WebSVN – ALCASAR – Diff – /conf/fail2ban.sh


FAIL_CONF="/etc/fail2ban/fail2ban.conf"
JAIL_CONF="/etc/fail2ban/jail.conf"
DIR_FILTER="/etc/fail2ban/filter.d/"
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"
 
#########################################################
## Mise à jour du fichier de configuration de fail2ban ##
#########################################################
if(test -f $FAIL_CONF)
then
	mv $FAIL_CONF $FAIL_CONF.default
fi
cat << EOF > $FAIL_CONF
 
[Definition]
 
# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 3
 
# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log
 
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
 
# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
#         fail2ban server.
# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = /var/run/fail2ban/fail2ban.pid
EOF
 
#########################################################
## Mise à jour de la configuration de jail de fail2ban ##
#########################################################
if(test -f $JAIL_CONF)
then
	mv $JAIL_CONF $JAIL_CONF.default
fi
cat << EOF > $JAIL_CONF
 
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
 
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
 
[DEFAULT]
 
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
 
# "bantime" is the number of seconds that a host is banned.
bantime  = 300
 
# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)
# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes
findtime  = 60
 
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
 
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto
 
# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn
 
# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)
[alcasar_mod-evasive]
 
#enabled = true
enabled = false
filter = alcasar_mod-evasive
action = iptables-allports[name=alcasar_mod-evasive]
logpath = /var/log/httpd/error_log
maxretry = 2
 
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
[ssh-iptables]
 
enabled = true
#enabled  = false
filter   = sshd
action   = iptables-allports[name=SSH]
logpath  = /var/log/auth.log
maxretry = 3
 
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
[alcasar_htdigest]
 
enabled = true
#enabled = false
filter = alcasar_htdigest
action = iptables-allports[name=alcasar_htdigest]
logpath = /var/log/httpd/ssl_request_log
maxretry = 5
 
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
[alcasar_intercept]
 
enabled = true
#enabled = false
filter = alcasar_intercept
action = iptables-allports[name=alcasar_intercept]
logpath = /var/log/httpd/ssl_request_log
maxretry = 5
 
# Bannissement sur tout les port après 5 échecs de changement de mot de passe
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
[alcasar_change-pwd]
 
enabled = true
#enabled = false
filter = alcasar_change-pwd
action = iptables-allports[name=alcasar_change-pwd]
logpath = /var/log/httpd/ssl_request_log
maxretry = 5
 
EOF
 
##################################################
## Mise en place des filtres spécifiques	##
## - Mod_evasive.conf				##
## - htdigest.conf                      	##
## - intercept.conf				##
## - mot de passe				##
##################################################
 
######################
## MOD-EVASIVE.CONF ##
######################
cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = [[]client <HOST>[]] client denied by server configuration
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF
 
###################
## HTDIGEST.CONF ##
###################
cat << EOF > $DIR_FILTER/alcasar_htdigest.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
#failregex = [[]error[]] [[]client <HOST>[]] Digest:
failregex = [[]<HOST>[]] "GET /acc HTTP/1.1" 972
 
#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF
 
####################
## INTERCEPT.CONF ##
####################
cat << EOF > $DIR_FILTER/alcasar_intercept.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
#failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]GET \/intercept\.php\?res=failed[&]reason=reject
failregex = [[]<HOST>[]] ["]GET \/intercept\.php\?res=failed[&]reason=reject
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF
 
#######################
## MOT_DE_PASSE.CONF ##
#######################
cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf
 
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
#failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]POST \/pass\/index\.php HTTP
failregex = [[]<HOST>[]] ["]POST /pass/index.php HTTP/1.1" 11169
 
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF
 
##############################################
##   Log sur ULOG quand iptables-allports   ##
##############################################
if ( test -f $ACTION_ALLPORTS )
then
	mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default
fi
cat << EOF > $ACTION_ALLPORTS
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# 			made active on all ports from original iptables.conf
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
 
# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
 
# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
 
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
 
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
	    iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 
# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
	      iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
 
[Init]
 
