From 3b1b70ed16fa5d65b3be9f09db2d36e5b3d493ce Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Sun, 26 Jun 2016 10:57:59 -0400 Subject: [PATCH] added Fail2ban filters from #866, #767, and #798 on main branch --- conf/fail2ban/jail.local | 89 +++++++++++++++++++++- conf/fail2ban/miab-management-daemon.conf | 12 +++ conf/fail2ban/miab-munin.conf | 20 +++++ conf/fail2ban/miab-owncloud.conf | 28 +++++++ conf/fail2ban/miab-postfix-submission.conf | 7 ++ conf/fail2ban/miab-roundcube.conf | 9 +++ conf/fail2ban/nginx-badbots.conf | 38 +++++++++ conf/fail2ban/nginx.conf | 17 +++++ setup/system.sh | 6 ++ 9 files changed, 222 insertions(+), 4 deletions(-) create mode 100644 conf/fail2ban/miab-management-daemon.conf create mode 100644 conf/fail2ban/miab-munin.conf create mode 100644 conf/fail2ban/miab-owncloud.conf create mode 100644 conf/fail2ban/miab-postfix-submission.conf create mode 100644 conf/fail2ban/miab-roundcube.conf create mode 100644 conf/fail2ban/nginx-badbots.conf create mode 100644 conf/fail2ban/nginx.conf diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local index dc338803..20860098 100644 --- a/conf/fail2ban/jail.local +++ b/conf/fail2ban/jail.local @@ -6,29 +6,54 @@ # ours too. The string is substituted during installation. ignoreip = 127.0.0.1/8 PUBLIC_IP +action = %(action_mwl)s + # JAILS +# Uncomment actions out with proper addresses once blocklist.de is configured, I like to send it to two email addresses [ssh] maxretry = 7 bantime = 3600 - +# action = sendmail-whois-lines[name=ssh, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] + [ssh-ddos] enabled = true +# action = sendmail-whois-lines[name=ssh-ddos, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] [sasl] enabled = true +# action = sendmail-whois-lines[name=sasl, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] + + +[nginx] + +enabled = true +filter = nginx-http-auth +port = http,https +# action = sendmail-whois-lines[name=nginx-http-auth, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] + +[nginx-badbots] + +enabled = true +port = http,https +filter = nginx-badbots +# action = sendmail-whois-lines[name=nginx-badbots, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +logpath = /var/log/nginx/access.log +maxretry = 2 [dovecot] -enabled = true -filter = dovecotimap +enabled = true +filter = dovecotimap findtime = 30 maxretry = 20 -logpath = /var/log/mail.log +# action = sendmail-whois-lines[name=dovecot, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] [recidive] enabled = true maxretry = 10 action = iptables-allports[name=recidive] +# sendmail-whois-lines[name=recidive, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] + # In the recidive section of jail.conf the action contains: # # action = iptables-allports[name=recidive] @@ -39,3 +64,59 @@ action = iptables-allports[name=recidive] # By default we don't configure this address and no action is required from the admin anyway. # So the notification is ommited. This will prevent message appearing in the mail.log that mail # can't be delivered to fail2ban@$HOSTNAME. + +# Copied from ChiefGyk's OwnCloud +# [owncloud] +# enabled = true +# filter = owncloud +# action = sendmail-whois-lines[name=owncloud, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +# logpath = /home/user-data/owncloud/owncloud.log +# maxretry = 20 +# findtime = 300 +# bantime = 300 + +[miab-management] +enabled = true +filter = miab-management-daemon +# action = sendmail-whois-lines[name=miab-management, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +port = http,https +logpath = /var/log/syslog +maxretry = 20 +findtime = 30 + +[miab-munin] +enabled = true +port = http,https +filter = miab-munin +# action = sendmail-whois-lines[name=miab-munin, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +logpath = /var/log/nginx/access.log +maxretry = 20 +findtime = 30 + +[miab-owncloud] +enabled = true +port = http,https +filter = miab-owncloud +# action = sendmail-whois-lines[name=miab-owncloud, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +logpath = /home/user-data/owncloud/owncloud.log +maxretry = 20 +findtime = 30 + +[miab-postfix587] +enabled = true +port = 587 +filter = miab-postfix-submission +# action = sendmail-whois-lines[name=miab-postfix-submission, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +logpath = /var/log/mail.log +maxretry = 20 +findtime = 30 + +[miab-roundcube] +enabled = true +port = http,https +filter = miab-roundcube +action = sendmail-whois-lines[name=miab-roundcube, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +logpath = /var/log/roundcubemail/errors +maxretry = 20 +findtime = 30 + diff --git a/conf/fail2ban/miab-management-daemon.conf b/conf/fail2ban/miab-management-daemon.conf new file mode 100644 index 00000000..0b0489c2 --- /dev/null +++ b/conf/fail2ban/miab-management-daemon.conf @@ -0,0 +1,12 @@ +# Fail2Ban filter Mail-in-a-Box management daemon + +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = mailinabox + +failregex = Mail-in-a-Box Management Daemon: Failed login attempt from ip - timestamp .