


Rev 1192 Rev 1196
1
FAIL_CONF="/etc/fail2ban/fail2ban.conf"
1
FAIL_CONF="/etc/fail2ban/fail2ban.conf"
2
JAIL_CONF="/etc/fail2ban/jail.conf"
2
JAIL_CONF="/etc/fail2ban/jail.conf"
3
DIR_FILTER="/etc/fail2ban/filter.d/"
3
DIR_FILTER="/etc/fail2ban/filter.d/"
4
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"
4
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"
5
 
5
 
6
if(test -f $FAIL_CONF)
6
if(test -f $FAIL_CONF)
7
then
7
then
8
	mv $FAIL_CONF $FAIL_CONF.old
8
	mv $FAIL_CONF $FAIL_CONF.old
9
fi
9
fi
10
 
10
 
11
if(test -f $JAIL_CONF)
11
if(test -f $JAIL_CONF)
12
then
12
then
13
	mv $JAIL_CONF $JAIL_CONF.old
13
	mv $JAIL_CONF $JAIL_CONF.old
14
fi
14
fi
15
 
15
 
16
#########################################################
16
#########################################################
17
## Mise à jour du fichier de configuration de fail2ban ##
17
## Mise à jour du fichier de configuration de fail2ban ##
18
#########################################################
18
#########################################################
19
 
19
 
20
cat << EOF > $FAIL_CONF
20
cat << EOF > $FAIL_CONF
21
 
21
 
22
[Definition]
22
[Definition]
23
 
23
 
24
# Option:  loglevel
24
# Option:  loglevel
25
# Notes.:  Set the log level output.
25
# Notes.:  Set the log level output.
26
#          1 = ERROR
26
#          1 = ERROR
27
#          2 = WARN
27
#          2 = WARN
28
#          3 = INFO
28
#          3 = INFO
29
#          4 = DEBUG
29
#          4 = DEBUG
30
# Values:  NUM  Default:  3
30
# Values:  NUM  Default:  3
31
#
31
#
32
loglevel = 3
32
loglevel = 3
33
 
33
 
34
# Option:  logtarget
34
# Option:  logtarget
35
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
35
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
36
#          Only one log target can be specified.
36
#          Only one log target can be specified.
37
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
37
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
38
#
38
#
39
logtarget = /var/log/fail2ban.log
39
logtarget = /var/log/fail2ban.log
40
 
40
 
41
# Option: socket
41
# Option: socket
42
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
42
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
43
#         not remove this file when Fail2ban runs. It will not be possible to
43
#         not remove this file when Fail2ban runs. It will not be possible to
44
#         communicate with the server afterwards.
44
#         communicate with the server afterwards.
45
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
45
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
46
#
46
#
47
socket = /var/run/fail2ban/fail2ban.sock
47
socket = /var/run/fail2ban/fail2ban.sock
48
EOF
48
EOF
49
 
49
 
50
#########################################################
50
#########################################################
51
## Mise à jour de la configuration de jail de fail2ban ##
51
## Mise à jour de la configuration de jail de fail2ban ##
52
#########################################################
52
#########################################################
53
 
53
 
54
cat << EOF > $JAIL_CONF
54
cat << EOF > $JAIL_CONF
55
 
55
 
56
# Fail2Ban configuration file
56
# Fail2Ban configuration file
57
#
57
#
58
# Author: Cyril Jaquier
58
# Author: Cyril Jaquier
59
#
59
#
60
# $Revision$
60
# $Revision$
61
#
61
#
62
 
62
 
63
# The DEFAULT allows a global definition of the options. They can be overridden
63
# The DEFAULT allows a global definition of the options. They can be overridden
64
# in each jail afterwards.
64
# in each jail afterwards.
65
 
65
 
66
[DEFAULT]
66
[DEFAULT]
67
 
67
 
68
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
68
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
69
# ban a host which matches an address in this list. Several addresses can be
69
# ban a host which matches an address in this list. Several addresses can be
70
# defined using space separator.
70
# defined using space separator.
71
ignoreip = 127.0.0.1/8
71
ignoreip = 127.0.0.1/8
72
 
72
 
73
# "bantime" is the number of seconds that a host is banned.
73
# "bantime" is the number of seconds that a host is banned.
74
bantime  = 600
74
bantime  = 600
75
 
