Initial commit

2017-11-27 04:23:54 +01:00
commit 4dbdf09dc9
42 changed files with 2123 additions and 0 deletions
--- a/0.9.6/action.d/ip64tables-allports.local
+++ b/0.9.6/action.d/ip64tables-allports.local
@ -0,0 +1,54 @@
+# Fail2Ban configuration file
+#
+# Based on iptables-allports.conf:
+#     Author: Cyril Jaquier
+#     Modified: Yaroslav O. Halchenko <debian@onerussian.com>
+#           made active on all ports from original iptables.conf
+#
+#
+
+[INCLUDES]
+
+before = ip64tables-common.local
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = <iptables> -N f2b-<name>
+              <iptables> -A f2b-<name> -j <returntype>
+              <iptables> -I <chain> -p <protocol> -j f2b-<name>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
+             <iptables> -F f2b-<name>
+             <iptables> -X f2b-<name>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
+
+[Init]
--- a/0.9.6/action.d/ip64tables-common.local
+++ b/0.9.6/action.d/ip64tables-common.local
@ -0,0 +1,62 @@
+# Fail2Ban configuration file
+#
+# Based on iptables-common.local:
+#     Author: Daniel Black
+#
+# This is a included configuration file and includes the definitions for the iptables
+# used in all iptables based actions by default.
+#
+
+[INCLUDES]
+
+
+[Init]
+
+# Option:  chain
+# Notes    specifies the iptables chain to which the Fail2Ban rules should be
+#          added
+# Values:  STRING  Default: INPUT
+chain = INPUT
+
+# Default name of the chain
+#
+name = default
+
+# Option:  port
+# Notes.:  specifies port to monitor
+# Values:  [ NUM | STRING ]  Default:
+#
+port = ssh
+
+# Option:  protocol
+# Notes.:  internally used by config reader for interpolations.
+# Values:  [ tcp | udp | icmp | all ] Default: tcp
+#
+protocol = tcp
+
+# Option:  blocktype
+# Note:    This is what the action does with rules. This can be any jump target
+#          as per the iptables man page (section 8). Common values are DROP
+#          REJECT, REJECT --reject-with icmp-port-unreachable
+# Values:  STRING
+#blocktype = REJECT --reject-with icmp-port-unreachable
+blocktype = DROP
+
+# Option:  returntype
+# Note:    This is the default rule on "actionstart". This should be RETURN
+#          in all (blocking) actions, except REJECT in allowing actions.
+# Values:  STRING
+returntype = RETURN
+
+# Option:  lockingopt
+# Notes.:  Option was introduced to iptables to prevent multiple instances from
+#          running concurrently and causing irratic behavior.  -w was introduced
+#          in iptables 1.4.20, so might be absent on older systems
+#          See https://github.com/fail2ban/fail2ban/issues/1122
+# Values:  STRING
+lockingopt = -w
+
+# Option:  iptables
+# Notes.:  Actual command to be executed, including common to all calls options
+# Values:  STRING
+iptables = /usr/bin/ip64tables <lockingopt>
--- a/0.9.6/action.d/ip64tables-multiport.local
+++ b/0.9.6/action.d/ip64tables-multiport.local
@ -0,0 +1,51 @@
+# Fail2Ban configuration file
+#
+# Based on iptables-multiport.conf:
+#     Author: Cyril Jaquier
+#     Modified by Yaroslav Halchenko for multiport banning
+#
+
+[INCLUDES]
+
+before = ip64tables-common.local
+
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = <iptables> -N f2b-<name>
+              <iptables> -A f2b-<name> -j <returntype>
+              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
+             <iptables> -F f2b-<name>
+             <iptables> -X f2b-<name>
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    See jail.conf(5) man page
+# Values:  CMD
+#
+actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
--- a/0.9.6/action.d/sendmail-only-ban.local
+++ b/0.9.6/action.d/sendmail-only-ban.local
@ -0,0 +1,75 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision$
+#
+[INCLUDES]
+
+
