reset
This commit is contained in:
parent
c05312664d
commit
23f2b1688f
|
@ -1,85 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
## Update fail2ban iptables with globally known attackers.
|
||||
## Actually, runs 100% independently now, without needing fail2ban installed.
|
||||
##
|
||||
## /etc/cron.daily/sync-fail2ban
|
||||
##
|
||||
## Author: Marcos Kobylecki <fail2ban.globalBlackList@askmarcos.com>
|
||||
## http://www.reddit.com/r/linux/comments/2nvzur/shared_blacklists_from_fail2ban/
|
||||
|
||||
|
||||
## Quit if fail2ban is missing. Maybe this fake requirement can be skipped? YES.
|
||||
#PROGRAM=/etc/init.d/fail2ban
|
||||
#[ -x $PROGRAM ] || exit 0
|
||||
|
||||
datadir=/etc/fail2ban
|
||||
[[ -d "$datadir" ]] || datadir=/tmp
|
||||
|
||||
## Get default settings of fail2ban (optional?)
|
||||
[ -r /etc/default/fail2ban ] && . /etc/default/fail2ban
|
||||
|
||||
umask 000
|
||||
blacklistf=$datadir/blacklist.blocklist.de.txt
|
||||
|
||||
mv -vf $blacklistf $blacklistf.last
|
||||
|
||||
badlisturls="http://antivirus.neu.edu.cn/ssh/lists/base_30days.txt http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt"
|
||||
|
||||
|
||||
iptables -vN fail2ban-ssh # Create the chain if it doesn't exist. Harmless if it does.
|
||||
|
||||
# Grab list(s) at https://www.blocklist.de/en/export.html . Block.
|
||||
echo "Adding new blocks:"
|
||||
time curl -s http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt \
|
||||
|sort -u \
|
||||
|tee $blacklistf \
|
||||
|grep -v '^#\|:' \
|
||||
|while read IP; do iptables -I fail2ban-ssh 1 -s $IP -j DROP; done
|
||||
|
||||
|
||||
|
||||
# Which listings had been removed since last time? Unblock.
|
||||
echo "Removing old blocks:"
|
||||
if [[ -r $blacklistf.diff ]]; then
|
||||
# comm is brittle, cannot use sort -rn
|
||||
time comm -23 $blacklistf.last $blacklistf \
|
||||
|tee $blacklistf.delisted \
|
||||
|grep -v '^#\|:' \
|
||||
|while read IP; do iptables -w -D fail2ban-ssh -s $IP -j DROP || iptables -wv -D fail2ban-ssh -s $IP -j LOGDROP; done
|
||||
|
||||
fi
|
||||
|
||||
|
||||
# prepare for next time.
|
||||
diff -wbay $blacklistf.last $blacklistf > $blacklistf.diff
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# Saves a copy of current iptables rules, should you like to check them later.
|
||||
(set -x; iptables -wnv -L --line-numbers; iptables -wnv -t nat -L --line-numbers) &> /tmp/iptables.fail2ban.log &
