- Added actions to report abuse to ISP, DShield and myNetWatchman. Thanks to Russell Odom.

git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/branches/FAIL2BAN-0_8@717 a942ae1a-1317-0410-a47c-b1dcaea8d605

ChangeLog

@@ -18,6 +18,8 @@ ver. 0.8.4 (2008/??/??) - stable
   valid date/time. Described in Debian #491253. Thanks to
   Yaroslav Halchenko.
 - Added/improved filters and date formats.
+- Added actions to report abuse to ISP, DShield and
+  myNetWatchman. Thanks to Russell Odom.
 
 ver. 0.8.3 (2008/07/17) - stable
 ----------

MANIFEST

@@ -79,6 +79,8 @@ config/filter.d/vsftpd.conf
 config/filter.d/webmin-auth.conf
 config/filter.d/wuftpd.conf
 config/filter.d/xinetd-fail.conf
+config/action.d/complain.conf
+config/action.d/dshield.conf
 config/action.d/hostsdeny.conf
 config/action.d/ipfw.conf
 config/action.d/iptables.conf
@@ -90,6 +92,7 @@ config/action.d/mail.conf
 config/action.d/mail-buffered.conf
 config/action.d/mail-whois.conf
 config/action.d/mail-whois-lines.conf
+config/action.d/mynetwatchman.conf
 config/action.d/sendmail.conf
 config/action.d/sendmail-buffered.conf
 config/action.d/sendmail-whois.conf

README

@@ -76,7 +76,8 @@ René Berber, mEDI, Axel Thimm, Eric Gerbier, Christian Rauch,
 Michael C. Haller, Jonathan Underwood, Hanno 'Rince' Wagner,
 Daniel B. Cid, David Nutter, Raphaël Marichez, Guillaume
 Delvit, Vaclav Misek, Adrien Clerc, Michael Hanselmann,
-Vincent Deffontaines, Bill Heaton and many others.
+Vincent Deffontaines, Bill Heaton, Russell Odom and many
+others.
 
 License:
 --------

config/action.d/complain.conf

@@ -0,0 +1,86 @@
+# Fail2Ban configuration file
+#
+# Author: Russell Odom <russ@gloomytrousers.co.uk>
+# Sends a complaint e-mail to addresses listed in the whois record for an
+# offending IP address.
+#
+# You should provide the <logpath> in the jail config - lines from the log
+# matching the given IP address will be provided in the complaint as evidence.
+#
+# Note that we will try to use e-mail addresses that are most likely to be abuse
+# addresses (based on various keywords). If they aren't found we fall back on
+# any other addresses found in the whois record, with a few exceptions.
+# If no addresses are found, no e-mail is sent.
+#
+# $Revision$
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <failtime>  unix timestamp of the last failure
+#          <bantime>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = ADDRESSES=`whois <ip> | perl -e 'while (<STDIN>) { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'`
+	    IP=<ip>
+            if [ ! -z "$ADDRESSES" ]; then
+                (printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)'; grep '<ip>' <logpath>) | <mailcmd> "Abuse from <ip>" $ADDRESSES <mailargs>
+            fi
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <bantime>  unix timestamp of the ban time
+#          <unbantime>  unix timestamp of the unban time
+# Values:  CMD
+#
+actionunban =
+
+[Init]
+message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)\n
+
+# Path to the log files which contain relevant lines for the abuser IP
+#
+logpath = /dev/null
+
+# Option:  mailcmd
+# Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+# Values:  CMD  Default: mail -s
+#
+mailcmd = mail -s
+
+# Option:  mailargs
+# Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
+#          CC reports to another address:
+#              -c me@example.com
+#          Appear to come from a different address - the '--' indicates
+#          arguments to be passed to Sendmail:
+#              -- -f me@example.com
+# Values:  [ STRING ]  Default: (empty)
+#
+mailargs =
+

