From 3b1b70ed16fa5d65b3be9f09db2d36e5b3d493ce Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Sun, 26 Jun 2016 10:57:59 -0400 Subject: [PATCH 01/20] added Fail2ban filters from #866, #767, and #798 on main branch --- conf/fail2ban/jail.local | 89 +++++++++++++++++++++- conf/fail2ban/miab-management-daemon.conf | 12 +++ conf/fail2ban/miab-munin.conf | 20 +++++ conf/fail2ban/miab-owncloud.conf | 28 +++++++ conf/fail2ban/miab-postfix-submission.conf | 7 ++ conf/fail2ban/miab-roundcube.conf | 9 +++ conf/fail2ban/nginx-badbots.conf | 38 +++++++++ conf/fail2ban/nginx.conf | 17 +++++ setup/system.sh | 6 ++ 9 files changed, 222 insertions(+), 4 deletions(-) create mode 100644 conf/fail2ban/miab-management-daemon.conf create mode 100644 conf/fail2ban/miab-munin.conf create mode 100644 conf/fail2ban/miab-owncloud.conf create mode 100644 conf/fail2ban/miab-postfix-submission.conf create mode 100644 conf/fail2ban/miab-roundcube.conf create mode 100644 conf/fail2ban/nginx-badbots.conf create mode 100644 conf/fail2ban/nginx.conf diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local index dc338803..20860098 100644 --- a/conf/fail2ban/jail.local +++ b/conf/fail2ban/jail.local @@ -6,29 +6,54 @@ # ours too. The string is substituted during installation. ignoreip = 127.0.0.1/8 PUBLIC_IP +action = %(action_mwl)s + # JAILS +# Uncomment actions out with proper addresses once blocklist.de is configured, I like to send it to two email addresses [ssh] maxretry = 7 bantime = 3600 - +# action = sendmail-whois-lines[name=ssh, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] + [ssh-ddos] enabled = true +# action = sendmail-whois-lines[name=ssh-ddos, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] [sasl] enabled = true +# action = sendmail-whois-lines[name=sasl, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] + + +[nginx] + +enabled = true +filter = nginx-http-auth +port = http,https +# action = sendmail-whois-lines[name=nginx-http-auth, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] + +[nginx-badbots] + +enabled = true +port = http,https +filter = nginx-badbots +# action = sendmail-whois-lines[name=nginx-badbots, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +logpath = /var/log/nginx/access.log +maxretry = 2 [dovecot] -enabled = true -filter = dovecotimap +enabled = true +filter = dovecotimap findtime = 30 maxretry = 20 -logpath = /var/log/mail.log +# action = sendmail-whois-lines[name=dovecot, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] [recidive] enabled = true maxretry = 10 action = iptables-allports[name=recidive] +# sendmail-whois-lines[name=recidive, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] + # In the recidive section of jail.conf the action contains: # # action = iptables-allports[name=recidive] @@ -39,3 +64,59 @@ action = iptables-allports[name=recidive] # By default we don't configure this address and no action is required from the admin anyway. # So the notification is ommited. This will prevent message appearing in the mail.log that mail # can't be delivered to fail2ban@$HOSTNAME. + +# Copied from ChiefGyk's OwnCloud +# [owncloud] +# enabled = true +# filter = owncloud +# action = sendmail-whois-lines[name=owncloud, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +# logpath = /home/user-data/owncloud/owncloud.log +# maxretry = 20 +# findtime = 300 +# bantime = 300 + +[miab-management] +enabled = true +filter = miab-management-daemon +# action = sendmail-whois-lines[name=miab-management, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +port = http,https +logpath = /var/log/syslog +maxretry = 20 +findtime = 30 + +[miab-munin] +enabled = true +port = http,https +filter = miab-munin +# action = sendmail-whois-lines[name=miab-munin, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +logpath = /var/log/nginx/access.log +maxretry = 20 +findtime = 30 + +[miab-owncloud] +enabled = true +port = http,https +filter = miab-owncloud +# action = sendmail-whois-lines[name=miab-owncloud, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +logpath = /home/user-data/owncloud/owncloud.log +maxretry = 20 +findtime = 30 + +[miab-postfix587] +enabled = true +port = 587 +filter = miab-postfix-submission +# action = sendmail-whois-lines[name=miab-postfix-submission, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +logpath = /var/log/mail.log +maxretry = 20 +findtime = 30 + +[miab-roundcube] +enabled = true +port = http,https +filter = miab-roundcube +action = sendmail-whois-lines[name=miab-roundcube, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +logpath = /var/log/roundcubemail/errors +maxretry = 20 +findtime = 30 + diff --git a/conf/fail2ban/miab-management-daemon.conf b/conf/fail2ban/miab-management-daemon.conf new file mode 100644 index 00000000..0b0489c2 --- /dev/null +++ b/conf/fail2ban/miab-management-daemon.conf @@ -0,0 +1,12 @@ +# Fail2Ban filter Mail-in-a-Box management daemon + +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = mailinabox + +failregex = Mail-in-a-Box Management Daemon: Failed login attempt from ip - timestamp .* +ignoreregex = diff --git a/conf/fail2ban/miab-munin.conf b/conf/fail2ban/miab-munin.conf new file mode 100644 index 00000000..a923be1e --- /dev/null +++ b/conf/fail2ban/miab-munin.conf @@ -0,0 +1,20 @@ +# Fail2Ban filter Mail-in-a-Box management daemon + +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = mailinabox + +failregex = Mail-in-a-Box Management Daemon: Failed login attempt from ip - timestamp .* +ignoreregex = +alon@box:/etc/fail2ban$ cat filter.d/miab-munin.conf +[INCLUDES] + +before = common.conf + +[Definition] +failregex= - .*GET /admin/munin/.* HTTP/1.1\" 401.* +ignoreregex = diff --git a/conf/fail2ban/miab-owncloud.conf b/conf/fail2ban/miab-owncloud.conf new file mode 100644 index 00000000..153dffa7 --- /dev/null +++ b/conf/fail2ban/miab-owncloud.conf @@ -0,0 +1,28 @@ +# Fail2Ban filter Mail-in-a-Box management daemon + +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = mailinabox + +failregex = Mail-in-a-Box Management Daemon: Failed login attempt from ip - timestamp .* +ignoreregex = +alon@box:/etc/fail2ban$ cat filter.d/miab-munin.conf +[INCLUDES] + +before = common.conf + +[Definition] +failregex= - .*GET /admin/munin/.* HTTP/1.1\" 401.* +ignoreregex = +alon@box:/etc/fail2ban$ cat filter.d/miab-owncloud.conf +[INCLUDES] + +before = common.conf + +[Definition] +failregex=Login failed: .*Remote IP: '[\)'] +ignoreregex = diff --git a/conf/fail2ban/miab-postfix-submission.conf b/conf/fail2ban/miab-postfix-submission.conf new file mode 100644 index 00000000..236e1331 --- /dev/null +++ b/conf/fail2ban/miab-postfix-submission.conf @@ -0,0 +1,7 @@ +[INCLUDES] + +before = common.conf + +[Definition] +failregex=postfix/submission/smtpd.*warning.*\[\]: .* authentication (failed|aborted) +ignoreregex = diff --git a/conf/fail2ban/miab-roundcube.conf b/conf/fail2ban/miab-roundcube.conf new file mode 100644 index 00000000..c6979c85 --- /dev/null +++ b/conf/fail2ban/miab-roundcube.conf @@ -0,0 +1,9 @@ +[INCLUDES] + +before = common.conf + +[Definition] + +failregex = IMAP Error: Login failed for .*? from \. AUTHENTICATE.* + +ignoreregex = diff --git a/conf/fail2ban/nginx-badbots.conf b/conf/fail2ban/nginx-badbots.conf new file mode 100644 index 00000000..c32b9f2a --- /dev/null +++ b/conf/fail2ban/nginx-badbots.conf @@ -0,0 +1,38 @@ +# fail2ban filter configuration for nginx + + +[Definition] + + +failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ + ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ + +ignoreregex = + +# DEV NOTES: +# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files +# Extensive search of all nginx auth failures not done yet. +# +# Author: Daniel Black +alon@box:/etc/fail2ban$ cat filter.d/nginx-badbots.conf +# Fail2Ban configuration file +# +# Regexp to catch known spambots and software alike. Please verify +# that it is your intent to block IPs which were driven by +# above mentioned bots. + + +[Definition] + +badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider +badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, +http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 + +failregex = ^ -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ + +ignoreregex = + +# DEV Notes: +# List of bad bots fetched from http://www.user-agents.org +# Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots. +# +# Author: Yaroslav Halchenko diff --git a/conf/fail2ban/nginx.conf b/conf/fail2ban/nginx.conf new file mode 100644 index 00000000..74dfe184 --- /dev/null +++ b/conf/fail2ban/nginx.conf @@ -0,0 +1,17 @@ +# fail2ban filter configuration for nginx + + +[Definition] + + +failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ + ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ + +ignoreregex = + +# DEV NOTES: +# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files +# Extensive search of all nginx auth failures not done yet. +# +# Author: Daniel Black +# Second entry done by Alon Ganon \ No newline at end of file diff --git a/setup/system.sh b/setup/system.sh index cc152524..d6ddc5e9 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -296,5 +296,11 @@ cat conf/fail2ban/jail.local \ | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ > /etc/fail2ban/jail.local cp conf/fail2ban/dovecotimap.conf /etc/fail2ban/filter.d/dovecotimap.conf +cp conf/fail2ban/nginx.conf /etc/fail2ban/filter.d/nginx.conf +cp conf/fail2ban/miab-management-daemon.conf /etc/fail2ban/filter.d/miab-management-daemon.conf +cp conf/fail2ban/miab-munin.conf /etc/fail2ban/filter.d/miab-munin.conf +cp conf/fail2ban/miab-owncloud.conf /etc/fail2ban/filter.d/miab-owncloud.conf +cp conf/fail2ban/miab-postfix-submission.conf /etc/fail2ban/filter.d/miab-postfix-submission.conf +cp conf/fail2ban/miab-roundcube.conf /etc/fail2ban/filter.d/miab-roundcube.conf restart_service fail2ban From 6f1315f93a6867bcba722d31ae4ea018c9759318 Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Sun, 26 Jun 2016 11:03:30 -0400 Subject: [PATCH 02/20] added missing log location for jail.local --- conf/fail2ban/jail.local | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local index 20860098..dd0842d1 100644 --- a/conf/fail2ban/jail.local +++ b/conf/fail2ban/jail.local @@ -9,7 +9,7 @@ ignoreip = 127.0.0.1/8 PUBLIC_IP action = %(action_mwl)s # JAILS -# Uncomment actions out with proper addresses once blocklist.de is configured, I like to send it to two email addresses +# Uncomment actions out with proper addresses once blocklist.de is configured, I like to send it to two email addresses, in addition to blocklist.de [ssh] maxretry = 7 @@ -47,6 +47,7 @@ filter = dovecotimap findtime = 30 maxretry = 20 # action = sendmail-whois-lines[name=dovecot, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +logpath = /var/log/mail.log [recidive] enabled = true From 994727d2cd5a2aef38ff504c778e5c69358c9142 Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Sun, 26 Jun 2016 11:06:40 -0400 Subject: [PATCH 03/20] added script which automatically adds IP addresses which have been reported to be attacking other servers. It will update the IPTables automatically everyday, as well as perform the initial run the first day. As mentioned in #864 on the origin --- setup/system.sh | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/setup/system.sh b/setup/system.sh index d6ddc5e9..f9122f32 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -304,3 +304,8 @@ cp conf/fail2ban/miab-postfix-submission.conf /etc/fail2ban/filter.d/miab-postfi cp conf/fail2ban/miab-roundcube.conf /etc/fail2ban/filter.d/miab-roundcube.conf restart_service fail2ban + +# Add Blocklist.de malicious IP Addresses to Daily Crontab +curl -s https://gist.githubusercontent.com/klepsydra/ecf975984b32b1c8291a/raw > /etc/cron.daily/sync-fail2ban +chmod a+x /etc/cron.daily/sync-fail2ban +time /etc/cron.daily/sync-fail2ban From 4f4ec5436abd4087142ad5f9f09b00d0fc891678 Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Sun, 26 Jun 2016 12:44:39 -0400 Subject: [PATCH 04/20] added RKHunter to system.sh on lines 122-134 per #869 and made it run everytime apt launches to install or update. This should help prevent rootkits. I also added a config to whitelist certain things --- conf/rkhunter/rkhunter.conf | 1008 +++++++++++++++++++++++++++++++++++ setup/system.sh | 18 + 2 files changed, 1026 insertions(+) create mode 100644 conf/rkhunter/rkhunter.conf diff --git a/conf/rkhunter/rkhunter.conf b/conf/rkhunter/rkhunter.conf new file mode 100644 index 00000000..fc7aea61 --- /dev/null +++ b/conf/rkhunter/rkhunter.conf @@ -0,0 +1,1008 @@ +# +# This is the main configuration file for Rootkit Hunter. +# +# You can either modify this file directly, or you can create a local +# configuration file. The local file must be named 'rkhunter.conf.local', +# and must reside in the same directory as this file. Please modify one +# or both files to your own requirements. It is suggested that the +# command 'rkhunter -C' is run after any changes have been made. +# +# Please review the documentation before posting bug reports or questions. +# To report bugs, obtain updates, or provide patches or comments, please go to: +# http://rkhunter.sourceforge.net +# +# To ask questions about rkhunter, please use the rkhunter-users mailing list. +# Note this is a moderated list: please subscribe before posting. +# +# Lines beginning with a hash (#), and blank lines, are ignored. +# End-of-line comments are not supported. +# +# Most of the following options need only be specified once. If +# they appear more than once, then the last one seen will be used. +# Some options are allowed to appear more than once, and the text +# describing the option will say if this is so. +# +# Some of the options are space-separated lists of pathnames. If +# wildcard characters (globbing) are allowed in the list, then the +# text describing the option will say so. +# +# Space-separated lists may be enclosed by quotes, but these must only +# appear at the start and end of the list, not in the middle. +# +# For example: XXX="abc def gh" (correct) +# XXX="abc" "def" "gh" (incorrect) +# + + +# +# If this option is set to 1, it specifies that the mirrors file +# ('mirrors.dat'), which is used when the '--update' and '--versioncheck' +# options are used, is to be rotated. Rotating the entries in the file +# allows a basic form of load-balancing between the mirror sites whenever +# the above options are used. +# If the option is set to 0, then the mirrors will be treated as if in +# a priority list. That is, the first mirror listed will always be used +# first. The second mirror will only be used if the first mirror fails, +# the third mirror will only be used if the second mirror fails, and so on. +# +# If the mirrors file is read-only, then the '--versioncheck' command-line +# option can only be used if this option is set to 0. +# +ROTATE_MIRRORS=1 + +# +# If this option is set to 1, it specifies that when the '--update' +# option is used, then the mirrors file is to be checked for updates +# as well. If the current mirrors file contains any local mirrors, +# these will be prepended to the updated file. +# If this option is set to 0, the mirrors file can only be updated +# manually. This may be useful if only using local mirrors. +# +UPDATE_MIRRORS=1 + +# +# The MIRRORS_MODE option tells rkhunter which mirrors are to be +# used when the '--update' or '--versioncheck' command-line options +# are given. Possible values are: +# 0 - use any mirror (the default) +# 1 - only use local mirrors +# 2 - only use remote mirrors +# +# Local and remote mirrors can be defined in the mirrors file +# by using the 'local=' and 'remote=' keywords respectively. +# +MIRRORS_MODE=0 + +# +# Email a message to this address if a warning is found when the +# system is being checked. Multiple addresses may be specified +# simply be separating them with a space. Setting this option to +# null disables the option. +# +# NOTE: This option should be present in the configuration file. +# +#MAIL-ON-WARNING=me@mydomain root@mydomain + +# +# Specify the mail command to use if MAIL-ON-WARNING is set. +# +# NOTE: Double quotes are not required around the command, but +# are required around the subject line if it contains spaces. +# +MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" + +# +# Specify