1191 |
crox53 |
1 |
FAIL_CONF="/etc/fail2ban/fail2ban.conf"
|
|
|
2 |
JAIL_CONF="/etc/fail2ban/jail.conf"
|
|
|
3 |
DIR_FILTER="/etc/fail2ban/filter.d/"
|
|
|
4 |
ACTION_ALLPORTS="/etc/fail2ban/action.d/iptables-allports.conf"
|
|
|
5 |
|
|
|
6 |
if(test -f $FAIL_CONF)
|
|
|
7 |
then
|
|
|
8 |
mv $FAIL_CONF $FAIL_CONF.old
|
|
|
9 |
fi
|
|
|
10 |
|
|
|
11 |
if(test -f $JAIL_CONF)
|
|
|
12 |
then
|
|
|
13 |
mv $JAIL_CONF $JAIL_CONF.old
|
|
|
14 |
fi
|
|
|
15 |
|
|
|
16 |
#########################################################
|
|
|
17 |
## Mise à jour du fichier de configuration de fail2ban ##
|
|
|
18 |
#########################################################
|
|
|
19 |
|
|
|
20 |
cat << EOF > $FAIL_CONF
|
|
|
21 |
|
|
|
22 |
[Definition]
|
|
|
23 |
|
|
|
24 |
# Option: loglevel
|
|
|
25 |
# Notes.: Set the log level output.
|
|
|
26 |
# 1 = ERROR
|
|
|
27 |
# 2 = WARN
|
|
|
28 |
# 3 = INFO
|
|
|
29 |
# 4 = DEBUG
|
|
|
30 |
# Values: NUM Default: 3
|
|
|
31 |
#
|
|
|
32 |
loglevel = 3
|
|
|
33 |
|
|
|
34 |
# Option: logtarget
|
|
|
35 |
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
|
|
|
36 |
# Only one log target can be specified.
|
|
|
37 |
# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
|
|
|
38 |
#
|
|
|
39 |
logtarget = /var/log/fail2ban.log
|
|
|
40 |
|
|
|
41 |
# Option: socket
|
|
|
42 |
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
|
|
|
43 |
# not remove this file when Fail2ban runs. It will not be possible to
|
|
|
44 |
# communicate with the server afterwards.
|
|
|
45 |
# Values: FILE Default: /var/run/fail2ban/fail2ban.sock
|
|
|
46 |
#
|
|
|
47 |
socket = /var/run/fail2ban/fail2ban.sock
|
|
|
48 |
EOF
|
|
|
49 |
|
|
|
50 |
#########################################################
|
|
|
51 |
## Mise à jour de la configuration de jail de fail2ban ##
|
|
|
52 |
#########################################################
|
|
|
53 |
|
|
|
54 |
cat << EOF > $JAIL_CONF
|
|
|
55 |
|
|
|
56 |
# Fail2Ban configuration file
|
|
|
57 |
#
|
|
|
58 |
# Author: Cyril Jaquier
|
|
|
59 |
#
|
|
|
60 |
# $Revision$
|
|
|
61 |
#
|
|
|
62 |
|
|
|
63 |
# The DEFAULT allows a global definition of the options. They can be overridden
|
|
|
64 |
# in each jail afterwards.
|
|
|
65 |
|
|
|
66 |
[DEFAULT]
