diff --git a/README.md b/README.md index 2f56a9b..05642bd 100644 --- a/README.md +++ b/README.md @@ -1,17 +1,17 @@ -# HatThieves `fail2ban` with abuse reporting system +# fail2ban with abuse reporting system ## Config -#### edit [entrypoint.sh](fail2ban/entrypoint.sh) with your smtp settings +edit [entrypoint.sh](fail2ban/entrypoint.sh) with your smtp settings ## Expose jail -``` -docker-compose up -d -``` + + docker-compose up -d ## Stop jail -``` -docker-compose down -``` -### License MIT + docker-compose down + +## License + + MIT diff --git a/docker-compose.yml b/docker-compose.yml index 486cd67..20e84e6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -3,6 +3,7 @@ version: '2' services: fail2ban: build: ./fail2ban + image: fail2ban hostname: fail2ban container_name: fail2ban restart: always @@ -12,7 +13,15 @@ services: volumes: - ./fail2ban/entrypoint.sh:/etc/fail2ban/entrypoint.sh:ro - ./fail2ban/sshd_config:/etc/ssh/sshd_config:ro + - ./fail2ban/fail2ban.log:/var/log/fail2ban.log cap_add: - NET_ADMIN - NET_RAW - network_mode: host + ports: + - "22:22/tcp" + - "2222:2222/tcp" + networks: + failnet: + +networks: + failnet: diff --git a/fail2ban/Dockerfile b/fail2ban/Dockerfile index 566714b..469ff91 100644 --- a/fail2ban/Dockerfile +++ b/fail2ban/Dockerfile @@ -1,3 +1,3 @@ FROM debian:sid-slim -RUN apt update && apt -y upgrade && apt -y install fail2ban openssh-server rsyslog swaks host python3-pyinotify iptables && apt clean +RUN apt update && apt -y upgrade && apt -y install fail2ban openssh-server rsyslog swaks host python3-pyinotify iptables tor torsocks && apt clean WORKDIR /etc/fail2ban diff --git a/fail2ban/entrypoint.sh b/fail2ban/entrypoint.sh index e147bab..fbcb9f5 100644 --- a/fail2ban/entrypoint.sh +++ b/fail2ban/entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash -DOMAIN=hatthieves.es -SMTP=smtp.hatthieves.es +DOMAIN=manalejandro.com +SMTP=smtp.manalejandro.com USER=fail2ban PASS=pass 
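Review bot: Dropping `network_mode: host` changes what a ban does: with `cap_add: NET_ADMIN` the `iptables-allports` rules that fail2ban inserts now live in the container's own network namespace, so a banned address is only blocked from the two published ports and not from anything else on the host; if host-wide blocking was the intent, say so in the README or keep host mode. Publishing `"22:22/tcp"` on all interfaces also collides with a host sshd already listening on 22, which deserves a comment on that line. The file bind mount `./fail2ban/fail2ban.log:/var/log/fail2ban.log` only works while that host file exists (the commit adds it empty); if it is ever missing Docker creates a directory at that path and fail2ban cannot open its log as a file, so a directory mount such as `./fail2ban/log:/var/log/fail2ban` with the log target pointed there is more robust. Whether sshd inside the container sees the real client address or the bridge gateway depends on the daemon's userland-proxy setting; if it is the gateway, one ban would block every client, so verify the addresses recorded in the log after the first ban.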
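Review bot: The `RUN` line uses the `apt` front-end, which warns that it has no stable CLI interface when scripted, and installs from `debian:sid-slim` without version pinning or `--no-install-recommends`, so every rebuild pulls whatever sid ships that day. Prefer `apt-get update && apt-get install -y --no-install-recommends ...` and add `rm -rf /var/lib/apt/lists/*` after `apt clean` to keep the layer small. The newly added `tor` and `torsocks` only work once the tor service has been started and has bootstrapped at container start; that ordering lives in entrypoint.sh, so a comment here such as `# tor/torsocks: whois and abuse-contact lookups in fail2ban_abuse_mail.sh go through Tor` would tie the two together.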
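Review bot: The SMTP credentials remain hard-coded (`USER=fail2ban`, `PASS=pass`) right next to the changed `DOMAIN`/`SMTP` values, in a file that is tracked in git and bind-mounted into the container, so a real password would be committed and visible to anyone with repository access. Read them from the environment instead, e.g. `SMTP_USER=${SMTP_USER:?}` and `SMTP_PASS=${SMTP_PASS:?}` supplied via an `environment:`/`env_file:` entry in docker-compose.yml. Note also that `$PASS` is expanded at generation time into `fail2ban_abuse_mail.sh` (the unescaped `-ap $PASS` swaks argument later in the file), so the password is written in clear text into that generated script and appears on the swaks command line in `ps` output while a report is being sent. These assignments sit at the top of the file outside any function.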
@@ -13,9 +13,9 @@ SENDER_MAIL=\"\$2\" DEST_MAIL=\"\$3\" LOGFILE=\"\$4\" DATE=\$(date) -WHOIS_OUTPUT=\$(whois \$REMOTE_IP) +WHOIS_OUTPUT=\$(torsocks whois \$REMOTE_IP) REVERSE_IP=\$(echo \$REMOTE_IP | awk 'BEGIN{FS=\".\";ORS=\".\"} {for (i = NF; i > 0; i--){print \$i}}') -LOG_LINES=\$(grep \$REMOTE_IP \$LOGFILE) +LOG_LINES=\$(grep -a \$REMOTE_IP \$LOGFILE) BANNED_IP_PATH=\"/var/tmp/fail2ban_banned_ips\" # Skip sending email when an email was already sent out for that IP the last 24hours @@ -23,15 +23,17 @@ if ! [ -d \$BANNED_IP_PATH ]; then mkdir \$BANNED_IP_PATH; else find \${BANNED_I if [ -n \"\$(find \${BANNED_IP_PATH}/\$REMOTE_IP -mtime -1 2>/dev/null)\" ]; then exit 0; else touch \${BANNED_IP_PATH}/\$REMOTE_IP; fi # Get the Abuse email address from Abusix -if DNS_REPLY=\$(host -t TXT \${REVERSE_IP}abuse-contacts.abusix.org); then - ABUSE_ADDR=\$(echo \$DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd \",\") -fi +#if DNS_REPLY=\$(host -t TXT \${REVERSE_IP}abuse-contacts.abusix.zone); then +# ABUSE_ADDR=\$(echo \$DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd \",\") +#fi + +ABUSE_ADDR=\$(torsocks whois -b \$REMOTE_IP | egrep ^abuse | sed 's/^.*: \?\+//') # Send email if [ \$ABUSE_ADDR ]; then -swaks -f \$SENDER_MAIL -t \"\$ABUSE_ADDR,webmaster@$DOMAIN\" --tlsc -au $USER -ap $PASS -s $SMTP -p 465 \\ +swaks -f \$SENDER_MAIL -t \"\$ABUSE_ADDR\" -tlsc -a -au $USER -ap $PASS -s $SMTP -p 465 \\ --h-Subject \"[Urgent]: Automatic abuse report for IP address \$REMOTE_IP from $DOMAIN\" --h-From \"Fail2Ban $DOMAIN <\$SENDER_MAIL>\" \\ ---h-Bcc \"webmaster@$DOMAIN\" --h-To \$ABUSE_ADDR --body \\ +--h-To \$ABUSE_ADDR --body \\ \"This is an automatic email abuse report about the IP address \$REMOTE_IP generated at \$DATE, please do not reply. You get this email because you are listed as the official and popular abuse email contact for this concrete IP address. 
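Review bot: `LOG_LINES=\$(grep -a \$REMOTE_IP \$LOGFILE)` treats the address as an unanchored regex, so `1.2.3.4` also matches `11.2.3.45` or `1x2y3z4`, and log lines about other hosts end up in the report mailed to a third party; use a quoted fixed-string whole-word match: `LOG_LINES=\$(grep -a -F -w -- \"\$REMOTE_IP\" \"\$LOGFILE\")`. The `torsocks whois \$REMOTE_IP` lookup is likewise unquoted and has no failure handling, so a Tor circuit that is not up yet leaves `WHOIS_OUTPUT` empty and the report still goes out with a blank WHOIS section; something like `|| WHOIS_OUTPUT='(whois lookup failed)'` makes that visible to the recipient and in the log. These lines appear to be inside the `echo "..."` string that generates fail2ban_abuse_mail.sh (its `> fail2ban_abuse_mail.sh` redirection is in a later hunk), so the backslash escaping has to be preserved in any edit.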
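Review bot: The new `ABUSE_ADDR=\$(torsocks whois -b \$REMOTE_IP | egrep ^abuse | sed ...)` drops the e-mail-address validation the commented-out Abusix lookup performed, so whatever text follows an `abuse...:` label in the registry's whois output — possibly several lines, or a name rather than an address — is passed straight to `swaks -t` and, unquoted, to `--h-To`, and `if [ \$ABUSE_ADDR ]` errors with "too many arguments" as soon as there is more than one match. Keep the address filter and de-duplicate: `ABUSE_ADDR=\$(torsocks whois -b \$REMOTE_IP | grep '^abuse' | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | sort -u | paste -sd ',')` and test it with `if [ -n \"\$ABUSE_ADDR\" ]; then`. The `^abuse` anchor matches RIPE-style `abuse-mailbox:` lines but, as far as I can tell, not ARIN's `OrgAbuseEmail:` field, so ranges under ARIN would silently produce no report; `egrep` is also deprecated in current grep in favour of `grep -E`. With the `--h-Bcc webmaster@...` copy removed the operator no longer sees what was sent on their behalf, so logging the recipient and the swaks exit status to the fail2ban log would keep a local audit trail.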
@@ -41,11 +43,8 @@ The following intrusion attempts were detected by our systems: WHOIS report FYI: \$WHOIS_OUTPUT -Thanks for your time and curiosity... take care with botnets... - ANTIBOTNET SYSTEM - -together will do a better and free world :-) -from postmaster@$DOMAIN -by www.$DOMAIN\" +from postmaster@$DOMAIN by $DOMAIN\" fi" > fail2ban_abuse_mail.sh echo "[Definition] @@ -123,14 +122,13 @@ maxretry = 2 ignoreip = $DOMAIN backend = pyinotify filter = sshd -action = iptables-allports +action = iptables-allports[name=SSH, protocol=tcp] sendmail-abuse[name=%(__name__)s, dest=\"%(destemail)s\", logpath=%(logpath)s]" > jail.d/sshd.conf -chmod +x fail2ban_abuse_mail.sh rm -f /etc/fail2ban/jail.d/defaults-debian.conf /var/run/fail2ban/fail2ban.sock mkdir -p /var/run/fail2ban -/etc/init.d/rsyslog start -/etc/init.d/ssh start -/etc/init.d/fail2ban start -/bin/sleep infinity - +service rsyslog start +service ssh start +service fail2ban start +service tor start +/bin/sleep infinity \ No newline at end of file diff --git a/fail2ban/fail2ban.log b/fail2ban/fail2ban.log new file mode 100644 index 0000000..e69de29
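Review bot: `service tor start` is issued after `service fail2ban start`, and `chmod +x fail2ban_abuse_mail.sh` is removed. Tor needs time to bootstrap, so a ban that fires in the first minutes runs `torsocks whois` against a Tor that is not ready, `ABUSE_ADDR` comes back empty and the report is silently skipped; move `service tor start` before `service fail2ban start` and have the mail script log when the lookup fails. The generated `fail2ban_abuse_mail.sh` is written by an `echo ... >` redirection and so is not executable unless the file already existed with that bit, hence, unless the `sendmail-abuse` action (defined outside this hunk) invokes it via `bash`, the action will fail with permission denied and the `chmod +x` should stay. The four `service ... start` calls are fire-and-forget and `/bin/sleep infinity` keeps the container alive even if fail2ban or sshd later exits, which `restart: always` in docker-compose.yml cannot notice; at minimum check each start's status, e.g. `service fail2ban start || exit 1`.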