# Defaut name of the chain
#
name = default
 
# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
 
# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT
 
EOF
 

Rev 1388	Rev 1410
1	`FAIL_CONF="/etc/fail2ban/fail2ban.conf"`	1	`FAIL_CONF="/etc/fail2ban/fail2ban.conf"`
2	`JAIL_CONF="/etc/fail2ban/jail.conf"`	2	`JAIL_CONF="/etc/fail2ban/jail.conf"`
3	`DIR_FILTER="/etc/fail2ban/filter.d/"`	3	`DIR_FILTER="/etc/fail2ban/filter.d/"`
4	`ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"`	4	`ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"`
5		5
6	`#########################################################`	6	`#########################################################`
7	`## Mise à jour du fichier de configuration de fail2ban ##`	7	`## Mise à jour du fichier de configuration de fail2ban ##`
8	`#########################################################`	8	`#########################################################`
9	`if(test -f $FAIL_CONF)`	9	`if(test -f $FAIL_CONF)`
10	`then`	10	`then`
11	`mv $FAIL_CONF $FAIL_CONF.default`	11	`mv $FAIL_CONF $FAIL_CONF.default`
12	`fi`	12	`fi`
13	`cat << EOF > $FAIL_CONF`	13	`cat << EOF > $FAIL_CONF`
14		14
15	`[Definition]`	15	`[Definition]`
16		16
17	`# Option: loglevel`	17	`# Option: loglevel`
18	`# Notes.: Set the log level output.`	18	`# Notes.: Set the log level output.`
19	`# 1 = ERROR`	19	`# 1 = ERROR`
20	`# 2 = WARN`	20	`# 2 = WARN`
21	`# 3 = INFO`	21	`# 3 = INFO`
22	`# 4 = DEBUG`	22	`# 4 = DEBUG`
23	`# Values: NUM Default: 3`	23	`# Values: NUM Default: 3`
24	`#`	24	`#`
25	`loglevel = 3`	25	`loglevel = 3`
26		26
27	`# Option: logtarget`	27	`# Option: logtarget`
28	`# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.`	28	`# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.`
29	`# Only one log target can be specified.`	29	`# Only one log target can be specified.`
30	`# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log`	30	`# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log`
31	`#`	31	`#`
32	`logtarget = /var/log/fail2ban.log`	32	`logtarget = /var/log/fail2ban.log`
33		33
34	`# Option: socket`	34	`# Option: socket`
35	`# Notes.: Set the socket file. This is used to communicate with the daemon. Do`	35	`# Notes.: Set the socket file. This is used to communicate with the daemon. Do`
36	`# not remove this file when Fail2ban runs. It will not be possible to`	36	`# not remove this file when Fail2ban runs. It will not be possible to`
37	`# communicate with the server afterwards.`	37	`# communicate with the server afterwards.`
38	`# Values: FILE Default: /var/run/fail2ban/fail2ban.sock`	38	`# Values: FILE Default: /var/run/fail2ban/fail2ban.sock`
39	`#`	39	`#`
40	`socket = /var/run/fail2ban/fail2ban.sock`	40	`socket = /var/run/fail2ban/fail2ban.sock`
-		41
-		42	`# Option: pidfile`
-		43	`# Notes.: Set the PID file. This is used to store the process ID of the`
-		44	`# fail2ban server.`
-		45	`# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid`
-		46	`#`
-		47	`pidfile = /var/run/fail2ban/fail2ban.pid`
41	`EOF`	48	`EOF`
42		49
43	`#########################################################`	50	`#########################################################`
44	`## Mise à jour de la configuration de jail de fail2ban ##`	51	`## Mise à jour de la configuration de jail de fail2ban ##`
45	`#########################################################`	52	`#########################################################`
46	`if(test -f $JAIL_CONF)`	53	`if(test -f $JAIL_CONF)`
47	`then`	54	`then`
48	`mv $JAIL_CONF $JAIL_CONF.default`	55	`mv $JAIL_CONF $JAIL_CONF.default`
49	`fi`	56	`fi`
50	`cat << EOF > $JAIL_CONF`	57	`cat << EOF > $JAIL_CONF`
51		58
52	`# Fail2Ban configuration file`	59	`# Fail2Ban configuration file`
53	`#`	60	`#`
54	`# Author: Cyril Jaquier`	61	`# Author: Cyril Jaquier`
55	`# Adapted by ALCASAR team`	62	`# Adapted by ALCASAR team`