|
|
|
67 |
|
|
|
68 |
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
|
|
|
69 |
# ban a host which matches an address in this list. Several addresses can be
|
|
|
70 |
# defined using space separator.
|
|
|
71 |
ignoreip = 127.0.0.1/8
|
|
|
72 |
|
|
|
73 |
# "bantime" is the number of seconds that a host is banned.
|
|
|
74 |
bantime = 600
|
|
|
75 |
|
|
|
76 |
# A host is banned if it has generated "maxretry" during the last "findtime"
|
|
|
77 |
# seconds.
|
|
|
78 |
# Un client est banni dans le cas ou il genere "maxretry" pendant le temps
|
|
|
79 |
# findtime en seconds
|
|
|
80 |
# Ici 5 requetes remplissant les filtres en 60 secondes
|
|
|
81 |
|
|
|
82 |
findtime = 60
|
|
|
83 |
|
|
|
84 |
# "maxretry" is the number of failures before a host get banned.
|
|
|
85 |
maxretry = 5
|
|
|
86 |
|
|
|
87 |
# "backend" specifies the backend used to get files modification. Available
|
|
|
88 |
# options are "gamin", "polling" and "auto". This option can be overridden in
|
|
|
89 |
# each jail too (use "gamin" for a jail and "polling" for another).
|
|
|
90 |
#
|
|
|
91 |
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
|
|
|
92 |
# is not installed, Fail2ban will use polling.
|
|
|
93 |
# polling: uses a polling algorithm which does not require external libraries.
|
|
|
94 |
# auto: will choose Gamin if available and polling otherwise.
|
|
|
95 |
backend = auto
|
|
|
96 |
|
|
|
97 |
|
|
|
98 |
# This jail corresponds to the standard configuration in Fail2ban 0.6.
|
|
|
99 |
# The mail-whois action send a notification e-mail with a whois request
|
|
|
100 |
# in the body.
|
|
|
101 |
|
|
|
102 |
|
|
|
103 |
# Bannissement si Mod_evasive bannie un @IP après 2 interdit par Apache alors BAN sur tous les ports
|
|
|
104 |
|
|
|
105 |
[mod-evasive]
|
|
|
106 |
|
|
|
107 |
enabled = true
|
|
|
108 |
#enabled = false
|
|
|
109 |
filter = mod-evasive
|
|
|
110 |
action = iptables-allports[name=mod-evasive]
|
|
|
111 |
logpath = /var/log/httpd/error_log
|
|
|
112 |
maxretry = 2
|
|
|
113 |
|
|
|
114 |
# Bannissement pour SSH-Brute-Force
|
|
|
115 |
|
|
|
116 |
[ssh-iptables]
|
|
|
117 |
|
|
|
118 |
enabled = true
|
|
|
119 |
#enabled = false
|
|
|
120 |
filter = sshd
|
|
|
121 |
action = iptables-allports[name=SSH]
|
|
|
122 |
logpath = /var/log/auth.log
|
|
|
123 |
maxretry = 3
|
|
|
124 |
|
|
|
125 |
# Bannissement si 5 tentatives de connexion echouer en alcasar/acc
|
|
|
126 |
|
|
|
127 |
[htdigest]
|
|
|
128 |
|
|
|
129 |
enabled = true
|
|
|
130 |
#enabled = false
|
|
|
131 |
filter = htdigest
|
|
|
132 |
action = iptables-allports[name=htdigest]
|
|
|
133 |
logpath = /var/log/httpd/ssl_error_log
|
|
|
134 |
maxretry = 5
|
|
|
135 |
|
|
|
136 |
# Bannissement si 5 tentatives de connexion avec intercept.php avec reason=reject
|
|
|
137 |
|
|
|
138 |
[intercept]
|
|
|
139 |
|
|
|
140 |
enabled = true
|
|
|
141 |
#enabled = false
|
|
|
142 |
filter = intercept
|
|
|
143 |
action = iptables-allports[name=intercept]
|
|
|
144 |
logpath = /var/log/httpd/ssl_request_log
|
|
|
145 |
maxretry = 5
|
|
|
146 |
|
|
|
147 |
# Bannissement si 5 tentatives de changement de mot de passe en moins de 1 min
|
|
|
148 |
# 5 POST pour changer le mot de passe que le POST soit ok ou non.
|
|
|
149 |
|
|
|
150 |
[mot_de_passe]
|
|
|
151 |
|
|
|
152 |
enabled = true
|
|
|
153 |
#enabled = false
|
|
|
154 |
filter = mot_de_passe
|
|
|
155 |
action = iptables-allports[name=Mot_de_Passe]
|
|
|
156 |
logpath = /var/log/httpd/ssl_request_log
|
|
|
157 |
maxretry = 5
|
|
|
158 |
|
|
|
159 |
|
|
|
160 |
[proftpd-iptables]
|
|
|
161 |
|
|
|
162 |
enabled = false
|
|
|
163 |
filter = proftpd
|
|
|
164 |
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
|
|
|
165 |
sendmail-whois[name=ProFTPD, dest=you@example.com]
