From e810ec009d56a51478fd740c60f2770448a7a752 Mon Sep 17 00:00:00 2001
From: Steven Hiscocks
Date: Thu, 5 Dec 2013 08:22:20 +0000
Subject: [PATCH 1/5] ENH: Added blocklist.de reporting API action

---
 config/action.d/blocklist_de.conf | 55 +++++++++++++++++++++++++++++++
 config/jail.conf | 12 +++++++
 2 files changed, 67 insertions(+)
 create mode 100644 config/action.d/blocklist_de.conf

diff --git a/config/action.d/blocklist_de.conf b/config/action.d/blocklist_de.conf
new file mode 100644
index 00000000..d11b175b
--- /dev/null
+++ b/config/action.d/blocklist_de.conf
@@ -0,0 +1,55 @@
+# Fail2Ban configuration file
+#
+# Author: Steven Hiscocks
+#
+#
+
+# Action to report IP address to blocklist.de
+# Blocklist.de must be signed up to at www.blocklist.de
+# Once registered, one or more servers can be added.
+# This action requires the server 'email address' and the assoicate apikey.
+#
+# From blocklist.de:
+# www.blocklist.de is a free and voluntary service provided by a
+# Fraud/Abuse-specialist, whose servers are often attacked on SSH-,
+# Mail-Login-, FTP-, Webserver- and other services.
+# The mission is to report all attacks to the abuse deparments of the
+# infected PCs/servers to ensure that the responsible provider can inform
+# the customer about the infection and disable them
+#
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart =
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop =
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = ! curl --data-urlencode 'server=' --data 'apikey=' --data 'service=' --data 'ip=' --data-urlencode 'logs=' --data 'format=text' "https://www.blocklist.de/en/httpreports.html" | grep "status: error"
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban =
diff --git a/config/jail.conf b/config/jail.conf
index 33d1d439..cbcfb758 100644
--- a/config/jail.conf
+++ b/config/jail.conf
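Review bot: The actionban line passes the API key as a plain command-line argument (`--data 'apikey=…'`), so for the lifetime of each curl call it is readable by any local user via `ps` or `/proc/*/cmdline`, and it may also land in the fail2ban log wherever the expanded command is logged; the same line is carried forward unchanged in the patch 3 and patch 4 hunks. curl can take a form field from a file instead, e.g. `--data-urlencode "apikey@KEYFILE"` (KEYFILE is a placeholder), which would let the header comment direct users to keep the key in a root-only file. The tag placeholders are stripped in this rendering, but if `logs=` carries matched log lines then attacker-influenced text is placed inside a single-quoted shell argument and correctness depends on fail2ban escaping `'` in the substituted tag, which the header should state either way. The `! … | grep "status: error"` test only sees grep's exit status, so a curl that fails outright (network error, HTTP 4xx) with no body reports success; patch 4 in this series moves to `--fail`. Nit: `assoicate` in the header comment should be `associate`.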
@@ -532,3 +532,15 @@ filter = selinux-ssh
 action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
 logpath = /var/log/audit/audit.log
 maxretry = 5
+
+# Report block via blocklist.de fail2ban reporting service API
+# See action.d/blocklist_de.conf for more information
+[ssh-blocklist]
+
+enabled = false
+filter = sshd
+action = iptables[name=SSH, port=ssh, protocol=tcp]
+ sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
+ blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s]
+logpath = /var/log/sshd.log
+maxretry = 5
From f742ed0e4bc3182f36f348345bce2858b6db4369 Mon Sep 17 00:00:00 2001
From: Steven Hiscocks
Date: Thu, 5 Dec 2013 18:06:53 +0000
Subject: [PATCH 2/5] DOC: when to use blocklist.de reporting

Taken from commit 1846056606d24abe4e7d3f2e1cf56407c65b9008

---
 config/action.d/blocklist_de.conf | 10 ++++++++++
 config/jail.conf | 5 ++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/config/action.d/blocklist_de.conf b/config/action.d/blocklist_de.conf
index d11b175b..468f3fc9 100644
--- a/config/action.d/blocklist_de.conf
+++ b/config/action.d/blocklist_de.conf
@@ -17,6 +17,16 @@
 # infected PCs/servers to ensure that the responsible provider can inform
 # the customer about the infection and disable them
 #
+# IMPORTANT:
+#
+# Reporting an IP of abuse is a serious complaint. Make sure that it is
+# serious. Fail2ban developers and network owners recommend you only use this
+# action for:
+# * The recidive where the IP has been banned multiple times
+# * Where maxretry has been set quite high, beyond the normal user typing
+# password incorrectly.
+# * For filters that have a low likelyhood of receiving human errors
+#
 [Definition]
diff --git a/config/jail.conf b/config/jail.conf
index cbcfb758..3b8220e5 100644
--- a/config/jail.conf
+++ b/config/jail.conf
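Review bot: The shipped `[ssh-blocklist]` example puts the credential slot (`apikey="xxxxxx"`) straight into jail.conf, a file that is normally world-readable and is replaced on package upgrade, so a user who fills it in as written exposes the key to every local account and loses it at the next update. The comment above the section should say where the real values belong, e.g. `# Put your real email/apikey in jail.local with restricted permissions;` / `# jail.conf is overwritten on upgrade and is usually world-readable`. `service=%(filter)s` depends on configparser interpolation resolving against this section; that works here, but it is worth a short comment since the other keys in the jail are literals.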
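Review bot: `likelyhood` in the last bullet of the IMPORTANT block should be `likelihood`. The first bullet also assumes the reader knows what "the recidive" is; `# * The recidive jail, where the IP has already been banned multiple times` reads more clearly for someone meeting this action for the first time.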
@@ -533,6 +533,9 @@ action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
 logpath = /var/log/audit/audit.log
 maxretry = 5
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to
+# use this action
+#
 # Report block via blocklist.de fail2ban reporting service API
 # See action.d/blocklist_de.conf for more information
 [ssh-blocklist]
@@ -543,4 +546,4 @@ action = iptables[name=SSH, port=ssh, protocol=tcp]
 sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
 blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s]
 logpath = /var/log/sshd.log
-maxretry = 5
+maxretry = 20
From a19b33cc7263c0758d6848ecbaa0e5ad4e24b962 Mon Sep 17 00:00:00 2001
From: Steven Hiscocks
Date: Thu, 5 Dec 2013 18:12:15 +0000
Subject: [PATCH 3/5] ENH: blocklist.de action added fail2ban version as user agent

---
 config/action.d/blocklist_de.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/action.d/blocklist_de.conf b/config/action.d/blocklist_de.conf
index 468f3fc9..6f47d87b 100644
--- a/config/action.d/blocklist_de.conf
+++ b/config/action.d/blocklist_de.conf
@@ -54,7 +54,7 @@ actioncheck =
 # Tags: See jail.conf(5) man page
 # Values: CMD
 #
-actionban = ! curl --data-urlencode 'server=' --data 'apikey=' --data 'service=' --data 'ip=' --data-urlencode 'logs=' --data 'format=text' "https://www.blocklist.de/en/httpreports.html" | grep "status: error"
+actionban = ! curl --data-urlencode 'server=' --data 'apikey=' --data 'service=' --data 'ip=' --data-urlencode 'logs=' --data 'format=text' --user-agent "`fail2ban-client --version | head -1`" "https://www.blocklist.de/en/httpreports.html" | grep "status: error"
 # Option: actionunban
 # Notes.: command executed when unbanning an IP. Take care that the
From b3c173795e1fe023adcc4a781674075d071bc756 Mon Sep 17 00:00:00 2001
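Review bot: The three new comment lines and the two existing ones right after them both send the reader to action.d/blocklist_de.conf, so the jail now carries two back-to-back pointers to the same file. Folding them into one block, e.g. `# Report bans via the blocklist.de reporting API; see action.d/blocklist_de.conf,` / `# including its IMPORTANT note on when this action is appropriate`, keeps the warning and drops the duplicate reference.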
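Review bot: The new `--user-agent` value is built by a command substitution that runs `fail2ban-client --version | head -1` on every ban, which spawns a separate fail2ban-client process just to build a header, and if `fail2ban-client` is not on the PATH of the daemon (common when it is started by init with a minimal environment) the substitution silently yields an empty user agent rather than an error. A fixed string, or a version provided by the action framework if a tag for it exists, avoids both problems; patch 4 in this series switches to a fixed string. The enclosing `[Definition]` section starts outside the hunk.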
From: Steven Hiscocks
Date: Fri, 6 Dec 2013 08:22:21 +0000
Subject: [PATCH 4/5] ENH: blocklist.de action error on HTTP response code 4xx

---
 config/action.d/blocklist_de.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/action.d/blocklist_de.conf b/config/action.d/blocklist_de.conf
index 6f47d87b..f45882d3 100644
--- a/config/action.d/blocklist_de.conf
+++ b/config/action.d/blocklist_de.conf
@@ -54,7 +54,7 @@ actioncheck =
 # Tags: See jail.conf(5) man page
 # Values: CMD
 #
-actionban = ! curl --data-urlencode 'server=' --data 'apikey=' --data 'service=' --data 'ip=' --data-urlencode 'logs=' --data 'format=text' --user-agent "`fail2ban-client --version | head -1`" "https://www.blocklist.de/en/httpreports.html" | grep "status: error"
+actionban = curl --fail --data-urlencode 'server=' --data 'apikey=' --data 'service=' --data 'ip=' --data-urlencode 'logs=' --data 'format=text' --user-agent "fail2ban v0.8.12" "https://www.blocklist.de/en/httpreports.html"
 # Option: actionunban
 # Notes.: command executed when unbanning an IP. Take care that the
From 630dd91dcdd6a3f5501b2e15a06577cee32dab0c Mon Sep 17 00:00:00 2001
From: Steven Hiscocks
Date: Fri, 6 Dec 2013 18:01:36 +0000
Subject: [PATCH 5/5] BF: Add [Init] section to blocklist.de action

---
 config/action.d/blocklist_de.conf | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/config/action.d/blocklist_de.conf b/config/action.d/blocklist_de.conf
index f45882d3..d4170cab 100644
--- a/config/action.d/blocklist_de.conf
+++ b/config/action.d/blocklist_de.conf
@@ -63,3 +63,24 @@ actionban = curl --fail --data-urlencode 'server=
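Review bot: Dropping the `grep "status: error"` body check in favour of `--fail` means a 2xx reply whose body reports an error is now treated as a successful report; unless the service only signals errors through 4xx status codes (which this hunk does not establish), keeping the body check alongside `--fail` would close that gap. The user agent is now the hard-coded literal `"fail2ban v0.8.12"`, which will be stale after the next release; a comment above the line such as `# user agent version is hard-coded; update it on release` would at least flag the maintenance burden. Because fail2ban captures curl's output rather than a terminal, curl will also print its progress meter to stderr on every ban; `--fail --silent --show-error` keeps the error text while dropping the meter. The enclosing `[Definition]` section starts outside the hunk.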