From ef504c869f0b00d3bbc80d837d00bc867305229d Mon Sep 17 00:00:00 2001 From: Andy Fragen Date: Mon, 26 Aug 2013 16:06:23 -0700 Subject: [PATCH 1/9] added osx specific ipfw action with random rulenum --- config/action.d/osx-ipfw.conf | 67 +++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 config/action.d/osx-ipfw.conf diff --git a/config/action.d/osx-ipfw.conf b/config/action.d/osx-ipfw.conf new file mode 100644 index 00000000..8cd36df6 --- /dev/null +++ b/config/action.d/osx-ipfw.conf @@ -0,0 +1,67 @@ +# Fail2Ban configuration file +# +# Author: Nick Munger +# Modified by: Andy Fragen +# +# Mod for OS X, using random rulenum +# + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = + + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = + + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: IP address +# Values: CMD +# +actionban = ipfw add set 10 deny log tcp from to + + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: IP address +# Values: CMD +# +actionunban = ipfw delete `ipfw list | grep -i | awk '{print $1;}'` + +[Init] + +# Option: port +# Notes.: specifies port to monitor +# Values: [ NUM | STRING ] +# +port = ssh + +# Option: localhost +# Notes.: the local IP address of the network interface +# Values: IP +# +localhost = 127.0.0.1 + +# Option: number for ipfw rule +# Values: 1 - 65535 +# Random value between 10000 and 12000 +rulenum = "`echo $((RANDOM%%2000+10000))`" + From 908d4adf6f736bf2c6cf7a3a1dadbc8246287fbe Mon Sep 17 00:00:00 2001 
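Review bot: In the added actionunban line the banned address is handed to `grep -i` as an unanchored basic regex (the angle-bracket tags appear to have been stripped in this rendering), so `.` matches any character and a ban on 10.0.0.1 also selects rules for 10.0.0.10 or 110.0.0.1; the backtick expansion can then pass several rule numbers to `ipfw delete`, including rules Fail2Ban never added. A fixed-string, whole-word match narrows this, e.g. `grep -F -w -- <ip>` in place of `grep -i <ip>`. Separately, rulenum is drawn from 2000 values with no collision check, and as I read ipfw(8) deleting by number removes every rule carrying that number, so a collision would unban a second host at the same time; that is worth recording in the rulenum comment, e.g. `# Notes.: random, not collision-checked; ipfw delete <rulenum> removes every rule with that number`.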
From: Daniel Black Date: Sat, 31 Aug 2013 09:37:15 +1000 Subject: [PATCH 2/9] DOC: credits and thanks for Andy for osx-ipfw --- ChangeLog | 3 +++ THANKS | 1 + 2 files changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index c3811a47..e46e9e4f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -41,6 +41,9 @@ ver. 0.8.11 (2013/XX/XXX) - loves-unittests closes gh-343. - New Features: + Andy Fragen and Daniel Black + * filter.d/osx-ipfw.conf - ipfw action for OSX based on random rule + numbers. Daniel Black & ykimon * filter.d/3proxy.conf -- filter added Daniel Black diff --git a/THANKS b/THANKS index e3d2cd13..41780856 100644 --- a/THANKS +++ b/THANKS @@ -7,6 +7,7 @@ will be added Adrien Clerc ache Andrey G. Grozin +Andy Fragen Arturo 'Buanzo' Busleiman Axel Thimm Bill Heaton From 5741348f45df3fd061786ab102686b3742d1bac8 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 31 Aug 2013 09:38:18 +1000 Subject: [PATCH 3/9] ENH: more options and ruggedness to prevent unintensional consequences --- config/action.d/osx-ipfw.conf | 41 +++++++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 12 deletions(-) diff --git a/config/action.d/osx-ipfw.conf b/config/action.d/osx-ipfw.conf index 8cd36df6..b7f2f376 100644 --- a/config/action.d/osx-ipfw.conf +++ b/config/action.d/osx-ipfw.conf @@ -1,9 +1,9 @@ # Fail2Ban configuration file # # Author: Nick Munger -# Modified by: Andy Fragen +# Modified by: Andy Fragen and Daniel Black # -# Mod for OS X, using random rulenum +# Mod for OS X, using random rulenum as OSX ipfw doesn't include tables # [Definition] @@ -35,7 +35,7 @@ actioncheck = # Tags: IP address # Values: CMD # -actionban = ipfw add set 10 deny log tcp from to +actionban = ipfw add set log from to # Option: actionunban 
@@ -44,24 +44,41 @@ actionban = ipfw add set 10 deny log tcp from to IP address # Values: CMD # -actionunban = ipfw delete `ipfw list | grep -i | awk '{print $1;}'` +actionunban = ipfw delete `ipfw list | sed -n '/^\([0-9]*\) set log from to $/s//\1/p'` [Init] # Option: port -# Notes.: specifies port to monitor +# Notes.: specifies port to block # Values: [ NUM | STRING ] # port = ssh -# Option: localhost +# Option: dst # Notes.: the local IP address of the network interface -# Values: IP +# Values: IP, any, me or anything support by ipfw as a dst # -localhost = 127.0.0.1 +dst = me -# Option: number for ipfw rule -# Values: 1 - 65535 -# Random value between 10000 and 12000 -rulenum = "`echo $((RANDOM%%2000+10000))`" +# Option: block +# Notes: This is how much to block. +# Can be "ip", "tcp", "udp" or various other options. +# Values: STRING +block = tcp +# Option: blocktype +# Notes.: How to block the traffic. Use a action from man 8 ipfw +# Common values: deny, unreach port, reset +# Values: STRING +# +blocktype = unreach port + +# Option: set number +# Notes.: The ipset number this is added to. +# Values: 0-31 +setnum = 10 + +# Option: number for ipfw rule +# Notes: This is ment to be automaticly generated and not overwritten +# Values: Random value between 10000 and 12000 +rulenum = "`a=$((RANDOM%%2000+10000)); while ipfw show | grep -q ^$a\ ; do a=$((RANDOM%%2000+10000)); done; echo $a`" From 808aa1a792302a07b6a0334c932d5f38a6461fd7 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 31 Aug 2013 09:39:21 +1000 Subject: [PATCH 4/9] ENH: added jail.conf example. closes gh-340 --- config/jail.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config/jail.conf b/config/jail.conf index 86c61911..7f1e40b5 100644 --- a/config/jail.conf +++ b/config/jail.conf 
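Review bot: The new sed-based actionunban anchors on `^\([0-9]*\) set <setnum> ...`, but `ipfw list` is invoked without `-S`, and as far as I recall ipfw(8) prints the `set N` field only when `-S` is given (PATCH 8/9 later adds it), so the pattern matches nothing, the backtick yields an empty argument to `ipfw delete`, and the ban is never lifted with the error visible only in the Fail2Ban log. Pin the listing flags here, `ipfw -S list`, and keep the `$` anchor only after the printed rule text has been verified on the target host, since any extra token ipfw prints (for example after `log`) defeats an end-anchored pattern. The rulenum retry loop runs `ipfw show` on every attempt and has no upper bound; if `ipfw show` itself fails (for example for lack of privileges) `grep -q` sees no input and the loop exits on the first candidate, silently losing the duplicate check it was added for. `automaticly` in the rulenum comment should read `automatically`.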
@@ -416,3 +416,8 @@ filter = perdition action = iptables-multiport[name=perdition,port="110,143,993,995"] logpath = /var/log/maillog +[osx-ssh-ipfw] +enabled = false +filter = sshd +action = osx-ipfw +logpath = /var/log/secure.log From 8b22fa15b55a590d72f21b1d02533f46b0af43b3 Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 31 Aug 2013 11:03:01 +1000 Subject: [PATCH 5/9] BF: reverted to simplier random rulenum. If your machine is handling 1000s of block the addition complexity isnt what you want --- config/action.d/osx-ipfw.conf | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/config/action.d/osx-ipfw.conf b/config/action.d/osx-ipfw.conf index b7f2f376..416344a7 100644 --- a/config/action.d/osx-ipfw.conf +++ b/config/action.d/osx-ipfw.conf @@ -79,6 +79,9 @@ blocktype = unreach port setnum = 10 # Option: number for ipfw rule -# Notes: This is ment to be automaticly generated and not overwritten +# Notes: This is meant to be automaticly generated and not overwritten # Values: Random value between 10000 and 12000 -rulenum = "`a=$((RANDOM%%2000+10000)); while ipfw show | grep -q ^$a\ ; do a=$((RANDOM%%2000+10000)); done; echo $a`" +rulenum="`echo $((RANDOM%%2000+10000))`" + +# Duplicate prevention mechanism +#rulenum = "`a=$((RANDOM%%2000+10000)); while ipfw show | grep -q ^$a\ ; do a=$((RANDOM%%2000+10000)); done; echo $a`" From 749f2150898710360789c502b55eebbf5486680c Mon Sep 17 00:00:00 2001 From: Daniel Black Date: Sat, 31 Aug 2013 11:07:15 +1000 Subject: [PATCH 6/9] ENH: port optional --- config/action.d/osx-ipfw.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/action.d/osx-ipfw.conf b/config/action.d/osx-ipfw.conf index 416344a7..2aadd626 100644 --- a/config/action.d/osx-ipfw.conf +++ b/config/action.d/osx-ipfw.conf 
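Review bot: Dropping the duplicate check leaves rulenum as an unchecked draw from 2000 values, and a birthday-bound estimate puts a 50% chance of a repeated number at roughly 53 concurrent bans, far below the "1000s of blocks" the message cites; since `ipfw delete` by number removes every rule with that number (as I read ipfw(8)), one unban can then unban a second host. If the lookup loop is too costly, widening the number range and documenting the residual collision risk next to the option is cheaper than re-scanning, e.g. `# Notes.: random and not collision-checked; a duplicate number makes one unban remove two rules`. As a point of style, `rulenum="..."` drops the spaces around `=` that every other key in the file uses; `rulenum = "..."` keeps it consistent, and the touched comment still misspells `automaticly`.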
@@ -44,12 +44,12 @@ actionban = ipfw add set log from to # Tags: IP address # Values: CMD # -actionunban = ipfw delete `ipfw list | sed -n '/^\([0-9]*\) set log from to $/s//\1/p'` +actionunban = ipfw delete `ipfw list | sed -n '/^\([0-9]*\) set log from to ?$/s//\1/p'` [Init] # Option: port -# Notes.: specifies port to block +# Notes.: specifies port to block. Can be blank however may require block="ip" # Values: [ NUM | STRING ] # port = ssh From a4884f82cd57c2047f8cf1f41c1769493fbfaa22 Mon Sep 17 00:00:00 2001 From: Andy Fragen Date: Sat, 31 Aug 2013 08:39:19 -0700 Subject: [PATCH 7/9] add mods from grooverdan and fix actionunban actionunban still not working in grooverdan's mod. I made this one grep both and . It should be more specific if the same is banned on multiple ports. --- config/action.d/osx-ipfw.conf | 45 +++++++++++++++++++++++++---------- 1 file changed, 33 insertions(+), 12 deletions(-) diff --git a/config/action.d/osx-ipfw.conf b/config/action.d/osx-ipfw.conf index 8cd36df6..4f421ffb 100644 --- a/config/action.d/osx-ipfw.conf +++ b/config/action.d/osx-ipfw.conf @@ -1,9 +1,9 @@ # Fail2Ban configuration file # # Author: Nick Munger -# Modified by: Andy Fragen +# Modified by: Andy Fragen and Daniel Black # -# Mod for OS X, using random rulenum +# Mod for OS X, using random rulenum as OSX ipfw doesn't include tables # [Definition] @@ -35,7 +35,7 @@ actioncheck = # Tags: IP address # Values: CMD # -actionban = ipfw add set 10 deny log tcp from to +actionban = ipfw add set log from to # Option: actionunban 
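Review bot: The `?` appended before `$` in actionunban's sed pattern does not make the port optional: in a POSIX basic regex, which the BSD sed shipped on OS X uses, `?` is a literal character (the GNU `\?` extension is not available there either), so the pattern now demands a literal `?` after the port and matches neither the with-port nor the blank-port rule. Use extended syntax with an optional group instead, e.g. `sed -E -n '/^([0-9]+) set <setnum> <blocktype> log <block> from <ip> to <dst>( <port>)?$/s//\1/p'`. The `.` characters in <ip> remain regex wildcards under `-E` as well, so the match is still broader than a fixed-string comparison would be.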
@@ -44,24 +44,45 @@ actionban = ipfw add set 10 deny log tcp from to IP address # Values: CMD # -actionunban = ipfw delete `ipfw list | grep -i | awk '{print $1;}'` +actionunban = ipfw delete `ipfw list | grep -i | grep -i | awk '{print $1;}'` +#actionunban = ipfw delete `ipfw list | sed -n '/^\([0-9]*\) set log from to ?$/s//\1/p'` [Init] # Option: port -# Notes.: specifies port to monitor +# Notes.: specifies port to block. Can be blank however may require block="ip" # Values: [ NUM | STRING ] # port = ssh -# Option: localhost +# Option: dst # Notes.: the local IP address of the network interface -# Values: IP +# Values: IP, any, me or anything support by ipfw as a dst # -localhost = 127.0.0.1 +dst = me -# Option: number for ipfw rule -# Values: 1 - 65535 -# Random value between 10000 and 12000 -rulenum = "`echo $((RANDOM%%2000+10000))`" +# Option: block +# Notes: This is how much to block. +# Can be "ip", "tcp", "udp" or various other options. +# Values: STRING +block = tcp +# Option: blocktype +# Notes.: How to block the traffic. Use a action from man 8 ipfw +# Common values: deny, unreach port, reset +# Values: STRING +# +blocktype = deny + +# Option: set number +# Notes.: The ipset number this is added to. +# Values: 0-31 +setnum = 10 + +# Option: number for ipfw rule +# Notes: This is meant to be automaticly generated and not overwritten +# Values: Random value between 10000 and 12000 +rulenum="`echo $((RANDOM%%2000+10000))`" + +# Duplicate prevention mechanism +#rulenum = "`a=$((RANDOM%%2000+10000)); while ipfw show | grep -q ^$a\ ; do a=$((RANDOM%%2000+10000)); done; echo $a`" \ No newline at end of file From fe557e5900b79af1e563b32a5d59425f5580a507 Mon Sep 17 00:00:00 2001 From: Andy Fragen Date: Sun, 1 Sep 2013 13:09:51 -0700 Subject: [PATCH 8/9] more specific actionunban --- config/action.d/osx-ipfw.conf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
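Review bot: The restored actionunban pipes `ipfw list` through `grep -i <ip> | grep -i <port>`, but ipfw prints ports numerically unless `-N` is given (as far as I recall ipfw(8); verify on OS X), so with the default `port = ssh` the second grep matches nothing, the backtick expands to nothing, and `ipfw delete` runs with no rule number, which is the same silent-failure mode the commit message reports for the sed variant. Even with a numeric port, `grep -i 22` is a substring match that also hits rule numbers and addresses containing 22, and `.` in <ip> matches any character, so more than one rule can be deleted at once; a fixed-string match on the full rule text (`grep -F`) is safer. This patch is diffed against 8cd36df6, the PATCH 1/9 tree, and re-applies the PATCH 3/9 to 6/9 changes; rebasing onto 2aadd626 would keep the series linear. The file is also left without a trailing newline.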
diff --git a/config/action.d/osx-ipfw.conf b/config/action.d/osx-ipfw.conf index 4f421ffb..b90a136e 100644 --- a/config/action.d/osx-ipfw.conf +++ b/config/action.d/osx-ipfw.conf @@ -44,8 +44,7 @@ actionban = ipfw add set log from to # Tags: IP address # Values: CMD # -actionunban = ipfw delete `ipfw list | grep -i | grep -i | awk '{print $1;}'` -#actionunban = ipfw delete `ipfw list | sed -n '/^\([0-9]*\) set log from to ?$/s//\1/p'` +actionunban = ipfw delete `ipfw -S list | grep -i 'set log from to ' | awk '{print $1;}'` [Init] From d258a51a23ea296ef43d8a78cbeb9bd7100af694 Mon Sep 17 00:00:00 2001 From: Andy Fragen Date: Wed, 4 Sep 2013 11:28:03 -0700 Subject: [PATCH 9/9] after some research it looks like setting to unreachable better than deny --- config/action.d/osx-ipfw.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/action.d/osx-ipfw.conf b/config/action.d/osx-ipfw.conf index b90a136e..fe0caa2a 100644 --- a/config/action.d/osx-ipfw.conf +++ b/config/action.d/osx-ipfw.conf @@ -71,7 +71,7 @@ block = tcp # Common values: deny, unreach port, reset # Values: STRING # -blocktype = deny +blocktype = unreach port # Option: set number # Notes.: The ipset number this is added to.
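Review bot: The new actionunban pattern is still given to `grep -i` as a regex with no anchors, so `.` in <ip> and <dst> matches any character and any rule containing the text as a substring is selected; the text is fixed, so `grep -F -- 'set <setnum> <blocktype> log <block> from <ip> to <dst> <port>'` expresses the intent exactly. The port token is still the weak spot: with the default `port = ssh`, ipfw prints the port numerically unless `-N` is given (as far as I recall ipfw(8)), so the pattern would not match, and adding `-N` is not a fix because it would also attempt reverse lookups on the banned address. Whether `log` is printed bare or with a trailing amount also depends on the host's ipfw, so the pattern should be checked against real `ipfw -S list` output on OS X before relying on it.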
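Review bot: The rationale for changing the default blocktype from `deny` to `unreach port` lives only in the commit message, and the behavioural difference matters to anyone deploying this: `unreach port` answers each packet from the banned host with an ICMP port-unreachable, so the client fails fast but also learns it is being filtered and the box emits a reply per probe, whereas `deny` drops silently. Record the trade-off next to the option, for instance `# Notes.: unreach port replies with ICMP so clients fail fast (and learn they are filtered); deny drops silently`. The `# Common values` line above already lists both, so the note only needs to say when each is preferable.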