|
|
|
166 |
logpath = /var/log/proftpd/proftpd.log
|
|
|
167 |
maxretry = 6
|
|
|
168 |
|
|
|
169 |
# This jail forces the backend to "polling".
|
|
|
170 |
|
|
|
171 |
[sasl-iptables]
|
|
|
172 |
|
|
|
173 |
enabled = false
|
|
|
174 |
filter = sasl
|
|
|
175 |
backend = polling
|
|
|
176 |
action = iptables[name=sasl, port=smtp, protocol=tcp]
|
|
|
177 |
sendmail-whois[name=sasl, dest=you@example.com]
|
|
|
178 |
logpath = /var/log/mail.log
|
|
|
179 |
|
|
|
180 |
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
|
|
|
181 |
# used to avoid banning the user "myuser".
|
|
|
182 |
|
|
|
183 |
[ssh-tcpwrapper]
|
|
|
184 |
|
|
|
185 |
enabled = false
|
|
|
186 |
filter = sshd
|
|
|
187 |
action = hostsdeny
|
|
|
188 |
sendmail-whois[name=SSH, dest=you@example.com]
|
|
|
189 |
ignoreregex = for myuser from
|
|
|
190 |
logpath = /var/log/auth.log
|
|
|
191 |
|
|
|
192 |
# This jail demonstrates the use of wildcards in "logpath".
|
|
|
193 |
# Moreover, it is possible to give other files on a new line.
|
|
|
194 |
|
|
|
195 |
[apache-tcpwrapper]
|
|
|
196 |
|
|
|
197 |
enabled = false
|
|
|
198 |
filter = apache-auth
|
|
|
199 |
action = hostsdeny
|
|
|
200 |
logpath = /var/log/apache*/*error.log
|
|
|
201 |
/home/www/myhomepage/error.log
|
|
|
202 |
maxretry = 6
|
|
|
203 |
|
|
|
204 |
# The hosts.deny path can be defined with the "file" argument if it is
|
|
|
205 |
# not in /etc.
|
|
|
206 |
|
|
|
207 |
[postfix-tcpwrapper]
|
|
|
208 |
|
|
|
209 |
enabled = false
|
|
|
210 |
filter = postfix
|
|
|
211 |
action = hostsdeny[file=/not/a/standard/path/hosts.deny]
|
|
|
212 |
sendmail[name=Postfix, dest=you@example.com]
|
|
|
213 |
logpath = /var/log/postfix.log
|
|
|
214 |
bantime = 300
|
|
|
215 |
|
|
|
216 |
# Do not ban anybody. Just report information about the remote host.
|
|
|
217 |
# A notification is sent at most every 600 seconds (bantime).
|
|
|
218 |
|
|
|
219 |
[vsftpd-notification]
|
|
|
220 |
|
|
|
221 |
enabled = false
|
|
|
222 |
filter = vsftpd
|
|
|
223 |
action = sendmail-whois[name=VSFTPD, dest=you@example.com]
|
|
|
224 |
logpath = /var/log/vsftpd.log
|
|
|
225 |
maxretry = 5
|
|
|
226 |
bantime = 1800
|
|
|
227 |
|
|
|
228 |
# Same as above but with banning the IP address.
|
|
|
229 |
|
|
|
230 |
[vsftpd-iptables]
|
|
|
231 |
|
|
|
232 |
enabled = false
|
|
|
233 |
filter = vsftpd
|
|
|
234 |
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
|
|
|
235 |
sendmail-whois[name=VSFTPD, dest=you@example.com]
|
|
|
236 |
logpath = /var/log/vsftpd.log
|
|
|
237 |
maxretry = 5
|
|
|
238 |
bantime = 1800
|
|
|
239 |
|
|
|
240 |
# Ban hosts which agent identifies spammer robots crawling the web
|
|
|
241 |
# for email addresses. The mail outputs are buffered.
|
|
|
242 |
|
|
|
243 |
[apache-badbots]
|
|
|
244 |
|
|
|
245 |
enabled = false
|
|
|
246 |
filter = apache-badbots
|
|
|
247 |
action = iptables-multiport[name=BadBots, port="http,https"]
