WebSVN – ALCASAR – Diff – /conf/fail2ban.sh


#!/bin/sh
# $Id: fail2ban.sh 2271 2017-06-04 18:45:27Z tom.houdayer $
 
FAIL_CONF="/etc/fail2ban/fail2ban.conf"
JAIL_CONF="/etc/fail2ban/jail.conf"
DIR_FILTER="/etc/fail2ban/filter.d/"
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"
 
#########################################################
## Mise à jour du fichier de configuration de fail2ban ##
#########################################################
 
 
[ -f $FAIL_CONF ] && [ ! -e $FAIL_CONF.default ] && mv $FAIL_CONF $FAIL_CONF.default
 
cat << EOF > $FAIL_CONF
 
[Definition]
 
# Option:  loglevel
# Notes.:  Set the log level output.
#          1 = ERROR
#          2 = WARN
#          3 = INFO
#          4 = DEBUG
# Values:  NUM  Default:  3
#
loglevel = 3
 
# Option:  logtarget
# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
#          Only one log target can be specified.
# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log
 
# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
#         not remove this file when Fail2ban runs. It will not be possible to
#         communicate with the server afterwards.
# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock
 
# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
#         fail2ban server.
# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = /var/run/fail2ban/fail2ban.pid
EOF
 
#########################################################
## Mise à jour de la configuration de jail de fail2ban ##
#########################################################
 
 
[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default
 
cat << EOF > $JAIL_CONF
 
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
 
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
 
[DEFAULT]
 
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
 
# "bantime" is the number of seconds that a host is banned.
bantime  = 300
 
# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)
# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes
findtime  = 60
 
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
 
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto
 
# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn
 
# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)
[alcasar_mod-evasive]
 
#enabled = true
enabled = false
filter = alcasar_mod-evasive
action = iptables-allports[name=alcasar_mod-evasive]
logpath = /var/log/httpd/error_log
          /var/log/httpd/ssl_error_log
maxretry = 2
 
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
[ssh-iptables]
 
enabled = true
#enabled  = false
filter   = sshd
action   = iptables-allports[name=SSH]
logpath  = /var/log/auth.log
maxretry = 3
 
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
[alcasar_acc-htdigest]
 
enabled = true
#enabled = false
filter = alcasar_acc-htdigest
action = iptables-allports[name=alcasar_acc-htdigest]
logpath = /var/log/httpd/ssl_error_log
maxretry = 5
 
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
[alcasar_intercept]
 
enabled = true
#enabled = false
filter = alcasar_intercept
action = iptables-allports[name=alcasar_intercept]
logpath = /var/log/httpd/ssl_request_log
maxretry = 5
 
# Bannissement sur tout les port après 5 échecs de changement de mot de passe
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
[alcasar_change-pwd]
 
enabled = true
#enabled = false
filter = alcasar_change-pwd
action = iptables-allports[name=alcasar_change-pwd]
logpath = /var/log/httpd/ssl_request_log
maxretry = 5
 
EOF
 
##################################################
## Mise en place des filtres spécifiques	##
## - Mod_evasive.conf				##
## - acc-htdigest.conf				##
## - intercept.conf				##
## - change-pwd.conf				##
##################################################
 
######################
## MOD-EVASIVE.CONF ##
######################
cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex =  \[client <HOST>:[0-9]+\] .*client denied by server configuration
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF
 
#######################
## ACC-HTDIGEST.CONF ##
#######################
cat << EOF > $DIR_FILTER/alcasar_acc-htdigest.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex =  \[auth_digest:error\] \[client <HOST>:[0-9]+\] .*ALCASAR Control Center \(ACC\)
 
 
#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF
 
####################
## INTERCEPT.CONF ##
####################
cat << EOF > $DIR_FILTER/alcasar_intercept.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
 
failregex = \[<HOST>\] \"GET \/intercept\.php\?res=failed\&reason=reject
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF
 
#####################
## CHANGE-PWD.CONF ##
#####################
cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf
 
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
 
failregex = \[<HOST>\] \"POST \/pass
 
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF
 
##############################################
##   Log sur ULOG quand iptables-allports   ##
##############################################
 
 
[ -f $ACTION_ALLPORTS ] && [ ! -e $ACTION_ALLPORTS.default ] && mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default
 
cat << EOF > $ACTION_ALLPORTS
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# 			made active on all ports from original iptables.conf
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
 
# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
 
# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
 
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
 
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
            iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 
# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
              iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
 
[Init]
 
# Defaut name of the chain
#
name = default
 
# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
 
# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT
 
EOF
 

Rev 1410	Rev 2271
-		1	`#!/bin/sh`
-		2	`# $Id: fail2ban.sh 2271 2017-06-04 18:45:27Z tom.houdayer $`
-		3
1	`FAIL_CONF="/etc/fail2ban/fail2ban.conf"`	4	`FAIL_CONF="/etc/fail2ban/fail2ban.conf"`
2	`JAIL_CONF="/etc/fail2ban/jail.conf"`	5	`JAIL_CONF="/etc/fail2ban/jail.conf"`
3	`DIR_FILTER="/etc/fail2ban/filter.d/"`	6	`DIR_FILTER="/etc/fail2ban/filter.d/"`
4	`ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"`	7	`ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"`
5		8
6	`#########################################################`	9	`#########################################################`
7	`## Mise à jour du fichier de configuration de fail2ban ##`	10	`## Mise à jour du fichier de configuration de fail2ban ##`
8	`#########################################################`	11	`#########################################################`
9	`if(test -f $FAIL_CONF)`	-
10	`then`	-
11	`mv $FAIL_CONF $FAIL_CONF.default`	12	`[ -f $FAIL_CONF ] && [ ! -e $FAIL_CONF.default ] && mv $FAIL_CONF $FAIL_CONF.default`
12	`fi`	-
13	`cat << EOF > $FAIL_CONF`	13	`cat << EOF > $FAIL_CONF`
14		14
15	`[Definition]`	15	`[Definition]`
16		16
17	`# Option: loglevel`	17	`# Option: loglevel`
18	`# Notes.: Set the log level output.`	18	`# Notes.: Set the log level output.`
19	`# 1 = ERROR`	19	`# 1 = ERROR`
20	`# 2 = WARN`	20	`# 2 = WARN`
21	`# 3 = INFO`	21	`# 3 = INFO`
22	`# 4 = DEBUG`	22	`# 4 = DEBUG`
23	`# Values: NUM Default: 3`	23	`# Values: NUM Default: 3`
24	`#`	24	`#`
25	`loglevel = 3`	25	`loglevel = 3`
26		26
27	`# Option: logtarget`	27	`# Option: logtarget`
28	`# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.`	28	`# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.`
29	`# Only one log target can be specified.`	29	`# Only one log target can be specified.`
30	`# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log`	30	`# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log`
31	`#`	31	`#`
32	`logtarget = /var/log/fail2ban.log`	32	`logtarget = /var/log/fail2ban.log`
33		33
34	`# Option: socket`	34	`# Option: socket`
35	`# Notes.: Set the socket file. This is used to communicate with the daemon. Do`	35	`# Notes.: Set the socket file. This is used to communicate with the daemon. Do`
36	`# not remove this file when Fail2ban runs. It will not be possible to`	36	`# not remove this file when Fail2ban runs. It will not be possible to`
37	`# communicate with the server afterwards.`	37	`# communicate with the server afterwards.`
38	`# Values: FILE Default: /var/run/fail2ban/fail2ban.sock`	38	`# Values: FILE Default: /var/run/fail2ban/fail2ban.sock`
39	`#`	39	`#`
40	`socket = /var/run/fail2ban/fail2ban.sock`	40	`socket = /var/run/fail2ban/fail2ban.sock`
41		41
42	`# Option: pidfile`	42	`# Option: pidfile`
43	`# Notes.: Set the PID file. This is used to store the process ID of the`	43	`# Notes.: Set the PID file. This is used to store the process ID of the`
44	`# fail2ban server.`	44	`# fail2ban server.`
45	`# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid`	45	`# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid`
46	`#`	46	`#`
47	`pidfile = /var/run/fail2ban/fail2ban.pid`	47	`pidfile = /var/run/fail2ban/fail2ban.pid`
48	`EOF`	48	`EOF`
49		49
50	`#########################################################`	50	`#########################################################`
51	`## Mise à jour de la configuration de jail de fail2ban ##`	51	`## Mise à jour de la configuration de jail de fail2ban ##`
