BF/ENH: fixed so xarf-login-attack works
parent
5cc7173fd4
commit
d015f7f4fc
|
@ -31,18 +31,23 @@ actioncheck =
|
|||
actionban = ADDRESSES=`querycontacts <ip>`
|
||||
IP=<ip>
|
||||
FROM=<sender>
|
||||
SERVICE=<name>
|
||||
SERVICE=<service>
|
||||
FAILURES=<failures>
|
||||
MATCHES=<matches>
|
||||
REPORTID=<time>@`uname -n`
|
||||
TLP=<tlp>
|
||||
PORT=<port>
|
||||
DATE=`LC_TIME=C date -u --date=@<time> +"%%a, %%d %%h %%Y %%T +0000"`
|
||||
if [ ! -z "$ADDRESSES" ]; then
|
||||
(printf %%b -- "<header>\n<message>\n<report>\n${MATCHES}\n"; date '+Note: Local timezone is %%z (%%Z)'; tail -n 9000 <logpath> | grep '[^0-9]<ip>[^0-9]'; printf %%b -- "<footer>") | <mailcmd> "abuse report about <ip> - $DATE" <mailargs> $ADDRESSES
|
||||
(printf -- %%b "<header>\n<message>\n<report>\n${MATCHES}\n";
|
||||
date '+Note: Local timezone is %%z (%%Z)';
|
||||
tail -n <loglines> <logpath> | grep '[^0-9]<ip>[^0-9]';
|
||||
printf -- %%b "<footer>") | tee /tmp/message | <mailcmd> "abuse report about <ip> - $DATE" <mailargs> $ADDRESSES
|
||||
fi
|
||||
|
||||
actionunban =
|
||||
|
||||
[Init]
|
||||
|
||||
# Option: header
|
||||
# Notes: This is really a fixed value
|
||||
header = Auto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed; charset=utf8;\n boundary=Abuse-bfbb0f920793ac03cb8634bde14d8a1e;\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8;\n
|
||||
|
@ -50,21 +55,19 @@ header = Auto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encodi
|
|||
# Option: footer
|
||||
# Notes: This is really a fixed value and needs to match the report and header
|
||||
# mime delimiters
|
||||
footer = --Abuse-bfbb0f920793ac03cb8634bde14d8a1e--
|
||||
footer = \n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e--
|
||||
|
||||
# Option: report
|
||||
# Notes: Intended to be fixed
|
||||
report = --Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name="report.txt";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.1.2\nUser-Agent: Fail2ban v0.8\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name="logfile.log";
|
||||
report = --Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\";
|
||||
|
||||
# Option: Message
|
||||
# Notes: This cane be modified by the users
|
||||
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to https://abusix.com/contactdb.html is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban in a X-ARF format! You can find more information about x-arf at http://www.x-arf.org/specification.html.)\n
|
||||
# Notes: This can be modified by the users
|
||||
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to https://abusix.com/contactdb.html is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban in a X-ARF format! You can find more information about x-arf at http://www.x-arf.org/specification.html.\n
|
||||
|
||||
# Option: logpath
|
||||
# Notes: Path to the log files which contain relevant lines for the abuser IP
|
||||
# Values: Filename(s) space separated and can contain wildcards (these are
|
||||
# greped for the IP so make sure these aren't too long
|
||||
logpath = /dev/null
|
||||
# Option: loglines
|
||||
# Notes.: The number of log lines to search for the IP for the report
|
||||
loglines = 9000
|
||||
|
||||
# Option: mailcmd
|
||||
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
|
||||
|
@ -83,6 +86,31 @@ mailcmd = mail -s
|
|||
#
|
||||
mailargs =
|
||||
|
||||
# Option: tlp
|
||||
# Notes.: Traffic light protocol defining the sharing of this information.
|
||||
# http://www.trusted-introducer.org/ISTLPv11.pdf
|
||||
# green is share to those involved in network security but it is not
|
||||
# to be released to the public.
|
||||
tlp = green
|
||||
|
||||
# ALL of the following parameters should be set so the report contains
|
||||
# meaningful information
|
||||
|
||||
# Option: service
|
||||
# Notes.: This is the service type that was attacked. e.g. ssh, pop3
|
||||
service = unspecified
|
||||
|
||||
# Option: logpath
|
||||
# Notes: Path to the log files which contain relevant lines for the abuser IP
|
||||
# Values: Filename(s) space separated and can contain wildcards (these are
|
||||
# greped for the IP so make sure these aren't too long
|
||||
logpath = /dev/null
|
||||
|
||||
# Option: sender
|
||||
# Notes.: This is the sender that is included in the XARF report
|
||||
sender =
|
||||
sender = fail2ban@`uname -n`
|
||||
|
||||
# Option: port
|
||||
# Notes.: This is the port number that received the login-attack
|
||||
port = 0
|
||||
|
||||
|
|
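Review bot: The `tee /tmp/message` inserted into the mail pipeline of `actionban` writes the complete abuse report — including the lines pulled from `<logpath>` — to a fixed, predictable filename in a world-writable directory, which reads like a leftover debugging aid rather than intended behaviour: fail2ban actions run with root privileges, so a pre-existing symlink at that path lets any local user redirect the write, and the file it leaves behind exposes the log excerpt to every local account. Drop it so the last pipeline line becomes `printf -- %%b "<footer>") | <mailcmd> "abuse report about <ip> - $DATE" <mailargs> $ADDRESSES`; if a local copy is really wanted, it belongs under a documented option using a private directory or `mktemp`, not a hard-coded `/tmp` path. Separately, `MATCHES=<matches>` assigns the substituted match text to a shell variable without quotes; if fail2ban substitutes the matched log lines verbatim here, as the bare tag suggests, a match containing whitespace, newlines or shell metacharacters would be parsed as further shell words or commands, so at minimum the assignment should be `MATCHES="<matches>"`, and the same caution applies to the unquoted `grep '[^0-9]<ip>[^0-9]'` pattern where the dots of an address match any character. Both points concern the new multi-line pipeline in the first hunk; the rest of the commit (the `\"` escaping in `report`, the `<loglines>` option and the moved `logpath` block) looks consistent.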