From a220184fc1da67cbef682fc225f35cf0ac9e1edb Mon Sep 17 00:00:00 2001
From: Robb Ballard
Date: Mon, 4 Nov 2013 13:33:35 -0700
Subject: [PATCH 1/5] Initial pwhois config additions.

---
config/action.d/complain-pwhois.conf | 95 ++++++++++++++++++++++
config/action.d/sendmail-pwhois-lines.conf | 82 +++++++++++++++++++
config/action.d/sendmail-pwhois.conf | 76 +++++++++++++++++
3 files changed, 253 insertions(+)
create mode 100644 config/action.d/complain-pwhois.conf
create mode 100644 config/action.d/sendmail-pwhois-lines.conf
create mode 100644 config/action.d/sendmail-pwhois.conf

diff --git a/config/action.d/complain-pwhois.conf b/config/action.d/complain-pwhois.conf
new file mode 100644
index 00000000..7390db3e
--- /dev/null
+++ b/config/action.d/complain-pwhois.conf
@@ -0,0 +1,95 @@ +# Fail2Ban configuration file +# +# Author: Russell Odom +# Sends a complaint e-mail to addresses listed in the whois record for an +# offending IP address. +# +# You should provide the in the jail config - lines from the log +# matching the given IP address will be provided in the complaint as evidence. +# +# Note that we will try to use e-mail addresses that are most likely to be abuse +# addresses (based on various keywords). If they aren't found we fall back on +# any other addresses found in the whois record, with a few exceptions. +# If no addresses are found, no e-mail is sent. +# +# WARNING +# ------- +# +# Please do not use this action unless you are certain that fail2ban +# does not result in "false positives" for your deployment. False +# positive reports could serve a mis-favor to the original cause by +# flooding corresponding contact addresses, and complicating the work +# of administration personnel responsible for handling (verified) legit +# complains. +# +# Please consider using e.g. sendmail-whois-lines.conf action which +# would send the reports with relevant information to you, so the +# report could be first reviewed and then forwarded to a corresponding +# contact if legit. +# + + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. 
+# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = ADDRESSES=`/usr/bin/whois -h whois.pwhois.org 'app="fail2ban:" type=all ' | perl -e 'while () { next if /^changed|@(ripe|apnic)\.net/io; $m += (/abuse|trouble:|report|spam|security/io?3:0); if (/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)/io) { while (s/([a-z0-9_\-\.+]+@[a-z0-9\-]+(\.[[a-z0-9\-]+)+)//io) { if ($m) { $a{lc($1)}=$m } else { $b{lc($1)}=$m } } $m=0 } else { $m && --$m } } if (%%a) {print join(",",keys(%%a))} else {print join(",",keys(%%b))}'` + IP= + if [ ! -z "$ADDRESSES" ]; then + (printf %%b "\n"; date '+Note: Local timezone is %%z (%%Z)'; grep '' ) | "Abuse from " $ADDRESSES + fi + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = + +[Init] +message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a whois lookup is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process. This mail was generated by Fail2Ban.)\n + +# Path to the log files which contain relevant lines for the abuser IP +# +logpath = /dev/null + +# Option: mailcmd +# Notes.: Your system mail command. Is passed 2 args: subject and recipient +# Values: CMD +# +mailcmd = mail -s + +# Option: mailargs +# Notes.: Additional arguments to mail command. e.g. for standard Unix mail: +# CC reports to another address: +# -c me@example.com +# Appear to come from a different address - the '--' indicates +# arguments to be passed to Sendmail: +# -- -f me@example.com +# Values: [ STRING ] +# +mailargs = + 
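Review bot: The address-harvesting perl in `actionban` is carried over unchanged from complain.conf but now parses whois.pwhois.org output, and the example pwhois record in doc/README.pwhois contains no e-mail address at all (Org-Name, Street-1, Postal-Code and so on, but no abuse or tech contact), so unless `type=all` really returns contact addresses `$ADDRESSES` will always be empty and the action silently sends nothing; this should be verified against a live query and the expected contact fields named in the header. The `grep` over `logpath` in the same block appears to use the bare IP tag as in upstream complain.conf rather than the `\<...\>` word anchors used in `sendmail-pwhois-lines.conf` (tags look stripped in this rendering, so treat this as to-confirm), and an unanchored dotted IP such as 10.0.0.1 also matches 10.0.0.11 or 10.0.0.100 lines, which would then mail an unrelated client's log lines to a third party's abuse desk. The header should also say that each ban sends the jail name and the banned IP to whois.pwhois.org over plain whois (TCP/43), e.g. `# NOTE: every ban queries whois.pwhois.org with app="fail2ban:<jail>" and the banned IP; this leaves your network unencrypted and pwhois.org may retain it.` Finally, the WARNING block still recommends `sendmail-whois-lines.conf`; in this file it should point at `sendmail-pwhois-lines.conf`.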
diff --git a/config/action.d/sendmail-pwhois-lines.conf b/config/action.d/sendmail-pwhois-lines.conf new file mode 100644 index 00000000..20b05d48 --- /dev/null +++ b/config/action.d/sendmail-pwhois-lines.conf @@ -0,0 +1,82 @@ +# Fail2Ban configuration file +# +# Author: Cyril Jaquier +# +# + +[INCLUDES] + +before = sendmail-common.conf + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = printf %%b "Subject: [Fail2Ban] : started on `uname -n` + Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"` + From: <> + To: \n + Hi,\n + The jail has been started successfully.\n + Regards,\n + Fail2Ban" | /usr/sbin/sendmail -f + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = printf %%b "Subject: [Fail2Ban] : stopped on `uname -n` + Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"` + From: <> + To: \n + Hi,\n + The jail has been stopped.\n + Regards,\n + Fail2Ban" | /usr/sbin/sendmail -f + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = printf %%b "Subject: [Fail2Ban] : banned from `uname -n` + Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"` + 
From: <> + To: \n + Hi,\n + The IP has just been banned by Fail2Ban after + attempts against .\n\n + Here are more information about :\n + `/usr/bin/whois -h whois.pwhois.org 'app="fail2ban:" type=all '`\n\n + Lines containing IP: in \n + `grep '\<\>' `\n\n + Regards,\n + Fail2Ban" | /usr/sbin/sendmail -f + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = + +[Init] + +# Default name of the chain +# +name = default + +# Path to the log files which contain relevant lines for the abuser IP +# +logpath = /dev/null + diff --git a/config/action.d/sendmail-pwhois.conf b/config/action.d/sendmail-pwhois.conf new file mode 100644 index 00000000..482596e0 --- /dev/null +++ b/config/action.d/sendmail-pwhois.conf @@ -0,0 +1,76 @@ +# Fail2Ban configuration file +# +# Author: Cyril Jaquier +# +# + +[INCLUDES] + +before = sendmail-common.conf + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = printf %%b "Subject: [Fail2Ban] : started on `uname -n` + Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"` + From: <> + To: \n + Hi,\n + The jail has been started successfully.\n + Regards,\n + Fail2Ban" | /usr/sbin/sendmail -f + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = printf %%b "Subject: [Fail2Ban] : stopped on `uname -n` + Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"` + 
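Review bot: The header of sendmail-pwhois-lines.conf is empty apart from the author line, so nothing tells an operator that the only difference from sendmail-whois-lines.conf is that `actionban` sends the jail name and the banned IP to the third-party service whois.pwhois.org in cleartext, tagged `app="fail2ban:..."`, which doc/README.pwhois says is intended to feed a shared blacklist; add a description such as `# Sends the ban notice with a Prefix WhoIs lookup of the IP; the jail name and IP are submitted to whois.pwhois.org with every ban.` The server name is hard-coded in the backticked whois call, so an operator cannot point the action at a mirror or local cache; a `pwhoishost = whois.pwhois.org` entry under `[Init]` used as `-h <pwhoishost>` would keep the default while making it overridable from jail.local. The whois output is interpolated into the `printf %%b` argument, so backslash sequences in a remotely supplied record are interpreted as escapes in the mail body; this is inherited from the upstream file, but worth a one-line comment since the record source has changed.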
From: <> + To: \n + Hi,\n + The jail has been stopped.\n + Regards,\n + Fail2Ban" | /usr/sbin/sendmail -f + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = printf %%b "Subject: [Fail2Ban] : banned from `uname -n` + Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"` + From: <> + To: \n + Hi,\n + The IP has just been banned by Fail2Ban after + attempts against .\n\n + Here are more information about :\n + `/usr/bin/whois -h whois.pwhois.org 'app="fail2ban:" type=all '`\n + Regards,\n + Fail2Ban" | /usr/sbin/sendmail -f + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = + +[Init] + +# Default name of the chain +# +name = default + From ee02f6cf533b759f24ad9fbbdccb6913d5f1fe81 Mon Sep 17 00:00:00 2001 From: Robb Ballard Date: Thu, 7 Nov 2013 13:16:11 -0700 Subject: [PATCH 2/5] Added README.pwhois --- README.pwhois | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 README.pwhois diff --git a/README.pwhois b/README.pwhois new file mode 100644 index 00000000..bafc7589 --- /dev/null +++ b/README.pwhois 
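Review bot: The `actionban` of sendmail-pwhois.conf runs `/usr/bin/whois -h whois.pwhois.org ...` inline with no timeout, and since fail2ban executes a jail's actions sequentially, an unreachable or slow pwhois.org stalls every subsequent ban in that jail until the TCP connection gives up; if the target systems have coreutils, wrapping the lookup as `timeout 10 /usr/bin/whois -h whois.pwhois.org ...` bounds that, and in any case the header should warn about the dependency on an external host. The file is otherwise a verbatim copy of sendmail-whois.conf with one command changed, so fixes to the upstream action will not propagate here; using `before = sendmail-whois.conf` under `[INCLUDES]` and overriding only `actionban` would keep the two in step. The header block is still empty apart from the author lines and should at least name the service contacted and what is sent to it.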
@@ -0,0 +1,96 @@ +Fail2ban Prefix Whois Modifications +----------------------------------- + +We (the Prefix Whois folks) have been using fail2ban to protect various +services, and over time we have found that whois doesn't always provide +useful information without additional digging (see examples below). The +modified action configuration files use whois.pwhois.org with the standard +whois client installed on your operating system. The changes also include +passing a parameter that indicates the query is coming from a fail2ban +installation, as well as the service being blocked. We plan on making a +blacklist with automatic age-outs built with this data available to the +community in the future. + +Files: +------ +action.d/complain-pwhois.conf +action.d/sendmail-pwhois-lines.conf +action.d/sendmail-pwhois.conf + + +Example Whois Output: +--------------------- +[whois.arin.net] + +# +# ARIN WHOIS data and services are subject to the Terms of Use +# available at: https://www.arin.net/whois_tou.html +# + + +# +# Query terms are ambiguous. The query is assumed to be: +# "n 142.54.168.146" +# +# Use "?" to get help. 
+# + +# +# The following results may also be obtained via: +# http://whois.arin.net/rest/nets;q=142.54.168.146?showDetails=true&showARIN=false&ext=netref2 +# + +DataShack, LC DSV4-4 (NET-142-54-160-0-1) 142.54.160.0 - 142.54.191.255 +MMO Solution DS-168-146-150 (NET-142-54-168-144-1) 142.54.168.144 - 142.54.168.151 + + + +# +# ARIN WHOIS data and services are subject to the Terms of Use +# available at: https://www.arin.net/whois_tou.html +# + +Example Pwhois Output: +---------------------- +[whois.pwhois.org] +IP: 142.54.168.146 +Origin-AS: 33387 +Prefix: 142.54.160.0/19 +AS-Path: 1239 174 32097 33387 +AS-Org-Name: DataShack, LC +Org-Name: MMO Solution +Net-Name: DS-168-146-150 +Cache-Date: 1383626547 +Latitude: 39.147840 +Longitude: -94.568880 +City: KANSAS CITY +Region: MISSOURI +Country: UNITED STATES +Country-Code: US +AS-Org-Name-Source: ARIN +Org-Name-Source: ARIN +Net-Name-Source: ARIN +Route-Create-Date: Aug 22 2012 00:01:25 +Route-Modify-Date: Nov 05 2013 00:01:21 +Next-Hop: 144.228.241.130 +Net-Range: 142.54.168.144 - 142.54.168.151 +Net-Type: reassignment +Net-Register-Date: 2013-10-21 +Net-Update-Date: 2013-10-21 +Net-Create-Date: Sep 19 2013 01:51:07 +Net-Modify-Date: Nov 05 2013 01:53:22 +Org-Record: 0 +Org-ID: C04738597 +Org-Name: MMO Solution +Can-Allocate: 0 +Street-1: 201 E. 16th st +City: North Kansas City +State: MO +Postal-Code: 64116 +Country: US +Register-Date: 2013-10-21 +Update-Date: 2013-10-21 +Create-Date: Oct 23 2013 01:52:34 +Modify-Date: Nov 05 2013 01:53:22 + + From c1c18b171c29bda8ec7c767f22d19012f94404f7 Mon Sep 17 00:00:00 2001 From: Robb Ballard Date: Mon, 23 Dec 2013 06:13:28 -0700 Subject: [PATCH 3/5] Moved README.pwhois to doc/ --- README.pwhois | 96 --------------------------------------------------- 1 file changed, 96 deletions(-) delete mode 100644 README.pwhois diff --git a/README.pwhois b/README.pwhois deleted file mode 100644 index bafc7589..00000000 --- a/README.pwhois +++ /dev/null 
@@ -1,96 +0,0 @@ -Fail2ban Prefix Whois Modifications ------------------------------------ - -We (the Prefix Whois folks) have been using fail2ban to protect various -services, and over time we have found that whois doesn't always provide -useful information without additional digging (see examples below). The -modified action configuration files use whois.pwhois.org with the standard -whois client installed on your operating system. The changes also include -passing a parameter that indicates the query is coming from a fail2ban -installation, as well as the service being blocked. We plan on making a -blacklist with automatic age-outs built with this data available to the -community in the future. - -Files: ------- -action.d/complain-pwhois.conf -action.d/sendmail-pwhois-lines.conf -action.d/sendmail-pwhois.conf - - -Example Whois Output: ---------------------- -[whois.arin.net] - -# -# ARIN WHOIS data and services are subject to the Terms of Use -# available at: https://www.arin.net/whois_tou.html -# - - -# -# Query terms are ambiguous. The query is assumed to be: -# "n 142.54.168.146" -# -# Use "?" to get help. 
-# - -# -# The following results may also be obtained via: -# http://whois.arin.net/rest/nets;q=142.54.168.146?showDetails=true&showARIN=false&ext=netref2 -# - -DataShack, LC DSV4-4 (NET-142-54-160-0-1) 142.54.160.0 - 142.54.191.255 -MMO Solution DS-168-146-150 (NET-142-54-168-144-1) 142.54.168.144 - 142.54.168.151 - - - -# -# ARIN WHOIS data and services are subject to the Terms of Use -# available at: https://www.arin.net/whois_tou.html -# - -Example Pwhois Output: ----------------------- -[whois.pwhois.org] -IP: 142.54.168.146 -Origin-AS: 33387 -Prefix: 142.54.160.0/19 -AS-Path: 1239 174 32097 33387 -AS-Org-Name: DataShack, LC -Org-Name: MMO Solution -Net-Name: DS-168-146-150 -Cache-Date: 1383626547 -Latitude: 39.147840 -Longitude: -94.568880 -City: KANSAS CITY -Region: MISSOURI -Country: UNITED STATES -Country-Code: US -AS-Org-Name-Source: ARIN -Org-Name-Source: ARIN -Net-Name-Source: ARIN -Route-Create-Date: Aug 22 2012 00:01:25 -Route-Modify-Date: Nov 05 2013 00:01:21 -Next-Hop: 144.228.241.130 -Net-Range: 142.54.168.144 - 142.54.168.151 -Net-Type: reassignment -Net-Register-Date: 2013-10-21 -Net-Update-Date: 2013-10-21 -Net-Create-Date: Sep 19 2013 01:51:07 -Net-Modify-Date: Nov 05 2013 01:53:22 -Org-Record: 0 -Org-ID: C04738597 -Org-Name: MMO Solution -Can-Allocate: 0 -Street-1: 201 E. 16th st -City: North Kansas City -State: MO -Postal-Code: 64116 -Country: US -Register-Date: 2013-10-21 -Update-Date: 2013-10-21 -Create-Date: Oct 23 2013 01:52:34 -Modify-Date: Nov 05 2013 01:53:22 - - From 40c879f7e6dbaebe799520a7baa3f4edafdbb003 Mon Sep 17 00:00:00 2001 From: Robb Ballard Date: Mon, 23 Dec 2013 06:14:26 -0700 Subject: [PATCH 4/5] Moved README.pwhois to doc/ --- doc/README.pwhois | 96 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 doc/README.pwhois diff --git a/doc/README.pwhois b/doc/README.pwhois new file mode 100644 index 00000000..bafc7589 --- /dev/null +++ b/doc/README.pwhois 
@@ -0,0 +1,96 @@ +Fail2ban Prefix Whois Modifications +----------------------------------- + +We (the Prefix Whois folks) have been using fail2ban to protect various +services, and over time we have found that whois doesn't always provide +useful information without additional digging (see examples below). The +modified action configuration files use whois.pwhois.org with the standard +whois client installed on your operating system. The changes also include +passing a parameter that indicates the query is coming from a fail2ban +installation, as well as the service being blocked. We plan on making a +blacklist with automatic age-outs built with this data available to the +community in the future. + +Files: +------ +action.d/complain-pwhois.conf +action.d/sendmail-pwhois-lines.conf +action.d/sendmail-pwhois.conf + + +Example Whois Output: +--------------------- +[whois.arin.net] + +# +# ARIN WHOIS data and services are subject to the Terms of Use +# available at: https://www.arin.net/whois_tou.html +# + + +# +# Query terms are ambiguous. The query is assumed to be: +# "n 142.54.168.146" +# +# Use "?" to get help. 
+# + +# +# The following results may also be obtained via: +# http://whois.arin.net/rest/nets;q=142.54.168.146?showDetails=true&showARIN=false&ext=netref2 +# + +DataShack, LC DSV4-4 (NET-142-54-160-0-1) 142.54.160.0 - 142.54.191.255 +MMO Solution DS-168-146-150 (NET-142-54-168-144-1) 142.54.168.144 - 142.54.168.151 + + + +# +# ARIN WHOIS data and services are subject to the Terms of Use +# available at: https://www.arin.net/whois_tou.html +# + +Example Pwhois Output: +---------------------- +[whois.pwhois.org] +IP: 142.54.168.146 +Origin-AS: 33387 +Prefix: 142.54.160.0/19 +AS-Path: 1239 174 32097 33387 +AS-Org-Name: DataShack, LC +Org-Name: MMO Solution +Net-Name: DS-168-146-150 +Cache-Date: 1383626547 +Latitude: 39.147840 +Longitude: -94.568880 +City: KANSAS CITY +Region: MISSOURI +Country: UNITED STATES +Country-Code: US +AS-Org-Name-Source: ARIN +Org-Name-Source: ARIN +Net-Name-Source: ARIN +Route-Create-Date: Aug 22 2012 00:01:25 +Route-Modify-Date: Nov 05 2013 00:01:21 +Next-Hop: 144.228.241.130 +Net-Range: 142.54.168.144 - 142.54.168.151 +Net-Type: reassignment +Net-Register-Date: 2013-10-21 +Net-Update-Date: 2013-10-21 +Net-Create-Date: Sep 19 2013 01:51:07 +Net-Modify-Date: Nov 05 2013 01:53:22 +Org-Record: 0 +Org-ID: C04738597 +Org-Name: MMO Solution +Can-Allocate: 0 +Street-1: 201 E. 16th st +City: North Kansas City +State: MO +Postal-Code: 64116 +Country: US +Register-Date: 2013-10-21 +Update-Date: 2013-10-21 +Create-Date: Oct 23 2013 01:52:34 +Modify-Date: Nov 05 2013 01:53:22 + + From 2fe2261f676105e01783b670d56c38e0c5d4bbd9 Mon Sep 17 00:00:00 2001 From: Robb Ballard Date: Mon, 23 Dec 2013 06:25:00 -0700 Subject: [PATCH 5/5] Added pwhois change author line to modified configs --- config/action.d/complain-pwhois.conf | 3 +++ config/action.d/sendmail-pwhois-lines.conf | 2 ++ config/action.d/sendmail-pwhois.conf | 2 ++ 3 files changed, 7 insertions(+) 
diff --git a/config/action.d/complain-pwhois.conf b/config/action.d/complain-pwhois.conf index 7390db3e..cd631773 100644 --- a/config/action.d/complain-pwhois.conf +++ b/config/action.d/complain-pwhois.conf @@ -1,6 +1,9 @@ # Fail2Ban configuration file # # Author: Russell Odom +# +# Pwhois modifications added by Robb Ballard +# # Sends a complaint e-mail to addresses listed in the whois record for an # offending IP address. # diff --git a/config/action.d/sendmail-pwhois-lines.conf b/config/action.d/sendmail-pwhois-lines.conf index 20b05d48..f46e6859 100644 --- a/config/action.d/sendmail-pwhois-lines.conf +++ b/config/action.d/sendmail-pwhois-lines.conf @@ -2,6 +2,8 @@ # # Author: Cyril Jaquier # +# Pwhois modifications added by Robb Ballard +# # [INCLUDES] diff --git a/config/action.d/sendmail-pwhois.conf b/config/action.d/sendmail-pwhois.conf index 482596e0..14f861d5 100644 --- a/config/action.d/sendmail-pwhois.conf +++ b/config/action.d/sendmail-pwhois.conf @@ -1,6 +1,8 @@ # Fail2Ban configuration file # # Author: Cyril Jaquier +# +# Pwhois modifications added by Robb Ballard # #