diff --git a/fail2ban/actions/iptest.conf b/fail2ban/actions/iptest.conf
new file mode 100644
index 0000000..087e442
--- /dev/null
+++ b/fail2ban/actions/iptest.conf
@@ -0,0 +1,45 @@
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+#actionstart = /etc/fail2ban/action.d/fail.sh
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+#actionstop = p
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+#actionban = echo "test" >> /etc/fail2ban/action.d/test.log
+#actionban = echo f2b-<name> <protocol> <port> <ip> <bantime> >> /etc/fail2ban/action.d/test.log
+actionban = /etc/fail2ban/action.d/fail.sh <name> <protocol> <port> <ip> <bantime>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: <ip> IP address
+# <failures> number of failures
+# <time> unix timestamp of the ban time
+# Values: CMD
+#
+#actionunban = /etc/fail2ban/action.d/<Insert remove from database>
+
+#[Init]
+
+#init = 'Custom startup message
diff --git a/fail2ban/filters/failtest.conf b/fail2ban/filters/failtest.conf
new file mode 100644
index 0000000..045e939
--- /dev/null
+++ b/fail2ban/filters/failtest.conf
@@ -0,0 +1,19 @@
+# Fail2Ban filter for openssh
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+# (\d*)?( ssh\d+)
+before = common.conf
+
+
+[Definition]
+
+#failregex = ^2018-06-06 03:14:19\t*<HOST>\t*22\t*tcp$
+failregex = ^(.*?)\t+<HOST>
+#failregex = ^<>\s+<HOST>
+#ignoreregex =
+
+
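Review bot: `actionunban` stays commented out, so a row that `actionban` pushes into the shared table is never removed or expired on the DB side; the only thing that ages a ban out on peer hosts is the time window in the pull queries, and the `<bantime>` value stored with the row is otherwise unused. Either define an unban command that deletes or flags the matching row, or state above `actionunban` that expiry is handled purely by the pull-side window. `actioncheck =` is empty as well, so an INSERT that fails (DB unreachable, bad credentials) is invisible to fail2ban. The `Tags:` list should also mention that `<bantime>` is not a built-in tag but comes from the `bantime=...` action parameter in jail.conf, e.g. `# <bantime> ban length, supplied by the bantime= action parameter in jail.conf`.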
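Review bot: The header says `# Fail2Ban filter for openssh`, but `failregex = ^(.*?)\t+<HOST>` matches the tab-separated rows the get scripts export from the ban table, not sshd log lines, and the stray `# (\d*)?( ssh\d+)` under `[INCLUDES]` looks like a leftover. Replace the header with `# Fail2Ban filter for rows pulled from the shared ban table (timestamp<TAB>ip<TAB>port<TAB>protocol)`. `ignoreregex` is commented out; the stock filters define it explicitly, so uncomment `ignoreregex =`. Because every row matched here becomes a failure for `<HOST>`, the filter trusts the table's contents completely — whoever can write to that table can drive bans on this host, which is worth a comment above `failregex`.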
diff --git a/fail2ban/jail.conf b/fail2ban/jail.conf
new file mode 100644
index 0000000..9d7a5b9
--- /dev/null
+++ b/fail2ban/jail.conf
@@ -0,0 +1,419 @@
+# Fail2Ban jail base specification file
+#
+# HOW TO ACTIVATE JAILS:
+#
+# YOU SHOULD NOT MODIFY THIS FILE.
+#
+# It will probably be overwitten or improved in a distribution update.
+#
+# Provide customizations in a jail.local file or a jail.d/customisation.local.
+# For example to change the default bantime for all jails and to enable the
+# ssh-iptables jail the following (uncommented) would appear in the .local file.
+# See man 5 jail.conf for details.
+#
+# [DEFAULT]
+# bantime = 3600
+#
+# [ssh-iptables]
+# enabled = true
+
+
+
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
+# ban a host which matches an address in this list. Several addresses can be
+# defined using space separator.
+ignoreip = 127.0.0.1/8 172.16.2.10
+
+# External command that will take an tagged arguments to ignore, e.g. <ip>,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command <ip>
+ignorecommand =
+
+# "bantime" is the number of seconds that a host is banned.
+bantime.increment = true
+bantime = 600
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = 600
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 3
+
+# "backend" specifies the backend used to get files modification.
+# Available options are "pyinotify", "gamin", "polling" and "auto".
+# This option can be overridden in each jail as well.
+#
+# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
+# If pyinotify is not installed, Fail2ban will use auto.
+# gamin: requires Gamin (a file alteration monitor) to be installed.
+# If Gamin is not installed, Fail2ban will use auto.
+# polling: uses a polling algorithm which does not require external libraries.
+# auto: will try to use the following backends, in order:
+# pyinotify, gamin, polling.
+backend = auto
+
+# "usedns" specifies if jails should trust hostnames in logs,
+# warn when DNS lookups are performed, or ignore all hostnames in logs
+#
+# yes: if a hostname is encountered, a DNS lookup will be performed.
+# warn: if a hostname is encountered, a DNS lookup will be performed,
+# but it will be logged as a warning.
+# no: if a hostname is encountered, will not be used for banning,
+# but it will be logged as info.
+usedns = warn
+
+
+# This jail corresponds to the standard configuration in Fail2ban.
+# The mail-whois action send a notification e-mail with a whois request
+# in the body.
+
+[pam-generic]
+
+enabled = false
+filter = pam-generic
+port = all
+action = iptables-multiport[name=SSH, port=ssh, protocol=tcp]
+logpath = /var/log/secure
+
+
+[xinetd-fail]
+
+enabled = false
+filter = xinetd-fail
+action = iptables-allports[name=xinetd,protocol=all]
+logpath = /var/log/daemon*log
+
+
+[ssh-iptables]
+
+enabled = true
+filter = sshd
+action = iptables[name=SSH, port=ssh, protocol=tcp]
+ iptest[name=SSH, port=ssh, protocol=tcp, bantime=%(bantime)s]
+logpath = /var/log/secure
+maxretry = 3
+#bantime.increment = true
+#bantime = 10
+
+
+[ssh-shared]
+
+enabled = true
+filter = failtest
+action = iptables[name=SSH-SHARED, port=ssh, protocol=tcp]
+logpath = /etc/fail2ban/empty.log
+maxretry = 1
+#bantime = 120
+
+
+[ssh-long]
+
+enabled = true
+filter = failtest
+logpath = /etc/fail2ban/long.log
+maxretry = 5
+action = iptables[name=SSH-LONG, port=ssh, protocol=tcp]
+ iptest[name=SSH-LONG, port=ssh, protocol=tcp, bantime=%(bantime)s]
+bantime = 300
+
+[ssh-verylong]
+
+enabled = true
+filter = failtest
+logpath = /etc/fail2ban/verylong.log
+maxretry = 4
+action = iptables[name=SSH-VLONG, port=ssh, protocol=tcp]
+ iptest[name=SSH-VLONG, port=ssh, protocol=tcp, bantime=%(bantime)s]
+bantime = 40000
+
+[ssh-ddos]
+
+enabled = false
+filter = sshd-ddos
+action = iptables[name=SSHDDOS, port=ssh, protocol=tcp]
+logpath = /var/log/sshd.log
+maxretry = 2
+
+
+[dropbear]
+
+enabled = false
+filter = dropbear
+action = iptables[name=dropbear, port=ssh, protocol=tcp]
+logpath = /var/log/messages
+maxretry = 5
+
+
+[proftpd-iptables]
+
+enabled = false
+filter = proftpd
+action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
+ sendmail-whois[name=ProFTPD, dest=you@example.com]
+logpath = /var/log/proftpd/proftpd.log
+maxretry = 6
+
+
+[gssftpd-iptables]
+
+enabled = false
+filter = gssftpd
+action = iptables[name=GSSFTPd, port=ftp, protocol=tcp]
+ sendmail-whois[name=GSSFTPd, dest=you@example.com]
+logpath = /var/log/daemon.log
+maxretry = 6
+
+
+[pure-ftpd]
+
+enabled = false
+filter = pure-ftpd
+action = iptables[name=pureftpd, port=ftp, protocol=tcp]
+logpath = /var/log/pureftpd.log
+maxretry = 6
+
+
+[wuftpd]
+
+enabled = false
+filter = wuftpd
+action = iptables[name=wuftpd, port=ftp, protocol=tcp]
+logpath = /var/log/daemon.log
+maxretry = 6
+
+
+[sendmail-auth]
+
+enabled = false
+filter = sendmail-auth
+action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
+logpath = /var/log/mail.log
+
+
+[sendmail-reject]
+
+enabled = false
+filter = sendmail-reject
+action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
+logpath = /var/log/mail.log
+
+
+# This jail forces the backend to "polling".
+[sasl-iptables]
+
+enabled = false
+filter = postfix-sasl
+backend = polling
+action = iptables[name=sasl, port=smtp, protocol=tcp]
+ sendmail-whois[name=sasl, dest=you@example.com]
+logpath = /var/log/mail.log
+
+
+# ASSP SMTP Proxy Jail
+[assp]
+
+enabled = false
+filter = assp
+action = iptables-multiport[name=assp,port="25,465,587"]
+logpath = /root/path/to/assp/logs/maillog.txt
+
+
+# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
+# used to avoid banning the user "myuser".
+[ssh-tcpwrapper]
+
+enabled = false
+filter = sshd
+action = hostsdeny[daemon_list=sshd]
+ sendmail-whois[name=SSH, dest=you@example.com]
+ignoreregex = for myuser from
+logpath = /var/log/sshd.log
+
+
+# Here we use blackhole routes for not requiring any additional kernel support
+# to store large volumes of banned IPs
+[ssh-route]
+enabled = false
+filter = sshd
+action = route
+logpath = /var/log/sshd.log
+maxretry = 5
+
+
+# Here we use a combination of Netfilter/Iptables and IPsets
+# for storing large volumes of banned IPs
+#
+# IPset comes in two versions. See ipset -V for which one to use
+# requires the ipset package and kernel support.
+[ssh-iptables-ipset4]
+
+enabled = false
+filter = sshd
+action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
+logpath = /var/log/sshd.log
+maxretry = 5
+
+
+[ssh-iptables-ipset6]
+
+enabled = false
+filter = sshd
+action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
+logpath = /var/log/sshd.log
+maxretry = 5
+
+
+# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
+# table number must be unique.
+#
+# This will create a deny rule for that table ONLY if a rule
+# for the table doesn't ready exist.
+#
+[ssh-bsd-ipfw]
+enabled = false
+filter = sshd
+action = bsd-ipfw[port=ssh,table=1]
+logpath = /var/log/auth.log
+maxretry = 5
+
+
+# This jail demonstrates the use of wildcards in "logpath".
+# Moreover, it is possible to give other files on a new line.
+[apache-tcpwrapper]
+
+enabled = false
+filter = apache-auth
+action = hostsdeny
+logpath = /var/log/apache*/*error.log
+ /home/www/myhomepage/error.log
+maxretry = 6
+
+
+[apache-modsecurity]
+
+enabled = false
+filter = apache-modsecurity
+action = iptables-multiport[name=apache-modsecurity,port="80,443"]
+logpath = /var/log/apache*/*error.log
+ /home/www/myhomepage/error.log
+maxretry = 2
+
+
+[apache-overflows]
+
+enabled = false
+filter = apache-overflows
+action = iptables-multiport[name=apache-overflows,port="80,443"]
+logpath = /var/log/apache*/*error.log
+ /home/www/myhomepage/error.log
+maxretry = 2
+[apache-nohome]
+
+enabled = false
+filter = apache-nohome
+action = iptables-multiport[name=apache-nohome,port="80,443"]
+logpath = /var/log/apache*/*error.log
+ /home/www/myhomepage/error.log
+maxretry = 2
+
+
+[nginx-http-auth]
+
+enabled = false
+filter = nginx-http-auth
+action = iptables-multiport[name=nginx-http-auth,port="80,443"]
+logpath = /var/log/nginx/error.log
+
+
+[squid]
+
+enabled = false
+filter = squid
+action = iptables-multiport[name=squid,port="80,443,8080"]
+logpath = /var/log/squid/access.log
+
+
+# The hosts.deny path can be defined with the "file" argument if it is
+# not in /etc.
+[postfix-tcpwrapper]
+
+enabled = false
+filter = postfix
+action = hostsdeny[file=/not/a/standard/path/hosts.deny]
+ sendmail[name=Postfix, dest=you@example.com]
+logpath = /var/log/postfix.log
+bantime = 300
+[cyrus-imap]
+
+enabled = false
+filter = cyrus-imap
+action = iptables-multiport[name=cyrus-imap,port="143,993"]
+logpath = /var/log/mail*log
+
+
+[courierlogin]
+
+enabled = false
+filter = courierlogin
+action = iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"]
+logpath = /var/log/mail*log
+
+
+[couriersmtp]
+
+enabled = false
+filter = couriersmtp
+action = iptables-multiport[name=couriersmtp,port="25,465,587"]
+logpath = /var/log/mail*log
+
+
+
+[selinux-ssh]
+enabled = false
+filter = selinux-ssh
+action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
+logpath = /var/log/audit/audit.log
+maxretry = 5
+
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to
+# use this action
+#
+# Report block via blocklist.de fail2ban reporting service API
+# See action.d/blocklist_de.conf for more information
+
+
+
+[ssh-blocklist]
+
+enabled = false
+filter = sshd
+action = iptables[name=SSH, port=ssh, protocol=tcp]
+ sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
+ blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s]
+logpath = /var/log/sshd.log
+maxretry = 20
+
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+enabled = false
+filter = nagios
+action = iptables[name=Nagios, port=5666, protocol=tcp]
+ sendmail-whois[name=Nagios, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
+logpath = /var/log/messages ; nrpe.cfg may define a different log_facility
+maxretry = 1
+
+
+
+
+
diff --git a/fail2ban/logs/empty.log b/fail2ban/logs/empty.log
new file mode 100755
index 0000000..8b13789
--- /dev/null
+++ b/fail2ban/logs/empty.log
@@ -0,0 +1 @@
+
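Review bot: `ignoreip = 127.0.0.1/8 172.16.2.10` in `[DEFAULT]` is the only safeguard for the shared-table jails (`ssh-shared`, `ssh-long`, `ssh-verylong`, all on the `failtest` filter with `maxretry` as low as 1): every row a peer host — or anyone holding the `fail1` credentials — writes into the table becomes a local ban, so management and monitoring addresses belong in `ignoreip` on every node, otherwise one bad row locks administrators out cluster-wide. `ssh-long` and `ssh-verylong` also push their own bans back through `iptest[...]` while getlongban.sh pulls rows of any name, so a ban pulled from a peer can be re-pushed under a new name and pulled again; if that cascade is intended, say so in a comment above `[ssh-long]`, otherwise drop the `iptest` action from those two jails. The `bantime=%(bantime)s` handed to `iptest` is the configured base value, so with `bantime.increment = true` the stored value may understate the ban actually applied (depends on how this fail2ban version applies the increment — worth confirming). Each get script rewrites the watched file in place, so the same rows are re-read on every run; whether re-read rows count as new failures toward `maxretry = 5` in `ssh-long` should be tested rather than assumed.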
diff --git a/fail2ban/logs/long.log b/fail2ban/logs/long.log
new file mode 100755
index 0000000..8b13789
--- /dev/null
+++ b/fail2ban/logs/long.log
@@ -0,0 +1 @@
+
diff --git a/fail2ban/logs/verylong.log b/fail2ban/logs/verylong.log
new file mode 100755
index 0000000..8b13789
--- /dev/null
+++ b/fail2ban/logs/verylong.log
@@ -0,0 +1 @@
+
diff --git a/fail2ban/scripts/get/getban.sh b/fail2ban/scripts/get/getban.sh
new file mode 100755
index 0000000..6020952
--- /dev/null
+++ b/fail2ban/scripts/get/getban.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+host=$(hostname)
+mysql -u fail1 -ppassword -h 172.16.2.10 -e "SELECT UNIX_TIMESTAMP(created), ip, port, protocol FROM fail2ban.fail2ban WHERE created>=DATE_ADD(NOW(), INTERVAL -10 MINUTE) AND name = 'SSH' AND hostname != '$host' ORDER BY created ASC;" -N -B > /etc/fail2ban/empty.log
diff --git a/fail2ban/scripts/get/getlongban.sh b/fail2ban/scripts/get/getlongban.sh
new file mode 100755
index 0000000..13b7468
--- /dev/null
+++ b/fail2ban/scripts/get/getlongban.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+mysql -u fail1 -ppassword -h 172.16.2.10 -e "SELECT UNIX_TIMESTAMP(created), ip, port, protocol FROM fail2ban.fail2ban WHERE created>=DATE_ADD(NOW(), INTERVAL -60 MINUTE) AND hostname != '$host' ORDER BY created ASC;" -N -B > /etc/fail2ban/long.log
diff --git a/fail2ban/scripts/get/getverylongban.sh b/fail2ban/scripts/get/getverylongban.sh
new file mode 100755
index 0000000..729edac
--- /dev/null
+++ b/fail2ban/scripts/get/getverylongban.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+mysql -u fail1 -ppassword -h 172.16.2.10 -e "SELECT UNIX_TIMESTAMP(created), ip, port, protocol FROM fail2ban.fail2ban WHERE created>=DATE_ADD(NOW(), INTERVAL -50000 MINUTE) AND name = 'SSH-LONG' ORDER BY created ASC;" -N -B > /etc/fail2ban/verylong.log
diff --git a/fail2ban/scripts/push/fail.sh b/fail2ban/scripts/push/fail.sh
new file mode 100755
index 0000000..7abef2c
--- /dev/null
+++ b/fail2ban/scripts/push/fail.sh
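Review bot: `-ppassword` puts the DB password on the mysql command line, where it is readable by every local user through the process list and lands in shell history and process accounting; the same pattern is in getlongban.sh and getverylongban.sh (and in push/fail.sh). Move the credentials into an option file owned by the user that runs these scripts with mode 0600 and call `mysql --defaults-extra-file=<PLACEHOLDER: path to 0600 option file> -h 172.16.2.10 -e "..." -N -B`. getlongban.sh uses `$host` in `hostname != '$host'` without ever assigning it (the `host=$(hostname)` line present here is missing there), so the predicate becomes `hostname != ''` and the host re-imports rows it pushed itself; getverylongban.sh has no hostname filter at all, so the same applies. All three scripts overwrite the file fail2ban watches with `>`, so a reader can see a half-written file; writing to a temporary file in the same directory and renaming it into place avoids that, provided this fail2ban's rotation handling follows the new inode.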
@@ -0,0 +1,14 @@
+ #!/bin/bash
+
+host=$(hostname)
+jailname=$1
+proto=$2
+port=$3
+ipadd=$4
+created=$(date +%y/%m/%d\ %H:%M:%S.00000)
+bantime=$5
+
+commands="INSERT INTO fail2ban SET hostname='$host', created='$created', name='$jailname', protocol='$proto', port='$port', ip='$ipadd', bantime='$5';"
+
+#echo $commands >> /etc/fail2ban/empty.log
+echo $commands | /usr/bin/mysql --user=fail1 --password=password -h 172.16.2.10 fail2ban
diff --git a/temp-notes/database b/temp-notes/database
new file mode 100644
index 0000000..44ce589
--- /dev/null
+++ b/temp-notes/database
@@ -0,0 +1,13 @@
+Create database fail2ban
+CREATE TABLE fail2ban ( `id` bigint(20) unsigned NOT NULL AUTO_INCREMENT, `hostname` varchar(255) COLLATE utf8_unicode_ci DEFAULT NULL, `created` datetime NOT NULL, `name` text COLLATE utf8_unicode_ci NOT NULL, `protocol` varchar(16) COLLATE utf8_unicode_ci NOT NULL, `port` varchar(32) COLLATE utf8_unicode_ci NOT NULL, `ip` varchar(64) COLLATE utf8_unicode_ci NOT NULL, `bantime` varchar(32) COLLATE utf8_unicode_ci NOT NULL, PRIMARY KEY (`id`), KEY `hostname` (`hostname`,`ip`) );
+
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'172.16.2.%' IDENTIFIED BY 'P@ssw0rd' WITH GRANT OPTION;
+
+CREATE USER 'fail1' IDENTIFIED BY 'password';
+
+GRANT ALL privileges ON `fail2ban`.'fail2ban' TO 'fail1'@'172.16.2.%';
+
+SELECT User, Host FROM mysql.user WHERE Host <> 'localhost';
+
+flush privileges
+
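Review bot: The first line appears to be `+ #!/bin/bash` with a space before the shebang, so the kernel will not treat `#!/bin/bash` as an interpreter line and whichever shell fail2ban uses to spawn actions ends up interpreting the file itself; the shebang must start at byte 0. The statement is then sent as `echo $commands | mysql ...` unquoted, so the SQL is word-split and glob-expanded by the shell before it reaches mysql, and `--password=password` exposes the credential in the process list (same point as in the get scripts). `created` is stamped from this host's clock with a two-digit-year `date +%y/%m/%d...` format while the pull queries compare against the DB server's `NOW()`, so clock skew between nodes shifts rows out of the 10-minute window; letting the server set `created=NOW()` removes that dependency. `bantime=$5` is assigned but the INSERT uses `'$5'` directly; the rewrite below quotes the statement, uses the variable, lets the server stamp the row and takes credentials from an option file (the interpolated tag values are still unescaped — `<ip>` is validated by fail2ban, the others come from jail.conf, which is worth noting in a comment).
```bash
#!/bin/bash
# … unchanged: host / jailname / proto / port / ipadd / bantime assignments (the created=$(date …) line is dropped) …

# created=NOW() lets the DB server stamp the row, so this timestamp and the
# pull-side NOW() window comparisons share one clock.
commands="INSERT INTO fail2ban SET hostname='$host', created=NOW(), name='$jailname', protocol='$proto', port='$port', ip='$ipadd', bantime='$bantime';"

# Quote the statement so the shell neither word-splits nor glob-expands it;
# credentials come from a root-only (0600) option file instead of the command line.
printf '%s\n' "$commands" | /usr/bin/mysql --defaults-extra-file=/etc/fail2ban/PLACEHOLDER_mysql_option_file -h 172.16.2.10 fail2ban
```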
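Review bot: `GRANT ALL PRIVILEGES ON *.* TO 'root'@'172.16.2.%' ... WITH GRANT OPTION` creates a remote superuser reachable from the whole subnet with a password committed to the repository; nothing in this design needs it, and the grants should be limited to what the scripts actually do. `fail1` is given ALL on the table although fail.sh only inserts and the get scripts only select — with ALL, any node (or anyone who reads the password out of the scripts) can DELETE or UPDATE rows, i.e. silently erase bans or fabricate them for every peer, so split it into two least-privilege accounts, e.g. `GRANT INSERT ON fail2ban.fail2ban TO 'f2b_push'@'172.16.2.%';` and `GRANT SELECT ON fail2ban.fail2ban TO 'f2b_pull'@'172.16.2.%';` (constructed names). As written the grant also looks like it will not take effect: `CREATE USER 'fail1'` creates the `'fail1'@'%'` account while the GRANT targets `'fail1'@'172.16.2.%'`, a different account that the server will either reject or auto-create without a password depending on version, and the table reference quotes the table name with single quotes (`'fail2ban'`), which is not a valid identifier — use `fail2ban.fail2ban`. `flush privileges` is also missing its terminating semicolon.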