Difference between revisions of "Fail2ban Vuurmuur"

 
(One intermediate revision by the same user not shown)
Line 2: Line 2:
 
<pre>apt-get install fail2ban
 
<pre>apt-get install fail2ban
 
nano /etc/fail2ban/action.d/vuurmuur.conf</pre>
 
nano /etc/fail2ban/action.d/vuurmuur.conf</pre>
# Fail2Ban configuration file<br>#<br>#
+
<pre>
 
+
# Author: Nick Shobe
 +
#
 +
 
[Definition]
 
[Definition]
 
+
# Option: actionban<br># Notes.: command executed when banning an IP. Take care that the<br># command is executed with Fail2Ban user rights.<br># Tags: &lt;ip&gt; IP address<br># &lt;failures&gt; number of failures<br># &lt;time&gt; unix timestamp of the ban time<br># Values: CMD<br>#<br>actionban = vuurmuur_script --block &lt;ip&gt; --apply
+
# Option: actionstart
 
+
# Notes.:  command executed once at the start of Fail2Ban.
# Option: actionunban<br># Notes.: command executed when unbanning an IP. Take care that the<br># command is executed with Fail2Ban user rights.<br># Tags: &lt;ip&gt; IP address<br># &lt;failures&gt; number of failures<br># &lt;time&gt; unix timestamp of the ban time<br># Values: CMD<br>#<br>actionunban = vuurmuur_script --unblock &lt;ip&gt; --apply<br>
+
# Values:  CMD
 
+
#
 
+
# Create a zone in vuurmuur called fail2ban... this script will add the "<name>" network and all the hosts... you can use a custom rule in vuurmuur to block ports by network
 
+
# You can make multiple rules that block specific ports if you don't want to globally block an ip... Do this like any customized rules.
The parameter –apply makes the rule active and reloads vuurmuurs configuration. Open /etc/fail2ban/jail.conf in your favorite editor and search the option banaction and change it as follows:
+
actionstart = vuurmuur_script --create --network <name>.fail2ban
<pre>nano /etc/fail2ban/jail.conf
+
      vuurmuur_script --modify --network <name>.fail2ban --variable ACTIVE --set Yes
banaction = vuurmuur
+
      vuurmuur_script --modify --network <name>.fail2ban --variable NETWORK --set 0.0.0.0
 +
      vuurmuur_script --modify --network <name>.fail2ban --variable NETMASK --set 0.0.0.0
 +
      append=''
 +
      for int in `vuurmuur_script --list --interface all`; do vuurmuur_script --modify --network <name>.fail2ban $append --variable INTERFACE --set $int ; append='--append' ; done
 +
      vuurmuur_script --create --group <group>.<name>.fail2ban
 +
      vuurmuur_script --modify --group <group>.<name>.fail2ban --variable ACTIVE --set Yes
 +
 +
# Option:  actionstop
 +
# Notes.:  command executed once at the end of Fail2Ban
 +
# Values:  CMD
 +
#
 +
actionstop = for group in `vuurmuur_script --list --group <name>.fail2ban`; do vuurmuur_script --delete --group $group; done
 +
      for host in `vuurmuur_script --list --host <name>.fail2ban`; do vuurmuur_script --delete --host $host; done
 +
      vuurmuur_script --delete --network <name>.fail2ban
 +
      vuurmuur_script --create --network <name>.fail2ban
 +
              vuurmuur_script --modify --network <name>.fail2ban --variable ACTIVE --set Yes
 +
              vuurmuur_script --modify --network <name>.fail2ban --variable NETWORK --set 0.0.0.0
 +
              vuurmuur_script --modify --network <name>.fail2ban --variable NETMASK --set 0.0.0.0
 +
              append=''
 +
              for int in `vuurmuur_script --list --interface all`; do vuurmuur_script --modify --network <name>.fail2ban $append --variable INTERFACE --set $int ; append='--append' ; done
 +
      vuurmuur_script --create --group <group>.<name>.fail2ban
 +
              vuurmuur_script --modify --group <group>.<name>.fail2ban --variable ACTIVE --set Yes
 +
      vuurmuur_script --reload
 +
   
 +
# Option:  actioncheck
 +
# Notes.:  command executed once before each actionban command
 +
# Values:  CMD
 +
#
 +
actioncheck = vuurmuur_script --list --host <name>.fail2ban | tr '-' '.'
 +
 +
# Option:  actionban
 +
# Notes.: command executed when banning an IP. Take care that the
 +
#         command is executed with Fail2Ban user rights.
 +
# Tags:   <ipIP address
 +
#          <failures> number of failures
 +
#          <time> unix timestamp of the ban time
 +
# Values: CMD
 +
#
 +
actionban =    vuurmuur_script --create --host `echo <ip> | tr '.' "-"`.<name>.fail2ban
 +
      vuurmuur_script --modify --host `echo <ip> | tr '.' "-"`.<name>.fail2ban --variable IPADDRESS --set <ip>
 +
      vuurmuur_script --modify --host `echo <ip> | tr '.' "-"`.<name>.fail2ban --variable ACTIVE --set Yes
 +
      append=''
 +
      for x in `vuurmuur_script --print --group <name>.fail2ban --variable MEMBER`; do append='--append'; done
 +
      vuurmuur_script --modify --apply --group <group>.<name>.fail2ban $append --variable MEMBER --set `echo <ip> | tr '.' '-'`
 +
      vuurmuur_script --reload
 +
 +
# Option: actionunban
 +
# Notes.: command executed when unbanning an IP. Take care that the
 +
#         command is executed with Fail2Ban user rights.
 +
# Tags:   <ipIP address
 +
#          <failures> number of failures
 +
#          <time> unix timestamp of the ban time
 +
# Values: CMD
 +
#
 +
# If you want to keep known bad ip's around for review and moving to a perm ban list... use "--modify --variable ACTIVE --set No" instead of --delete You may need to change the way hosts are added to account for repeats.
 +
# this script prints all of the current group members, deletes and recreates the group... without the member to be removed.
 +
actionunban =    vuurmuur_script --delete --host `echo <ip> | tr '.' "-"`.<name>.fail2ban
 +
              append='d'
 +
              for member in `vuurmuur_script --print --group <group>.<name>.fail2ban --variable MEMBER`;
 +
              do if [ $append != '--append' ];then
 +
                      vuurmuur_script --delete --group <group>.<name>.fail2ban;
 +
                      vuurmuur_script --create --group <group>.<name>.fail2ban;
 +
                      vuurmuur_script --modify --group <group>.<name>.fail2ban --variable ACTIVE --set Yes;
 +
              fi;
 +
              tmp=`echo $member|grep -E -o "[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}"`;
 +
              if [ -z "$tmp" ]
 +
              then
 +
                      tmp='d';
 +
              fi
 +
              if [ $tmp != `echo <ip> | tr '.' "-"` ];
 +
                      then vuurmuur_script --modify --group <group>.<name>.fail2ban $append --variable MEMBER --set $member;
 +
              fi;
 +
              if [ $append != '--append' ];
 +
              then append='--append';
 +
              fi;
 +
              done
 +
              vuurmuur_script --reload
 +
 +
[Init]
 +
 +
# Defaut name of the chain
 +
#
 +
name = block
 +
 +
group = blockedhosts
 
</pre>
 
</pre>
 
[http://wiki.goatpr0n.de/blog/2009/03/07.vuurmuur.and.fail2ban source]
 
[http://wiki.goatpr0n.de/blog/2009/03/07.vuurmuur.and.fail2ban source]
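Review bot: The added actionban block looks up existing members with `--print --group <name>.fail2ban`, while the group that actionstart creates and actionunban reads is `<group>.<name>.fail2ban`, so that lookup presumably never finds the group and `$append` stays empty; replace `<name>.fail2ban` with `<group>.<name>.fail2ban` in that `--print` call. If `--set` without `--append` replaces the MEMBER list (which is how the other loops in this file treat it), each new ban would then drop the earlier ones, so this is worth confirming against vuurmuur_script. The added `[Init]` comment `# Defaut name of the chain` has a typo, and the value is used as a vuurmuur network name rather than an iptables chain; `# Default name of the vuurmuur network (<name>.fail2ban)` would describe it.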

Latest revision as of 10:25, 28 February 2017

Fail2ban + Vuurmuur

# Install the fail2ban package (Debian/Ubuntu apt-get).
apt-get install fail2ban
# Create the vuurmuur action definition; the listing below is the intended
# contents of this file. Presumably a jail then selects it with
# "banaction = vuurmuur" (that step is not shown on this page).
nano /etc/fail2ban/action.d/vuurmuur.conf
# Author: Nick Shobe
#
 
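[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
# Create a zone in vuurmuur called fail2ban... this script will add the "<name>" network and all the hosts... you can use a custom rule in vuurmuur to block ports by network
# You can make multiple rules that block specific ports if you don't want to globally block an ip... Do this like any customized rules.
#
# The network <name>.fail2ban is bound to every interface vuurmuur lists. $append is
# empty for the first interface and '--append' afterwards, so only the first --set
# overwrites the INTERFACE list (assumes --set without --append replaces the list;
# confirm against vuurmuur_script). The group <group>.<name>.fail2ban is the
# container that later receives the banned hosts.
actionstart = vuurmuur_script --create --network <name>.fail2ban
       vuurmuur_script --modify --network <name>.fail2ban --variable ACTIVE --set Yes
       vuurmuur_script --modify --network <name>.fail2ban --variable NETWORK --set 0.0.0.0
       vuurmuur_script --modify --network <name>.fail2ban --variable NETMASK --set 0.0.0.0
       append=''
       for int in `vuurmuur_script --list --interface all`; do vuurmuur_script --modify --network <name>.fail2ban $append --variable INTERFACE --set $int ; append='--append' ; done
       vuurmuur_script --create --group <group>.<name>.fail2ban
       vuurmuur_script --modify --group <group>.<name>.fail2ban --variable ACTIVE --set Yes

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
# Deletes every group and host under <name>.fail2ban and the network itself, then
# recreates the empty network and group exactly as actionstart does and reloads
# vuurmuur. Presumably the recreation keeps custom rules that reference the
# network/group valid after fail2ban stops — confirm with the author's intent.
actionstop = for group in `vuurmuur_script --list --group <name>.fail2ban`; do vuurmuur_script --delete --group $group; done
       for host in `vuurmuur_script --list --host <name>.fail2ban`; do vuurmuur_script --delete --host $host; done
       vuurmuur_script --delete --network <name>.fail2ban
       vuurmuur_script --create --network <name>.fail2ban
               vuurmuur_script --modify --network <name>.fail2ban --variable ACTIVE --set Yes
               vuurmuur_script --modify --network <name>.fail2ban --variable NETWORK --set 0.0.0.0
               vuurmuur_script --modify --network <name>.fail2ban --variable NETMASK --set 0.0.0.0
               append=''
               for int in `vuurmuur_script --list --interface all`; do vuurmuur_script --modify --network <name>.fail2ban $append --variable INTERFACE --set $int ; append='--append' ; done
       vuurmuur_script --create --group <group>.<name>.fail2ban
               vuurmuur_script --modify --group <group>.<name>.fail2ban --variable ACTIVE --set Yes
       vuurmuur_script --reload

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
# Lists the hosts under <name>.fail2ban, mapping the dashed host names back to
# dotted IPs. NOTE(review): the exit status of this pipeline is that of tr, not of
# vuurmuur_script, so a failing list still reports success; fail2ban uses the
# actioncheck exit status to decide whether actionstart must be re-run — confirm
# whether masking that failure is intended.
actioncheck = vuurmuur_script --list --host <name>.fail2ban | tr '-' '.'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
# Host entries are named after the IP with dots replaced by dashes
# (e.g. 192-0-2-1.<name>.fail2ban); actioncheck and actionunban map them back.
# The group is <group>.<name>.fail2ban, the same name actionstart creates and
# actionunban reads — the earlier version printed the bare <name>.fail2ban
# network name here, which is not a group, so $append was never set and the
# MEMBER --set below would overwrite the existing members instead of appending.
actionban = vuurmuur_script --create --host `echo <ip> | tr '.' "-"`.<name>.fail2ban
       vuurmuur_script --modify --host `echo <ip> | tr '.' "-"`.<name>.fail2ban --variable IPADDRESS --set <ip>
       vuurmuur_script --modify --host `echo <ip> | tr '.' "-"`.<name>.fail2ban --variable ACTIVE --set Yes
       append=''
       for x in `vuurmuur_script --print --group <group>.<name>.fail2ban --variable MEMBER`; do append='--append'; done
       vuurmuur_script --modify --apply --group <group>.<name>.fail2ban $append --variable MEMBER --set `echo <ip> | tr '.' '-'`
       vuurmuur_script --reload

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
# If you want to keep known bad ip's around for review and moving to a perm ban list... use "--modify --variable ACTIVE --set No" instead of --delete You may need to change the way hosts are added to account for repeats.
# this script prints all of the current group members, deletes and recreates the group... without the member to be removed.
#
# Loop mechanics: $append starts as the placeholder 'd', so on the first
# iteration the group is deleted and recreated empty; the first surviving member
# is written with a plain --set and every later one with --append. A member whose
# name does not look like a dashed IPv4 address gets $tmp='d', which never equals
# the dashed <ip>, so such members are always kept.
actionunban = vuurmuur_script --delete --host `echo <ip> | tr '.' "-"`.<name>.fail2ban
               append='d'
               for member in `vuurmuur_script --print --group <group>.<name>.fail2ban --variable MEMBER`;
               do if [ $append != '--append' ];then
                       vuurmuur_script --delete --group <group>.<name>.fail2ban;
                       vuurmuur_script --create --group <group>.<name>.fail2ban;
                       vuurmuur_script --modify --group <group>.<name>.fail2ban --variable ACTIVE --set Yes;
               fi;
               tmp=`echo $member|grep -E -o "[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}"`;
               if [ -z "$tmp" ]
               then
                       tmp='d';
               fi
               if [ $tmp != `echo <ip> | tr '.' "-"` ];
                       then vuurmuur_script --modify --group <group>.<name>.fail2ban $append --variable MEMBER --set $member;
               fi;
               if [ $append != '--append' ];
               then append='--append';
               fi;
               done
               vuurmuur_script --reload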
 
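[Init]

# Default name of the vuurmuur network that actionstart creates: the network is
# called <name>.fail2ban and every banned host entry lives under it. This value is
# substituted for the <name> tag used throughout [Definition].
name = block

# Default name of the group inside that network, <group>.<name>.fail2ban, whose
# MEMBER list holds the currently banned hosts; substituted for the <group> tag.
group = blockedhosts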

source