diff --git a/ChangeLog b/ChangeLog index 782ba7c9..5e078a14 100644 --- a/ChangeLog +++ b/ChangeLog @@ -54,12 +54,13 @@ ver. 0.9.2 (2014/XX/XXX) - wanna-be-released - New actions: - action.d/firewallcmd-multiport and action.d/firewallcmd-allports Thanks Donald Yandt - action.d/sendmail-geoip-lines.conf + - action.d/nsupdate to update DNSBL. Thanks Andrew St. Jean - New status argument, flavor: - fail2ban-client status [flavor] - empty or "basic" works as-is - "cymru" additionally prints (ASN, Country RIR) per banned IP - Requires dnspython or dnspython3 - + - Enhancements: * Enable multiport for firewallcmd-new action. Closes gh-834 * files/debian-initd migrated from the debian branch and should be diff --git a/THANKS b/THANKS index 583dda58..5482b21d 100644 --- a/THANKS +++ b/THANKS @@ -13,6 +13,7 @@ ag4ve (Shawn) Alasdair D. Campbell Amir Caspi Amy +Andrew St. Jean Andrey G. Grozin Andy Fragen Arturo 'Buanzo' Busleiman diff --git a/config/action.d/nsupdate.conf b/config/action.d/nsupdate.conf new file mode 100644 index 00000000..7886825c --- /dev/null +++ b/config/action.d/nsupdate.conf 
@@ -0,0 +1,114 @@ +# Fail2Ban configuration file +# +# Author: Andrew St. Jean +# +# Use nsupdate to perform dynamic DNS updates on a BIND zone file. +# One may want to do this to update a local RBL with banned IP addresses. +# +# Options +# +# domain DNS domain that will appear in nsupdate add and delete +# commands. +# +# ttl The time to live (TTL) in seconds of the TXT resource +# record. +# +# rdata Data portion of the TXT resource record. +# +# nsupdatecmd Full path to the nsupdate command. +# +# keyfile Full path to TSIG key file used for authentication between +# nsupdate and BIND. +# +# Create an nsupdate.local to set at least the and +# options as they don't have default values. +# +# The ban and unban commands assume nsupdate will authenticate to the BIND +# server using a TSIG key. The full path to the key file must be specified +# in the parameter. Use this command to generate your TSIG key. +# +# dnssec-keygen -a HMAC-MD5 -b 256 -n HOST +# +# Replace with some meaningful name. +# +# This command will generate two files. Specify the .private file in the +# option. Note that the .key file must also be present in the same +# directory for nsupdate to use the key. +# +# Don't forget to add the key and appropriate allow-update or update-policy +# option to your named.conf file. +# + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = + + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = + + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = echo | awk -F. '{print "prereq nxrrset "$4"."$3"."$2"."$1". TXT"; print "update add "$4"."$3"."$2"."$1". 
IN TXT \"\""; print "send"}' | -k + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = echo | awk -F. '{print "update delete "$4"."$3"."$2"."$1"."; print "send"}' | -k + +[Init] + +# Option: domain +# Notes.: DNS domain that nsupdate will update. +# Values: STRING +# +domain = + +# Option: ttl +# Notes.: time to live (TTL) in seconds of TXT resource record +# added by nsupdate. +# Values: NUM +# +ttl = 60 + +# Option: rdata +# Notes.: data portion of the TXT resource record added by nsupdate. +# Values: STRING +# +rdata = Your IP has been banned + +# Option: nsupdatecmd +# Notes.: specifies the full path to the nsupdate program that dynamically +# updates BIND zone files. +# Values: CMD +# +nsupdatecmd = /usr/bin/nsupdate + +# Option: keyfile +# Notes.: specifies the full path to the file containing the +# TSIG key for communicating with BIND. +# Values: STRING +# +keyfile = +
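Review bot: ChangeLog hunk: the new entry `- action.d/nsupdate to update DNSBL. Thanks Andrew St. Jean` says nothing about the one thing users will trip over, the TSIG key plus allow-update/update-policy that the action's own header says BIND must be configured with; add a clause such as "requires a TSIG key and dynamic updates enabled on the zone". Naming is also mixed in this block (`action.d/sendmail-geoip-lines.conf` with a suffix, `action.d/nsupdate` and the firewallcmd entries without); pick one form for the new line.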
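Review bot: config/action.d/nsupdate.conf hunk: actionban is not idempotent and actionunban is too broad. The add is guarded by `prereq nxrrset "$4"."$3"."$2"."$1". TXT`, so a second ban of an address whose record already exists (a fail2ban restart that replays bans, or two jails banning the same IP) makes nsupdate reject the whole batch with NXRRSET and the action returns an error; either drop the prerequisite or put an `update delete ... TXT` for the same name in the same batch before the add. Conversely `update delete "$4"."$3"."$2"."$1".` carries no type, so it removes every record at that name; scope it to `TXT` (or to whatever types the action adds). Related: the action adds only a TXT record, but DNSBL clients conventionally look up an A record (127.0.0.x) and read TXT only as the reason string, so for the stated purpose (a local RBL) the batch should add an A record too, or the header should say the zone is TXT-only. Security: the header tells users to run `dnssec-keygen -a HMAC-MD5 -b 256 -n HOST`; HMAC-MD5 should not be the documented default for a new TSIG key, so recommend HMAC-SHA256 instead, and add a line that the `.private` and `.key` files must be readable only by the account fail2ban runs as. Two smaller points: the awk reversal assumes a dotted IPv4 quad and would emit a meaningless name for an IPv6 address, which the header should state; and as rendered here actionban reads `echo | awk -F. '...' | -k` with no `<ip>`, `<ttl>`, `<domain>`, `<rdata>`, `<nsupdatecmd>` or `<keyfile>` substitution tags, and the header's "set at least the and options" has the same gaps, so confirm the tags are present in the committed file and were only lost in rendering, since without them the command pipes an empty line into `-k`.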