75
 
76
# A host is banned if it has generated "maxretry" during the last "findtime"
76
# A host is banned if it has generated "maxretry" during the last "findtime"
77
# seconds.
77
# seconds.
78
# Un client est banni dans le cas ou il genere "maxretry" pendant le temps
78
# Un client est banni dans le cas ou il genere "maxretry" pendant le temps
79
# findtime en seconds
79
# findtime en seconds
80
# Ici 5 requetes remplissant les filtres en 60 secondes
80
# Ici 5 requetes remplissant les filtres en 60 secondes
81
 
81
 
82
findtime  = 60
82
findtime  = 60
83
 
83
 
84
# "maxretry" is the number of failures before a host get banned.
84
# "maxretry" is the number of failures before a host get banned.
85
maxretry = 5
85
maxretry = 5
86
 
86
 
87
# "backend" specifies the backend used to get files modification. Available
87
# "backend" specifies the backend used to get files modification. Available
88
# options are "gamin", "polling" and "auto". This option can be overridden in
88
# options are "gamin", "polling" and "auto". This option can be overridden in
89
# each jail too (use "gamin" for a jail and "polling" for another).
89
# each jail too (use "gamin" for a jail and "polling" for another).
90
#
90
#
91
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
91
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
92
#          is not installed, Fail2ban will use polling.
92
#          is not installed, Fail2ban will use polling.
93
# polling: uses a polling algorithm which does not require external libraries.
93
# polling: uses a polling algorithm which does not require external libraries.
94
# auto:    will choose Gamin if available and polling otherwise.
94
# auto:    will choose Gamin if available and polling otherwise.
95
backend = auto
95
backend = auto
96
 
96
 
97
 
97
 
98
# This jail corresponds to the standard configuration in Fail2ban 0.6.
98
# This jail corresponds to the standard configuration in Fail2ban 0.6.
99
# The mail-whois action send a notification e-mail with a whois request
99
# The mail-whois action send a notification e-mail with a whois request
100
# in the body.
100
# in the body.
101
 
101
 
102
 
102
 
103
# Bannissement si Mod_evasive bannie un @IP après 2 interdit par Apache alors BAN sur tous les ports
103
# Bannissement si Mod_evasive bannie un @IP après 2 interdit par Apache alors BAN sur tous les ports
104
 
104
 
105
[mod-evasive]
105
[mod-evasive]
106
 
106
 
107
enabled = true
107
enabled = true
108
#enabled = false
108
#enabled = false
109
filter = mod-evasive
109
filter = mod-evasive
110
action = iptables-allports[name=mod-evasive]
110
action = iptables-allports[name=mod-evasive]
111
logpath = /var/log/httpd/error_log
111
logpath = /var/log/httpd/error_log
112
maxretry = 2
112
maxretry = 2
113
 
113
 
114
# Bannissement pour SSH-Brute-Force
114
# Bannissement pour SSH-Brute-Force
115
 
115
 
116
[ssh-iptables]
116
[ssh-iptables]
117
 
117
 
118
enabled = true
118
enabled = true
119
#enabled  = false
119
#enabled  = false
120
filter   = sshd
120
filter   = sshd
121
action   = iptables-allports[name=SSH]
121
action   = iptables-allports[name=SSH]
122
logpath  = /var/log/auth.log
122
logpath  = /var/log/auth.log
123
maxretry = 3
123
maxretry = 3
124
 
124
 
125
# Bannissement si 5 tentatives de connexion echouer en alcasar/acc
125
# Bannissement si 5 tentatives de connexion echouer en alcasar/acc
126
 
126
 
127
[htdigest]
127
[htdigest]
128
 
128
 
129
enabled = true
129
enabled = true
130
#enabled = false
130
#enabled = false
131
filter = htdigest
131
filter = htdigest
132
action = iptables-allports[name=htdigest]
132
action = iptables-allports[name=htdigest]
133
logpath = /var/log/httpd/ssl_error_log
133
logpath = /var/log/httpd/ssl_error_log
134
maxretry = 5
134
maxretry = 5
135
 
135
 
136
# Bannissement si 5 tentatives de connexion avec intercept.php avec reason=reject
136
# Bannissement si 5 tentatives de connexion avec intercept.php avec reason=reject
137
 
137
 
138
[intercept]
138
[intercept]
139
 
139
 
140
enabled = true
140
enabled = true
141
#enabled = false
141
#enabled = false
142
filter = intercept
142
filter = intercept
143
action = iptables-allports[name=intercept]
143
action = iptables-allports[name=intercept]
144
logpath = /var/log/httpd/ssl_request_log
144
logpath = /var/log/httpd/ssl_request_log
145
maxretry = 5
145
maxretry = 5
146
 