56		63
57		64
58	`# The DEFAULT allows a global definition of the options. They can be overridden`	65	`# The DEFAULT allows a global definition of the options. They can be overridden`
59	`# in each jail afterwards.`	66	`# in each jail afterwards.`
60		67
61	`[DEFAULT]`	68	`[DEFAULT]`
62		69
63	`# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not`	70	`# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not`
64	`# ban a host which matches an address in this list. Several addresses can be`	71	`# ban a host which matches an address in this list. Several addresses can be`
65	`# defined using space separator.`	72	`# defined using space separator.`
66	`ignoreip = 127.0.0.1/8`	73	`ignoreip = 127.0.0.1/8`
67		74
68	`# "bantime" is the number of seconds that a host is banned.`	75	`# "bantime" is the number of seconds that a host is banned.`
69	`bantime = 300`	76	`bantime = 300`
70		77
71	`# A host is banned if it has generated "maxretry" during the last "findtime" seconds.`	78	`# A host is banned if it has generated "maxretry" during the last "findtime" seconds.`
72	`# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)`	79	`# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)`
73	`# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes`	80	`# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes`
74	`findtime = 60`	81	`findtime = 60`
75		82
76	`# "maxretry" is the number of failures before a host get banned.`	83	`# "maxretry" is the number of failures before a host get banned.`
77	`maxretry = 5`	84	`maxretry = 5`
78		85
79	`# "backend" specifies the backend used to get files modification. Available`	86	`# "backend" specifies the backend used to get files modification. Available`
80	`# options are "gamin", "polling" and "auto". This option can be overridden in`	87	`# options are "gamin", "polling" and "auto". This option can be overridden in`
81	`# each jail too (use "gamin" for a jail and "polling" for another).`	88	`# each jail too (use "gamin" for a jail and "polling" for another).`
82	`#`	89	`#`
83	`# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin`	90	`# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin`
84	`# is not installed, Fail2ban will use polling.`	91	`# is not installed, Fail2ban will use polling.`
85	`# polling: uses a polling algorithm which does not require external libraries.`	92	`# polling: uses a polling algorithm which does not require external libraries.`
86	`# auto: will choose Gamin if available and polling otherwise.`	93	`# auto: will choose Gamin if available and polling otherwise.`
87	`backend = auto`	94	`backend = auto`
88		95
-		96	`# "usedns" specifies if jails should trust hostnames in logs,`
-		97	`# warn when DNS lookups are performed, or ignore all hostnames in logs`
-		98	`#`
-		99	`# yes: if a hostname is encountered, a DNS lookup will be performed.`
-		100	`# warn: if a hostname is encountered, a DNS lookup will be performed,`
-		101	`# but it will be logged as a warning.`
-		102	`# no: if a hostname is encountered, will not be used for banning,`
-		103	`# but it will be logged as info.`
-		104	`usedns = warn`
-		105
89	`# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)`	106	`# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)`
90	`[alcasar_mod-evasive]`	107	`[alcasar_mod-evasive]`
91		108
92	`enabled = true`	109	`#enabled = true`
93	`#enabled = false`	110	`enabled = false`
94	`filter = mod-evasive`	111	`filter = alcasar_mod-evasive`
95	`action = iptables-allports[name=alcasar_mod-evasive]`	112	`action = iptables-allports[name=alcasar_mod-evasive]`
96	`logpath = /var/log/httpd/error_log`	113	`logpath = /var/log/httpd/error_log`
97	`maxretry = 2`	114	`maxretry = 2`
98		115
99	`# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)`	116	`# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)`
100	`[ssh-iptables]`	117	`[ssh-iptables]`
