confdroid/confdroid_fail2ban
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'jenkins' into 'master'

Browse Source 
Jenkins

See merge request !8
This commit is contained in:
12ww1160
2017-08-06 17:23:15 +02:00
parent cfb33c15b8 19cf115fce
commit 36fb2db531
14 changed files with 410 additions and 812 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
CHANGELOG.md
View File

@@ -8,6 +8,26 @@ Changelog of Git Changelog.
<h2> No issue </h2>
<a href="https://gitlab.puppetsoft.com/12WW1160/git-changelog-lib/commit/df59c3e85d59b32">df59c3e85d59b32</a> Arne Teuke <i>2017-08-03 16:33:22</i>
<p>
<h3>added more file controls</h3>
</p>
<a href="https://gitlab.puppetsoft.com/12WW1160/git-changelog-lib/commit/1b33e2a2105237c">1b33e2a2105237c</a> Jenkins Server <i>2017-08-03 16:32:58</i>
<p>
<h3>recommit for updates in build 12</h3>
</p>
<a href="https://gitlab.puppetsoft.com/12WW1160/git-changelog-lib/commit/d33c85b30d815d8">d33c85b30d815d8</a> Arne Teuke <i>2017-08-03 16:29:36</i>
<p>
<h3>added more file controls</h3>
</p>
<a href="https://gitlab.puppetsoft.com/12WW1160/git-changelog-lib/commit/e4cfd9c5663c0e2">e4cfd9c5663c0e2</a> Arne Teuke <i>2017-08-03 16:25:10</i>
<p>
<h3>added more file controls</h3>
</p>
<a href="https://gitlab.puppetsoft.com/12WW1160/git-changelog-lib/commit/cb4b482e20b2be5">cb4b482e20b2be5</a> Arne Teuke <i>2017-08-03 14:56:00</i>
<p>
<h3>fixed controls for main conf/local files</h3>

2
doc/_index.html
View File

@@ -132,7 +132,7 @@
</div>
<div id="footer">
Generated on Thu Aug 3 18:32:54 2017 by
Generated on Sun Aug 6 17:07:20 2017 by
<a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.9 (ruby-2.0.0).
</div>

2
doc/file.README.html
View File

@@ -251,7 +251,7 @@ environments.</p>
</div></div>
<div id="footer">
Generated on Thu Aug 3 18:32:55 2017 by
Generated on Sun Aug 6 17:07:21 2017 by
<a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.9 (ruby-2.0.0).
</div>

2
doc/index.html
View File

@@ -251,7 +251,7 @@ environments.</p>
</div></div>
<div id="footer">
Generated on Thu Aug 3 18:32:55 2017 by
Generated on Sun Aug 6 17:07:21 2017 by
<a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.9 (ruby-2.0.0).
</div>

2
doc/puppet_classes/cd_fail2ban.html
View File

@@ -139,7 +139,7 @@ class cd_fail2ban {
</div>
<div id="footer">
Generated on Thu Aug 3 18:32:56 2017 by
Generated on Sun Aug 6 17:07:22 2017 by
<a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.9 (ruby-2.0.0).
</div>

2
doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Aconfig.html
View File

@@ -153,7 +153,7 @@ class cd_fail2ban::main::config (
</div>
<div id="footer">
Generated on Thu Aug 3 18:32:56 2017 by
Generated on Sun Aug 6 17:07:23 2017 by
<a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.9 (ruby-2.0.0).
</div>

2
doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Adirs.html
View File

@@ -350,7 +350,7 @@ class cd_fail2ban::main::dirs (
</div>
<div id="footer">
Generated on Thu Aug 3 18:32:56 2017 by
Generated on Sun Aug 6 17:07:22 2017 by
<a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.9 (ruby-2.0.0).
</div>

2
doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Afiles.html
View File

@@ -286,7 +286,7 @@ class cd_fail2ban::main::files (
</div>
<div id="footer">
Generated on Thu Aug 3 18:32:56 2017 by
Generated on Sun Aug 6 17:07:22 2017 by
<a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.9 (ruby-2.0.0).
</div>