146
 
147
# Bannissement si 5 tentatives de changement de mot de passe en moins de 1 min
147
# Bannissement si 5 tentatives de changement de mot de passe en moins de 1 min
148
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
148
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
149
 
149
 
150
[mot_de_passe]
150
[mot_de_passe]
151
 
151
 
152
enabled = true
152
enabled = true
153
#enabled = false
153
#enabled = false
154
filter = mot_de_passe
154
filter = mot_de_passe
155
action = iptables-allports[name=Mot_de_Passe]
155
action = iptables-allports[name=Mot_de_Passe]
156
logpath = /var/log/httpd/ssl_request_log
156
logpath = /var/log/httpd/ssl_request_log
157
maxretry = 5
157
maxretry = 5
158
 
158
 
159
 
159
 
160
[proftpd-iptables]
160
[proftpd-iptables]
161
 
161
 
162
enabled  = false
162
enabled  = false
163
filter   = proftpd
163
filter   = proftpd
164
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
164
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
165
           sendmail-whois[name=ProFTPD, dest=you@example.com]
165
           sendmail-whois[name=ProFTPD, dest=you@example.com]
166
logpath  = /var/log/proftpd/proftpd.log
166
logpath  = /var/log/proftpd/proftpd.log
167
maxretry = 6
167
maxretry = 6
168
 
168
 
169
# This jail forces the backend to "polling".
169
# This jail forces the backend to "polling".
170
 
170
 
171
[sasl-iptables]
171
[sasl-iptables]
172
 
172
 
173
enabled  = false
173
enabled  = false
174
filter   = sasl
174
filter   = sasl
175
backend  = polling
175
backend  = polling
176
action   = iptables[name=sasl, port=smtp, protocol=tcp]
176
action   = iptables[name=sasl, port=smtp, protocol=tcp]
177
           sendmail-whois[name=sasl, dest=you@example.com]
177
           sendmail-whois[name=sasl, dest=you@example.com]
178
logpath  = /var/log/mail.log
178
logpath  = /var/log/mail.log
179
 
179
 
180
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
180
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
181
# used to avoid banning the user "myuser".
181
# used to avoid banning the user "myuser".
182
 
182
 
183
[ssh-tcpwrapper]
183
[ssh-tcpwrapper]
184
 
184
 
185
enabled     = false
185
enabled     = false
186
filter      = sshd
186
filter      = sshd
187
action      = hostsdeny
187
action      = hostsdeny
188
              sendmail-whois[name=SSH, dest=you@example.com]
188
              sendmail-whois[name=SSH, dest=you@example.com]
189
ignoreregex = for myuser from
189
ignoreregex = for myuser from
190
logpath     = /var/log/auth.log
190
logpath     = /var/log/auth.log
191
 
191
 
192
# This jail demonstrates the use of wildcards in "logpath".
192
# This jail demonstrates the use of wildcards in "logpath".
193
# Moreover, it is possible to give other files on a new line.
193
# Moreover, it is possible to give other files on a new line.
194
 
194
 
195
[apache-tcpwrapper]
195
[apache-tcpwrapper]
196
 
196
 
197
enabled  = false
197
enabled  = false
198
filter	 = apache-auth
198
filter	 = apache-auth
199
action   = hostsdeny
199
action   = hostsdeny
200
logpath  = /var/log/apache*/*error.log
200
logpath  = /var/log/apache*/*error.log
201
           /home/www/myhomepage/error.log
201
           /home/www/myhomepage/error.log
202
maxretry = 6
202
maxretry = 6
203
 
203
 
204
# The hosts.deny path can be defined with the "file" argument if it is
204
# The hosts.deny path can be defined with the "file" argument if it is
205
# not in /etc.
205
# not in /etc.
206
 
206
 
207
[postfix-tcpwrapper]
207
[postfix-tcpwrapper]
208
 
208
 
209
enabled  = false
209
enabled  = false
210
filter   = postfix
210
filter   = postfix
211
action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
211
action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
212
           sendmail[name=Postfix, dest=you@example.com]
212
           sendmail[name=Postfix, dest=you@example.com]
213
logpath  = /var/log/postfix.log
213
logpath  = /var/log/postfix.log
214
bantime  = 300
214
bantime  = 300
215
 
215
 
216
# Do not ban anybody. Just report information about the remote host.
216
# Do not ban anybody. Just report information about the remote host.
217
# A notification is sent at most every 600 seconds (bantime).
217
# A notification is sent at most every 600 seconds (bantime).
218
 
