ale 2021-02-02 01:13:19 +01:00
parent a3a4e8cbc1
commit 34254b569d
5 changed files with 38 additions and 31 deletions


@ -1,17 +1,17 @@
# HatThieves `fail2ban` with abuse reporting system # fail2ban with abuse reporting system
## Config ## Config
#### edit [entrypoint.sh](fail2ban/entrypoint.sh) with your smtp settings edit [entrypoint.sh](fail2ban/entrypoint.sh) with your smtp settings
## Expose jail ## Expose jail
```
docker-compose up -d docker-compose up -d
```
## Stop jail ## Stop jail
```
docker-compose down
```
### License MIT docker-compose down
## License
MIT


@ -3,6 +3,7 @@ version: '2'
services: services:
fail2ban: fail2ban:
build: ./fail2ban build: ./fail2ban
image: fail2ban
hostname: fail2ban hostname: fail2ban
container_name: fail2ban container_name: fail2ban
restart: always restart: always
@ -12,7 +13,15 @@ services:
volumes: volumes:
- ./fail2ban/entrypoint.sh:/etc/fail2ban/entrypoint.sh:ro - ./fail2ban/entrypoint.sh:/etc/fail2ban/entrypoint.sh:ro
- ./fail2ban/sshd_config:/etc/ssh/sshd_config:ro - ./fail2ban/sshd_config:/etc/ssh/sshd_config:ro
- ./fail2ban/fail2ban.log:/var/log/fail2ban.log
cap_add: cap_add:
- NET_ADMIN - NET_ADMIN
- NET_RAW - NET_RAW
network_mode: host ports:
- "22:22/tcp"
- "2222:2222/tcp"
networks:
failnet:
networks:
failnet:
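Review bot: Replacing `network_mode: host` with a `failnet` bridge network and published ports moves the `iptables-allports` ban rule from the host's network namespace into the container's, so a ban now only protects this container's sshd rather than the host. Connections that Docker relays through its userland proxy (IPv6 or loopback-originated ones, in typical setups) reach the container with the bridge gateway as their source address, so a burst of failed logins via that path could get the gateway itself banned and lock out every relayed client; this is inferred from Docker's default behaviour, not visible here. The jail's `ignoreip` is generated in entrypoint.sh with only `$DOMAIN`, so consider giving `failnet` an explicit `ipam` subnet and adding that subnet to `ignoreip`, or documenting in the README that bans now apply only inside the container.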


@ -1,3 +1,3 @@
FROM debian:sid-slim FROM debian:sid-slim
RUN apt update && apt -y upgrade && apt -y install fail2ban openssh-server rsyslog swaks host python3-pyinotify iptables && apt clean RUN apt update && apt -y upgrade && apt -y install fail2ban openssh-server rsyslog swaks host python3-pyinotify iptables tor torsocks && apt clean
WORKDIR /etc/fail2ban WORKDIR /etc/fail2ban
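Review bot: The new `tor torsocks` packages land on an unpinned rolling `debian:sid-slim` base with a blanket `apt -y upgrade`, so two builds of the same commit can ship different Tor and fail2ban versions, and `apt clean` leaves the downloaded lists in the layer. Prefer the scripted front end with recommends disabled and the lists removed in the same layer: `RUN apt-get update && apt-get install -y --no-install-recommends fail2ban openssh-server rsyslog swaks host python3-pyinotify iptables tor torsocks && rm -rf /var/lib/apt/lists/*`. Pinning the base image by tag or digest would also make the `sid` dependency explicit rather than implicit.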


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
DOMAIN=hatthieves.es DOMAIN=manalejandro.com
SMTP=smtp.hatthieves.es SMTP=smtp.manalejandro.com
USER=fail2ban USER=fail2ban
PASS=pass PASS=pass
@ -13,9 +13,9 @@ SENDER_MAIL=\"\$2\"
DEST_MAIL=\"\$3\" DEST_MAIL=\"\$3\"
LOGFILE=\"\$4\" LOGFILE=\"\$4\"
DATE=\$(date) DATE=\$(date)
WHOIS_OUTPUT=\$(whois \$REMOTE_IP) WHOIS_OUTPUT=\$(torsocks whois \$REMOTE_IP)
REVERSE_IP=\$(echo \$REMOTE_IP | awk 'BEGIN{FS=\".\";ORS=\".\"} {for (i = NF; i > 0; i--){print \$i}}') REVERSE_IP=\$(echo \$REMOTE_IP | awk 'BEGIN{FS=\".\";ORS=\".\"} {for (i = NF; i > 0; i--){print \$i}}')
LOG_LINES=\$(grep \$REMOTE_IP \$LOGFILE) LOG_LINES=\$(grep -a \$REMOTE_IP \$LOGFILE)
BANNED_IP_PATH=\"/var/tmp/fail2ban_banned_ips\" BANNED_IP_PATH=\"/var/tmp/fail2ban_banned_ips\"
# Skip sending email when an email was already sent out for that IP the last 24hours # Skip sending email when an email was already sent out for that IP the last 24hours
@ -23,15 +23,17 @@ if ! [ -d \$BANNED_IP_PATH ]; then mkdir \$BANNED_IP_PATH; else find \${BANNED_I
if [ -n \"\$(find \${BANNED_IP_PATH}/\$REMOTE_IP -mtime -1 2>/dev/null)\" ]; then exit 0; else touch \${BANNED_IP_PATH}/\$REMOTE_IP; fi if [ -n \"\$(find \${BANNED_IP_PATH}/\$REMOTE_IP -mtime -1 2>/dev/null)\" ]; then exit 0; else touch \${BANNED_IP_PATH}/\$REMOTE_IP; fi
# Get the Abuse email address from Abusix # Get the Abuse email address from Abusix
if DNS_REPLY=\$(host -t TXT \${REVERSE_IP}abuse-contacts.abusix.org); then #if DNS_REPLY=\$(host -t TXT \${REVERSE_IP}abuse-contacts.abusix.zone); then
ABUSE_ADDR=\$(echo \$DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd \",\") # ABUSE_ADDR=\$(echo \$DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd \",\")
fi #fi
ABUSE_ADDR=\$(torsocks whois -b \$REMOTE_IP | egrep ^abuse | sed 's/^.*: \?\+//')
# Send email # Send email
if [ \$ABUSE_ADDR ]; then if [ \$ABUSE_ADDR ]; then
swaks -f \$SENDER_MAIL -t \"\$ABUSE_ADDR,webmaster@$DOMAIN\" --tlsc -au $USER -ap $PASS -s $SMTP -p 465 \\ swaks -f \$SENDER_MAIL -t \"\$ABUSE_ADDR\" -tlsc -a -au $USER -ap $PASS -s $SMTP -p 465 \\
--h-Subject \"[Urgent]: Automatic abuse report for IP address \$REMOTE_IP from $DOMAIN\" --h-From \"Fail2Ban $DOMAIN <\$SENDER_MAIL>\" \\ --h-Subject \"[Urgent]: Automatic abuse report for IP address \$REMOTE_IP from $DOMAIN\" --h-From \"Fail2Ban $DOMAIN <\$SENDER_MAIL>\" \\
--h-Bcc \"webmaster@$DOMAIN\" --h-To \$ABUSE_ADDR --body \\ --h-To \$ABUSE_ADDR --body \\
\"This is an automatic email abuse report about the IP address \$REMOTE_IP generated at \$DATE, please do not reply. \"This is an automatic email abuse report about the IP address \$REMOTE_IP generated at \$DATE, please do not reply.
You get this email because you are listed as the official and popular abuse email contact for this concrete IP address. You get this email because you are listed as the official and popular abuse email contact for this concrete IP address.
@ -41,11 +43,8 @@ The following intrusion attempts were detected by our systems:
WHOIS report FYI: WHOIS report FYI:
\$WHOIS_OUTPUT \$WHOIS_OUTPUT
Thanks for your time and curiosity... take care with botnets...
- ANTIBOTNET SYSTEM - - ANTIBOTNET SYSTEM -
together will do a better and free world :-) from postmaster@$DOMAIN by $DOMAIN\"
from postmaster@$DOMAIN
by www.$DOMAIN\"
fi" > fail2ban_abuse_mail.sh fi" > fail2ban_abuse_mail.sh
echo "[Definition] echo "[Definition]
@ -123,14 +122,13 @@ maxretry = 2
ignoreip = $DOMAIN ignoreip = $DOMAIN
backend = pyinotify backend = pyinotify
filter = sshd filter = sshd
action = iptables-allports action = iptables-allports[name=SSH, protocol=tcp]
sendmail-abuse[name=%(__name__)s, dest=\"%(destemail)s\", logpath=%(logpath)s]" > jail.d/sshd.conf sendmail-abuse[name=%(__name__)s, dest=\"%(destemail)s\", logpath=%(logpath)s]" > jail.d/sshd.conf
chmod +x fail2ban_abuse_mail.sh
rm -f /etc/fail2ban/jail.d/defaults-debian.conf /var/run/fail2ban/fail2ban.sock rm -f /etc/fail2ban/jail.d/defaults-debian.conf /var/run/fail2ban/fail2ban.sock
mkdir -p /var/run/fail2ban mkdir -p /var/run/fail2ban
/etc/init.d/rsyslog start service rsyslog start
/etc/init.d/ssh start service ssh start
/etc/init.d/fail2ban start service fail2ban start
/bin/sleep infinity service tor start
/bin/sleep infinity
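Review bot: The new `ABUSE_ADDR=\$(torsocks whois -b \$REMOTE_IP | egrep ^abuse | sed ...)` line feeds unfiltered WHOIS text from a remote registry into `[ \$ABUSE_ADDR ]`, `-t \"\$ABUSE_ADDR\"` and the unquoted `--h-To \$ABUSE_ADDR`; any `abuse-c:`-style line or a second match yields a multi-word value that either aborts the test with a "binary operator expected" error (no report sent) or, in the unquoted `--h-To`, lets registry-supplied words become extra swaks arguments. The abusix branch that was commented out already had the right shape, so keep its address filter and quote the expansions: `ABUSE_ADDR=\$(torsocks whois -b \"\$REMOTE_IP\" | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | sort -u | paste -sd \",\")`, `if [ -n \"\$ABUSE_ADDR\" ]; then`, `--h-To \"\$ABUSE_ADDR\"`. Separately, `service tor start` now runs after `service fail2ban start`, and the 24-hour marker file is touched before the lookup, so a ban that fires before Tor has bootstrapped produces an empty `ABUSE_ADDR` and silently suppresses the report for that IP for a day; starting tor first, or touching the marker only after a successful send, avoids that.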

fail2ban/fail2ban.log Normal file