

Rev 1410 Rev 2271
Line -... Line 1...
-
 
1
#!/bin/sh
-
 
2
# $Id: fail2ban.sh 2271 2017-06-04 18:45:27Z tom.houdayer $
-
 
3
 
1
FAIL_CONF="/etc/fail2ban/fail2ban.conf"
4
FAIL_CONF="/etc/fail2ban/fail2ban.conf"
2
JAIL_CONF="/etc/fail2ban/jail.conf"
5
JAIL_CONF="/etc/fail2ban/jail.conf"
3
DIR_FILTER="/etc/fail2ban/filter.d/"
6
DIR_FILTER="/etc/fail2ban/filter.d/"
4
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"
7
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"
5
 
8
 
6
#########################################################
9
#########################################################
7
## Mise à jour du fichier de configuration de fail2ban ##
10
## Mise à jour du fichier de configuration de fail2ban ##
8
#########################################################
11
#########################################################
9
if(test -f $FAIL_CONF)
-
 
10
then
-
 
11
	mv $FAIL_CONF $FAIL_CONF.default
12
[ -f $FAIL_CONF ] && [ ! -e $FAIL_CONF.default ] && mv $FAIL_CONF $FAIL_CONF.default
12
fi
-
 
13
cat << EOF > $FAIL_CONF
13
cat << EOF > $FAIL_CONF
14
 
14
 
15
[Definition]
15
[Definition]
16
 
16
 
17
# Option:  loglevel
17
# Option:  loglevel
Line 48... Line 48...
48
EOF
48
EOF
49
 
49
 
50
#########################################################
50
#########################################################
51
## Mise à jour de la configuration de jail de fail2ban ##
51
## Mise à jour de la configuration de jail de fail2ban ##
52
#########################################################
52
#########################################################
53
if(test -f $JAIL_CONF)
-
 
54
then
-
 
55
	mv $JAIL_CONF $JAIL_CONF.default
53
[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default
56
fi
-
 
57
cat << EOF > $JAIL_CONF
54
cat << EOF > $JAIL_CONF
58
 
55
 
59
# Fail2Ban configuration file
56
# Fail2Ban configuration file
60
#
57
#
61
# Author: Cyril Jaquier
58
# Author: Cyril Jaquier
Line 109... Line 106...
109
#enabled = true
106
#enabled = true
110
enabled = false
107
enabled = false
111
filter = alcasar_mod-evasive
108
filter = alcasar_mod-evasive
112
action = iptables-allports[name=alcasar_mod-evasive]
109
action = iptables-allports[name=alcasar_mod-evasive]
113
logpath = /var/log/httpd/error_log
110
logpath = /var/log/httpd/error_log
-
 
111
          /var/log/httpd/ssl_error_log
114
maxretry = 2
112
maxretry = 2
115
 
113
 
116
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
114
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
117
[ssh-iptables]
115
[ssh-iptables]
118
 
116
 
Line 122... Line 120...
122
action   = iptables-allports[name=SSH]
120
action   = iptables-allports[name=SSH]
123
logpath  = /var/log/auth.log
121
logpath  = /var/log/auth.log
124
maxretry = 3
122
maxretry = 3
125
 
123
 
126
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
124
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
127
[alcasar_htdigest]
125
[alcasar_acc-htdigest]
128
 
126
 
129
enabled = true
127
enabled = true
130
#enabled = false
128
#enabled = false
131
filter = alcasar_htdigest
129
filter = alcasar_acc-htdigest
132
action = iptables-allports[name=alcasar_htdigest]
130
action = iptables-allports[name=alcasar_acc-htdigest]
133
logpath = /var/log/httpd/ssl_request_log
131
logpath = /var/log/httpd/ssl_error_log
134
maxretry = 5
132
maxretry = 5
135
 
133
 
136
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
134
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
137
[alcasar_intercept]
135
[alcasar_intercept]
138
 
136
 
Line 157... Line 155...
157
EOF
155
EOF
158
 
156
 
159
##################################################
157
##################################################
160
## Mise en place des filtres spécifiques	##
158
## Mise en place des filtres spécifiques	##
161
## - Mod_evasive.conf				##
159
## - Mod_evasive.conf				##
162
## - htdigest.conf                      	##
160
## - acc-htdigest.conf				##
163
## - intercept.conf				##
161
## - intercept.conf				##
164
## - mot de passe				##
162
## - change-pwd.conf				##
165
##################################################
163
##################################################
166
 
164
 
167
######################
165
######################
168
## MOD-EVASIVE.CONF ##
166
## MOD-EVASIVE.CONF ##
169
######################
167
######################
Line 180... Line 178...
180
#          host must be matched by a group named "host". The tag "<HOST>" can
178
#          host must be matched by a group named "host". The tag "<HOST>" can
181
#          be used for standard IP/hostname matching and is only an alias for
179
#          be used for standard IP/hostname matching and is only an alias for
182
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
180
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
183
# Values:  TEXT
181
# Values:  TEXT
184
#
182
#
185
failregex = [[]client <HOST>[]] client denied by server configuration
183
failregex =  \[client <HOST>:[0-9]+\] .*client denied by server configuration
186
 
184
 
187
# Option:  ignoreregex
185
# Option:  ignoreregex
188
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
186
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
189
# Values:  TEXT
187
# Values:  TEXT
190
#
188
#
191
ignoreregex = 
189
ignoreregex = 
192
EOF
190
EOF
193
 