218
 
219
[vsftpd-notification]
219
[vsftpd-notification]
220
 
220
 
221
enabled  = false
221
enabled  = false
222
filter   = vsftpd
222
filter   = vsftpd
223
action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
223
action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
224
logpath  = /var/log/vsftpd.log
224
logpath  = /var/log/vsftpd.log
225
maxretry = 5
225
maxretry = 5
226
bantime  = 1800
226
bantime  = 1800
227
 
227
 
228
# Same as above but with banning the IP address.
228
# Same as above but with banning the IP address.
229
 
229
 
230
[vsftpd-iptables]
230
[vsftpd-iptables]
231
 
231
 
232
enabled  = false
232
enabled  = false
233
filter   = vsftpd
233
filter   = vsftpd
234
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
234
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
235
           sendmail-whois[name=VSFTPD, dest=you@example.com]
235
           sendmail-whois[name=VSFTPD, dest=you@example.com]
236
logpath  = /var/log/vsftpd.log
236
logpath  = /var/log/vsftpd.log
237
maxretry = 5
237
maxretry = 5
238
bantime  = 1800
238
bantime  = 1800
239
 
239
 
240
# Ban hosts which agent identifies spammer robots crawling the web
240
# Ban hosts which agent identifies spammer robots crawling the web
241
# for email addresses. The mail outputs are buffered.
241
# for email addresses. The mail outputs are buffered.
242
 
242
 
243
[apache-badbots]
243
[apache-badbots]
244
 
244
 
245
enabled  = false
245
enabled  = false
246
filter   = apache-badbots
246
filter   = apache-badbots
247
action   = iptables-multiport[name=BadBots, port="http,https"]
247
action   = iptables-multiport[name=BadBots, port="http,https"]
248
           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
248
           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
249
logpath  = /var/www/*/logs/access_log
249
logpath  = /var/www/*/logs/access_log
250
bantime  = 172800
250
bantime  = 172800
251
maxretry = 1
251
maxretry = 1
252
 
252
 
253
# Use shorewall instead of iptables.
253
# Use shorewall instead of iptables.
254
 
254
 
255
[apache-shorewall]
255
[apache-shorewall]
256
 
256
 
257
enabled  = false
257
enabled  = false
258
filter   = apache-noscript
258
filter   = apache-noscript
259
action   = shorewall
259
action   = shorewall
260
           sendmail[name=Postfix, dest=you@example.com]
260
           sendmail[name=Postfix, dest=you@example.com]
261
logpath  = /var/log/apache2/error_log
261
logpath  = /var/log/apache2/error_log
262
 
262
 
263
# Ban attackers that try to use PHP's URL-fopen() functionality
263
# Ban attackers that try to use PHP's URL-fopen() functionality
264
# through GET/POST variables. - Experimental, with more than a year
264
# through GET/POST variables. - Experimental, with more than a year
265
# of usage in production environments.
265
# of usage in production environments.
266
 
266
 
267
[php-url-fopen]
267
[php-url-fopen]
268
 
268
 
269
enabled = false
269
enabled = false
270
port    = http,https
270
port    = http,https
271
filter  = php-url-fopen
271
filter  = php-url-fopen
272
logpath = /var/www/*/logs/access_log
272
logpath = /var/www/*/logs/access_log
273
maxretry = 1
273
maxretry = 1
274
 
274
 
275
# A simple PHP-fastcgi jail which works with lighttpd.
275
# A simple PHP-fastcgi jail which works with lighttpd.
276
# If you run a lighttpd server, then you probably will
276
# If you run a lighttpd server, then you probably will
277
# find these kinds of messages in your error_log:
277
# find these kinds of messages in your error_log:
278
# ALERT – tried to register forbidden variable ‘GLOBALS’
278
# ALERT – tried to register forbidden variable ‘GLOBALS’
279
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
279
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
280
# This jail would block the IP 1.2.3.4.
280
# This jail would block the IP 1.2.3.4.
281
 
281
 
282
[lighttpd-fastcgi]
282
[lighttpd-fastcgi]
283
 
283
 
284
enabled = false
284
enabled = false
285
port    = http,https
285
port    = http,https
286
filter  = lighttpd-fastcgi
286
filter  = lighttpd-fastcgi
287
# adapt the following two items as needed
287
# adapt the following two items as needed
288
logpath = /var/log/lighttpd/error.log
288
logpath = /var/log/lighttpd/error.log
289
maxretry = 2
289
maxretry = 2
290
 