52	`#########################################################`	52	`#########################################################`
53	`if(test -f $JAIL_CONF)`	-
54	`then`	-
55	`mv $JAIL_CONF $JAIL_CONF.default`	53	`[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default`
56	`fi`	-
57	`cat << EOF > $JAIL_CONF`	54	`cat << EOF > $JAIL_CONF`
58		55
59	`# Fail2Ban configuration file`	56	`# Fail2Ban configuration file`
60	`#`	57	`#`
61	`# Author: Cyril Jaquier`	58	`# Author: Cyril Jaquier`
62	`# Adapted by ALCASAR team`	59	`# Adapted by ALCASAR team`
63		60
64		61
65	`# The DEFAULT allows a global definition of the options. They can be overridden`	62	`# The DEFAULT allows a global definition of the options. They can be overridden`
66	`# in each jail afterwards.`	63	`# in each jail afterwards.`
67		64
68	`[DEFAULT]`	65	`[DEFAULT]`
69		66
70	`# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not`	67	`# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not`
71	`# ban a host which matches an address in this list. Several addresses can be`	68	`# ban a host which matches an address in this list. Several addresses can be`
72	`# defined using space separator.`	69	`# defined using space separator.`
73	`ignoreip = 127.0.0.1/8`	70	`ignoreip = 127.0.0.1/8`
74		71
75	`# "bantime" is the number of seconds that a host is banned.`	72	`# "bantime" is the number of seconds that a host is banned.`
76	`bantime = 300`	73	`bantime = 300`
77		74
78	`# A host is banned if it has generated "maxretry" during the last "findtime" seconds.`	75	`# A host is banned if it has generated "maxretry" during the last "findtime" seconds.`
79	`# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)`	76	`# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)`
80	`# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes`	77	`# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes`
81	`findtime = 60`	78	`findtime = 60`
82		79
83	`# "maxretry" is the number of failures before a host get banned.`	80	`# "maxretry" is the number of failures before a host get banned.`
84	`maxretry = 5`	81	`maxretry = 5`
85		82
86	`# "backend" specifies the backend used to get files modification. Available`	83	`# "backend" specifies the backend used to get files modification. Available`
87	`# options are "gamin", "polling" and "auto". This option can be overridden in`	84	`# options are "gamin", "polling" and "auto". This option can be overridden in`
88	`# each jail too (use "gamin" for a jail and "polling" for another).`	85	`# each jail too (use "gamin" for a jail and "polling" for another).`
89	`#`	86	`#`
90	`# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin`	87	`# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin`
91	`# is not installed, Fail2ban will use polling.`	88	`# is not installed, Fail2ban will use polling.`
92	`# polling: uses a polling algorithm which does not require external libraries.`	89	`# polling: uses a polling algorithm which does not require external libraries.`
93	`# auto: will choose Gamin if available and polling otherwise.`	90	`# auto: will choose Gamin if available and polling otherwise.`
94	`backend = auto`	91	`backend = auto`
95		92
96	`# "usedns" specifies if jails should trust hostnames in logs,`	93	`# "usedns" specifies if jails should trust hostnames in logs,`
97	`# warn when DNS lookups are performed, or ignore all hostnames in logs`	94	`# warn when DNS lookups are performed, or ignore all hostnames in logs`
98	`#`	95	`#`
99	`# yes: if a hostname is encountered, a DNS lookup will be performed.`	96	`# yes: if a hostname is encountered, a DNS lookup will be performed.`
100	`# warn: if a hostname is encountered, a DNS lookup will be performed,`	97	`# warn: if a hostname is encountered, a DNS lookup will be performed,`
101	`# but it will be logged as a warning.`	98	`# but it will be logged as a warning.`
102	`# no: if a hostname is encountered, will not be used for banning,`	99	`# no: if a hostname is encountered, will not be used for banning,`
103	`# but it will be logged as info.`	100	`# but it will be logged as info.`
104	`usedns = warn`	101	`usedns = warn`
105		102