the temporary directory to use. +# +# NOTE: Do not use /tmp as your temporary directory. Some +# important files will be written to this directory, so be +# sure that the directory permissions are tight. +# +TMPDIR=/var/lib/rkhunter/tmp + +# +# Specify the database directory to use. +# +DBDIR=/var/lib/rkhunter/db + +# +# Specify the script directory to use. +# +SCRIPTDIR=/usr/share/rkhunter/scripts + +# +# This option can be used to modify the command directory list used +# by rkhunter to locate commands (that is, its PATH). By default +# this will be the root PATH, and an internal list of some common +# command directories. +# +# Any directories specified here will, by default, be appended to the +# default list. However, if a directory name begins with the '+' +# character, then that directory will be prepended to the list (that +# is, it will be put at the start of the list). +# +# This is a space-separated list of directory names. The option may +# be specified more than once. +# +#BINDIR="/bin /usr/bin /sbin /usr/sbin" +#BINDIR="+/usr/local/bin +/usr/local/sbin" + +# +# Specify the default language to use. This should be similar +# to the ISO 639 language code. +# +# NOTE: Please ensure that the language you specify is supported. +# For a list of supported languages use the following command: +# +# rkhunter --lang en --list languages +# +#LANGUAGE=en + +# +# This option is a space-separated list of the languages that are to +# be updated when the '--update' option is used. If unset, then all +# the languages will be updated. If none of the languages are to be +# updated, then set this option to just 'en'. +# +# The default is for all the languages to be updated. The default +# language, specified above, and the English (en) language file will +# always be updated regardless of this option. +# +UPDATE_LANG="" + +# +# Specify the log file pathname. +# +# NOTE: This option should be present in the configuration file. +# +LOGFILE=/var/log/rkhunter.log + +# +# Set the following option to 1 if the log file is to be appended to +# whenever rkhunter is run. +# +APPEND_LOG=0 + +# +# Set the following option to 1 if the log file is to be copied when +# rkhunter finishes and an error or warning has occurred. The copied +# log file name will be appended with the current date and time +# (in YYYY-MM-DD_HH:MM:SS format). +# For example: rkhunter.log.2009-04-21_00:57:51 +# +COPY_LOG_ON_ERROR=0 + +# +# Set the following option to enable the rkhunter check start and finish +# times to be logged by syslog. Warning messages will also be logged. +# The value of the option must be a standard syslog facility and +# priority, separated by a dot. For example: +# +# USE_SYSLOG=authpriv.warning +# +# Setting the value to 'none', or just leaving the option commented out, +# disables the use of syslog. +# +#USE_SYSLOG=authpriv.notice + +# +# Set the following option to 1 if the second colour set is to be used. +# This can be useful if your screen uses black characters on a white +# background (for example, a PC instead of a server). +# +COLOR_SET2=0 + +# +# Set the following option to 0 if rkhunter should not detect if X is +# being used. If X is detected as being used, then the second colour +# set will automatically be used. +# +AUTO_X_DETECT=1 + +# +# Set the following option to 1 if it is wanted that any 'Whitelisted' +# results are shown in white rather than green. For colour set 2 users, +# setting this option will cause the result to be shown in black. +# +WHITELISTED_IS_WHITE=0 + +# +# The following option is checked against the SSH configuration file +# 'PermitRootLogin' option. A warning will be displayed if they do not +# match. However, if a value has not been set in the SSH configuration +# file, then a value here of 'unset' can be used to avoid warning messages. +# This option has a default value of 'no'. +# +ALLOW_SSH_ROOT_USER=no + +# +# Set this option to '1' to allow the use of the SSH-1 protocol, but note +# that theoretically it is weaker, and therefore less secure, than the +# SSH-2 protocol. Do not modify this option unless you have good reasons +# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 +# authentication). If the 'Protocol' option has not been set in the SSH +# configuration file, then a value of '2' may be set here in order to +# suppress a warning message. This option has a default value of '0'. +# +ALLOW_SSH_PROT_V1=0 + +# +# This setting tells rkhunter the directory containing the SSH configuration +# file. This setting will be worked out by rkhunter, and so should not +# usually need to be set. +# +#SSH_CONFIG_DIR=/etc/ssh + +# +# These two options determine which tests are to be performed. +# The ENABLE_TESTS option can use the word 'all' to refer to all the +# available tests. The DISABLE_TESTS option can use the word 'none' to +# mean that no tests are disabled. The list of disabled tests is applied to +# the list of enabled tests. Both options are space-separated lists of test +# names. The currently available test names can be seen by using the command +# 'rkhunter --list tests'. +# +# The program defaults are to enable all tests and disable none. However, if +# either of the options below are specified, then they will override the +# program defaults. +# +# The supplied configuration file has some tests already disabled, and these +# are tests that will be used only occasionally, can be considered +# "advanced" or that are prone to produce more than the average number of +# false-positives. +# +# Please read the README file for more details about enabling and disabling +# tests, the test names, and how rkhunter behaves when these options are used. +# +# hidden_procs test requires the unhide command which is part of the unhide +# package in Debian. +# +# apps test is disabled by default as it triggers warnings about outdated +# applications (and warns about possible security risk: we better trust +# the Debian Security Team). +# +ENABLE_TESTS="all" +DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps" + +# +# The HASH_FUNC option can be used to specify the command to use +# for the file hash value check. It can be specified as just the +# command name or the full pathname. If just the command name is +# given, and it is one of MD5, SHA1, SHA224, SHA256, SHA384 or +# SHA512, then rkhunter will first look for the relevant command, +# such as 'sha256sum', and then for 'sha256'. If neither of these +# are found, it will then look to see if a perl module has been +# installed which will support the relevant hash function. To see +# which perl modules have been installed use the command +# 'rkhunter --list perl'. +# +# The default is SHA1, or MD5 if SHA1 cannot be found. +# +# Systems using prelinking are restricted to using either the +# SHA1 or MD5 function. +# +# A value of 'NONE' (in uppercase) can be specified to indicate that +# no hash function should be used. Rootkit Hunter will detect this and +# automatically disable the file hash checks. +# +# Examples: +# For Solaris 9 : HASH_FUNC=gmd5sum +# For Solaris 10: HASH_FUNC=sha1sum +# For AIX (>5.2): HASH_FUNC="csum -hMD5" +# For NetBSD : HASH_FUNC="cksum -a sha512" +# +# NOTE: If the hash function is changed then you MUST run rkhunter with +# the '--propupd' option to rebuild the file properties database. +# +#HASH_FUNC=sha1sum + +# +# The HASH_FLD_IDX option specifies which field from the HASH_FUNC +# command output contains the hash value. The fields are assumed to +# be space-separated. The default value is 1, but for *BSD users +# rkhunter will, by default, use a value of 4 if the HASH_FUNC option +# has not been set. The option value must be an integer greater +# than zero. +# +#HASH_FLD_IDX=4 + +# +# The PKGMGR option tells rkhunter to use the specified package manager +# to obtain the file property information. This is used when updating +# the file properties file ('rkhunter.dat'), and when running the file +# properties check. For RedHat/RPM-based systems, 'RPM' can be used to +# get information from the RPM database. For Debian-based systems 'DPKG' +# can be used, for *BSD systems 'BSD' can be used, and for Solaris +# systems 'SOLARIS' can be used. No value, or a value of 'NONE', +# indicates that no package manager is to be used. The default is 'NONE'. +# +# The current package managers, except 'SOLARIS', store the file hash +# values using an MD5 hash function. The Solaris package manager includes +# a checksum value, but this is not used by default (see USE_SUNSUM below). +# +# The 'DPKG' and 'BSD' package managers only provide MD5 hash values. +# The 'RPM' package manager additionally provides values for the inode, +# file permissions, uid, gid and other values. The 'SOLARIS' also provides +# most of the values, similar to 'RPM', but not the inode number. +# +# For any file not part of a package, rkhunter will revert to using the +# HASH_FUNC hash function instead. +# +# Whenever this option is changed 'rkhunter --propupd' must be run. +# +# NONE is the default for Debian as well, as running --propupd takes +# about 4 times longer when it's set to DPKG +# +#PKGMGR=NONE + +# +# It is possible that a file which is part of a package may be modified +# by the administrator. Typically this occurs for configuration files. +# However, the package manager may list the file as being modified. For +# the RPM package manager this may well depend on how the package was +# built. This option specifies those pathnames which are to be exempt +# from the package manager verification process, and which will be treated +# as non-packaged files. As such, the file properties are still checked. +# +# This option only takes effect if the PKGMGR option has been set, and +# is not 'NONE'. +# +# This is a space-separated list of pathnames. The option may +# be specified more than once. +# +# Whenever this option is changed 'rkhunter --propupd' must be run. +# +#PKGMGR_NO_VRFY="" + +# +# This option can be used to tell rkhunter to ignore any prelink +# dependency errors for the given commands. However, a warning will also +# be issued if the error does not occur for a given command. As such +# this option must only be used on commands which experience a persistent +# problem. +# +# Short-term prelink dependency errors can usually be resolved simply by +# running the 'prelink' command on the given pathname. +# +# NOTE: The command 'rkhunter --propupd' must be run whenever this option +# is changed. +# +# This is a space-separated list of command pathnames. The option can be +# specified more than once. +# +#IGNORE_PRELINK_DEP_ERR="/bin/ps /usr/bin/top" + +# +# If the 'SOLARIS' package manager is used, then it is possible to use +# the checksum (hash) value stored for a file. However, this is only a +# 16-bit checksum, and as such is not nearly as secure as, for example, +# a SHA-2 value. For that reason, the checksum is not used by default, +# and the hash function given by HASH_FUNC is used instead. To enable +# this option, set its value to 1. The Solaris 'sum' command must be +# present on the system if this option is used. +# +#USE_SUNSUM=0 + +# +# This option is a space-separated list of commands, directories and file +# pathnames which will be included in the file properties checks. +# This option can be specified more than once. +# +# Whenever this option is changed, 'rkhunter --propupd' must be run. +# +# Simple command names - for example, 'top' - and directory names are +# added to the internal list of directories to be searched for each of +# the command names in the command list. Additionally, full pathnames +# to files, which need not be commands, may be given. Any files or +# directories which are already part of the internal lists will be +# silently ignored from the configuration. +# +# Normal globbing wildcards are allowed, except for simple command names. +# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed. +# +# Specific files may be excluded by preceding their name with an +# exclamation mark (!). For example, '!/opt/top'. By combining this +# with wildcarding, whole directories can be excluded. For example, +# '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first +# two directory levels of '/etc'. However, anything in '/etc/rc0.d', +# '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded. +# +# NOTE: Only files and directories which have been added by the user, +# and are not part of the internal lists, can be excluded. So, for +# example, it is not possible to exclude the 'ps' command by using +# '!/bin/ps'. These will be silently ignored from the configuration. +# +#USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*" +#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf" +#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local" +#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*" +#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat" +#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*" +#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*" + +# +# This option whitelists files and directories from existing, +# or not existing, on the system at the time of testing. This +# option is used when the configuration file options themselves +# are checked, and during the file properties check, the hidden +# files and directories checks, and the filesystem check of the +# '/dev' directory. +# +# This is a space-separated list of pathnames. The option may be +# specified more than once. The option may use wildcard characters, +# but be aware that this is probably not what you want to do as the +# wildcarding will be expanded after files have been deleted. As +# such deleted files won't be whitelisted if wildcarded. +# +# NOTE: The user must take into consideration how often the file will +# appear and disappear from the system in relation to how often +# rkhunter is run. If the file appears, and disappears, too often +# then rkhunter may not notice this. All it will see is that the file +# has changed. The inode-number and DTM will certainly be different +# for each new file, and rkhunter will report this. +# +#EXISTWHITELIST="" + +# +# Whitelist various attributes of the specified files. +# The attributes are those of the 'attributes' test. +# Specifying a file name here does not include it being +# whitelisted for the write permission test (see below). +# +# This is a space-separated list of filenames. The option may +# be specified more than once. The option may use wildcard +# characters. +# +#ATTRWHITELIST="/bin/ps /usr/bin/date" + +# +# Allow the specified commands to have the 'others' +# (world) permission have the write-bit set. +# +# For example, files with permissions r-xr-xrwx +# or rwxrwxrwx. +# +# This is a space-separated list of filenames. The option may +# be specified more than once. The option may use wildcard +# characters. +# +#WRITEWHITELIST="/bin/ps /usr/bin/date" + +# +# Allow the specified commands to be scripts. +# +# This is a space-separated list of filenames. The option may +# be specified more than once. The option may use wildcard +# characters. +# +SCRIPTWHITELIST=/bin/egrep +SCRIPTWHITELIST=/bin/fgrep +SCRIPTWHITELIST=/bin/which +SCRIPTWHITELIST=/usr/bin/groups +SCRIPTWHITELIST=/usr/bin/ldd +#SCRIPTWHITELIST=/usr/bin/lwp-request +SCRIPTWHITELIST=/usr/sbin/adduser +#SCRIPTWHITELIST=/usr/sbin/prelink +SCRIPTWHITELIST=/usr/bin/unhide.rb + +# +# Allow the specified commands to have the immutable attribute set. +# +# This is a space-separated list of filenames. The option may +# be specified more than once. The option may use wildcard +# characters. +# +#IMMUTWHITELIST="/sbin/ifup /sbin/ifdown" + +# +# If this option is set to 1, then the immutable-bit test is +# reversed. That is, the files are expected to have the bit set. +# +IMMUTABLE_SET=0 + +# +# Allow the specified hidden directories to be whitelisted. +# +# This is a space-separated list of directory pathnames. +# The option may be specified more than once. The option +# may use wildcard characters. +# +#ALLOWHIDDENDIR="/etc/.java" +#ALLOWHIDDENDIR="/dev/.static" +#ALLOWHIDDENDIR="/dev/.SRC-unix" +#ALLOWHIDDENDIR="/etc/.etckeeper" +ALLOWHIDDENDIR="/dev/.udev" + + +# +# Allow the specified hidden files to be whitelisted. +# +# This is a space-separated list of filenames. The option may +# be