290
 
291
# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
291
# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
292
# option is overridden in this jail. Moreover, the action "mail-whois" defines
292
# option is overridden in this jail. Moreover, the action "mail-whois" defines
293
# the variable "name" which contains a comma using "". The characters '' are
293
# the variable "name" which contains a comma using "". The characters '' are
294
# valid too.
294
# valid too.
295
 
295
 
296
[ssh-ipfw]
296
[ssh-ipfw]
297
 
297
 
298
enabled  = false
298
enabled  = false
299
filter   = sshd
299
filter   = sshd
300
action   = ipfw[localhost=192.168.0.1]
300
action   = ipfw[localhost=192.168.0.1]
301
           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
301
           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
302
logpath  = /var/log/auth.log
302
logpath  = /var/log/auth.log
303
ignoreip = 168.192.0.1
303
ignoreip = 168.192.0.1
304
 
304
 
305
# These jails block attacks against named (bind9). By default, logging is off
305
# These jails block attacks against named (bind9). By default, logging is off
306
# with bind9 installation. You will need something like this:
306
# with bind9 installation. You will need something like this:
307
#
307
#
308
# logging {
308
# logging {
309
#     channel security_file {
309
#     channel security_file {
310
#         file "/var/log/named/security.log" versions 3 size 30m;
310
#         file "/var/log/named/security.log" versions 3 size 30m;
311
#         severity dynamic;
311
#         severity dynamic;
312
#         print-time yes;
312
#         print-time yes;
313
#     };
313
#     };
314
#     category security {
314
#     category security {
315
#         security_file;
315
#         security_file;
316
#     };
316
#     };
317
# };
317
# };
318
#
318
#
319
# in your named.conf to provide proper logging.
319
# in your named.conf to provide proper logging.
320
# This jail blocks UDP traffic for DNS requests.
320
# This jail blocks UDP traffic for DNS requests.
321
 
321
 
322
# !!! WARNING !!!
322
# !!! WARNING !!!
323
#   Since UDP is connection-less protocol, spoofing of IP and imitation
323
#   Since UDP is connection-less protocol, spoofing of IP and imitation
324
#   of illegal actions is way too simple.  Thus enabling of this filter
324
#   of illegal actions is way too simple.  Thus enabling of this filter
325
#   might provide an easy way for implementing a DoS against a chosen
325
#   might provide an easy way for implementing a DoS against a chosen
326
#   victim. See
326
#   victim. See
327
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
327
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
328
#   Please DO NOT USE this jail unless you know what you are doing.
328
#   Please DO NOT USE this jail unless you know what you are doing.
329
#
329
#
330
# [named-refused-udp]
330
# [named-refused-udp]
331
#
331
#
332
# enabled  = false
332
# enabled  = false
333
# filter   = named-refused
333
# filter   = named-refused
334
# action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
334
# action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
335
#            sendmail-whois[name=Named, dest=you@example.com]
335
#            sendmail-whois[name=Named, dest=you@example.com]
336
# logpath  = /var/log/named/security.log
336
# logpath  = /var/log/named/security.log
337
# ignoreip = 168.192.0.1
337
# ignoreip = 168.192.0.1
338
 
338
 
339
# This jail blocks TCP traffic for DNS requests.
339
# This jail blocks TCP traffic for DNS requests.
340
 
340
 
341
[named-refused-tcp]
341
[named-refused-tcp]
342
 
342
 
343
enabled  = false
343
enabled  = false
344
filter   = named-refused
344
filter   = named-refused
345
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
345
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
346
           sendmail-whois[name=Named, dest=you@example.com]
346
           sendmail-whois[name=Named, dest=you@example.com]
347
logpath  = /var/log/named/security.log
347
logpath  = /var/log/named/security.log
348
ignoreip = 168.192.0.1
348
ignoreip = 168.192.0.1
349
 
349
 
350
EOF
350
EOF
351
 
351
 
352
###########################################
352
###########################################
353
## Mise en place des filters spécifiques ##
353
## Mise en place des filters spécifiques ##
354
## - Mod_evasive.conf                    ##
354
## - Mod_evasive.conf                    ##
355
## - htdigest.conf                       ##
355
## - htdigest.conf                       ##
356
## - 
356
## - 
357
## - 
357
## - 
358
###########################################
358
###########################################
359
 
359
 
360
######################
360
######################
361
## MOD-EVASIVE.CONF ##
361
## MOD-EVASIVE.CONF ##
362
######################
362
######################
363
 