106	`# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)`	103	`# Bannissement sur tous les ports après 2 refus d'Apache (tentative d'accès sur des pages inexistentes)`
107	`[alcasar_mod-evasive]`	104	`[alcasar_mod-evasive]`
108		105
109	`#enabled = true`	106	`#enabled = true`
110	`enabled = false`	107	`enabled = false`
111	`filter = alcasar_mod-evasive`	108	`filter = alcasar_mod-evasive`
112	`action = iptables-allports[name=alcasar_mod-evasive]`	109	`action = iptables-allports[name=alcasar_mod-evasive]`
113	`logpath = /var/log/httpd/error_log`	110	`logpath = /var/log/httpd/error_log`
-		111	`/var/log/httpd/ssl_error_log`
114	`maxretry = 2`	112	`maxretry = 2`
115		113
116	`# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)`	114	`# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)`
117	`[ssh-iptables]`	115	`[ssh-iptables]`
118		116
119	`enabled = true`	117	`enabled = true`
120	`#enabled = false`	118	`#enabled = false`
121	`filter = sshd`	119	`filter = sshd`
122	`action = iptables-allports[name=SSH]`	120	`action = iptables-allports[name=SSH]`
123	`logpath = /var/log/auth.log`	121	`logpath = /var/log/auth.log`
124	`maxretry = 3`	122	`maxretry = 3`
125		123
126	`# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)`	124	`# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)`
127	`[alcasar_htdigest]`	125	`[alcasar_acc-htdigest]`
128		126
129	`enabled = true`	127	`enabled = true`
130	`#enabled = false`	128	`#enabled = false`
131	`filter = alcasar_htdigest`	129	`filter = alcasar_acc-htdigest`
132	`action = iptables-allports[name=alcasar_htdigest]`	130	`action = iptables-allports[name=alcasar_acc-htdigest]`
133	`logpath = /var/log/httpd/ssl_request_log`	131	`logpath = /var/log/httpd/ssl_error_log`
134	`maxretry = 5`	132	`maxretry = 5`
135		133
136	`# Bannissement sur tout les ports après 5 echecs de connexion pour un usager`	134	`# Bannissement sur tout les ports après 5 echecs de connexion pour un usager`
137	`[alcasar_intercept]`	135	`[alcasar_intercept]`
138		136
139	`enabled = true`	137	`enabled = true`
140	`#enabled = false`	138	`#enabled = false`
141	`filter = alcasar_intercept`	139	`filter = alcasar_intercept`
142	`action = iptables-allports[name=alcasar_intercept]`	140	`action = iptables-allports[name=alcasar_intercept]`
143	`logpath = /var/log/httpd/ssl_request_log`	141	`logpath = /var/log/httpd/ssl_request_log`
144	`maxretry = 5`	142	`maxretry = 5`
145		143
146	`# Bannissement sur tout les port après 5 échecs de changement de mot de passe`	144	`# Bannissement sur tout les port après 5 échecs de changement de mot de passe`
147	`# 5 POST pour changer le mot de passe que le POST soit ok ou non.`	145	`# 5 POST pour changer le mot de passe que le POST soit ok ou non.`
148	`[alcasar_change-pwd]`	146	`[alcasar_change-pwd]`
149		147
150	`enabled = true`	148	`enabled = true`
151	`#enabled = false`	149	`#enabled = false`
152	`filter = alcasar_change-pwd`	150	`filter = alcasar_change-pwd`
153	`action = iptables-allports[name=alcasar_change-pwd]`	151	`action = iptables-allports[name=alcasar_change-pwd]`
154	`logpath = /var/log/httpd/ssl_request_log`	152	`logpath = /var/log/httpd/ssl_request_log`
155	`maxretry = 5`	153	`maxretry = 5`
156		154
157	`EOF`	155	`EOF`
158		156
159	`##################################################`	157	`##################################################`
160	`## Mise en place des filtres spécifiques ##`	158	`## Mise en place des filtres spécifiques ##`
161	`## - Mod_evasive.conf ##`	159	`## - Mod_evasive.conf ##`
162	`## - htdigest.conf ##`	160	`## - acc-htdigest.conf ##`
163	`## - intercept.conf ##`	161	`## - intercept.conf ##`
164	`## - mot de passe ##`	162	`## - change-pwd.conf ##`
165	`##################################################`	163	`##################################################`
166		164
167	`######################`	165	`######################`
168	`## MOD-EVASIVE.CONF ##`	166	`## MOD-EVASIVE.CONF ##`
169	`######################`	167	`######################`
170	`cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf`	168	`cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf`
