From 63255d321a562dea326e0218426501d3d649ac9b Mon Sep 17 00:00:00 2001
From: KiekerJan
Date: Sat, 28 Aug 2021 13:34:37 +0200
Subject: [PATCH] tuning fail2ban

---
 .../filter.d/miab-postfix-rdnsfail.conf | 12 +++++++
 .../filter.d/miab-postfix-scanner.conf | 7 +++++
 conf/fail2ban/filter.d/nginx-badrequests.conf | 8 +++++
 .../filter.d/nginx-missingresource.conf | 6 ++++
 conf/fail2ban/filter.d/webexploits.conf | 5 +--
 conf/fail2ban/jail.d/badrequests.conf | 14 +++++++++
 conf/fail2ban/jail.d/postfix-extra.conf | 31 +++++++++++++++++++
 conf/fail2ban/jail.d/webexploits.conf | 8 +++--
 conf/fail2ban/jails.conf | 4 +--
 9 files changed, 89 insertions(+), 6 deletions(-)
 create mode 100644 conf/fail2ban/filter.d/miab-postfix-rdnsfail.conf
 create mode 100644 conf/fail2ban/filter.d/miab-postfix-scanner.conf
 create mode 100644 conf/fail2ban/filter.d/nginx-badrequests.conf
 create mode 100644 conf/fail2ban/filter.d/nginx-missingresource.conf
 create mode 100644 conf/fail2ban/jail.d/badrequests.conf
 create mode 100644 conf/fail2ban/jail.d/postfix-extra.conf

diff --git a/conf/fail2ban/filter.d/miab-postfix-rdnsfail.conf b/conf/fail2ban/filter.d/miab-postfix-rdnsfail.conf
new file mode 100644
index 00000000..c2eb3634
--- /dev/null
+++ b/conf/fail2ban/filter.d/miab-postfix-rdnsfail.conf
@@ -0,0 +1,12 @@
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+miab-errors=postfix/(submission/)?smtpd.*warning: hostname .* does not resolve to address :.+
+miab-normal=postfix/(submission/)?smtpd.*warning: hostname .* does not resolve to address $
+ignoreregex =
+
+failregex = >
+
+mode = normal
\ No newline at end of file
diff --git a/conf/fail2ban/filter.d/miab-postfix-scanner.conf b/conf/fail2ban/filter.d/miab-postfix-scanner.conf
new file mode 100644
index 00000000..191dacd6
--- /dev/null
+++ b/conf/fail2ban/filter.d/miab-postfix-scanner.conf
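Review bot: The `failregex = >` line in this hunk is not a usable regex as shown; presumably the committed file reads `failregex = <miab-<mode>>` and the angle-bracket tag was lost in this rendering, just as the `<HOST>` tag appears to be missing from both `miab-*` patterns (`does not resolve to address :.+` / `address $`), so please confirm the file carries both. If that is the case, `mode = normal` is only the default: fail2ban expands `<miab-<mode>>` at load time, so a jail that passes `[mode=errors]` selects the `miab-errors` pattern while plain use selects `miab-normal`. The file also ends without a trailing newline (`\ No newline at end of file`), which fail2ban tolerates but is worth fixing for consistency with the other new filters.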
@@ -0,0 +1,7 @@
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+failregex=postfix/submission/smtpd.*warning: non-SMTP command from.*\[\].*HTTP.*$
+ignoreregex =
diff --git a/conf/fail2ban/filter.d/nginx-badrequests.conf b/conf/fail2ban/filter.d/nginx-badrequests.conf
new file mode 100644
index 00000000..5ba83405
--- /dev/null
+++ b/conf/fail2ban/filter.d/nginx-badrequests.conf
@@ -0,0 +1,8 @@
+# Ban requests for non-existing or not-allowed resources
+# Ban requests for 40x results
+
+[Definition]
+# first regex for error.log, second for access.log
+failregex = ^.* \[error\] .*2: No such file or directory.*client: .*$
+            ^ - .*"(GET|POST|HEAD).*HTTP.*" (400|401|403|404) .*$
+ignoreregex = ^.*(robots.txt|favicon.ico).*$
\ No newline at end of file
diff --git a/conf/fail2ban/filter.d/nginx-missingresource.conf b/conf/fail2ban/filter.d/nginx-missingresource.conf
new file mode 100644
index 00000000..22a26e7b
--- /dev/null
+++ b/conf/fail2ban/filter.d/nginx-missingresource.conf
@@ -0,0 +1,6 @@
+# Ban requests for non-existing or not-allowed resources
+
+[Definition]
+failregex = ^.* \[error\] .*2: No such file or directory.*client: .*$
+ignoreregex = ^.*(robots.txt|favicon.ico).*$
+
diff --git a/conf/fail2ban/filter.d/webexploits.conf b/conf/fail2ban/filter.d/webexploits.conf
index ff5a101a..dbb297ae 100644
--- a/conf/fail2ban/filter.d/webexploits.conf
+++ b/conf/fail2ban/filter.d/webexploits.conf
@@ -97,7 +97,8 @@ failregex = ^ -.*(GET|POST|HEAD).*(/\.git/config)
             ^ -.*(GET|POST|HEAD).*(/examples/file-manager\.html)
             ^ -.*(GET|POST|HEAD).*(/getcfg\.php)
             ^ -.*(GET|POST|HEAD).*(/get_password\.php)
-            ^ -.*(GET|POST|HEAD).*(/\.git/info/)
+            ^ -.*(GET|POST|HEAD).*(/\.git/info)
+            ^ -.*(GET|POST|HEAD).*(/\.git/HEAD)
             ^ -.*(GET|POST|HEAD).*(/Hello\.World)
             ^ -.*(GET|POST|HEAD).*(/hndUnblock\.cgi)
             ^ -.*(GET|POST|HEAD).*(/images/login9/login_33\.jpg)
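Review bot: The scanner pattern `postfix/submission/smtpd.*warning: non-SMTP command from` matches only the submission service, yet the jail that uses it covers `port = smtp,465,587`, and Postfix logs the same warning for port 25 under `postfix/smtpd`, so HTTP probes against port 25 are never counted. For consistency with the sibling `miab-postfix-rdnsfail` filter use `failregex=postfix/(submission/)?smtpd.*warning: non-SMTP command from.*\[\].*HTTP.*$` (or `postfix/\S*smtpd` if other smtpd instance names are in use). The empty `\[\]` between `from` and `HTTP` is presumably `\[<HOST>\]` with the tag stripped by this rendering; without a host capture fail2ban would reject the filter, so confirm the committed file has it.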
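Review bot: Counting `401` in the access.log pattern will ban legitimate clients: any client that uses HTTP Basic auth receives a 401 challenge before it sends credentials, and a device syncing several accounts can clear the jail's 8-hits-in-15-minutes threshold on its own. Drop it from the status alternation, `(400|403|404)`, and leave repeated authentication failures to the dedicated auth jails. Consider also extending `ignoreregex` beyond `robots.txt|favicon.ico`, since 404s on `/.well-known/` probes and `apple-touch-icon*.png` come from ordinary browsers and mail-client autodiscovery rather than scanners. The `<HOST>` capture appears stripped from both patterns in this rendering (`client: .*$` and `^ - .*"`); confirm it is present in the file.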
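Review bot: Nothing in this patch references the new `nginx-missingresource` filter; the only new nginx jail, `[badrequests]`, uses `nginx-badrequests`, whose first `failregex` line is identical to this one. Either add the jail this filter is meant for or drop the file, otherwise the two copies of the `No such file or directory` pattern will drift apart. If it is kept, a header such as `# Subset of nginx-badrequests: error.log only, no access.log status matching` would make the relationship explicit.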
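Review bot: With `/\.git/config`, `/\.git/info` and now `/\.git/HEAD` as three separate unanchored alternatives, any request under `.git/` is already treated as an exploit probe, so a single `(/\.git/)` entry would cover these three plus the other files scanners fetch (`index`, `packed-refs`, `refs/heads/`) with one regex pass per log line instead of three. Each entry is `.*(/\.git/...)` after an unbounded `.*`, so it also fires on the referer and user-agent fields; that is pre-existing behaviour but worth knowing before broadening the pattern. The `failregex` list these lines belong to begins above this hunk.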
@@ -231,7 +232,7 @@ failregex = ^ -.*(GET|POST|HEAD).*(/\.git/config)
             ^ -.*(GET|POST|HEAD).*(\x22sanitize)
             ^ -.*(GET|POST|HEAD).*(\x22SimplePie)
             ^ -.*(GET|POST|HEAD).*(\x5C0disconnectHandlers)
-            ^ -.*(GET).*(\.\./wp-config.php)
+            ^ -.*(GET|POST|HEAD).*(\.\./wp-config.php)
 
 ignoreregex =
 
diff --git a/conf/fail2ban/jail.d/badrequests.conf b/conf/fail2ban/jail.d/badrequests.conf
new file mode 100644
index 00000000..d80e527c
--- /dev/null
+++ b/conf/fail2ban/jail.d/badrequests.conf
@@ -0,0 +1,14 @@
+# Block clients that generate too many non existing resources
+# Do not deploy of you host many websites on your box
+# any bad html link will trigger a false positive.
+# This jail is meant to catch scanners that try many
+# sites.
+[badrequests]
+enabled = true
+port = http,https
+filter = nginx-badrequests
+logpath = /var/log/nginx/error.log
+          /var/log/nginx/access.log
+maxretry = 8
+findtime = 15m
+bantime = 15m
diff --git a/conf/fail2ban/jail.d/postfix-extra.conf b/conf/fail2ban/jail.d/postfix-extra.conf
new file mode 100644
index 00000000..2e62e70d
--- /dev/null
+++ b/conf/fail2ban/jail.d/postfix-extra.conf
@@ -0,0 +1,31 @@
+# typically non smtp commands. Block fast for access to postfix
+[miab-postfix-scanner]
+enabled = true
+port = smtp,465,587
+filter = miab-postfix-scanner
+logpath = /var/log/mail.log
+maxretry = 2
+findtime = 1d
+bantime = 1h
+
+# ip lookup of hostname does not match. Go easy on block
+[miab-pf-rdnsfail]
+enabled = true
+port = smtp,465,587
+mode = normal
+filter = miab-postfix-rdnsfail
+logpath = /var/log/mail.log
+maxretry = 8
+findtime = 12h
+bantime = 30m
+
+# ip lookup of hostname does not match with failure. More strict block
+[miab-pf-rdnsfail-e]
+enabled = true
+port = smtp,465,587
+mode = errors
+filter = miab-postfix-rdnsfail[mode=errors]
+logpath = /var/log/mail.log
+maxretry = 4
+findtime = 1d
+bantime = 1h
diff --git a/conf/fail2ban/jail.d/webexploits.conf b/conf/fail2ban/jail.d/webexploits.conf
index 30baaceb..f5edda95 100644
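Review bot: The edited `\.\./wp-config.php` entry escapes the two traversal dots but leaves the dot in `config.php` unescaped, unlike every neighbouring entry (`\.html`, `\.php`, `\.cgi`); `^ -.*(GET|POST|HEAD).*(\.\./wp-config\.php)` keeps the list uniform and stops the entry matching an arbitrary character there. Widening the method list to `GET|POST|HEAD` is consistent with the rest of the file. The `failregex` list this line belongs to begins above the hunk.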
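Review bot: The header warns that this jail raises false positives on a box hosting several websites, yet it ships `enabled = true`, so every install gets a ban rule keyed on plain 404s by default with only an opt-out; `enabled = false` plus a note on enabling it from a `jail.local` override is the safer default. While there, fix the typo in the header: `# Do not deploy if you host many websites on your box`. Note also that both `logpath` entries feed one filter with one pattern per log, so a request for a missing static file can be counted twice, once from error.log (`No such file or directory`) and once from access.log (`404`), which effectively halves the stated `maxretry = 8`; say so in the comment or raise the threshold accordingly.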
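Review bot: `[miab-pf-rdnsfail-e]` treats the `mode=errors` variant as the more serious case (4 hits, 1h ban), but the text Postfix appends after `does not resolve to address <ip>:` appears to be the resolver's error string, which includes temporary lookup failures of the server's own DNS resolver; during a local resolver outage every connecting host produces that line and this jail would start banning legitimate senders. Consider making the errors jail the lenient one, or adding the temporary-failure wording to the filter's `ignoreregex`, and document the trade-off in the jail comment. The jail-level `mode = normal` and `mode = errors` lines are not options fail2ban reads at jail scope; the mode actually applied is the filter parameter in `filter = miab-postfix-rdnsfail[mode=errors]`, so drop the two `mode =` lines to avoid implying otherwise. The section names are also inconsistent (`miab-postfix-scanner` vs `miab-pf-rdnsfail`); pick one prefix.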
--- a/conf/fail2ban/jail.d/webexploits.conf
+++ b/conf/fail2ban/jail.d/webexploits.conf
@@ -1,8 +1,12 @@
+# Block clients based on a list of specific requests
+# The list contains applications that are not installed
+# only scanners and bad parties will try too often
+# so blocking can be fast and long
 [webexploits]
 enabled = true
 port = http,https
 filter = webexploits
 logpath = /var/log/nginx/access.log
 maxretry = 2
-findtime = 240m
-bantime = 60m
+findtime = 4h
+bantime = 4h
diff --git a/conf/fail2ban/jails.conf b/conf/fail2ban/jails.conf
index b360aa77..006a5c7e 100644
--- a/conf/fail2ban/jails.conf
+++ b/conf/fail2ban/jails.conf
@@ -5,7 +5,7 @@
 # Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks
 # ping services over the public interface so we should whitelist that address of
 # ours too. The string is substituted during installation.
-ignoreip = 127.0.0.1/8 ::1/128 PUBLIC_IP PUBLIC_IPV6 ADMIN_HOME_IP ADMIN_HOME_IPV6
+ignoreip = 127.0.0.1/8 ::1/128 PUBLIC_IP PUBLIC_IPV6/64 ADMIN_HOME_IP ADMIN_HOME_IPV6/64
 bantime = 15m
 findtime = 120m
 maxretry = 4
@@ -69,7 +69,7 @@ findtime = 15m
 enabled = true
 maxretry = 10
 bantime = 2w
-findtime = 3d
+findtime = 6d
 action = iptables-allports[name=recidive]
 # In the recidive section of jail.conf the action contains:
 #
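Review bot: Appending `/64` to `PUBLIC_IPV6` and `ADMIN_HOME_IPV6` exempts an entire /64 from every jail; on providers that carve one /64 across several customers, or on a home network whose /64 also holds guest and IoT devices, that is a far larger trust grant than the two single addresses the previous line whitelisted. It also makes the line fragile: if the installer substitutes an empty string when no IPv6 address is configured (the comment only says the string is substituted during installation), the token degenerates to a bare `/64`, which fail2ban is likely to reject when parsing `ignoreip`. Have the installer emit the whole `addr/prefix` token, e.g. `ADMIN_HOME_IPV6` expanding to `2001:db8::1/64` or to nothing, and keep the server's own address as a single host unless the provider guarantees the /64 is exclusive.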