mod-evasive
1388 richard 110
action = iptables-allports[name=alcasar_mod-evasive]
2488 lucas.echa 111
logpath = /var/log/lighttpd/access.log
1191 crox53 112
maxretry = 2
113
 
1388 richard 114
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
1191 crox53 115
[ssh-iptables]
116
 
117
enabled = true
118
#enabled  = false
119
filter   = sshd
120
action   = iptables-allports[name=SSH]
121
logpath  = /var/log/auth.log
122
maxretry = 3
123
 
1388 richard 124
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
2284 tom.houday 125
[alcasar_acc]
1191 crox53 126
 
127
enabled = true
128
#enabled = false
2487 lucas.echa 129
backend = auto
2284 tom.houday 130
filter = alcasar_acc
131
action = iptables-allports[name=alcasar_acc]
2488 lucas.echa 132
logpath = /var/log/lighttpd/access.log
133
maxretry = 6
1191 crox53 134
 
1388 richard 135
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
136
[alcasar_intercept]
1191 crox53 137
 
138
enabled = true
139
#enabled = false
2487 lucas.echa 140
backend = auto
1410 richard 141
filter = alcasar_intercept
1388 richard 142
action = iptables-allports[name=alcasar_intercept]
2488 lucas.echa 143
logpath = /var/log/lighttpd/access.log
1191 crox53 144
maxretry = 5
145
 
1388 richard 146
# Bannissement sur tout les port après 5 échecs de changement de mot de passe
1191 crox53 147
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
1410 richard 148
[alcasar_change-pwd]
1191 crox53 149
 
150
enabled = true
151
#enabled = false
2487 lucas.echa 152
backend = auto
1410 richard 153
filter = alcasar_change-pwd
154
action = iptables-allports[name=alcasar_change-pwd]
2488 lucas.echa 155
logpath = /var/log/lighttpd/access.log
1191 crox53 156
maxretry = 5
1410 richard 157
 
1191 crox53 158
EOF
159
 
1388 richard 160
##################################################
161
## Mise en place des filtres spécifiques       ##
162
## - Mod_evasive.conf                           ##
2271 tom.houday 163
## - acc-htdigest.conf                          ##
1388 richard 164
## - intercept.conf                             ##
2271 tom.houday 165
## - change-pwd.conf                            ##
1388 richard 166
##################################################
1191 crox53 167
 
168
######################
169
## MOD-EVASIVE.CONF ##
170
######################
1388 richard 171
cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf
1191 crox53 172
# Fail2Ban configuration file
173
#
174
# Author: Cyril Jaquier
1388 richard 175
# Adapted by ALCASAR team
1191 crox53 176
 
177
[Definition]
178
 
179
# Option:  failregex
180
# Notes.:  regex to match the password failure messages in the logfile. The
181
#          host must be matched by a group named "host". The tag "<HOST>" can
182
#          be used for standard IP/hostname matching and is only an alias for
183
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
184
# Values:  TEXT
185
#
2488 lucas.echa 186
failregex =  <HOST> .+\] "[^"]+" 403
1191 crox53 187
 
188
# Option:  ignoreregex
189
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
190
# Values:  TEXT
191
#
192
ignoreregex =
193
EOF
194
 
2271 tom.houday 195
#######################
196
## ACC-HTDIGEST.CONF ##
197
#######################
2284 tom.houday 198
cat << EOF > $DIR_FILTER/alcasar_acc.conf
1191 crox53 199
# Fail2Ban configuration file
200
#
201
# Author: Cyril Jaquier
1388 richard 202
# Adapted by ALCASAR team
1191 crox53 203
 
204
[Definition]
205
 
206
# Option:  failregex
207
# Notes.:  regex to match the password failure messages in the logfile. The
208
#          host must be matched by a group named "host". The tag "<HOST>" can
209
#          be used for standard IP/hostname matching and is only an alias for
210
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
211
# Values:  TEXT
212
#
2488 lucas.echa 213
failregex =  <HOST> .+\] "[^"]+" 401
1191 crox53 214
 
1410 richard 215
#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]
216
 
1191 crox53 217
# Option:  ignoreregex
218
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
219
# Values:  TEXT
220
#
221
ignoreregex =
222
EOF
223
 