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
+            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            From: Fail2Ban <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n
+            Regards,\n
+            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban =
+
+[Init]
+
+# Defaut name of the chain
+#
+name = default
+
+# Destination/Addressee of the mail
+#
+dest = root
+
+# Sender of the mail
+#
+sender = fail2ban
+
+# Sender display name
+#
+sendername = Fail2Ban
--- a/0.9.6/action.d/sendmail-only-ban_unban.local
+++ b/0.9.6/action.d/sendmail-only-ban_unban.local
@ -0,0 +1,82 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision$
+#
+
+[INCLUDES]
+
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
+            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            From: Fail2Ban <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n
+            Regards,\n
+            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban = printf %%b "Subject: [Fail2Ban] <name>: freed <ip>
+            Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+            From: Fail2Ban <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been freed by Fail2Ban <name>.\n
+            Regards,\n
+            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+
+[Init]
+
+# Defaut name of the chain
+#
+name = default
+
+# Destination/Addressee of the mail
+#
+dest = root
+
+# Sender of the mail
+#
+sender = fail2ban
+
+# Sender display name
+#
+sendername = Fail2Ban
--- a/0.9.6/filter.d/dovecot-pop3imap.local
+++ b/0.9.6/filter.d/dovecot-pop3imap.local
@ -0,0 +1,3 @@
+[Definition]
+failregex = (?: pop3-login|imap-login): (?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed).*rip=(?P<host>\S*),.*
+ignoreregex =
--- a/0.9.6/ip64tables
+++ b/0.9.6/ip64tables
@ -0,0 +1,29 @@
+#!/bin/bash
+# iptables/ip6tables switch
+LINE=$*
+
+RESULT=`echo $LINE | egrep " ([0-9]{1,3}\.){3}[0-9]{1,3}" | wc -l`
+RESULT6=`echo $LINE | egrep "(::[A-Fa-f0-9])|((:[A-Fa-f0-9]{1,4}){2,})" | wc -l `
+
+if [ $RESULT -eq "1" ]; then
+  # IPv4
+  iptables $LINE
+  ERRCODE=$?
+
+elif [ $RESULT6 -eq "1" ]; then
+  # IPv6
+  ip6tables $LINE
+  ERRCODE=$?
+
+else
+  # IPv4 + IPv6
+  iptables $LINE
+  ERRCODE=$?
+  ip6tables $LINE
+  if [ $? -ge "1" ]; then
+    ERRCODE=$?
+  fi
+
+fi
+
+exit $ERRCODE
--- a/0.9.6/jail.local
+++ b/0.9.6/jail.local
@ -0,0 +1,62 @@
+[DEFAULT]
+
+#
+# ACTIONS
+#
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overridden globally or per
+# section within jail.local file
+##banaction = iptables-multiport
+banaction = ip64tables-multiport
+
+## - Note:
+## - sendmail-only-ban must be configured. See action.d/sendmail-only-ban.local
+## -
+action_m = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+              %(mta)s-only-ban_unban[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+## - Choose default action
+## -
+action = %(action_m)s
+#action = %(action_)s
+
+
+[sshd]
+
+enabled  = true
+port     = ssh
+filter   = sshd
+logpath  = /var/log/auth.log
+findtime = 600
+maxretry = 6
+bantime = 86400
+
+
+[postfix-sasl]
+
+enabled  = true
+port     = smtp,465,submission
+#port     = smtp,465,submission,143,imaps,pop3,pop3s
+filter   = postfix-sasl
+# You might consider monitoring /var/log/mail.warn instead if you are
+# running postfix since it would provide the same log lines at the
+# "warn" level but overall at the smaller filesize.
+logpath  = /var/log/mail.warn
+findtime = 60
+maxretry = 10
+bantime = 3600
+
+
+[dovecot-pop3imap]
+
+enabled = true
+filter = dovecot-pop3imap
+port = pop3,pop3s,143,imaps
+protocol = tcp
+#action = ip64tables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,143,imaps", protocol=tcp]
+logpath = /var/log/dovecot/dovecot.log
+maxretry = 20
+findtime = 1200
+bantime = 1200