WebSVN – ALCASAR – Diff – /conf/fail2ban.sh

 FAIL_CONF="/etc/fail2ban/fail2ban.conf"
 JAIL_CONF="/etc/fail2ban/jail.conf"
 DIR_FILTER="/etc/fail2ban/filter.d/"
 ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"
-if(test -f $FAIL_CONF)
-then
-	mv $FAIL_CONF $FAIL_CONF.old
-fi
-if(test -f $JAIL_CONF)
-then
-	mv $JAIL_CONF $JAIL_CONF.old
-fi
 #########################################################
 ## Mise à jour du fichier de configuration de fail2ban ##
 #########################################################
+if(test -f $FAIL_CONF)
+then
+	mv $FAIL_CONF $FAIL_CONF.default
+fi
 cat << EOF > $FAIL_CONF
 [Definition]
 # Option:  loglevel
 EOF
 #########################################################
 ## Mise à jour de la configuration de jail de fail2ban ##
 #########################################################
+if(test -f $JAIL_CONF)
+then
+	mv $JAIL_CONF $JAIL_CONF.default
+fi
 cat << EOF > $JAIL_CONF
 # Fail2Ban configuration file
+#
 # Author: Cyril Jaquier
-#
-# $Revision$
+# Adapted by ALCASAR team
-#
 # The DEFAULT allows a global definition of the options. They can be overridden
 # in each jail afterwards.
 [DEFAULT]
 ignoreip = 127.0.0.1/8
 # "bantime" is the number of seconds that a host is banned.
 bantime  = 300
-# A host is banned if it has generated "maxretry" during the last "findtime"
+# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
-# seconds.
-# Un client est banni dans le cas ou il genere "maxretry" pendant le temps
+# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)
-# findtime en seconds
-# Ici 5 requetes remplissant les filtres en 60 secondes
+# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes
 findtime  = 60
 # "maxretry" is the number of failures before a host get banned.
 maxretry = 5
 #          is not installed, Fail2ban will use polling.
 # polling: uses a polling algorithm which does not require external libraries.
 # auto:    will choose Gamin if available and polling otherwise.
 backend = auto
-# This jail corresponds to the standard configuration in Fail2ban 0.6.
-# The mail-whois action send a notification e-mail with a whois request
-# in the body.
-# Bannissement si Mod_evasive bannie un @IP après 2 interdit par Apache alors BAN sur tous les ports
+# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)
-[mod-evasive]
+[alcasar_mod-evasive]
 enabled = true
 #enabled = false
 filter = mod-evasive
-action = iptables-allports[name=mod-evasive]
+action = iptables-allports[name=alcasar_mod-evasive]
 logpath = /var/log/httpd/error_log
 maxretry = 2
-# Bannissement pour SSH-Brute-Force
+# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
 [ssh-iptables]
 enabled = true
 #enabled  = false
 filter   = sshd
 action   = iptables-allports[name=SSH]
 logpath  = /var/log/auth.log
 maxretry = 3
-# Bannissement si 5 échec de connexion sur alcasar/acc
+# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
-[htdigest]
+[alcasar_htdigest]
 enabled = true
 #enabled = false
 filter = htdigest
-action = iptables-allports[name=htdigest]
+action = iptables-allports[name=alcasar_htdigest]
 logpath = /var/log/httpd/ssl_error_log
 maxretry = 5
-# Bannissement si 5 echec de connexion sur intercept.php (reason=reject)
+# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
-[intercept]
+[alcasar_intercept]
 enabled = true
 #enabled = false
 filter = intercept
-action = iptables-allports[name=intercept]
+action = iptables-allports[name=alcasar_intercept]
 logpath = /var/log/httpd/ssl_request_log
 maxretry = 5
-# Bannissement si 5 tentatives de changement de mot de passe en moins de 1 min
+# Bannissement sur tout les port après 5 échecs de changement de mot de passe
 # 5 POST pour changer le mot de passe que le POST soit ok ou non.
-[mot_de_passe]
+[alcasar_change-password]
 enabled = true
 #enabled = false
 filter = mot_de_passe
-action = iptables-allports[name=Mot_de_Passe]
+action = iptables-allports[name=alcasar_change-password]
 logpath = /var/log/httpd/ssl_request_log
 maxretry = 5
-[proftpd-iptables]
-enabled  = false
-filter   = proftpd
-action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
-           sendmail-whois[name=ProFTPD, dest=you@example.com]
-logpath  = /var/log/proftpd/proftpd.log
-maxretry = 6
-# This jail forces the backend to "polling".
