fail2ban

production/fail2ban/docker-compose.yml

@@ -0,0 +1,34 @@
+version: '2.3'
+
+services:
+  fail2ban:
+    build: ./fail2ban
+    hostname: fail2ban
+    container_name: fail2ban
+    restart: always
+    entrypoint:
+      - /bin/bash
+      - /etc/fail2ban/entrypoint.sh
+    volumes:
+      - ./fail2ban/entrypoint.sh:/etc/fail2ban/entrypoint.sh:ro
+      - ./fail2ban/sshd_config:/etc/ssh/sshd_config:ro
+      - ./fail2ban.log:/var/log/fail2ban.log
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    ports:
+      - "22:22/tcp"
+      - "2222:2222/tcp"
+    networks:
+      mynet:
+        ipv4_address: 172.13.0.101
+        ipv6_address: 2001:db8:3::101
+
+networks:
+  mynet:
+    enable_ipv6: true
+    driver: bridge
+    ipam:
+      config:
+      - subnet: 172.13.0.0/24
+      - subnet: 2001:db8:3::/64

production/fail2ban/fail2ban/Dockerfile

@@ -0,0 +1,4 @@
+FROM debian:sid-slim
+RUN apt update && apt -y upgrade && apt -y install fail2ban openssh-server rsyslog swaks host python3-pyinotify curl iptables && apt clean
+RUN touch /var/log/fail2ban.log
+WORKDIR /etc/fail2ban

