From 4f4f0399efa4309beb8027c533a6fff9709921af Mon Sep 17 00:00:00 2001
From: Arturo 'Buanzo' Busleiman
Date: Sat, 1 May 2010 13:26:02 +0000
Subject: [PATCH] added psad filter and jail, needs some reviewing. works OK.
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@759 a942ae1a-1317-0410-a47c-b1dcaea8d605
---
 config/filter.d/psad.conf | 19 +++++++++++++++++++
 config/jail.conf | 18 ++++++++++++++++--
 2 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 config/filter.d/psad.conf
diff --git a/config/filter.d/psad.conf b/config/filter.d/psad.conf
new file mode 100644
index 00000000..b19d45da
--- /dev/null
+++ b/config/filter.d/psad.conf
@@ -0,0 +1,19 @@
+# Fail2Ban configuration file
+#
+# Author: Arturo 'Buanzo' Busleiman
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match psad "scan detected" line, example:
+#
+# Apr 30 23:35:06 mx4 psad: scan detected: 221.192.199.49 -> 85.13.200.90 tcp: [8000] flags: SYN tcp pkts: 1 DL: 2
+#
+failregex = ^.*\ psad\:\ scan\ detected\:\ \ \-\>\ .*$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex = 
diff --git a/config/jail.conf b/config/jail.conf
index 1fc8c4aa..75c53b76 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -153,8 +153,9 @@ action = shorewall
 logpath = /var/log/apache2/error_log
 
 # Ban attackers that try to use PHP's URL-fopen() functionality
-# through GET/POST variables. - Experimental, with more than a year
-# of usage in production environments.
+# through GET/POST variables.
+# Make sure you edit the filter if you need to allow certain requests.
+# Adapt logpath as required!
 
 [php-url-fopen]
 
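Review bot: As rendered, the `failregex` line carries no `<HOST>` placeholder between `detected\:\ ` and `\ \-\>`, so fail2ban has no address to extract and nothing to ban; if the page merely dropped the token as markup this can be disregarded, otherwise the line should read `failregex = ^.* psad: scan detected: <HOST> -> .*$` (the backslash-escaped spaces and colons are redundant and only hurt readability). The leading `^.*` also lets any line in /var/log/messages that happens to contain the phrase match, not only lines written by psad, so a daemon that copies untrusted text into syslog could cause a ban of an arbitrary address; anchoring the match on the `psad:` program tag that directly follows the syslog host field would narrow it. The example in the Notes shows psad's danger level (`DL: 2`) but the filter ignores it, which is worth stating so a deployer knows every detection line counts regardless of severity.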
@@ -231,3 +232,16 @@ action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
 logpath = /var/log/named/security.log
 ignoreip = 168.192.0.1
 
+
+# PSAD support for fail2ban by Buanzo.
+# psad detects portscans, and logs the details to /var/log/messages
+# With this jail, you can ban attackers that portscan you (for example, with the excellent Nmap)
+# TODO: It needs a proper action, and decide on default port range/list
+
+[psad]
+
+enabled = false
+port = ssh,http,https,smtp,ftp
+filter = psad
+logpath = /var/log/messages
+maxretry = 1
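Review bot: `maxretry = 1` bans a source on its very first psad "scan detected" line, and psad reports single-packet events as well; since the source address of such a packet can be forged, an address the operator depends on (a monitoring host, the admin's own network) can be knocked out by one spoofed SYN, so a higher threshold such as `maxretry = 3`, or an `ignoreregex` that drops psad's lowest danger levels, is the safer default. The TODO on the action and port list is honest, but the comment should also warn that psad itself can be configured to block scanning addresses and that running both produces overlapping, hard-to-audit firewall rules, e.g. `# Note: if psad's own blocking is enabled, use either it or this jail, not both`. Keeping `enabled = false` is right given those open points; the port list `ssh,http,https,smtp,ftp` should be marked as a placeholder in the same comment until the TODO is resolved.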