From 5d60700c0ca0910275629db956caffb117618cde Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Viktor=20Sz=C3=A9pe?=
Date: Fri, 10 Jul 2015 16:22:43 +0200
Subject: [PATCH] Added pass2allow (knocking with fail2ban)

---
 ChangeLog | 3 +
 config/action.d/allow-iptables-multiport.conf | 59 +++++++++++++++++++
 config/filter.d/apache-pass.conf | 20 +++++++
 config/jail.conf | 13 ++++
 4 files changed, 95 insertions(+)
 create mode 100644 config/action.d/allow-iptables-multiport.conf
 create mode 100644 config/filter.d/apache-pass.conf

diff --git a/ChangeLog b/ChangeLog
index bc849aaa..ac61693f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -34,6 +34,9 @@ ver. 0.9.3 (2015/XX/XXX) - wanna-be-released
 - New Features:
 * New filters:
 - froxlor-auth Thanks Joern Muehlencord
+ * New type of operation:
+ - pass2allow: use fail2ban for "knocking", opening a closed port
+ (apache-pass filter, allow-iptables-multiport action)
 - Enhancements:
 * action.d/cloudflare.conf
 - improved documentation on how to allow
diff --git a/config/action.d/allow-iptables-multiport.conf b/config/action.d/allow-iptables-multiport.conf
new file mode 100644
index 00000000..6f9ffd71
--- /dev/null
+++ b/config/action.d/allow-iptables-multiport.conf
@@ -0,0 +1,59 @@
+# Fail2Ban configuration file for allowing hosts
+#
+# WARNING
+# Please be aware that all users behind NAT will access the service on the specified port.
+# You should protect this service with another jail that has very long bantime.
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = iptables -N f2b-
+ iptables -A f2b- -j
+ iptables -I -p -m multiport --dports -j f2b-
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = iptables -D -p -m multiport --dports -j f2b-
+ iptables -F f2b-
+ iptables -X f2b-
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck = iptables -n -L | grep -q 'f2b-[ \t]'
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = iptables -I f2b- 1 -s -j
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = iptables -D f2b- -s -j
+
+[Init]
+
+# Option: allowtype
+# Notes: ACCEPT skips other chains
+# Value: [ RETURN | ACCEPT ]
+#
+allowtype = RETURN
+
+# Author: Viktor Szépe
diff --git a/config/filter.d/apache-pass.conf b/config/filter.d/apache-pass.conf
new file mode 100644
index 00000000..dd00f953
--- /dev/null
+++ b/config/filter.d/apache-pass.conf
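Review bot: actionstop deletes the jump rule into the f2b- chain and then flushes and removes the chain, so the moment Fail2Ban stops (or this jail is disabled) the knock-protected ports fall back to whatever the parent chain's policy allows — on the common default-ACCEPT INPUT policy that is fail-open, the opposite of what a knocking setup wants. The header WARNING only covers NAT; it should also carry a line such as `# NOTE: actionstop removes the jump rule, so the ports stay closed while Fail2Ban is down only if a separate default-deny rule exists for them.` Separately, the iptables tags appear to have been stripped in this rendering (`f2b-` with nothing after it, `-s -j` with no address or target), so the target appended by the second actionstart line cannot be checked here; if it is `<allowtype>` rather than a blocking target (presumably `<blocktype>` from the included iptables-common.conf), non-knocking hosts would RETURN exactly like allowed ones and the port would never actually be closed — worth confirming against the committed file. The `[Init]` note `ACCEPT skips other chains` would read more clearly as `# RETURN hands the packet back to the parent chain for further filtering; ACCEPT admits it immediately and bypasses any later rules.`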
@@ -0,0 +1,20 @@
+# Fail2Ban Apache pass filter
+# This filter is for access.log, NOT for error.log
+#
+# The knocking request must have a referer.
+
+[INCLUDES]
+
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^ - \w+ \[\] "GET HTTP/1\.[01]" 200 \d+ ".*" "[^-].*"$
+
+ignoreregex =
+
+[Init]
+
+knocking_url = /knocking/
+
+# Author: Viktor Szépe
diff --git a/config/jail.conf b/config/jail.conf
index 67eda24e..ca0a2bfa 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -767,3 +767,16 @@ port = 2222
 enabled = false
 logpath = /var/lib/portsentry/portsentry.history
 maxretry = 1
+
+[pass2allow]
+# allow FTP traffic after successful HTTP auth
+enabled = false
+filter = apache-pass
+banaction = allow-iptables-multiport
+# access log of the website with HTTP auth
+logpath = /var/log/apache2/access.log
+port = ftp,ftp-data,ftps,ftps-data
+protocol = tcp
+bantime = 3600
+maxretry = 1
+findtime = 1
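Review bot: The comment `# The knocking request must have a referer.` does not match the failregex: in Apache's combined log format the two quoted fields after the response size are Referer then User-Agent, and the regex places `".*"` on the first and `"[^-].*"` on the second, so a request with no referer but any user-agent still opens the port. Either move the check to the first quoted field, `"[^-].*" ".*"$`, or change the comment to say the request must carry a User-Agent. The default `knocking_url = /knocking/` is also a guessable value for a path whose 200 response opens a firewall port to the requesting address; the filter should state that it is a placeholder, e.g. `# knocking_url must be overridden with a secret path in filter.d/apache-pass.local`. The `<HOST>` and `<knocking_url>` tags appear to have been stripped from the failregex in this rendering (`^ - \w+` and `"GET HTTP/1`), so the exact pattern could not be verified here.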
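Review bot: The jail comment says FTP is allowed "after successful HTTP auth", but what actually triggers the allow is an authenticated 200 on the apache-pass filter's knocking_url, which ships with the guessable default `/knocking/`; the jail should tell the operator to change it, e.g. `# knocking_url must be overridden to a secret value in filter.d/apache-pass.local`. Because this jail inverts the usual ban semantics, the numeric keys deserve a word each: `bantime = 3600` is how long the listed ports stay open for the knocking address, and `findtime = 1` with `maxretry = 1` means a single matching log line opens them. It is also worth stating that the jail only protects anything if the FTP ports are otherwise closed, since allow-iptables-multiport removes its jump rule in actionstop and so does not close the ports while Fail2Ban is stopped; a comment such as `# the listed ports must be closed by a separate default-deny rule; this jail only opens them for knocking hosts` would make that explicit.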