2
doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Ainstall.html
View File

@@ -159,7 +159,7 @@ class cd_fail2ban::main::install (
</div>
<div id="footer">
Generated on Thu Aug 3 18:32:56 2017 by
Generated on Sun Aug 6 17:07:23 2017 by
<a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.9 (ruby-2.0.0).
</div>

2
doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Aservice.html
View File

@@ -166,7 +166,7 @@ class cd_fail2ban::main::service (
</div>
<div id="footer">
Generated on Thu Aug 3 18:32:57 2017 by
Generated on Sun Aug 6 17:07:23 2017 by
<a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.9 (ruby-2.0.0).
</div>

338
doc/puppet_classes/cd_fail2ban_3A_3Aparams.html
View File

@@ -128,7 +128,9 @@ for more details.</p>
with this program. If not, see <a
href="http://www.gnu.org/licenses">www.gnu.org/licenses</a>/.
<code>CRITICAL</code>,<code>ERROR</code>,<code>WARNING</code>,<code>NOTICE</code>,<code>INFO</code>
and <code>DEBUG</code>.</p>
and <code>DEBUG</code>.
@param [string] Report ban via badips.com, and use
as blacklist</p>
</div>
</div>
@@ -537,10 +539,10 @@ auto: will use the system locale setting</p>
<span class='name'>fn_enabled</span>
<span class='type'>(<tt>string</tt>)</span>
<span class='type'>(<tt>boolean</tt>)</span>
<em class="default">(defaults to: <tt>&#39;false&#39;</tt>)</em>
<em class="default">(defaults to: <tt>false</tt>)</em>
&mdash;
@@ -714,6 +716,212 @@ href="https://tools.ietf.org/html/rfc7231#section-5.5.3">tools.ietf.org/html/rfc
</li>
<li>
<span class='name'>fn_banaction</span>
<span class='type'>(<tt>string</tt>)</span>
<em class="default">(defaults to: <tt>&#39;iptables-multiport&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>Default banning action</p>
</div>
</li>
<li>
<span class='name'>fn_banaction_allports</span>
<span class='type'>(<tt>string</tt>)</span>
<em class="default">(defaults to: <tt>&#39;iptables-allports&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>Default banning action</p>
</div>
</li>
<li>
<span class='name'>fn_action_</span>
<span class='type'>(<tt>string</tt>)</span>
<em class="default">(defaults to: <tt>&#39;%(banaction)s[name=%(__name__)s, bantime=&quot;%(bantime)s&quot;, port=&quot;%(port)s&quot;, protocol=&quot;%(protocol)s&quot;, chain=&quot;%(chain)s&quot;]&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>ban only</p>
</div>
</li>
<li>
<span class='name'>fn_action_mw</span>
<span class='type'>(<tt>string</tt>)</span>
<em class="default">(defaults to: <tt>&#39;%(banaction)s[name=%(__name__)s, bantime=&quot;%(bantime)s&quot;, port=&quot;%(port)s&quot;, protocol=&quot;%(protocol)s&quot;, chain=&quot;%(chain)s&quot;]