224
####################
225
## INTERCEPT.CONF ##
226
####################
1388 richard 227
cat << EOF > $DIR_FILTER/alcasar_intercept.conf
1191 crox53 228
# Fail2Ban configuration file
229
#
230
# Author: Cyril Jaquier
1388 richard 231
# Adapted by ALCASAR team
1191 crox53 232
 
233
[Definition]
234
 
235
# Option:  failregex
236
# Notes.:  regex to match the password failure messages in the logfile. The
237
#          host must be matched by a group named "host". The tag "<HOST>" can
238
#          be used for standard IP/hostname matching and is only an alias for
239
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
240
# Values:  TEXT
241
#
2488 lucas.echa 242
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
1191 crox53 243
 
244
# Option:  ignoreregex
245
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
246
# Values:  TEXT
247
#
248
ignoreregex =
249
EOF
250
 
2271 tom.houday 251
#####################
252
## CHANGE-PWD.CONF ##
253
#####################
1410 richard 254
cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf
1191 crox53 255
 
256
# Fail2Ban configuration file
257
#
258
# Author: Cyril Jaquier
1388 richard 259
# Adapted by ALCASAR team
1191 crox53 260
 
261
[Definition]
262
 
263
# Option:  failregex
264
# Notes.:  regex to match the password failure messages in the logfile. The
265
#          host must be matched by a group named "host". The tag "<HOST>" can
266
#          be used for standard IP/hostname matching and is only an alias for
267
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
268
# Values:  TEXT
269
#
2488 lucas.echa 270
failregex = <HOST> .* \"POST \/password\.php
1191 crox53 271
 
1410 richard 272
 
1191 crox53 273
# Option:  ignoreregex
274
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
275
# Values:  TEXT
276
#
277
ignoreregex =
278
EOF
279
 
280
##############################################
1388 richard 281
##   Log sur ULOG quand iptables-allports   ##
1191 crox53 282
##############################################
2271 tom.houday 283
[ -f $ACTION_ALLPORTS ] && [ ! -e $ACTION_ALLPORTS.default ] && mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default
1191 crox53 284
cat << EOF > $ACTION_ALLPORTS
285
# Fail2Ban configuration file
286
#
287
# Author: Cyril Jaquier
288
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
289
#                       made active on all ports from original iptables.conf
1388 richard 290
# Adapted by ALCASAR team
1191 crox53 291
 
292
[Definition]
293
 
294
# Option:  actionstart
295
# Notes.:  command executed once at the start of Fail2Ban.
296
# Values:  CMD
297
#
298
actionstart = iptables -N fail2ban-<name>
299
              iptables -A fail2ban-<name> -j RETURN
300
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
301
 
302
# Option:  actionstop
303
# Notes.:  command executed once at the end of Fail2Ban
304
# Values:  CMD
305
#
306
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
307
             iptables -F fail2ban-<name>
308
             iptables -X fail2ban-<name>
309
 
310
# Option:  actioncheck
311
# Notes.:  command executed once before each actionban command
312
# Values:  CMD
313
#
314
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
315
 
316
# Option:  actionban
317
# Notes.:  command executed when banning an IP. Take care that the
318
#          command is executed with Fail2Ban user rights.
319
# Tags:    <ip>  IP address
320
#          <failures>  number of failures
321
#          <time>  unix timestamp of the ban time
322
# Values:  CMD
323
 
2357 tom.houday 324
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
1191 crox53 325
 
326
# Option:  actionunban
327
# Notes.:  command executed when unbanning an IP. Take care that the
328
#          command is executed with Fail2Ban user rights.
329
# Tags:    <ip>  IP address
330
#          <failures>  number of failures
331
#          <time>  unix timestamp of the ban time
332
# Values:  CMD
333
#
2357 tom.houday 334
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
1191 crox53 335
 
336
[Init]
337
 
338
# Defaut name of the chain
339
#
340
name = default
341
 
342
# Option:  protocol
343
# Notes.:  internally used by config reader for interpolations.
344
# Values:  [ tcp | udp | icmp | all ] Default: tcp
345
#
346
protocol = tcp
347
 
348
# Option:  chain
349
# Notes    specifies the iptables chain to which the fail2ban rules should be
350
#          added
351
# Values:  STRING  Default: INPUT
352
chain = INPUT
353
 
354
EOF