Difference between revisions of "Fail2ban Vuurmuur"
| Line 1: | Line 1: | ||
Fail2ban + Vuurmuur | Fail2ban + Vuurmuur | ||
<pre>apt-get install fail2ban | <pre>apt-get install fail2ban | ||
| − | nano /etc/fail2ban/action.d/vuurmuur.conf | + | nano /etc/fail2ban/action.d/vuurmuur.conf</pre> |
| − | </pre><pre># | + | <pre> |
| + | # Author: Nick Shobe | ||
# | # | ||
| + | |||
| + | [Definition] | ||
| + | |||
| + | # Option: actionstart | ||
| + | # Notes.: command executed once at the start of Fail2Ban. | ||
| + | # Values: CMD | ||
# | # | ||
| − | + | # Create a zone in vuurmuur called fail2ban... this script will add the "<name>" network and all the hosts... you can use a custom rule in vuurmuur to block ports by network | |
| − | + | # You can make multiple rules that block specific ports if you don't want to globally block an ip... Do this like any customized rules. | |
| − | # Option: actionban | + | actionstart = vuurmuur_script --create --network <name>.fail2ban |
| − | # Notes.: command executed when banning an IP. Take care that the | + | vuurmuur_script --modify --network <name>.fail2ban --variable ACTIVE --set Yes |
| − | # command is executed with Fail2Ban user rights. | + | vuurmuur_script --modify --network <name>.fail2ban --variable NETWORK --set 0.0.0.0 |
| − | # Tags: | + | vuurmuur_script --modify --network <name>.fail2ban --variable NETMASK --set 0.0.0.0 |
| − | # | + | append='' |
| − | # | + | for int in `vuurmuur_script --list --interface all`; do vuurmuur_script --modify --network <name>.fail2ban $append --variable INTERFACE --set $int ; append='--append' ; done |
| − | # Values: CMD | + | vuurmuur_script --create --group <group>.<name>.fail2ban |
| + | vuurmuur_script --modify --group <group>.<name>.fail2ban --variable ACTIVE --set Yes | ||
| + | |||
| + | # Option: actionstop | ||
| + | # Notes.: command executed once at the end of Fail2Ban | ||
| + | # Values: CMD | ||
| + | # | ||
| + | actionstop = for group in `vuurmuur_script --list --group <name>.fail2ban`; do vuurmuur_script --delete --group $group; done | ||
| + | for host in `vuurmuur_script --list --host <name>.fail2ban`; do vuurmuur_script --delete --host $host; done | ||
| + | vuurmuur_script --delete --network <name>.fail2ban | ||
| + | vuurmuur_script --create --network <name>.fail2ban | ||
| + | vuurmuur_script --modify --network <name>.fail2ban --variable ACTIVE --set Yes | ||
| + | vuurmuur_script --modify --network <name>.fail2ban --variable NETWORK --set 0.0.0.0 | ||
| + | vuurmuur_script --modify --network <name>.fail2ban --variable NETMASK --set 0.0.0.0 | ||
| + | append='' | ||
| + | for int in `vuurmuur_script --list --interface all`; do vuurmuur_script --modify --network <name>.fail2ban $append --variable INTERFACE --set $int ; append='--append' ; done | ||
| + | vuurmuur_script --create --group <group>.<name>.fail2ban | ||
| + | vuurmuur_script --modify --group <group>.<name>.fail2ban --variable ACTIVE --set Yes | ||
| + | vuurmuur_script --reload | ||
| + | |||
| + | # Option: actioncheck | ||
| + | # Notes.: command executed once before each actionban command | ||
| + | # Values: CMD | ||
| + | # | ||
| + | actioncheck = vuurmuur_script --list --host <name>.fail2ban | tr '-' '.' | ||
| + | |||
| + | # Option: actionban | ||
| + | # Notes.: command executed when banning an IP. Take care that the | ||
| + | # command is executed with Fail2Ban user rights. | ||
| + | # Tags: <ip> IP address | ||
| + | # <failures> number of failures | ||
| + | # <time> unix timestamp of the ban time | ||
| + | # Values: CMD | ||
| + | # | ||
| + | actionban = vuurmuur_script --create --host `echo <ip> | tr '.' "-"`.<name>.fail2ban | ||
| + | vuurmuur_script --modify --host `echo <ip> | tr '.' "-"`.<name>.fail2ban --variable IPADDRESS --set <ip> | ||
| + | vuurmuur_script --modify --host `echo <ip> | tr '.' "-"`.<name>.fail2ban --variable ACTIVE --set Yes | ||
| + | append='' | ||
| + | for x in `vuurmuur_script --print --group <name>.fail2ban --variable MEMBER`; do append='--append'; done | ||
| + | vuurmuur_script --modify --apply --group <group>.<name>.fail2ban $append --variable MEMBER --set `echo <ip> | tr '.' '-'` | ||
| + | vuurmuur_script --reload | ||
| + | |||
| + | # Option: actionunban | ||
| + | # Notes.: command executed when unbanning an IP. Take care that the | ||
| + | # command is executed with Fail2Ban user rights. | ||
| + | # Tags: <ip> IP address | ||
| + | # <failures> number of failures | ||
| + | # <time> unix timestamp of the ban time | ||
| + | # Values: CMD | ||
# | # | ||
| − | + | # If you want to keep known bad ip's around for review and moving to a perm ban list... use "--modify --variable ACTIVE --set No" instead of --delete You may need to change the way hosts are added to account for repeats. | |
| − | + | # this script prints all of the current group members, deletes and recreates the group... without the member to be removed. | |
| − | + | actionunban = vuurmuur_script --delete --host `echo <ip> | tr '.' "-"`.<name>.fail2ban | |
| − | + | append='d' | |
| − | + | for member in `vuurmuur_script --print --group <group>.<name>.fail2ban --variable MEMBER`; | |
| − | + | do if [ $append != '--append' ];then | |
| − | + | vuurmuur_script --delete --group <group>.<name>.fail2ban; | |
| − | + | vuurmuur_script --create --group <group>.<name>.fail2ban; | |
| − | + | vuurmuur_script --modify --group <group>.<name>.fail2ban --variable ACTIVE --set Yes; | |
| + | fi; | ||
| + | tmp=`echo $member|grep -E -o "[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}"`; | ||
| + | if [ -z "$tmp" ] | ||
| + | then | ||
| + | tmp='d'; | ||
| + | fi | ||
| + | if [ $tmp != `echo <ip> | tr '.' "-"` ]; | ||
| + | then vuurmuur_script --modify --group <group>.<name>.fail2ban $append --variable MEMBER --set $member; | ||
| + | fi; | ||
| + | if [ $append != '--append' ]; | ||
| + | then append='--append'; | ||
| + | fi; | ||
| + | done | ||
| + | vuurmuur_script --reload | ||
| + | |||
| + | [Init] | ||
| + | |||
| + | # Defaut name of the chain | ||
# | # | ||
| − | + | name = block | |
| − | + | ||
| − | + | group = blockedhosts | |
| − | |||
| − | |||
| − | |||
</pre> | </pre> | ||
[http://wiki.goatpr0n.de/blog/2009/03/07.vuurmuur.and.fail2ban source] | [http://wiki.goatpr0n.de/blog/2009/03/07.vuurmuur.and.fail2ban source] | ||
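Review bot: On the new side of actionban, the probe that decides whether to pass `--append` queries `--print --group <name>.fail2ban`, while the group that actionstart creates and actionunban walks is `<group>.<name>.fail2ban`; unless vuurmuur_script accepts a network name there, that loop never runs, `--append` is never set and each ban's `--set` replaces the previous MEMBER instead of adding to it. The line should read `for x in \`vuurmuur_script --print --group <group>.<name>.fail2ban --variable MEMBER\`; do append='--append'; done`. The new actioncheck also pipes through `tr '-' '.'`, so the exit status Fail2Ban inspects is tr's rather than vuurmuur_script's; `actioncheck = vuurmuur_script --list --host <name>.fail2ban > /dev/null` keeps the check meaningful. Note too that the wiki table strips the indentation Fail2Ban's multi-line values require, so copy the file from the source link rather than from this diff.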
Latest revision as of 10:25, 28 February 2017
Fail2ban + Vuurmuur
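# Install Fail2Ban, then create the Vuurmuur action file (the listing below
# is its contents). The wiki rendering had collapsed these two commands onto
# one line, which would try to apt-get a package called "nano".
apt-get install fail2ban
nano /etc/fail2ban/action.d/vuurmuur.conf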
# Author: Nick Shobe
#
[Definition]
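# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
# Creates the Vuurmuur objects this action bans into: the network
# "<name>.fail2ban" (0.0.0.0 / 0.0.0.0, attached to every interface that
# "--list --interface all" reports) and the group "<group>.<name>.fail2ban"
# that actionban adds hosts to. Create a zone called "fail2ban" in Vuurmuur
# beforehand, then write a custom rule (or several per-port rules, if you do
# not want to block an address globally) that drops traffic from that group.
#
# Continuation lines of a multi-line value must be indented, otherwise the
# ConfigParser-style reader rejects the file.
# The first INTERFACE is written with --set alone and later ones with
# --append, so the list is replaced once and then extended.
# NOTE(review): --create is run unconditionally; actionstop recreates the
# network and group on shutdown, so they will already exist at the next
# start -- confirm vuurmuur_script tolerates that.
actionstart = vuurmuur_script --create --network <name>.fail2ban
              vuurmuur_script --modify --network <name>.fail2ban --variable ACTIVE --set Yes
              vuurmuur_script --modify --network <name>.fail2ban --variable NETWORK --set 0.0.0.0
              vuurmuur_script --modify --network <name>.fail2ban --variable NETMASK --set 0.0.0.0
              append=''
              for int in `vuurmuur_script --list --interface all`; do vuurmuur_script --modify --network <name>.fail2ban $append --variable INTERFACE --set $int ; append='--append' ; done
              vuurmuur_script --create --group <group>.<name>.fail2ban
              vuurmuur_script --modify --group <group>.<name>.fail2ban --variable ACTIVE --set Yes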
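# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
# Deletes every group and host under "<name>.fail2ban", removes the network,
# then rebuilds the network and an empty "<group>.<name>.fail2ban" group the
# same way actionstart does -- presumably so that Vuurmuur rules which refer
# to the group keep a valid target after Fail2Ban stops, while every ban is
# dropped. Ends with a reload so the emptied group takes effect immediately.
#
# Continuation lines of a multi-line value must be indented, otherwise the
# ConfigParser-style reader rejects the file.
actionstop = for group in `vuurmuur_script --list --group <name>.fail2ban`; do vuurmuur_script --delete --group $group; done
             for host in `vuurmuur_script --list --host <name>.fail2ban`; do vuurmuur_script --delete --host $host; done
             vuurmuur_script --delete --network <name>.fail2ban
             vuurmuur_script --create --network <name>.fail2ban
             vuurmuur_script --modify --network <name>.fail2ban --variable ACTIVE --set Yes
             vuurmuur_script --modify --network <name>.fail2ban --variable NETWORK --set 0.0.0.0
             vuurmuur_script --modify --network <name>.fail2ban --variable NETMASK --set 0.0.0.0
             append=''
             for int in `vuurmuur_script --list --interface all`; do vuurmuur_script --modify --network <name>.fail2ban $append --variable INTERFACE --set $int ; append='--append' ; done
             vuurmuur_script --create --group <group>.<name>.fail2ban
             vuurmuur_script --modify --group <group>.<name>.fail2ban --variable ACTIVE --set Yes
             vuurmuur_script --reload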
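# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
# Fail2Ban only uses this command's exit status: a failure means the ban
# environment is gone and actionstart is run again before banning. The
# original piped the listing through "tr '-' '.'", which made the exit
# status that of tr (success) regardless of what vuurmuur_script returned,
# so the check could never fail. The output itself is not used, so it is
# simply discarded.
# NOTE(review): assumes vuurmuur_script exits non-zero when the
# "<name>.fail2ban" network does not exist -- confirm with the installed
# version.
actioncheck = vuurmuur_script --list --host <name>.fail2ban > /dev/null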
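# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
# Creates a host object named after the address with dots turned into
# dashes (presumably because "." separates host/network/zone in Vuurmuur
# object names), sets its IPADDRESS, adds it to "<group>.<name>.fail2ban"
# and reloads Vuurmuur.
# The MEMBER list follows the same first---set-then---append pattern
# actionstart uses for interfaces: --append is passed only when the group
# already has members. The original queried "<name>.fail2ban" (the network,
# not the group) for that member list, so it most likely printed nothing,
# --append was never passed and each new ban overwrote the previous member.
# actionunban already uses the correct "<group>.<name>.fail2ban" name.
#
# NOTE(review): <ip> is substituted into a shell command unquoted; this
# relies on Fail2Ban supplying a plain IP address in that tag, so keep the
# jail's filter host pattern strict.
# Continuation lines of a multi-line value must be indented, otherwise the
# ConfigParser-style reader rejects the file.
actionban = vuurmuur_script --create --host `echo <ip> | tr '.' "-"`.<name>.fail2ban
            vuurmuur_script --modify --host `echo <ip> | tr '.' "-"`.<name>.fail2ban --variable IPADDRESS --set <ip>
            vuurmuur_script --modify --host `echo <ip> | tr '.' "-"`.<name>.fail2ban --variable ACTIVE --set Yes
            append=''
            for x in `vuurmuur_script --print --group <group>.<name>.fail2ban --variable MEMBER`; do append='--append'; done
            vuurmuur_script --modify --apply --group <group>.<name>.fail2ban $append --variable MEMBER --set `echo <ip> | tr '.' '-'`
            vuurmuur_script --reload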
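# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
# Deletes the host object for <ip>, then rebuilds the group without it:
# the current MEMBER list is printed, the group is deleted and recreated on
# the first iteration, and every member whose dashed-IP part differs from
# the unbanned address is added back (first with --set, then --append).
# Members without a dashed-IP part (no regex match) are always re-added.
# Finishes with a reload so the change is applied.
#
# To keep known-bad addresses around for review or a permanent ban list,
# use "--modify --host ... --variable ACTIVE --set No" instead of
# "--delete --host"; you may then need to change how actionban creates
# hosts so a repeat offender does not hit an existing object.
#
# Changes from the original: the dashed address is computed once into
# $banned, test operands are quoted, and the unconditional
# append='--append' replaces the guarded assignment (same effect, since the
# guard only ever skipped a no-op). Continuation lines must be indented or
# the ConfigParser-style reader rejects the file.
actionunban = banned=`echo <ip> | tr '.' '-'`
              vuurmuur_script --delete --host $banned.<name>.fail2ban
              append='d'
              for member in `vuurmuur_script --print --group <group>.<name>.fail2ban --variable MEMBER`; do
                  if [ "$append" != '--append' ]; then
                      vuurmuur_script --delete --group <group>.<name>.fail2ban
                      vuurmuur_script --create --group <group>.<name>.fail2ban
                      vuurmuur_script --modify --group <group>.<name>.fail2ban --variable ACTIVE --set Yes
                  fi
                  tmp=`echo $member | grep -E -o "[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}"`
                  if [ -z "$tmp" ]; then
                      tmp='d'
                  fi
                  if [ "$tmp" != "$banned" ]; then
                      vuurmuur_script --modify --group <group>.<name>.fail2ban $append --variable MEMBER --set $member
                  fi
                  append='--append'
              done
              vuurmuur_script --reload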
[Init]
# Default name of the Vuurmuur network that holds the banned hosts; it is
# substituted for the <name> tag above, giving the network "<name>.fail2ban".
#
name = block
# Default name of the Vuurmuur group the banned hosts are added to; it is
# substituted for the <group> tag above, giving "<group>.<name>.fail2ban".
group = blockedhosts