%(mta)s-whois[name=%(__name__)s, sender=&quot;%(sender)s&quot;, dest=&quot;%(destemail)s&quot;, protocol=&quot;%(protocol)s&quot;, chain=&quot;%(chain)s&quot;]&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>ban &amp; send an e-mail with whois report to the
destemail.</p>
</div>
</li>
<li>
<span class='name'>fn_action_mwl</span>
<span class='type'>(<tt>string</tt>)</span>
<em class="default">(defaults to: <tt>&#39;%(banaction)s[name=%(__name__)s, bantime=&quot;%(bantime)s&quot;, port=&quot;%(port)s&quot;, protocol=&quot;%(protocol)s&quot;, chain=&quot;%(chain)s&quot;]
%(mta)s-whois-lines[name=%(__name__)s, sender=&quot;%(sender)s&quot;, dest=&quot;%(destemail)s&quot;, logpath=%(logpath)s, chain=&quot;%(chain)s&quot;]&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>ban &amp; send an e-mail with whois report and
relevant log lines</p>
</div>
</li>
<li>
<span class='name'>fn_action_xarf</span>
<span class='type'>(<tt>string</tt>)</span>
<em class="default">(defaults to: <tt>&#39;%(banaction)s[name=%(__name__)s, bantime=&quot;%(bantime)s&quot;, port=&quot;%(port)s&quot;, protocol=&quot;%(protocol)s&quot;, chain=&quot;%(chain)s&quot;]
xarf-login-attack[service=%(__name__)s, sender=&quot;%(sender)s&quot;, logpath=%(logpath)s, port=&quot;%(port)s&quot;]&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>ban &amp; send a xarf e-mail to abuse contact of
IP address and include
relevant log lines.</p>
</div>
</li>
<li>
<span class='name'>fn_action_cf_mwl</span>
<span class='type'>(<tt>string</tt>)</span>
<em class="default">(defaults to: <tt>&#39;cloudflare[cfuser=&quot;%(cfemail)s&quot;, cftoken=&quot;%(cfapikey)s&quot;]
%(mta)s-whois-lines[name=%(__name__)s, sender=&quot;%(sender)s&quot;, dest=&quot;%(destemail)s&quot;, logpath=%(logpath)s, chain=&quot;%(chain)s&quot;]&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>ban IP on CloudFlare &amp; send an e-mail with
whois report and relevant
log lines.</p>
</div>
</li>
<li>
<span class='name'>fn_action_blocklist_de</span>
<span class='type'>(<tt>string</tt>)</span>
<em class="default">(defaults to: <tt>&#39;blocklist_de[email=&quot;%(sender)s&quot;, service=%(filter)s, apikey=&quot;%(blocklist_de_apikey)s&quot;, agent=&quot;%(fail2ban_agent)s&quot;]&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>Report block via blocklist.de fail2ban
reporting service API</p>
</div>
</li>
<li>
<span class='name'>fn_action_badips_report</span>
<span class='type'>(<tt>string</tt>)</span>
<em class="default">(defaults to: <tt>&#39;badips[category=&quot;%(__name__)s&quot;, agent=&quot;%(fail2ban_agent)s&quot;]&#39;</tt>)</em>
&mdash;
<div class='inline'>
<h1 id="label-Report+ban+via+badips.com">Report ban via badips.com</h1>