|
|
|
248 |
sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
|
|
|
249 |
logpath = /var/www/*/logs/access_log
|
|
|
250 |
bantime = 172800
|
|
|
251 |
maxretry = 1
|
|
|
252 |
|
|
|
253 |
# Use shorewall instead of iptables.
|
|
|
254 |
|
|
|
255 |
[apache-shorewall]
|
|
|
256 |
|
|
|
257 |
enabled = false
|
|
|
258 |
filter = apache-noscript
|
|
|
259 |
action = shorewall
|
|
|
260 |
sendmail[name=Postfix, dest=you@example.com]
|
|
|
261 |
logpath = /var/log/apache2/error_log
|
|
|
262 |
|
|
|
263 |
# Ban attackers that try to use PHP's URL-fopen() functionality
|
|
|
264 |
# through GET/POST variables. - Experimental, with more than a year
|
|
|
265 |
# of usage in production environments.
|
|
|
266 |
|
|
|
267 |
[php-url-fopen]
|
|
|
268 |
|
|
|
269 |
enabled = false
|
|
|
270 |
port = http,https
|
|
|
271 |
filter = php-url-fopen
|
|
|
272 |
logpath = /var/www/*/logs/access_log
|
|
|
273 |
maxretry = 1
|
|
|
274 |
|
|
|
275 |
# A simple PHP-fastcgi jail which works with lighttpd.
|
|
|
276 |
# If you run a lighttpd server, then you probably will
|
|
|
277 |
# find these kinds of messages in your error_log:
|
|
|
278 |
# ALERT – tried to register forbidden variable ‘GLOBALS’
|
|
|
279 |
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
|
|
|
280 |
# This jail would block the IP 1.2.3.4.
|
|
|
281 |
|
|
|
282 |
[lighttpd-fastcgi]
|
|
|
283 |
|
|
|
284 |
enabled = false
|
|
|
285 |
port = http,https
|
|
|
286 |
filter = lighttpd-fastcgi
|
|
|
287 |
# adapt the following two items as needed
|
|
|
288 |
logpath = /var/log/lighttpd/error.log
|
|
|
289 |
maxretry = 2
|
|
|
290 |
|
|
|
291 |
# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
|
|
|
292 |
# option is overridden in this jail. Moreover, the action "mail-whois" defines
|
|
|
293 |
# the variable "name" which contains a comma using "". The characters '' are
|
|
|
294 |
# valid too.
|
|
|
295 |
|
|
|
296 |
[ssh-ipfw]
|
|
|
297 |
|
|
|
298 |
enabled = false
|
|
|
299 |
filter = sshd
|
|
|
300 |
action = ipfw[localhost=192.168.0.1]
|
|
|
301 |
sendmail-whois[name="SSH,IPFW", dest=you@example.com]