363
 
364
if (test -f $DIR_FILTER/mod-evasive.conf)
364
if (test -f $DIR_FILTER/mod-evasive.conf)
365
then
365
then
366
	mv $DIR_FILTER/mod-evasive.conf $DIR_FILTER/mod-evasive.conf.old
366
	mv $DIR_FILTER/mod-evasive.conf $DIR_FILTER/mod-evasive.conf.old
367
fi
367
fi
368
 
368
 
369
cat << EOF > $DIR_FILTER/mod-evasive.conf
369
cat << EOF > $DIR_FILTER/mod-evasive.conf
370
# Fail2Ban configuration file
370
# Fail2Ban configuration file
371
#
371
#
372
# Author: Cyril Jaquier
372
# Author: Cyril Jaquier
373
#
373
#
374
# $Revision$
374
# $Revision$
375
#
375
#
376
 
376
 
377
[Definition]
377
[Definition]
378
 
378
 
379
# Option:  failregex
379
# Option:  failregex
380
# Notes.:  regex to match the password failure messages in the logfile. The
380
# Notes.:  regex to match the password failure messages in the logfile. The
381
#          host must be matched by a group named "host". The tag "<HOST>" can
381
#          host must be matched by a group named "host". The tag "<HOST>" can
382
#          be used for standard IP/hostname matching and is only an alias for
382
#          be used for standard IP/hostname matching and is only an alias for
383
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
383
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
384
# Values:  TEXT
384
# Values:  TEXT
385
#
385
#
386
failregex = [[]client <HOST>[]] client denied by server configuration
386
failregex = [[]client <HOST>[]] client denied by server configuration
387
 
387
 
388
# Option:  ignoreregex
388
# Option:  ignoreregex
389
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
389
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
390
# Values:  TEXT
390
# Values:  TEXT
391
#
391
#
392
ignoreregex = 
392
ignoreregex = 
393
EOF
393
EOF
394
 
394
 
395
###################
395
###################
396
## HTDIGEST.CONF ##
396
## HTDIGEST.CONF ##
397
###################
397
###################
398
 
398
 
399
if ( test -f $DIR_FILTER/htdigest.conf)
399
if ( test -f $DIR_FILTER/htdigest.conf)
400
then
400
then
401
	mv $DIR_FILTER/htdigest.conf $DIR_FILTER/htdigest.conf.old
401
	mv $DIR_FILTER/htdigest.conf $DIR_FILTER/htdigest.conf.old
402
fi
402
fi
403
 
403
 
404
cat << EOF > $DIR_FILTER/htdigest.conf
404
cat << EOF > $DIR_FILTER/htdigest.conf
405
# Fail2Ban configuration file
405
# Fail2Ban configuration file
406
#
406
#
407
# Author: Cyril Jaquier
407
# Author: Cyril Jaquier
408
#
408
#
409
# $Revision$
409
# $Revision$
410
#
410
#
411
 
411
 
412
[Definition]
412
[Definition]
413
 
413
 
414
# Option:  failregex
414
# Option:  failregex
415
# Notes.:  regex to match the password failure messages in the logfile. The
415
# Notes.:  regex to match the password failure messages in the logfile. The
416
#          host must be matched by a group named "host". The tag "<HOST>" can
416
#          host must be matched by a group named "host". The tag "<HOST>" can
417
#          be used for standard IP/hostname matching and is only an alias for
417
#          be used for standard IP/hostname matching and is only an alias for
418
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
418
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
419
# Values:  TEXT
419
# Values:  TEXT
420
#
420
#
421
failregex = [[]error[]] [[]client <HOST>[]] Digest:
421
failregex = [[]error[]] [[]client <HOST>[]] Digest:
422
 
422
 
423
# Option:  ignoreregex
423
# Option:  ignoreregex
424
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
424
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
425
# Values:  TEXT
425
# Values:  TEXT
426
#
426
#
427
ignoreregex = 
427
ignoreregex = 
428
EOF
428
EOF
429
 
429
 
430
####################
430
####################
431
## INTERCEPT.CONF ##
431
## INTERCEPT.CONF ##
432
####################
432
####################
433
 
433
 
434
if ( test -f $DIR_FILTER/intercept.conf)
434
if ( test -f $DIR_FILTER/intercept.conf)
435
then
435
then
436
	mv $DIR_FILTER/intercept.conf $DIR_FILTER/intercept.conf.old
436
	mv $DIR_FILTER/intercept.conf $DIR_FILTER/intercept.conf.old
437
fi
437
fi
438
 
