github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge pull request #1112 from szepeviktor/pass2allow 

Added pass2allow (knocking with fail2ban)
pull/1128/head
Yaroslav Halchenko 2015-07-16 21:54:10 -04:00
parent 95c2a2976f 948b12e5df
commit 80946ed54c
10 changed files with 52 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ChangeLog
View File

@ -32,8 +32,14 @@ ver. 0.9.3 (2015/XX/XXX) - wanna-be-released
currently not banned or persistent) currently not banned or persistent)
- New Features: - New Features:
* RETURN iptables target is now a variable: <returntype>
* New type of operation: pass2allow, use fail2ban for "knocking",
opening a closed port by swapping blocktype and returntype
* New filters: * New filters:
- froxlor-auth Thanks Joern Muehlencord - froxlor-auth Thanks Joern Muehlencord
- apache-pass - filter Apache access log for successfull authentication
* New jails:
- pass2allow-ftp - allows FTP traffic after successful HTTP authentication
- Enhancements: - Enhancements:
* action.d/cloudflare.conf - improved documentation on how to allow * action.d/cloudflare.conf - improved documentation on how to allow

2
config/action.d/iptables-allports.conf
View File

@ -18,7 +18,7 @@ before = iptables-common.conf
# Values: CMD # Values: CMD
# #
actionstart = iptables -N f2b-<name> actionstart = iptables -N f2b-<name>
iptables -A f2b-<name> -j RETURN iptables -A f2b-<name> -j <returntype>
iptables -I <chain> -p <protocol> -j f2b-<name> iptables -I <chain> -p <protocol> -j f2b-<name>
# Option: actionstop # Option: actionstop

6
config/action.d/iptables-common.conf
View File

@ -43,3 +43,9 @@ protocol = tcp
# REJECT, REJECT --reject-with icmp-port-unreachable # REJECT, REJECT --reject-with icmp-port-unreachable
# Values: STRING # Values: STRING
blocktype = REJECT --reject-with icmp-port-unreachable blocktype = REJECT --reject-with icmp-port-unreachable
# Option: returntype
# Note: This is the default rule on "actionstart". This should be RETURN
# in all (blocking) actions, except REJECT in allowing actions.
# Values: STRING
returntype = RETURN

2
config/action.d/iptables-multiport-log.conf
View File

@ -20,7 +20,7 @@ before = iptables-common.conf
# Values: CMD # Values: CMD
# #
actionstart = iptables -N f2b-<name> actionstart = iptables -N f2b-<name>
iptables -A f2b-<name> -j RETURN iptables -A f2b-<name> -j <returntype>
iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j f2b-<name> iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j f2b-<name>
iptables -N f2b-<name>-log iptables -N f2b-<name>-log
iptables -I f2b-<name>-log -j LOG --log-prefix "$(expr f2b-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 iptables -I f2b-<name>-log -j LOG --log-prefix "$(expr f2b-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2

2
config/action.d/iptables-multiport.conf
View File

@ -15,7 +15,7 @@ before = iptables-common.conf
# Values: CMD # Values: CMD
# #
actionstart = iptables -N f2b-<name> actionstart = iptables -N f2b-<name>
iptables -A f2b-<name> -j RETURN iptables -A f2b-<name> -j <returntype>
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name> iptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
# Option: actionstop # Option: actionstop

2
config/action.d/iptables-new.conf
View File

@ -17,7 +17,7 @@ before = iptables-common.conf
# Values: CMD # Values: CMD
# #
actionstart = iptables -N f2b-<name> actionstart = iptables -N f2b-<name>
iptables -A f2b-<name> -j RETURN iptables -A f2b-<name> -j <returntype>
iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name> iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
# Option: actionstop # Option: actionstop

2
config/action.d/iptables.conf
View File

@ -15,7 +15,7 @@ before = iptables-common.conf
# Values: CMD # Values: CMD
# #
actionstart = iptables -N f2b-<name> actionstart = iptables -N f2b-<name>
iptables -A f2b-<name> -j RETURN iptables -A f2b-<name> -j <returntype>
iptables -I <chain> -p <protocol> --dport <port> -j f2b-<name> iptables -I <chain> -p <protocol> --dport <port> -j f2b-<name>
# Option: actionstop # Option: actionstop

20
config/filter.d/apache-pass.conf Normal file
View File

@ -0,0 +1,20 @@
# Fail2Ban Apache pass filter
# This filter is for access.log, NOT for error.log
#
# The knocking request must have a referer.
[INCLUDES]
before = apache-common.conf
[Definition]
failregex = ^<HOST> - \w+ \[\] "GET <knocking_url> HTTP/1\.[01]" 200 \d+ ".*" "[^-].*"$
ignoreregex =
[Init]
knocking_url = /knocking/
# Author: Viktor Szépe

13
config/jail.conf
View File

@ -767,3 +767,16 @@ port = 2222
enabled = false enabled = false
logpath = /var/lib/portsentry/portsentry.history logpath = /var/lib/portsentry/portsentry.history
maxretry = 1 maxretry = 1
[pass2allow-ftp]
# this pass2allow example allows FTP traffic after successful HTTP authentication
port = ftp,ftp-data,ftps,ftps-data
# knocking URL needs to be customized in apache-pass.local
filter = apache-pass
# access log of the website with HTTP auth
logpath = %(apache_access_log)s
blocktype = RETURN
returntype = DROP
bantime = 3600
maxretry = 1
findtime = 1

2
fail2ban/tests/files/logs/apache-pass Normal file
View File

@ -0,0 +1,2 @@
# failJSON: { "time": "2013-06-27T11:55:44", "match": true , "host": "192.0.2.12" }
192.0.2.12 - user1 [27/Jun/2013:11:55:44] "GET /knocking/ HTTP/1.1" 200 266 "http://domain.net/hello-world/" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:40.0) Gecko/20100101 Firefox/40.0"