mirror of https://github.com/fail2ban/fail2ban
action.d/xarf-login-attack.conf: fixes gh-2372, correction for split of addresses, interpolation is shell-independent now, etc;
extended with option `boundary`; additionally, a dynamic boundary part is used (it is not as predictable as it was previously);
pull/2381/head
parent
ec2b5dc483
commit
e8401a7e65
|
@ -41,7 +41,12 @@ actionstop =
|
||||||
|
|
||||||
actioncheck =
|
actioncheck =
|
||||||
|
|
||||||
actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP}; ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org); IFS=${oifs}
|
actionban = oifs=${IFS};
|
||||||
|
RESOLVER_ADDR="%(addr_resolver)s"
|
||||||
|
if [ "<debug>" -gt 0 ]; then echo "try to resolve $RESOLVER_ADDR"; fi
|
||||||
|
ADDRESSES=$(dig +short -t txt -q $RESOLVER_ADDR | tr -d '"')
|
||||||
|
IFS=,; ADDRESSES=$(echo $ADDRESSES)
|
||||||
|
IFS=${oifs}
|
||||||
IP=<ip>
|
IP=<ip>
|
||||||
FROM=<sender>
|
FROM=<sender>
|
||||||
SERVICE=<service>
|
SERVICE=<service>
|
||||||
|
@ -51,26 +56,37 @@ actionban = oifs=${IFS}; IFS=.;SEP_IP=( <ip> ); set -- ${SEP_IP}; ADDRESSES=$(di
|
||||||
PORT=<port>
|
PORT=<port>
|
||||||
DATE=`LC_ALL=C date --date=@<time> +"%%a, %%d %%h %%Y %%T %%z"`
|
DATE=`LC_ALL=C date --date=@<time> +"%%a, %%d %%h %%Y %%T %%z"`
|
||||||
if [ ! -z "$ADDRESSES" ]; then
|
if [ ! -z "$ADDRESSES" ]; then
|
||||||
|
oifs=${IFS}; IFS=,; ADDRESSES=$(echo $ADDRESSES)
|
||||||
|
IFS=${oifs}
|
||||||
(printf -- %%b "<header>\n<message>\n<report>\n\n";
|
(printf -- %%b "<header>\n<message>\n<report>\n\n";
|
||||||
date '+Note: Local timezone is %%z (%%Z)';
|
date '+Note: Local timezone is %%z (%%Z)';
|
||||||
printf -- %%b "\n<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> ${ADDRESSES//,/\" \"}
|
printf -- %%b "\n<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> $ADDRESSES
|
||||||
fi
|
fi
|
||||||
|
|
||||||
actionunban =
|
actionunban =
|
||||||
|
|
||||||
[Init]
|
# Server as resolver used in dig command
|
||||||
|
#
|
||||||
|
addr_resolver = <ip-rev>abuse-contacts.abusix.org
|
||||||
|
|
||||||
|
# Option: boundary
|
||||||
|
# Notes: This can be overwritten to be safe for possible predictions
|
||||||
|
boundary = bfbb0f920793ac03cb8634bde14d8a1e
|
||||||
|
|
||||||
|
_boundary = Abuse<time>-<boundary>
|
||||||
|
|
||||||
# Option: header
|
# Option: header
|
||||||
# Notes: This is really a fixed value
|
# Notes: This is really a fixed value
|
||||||
header = Subject: abuse report about $IP - $DATE\nAuto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed; charset=utf8;\n boundary=Abuse-bfbb0f920793ac03cb8634bde14d8a1e;\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8;\n
|
header = Subject: abuse report about $IP - $DATE\nAuto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed; charset=utf8;\n boundary=%(_boundary)s;\n\n--%(_boundary)s\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8;\n
|
||||||
|
|
||||||
# Option: footer
|
# Option: footer
|
||||||
# Notes: This is really a fixed value and needs to match the report and header
|
# Notes: This is really a fixed value and needs to match the report and header
|
||||||
# mime delimiters
|
# mime delimiters
|
||||||
footer = \n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e--
|
footer = \n\n--%(_boundary)s--
|
||||||
|
|
||||||
# Option: report
|
# Option: report
|
||||||
# Notes: Intended to be fixed
|
# Notes: Intended to be fixed
|
||||||
report = --Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\";
|
report = --%(_boundary)s\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--%(_boundary)s\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\";
|
||||||
|
|
||||||
# Option: Message
|
# Option: Message
|
||||||
# Notes: This can be modified by the users
|
# Notes: This can be modified by the users
|
||||||
|
|
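Review bot: The recipient list in the second hunk reaches the mailer unquoted (`<mailcmd> <mailargs> $ADDRESSES`), and its content is whatever the TXT answer from `dig` held, with only the double quotes removed by `tr -d '"'`. The unquoted expansion is needed to split several recipients, but it also leaves pathname expansion on and lets a token beginning with `-` be read by the mail command as an option. The list should be reduced to address-shaped tokens with globbing disabled before use; the sketch below does that in POSIX sh and skips the mail when nothing valid remains. The comma split added inside the `if` also repeats the one done right after the lookup in the first hunk and could be dropped. Part of the `actionban` value lies between the two hunks and is not visible here.

```ini
            # … unchanged: resolver lookup and report variables …
            RCPTS=""
            set -f
            for a in $ADDRESSES; do
              case "$a" in
                -*|*[!A-Za-z0-9@._+-]*) ;;
                *@*) RCPTS="$RCPTS $a" ;;
              esac
            done
            set +f
            if [ ! -z "$RCPTS" ]; then
              # … unchanged: printf/date pipeline, with $RCPTS as the recipient list …
            fi
```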