github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

BF/ENH: fixed so xarf-login-attack works

pull/468/head
Daniel Black 2013-12-01 17:49:35 +11:00
parent 5cc7173fd4
commit d015f7f4fc
1 changed files with 41 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
config/action.d/xarf-login-attack.conf
View File

@ -31,18 +31,23 @@ actioncheck =
actionban = ADDRESSES=`querycontacts <ip>`
IP=<ip>
FROM=<sender>
SERVICE=<name>
SERVICE=<service>
FAILURES=<failures>
MATCHES=<matches>
REPORTID=<time>@`uname -n`
TLP=<tlp>
PORT=<port>
DATE=`LC_TIME=C date -u --date=@<time> +"%%a, %%d %%h %%Y %%T +0000"`
if [ ! -z "$ADDRESSES" ]; then
(printf %%b -- "<header>\n<message>\n<report>\n${MATCHES}\n"; date '+Note: Local timezone is %%z (%%Z)'; tail -n 9000 <logpath> | grep '[^0-9]<ip>[^0-9]'; printf %%b -- "<footer>") | <mailcmd> "abuse report about <ip> - $DATE" <mailargs> $ADDRESSES
(printf -- %%b "<header>\n<message>\n<report>\n${MATCHES}\n";
date '+Note: Local timezone is %%z (%%Z)';
tail -n <loglines> <logpath> | grep '[^0-9]<ip>[^0-9]';
printf -- %%b "<footer>") | tee /tmp/message | <mailcmd> "abuse report about <ip> - $DATE" <mailargs> $ADDRESSES
fi
actionunban =
[Init]
# Option: header
# Notes: This is really a fixed value
header = Auto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed; charset=utf8;\n boundary=Abuse-bfbb0f920793ac03cb8634bde14d8a1e;\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8;\n
@ -50,21 +55,19 @@ header = Auto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encodi
# Option: footer
# Notes: This is really a fixed value and needs to match the report and header
# mime delimiters
footer = --Abuse-bfbb0f920793ac03cb8634bde14d8a1e--
footer = \n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e--
# Option: report
# Notes: Intended to be fixed
report = --Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name="report.txt";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.1.2\nUser-Agent: Fail2ban v0.8\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name="logfile.log";
report = --Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\";
# Option: Message
# Notes: This cane be modified by the users
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to https://abusix.com/contactdb.html is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban in a X-ARF format! You can find more information about x-arf at http://www.x-arf.org/specification.html.)\n
# Notes: This can be modified by the users
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to https://abusix.com/contactdb.html is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban in a X-ARF format! You can find more information about x-arf at http://www.x-arf.org/specification.html.\n
# Option: logpath
# Notes: Path to the log files which contain relevant lines for the abuser IP
# Values: Filename(s) space separated and can contain wildcards (these are
# greped for the IP so make sure these aren't too long
logpath = /dev/null
# Option: loglines
# Notes.: The number of log lines to search for the IP for the report
loglines = 9000
# Option: mailcmd
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
@ -83,6 +86,31 @@ mailcmd = mail -s
#
mailargs =
# Option: tlp
# Notes.: Traffic light protocol defining the sharing of this information.
# http://www.trusted-introducer.org/ISTLPv11.pdf
# green is share to those involved in network security but it is not
# to be released to the public.
tlp = green
# ALL of the following parameters should be set so the report contains
# meaningful information
# Option: service
# Notes.: This is the service type that was attacked. e.g. ssh, pop3
service = unspecified
# Option: logpath
# Notes: Path to the log files which contain relevant lines for the abuser IP
# Values: Filename(s) space separated and can contain wildcards (these are
# greped for the IP so make sure these aren't too long
logpath = /dev/null
# Option: sender
# Notes.: This is the sender that is included in the XARF report
sender =
sender = fail2ban@`uname -n`
# Option: port
# Notes.: This is the port number that received the login-attack
port = 0