101		118
102	`enabled = true`	119	`enabled = true`
103	`#enabled = false`	120	`#enabled = false`
104	`filter = sshd`	121	`filter = sshd`
105	`action = iptables-allports[name=SSH]`	122	`action = iptables-allports[name=SSH]`
106	`logpath = /var/log/auth.log`	123	`logpath = /var/log/auth.log`
107	`maxretry = 3`	124	`maxretry = 3`
108		125
109	`# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)`	126	`# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)`
110	`[alcasar_htdigest]`	127	`[alcasar_htdigest]`
111		128
112	`enabled = true`	129	`enabled = true`
113	`#enabled = false`	130	`#enabled = false`
114	`filter = htdigest`	131	`filter = alcasar_htdigest`
115	`action = iptables-allports[name=alcasar_htdigest]`	132	`action = iptables-allports[name=alcasar_htdigest]`
116	`logpath = /var/log/httpd/ssl_error_log`	133	`logpath = /var/log/httpd/ssl_request_log`
117	`maxretry = 5`	134	`maxretry = 5`
118		135
119	`# Bannissement sur tout les ports après 5 echecs de connexion pour un usager`	136	`# Bannissement sur tout les ports après 5 echecs de connexion pour un usager`
120	`[alcasar_intercept]`	137	`[alcasar_intercept]`
121		138
122	`enabled = true`	139	`enabled = true`
123	`#enabled = false`	140	`#enabled = false`
124	`filter = intercept`	141	`filter = alcasar_intercept`
125	`action = iptables-allports[name=alcasar_intercept]`	142	`action = iptables-allports[name=alcasar_intercept]`
126	`logpath = /var/log/httpd/ssl_request_log`	143	`logpath = /var/log/httpd/ssl_request_log`
127	`maxretry = 5`	144	`maxretry = 5`
128		145
129	`# Bannissement sur tout les port après 5 échecs de changement de mot de passe`	146	`# Bannissement sur tout les port après 5 échecs de changement de mot de passe`
130	`# 5 POST pour changer le mot de passe que le POST soit ok ou non.`	147	`# 5 POST pour changer le mot de passe que le POST soit ok ou non.`
131	`[alcasar_change-password]`	148	`[alcasar_change-pwd]`
132		149
133	`enabled = true`	150	`enabled = true`
134	`#enabled = false`	151	`#enabled = false`
135	`filter = mot_de_passe`	152	`filter = alcasar_change-pwd`
136	`action = iptables-allports[name=alcasar_change-password]`	153	`action = iptables-allports[name=alcasar_change-pwd]`
137	`logpath = /var/log/httpd/ssl_request_log`	154	`logpath = /var/log/httpd/ssl_request_log`
138	`maxretry = 5`	155	`maxretry = 5`
-		156
139	`EOF`	157	`EOF`
140		158
141	`##################################################`	159	`##################################################`
142	`## Mise en place des filtres spécifiques ##`	160	`## Mise en place des filtres spécifiques ##`
143	`## - Mod_evasive.conf ##`	161	`## - Mod_evasive.conf ##`
144	`## - htdigest.conf ##`	162	`## - htdigest.conf ##`
145	`## - intercept.conf ##`	163	`## - intercept.conf ##`
146	`## - mot de passe ##`	164	`## - mot de passe ##`
147	`##################################################`	165	`##################################################`
148		166
149	`######################`	167	`######################`
150	`## MOD-EVASIVE.CONF ##`	168	`## MOD-EVASIVE.CONF ##`
151	`######################`	169	`######################`
152	`cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf`	170	`cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf`
153	`# Fail2Ban configuration file`	171	`# Fail2Ban configuration file`
154	`#`	172	`#`
155	`# Author: Cyril Jaquier`	173	`# Author: Cyril Jaquier`
156	`# Adapted by ALCASAR team`	174	`# Adapted by ALCASAR team`
157		175
158	`[Definition]`	176	`[Definition]`
159		177
160	`# Option: failregex`	178	`# Option: failregex`
161	`# Notes.: regex to match the password failure messages in the logfile. The`	179	`# Notes.: regex to match the password failure messages in the logfile. The`
162	`# host must be matched by a group named "host". The tag "<HOST>" can`	180	`# host must be matched by a group named "host". The tag "<HOST>" can`