config/action.d/dshield.conf

@@ -0,0 +1,210 @@
+# Fail2Ban configuration file
+#
+# Author: Russell Odom <russ@gloomytrousers.co.uk>
+# Submits attack reports to DShield (http://www.dshield.org/)
+#
+# You MUST configure at least:
+# <port> (the port that's being attacked - use number not name).
+#
+# You SHOULD also provide:
+# <myip> (your public IP address, if it's not the address of eth0)
+# <userid> (your DShield userID, if you have one - recommended, but reports will
+# be used anonymously if not)
+# <protocol> (the protocol in use - defaults to tcp)
+#
+# Best practice is to provide <port> and <protocol> in jail.conf like this:
+# action = dshield[port=1234,protocol=tcp]
+#
+# ...and create "dshield.local" with contents something like this:
+# [Init]
+# myip = 10.0.0.1
+# userid = 12345
+#
+# Other useful configuration values are <mailargs> (you can use for specifying
+# a different sender address for the report e-mails, which should match what is
+# configured at DShield), and <lines>/<minreportinterval>/<maxbufferage> (to
+# configure how often the buffer is flushed).
+#
+# $Revision$
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = if [ -f <tmpfile>.buffer ]; then
+                 cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <dest> <mailargs>
+                 date +%%s > <tmpfile>.lastsent
+             fi
+             rm -f <tmpfile>.buffer <tmpfile>.first
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+# See http://www.dshield.org/specs.html for more on report format/notes
+#
+# Note: We are currently using <time> for the timestamp because no tag is
+# available to indicate the timestamp of the log message(s) which triggered the
+# ban. Therefore the timestamps we are using in the report, whilst often only a
+# few seconds out, are incorrect. See
+# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047
+#
+actionban = TZONE=`date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'`
+            DATETIME="`perl -e '@t=localtime(<time>);printf "%%4d-%%02d-%%02d %%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'` $TZONE"
+	    PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
+	    if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
+            printf %%b "$DATETIME\t<userid>\t<failures>\t<ip>\t<srcport>\t<myip>\t<port>\t$PROTOCOL\t<tcpflags>\n" >> <tmpfile>.buffer
+            NOW=`date +%%s`
+            if [ ! -f <tmpfile>.first ]; then
+                echo <time> | cut -d. -f1 > <tmpfile>.first
+            fi
+            if [ ! -f <tmpfile>.lastsent ]; then
+                echo 0 > <tmpfile>.lastsent
+            fi
+            LOGAGE=$(($NOW - `cat <tmpfile>.first`))
+            LASTREPORT=$(($NOW - `cat <tmpfile>.lastsent`))
+            LINES=$( wc -l <tmpfile>.buffer | awk '{ print $1 }' )
+            if [ $LINES -ge <lines> && $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]; then
+                cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ $TZONE Fail2Ban" <dest> <mailargs>
+                rm -f <tmpfile>.buffer <tmpfile>.first
+                echo $NOW > <tmpfile>.lastsent
+            fi
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban = if [ -f <tmpfile>.first ]; then
+                  NOW=`date +%%s`
+                  LOGAGE=$(($NOW - `cat <tmpfile>.first`))
+                  if [ $LOGAGE -gt <maxbufferage> ]; then
+                      cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <dest> <mailargs>
+                      rm -f <tmpfile>.buffer <tmpfile>.first
+                      echo $NOW > <tmpfile>.lastsent
+                  fi
+              fi
+
+
+[Init]
+# Option:  port
+# Notes.:  The target port for the attack (numerical). MUST be provided in the
+#          jail config, as it cannot be detected here.
+# Values:  [ NUM ]  Default: ???
+#
+port = ???
+
+# Option:  userid
+# Notes.:  Your DSheild user ID. Should be provided either in the jail config or
+#          in a .local file.
+#          Register at https://secure.dshield.org/register.html
+# Values:  [ NUM ]  Default: 0
+#
+userid = 0
+
+# Option:  myip
+# Notes.:  TThe target IP for the attack (your public IP). Should be provided
+#          either in the jail config or in a .local file unless your PUBLIC IP
+#          is the first IP assigned to eth0
+# Values:  [ an IP address ]  Default: Tries to find the IP address of eth0,
+#          which in most cases will be a private IP, and therefore incorrect
+#
+myip = `ip -4 addr show dev eth0 | grep inet | head -1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
+
+# Option:  protocol
+# Notes.:  The protocol over which the attack is happening
+# Values:  [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp
+#
+protocol = tcp
+
+# Option:  lines
+# Notes.:  How many lines to buffer before making a report. Regardless of this,
+#          reports are sent a minimum of <minreportinterval> apart, or if the
+#          buffer contains an event over <maxbufferage> old, or on shutdown
+# Values:  [ NUM ]  Default: 50
+#
+lines = 50
+
+# Option:  minreportinterval
+# Notes.:  Minimum period (in seconds) that must elapse before we submit another
+#          batch of reports. DShield request a minimum of 1 hour (3600 secs)
+#          between reports.
+# Values:  [ NUM ]  Default: 3600
+#
+minreportinterval = 3600
+
+# Option:  maxbufferage
+# Notes.:  Maximum age (in seconds) of the oldest report in the buffer before we
+#          submit the batch, even if we haven't reached <lines> yet. Note that
+#          this is only checked on each ban/unban, and that we always send
+#          anything in the buffer on shutdown. Must be greater than
+#          <minreportinterval>.
+# Values:  [ NUM ]  Default: 21600 (6 hours)
+#
+maxbufferage = 21600
+
+# Option:  srcport
+# Notes.:  The source port of the attack. You're unlikely to have this info, so
+#          you can leave the default
+# Values:  [ NUM ]  Default: ???
+#
+srcport = ???
+
+# Option:  tcpflags
+# Notes.:  TCP flags on attack. You're unlikely to have this info, so you can
+#          leave empty
+# Values:  [ STRING ]  Default: (empty)
+#
+tcpflags =
+
+# Option:  mailcmd
+# Notes.:  Your system mail command. Is passed 2 args: subject and recipient
+# Values:  CMD  Default: mail -s
+#
+mailcmd = mail -s
+
+# Option:  mailargs
+# Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
+#          CC reports to another address:
+#              -c me@example.com
+#          Appear to come from a different address (the From address must match
+#          the one configured at DShield - the '--' indicates arguments to be
+#          passed to Sendmail):
+#              -- -f me@example.com
+# Values:  [ STRING ]  Default: (empty)
+#
+mailargs =
+
+# Option:  dest
+# Notes.:  Destination e-mail address for reports
+# Values:  [ STRING ]  Default: reports@dshield.org
+#
+dest = reports@dshield.org
+
+# Option:  tmpfile
+# Notes.:  Base name of temporary files used for buffering
+# Values:  [ STRING ]  Default: /tmp/fail2ban-dshield
+#
+tmpfile = /tmp/fail2ban-dshield
+

