Added pass2allow (knocking with fail2ban)

2015-07-10 16:22:43 +02:00 · 2015-07-10 16:22:43 +02:00 · 5d60700c0c
parent 95c2a2976f
commit 5d60700c0c
4 changed files with 95 additions and 0 deletions
--- a/3
+++ b/3
@ -34,6 +34,9 @@ ver. 0.9.3 (2015/XX/XXX) - wanna-be-released
 - New Features:
   * New filters:
     - froxlor-auth  Thanks Joern Muehlencord
+   * New type of operation:
+     - pass2allow: use fail2ban for "knocking", opening a closed port
+       (apache-pass filter, allow-iptables-multiport action)

 - Enhancements:
   * action.d/cloudflare.conf - improved documentation on how to allow
--- a/config/action.d/allow-iptables-multiport.conf
+++ b/config/action.d/allow-iptables-multiport.conf
@ -0,0 +1,59 @@
+# Fail2Ban configuration file for allowing hosts
+#
+# WARNING
+# Please be aware that all users behind NAT will access the service on the specified port.
+# You should protect this service with another jail that has very long bantime.
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = iptables -N f2b-<name>
+              iptables -A f2b-<name> -j <blocktype>
+              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
+             iptables -F f2b-<name>
+             iptables -X f2b-<name>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = iptables -I f2b-<name> 1 -s <ip> -j <allowtype>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = iptables -D f2b-<name> -s <ip> -j <allowtype>
+
+[Init]
+
+# Option: allowtype
+# Notes: ACCEPT skips other chains
+# Value: [ RETURN | ACCEPT ]
+#
+allowtype = RETURN
+
+# Author: Viktor Szépe
--- a/config/filter.d/apache-pass.conf
+++ b/config/filter.d/apache-pass.conf
@ -0,0 +1,20 @@
+# Fail2Ban Apache pass filter
+# This filter is for access.log, NOT for error.log
+#
+# The knocking request must have a referer.
+
+[INCLUDES]
+
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^<HOST> - \w+ \[\] "GET <knocking_url> HTTP/1\.[01]" 200 \d+ ".*" "[^-].*"$
+
+ignoreregex =
+
+[Init]
+
+knocking_url = /knocking/
+
+# Author: Viktor Szépe
--- a/config/jail.conf
+++ b/config/jail.conf
@ -767,3 +767,16 @@ port = 2222
 enabled  = false
 logpath  = /var/lib/portsentry/portsentry.history
 maxretry = 1
+
+[pass2allow]
+# allow FTP traffic after successful HTTP auth
+enabled   = false
+filter    = apache-pass
+banaction = allow-iptables-multiport
+# access log of the website with HTTP auth
+logpath   = /var/log/apache2/access.log
+port      = ftp,ftp-data,ftps,ftps-data
+protocol  = tcp
+bantime   = 3600
+maxretry  = 1
+findtime  = 1