163	`# be used for standard IP/hostname matching and is only an alias for`	181	`# be used for standard IP/hostname matching and is only an alias for`
164	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`	182	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
165	`# Values: TEXT`	183	`# Values: TEXT`
166	`#`	184	`#`
167	`failregex = [[]client <HOST>[]] client denied by server configuration`	185	`failregex = [[]client <HOST>[]] client denied by server configuration`
168		186
169	`# Option: ignoreregex`	187	`# Option: ignoreregex`
170	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`	188	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
171	`# Values: TEXT`	189	`# Values: TEXT`
172	`#`	190	`#`
173	`ignoreregex =`	191	`ignoreregex =`
174	`EOF`	192	`EOF`
175		193
176	`###################`	194	`###################`
177	`## HTDIGEST.CONF ##`	195	`## HTDIGEST.CONF ##`
178	`###################`	196	`###################`
179	`cat << EOF > $DIR_FILTER/alcasar_htdigest.conf`	197	`cat << EOF > $DIR_FILTER/alcasar_htdigest.conf`
180	`# Fail2Ban configuration file`	198	`# Fail2Ban configuration file`
181	`#`	199	`#`
182	`# Author: Cyril Jaquier`	200	`# Author: Cyril Jaquier`
183	`# Adapted by ALCASAR team`	201	`# Adapted by ALCASAR team`
184		202
185	`[Definition]`	203	`[Definition]`
186		204
187	`# Option: failregex`	205	`# Option: failregex`
188	`# Notes.: regex to match the password failure messages in the logfile. The`	206	`# Notes.: regex to match the password failure messages in the logfile. The`
189	`# host must be matched by a group named "host". The tag "<HOST>" can`	207	`# host must be matched by a group named "host". The tag "<HOST>" can`
190	`# be used for standard IP/hostname matching and is only an alias for`	208	`# be used for standard IP/hostname matching and is only an alias for`
191	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`	209	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
192	`# Values: TEXT`	210	`# Values: TEXT`
193	`#`	211	`#`
194	`failregex = [[]error[]] [[]client <HOST>[]] Digest:`	212	`#failregex = [[]error[]] [[]client <HOST>[]] Digest:`
-		213	`failregex = [[]<HOST>[]] "GET /acc HTTP/1.1" 972`
-		214
-		215	`#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]`
195		216
196	`# Option: ignoreregex`	217	`# Option: ignoreregex`
197	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`	218	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
198	`# Values: TEXT`	219	`# Values: TEXT`
199	`#`	220	`#`
200	`ignoreregex =`	221	`ignoreregex =`
201	`EOF`	222	`EOF`
202		223
203	`####################`	224	`####################`
204	`## INTERCEPT.CONF ##`	225	`## INTERCEPT.CONF ##`
205	`####################`	226	`####################`
206	`cat << EOF > $DIR_FILTER/alcasar_intercept.conf`	227	`cat << EOF > $DIR_FILTER/alcasar_intercept.conf`
207	`# Fail2Ban configuration file`	228	`# Fail2Ban configuration file`
208	`#`	229	`#`
209	`# Author: Cyril Jaquier`	230	`# Author: Cyril Jaquier`
210	`# Adapted by ALCASAR team`	231	`# Adapted by ALCASAR team`
211		232
212	`[Definition]`	233	`[Definition]`
213		234
214	`# Option: failregex`	235	`# Option: failregex`
215	`# Notes.: regex to match the password failure messages in the logfile. The`	236	`# Notes.: regex to match the password failure messages in the logfile. The`
216	`# host must be matched by a group named "host". The tag "<HOST>" can`	237	`# host must be matched by a group named "host". The tag "<HOST>" can`
217	`# be used for standard IP/hostname matching and is only an alias for`	238	`# be used for standard IP/hostname matching and is only an alias for`
218	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`	239	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
219	`# Values: TEXT`	240	`# Values: TEXT`
220	`#`	241	`#`