|
||||
|
||||
|
||||
exit
|
||||
|
||||
# iptables v1.4.21: host/network `2a00:1210:fffe:145::1' not found
|
||||
# So weed out IPv6, try |grep -v ':'
|
||||
|
||||
## http://ix.io/fpC
|
||||
|
||||
|
||||
# Option: actionban
|
||||
# Notes.: command executed when banning an IP. Take care that the
|
||||
# command is executed with Fail2Ban user rights.
|
||||
# Tags: See jail.conf(5) man page
|
||||
# Values: CMD
|
||||
#
|
||||
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype># Option: actionunban
|
||||
# Notes.: command executed when unbanning an IP. Take care that the
|
||||
# command is executed with Fail2Ban user rights.
|
||||
# Tags: See jail.conf(5) man page
|
||||
# Values: CMD
|
||||
#
|
||||
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
|
|
@ -6,39 +6,21 @@
|
|||
# ours too. The string is substituted during installation.
|
||||
ignoreip = 127.0.0.1/8 PUBLIC_IP
|
||||
|
||||
action = %(action_mwl)s
|
||||
|
||||
# JAILS
|
||||
# Uncomment actions out with proper addresses once blocklist.de is configured, I like to send it to two email addresses, in addition to blocklist.de
|
||||
|
||||
[ssh]
|
||||
maxretry = 7
|
||||
bantime = 3600
|
||||
|
||||
|
||||
[ssh-ddos]
|
||||
enabled = true
|
||||
|
||||
[sasl]
|
||||
enabled = true
|
||||
|
||||
|
||||
[nginx]
|
||||
|
||||
enabled = true
|
||||
filter = nginx-http-auth
|
||||
port = http,https
|
||||
|
||||
[nginx-badbots]
|
||||
|
||||
enabled = true
|
||||
port = http,https
|
||||
filter = nginx-badbots
|
||||
logpath = /var/log/nginx/access.log
|
||||
maxretry = 2
|
||||
|
||||
[dovecot]
|
||||
enabled = true
|
||||
filter = dovecotimap
|
||||
enabled = true
|
||||
filter = dovecotimap
|
||||
findtime = 30
|
||||
maxretry = 20
|
||||
logpath = /var/log/mail.log
|
||||
|
@ -47,7 +29,6 @@ logpath = /var/log/mail.log
|
|||
enabled = true
|
||||
maxretry = 10
|
||||
action = iptables-allports[name=recidive]
|
||||
|
||||
# In the recidive section of jail.conf the action contains:
|
||||
#
|
||||
# action = iptables-allports[name=recidive]
|
||||
|
@ -58,44 +39,3 @@ action = iptables-allports[name=recidive]
|
|||
# By default we don't configure this address and no action is required from the admin anyway.
|
||||
# So the notification is ommited. This will prevent message appearing in the mail.log that mail
|
||||
# can't be delivered to fail2ban@$HOSTNAME.
|
||||
|
||||
# Copied from ChiefGyk's OwnCloud
|
||||
[owncloud]
|
||||
enabled = true
|
||||
filter = owncloud
|
||||
logpath = STORAGE_ROOT/owncloud/owncloud.log
|
||||
maxretry = 20
|
||||
findtime = 300
|
||||
|
||||
[miab-management]
|
||||
enabled = true
|
||||
filter = miab-management-daemon
|
||||
port = http,https
|
||||
logpath = /var/log/syslog
|
||||
maxretry = 20
|
||||
findtime = 30
|
||||
|
||||
[miab-munin]
|
||||
enabled = true
|
||||
port = http,https
|
||||
filter = miab-munin
|
||||
logpath = /var/log/nginx/access.log
|
||||
maxretry = 20
|
||||
findtime = 30
|
||||
|
||||
[miab-postfix587]
|
||||
enabled = true
|
||||
port = 587
|
||||
filter = miab-postfix-submission
|
||||
logpath = /var/log/mail.log
|
||||
maxretry = 20
|
||||
findtime = 30
|
||||
|
||||
[miab-roundcube]
|
||||
enabled = true
|
||||
port = http,https
|
||||
filter = miab-roundcube
|
||||
logpath = /var/log/roundcubemail/errors
|
||||
maxretry = 20
|
||||
findtime = 30
|
||||
|
||||
|
|
|
@ -1,12 +0,0 @@
|
|||
# Fail2Ban filter Mail-in-a-Box management daemon
|
||||
|
||||
[INCLUDES]
|
||||
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
_daemon = mailinabox
|
||||
|
||||
failregex = Mail-in-a-Box Management Daemon: Failed login attempt from ip <HOST> - timestamp .*
|
||||
ignoreregex =
|
|
@ -1,7 +0,0 @@
|
|||
[INCLUDES]
|
||||
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
failregex=<HOST> - .*GET /admin/munin/.* HTTP/1.1\" 401.*
|
||||
ignoreregex =
|
|
@ -1,7 +0,0 @@
|
|||
[INCLUDES]
|
||||
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
failregex=Login failed: .*Remote IP: '<HOST>[\)']
|
||||
ignoreregex =
|
|
@ -1,7 +0,0 @@
|
|||
[INCLUDES]
|
||||
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
failregex=postfix/submission/smtpd.*warning.*\[<HOST>\]: .* authentication (failed|aborted)
|
||||
ignoreregex =
|
|
@ -1,9 +0,0 @@
|
|||
[INCLUDES]
|
||||
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
|
||||
failregex = IMAP Error: Login failed for .*? from <HOST>\. AUTHENTICATE.*
|
||||
|
||||
ignoreregex =
|
|
@ -1,21 +0,0 @@
|
|||
# Fail2Ban configuration file
|
||||
#
|
||||
# Regexp to catch known spambots and software alike. Please verify
|
||||
# that it is your intent to block IPs which were driven by
|
||||
# above mentioned bots.
|
||||
|
||||
|
||||
[Definition]
|
||||
|
||||
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
|
||||
badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, +http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
|
||||
|
||||
failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# DEV Notes:
|
||||
# List of bad bots fetched from http://www.user-agents.org
|
||||
# Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots.
