# Fail2Ban configuration file
#
# Author: Russell Odom <russ@gloomytrousers.co.uk>
# Submits attack reports to DShield (http://www.dshield.org/)
#
# You MUST configure at least:
# <port> (the port that's being attacked - use the number, not the name).
#
# You SHOULD also provide:
# <myip> (your public IP address, if it's not the address of eth0)
# <userid> (your DShield userID, if you have one - recommended, but reports will
# be used anonymously if not)
# <protocol> (the protocol in use - defaults to tcp)
#
# Best practice is to provide <port> and <protocol> in jail.conf like this:
# action = dshield[port=1234,protocol=tcp]
#
# ...and create "dshield.local" with contents something like this:
# [Init]
# myip = 10.0.0.1
# userid = 12345
#
# Other useful configuration values are <mailargs> (which you can use to specify
# a different sender address for the report e-mails, which should match what is
# configured at DShield), and <lines>/<minreportinterval>/<maxbufferage> (to
# configure how often the buffer is flushed).
#
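[Definition]

# bypass ban/unban for restored tickets
norestored = 1

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart =

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban. Mails whatever is
#         still in <tmpfile>.buffer so nothing is lost on shutdown, records
#         the send time, then removes the buffer files.
# Values: CMD
#
actionstop = if [ -f <tmpfile>.buffer ]; then
                 cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
                 date +%%s > <tmpfile>.lastsent
             fi
             rm -f <tmpfile>.buffer <tmpfile>.first

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
#         Appends one tab-separated DShield report line to <tmpfile>.buffer,
#         then mails the buffer when EITHER at least <lines> lines are
#         buffered AND more than <minreportinterval> seconds have passed
#         since the last report, OR the oldest buffered event is more than
#         <maxbufferage> seconds old.
# Tags: See jail.conf(5) man page
# Values: CMD
#
# See http://www.dshield.org/specs.html for more on report format/notes
#
# Note: We are currently using <time> for the timestamp because no tag is
# available to indicate the timestamp of the log message(s) which triggered the
# ban. Therefore the timestamps we are using in the report, whilst often only a
# few seconds out, are incorrect. See
# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047
#
# Note: the flush condition is written as separate [ ] tests joined with
# && and || - "&&" is not valid inside a single [ ... ] test and makes the
# whole condition fail to parse, so the buffer would never be mailed from
# here.  PROTOCOL falls back to the raw <protocol> value when the lookup in
# /etc/protocols finds nothing (IGNORECASE is a gawk extension; other awks
# treat it as an ordinary variable and do a case-sensitive match).
# <tmpfile>.first holds the timestamp of the oldest buffered event and
# <tmpfile>.lastsent the time of the last report (0 if never sent).
#
actionban = TZONE=`date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'`
            DATETIME="`perl -e '@t=localtime(<time>);printf "%%4d-%%02d-%%02d %%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'` $TZONE"
            PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
            if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
            printf %%b "$DATETIME\t<userid>\t<failures>\t<ip>\t<srcport>\t<myip>\t<port>\t$PROTOCOL\t<tcpflags>\n" >> <tmpfile>.buffer
            NOW=`date +%%s`
            if [ ! -f <tmpfile>.first ]; then
                echo <time> | cut -d. -f1 > <tmpfile>.first
            fi
            if [ ! -f <tmpfile>.lastsent ]; then
                echo 0 > <tmpfile>.lastsent
            fi
            LOGAGE=$(($NOW - `cat <tmpfile>.first`))
            LASTREPORT=$(($NOW - `cat <tmpfile>.lastsent`))
            LINES=$( wc -l <tmpfile>.buffer | awk '{ print $1 }' )
            if [ $LINES -ge <lines> ] && [ $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]; then
                cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ $TZONE Fail2Ban" <mailargs> <dest>
                rm -f <tmpfile>.buffer <tmpfile>.first
                echo $NOW > <tmpfile>.lastsent
            fi

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
#         Nothing is reported for the unban itself; this only re-runs the
#         <maxbufferage> check so a buffer that has gone stale between bans
#         still gets mailed.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = if [ -f <tmpfile>.first ]; then
                  NOW=`date +%%s`
                  LOGAGE=$(($NOW - `cat <tmpfile>.first`))
                  if [ $LOGAGE -gt <maxbufferage> ]; then
                      cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
                      rm -f <tmpfile>.buffer <tmpfile>.first
                      echo $NOW > <tmpfile>.lastsent
                  fi
              fi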
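[Init]

# Option: port
# Notes.: The target port for the attack (numerical). MUST be provided in the
#         jail config, as it cannot be detected here. The value is written
#         into the report line verbatim, so the placeholder below would be
#         reported as an unknown port.
# Values: [ NUM ]
#
port = ???

# Option: userid
# Notes.: Your DShield user ID. Should be provided either in the jail config or
#         in a .local file. The default of 0 submits reports anonymously.
#         Register at https://secure.dshield.org/register.html
# Values: [ NUM ]
#
userid = 0

# Option: myip
# Notes.: The target IP for the attack (your public IP). Should be provided
#         either in the jail config or in a .local file unless your PUBLIC IP
#         is the first IP assigned to eth0
# Values: [ an IP address ] Default: Tries to find the IP address of eth0,
#         which in most cases will be a private IP, and therefore incorrect
#
myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`

# Option: protocol
# Notes.: The protocol over which the attack is happening. Names are looked
#         up in /etc/protocols; a value not found there is reported as given.
# Values: [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp
#
protocol = tcp

# Option: lines
# Notes.: How many lines to buffer before making a report. Regardless of this,
#         reports are sent a minimum of <minreportinterval> apart, or if the
#         buffer contains an event over <maxbufferage> old, or on shutdown
# Values: [ NUM ]
#
lines = 50

# Option: minreportinterval
# Notes.: Minimum period (in seconds) that must elapse before we submit another
#         batch of reports. DShield request a minimum of 1 hour (3600 secs)
#         between reports.
# Values: [ NUM ]
#
minreportinterval = 3600

# Option: maxbufferage
# Notes.: Maximum age (in seconds) of the oldest report in the buffer before we
#         submit the batch, even if we haven't reached <lines> yet. Note that
#         this is only checked on each ban/unban, and that we always send
#         anything in the buffer on shutdown. Must be greater than
#         <minreportinterval>: the age check bypasses the interval check, so
#         a smaller value could trigger reports more often than DShield asks.
# Values: [ NUM ]
#
maxbufferage = 21600

# Option: srcport
# Notes.: The source port of the attack. You're unlikely to have this info, so
#         you can leave the default, which is passed through to the report
#         unchanged.
# Values: [ NUM ]
#
srcport = ???

# Option: tcpflags
# Notes.: TCP flags on attack. You're unlikely to have this info, so you can
#         leave empty
# Values: [ STRING ]
#
tcpflags =

# Option: mailcmd
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD
#
mailcmd = mail -s

# Option: mailargs
# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
#         CC reports to another address:
#           -c me@example.com
#         Appear to come from a different address (the From address must match
#         the one configured at DShield - the '--' indicates arguments to be
#         passed to Sendmail):
#           -- -f me@example.com
# Values: [ STRING ]
#
mailargs =

# Option: dest
# Notes.: Destination e-mail address for reports
# Values: [ STRING ]
#
dest = reports@dshield.org

# Option: tmpfile
# Notes.: Base name of temporary files used for buffering. Three files are
#         created next to it: <tmpfile>.buffer (pending report lines),
#         <tmpfile>.first (timestamp of the oldest buffered event) and
#         <tmpfile>.lastsent (time of the last report).
# Values: [ STRING ]
#
tmpfile = /var/run/fail2ban/tmp-dshield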