WebSVN – ALCASAR – Diff – /conf/fail2ban.sh


#!/bin/sh
# $Id: fail2ban.sh 2837 2020-06-16 22:24:15Z rexy $
 
JAIL_CONF="/etc/fail2ban/jail.conf"
DIR_FILTER="/etc/fail2ban/filter.d/"
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"
 
#########################################################
## Mise à jour de la configuration de jail de fail2ban ##
#########################################################
[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default
cat << EOF > $JAIL_CONF
 
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
 
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
 
[DEFAULT]
 
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
 
# "bantime" is the number of seconds that a host is banned.
bantime  = 180
 
# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)
# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes
findtime  = 60
 
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
 
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto
 
# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn
 
# Bannissement sur tous les ports après 3 refus du serveur WEB (tentative d'accès sur des pages inexistentes)
[alcasar_mod-evasive]
 
#enabled = true
enabled = false
backend = auto
filter = alcasar_mod-evasive
action = iptables-allports[name=alcasar_mod-evasive]
logpath = /var/log/lighttpd/access.log
maxretry = 3
 
# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)
[ssh-iptables]
 
enabled = true
#enabled  = false
filter   = sshd
action   = iptables-allports[name=SSH]
logpath  = /var/log/auth.log
maxretry = 3
 
# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)
[alcasar_acc]
 
enabled = true
#enabled = false
backend = auto
filter = alcasar_acc
action = iptables-allports[name=alcasar_acc]
logpath = /var/log/lighttpd/access.log
maxretry = 6
 
# Bannissement sur tout les ports après 5 echecs de connexion pour un usager
[alcasar_intercept]
 
enabled = true
#enabled = false
backend = auto
filter = alcasar_intercept
action = iptables-allports[name=alcasar_intercept]
logpath = /var/log/lighttpd/access.log
maxretry = 6
 
# Bannissement sur tout les port après 5 échecs de changement de mot de passe
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
[alcasar_change-pwd]
 
enabled = true
#enabled = false
backend = auto
filter = alcasar_change-pwd
action = iptables-allports[name=alcasar_change-pwd]
logpath = /var/log/lighttpd/access.log
maxretry = 5
 
EOF
 
##################################################
## Mise en place des filtres spécifiques	##
## - Mod_evasive.conf				##
## - acc-htdigest.conf				##
## - intercept.conf				##
## - change-pwd.conf				##
##################################################
 
######################
## MOD-EVASIVE.CONF ##
######################
cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex =  <HOST> .+\] "[^"]+" 403
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF
 
#######################
## ACC-HTDIGEST.CONF ##
#######################
cat << EOF > $DIR_FILTER/alcasar_acc.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex =  <HOST> .+\] "[^"]+" 401
 
#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF
 
####################
## INTERCEPT.CONF ##
####################
cat << EOF > $DIR_FILTER/alcasar_intercept.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF
 
#####################
## CHANGE-PWD.CONF ##
#####################
cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf
 
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = <HOST> .* \"POST \/password\.php
 
 
# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = 
EOF
 
##############################################
##   Log sur ULOG quand iptables-allports   ##
##############################################
[ -f $ACTION_ALLPORTS ] && [ ! -e $ACTION_ALLPORTS.default ] && mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default
cat << EOF > $ACTION_ALLPORTS
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# 			made active on all ports from original iptables.conf
# Adapted by ALCASAR team
 
[Definition]
 
# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
 
# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
 
# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
 
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
 
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 
# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
 
[Init]
 
