v0.2
This commit is contained in:
parent
a3a4e8cbc1
commit
34254b569d
16
README.md
16
README.md
@ -1,17 +1,17 @@
|
|||||||
# HatThieves `fail2ban` with abuse reporting system
|
# fail2ban with abuse reporting system
|
||||||
|
|
||||||
## Config
|
## Config
|
||||||
|
|
||||||
#### edit [entrypoint.sh](fail2ban/entrypoint.sh) with your smtp settings
|
edit [entrypoint.sh](fail2ban/entrypoint.sh) with your smtp settings
|
||||||
|
|
||||||
## Expose jail
|
## Expose jail
|
||||||
```
|
|
||||||
docker-compose up -d
|
docker-compose up -d
|
||||||
```
|
|
||||||
|
|
||||||
## Stop jail
|
## Stop jail
|
||||||
```
|
|
||||||
docker-compose down
|
|
||||||
```
|
|
||||||
|
|
||||||
### License MIT
|
docker-compose down
|
||||||
|
|
||||||
|
## License
|
||||||
|
|
||||||
|
MIT
|
||||||
|
@ -3,6 +3,7 @@ version: '2'
|
|||||||
services:
|
services:
|
||||||
fail2ban:
|
fail2ban:
|
||||||
build: ./fail2ban
|
build: ./fail2ban
|
||||||
|
image: fail2ban
|
||||||
hostname: fail2ban
|
hostname: fail2ban
|
||||||
container_name: fail2ban
|
container_name: fail2ban
|
||||||
restart: always
|
restart: always
|
||||||
@ -12,7 +13,15 @@ services:
|
|||||||
volumes:
|
volumes:
|
||||||
- ./fail2ban/entrypoint.sh:/etc/fail2ban/entrypoint.sh:ro
|
- ./fail2ban/entrypoint.sh:/etc/fail2ban/entrypoint.sh:ro
|
||||||
- ./fail2ban/sshd_config:/etc/ssh/sshd_config:ro
|
- ./fail2ban/sshd_config:/etc/ssh/sshd_config:ro
|
||||||
|
- ./fail2ban/fail2ban.log:/var/log/fail2ban.log
|
||||||
cap_add:
|
cap_add:
|
||||||
- NET_ADMIN
|
- NET_ADMIN
|
||||||
- NET_RAW
|
- NET_RAW
|
||||||
network_mode: host
|
ports:
|
||||||
|
- "22:22/tcp"
|
||||||
|
- "2222:2222/tcp"
|
||||||
|
networks:
|
||||||
|
failnet:
|
||||||
|
|
||||||
|
networks:
|
||||||
|
failnet:
|
||||||
|
@ -1,3 +1,3 @@
|
|||||||
FROM debian:sid-slim
|
FROM debian:sid-slim
|
||||||
RUN apt update && apt -y upgrade && apt -y install fail2ban openssh-server rsyslog swaks host python3-pyinotify iptables && apt clean
|
RUN apt update && apt -y upgrade && apt -y install fail2ban openssh-server rsyslog swaks host python3-pyinotify iptables tor torsocks && apt clean
|
||||||
WORKDIR /etc/fail2ban
|
WORKDIR /etc/fail2ban
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
DOMAIN=hatthieves.es
|
DOMAIN=manalejandro.com
|
||||||
SMTP=smtp.hatthieves.es
|
SMTP=smtp.manalejandro.com
|
||||||
USER=fail2ban
|
USER=fail2ban
|
||||||
PASS=pass
|
PASS=pass
|
||||||
|
|
||||||
@ -13,9 +13,9 @@ SENDER_MAIL=\"\$2\"
|
|||||||
DEST_MAIL=\"\$3\"
|
DEST_MAIL=\"\$3\"
|
||||||
LOGFILE=\"\$4\"
|
LOGFILE=\"\$4\"
|
||||||
DATE=\$(date)
|
DATE=\$(date)
|
||||||
WHOIS_OUTPUT=\$(whois \$REMOTE_IP)
|
WHOIS_OUTPUT=\$(torsocks whois \$REMOTE_IP)
|
||||||
REVERSE_IP=\$(echo \$REMOTE_IP | awk 'BEGIN{FS=\".\";ORS=\".\"} {for (i = NF; i > 0; i--){print \$i}}')
|
REVERSE_IP=\$(echo \$REMOTE_IP | awk 'BEGIN{FS=\".\";ORS=\".\"} {for (i = NF; i > 0; i--){print \$i}}')
|
||||||
LOG_LINES=\$(grep \$REMOTE_IP \$LOGFILE)
|
LOG_LINES=\$(grep -a \$REMOTE_IP \$LOGFILE)
|
||||||
BANNED_IP_PATH=\"/var/tmp/fail2ban_banned_ips\"
|
BANNED_IP_PATH=\"/var/tmp/fail2ban_banned_ips\"
|
||||||
|
|
||||||
# Skip sending email when an email was already sent out for that IP the last 24hours
|
# Skip sending email when an email was already sent out for that IP the last 24hours
|
||||||
@ -23,15 +23,17 @@ if ! [ -d \$BANNED_IP_PATH ]; then mkdir \$BANNED_IP_PATH; else find \${BANNED_I
|
|||||||
if [ -n \"\$(find \${BANNED_IP_PATH}/\$REMOTE_IP -mtime -1 2>/dev/null)\" ]; then exit 0; else touch \${BANNED_IP_PATH}/\$REMOTE_IP; fi
|
