added psad filter and jail, needs some reviewing. works OK.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@759 a942ae1a-1317-0410-a47c-b1dcaea8d605
2010-05-01 13:26:02 +00:00 · 2010-05-01 13:26:02 +00:00 · 4f4f0399ef
parent 5aec43ae35
commit 4f4f0399ef
2 changed files with 35 additions and 2 deletions
--- a/config/filter.d/psad.conf
+++ b/config/filter.d/psad.conf
@ -0,0 +1,19 @@
+# Fail2Ban configuration file
+#
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match psad "scan detected" line, example:
+#
+# Apr 30 23:35:06 mx4 psad: scan detected: 221.192.199.49 -> 85.13.200.90 tcp: [8000] flags: SYN tcp pkts: 1 DL: 2
+#
+failregex = ^.*\ psad\:\ scan\ detected\:\ <HOST>\ \-\>\ .*$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
--- a/config/jail.conf
+++ b/config/jail.conf
@ -153,8 +153,9 @@ action   = shorewall
 logpath  = /var/log/apache2/error_log

 # Ban attackers that try to use PHP's URL-fopen() functionality
-# through GET/POST variables. - Experimental, with more than a year
-# of usage in production environments.
+# through GET/POST variables.
+# Make sure you edit the filter if you need to allow certain requests.
+# Adapt logpath as required!

 [php-url-fopen]

@ -231,3 +232,16 @@ action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
 logpath  = /var/log/named/security.log
 ignoreip = 168.192.0.1

+
+# PSAD support for fail2ban by Buanzo.
+# psad detects portscans, and logs the details to /var/log/messages
+# With this jail, you can ban attackers that portscan you (for example, with the excellent Nmap)
+# TODO: It needs a proper action, and decide on default port range/list
+
+[psad]
+
+enabled	= false
+port	= ssh,http,https,smtp,ftp
+filter	= psad
+logpath	= /var/log/messages
+maxretry = 1