221	`failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]GET \/intercept\.php\?res=failed[&]reason=reject`	242	`#failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]GET \/intercept\.php\?res=failed[&]reason=reject`
-		243	`failregex = [[]<HOST>[]] ["]GET \/intercept\.php\?res=failed[&]reason=reject`
222		244
223	`# Option: ignoreregex`	245	`# Option: ignoreregex`
224	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`	246	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
225	`# Values: TEXT`	247	`# Values: TEXT`
226	`#`	248	`#`
227	`ignoreregex =`	249	`ignoreregex =`
228	`EOF`	250	`EOF`
229		251
230	`#######################`	252	`#######################`
231	`## MOT_DE_PASSE.CONF ##`	253	`## MOT_DE_PASSE.CONF ##`
232	`#######################`	254	`#######################`
233	`cat << EOF > $DIR_FILTER/alcasar_change-password.conf`	255	`cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf`
234		256
235	`# Fail2Ban configuration file`	257	`# Fail2Ban configuration file`
236	`#`	258	`#`
237	`# Author: Cyril Jaquier`	259	`# Author: Cyril Jaquier`
238	`# Adapted by ALCASAR team`	260	`# Adapted by ALCASAR team`
239		261
240	`[Definition]`	262	`[Definition]`
241		263
242	`# Option: failregex`	264	`# Option: failregex`
243	`# Notes.: regex to match the password failure messages in the logfile. The`	265	`# Notes.: regex to match the password failure messages in the logfile. The`
244	`# host must be matched by a group named "host". The tag "<HOST>" can`	266	`# host must be matched by a group named "host". The tag "<HOST>" can`
245	`# be used for standard IP/hostname matching and is only an alias for`	267	`# be used for standard IP/hostname matching and is only an alias for`
246	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`	268	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
247	`# Values: TEXT`	269	`# Values: TEXT`
248	`#`	270	`#`
249	`failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]POST \/pass\/index\.php HTTP`	271	`#failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]POST \/pass\/index\.php HTTP`
-		272	`failregex = [[]<HOST>[]] ["]POST /pass/index.php HTTP/1.1" 11169`
-		273
250		274
251	`# Option: ignoreregex`	275	`# Option: ignoreregex`
252	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`	276	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
253	`# Values: TEXT`	277	`# Values: TEXT`
254	`#`	278	`#`
255	`ignoreregex =`	279	`ignoreregex =`
256	`EOF`	280	`EOF`
257		281
258	`##############################################`	282	`##############################################`
259	`## Log sur ULOG quand iptables-allports ##`	283	`## Log sur ULOG quand iptables-allports ##`
260	`##############################################`	284	`##############################################`
261	`if ( test -f $ACTION_ALLPORTS )`	285	`if ( test -f $ACTION_ALLPORTS )`
262	`then`	286	`then`
263	`mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default`	287	`mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default`
264	`fi`	288	`fi`
265	`cat << EOF > $ACTION_ALLPORTS`	289	`cat << EOF > $ACTION_ALLPORTS`
266	`# Fail2Ban configuration file`	290	`# Fail2Ban configuration file`
267	`#`	291	`#`
268	`# Author: Cyril Jaquier`	292	`# Author: Cyril Jaquier`
269	`# Modified: Yaroslav O. Halchenko <debian@onerussian.com>`	293	`# Modified: Yaroslav O. Halchenko <debian@onerussian.com>`
270	`# made active on all ports from original iptables.conf`	294	`# made active on all ports from original iptables.conf`
271	`# Adapted by ALCASAR team`	295	`# Adapted by ALCASAR team`
272		296
273	`[Definition]`	297	`[Definition]`
274		298
275	`# Option: actionstart`	299	`# Option: actionstart`
276	`# Notes.: command executed once at the start of Fail2Ban.`	300	`# Notes.: command executed once at the start of Fail2Ban.`
277	`# Values: CMD`	301	`# Values: CMD`
278	`#`	302	`#`
279	`actionstart = iptables -N fail2ban-<name>`	303	`actionstart = iptables -N fail2ban-<name>`