# Defaut name of the chain
#
name = default
 
# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
 
# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: INPUT
chain = INPUT
 
EOF
 

Rev 2815	Rev 2837
1	`#!/bin/sh`	1	`#!/bin/sh`
2	`# $Id: fail2ban.sh 2815 2020-05-03 22:10:04Z rexy $`	2	`# $Id: fail2ban.sh 2837 2020-06-16 22:24:15Z rexy $`
3		3
4	`JAIL_CONF="/etc/fail2ban/jail.conf"`	4	`JAIL_CONF="/etc/fail2ban/jail.conf"`
5	`DIR_FILTER="/etc/fail2ban/filter.d/"`	5	`DIR_FILTER="/etc/fail2ban/filter.d/"`
6	`ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"`	6	`ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"`
7		7
8	`#########################################################`	8	`#########################################################`
9	`## Mise à jour de la configuration de jail de fail2ban ##`	9	`## Mise à jour de la configuration de jail de fail2ban ##`
10	`#########################################################`	10	`#########################################################`
11	`[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default`	11	`[ -f $JAIL_CONF ] && [ ! -e $JAIL_CONF.default ] && mv $JAIL_CONF $JAIL_CONF.default`
12	`cat << EOF > $JAIL_CONF`	12	`cat << EOF > $JAIL_CONF`
13		13
14	`# Fail2Ban configuration file`	14	`# Fail2Ban configuration file`
15	`#`	15	`#`
16	`# Author: Cyril Jaquier`	16	`# Author: Cyril Jaquier`
17	`# Adapted by ALCASAR team`	17	`# Adapted by ALCASAR team`
18		18
19		19
20	`# The DEFAULT allows a global definition of the options. They can be overridden`	20	`# The DEFAULT allows a global definition of the options. They can be overridden`
21	`# in each jail afterwards.`	21	`# in each jail afterwards.`
22		22
23	`[DEFAULT]`	23	`[DEFAULT]`
24		24
25	`# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not`	25	`# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not`
26	`# ban a host which matches an address in this list. Several addresses can be`	26	`# ban a host which matches an address in this list. Several addresses can be`
27	`# defined using space separator.`	27	`# defined using space separator.`
28	`ignoreip = 127.0.0.1/8`	28	`ignoreip = 127.0.0.1/8`
29		29
30	`# "bantime" is the number of seconds that a host is banned.`	30	`# "bantime" is the number of seconds that a host is banned.`
31	`bantime = 180`	31	`bantime = 180`
32		32
33	`# A host is banned if it has generated "maxretry" during the last "findtime" seconds.`	33	`# A host is banned if it has generated "maxretry" during the last "findtime" seconds.`
34	`# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)`	34	`# Un client est banni s'il génere "maxretry" requêtes pendant "findtime" (en secondes)`
35	`# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes`	35	`# Pour ALCASAR : 5 requetes pour chaque filtres en 60 secondes`
36	`findtime = 60`	36	`findtime = 60`
37		37
38	`# "maxretry" is the number of failures before a host get banned.`	38	`# "maxretry" is the number of failures before a host get banned.`
39	`maxretry = 5`	39	`maxretry = 5`
40		40
41	`# "backend" specifies the backend used to get files modification. Available`	41	`# "backend" specifies the backend used to get files modification. Available`
42	`# options are "gamin", "polling" and "auto". This option can be overridden in`	42	`# options are "gamin", "polling" and "auto". This option can be overridden in`
43	`# each jail too (use "gamin" for a jail and "polling" for another).`	43	`# each jail too (use "gamin" for a jail and "polling" for another).`
44	`#`	44	`#`
45	`# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin`	45	`# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin`
46	`# is not installed, Fail2ban will use polling.`	46	`# is not installed, Fail2ban will use polling.`
47	`# polling: uses a polling algorithm which does not require external libraries.`	47	`# polling: uses a polling algorithm which does not require external libraries.`
48	`# auto: will choose Gamin if available and polling otherwise.`	48	`# auto: will choose Gamin if available and polling otherwise.`
49	`backend = auto`	49	`backend = auto`
50		50
51	`# "usedns" specifies if jails should trust hostnames in logs,`	51	`# "usedns" specifies if jails should trust hostnames in logs,`