171	`# Fail2Ban configuration file`	169	`# Fail2Ban configuration file`
172	`#`	170	`#`
173	`# Author: Cyril Jaquier`	171	`# Author: Cyril Jaquier`
174	`# Adapted by ALCASAR team`	172	`# Adapted by ALCASAR team`
175		173
176	`[Definition]`	174	`[Definition]`
177		175
178	`# Option: failregex`	176	`# Option: failregex`
179	`# Notes.: regex to match the password failure messages in the logfile. The`	177	`# Notes.: regex to match the password failure messages in the logfile. The`
180	`# host must be matched by a group named "host". The tag "<HOST>" can`	178	`# host must be matched by a group named "host". The tag "<HOST>" can`
181	`# be used for standard IP/hostname matching and is only an alias for`	179	`# be used for standard IP/hostname matching and is only an alias for`
182	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`	180	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
183	`# Values: TEXT`	181	`# Values: TEXT`
184	`#`	182	`#`
185	`failregex = [[]client <HOST>[]] client denied by server configuration`	183	`failregex = \[client <HOST>:[0-9]+\] .*client denied by server configuration`
186		184
187	`# Option: ignoreregex`	185	`# Option: ignoreregex`
188	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`	186	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
189	`# Values: TEXT`	187	`# Values: TEXT`
190	`#`	188	`#`
191	`ignoreregex =`	189	`ignoreregex =`
192	`EOF`	190	`EOF`
193		191
194	`###################`	192	`#######################`
195	`## HTDIGEST.CONF ##`	193	`## ACC-HTDIGEST.CONF ##`
196	`###################`	194	`#######################`
197	`cat << EOF > $DIR_FILTER/alcasar_htdigest.conf`	195	`cat << EOF > $DIR_FILTER/alcasar_acc-htdigest.conf`
198	`# Fail2Ban configuration file`	196	`# Fail2Ban configuration file`
199	`#`	197	`#`
200	`# Author: Cyril Jaquier`	198	`# Author: Cyril Jaquier`
201	`# Adapted by ALCASAR team`	199	`# Adapted by ALCASAR team`
202		200
203	`[Definition]`	201	`[Definition]`
204		202
205	`# Option: failregex`	203	`# Option: failregex`
206	`# Notes.: regex to match the password failure messages in the logfile. The`	204	`# Notes.: regex to match the password failure messages in the logfile. The`
207	`# host must be matched by a group named "host". The tag "<HOST>" can`	205	`# host must be matched by a group named "host". The tag "<HOST>" can`
208	`# be used for standard IP/hostname matching and is only an alias for`	206	`# be used for standard IP/hostname matching and is only an alias for`
209	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`	207	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
210	`# Values: TEXT`	208	`# Values: TEXT`
211	`#`	209	`#`
212	`#failregex = [[]error[]] [[]client <HOST>[]] Digest:`	210	`failregex = \[auth_digest:error\] \[client <HOST>:[0-9]+\] .*ALCASAR Control Center \(ACC\)`
213	`failregex = [[]<HOST>[]] "GET /acc HTTP/1.1" 972`	-
214		211
215	`#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]`	212	`#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]`
216		213
217	`# Option: ignoreregex`	214	`# Option: ignoreregex`
218	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`	215	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
219	`# Values: TEXT`	216	`# Values: TEXT`
220	`#`	217	`#`
221	`ignoreregex =`	218	`ignoreregex =`
222	`EOF`	219	`EOF`
223		220
224	`####################`	221	`####################`
225	`## INTERCEPT.CONF ##`	222	`## INTERCEPT.CONF ##`
226	`####################`	223	`####################`
227	`cat << EOF > $DIR_FILTER/alcasar_intercept.conf`	224	`cat << EOF > $DIR_FILTER/alcasar_intercept.conf`
228	`# Fail2Ban configuration file`	225	`# Fail2Ban configuration file`
229	`#`	226	`#`
230	`# Author: Cyril Jaquier`	227	`# Author: Cyril Jaquier`
231	`# Adapted by ALCASAR team`	228	`# Adapted by ALCASAR team`
232		229
233	`[Definition]`	230	`[Definition]`
234		231
235	`# Option: failregex`	232	`# Option: failregex`
236	`# Notes.: regex to match the password failure messages in the logfile. The`	233	`# Notes.: regex to match the password failure messages in the logfile. The`
