diff --git a/config/fail2ban.conf.hostsdeny b/config/fail2ban.conf.hostsdeny
new file mode 100644
index 00000000..693d28a9
--- /dev/null
+++ b/config/fail2ban.conf.hostsdeny
@@ -0,0 +1,287 @@
+# Fail2Ban configuration file
+#
+# $Revision$
+#
+# 2005.06.21 modified for readability Iain Lea iain@bricbrac.de
+
+[DEFAULT]
+# Option: background
+# Notes.: start fail2ban as a daemon. Output is redirect to logfile.
+# Values: [true | false] Default: false
+#
+background = false
+
+# Option: logtargets
+# Notes.: log targets. Space separated list of logging targets.
+# Values: STDERR SYSLOG file Default: /var/log/fail2ban.log
+#
+logtargets = /var/log/fail2ban.log
+
+# Option: syslog-target
+# Notes.: where to find syslog facility if logtarget SYSLOG.
+# Values: SOCKET HOST HOST:PORT Default: /dev/log
+#
+syslog-target = /dev/log
+
+# Option: syslog-facility
+# Notes.: which syslog facility to use if logtarget SYSLOG.
+# Values: NUM Default: 1
+#
+syslog-facility = 1
+
+# Option: pidlock
+# Notes.: path of the PID lock file (must be able to write to file).
+# Values: FILE Default: /var/run/fail2ban.pid
+#
+pidlock = /var/run/fail2ban.pid
+
+# Option: maxfailures
+# Notes.: number of failures before IP gets banned.
+# Values: NUM Default: 5
+#
+maxfailures = 5
+
+# Option: bantime
+# Notes.: number of seconds an IP will be banned. If set to a negative
+# value, IP will never be unbanned (permanent banning).
+# Values: NUM Default: 600
+#
+bantime = 600
+
+# Option: findtime
+# Notes.: lifetime in seconds of a "failed" log entry.
+# Values: NUM Default: 600
+#
+findtime = 600
+
+# Option: ignoreip
+# Notes.: space separated list of IP's to be ignored by fail2ban.
+# You can use CIDR mask in order to specify a range.
+# Example: ignoreip = 192.168.0.1/24 123.45.235.65
+# Values: IP Default:
+#
+ignoreip =
+
+# Option: cmdstart
+# Notes.: command executed once at the start of Fail2Ban
+# Values: CMD Default:
+#
+cmdstart =
+
+# Option: cmdend
+# Notes.: command executed once at the end of Fail2Ban.
+# Values: CMD Default:
+#
+cmdend =
+
+# Option: polltime
+# Notes.: number of seconds fail2ban sleeps between iterations.
+# Values: NUM Default: 1
+#
+polltime = 1
+
+# Option: reinittime
+# Notes.: minimal number of seconds between the re-initialization of
+# firewalls due to external changes in their rules (see fwcheck)
+# Values: NUM Default: 100
+#
+reinittime = 10
+
+# Option: maxreinits
+# Notes.: maximal number of re-initialization of firewalls due to external
+# changes. -1 stays for infinite, so only reinittime is of importance
+# Values: NUM Default: -1
+#
+maxreinits = -1
+
+# NOTE: Interpolations
+#
+# fwstart, as well as fwend, fwcheck, fwban, fwunban, use interpolations
+# so %(__name__)s will be substituted by a name of each section
+# (unless the option is overriden in a section).
+# If you are going to use interpolations in your setup, please make
+# sure that you specified options port and protocol (which also has
+# an option in DEFAULT).
+#
+
+# Option: hostsdeny
+# Notes.: hosts.deny file path.
+# Values: STR Default: /etc/hosts.deny
+#
+hostsdeny = /etc/hosts.deny
+
+# Option: fwban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: IP address
+# number of failures
+# unix timestamp of the last failure
+# unix timestamp of the ban time
+# Values: CMD
+# Default: iptables -I INPUT 1 -s -j DROP
+#
+fwban = IP= && echo "ALL: $IP" >> %(hostsdeny)s
+
+# Option: fwunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: IP address
+# unix timestamp of the ban time
+# unix timestamp of the unban time
+# Values: CMD
+# Default: iptables -D INPUT -s -j DROP
+#
+fwunban = IP= && sed -i.old s/ALL:\ $IP// %(hostsdeny)s
+
+[MAIL]
+# Option: enabled
+# Notes.: enable mail notification when banning an IP address.
+# Values: [true | false] Default: false
+#
+enabled = false
+
+# Option: host
+# Notes.: host running the mail server.
+# Values: STR Default: localhost
+#
+host = localhost
+
+# Option: port
+# Notes.: port of the mail server.
+# Values: INT Default: 25
+#
+port = 25
+
+# Option: user
+# Notes.: the username for smtp-server if authentification is required.
+# if user is empty, no authentification is done.
+# Values: STR Default:
+#
+user =
+
+# Option: password
+# Notes.: the smtp-user's password if authentification is required.
+# Values: STR Default:
+#
+password =
+
+# Option: from
+# Notes.: e-mail address of the sender.
+# Values: MAIL Default: fail2ban
+#
+from = fail2ban
+
+# Option: to
+# Notes.: e-mail addresses of the receiver. Addresses are space
+# separated.
+# Values: MAIL Default: root
+#
+to = root
+
+# Option: localtime
+# Notes.: report local time (including timezone) or GMT
+# Values: [true | false] Default: false
+#
+localtime = true
+
+# Option: subject
+# Notes.: subject of the e-mail.
+# Tags:
active section (eg ssh, apache, etc) +# IP address +# number of failures +# unix timestamp of the last failure +# Values: TEXT Default: [Fail2Ban]
: Banned +# +subject = [Fail2Ban]
: Banned + +# Option: message +# Notes.: message of the e-mail. +# Tags:
active section (eg ssh, apache, etc) +# IP address +# number of failures +# unix timestamp of the last failure +#
new line +# Values: TEXT Default: +# +message = Hi,
+ The IP has just been banned by Fail2Ban after + attempts against
.
+ Regards,
+ Fail2Ban
+
+# You can define a new section for each log file to check for
+# password failure. Each section has to define the following
+# options: logfile, fwban, fwunban, timeregex, timepattern,
+# failregex.
+
+
+[Apache]
+# Option: enabled
+# Notes.: enable monitoring for this section.
+# Values: [true | false] Default: false
+#
+enabled = false
+
+# Option: logfile
+# Notes.: logfile to monitor.
+# Values: FILE Default: /var/log/httpd/access_log
+#
+logfile = /var/log/httpd/access_log
+
+# Option: timeregex
+# Notes.: regex to match timestamp in Apache logfile. For TAI64N format,
+# use timeregex = @[0-9a-f]{24}
+# Values: [Wed Jan 05 15:08:01 2005]
+# Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
+#
+timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
+
+# Option: timepattern
+# Notes.: format used in "timeregex" fields definition. Note that '%' must be
+# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
+# For TAI64N format, use timepattern = tai64n
+# Values: TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y
+#
+timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
+
+# Option: failregex
+# Notes.: regex to match the password failure messages in the logfile.
+# Values: TEXT Default: authentication failure|user .* not found
+#
+failregex = authentication failure|user .* not found
+
+
+[SSH]
+# Option: enabled
+# Notes.: enable monitoring for this section.
+# Values: [true | false] Default: true
+#
+enabled = true
+
+# Option: logfile
+# Notes.: logfile to monitor.
+# Values: FILE Default: /var/log/secure
+#
+logfile = /var/log/secure
+
+# Option: timeregex
+# Notes.: regex to match timestamp in SSH logfile. For TAI64N format,
+# use timeregex = @[0-9a-f]{24}
+# Values: [Mar 7 17:53:28]
+# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
+#
+timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
+
+# Option: timepattern
+# Notes.: format used in "timeregex" fields definition. Note that '%' must be
+# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
+# For TAI64N format, use timepattern = tai64n
+# Values: TEXT Default: %%b %%d %%H:%%M:%%S
+#
+timepattern = %%b %%d %%H:%%M:%%S
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile.
+# Values: TEXT Default: Authentication failure|Failed password|Invalid user
+#
+failregex = Authentication failure|Failed password|Invalid user
diff --git a/config/fail2ban.conf.default b/config/fail2ban.conf.iptables
similarity index 79%
rename from config/fail2ban.conf.default
rename to config/fail2ban.conf.iptables
index ad28e1f9..4cf103b5 100644
--- a/config/fail2ban.conf.default
+++ b/config/fail2ban.conf.iptables
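Review bot: `fwunban = IP=<ip> && sed -i.old s/ALL:\ $IP// %(hostsdeny)s` in [DEFAULT] (the `<ip>` tag is stripped in this rendering) drops the address into a sed pattern unescaped and unanchored, so each dot matches any character and the `s//` form only blanks the text, leaving an empty line in hosts.deny on every unban and a file that grows forever. Deleting the anchored line is the usual form, e.g. `fwunban = IP=<ip> && sed -i.old "/^ALL: $IP\$/d" %(hostsdeny)s`, ideally with the dots escaped before the address is used. The `Default:` lines above `fwban` and `fwunban` still quote the iptables commands from the file this was copied from and should describe the hosts.deny defaults instead. hosts.deny is consulted only by services built against TCP wrappers, so the [Apache] section at the end of the hunk most likely has no effect on httpd; a comment above `[Apache]` saying so would spare operators the surprise.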
@@ -94,6 +94,66 @@ reinittime = 10
 #
 maxreinits = -1
 
+# NOTE: Interpolations
+#
+# fwstart, as well as fwend, fwcheck, fwban, fwunban, use interpolations
+# so %(__name__)s will be substituted by a name of each section
+# (unless the option is overriden in a section).
+# If you are going to use interpolations in your setup, please make
+# sure that you specified options port and protocol (which also has
+# an option in DEFAULT).
+#
+
+# Option: protocol
+# Notes.: internally used by config reader for interpolations.
+# Values: [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option: fwstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD Default:
+#
+fwstart = iptables -N fail2ban-%(__name__)s
+ iptables -A fail2ban-%(__name__)s -j RETURN
+ iptables -I INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
+
+# Option: fwend
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD Default:
+#
+fwend = iptables -D INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
+ iptables -F fail2ban-%(__name__)s
+ iptables -X fail2ban-%(__name__)s
+
+# Option: fwcheck
+# Notes.: command executed once before each fwban command
+# Values: CMD Default:
+#
+fwcheck = iptables -L INPUT | grep -q fail2ban-%(__name__)s
+
+# Option: fwban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: IP address
+# number of failures
+# unix timestamp of the last failure
+# unix timestamp of the ban time
+# Values: CMD
+# Default: iptables -I INPUT 1 -s -j DROP
+#
+fwban = iptables -I fail2ban-%(__name__)s 1 -s -j DROP
+
+# Option: fwunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: IP address
+# unix timestamp of the ban time
+# unix timestamp of the unban time
+# Values: CMD
+# Default: iptables -D INPUT -s -j DROP
+#
+fwunban = iptables -D fail2ban-%(__name__)s -s -j DROP
 
 [MAIL]
 # Option: enabled
@@ -190,50 +250,11 @@ enabled = false
 #
 logfile = /var/log/httpd/access_log
 
-# Option: fwstart
-# Notes.: command executed once at the start of Fail2Ban
-# Values: CMD Default:
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default:
 #
-fwstart = iptables -N fail2ban-http
- iptables -I INPUT -p tcp --dport http -j fail2ban-http
- iptables -A fail2ban-http -j RETURN
-
-# Option: fwend
-# Notes.: command executed once at the end of Fail2Ban
-# Values: CMD Default:
-#
-fwend = iptables -D INPUT -p tcp --dport http -j fail2ban-http
- iptables -F fail2ban-http
- iptables -X fail2ban-http
-
-# Option: fwcheck
-# Notes.: command executed once before each fwban command
-# Values: CMD Default:
-#
-fwcheck = iptables -L INPUT | grep -q fail2ban-http
-
-# Option: fwban
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: IP address
-# number of failures
-# unix timestamp of the last failure
-# unix timestamp of the ban time
-# Values: CMD
-# Default: iptables -I INPUT 1 -s -j DROP
-#
-fwban = iptables -I fail2ban-http 1 -s -j DROP
-
-# Option: fwunban
-# Notes.: command executed when unbanning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: IP address
-# unix timestamp of the ban time
-# unix timestamp of the unban time
-# Values: CMD
-# Default: iptables -D INPUT -s -j DROP
-#
-fwunban = iptables -D fail2ban-http -s -j DROP
+port = http
 
 # Option: timeregex
 # Notes.: regex to match timestamp in Apache logfile. For TAI64N format,
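Review bot: `fwcheck = iptables -L INPUT | grep -q fail2ban-%(__name__)s` lists the chain without `-n`, so every check, which the Notes say runs before each ban, performs reverse DNS lookups for every address in INPUT and can stall when the resolver is slow or unreachable; `fwcheck = iptables -n -L INPUT | grep -q fail2ban-%(__name__)s` keeps it local. The grep is also a substring match, so `fail2ban-ssh` is reported present when only a chain such as `fail2ban-sshd` exists; `grep -qw` narrows it. The NOTE above says every section must define `port`, but unlike `protocol = tcp` nothing in [DEFAULT] provides one, so a section that omits it fails when `%(port)s` is interpolated in `fwstart`; either say in the NOTE that this is a hard error or add a documented `port =` default. The `Default:` lines above `fwban` and `fwunban` still quote the old `-I INPUT 1` / `-D INPUT` commands rather than the chain-based values set here.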
@@ -269,52 +290,14 @@ enabled = true
 # Notes.: logfile to monitor.
 # Values: FILE Default: /var/log/secure
 #
-logfile = /var/log/secure
+#logfile = /var/log/secure
+logfile = /home/cyril/workspace/fail2ban-stable/log-test/test
 
-# Option: fwstart
-# Notes.: command executed once at the start of Fail2Ban
-# Values: CMD Default:
+# Option: port
+# Notes.: specifies port to monitor
+# Values: [ NUM | STRING ] Default:
 #
-fwstart = iptables -N fail2ban-ssh
- iptables -I INPUT -p tcp --dport ssh -j fail2ban-ssh
- iptables -A fail2ban-ssh -j RETURN
-
-# Option: fwend
-# Notes.: command executed once at the end of Fail2Ban
-# Values: CMD Default:
-#
-fwend = iptables -D INPUT -p tcp --dport ssh -j fail2ban-ssh
- iptables -F fail2ban-ssh
- iptables -X fail2ban-ssh
-
-# Option: fwcheck
-# Notes.: command executed once before each fwban command
-# Values: CMD Default:
-#
-fwcheck = iptables -L INPUT | grep -q fail2ban-ssh
-
-# Option: fwbanrule
-# Notes.: command executed when banning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: IP address
-# number of failures
-# unix timestamp of the last failure
-# unix timestamp of the ban time
-# Values: CMD
-# Default: iptables -I INPUT 1 -s -j DROP
-#
-fwban = iptables -I fail2ban-ssh 1 -s -j DROP
-
-# Option: fwunbanrule
-# Notes.: command executed when unbanning an IP. Take care that the
-# command is executed with Fail2Ban user rights.
-# Tags: IP address
-# unix timestamp of the ban time
-# unix timestamp of the unban time
-# Values: CMD
-# Default: iptables -D INPUT -s -j DROP
-#
-fwunban = iptables -D fail2ban-ssh -s -j DROP
+port = ssh
 
 # Option: timeregex
 # Notes.: regex to match timestamp in SSH logfile. For TAI64N format,
diff --git a/config/fail2ban.conf.shorewall b/config/fail2ban.conf.shorewall
new file mode 100644
index 00000000..570017fd
--- /dev/null
+++ b/config/fail2ban.conf.shorewall
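Review bot: The new `port` option in [Apache] is documented as `Values: [ NUM | STRING ] Default:` with nothing more, yet `port = http` is a service name that iptables resolves through /etc/services, not a number fail2ban validates, and the DEFAULT-section NOTE makes the option mandatory for the shared `fwstart`/`fwend`. A comment above the value such as `# names are resolved by iptables via /etc/services; required by the default fwstart/fwend` would put both facts where the value is set; the same applies to `port = ssh` in the SSH hunk that follows.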
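Review bot: The SSH section now ships `logfile = /home/cyril/workspace/fail2ban-stable/log-test/test`, a developer's local test path, with the real value commented out as `#logfile = /var/log/secure`; any installation using this file will watch a path that does not exist, so the one section enabled by default silently monitors nothing. Restore `logfile = /var/log/secure` and drop the commented-out line before this is released. If a test configuration is needed, keeping it outside the shipped config directory avoids this kind of leak.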
@@ -0,0 +1,281 @@
+# Fail2Ban configuration file
+#
+# $Revision$
+#
+# 2005.06.21 modified for readability Iain Lea iain@bricbrac.de
+
+[DEFAULT]
+# Option: background
+# Notes.: start fail2ban as a daemon. Output is redirect to logfile.
+# Values: [true | false] Default: false
+#
+background = false
+
+# Option: logtargets
+# Notes.: log targets. Space separated list of logging targets.
+# Values: STDERR SYSLOG file Default: /var/log/fail2ban.log
+#
+logtargets = /var/log/fail2ban.log
+
+# Option: syslog-target
+# Notes.: where to find syslog facility if logtarget SYSLOG.
+# Values: SOCKET HOST HOST:PORT Default: /dev/log
+#
+syslog-target = /dev/log
+
+# Option: syslog-facility
+# Notes.: which syslog facility to use if logtarget SYSLOG.
+# Values: NUM Default: 1
+#
+syslog-facility = 1
+
+# Option: pidlock
+# Notes.: path of the PID lock file (must be able to write to file).
+# Values: FILE Default: /var/run/fail2ban.pid
+#
+pidlock = /var/run/fail2ban.pid
+
+# Option: maxfailures
+# Notes.: number of failures before IP gets banned.
+# Values: NUM Default: 5
+#
+maxfailures = 5
+
+# Option: bantime
+# Notes.: number of seconds an IP will be banned. If set to a negative
+# value, IP will never be unbanned (permanent banning).
+# Values: NUM Default: 600
+#
+bantime = 600
+
+# Option: findtime
+# Notes.: lifetime in seconds of a "failed" log entry.
+# Values: NUM Default: 600
+#
+findtime = 600
+
+# Option: ignoreip
+# Notes.: space separated list of IP's to be ignored by fail2ban.
+# You can use CIDR mask in order to specify a range.
+# Example: ignoreip = 192.168.0.1/24 123.45.235.65
+# Values: IP Default:
+#
+ignoreip =
+
+# Option: cmdstart
+# Notes.: command executed once at the start of Fail2Ban
+# Values: CMD Default:
+#
+cmdstart =
+
+# Option: cmdend
+# Notes.: command executed once at the end of Fail2Ban.
+# Values: CMD Default:
+#
+cmdend =
+
+# Option: polltime
+# Notes.: number of seconds fail2ban sleeps between iterations.
+# Values: NUM Default: 1
+#
+polltime = 1
+
+# Option: reinittime
+# Notes.: minimal number of seconds between the re-initialization of
+# firewalls due to external changes in their rules (see fwcheck)
+# Values: NUM Default: 100
+#
+reinittime = 10
+
+# Option: maxreinits
+# Notes.: maximal number of re-initialization of firewalls due to external
+# changes. -1 stays for infinite, so only reinittime is of importance
+# Values: NUM Default: -1
+#
+maxreinits = -1
+
+# NOTE: Interpolations
+#
+# fwstart, as well as fwend, fwcheck, fwban, fwunban, use interpolations
+# so %(__name__)s will be substituted by a name of each section
+# (unless the option is overriden in a section).
+# If you are going to use interpolations in your setup, please make
+# sure that you specified options port and protocol (which also has
+# an option in DEFAULT).
+#
+
+# Option: fwban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: IP address
+# number of failures
+# unix timestamp of the last failure
+# unix timestamp of the ban time
+# Values: CMD
+# Default: iptables -I INPUT 1 -s -j DROP
+#
+fwban = shorewall drop
+
+# Option: fwunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: IP address
+# unix timestamp of the ban time
+# unix timestamp of the unban time
+# Values: CMD
+# Default: iptables -D INPUT -s -j DROP
+#
+fwunban = shorewall allow
+
+[MAIL]
+# Option: enabled
+# Notes.: enable mail notification when banning an IP address.
+# Values: [true | false] Default: false
+#
+enabled = false
+
+# Option: host
+# Notes.: host running the mail server.
+# Values: STR Default: localhost
+#
+host = localhost
+
+# Option: port
+# Notes.: port of the mail server.
+# Values: INT Default: 25
+#
+port = 25
+
+# Option: user
+# Notes.: the username for smtp-server if authentification is required.
+# if user is empty, no authentification is done.
+# Values: STR Default:
+#
+user =
+
+# Option: password
+# Notes.: the smtp-user's password if authentification is required.
+# Values: STR Default:
+#
+password =
+
+# Option: from
+# Notes.: e-mail address of the sender.
+# Values: MAIL Default: fail2ban
+#
+from = fail2ban
+
+# Option: to
+# Notes.: e-mail addresses of the receiver. Addresses are space
+# separated.
+# Values: MAIL Default: root
+#
+to = root
+
+# Option: localtime
+# Notes.: report local time (including timezone) or GMT
+# Values: [true | false] Default: false
+#
+localtime = true
+
+# Option: subject
+# Notes.: subject of the e-mail.
+# Tags:
active section (eg ssh, apache, etc) +# IP address +# number of failures +# unix timestamp of the last failure +# Values: TEXT Default: [Fail2Ban]
: Banned +# +subject = [Fail2Ban]
: Banned + +# Option: message +# Notes.: message of the e-mail. +# Tags:
active section (eg ssh, apache, etc) +# IP address +# number of failures +# unix timestamp of the last failure +#
new line +# Values: TEXT Default: +# +message = Hi,
+ The IP has just been banned by Fail2Ban after + attempts against
.
+ Regards,
+ Fail2Ban
+
+# You can define a new section for each log file to check for
+# password failure. Each section has to define the following
+# options: logfile, fwban, fwunban, timeregex, timepattern,
+# failregex.
+
+
+[Apache]
+# Option: enabled
+# Notes.: enable monitoring for this section.
+# Values: [true | false] Default: false
+#
+enabled = false
+
+# Option: logfile
+# Notes.: logfile to monitor.
+# Values: FILE Default: /var/log/httpd/access_log
+#
+logfile = /var/log/httpd/access_log
+
+# Option: timeregex
+# Notes.: regex to match timestamp in Apache logfile. For TAI64N format,
+# use timeregex = @[0-9a-f]{24}
+# Values: [Wed Jan 05 15:08:01 2005]
+# Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
+#
+timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
+
+# Option: timepattern
+# Notes.: format used in "timeregex" fields definition. Note that '%' must be
+# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
+# For TAI64N format, use timepattern = tai64n
+# Values: TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y
+#
+timepattern = %%a %%b %%d %%H:%%M:%%S %%Y
+
+# Option: failregex
+# Notes.: regex to match the password failure messages in the logfile.
+# Values: TEXT Default: authentication failure|user .* not found
+#
+failregex = authentication failure|user .* not found
+
+
+[SSH]
+# Option: enabled
+# Notes.: enable monitoring for this section.
+# Values: [true | false] Default: true
+#
+enabled = true
+
+# Option: logfile
+# Notes.: logfile to monitor.
+# Values: FILE Default: /var/log/secure
+#
+logfile = /var/log/secure
+
+# Option: timeregex
+# Notes.: regex to match timestamp in SSH logfile. For TAI64N format,
+# use timeregex = @[0-9a-f]{24}
+# Values: [Mar 7 17:53:28]
+# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
+#
+timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
+
+# Option: timepattern
+# Notes.: format used in "timeregex" fields definition. Note that '%' must be
+# escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule).
+# For TAI64N format, use timepattern = tai64n
+# Values: TEXT Default: %%b %%d %%H:%%M:%%S
+#
+timepattern = %%b %%d %%H:%%M:%%S
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile.
+# Values: TEXT Default: Authentication failure|Failed password|Invalid user
+#
+failregex = Authentication failure|Failed password|Invalid user
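Review bot: The [DEFAULT] section of this new file keeps the comments of the iptables variant it was copied from: the `Default:` lines above `fwban` and `fwunban` still quote `iptables -I INPUT 1 -s <ip> -j DROP` and `iptables -D INPUT -s <ip> -j DROP` while the values are `shorewall drop` and `shorewall allow` (the `<ip>` tag is stripped in this rendering), and the NOTE about interpolations tells the user to set `port` and `protocol`, which nothing in this file uses. Replace the two `Default:` lines with the shorewall commands and either drop the NOTE or cut it to the `%(__name__)s` sentence. No `fwcheck` is defined, so bans that live only in shorewall's dynamic blacklist are never re-applied if shorewall is restarted; if that list is not preserved across a restart for the shorewall version targeted (worth confirming), a line above `fwban` stating that bans are lost on restart would help operators plan around it.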