438
 
439
cat << EOF > $DIR_FILTER/intercept.conf
439
cat << EOF > $DIR_FILTER/intercept.conf
440
 
440
 
441
# Fail2Ban configuration file
441
# Fail2Ban configuration file
442
#
442
#
443
# Author: Cyril Jaquier
443
# Author: Cyril Jaquier
444
#
444
#
445
# $Revision$
445
# $Revision$
446
#
446
#
447
 
447
 
448
[Definition]
448
[Definition]
449
 
449
 
450
# Option:  failregex
450
# Option:  failregex
451
# Notes.:  regex to match the password failure messages in the logfile. The
451
# Notes.:  regex to match the password failure messages in the logfile. The
452
#          host must be matched by a group named "host". The tag "<HOST>" can
452
#          host must be matched by a group named "host". The tag "<HOST>" can
453
#          be used for standard IP/hostname matching and is only an alias for
453
#          be used for standard IP/hostname matching and is only an alias for
454
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
454
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
455
# Values:  TEXT
455
# Values:  TEXT
456
#
456
#
457
failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]GET \/intercept\.php\?res=failed[&]reason=reject
457
failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]GET \/intercept\.php\?res=failed[&]reason=reject
458
 
458
 
459
# Option:  ignoreregex
459
# Option:  ignoreregex
460
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
460
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
461
# Values:  TEXT
461
# Values:  TEXT
462
#
462
#
463
ignoreregex = 
463
ignoreregex = 
464
EOF
464
EOF
465
 
465
 
466
#######################
466
#######################
467
## MOT_DE_PASSE.CONF ##
467
## MOT_DE_PASSE.CONF ##
468
#######################
468
#######################
469
 
469
 
470
if ( test -f $DIR_FILTER/mot_de_passe.conf )
470
if ( test -f $DIR_FILTER/mot_de_passe.conf )
471
then
471
then
472
	mv $DIR_FILTER/mot_de_passe.conf $DIR_FILTER/mot_de_passe.conf.old
472
	mv $DIR_FILTER/mot_de_passe.conf $DIR_FILTER/mot_de_passe.conf.old
473
fi
473
fi
474
 
474
 
475
cat << EOF > $DIR_FILTER/mot_de_passe.conf
475
cat << EOF > $DIR_FILTER/mot_de_passe.conf
476
 
476
 
477
# Fail2Ban configuration file
477
# Fail2Ban configuration file
478
#
478
#
479
# Author: Cyril Jaquier
479
# Author: Cyril Jaquier
480
#
480
#
481
# $Revision$
481
# $Revision$
482
#
482
#
483
 
483
 
484
[Definition]
484
[Definition]
485
 
485
 
486
# Option:  failregex
486
# Option:  failregex
487
# Notes.:  regex to match the password failure messages in the logfile. The
487
# Notes.:  regex to match the password failure messages in the logfile. The
488
#          host must be matched by a group named "host". The tag "<HOST>" can
488
#          host must be matched by a group named "host". The tag "<HOST>" can
489
#          be used for standard IP/hostname matching and is only an alias for
489
#          be used for standard IP/hostname matching and is only an alias for
490
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
490
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
491
# Values:  TEXT
491
# Values:  TEXT
492
#
492
#
493
failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]POST \/pass\/index\.php HTTP
493
failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]POST \/pass\/index\.php HTTP
494
 
494
 
495
# Option:  ignoreregex
495
# Option:  ignoreregex
496
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
496
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
497
# Values:  TEXT
497
# Values:  TEXT
498
#
498
#
499
ignoreregex = 
499
ignoreregex = 
500
EOF
500
EOF
501
 
501
 
502
 
502
 
503
##############################################
503
##############################################
504
## Log sur Iptables quand iptables-allports ##
504
## Log sur Iptables quand iptables-allports ##
505
##############################################
505
##############################################
506
 
506
 
507
if ( test -f $ACTION_ALLPORTS )
507
if ( test -f $ACTION_ALLPORTS )
508
then
508
then
509
	mv $ACTION_ALLPORTS $ACTION_ALLPORTS.old
509
	mv $ACTION_ALLPORTS $ACTION_ALLPORTS.old
510
fi
510
fi
511
 