<p>(uses action.d/badips.conf for reporting only).</p>
</div>
</li>
<li>
<span class='name'>fn_default_action</span>
<span class='type'>(<tt>string</tt>)</span>
<em class="default">(defaults to: <tt>&#39;action_&#39;</tt>)</em>
&mdash;
<div class='inline'>
<p>Choose default action.</p>
</div>
</li>
<li>
<span class='name'>fn_action_badips</span>
<span class='type'>(<tt>Any</tt>)</span>
<em class="default">(defaults to: <tt>&#39;badips.py[category=&quot;%(__name__)s&quot;, banaction=&quot;%(banaction)s&quot;, agent=&quot;%(fail2ban_agent)s&quot;]&#39;</tt>)</em>
</li>
</ul>
@@ -724,23 +932,6 @@ href="https://tools.ietf.org/html/rfc7231#section-5.5.3">tools.ietf.org/html/rfc
<pre class="lines">
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
@@ -804,47 +995,92 @@ href="https://tools.ietf.org/html/rfc7231#section-5.5.3">tools.ietf.org/html/rfc
181
182
183
184</pre>
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215</pre>
</td>
<td>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 104</span>
<pre class="code"><span class="info file"># File 'manifests/params.pp', line 121</span>
class cd_fail2ban::params (
$pkg_ensure = &#39;latest&#39;,
$pkg_ensure = &#39;latest&#39;,
$fn_manage_config = true,
$fn_enable_service = &#39;running&#39;,
$fn_manage_config = true,
$fn_enable_service = &#39;running&#39;,
# fail2ban.conf/local
$fn_loglevel = &#39;INFO&#39;,
$fn_logtarget = &#39;SYSLOG&#39;,
$fn_syslogsocket = &#39;auto&#39;,
$fn_socket = &#39;/var/run/fail2ban/fail2ban.sock&#39;,
$fn_pidfile = &#39;/var/run/fail2ban/fail2ban.pid&#39;,
$fn_dbfile = &#39;/var/lib/fail2ban/fail2ban.sqlite3&#39;,
$fn_dbpurgeage = &#39;86400&#39;,
$fn_loglevel = &#39;INFO&#39;,
$fn_logtarget = &#39;SYSLOG&#39;,
$fn_syslogsocket = &#39;auto&#39;,
$fn_socket = &#39;/var/run/fail2ban/fail2ban.sock&#39;,
$fn_pidfile = &#39;/var/run/fail2ban/fail2ban.pid&#39;,
$fn_dbfile = &#39;/var/lib/fail2ban/fail2ban.sqlite3&#39;,
$fn_dbpurgeage = &#39;86400&#39;,
# jail.conf/local
$fn_ignoreip = &#39;127.0.0.1/8&#39;,
$fn_ignorecommand = &#39;&#39;,
$fn_bantime = &#39;600&#39;,
$fn_findtime = &#39;600&#39;,
$fn_maxretry = &#39;5&#39;,
$fn_backend = &#39;auto&#39;,
$fn_usedns = &#39;warn&#39;,
$fn_logencoding = &#39;auto&#39;,
$fn_enabled = &#39;false&#39;,
$fn_filter = &#39;%(__name__)s&#39;,
$fn_destemail = &#39;root@localhost&#39;,
$fn_sender = &#39;root@localhost&#39;,
$fn_mta = &#39;sendmail&#39;,
$fn_protocol = &#39;tcp&#39;,
$fn_chain = &#39;INPUT&#39;,
$fn_port = &#39;0:65535&#39;,
$fn_fail2ban_agent = &#39;Fail2Ban/%(fail2ban_version)s&#39;,
$fn_ignoreip = &#39;127.0.0.1/8&#39;,
$fn_ignorecommand = &#39;&#39;,
$fn_bantime = &#39;600&#39;,
$fn_findtime = &#39;600&#39;,
$fn_maxretry = &#39;5&#39;,