if [ -n \"\$(find \${BANNED_IP_PATH}/\$REMOTE_IP -mtime -1 2>/dev/null)\" ]; then exit 0; else touch \${BANNED_IP_PATH}/\$REMOTE_IP; fi
|
||||||
|
|
||||||
# Get the Abuse email address from Abusix
|
# Get the Abuse email address from Abusix
|
||||||
if DNS_REPLY=\$(host -t TXT \${REVERSE_IP}abuse-contacts.abusix.org); then
|
#if DNS_REPLY=\$(host -t TXT \${REVERSE_IP}abuse-contacts.abusix.zone); then
|
||||||
ABUSE_ADDR=\$(echo \$DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd \",\")
|
# ABUSE_ADDR=\$(echo \$DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd \",\")
|
||||||
fi
|
#fi
|
||||||
|
|
||||||
|
ABUSE_ADDR=\$(torsocks whois -b \$REMOTE_IP | egrep ^abuse | sed 's/^.*: \?\+//')
|
||||||
|
|
||||||
# Send email
|
# Send email
|
||||||
if [ \$ABUSE_ADDR ]; then
|
if [ \$ABUSE_ADDR ]; then
|
||||||
swaks -f \$SENDER_MAIL -t \"\$ABUSE_ADDR,webmaster@$DOMAIN\" --tlsc -au $USER -ap $PASS -s $SMTP -p 465 \\
|
swaks -f \$SENDER_MAIL -t \"\$ABUSE_ADDR\" -tlsc -a -au $USER -ap $PASS -s $SMTP -p 465 \\
|
||||||
--h-Subject \"[Urgent]: Automatic abuse report for IP address \$REMOTE_IP from $DOMAIN\" --h-From \"Fail2Ban $DOMAIN <\$SENDER_MAIL>\" \\
|
--h-Subject \"[Urgent]: Automatic abuse report for IP address \$REMOTE_IP from $DOMAIN\" --h-From \"Fail2Ban $DOMAIN <\$SENDER_MAIL>\" \\
|
||||||
--h-Bcc \"webmaster@$DOMAIN\" --h-To \$ABUSE_ADDR --body \\
|
--h-To \$ABUSE_ADDR --body \\
|
||||||
\"This is an automatic email abuse report about the IP address \$REMOTE_IP generated at \$DATE, please do not reply.
|
\"This is an automatic email abuse report about the IP address \$REMOTE_IP generated at \$DATE, please do not reply.
|
||||||
You get this email because you are listed as the official and popular abuse email contact for this concrete IP address.
|
You get this email because you are listed as the official and popular abuse email contact for this concrete IP address.
|
||||||
|
|
||||||
@ -41,11 +43,8 @@ The following intrusion attempts were detected by our systems:
|
|||||||
WHOIS report FYI:
|
WHOIS report FYI:
|
||||||
\$WHOIS_OUTPUT
|
\$WHOIS_OUTPUT
|
||||||
|
|
||||||
Thanks for your time and curiosity... take care with botnets...
|
|
||||||
- ANTIBOTNET SYSTEM -
|
- ANTIBOTNET SYSTEM -
|
||||||
together will do a better and free world :-)
|
from postmaster@$DOMAIN by $DOMAIN\"
|
||||||
from postmaster@$DOMAIN
|
|
||||||
by www.$DOMAIN\"
|
|
||||||
fi" > fail2ban_abuse_mail.sh
|
fi" > fail2ban_abuse_mail.sh
|
||||||
|
|
||||||
echo "[Definition]
|
echo "[Definition]
|
||||||
@ -123,14 +122,13 @@ maxretry = 2
|
|||||||
ignoreip = $DOMAIN
|
ignoreip = $DOMAIN
|
||||||
backend = pyinotify
|
backend = pyinotify
|
||||||
filter = sshd
|
filter = sshd
|
||||||
action = iptables-allports
|
action = iptables-allports[name=SSH, protocol=tcp]
|
||||||
sendmail-abuse[name=%(__name__)s, dest=\"%(destemail)s\", logpath=%(logpath)s]" > jail.d/sshd.conf
|
sendmail-abuse[name=%(__name__)s, dest=\"%(destemail)s\", logpath=%(logpath)s]" > jail.d/sshd.conf
|
||||||
|
|
||||||
chmod +x fail2ban_abuse_mail.sh
|
|
||||||
rm -f /etc/fail2ban/jail.d/defaults-debian.conf /var/run/fail2ban/fail2ban.sock
|
rm -f /etc/fail2ban/jail.d/defaults-debian.conf /var/run/fail2ban/fail2ban.sock
|
||||||
mkdir -p /var/run/fail2ban
|
mkdir -p /var/run/fail2ban
|
||||||
/etc/init.d/rsyslog start
|
service rsyslog start
|
||||||
/etc/init.d/ssh start
|
service ssh start
|
||||||
/etc/init.d/fail2ban start
|
service fail2ban start
|
||||||
|
service tor start
|
||||||
/bin/sleep infinity
|
/bin/sleep infinity
|
||||||
|
|
||||||
|
0
fail2ban/fail2ban.log
Normal file
0
fail2ban/fail2ban.log
Normal file
Loading…
Reference in New Issue
Block a user