production/fail2ban/fail2ban/entrypoint.sh

@@ -0,0 +1,160 @@
+#!/bin/bash
+DOMAIN=hatthieves.es
+SMTP=smtp.hatthieves.es
+USER=fail2ban
+PASS=f41l2b4n.
+
+echo "#!/bin/bash
+
+PATH=\"\$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"
+LANG=\"C\"
+REMOTE_IP=\"\$1\"
+SENDER_MAIL=\"\$2\"
+DEST_MAIL=\"\$3\"
+LOGFILE=\"\$4\"
+DATE=\$(date)
+WHOIS_OUTPUT=\$(whois \$REMOTE_IP)
+REVERSE_IP=\$(echo \$REMOTE_IP | awk 'BEGIN{FS=\".\";ORS=\".\"} {for (i = NF; i > 0; i--){print \$i}}')
+LOG_LINES=\$(grep \$REMOTE_IP \$LOGFILE)
+BANNED_IP_PATH=\"/var/tmp/fail2ban_banned_ips\"
+
+# Skip sending email when an email was already sent out for that IP the last 24hours
+if ! [ -d \$BANNED_IP_PATH ]; then mkdir \$BANNED_IP_PATH; else find \${BANNED_IP_PATH}/ -mtime +30 -type f -delete; fi
+if [ -n \"\$(find \${BANNED_IP_PATH}/\$REMOTE_IP -mtime -1 2>/dev/null)\" ]; then exit 0; else touch \${BANNED_IP_PATH}/\$REMOTE_IP; fi
+
+# Get the Abuse email address from Abusix
+if DNS_REPLY=\$(host -t TXT \${REVERSE_IP}abuse-contacts.abusix.org); then
+  ABUSE_ADDR=\$(echo \$DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd \",\")
+fi
+
+# Send email
+if [ \$ABUSE_ADDR ]; then
+
+DOMAINSOCIAL=\"https://social.hatthieves.es\"
+USERNAME=\"fail2ban\"
+PASSWORD=\"f41l2b4n.\"
+CLIENT_NAME=\"Fail2Ban\"
+
+#APP_DATA=\$(curl -s -X POST -d \"client_name=\$CLIENT_NAME\" -d \"redirect_uris=urn:ietf:wg:oauth:2.0:oob\" -d \"scopes=write read\" \$DOMAINSOCIAL/api/v1/apps)
+
+#CLIENT_ID=\$(echo \$APP_DATA | cut -d \":\" -f 2 | cut -d \"\\\"\" -f 2)
+#CLIENT_SECRET=\$(echo \$APP_DATA | cut -d \":\" -f 3 | cut -d \"\\\"\" -f 2)
+
+#ACCESS_TOKEN=\$(curl -s -X POST --data-urlencode \"client_id=\$CLIENT_ID\" --data-urlencode \"client_secret=\$CLIENT_SECRET\" -d \"grant_type=password\" -d \"username=\$USERNAME\" --data-urlencode \"password=\$PASSWORD\" -Ss \$DOMAINSOCIAL/oauth/token | rev | cut -d \"\\\"\" -f 2 | rev)
+
+STATUS=\"This is an automatic abuse report about the IP address \$REMOTE_IP generated at \$DATE, please do not reply.
+
+The following intrusion attempts were detected by our systems:
+\$LOG_LINES
+
+- ANTIBOTNET SYSTEM -
+from postmaster@$DOMAIN
+https://gitea.hatthieves.es/cloud/fail2ban by www.$DOMAIN\"
+#curl -H \"Authorization: Bearer \$ACCESS_TOKEN\" -X POST --data-urlencode \"status=\$STATUS\" -Ss \$DOMAINSOCIAL/api/v1/statuses
+##curl -X POST --data-urlencode \"status=\$STATUS\" -Ss https://\$USERNAME:\$PASSWORD@social.hatthieves.es/api/v1/statuses
+
+swaks -f \$SENDER_MAIL -t \"\$ABUSE_ADDR,webmaster@$DOMAIN\" -tlsc -a -au $USER -ap $PASS -s $SMTP -p 587 \\
+--h-Subject \"[Urgent]: Automatic abuse report for IP address \$REMOTE_IP from $DOMAIN\" --h-From \"Fail2Ban $DOMAIN <\$SENDER_MAIL>\" \\
+--h-Bcc \"webmaster@$DOMAIN\" --h-To \$ABUSE_ADDR --body \\
+\"This is an automatic email abuse report about the IP address \$REMOTE_IP generated at \$DATE, please do not reply.
+You get this email because you are listed as the official and popular abuse email contact for this concrete IP address.
+
+The following intrusion attempts were detected by our systems:
+\$LOG_LINES
+
+WHOIS report FYI:
+\$WHOIS_OUTPUT
+
+Thanks for your time and curiosity... take care with botnets...
+- ANTIBOTNET SYSTEM -
+together will do a better and free world :-)
+from postmaster@$DOMAIN
+https://gitea.hatthieves.es/cloud/fail2ban by www.$DOMAIN\"
+fi" > fail2ban_abuse_mail.sh
+
+echo "[Definition]
+ 
+# Option:  actionstart
+# Notes.:  command executed once at the start of Fail2Ban.
+# Values:  CMD
+#
+actionstart = printf %%b \"Subject: [Fail2Ban] <name>: started
+              Date: \`date -u +\"%%a, %%d %%h %%Y %%T +0000\"\`
+              From: Fail2Ban <<sender>>
+              To: <dest>\\n
+              Hi,\\n
+              The jail <name> has been started successfully.\\n
+              Regards,\\n
+              Fail2Ban\" | /usr/sbin/sendmail -f <sender> <dest>
+ 
+# Option:  actionstop
+# Notes.:  command executed once at the end of Fail2Ban
+# Values:  CMD
+#
+actionstop = printf %%b \"Subject: [Fail2Ban] <name>: stopped
+             Date: \`date -u +\"%%a, %%d %%h %%Y %%T +0000\"\`
+             From: Fail2Ban <<sender>>
+             To: <dest>\\n
+             Hi,\\n
+             The jail <name> has been stopped.\\n
+             Regards,\\n
+             Fail2Ban\" | /usr/sbin/sendmail -f <sender> <dest>
+ 
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+ 
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+actionban = /etc/fail2ban/fail2ban_abuse_mail.sh <ip> <sender> <dest> <logpath>
+ 
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban =
+ 
+[Init]
+ 
+# Defaut name of the chain
+#
+name = default
+ 
+# Destination/Addressee of the mail
+#
+dest = webmaster@$DOMAIN
+ 
+# Sender of the mail
+#
+sender = fail2ban@$DOMAIN
+ 
+# Path to the log files which contain relevant lines for the abuser IP
+#
+logpath = /dev/null" > action.d/sendmail-abuse.conf
+
+echo "[sshd]
+enabled = true
+bantime = 10800
+findtime = 1800
+maxretry = 3
+ignoreip = $DOMAIN
+backend = pyinotify
+filter = sshd
+action = iptables-allports
+         sendmail-abuse[name=%(__name__)s, dest=\"%(destemail)s\", logpath=%(logpath)s]" > jail.d/sshd.conf
+
+chmod +x fail2ban_abuse_mail.sh
+rm -f /etc/fail2ban/jail.d/defaults-debian.conf /var/run/fail2ban/fail2ban.sock
+/etc/init.d/rsyslog start
+/etc/init.d/ssh start
+mkdir -p /var/run/fail2ban
+/etc/init.d/fail2ban start
+/bin/sleep infinity
+

production/fail2ban/fail2ban/sshd_config

@@ -0,0 +1,10 @@
+Port 22
+Port 2222
+PermitRootLogin no
+ChallengeResponseAuthentication yes
+UsePAM yes
+X11Forwarding no
+X11UseLocalhost no
+PrintMotd no
+AcceptEnv LANG LC_*
+PasswordAuthentication yes