191
 
194
###################
192
#######################
195
## HTDIGEST.CONF ##
193
## ACC-HTDIGEST.CONF ##
196
###################
194
#######################
197
cat << EOF > $DIR_FILTER/alcasar_htdigest.conf
195
cat << EOF > $DIR_FILTER/alcasar_acc-htdigest.conf
198
# Fail2Ban configuration file
196
# Fail2Ban configuration file
199
#
197
#
200
# Author: Cyril Jaquier
198
# Author: Cyril Jaquier
201
# Adapted by ALCASAR team
199
# Adapted by ALCASAR team
202
 
200
 
Line 207... Line 205...
207
#          host must be matched by a group named "host". The tag "<HOST>" can
205
#          host must be matched by a group named "host". The tag "<HOST>" can
208
#          be used for standard IP/hostname matching and is only an alias for
206
#          be used for standard IP/hostname matching and is only an alias for
209
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
207
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
210
# Values:  TEXT
208
# Values:  TEXT
211
#
209
#
212
#failregex = [[]error[]] [[]client <HOST>[]] Digest:
210
failregex =  \[auth_digest:error\] \[client <HOST>:[0-9]+\] .*ALCASAR Control Center \(ACC\)
213
failregex = [[]<HOST>[]] "GET /acc HTTP/1.1" 972
-
 
214
 
211
 
215
#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]
212
#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]
216
 
213
 
217
# Option:  ignoreregex
214
# Option:  ignoreregex
218
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
215
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
Line 237... Line 234...
237
#          host must be matched by a group named "host". The tag "<HOST>" can
234
#          host must be matched by a group named "host". The tag "<HOST>" can
238
#          be used for standard IP/hostname matching and is only an alias for
235
#          be used for standard IP/hostname matching and is only an alias for
239
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
236
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
240
# Values:  TEXT
237
# Values:  TEXT
241
#
238
#
242
#failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]GET \/intercept\.php\?res=failed[&]reason=reject
-
 
243
failregex = [[]<HOST>[]] ["]GET \/intercept\.php\?res=failed[&]reason=reject
239
failregex = \[<HOST>\] \"GET \/intercept\.php\?res=failed\&reason=reject
244
 
240
 
245
# Option:  ignoreregex
241
# Option:  ignoreregex
246
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
242
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
247
# Values:  TEXT
243
# Values:  TEXT
248
#
244
#
249
ignoreregex = 
245
ignoreregex = 
250
EOF
246
EOF
251
 
247
 
252
#######################
248
#####################
253
## MOT_DE_PASSE.CONF ##
249
## CHANGE-PWD.CONF ##
254
#######################
250
#####################
255
cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf
251
cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf
256
 
252
 
257
# Fail2Ban configuration file
253
# Fail2Ban configuration file
258
#
254
#
259
# Author: Cyril Jaquier
255
# Author: Cyril Jaquier
Line 266... Line 262...
266
#          host must be matched by a group named "host". The tag "<HOST>" can
262
#          host must be matched by a group named "host". The tag "<HOST>" can
267
#          be used for standard IP/hostname matching and is only an alias for
263
#          be used for standard IP/hostname matching and is only an alias for
268
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
264
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
269
# Values:  TEXT
265
# Values:  TEXT
270
#
266
#
271
#failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]POST \/pass\/index\.php HTTP
-
 
272
failregex = [[]<HOST>[]] ["]POST /pass/index.php HTTP/1.1" 11169
267
failregex = \[<HOST>\] \"POST \/pass
273
 
268
 
274
 
269
 
275
# Option:  ignoreregex
270
# Option:  ignoreregex
276
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
271
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
277
# Values:  TEXT
272
# Values:  TEXT
Line 280... Line 275...
280
EOF
275
EOF
281
 
276
 
282
##############################################
277
##############################################
283
##   Log sur ULOG quand iptables-allports   ##
278
##   Log sur ULOG quand iptables-allports   ##
284
##############################################
279
##############################################
285
if ( test -f $ACTION_ALLPORTS )
-
 
286
then
-
 
287
	mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default
280
[ -f $ACTION_ALLPORTS ] && [ ! -e $ACTION_ALLPORTS.default ] && mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default
288
fi
-
 
289
cat << EOF > $ACTION_ALLPORTS
281
cat << EOF > $ACTION_ALLPORTS
290
# Fail2Ban configuration file
282
# Fail2Ban configuration file
291
#
283
#
292
# Author: Cyril Jaquier
284
# Author: Cyril Jaquier
293
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
285
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
Line 325... Line 317...
325
#          <failures>  number of failures
317
#          <failures>  number of failures
326
#          <time>  unix timestamp of the ban time
318
#          <time>  unix timestamp of the ban time
327
# Values:  CMD
319
# Values:  CMD
328
 
320
 
329
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
321
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
330
	    iptables -I fail2ban-<name> 1 -s <ip> -j DROP
322
            iptables -I fail2ban-<name> 1 -s <ip> -j DROP
331
 
323
 
332
# Option:  actionunban
324
# Option:  actionunban
333
# Notes.:  command executed when unbanning an IP. Take care that the
325
# Notes.:  command executed when unbanning an IP. Take care that the
334
#          command is executed with Fail2Ban user rights.
326
#          command is executed with Fail2Ban user rights.
335
# Tags:    <ip>  IP address
327
# Tags:    <ip>  IP address
336
#          <failures>  number of failures
328
#          <failures>  number of failures
337
#          <time>  unix timestamp of the ban time
329
#          <time>  unix timestamp of the ban time
338
# Values:  CMD
330
# Values:  CMD
339
#
331
#
340
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
332
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
341
	      iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
333
              iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
342
 
334
 
343
[Init]
335
[Init]
344
 
336
 
345
# Defaut name of the chain
337
# Defaut name of the chain
346
#
338
#