From eb76dcd5a00079b39b1b200f3c9f12fdc4c0fa6a Mon Sep 17 00:00:00 2001 From: rumple010 Date: Sun, 25 Jan 2015 23:15:07 -0500 Subject: [PATCH 1/4] add nsupdate action Adds a new action file that uses nsupdate to dynamically update a BIND zone file with a TXT resource record representing a banned IP address. Resource record is deleted from the zone when the ban expires.
---
 config/action.d/nsupdate.conf | 110 ++++++++++++++++++++++++++++++++++ 1 file changed, 110 insertions(+) create mode 100644 config/action.d/nsupdate.conf
diff --git a/config/action.d/nsupdate.conf b/config/action.d/nsupdate.conf new file mode 100644
index 00000000..9ecb6f95
--- /dev/null
+++ b/config/action.d/nsupdate.conf
@@ -0,0 +1,110 @@
+# Fail2Ban configuration file
+#
+# Author: Andrew St. Jean
+#
+# Use nsupdate to perform dynamic DNS updates on a BIND zone file.
+# One may want to do this to update a local RBL with banned IP addresses.
+#
+# Options
+#
+# domain DNS domain that will appear in nsupdate add and delete
+# commands.
+#
+# ttl The time to live (TTL) in seconds of the TXT resource
+# record.
+#
+# rdata Data portion of the TXT resource record.
+#
+# nsupdatecmd Full path to the nsupdate command.
+#
+# keyfile Full path to TSIG key file used for authentication between
+# nsupdate and BIND.
+#
+# The ban and unban commands assume nsupdate will authenticate to the BIND
+# server using a TSIG key. The full path to the key file must be specified
+# in the parameter. Use this command to generate your TSIG key.
+#
+# dnssec-keygen -a HMAC-MD5 -b 256 -n HOST
+#
+# Replace with some meaningful name.
+#
+# This command will generate two files. Specify the .private file in the
+# option. Note that the .key file must also be present in the same
+# directory for nsupdate to use the key.
+#
+# Don't forget to add the key and appropriate allow-update or update-policy
+# option to your named.conf file.
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart =
+
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop =
+
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = echo | awk -F. '{print "prereq nxrrset "$4"."$3"."$2"."$1". TXT"; print "update add "$4"."$3"."$2"."$1". IN TXT \"\""; print "send"}' | -k
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP.
Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = echo | awk -F. '{print "update delete "$4"."$3"."$2"."$1"."; print "send"}' | -k
+
+[Init]
+
+# Option: domain
+# Notes.: DNS domain that nsupdate will update.
+# Values: STRING
+#
+domain =
+
+# Option: ttl
+# Notes.: time to live (TTL) of TXT resource record added by nsupdate.
+# Values: NUM
+#
+ttl = 600
+
+# Option: rdata
+# Notes.: data portion of the TXT resource record added by nsupdate.
+# Values: STRING
+#
+rdata = Your IP has been banned
+
+# Option: nsupdatecmd
+# Notes.: specifies the full path to the nsupdate program that dynamically
+# updates BIND zone files.
+# Values: CMD
+#
+nsupdatecmd = /usr/bin/nsupdate
+
+# Option: keyfile
+# Notes.: specifies the full path to the file containing the
+# TSIG key for communicating with BIND.
+# Values: STRING
+#
+keyfile =
+
From e0f11ae722fbb2463c07fccb74832a0c7f5ab681 Mon Sep 17 00:00:00 2001 From: "Andrew St. Jean" Date: Mon, 26 Jan 2015 11:30:41 -0500 Subject: [PATCH 2/4] Modified the ChangeLog and THANKS files to reflect the addition of action.d/nsupdate.conf.
---
 ChangeLog | 1 + THANKS | 1 + 2 files changed, 2 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index f01ed930..299642d3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -41,6 +41,7 @@ ver. 0.9.2 (2014/XX/XXX) - wanna-be-released - Monit config for fail2ban in /files/monit - New actions: - action.d/firewallcmd-multiport and action.d/firewallcmd-allports Thanks Donald Yandt + - action.d/nsupdate Thanks Andrew St. Jean - Enhancements: * Enable multiport for firewallcmd-new action. Closes gh-834
diff --git a/THANKS b/THANKS
index 1185f6b9..1becaf04 100644
--- a/THANKS
+++ b/THANKS
@@ -13,6 +13,7 @@ ag4ve (Shawn) Alasdair D. Campbell Amir Caspi Amy +Andrew St. Jean Andrey G. Grozin Andy Fragen Arturo 'Buanzo' Busleiman
From 43732acae166dff8c3a86cc3d8adc846bc5c74bb Mon Sep 17 00:00:00 2001
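Review bot: The `actionunban` command removes every RRset at the reversed-IP owner name rather than only the TXT record the ban added, because its `update delete NAME.` line carries no record type; append ` TXT` to the owner name in that `update delete` string so it mirrors the `prereq nxrrset ... TXT` the `actionban` side already uses (the fail2ban option tags are stripped in this rendering, so check the exact template in the file). The header's key-generation advice uses `dnssec-keygen -a HMAC-MD5`; HMAC-MD5 is deprecated for TSIG, the same command with `-a HMAC-SHA256` works on any supported BIND, and the header should also say the `.private` file must be readable only by the fail2ban user, since possession of that key grants update rights on the zone. The awk reversal in both commands assumes exactly four dot-separated octets, so anything other than a dotted-quad IPv4 address would yield an empty or malformed owner name; an `NF==4` guard in the awk program, or a comment stating the action is IPv4-only, would make that explicit.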
From: "Andrew St. Jean" Date: Mon, 26 Jan 2015 21:48:16 -0500 Subject: [PATCH 3/4] Added a reminder to create an nsupdate.local file to set required options.
---
 config/action.d/nsupdate.conf | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/config/action.d/nsupdate.conf b/config/action.d/nsupdate.conf
index 9ecb6f95..f845a44b 100644
--- a/config/action.d/nsupdate.conf
+++ b/config/action.d/nsupdate.conf
@@ -20,6 +20,9 @@
 # keyfile Full path to TSIG key file used for authentication between
 # nsupdate and BIND.
 #
+# Create an nsupdate.local to set at least the and
+# options as they don't have default values.
+#
 # The ban and unban commands assume nsupdate will authenticate to the BIND
 # server using a TSIG key. The full path to the key file must be specified
 # in the parameter. Use this command to generate your TSIG key.
From 6bdfe756cffbc9f975abd252b00cf346c6fd135b Mon Sep 17 00:00:00 2001 From: "Andrew St. Jean" Date: Wed, 28 Jan 2015 22:46:43 -0500 Subject: [PATCH 4/4] Changed default TTL value to 60 seconds.
---
 config/action.d/nsupdate.conf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/config/action.d/nsupdate.conf b/config/action.d/nsupdate.conf
index f845a44b..7886825c 100644
--- a/config/action.d/nsupdate.conf
+++ b/config/action.d/nsupdate.conf
@@ -86,10 +86,11 @@ actionunban = echo | awk -F. '{print "update delete "$4"."$3"."$2"."$1".