Add support for scanlogd (taken from upstream) (Closes: #983399)

debian
Sylvestre Ledru 2021-10-23 16:40:40 +02:00
parent d82412d442
commit 95856280fd
3 changed files with 62 additions and 0 deletions

2
debian/changelog vendored
View File

@ -17,6 +17,8 @@ fail2ban (0.11.2-3) unstable; urgency=medium
* Adjust the systemd path from /var/run => /run * Adjust the systemd path from /var/run => /run
(Closes: #902413) (Closes: #902413)
Thanks to Gabriel Filion for the patch Thanks to Gabriel Filion for the patch
* Add support for scanlogd (taken from upstream)
(Closes: #983399)
-- Sylvestre Ledru <sylvestre@debian.org> Sat, 23 Oct 2021 16:09:47 +0200 -- Sylvestre Ledru <sylvestre@debian.org> Sat, 23 Oct 2021 16:09:47 +0200

59
debian/patches/scanlogd.patch vendored Normal file
View File

@ -0,0 +1,59 @@
From f15ed356198728c18470794ce6d88fb786571dc4 Mon Sep 17 00:00:00 2001
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date: Thu, 25 Feb 2021 20:13:18 +0100
Subject: [PATCH 1/5] config/: Add support for filtering out detected port
scans via scanlogd.
---
config/filter.d/scanlogd.conf | 17 +++++++++++++++++
config/jail.conf | 3 +++
2 files changed, 20 insertions(+)
create mode 100644 config/filter.d/scanlogd.conf
Index: fail2ban/config/filter.d/scanlogd.conf
===================================================================
--- /dev/null
+++ fail2ban/config/filter.d/scanlogd.conf
@@ -0,0 +1,17 @@
+# Fail2Ban filter for port scans detected by scanlogd
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = scanlogd
+
+failregex = ^%(__prefix_line)s<ADDR>(?::<F-PORT/>)? to \S+ ports\b
+
+ignoreregex =
+
+# Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Index: fail2ban/config/jail.conf
===================================================================
--- fail2ban.orig/config/jail.conf
+++ fail2ban/config/jail.conf
@@ -962,3 +962,7 @@ logpath = %(apache_error_log)s
# see `filter.d/traefik-auth.conf` for details and service example.
port = http,https
logpath = /var/log/traefik/access.log
+
+[scanlogd]
+logpath = %(syslog_local0)s
+banaction = %(banaction_allports)s
Index: fail2ban/fail2ban/tests/files/logs/scanlogd
===================================================================
--- /dev/null
+++ fail2ban/fail2ban/tests/files/logs/scanlogd
@@ -0,0 +1,8 @@
+# failJSON: { "time": "2005-03-05T21:44:43", "match": true , "host": "192.0.2.123" }
+Mar 5 21:44:43 srv scanlogd: 192.0.2.123 to 192.0.2.1 ports 80, 81, 83, 88, 99, 443, 1080, 3128, ..., f????uxy, TOS 00, TTL 49 @20:44:43
+# failJSON: { "time": "2005-03-05T21:44:44", "match": true , "host": "192.0.2.123" }
+Mar 5 21:44:44 srv scanlogd: 192.0.2.123 to 192.0.2.1 ports 497, 515, 544, 543, 464, 513, ..., fSrpauxy, TOS 00 @09:04:25
+# failJSON: { "time": "2005-03-05T21:44:45", "match": true , "host": "192.0.2.123" }
+Mar 5 21:44:45 srv scanlogd: 192.0.2.123 to 192.0.2.1 ports 593, 548, 636, 646, 625, 631, ..., fSrpauxy, TOS 00, TTL 239 @17:34:00
+# failJSON: { "time": "2005-03-05T21:44:46", "match": true , "host": "192.0.2.123" }
+Mar 5 21:44:46 srv scanlogd: 192.0.2.123 to 192.0.2.1 ports 22, 26, 37, 80, 25, 79, ..., fSrpauxy, TOS 00 @22:38:37

View File

@ -9,3 +9,4 @@ roundcube.diff
fix-mail.patch fix-mail.patch
debian_roundcube.diff debian_roundcube.diff
systemd-run.diff systemd-run.diff
scanlogd.patch