v0.2
This commit is contained in:
parent
a3a4e8cbc1
commit
34254b569d
18
README.md
18
README.md
@ -1,17 +1,17 @@
|
||||
# HatThieves `fail2ban` with abuse reporting system
|
||||
# fail2ban with abuse reporting system
|
||||
|
||||
## Config
|
||||
|
||||
#### edit [entrypoint.sh](fail2ban/entrypoint.sh) with your smtp settings
|
||||
edit [entrypoint.sh](fail2ban/entrypoint.sh) with your smtp settings
|
||||
|
||||
## Expose jail
|
||||
```
|
||||
docker-compose up -d
|
||||
```
|
||||
|
||||
docker-compose up -d
|
||||
|
||||
## Stop jail
|
||||
```
|
||||
docker-compose down
|
||||
```
|
||||
|
||||
### License MIT
|
||||
docker-compose down
|
||||
|
||||
## License
|
||||
|
||||
MIT
|
||||
|
@ -3,6 +3,7 @@ version: '2'
|
||||
services:
|
||||
fail2ban:
|
||||
build: ./fail2ban
|
||||
image: fail2ban
|
||||
hostname: fail2ban
|
||||
container_name: fail2ban
|
||||
restart: always
|
||||
@ -12,7 +13,15 @@ services:
|
||||
volumes:
|
||||
- ./fail2ban/entrypoint.sh:/etc/fail2ban/entrypoint.sh:ro
|
||||
- ./fail2ban/sshd_config:/etc/ssh/sshd_config:ro
|
||||
- ./fail2ban/fail2ban.log:/var/log/fail2ban.log
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
- NET_RAW
|
||||
network_mode: host
|
||||
ports:
|
||||
- "22:22/tcp"
|
||||
- "2222:2222/tcp"
|
||||
networks:
|
||||
failnet:
|
||||
|
||||
networks:
|
||||
failnet:
|
||||
|
@ -1,3 +1,3 @@
|
||||
FROM debian:sid-slim
|
||||
RUN apt update && apt -y upgrade && apt -y install fail2ban openssh-server rsyslog swaks host python3-pyinotify iptables && apt clean
|
||||
RUN apt update && apt -y upgrade && apt -y install fail2ban openssh-server rsyslog swaks host python3-pyinotify iptables tor torsocks && apt clean
|
||||
WORKDIR /etc/fail2ban
|
||||
|
@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
DOMAIN=hatthieves.es
|
||||
SMTP=smtp.hatthieves.es
|
||||
DOMAIN=manalejandro.com
|
||||
SMTP=smtp.manalejandro.com
|
||||
USER=fail2ban
|
||||
PASS=pass
|
||||
|
||||
@ -13,9 +13,9 @@ SENDER_MAIL=\"\$2\"
|
||||
DEST_MAIL=\"\$3\"
|
||||
LOGFILE=\"\$4\"
|
||||
DATE=\$(date)
|
||||
WHOIS_OUTPUT=\$(whois \$REMOTE_IP)
|
||||
WHOIS_OUTPUT=\$(torsocks whois \$REMOTE_IP)
|
||||
REVERSE_IP=\$(echo \$REMOTE_IP | awk 'BEGIN{FS=\".\";ORS=\".\"} {for (i = NF; i > 0; i--){print \$i}}')
|
||||
LOG_LINES=\$(grep \$REMOTE_IP \$LOGFILE)
|
||||
LOG_LINES=\$(grep -a \$REMOTE_IP \$LOGFILE)
|
||||
BANNED_IP_PATH=\"/var/tmp/fail2ban_banned_ips\"
|
||||
|
||||
# Skip sending email when an email was already sent out for that IP the last 24hours
|
||||
@ -23,15 +23,17 @@ if ! [ -d \$BANNED_IP_PATH ]; then mkdir \$BANNED_IP_PATH; else find \${BANNED_I
|
||||
