From 1e1c4ac62a2bb4cc693c963c2ba794c6666cd730 Mon Sep 17 00:00:00 2001 From: SATO Kentaro Date: Mon, 16 Jun 2014 21:15:03 +0900 Subject: [PATCH 1/2] ENH: Add to iptables-ipsets. --- ChangeLog | 1 + THANKS | 1 + config/action.d/iptables-ipset-proto4.conf | 10 ++++++++-- config/action.d/iptables-ipset-proto6-allports.conf | 10 ++++++++-- config/action.d/iptables-ipset-proto6.conf | 10 ++++++++-- 5 files changed, 26 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index d4ea774a7..2aeb2fb08 100644 --- a/ChangeLog +++ b/ChangeLog @@ -38,6 +38,7 @@ ver. 0.9.1 (2014/xx/xx) - better, faster, stronger * Fail2ban-regex - add print-all-matched option. Closes gh-652 * Suppress fail2ban-client warnings for non-critical config options * Match non "Bye Bye" disconnect messages for sshd locked account regex + * Add tag to iptables-ipsets. ver. 0.9.0 (2014/03/14) - beta ---------- diff --git a/THANKS b/THANKS index 27165492b..080794905 100644 --- a/THANKS +++ b/THANKS @@ -85,6 +85,7 @@ Robert Edeker Rolf Fokkens Roman Gelfand Russell Odom +SATO Kentaro Sebastian Arcus Sireyessire silviogarbes diff --git a/config/action.d/iptables-ipset-proto4.conf b/config/action.d/iptables-ipset-proto4.conf index fc03c68c0..4714f0df9 100644 --- a/config/action.d/iptables-ipset-proto4.conf +++ b/config/action.d/iptables-ipset-proto4.conf @@ -28,13 +28,13 @@ before = iptables-blocktype.conf # Values: CMD # actionstart = ipset --create f2b- iphash - iptables -I INPUT -p -m multiport --dports -m set --match-set f2b- src -j + iptables -I -p -m multiport --dports -m set --match-set f2b- src -j # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p -m multiport --dports -m set --match-set f2b- src -j +actionstop = iptables -D -p -m multiport --dports -m set --match-set f2b- src -j ipset --flush f2b- ipset --destroy f2b- 
@@ -60,6 +60,12 @@ actionunban = ipset --test f2b- && ipset --del f2b- # name = default +# Option: chain +# Notes specifies the iptables chain to which the Fail2Ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT + # Option: port # Notes.: specifies port to monitor # Values: [ NUM | STRING ] Default: ssh diff --git a/config/action.d/iptables-ipset-proto6-allports.conf b/config/action.d/iptables-ipset-proto6-allports.conf index 72fba9cde..a3726873f 100644 --- a/config/action.d/iptables-ipset-proto6-allports.conf +++ b/config/action.d/iptables-ipset-proto6-allports.conf @@ -25,13 +25,13 @@ before = iptables-blocktype.conf # Values: CMD # actionstart = ipset create f2b- hash:ip timeout - iptables -I INPUT -m set --match-set f2b- src -j + iptables -I -m set --match-set f2b- src -j # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -m set --match-set f2b- src -j +actionstop = iptables -D -m set --match-set f2b- src -j ipset flush f2b- ipset destroy f2b- @@ -57,6 +57,12 @@ actionunban = ipset del f2b- -exist # name = default +# Option: chain +# Notes specifies the iptables chain to which the Fail2Ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT + # Option: bantime # Notes: specifies the bantime in seconds (handled internally rather than by fail2ban) # Values: [ NUM ] Default: 600 diff --git a/config/action.d/iptables-ipset-proto6.conf b/config/action.d/iptables-ipset-proto6.conf index 5d8481103..a3081ea07 100644 --- a/config/action.d/iptables-ipset-proto6.conf +++ b/config/action.d/iptables-ipset-proto6.conf 
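Review bot: The new `chain` option in iptables-ipset-proto4.conf is documented only as the chain "to which the Fail2Ban rules should be added", but the rule is installed with `iptables -I`, i.e. at the head of that chain ahead of everything the chain already holds; that is the property an administrator pointing `chain` at FORWARD or a custom chain needs to know, so the Notes line should say it: `# Notes.: specifies the iptables chain to which the Fail2Ban rules should be added (inserted at the top of the chain with -I)`. The header also reads `# Notes specifies` while the neighbouring options in the same section use `# Notes.:`. The same block is copied verbatim into iptables-ipset-proto6-allports.conf (next hunk), iptables-ipset-proto6.conf (later in PATCH 1/2) and iptables-common.conf (PATCH 2/2), so the wording should be fixed in all of them. One inference worth a line in the Notes: actionstop deletes with `-D` from whatever `chain` evaluates to at stop time, so changing the value while a jail is running would presumably leave the earlier rule in place.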
@@ -25,13 +25,13 @@ before = iptables-blocktype.conf # Values: CMD # actionstart = ipset create f2b- hash:ip timeout - iptables -I INPUT -p -m multiport --dports -m set --match-set f2b- src -j + iptables -I -p -m multiport --dports -m set --match-set f2b- src -j # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # -actionstop = iptables -D INPUT -p -m multiport --dports -m set --match-set f2b- src -j +actionstop = iptables -D -p -m multiport --dports -m set --match-set f2b- src -j ipset flush f2b- ipset destroy f2b- @@ -57,6 +57,12 @@ actionunban = ipset del f2b- -exist # name = default +# Option: chain +# Notes specifies the iptables chain to which the Fail2Ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT + # Option: port # Notes.: specifies port to monitor # Values: [ NUM | STRING ] Default: ssh From 65ff3e960498fc78282787ca5a4bbe1c2604f8f2 Mon Sep 17 00:00:00 2001 From: SATO Kentaro Date: Wed, 18 Jun 2014 19:04:57 +0900 Subject: [PATCH 2/2] ENH: Introduce iptables-common.conf. --- MANIFEST | 2 +- config/action.d/firewallcmd-ipset.conf | 18 +------- config/action.d/firewallcmd-new.conf | 18 +------- config/action.d/iptables-allports.conf | 17 +------ config/action.d/iptables-blocktype.conf | 22 --------- config/action.d/iptables-common.conf | 45 +++++++++++++++++++ config/action.d/iptables-ipset-proto4.conf | 23 +--------- .../iptables-ipset-proto6-allports.conf | 15 +------ config/action.d/iptables-ipset-proto6.conf | 27 +---------- config/action.d/iptables-multiport-log.conf | 23 +--------- config/action.d/iptables-multiport.conf | 23 +--------- config/action.d/iptables-new.conf | 24 +--------- config/action.d/iptables-xt_recent-echo.conf | 16 ++----- config/action.d/iptables.conf | 23 +--------- 14 files changed, 61 insertions(+), 235 deletions(-) delete mode 100644 config/action.d/iptables-blocktype.conf create mode 100644 config/action.d/iptables-common.conf 
diff --git a/MANIFEST b/MANIFEST index 7df491999..92edcca8a 100644 --- a/MANIFEST +++ b/MANIFEST @@ -258,7 +258,7 @@ config/action.d/dummy.conf config/action.d/firewallcmd-new.conf config/action.d/firewallcmd-ipset.conf config/action.d/iptables-ipset-proto6-allports.conf -config/action.d/iptables-blocktype.conf +config/action.d/iptables-common.conf config/action.d/iptables-ipset-proto4.conf config/action.d/iptables-ipset-proto6.conf config/action.d/iptables-xt_recent-echo.conf diff --git a/config/action.d/firewallcmd-ipset.conf b/config/action.d/firewallcmd-ipset.conf index 03e30c3c8..38b0f3d33 100644 --- a/config/action.d/firewallcmd-ipset.conf +++ b/config/action.d/firewallcmd-ipset.conf @@ -14,7 +14,7 @@ [INCLUDES] -before = iptables-blocktype.conf +before = iptables-common.conf [Definition] @@ -31,22 +31,6 @@ actionunban = ipset del fail2ban- -exist [Init] -# Default name of the chain -# -name = default - -# Option: port -# Notes.: specifies port to monitor -# Values: [ NUM | STRING ] -# -port = ssh - -# Option: protocol -# Notes.: internally used by config reader for interpolations. -# Values: [ tcp | udp | icmp | all ] -# -protocol = tcp - # Option: chain # Notes specifies the iptables chain to which the fail2ban rules should be # added diff --git a/config/action.d/firewallcmd-new.conf b/config/action.d/firewallcmd-new.conf index 628879673..9754e3f32 100644 --- a/config/action.d/firewallcmd-new.conf +++ b/config/action.d/firewallcmd-new.conf @@ -4,7 +4,7 @@ [INCLUDES] -before = iptables-blocktype.conf +before = iptables-common.conf [Definition] 
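Review bot: After the `@@ -31,22 +31,6 @@` hunk, firewallcmd-ipset.conf appears to keep its own `# Option: chain` block (it is the trailing context of the hunk) even though iptables-common.conf now supplies `chain = INPUT` through the changed `before =` include, whereas firewallcmd-new.conf's corresponding hunk drops its copy. Unless firewallcmd-ipset.conf is meant to diverge from the shared default, the local block is now a second definition of the same value and will silently shadow any later change to the common one; either remove it like the other files, or keep it with a comment `# overrides chain from iptables-common.conf` so the shadowing is visibly deliberate. The rest of the `[Init]` section lies outside the hunk, so I cannot confirm the value line itself.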
@@ -24,22 +24,6 @@ actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b- 0 -s -s -j [Init] -# Default name of the chain -# -name = default - -# Option: protocol -# Notes.: internally used by config reader for interpolations. -# Values: [ tcp | udp | icmp | all ] Default: tcp -# -protocol = tcp - -# Option: chain -# Notes specifies the iptables chain to which the fail2ban rules should be -# added -# Values: STRING Default: INPUT -chain = INPUT diff --git a/config/action.d/iptables-blocktype.conf b/config/action.d/iptables-blocktype.conf deleted file mode 100644 index c505e49cd..000000000 --- a/config/action.d/iptables-blocktype.conf +++ /dev/null @@ -1,22 +0,0 @@ -# Fail2Ban configuration file -# -# Author: Daniel Black -# -# This is a included configuration file and includes the defination for the blocktype -# used in all iptables based actions by default. -# -# The user can override the default in iptables-blocktype.local - -[INCLUDES] - -after = iptables-blocktype.local - -[Init] - -# Option: blocktype -# Note: This is what the action does with rules. This can be any jump target -# as per the iptables man page (section 8). Common values are DROP -# REJECT, REJECT --reject-with icmp-port-unreachable -# Values: STRING -blocktype = REJECT --reject-with icmp-port-unreachable - diff --git a/config/action.d/iptables-common.conf b/config/action.d/iptables-common.conf new file mode 100644 index 000000000..c191c5a17 --- /dev/null +++ b/config/action.d/iptables-common.conf 
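Review bot: The hunk strips every key from firewallcmd-new.conf's `[Init]` section but leaves the bare `[Init]` header behind, and the same happens in iptables-ipset-proto4.conf, iptables-multiport-log.conf, iptables-multiport.conf, iptables-new.conf, iptables-xt_recent-echo.conf and iptables.conf further down. An empty section header is harmless to the parser but reads like an accidental leftover; either drop it, or put one line under it pointing readers to where the defaults went: `# name, port, protocol, chain and blocktype are inherited from iptables-common.conf`. That line also tells a maintainer adding a new option here that the shared ones must be changed in the common file rather than re-declared per action.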
@@ -0,0 +1,45 @@ +# Fail2Ban configuration file +# +# Author: Daniel Black +# +# This is a included configuration file and includes the definitions for the iptables +# used in all iptables based actions by default. +# +# The user can override the defaults in iptables-common.local + +[INCLUDES] + +after = iptables-blocktype.local + iptables-common.local +# iptables-blocktype.local is obsolete + +[Init] + +# Option: chain +# Notes specifies the iptables chain to which the Fail2Ban rules should be +# added +# Values: STRING Default: INPUT +chain = INPUT + +# Default name of the chain +# +name = default + +# Option: port +# Notes.: specifies port to monitor +# Values: [ NUM | STRING ] Default: +# +port = ssh + +# Option: protocol +# Notes.: internally used by config reader for interpolations. +# Values: [ tcp | udp | icmp | all ] Default: tcp +# +protocol = tcp + +# Option: blocktype +# Note: This is what the action does with rules. This can be any jump target +# as per the iptables man page (section 8). Common values are DROP +# REJECT, REJECT --reject-with icmp-port-unreachable +# Values: STRING +blocktype = REJECT --reject-with icmp-port-unreachable diff --git a/config/action.d/iptables-ipset-proto4.conf b/config/action.d/iptables-ipset-proto4.conf index 4714f0df9..c72b1a85f 100644 --- a/config/action.d/iptables-ipset-proto4.conf +++ b/config/action.d/iptables-ipset-proto4.conf @@ -19,7 +19,7 @@ [INCLUDES] -before = iptables-blocktype.conf +before = iptables-common.conf [Definition] 
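Review bot: The comment `# Default name of the chain` above `name = default` is inaccurate for the ipset-based actions that now include this file — the lines PATCH 2/2 removes from iptables-ipset-proto4.conf and iptables-ipset-proto6*.conf described the same option as "Default name of the ipset" — so it should read `# Default name of the chain or ipset the action creates (appended to the f2b- prefix)`. `# Values: [ NUM | STRING ] Default:` for `port` names no default although `port = ssh` follows and the proto4 block it replaces said `Default: ssh` (the value may also have been lost in this rendering, so please check the file). Two smaller wording points: "This is a included configuration file" should be "an included", and the `# iptables-blocktype.local is obsolete` comment sits directly after the continuation line of `after =`, where it is easy to mistake for part of the value; moving it above the `after =` line is clearer. The `Author:` header still names the author of the deleted iptables-blocktype.conf rather than this commit's author, which is fine if intentional but worth a second attribution line.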
@@ -56,24 +56,3 @@ actionunban = ipset --test f2b- && ipset --del f2b- [Init] -# Default name of the ipset -# -name = default - -# Option: chain -# Notes specifies the iptables chain to which the Fail2Ban rules should be -# added -# Values: STRING Default: INPUT -chain = INPUT - -# Option: port -# Notes.: specifies port to monitor -# Values: [ NUM | STRING ] Default: ssh -# -port = ssh - -# Option: protocol -# Notes.: internally used by config reader for interpolations. -# Values: [ tcp | udp | icmp | all ] Default: tcp -# -protocol = tcp diff --git a/config/action.d/iptables-ipset-proto6-allports.conf b/config/action.d/iptables-ipset-proto6-allports.conf index a3726873f..aaeee4617 100644 --- a/config/action.d/iptables-ipset-proto6-allports.conf +++ b/config/action.d/iptables-ipset-proto6-allports.conf @@ -15,8 +15,7 @@ [INCLUDES] -before = iptables-blocktype.conf - +before = iptables-common.conf [Definition] @@ -53,18 +52,8 @@ actionunban = ipset del f2b- -exist [Init] -# Default name of the ipset -# -name = default - -# Option: chain -# Notes specifies the iptables chain to which the Fail2Ban rules should be -# added -# Values: STRING Default: INPUT -chain = INPUT - # Option: bantime # Notes: specifies the bantime in seconds (handled internally rather than by fail2ban) # Values: [ NUM ] Default: 600 - +# bantime = 600 diff --git a/config/action.d/iptables-ipset-proto6.conf b/config/action.d/iptables-ipset-proto6.conf index a3081ea07..bd36c49e0 100644 --- a/config/action.d/iptables-ipset-proto6.conf +++ b/config/action.d/iptables-ipset-proto6.conf @@ -15,8 +15,7 @@ [INCLUDES] -before = iptables-blocktype.conf - +before = iptables-common.conf [Definition] 
@@ -53,30 +52,8 @@ actionunban = ipset del f2b- -exist [Init] -# Default name of the ipset -# -name = default - -# Option: chain -# Notes specifies the iptables chain to which the Fail2Ban rules should be -# added -# Values: STRING Default: INPUT -chain = INPUT - -# Option: port -# Notes.: specifies port to monitor -# Values: [ NUM | STRING ] Default: ssh -# -port = ssh - -# Option: protocol -# Notes.: internally used by config reader for interpolations. -# Values: [ tcp | udp | icmp | all ] Default: tcp -# -protocol = tcp - # Option: bantime # Notes: specifies the bantime in seconds (handled internally rather than by fail2ban) # Values: [ NUM ] Default: 600 - +# bantime = 600 diff --git a/config/action.d/iptables-multiport-log.conf b/config/action.d/iptables-multiport-log.conf index 5a6110330..f4d80d6c6 100644 --- a/config/action.d/iptables-multiport-log.conf +++ b/config/action.d/iptables-multiport-log.conf @@ -11,7 +11,7 @@ [INCLUDES] -before = iptables-blocktype.conf +before = iptables-common.conf [Definition] @@ -60,24 +60,3 @@ actionunban = iptables -D f2b- -s -j f2b--log [Init] -# Default name of the chain -# -name = default - -# Option: port -# Notes.: specifies port to monitor -# Values: [ NUM | STRING ] Default: -# -port = ssh - -# Option: protocol -# Notes.: internally used by config reader for interpolations. -# Values: [ tcp | udp | icmp | all ] Default: tcp -# -protocol = tcp - -# Option: chain -# Notes specifies the iptables chain to which the fail2ban rules should be -# added -# Values: STRING Default: INPUT -chain = INPUT diff --git a/config/action.d/iptables-multiport.conf b/config/action.d/iptables-multiport.conf index ab3225bc8..b70baf92b 100644 --- a/config/action.d/iptables-multiport.conf +++ b/config/action.d/iptables-multiport.conf @@ -6,7 +6,7 @@ [INCLUDES] -before = iptables-blocktype.conf +before = iptables-common.conf [Definition] 
@@ -50,24 +50,3 @@ actionunban = iptables -D f2b- -s -j [Init] -# Default name of the chain -# -name = default - -# Option: port -# Notes.: specifies port to monitor -# Values: [ NUM | STRING ] Default: -# -port = ssh - -# Option: protocol -# Notes.: internally used by config reader for interpolations. -# Values: [ tcp | udp | icmp | all ] Default: tcp -# -protocol = tcp - -# Option: chain -# Notes specifies the iptables chain to which the fail2ban rules should be -# added -# Values: STRING Default: INPUT -chain = INPUT diff --git a/config/action.d/iptables-new.conf b/config/action.d/iptables-new.conf index 9a4587b1d..3c6657d98 100644 --- a/config/action.d/iptables-new.conf +++ b/config/action.d/iptables-new.conf @@ -8,8 +8,7 @@ [INCLUDES] -before = iptables-blocktype.conf - +before = iptables-common.conf [Definition] @@ -53,24 +52,3 @@ actionunban = iptables -D f2b- -s -j [Init] -# Default name of the chain -# -name = default - -# Option: port -# Notes.: specifies port to monitor -# Values: [ NUM | STRING ] Default: -# -port = ssh - -# Option: protocol -# Notes.: internally used by config reader for interpolations. -# Values: [ tcp | udp | icmp | all ] Default: tcp -# -protocol = tcp - -# Option: chain -# Notes specifies the iptables chain to which the fail2ban rules should be -# added -# Values: STRING Default: INPUT -chain = INPUT diff --git a/config/action.d/iptables-xt_recent-echo.conf b/config/action.d/iptables-xt_recent-echo.conf index 5d309b56a..1a72968f9 100644 --- a/config/action.d/iptables-xt_recent-echo.conf +++ b/config/action.d/iptables-xt_recent-echo.conf @@ -6,8 +6,7 @@ [INCLUDES] -before = iptables-blocktype.conf - +before = iptables-common.conf [Definition] 
@@ -33,14 +32,14 @@ before = iptables-blocktype.conf # own rules. The 3600 second timeout is independent and acts as a # safeguard in case the fail2ban process dies unexpectedly. The # shorter of the two timeouts actually matters. -actionstart = if [ `id -u` -eq 0 ];then iptables -I INPUT -m recent --update --seconds 3600 --name f2b- -j ;fi +actionstart = if [ `id -u` -eq 0 ];then iptables -I -m recent --update --seconds 3600 --name f2b- -j ;fi # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = echo / > /proc/net/xt_recent/f2b- - if [ `id -u` -eq 0 ];then iptables -D INPUT -m recent --update --seconds 3600 --name f2b- -j ;fi + if [ `id -u` -eq 0 ];then iptables -D -m recent --update --seconds 3600 --name f2b- -j ;fi # Option: actioncheck # Notes.: command executed once before each actionban command @@ -66,12 +65,3 @@ actionunban = echo - > /proc/net/xt_recent/f2b- [Init] -# Default name of the chain -# -name = default - -# Option: protocol -# Notes.: internally used by config reader for interpolations. -# Values: [ tcp | udp | icmp | all ] Default: tcp -# -protocol = tcp diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf index 5afe4bf13..a956fc55f 100644 --- a/config/action.d/iptables.conf +++ b/config/action.d/iptables.conf @@ -6,7 +6,7 @@ [INCLUDES] -before = iptables-blocktype.conf +before = iptables-common.conf [Definition] @@ -50,24 +50,3 @@ actionunban = iptables -D f2b- -s -j [Init] -# Default name of the chain -# -name = default - -# Option: port -# Notes.: specifies port to monitor -# Values: [ NUM | STRING ] Default: -# -port = ssh - -# Option: protocol -# Notes.: internally used by config reader for interpolations. -# Values: [ tcp | udp | icmp | all ] Default: tcp -# -protocol = tcp - -# Option: chain -# Notes specifies the iptables chain to which the fail2ban rules should be -# added -# Values: STRING Default: INPUT -chain = INPUT