237	`# host must be matched by a group named "host". The tag "<HOST>" can`	234	`# host must be matched by a group named "host". The tag "<HOST>" can`
238	`# be used for standard IP/hostname matching and is only an alias for`	235	`# be used for standard IP/hostname matching and is only an alias for`
239	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`	236	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
240	`# Values: TEXT`	237	`# Values: TEXT`
241	`#`	238	`#`
242	`#failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]GET \/intercept\.php\?res=failed[&]reason=reject`	-
243	`failregex = [[]<HOST>[]] ["]GET \/intercept\.php\?res=failed[&]reason=reject`	239	`failregex = \[<HOST>\] \"GET \/intercept\.php\?res=failed\&reason=reject`
244		240
245	`# Option: ignoreregex`	241	`# Option: ignoreregex`
246	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`	242	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
247	`# Values: TEXT`	243	`# Values: TEXT`
248	`#`	244	`#`
249	`ignoreregex =`	245	`ignoreregex =`
250	`EOF`	246	`EOF`
251		247
252	`#######################`	248	`#####################`
253	`## MOT_DE_PASSE.CONF ##`	249	`## CHANGE-PWD.CONF ##`
254	`#######################`	250	`#####################`
255	`cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf`	251	`cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf`
256		252
257	`# Fail2Ban configuration file`	253	`# Fail2Ban configuration file`
258	`#`	254	`#`
259	`# Author: Cyril Jaquier`	255	`# Author: Cyril Jaquier`
260	`# Adapted by ALCASAR team`	256	`# Adapted by ALCASAR team`
261		257
262	`[Definition]`	258	`[Definition]`
263		259
264	`# Option: failregex`	260	`# Option: failregex`
265	`# Notes.: regex to match the password failure messages in the logfile. The`	261	`# Notes.: regex to match the password failure messages in the logfile. The`
266	`# host must be matched by a group named "host". The tag "<HOST>" can`	262	`# host must be matched by a group named "host". The tag "<HOST>" can`
267	`# be used for standard IP/hostname matching and is only an alias for`	263	`# be used for standard IP/hostname matching and is only an alias for`
268	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`	264	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
269	`# Values: TEXT`	265	`# Values: TEXT`
270	`#`	266	`#`
271	`#failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]POST \/pass\/index\.php HTTP`	-
272	`failregex = [[]<HOST>[]] ["]POST /pass/index.php HTTP/1.1" 11169`	267	`failregex = \[<HOST>\] \"POST \/pass`
273		268
274		269
275	`# Option: ignoreregex`	270	`# Option: ignoreregex`
276	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`	271	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
277	`# Values: TEXT`	272	`# Values: TEXT`
278	`#`	273	`#`
279	`ignoreregex =`	274	`ignoreregex =`
280	`EOF`	275	`EOF`
281		276
282	`##############################################`	277	`##############################################`
283	`## Log sur ULOG quand iptables-allports ##`	278	`## Log sur ULOG quand iptables-allports ##`
284	`##############################################`	279	`##############################################`
285	`if ( test -f $ACTION_ALLPORTS )`	-
286	`then`	-
287	`mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default`	280	`[ -f $ACTION_ALLPORTS ] && [ ! -e $ACTION_ALLPORTS.default ] && mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default`
288	`fi`	-
289	`cat << EOF > $ACTION_ALLPORTS`	281	`cat << EOF > $ACTION_ALLPORTS`
290	`# Fail2Ban configuration file`	282	`# Fail2Ban configuration file`
291	`#`	283	`#`
292	`# Author: Cyril Jaquier`	284	`# Author: Cyril Jaquier`
293	`# Modified: Yaroslav O. Halchenko <debian@onerussian.com>`	285	`# Modified: Yaroslav O. Halchenko <debian@onerussian.com>`
294	`# made active on all ports from original iptables.conf`	286	`# made active on all ports from original iptables.conf`
295	`# Adapted by ALCASAR team`	287	`# Adapted by ALCASAR team`
296		288
297	`[Definition]`	289	`[Definition]`
298		290
299	`# Option: actionstart`	291	`# Option: actionstart`