52	`# warn when DNS lookups are performed, or ignore all hostnames in logs`	52	`# warn when DNS lookups are performed, or ignore all hostnames in logs`
53	`#`	53	`#`
54	`# yes: if a hostname is encountered, a DNS lookup will be performed.`	54	`# yes: if a hostname is encountered, a DNS lookup will be performed.`
55	`# warn: if a hostname is encountered, a DNS lookup will be performed,`	55	`# warn: if a hostname is encountered, a DNS lookup will be performed,`
56	`# but it will be logged as a warning.`	56	`# but it will be logged as a warning.`
57	`# no: if a hostname is encountered, will not be used for banning,`	57	`# no: if a hostname is encountered, will not be used for banning,`
58	`# but it will be logged as info.`	58	`# but it will be logged as info.`
59	`usedns = warn`	59	`usedns = warn`
60		60
61	`# Bannissement sur tous les ports après 3 refus du serveur WEB (tentative d'accès sur des pages inexistentes)`	61	`# Bannissement sur tous les ports après 3 refus du serveur WEB (tentative d'accès sur des pages inexistentes)`
62	`[alcasar_mod-evasive]`	62	`[alcasar_mod-evasive]`
63		63
64	`#enabled = true`	64	`#enabled = true`
65	`enabled = false`	65	`enabled = false`
66	`backend = auto`	66	`backend = auto`
67	`filter = alcasar_mod-evasive`	67	`filter = alcasar_mod-evasive`
68	`action = iptables-allports[name=alcasar_mod-evasive]`	68	`action = iptables-allports[name=alcasar_mod-evasive]`
69	`logpath = /var/log/lighttpd/access.log`	69	`logpath = /var/log/lighttpd/access.log`
70	`maxretry = 3`	70	`maxretry = 3`
71		71
72	`# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)`	72	`# Bannissement sur tout les ports après 3 refus de SSH (tentative d'accès par brute-force)`
73	`[ssh-iptables]`	73	`[ssh-iptables]`
74		74
75	`enabled = true`	75	`enabled = true`
76	`#enabled = false`	76	`#enabled = false`
77	`filter = sshd`	77	`filter = sshd`
78	`action = iptables-allports[name=SSH]`	78	`action = iptables-allports[name=SSH]`
79	`logpath = /var/log/auth.log`	79	`logpath = /var/log/auth.log`
80	`maxretry = 3`	80	`maxretry = 3`
81		81
82	`# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)`	82	`# Bannissement sur tous les ports après 5 échecs de connexion sur le centre de contrôle (ACC)`
83	`[alcasar_acc]`	83	`[alcasar_acc]`
84		84
85	`enabled = true`	85	`enabled = true`
86	`#enabled = false`	86	`#enabled = false`
87	`backend = auto`	87	`backend = auto`
88	`filter = alcasar_acc`	88	`filter = alcasar_acc`
89	`action = iptables-allports[name=alcasar_acc]`	89	`action = iptables-allports[name=alcasar_acc]`
90	`logpath = /var/log/lighttpd/access.log`	90	`logpath = /var/log/lighttpd/access.log`
91	`maxretry = 6`	91	`maxretry = 6`
92		92
93	`# Bannissement sur tout les ports après 5 echecs de connexion pour un usager`	93	`# Bannissement sur tout les ports après 5 echecs de connexion pour un usager`
94	`[alcasar_intercept]`	94	`[alcasar_intercept]`
95		95
96	`enabled = true`	96	`enabled = true`
97	`#enabled = false`	97	`#enabled = false`
98	`backend = auto`	98	`backend = auto`
99	`filter = alcasar_intercept`	99	`filter = alcasar_intercept`
100	`action = iptables-allports[name=alcasar_intercept]`	100	`action = iptables-allports[name=alcasar_intercept]`
101	`logpath = /var/log/lighttpd/access.log`	101	`logpath = /var/log/lighttpd/access.log`
102	`maxretry = 5`	102	`maxretry = 6`
103		103
104	`# Bannissement sur tout les port après 5 échecs de changement de mot de passe`	104	`# Bannissement sur tout les port après 5 échecs de changement de mot de passe`
105	`# 5 POST pour changer le mot de passe que le POST soit ok ou non.`	105	`# 5 POST pour changer le mot de passe que le POST soit ok ou non.`
106	`[alcasar_change-pwd]`	106	`[alcasar_change-pwd]`
107		107
108	`enabled = true`	108	`enabled = true`
109	`#enabled = false`	109	`#enabled = false`
110	`backend = auto`	110	`backend = auto`
111	`filter = alcasar_change-pwd`	111	`filter = alcasar_change-pwd`
112	`action = iptables-allports[name=alcasar_change-pwd]`	112	`action = iptables-allports[name=alcasar_change-pwd]`
113	`logpath = /var/log/lighttpd/access.log`	113	`logpath = /var/log/lighttpd/access.log`
