From 3b4a7b7926234fce415372d3d5b1d5ba43e5c4a5 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sun, 5 May 2013 15:43:18 +1000 Subject: [PATCH] ENH: add blocktype to all relevant actions. Also default the rejection to a ICMP reject rather than a drop --- config/action.d/ipfilter.conf | 9 +++++++-- config/action.d/ipfw.conf | 10 +++++++++- config/action.d/iptables-allports.conf | 11 +++++++++-- config/action.d/iptables-ipset-proto4.conf | 10 ++++++++-- config/action.d/iptables-ipset-proto6.conf | 6 ++++++ config/action.d/iptables-multiport-log.conf | 9 ++++++++- config/action.d/iptables-multiport.conf | 11 +++++++++-- config/action.d/iptables-new.conf | 11 +++++++++-- config/action.d/iptables-xt_recent-echo.conf | 9 ++++++++- config/action.d/iptables.conf | 12 ++++++++++-- config/action.d/route.conf | 13 ++++++------- config/action.d/shorewall.conf | 8 +++++++- 12 files changed, 96 insertions(+), 23 deletions(-) diff --git a/config/action.d/ipfilter.conf b/config/action.d/ipfilter.conf index d77de9bf..61420e38 100644 --- a/config/action.d/ipfilter.conf +++ b/config/action.d/ipfilter.conf @@ -37,7 +37,7 @@ actioncheck = # Tags: See jail.conf(5) man page # Values: CMD # -actionban = echo block in quick from /32 | /sbin/ipf -f - +actionban = echo block in quick from /32 | /sbin/ipf -f - # Option: actionunban @@ -47,7 +47,12 @@ actionban = echo block in quick from /32 | /sbin/ipf -f - # Values: CMD # # note -r option used to remove matching rule -actionunban = echo block in quick from /32 | /sbin/ipf -r -f - +actionunban = echo block in quick from /32 | /sbin/ipf -r -f - [Init] +# Option: Blocktype +# Notes : This is the return-icmp[return-code] mentioned in the ipf man page section 5. Keep this quoted to prevent +# Shell expansion. This should be blank (unquoted) to drop the packet. +# Values: STRING +blocktype = "return-icmp(port-unr)" diff --git a/config/action.d/ipfw.conf b/config/action.d/ipfw.conf index 62612307..bf4dd43f 100644 --- a/config/action.d/ipfw.conf 
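Review bot: The new default `blocktype = "return-icmp(port-unr)"` in ipfilter.conf turns a silent drop into an active ICMP answer, as do the new defaults in ipfw.conf (`unreach port`), the iptables-*.conf files (`REJECT --reject-with icmp-port-unreachable`), route.conf (`prohibit`) and shorewall.conf (`reject`), yet none of the option comments mention the trade-off: every packet from a banned source is now answered, so the host is visibly up and filtering, and packets that arrive with a forged source address are answered toward that address. A one-line addition to the Notes here and in the other files would let operators choose deliberately, e.g. `# A reject answers every banned packet; use a drop value if the host should stay silent.` Separately, the header reads `# Option: Blocktype` while the key is `blocktype`, and `# Notes :` departs from the `# Notes.:` form used by the other action files in this patch.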
+++ b/config/action.d/ipfw.conf @@ -35,7 +35,7 @@ actioncheck = # Tags: See jail.conf(5) man page # Values: CMD # -actionban = ipfw add deny tcp from to +actionban = ipfw add tcp from to # Option: actionunban @@ -59,3 +59,11 @@ port = ssh # Values: IP # localhost = 127.0.0.1 + + +# Option: blocktype +# Notes.: How to block the traffic. Use a action from man 5 ipfw +# Common values: deny, unreach port, reset +# Values: STRING +# +blocktype = unreach port diff --git a/config/action.d/iptables-allports.conf b/config/action.d/iptables-allports.conf index a02ba63d..66ad0178 100644 --- a/config/action.d/iptables-allports.conf +++ b/config/action.d/iptables-allports.conf @@ -37,7 +37,7 @@ actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]' # Tags: See jail.conf(5) man page # Values: CMD # -actionban = iptables -I fail2ban- 1 -s -j DROP +actionban = iptables -I fail2ban- 1 -s -j # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -45,7 +45,7 @@ actionban = iptables -I fail2ban- 1 -s -j DROP # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = iptables -D fail2ban- -s -j DROP +actionunban = iptables -D fail2ban- -s -j [Init] @@ -64,3 +64,10 @@ protocol = tcp # added # Values: STRING Default: INPUT chain = INPUT + +# Option: blocktype +# Note: This is what the action does with rules. This can be any jump target +# as per the iptables man page (section 8). Common values are DROP +# REJECT, REJECT --reject-with icmp-port-unreachable +# Values: STRING +blocktype = REJECT --reject-with icmp-port-unreachable diff --git a/config/action.d/iptables-ipset-proto4.conf b/config/action.d/iptables-ipset-proto4.conf index 4221dd8d..0999bca0 100644 --- a/config/action.d/iptables-ipset-proto4.conf +++ b/config/action.d/iptables-ipset-proto4.conf 
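Review bot: Making the jump target configurable gives actionunban in iptables-allports.conf (`iptables -D fail2ban-<name> -s <ip> -j <blocktype>`; the angle-bracket tags appear stripped in this rendering) a new way to fail: `-D` removes only a rule whose specification matches exactly, so a ban inserted under one blocktype cannot be removed once the value is changed and the action reloaded, and the rule stays until the chain is flushed. The same applies to the actionstop `-D INPUT … -j <blocktype>` in iptables-ipset-proto4.conf and to iptables-multiport.conf, iptables-new.conf and iptables.conf; it was unreachable while the target was the constant DROP. A line on the option would warn operators, e.g. `# Changing this while bans are active leaves the previously inserted rules in place.`. Also `Common values are DROP REJECT, …` is missing a comma after DROP, and `# Note:` should follow the `# Notes.:` form the file uses on the actionunban block in this hunk.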
@@ -25,13 +25,13 @@ # Values: CMD # actionstart = ipset --create fail2ban- iphash - iptables -I INPUT -p -m multiport --dports -m set --match-set fail2ban- src -j DROP + iptables -I INPUT -p -m multiport --dports -m set --match-set fail2ban- src -j # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p -m multiport --dports -m set --match-set fail2ban- src -j DROP +actionstop = iptables -D INPUT -p -m multiport --dports -m set --match-set fail2ban- src -j ipset --flush fail2ban- ipset --destroy fail2ban- @@ -69,3 +69,9 @@ port = ssh # protocol = tcp +# Option: blocktype +# Note: This is what the action does with rules. This can be any jump target +# as per the iptables man page (section 8). Common values are DROP +# REJECT, REJECT --reject-with icmp-port-unreachable +# Values: STRING +blocktype = REJECT --reject-with icmp-port-unreachable diff --git a/config/action.d/iptables-ipset-proto6.conf b/config/action.d/iptables-ipset-proto6.conf index d90acd44..95ff27c9 100644 --- a/config/action.d/iptables-ipset-proto6.conf +++ b/config/action.d/iptables-ipset-proto6.conf @@ -76,3 +76,9 @@ protocol = tcp bantime = 600 +# Option: blocktype +# Note: This is what the action does with rules. This can be any jump target +# as per the iptables man page (section 8). Common values are DROP +# REJECT, REJECT --reject-with icmp-port-unreachable +# Values: STRING +blocktype = REJECT --reject-with icmp-port-unreachable diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf index 49958013..5ae93861 100644 --- a/config/action.d/iptables-multiport-log.conf +++ b/config/action.d/iptables-multiport-log.conf 
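Review bot: iptables-ipset-proto6.conf gains the `blocktype` option but nothing else in that file is changed to use it: the diffstat records six insertions and no deletions, so the `-j DROP` in its actionstart/actionstop (outside this hunk) is presumably still hard-coded, unlike iptables-ipset-proto4.conf where both rules now jump to the tag. As written, setting blocktype in this file has no effect, and the default documented here does not describe the rule actually installed. Either wire the tag into those two rules as proto4 does, or do not add an option whose comment claims it controls what the action does.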
@@ -21,7 +21,7 @@ actionstart = iptables -N fail2ban- iptables -I 1 -p -m multiport --dports -j fail2ban- iptables -N fail2ban--log iptables -I fail2ban--log -j LOG --log-prefix "$(expr fail2ban- : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 - iptables -A fail2ban--log -j DROP + iptables -A fail2ban--log -j # Option: actionstop # Notes.: command executed once at the end of Fail2Ban @@ -78,3 +78,10 @@ protocol = tcp # added # Values: STRING Default: INPUT chain = INPUT + +# Option: blocktype +# Note: This is what the action does with rules. This can be any jump target +# as per the iptables man page (section 8). Common values are DROP +# REJECT, REJECT --reject-with icmp-port-unreachable +# Values: STRING +blocktype = REJECT --reject-with icmp-port-unreachable diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf index ab0ee8de..b7827451 100644 --- a/config/action.d/iptables-multiport.conf +++ b/config/action.d/iptables-multiport.conf @@ -35,7 +35,7 @@ actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]' # Tags: See jail.conf(5) man page # Values: CMD # -actionban = iptables -I fail2ban- 1 -s -j DROP +actionban = iptables -I fail2ban- 1 -s -j # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -43,7 +43,7 @@ actionban = iptables -I fail2ban- 1 -s -j DROP # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = iptables -D fail2ban- -s -j DROP +actionunban = iptables -D fail2ban- -s -j [Init] @@ -68,3 +68,10 @@ protocol = tcp # added # Values: STRING Default: INPUT chain = INPUT + +# Option: blocktype +# Note: This is what the action does with rules. This can be any jump target +# as per the iptables man page (section 8). Common values are DROP +# REJECT, REJECT --reject-with icmp-port-unreachable +# Values: STRING +blocktype = REJECT --reject-with icmp-port-unreachable 
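Review bot: In iptables-multiport-log.conf the LOG rule kept as a context line still stamps every entry with the prefix `…:DROP `, while the rule right after it now jumps to `<blocktype>`, whose default rejects with an ICMP unreachable, so the log will say DROP for packets that are actually rejected. The prefix cannot simply carry the tag: `--log-prefix` is limited to 29 characters and the budget is already spent (23 characters of name from the `expr` plus the 6 of `:DROP `), so a different word would need the `expr` width reduced. At minimum add to the blocktype comment `# The LOG prefix in actionstart always reads DROP, whatever value is set here.` so that anyone matching on the prefix is not misled.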
diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf index 12f398c7..f5467ee2 100644 --- a/config/action.d/iptables-new.conf +++ b/config/action.d/iptables-new.conf @@ -37,7 +37,7 @@ actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]' # Tags: See jail.conf(5) man page # Values: CMD # -actionban = iptables -I fail2ban- 1 -s -j DROP +actionban = iptables -I fail2ban- 1 -s -j # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -45,7 +45,7 @@ actionban = iptables -I fail2ban- 1 -s -j DROP # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = iptables -D fail2ban- -s -j DROP +actionunban = iptables -D fail2ban- -s -j [Init] @@ -70,3 +70,10 @@ protocol = tcp # added # Values: STRING Default: INPUT chain = INPUT + +# Option: blocktype +# Note: This is what the action does with rules. This can be any jump target +# as per the iptables man page (section 8). Common values are DROP +# REJECT, REJECT --reject-with icmp-port-unreachable +# Values: STRING +blocktype = REJECT --reject-with icmp-port-unreachable diff --git a/config/action.d/iptables-xt_recent-echo.conf b/config/action.d/iptables-xt_recent-echo.conf index 887311be..e7d7182f 100644 --- a/config/action.d/iptables-xt_recent-echo.conf +++ b/config/action.d/iptables-xt_recent-echo.conf @@ -29,7 +29,7 @@ # own rules. The 3600 second timeout is independent and acts as a # safeguard in case the fail2ban process dies unexpectedly. The # shorter of the two timeouts actually matters. -actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban- -j DROP +actionstart = iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban- -j # Option: actionstop # Notes.: command executed once at the end of Fail2Ban 
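Review bot: In iptables-xt_recent-echo.conf only the actionstart rule is switched to `-j <blocktype>`; the file's diffstat shows a single deletion, so if actionstop (outside this hunk) removes the rule with a matching `iptables -D INPUT -m recent … -j DROP`, that specification no longer matches the installed rule and the ban rule survives a jail stop. Please check actionstop and give it the same `-j <blocktype>` so the insert and delete specifications stay in step.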
@@ -70,3 +70,10 @@ name = default # Values: [ tcp | udp | icmp | all ] Default: tcp # protocol = tcp + +# Option: blocktype +# Note: This is what the action does with rules. This can be any jump target +# as per the iptables man page (section 8). Common values are DROP +# REJECT, REJECT --reject-with icmp-port-unreachable +# Values: STRING +blocktype = REJECT --reject-with icmp-port-unreachable diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf index a3412f6b..be4b880c 100644 --- a/config/action.d/iptables.conf +++ b/config/action.d/iptables.conf @@ -35,7 +35,7 @@ actioncheck = iptables -n -L | grep -q 'fail2ban-[ \t]' # Tags: See jail.conf(5) man page # Values: CMD # -actionban = iptables -I fail2ban- 1 -s -j DROP +actionban = iptables -I fail2ban- 1 -s -j # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -43,7 +43,7 @@ actionban = iptables -I fail2ban- 1 -s -j DROP # Tags: See jail.conf(5) man page # Values: CMD # -actionunban = iptables -D fail2ban- -s -j DROP +actionunban = iptables -D fail2ban- -s -j [Init] @@ -68,3 +68,11 @@ protocol = tcp # added # Values: STRING Default: INPUT chain = INPUT + +Option: blocktype +# Note: This is what the action does with rules. This can be any jump target +# as per the iptables man page (section 8). Common values are DROP +# REJECT, REJECT --reject-with icmp-port-unreachable +# Values: STRING +blocktype = REJECT --reject-with icmp-port-unreachable + diff --git a/config/action.d/route.conf b/config/action.d/route.conf index ec940b74..9e3164cd 100644 --- a/config/action.d/route.conf +++ b/config/action.d/route.conf 
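Review bot: In iptables.conf the new option header is written `Option: blocktype` without the leading `#`, unlike the seven other files in this patch; configparser accepts `:` as a key/value delimiter, so this line is read inside `[Init]` as a key `option` with value `blocktype` rather than as a comment, and fail2ban would presumably carry it along as an extra init parameter. Change it to `# Option: blocktype`. The hunk also appends a trailing blank line after the new `blocktype` value (the one extra insertion in this file's diffstat compared with the others), which can be dropped.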
@@ -15,11 +15,10 @@ # - Blocking is per IP and NOT per service, but ideal as action against ssh password bruteforcing hosts [Definition] -actionban = ip route add -actionunban = ip route del +actionban = ip route add +actionunban = ip route del -# Type of blocking -# -# Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages. - -type = blackhole +# Option: blocktype +# Note: Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages. +# Values: STRING +blocktype = prohibit diff --git a/config/action.d/shorewall.conf b/config/action.d/shorewall.conf index aca3a256..7e0cee25 100644 --- a/config/action.d/shorewall.conf +++ b/config/action.d/shorewall.conf @@ -39,7 +39,7 @@ actioncheck = # Tags: See jail.conf(5) man page # Values: CMD # -actionban = shorewall drop +actionban = shorewall # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the @@ -48,3 +48,9 @@ actionban = shorewall drop # Values: CMD # actionunban = shorewall allow + +# Option: blocktype +# Note: This is what the action does with rules. +# See man page of shorewall for options that include drop, logdrop, reject, or logreject +# Values: STRING +blocktype = reject
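Review bot: route.conf renames the `type` option to `blocktype` and changes its default from `blackhole` to `prohibit` in the same step, with no compatibility note: a jail that overrides the old name (for example as `route[type=…]`, if that is how the file has been used) now has its setting silently ignored and gets `prohibit` instead, which answers the banned source with an ICMP error where `blackhole` stayed silent. At least the comment should record the rename and the previous default, e.g. `# Note: formerly "type" (default blackhole); jails overriding type= must now set blocktype=`.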