WebSVN – ALCASAR – Diff – /conf/fail2ban.sh

 #!/bin/sh
-# $Id: fail2ban.sh 2837 2020-06-16 22:24:15Z rexy $
+# $Id: fail2ban.sh 2864 2020-10-18 09:06:17Z rexy $
 JAIL_CONF="/etc/fail2ban/jail.conf"
 DIR_FILTER="/etc/fail2ban/filter.d/"
-ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"
 #########################################################
 ## Mise à jour de la configuration de jail de fail2ban ##
 #########################################################
 [ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default
 cat << EOF > $JAIL_CONF
 # Fail2Ban configuration file
+#
 # Author: Cyril Jaquier
 # Adapted by ALCASAR team
 # The DEFAULT allows a global definition of the options. They can be overridden
 # in each jail afterwards.
 [DEFAULT]
 # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
 # ban a host which matches an address in this list. Several addresses can be
 # defined using space separator.
 ignoreip = 127.0.0.1/8
 # "bantime" is the number of seconds that a host is banned.
 bantime  = 180
 # A host is banned if it has generated "maxretry" during the last "findtime" seconds.
 # Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)
 # Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes
 findtime  = 60
 # "maxretry" is the number of failures before a host get banned.
 maxretry = 5
 # "backend" specifies the backend used to get files modification. Available
 # options are "gamin", "polling" and "auto". This option can be overridden in
 # each jail too (use "gamin" for a jail and "polling" for another).
+#
 # gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
 #          is not installed, Fail2ban will use polling.
 # polling: uses a polling algorithm which does not require external libraries.
 # auto:    will choose Gamin if available and polling otherwise.
 backend = auto
 # "usedns" specifies if jails should trust hostnames in logs,
 # warn when DNS lookups are performed, or ignore all hostnames in logs
+#
 # yes: if a hostname is encountered, a DNS lookup will be performed.
 # warn: if a hostname is encountered, a DNS lookup will be performed,
 # but it will be logged as a warning.
 # no: if a hostname is encountered, will not be used for banning,
 # but it will be logged as info.
 usedns = warn
 # Bannissement sur tous les ports après 3 refus du serveur WEB (tentative d'accès sur des pages inexistentes)
 [alcasar_mod-evasive]
 #enabled = true
 enabled = false
 backend = auto
 filter = alcasar_mod-evasive
 action = iptables-allports[name=alcasar_mod-evasive]
 logpath = /var/log/lighttpd/access.log
 maxretry = 3
 # Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
 [ssh-iptables]
 enabled = true
 #enabled  = false
 filter   = sshd
 action   = iptables-allports[name=SSH]
 logpath  = /var/log/auth.log
 maxretry = 3
 # Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
 [alcasar_acc]
 enabled = true
 #enabled = false
 backend = auto
 filter = alcasar_acc
 action = iptables-allports[name=alcasar_acc]
 logpath = /var/log/lighttpd/access.log
-maxretry = 6
+maxretry = 5
 # Bannissement sur tout les ports après 5 echecs de connexion pour un usager
 [alcasar_intercept]
 enabled = true
 #enabled = false
 backend = auto
 filter = alcasar_intercept
 action = iptables-allports[name=alcasar_intercept]
 logpath = /var/log/lighttpd/access.log
-maxretry = 6
+maxretry = 5
 # Bannissement sur tout les port après 5 échecs de changement de mot de passe
 # 5 POST pour changer le mot de passe que le POST soit ok ou non.
 [alcasar_change-pwd]
 enabled = true
 #enabled = false
 backend = auto
 filter = alcasar_change-pwd
 action = iptables-allports[name=alcasar_change-pwd]
 logpath = /var/log/lighttpd/access.log
 maxretry = 5
 EOF
-##################################################
+##############################################
 ## Mise en place des filtres spécifiques	##
-## - Mod_evasive.conf				##
+## - Mod_evasive.conf						##
-## - acc-htdigest.conf				##
+## - acc-htdigest.conf						##
-## - intercept.conf				##
+## - intercept.conf							##