specified more than once. The option may use wildcard +# characters. +# +#ALLOWHIDDENFILE="/etc/.java" +#ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz" +#ALLOWHIDDENFILE="/etc/.pwd.lock" +#ALLOWHIDDENFILE="/etc/.init.state" +#ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac" +#ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac" +#ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac" +#ALLOWHIDDENFILE="/usr/bin/.ssh.hmac" +#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac" +#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac" +#ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac" +#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac" +#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac" +#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac" +#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac" +#ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac" +#ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz" +#ALLOWHIDDENFILE="/etc/.gitignore" +#ALLOWHIDDENFILE="/etc/.bzrignore" +ALLOWHIDDENFILE="/dev/.blkid.tab" +ALLOWHIDDENFILE="/dev/.blkid.tab.old" +ALLOWHIDDENFILE="/dev/.initramfs" + +# +# Allow the specified processes to use deleted files. The +# process name may be followed by a colon-separated list of +# full pathnames. The process will then only be whitelisted +# if it is using one of the given files. For example: +# +# ALLOWPROCDELFILE="/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz" +# +# This is a space-separated list of process names. The option +# may be specified more than once. The option may use wildcard +# characters, but only in the file names. +# +#ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc" +#ALLOWPROCDELFILE="/usr/lib/libgconf2-4/gconfd-2" +#ALLOWPROCDELFILE="/usr/sbin/mysqld:/tmp/ib*" +#ALLOWPROCDELFILE="/usr/lib/iceweasel/firefox-bin" +#ALLOWPROCDELFILE="/usr/bin/file-roller" + +# +# Allow the specified processes to listen on any network interface. +# +# This is a space-separated list of process names. The option +# may be specified more than once. +# +#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd" +#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump" +#ALLOWPROCLISTEN="/usr/sbin/snort-plain" + +# +# Allow the specified network interfaces to be in promiscuous mode. +# +# This is a space-separated list of interface names. The option may +# be specified more than once. +# +#ALLOWPROMISCIF="eth0" + +# +# SCAN_MODE_DEV governs how we scan '/dev' for suspicious files. +# The two allowed options are: THOROUGH or LAZY. +# If commented out we do a THOROUGH scan which will increase the runtime. +# Even though this adds to the running time it is highly recommended to +# leave it like this. +# +#SCAN_MODE_DEV=THOROUGH + +# +# The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to +# perform a basic check, or a more thorough check. If the option is set to 0, +# then a basic check is performed. If it is set to 1, then all the directries +# in the /etc and /usr directories are scanned. The default value is 0. Users +# should note that setting this option to 1 will cause the test to take longer +# to complete. +# +PHALANX2_DIRTEST=0 + +# +# Allow the specified files to be present in the /dev directory, +# and not regarded as suspicious. +# +# This is a space-separated list of pathnames. The option may +# be specified more than once. The option may use wildcard +# characters. +# +#ALLOWDEVFILE="/dev/shm/pulse-shm-*" +#ALLOWDEVFILE="/dev/shm/sem.ADBE_*" +ALLOWDEVFILE="/dev/.udev/rules.d/root.rules" + +# +# This setting tells rkhunter where the inetd configuration +# file is located. +# +#INETD_CONF_PATH=/etc/inetd.conf + +# +# Allow the following enabled inetd services. +# +# This is a space-separated list of service names. The option may +# be specified more than once. +# +# For non-Solaris users the simple service name should be used. +# For example: +# +# INETD_ALLOWED_SVC=echo +# +# For Solaris 9 users the simple service name should also be used, but +# if it is an RPC service, then the executable pathname should be used. +# For example: +# +# INETD_ALLOWED_SVC=imaps +# INETD_ALLOWED_SVC="/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd" +# +# For Solaris 10 users the service/FMRI name should be used. For example: +# +# INETD_ALLOWED_SVC=/network/rpc/meta +# INETD_ALLOWED_SVC=/network/rpc/metamed +# INETD_ALLOWED_SVC=/application/font/stfsloader +# INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord +# +#INETD_ALLOWED_SVC=echo + +# +# This setting tells rkhunter where the xinetd configuration +# file is located. +# +#XINETD_CONF_PATH=/etc/xinetd.conf + +# +# Allow the following enabled xinetd services. Whilst it would be +# nice to use the service names themselves, at the time of testing +# we only have the pathname available. As such, these entries are +# the xinetd file pathnames. +# +# This is a space-separated list of service names. The option may +# be specified more than once. +# +#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo + +# +# This option tells rkhunter the local system startup file pathnames. +# The directories will be searched for files. By default rkhunter +# will use certain filenames and directories. If the option is set +# to 'none', then certain tests will be skipped. +# +# This is a space-separated list of file and directory pathnames. +# The option may be specified more than once. The option may use +# wildcard characters. +# +#STARTUP_PATHS="/etc/init.d /etc/rc.local" + +# +# This setting tells rkhunter the pathname to the file containing the +# user account passwords. This setting will be worked out by rkhunter, +# and so should not usually need to be set. Users of TCB shadow files +# should not set this option. +# +#PASSWORD_FILE=/etc/shadow + +# +# Allow the following accounts to be root equivalent. These accounts +# will have a UID value of zero. The 'root' account does not need to +# be listed as it is automatically whitelisted. +# +# This is a space-separated list of account names. The option may +# be specified more than once. +# +# NOTE: For *BSD systems you will probably need to use this option +# for the 'toor' account. +# +#UID0_ACCOUNTS="toor rooty sashroot" + +# +# Allow the following accounts to have no password. NIS/YP entries do +# not need to be listed as they are automatically whitelisted. +# +# This is a space-separated list of account names. The option may +# be specified more than once. +# +#PWDLESS_ACCOUNTS="abc" + +# +# This setting tells rkhunter the pathname to the syslog configuration +# file. This setting will be worked out by rkhunter, and so should not +# usually need to be set. A value of 'NONE' can be used to indicate +# that there is no configuration file, but that the syslog daemon process +# may be running. +# +# This is a space-separated list of pathnames. The option may +# be specified more than once. +# +#SYSLOG_CONFIG_FILE=/etc/syslog.conf + +# +# This option permits the use of syslog remote logging. +# +ALLOW_SYSLOG_REMOTE_LOGGING=0 + +# +# Allow the following applications, or a specific version of an application, +# to be whitelisted. This option may be specified more than once, and is a +# space-separated list consisting of the application names. If a specific +# version is to be whitelisted, then the name must be followed by a colon +# and then the version number. For example: +# +# APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29" +# +# Note above that for the Apache web server, the name 'httpd' is used. +# +#APP_WHITELIST="" + +# +# Scan for suspicious files in directories containing temporary files and +# directories posing a relatively higher risk due to user write access. +# Please do not enable by default as suspscan is CPU and I/O intensive and prone to +# producing false positives. Do review all settings before usage. +# Also be aware that running suspscan in combination with verbose logging on, +# RKH's default, will show all ignored files. +# Please consider adding all directories the user the (web)server runs as has +# write access to including the document root (example: "/var/www") and log +# directories (example: "/var/log/httpd"). +# +# This is a space-separated list of directory pathnames. +# The option may be specified more than once. +# +#SUSPSCAN_DIRS="/tmp /var/tmp" + +# +# Directory for temporary files. A memory-based one is better (faster). +# Do not use a directory name that is listed in SUSPSCAN_DIRS. +# Please make sure you have a tempfs mounted and the directory exists. +# +SUSPSCAN_TEMP=/dev/shm + +# +# Maximum filesize in bytes. Files larger than this will not be inspected. +# Do make sure you have enough space left in your temporary files directory. +# +SUSPSCAN_MAXSIZE=10240000 + +# +# Score threshold. Below this value no hits will be reported. +# A value of "200" seems "good" after testing on malware. Please adjust +# locally if necessary. +# +SUSPSCAN_THRESH=200 + +# +# The following option can be used to whitelist network ports which +# are known to have been used by malware. This option may be specified +# more than once. The option is a space-separated list of one or more +# of four types of whitelisting. These are: +# +# 1) a 'protocol:port' pair (e.g. TCP:25) +# 2) a pathname to an executable (e.g. /usr/sbin/squid) +# 3) a combined pathname, protocol and port +# (e.g. /usr/sbin/squid:TCP:3801) +# 4) an asterisk ('*') +# +# Only the UDP or TCP protocol may be specified, and the port number +# must be between 1 and 65535 inclusive. +# +# The asterisk can be used to indicate that any executable which rkhunter +# can locate as a command, is whitelisted. (See BINDIR in this file.) +# +# For example: +# +# PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011" +# +# NOTE: In order to whitelist a pathname, or use the asterisk option, +# the 'lsof' command must be present. +# +#PORT_WHITELIST="" + +# +# The following option can be used to tell rkhunter where the operating +# system 'release' file is located. This file contains information +# specifying the current O/S version. RKH will store this information +# itself, and check to see if it has changed between each run. If it has +# changed, then the user is warned that RKH may issue warning messages +# until RKH has been run with the '--propupd' option. +# +# Since the contents of the file vary according to the O/S distribution, +# RKH will perform different actions when it detects the file itself. As +# such, this option should not be set unless necessary. If this option is +# specified, then RKH will assume the O/S release information is on the +# first non-blank line of the file. +# +#OS_VERSION_FILE="/etc/debian_version" + +# +# The following two options can be used to whitelist files and directories +# that would normally be flagged with a warning during the various rootkit +# and malware checks. If the file or directory name contains a space, then +# the percent character ('%') must be used instead. Only existing files and +# directories can be specified, and these must be full pathnames not links. +# +# Additionally, the RTKT_FILE_WHITELIST option may include a string after the +# file name (separated by a colon). This will then only whitelist that string +# in that file (as part of the malware checks). For example: +# +# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm" +# +# If the option list includes the filename on its own as well, then the file +# will be whitelisted from rootkit checks of the files existence, but still +# only the specific string within the file will be whitelisted. For example: +# +# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local" +# +# To whitelist a file from the existence checks, but not from the strings +# checks, then include the filename on its own and on its own but with +# just a colon appended. For example: +# +# RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:" +# +# NOTE: It is recommended that if you whitelist any files, then you include +# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS +# configuration option. +# +# These are space-separated lists of file and directory pathnames. +# The options may be specified more than once. +# +#RTKT_DIR_WHITELIST="" +#RTKT_FILE_WHITELIST="" + +# +# The following option can be used to whitelist shared library files that would +# normally be flagged with a warning during the preloaded shared library check. +# These library pathnames usually exist in the '/etc/ld.so.preload' file or in +# the LD_PRELOAD environment variable. +# +# NOTE: It is recommended that if you whitelist any files, then you include +# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS +# configuration option. +# +# This is a space-separated list of library pathnames. +# The option may be specified more than once. +# +#SHARED_LIB_WHITELIST="/lib/snoopy.so" + +# +# To force rkhunter to use the supplied script for the 'stat' or 'readlink' +# command, then the following two options can be used. The value must be +# set to 'BUILTIN'. +# +# NOTE: IRIX users will probably need to enable STAT_CMD. +# +#STAT_CMD=BUILTIN +#READLINK_CMD=BUILTIN + +# +# In the file properties test any modification date/time is displayed as the +# number of epoch seconds. Rkhunter will try and use the 'date' command, or +# failing that the 'perl' command, to display the date and time in a +# human-readable format as well. This option may be used if some other command +# should be used instead. The given command must understand the '%s' and +# 'seconds ago' options found in the GNU date command. +# +# A value of 'NONE' may be used to request that only the epoch seconds be shown. +# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if +# it is present. +# +#EPOCH_DATE_CMD="" + +# +# This setting tells rkhunter the directory containing the available +# Linux kernel modules. This setting will be worked out by rkhunter, +# and so should not usually need to be set. +# +#MODULES_DIR="" + +# +# The following option can be set to a command which rkhunter will use when +# downloading files from the Internet - that is, when the '--update' or +# '--versioncheck' option is used. The command can take options. +# +# This allows the user to use a command other than the one automatically +# selected by rkhunter, but still one which it already knows about. +# For example: +# +# WEB_CMD=curl +# +# Alternatively, the user may specify a completely new command. However, note +# that rkhunter expects the downloaded file to be written to stdout, and that +# everything written to stderr is ignored. For example: +# +# WEB_CMD="/opt/bin/dlfile --timeout 5m -q" +# +# *BSD users may want to use the 'ftp' command, provided that it supports +# the HTTP protocol: +# +# WEB_CMD="ftp -o -" +# +#WEB_CMD="" + +# +# Set the following option to 0 if you do not want to receive a warning if +# any O/S information has changed since the last run of 'rkhunter --propupd'. +# The warnings occur during the file properties check. The default is to +# issue a warning if something has changed. +# +#WARN_ON_OS_CHANGE=1 + +# +# Set the following option to 1 if you want rkhunter to automatically run +# a file properties update ('--propupd') if the O/S has changed. Detection +# of an O/S change occurs during the file properties check. The default is +# not to do an automatic update. +# +# WARNING: Only set this option if you are sure that the update will work +# correctly. That is, that the database directory is writeable, that a valid +# hash function is available, and so on. This can usually be checked simply +# by running 'rkhunter --propupd' at least once. +# +#UPDT_ON_OS_CHANGE=0 + +# +# Set the following option to 1 if locking is to be used when rkhunter runs. +# The lock is set just before logging starts, and is removed when the program +# ends. It is used to prevent items such as the log file, and the file +# properties file, from becoming corrupted if rkhunter is running more than +# once. The mechanism used is to simply create a lock file in the TMPDIR +# directory. If the lock file already exists, because rkhunter is already +# running, then the current process simply loops around sleeping for 10 seconds +# and then retrying the lock. +# +# The default is not to use locking. +# +USE_LOCKING=0 + +# +# If locking is