Initial commit

0.10.2/README.install

@@ -0,0 +1,7 @@
+
+echo "deb tor+http://ncomputers.org/debian stretch main" > /etc/apt/sources.list.d/ncomputers.org-stretch.list
+echo "deb http://ncomputers.org/debian stretch main" > /etc/apt/sources.list.d/ncomputers.org-stretch.list
+apt-get update
+apt-get install ncomputers.org-keyring
+apt-get update
+

0.10.2/action.d/helpers-common.conf

@@ -0,0 +1,16 @@
+[DEFAULT]
+
+# Usage:
+#   _grep_logs_args = 'test'
+#   (printf %%b "Log-excerpt contains 'test':\n"; %(_grep_logs)s; printf %%b "Log-excerpt contains 'test':\n") | mail ...
+#
+_grep_logs = logpath="<logpath>"; grep <grepopts> -E %(_grep_logs_args)s $logpath | <greplimit>
+_grep_logs_args = "(^|[^0-9a-fA-F:])$(echo '<ip>' | sed 's/\./\\./g')([^0-9a-fA-F:]|$)"
+
+# Used for actions, that should not by executed if ticket was restored:
+_bypass_if_restored = if [ '<restored>' = '1' ]; then exit 0; fi;
+
+[Init]
+greplimit = tail -n <grepmax>
+grepmax = 1000
+grepopts = -m <grepmax>

0.10.2/action.d/iptables-multiport.local

@@ -0,0 +1,27 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified by Yaroslav Halchenko for multiport banning
+#
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = <ip64tables> -N f2b-<name>
+              <ip64tables> -A f2b-<name> -j <returntype>
+              <ip64tables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = <ip64tables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
+             <actionflush>
+             <ip64tables> -X f2b-<name>
+
+[Init]
+
+ip64tables = ip64tables <lockingopt>

0.10.2/action.d/sendmail-ban-unban.local

@@ -0,0 +1,70 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision$
+#
+[INCLUDES]
+
+
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
+            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
+            From: <sendername> <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n
+            Regards,\n
+            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban = printf %%b "Subject: [Fail2Ban] <name>: freed <ip>
+            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
+            From: <sendername> <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been freed by Fail2Ban <name>.\n
+            Regards,\n
+            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+[Init]
+
+# Sender display name
+#
+sendername = Fail2Ban

0.10.2/action.d/sendmail-ban.local

@@ -0,0 +1,63 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision$
+#
+[INCLUDES]
+
+
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
+            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
+            From: <sendername> <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n
+            Regards,\n
+            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban =
+
+[Init]
+
+# Sender display name
+#
+sendername = Fail2Ban

0.10.2/action.d/sendmail-whois-lines.local

@@ -0,0 +1,46 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision$
+#
+[INCLUDES]
+
+
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban = printf %%b "Subject: [Fail2Ban] <name>: freed <ip>
+            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
+            From: <sendername> <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been freed by Fail2Ban <name>.\n
+            Regards,\n
+            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+[Init]
+
+# Sender display name
+#
+sendername = Fail2Ban

0.10.2/filter.d/dovecot.local

@@ -0,0 +1,7 @@
+# Fail2Ban filter Dovecot authentication and pop3/imap server
+#
+
+[Definition]
+
+mdre-sql = ^sql\([^,]+,<HOST>,<[^>]*>\): (Password mismatch|unknown user)(\(given password: \S*\))?.*$
+

0.10.2/filter.d/postfix.local

@@ -0,0 +1,5 @@
+
+[Definition]
+
+mdpr-sasl-dos = \w+:
+mdre-sasl-dos = ^client=[-._\w]+\[<HOST>\]\, sasl_method=(?:LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5)+, sasl_username=\S+@\S+\.\w+\s*$

0.10.2/ip64tables

@@ -0,0 +1,29 @@
+#!/bin/bash
+# iptables/ip6tables switch
+LINE=$*
+
+RESULT=`echo $LINE | egrep " ([0-9]{1,3}\.){3}[0-9]{1,3}" | wc -l`
+RESULT6=`echo $LINE | egrep "(::[A-Fa-f0-9])|((:[A-Fa-f0-9]{1,4}){2,})" | wc -l `
+
+if [ $RESULT -eq "1" ]; then
+  # IPv4
+  iptables $LINE
+  ERRCODE=$?
+
+elif [ $RESULT6 -eq "1" ]; then
+  # IPv6
+  ip6tables $LINE
+  ERRCODE=$?
+
+else
+  # IPv4 + IPv6
+  iptables $LINE
+  ERRCODE=$?
+  ip6tables $LINE
+  if [ $? -ge "1" ]; then
+    ERRCODE=$?
+  fi
+
+fi
+
+exit $ERRCODE

0.10.2/jail.local

@@ -0,0 +1,105 @@
+[DEFAULT]
+
+#
+# ACTIONS
+#
+
+# Some options used for actions
+
+# Sender email address used solely for some actions
+sender = fail2ban@<fq-hostname>
+
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overridden globally or per
+# section within jail.local file
+banaction = iptables-multiport
+
+
+# ban & send an information e-mail to the destemail. No e-mail if unban.
+#
+# Note:
+# sendmail-ban must be configured. See action.d/sendmail-ban.local
+#
+action_mb = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+            %(mta)s-ban[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an information e-mail to the destemail. Also send an
+# information e-mail if ip was unbanned.
+#
+# Note:
+# sendmail-ban-unban must be configured. See action.d/sendmail-ban-unban.local
+#
+action_mbu = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+            %(mta)s-ban-unban[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# Choose default action
+#
+#action = %(action_mb)s
+#action = %(action_mbu)s
+action = %(action_)s
+
+
+#
+# JAIL
+#
+
+[sshd]
+
+enabled  = true
+port     = ssh
+filter   = sshd
+logpath  = /var/log/auth.log
+findtime = 600
+maxretry = 6
+bantime  = 86400
+
+
+[postfix-rbl]
+
+enabled  = true
+
+
+[postfix-sasl]
+
+enabled  = true
+# - Take care to allowh 'whois' requests from this mashine. Maybe
+# - you have configure your firewall
+action   = %(action_mwl)s
+filter   = postfix[mode=auth]
+port     = smtp,465,submission,imap2,imaps,pop3,pop3s
+findtime = 360
+maxretry = 30
+bantime  = 3600
+
+
+[postfix-sasl-dos]
+
+enabled  = true
+# - Take care to allowh 'whois' requests from this mashine. Maybe
+# - you have configure your firewall
+action   = %(action_mwl)s
+port     = smtp,465,submission
+filter   = postfix[mode=sasl-dos]
+#logpath  = /var/log/mail.log
+logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
+findtime = 60
+maxretry = 20
+bantime  = 10800
+
+
+[dovecot]
+
+enabled  = true
+action   = %(action_mbu)s
+port     = pop3,pop3s,imap2,imaps,submission,465
+filter   = dovecot[mode=sql]
+#mode     = sql
+logpath  = /var/log/dovecot/dovecot.log
+maxretry = 20
+#maxretry = 4
+findtime = 1200
+bantime  = 1800
+