114	`maxretry = 5`	114	`maxretry = 5`
115		115
116	`EOF`	116	`EOF`
117		117
118	`##################################################`	118	`##################################################`
119	`## Mise en place des filtres spécifiques ##`	119	`## Mise en place des filtres spécifiques ##`
120	`## - Mod_evasive.conf ##`	120	`## - Mod_evasive.conf ##`
121	`## - acc-htdigest.conf ##`	121	`## - acc-htdigest.conf ##`
122	`## - intercept.conf ##`	122	`## - intercept.conf ##`
123	`## - change-pwd.conf ##`	123	`## - change-pwd.conf ##`
124	`##################################################`	124	`##################################################`
125		125
126	`######################`	126	`######################`
127	`## MOD-EVASIVE.CONF ##`	127	`## MOD-EVASIVE.CONF ##`
128	`######################`	128	`######################`
129	`cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf`	129	`cat << EOF > $DIR_FILTER/alcasar_mod-evasive.conf`
130	`# Fail2Ban configuration file`	130	`# Fail2Ban configuration file`
131	`#`	131	`#`
132	`# Author: Cyril Jaquier`	132	`# Author: Cyril Jaquier`
133	`# Adapted by ALCASAR team`	133	`# Adapted by ALCASAR team`
134		134
135	`[Definition]`	135	`[Definition]`
136		136
137	`# Option: failregex`	137	`# Option: failregex`
138	`# Notes.: regex to match the password failure messages in the logfile. The`	138	`# Notes.: regex to match the password failure messages in the logfile. The`
139	`# host must be matched by a group named "host". The tag "<HOST>" can`	139	`# host must be matched by a group named "host". The tag "<HOST>" can`
140	`# be used for standard IP/hostname matching and is only an alias for`	140	`# be used for standard IP/hostname matching and is only an alias for`
141	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`	141	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
142	`# Values: TEXT`	142	`# Values: TEXT`
143	`#`	143	`#`
144	`failregex = <HOST> .+\] "[^"]+" 403`	144	`failregex = <HOST> .+\] "[^"]+" 403`
145		145
146	`# Option: ignoreregex`	146	`# Option: ignoreregex`
147	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`	147	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
148	`# Values: TEXT`	148	`# Values: TEXT`
149	`#`	149	`#`
150	`ignoreregex =`	150	`ignoreregex =`
151	`EOF`	151	`EOF`
152		152
153	`#######################`	153	`#######################`
154	`## ACC-HTDIGEST.CONF ##`	154	`## ACC-HTDIGEST.CONF ##`
155	`#######################`	155	`#######################`
156	`cat << EOF > $DIR_FILTER/alcasar_acc.conf`	156	`cat << EOF > $DIR_FILTER/alcasar_acc.conf`
157	`# Fail2Ban configuration file`	157	`# Fail2Ban configuration file`
158	`#`	158	`#`
159	`# Author: Cyril Jaquier`	159	`# Author: Cyril Jaquier`
160	`# Adapted by ALCASAR team`	160	`# Adapted by ALCASAR team`
161		161
162	`[Definition]`	162	`[Definition]`
163		163
164	`# Option: failregex`	164	`# Option: failregex`
165	`# Notes.: regex to match the password failure messages in the logfile. The`	165	`# Notes.: regex to match the password failure messages in the logfile. The`
166	`# host must be matched by a group named "host". The tag "<HOST>" can`	166	`# host must be matched by a group named "host". The tag "<HOST>" can`
167	`# be used for standard IP/hostname matching and is only an alias for`	167	`# be used for standard IP/hostname matching and is only an alias for`
168	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`	168	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
169	`# Values: TEXT`	169	`# Values: TEXT`
170	`#`	170	`#`
171	`failregex = <HOST> .+\] "[^"]+" 401`	171	`failregex = <HOST> .+\] "[^"]+" 401`
172		172
173	`#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]`	173	`#[[]auth_digest:error[]] [[]client <HOST>:[0-9]\{1,5\}[]]`
174		174
175	`# Option: ignoreregex`	175	`# Option: ignoreregex`
176	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`	176	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
177	`# Values: TEXT`	177	`# Values: TEXT`
178	`#`	178	`#`
179	`ignoreregex =`	179	`ignoreregex =`
180	`EOF`	180	`EOF`
181		181
182	`####################`	182	`####################`
183	`## INTERCEPT.CONF ##`	183	`## INTERCEPT.CONF ##`