-[sasl-iptables]
-enabled  = false
-filter   = sasl
-backend  = polling
-action   = iptables[name=sasl, port=smtp, protocol=tcp]
-           sendmail-whois[name=sasl, dest=you@example.com]
-logpath  = /var/log/mail.log
-# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
-# used to avoid banning the user "myuser".
-[ssh-tcpwrapper]
-enabled     = false
-filter      = sshd
-action      = hostsdeny
-              sendmail-whois[name=SSH, dest=you@example.com]
-ignoreregex = for myuser from
-logpath     = /var/log/auth.log
-# This jail demonstrates the use of wildcards in "logpath".
-# Moreover, it is possible to give other files on a new line.
-[apache-tcpwrapper]
-enabled  = false
-filter	 = apache-auth
-action   = hostsdeny
-logpath  = /var/log/apache*/*error.log
-           /home/www/myhomepage/error.log
-maxretry = 6
-# The hosts.deny path can be defined with the "file" argument if it is
-# not in /etc.
-[postfix-tcpwrapper]
-enabled  = false
-filter   = postfix
-action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
-           sendmail[name=Postfix, dest=you@example.com]
-logpath  = /var/log/postfix.log
-bantime  = 300
-# Do not ban anybody. Just report information about the remote host.
-# A notification is sent at most every 600 seconds (bantime).
-[vsftpd-notification]
-enabled  = false
-filter   = vsftpd
-action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
-logpath  = /var/log/vsftpd.log
-maxretry = 5
-bantime  = 1800
-# Same as above but with banning the IP address.
-[vsftpd-iptables]
-enabled  = false
-filter   = vsftpd
-action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
-           sendmail-whois[name=VSFTPD, dest=you@example.com]
-logpath  = /var/log/vsftpd.log
-maxretry = 5
-bantime  = 1800
-# Ban hosts which agent identifies spammer robots crawling the web
-# for email addresses. The mail outputs are buffered.
-[apache-badbots]
-enabled  = false
-filter   = apache-badbots
-action   = iptables-multiport[name=BadBots, port="http,https"]
-           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
-logpath  = /var/www/*/logs/access_log
-bantime  = 172800
-maxretry = 1
-# Use shorewall instead of iptables.
-[apache-shorewall]
-enabled  = false
-filter   = apache-noscript
-action   = shorewall
-           sendmail[name=Postfix, dest=you@example.com]
-logpath  = /var/log/apache2/error_log
-# Ban attackers that try to use PHP's URL-fopen() functionality
-# through GET/POST variables. - Experimental, with more than a year
-# of usage in production environments.
-[php-url-fopen]
-enabled = false
-port    = http,https
-filter  = php-url-fopen
-logpath = /var/www/*/logs/access_log
-maxretry = 1
-# A simple PHP-fastcgi jail which works with lighttpd.
-# If you run a lighttpd server, then you probably will
-# find these kinds of messages in your error_log:
-# ALERT – tried to register forbidden variable ‘GLOBALS’
-# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
-# This jail would block the IP 1.2.3.4.
-[lighttpd-fastcgi]
-enabled = false
-port    = http,https
-filter  = lighttpd-fastcgi
-# adapt the following two items as needed
-logpath = /var/log/lighttpd/error.log
-maxretry = 2
-# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
-# option is overridden in this jail. Moreover, the action "mail-whois" defines
-# the variable "name" which contains a comma using "". The characters '' are
-# valid too.
-[ssh-ipfw]
-enabled  = false
-filter   = sshd
-action   = ipfw[localhost=192.168.0.1]
-           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
-logpath  = /var/log/auth.log
-ignoreip = 168.192.0.1
-# These jails block attacks against named (bind9). By default, logging is off
-# with bind9 installation. You will need something like this:
-#
-# logging {
-#     channel security_file {
-#         file "/var/log/named/security.log" versions 3 size 30m;
-#         severity dynamic;
-#         print-time yes;
-#     };
-#     category security {
-#         security_file;
-#     };
-# };
-#
-# in your named.conf to provide proper logging.
-# This jail blocks UDP traffic for DNS requests.
-# !!! WARNING !!!
-#   Since UDP is connection-less protocol, spoofing of IP and imitation
-#   of illegal actions is way too simple.  Thus enabling of this filter
-#   might provide an easy way for implementing a DoS against a chosen
-#   victim. See
-#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
-#   Please DO NOT USE this jail unless you know what you are doing.
