|
|
|
# Fail2Ban configuration file
|
|
|
|
#
|
|
|
|
# Author: Russell Odom <russ@gloomytrousers.co.uk>
|
|
|
|
# Submits attack reports to myNetWatchman (http://www.mynetwatchman.com/)
|
|
|
|
#
|
|
|
|
# You MUST configure at least:
|
|
|
|
# <port> (the port that's being attacked - use number not name).
|
|
|
|
# <mnwlogin> (your mNW login).
|
|
|
|
# <mnwpass> (your mNW password).
|
|
|
|
#
|
|
|
|
# You SHOULD also provide:
|
|
|
|
# <myip> (your public IP address, if it's not the address of eth0)
|
|
|
|
# <protocol> (the protocol in use - defaults to tcp)
|
|
|
|
#
|
|
|
|
# Best practice is to provide <port> and <protocol> in jail.conf like this:
|
|
|
|
# action = mynetwatchman[port=1234,protocol=udp]
|
|
|
|
#
|
|
|
|
# ...and create "mynetwatchman.local" with contents something like this:
|
|
|
|
# [Init]
|
|
|
|
# mnwlogin = me@example.com
|
|
|
|
# mnwpass = SECRET
|
|
|
|
# myip = 10.0.0.1
|
|
|
|
#
|
|
|
|
# Another useful configuration value is <getcmd>, if you don't have wget
|
|
|
|
# installed (an example config for curl is given below)
|
|
|
|
#
|
|
|
|
|
|
|
|
[Definition]
|
|
|
|
|
|
|
|
# Option: actionstart
|
|
|
|
# Notes.: command executed once at the start of Fail2Ban.
|
|
|
|
# Values: CMD
|
|
|
|
#
|
|
|
|
actionstart =
|
|
|
|
|
|
|
|
# Option: actionstop
|
|
|
|
# Notes.: command executed once at the end of Fail2Ban
|
|
|
|
# Values: CMD
|
|
|
|
#
|
|
|
|
actionstop =
|
|
|
|
|
|
|
|
# Option: actioncheck
|
|
|
|
# Notes.: command executed once before each actionban command
|
|
|
|
# Values: CMD
|
|
|
|
#
|
|
|
|
actioncheck =
|
|
|
|
|
|
|
|
# Option: actionban
|
|
|
|
# Notes.: command executed when banning an IP. Take care that the
|
|
|
|
# command is executed with Fail2Ban user rights.
|
|
|
|
# Tags: See jail.conf(5) man page
|
|
|
|
# Values: CMD
|
|
|
|
#
|
|
|
|
#
|
|
|
|
# Note: We are currently using <time> for the timestamp because no tag is
|
|
|
|
# available to indicate the timestamp of the log message(s) which triggered the
|
|
|
|
# ban. Therefore the timestamps we are using in the report, whilst often only a
|
|
|
|
# few seconds out, are incorrect. See
|
|
|
|
# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047
|
|
|
|
#
|
|
|
|
actionban = MNWLOGIN=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwlogin>'`
|
|
|
|
MNWPASS=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwpass>'`
|
|
|
|
PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
|
|
|
|
if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
|
|
|
|
DATETIME=`perl -e '@t=gmtime(<time>);printf "%%4d-%%02d-%%02d+%%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'`
|
|
|
|
<getcmd> "<mnwurl>?AT=2&AV=0&AgentEmail=$MNWLOGIN&AgentPassword=$MNWPASS&AttackerIP=<ip>&SrcPort=<srcport>&ProtocolID=$PROTOCOL&DestPort=<port>&AttackCount=<failures>&VictimIP=<myip>&AttackDateTime=$DATETIME" 2>&1 >> <tmpfile>.out && grep -q 'Attack Report Insert Successful' <tmpfile>.out && rm -f <tmpfile>.out
|
|
|
|
|
|
|
|
# Option: actionunban
|
|
|
|
# Notes.: command executed when unbanning an IP. Take care that the
|
|
|
|
# command is executed with Fail2Ban user rights.
|
|
|
|
# Tags: See jail.conf(5) man page
|
|
|
|
# Values: CMD
|
|
|
|
#
|
|
|
|
actionunban =
|
|
|
|
|
|
|
|
[Init]
|
|
|
|
# Option: port
|
|
|
|
# Notes.: The target port for the attack (numerical). MUST be provided in
|
|
|
|
# the jail config, as it cannot be detected here.
|
|
|
|
# Values: [ NUM ] Default: ???
|
|
|
|
#
|
|
|
|
port = 0
|
|
|
|
|
|
|
|
# Option: mnwlogin
|
|
|
|
# Notes.: Your mNW login e-mail address. MUST be provided either in the jail
|
|
|
|
# config or in a .local file.
|
|
|
|
# Register at http://www.mynetwatchman.com/reg.asp
|
|
|
|
# Values: [ STRING ] Default: (empty)
|
|
|
|
#
|
|
|
|
mnwlogin =
|
|
|
|
|
|
|
|
# Option: mnwpass
|
|
|
|
# Notes.: The password corresponding to your mNW login e-mail address. MUST be
|
|
|
|
# provided either in the jail config or in a .local file.
|
|
|
|
# Values: [ STRING ] Default: (empty)
|
|
|
|
#
|
|
|
|
mnwpass =
|
|
|
|
|
|
|
|
# Option: myip
|
|
|
|
# Notes.: The target IP for the attack (your public IP). Should be overridden
|
|
|
|
# either in the jail config or in a .local file unless your PUBLIC IP
|
|
|
|
# is the first IP assigned to eth0
|
|
|
|
# Values: [ an IP address ] Default: Tries to find the IP address of eth0,
|
|
|
|
# which in most cases will be a private IP, and therefore incorrect
|
|
|
|
#
|
|
|
|
myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
|
|
|
|
|
|
|
|
# Option: protocol
|
|
|
|
# Notes.: The protocol over which the attack is happening
|
|
|
|
# Values: [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp
|
|
|
|
#
|
|
|
|
protocol = tcp
|
|
|
|
|
|
|
|
# Option: getcmd
|
|
|
|
# Notes.: A command to fetch a URL. Should output page to STDOUT
|
|
|
|
# Values: CMD Default: wget
|
|
|
|
#
|
|
|
|
getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 --read-timeout=60 --retry-connrefused --output-document=- --user-agent=Fail2Ban
|
|
|
|
# Alternative value:
|
|
|
|
# getcmd = curl --silent --show-error --retry 3 --connect-timeout 10 --max-time 60 --user-agent Fail2Ban
|
|
|
|
|
|
|
|
# Option: srcport
|
|
|
|
# Notes.: The source port of the attack. You're unlikely to have this info, so
|
|
|
|
# you can leave the default
|
|
|
|
# Values: [ NUM ] Default: 0
|
|
|
|
#
|
|
|
|
srcport = 0
|
|
|
|
|
|
|
|
# Option: mnwurl
|
|
|
|
# Notes.: The report service URL on the mNW site
|
|
|
|
# Values: STRING Default: http://mynetwatchman.com/insertwebreport.asp
|
|
|
|
#
|
|
|
|
mnwurl = http://mynetwatchman.com/insertwebreport.asp
|
|
|
|
|
|
|
|
# Option: tmpfile
|
|
|
|
# Notes.: Base name of temporary files
|
|
|
|
# Values: [ STRING ] Default: /var/run/fail2ban/tmp-mynetwatchman
|
|
|
|
#
|
|
|
|
tmpfile = /var/run/fail2ban/tmp-mynetwatchman
|