|
|
|
302 |
logpath = /var/log/auth.log
|
|
|
303 |
ignoreip = 168.192.0.1
|
|
|
304 |
|
|
|
305 |
# These jails block attacks against named (bind9). By default, logging is off
|
|
|
306 |
# with bind9 installation. You will need something like this:
|
|
|
307 |
#
|
|
|
308 |
# logging {
|
|
|
309 |
# channel security_file {
|
|
|
310 |
# file "/var/log/named/security.log" versions 3 size 30m;
|
|
|
311 |
# severity dynamic;
|
|
|
312 |
# print-time yes;
|
|
|
313 |
# };
|
|
|
314 |
# category security {
|
|
|
315 |
# security_file;
|
|
|
316 |
# };
|
|
|
317 |
# };
|
|
|
318 |
#
|
|
|
319 |
# in your named.conf to provide proper logging.
|
|
|
320 |
# This jail blocks UDP traffic for DNS requests.
|
|
|
321 |
|
|
|
322 |
# !!! WARNING !!!
|
|
|
323 |
# Since UDP is connection-less protocol, spoofing of IP and imitation
|
|
|
324 |
# of illegal actions is way too simple. Thus enabling of this filter
|
|
|
325 |
# might provide an easy way for implementing a DoS against a chosen
|
|
|
326 |
# victim. See
|
|
|
327 |
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
|
|
|
328 |
# Please DO NOT USE this jail unless you know what you are doing.
|
|
|
329 |
#
|
|
|
330 |
# [named-refused-udp]
|
|
|
331 |
#
|
|
|
332 |
# enabled = false
|
|
|
333 |
# filter = named-refused
|
|
|
334 |
# action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
|
|
|
335 |
# sendmail-whois[name=Named, dest=you@example.com]
|
|
|
336 |
# logpath = /var/log/named/security.log
|
|
|
337 |
# ignoreip = 168.192.0.1
|
|
|
338 |
|
|
|
339 |
# This jail blocks TCP traffic for DNS requests.
|
|
|
340 |
|
|
|
341 |
[named-refused-tcp]
|
|
|
342 |
|
|
|
343 |
enabled = false
|
|
|
344 |
filter = named-refused
|
|
|
345 |
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
|
|
|
346 |
sendmail-whois[name=Named, dest=you@example.com]
|
|
|
347 |
logpath = /var/log/named/security.log
|
|
|
348 |
ignoreip = 168.192.0.1
|
|
|
349 |
|
|
|
350 |
EOF
|
|
|
351 |
|
|
|
352 |
###########################################
|
|
|
353 |
## Mise en place des filters spécifiques ##
|
|
|
354 |
## - Mod_evasive.conf ##
|
|
|
355 |
## - htdigest.conf ##
|
|
|
356 |
## -
|
|
|
357 |
## -
|
|
|
358 |
###########################################
|
|
|
359 |
|
|
|
360 |
######################
|
|
|
361 |
## MOD-EVASIVE.CONF ##
|
|
|
362 |
######################
|
|
|
363 |
|
|
|
364 |
if (test -f $DIR_FILTER/mod-evasive.conf)
|
|
|
365 |
then
|
|
|
366 |
mv $DIR_FILTER/mod-evasive.conf $DIR_FILTER/mod-evasive.conf.old
|
|
|
367 |
fi
|
|
|
368 |
|
|
|
369 |
cat << EOF > $DIR_FILTER/mod-evasive.conf
|
|
|
370 |
# Fail2Ban configuration file
|
|
|
371 |
#
|
|
|
372 |
# Author: Cyril Jaquier
|
|
|
373 |
#
|
|
|
374 |
# $Revision$
|
|
|
375 |
#
|
|
|
376 |
|
|
|
377 |
[Definition]
|
|
|
378 |
|
|
|
379 |
# Option: failregex
|
|
|
380 |
# Notes.: regex to match the password failure messages in the logfile. The
|
|
|
381 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
|
|
382 |
# be used for standard IP/hostname matching and is only an alias for
|
|
|
383 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
|
|
384 |
# Values: TEXT
|
|
|
385 |
#
|
|
|
386 |
failregex = [[]client <HOST>[]] client denied by server configuration
|
|
|
387 |
|
|
|
388 |
# Option: ignoreregex
|
|
|
389 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
|
|
390 |
# Values: TEXT
|
|
|
391 |
#
|
|
|
392 |
ignoreregex =
|
|
|
393 |
EOF
|
|
|
394 |
|
|
|
395 |
###################
|
|
|
396 |
## HTDIGEST.CONF ##
|
|
|
397 |
###################
|
|
|
398 |
|
|
|
399 |
if ( test -f $DIR_FILTER/htdigest.conf)
|
|
|
400 |
then
|
|
|
401 |
mv $DIR_FILTER/htdigest.conf $DIR_FILTER/htdigest.conf.old
|
|
|
402 |
fi
|
|
|
403 |
|
|
|
404 |
cat << EOF > $DIR_FILTER/htdigest.conf
|
|
|
405 |
# Fail2Ban configuration file
|
|
|
406 |
#
|
|
|
407 |
# Author: Cyril Jaquier
|
|
|
408 |
#
|
|
|
409 |
