Merge pull request #1112 from szepeviktor/pass2allow

Added pass2allow (knocking with fail2ban)

ChangeLog

@@ -32,8 +32,14 @@ ver. 0.9.3 (2015/XX/XXX) - wanna-be-released
      currently not banned or persistent)
 
 - New Features:
+   * RETURN iptables target is now a variable: <returntype>
+   * New type of operation: pass2allow, use fail2ban for "knocking",
+     opening a closed port by swapping blocktype and returntype
    * New filters:
      - froxlor-auth  Thanks Joern Muehlencord
+     - apache-pass - filter Apache access log for successfull authentication
+   * New jails:
+     - pass2allow-ftp - allows FTP traffic after successful HTTP authentication
 
 - Enhancements:
    * action.d/cloudflare.conf - improved documentation on how to allow

config/action.d/iptables-allports.conf

@@ -18,7 +18,7 @@ before = iptables-common.conf
 # Values:  CMD
 #
 actionstart = iptables -N f2b-<name>
-              iptables -A f2b-<name> -j RETURN
+              iptables -A f2b-<name> -j <returntype>
               iptables -I <chain> -p <protocol> -j f2b-<name>
 
 # Option:  actionstop

config/action.d/iptables-common.conf

@@ -43,3 +43,9 @@ protocol = tcp
 #          REJECT, REJECT --reject-with icmp-port-unreachable
 # Values:  STRING
 blocktype = REJECT --reject-with icmp-port-unreachable
+
+# Option:  returntype
+# Note:    This is the default rule on "actionstart". This should be RETURN
+#          in all (blocking) actions, except REJECT in allowing actions.
+# Values:  STRING
+returntype = RETURN

config/action.d/iptables-multiport-log.conf

@@ -20,7 +20,7 @@ before = iptables-common.conf
 # Values:  CMD
 #
 actionstart = iptables -N f2b-<name>
-              iptables -A f2b-<name> -j RETURN
+              iptables -A f2b-<name> -j <returntype>
               iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j f2b-<name>
               iptables -N f2b-<name>-log
               iptables -I f2b-<name>-log -j LOG --log-prefix "$(expr f2b-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2

config/action.d/iptables-multiport.conf

@@ -15,7 +15,7 @@ before = iptables-common.conf
 # Values:  CMD
 #
 actionstart = iptables -N f2b-<name>
-              iptables -A f2b-<name> -j RETURN
+              iptables -A f2b-<name> -j <returntype>
               iptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
 
 # Option:  actionstop

config/action.d/iptables-new.conf

@@ -17,7 +17,7 @@ before = iptables-common.conf
 # Values:  CMD
 #
 actionstart = iptables -N f2b-<name>
-              iptables -A f2b-<name> -j RETURN
+              iptables -A f2b-<name> -j <returntype>
               iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
 
 # Option:  actionstop

config/action.d/iptables.conf

@@ -15,7 +15,7 @@ before = iptables-common.conf
 # Values:  CMD
 #
 actionstart = iptables -N f2b-<name>
-              iptables -A f2b-<name> -j RETURN
+              iptables -A f2b-<name> -j <returntype>
               iptables -I <chain> -p <protocol> --dport <port> -j f2b-<name>
 
 # Option:  actionstop

config/filter.d/apache-pass.conf

@@ -0,0 +1,20 @@
+# Fail2Ban Apache pass filter
+# This filter is for access.log, NOT for error.log
+#
+# The knocking request must have a referer.
+
+[INCLUDES]
+
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^<HOST> - \w+ \[\] "GET <knocking_url> HTTP/1\.[01]" 200 \d+ ".*" "[^-].*"$
+
+ignoreregex =
+
+[Init]
+
+knocking_url = /knocking/
+
+# Author: Viktor Szépe

config/jail.conf

@@ -767,3 +767,16 @@ port = 2222
 enabled  = false
 logpath  = /var/lib/portsentry/portsentry.history
 maxretry = 1
+
+[pass2allow-ftp]
+# this pass2allow example allows FTP traffic after successful HTTP authentication
+port         = ftp,ftp-data,ftps,ftps-data
+# knocking URL needs to be customized in apache-pass.local
+filter       = apache-pass
+# access log of the website with HTTP auth
+logpath      = %(apache_access_log)s
+blocktype    = RETURN
+returntype   = DROP
+bantime      = 3600
+maxretry     = 1
+findtime     = 1

fail2ban/tests/files/logs/apache-pass

@@ -0,0 +1,2 @@
+# failJSON: { "time": "2013-06-27T11:55:44", "match": true , "host": "192.0.2.12" }
+192.0.2.12 - user1 [27/Jun/2013:11:55:44] "GET /knocking/ HTTP/1.1" 200 266 "http://domain.net/hello-world/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0"