if [ -n \"\$(find \${BANNED_IP_PATH}/\$REMOTE_IP -mtime -1 2>/dev/null)\" ]; then exit 0; else touch \${BANNED_IP_PATH}/\$REMOTE_IP; fi
|
||||
|
||||
# Get the Abuse email address from Abusix
|
||||
if DNS_REPLY=\$(host -t TXT \${REVERSE_IP}abuse-contacts.abusix.org); then
|
||||
ABUSE_ADDR=\$(echo \$DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd \",\")
|
||||
fi
|
||||
#if DNS_REPLY=\$(host -t TXT \${REVERSE_IP}abuse-contacts.abusix.zone); then
|
||||
# ABUSE_ADDR=\$(echo \$DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd \",\")
|
||||
#fi
|
||||
|
||||
ABUSE_ADDR=\$(torsocks whois -b \$REMOTE_IP | egrep ^abuse | sed 's/^.*: \?\+//')
|
||||
|
||||
# Send email
|
||||
if [ \$ABUSE_ADDR ]; then
|
||||
swaks -f \$SENDER_MAIL -t \"\$ABUSE_ADDR,webmaster@$DOMAIN\" --tlsc -au $USER -ap $PASS -s $SMTP -p 465 \\
|
||||
swaks -f \$SENDER_MAIL -t \"\$ABUSE_ADDR\" -tlsc -a -au $USER -ap $PASS -s $SMTP -p 465 \\
|
||||
--h-Subject \"[Urgent]: Automatic abuse report for IP address \$REMOTE_IP from $DOMAIN\" --h-From \"Fail2Ban $DOMAIN <\$SENDER_MAIL>\" \\
|
||||
--h-Bcc \"webmaster@$DOMAIN\" --h-To \$ABUSE_ADDR --body \\
|
||||
--h-To \$ABUSE_ADDR --body \\
|
||||
\"This is an automatic email abuse report about the IP address \$REMOTE_IP generated at \$DATE, please do not reply.
|
||||
You get this email because you are listed as the official and popular abuse email contact for this concrete IP address.
|
||||
|
||||
@ -41,11 +43,8 @@ The following intrusion attempts were detected by our systems:
|
||||
WHOIS report FYI:
|
||||
\$WHOIS_OUTPUT
|
||||
|
||||
Thanks for your time and curiosity... take care with botnets...
|
||||
- ANTIBOTNET SYSTEM -
|
||||
together will do a better and free world :-)
|
||||
from postmaster@$DOMAIN
|
||||
by www.$DOMAIN\"
|
||||
from postmaster@$DOMAIN by $DOMAIN\"
|
||||
fi" > fail2ban_abuse_mail.sh
|
||||
|
||||
echo "[Definition]
|
||||
@ -123,14 +122,13 @@ maxretry = 2
|
||||
ignoreip = $DOMAIN
|
||||
backend = pyinotify
|
||||
filter = sshd
|
||||
action = iptables-allports
|
||||
action = iptables-allports[name=SSH, protocol=tcp]
|
||||
sendmail-abuse[name=%(__name__)s, dest=\"%(destemail)s\", logpath=%(logpath)s]" > jail.d/sshd.conf
|
||||
|
||||
chmod +x fail2ban_abuse_mail.sh
|
||||
rm -f /etc/fail2ban/jail.d/defaults-debian.conf /var/run/fail2ban/fail2ban.sock
|
||||
mkdir -p /var/run/fail2ban
|
||||
/etc/init.d/rsyslog start
|
||||
/etc/init.d/ssh start
|
||||
/etc/init.d/fail2ban start
|
||||
/bin/sleep infinity
|
||||
|
||||
service rsyslog start
|
||||
service ssh start
|
||||
service fail2ban start
|
||||
service tor start
|
||||
/bin/sleep infinity
|
0
fail2ban/fail2ban.log
Normal file
0
fail2ban/fail2ban.log
Normal file
Loading…
Reference in New Issue
Block a user