# $Revision$
|
|
|
410 |
#
|
|
|
411 |
|
|
|
412 |
[Definition]
|
|
|
413 |
|
|
|
414 |
# Option: failregex
|
|
|
415 |
# Notes.: regex to match the password failure messages in the logfile. The
|
|
|
416 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
|
|
417 |
# be used for standard IP/hostname matching and is only an alias for
|
|
|
418 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
|
|
419 |
# Values: TEXT
|
|
|
420 |
#
|
|
|
421 |
failregex = [[]error[]] [[]client <HOST>[]] Digest:
|
|
|
422 |
|
|
|
423 |
# Option: ignoreregex
|
|
|
424 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
|
|
425 |
# Values: TEXT
|
|
|
426 |
#
|
|
|
427 |
ignoreregex =
|
|
|
428 |
EOF
|
|
|
429 |
|
|
|
430 |
####################
|
|
|
431 |
## INTERCEPT.CONF ##
|
|
|
432 |
####################
|
|
|
433 |
|
|
|
434 |
if ( test -f $DIR_FILTER/intercept.conf)
|
|
|
435 |
then
|
|
|
436 |
mv $DIR_FILTER/intercept.conf $DIR_FILTER/intercept.conf.old
|
|
|
437 |
fi
|
|
|
438 |
|
|
|
439 |
cat << EOF > $DIR_FILTER/intercept.conf
|
|
|
440 |
|
|
|
441 |
# Fail2Ban configuration file
|
|
|
442 |
#
|
|
|
443 |
# Author: Cyril Jaquier
|
|
|
444 |
#
|
|
|
445 |
# $Revision$
|
|
|
446 |
#
|
|
|
447 |
|
|
|
448 |
[Definition]
|
|
|
449 |
|
|
|
450 |
# Option: failregex
|
|
|
451 |
# Notes.: regex to match the password failure messages in the logfile. The
|
|
|
452 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
|
|
453 |
# be used for standard IP/hostname matching and is only an alias for
|
|
|
454 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
|
|
455 |
# Values: TEXT
|
|
|
456 |
#
|
|
|
457 |
failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]GET \/intercept\.php\?res=failed[&]reason=reject
|
|
|
458 |
|
|
|
459 |
# Option: ignoreregex
|
|
|
460 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
|
|
461 |
# Values: TEXT
|
|
|
462 |
#
|
|
|
463 |
ignoreregex =
|
|
|
464 |
EOF
|
|
|
465 |
|
|
|
466 |
#######################
|
|
|
467 |
## MOT_DE_PASSE.CONF ##
|
|
|
468 |
#######################
|
|
|
469 |
|
|
|
470 |
if ( test -f $DIR_FILTER/mot_de_passe.conf )
|
|
|
471 |
then
|
|
|
472 |
mv $DIR_FILTER/mot_de_passe.conf $DIR_FILTER/mot_de_passe.conf.old
|
|
|
473 |
fi
|
|
|
474 |
|
|
|
475 |
cat << EOF > $DIR_FILTER/mot_de_passe.conf
|
|
|
476 |
|
|
|
477 |
# Fail2Ban configuration file
|
|
|
478 |
#
|
|
|
479 |
# Author: Cyril Jaquier
|
|
|
480 |
#
|
|
|
481 |
# $Revision$
|
|
|
482 |
#
|
|
|
483 |
|
|
|
484 |
[Definition]
|
|
|
485 |
|
|
|
486 |
# Option: failregex
|
|
|
487 |
# Notes.: regex to match the password failure messages in the logfile. The
|
|
|
488 |
# host must be matched by a group named "host". The tag "<HOST>" can
|
|
|
489 |
# be used for standard IP/hostname matching and is only an alias for
|
|
|
490 |
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
|
|
491 |
# Values: TEXT
|
|
|
492 |
#
|
|
|
493 |
failregex = <HOST> TLSv1 DHE-RSA-AES256-SHA ["]POST \/pass\/index\.php HTTP
|
|
|
494 |
|
|
|
495 |
# Option: ignoreregex
|
|
|
496 |
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
|
|
497 |
# Values: TEXT
|
|
|
498 |
#
|
|
|
499 |
ignoreregex =
|
|
|
500 |
EOF
|
|
|
501 |
|
|
|
502 |
|
|
|
503 |
##############################################
|
|
|
504 |
## Log sur Iptables quand iptables-allports ##
|
|
|
505 |
##############################################
|
|
|
506 |
|
|
|
507 |
if ( test -f $ACTION_ALLPORTS )
|
|
|
508 |
then
|
|
|
509 |
mv $ACTION_ALLPORTS $ACTION_ALLPORTS.old
|
|
|
510 |
fi
|
|
|
511 |
|
|
|
512 |
cat << EOF > $ACTION_ALLPORTS
|
|
|
513 |
|
|
|
514 |
# Fail2Ban configuration file
|
|
|
515 |
#
|
|
|
516 |
# Author: Cyril Jaquier
|
|
|
517 |
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
|
|
|
518 |
# made active on all ports from original iptables.conf
|
|
|
519 |
#
|
|
|
520 |
# $Revision$
|
|
|
521 |
#
|
|
|
522 |
|
|
|
523 |
[Definition]