-#
-# [named-refused-udp]
-#
-# enabled  = false
-# filter   = named-refused
-# action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
-#            sendmail-whois[name=Named, dest=you@example.com]
-# logpath  = /var/log/named/security.log
-# ignoreip = 168.192.0.1
-# This jail blocks TCP traffic for DNS requests.
-[named-refused-tcp]
-enabled  = false
-filter   = named-refused
-action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
-           sendmail-whois[name=Named, dest=you@example.com]
-logpath  = /var/log/named/security.log
-ignoreip = 168.192.0.1
 EOF
-###########################################
+##################################################
-## Mise en place des filters spécifiques ##
+## Mise en place des filtres spécifiques	##
-## - Mod_evasive.conf                    ##
+## - Mod_evasive.conf				##
-## - htdigest.conf                       ##
+## - htdigest.conf                      	##
-## -
+## - intercept.conf				##
-## -
+## - mot de passe				##
-###########################################
+##################################################
 ######################
 ## MOD-EVASIVE.CONF ##
 ######################
-if (test -f $DIR_FILTER/mod-evasive.conf)
-then
-	mv $DIR_FILTER/mod-evasive.conf $DIR_FILTER/mod-evasive.conf.old
-fi
-cat << EOF > $DIR_FILTER/mod-evasive.conf
+cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf
 # Fail2Ban configuration file
+#
 # Author: Cyril Jaquier
-#
-# $Revision$
+# Adapted by ALCASAR team
-#
 [Definition]
 # Option:  failregex
 # Notes.:  regex to match the password failure messages in the logfile. The
 EOF
 ###################
 ## HTDIGEST.CONF ##
 ###################
-if ( test -f $DIR_FILTER/htdigest.conf)
-then
-	mv $DIR_FILTER/htdigest.conf $DIR_FILTER/htdigest.conf.old
-fi
-cat << EOF > $DIR_FILTER/htdigest.conf
+cat << EOF > $DIR_FILTER/alcasar_htdigest.conf
 # Fail2Ban configuration file
+#
 # Author: Cyril Jaquier
-#
-# $Revision$
+# Adapted by ALCASAR team
-#
 [Definition]
 # Option:  failregex
 # Notes.:  regex to match the password failure messages in the logfile. The
 EOF
 ####################
 ## INTERCEPT.CONF ##
 ####################
-if ( test -f $DIR_FILTER/intercept.conf)
-then
-	mv $DIR_FILTER/intercept.conf $DIR_FILTER/intercept.conf.old
-fi
-cat << EOF > $DIR_FILTER/intercept.conf
+cat << EOF > $DIR_FILTER/alcasar_intercept.conf
 # Fail2Ban configuration file
+#
 # Author: Cyril Jaquier
-#
-# $Revision$
+# Adapted by ALCASAR team
-#
 [Definition]
 # Option:  failregex
 # Notes.:  regex to match the password failure messages in the logfile. The
 EOF
 #######################
 ## MOT_DE_PASSE.CONF ##
 #######################
-if ( test -f $DIR_FILTER/mot_de_passe.conf )
-then
-	mv $DIR_FILTER/mot_de_passe.conf $DIR_FILTER/mot_de_passe.conf.old
-fi
-cat << EOF > $DIR_FILTER/mot_de_passe.conf
+cat << EOF > $DIR_FILTER/alcasar_change-password.conf
 # Fail2Ban configuration file
+#
 # Author: Cyril Jaquier
-#
-# $Revision$
+# Adapted by ALCASAR team
-#
 [Definition]
 # Option:  failregex
 # Notes.:  regex to match the password failure messages in the logfile. The
 # Values:  TEXT
+#
 ignoreregex =
 EOF
 ##############################################
-## Log sur Iptables quand iptables-allports ##
+##   Log sur ULOG quand iptables-allports   ##
 ##############################################
 if ( test -f $ACTION_ALLPORTS )
 then
-	mv $ACTION_ALLPORTS $ACTION_ALLPORTS.old
+	mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default
 fi
 cat << EOF > $ACTION_ALLPORTS
 # Fail2Ban configuration file
+#
 # Author: Cyril Jaquier
 # Modified: Yaroslav O. Halchenko <debian@onerussian.com>
 # 			made active on all ports from original iptables.conf
-#
-# $Revision$
+# Adapted by ALCASAR team
-#
 [Definition]
 # Option:  actionstart
 # Notes.:  command executed once at the start of Fail2Ban.
 #          added
 # Values:  STRING  Default: INPUT
 chain = INPUT
 EOF
-#Activation de l'unité
-systemctl enable fail2ban.service

Subversion Repositories ALCASAR

(root)/conf/fail2ban.sh – Rev 1270 → 1388