config/action.d/mynetwatchman.conf

@@ -0,0 +1,144 @@
+# Fail2Ban configuration file
+#
+# Author: Russell Odom <russ@gloomytrousers.co.uk>
+# Submits attack reports to myNetWatchman (http://www.mynetwatchman.com/)
+#
+# You MUST configure at least:
+# <port> (the port that's being attacked - use number not name).
+# <mnwlogin> (your mNW login).
+# <mnwpass> (your mNW password).
+#
+# You SHOULD also provide:
+# <myip> (your public IP address, if it's not the address of eth0)
+# <protocol> (the protocol in use - defaults to tcp)
+#
+# Best practice is to provide <port> and <protocol> in jail.conf like this:
+# action = mynetwatchman[port=1234,protocol=udp]
+#
+# ...and create "mynetwatchman.local" with contents something like this:
+# [Init]
+# mnwlogin = me@example.com
+# mnwpass = SECRET
+# myip = 10.0.0.1
+#
+# Another useful configuration value is <getcmd>, if you don't have wget
+# installed (an example config for curl is given below)
+#
+# $Revision$
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+#
+# Note: We are currently using <time> for the timestamp because no tag is
+# available to indicate the timestamp of the log message(s) which triggered the
+# ban. Therefore the timestamps we are using in the report, whilst often only a
+# few seconds out, are incorrect. See
+# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047
+#
+actionban = MNWLOGIN=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwlogin>'`
+            MNWPASS=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwpass>'`
+	    PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
+	    if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
+	    DATETIME=`perl -e '@t=gmtime(<time>);printf "%%4d-%%02d-%%02d+%%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'`
+            <getcmd> "<mnwurl>?AT=2&AV=0&AgentEmail=$MNWLOGIN&AgentPassword=$MNWPASS&AttackerIP=<ip>&SrcPort=<srcport>&ProtocolID=$PROTOCOL&DestPort=<port>&AttackCount=<failures>&VictimIP=<myip>&AttackDateTime=$DATETIME" 2>&1 >> <tmpfile>.out && grep -q 'Attack Report Insert Successful' <tmpfile>.out && rm -f <tmpfile>.out
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban =
+
+[Init]
+# Option:  port
+# Notes.:  The target port for the attack (numerical). MUST be provided in
+#          the jail config, as it cannot be detected here.
+# Values:  [ NUM ]  Default: ???
+#
+port = 0
+
+# Option:  mnwlogin
+# Notes.:  Your mNW login e-mail address. MUST be provided either in the jail
+#          config or in a .local file.
+#          Register at http://www.mynetwatchman.com/reg.asp
+# Values:  [ STRING ]  Default: (empty)
+#
+mnwlogin =
+
+# Option:  mnwpass
+# Notes.:  The password corresponding to your mNW login e-mail address. MUST be
+#          provided either in the jail config or in a .local file.
+# Values:  [ STRING ]  Default: (empty)
+#
+mnwpass =
+
+# Option:  myip
+# Notes.:  TThe target IP for the attack (your public IP). Should be overridden
+#          either in the jail config or in a .local file unless your PUBLIC IP
+#          is the first IP assigned to eth0
+# Values:  [ an IP address ]  Default: Tries to find the IP address of eth0,
+#          which in most cases will be a private IP, and therefore incorrect
+#
+myip = `ip -4 addr show dev eth0 | grep inet | head -1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
+
+# Option:  protocol
+# Notes.:  The protocol over which the attack is happening
+# Values:  [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp
+#
+protocol = tcp
+
+# Option:  getcmd
+# Notes.:  A command to fetch a URL. Should output page to STDOUT
+# Values:  CMD  Default: wget
+#
+getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 --read-timeout=60 --retry-connrefused --output-document=- --user-agent=Fail2Ban
+# Alternative value:
+# getcmd = curl --silent --show-error --retry 3 --connect-timeout 10 --max-time 60 --user-agent Fail2Ban
+
+# Option:  srcport
+# Notes.:  The source port of the attack. You're unlikely to have this info, so
+#          you can leave the default
+# Values:  [ NUM ]  Default: 0
+#
+srcport = 0
+
+# Option:  mnwurl
+# Notes.:  The report service URL on the mNW site
+# Values:  STRING  Default: http://mynetwatchman.com/insertwebreport.asp
+#
+mnwurl = http://mynetwatchman.com/insertwebreport.asp
+
+# Option:  tmpfile
+# Notes.:  Base name of temporary files
+# Values:  [ STRING ]  Default: /tmp/fail2ban-mynetwatchman
+#
+tmpfile = /tmp/fail2ban-mynetwatchman