300	`# Notes.: command executed once at the start of Fail2Ban.`	292	`# Notes.: command executed once at the start of Fail2Ban.`
301	`# Values: CMD`	293	`# Values: CMD`
302	`#`	294	`#`
303	`actionstart = iptables -N fail2ban-<name>`	295	`actionstart = iptables -N fail2ban-<name>`
304	`iptables -A fail2ban-<name> -j RETURN`	296	`iptables -A fail2ban-<name> -j RETURN`
305	`iptables -I <chain> -p <protocol> -j fail2ban-<name>`	297	`iptables -I <chain> -p <protocol> -j fail2ban-<name>`
306		298
307	`# Option: actionstop`	299	`# Option: actionstop`
308	`# Notes.: command executed once at the end of Fail2Ban`	300	`# Notes.: command executed once at the end of Fail2Ban`
309	`# Values: CMD`	301	`# Values: CMD`
310	`#`	302	`#`
311	`actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>`	303	`actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>`
312	`iptables -F fail2ban-<name>`	304	`iptables -F fail2ban-<name>`
313	`iptables -X fail2ban-<name>`	305	`iptables -X fail2ban-<name>`
314		306
315	`# Option: actioncheck`	307	`# Option: actioncheck`
316	`# Notes.: command executed once before each actionban command`	308	`# Notes.: command executed once before each actionban command`
317	`# Values: CMD`	309	`# Values: CMD`
318	`#`	310	`#`
319	`actioncheck = iptables -n -L <chain> \| grep -q fail2ban-<name>`	311	`actioncheck = iptables -n -L <chain> \| grep -q fail2ban-<name>`
320		312
321	`# Option: actionban`	313	`# Option: actionban`
322	`# Notes.: command executed when banning an IP. Take care that the`	314	`# Notes.: command executed when banning an IP. Take care that the`
323	`# command is executed with Fail2Ban user rights.`	315	`# command is executed with Fail2Ban user rights.`
324	`# Tags: <ip> IP address`	316	`# Tags: <ip> IP address`
325	`# <failures> number of failures`	317	`# <failures> number of failures`
326	`# <time> unix timestamp of the ban time`	318	`# <time> unix timestamp of the ban time`
327	`# Values: CMD`	319	`# Values: CMD`
328		320
329	`actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"`	321	`actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"`
330	`iptables -I fail2ban-<name> 1 -s <ip> -j DROP`	322	`iptables -I fail2ban-<name> 1 -s <ip> -j DROP`
331		323
332	`# Option: actionunban`	324	`# Option: actionunban`
333	`# Notes.: command executed when unbanning an IP. Take care that the`	325	`# Notes.: command executed when unbanning an IP. Take care that the`
334	`# command is executed with Fail2Ban user rights.`	326	`# command is executed with Fail2Ban user rights.`
335	`# Tags: <ip> IP address`	327	`# Tags: <ip> IP address`
336	`# <failures> number of failures`	328	`# <failures> number of failures`
337	`# <time> unix timestamp of the ban time`	329	`# <time> unix timestamp of the ban time`
338	`# Values: CMD`	330	`# Values: CMD`
339	`#`	331	`#`
340	`actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP`	332	`actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP`
341	`iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"`	333	`iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"`
342		334
343	`[Init]`	335	`[Init]`
344		336
345	`# Defaut name of the chain`	337	`# Defaut name of the chain`
346	`#`	338	`#`
347	`name = default`	339	`name = default`
348		340
349	`# Option: protocol`	341	`# Option: protocol`
350	`# Notes.: internally used by config reader for interpolations.`	342	`# Notes.: internally used by config reader for interpolations.`
351	`# Values: [ tcp \| udp \| icmp \| all ] Default: tcp`	343	`# Values: [ tcp \| udp \| icmp \| all ] Default: tcp`
352	`#`	344	`#`
353	`protocol = tcp`	345	`protocol = tcp`
354		346
355	`# Option: chain`	347	`# Option: chain`
356	`# Notes specifies the iptables chain to which the fail2ban rules should be`	348	`# Notes specifies the iptables chain to which the fail2ban rules should be`
357	`# added`	349	`# added`
358	`# Values: STRING Default: INPUT`	350	`# Values: STRING Default: INPUT`
359	`chain = INPUT`	351	`chain = INPUT`
360		352
361	`EOF`	353	`EOF`
362		354

Subversion Repositories ALCASAR

(root)/conf/fail2ban.sh @ 2864 – Rev 1410 → 2271