used, then rkhunter may have to wait to get the lock file. +# This option sets the total amount of time, in seconds, that rkhunter should +# wait. It will retry the lock every 10 seconds, until either it obtains the +# lock or the timeout value has been reached. If no value is set, then a +# default of 300 seconds (5 minutes) is used. +# +LOCK_TIMEOUT=300 + +# +# If locking is used, then rkhunter may be doing nothing for some time if it +# has to wait for the lock. Some simple messages are echo'd to the users screen +# to let them know that rkhunter is waiting for the lock. Set this option to 0 +# if the messages are not to be displayed. The default is to show them. +# +SHOW_LOCK_MSGS=1 + +# +# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function +# will search (on a per rootkit basis) for filenames in all of the directories (as defined +# by the result of running 'find / -xdev'). While still not optimal, as it +# still searches for only file names as opposed to file contents, this is one step away +# from the rigidity of searching in known (evidence) or default (installation) locations. +# +# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT. +# +# You should only activate this feature as part of a more thorough investigation which +# should be based on relevant best practices and procedures. +# +# Enabling this feature implies you have the knowledge to interpret the results properly. +# +#SCANROOTKITMODE=THOROUGH + +# +# The following option can be set to the name(s) of the tests the 'unhide' command is +# to use. In order to maintain compatibility with older versions of 'unhide', this +# option defaults to 'sys'. Options such as '-m' and '-v' may also be specified, but +# will only take effect when they are seen. The test names are a space-separated list, +# and will be executed in the order given. +# +#UNHIDE_TESTS="sys" + +# +# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, then it +# is possible to disable the execution of one of the programs if desired. By default +# rkhunter will look for both programs, and execute each of them as they are found. +# If the value of this option is 0, then both programs will be executed if they are +# present. A value of 1 will disable execution of the C 'unhide' program, and a value +# of 2 will disable the Ruby 'unhide.rb' program. The default value is 0. To disable +# both programs, then disable the 'hidden_procs' test. +# +DISABLE_UNHIDE=1 + +INSTALLDIR="/usr" diff --git a/setup/system.sh b/setup/system.sh index f9122f32..946d243d 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -118,6 +118,21 @@ apt_install python3 python3-dev python3-pip \ netcat-openbsd wget curl git sudo coreutils bc \ haveged pollinate \ unattended-upgrades cron ntp fail2ban + +# Add Rootkit hunter +# I have it install and then update to install dependencies and such +# Added by Alon "Chief Gyk" Ganon +apt_install rkhunter binutils libreadline5 ruby ruby1.9.1 unhide.rb +wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz +tar xzvf rkhunter* +cd rkhunter* +./installer.sh --layout /usr --install +cd .. +rm -rf rkhunter* +rkhunter --propupd +cp conf/rkhunter/rkhunter.conf /etc/rkhunter.conf +sed -i '/APT_AUTOGEN="false"/c\APT_AUTOGEN="yes"' /etc/default/rkhunter + # ### Set the system timezone # @@ -306,6 +321,9 @@ cp conf/fail2ban/miab-roundcube.conf /etc/fail2ban/filter.d/miab-roundcube.conf restart_service fail2ban # Add Blocklist.de malicious IP Addresses to Daily Crontab +# Added by Alon "ChiefGyk" Ganon curl -s https://gist.githubusercontent.com/klepsydra/ecf975984b32b1c8291a/raw > /etc/cron.daily/sync-fail2ban chmod a+x /etc/cron.daily/sync-fail2ban time /etc/cron.daily/sync-fail2ban + + From e0b333843ae137db8e4a74fd1f426ea15d4b4a78 Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Sun, 26 Jun 2016 12:48:26 -0400 Subject: [PATCH 05/20] had rkhunter --propupd run before configs were changed. Fixed for #869 --- setup/system.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/system.sh b/setup/system.sh index 946d243d..0fc07937 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -129,9 +129,10 @@ cd rkhunter* ./installer.sh --layout /usr --install cd .. rm -rf rkhunter* -rkhunter --propupd cp conf/rkhunter/rkhunter.conf /etc/rkhunter.conf sed -i '/APT_AUTOGEN="false"/c\APT_AUTOGEN="yes"' /etc/default/rkhunter +rkhunter --propupd + # ### Set the system timezone From 933668f156a5cd35907ab719189c43040147aef5 Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Sun, 26 Jun 2016 12:57:54 -0400 Subject: [PATCH 06/20] had rkhunter --propupd run before configs were changed. Fixed for #869, also added a crontab for RKHunter to automatically run daily at 4:15AM --- setup/system.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/setup/system.sh b/setup/system.sh index 0fc07937..57d6aec2 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -121,6 +121,7 @@ apt_install python3 python3-dev python3-pip \ # Add Rootkit hunter # I have it install and then update to install dependencies and such +# It adds a crontab to check daily at 4:15AM # Added by Alon "Chief Gyk" Ganon apt_install rkhunter binutils libreadline5 ruby ruby1.9.1 unhide.rb wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz @@ -132,6 +133,8 @@ rm -rf rkhunter* cp conf/rkhunter/rkhunter.conf /etc/rkhunter.conf sed -i '/APT_AUTOGEN="false"/c\APT_AUTOGEN="yes"' /etc/default/rkhunter rkhunter --propupd +(crontab -l 2>/dev/null; echo "15 04 * * * /usr/bin/rkhunter --cronjob --update --quiet +")| crontab - From ab3fbad0b8cda61d454936ee5e92e24e6e1c5ecb Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Sun, 26 Jun 2016 13:37:21 -0400 Subject: [PATCH 07/20] a couple minor changes to Fail2Ban #870 fixed a couple variables, copied owncloud.conf fail2ban from my own owncloud 9 server for my own business. Though it is commented out --- conf/fail2ban/jail.local | 4 ++-- conf/fail2ban/owncloud.conf | 8 ++++++++ setup/system.sh | 1 + 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 conf/fail2ban/owncloud.conf diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local index dd0842d1..53a6a08a 100644 --- a/conf/fail2ban/jail.local +++ b/conf/fail2ban/jail.local @@ -71,7 +71,7 @@ action = iptables-allports[name=recidive] # enabled = true # filter = owncloud # action = sendmail-whois-lines[name=owncloud, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] -# logpath = /home/user-data/owncloud/owncloud.log +# logpath = STORAGE_ROOT/owncloud/owncloud.log # maxretry = 20 # findtime = 300 # bantime = 300 @@ -99,7 +99,7 @@ enabled = true port = http,https filter = miab-owncloud # action = sendmail-whois-lines[name=miab-owncloud, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] -logpath = /home/user-data/owncloud/owncloud.log +logpath = STORAGE_ROOT/owncloud/owncloud.log maxretry = 20 findtime = 30 diff --git a/conf/fail2ban/owncloud.conf b/conf/fail2ban/owncloud.conf new file mode 100644 index 00000000..c62763d0 --- /dev/null +++ b/conf/fail2ban/owncloud.conf @@ -0,0 +1,8 @@ +[INCLUDES] +before = common.conf + +[Definition] +_daemon = owncloud + +failregex = {"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: ''\)","level":2,"time":".*","method":".*} +ignoreregex = diff --git a/setup/system.sh b/setup/system.sh index 57d6aec2..86234213 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -321,6 +321,7 @@ cp conf/fail2ban/miab-munin.conf /etc/fail2ban/filter.d/miab-munin.conf cp conf/fail2ban/miab-owncloud.conf /etc/fail2ban/filter.d/miab-owncloud.conf cp conf/fail2ban/miab-postfix-submission.conf /etc/fail2ban/filter.d/miab-postfix-submission.conf cp conf/fail2ban/miab-roundcube.conf /etc/fail2ban/filter.d/miab-roundcube.conf +cp conf/fail2ban/owncloud.conf /etc/fail2ban/filter.d/owncloud.conf restart_service fail2ban From fd457e187c4dbaa1d2e4b82f72254afd74bbc7de Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Sun, 26 Jun 2016 19:53:30 -0400 Subject: [PATCH 08/20] fixed some issues with warnings due to there not being a variable set for PKGMG=DPKG --- conf/rkhunter/rkhunter.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/rkhunter/rkhunter.conf b/conf/rkhunter/rkhunter.conf index fc7aea61..698f2be7 100644 --- a/conf/rkhunter/rkhunter.conf +++ b/conf/rkhunter/rkhunter.conf @@ -333,7 +333,7 @@ DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps" # NONE is the default for Debian as well, as running --propupd takes # about 4 times longer when it's set to DPKG # -#PKGMGR=NONE +PKGMGR=DPKG # # It is possible that a file which is part of a package may be modified From cb35e6dd9601dd9d74384faedce4b577bd6f4202 Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Sun, 26 Jun 2016 20:06:53 -0400 Subject: [PATCH 09/20] extended owncloud filter find time --- conf/fail2ban/jail.local | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local index 53a6a08a..cbcaf817 100644 --- a/conf/fail2ban/jail.local +++ b/conf/fail2ban/jail.local @@ -101,7 +101,7 @@ filter = miab-owncloud # action = sendmail-whois-lines[name=miab-owncloud, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] logpath = STORAGE_ROOT/owncloud/owncloud.log maxretry = 20 -findtime = 30 +findtime = 120 [miab-postfix587] enabled = true From 187b28dc519816313c8d0d233c3f5004c5c1e383 Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Mon, 27 Jun 2016 03:58:30 -0400 Subject: [PATCH 10/20] committed a fix for owncloud filter. Lack of caffeine caused me to enter a wrong part of my script --- conf/fail2ban/miab-owncloud.conf | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/conf/fail2ban/miab-owncloud.conf b/conf/fail2ban/miab-owncloud.conf index 153dffa7..a9a13f2c 100644 --- a/conf/fail2ban/miab-owncloud.conf +++ b/conf/fail2ban/miab-owncloud.conf @@ -1,24 +1,3 @@ -# Fail2Ban filter Mail-in-a-Box management daemon - -[INCLUDES] - -before = common.conf - -[Definition] - -_daemon = mailinabox - -failregex = Mail-in-a-Box Management Daemon: Failed login attempt from ip - timestamp .* -ignoreregex = -alon@box:/etc/fail2ban$ cat filter.d/miab-munin.conf -[INCLUDES] - -before = common.conf - -[Definition] -failregex= - .*GET /admin/munin/.* HTTP/1.1\" 401.* -ignoreregex = -alon@box:/etc/fail2ban$ cat filter.d/miab-owncloud.conf [INCLUDES] before = common.conf From 3701676304f99972ea1022e0cff398c21f59ef91 Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Mon, 27 Jun 2016 04:01:51 -0400 Subject: [PATCH 11/20] fixed miab-munin.conf --- conf/fail2ban/miab-munin.conf | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/conf/fail2ban/miab-munin.conf b/conf/fail2ban/miab-munin.conf index a923be1e..b254cc62 100644 --- a/conf/fail2ban/miab-munin.conf +++ b/conf/fail2ban/miab-munin.conf @@ -1,16 +1,3 @@ -# Fail2Ban filter Mail-in-a-Box management daemon - -[INCLUDES] - -before = common.conf - -[Definition] - -_daemon = mailinabox - -failregex = Mail-in-a-Box Management Daemon: Failed login attempt from ip - timestamp .* -ignoreregex = -alon@box:/etc/fail2ban$ cat filter.d/miab-munin.conf [INCLUDES] before = common.conf From 52658396816d962dc5aa27fc4fce6cfd7f43866a Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Mon, 27 Jun 2016 04:10:39 -0400 Subject: [PATCH 12/20] made rkhunter create a local file per suggestions --- setup/system.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/system.sh b/setup/system.sh index 86234213..93470577 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -130,7 +130,7 @@ cd rkhunter* ./installer.sh --layout /usr --install cd .. rm -rf rkhunter* -cp conf/rkhunter/rkhunter.conf /etc/rkhunter.conf +cp conf/rkhunter/rkhunter.conf /etc/rkhunter.conf.local sed -i '/APT_AUTOGEN="false"/c\APT_AUTOGEN="yes"' /etc/default/rkhunter rkhunter --propupd (crontab -l 2>/dev/null; echo "15 04 * * * /usr/bin/rkhunter --cronjob --update --quiet From b76c9330c5d36c107f33296f98ea3cdb014d7992 Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Mon, 27 Jun 2016 04:13:56 -0400 Subject: [PATCH 13/20] some fixes to fail2ban filters and jail.local --- conf/fail2ban/jail.local | 46 ++++++++++++++++------------------------ setup/system.sh | 3 ++- 2 files changed, 20 insertions(+), 29 deletions(-) diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local index cbcaf817..661151b1 100644 --- a/conf/fail2ban/jail.local +++ b/conf/fail2ban/jail.local @@ -14,15 +14,15 @@ action = %(action_mwl)s [ssh] maxretry = 7 bantime = 3600 -# action = sendmail-whois-lines[name=ssh, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +action = sendmail-whois-lines[name=ssh, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] [ssh-ddos] enabled = true -# action = sendmail-whois-lines[name=ssh-ddos, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +action = sendmail-whois-lines[name=ssh-ddos, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] [sasl] enabled = true -# action = sendmail-whois-lines[name=sasl, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +action = sendmail-whois-lines[name=sasl, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] [nginx] @@ -30,14 +30,14 @@ enabled = true enabled = true filter = nginx-http-auth port = http,https -# action = sendmail-whois-lines[name=nginx-http-auth, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +action = sendmail-whois-lines[name=nginx-http-auth, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] [nginx-badbots] enabled = true port = http,https filter = nginx-badbots -# action = sendmail-whois-lines[name=nginx-badbots, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +action = sendmail-whois-lines[name=nginx-badbots, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] logpath = /var/log/nginx/access.log maxretry = 2 @@ -46,14 +46,14 @@ enabled = true filter = dovecotimap findtime = 30 maxretry = 20 -# action = sendmail-whois-lines[name=dovecot, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +action = sendmail-whois-lines[name=dovecot, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] logpath = /var/log/mail.log [recidive] enabled = true maxretry = 10 action = iptables-allports[name=recidive] -# sendmail-whois-lines[name=recidive, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] + sendmail-whois-lines[name=recidive, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] # In the recidive section of jail.conf the action contains: # @@ -67,19 +67,18 @@ action = iptables-allports[name=recidive] # can't be delivered to fail2ban@$HOSTNAME. # Copied from ChiefGyk's OwnCloud -# [owncloud] -# enabled = true -# filter = owncloud -# action = sendmail-whois-lines[name=owncloud, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] -# logpath = STORAGE_ROOT/owncloud/owncloud.log -# maxretry = 20 -# findtime = 300 -# bantime = 300 +[owncloud] +enabled = true +filter = owncloud +action = sendmail-whois-lines[name=owncloud, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] +logpath = STORAGE_ROOT/owncloud/owncloud.log +maxretry = 20 +findtime = 300 [miab-management] enabled = true filter = miab-management-daemon -# action = sendmail-whois-lines[name=miab-management, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +action = sendmail-whois-lines[name=miab-management, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] port = http,https logpath = /var/log/syslog maxretry = 20 @@ -89,25 +88,16 @@ findtime = 30 enabled = true port = http,https filter = miab-munin -# action = sendmail-whois-lines[name=miab-munin, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +action = sendmail-whois-lines[name=miab-munin, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] logpath = /var/log/nginx/access.log maxretry = 20 findtime = 30 -[miab-owncloud] -enabled = true -port = http,https -filter = miab-owncloud -# action = sendmail-whois-lines[name=miab-owncloud, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] -logpath = STORAGE_ROOT/owncloud/owncloud.log -maxretry = 20 -findtime = 120 - [miab-postfix587] enabled = true port = 587 filter = miab-postfix-submission -# action = sendmail-whois-lines[name=miab-postfix-submission, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +action = sendmail-whois-lines[name=miab-postfix-submission, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] logpath = /var/log/mail.log maxretry = 20 findtime = 30 @@ -116,7 +106,7 @@ findtime = 30 enabled = true port = http,https filter = miab-roundcube -action = sendmail-whois-lines[name=miab-roundcube, dest="@.,@.,fail2ban@blocklist.de", sender=fail2ban@box.., sendername="Fail2Ban"] +action = sendmail-whois-lines[name=miab-roundcube, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] logpath = /var/log/roundcubemail/errors maxretry = 20 findtime = 30 diff --git a/setup/system.sh b/setup/system.sh index 93470577..9b9b3530 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -311,6 +311,7 @@ restart_service resolvconf # ### Fail2Ban Service # Configure the Fail2Ban installation to prevent dumb bruce-force attacks against dovecot, postfix and ssh +# ChiefGyk commented out a filter to use my own temporarily. May be removed later on line 322 cat conf/fail2ban/jail.local \ | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ > /etc/fail2ban/jail.local @@ -318,7 +319,7 @@ cp conf/fail2ban/dovecotimap.conf /etc/fail2ban/filter.d/dovecotimap.conf cp conf/fail2ban/nginx.conf /etc/fail2ban/filter.d/nginx.conf cp conf/fail2ban/miab-management-daemon.conf /etc/fail2ban/filter.d/miab-management-daemon.conf cp conf/fail2ban/miab-munin.conf /etc/fail2ban/filter.d/miab-munin.conf -cp conf/fail2ban/miab-owncloud.conf /etc/fail2ban/filter.d/miab-owncloud.conf +#cp conf/fail2ban/miab-owncloud.conf /etc/fail2ban/filter.d/miab-owncloud.conf cp conf/fail2ban/miab-postfix-submission.conf /etc/fail2ban/filter.d/miab-postfix-submission.conf cp conf/fail2ban/miab-roundcube.conf /etc/fail2ban/filter.d/miab-roundcube.conf cp conf/fail2ban/owncloud.conf /etc/fail2ban/filter.d/owncloud.conf From 7f89d7cb82f908c9cc1daf63aa2bbd32f5394c22 Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Mon, 27 Jun 2016 04:32:06 -0400 Subject: [PATCH 14/20] added line for rkhunter to first update when installed. --- setup/system.