create crowdsec.conf
commit
3e2ee14085
|
@ -12,10 +12,6 @@
|
|||
# crowdsec[lapi_url="http://local-api:8080", machine_id="ReverseProxy", password="******"]
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
#before = mail-whois-common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
# bypass action for restored tickets
|
||||
|
@ -46,11 +42,8 @@ actioncheck =
|
|||
# Tags: See jail.conf(5) man page
|
||||
# Values: CMD
|
||||
#
|
||||
actionban = WHOIS_RESULT=$(whois <ip>)
|
||||
WHOIS_COUNTRY=$(echo "$WHOIS_RESULT" | grep -a -i -m 1 Country | sed -n -e 's/^.*[Cc]ountry:\s*//p')
|
||||
WHOIS_ASN=$(echo "$WHOIS_RESULT" | grep -a -i Origin | tail -1 | sed -n -e 's/^.*[Oo]rigin.*:\s*AS//p')
|
||||
WHOIS_ASNAME=$(echo "$WHOIS_RESULT" | grep -a netname | tail -1 | sed -n -e 's/^.*netname:\s*//p')
|
||||
TIME=$(LC_ALL=C date -d "@<time>" +"%%Y-%%m-%%d, %%H:%%M:%%S")
|
||||
actionban = <lookup-<lookup>/lookupinfo>
|
||||
TIME=$(LC_ALL=C date -d "@<time>" +"%%Y-%%m-%%dT%%H:%%M:%%S%%:z")
|
||||
JSON_STRING=$(/usr/bin/jq -s -R -n \
|
||||
--arg ip "<ip>" \
|
||||
--arg scenario "fail2ban/<name>" \
|
||||
|
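Review bot: The rewritten `TIME=` line formats the timestamp with `%%:z`, and `%:z` (offset with a colon) is a GNU coreutils extension to `date`; BusyBox or BSD `date` on a minimal host may reject it, in which case `TIME` ends up empty and, presumably, an empty timestamp is sent in the alert built further down. If the LAPI accepts `+0000`-style offsets, `%%z` is the portable spelling; otherwise a comment above the line stating the GNU `date` dependency would save the next reader a surprise. The `actionban` value continues past the end of this hunk.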
@ -101,7 +94,7 @@ actionban = WHOIS_RESULT=$(whois <ip>)
|
|||
"as_number": $an,
|
||||
"as_name": $nm,
|
||||
"cn": $cn }}]')
|
||||
curl -H "Authorization: Bearer $(curl -s -X POST -H 'Content-Type: application/json' -d '{"machine_id": "<machine_id>","password": "<password>"}' <lapi_url>/v1/watchers/login | jq -r ".token")" -X POST <lapi_url>/v1/alerts -H 'Content-Type: application/json' -d "$JSON_STRING"
|
||||
nohup curl -H "Authorization: Bearer $(curl -s -X POST -H 'Content-Type: application/json' -d '{"machine_id": "<machine_id>","password": "<password>"}' <lapi_url>/v1/watchers/login | jq -r ".token")" -X POST <lapi_url>/v1/alerts -H 'Content-Type: application/json' -d "$JSON_STRING" > /dev/null 2>&1
|
||||
|
||||
|
||||
# Option: actionunban
|
||||
|
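Review bot: On the new `nohup curl …` line the LAPI password is still passed inside the `-d '{"machine_id": "<machine_id>","password": "<password>"}'` argument of the inner login `curl`, so it is visible in the process list to every local user while the request runs; feeding the body through stdin, e.g. `printf '%%s' '{"machine_id": "<machine_id>","password": "<password>"}' | curl -sS --fail -X POST -H 'Content-Type: application/json' -d @- <lapi_url>/v1/watchers/login | jq -r ".token"`, keeps it out of argv (`printf` is a shell builtin). Sending everything to `/dev/null 2>&1` also means a wrong password or an unreachable `<lapi_url>` is never reported: `jq -r ".token"` yields the literal `null` on a failed login and the alert POST then goes out with `Bearer null`. Adding `-sS --fail` to both `curl` calls and keeping stderr (a log file rather than `/dev/null`) would surface that. The `actionban` value starts before this hunk.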
@ -112,4 +105,18 @@ actionban = WHOIS_RESULT=$(whois <ip>)
|
|||
#
|
||||
actionunban =
|
||||
|
||||
# Option `lookup` (default `none`) - supply `whois` to perform a lookup for country and ASN using whois command
|
||||
lookup = none
|
||||
|
||||
[lookup-none]
|
||||
lookupinfo = WHOIS_COUNTRY=''
|
||||
WHOIS_ASN=''
|
||||
WHOIS_ASNAME=''
|
||||
|
||||
[lookup-whois]
|
||||
lookupinfo = WHOIS_RESULT=$(whois <ip>)
|
||||
WHOIS_COUNTRY=$(echo "$WHOIS_RESULT" | grep -a -i -m 1 Country | sed -n -e 's/^.*[Cc]ountry:\s*//p')
|
||||
WHOIS_ASN=$(echo "$WHOIS_RESULT" | grep -a -i Origin | tail -1 | sed -n -e 's/^.*[Oo]rigin.*:\s*AS//p')
|
||||
WHOIS_ASNAME=$(echo "$WHOIS_RESULT" | grep -a netname | tail -1 | sed -n -e 's/^.*netname:\s*//p')
|
||||
|
||||
[Init]
|
||||
|
|
|
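Review bot: The new `lookup` option is documented in a different style from the rest of the file — one backtick sentence, where the neighbouring options use the `# Option:` / `# Notes.:` / `# Values:` block (see `# Option: actionunban` just above). Because `actionban` expands `<lookup-<lookup>/lookupinfo>`, any value other than the two sections defined here leaves an unresolved tag, so the comment should state the closed set, e.g. `# Option: lookup` / `# Notes.: selects the [lookup-*] section that supplies country and ASN data for the alert` / `# Values: none | whois  Default: none`. The `[Init]` section that follows is cut off by the hunk.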
@ -0,0 +1,16 @@
|
|||
# Fail2Ban filter for dante
|
||||
#
|
||||
# Make sure you have "log: error" set in your "client pass" directive
|
||||
#
|
||||
|
||||
[INCLUDES]
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
_daemon = danted
|
||||
|
||||
failregex = ^%(__prefix_line)sinfo: block\(1\): tcp/accept \]: <HOST>\.\d+ [\d.]+: error after reading \d+ bytes? in \d+ seconds?: (?:could not access |system password authentication failed for )user "<F-USER>[^"]+</F-USER>"
|
||||
|
||||
[Init]
|
||||
journalmatch = _SYSTEMD_UNIT=danted.service
|
||||
|
|
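Review bot: `failregex` only matches `block\(1\)`; if the number in parentheses is the index of the `client pass`/`block` rule that rejected the connection (which Dante's rule-numbered logging suggests, though the page cannot confirm it), failures attributed to any other rule are missed, and `block\(\d+\)` would cover them — the accompanying test log only exercises rule 1. The filter also omits the `ignoreregex =` line that the other filter touched in this commit carries, so the two would be worth aligning. Since `<HOST>\.\d+` expects a dotted address followed by a port, a comment noting whether IPv6 peers are logged in the same shape would help whoever extends it.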
@ -14,7 +14,7 @@
|
|||
|
||||
[Definition]
|
||||
|
||||
failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
|
||||
failregex = ^type=%(_type)s msg=audit\(:\d+\): (?:user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'(?:\x1D|$)
|
||||
|
||||
ignoreregex =
|
||||
|
||||
|
|
|
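Review bot: The `(?:\x1D|$)` alternative added at the end of `failregex` is not explained anywhere near the line; a reader has to know that `\x1D` is the ASCII group-separator that appears before the `UID="…" AUID="…"` trailer in enriched audit records, which is what the new test sample in this commit ends with. A comment above the line such as `# (?:\x1D|$): enriched audit records append a 0x1D-separated UID=/AUID= trailer after the quoted msg` would carry that. The rest of `[Definition]` (`_type`, `_msg`) lies outside this hunk.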
@ -15,7 +15,9 @@ _subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
|
|||
_exe =/usr/sbin/sshd
|
||||
_terminal = ssh
|
||||
|
||||
_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
|
||||
_anygrp = (?!acct=|exe=|addr=|terminal=|res=)\w+=(?:"[^"]+"|\S*)
|
||||
|
||||
_msg = (?:%(_anygrp)s )*acct=(?:"<F-USER>[^"]+</F-USER>"|<F-ALT_USER>\S+</F-ALT_USER>) exe="%(_exe)s" (?:%(_anygrp)s )*addr=<ADDR> terminal=%(_terminal)s res=failed
|
||||
|
||||
# DEV Notes:
|
||||
#
|
||||
|
|
|
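Review bot: `_anygrp` changes what the filter accepts — any `key=value` token may now precede `acct=` or sit between `exe=` and `addr=`, and `hostname=` is no longer checked at all — yet the new variable has no comment and the `# DEV Notes:` block that follows is unchanged. A line above it such as `# _anygrp: one audit key=value pair other than the anchored fields; lets extra fields (e.g. grantors=) appear in any position` would record the intent. Note that the second `(?:%(_anygrp)s )*` also admits a record with no `hostname=` field at all, which looks intended given `<ADDR>` now replaces the dotted-quad check, but is worth confirming against the test log. The `[Definition]` section continues outside the hunk.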
@ -978,3 +978,8 @@ banaction = %(banaction_allports)s
|
|||
[monitorix]
|
||||
port = 8080
|
||||
logpath = /var/log/monitorix-httpd
|
||||
|
||||
[dante]
|
||||
port = 1080
|
||||
logpath = %(syslog_daemon)s
|
||||
|
||||
|
|
|
@ -277,7 +277,7 @@ class ConfigReaderUnshared(SafeConfigParserWithIncludes):
|
|||
# TODO: validate error handling here.
|
||||
except NoOptionError:
|
||||
if not optvalue is None:
|
||||
logSys.warning("'%s' not defined in '%s'. Using default one: %r"
|
||||
logSys.debug("'%s' not defined in '%s'. Using default one: %r"
|
||||
% (optname, sec, optvalue))
|
||||
values[optname] = optvalue
|
||||
# elif logSys.getEffectiveLevel() <= logLevel:
|
||||
|
|
|
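Review bot: Downgrading the "not defined … Using default one" message from `warning` to `debug` means an option name misspelled in a jail or action section is now only visible with debug logging; the reader silently falls back to the default at the normal log level. If this branch is reached for every option that merely has a built-in default, the old warning was noise and the change is right; if it is also the only signal for a typo, I would keep `warning` for entries the reader treats as expected, or at least mention the change in the changelog. Separately, the context line `if not optvalue is None:` reads more naturally as `if optvalue is not None:`. The `except NoOptionError:` block and its enclosing method continue outside the hunk.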
@ -0,0 +1,6 @@
|
|||
# failJSON: { "time": "2005-04-14T15:35:03", "match": true , "host": "1.2.3.4" }
|
||||
Apr 14 15:35:03 vps111111 danted[17969]: info: block(1): tcp/accept ]: 1.2.3.4.50550 0.0.0.0.1080: error after reading 35 bytes in 0 seconds: could not access user "roooooooot"'s records in the system password file: no system error
|
||||
# failJSON: { "time": "2005-04-14T15:44:26", "match": true , "host": "1.2.3.4" }
|
||||
Apr 14 15:44:26 vps111111 danted[1846]: info: block(1): tcp/accept ]: 1.2.3.4.57178 0.0.0.0.1080: error after reading 18 bytes in 0 seconds: system password authentication failed for user "aland"
|
||||
# failJSON: { "time": "2005-04-14T15:44:26", "match": true , "host": "1.2.3.4" }
|
||||
Apr 14 15:44:26 vps111111 danted[1846]: info: block(1): tcp/accept ]: 1.2.3.4.57178 0.0.0.0.1080: error after reading 1 byte in 1 second: system password authentication failed for user "aland"
|
|
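Review bot: All three samples are positive matches; a negative sample with `"match": false` — an otherwise identical `danted` line that does not contain `error after reading` — would pin that the filter does not over-match ordinary connections. None of the samples exercises a rule number other than `block(1)` either, so the fixture cannot tell whether that literal `1` is deliberate.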
@ -27,3 +27,6 @@ type=USER_AUTH msg=audit(1383116263.000:603): pid=12887 uid=0 auid=4294967295 se
|
|||
|
||||
# failJSON: { "time": "2013-10-30T07:54:08", "match": false , "host": "192.168.3.100" }
|
||||
type=USER_LOGIN msg=audit(1383116048.000:595): pid=12354 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login acct="dan" exe="/usr/sbin/sshd" hostname=? addr=192.168.3.100 terminal=ssh res=failed'
|
||||
|
||||
# failJSON: { "time": "2022-11-14T00:11:11", "match": true , "host": "192.0.2.111" }
|
||||
type=USER_AUTH msg=audit(1668381071.000:373474): pid=173582 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=192.0.2.111 addr=192.0.2.111 terminal=ssh res=failed'UID="root" AUID="unset"
|
||||
|
|