-## - change-pwd.conf				##
+## - change-pwd.conf						##
-##################################################
+##############################################
 ######################
 ## MOD-EVASIVE.CONF ##
 ######################
 cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf
 # Fail2Ban configuration file
+#
 # Author: Cyril Jaquier
 # Adapted by ALCASAR team
 [Definition]
 # Option:  failregex
 # Notes.:  regex to match the password failure messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
+#
 failregex =  <HOST> .+\] "[^"]+" 403
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
+#
 ignoreregex =
 EOF
 #######################
 ## ACC-HTDIGEST.CONF ##
 #######################
 cat << EOF > $DIR_FILTER/alcasar_acc.conf
 # Fail2Ban configuration file
+#
 # Author: Cyril Jaquier
 # Adapted by ALCASAR team
 [Definition]
 # Option:  failregex
 # Notes.:  regex to match the password failure messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
+#
 failregex =  <HOST> .+\] "[^"]+" 401
 #[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
+#
 ignoreregex =
 EOF
 ####################
 ## INTERCEPT.CONF ##
 ####################
 cat << EOF > $DIR_FILTER/alcasar_intercept.conf
 # Fail2Ban configuration file
+#
 # Author: Cyril Jaquier
 # Adapted by ALCASAR team
 [Definition]
 # Option:  failregex
 # Notes.:  regex to match the password failure messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
+#
 failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
+#
 ignoreregex =
 EOF
 #####################
 ## CHANGE-PWD.CONF ##
 #####################
 cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf
 # Fail2Ban configuration file
+#
 # Author: Cyril Jaquier
 # Adapted by ALCASAR team
 [Definition]
 # Option:  failregex
 # Notes.:  regex to match the password failure messages in the logfile. The
 #          host must be matched by a group named "host". The tag "<HOST>" can
 #          be used for standard IP/hostname matching and is only an alias for
 #          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values:  TEXT
+#
 failregex = <HOST> .* \"POST \/password\.php
 # Option:  ignoreregex
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
+#
 ignoreregex =
 EOF
-##############################################
-##   Log sur ULOG quand iptables-allports   ##
-##############################################
-[ -f $ACTION_ALLPORTS ] && [ ! -e $ACTION_ALLPORTS.default ] && mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default
-cat << EOF > $ACTION_ALLPORTS
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
-# 			made active on all ports from original iptables.conf
-# Adapted by ALCASAR team
-[Definition]
-# Option:  actionstart
-# Notes.:  command executed once at the start of Fail2Ban.
-# Values:  CMD
-#
-actionstart = iptables -N fail2ban-<name>
-              iptables -A fail2ban-<name> -j RETURN
-              iptables -I <chain> -p <protocol> -j fail2ban-<name>
-# Option:  actionstop
-# Notes.:  command executed once at the end of Fail2Ban
-# Values:  CMD
-#
-actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
-             iptables -F fail2ban-<name>
-             iptables -X fail2ban-<name>
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
-#          <failures>  number of failures
-#          <time>  unix timestamp of the ban time
-# Values:  CMD
-actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
-#          <failures>  number of failures
-#          <time>  unix timestamp of the ban time
-# Values:  CMD
-#
-actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
-[Init]
-# Defaut name of the chain
-#
-name = default
-# Option:  protocol
-# Notes.:  internally used by config reader for interpolations.
-# Values:  [ tcp | udp | icmp | all ] Default: tcp
-#
-protocol = tcp
-# Option:  chain
-# Notes    specifies the iptables chain to which the fail2ban rules should be
-#          added
-# Values:  STRING  Default: INPUT
-chain = INPUT
-EOF

Subversion Repositories ALCASAR

(root)/conf/fail2ban.sh @ 2864 – Rev 2837 → 2864