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/system.sh b/setup/system.sh index 9b9b3530..245ce754 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -132,6 +132,7 @@ cd .. rm -rf rkhunter* cp conf/rkhunter/rkhunter.conf /etc/rkhunter.conf.local sed -i '/APT_AUTOGEN="false"/c\APT_AUTOGEN="yes"' /etc/default/rkhunter +rkhunter --update rkhunter --propupd (crontab -l 2>/dev/null; echo "15 04 * * * /usr/bin/rkhunter --cronjob --update --quiet ")| crontab - From 20bf710b28b1f5ef8f1c7faa9cfd5c159d281dd0 Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Mon, 27 Jun 2016 09:21:29 -0400 Subject: [PATCH 15/20] removed some more clutter from jail.local --- conf/fail2ban/jail.local | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local index 661151b1..c6c8b00f 100644 --- a/conf/fail2ban/jail.local +++ b/conf/fail2ban/jail.local @@ -14,15 +14,12 @@ action = %(action_mwl)s [ssh] maxretry = 7 bantime = 3600 -action = sendmail-whois-lines[name=ssh, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] [ssh-ddos] enabled = true -action = sendmail-whois-lines[name=ssh-ddos, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] [sasl] enabled = true -action = sendmail-whois-lines[name=sasl, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] [nginx] @@ -30,14 +27,12 @@ action = sendmail-whois-lines[name=sasl, dest="admin@$DOMAIN", sender=fail2ban enabled = true filter = nginx-http-auth port = http,https -action = sendmail-whois-lines[name=nginx-http-auth, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] [nginx-badbots] enabled = true port = http,https filter = nginx-badbots -action = sendmail-whois-lines[name=nginx-badbots, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] logpath = /var/log/nginx/access.log maxretry = 2 @@ -46,14 +41,12 @@ enabled = true filter = dovecotimap findtime = 30 maxretry = 20 -action = sendmail-whois-lines[name=dovecot, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] logpath = /var/log/mail.log [recidive] enabled = true maxretry = 10 action = iptables-allports[name=recidive] - sendmail-whois-lines[name=recidive, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] # In the recidive section of jail.conf the action contains: # @@ -70,7 +63,6 @@ action = iptables-allports[name=recidive] [owncloud] enabled = true filter = owncloud -action = sendmail-whois-lines[name=owncloud, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] logpath = STORAGE_ROOT/owncloud/owncloud.log maxretry = 20 findtime = 300 @@ -78,7 +70,6 @@ findtime = 300 [miab-management] enabled = true filter = miab-management-daemon -action = sendmail-whois-lines[name=miab-management, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] port = http,https logpath = /var/log/syslog maxretry = 20 @@ -88,7 +79,6 @@ findtime = 30 enabled = true port = http,https filter = miab-munin -action = sendmail-whois-lines[name=miab-munin, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] logpath = /var/log/nginx/access.log maxretry = 20 findtime = 30 @@ -97,7 +87,6 @@ findtime = 30 enabled = true port = 587 filter = miab-postfix-submission -action = sendmail-whois-lines[name=miab-postfix-submission, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] logpath = /var/log/mail.log maxretry = 20 findtime = 30 @@ -106,7 +95,6 @@ findtime = 30 enabled = true port = http,https filter = miab-roundcube -action = sendmail-whois-lines[name=miab-roundcube, dest="admin@$DOMAIN", sender=fail2ban@$DOMAIN, sendername="Fail2Ban"] logpath = /var/log/roundcubemail/errors maxretry = 20 findtime = 30 From 406f991be3a74bd4375f66427e912ec85586fe8e Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Mon, 27 Jun 2016 09:30:01 -0400 Subject: [PATCH 16/20] fixed error in my script copying nginx-badbots --- conf/fail2ban/nginx-badbots.conf | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/conf/fail2ban/nginx-badbots.conf b/conf/fail2ban/nginx-badbots.conf index c32b9f2a..b2ac9626 100644 --- a/conf/fail2ban/nginx-badbots.conf +++ b/conf/fail2ban/nginx-badbots.conf @@ -1,20 +1,3 @@ -# fail2ban filter configuration for nginx - - -[Definition] - - -failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ - ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ - -ignoreregex = - -# DEV NOTES: -# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files -# Extensive search of all nginx auth failures not done yet. -# -# Author: Daniel Black -alon@box:/etc/fail2ban$ cat filter.d/nginx-badbots.conf # Fail2Ban configuration file # # Regexp to catch known spambots and software alike. Please verify From 3a1313144b6bc0531e4f92888c8e09c3428fbad0 Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Mon, 27 Jun 2016 09:38:14 -0400 Subject: [PATCH 17/20] moved blocklist script locally within installation --- conf/blocklist/sync-fail2ban | 85 ++++++++++++++++++++++++++++++++++++ setup/system.sh | 2 +- 2 files changed, 86 insertions(+), 1 deletion(-) create mode 100644 conf/blocklist/sync-fail2ban diff --git a/conf/blocklist/sync-fail2ban b/conf/blocklist/sync-fail2ban new file mode 100644 index 00000000..3ee9c23a --- /dev/null +++ b/conf/blocklist/sync-fail2ban @@ -0,0 +1,85 @@ +#!/bin/bash + +## Update fail2ban iptables with globally known attackers. +## Actually, runs 100% independently now, without needing fail2ban installed. +## +## /etc/cron.daily/sync-fail2ban +## +## Author: Marcos Kobylecki +## http://www.reddit.com/r/linux/comments/2nvzur/shared_blacklists_from_fail2ban/ + + +## Quit if fail2ban is missing. Maybe this fake requirement can be skipped? YES. +#PROGRAM=/etc/init.d/fail2ban +#[ -x $PROGRAM ] || exit 0 + +datadir=/etc/fail2ban +[[ -d "$datadir" ]] || datadir=/tmp + +## Get default settings of fail2ban (optional?) +[ -r /etc/default/fail2ban ] && . /etc/default/fail2ban + +umask 000 +blacklistf=$datadir/blacklist.blocklist.de.txt + +mv -vf $blacklistf $blacklistf.last + +badlisturls="http://antivirus.neu.edu.cn/ssh/lists/base_30days.txt http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt" + + + iptables -vN fail2ban-ssh # Create the chain if it doesn't exist. Harmless if it does. + +# Grab list(s) at https://www.blocklist.de/en/export.html . Block. +echo "Adding new blocks:" + time curl -s http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt \ + |sort -u \ + |tee $blacklistf \ + |grep -v '^#\|:' \ + |while read IP; do iptables -I fail2ban-ssh 1 -s $IP -j DROP; done + + + +# Which listings had been removed since last time? Unblock. +echo "Removing old blocks:" +if [[ -r $blacklistf.diff ]]; then + # comm is brittle, cannot use sort -rn + time comm -23 $blacklistf.last $blacklistf \ + |tee $blacklistf.delisted \ + |grep -v '^#\|:' \ + |while read IP; do iptables -w -D fail2ban-ssh -s $IP -j DROP || iptables -wv -D fail2ban-ssh -s $IP -j LOGDROP; done + +fi + + +# prepare for next time. + diff -wbay $blacklistf.last $blacklistf > $blacklistf.diff + + + + + +# Saves a copy of current iptables rules, should you like to check them later. +(set -x; iptables -wnv -L --line-numbers; iptables -wnv -t nat -L --line-numbers) &> /tmp/iptables.fail2ban.log & + + +exit + +# iptables v1.4.21: host/network `2a00:1210:fffe:145::1' not found +# So weed out IPv6, try |grep -v ':' + +## http://ix.io/fpC + + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = iptables -I fail2ban- 1 -s -j # Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = iptables -D fail2ban- -s -j \ No newline at end of file diff --git a/setup/system.sh b/setup/system.sh index 245ce754..af7afdf4 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -329,7 +329,7 @@ restart_service fail2ban # Add Blocklist.de malicious IP Addresses to Daily Crontab # Added by Alon "ChiefGyk" Ganon -curl -s https://gist.githubusercontent.com/klepsydra/ecf975984b32b1c8291a/raw > /etc/cron.daily/sync-fail2ban +cp conf/blocklist/sync-fail2ban /etc/cron.daily/sync-fail2ban chmod a+x /etc/cron.daily/sync-fail2ban time /etc/cron.daily/sync-fail2ban From 23f2b1688f0f6db2986c7576dc7be1860a9557f6 Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Tue, 28 Jun 2016 12:31:21 -0400 Subject: [PATCH 18/20] reset --- conf/blocklist/sync-fail2ban | 85 -- conf/fail2ban/jail.local | 66 +- conf/fail2ban/miab-management-daemon.conf | 12 - conf/fail2ban/miab-munin.conf | 7 - conf/fail2ban/miab-owncloud.conf | 7 - conf/fail2ban/miab-postfix-submission.conf | 7 - conf/fail2ban/miab-roundcube.conf | 9 - conf/fail2ban/nginx-badbots.conf | 21 - conf/fail2ban/nginx.conf | 17 - conf/fail2ban/owncloud.conf | 8 - conf/rkhunter/rkhunter.conf | 1008 -------------------- setup/system.sh | 36 - 12 files changed, 3 insertions(+), 1280 deletions(-) delete mode 100644 conf/blocklist/sync-fail2ban delete mode 100644 conf/fail2ban/miab-management-daemon.conf delete mode 100644 conf/fail2ban/miab-munin.conf delete mode 100644 conf/fail2ban/miab-owncloud.conf delete mode 100644 conf/fail2ban/miab-postfix-submission.conf delete mode 100644 conf/fail2ban/miab-roundcube.conf delete mode 100644 conf/fail2ban/nginx-badbots.conf delete mode 100644 conf/fail2ban/nginx.conf delete mode 100644 conf/fail2ban/owncloud.conf delete mode 100644 conf/rkhunter/rkhunter.conf diff --git a/conf/blocklist/sync-fail2ban b/conf/blocklist/sync-fail2ban deleted file mode 100644 index 3ee9c23a..00000000 --- a/conf/blocklist/sync-fail2ban +++ /dev/null @@ -1,85 +0,0 @@ -#!/bin/bash - -## Update fail2ban iptables with globally known attackers. -## Actually, runs 100% independently now, without needing fail2ban installed. -## -## /etc/cron.daily/sync-fail2ban -## -## Author: Marcos Kobylecki -## http://www.reddit.com/r/linux/comments/2nvzur/shared_blacklists_from_fail2ban/ - - -## Quit if fail2ban is missing. Maybe this fake requirement can be skipped? YES. -#PROGRAM=/etc/init.d/fail2ban -#[ -x $PROGRAM ] || exit 0 - -datadir=/etc/fail2ban -[[ -d "$datadir" ]] || datadir=/tmp - -## Get default settings of fail2ban (optional?) -[ -r /etc/default/fail2ban ] && . /etc/default/fail2ban - -umask 000 -blacklistf=$datadir/blacklist.blocklist.de.txt - -mv -vf $blacklistf $blacklistf.last - -badlisturls="http://antivirus.neu.edu.cn/ssh/lists/base_30days.txt http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt" - - - iptables -vN fail2ban-ssh # Create the chain if it doesn't exist. Harmless if it does. - -# Grab list(s) at https://www.blocklist.de/en/export.html . Block. -echo "Adding new blocks:" - time curl -s http://lists.blocklist.de/lists/ssh.txt http://lists.blocklist.de/lists/bruteforcelogin.txt \ - |sort -u \ - |tee $blacklistf \ - |grep -v '^#\|:' \ - |while read IP; do iptables -I fail2ban-ssh 1 -s $IP -j DROP; done - - - -# Which listings had been removed since last time? Unblock. -echo "Removing old blocks:" -if [[ -r $blacklistf.diff ]]; then - # comm is brittle, cannot use sort -rn - time comm -23 $blacklistf.last $blacklistf \ - |tee $blacklistf.delisted \ - |grep -v '^#\|:' \ - |while read IP; do iptables -w -D fail2ban-ssh -s $IP -j DROP || iptables -wv -D fail2ban-ssh -s $IP -j LOGDROP; done - -fi - - -# prepare for next time. - diff -wbay $blacklistf.last $blacklistf > $blacklistf.diff - - - - - -# Saves a copy of current iptables rules, should you like to check them later. -(set -x; iptables -wnv -L --line-numbers; iptables -wnv -t nat -L --line-numbers) &> /tmp/iptables.fail2ban.log & - - -exit - -# iptables v1.4.21: host/network `2a00:1210:fffe:145::1' not found -# So weed out IPv6, try |grep -v ':' - -## http://ix.io/fpC - - -# Option: actionban -# Notes.: command executed when banning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: See jail.conf(5) man page -# Values: CMD -# -actionban = iptables -I fail2ban- 1 -s -j # Option: actionunban -# Notes.: command executed when unbanning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: See jail.conf(5) man page -# Values: CMD -# -actionunban = iptables -D fail2ban- -s -j \ No newline at end of file diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local index c6c8b00f..dc338803 100644 --- a/conf/fail2ban/jail.local +++ b/conf/fail2ban/jail.local @@ -6,39 +6,21 @@ # ours too. The string is substituted during installation. ignoreip = 127.0.0.1/8 PUBLIC_IP -action = %(action_mwl)s - # JAILS -# Uncomment actions out with proper addresses once blocklist.de is configured, I like to send it to two email addresses, in addition to blocklist.de [ssh] maxretry = 7 bantime = 3600 - + [ssh-ddos] enabled = true [sasl] enabled = true - -[nginx] - -enabled = true -filter = nginx-http-auth -port = http,https - -[nginx-badbots] - -enabled = true -port = http,https -filter = nginx-badbots -logpath = /var/log/nginx/access.log -maxretry = 2 - [dovecot] -enabled = true -filter = dovecotimap +enabled = true +filter = dovecotimap findtime = 30 maxretry = 20 logpath = /var/log/mail.log @@ -47,7 +29,6 @@ logpath = /var/log/mail.log enabled = true maxretry = 10 action = iptables-allports[name=recidive] - # In the recidive section of jail.conf the action contains: # # action = iptables-allports[name=recidive] @@ -58,44 +39,3 @@ action = iptables-allports[name=recidive] # By default we don't configure this address and no action is required from the admin anyway. # So the notification is ommited. This will prevent message appearing in the mail.log that mail # can't be delivered to fail2ban@$HOSTNAME. - -# Copied from ChiefGyk's OwnCloud -[owncloud] -enabled = true -filter = owncloud -logpath = STORAGE_ROOT/owncloud/owncloud.log -maxretry = 20 -findtime = 300 - -[miab-management] -enabled = true -filter = miab-management-daemon -port = http,https -logpath = /var/log/syslog -maxretry = 20 -findtime = 30 - -[miab-munin] -enabled = true -port = http,https -filter = miab-munin -logpath = /var/log/nginx/access.log -maxretry = 20 -findtime = 30 - -[miab-postfix587] -enabled = true -port = 587 -filter = miab-postfix-submission -logpath = /var/log/mail.log -maxretry = 20 -findtime = 30 - -[miab-roundcube] -enabled = true -port = http,https -filter = miab-roundcube -logpath = /var/log/roundcubemail/errors -maxretry = 20 -findtime = 30 - diff --git a/conf/fail2ban/miab-management-daemon.conf b/conf/fail2ban/miab-management-daemon.conf deleted file mode 100644 index 0b0489c2..00000000 --- a/conf/fail2ban/miab-management-daemon.conf +++ /dev/null @@ -1,12 +0,0 @@ -# Fail2Ban filter Mail-in-a-Box management daemon - -[INCLUDES] - -before = common.conf - -[Definition] - -_daemon = mailinabox - -failregex = Mail-in-a-Box Management Daemon: Failed login attempt from ip - timestamp .* -ignoreregex = diff --git a/conf/fail2ban/miab-munin.conf b/conf/fail2ban/miab-munin.conf deleted file mode 100644 index b254cc62..00000000 --- a/conf/fail2ban/miab-munin.conf +++ /dev/null @@ -1,7 +0,0 @@ -[INCLUDES] - -before = common.conf - -[Definition] -failregex= - .