v0.2

README.md

@@ -1,17 +1,17 @@
-# HatThieves `fail2ban` with abuse reporting system
+# fail2ban with abuse reporting system
 
 ## Config
 
-#### edit [entrypoint.sh](fail2ban/entrypoint.sh) with your smtp settings
+edit [entrypoint.sh](fail2ban/entrypoint.sh) with your smtp settings
 
 ## Expose jail
-```
+
     docker-compose up -d
-```
 
 ## Stop jail
-```
-docker-compose down
-```
 
-### License MIT
+    docker-compose down
+
+## License
+
+    MIT

docker-compose.yml

@@ -3,6 +3,7 @@ version: '2'
 services:
   fail2ban:
     build: ./fail2ban
+    image: fail2ban
     hostname: fail2ban
     container_name: fail2ban
     restart: always
@@ -12,7 +13,15 @@ services:
     volumes:
       - ./fail2ban/entrypoint.sh:/etc/fail2ban/entrypoint.sh:ro
       - ./fail2ban/sshd_config:/etc/ssh/sshd_config:ro
+      - ./fail2ban/fail2ban.log:/var/log/fail2ban.log
     cap_add:
       - NET_ADMIN
       - NET_RAW
-    network_mode: host
+    ports:
+      - "22:22/tcp"
+      - "2222:2222/tcp"
+    networks:
+      failnet:
+
+networks:
+  failnet:

fail2ban/Dockerfile

@@ -1,3 +1,3 @@
 FROM debian:sid-slim
-RUN apt update && apt -y upgrade && apt -y install fail2ban openssh-server rsyslog swaks host python3-pyinotify iptables && apt clean
+RUN apt update && apt -y upgrade && apt -y install fail2ban openssh-server rsyslog swaks host python3-pyinotify iptables tor torsocks && apt clean
 WORKDIR /etc/fail2ban

fail2ban/entrypoint.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
-DOMAIN=hatthieves.es
-SMTP=smtp.hatthieves.es
+DOMAIN=manalejandro.com
+SMTP=smtp.manalejandro.com
 USER=fail2ban
 PASS=pass
 
@@ -13,9 +13,9 @@ SENDER_MAIL=\"\$2\"
 DEST_MAIL=\"\$3\"
 LOGFILE=\"\$4\"
 DATE=\$(date)
-WHOIS_OUTPUT=\$(whois \$REMOTE_IP)
+WHOIS_OUTPUT=\$(torsocks whois \$REMOTE_IP)
 REVERSE_IP=\$(echo \$REMOTE_IP | awk 'BEGIN{FS=\".\";ORS=\".\"} {for (i = NF; i > 0; i--){print \$i}}')
-LOG_LINES=\$(grep \$REMOTE_IP \$LOGFILE)
+LOG_LINES=\$(grep -a \$REMOTE_IP \$LOGFILE)
 BANNED_IP_PATH=\"/var/tmp/fail2ban_banned_ips\"
 
 # Skip sending email when an email was already sent out for that IP the last 24hours
@@ -23,15 +23,17 @@ if ! [ -d \$BANNED_IP_PATH ]; then mkdir \$BANNED_IP_PATH; else find \${BANNED_I
 if [ -n \"\$(find \${BANNED_IP_PATH}/\$REMOTE_IP -mtime -1 2>/dev/null)\" ]; then exit 0; else touch \${BANNED_IP_PATH}/\$REMOTE_IP; fi
 
 # Get the Abuse email address from Abusix
-if DNS_REPLY=\$(host -t TXT \${REVERSE_IP}abuse-contacts.abusix.org); then
-  ABUSE_ADDR=\$(echo \$DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd \",\")
-fi
+#if DNS_REPLY=\$(host -t TXT \${REVERSE_IP}abuse-contacts.abusix.zone); then
+#  ABUSE_ADDR=\$(echo \$DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd \",\")
+#fi
+
+ABUSE_ADDR=\$(torsocks whois -b \$REMOTE_IP | egrep ^abuse | sed 's/^.*: \?\+//')
 
 # Send email
 if [ \$ABUSE_ADDR ]; then
-swaks -f \$SENDER_MAIL -t \"\$ABUSE_ADDR,webmaster@$DOMAIN\" --tlsc -au $USER -ap $PASS -s $SMTP -p 465 \\
+swaks -f \$SENDER_MAIL -t \"\$ABUSE_ADDR\" -tlsc -a -au $USER -ap $PASS -s $SMTP -p 465 \\
 --h-Subject \"[Urgent]: Automatic abuse report for IP address \$REMOTE_IP from $DOMAIN\" --h-From \"Fail2Ban $DOMAIN <\$SENDER_MAIL>\" \\
---h-Bcc \"webmaster@$DOMAIN\" --h-To \$ABUSE_ADDR --body \\
+--h-To \$ABUSE_ADDR --body \\
 \"This is an automatic email abuse report about the IP address \$REMOTE_IP generated at \$DATE, please do not reply.
 You get this email because you are listed as the official and popular abuse email contact for this concrete IP address.
 
@@ -41,11 +43,8 @@ The following intrusion attempts were detected by our systems:
 WHOIS report FYI:
 \$WHOIS_OUTPUT
 
-Thanks for your time and curiosity... take care with botnets...
 - ANTIBOTNET SYSTEM -
-together will do a better and free world :-)
-from postmaster@$DOMAIN
-by www.$DOMAIN\"
+from postmaster@$DOMAIN by $DOMAIN\"
 fi" > fail2ban_abuse_mail.sh
 
 echo "[Definition]
@@ -123,14 +122,13 @@ maxretry = 2
 ignoreip = $DOMAIN
 backend = pyinotify
 filter = sshd
-action = iptables-allports
+action = iptables-allports[name=SSH, protocol=tcp]
          sendmail-abuse[name=%(__name__)s, dest=\"%(destemail)s\", logpath=%(logpath)s]" > jail.d/sshd.conf
 
-chmod +x fail2ban_abuse_mail.sh
 rm -f /etc/fail2ban/jail.d/defaults-debian.conf /var/run/fail2ban/fail2ban.sock
 mkdir -p /var/run/fail2ban
-/etc/init.d/rsyslog start
-/etc/init.d/ssh start
-/etc/init.d/fail2ban start
+service rsyslog start
+service ssh start
+service fail2ban start
+service tor start
 /bin/sleep infinity
-