|
||||
#
|
||||
# Author: Yaroslav Halchenko
|
|
@ -1,17 +0,0 @@
|
|||
# fail2ban filter configuration for nginx
|
||||
|
||||
|
||||
[Definition]
|
||||
|
||||
|
||||
failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
|
||||
^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
|
||||
|
||||
ignoreregex =
|
||||
|
||||
# DEV NOTES:
|
||||
# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
|
||||
# Extensive search of all nginx auth failures not done yet.
|
||||
#
|
||||
# Author: Daniel Black
|
||||
# Second entry done by Alon Ganon
|
|
@ -1,8 +0,0 @@
|
|||
[INCLUDES]
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
_daemon = owncloud
|
||||
|
||||
failregex = {"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: '<HOST>'\)","level":2,"time":".*","method":".*}
|
||||
ignoreregex =
|
File diff suppressed because it is too large
Load Diff
|
@ -118,26 +118,6 @@ apt_install python3 python3-dev python3-pip \
|
|||
netcat-openbsd wget curl git sudo coreutils bc \
|
||||
haveged pollinate \
|
||||
unattended-upgrades cron ntp fail2ban
|
||||
|
||||
# Add Rootkit hunter
|
||||
# I have it install and then update to install dependencies and such
|
||||
# It adds a crontab to check daily at 4:15AM
|
||||
# Added by Alon "Chief Gyk" Ganon
|
||||
apt_install rkhunter binutils libreadline5 ruby ruby1.9.1 unhide.rb
|
||||
wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz
|
||||
tar xzvf rkhunter*
|
||||
cd rkhunter*
|
||||
./installer.sh --layout /usr --install
|
||||
cd ..
|
||||
rm -rf rkhunter*
|
||||
cp conf/rkhunter/rkhunter.conf /etc/rkhunter.conf.local
|
||||
sed -i '/APT_AUTOGEN="false"/c\APT_AUTOGEN="yes"' /etc/default/rkhunter
|
||||
rkhunter --update
|
||||
rkhunter --propupd
|
||||
(crontab -l 2>/dev/null; echo "15 04 * * * /usr/bin/rkhunter --cronjob --update --quiet
|
||||
")| crontab -
|
||||
|
||||
|
||||
|
||||
# ### Set the system timezone
|
||||
#
|
||||
|
@ -312,25 +292,9 @@ restart_service resolvconf
|
|||
# ### Fail2Ban Service
|
||||
|
||||
# Configure the Fail2Ban installation to prevent dumb bruce-force attacks against dovecot, postfix and ssh
|
||||
# ChiefGyk commented out a filter to use my own temporarily. May be removed later on line 322
|
||||
cat conf/fail2ban/jail.local \
|
||||
| sed "s/PUBLIC_IP/$PUBLIC_IP/g" \
|
||||
> /etc/fail2ban/jail.local
|
||||
cp conf/fail2ban/dovecotimap.conf /etc/fail2ban/filter.d/dovecotimap.conf
|
||||
cp conf/fail2ban/nginx.conf /etc/fail2ban/filter.d/nginx.conf
|
||||
cp conf/fail2ban/miab-management-daemon.conf /etc/fail2ban/filter.d/miab-management-daemon.conf
|
||||
cp conf/fail2ban/miab-munin.conf /etc/fail2ban/filter.d/miab-munin.conf
|
||||
#cp conf/fail2ban/miab-owncloud.conf /etc/fail2ban/filter.d/miab-owncloud.conf
|
||||
cp conf/fail2ban/miab-postfix-submission.conf /etc/fail2ban/filter.d/miab-postfix-submission.conf
|
||||
cp conf/fail2ban/miab-roundcube.conf /etc/fail2ban/filter.d/miab-roundcube.conf
|
||||
cp conf/fail2ban/owncloud.conf /etc/fail2ban/filter.d/owncloud.conf
|
||||
|
||||
restart_service fail2ban
|
||||
|
||||
# Add Blocklist.de malicious IP Addresses to Daily Crontab
|
||||
# Added by Alon "ChiefGyk" Ganon
|
||||
cp conf/blocklist/sync-fail2ban /etc/cron.daily/sync-fail2ban
|
||||
chmod a+x /etc/cron.daily/sync-fail2ban
|
||||
time /etc/cron.daily/sync-fail2ban
|
||||
|
||||
|
||||
|
|
Loading…
Reference in New Issue