*GET /admin/munin/.* HTTP/1.1\" 401.* -ignoreregex = diff --git a/conf/fail2ban/miab-owncloud.conf b/conf/fail2ban/miab-owncloud.conf deleted file mode 100644 index a9a13f2c..00000000 --- a/conf/fail2ban/miab-owncloud.conf +++ /dev/null @@ -1,7 +0,0 @@ -[INCLUDES] - -before = common.conf - -[Definition] -failregex=Login failed: .*Remote IP: '[\)'] -ignoreregex = diff --git a/conf/fail2ban/miab-postfix-submission.conf b/conf/fail2ban/miab-postfix-submission.conf deleted file mode 100644 index 236e1331..00000000 --- a/conf/fail2ban/miab-postfix-submission.conf +++ /dev/null @@ -1,7 +0,0 @@ -[INCLUDES] - -before = common.conf - -[Definition] -failregex=postfix/submission/smtpd.*warning.*\[\]: .* authentication (failed|aborted) -ignoreregex = diff --git a/conf/fail2ban/miab-roundcube.conf b/conf/fail2ban/miab-roundcube.conf deleted file mode 100644 index c6979c85..00000000 --- a/conf/fail2ban/miab-roundcube.conf +++ /dev/null @@ -1,9 +0,0 @@ -[INCLUDES] - -before = common.conf - -[Definition] - -failregex = IMAP Error: Login failed for .*? from \. AUTHENTICATE.* - -ignoreregex = diff --git a/conf/fail2ban/nginx-badbots.conf b/conf/fail2ban/nginx-badbots.conf deleted file mode 100644 index b2ac9626..00000000 --- a/conf/fail2ban/nginx-badbots.conf +++ /dev/null @@ -1,21 +0,0 @@ -# Fail2Ban configuration file -# -# Regexp to catch known spambots and software alike. Please verify -# that it is your intent to block IPs which were driven by -# above mentioned bots. - - -[Definition] - -badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider -badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, +http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 - -failregex = ^ -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ - -ignoreregex = - -# DEV Notes: -# List of bad bots fetched from http://www.user-agents.org -# Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots. -# -# Author: Yaroslav Halchenko diff --git a/conf/fail2ban/nginx.conf b/conf/fail2ban/nginx.conf deleted file mode 100644 index 74dfe184..00000000 --- a/conf/fail2ban/nginx.conf +++ /dev/null @@ -1,17 +0,0 @@ -# fail2ban filter configuration for nginx - - -[Definition] - - -failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ - ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ - -ignoreregex = - -# DEV NOTES: -# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files -# Extensive search of all nginx auth failures not done yet. -# -# Author: Daniel Black -# Second entry done by Alon Ganon \ No newline at end of file diff --git a/conf/fail2ban/owncloud.conf b/conf/fail2ban/owncloud.conf deleted file mode 100644 index c62763d0..00000000 --- a/conf/fail2ban/owncloud.conf +++ /dev/null @@ -1,8 +0,0 @@ -[INCLUDES] -before = common.conf - -[Definition] -_daemon = owncloud - -failregex = {"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: ''\)","level":2,"time":".*","method":".*} -ignoreregex = diff --git a/conf/rkhunter/rkhunter.conf b/conf/rkhunter/rkhunter.conf deleted file mode 100644 index 698f2be7..00000000 --- a/conf/rkhunter/rkhunter.conf +++ /dev/null @@ -1,1008 +0,0 @@ -# -# This is the main configuration file for Rootkit Hunter. -# -# You can either modify this file directly, or you can create a local -# configuration file. The local file must be named 'rkhunter.conf.local', -# and must reside in the same directory as this file. Please modify one -# or both files to your own requirements. It is suggested that the -# command 'rkhunter -C' is run after any changes have been made. -# -# Please review the documentation before posting bug reports or questions. -# To report bugs, obtain updates, or provide patches or comments, please go to: -# http://rkhunter.sourceforge.net -# -# To ask questions about rkhunter, please use the rkhunter-users mailing list. -# Note this is a moderated list: please subscribe before posting. -# -# Lines beginning with a hash (#), and blank lines, are ignored. -# End-of-line comments are not supported. -# -# Most of the following options need only be specified once. If -# they appear more than once, then the last one seen will be used. -# Some options are allowed to appear more than once, and the text -# describing the option will say if this is so. -# -# Some of the options are space-separated lists of pathnames. If -# wildcard characters (globbing) are allowed in the list, then the -# text describing the option will say so. -# -# Space-separated lists may be enclosed by quotes, but these must only -# appear at the start and end of the list, not in the middle. -# -# For example: XXX="abc def gh" (correct) -# XXX="abc" "def" "gh" (incorrect) -# - - -# -# If this option is set to 1, it specifies that the mirrors file -# ('mirrors.dat'), which is used when the '--update' and '--versioncheck' -# options are used, is to be rotated. Rotating the entries in the file -# allows a basic form of load-balancing between the mirror sites whenever -# the above options are used. -# If the option is set to 0, then the mirrors will be treated as if in -# a priority list. That is, the first mirror listed will always be used -# first. The second mirror will only be used if the first mirror fails, -# the third mirror will only be used if the second mirror fails, and so on. -# -# If the mirrors file is read-only, then the '--versioncheck' command-line -# option can only be used if this option is set to 0. -# -ROTATE_MIRRORS=1 - -# -# If this option is set to 1, it specifies that when the '--update' -# option is used, then the mirrors file is to be checked for updates -# as well. If the current mirrors file contains any local mirrors, -# these will be prepended to the updated file. -# If this option is set to 0, the mirrors file can only be updated -# manually. This may be useful if only using local mirrors. -# -UPDATE_MIRRORS=1 - -# -# The MIRRORS_MODE option tells rkhunter which mirrors are to be -# used when the '--update' or '--versioncheck' command-line options -# are given. Possible values are: -# 0 - use any mirror (the default) -# 1 - only use local mirrors -# 2 - only use remote mirrors -# -# Local and remote mirrors can be defined in the mirrors file -# by using the 'local=' and 'remote=' keywords respectively. -# -MIRRORS_MODE=0 - -# -# Email a message to this address if a warning is found when the -# system is being checked. Multiple addresses may be specified -# simply be separating them with a space. Setting this option to -# null disables the option. -# -# NOTE: This option should be present in the configuration file. -# -#MAIL-ON-WARNING=me@mydomain root@mydomain - -# -# Specify the mail command to use if MAIL-ON-WARNING is set. -# -# NOTE: Double quotes are not required around the command, but -# are required around the subject line if it contains spaces. -# -MAIL_CMD=mail -s "[rkhunter] Warnings found for ${HOST_NAME}" - -# -# Specify the temporary directory to use. -# -# NOTE: Do not use /tmp as your temporary directory. Some -# important files will be written to this directory, so be -# sure that the directory permissions are tight. -# -TMPDIR=/var/lib/rkhunter/tmp - -# -# Specify the database directory to use. -# -DBDIR=/var/lib/rkhunter/db - -# -# Specify the script directory to use. -# -SCRIPTDIR=/usr/share/rkhunter/scripts - -# -# This option can be used to modify the command directory list used -# by rkhunter to locate commands (that is, its PATH). By default -# this will be the root PATH, and an internal list of some common -# command directories. -# -# Any directories specified here will, by default, be appended to the -# default list. However, if a directory name begins with the '+' -# character, then that directory will be prepended to the list (that -# is, it will be put at the start of the list). -# -# This is a space-separated list of directory names. The option may -# be specified more than once. -# -#BINDIR="/bin /usr/bin /sbin /usr/sbin" -#BINDIR="+/usr/local/bin +/usr/local/sbin" - -# -# Specify the default language to use. This should be similar -# to the ISO 639 language code. -# -# NOTE: Please ensure that the language you specify is supported. -# For a list of supported languages use the following command: -# -# rkhunter --lang en --list languages -# -#LANGUAGE=en - -# -# This option is a space-separated list of the languages that are to -# be updated when the '--update' option is used. If unset, then all -# the languages will be updated. If none of the languages are to be -# updated, then set this option to just 'en'. -# -# The default is for all the languages to be updated. The default -# language, specified above, and the English (en) language file will -# always be updated regardless of this option. -# -UPDATE_LANG="" - -# -# Specify the log file pathname. -# -# NOTE: This option should be present in the configuration file. -# -LOGFILE=/var/log/rkhunter.log - -# -# Set the following option to 1 if the log file is to be appended to -# whenever rkhunter is run. -# -APPEND_LOG=0 - -# -# Set the following option to 1 if the log file is to be copied when -# rkhunter finishes and an error or warning has occurred. The copied -# log file name will be appended with the current date and time -# (in YYYY-MM-DD_HH:MM:SS format). -# For example: rkhunter.log.2009-04-21_00:57:51 -# -COPY_LOG_ON_ERROR=0 - -# -# Set the following option to enable the rkhunter check start and finish -# times to be logged by syslog. Warning messages will also be logged. -# The value of the option must be a standard syslog facility and -# priority, separated by a dot. For example: -# -# USE_SYSLOG=authpriv.warning -# -# Setting the value to 'none', or just leaving the option commented out, -# disables the use of syslog. -# -#USE_SYSLOG=authpriv.notice - -# -# Set the following option to 1 if the second colour set is to be used. -# This can be useful if your screen uses black characters on a white -# background (for example, a PC instead of a server). -# -COLOR_SET2=0 - -# -# Set the following option to 0 if rkhunter should not detect if X is -# being used. If X is detected as being used, then the second colour -# set will automatically be used. -# -AUTO_X_DETECT=1 - -# -# Set the following option to 1 if it is wanted that any 'Whitelisted' -# results are shown in white rather than green. For colour set 2 users, -# setting this option will cause the result to be shown in black. -# -WHITELISTED_IS_WHITE=0 - -# -# The following option is checked against the SSH configuration file -# 'PermitRootLogin' option. A warning will be displayed if they do not -# match. However, if a value has not been set in the SSH configuration -# file, then a value here of 'unset' can be used to avoid warning messages. -# This option has a default value of 'no'. -# -ALLOW_SSH_ROOT_USER=no - -# -# Set this option to '1' to allow the use of the SSH-1 protocol, but note -# that theoretically it is weaker, and therefore less secure, than the -# SSH-2 protocol. Do not modify this option unless you have good reasons -# to use the SSH-1 protocol (for instance for AFS token passing or Kerberos4 -# authentication). If the 'Protocol' option has not been set in the SSH -# configuration file, then a value of '2' may be set here in order to -# suppress a warning message. This option has a default value of '0'. -# -ALLOW_SSH_PROT_V1=0 - -# -# This setting tells rkhunter the directory containing the SSH configuration -# file. This setting will be worked out by rkhunter, and so should not -# usually need to be set. -# -#SSH_CONFIG_DIR=/etc/ssh - -# -# These two options determine which tests are to be performed. -# The ENABLE_TESTS option can use the word 'all' to refer to all the -# available tests. The DISABLE_TESTS option can use the word 'none' to -# mean that no tests are disabled. The list of disabled tests is applied to -# the list of enabled tests. Both options are space-separated lists of test -# names. The currently available test names can be seen by using the command -# 'rkhunter --list tests'. -# -# The program defaults are to enable all tests and disable none. However, if -# either of the options below are specified, then they will override the -# program defaults. -# -# The supplied configuration file has some tests already disabled, and these -# are tests that will be used only occasionally, can be considered -# "advanced" or that are prone to produce more than the average number of -# false-positives. -# -# Please read the README file for more details about enabling and disabling -# tests, the test names, and how rkhunter behaves when these options are used. -# -# hidden_procs test requires the unhide command which is part of the unhide -# package in Debian. -# -# apps test is disabled by default as it triggers warnings about outdated -# applications (and warns about possible security risk: we better trust -# the Debian Security Team). -# -ENABLE_TESTS="all" -DISABLE_TESTS="suspscan hidden_procs deleted_files packet_cap_apps apps" - -# -# The HASH_FUNC option can be used to specify the command to use -# for the file hash value check. It can be specified as just the -# command name or the full pathname. If just the command name is -# given, and it is one of MD5, SHA1, SHA224, SHA256, SHA384 or -# SHA512, then rkhunter will first look for the relevant command, -# such as 'sha256sum', and then for 'sha256'. If neither of these -# are found, it will then look to see if a perl module has been -# installed which will support the relevant hash function. To see -# which perl modules have been installed use the command -# 'rkhunter --list perl'. -# -# The default is SHA1, or MD5 if SHA1 cannot be found. -# -# Systems using prelinking are restricted to using either the -# SHA1 or MD5 function. -# -# A value of 'NONE' (in uppercase) can be specified to indicate that -# no hash function should be used. Rootkit Hunter will detect this and -# automatically disable the file hash checks. -# -# Examples: -# For Solaris 9 : HASH_FUNC=gmd5sum -# For Solaris 10: HASH_FUNC=sha1sum -# For AIX (>5.2): HASH_FUNC="csum -hMD5" -# For NetBSD : HASH_FUNC="cksum -a sha512" -# -# NOTE: If the hash function is changed then you MUST run rkhunter with -# the '--propupd' option to rebuild the file properties database. -# -#HASH_FUNC=sha1sum - -# -# The HASH_FLD_IDX option specifies which field from the HASH_FUNC -# command output contains the hash value. The fields are assumed to -# be space-separated. The default value is 1, but for *BSD users -# rkhunter will, by default, use a value of 4 if the HASH_FUNC option -# has not been set. The option value must be an integer greater -# than zero. -# -#HASH_FLD_IDX=4 - -# -# The PKGMGR option tells rkhunter to use the specified package manager -# to obtain the file property information. This is used when updating -# the file properties file ('rkhunter.dat'), and when running the file -# properties check. For RedHat/RPM-based systems, 'RPM' can be used to -# get information from the RPM database. For Debian-based systems 'DPKG' -# can be used, for *BSD systems 'BSD' can be used, and for Solaris -# systems 'SOLARIS' can be used. No value, or a value of 'NONE', -# indicates that no package manager is to be used. The default is 'NONE'. -# -# The current package managers, except 'SOLARIS', store the file hash -# values using an MD5 hash function. The Solaris package manager includes -# a checksum value, but this is not used by default (see USE_SUNSUM below). -# -# The 'DPKG' and 'BSD' package managers only provide MD5 hash values. -# The 'RPM' package manager additionally provides values for the inode, -# file permissions, uid, gid and other values. The 'SOLARIS' also provides -# most of the values, similar to 'RPM', but not the inode number. -# -# For any file not part of a package, rkhunter will revert to using the -# HASH_FUNC hash function instead. -# -# Whenever this option is changed 'rkhunter --propupd' must be run. -# -# NONE is the default for Debian as well, as running --propupd takes -# about 4 times longer when it's set to DPKG -# -PKGMGR=DPKG - -# -# It is possible that a file which is part of a package may be modified -# by the administrator. Typically this occurs for configuration files. -# However, the package manager may list the file