mirror of https://github.com/fail2ban/fail2ban
* Added a filter pam_generic to catch any login errors.
* Added iptables-allports.pull/3/head
parent
bc0806d459
commit
2e55bc57c7
|
@ -4,6 +4,8 @@ fail2ban (0.8.0-3~pre1) unstable; urgency=low
|
||||||
Andrewartha.
|
Andrewartha.
|
||||||
* Added optional regexp entry for process PID in some entries (closes:
|
* Added optional regexp entry for process PID in some entries (closes:
|
||||||
#426050). Thanks Roderick Schertler.
|
#426050). Thanks Roderick Schertler.
|
||||||
|
* Added a filter pam_generic to catch any login errors.
|
||||||
|
* Added iptables-allports.
|
||||||
|
|
||||||
-- Yaroslav Halchenko <debian@onerussian.com> Tue, 19 Jun 2007 23:04:02 -0400
|
-- Yaroslav Halchenko <debian@onerussian.com> Tue, 19 Jun 2007 23:04:02 -0400
|
||||||
|
|
||||||
|
|
|
@ -87,6 +87,16 @@ filter = sshd
|
||||||
logpath = /var/log/auth.log
|
logpath = /var/log/auth.log
|
||||||
maxretry = 6
|
maxretry = 6
|
||||||
|
|
||||||
|
# Generic filter for pam. Has to be used with action which bans all ports
|
||||||
|
# such as iptables-allports, shorewall
|
||||||
|
[pam-generic]
|
||||||
|
|
||||||
|
enabled = false
|
||||||
|
filter = pam-generic
|
||||||
|
banaction = iptables-allports
|
||||||
|
logpath = /var/log/auth.log
|
||||||
|
maxretry = 6
|
||||||
|
|
||||||
|
|
||||||
[ssh-ddos]
|
[ssh-ddos]
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,82 @@
|
||||||
|
#! /bin/sh /usr/share/dpatch/dpatch-run
|
||||||
|
## 00_iptables_allports.dpatch by Yaroslav Halchenko <debian@onerussian.com>
|
||||||
|
##
|
||||||
|
## All lines beginning with `## DP:' are a description of the patch.
|
||||||
|
## DP: No description.
|
||||||
|
|
||||||
|
@DPATCH@
|
||||||
|
diff -urNad trunk~/config/action.d/iptables-allports.conf trunk/config/action.d/iptables-allports.conf
|
||||||
|
--- trunk~/config/action.d/iptables-allports.conf 1969-12-31 19:00:00.000000000 -0500
|
||||||
|
+++ trunk/config/action.d/iptables-allports.conf 2007-06-25 12:49:34.000000000 -0400
|
||||||
|
@@ -0,0 +1,71 @@
|
||||||
|
+# Fail2Ban configuration file
|
||||||
|
+#
|
||||||
|
+# Author: Cyril Jaquier
|
||||||
|
+# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
|
||||||
|
+# made active on all ports from original iptables.conf
|
||||||
|
+#
|
||||||
|
+# $Revision: $
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+[Definition]
|
||||||
|
+
|
||||||
|
+# Option: actionstart
|
||||||
|
+# Notes.: command executed once at the start of Fail2Ban.
|
||||||
|
+# Values: CMD
|
||||||
|
+#
|
||||||
|
+actionstart = iptables -N fail2ban-<name>
|
||||||
|
+ iptables -A fail2ban-<name> -j RETURN
|
||||||
|
+ iptables -I INPUT -p <protocol> -j fail2ban-<name>
|
||||||
|
+
|
||||||
|
+# Option: actionend
|
||||||
|
+# Notes.: command executed once at the end of Fail2Ban
|
||||||
|
+# Values: CMD
|
||||||
|
+#
|
||||||
|
+actionstop = iptables -D INPUT -p <protocol> -j fail2ban-<name>
|
||||||
|
+ iptables -F fail2ban-<name>
|
||||||
|
+ iptables -X fail2ban-<name>
|
||||||
|
+
|
||||||
|
+# Option: actioncheck
|
||||||
|
+# Notes.: command executed once before each actionban command
|
||||||
|
+# Values: CMD
|
||||||
|
+#
|
||||||
|
+actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>
|
||||||
|
+
|
||||||
|
+# Option: actionban
|
||||||
|
+# Notes.: command executed when banning an IP. Take care that the
|
||||||
|
+# command is executed with Fail2Ban user rights.
|
||||||
|
+# Tags: <ip> IP address
|
||||||
|
+# <failures> number of failures
|
||||||
|
+# <time> unix timestamp of the ban time
|
||||||
|
+# Values: CMD
|
||||||
|
+#
|
||||||
|
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
|
||||||
|
+
|
||||||
|
+# Option: actionunban
|
||||||
|
+# Notes.: command executed when unbanning an IP. Take care that the
|
||||||
|
+# command is executed with Fail2Ban user rights.