184	`####################`	184	`####################`
185	`cat << EOF > $DIR_FILTER/alcasar_intercept.conf`	185	`cat << EOF > $DIR_FILTER/alcasar_intercept.conf`
186	`# Fail2Ban configuration file`	186	`# Fail2Ban configuration file`
187	`#`	187	`#`
188	`# Author: Cyril Jaquier`	188	`# Author: Cyril Jaquier`
189	`# Adapted by ALCASAR team`	189	`# Adapted by ALCASAR team`
190		190
191	`[Definition]`	191	`[Definition]`
192		192
193	`# Option: failregex`	193	`# Option: failregex`
194	`# Notes.: regex to match the password failure messages in the logfile. The`	194	`# Notes.: regex to match the password failure messages in the logfile. The`
195	`# host must be matched by a group named "host". The tag "<HOST>" can`	195	`# host must be matched by a group named "host". The tag "<HOST>" can`
196	`# be used for standard IP/hostname matching and is only an alias for`	196	`# be used for standard IP/hostname matching and is only an alias for`
197	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`	197	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
198	`# Values: TEXT`	198	`# Values: TEXT`
199	`#`	199	`#`
200	`failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject`	200	`failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject`
201		201
202	`# Option: ignoreregex`	202	`# Option: ignoreregex`
203	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`	203	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
204	`# Values: TEXT`	204	`# Values: TEXT`
205	`#`	205	`#`
206	`ignoreregex =`	206	`ignoreregex =`
207	`EOF`	207	`EOF`
208		208
209	`#####################`	209	`#####################`
210	`## CHANGE-PWD.CONF ##`	210	`## CHANGE-PWD.CONF ##`
211	`#####################`	211	`#####################`
212	`cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf`	212	`cat << EOF > $DIR_FILTER/alcasar_change-pwd.conf`
213		213
214	`# Fail2Ban configuration file`	214	`# Fail2Ban configuration file`
215	`#`	215	`#`
216	`# Author: Cyril Jaquier`	216	`# Author: Cyril Jaquier`
217	`# Adapted by ALCASAR team`	217	`# Adapted by ALCASAR team`
218		218
219	`[Definition]`	219	`[Definition]`
220		220
221	`# Option: failregex`	221	`# Option: failregex`
222	`# Notes.: regex to match the password failure messages in the logfile. The`	222	`# Notes.: regex to match the password failure messages in the logfile. The`
223	`# host must be matched by a group named "host". The tag "<HOST>" can`	223	`# host must be matched by a group named "host". The tag "<HOST>" can`
224	`# be used for standard IP/hostname matching and is only an alias for`	224	`# be used for standard IP/hostname matching and is only an alias for`
225	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`	225	`# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)`
226	`# Values: TEXT`	226	`# Values: TEXT`
227	`#`	227	`#`
228	`failregex = <HOST> .* \"POST \/password\.php`	228	`failregex = <HOST> .* \"POST \/password\.php`
229		229
230		230
231	`# Option: ignoreregex`	231	`# Option: ignoreregex`
232	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`	232	`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
233	`# Values: TEXT`	233	`# Values: TEXT`
234	`#`	234	`#`
235	`ignoreregex =`	235	`ignoreregex =`
236	`EOF`	236	`EOF`
237		237
238	`##############################################`	238	`##############################################`
239	`## Log sur ULOG quand iptables-allports ##`	239	`## Log sur ULOG quand iptables-allports ##`
240	`##############################################`	240	`##############################################`
241	`[ -f $ACTION_ALLPORTS ] && [ ! -e $ACTION_ALLPORTS.default ] && mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default`	241	`[ -f $ACTION_ALLPORTS ] && [ ! -e $ACTION_ALLPORTS.default ] && mv $ACTION_ALLPORTS $ACTION_ALLPORTS.default`
242	`cat << EOF > $ACTION_ALLPORTS`	242	`cat << EOF > $ACTION_ALLPORTS`
243	`# Fail2Ban configuration file`	243	`# Fail2Ban configuration file`
244	`#`	244	`#`
245	`# Author: Cyril Jaquier`	245	`# Author: Cyril Jaquier`
246	`# Modified: Yaroslav O. Halchenko <debian@onerussian.com>`	246	`# Modified: Yaroslav O. Halchenko <debian@onerussian.com>`