as being modified. For -# the RPM package manager this may well depend on how the package was -# built. This option specifies those pathnames which are to be exempt -# from the package manager verification process, and which will be treated -# as non-packaged files. As such, the file properties are still checked. -# -# This option only takes effect if the PKGMGR option has been set, and -# is not 'NONE'. -# -# This is a space-separated list of pathnames. The option may -# be specified more than once. -# -# Whenever this option is changed 'rkhunter --propupd' must be run. -# -#PKGMGR_NO_VRFY="" - -# -# This option can be used to tell rkhunter to ignore any prelink -# dependency errors for the given commands. However, a warning will also -# be issued if the error does not occur for a given command. As such -# this option must only be used on commands which experience a persistent -# problem. -# -# Short-term prelink dependency errors can usually be resolved simply by -# running the 'prelink' command on the given pathname. -# -# NOTE: The command 'rkhunter --propupd' must be run whenever this option -# is changed. -# -# This is a space-separated list of command pathnames. The option can be -# specified more than once. -# -#IGNORE_PRELINK_DEP_ERR="/bin/ps /usr/bin/top" - -# -# If the 'SOLARIS' package manager is used, then it is possible to use -# the checksum (hash) value stored for a file. However, this is only a -# 16-bit checksum, and as such is not nearly as secure as, for example, -# a SHA-2 value. For that reason, the checksum is not used by default, -# and the hash function given by HASH_FUNC is used instead. To enable -# this option, set its value to 1. The Solaris 'sum' command must be -# present on the system if this option is used. -# -#USE_SUNSUM=0 - -# -# This option is a space-separated list of commands, directories and file -# pathnames which will be included in the file properties checks. -# This option can be specified more than once. -# -# Whenever this option is changed, 'rkhunter --propupd' must be run. -# -# Simple command names - for example, 'top' - and directory names are -# added to the internal list of directories to be searched for each of -# the command names in the command list. Additionally, full pathnames -# to files, which need not be commands, may be given. Any files or -# directories which are already part of the internal lists will be -# silently ignored from the configuration. -# -# Normal globbing wildcards are allowed, except for simple command names. -# For example, 'top*' cannot be given, but '/usr/bin/top*' is allowed. -# -# Specific files may be excluded by preceding their name with an -# exclamation mark (!). For example, '!/opt/top'. By combining this -# with wildcarding, whole directories can be excluded. For example, -# '/etc/* /etc/*/* !/etc/rc?.d/*'. This will look for files in the first -# two directory levels of '/etc'. However, anything in '/etc/rc0.d', -# '/etc/rc1.d', '/etc/rc2.d' and so on, will be excluded. -# -# NOTE: Only files and directories which have been added by the user, -# and are not part of the internal lists, can be excluded. So, for -# example, it is not possible to exclude the 'ps' command by using -# '!/bin/ps'. These will be silently ignored from the configuration. -# -#USER_FILEPROP_FILES_DIRS="top /usr/local/sbin !/opt/ps*" -#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf" -#USER_FILEPROP_FILES_DIRS="/etc/rkhunter.conf.local" -#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/*" -#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/mirrors.dat" -#USER_FILEPROP_FILES_DIRS="!/var/lib/rkhunter/db/rkhunter*" -#USER_FILEPROP_FILES_DIRS="/var/lib/rkhunter/db/i18n/*" - -# -# This option whitelists files and directories from existing, -# or not existing, on the system at the time of testing. This -# option is used when the configuration file options themselves -# are checked, and during the file properties check, the hidden -# files and directories checks, and the filesystem check of the -# '/dev' directory. -# -# This is a space-separated list of pathnames. The option may be -# specified more than once. The option may use wildcard characters, -# but be aware that this is probably not what you want to do as the -# wildcarding will be expanded after files have been deleted. As -# such deleted files won't be whitelisted if wildcarded. -# -# NOTE: The user must take into consideration how often the file will -# appear and disappear from the system in relation to how often -# rkhunter is run. If the file appears, and disappears, too often -# then rkhunter may not notice this. All it will see is that the file -# has changed. The inode-number and DTM will certainly be different -# for each new file, and rkhunter will report this. -# -#EXISTWHITELIST="" - -# -# Whitelist various attributes of the specified files. -# The attributes are those of the 'attributes' test. -# Specifying a file name here does not include it being -# whitelisted for the write permission test (see below). -# -# This is a space-separated list of filenames. The option may -# be specified more than once. The option may use wildcard -# characters. -# -#ATTRWHITELIST="/bin/ps /usr/bin/date" - -# -# Allow the specified commands to have the 'others' -# (world) permission have the write-bit set. -# -# For example, files with permissions r-xr-xrwx -# or rwxrwxrwx. -# -# This is a space-separated list of filenames. The option may -# be specified more than once. The option may use wildcard -# characters. -# -#WRITEWHITELIST="/bin/ps /usr/bin/date" - -# -# Allow the specified commands to be scripts. -# -# This is a space-separated list of filenames. The option may -# be specified more than once. The option may use wildcard -# characters. -# -SCRIPTWHITELIST=/bin/egrep -SCRIPTWHITELIST=/bin/fgrep -SCRIPTWHITELIST=/bin/which -SCRIPTWHITELIST=/usr/bin/groups -SCRIPTWHITELIST=/usr/bin/ldd -#SCRIPTWHITELIST=/usr/bin/lwp-request -SCRIPTWHITELIST=/usr/sbin/adduser -#SCRIPTWHITELIST=/usr/sbin/prelink -SCRIPTWHITELIST=/usr/bin/unhide.rb - -# -# Allow the specified commands to have the immutable attribute set. -# -# This is a space-separated list of filenames. The option may -# be specified more than once. The option may use wildcard -# characters. -# -#IMMUTWHITELIST="/sbin/ifup /sbin/ifdown" - -# -# If this option is set to 1, then the immutable-bit test is -# reversed. That is, the files are expected to have the bit set. -# -IMMUTABLE_SET=0 - -# -# Allow the specified hidden directories to be whitelisted. -# -# This is a space-separated list of directory pathnames. -# The option may be specified more than once. The option -# may use wildcard characters. -# -#ALLOWHIDDENDIR="/etc/.java" -#ALLOWHIDDENDIR="/dev/.static" -#ALLOWHIDDENDIR="/dev/.SRC-unix" -#ALLOWHIDDENDIR="/etc/.etckeeper" -ALLOWHIDDENDIR="/dev/.udev" - - -# -# Allow the specified hidden files to be whitelisted. -# -# This is a space-separated list of filenames. The option may -# be specified more than once. The option may use wildcard -# characters. -# -#ALLOWHIDDENFILE="/etc/.java" -#ALLOWHIDDENFILE="/usr/share/man/man1/..1.gz" -#ALLOWHIDDENFILE="/etc/.pwd.lock" -#ALLOWHIDDENFILE="/etc/.init.state" -#ALLOWHIDDENFILE="/lib/.libcrypto.so.0.9.8e.hmac /lib/.libcrypto.so.6.hmac" -#ALLOWHIDDENFILE="/lib/.libssl.so.0.9.8e.hmac /lib/.libssl.so.6.hmac" -#ALLOWHIDDENFILE="/usr/bin/.fipscheck.hmac" -#ALLOWHIDDENFILE="/usr/bin/.ssh.hmac" -#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.1.0.hmac" -#ALLOWHIDDENFILE="/usr/lib/.libfipscheck.so.1.hmac" -#ALLOWHIDDENFILE="/usr/lib/.libgcrypt.so.11.hmac" -#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha1hmac.hmac" -#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha256hmac.hmac" -#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha384hmac.hmac" -#ALLOWHIDDENFILE="/usr/lib/hmaccalc/sha512hmac.hmac" -#ALLOWHIDDENFILE="/usr/sbin/.sshd.hmac" -#ALLOWHIDDENFILE="/usr/share/man/man5/.k5login.5.gz" -#ALLOWHIDDENFILE="/etc/.gitignore" -#ALLOWHIDDENFILE="/etc/.bzrignore" -ALLOWHIDDENFILE="/dev/.blkid.tab" -ALLOWHIDDENFILE="/dev/.blkid.tab.old" -ALLOWHIDDENFILE="/dev/.initramfs" - -# -# Allow the specified processes to use deleted files. The -# process name may be followed by a colon-separated list of -# full pathnames. The process will then only be whitelisted -# if it is using one of the given files. For example: -# -# ALLOWPROCDELFILE="/usr/libexec/gconfd-2:/tmp/abc:/var/tmp/xyz" -# -# This is a space-separated list of process names. The option -# may be specified more than once. The option may use wildcard -# characters, but only in the file names. -# -#ALLOWPROCDELFILE="/sbin/cardmgr /usr/sbin/gpm:/etc/X11/abc" -#ALLOWPROCDELFILE="/usr/lib/libgconf2-4/gconfd-2" -#ALLOWPROCDELFILE="/usr/sbin/mysqld:/tmp/ib*" -#ALLOWPROCDELFILE="/usr/lib/iceweasel/firefox-bin" -#ALLOWPROCDELFILE="/usr/bin/file-roller" - -# -# Allow the specified processes to listen on any network interface. -# -# This is a space-separated list of process names. The option -# may be specified more than once. -# -#ALLOWPROCLISTEN="/sbin/dhclient /usr/bin/dhcpcd" -#ALLOWPROCLISTEN="/usr/sbin/pppoe /usr/sbin/tcpdump" -#ALLOWPROCLISTEN="/usr/sbin/snort-plain" - -# -# Allow the specified network interfaces to be in promiscuous mode. -# -# This is a space-separated list of interface names. The option may -# be specified more than once. -# -#ALLOWPROMISCIF="eth0" - -# -# SCAN_MODE_DEV governs how we scan '/dev' for suspicious files. -# The two allowed options are: THOROUGH or LAZY. -# If commented out we do a THOROUGH scan which will increase the runtime. -# Even though this adds to the running time it is highly recommended to -# leave it like this. -# -#SCAN_MODE_DEV=THOROUGH - -# -# The PHALANX2_DIRTEST option is used to indicate if the Phalanx2 test is to -# perform a basic check, or a more thorough check. If the option is set to 0, -# then a basic check is performed. If it is set to 1, then all the directries -# in the /etc and /usr directories are scanned. The default value is 0. Users -# should note that setting this option to 1 will cause the test to take longer -# to complete. -# -PHALANX2_DIRTEST=0 - -# -# Allow the specified files to be present in the /dev directory, -# and not regarded as suspicious. -# -# This is a space-separated list of pathnames. The option may -# be specified more than once. The option may use wildcard -# characters. -# -#ALLOWDEVFILE="/dev/shm/pulse-shm-*" -#ALLOWDEVFILE="/dev/shm/sem.ADBE_*" -ALLOWDEVFILE="/dev/.udev/rules.d/root.rules" - -# -# This setting tells rkhunter where the inetd configuration -# file is located. -# -#INETD_CONF_PATH=/etc/inetd.conf - -# -# Allow the following enabled inetd services. -# -# This is a space-separated list of service names. The option may -# be specified more than once. -# -# For non-Solaris users the simple service name should be used. -# For example: -# -# INETD_ALLOWED_SVC=echo -# -# For Solaris 9 users the simple service name should also be used, but -# if it is an RPC service, then the executable pathname should be used. -# For example: -# -# INETD_ALLOWED_SVC=imaps -# INETD_ALLOWED_SVC="/usr/sbin/rpc.metad /usr/sbin/rpc.metamhd" -# -# For Solaris 10 users the service/FMRI name should be used. For example: -# -# INETD_ALLOWED_SVC=/network/rpc/meta -# INETD_ALLOWED_SVC=/network/rpc/metamed -# INETD_ALLOWED_SVC=/application/font/stfsloader -# INETD_ALLOWED_SVC=/network/rpc-100235_1/rpc_ticotsord -# -#INETD_ALLOWED_SVC=echo - -# -# This setting tells rkhunter where the xinetd configuration -# file is located. -# -#XINETD_CONF_PATH=/etc/xinetd.conf - -# -# Allow the following enabled xinetd services. Whilst it would be -# nice to use the service names themselves, at the time of testing -# we only have the pathname available. As such, these entries are -# the xinetd file pathnames. -# -# This is a space-separated list of service names. The option may -# be specified more than once. -# -#XINETD_ALLOWED_SVC=/etc/xinetd.d/echo - -# -# This option tells rkhunter the local system startup file pathnames. -# The directories will be searched for files. By default rkhunter -# will use certain filenames and directories. If the option is set -# to 'none', then certain tests will be skipped. -# -# This is a space-separated list of file and directory pathnames. -# The option may be specified more than once. The option may use -# wildcard characters. -# -#STARTUP_PATHS="/etc/init.d /etc/rc.local" - -# -# This setting tells rkhunter the pathname to the file containing the -# user account passwords. This setting will be worked out by rkhunter, -# and so should not usually need to be set. Users of TCB shadow files -# should not set this option. -# -#PASSWORD_FILE=/etc/shadow - -# -# Allow the following accounts to be root equivalent. These accounts -# will have a UID value of zero. The 'root' account does not need to -# be listed as it is automatically whitelisted. -# -# This is a space-separated list of account names. The option may -# be specified more than once. -# -# NOTE: For *BSD systems you will probably need to use this option -# for the 'toor' account. -# -#UID0_ACCOUNTS="toor rooty sashroot" - -# -# Allow the following accounts to have no password. NIS/YP entries do -# not need to be listed as they are automatically whitelisted. -# -# This is a space-separated list of account names. The option may -# be specified more than once. -# -#PWDLESS_ACCOUNTS="abc" - -# -# This setting tells rkhunter the pathname to the syslog configuration -# file. This setting will be worked out by rkhunter, and so should not -# usually need to be set. A value of 'NONE' can be used to indicate -# that there is no configuration file, but that the syslog daemon process -# may be running. -# -# This is a space-separated list of pathnames. The option may -# be specified more than once. -# -#SYSLOG_CONFIG_FILE=/etc/syslog.conf - -# -# This option permits the use of syslog remote logging. -# -ALLOW_SYSLOG_REMOTE_LOGGING=0 - -# -# Allow the following applications, or a specific version of an application, -# to be whitelisted. This option may be specified more than once, and is a -# space-separated list consisting of the application names. If a specific -# version is to be whitelisted, then the name must be followed by a colon -# and then the version number. For example: -# -# APP_WHITELIST="openssl:0.9.7d gpg httpd:1.3.29" -# -# Note above that for the Apache web server, the name 'httpd' is used. -# -#APP_WHITELIST="" - -# -# Scan for suspicious files in directories containing temporary files and -# directories posing a relatively higher risk due to user write access. -# Please do not enable by default as suspscan is CPU and I/O intensive and prone to -# producing false positives. Do review all settings before usage. -# Also be aware that running suspscan in combination with verbose logging on, -# RKH's default, will show all ignored files. -# Please consider adding all directories the user the (web)server runs as has -# write access to including the document root (example: "/var/www") and log -# directories (example: "/var/log/httpd"). -# -# This is a space-separated list of directory pathnames. -# The option may be specified more than once. -# -#SUSPSCAN_DIRS="/tmp /var/tmp" - -# -# Directory for temporary files. A memory-based one is better (faster). -# Do not use a directory name that is listed in SUSPSCAN_DIRS. -# Please make sure you have a tempfs mounted and the directory exists. -# -SUSPSCAN_TEMP=/dev/shm - -# -# Maximum filesize in bytes. Files larger than this will not be inspected. -# Do make sure you have enough space left in your temporary files directory. -# -SUSPSCAN_MAXSIZE=10240000 - -# -# Score threshold. Below this value no hits will be reported. -# A value of "200" seems "good" after testing on malware. Please adjust -# locally if necessary. -# -SUSPSCAN_THRESH=200 - -# -# The following option can be used to whitelist network ports which -# are known to have been used by malware. This option may be specified -# more than once. The option is a space-separated list of one or more -# of four types of whitelisting. These are: -# -# 1) a 'protocol:port' pair (e.g. TCP:25) -# 2) a pathname to an executable (e.g. /usr/sbin/squid) -# 3) a combined pathname, protocol and port -# (e.g. /usr/sbin/squid:TCP:3801) -# 4) an asterisk ('*') -# -# Only the UDP or TCP protocol may be specified, and the port number -# must be between 1 and 65535 inclusive. -# -# The asterisk can be used to indicate that any executable which rkhunter -# can locate as a command, is whitelisted. (See BINDIR in this file.) -# -# For example: -# -# PORT_WHITELIST="/home/user1/abc /opt/xyz TCP:2001 UDP:32011" -# -# NOTE: In order to whitelist a pathname, or use the asterisk option, -# the 'lsof' command must be present. -# -#PORT_WHITELIST="" - -# -# The following option can be used to tell rkhunter where the operating -# system 'release' file is located. This file contains information -# specifying the current O/S version. RKH will store this information -# itself, and check to see if it has changed between each run. If it has -# changed, then the user is warned that RKH may issue warning messages -# until RKH has been run with the '--propupd' option. -# -# Since the contents of the file vary according to the O/S distribution, -# RKH will perform different actions when it detects the file itself. As -# such, this option should not be set unless necessary. If this option is -# specified, then RKH will assume the O/S release information is on the -# first non-blank line of the file. -# -#OS_VERSION_FILE="/etc/debian_version" - -# -# The following two options can be used to whitelist files and directories -# that would normally be flagged with a warning during the various rootkit -# and malware checks. If the file or directory name contains a space, then -# the percent character ('%') must be used instead. Only existing files and -# directories can be specified, and these must be full pathnames not links. -# -# Additionally, the RTKT_FILE_WHITELIST option may include a string after the -# file name (separated by a colon). This will then only whitelist that string -# in that file (as part of the malware checks). For example: -# -# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm" -# -# If the option list includes the filename on its own as well, then the file -# will be whitelisted from rootkit checks of the files existence, but still -# only the specific string within the file will be whitelisted. For example: -# -# RTKT_FILE_WHITELIST="/etc/rc.local:hdparm /etc/rc.local" -# -# To whitelist a file from the existence checks, but not from the strings -# checks, then include the filename on its own and on its own but with -# just a colon appended. For example: -# -# RTKT_FILE_WHITELIST="/etc/rc.local /etc/rc.local:" -# -# NOTE: It is recommended that if you whitelist any files, then you include -# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS -# configuration option. -# -# These are space-separated lists of file and directory pathnames. -# The options may be specified more than once. -# -#RTKT_DIR_WHITELIST="" -#RTKT_FILE_WHITELIST="" - -# -# The following option can be used to whitelist shared library files that would -# normally be flagged with a warning during the preloaded shared library check. -# These library pathnames usually exist in the '/etc/ld.so.preload' file or in -# the LD_PRELOAD environment variable. -# -# NOTE: It is recommended that if you whitelist any files, then you include -# those files in the file properties check. See the USER_FILEPROP_FILES_DIRS -# configuration option. -# -# This is a space-separated list of library pathnames. -# The option may be specified more than once. -# -#SHARED_LIB_WHITELIST="/lib/snoopy.so" - -# -# To force rkhunter to use the supplied script for the 'stat' or 'readlink' -# command, then the following two options can be used. The value must be -# set to 'BUILTIN'. -# -# NOTE: IRIX users will probably need to enable STAT_CMD. -# -#STAT_CMD=BUILTIN -#READLINK_CMD=BUILTIN - -# -# In the file properties test any modification date/time is displayed as the -# number of epoch seconds. Rkhunter will try and use the 'date' command, or -# failing that the 'perl' command, to display the date and time in a -# human-readable format as well. This option may be used if some other command -# should be used instead. The given command must understand the '%s' and -# 'seconds ago' options found in the GNU date command. -# -# A value of 'NONE' may be used to request that only the epoch seconds be shown. -# A value of 'PERL' may be used to force rkhunter to use the 'perl' command, if -# it is present. -# -#EPOCH_DATE_CMD="" - -# -# This setting tells rkhunter the directory containing the available -# Linux kernel modules. This setting will be worked out by rkhunter, -# and so should not usually need to be set. -# -#MODULES_DIR="" - -# -# The following option can be set to a command which rkhunter will use when -# downloading files from the Internet - that is, when the '--update' or -# '--versioncheck' option is used. The command can take options. -# -# This allows the user to use a command other than the one automatically -# selected by rkhunter, but still one which it already knows about. -# For example: -# -# WEB_CMD=curl -# -# Alternatively, the user may specify a completely new command. However, note -# that rkhunter expects the downloaded file to be written to stdout, and that -# everything written to stderr is ignored. For example: -# -# WEB_CMD="/opt/bin/dlfile --timeout 5m -q" -# -# *BSD users may want to use the 'ftp' command, provided that it supports -# the HTTP protocol: -# -# WEB_CMD="ftp -o -" -# -#WEB_CMD="" - -# -# Set the following option to 0 if you do not want to receive a warning if -# any O/S information has changed since the last run of 'rkhunter --propupd'. -# The warnings occur during the file properties check. The default is to -# issue a warning if something has changed. -# -#WARN_ON_OS_CHANGE=1 - -# -# Set the following option to 1 if you want rkhunter to automatically run -# a file properties update ('--propupd') if the O/S has changed. Detection -# of an O/S change occurs during the file properties check. The default is -# not to do an automatic update. -# -# WARNING: Only set this option if you are sure that the update will work -# correctly. That is, that the database directory is writeable, that a valid -# hash function is available, and so on. This can usually be checked simply -# by running 'rkhunter --propupd' at least once. -# -#UPDT_ON_OS_CHANGE=0 - -# -# Set the following option to 1 if locking is to be used when rkhunter runs. -# The lock is set just before logging starts, and is removed when the program -# ends. It is used to prevent items such as the log file, and the file -# properties file, from becoming corrupted if rkhunter is running more than -# once. The mechanism used is to simply create a lock file in the TMPDIR -# directory. If the lock file already exists, because rkhunter is already -# running, then the current process simply loops around sleeping for 10 seconds -# and then retrying the lock. -# -# The default is not to use locking. -# -USE_LOCKING=0 - -# -# If locking is used, then rkhunter may have to wait to get the lock file. -# This option sets the total amount of time, in seconds, that rkhunter should -# wait. It will retry the lock every 10 seconds, until either it obtains the -# lock or the timeout value has been reached. If no value is set, then a -# default of 300 seconds (5 minutes) is used. -# -LOCK_TIMEOUT=300 - -# -# If locking is used, then rkhunter may be doing nothing for some time if it -# has to wait for the lock. Some simple messages are echo'd to the users screen -# to let them know that rkhunter is waiting for the lock. Set this option to 0 -# if the messages are not to be displayed. The default is to show them. -# -SHOW_LOCK_MSGS=1 - -# -# If the option SCANROOTKITMODE is set to "THOROUGH" the scanrootkit() function -# will search (on a per rootkit basis) for filenames in all of the directories (as defined -# by the result of running 'find / -xdev'). While still not optimal, as it -# still searches for only file names as opposed to file contents, this is one step away -# from the rigidity of searching in known (evidence) or default (installation) locations. -# -# THIS OPTION SHOULD NOT BE ENABLED BY DEFAULT. -# -# You should only activate this feature as part of a more thorough investigation which -# should be based on relevant best practices and procedures. -# -# Enabling this feature implies you have the knowledge to interpret the results properly. -# -#SCANROOTKITMODE=THOROUGH - -# -# The following option can be set to the name(s) of the tests the 'unhide' command is -# to use. In order to maintain compatibility with older versions of 'unhide', this -# option defaults to 'sys'. Options such as '-m' and '-v' may also be specified, but -# will only take effect when they are seen. The test names are a space-separated list, -# and will be executed in the order given. -# -#UNHIDE_TESTS="sys" - -# -# If both the C 'unhide', and Ruby 'unhide.rb', programs exist on the system, then it -# is possible to disable the execution of one of the programs if desired. By default -# rkhunter will look for both programs, and execute each of them as they are found. -# If the value of this option is 0, then both programs will be executed if they are -# present. A value of 1 will disable execution of the C 'unhide' program, and a value -# of 2 will disable the Ruby 'unhide.rb' program. The default value is 0. To disable -# both programs, then disable the 'hidden_procs' test. -# -DISABLE_UNHIDE=1 - -INSTALLDIR="/usr" diff --git a/setup/system.sh b/setup/system.sh index af7afdf4..cc152524 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -118,26 +118,6 @@ apt_install python3 python3-dev python3-pip \ netcat-openbsd wget curl git sudo coreutils bc \ haveged pollinate \ unattended-upgrades cron ntp fail2ban - -# Add Rootkit hunter -# I have it install and then update to install dependencies and such -# It adds a crontab to check daily at 4:15AM -# Added by Alon "Chief Gyk" Ganon -apt_install rkhunter binutils libreadline5 ruby ruby1.9.1 unhide.rb -wget http://downloads.sourceforge.net/project/rkhunter/rkhunter/1.4.2/rkhunter-1.4.2.tar.gz -tar xzvf rkhunter* -cd rkhunter* -./installer.sh --layout /usr --install -cd .. -rm -rf rkhunter* -cp conf/rkhunter/rkhunter.conf /etc/rkhunter.conf.local -sed -i '/APT_AUTOGEN="false"/c\APT_AUTOGEN="yes"' /etc/default/rkhunter -rkhunter --update -rkhunter --propupd -(crontab -l 2>/dev/null; echo "15 04 * * * /usr/bin/rkhunter --cronjob --update --quiet -")| crontab - - - # ### Set the system timezone # @@ -312,25 +292,9 @@ restart_service resolvconf # ### Fail2Ban Service # Configure the Fail2Ban installation to prevent dumb bruce-force attacks against dovecot, postfix and ssh -# ChiefGyk commented out a filter to use my own temporarily. May be removed later on line 322 cat conf/fail2ban/jail.local \ | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ > /etc/fail2ban/jail.local cp conf/fail2ban/dovecotimap.conf /etc/fail2ban/filter.d/dovecotimap.conf -cp conf/fail2ban/nginx.conf /etc/fail2ban/filter.d/nginx.conf -cp conf/fail2ban/miab-management-daemon.conf /etc/fail2ban/filter.d/miab-management-daemon.conf -cp conf/fail2ban/miab-munin.conf /etc/fail2ban/filter.d/miab-munin.conf -#cp conf/fail2ban/miab-owncloud.conf /etc/fail2ban/filter.d/miab-owncloud.conf -cp conf/fail2ban/miab-postfix-submission.conf /etc/fail2ban/filter.d/miab-postfix-submission.conf -cp conf/fail2ban/miab-roundcube.conf /etc/fail2ban/filter.d/miab-roundcube.conf -cp conf/fail2ban/owncloud.conf /etc/fail2ban/filter.d/owncloud.conf restart_service fail2ban - -# Add Blocklist.de malicious IP Addresses to Daily Crontab -# Added by Alon "ChiefGyk" Ganon -cp conf/blocklist/sync-fail2ban /etc/cron.daily/sync-fail2ban -chmod a+x /etc/cron.daily/sync-fail2ban -time /etc/cron.daily/sync-fail2ban - - From d46176a3c3088282b971715cd7f66bf7f38cc46b Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Tue, 28 Jun 2016 13:30:38 -0400 Subject: [PATCH 19/20] forgot to switch branches before submitting commits --- conf/fail2ban/jail.local | 19 +++++++++++++++++++ conf/fail2ban/nginx-badbots.conf | 21 +++++++++++++++++++++ conf/fail2ban/nginx-http-auth.conf | 7 +++++++ conf/fail2ban/owncloud.conf | 8 ++++++++ setup/system.sh | 3 +++ 5 files changed, 58 insertions(+) create mode 100644 conf/fail2ban/nginx-badbots.conf create mode 100644 conf/fail2ban/nginx-http-auth.conf create mode 100644 conf/fail2ban/owncloud.conf diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local index dc338803..4b50ac72 100644 --- a/conf/fail2ban/jail.local +++ b/conf/fail2ban/jail.local @@ -25,6 +25,25 @@ findtime = 30 maxretry = 20 logpath = /var/log/mail.log +[nginx] +enabled = true +filter = nginx-http-auth +port = http,https + +[nginx-badbots] +enabled = true +port = http,https +filter = nginx-badbots +logpath = /var/log/nginx/access.log +maxretry = 2 + +[owncloud] +enabled = true +filter = owncloud +logpath = STORAGE_ROOT/owncloud/owncloud.log +maxretry = 20 +findtime = 300 + [recidive] enabled = true maxretry = 10 diff --git a/conf/fail2ban/nginx-badbots.conf b/conf/fail2ban/nginx-badbots.conf new file mode 100644 index 00000000..b2ac9626 --- /dev/null +++ b/conf/fail2ban/nginx-badbots.conf @@ -0,0 +1,21 @@ +# Fail2Ban configuration file +# +# Regexp to catch known spambots and software alike. Please verify +# that it is your intent to block IPs which were driven by +# above mentioned bots. + + +[Definition] + +badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider +badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, +http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 + +failregex = ^ -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ + +ignoreregex = + +# DEV Notes: +# List of bad bots fetched from http://www.user-agents.org +# Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots. +# +# Author: Yaroslav Halchenko diff --git a/conf/fail2ban/nginx-http-auth.conf b/conf/fail2ban/nginx-http-auth.conf new file mode 100644 index 00000000..5f89b3a4 --- /dev/null +++ b/conf/fail2ban/nginx-http-auth.conf @@ -0,0 +1,7 @@ +[Definition] + + +failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ + ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ + +ignoreregex = \ No newline at end of file diff --git a/conf/fail2ban/owncloud.conf b/conf/fail2ban/owncloud.conf new file mode 100644 index 00000000..c62763d0 --- /dev/null +++ b/conf/fail2ban/owncloud.conf @@ -0,0 +1,8 @@ +[INCLUDES] +before = common.conf + +[Definition] +_daemon = owncloud + +failregex = {"reqId":".*","remoteAddr":".*","app":"core","message":"Login failed: '.*' \(Remote IP: ''\)","level":2,"time":".*","method":".*} +ignoreregex = diff --git a/setup/system.sh b/setup/system.sh index cc152524..a88e37a6 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -296,5 +296,8 @@ cat conf/fail2ban/jail.local \ | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ > /etc/fail2ban/jail.local cp conf/fail2ban/dovecotimap.conf /etc/fail2ban/filter.d/dovecotimap.conf +cp conf/fail2ban/owncloud.conf /etc/fail2ban/filter.d/owncloud.conf +cp conf/fail2ban/nginx-http-auth.conf /etc/fail2ban/filter.d/nginx-http-auth.conf +cp conf/fail2ban/nginx-badbots.conf /etc/fail2ban/filter.d/nginx-badbots.conf restart_service fail2ban From 41ecc4aab844c3cbd43a233f2ab16f41d1aaae60 Mon Sep 17 00:00:00 2001 From: ChiefGyk Date: Tue, 28 Jun 2016 13:32:53 -0400 Subject: [PATCH 20/20] Adds Fail2ban jails for nginx-http-auth, nginx-badbots, and owncloud, also needed to add original author credit to nginxjails --- conf/fail2ban/nginx-http-auth.conf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/conf/fail2ban/nginx-http-auth.conf b/conf/fail2ban/nginx-http-auth.conf index 5f89b3a4..9a1b44f2 100644 --- a/conf/fail2ban/nginx-http-auth.conf +++ b/conf/fail2ban/nginx-http-auth.conf @@ -4,4 +4,11 @@ failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ ^ \[error\] \d+#\d+: \*\d+ no user/password was provided for basic authentication, client: , server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$ -ignoreregex = \ No newline at end of file +ignoreregex = + +# DEV NOTES: +# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files +# Extensive search of all nginx auth failures not done yet. +# +# Author: Daniel Black +# Second entry done by Alon "ChiefGyk" Ganon alon@ganon.me \ No newline at end of file