RF: adjusted all iptables/shorewall rules to use fail2ban-46 dispatcher + fixed its name in setup.py

also introduced action.d/common.conf to contain some common definitions to
be used in other action files. Similar setup to filter.d/
_tent/ipv6_adapter_cmd
Yaroslav Halchenko 2012-11-08 21:55:54 -05:00
parent 2715bda1d7
commit 61097d17bb
8 changed files with 98 additions and 66 deletions


@ -0,0 +1,12 @@
[INCLUDES]
# Load customizations if any available
after = common.local
[DEFAULT]
# Use ip v4/v6 dispatcher for iptables
iptables = fail2ban-46 iptables ip6tables
# for shorewall
shorewall = fail2ban-46 shorewall shorewall6
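Review bot: The new file has no header comment saying what it is or who reads it, unlike the other action files, which open with `# Fail2Ban configuration file`. Because the `[DEFAULT]` keys here are substituted into every action that does `before = common.conf`, a reader editing `iptables` on this line needs to know it changes every iptables-* action at once and that `common.local`, pulled in by `after = common.local`, is the intended place for site overrides. Suggest prepending `# Fail2Ban configuration file` and `# Common definitions shared by action.d/*.conf (read via before = common.conf); site overrides go in common.local`. From the values, `fail2ban-46` appears to take the v4 and v6 binaries as positional arguments; since the dispatcher itself is not in this diff, a one-line comment stating that contract would help the next maintainer.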


@ -5,8 +5,11 @@
# made active on all ports from original fail2ban-iptables.conf
# Modified by Paul J aka Thanat0s for ipv6 support
#
# $Revision$
#
[INCLUDES]
# Read common definitions, e.g. for %(iptables)s.
before = common.conf
[Definition]
@ -14,23 +17,23 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = fail2ban-iptables -N fail2ban-<name>
fail2ban-iptables -A fail2ban-<name> -j RETURN
fail2ban-iptables -I <chain> -p <protocol> -j fail2ban-<name>
actionstart = %(iptables)s -N fail2ban-<name>
%(iptables)s -A fail2ban-<name> -j RETURN
%(iptables)s -I <chain> -p <protocol> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = fail2ban-iptables -D <chain> -p <protocol> -j fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>
fail2ban-iptables -X fail2ban-<name>
actionstop = %(iptables)s -D <chain> -p <protocol> -j fail2ban-<name>
%(iptables)s -F fail2ban-<name>
%(iptables)s -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
actioncheck = %(iptables)s -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -40,7 +43,7 @@ actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = %(iptables)s -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -50,7 +53,7 @@ actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
actionunban = %(iptables)s -D fail2ban-<name> -s <ip> -j DROP
[Init]
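Review bot: The new `actioncheck = %(iptables)s -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'` pipes the combined output of two firewalls through a single grep, so the check passes as soon as the chain exists in either iptables or ip6tables; if one half of actionstart failed (ip6tables absent, or the chain missing in one table), that family is never re-created and its bans silently do not apply. How fail2ban-46 merges output and exit status is not visible in this diff, so confirm it; if it simply runs both binaries, the check needs to be made per binary or the dispatcher must exit non-zero when either call fails. The same construct is introduced in the multiport, new-connection and single-port actions further down this commit. Separately, `actionban = %(iptables)s -I fail2ban-<name> 1 -s <ip> -j DROP` hands the same `<ip>` to both tools, which presumes the dispatcher selects by address family rather than running both, since an IPv4 address given to ip6tables errors on every ban; that assumption deserves a comment in common.conf.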


@ -8,8 +8,11 @@
# make "fail2ban-<name>-log" chain to log and drop
# insert a jump to fail2ban-<name> from -I <chain> if proto/port match
#
# $Revision$
#
[INCLUDES]
# Read common definitions, e.g. for %(iptables)s.
before = common.conf
[Definition]
@ -17,28 +20,28 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = fail2ban-iptables -N fail2ban-<name>
fail2ban-iptables -A fail2ban-<name> -j RETURN
fail2ban-iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
fail2ban-iptables -N fail2ban-<name>-log
fail2ban-iptables -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
fail2ban-iptables -A fail2ban-<name>-log -j DROP
actionstart = %(iptables)s -N fail2ban-<name>
%(iptables)s -A fail2ban-<name> -j RETURN
%(iptables)s -I <chain> 1 -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
%(iptables)s -N fail2ban-<name>-log
%(iptables)s -I fail2ban-<name>-log -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
%(iptables)s -A fail2ban-<name>-log -j DROP
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>-log
fail2ban-iptables -X fail2ban-<name>
fail2ban-iptables -X fail2ban-<name>-log
actionstop = %(iptables)s -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
%(iptables)s -F fail2ban-<name>
%(iptables)s -F fail2ban-<name>-log
%(iptables)s -X fail2ban-<name>
%(iptables)s -X fail2ban-<name>-log
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = fail2ban-iptables -n -L fail2ban-<name>-log >/dev/null
actioncheck = %(iptables)s -n -L fail2ban-<name>-log >/dev/null
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -48,7 +51,7 @@ actioncheck = fail2ban-iptables -n -L fail2ban-<name>-log >/dev/null
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
actionban = %(iptables)s -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-log
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -58,7 +61,7 @@ actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j fail2ban-<name>-lo
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
actionunban = %(iptables)s -D fail2ban-<name> -s <ip> -j fail2ban-<name>-log
[Init]
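Review bot: `actioncheck = %(iptables)s -n -L fail2ban-<name>-log >/dev/null` now depends solely on the exit status of fail2ban-46 rather than of iptables itself; unless the dispatcher propagates a failure from either binary, a missing v6 log chain goes unnoticed and `actionban` keeps inserting rules that jump to a chain absent from that table. Whether it does so cannot be confirmed from this diff; it should be verified and recorded next to the key, e.g. `# actioncheck relies on fail2ban-46 exiting non-zero if either iptables or ip6tables fails`.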


@ -3,32 +3,36 @@
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
# Modified by Paul J aka Thanat0s for ipv6 support
# $Revision$
#
[INCLUDES]
# Read common definitions, e.g. for %(iptables)s.
before = common.conf
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = fail2ban-iptables -N fail2ban-<name>
fail2ban-iptables -A fail2ban-<name> -j RETURN
fail2ban-iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
actionstart = %(iptables)s -N fail2ban-<name>
%(iptables)s -A fail2ban-<name> -j RETURN
%(iptables)s -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = fail2ban-iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>
fail2ban-iptables -X fail2ban-<name>
actionstop = %(iptables)s -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
%(iptables)s -F fail2ban-<name>
%(iptables)s -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
actioncheck = %(iptables)s -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -38,7 +42,7 @@ actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = %(iptables)s -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -48,7 +52,7 @@ actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
actionunban = %(iptables)s -D fail2ban-<name> -s <ip> -j DROP
[Init]


@ -1,12 +1,15 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Copied from fail2ban-iptables.conf and modified by Yaroslav Halchenko
# Copied from fail2ban-iptables.conf and modified by Yaroslav Halchenko
# to fullfill the needs of bugreporter dbts#350746.
# Modified by Paul J aka Thanat0s for ipv6 support
#
# $Revision$
#
[INCLUDES]
# Read common definitions, e.g. for %(iptables)s.
before = common.conf
[Definition]
@ -14,23 +17,23 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = fail2ban-iptables -N fail2ban-<name>
fail2ban-iptables -A fail2ban-<name> -j RETURN
fail2ban-iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
actionstart = %(iptables)s -N fail2ban-<name>
%(iptables)s -A fail2ban-<name> -j RETURN
%(iptables)s -I <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = fail2ban-iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>
fail2ban-iptables -X fail2ban-<name>
actionstop = %(iptables)s -D <chain> -m state --state NEW -p <protocol> --dport <port> -j fail2ban-<name>
%(iptables)s -F fail2ban-<name>
%(iptables)s -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
actioncheck = %(iptables)s -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -40,7 +43,7 @@ actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = %(iptables)s -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -50,7 +53,7 @@ actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
actionunban = %(iptables)s -D fail2ban-<name> -s <ip> -j DROP
[Init]


@ -1,10 +1,14 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav Halchenko
# Modified by Paul J aka Thanat0s for ipv6 support
#
# $Revision$
#
[INCLUDES]
# Read common definitions, e.g. for %(iptables)s.
before = common.conf
[Definition]
@ -12,23 +16,23 @@
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = fail2ban-iptables -N fail2ban-<name>
fail2ban-iptables -A fail2ban-<name> -j RETURN
fail2ban-iptables -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
actionstart = %(iptables)s -N fail2ban-<name>
%(iptables)s -A fail2ban-<name> -j RETURN
%(iptables)s -I <chain> -p <protocol> --dport <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = fail2ban-iptables -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
fail2ban-iptables -F fail2ban-<name>
fail2ban-iptables -X fail2ban-<name>
actionstop = %(iptables)s -D <chain> -p <protocol> --dport <port> -j fail2ban-<name>
%(iptables)s -F fail2ban-<name>
%(iptables)s -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
actioncheck = %(iptables)s -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
@ -38,7 +42,7 @@ actioncheck = fail2ban-iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
actionban = %(iptables)s -I fail2ban-<name> 1 -s <ip> -j DROP
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -48,7 +52,7 @@ actionban = fail2ban-iptables -I fail2ban-<name> 1 -s <ip> -j DROP
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = fail2ban-iptables -D fail2ban-<name> -s <ip> -j DROP
actionunban = %(iptables)s -D fail2ban-<name> -s <ip> -j DROP
[Init]


@ -2,8 +2,6 @@
#
# Author: Cyril Jaquier
#
# $Revision$
#
# The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see
# file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a
# new shorewall rule to ban an IP address, that rule will affect only new
@ -11,7 +9,12 @@
# he could even log in. In order to get the same behavior of the iptable
# action (so that the ban is immediate) the /etc/shorewall/shorewall.conf
# file should me modified with "BLACKLISTNEWONLY=No".
#
#
[INCLUDES]
# Read common definitions, e.g. for %(iptables)s.
before = common.conf
[Definition]
@ -41,7 +44,7 @@ actioncheck =
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = shorewall drop <ip>
actionban = %(shorewall)s drop <ip>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
@ -51,4 +54,4 @@ actionban = shorewall drop <ip>
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = shorewall allow <ip>
actionunban = %(shorewall)s allow <ip>
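Review bot: The added `[INCLUDES]` comment `# Read common definitions, e.g. for %(iptables)s.` was copied from the iptables actions, but the key this file consumes is `%(shorewall)s`; it should read `# Read common definitions, e.g. for %(shorewall)s.` so a reader is not sent looking for an iptables key. Beyond wording, `actionban = %(shorewall)s drop <ip>` now invokes `shorewall` and `shorewall6` with the same address, and shorewall6 will reject an IPv4 address (and vice versa) unless fail2ban-46 routes by address family; the dispatcher is not part of this diff, so this cannot be confirmed here. The hunk context also shows `actioncheck =` is empty for this action, so a failing half of the dispatch is never re-verified before later bans, which makes the routing assumption worth a comment above the `before = common.conf` line.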


@ -55,7 +55,7 @@ setup(
'fail2ban-client',
'fail2ban-server',
'fail2ban-regex' ,
'fail2ban-iptables'
'fail2ban-46'
],
packages = [
'common',