247	`# made active on all ports from original iptables.conf`	247	`# made active on all ports from original iptables.conf`
248	`# Adapted by ALCASAR team`	248	`# Adapted by ALCASAR team`
249		249
250	`[Definition]`	250	`[Definition]`
251		251
252	`# Option: actionstart`	252	`# Option: actionstart`
253	`# Notes.: command executed once at the start of Fail2Ban.`	253	`# Notes.: command executed once at the start of Fail2Ban.`
254	`# Values: CMD`	254	`# Values: CMD`
255	`#`	255	`#`
256	`actionstart = iptables -N fail2ban-<name>`	256	`actionstart = iptables -N fail2ban-<name>`
257	`iptables -A fail2ban-<name> -j RETURN`	257	`iptables -A fail2ban-<name> -j RETURN`
258	`iptables -I <chain> -p <protocol> -j fail2ban-<name>`	258	`iptables -I <chain> -p <protocol> -j fail2ban-<name>`
259		259
260	`# Option: actionstop`	260	`# Option: actionstop`
261	`# Notes.: command executed once at the end of Fail2Ban`	261	`# Notes.: command executed once at the end of Fail2Ban`
262	`# Values: CMD`	262	`# Values: CMD`
263	`#`	263	`#`
264	`actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>`	264	`actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>`
265	`iptables -F fail2ban-<name>`	265	`iptables -F fail2ban-<name>`
266	`iptables -X fail2ban-<name>`	266	`iptables -X fail2ban-<name>`
267		267
268	`# Option: actioncheck`	268	`# Option: actioncheck`
269	`# Notes.: command executed once before each actionban command`	269	`# Notes.: command executed once before each actionban command`
270	`# Values: CMD`	270	`# Values: CMD`
271	`#`	271	`#`
272	`actioncheck = iptables -n -L <chain> \| grep -q fail2ban-<name>`	272	`actioncheck = iptables -n -L <chain> \| grep -q fail2ban-<name>`
273		273
274	`# Option: actionban`	274	`# Option: actionban`
275	`# Notes.: command executed when banning an IP. Take care that the`	275	`# Notes.: command executed when banning an IP. Take care that the`
276	`# command is executed with Fail2Ban user rights.`	276	`# command is executed with Fail2Ban user rights.`
277	`# Tags: <ip> IP address`	277	`# Tags: <ip> IP address`
278	`# <failures> number of failures`	278	`# <failures> number of failures`
279	`# <time> unix timestamp of the ban time`	279	`# <time> unix timestamp of the ban time`
280	`# Values: CMD`	280	`# Values: CMD`
281		281
282	`actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP`	282	`actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP`
283		283
284	`# Option: actionunban`	284	`# Option: actionunban`
285	`# Notes.: command executed when unbanning an IP. Take care that the`	285	`# Notes.: command executed when unbanning an IP. Take care that the`
286	`# command is executed with Fail2Ban user rights.`	286	`# command is executed with Fail2Ban user rights.`
287	`# Tags: <ip> IP address`	287	`# Tags: <ip> IP address`
288	`# <failures> number of failures`	288	`# <failures> number of failures`
289	`# <time> unix timestamp of the ban time`	289	`# <time> unix timestamp of the ban time`
290	`# Values: CMD`	290	`# Values: CMD`
291	`#`	291	`#`
292	`actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP`	292	`actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP`
293		293
294	`[Init]`	294	`[Init]`
295		295
296	`# Defaut name of the chain`	296	`# Defaut name of the chain`
297	`#`	297	`#`
298	`name = default`	298	`name = default`
299		299
300	`# Option: protocol`	300	`# Option: protocol`
301	`# Notes.: internally used by config reader for interpolations.`	301	`# Notes.: internally used by config reader for interpolations.`
302	`# Values: [ tcp \| udp \| icmp \| all ] Default: tcp`	302	`# Values: [ tcp \| udp \| icmp \| all ] Default: tcp`
303	`#`	303	`#`
304	`protocol = tcp`	304	`protocol = tcp`
305		305
306	`# Option: chain`	306	`# Option: chain`
307	`# Notes specifies the iptables chain to which the fail2ban rules should be`	307	`# Notes specifies the iptables chain to which the fail2ban rules should be`
308	`# added`	308	`# added`
309	`# Values: STRING Default: INPUT`	309	`# Values: STRING Default: INPUT`
310	`chain = INPUT`	310	`chain = INPUT`
311		311
312	`EOF`	312	`EOF`
313		313

Subversion Repositories ALCASAR

(root)/conf/fail2ban.sh – Rev 2815 → 2837