diff --git a/config/filter.d/psad.conf b/config/filter.d/psad.conf new file mode 100644 index 00000000..b19d45da --- /dev/null +++ b/config/filter.d/psad.conf @@ -0,0 +1,19 @@ +# Fail2Ban configuration file +# +# Author: Arturo 'Buanzo' Busleiman +# + +[Definition] + +# Option: failregex +# Notes.: regex to match psad "scan detected" line, example: +# +# Apr 30 23:35:06 mx4 psad: scan detected: 221.192.199.49 -> 85.13.200.90 tcp: [8000] flags: SYN tcp pkts: 1 DL: 2 +# +failregex = ^.*\ psad\:\ scan\ detected\:\ \ \-\>\ .*$ + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = diff --git a/config/jail.conf b/config/jail.conf index 1fc8c4aa..75c53b76 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -153,8 +153,9 @@ action = shorewall logpath = /var/log/apache2/error_log # Ban attackers that try to use PHP's URL-fopen() functionality -# through GET/POST variables. - Experimental, with more than a year -# of usage in production environments. +# through GET/POST variables. +# Make sure you edit the filter if you need to allow certain requests. +# Adapt logpath as required! [php-url-fopen] @@ -231,3 +232,16 @@ action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] logpath = /var/log/named/security.log ignoreip = 168.192.0.1 + +# PSAD support for fail2ban by Buanzo. +# psad detects portscans, and logs the details to /var/log/messages +# With this jail, you can ban attackers that portscan you (for example, with the excellent Nmap) +# TODO: It needs a proper action, and decide on default port range/list + +[psad] + +enabled = false +port = ssh,http,https,smtp,ftp +filter = psad +logpath = /var/log/messages +maxretry = 1