Merge pull request #468 from grooverdan/xarf

ENH: action.d/Xarf reporting of messages

ChangeLog

@@ -39,6 +39,9 @@ code-review and minor additions from Yaroslav Halchenko.
    Daniel Black and John Thoe
    * Multiline regex for Disconnecting: Too many authentication failures for
      root [preauth]\nConnection closed by 6X.XXX.XXX.XXX [preauth]
+   Daniel Black
+   * Added action xarf-login-attack to report formatted attack messages
+     according to the XARF standard (v0.2). Close gh-105
 
 - Enhancements
   Steven Hiscocks

config/action.d/xarf-login-attack.conf

@@ -0,0 +1,126 @@
+# Fail2Ban action for sending xarf Login-Attack messages to IP owner
+#
+# IMPORTANT: 
+# 
+# Emailing a IP owner of abuse is a serious complain. Make sure that it is
+# serious. Fail2ban developers and network owners recommend you only use this
+# action for:
+#   * The recidive where the IP has been banned multiple times
+#   * Where maxretry has been set quite high, beyond the normal user typing
+#     password incorrectly.
+#   * For filters that have a low likelyhood of receiving human errors
+#
+# DEPENDANCIES:
+#
+# This requires the dig command from bind-utils
+#
+# This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
+#
+# XARF is a specification for sending a formatted response
+# for non-messaging based abuse including:
+#
+# Login-Attack, Malware-Attack, Fraud (Phishing, etc.), Info DNSBL
+#
+# For details see:
+# https://github.com/abusix/xarf-specification
+# http://www.x-arf.org/schemata.html
+#
+# Author: Daniel Black
+# Based on complain written by Russell Odom <russ@gloomytrousers.co.uk>
+#
+#
+
+[Definition]
+
+actionstart =
+
+actionstop =
+
+actioncheck =
+
+actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP} ;ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
+            IP=<ip>
+            FROM=<sender>
+            SERVICE=<service>
+            FAILURES=<failures>
+            MATCHES=<matches>
+            REPORTID=<time>@`uname -n`
+            TLP=<tlp>
+            PORT=<port>
+            DATE=`LC_TIME=C date -u --date=@<time> +"%%a, %%d %%h %%Y %%T +0000"`
+            if [ ! -z "$ADDRESSES" ]; then
+                (printf -- %%b "<header>\n<message>\n<report>\n${MATCHES}\n";
+                 date '+Note: Local timezone is %%z (%%Z)';
+                 tail -n <loglines> <logpath> | grep '[^0-9]<ip>[^0-9]';
+                 printf -- %%b "<footer>") | <mailcmd> <mailargs> ${ADDRESSES//,/\" \"}
+            fi
+
+actionunban =
+
+[Init]
+# Option: header
+# Notes:  This is really a fixed value
+header  = Subject: abuse report about $IP - $DATE\nAuto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed; charset=utf8;\n  boundary=Abuse-bfbb0f920793ac03cb8634bde14d8a1e;\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8;\n
+
+# Option: footer
+# Notes:  This is really a fixed value and needs to match the report and header
+#         mime delimiters
+footer = \n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e--
+
+# Option: report
+# Notes:  Intended to be fixed
+report =  --Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\";
+
+# Option: Message
+# Notes:  This can be modified by the users 
+message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to https://abusix.com/contactdb.html is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban in a X-ARF format! You can find more information about x-arf at http://www.x-arf.org/specification.html.\n
+
+# Option:  loglines
+# Notes.:  The number of log lines to search for the IP for the report
+loglines = 9000
+
+# Option:  mailcmd
+# Notes.:  Your system mail command. It is passed the recipient
+# Values:  CMD
+#
+mailcmd =  /usr/sbin/sendmail
+
+# Option:  mailargs
+# Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
+#          CC reports to another address:
+#              -c me@example.com
+#          Appear to come from a different address - the '--' indicates
+#          arguments to be passed to Sendmail:
+#              -- -f me@example.com
+# Values:  [ STRING ]
+#
+mailargs = -f <sender>
+
+# Option:  tlp
+# Notes.:  Traffic light protocol defining the sharing of this information.
+#          http://www.trusted-introducer.org/ISTLPv11.pdf
+#          green is share to those involved in network security but it is not 
+#          to be released to the public.
+tlp = green
+
+# ALL of the following parameters should be set so the report contains
+# meaningful information
+
+# Option: service
+# Notes.: This is the service type that was attacked. e.g. ssh, pop3
+service = unspecified
+
+# Option:  logpath
+# Notes:   Path to the log files which contain relevant lines for the abuser IP
+# Values:  Filename(s) space separated and can contain wildcards (these are
+#          greped for the IP so make sure these aren't too long
+logpath = /dev/null
+
+# Option:  sender
+# Notes.:  This is the sender that is included in the XARF report
+sender = fail2ban@`uname -n`
+
+# Option:  port
+# Notes.:  This is the port number that received the login-attack
+port = 0
+

config/jail.conf

@@ -109,9 +109,12 @@ filter = %(__name__)s
 # Some options used for actions
 
 # Destination email address used solely for the interpolations in
-# jail.{conf,local} configuration files.
+# jail.{conf,local,d/*} configuration files.
 destemail = root@localhost
 
+# Sender email address used solely for some actions
+sender = root@localhost
+
 # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
 # mailing. Change mta configuration parameter to mail if you want to
 # revert to conventional 'mail'.
@@ -148,6 +151,13 @@ action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protoc
 action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
 
+# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
+#
+# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
+# to the destemail.
+action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
+
 # Choose default action.  To change, just override value of 'action' with the
 # interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
 # globally (section [DEFAULT]) or per specific section