511
 
512
cat << EOF > $ACTION_ALLPORTS
512
cat << EOF > $ACTION_ALLPORTS
513
 
513
 
514
# Fail2Ban configuration file
514
# Fail2Ban configuration file
515
#
515
#
516
# Author: Cyril Jaquier
516
# Author: Cyril Jaquier
517
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
517
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
518
# 			made active on all ports from original iptables.conf
518
# 			made active on all ports from original iptables.conf
519
#
519
#
520
# $Revision$
520
# $Revision$
521
#
521
#
522
 
522
 
523
[Definition]
523
[Definition]
524
 
524
 
525
# Option:  actionstart
525
# Option:  actionstart
526
# Notes.:  command executed once at the start of Fail2Ban.
526
# Notes.:  command executed once at the start of Fail2Ban.
527
# Values:  CMD
527
# Values:  CMD
528
#
528
#
529
actionstart = iptables -N fail2ban-<name>
529
actionstart = iptables -N fail2ban-<name>
530
              iptables -A fail2ban-<name> -j RETURN
530
              iptables -A fail2ban-<name> -j RETURN
531
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
531
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
532
 
532
 
533
# Option:  actionstop
533
# Option:  actionstop
534
# Notes.:  command executed once at the end of Fail2Ban
534
# Notes.:  command executed once at the end of Fail2Ban
535
# Values:  CMD
535
# Values:  CMD
536
#
536
#
537
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
537
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
538
             iptables -F fail2ban-<name>
538
             iptables -F fail2ban-<name>
539
             iptables -X fail2ban-<name>
539
             iptables -X fail2ban-<name>
540
 
540
 
541
# Option:  actioncheck
541
# Option:  actioncheck
542
# Notes.:  command executed once before each actionban command
542
# Notes.:  command executed once before each actionban command
543
# Values:  CMD
543
# Values:  CMD
544
#
544
#
545
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
545
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
546
 
546
 
547
# Option:  actionban
547
# Option:  actionban
548
# Notes.:  command executed when banning an IP. Take care that the
548
# Notes.:  command executed when banning an IP. Take care that the
549
#          command is executed with Fail2Ban user rights.
549
#          command is executed with Fail2Ban user rights.
550
# Tags:    <ip>  IP address
550
# Tags:    <ip>  IP address
551
#          <failures>  number of failures
551
#          <failures>  number of failures
552
#          <time>  unix timestamp of the ban time
552
#          <time>  unix timestamp of the ban time
553
# Values:  CMD
553
# Values:  CMD
554
 
554
 
555
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
555
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
556
	    iptables -I fail2ban-<name> 1 -s <ip> -j DROP
556
	    iptables -I fail2ban-<name> 1 -s <ip> -j DROP
557
 
557
 
558
# Option:  actionunban
558
# Option:  actionunban
559
# Notes.:  command executed when unbanning an IP. Take care that the
559
# Notes.:  command executed when unbanning an IP. Take care that the
560
#          command is executed with Fail2Ban user rights.
560
#          command is executed with Fail2Ban user rights.
561
# Tags:    <ip>  IP address
561
# Tags:    <ip>  IP address
562
#          <failures>  number of failures
562
#          <failures>  number of failures
563
#          <time>  unix timestamp of the ban time
563
#          <time>  unix timestamp of the ban time
564
# Values:  CMD
564
# Values:  CMD
565
#
565
#
566
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
566
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
567
	      iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
567
	      iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
568
 
568
 
569
[Init]
569
[Init]
570
 
570
 
571
# Defaut name of the chain
571
# Defaut name of the chain
572
#
572
#
573
name = default
573
name = default
574
 
574
 
575
# Option:  protocol
575
# Option:  protocol
576
# Notes.:  internally used by config reader for interpolations.
576
# Notes.:  internally used by config reader for interpolations.
577
# Values:  [ tcp | udp | icmp | all ] Default: tcp
577
# Values:  [ tcp | udp | icmp | all ] Default: tcp
578
#
578
#
579
protocol = tcp
579
protocol = tcp
580
 
580
 
581
# Option:  chain
581
# Option:  chain
582
# Notes    specifies the iptables chain to which the fail2ban rules should be
582
# Notes    specifies the iptables chain to which the fail2ban rules should be
583
#          added
583
#          added
584
# Values:  STRING  Default: INPUT
584
# Values:  STRING  Default: INPUT
585
chain = INPUT
585
chain = INPUT
586
 
586
 
587
EOF
587
EOF
588
 
588
 
589
#Activation de l'unité
589
#Activation de l'unité
590
systemctl enable fail2ban.service
590
systemctl enable fail2ban.service
591
 
591