$fn_backend = &#39;auto&#39;,
$fn_usedns = &#39;warn&#39;,
$fn_logencoding = &#39;auto&#39;,
$fn_enabled = false,
$fn_filter = &#39;%(__name__)s&#39;,
$fn_destemail = &#39;root@localhost&#39;,
$fn_sender = &#39;root@localhost&#39;,
$fn_mta = &#39;sendmail&#39;,
$fn_protocol = &#39;tcp&#39;,
$fn_chain = &#39;INPUT&#39;,
$fn_port = &#39;0:65535&#39;,
$fn_fail2ban_agent = &#39;Fail2Ban/%(fail2ban_version)s&#39;,
$fn_banaction = &#39;iptables-multiport&#39;,
$fn_banaction_allports = &#39;iptables-allports&#39;,
$fn_action_ = &#39;%(banaction)s[name=%(__name__)s, bantime=&quot;%(bantime)s&quot;, port=&quot;%(port)s&quot;, protocol=&quot;%(protocol)s&quot;, chain=&quot;%(chain)s&quot;]&#39;,
$fn_action_mw = &#39;%(banaction)s[name=%(__name__)s, bantime=&quot;%(bantime)s&quot;, port=&quot;%(port)s&quot;, protocol=&quot;%(protocol)s&quot;, chain=&quot;%(chain)s&quot;]
%(mta)s-whois[name=%(__name__)s, sender=&quot;%(sender)s&quot;, dest=&quot;%(destemail)s&quot;, protocol=&quot;%(protocol)s&quot;, chain=&quot;%(chain)s&quot;]&#39;,
$fn_action_mwl = &#39;%(banaction)s[name=%(__name__)s, bantime=&quot;%(bantime)s&quot;, port=&quot;%(port)s&quot;, protocol=&quot;%(protocol)s&quot;, chain=&quot;%(chain)s&quot;]
%(mta)s-whois-lines[name=%(__name__)s, sender=&quot;%(sender)s&quot;, dest=&quot;%(destemail)s&quot;, logpath=%(logpath)s, chain=&quot;%(chain)s&quot;]&#39;,
$fn_action_xarf = &#39;%(banaction)s[name=%(__name__)s, bantime=&quot;%(bantime)s&quot;, port=&quot;%(port)s&quot;, protocol=&quot;%(protocol)s&quot;, chain=&quot;%(chain)s&quot;]
xarf-login-attack[service=%(__name__)s, sender=&quot;%(sender)s&quot;, logpath=%(logpath)s, port=&quot;%(port)s&quot;]&#39;,
$fn_action_cf_mwl = &#39;cloudflare[cfuser=&quot;%(cfemail)s&quot;, cftoken=&quot;%(cfapikey)s&quot;]
%(mta)s-whois-lines[name=%(__name__)s, sender=&quot;%(sender)s&quot;, dest=&quot;%(destemail)s&quot;, logpath=%(logpath)s, chain=&quot;%(chain)s&quot;]&#39;,
$fn_action_blocklist_de = &#39;blocklist_de[email=&quot;%(sender)s&quot;, service=%(filter)s, apikey=&quot;%(blocklist_de_apikey)s&quot;, agent=&quot;%(fail2ban_agent)s&quot;]&#39;,
$fn_action_badips = &#39;badips.py[category=&quot;%(__name__)s&quot;, banaction=&quot;%(banaction)s&quot;, agent=&quot;%(fail2ban_agent)s&quot;]&#39;,
$fn_action_badips_report = &#39;badips[category=&quot;%(__name__)s&quot;, agent=&quot;%(fail2ban_agent)s&quot;]&#39;,
$fn_default_action = &#39;action_&#39;,
) {
@@ -897,7 +1133,7 @@ $fn_jail_local_erb = &#39;cd_fail2ban/jail_local.erb&#39;
</div>
<div id="footer">
Generated on Thu Aug 3 18:32:56 2017 by
Generated on Sun Aug 6 17:07:22 2017 by
<a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.9 (ruby-2.0.0).
</div>