* +ignoreregex = diff --git a/conf/fail2ban/miab-munin.conf b/conf/fail2ban/miab-munin.conf new file mode 100644 index 00000000..a923be1e --- /dev/null +++ b/conf/fail2ban/miab-munin.conf @@ -0,0 +1,20 @@ +# Fail2Ban filter Mail-in-a-Box management daemon + +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = mailinabox + +failregex = Mail-in-a-Box Management Daemon: Failed login attempt from ip - timestamp .* +ignoreregex = +alon@box:/etc/fail2ban$ cat filter.d/miab-munin.conf +[INCLUDES] + +before = common.conf + +[Definition] +failregex= - .*GET /admin/munin/.* HTTP/1.1\" 401.* +ignoreregex = diff --git a/conf/fail2ban/miab-owncloud.conf b/conf/fail2ban/miab-owncloud.conf new file mode 100644 index 00000000..153dffa7 --- /dev/null +++ b/conf/fail2ban/miab-owncloud.conf @@ -0,0 +1,28 @@ +# Fail2Ban filter Mail-in-a-Box management daemon + +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = mailinabox + +failregex = Mail-in-a-Box Management Daemon: Failed login attempt from ip - timestamp .* +ignoreregex = +alon@box:/etc/fail2ban$ cat filter.d/miab-munin.conf +[INCLUDES] + +before = common.conf + +[Definition] +failregex= - .*GET /admin/munin/.* HTTP/1.1\" 401.* +ignoreregex = +alon@box:/etc/fail2ban$ cat filter.d/miab-owncloud.conf +[INCLUDES] + +before = common.conf + +[Definition] +failregex=Login failed: .*Remote IP: '[\)'] +ignoreregex = diff --git a/conf/fail2ban/miab-postfix-submission.conf b/conf/fail2ban/miab-postfix-submission.conf new file mode 100644 index 00000000..236e1331 --- /dev/null +++ b/conf/fail2ban/miab-postfix-submission.conf @@ -0,0 +1,7 @@ +[INCLUDES] + +before = common.conf + +[Definition] +failregex=postfix/submission/smtpd.*warning.*\[\]: .* authentication (failed|aborted) +ignoreregex = diff --git a/conf/fail2ban/miab-roundcube.conf b/conf/fail2ban/miab-roundcube.conf new file mode 100644 index 00000000..c6979c85 --- /dev/null +++ b/conf/fail2ban/miab-roundcube.conf @@ -0,0 +1,9 @@ +[INCLUDES] + +before = common.conf + +[Definition] + +failregex = IMAP Error: Login failed for .*? from \. AUTHENTICATE.* + +ignoreregex = diff --git a/conf/fail2ban/nginx-badbots.conf b/conf/fail2ban/nginx-badbots.conf new file mode 100644 index 00000000..c32b9f2a --- /dev/null +++ b/conf/fail2ban/nginx-badbots.conf @@ -0,0 +1,38 @@ +# fail2ban filter configuration for nginx + + +[Definition] + + +failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ + ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ + +ignoreregex = + +# DEV NOTES: +# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files +# Extensive search of all nginx auth failures not done yet. +# +# Author: Daniel Black +alon@box:/etc/fail2ban$ cat filter.d/nginx-badbots.conf +# Fail2Ban configuration file +# +# Regexp to catch known spambots and software alike. Please verify +# that it is your intent to block IPs which were driven by +# above mentioned bots. + + +[Definition] + +badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider +badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, +http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 + +failregex = ^ -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ + +ignoreregex = + +# DEV Notes: +# List of bad bots fetched from http://www.user-agents.org +# Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots. +# +# Author: Yaroslav Halchenko diff --git a/conf/fail2ban/nginx.conf b/conf/fail2ban/nginx.conf new file mode 100644 index 00000000..74dfe184 --- /dev/null +++ b/conf/fail2ban/nginx.conf @@ -0,0 +1,17 @@ +# fail2ban filter configuration for nginx + + +[Definition] + + +failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ + ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ + +ignoreregex = + +# DEV NOTES: +# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files +# Extensive search of all nginx auth failures not done yet. +# +# Author: Daniel Black +# Second entry done by Alon Ganon \ No newline at end of file diff --git a/setup/system.sh b/setup/system.sh index cc152524..d6ddc5e9 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -296,5 +296,11 @@ cat conf/fail2ban/jail.local \ | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ > /etc/fail2ban/jail.local cp conf/fail2ban/dovecotimap.conf /etc/fail2ban/filter.d/dovecotimap.conf +cp conf/fail2ban/nginx.conf /etc/fail2ban/filter.d/nginx.conf +cp conf/fail2ban/miab-management-daemon.conf /etc/fail2ban/filter.d/miab-management-daemon.conf +cp conf/fail2ban/miab-munin.conf /etc/fail2ban/filter.d/miab-munin.conf +cp conf/fail2ban/miab-owncloud.conf /etc/fail2ban/filter.d/miab-owncloud.conf +cp conf/fail2ban/miab-postfix-submission.conf /etc/fail2ban/filter.d/miab-postfix-submission.conf +cp conf/fail2ban/miab-roundcube.conf /etc/fail2ban/filter.d/miab-roundcube.conf restart_service fail2ban