280	`iptables -A fail2ban-<name> -j RETURN`	304	`iptables -A fail2ban-<name> -j RETURN`
281	`iptables -I <chain> -p <protocol> -j fail2ban-<name>`	305	`iptables -I <chain> -p <protocol> -j fail2ban-<name>`
282		306
283	`# Option: actionstop`	307	`# Option: actionstop`
284	`# Notes.: command executed once at the end of Fail2Ban`	308	`# Notes.: command executed once at the end of Fail2Ban`
285	`# Values: CMD`	309	`# Values: CMD`
286	`#`	310	`#`
287	`actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>`	311	`actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>`
288	`iptables -F fail2ban-<name>`	312	`iptables -F fail2ban-<name>`
289	`iptables -X fail2ban-<name>`	313	`iptables -X fail2ban-<name>`
290		314
291	`# Option: actioncheck`	315	`# Option: actioncheck`
292	`# Notes.: command executed once before each actionban command`	316	`# Notes.: command executed once before each actionban command`
293	`# Values: CMD`	317	`# Values: CMD`
294	`#`	318	`#`
295	`actioncheck = iptables -n -L <chain> \| grep -q fail2ban-<name>`	319	`actioncheck = iptables -n -L <chain> \| grep -q fail2ban-<name>`
296		320
297	`# Option: actionban`	321	`# Option: actionban`
298	`# Notes.: command executed when banning an IP. Take care that the`	322	`# Notes.: command executed when banning an IP. Take care that the`
299	`# command is executed with Fail2Ban user rights.`	323	`# command is executed with Fail2Ban user rights.`
300	`# Tags: <ip> IP address`	324	`# Tags: <ip> IP address`
301	`# <failures> number of failures`	325	`# <failures> number of failures`
302	`# <time> unix timestamp of the ban time`	326	`# <time> unix timestamp of the ban time`
303	`# Values: CMD`	327	`# Values: CMD`
304		328
305	`actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"`	329	`actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"`
306	`iptables -I fail2ban-<name> 1 -s <ip> -j DROP`	330	`iptables -I fail2ban-<name> 1 -s <ip> -j DROP`
307		331
308	`# Option: actionunban`	332	`# Option: actionunban`
309	`# Notes.: command executed when unbanning an IP. Take care that the`	333	`# Notes.: command executed when unbanning an IP. Take care that the`
310	`# command is executed with Fail2Ban user rights.`	334	`# command is executed with Fail2Ban user rights.`
311	`# Tags: <ip> IP address`	335	`# Tags: <ip> IP address`
312	`# <failures> number of failures`	336	`# <failures> number of failures`
313	`# <time> unix timestamp of the ban time`	337	`# <time> unix timestamp of the ban time`
314	`# Values: CMD`	338	`# Values: CMD`
315	`#`	339	`#`
316	`actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP`	340	`actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP`
317	`iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"`	341	`iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"`
318		342
319	`[Init]`	343	`[Init]`
320		344
321	`# Defaut name of the chain`	345	`# Defaut name of the chain`
322	`#`	346	`#`
323	`name = default`	347	`name = default`
324		348
325	`# Option: protocol`	349	`# Option: protocol`
326	`# Notes.: internally used by config reader for interpolations.`	350	`# Notes.: internally used by config reader for interpolations.`
327	`# Values: [ tcp \| udp \| icmp \| all ] Default: tcp`	351	`# Values: [ tcp \| udp \| icmp \| all ] Default: tcp`
328	`#`	352	`#`
329	`protocol = tcp`	353	`protocol = tcp`
330		354
331	`# Option: chain`	355	`# Option: chain`
332	`# Notes specifies the iptables chain to which the fail2ban rules should be`	356	`# Notes specifies the iptables chain to which the fail2ban rules should be`
333	`# added`	357	`# added`
334	`# Values: STRING Default: INPUT`	358	`# Values: STRING Default: INPUT`
335	`chain = INPUT`	359	`chain = INPUT`
336		360
337	`EOF`	361	`EOF`
338		362

Subversion Repositories ALCASAR

(root)/conf/fail2ban.sh @ 2864 – Rev 1388 → 1410