2
doc/top-level-namespace.html
View File

@@ -90,7 +90,7 @@
</div>
<div id="footer">
Generated on Thu Aug 3 18:32:55 2017 by
Generated on Sun Aug 6 17:07:21 2017 by
<a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a>
0.9.9 (ruby-2.0.0).
</div>

89
manifests/params.pp
View File

@@ -80,7 +80,7 @@
# handled by the jail This is used to decode the lines from the log file.
# Typical examples: "ascii", "utf-8"
# auto: will use the system locale setting
# @param [string] fn_enabled enables the jails.
# @param [boolean] fn_enabled enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
# true: jail will be enabled and log files will get monitored for changes
@@ -100,43 +100,74 @@
# in a particular jail
# @param [string] fn_fail2ban_agent Format of user-agent
# https://tools.ietf.org/html/rfc7231#section-5.5.3
# @param [string] fn_banaction Default banning action
# @param [string] fn_banaction_allports Default banning action
# @param [string] fn_action_ ban only
# @param [string] fn_action_mw ban & send an e-mail with whois report to the
# destemail.
# @param [string] fn_action_mwl ban & send an e-mail with whois report and
# relevant log lines
# @param [string] fn_action_xarf ban & send a xarf e-mail to abuse contact of
# IP address and include relevant log lines.
# @param [string] fn_action_cf_mwl ban IP on CloudFlare & send an e-mail with
# whois report and relevant log lines.
# @param [string] fn_action_blocklist_de Report block via blocklist.de fail2ban
# reporting service API
# @param [string] Report ban via badips.com, and use as blacklist
# @param [string] fn_action_badips_report # Report ban via badips.com
# (uses action.d/badips.conf for reporting only).
# @param [string] fn_default_action Choose default action.
###############################################################################
class cd_fail2ban::params (
$pkg_ensure = 'latest',
$pkg_ensure = 'latest',
$fn_manage_config = true,
$fn_enable_service = 'running',
$fn_manage_config = true,
$fn_enable_service = 'running',
# fail2ban.conf/local
$fn_loglevel = 'INFO',
$fn_logtarget = 'SYSLOG',
$fn_syslogsocket = 'auto',
$fn_socket = '/var/run/fail2ban/fail2ban.sock',
$fn_pidfile = '/var/run/fail2ban/fail2ban.pid',
$fn_dbfile = '/var/lib/fail2ban/fail2ban.sqlite3',
$fn_dbpurgeage = '86400',
$fn_loglevel = 'INFO',
$fn_logtarget = 'SYSLOG',
$fn_syslogsocket = 'auto',
$fn_socket = '/var/run/fail2ban/fail2ban.sock',
$fn_pidfile = '/var/run/fail2ban/fail2ban.pid',
$fn_dbfile = '/var/lib/fail2ban/fail2ban.sqlite3',
$fn_dbpurgeage = '86400',
# jail.conf/local
$fn_ignoreip = '127.0.0.1/8',
$fn_ignorecommand = '',
$fn_bantime = '600',
$fn_findtime = '600',
$fn_maxretry = '5',
$fn_backend = 'auto',
$fn_usedns = 'warn',
$fn_logencoding = 'auto',
$fn_enabled = 'false',
$fn_filter = '%(__name__)s',
$fn_destemail = 'root@localhost',
$fn_sender = 'root@localhost',
$fn_mta = 'sendmail',
$fn_protocol = 'tcp',
$fn_chain = 'INPUT',
$fn_port = '0:65535',
$fn_fail2ban_agent = 'Fail2Ban/%(fail2ban_version)s',
$fn_ignoreip = '127.0.0.1/8',
$fn_ignorecommand = '',
$fn_bantime = '600',
$fn_findtime = '600',
$fn_maxretry = '5',
$fn_backend = 'auto',
$fn_usedns = 'warn',
$fn_logencoding = 'auto',
$fn_enabled = false,
$fn_filter = '%(__name__)s',
$fn_destemail = 'root@localhost',
$fn_sender = 'root@localhost',
$fn_mta = 'sendmail',
$fn_protocol = 'tcp',
$fn_chain = 'INPUT',
$fn_port = '0:65535',
$fn_fail2ban_agent = 'Fail2Ban/%(fail2ban_version)s',
$fn_banaction = 'iptables-multiport',
$fn_banaction_allports = 'iptables-allports',
$fn_action_ = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]',
$fn_action_mw = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]',
$fn_action_mwl = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]',
$fn_action_xarf = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]',
$fn_action_cf_mwl = 'cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]',
$fn_action_blocklist_de = 'blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]',
$fn_action_badips = 'badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]',
$fn_action_badips_report = 'badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]',
$fn_default_action = 'action_',
) {