|
|
|
524 |
|
|
|
525 |
# Option: actionstart
|
|
|
526 |
# Notes.: command executed once at the start of Fail2Ban.
|
|
|
527 |
# Values: CMD
|
|
|
528 |
#
|
|
|
529 |
actionstart = iptables -N fail2ban-<name>
|
|
|
530 |
iptables -A fail2ban-<name> -j RETURN
|
|
|
531 |
iptables -I <chain> -p <protocol> -j fail2ban-<name>
|
|
|
532 |
|
|
|
533 |
# Option: actionstop
|
|
|
534 |
# Notes.: command executed once at the end of Fail2Ban
|
|
|
535 |
# Values: CMD
|
|
|
536 |
#
|
|
|
537 |
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
|
|
|
538 |
iptables -F fail2ban-<name>
|
|
|
539 |
iptables -X fail2ban-<name>
|
|
|
540 |
|
|
|
541 |
# Option: actioncheck
|
|
|
542 |
# Notes.: command executed once before each actionban command
|
|
|
543 |
# Values: CMD
|
|
|
544 |
#
|
|
|
545 |
actioncheck = iptables -n -L <chain> | grep -q fail2ban-<name>
|
|
|
546 |
|
|
|
547 |
# Option: actionban
|
|
|
548 |
# Notes.: command executed when banning an IP. Take care that the
|
|
|
549 |
# command is executed with Fail2Ban user rights.
|
|
|
550 |
# Tags: <ip> IP address
|
|
|
551 |
# <failures> number of failures
|
|
|
552 |
# <time> unix timestamp of the ban time
|
|
|
553 |
# Values: CMD
|
|
|
554 |
|
|
|
555 |
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
|
|
|
556 |
iptables -I fail2ban-<name> 1 -s <ip> -j DROP
|
|
|
557 |
|
|
|
558 |
# Option: actionunban
|
|
|
559 |
# Notes.: command executed when unbanning an IP. Take care that the
|
|
|
560 |
# command is executed with Fail2Ban user rights.
|
|
|
561 |
# Tags: <ip> IP address
|
|
|
562 |
# <failures> number of failures
|
|
|
563 |
# <time> unix timestamp of the ban time
|
|
|
564 |
# Values: CMD
|
|
|
565 |
#
|
|
|
566 |
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
|
|
|
567 |
iptables -D fail2ban-<name> -s <ip> -j ULOG --ulog-prefix "Fail2Ban -- DROP"
|
|
|
568 |
|
|
|
569 |
[Init]
|
|
|
570 |
|
|
|
571 |
# Defaut name of the chain
|
|
|
572 |
#
|
|
|
573 |
name = default
|
|
|
574 |
|
|
|
575 |
# Option: protocol
|
|
|
576 |
# Notes.: internally used by config reader for interpolations.
|
|
|
577 |
# Values: [ tcp | udp | icmp | all ] Default: tcp
|
|
|
578 |
#
|
|
|
579 |
protocol = tcp
|
|
|
580 |
|
|
|
581 |
# Option: chain
|
|
|
582 |
# Notes specifies the iptables chain to which the fail2ban rules should be
|
|
|
583 |
# added
|
|
|
584 |
# Values: STRING Default: INPUT
|
|
|
585 |
chain = INPUT
|
|
|
586 |
|
|
|
587 |
EOF
|
1192 |
crox53 |
588 |
|
|
|
589 |
#Activation de l'unité
|
|
|
590 |
systemctl enable fail2ban.service
|