|
||||||
|
+# Tags: <ip> IP address
|
||||||
|
+# <failures> number of failures
|
||||||
|
+# <time> unix timestamp of the ban time
|
||||||
|
+# Values: CMD
|
||||||
|
+#
|
||||||
|
+actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
|
||||||
|
+
|
||||||
|
+[Init]
|
||||||
|
+
|
||||||
|
+# Defaut name of the chain
|
||||||
|
+#
|
||||||
|
+name = default
|
||||||
|
+
|
||||||
|
+# Option: port
|
||||||
|
+# Notes.: specifies port to monitor
|
||||||
|
+# Values: [ NUM | STRING ] Default:
|
||||||
|
+#
|
||||||
|
+port = ssh
|
||||||
|
+
|
||||||
|
+# Option: protocol
|
||||||
|
+# Notes.: internally used by config reader for interpolations.
|
||||||
|
+# Values: [ tcp | udp | icmp | all ] Default: tcp
|
||||||
|
+#
|
||||||
|
+protocol = tcp
|
||||||
|
+
|
|
@ -0,0 +1,46 @@
|
||||||
|
#! /bin/sh /usr/share/dpatch/dpatch-run
|
||||||
|
## 00_pam_generic.dpatch by Yaroslav Halchenko <debian@onerussian.com>
|
||||||
|
##
|
||||||
|
## All lines beginning with `## DP:' are a description of the patch.
|
||||||
|
## DP: Filter and examples for a filter generic for any login errors reported with pam_unix.so
|
||||||
|
|
||||||
|
@DPATCH@
|
||||||
|
diff -urNad trunk~/config/filter.d/pam-generic.conf trunk/config/filter.d/pam-generic.conf
|
||||||
|
--- trunk~/config/filter.d/pam-generic.conf 1969-12-31 19:00:00.000000000 -0500
|
||||||
|
+++ trunk/config/filter.d/pam-generic.conf 2007-06-25 12:41:38.000000000 -0400
|
||||||
|
@@ -0,0 +1,26 @@
|
||||||
|
+# Fail2Ban configuration file for wuftpd
|
||||||
|
+#
|
||||||
|
+# Author: Yaroslav Halchenko
|
||||||
|
+#
|
||||||
|
+# $Revision: $
|
||||||
|
+#
|
||||||
|
+
|
||||||
|
+[Definition]
|
||||||
|
+
|
||||||
|
+# if you want to catch only login erros from specific daemons, use smth like
|
||||||
|
+#_ttys_re=(?:ssh|pure-ftpd)
|
||||||
|
+# To catch all failed logins
|
||||||
|
+_ttys_re=\S*
|
||||||
|
+
|
||||||
|
+#
|
||||||
|
+# Shortcuts for easier comprehension of the failregex
|
||||||
|
+__pid_re=(?:\[\d+\])
|
||||||
|
+__pam_re=\(pam_unix\)
|
||||||
|
+__pam_combs_re=(?:%(__pid_re)s?:\s+%(__pam_re)s|%(__pam_re)s%(__pid_re)s?:)
|
||||||
|
+
|
||||||
|
+# Option: failregex
|
||||||
|
+# Notes.: regex to match the password failures messages in the logfile.
|
||||||
|
+# Values: TEXT
|
||||||
|
+#
|
||||||
|
+failregex = \s\S+ \S+%(__pam_combs_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|
||||||
|
+
|
||||||
|
diff -urNad trunk~/config/filter.d/pam-generic.examples trunk/config/filter.d/pam-generic.examples
|
||||||
|
--- trunk~/config/filter.d/pam-generic.examples 1969-12-31 19:00:00.000000000 -0500
|
||||||
|
+++ trunk/config/filter.d/pam-generic.examples 2007-06-25 12:41:38.000000000 -0400
|
||||||
|
@@ -0,0 +1,5 @@
|
||||||
|
+Feb 7 15:10:42 example pure-ftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=pure-ftpd ruser=sample-user rhost=192.168.1.1
|
||||||
|
+May 12 09:47:54 vaio sshd[16004]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com user=root
|
||||||
|
+May 12 09:48:03 vaio sshd[16021]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=71-13-115-12.static.mdsn.wi.charter.com
|
||||||
|
+May 15 18:02:12 localhost proftpd: (pam_unix) authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=66.232.129.62 user=mark
|
||||||
|
+Nov 25 17:12:13 webmail pop(pam_unix)[4920]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.168.10.3 user=mailuser
|
|
@ -2,3 +2,5 @@
|
||||||
00_HOST_ignoreregex
|
00_HOST_ignoreregex
|
||||||
00_daemon_pids
|
00_daemon_pids
|
||||||
10_dbts_manpages
|
10_dbts_manpages
|
||||||
|
00_iptables_allports
|
||||||
|
00_pam_generic
|
||||||
|
|
Loading…
Reference in New Issue