755
templates/jail_local.erb
View File

@@ -8,727 +8,38 @@
[INCLUDES]
before = paths-<%= @fn_jail_paths %>.conf
before = paths-<%= @fn_jail_paths %>.conf
[DEFAULT]
ignoreip = <%= @fn_ignoreip %>
ignorecommand = <%= @fn_ignorecommand %>
bantime = <%= @fn_bantime %>
findtime = <%= @fn_findtime %>
maxretry = <%= @fn_maxretry %>
backend = <%= @fn_backend %>
usedns = <%= @fn_usedns %>
logencoding = <%= @fn_logencoding %>
enabled = <%= @fn_enabled %>
filter = <%= @fn_enabled %>
destemail = <%= @fn_destemail %>
sender = <%= @fn_sender %>
mta = <%= @fn_sender %>
protocol = <%= @fn_protocol %>
chain = <%= @fn_chain %>
port = <%= @fn_port %>
fail2ban_agent = <%= @fn_fail2ban_agent %>
#
# Action shortcuts. To be used to define action parameter
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Report block via blocklist.de fail2ban reporting service API
#
# See the IMPORTANT note in action.d/blocklist_de.conf for when to
# use this action. Create a file jail.d/blocklist_de.local containing
# [Init]
# blocklist_de_apikey = {api key from registration]
#
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
#
# Report ban via badips.com (uses action.d/badips.conf for reporting only)
#
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
#
# SSH servers
#
[sshd]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[dropbear]
port = ssh
logpath = %(dropbear_log)s
backend = %(dropbear_backend)s
[selinux-ssh]
port = ssh
logpath = %(auditd_log)s
#
# HTTP servers
#
[apache-auth]
port = http,https
logpath = %(apache_error_log)s
[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port = http,https
logpath = %(apache_access_log)s
bantime = 172800
maxretry = 1
[apache-noscript]
port = http,https
logpath = %(apache_error_log)s
[apache-overflows]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-nohome]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-botsearch]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-fakegooglebot]
port = http,https
logpath = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
[apache-modsecurity]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-shellshock]
port = http,https
logpath = %(apache_error_log)s
maxretry = 1
[openhab-auth]
filter = openhab
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log
[nginx-http-auth]
port = http,https
logpath = %(nginx_error_log)s
# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
# and define `limit_req` and `limit_req_zone` as described in nginx documentation
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
# or for example see in 'config/filter.d/nginx-limit-req.conf'
[nginx-limit-req]
port = http,https
logpath = %(nginx_error_log)s
[nginx-botsearch]
port = http,https
logpath = %(nginx_error_log)s
maxretry = 2
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
port = http,https
logpath = %(nginx_access_log)s
%(apache_access_log)s
[suhosin]
port = http,https
logpath = %(suhosin_log)s
[lighttpd-auth]
# Same as above for Apache's mod_auth
# It catches wrong authentifications
port = http,https
logpath = %(lighttpd_error_log)s
#
# Webmail and groupware servers
#
[roundcube-auth]
port = http,https
logpath = %(roundcube_errors_log)s
[openwebmail]
port = http,https
logpath = /var/log/openwebmail.log
[horde]
port = http,https
logpath = /var/log/horde/horde.log
[groupoffice]
port = http,https
logpath = /home/groupoffice/log/info.log
[sogo-auth]
# Monitor SOGo groupware server
# without proxy this would be:
# port = 20000
port = http,https
logpath = /var/log/sogo/sogo.log
[tine20]
logpath = /var/log/tine20/tine20.log
port = http,https
#
# Web Applications
#
#
[drupal-auth]
port = http,https
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
[guacamole]
port = http,https
logpath = /var/log/tomcat*/catalina.out
[monit]
#Ban clients brute-forcing the monit gui login
port = 2812
logpath = /var/log/monit
[webmin-auth]
port = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[froxlor-auth]
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
#
# HTTP Proxy servers
#
#
[squid]
port = 80,443,3128,8080
logpath = /var/log/squid/access.log
[3proxy]
port = 3128
logpath = /var/log/3proxy.log
#
# FTP servers
#
[proftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
backend = %(proftpd_backend)s
[pure-ftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(pureftpd_log)s
backend = %(pureftpd_backend)s
[gssftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
[wuftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(wuftpd_log)s
backend = %(wuftpd_backend)s
[vsftpd]
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
#
# Mail servers
#
# ASSP SMTP Proxy Jail
[assp]
port = smtp,465,submission
logpath = /root/path/to/assp/logs/maillog.txt
[courier-smtp]
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[postfix]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
[postfix-rbl]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1
[sendmail-auth]
port = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[sendmail-reject]
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[qmail-rbl]
filter = qmail
port = smtp,465,submission
logpath = /service/qmail/log/main/current
# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[sieve]
port = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[solid-pop3d]
