mirror of https://github.com/fail2ban/fail2ban
117 lines
4.9 KiB
Plaintext
117 lines
4.9 KiB
Plaintext
# Fail2Ban action for sending xarf Login-Attack messages to IP owner
|
|
#
|
|
# This requires querycontact ( http://pypi.python.org/pypi/querycontacts/ )
|
|
# sudo pip install querycontacts
|
|
#
|
|
# This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
|
|
#
|
|
#
|
|
# XARF is a specification for sending a formatted response
|
|
# for non-messaging based abuse including:
|
|
#
|
|
# Login-Attack, Malware-Attack, Fraud (Phishing, etc.), Info DNSBL
|
|
#
|
|
# For details see:
|
|
# https://github.com/abusix/xarf-specification
|
|
# http://www.x-arf.org/schemata.html
|
|
#
|
|
#
|
|
# Based on complain written by Russell Odom <russ@gloomytrousers.co.uk>
|
|
#
|
|
#
|
|
|
|
[Definition]
|
|
|
|
actionstart =
|
|
|
|
actionstop =
|
|
|
|
actioncheck =
|
|
|
|
actionban = ADDRESSES=`querycontacts <ip>`
|
|
IP=<ip>
|
|
FROM=<sender>
|
|
SERVICE=<service>
|
|
FAILURES=<failures>
|
|
MATCHES=<matches>
|
|
REPORTID=<time>@`uname -n`
|
|
TLP=<tlp>
|
|
PORT=<port>
|
|
DATE=`LC_TIME=C date -u --date=@<time> +"%%a, %%d %%h %%Y %%T +0000"`
|
|
if [ ! -z "$ADDRESSES" ]; then
|
|
(printf -- %%b "<header>\n<message>\n<report>\n${MATCHES}\n";
|
|
date '+Note: Local timezone is %%z (%%Z)';
|
|
tail -n <loglines> <logpath> | grep '[^0-9]<ip>[^0-9]';
|
|
printf -- %%b "<footer>") | <mailcmd> "abuse report about <ip> - $DATE" <mailargs> $ADDRESSES
|
|
fi
|
|
|
|
actionunban =
|
|
|
|
[Init]
|
|
# Option: header
|
|
# Notes: This is really a fixed value
|
|
header = Auto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed; charset=utf8;\n boundary=Abuse-bfbb0f920793ac03cb8634bde14d8a1e;\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8;\n
|
|
|
|
# Option: footer
|
|
# Notes: This is really a fixed value and needs to match the report and header
|
|
# mime delimiters
|
|
footer = \n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e--
|
|
|
|
# Option: report
|
|
# Notes: Intended to be fixed
|
|
report = --Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\";
|
|
|
|
# Option: Message
|
|
# Notes: This can be modified by the users
|
|
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to https://abusix.com/contactdb.html is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban in a X-ARF format! You can find more information about x-arf at http://www.x-arf.org/specification.html.\n
|
|
|
|
# Option: loglines
|
|
# Notes.: The number of log lines to search for the IP for the report
|
|
loglines = 9000
|
|
|
|
# Option: mailcmd
|
|
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
|
|
# Values: CMD
|
|
#
|
|
mailcmd = mail -s
|
|
|
|
# Option: mailargs
|
|
# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
|
|
# CC reports to another address:
|
|
# -c me@example.com
|
|
# Appear to come from a different address - the '--' indicates
|
|
# arguments to be passed to Sendmail:
|
|
# -- -f me@example.com
|
|
# Values: [ STRING ]
|
|
#
|
|
mailargs =
|
|
|
|
# Option: tlp
|
|
# Notes.: Traffic light protocol defining the sharing of this information.
|
|
# http://www.trusted-introducer.org/ISTLPv11.pdf
|
|
# green is share to those involved in network security but it is not
|
|
# to be released to the public.
|
|
tlp = green
|
|
|
|
# ALL of the following parameters should be set so the report contains
|
|
# meaningful information
|
|
|
|
# Option: service
|
|
# Notes.: This is the service type that was attacked. e.g. ssh, pop3
|
|
service = unspecified
|
|
|
|
# Option: logpath
|
|
# Notes: Path to the log files which contain relevant lines for the abuser IP
|
|
# Values: Filename(s) space separated and can contain wildcards (these are
|
|
# greped for the IP so make sure these aren't too long
|
|
logpath = /dev/null
|
|
|
|
# Option: sender
|
|
# Notes.: This is the sender that is included in the XARF report
|
|
sender = fail2ban@`uname -n`
|
|
|
|
# Option: port
|
|
# Notes.: This is the port number that received the login-attack
|
|
port = 0
|
|
|