ale/fail2ban
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

last changes

Browse Source
This commit is contained in:
ale 2019-07-02 12:40:07 +00:00
parent 0b261f4a45
commit 417ead2c99
7 changed files with 27 additions and 126 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
README.md
View File

@ -1,3 +1,19 @@
# fail2ban ssh abuse email provider # fail2ban ssh abuse email provider
## ANTIBOTNET SYSTEM ## ANTIBOTNET SYSTEM
## Config
### edit `entrypoint.sh` with your smtp settings
## Expose jail
```
docker-compose up -d
```
## Stop jail
```
docker-compose down
```
### License MIT

66
action.d/sendmail-abuse.conf
View File

@ -1,66 +0,0 @@
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
actionban = /etc/fail2ban/fail2ban_abuse_mail.sh <ip> <sender> <dest> <logpath>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban =
[Init]
# Defaut name of the chain
#
name = default
# Destination/Addressee of the mail
#
dest = webmaster@hatthieves.es
# Sender of the mail
#
sender = fail2ban@hatthieves.es
# Path to the log files which contain relevant lines for the abuser IP
#
logpath = /dev/null

6
docker-compose.yml
View File

@ -16,8 +16,4 @@ services:
ports: ports:
- 22:22/tcp - 22:22/tcp
- 2222:2222/tcp - 2222:2222/tcp
networks: network_mode: host
failnet:
networks:
failnet:

2
fail2ban/Dockerfile
View File

@ -1,3 +1,3 @@
FROM debian:sid-slim FROM debian:sid-slim
RUN apt update && apt -y upgrade && apt -y install fail2ban openssh-server rsyslog swaks host && apt clean RUN apt update && apt -y upgrade && apt -y install fail2ban openssh-server rsyslog swaks host python3-pyinotify && apt clean
WORKDIR /etc/fail2ban WORKDIR /etc/fail2ban

13
fail2ban/entrypoint.sh
View File

@ -118,13 +118,18 @@ logpath = /dev/null" > action.d/sendmail-abuse.conf
echo "[sshd] echo "[sshd]
enabled = true enabled = true
bantime = 10800 bantime = 10800
maxretry = 6 maxretry = 4
ignoreip = $DOMAIN ignoreip = $DOMAIN
action = hostsdeny backend = pyinotify
filter = sshd
action = iptables-allports
sendmail-abuse[name=%(__name__)s, dest=\"%(destemail)s\", logpath=%(logpath)s]" > jail.d/sshd.conf sendmail-abuse[name=%(__name__)s, dest=\"%(destemail)s\", logpath=%(logpath)s]" > jail.d/sshd.conf
chmod +x fail2ban_abuse_mail.sh chmod +x fail2ban_abuse_mail.sh
rm -f /etc/fail2ban/jail.d/defaults-debian.conf /var/run/fail2ban/fail2ban.sock
mkdir -p /var/run/fail2ban
/etc/init.d/rsyslog start /etc/init.d/rsyslog start
/etc/init.d/ssh start /etc/init.d/ssh start
mkdir -p /var/run/fail2ban /etc/init.d/fail2ban start
/usr/bin/python3 /usr/bin/fail2ban-server -xf start /bin/sleep infinity

43
fail2ban_abuse_mail.sh
View File

@ -1,43 +0,0 @@
#!/bin/bash
PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
LANG="C"
REMOTE_IP="$1"
SENDER_MAIL="$2"
DEST_MAIL="$3"
LOGFILE="$4"
DATE=$(date)
WHOIS_OUTPUT=$(whois $REMOTE_IP)
REVERSE_IP=$(echo $REMOTE_IP | awk 'BEGIN{FS=".";ORS="."} {for (i = NF; i > 0; i--){print $i}}')
LOG_LINES=$(grep $REMOTE_IP $LOGFILE)
BANNED_IP_PATH="/var/tmp/fail2ban_banned_ips"
# Skip sending email when an email was already sent out for that IP the last 24hours
if ! [ -d $BANNED_IP_PATH ]; then mkdir $BANNED_IP_PATH; else find ${BANNED_IP_PATH}/ -mtime +30 -type f -delete; fi
if [ -n "$(find ${BANNED_IP_PATH}/$REMOTE_IP -mtime -1 2>/dev/null)" ]; then exit 0; else touch ${BANNED_IP_PATH}/$REMOTE_IP; fi
# Get the Abuse email address from Abusix
if DNS_REPLY=$(host -t TXT ${REVERSE_IP}abuse-contacts.abusix.org); then
ABUSE_ADDR=$(echo $DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd ",")
fi
# Send email
if [ $ABUSE_ADDR ]; then
swaks -f $SENDER_MAIL -t "$ABUSE_ADDR" --tlsc -au fail2ban -ap pass -s mail.hatthieves.es -p 465 \
--h-Subject "[Urgent]: Automatic abuse report for IP address $REMOTE_IP from hatthieves.es" --h-From "Fail2Ban hatthieves.es <$SENDER_MAIL>" \
--h-Bcc "webmail@hatthieves.es" --h-To $ABUSE_ADDR --body \
"This is an automatic email abuse report about the IP address $REMOTE_IP generated at $DATE, please do not reply.
You get this email because you are listed as the official and popular abuse email contact for this concrete IP address.
The following intrusion attempts were detected by our systems:
$LOG_LINES
WHOIS report FYI:
$WHOIS_OUTPUT
Thanks for your time and curiosity... take care with botnets...
- ANTIBOTNET SYSTEM -
together will do a better and free world :-)
from postmaster@hatthieves.es
by www.HatThieves.es"
fi

7
jail.d/sshd.conf
View File

@ -1,7 +0,0 @@
[sshd]
enabled = true
bantime = 10800
maxretry = 6
ignoreip = manalejandro.com,hatthieves.es
action = hostsdeny
sendmail-abuse[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]