port = pop3,pop3s
logpath = %(solidpop3d_log)s
[exim]
port = smtp,465,submission
logpath = %(exim_main_log)s
[exim-spam]
port = smtp,465,submission
logpath = %(exim_main_log)s
[kerio]
port = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log
#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
[courier-auth]
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[postfix-sasl]
port = smtp,465,submission,imap3,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
[perdition]
port = imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[squirrelmail]
port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
[cyrus-imap]
port = imap3,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[uwimap-auth]
port = imap3,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
#
#
# DNS servers
#
# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
# [named-refused-udp]
#
# filter = named-refused
# port = domain,953
# protocol = udp
# logpath = /var/log/named/security.log
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.
[named-refused]
port = domain,953
logpath = /var/log/named/security.log
[nsd]
port = 53
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/nsd.log
#
# Miscellaneous
#
[asterisk]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 10
[freeswitch]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/freeswitch.log
maxretry = 10
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
# equivalent section:
# log-warning = 2
#
# for syslog (daemon facility)
# [mysqld_safe]
# syslog
#
# for own logfile
# [mysqld]
# log-error=/var/log/mysqld.log
[mysqld-auth]
port = 3306
logpath = %(mysql_log)s
backend = %(mysql_backend)s
# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
[mongodb-auth]
# change port when running with "--shardsvr" or "--configsvr" runtime operation
port = 27017
logpath = /var/log/mongodb/mongodb.log
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
# to maintain entries for failed logins for sufficient amount of time
[recidive]
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
# Generic filter for PAM. Has to be used with action which bans all
# ports such as iptables-allports, shorewall
[pam-generic]
# pam-generic filter can be customized to monitor specific subset of 'tty's
banaction = %(banaction_allports)s
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[xinetd-fail]
banaction = iptables-multiport-log
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
maxretry = 2
# stunnel - need to set port for this
[stunnel]
logpath = /var/log/stunnel4/stunnel.log
[ejabberd-auth]
port = 5222
logpath = /var/log/ejabberd/ejabberd.log
[counter-strike]
logpath = /opt/cstrike/logs/L[0-9]*.log
# Firewall: http://www.cstrike-planet.com/faq/6
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
[nagios]
logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
backend = %(syslog_backend)s
maxretry = 1
[oracleims]
# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
logpath = /opt/sun/comms/messaging64/log/mail.log_current
banaction = %(banaction_allports)s
[directadmin]
logpath = /var/log/directadmin/login.log
port = 2222
[portsentry]
logpath = /var/lib/portsentry/portsentry.history
maxretry = 1
[pass2allow-ftp]
# this pass2allow example allows FTP traffic after successful HTTP authentication
port = ftp,ftp-data,ftps,ftps-data
# knocking_url variable must be overridden to some secret value in jail.local
knocking_url = /knocking/
filter = apache-pass[knocking_url="%(knocking_url)s"]
# access log of the website with HTTP auth
logpath = %(apache_access_log)s
blocktype = RETURN
returntype = DROP
bantime = 3600
maxretry = 1
findtime = 1
[murmur]
# AKA mumble-server
port = 64738
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/mumble-server/mumble-server.log
[screensharingd]
# For Mac OS Screen Sharing Service (VNC)
logpath = /var/log/system.log
logencoding = utf-8
[haproxy-http-auth]
# HAProxy by default doesn't log to file you'll need to set it up to forward
# logs to a syslog server which would then write them to disk.
# See "haproxy-http-auth" filter for a brief cautionary note when setting
# maxretry and findtime.
logpath = /var/log/haproxy.log
[slapd]
port = ldap,ldaps
filter = slapd
logpath = /var/log/slapd.log
ignoreip = <%= @fn_ignoreip %>
ignorecommand = <%= @fn_ignorecommand %>
bantime = <%= @fn_bantime %>
findtime = <%= @fn_findtime %>
maxretry = <%= @fn_maxretry %>
backend = <%= @fn_backend %>
usedns = <%= @fn_usedns %>
logencoding = <%= @fn_logencoding %>
enabled = <%= @fn_enabled %>
filter = <%= @fn_enabled %>
destemail = <%= @fn_destemail %>
sender = <%= @fn_sender %>
mta = <%= @fn_sender %>
protocol = <%= @fn_protocol %>
chain = <%= @fn_chain %>
port = <%= @fn_port %>
fail2ban_agent = <%= @fn_fail2ban_agent %>
banaction = <%= @fn_banaction %>
banaction_allports = <%= @fn_banaction_allports %>
# available actions
action_ = <%= @fn_action_ %>
action_mw = <%= @fn_action_mw %>
action_mwl = <%= @fn_action_mwl %>
action_xarf = <%= @fn_action_xarf %>
action_cf_mwl = <%= @fn_action_cf_mwl %>
action_blocklist_de = <%= @fn_action_blocklist_de %>
action_badips = <%= @fn_action_badips %>
action_badips_report = <%= @fn_action_badips_report %>
# Default action
action = %(<%= @fn_default_action %>)s