last changes

2019-07-02 12:40:07 +00:00 · 2019-07-02 12:40:07 +00:00 · 417ead2c99
commit 417ead2c99
parent 0b261f4a45
7 changed files with 27 additions and 126 deletions
--- a/README.md
+++ b/README.md
@ -1,3 +1,19 @@
 # fail2ban ssh abuse email provider

 ## ANTIBOTNET SYSTEM
+
+## Config
+
+### edit `entrypoint.sh` with your smtp settings
+
+## Expose jail
+```
+docker-compose up -d
+```
+
+## Stop jail
+```
+docker-compose down
+```
+
+### License MIT
--- a/action.d/sendmail-abuse.conf
+++ b/action.d/sendmail-abuse.conf
@ -1,66 +0,0 @@
-[Definition]
- 
-# Option:  actionstart
-# Notes.:  command executed once at the start of Fail2Ban.
-# Values:  CMD
-#
-actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
-              Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
-              From: Fail2Ban <<sender>>
-              To: <dest>\n
-              Hi,\n
-              The jail <name> has been started successfully.\n
-              Regards,\n
-              Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
- 
-# Option:  actionstop
-# Notes.:  command executed once at the end of Fail2Ban
-# Values:  CMD
-#
-actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
-             Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
-             From: Fail2Ban <<sender>>
-             To: <dest>\n
-             Hi,\n
-             The jail <name> has been stopped.\n
-             Regards,\n
-             Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
- 
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck =
- 
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-actionban = /etc/fail2ban/fail2ban_abuse_mail.sh <ip> <sender> <dest> <logpath>
- 
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
-#          <failures>  number of failures
-#          <time>  unix timestamp of the ban time
-# Values:  CMD
-#
-actionunban =
- 
-[Init]
- 
-# Defaut name of the chain
-#
-name = default
- 
-# Destination/Addressee of the mail
-#
-dest = webmaster@hatthieves.es
- 
-# Sender of the mail
-#
-sender = fail2ban@hatthieves.es
- 
-# Path to the log files which contain relevant lines for the abuser IP
-#
-logpath = /dev/null
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -16,8 +16,4 @@ services:
    ports:
      - 22:22/tcp
      - 2222:2222/tcp
-    networks:
-      failnet:
-        
-networks:
-  failnet:
+    network_mode: host
--- a/fail2ban/Dockerfile
+++ b/fail2ban/Dockerfile
@ -1,3 +1,3 @@
 FROM debian:sid-slim
-RUN apt update && apt -y upgrade && apt -y install fail2ban openssh-server rsyslog swaks host && apt clean
+RUN apt update && apt -y upgrade && apt -y install fail2ban openssh-server rsyslog swaks host python3-pyinotify && apt clean
 WORKDIR /etc/fail2ban
--- a/fail2ban/entrypoint.sh
+++ b/fail2ban/entrypoint.sh
@ -118,13 +118,18 @@ logpath = /dev/null" > action.d/sendmail-abuse.conf
 echo "[sshd]
 enabled = true
 bantime = 10800
-maxretry = 6
+maxretry = 4
 ignoreip = $DOMAIN
-action = hostsdeny
+backend = pyinotify
+filter = sshd
+action = iptables-allports
         sendmail-abuse[name=%(__name__)s, dest=\"%(destemail)s\", logpath=%(logpath)s]" > jail.d/sshd.conf

 chmod +x fail2ban_abuse_mail.sh
+rm -f /etc/fail2ban/jail.d/defaults-debian.conf /var/run/fail2ban/fail2ban.sock
+mkdir -p /var/run/fail2ban
 /etc/init.d/rsyslog start
 /etc/init.d/ssh start
-mkdir -p /var/run/fail2ban
-/usr/bin/python3 /usr/bin/fail2ban-server -xf start
+/etc/init.d/fail2ban start
+/bin/sleep infinity
+
--- a/fail2ban_abuse_mail.sh
+++ b/fail2ban_abuse_mail.sh
@ -1,43 +0,0 @@
-#!/bin/bash
-
-PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-LANG="C"
-REMOTE_IP="$1"
-SENDER_MAIL="$2"
-DEST_MAIL="$3"
-LOGFILE="$4"
-DATE=$(date)
-WHOIS_OUTPUT=$(whois $REMOTE_IP)
-REVERSE_IP=$(echo $REMOTE_IP | awk 'BEGIN{FS=".";ORS="."} {for (i = NF; i > 0; i--){print $i}}')
-LOG_LINES=$(grep $REMOTE_IP $LOGFILE)
-BANNED_IP_PATH="/var/tmp/fail2ban_banned_ips"
-
-# Skip sending email when an email was already sent out for that IP the last 24hours
-if ! [ -d $BANNED_IP_PATH ]; then mkdir $BANNED_IP_PATH; else find ${BANNED_IP_PATH}/ -mtime +30 -type f -delete; fi
-if [ -n "$(find ${BANNED_IP_PATH}/$REMOTE_IP -mtime -1 2>/dev/null)" ]; then exit 0; else touch ${BANNED_IP_PATH}/$REMOTE_IP; fi
-
-# Get the Abuse email address from Abusix
-if DNS_REPLY=$(host -t TXT ${REVERSE_IP}abuse-contacts.abusix.org); then
-  ABUSE_ADDR=$(echo $DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd ",")
-fi
-
-# Send email
-if [ $ABUSE_ADDR ]; then
-swaks -f $SENDER_MAIL -t "$ABUSE_ADDR" --tlsc -au fail2ban -ap pass -s mail.hatthieves.es -p 465 \
--h-Subject "[Urgent]: Automatic abuse report for IP address $REMOTE_IP from hatthieves.es" --h-From "Fail2Ban hatthieves.es <$SENDER_MAIL>" \
--h-Bcc "webmail@hatthieves.es" --h-To $ABUSE_ADDR --body \
-"This is an automatic email abuse report about the IP address $REMOTE_IP generated at $DATE, please do not reply.
-You get this email because you are listed as the official and popular abuse email contact for this concrete IP address.
-
-The following intrusion attempts were detected by our systems:
-$LOG_LINES
-
-WHOIS report FYI:
-$WHOIS_OUTPUT
-
-Thanks for your time and curiosity... take care with botnets...
- ANTIBOTNET SYSTEM -
-together will do a better and free world :-)
-from postmaster@hatthieves.es
-by www.HatThieves.es"
-fi
--- a/jail.d/sshd.conf
+++ b/jail.d/sshd.conf
@ -1,7 +0,0 @@
-[sshd]
-enabled = true
-bantime = 10800
-maxretry = 6
-ignoreip = manalejandro.com,hatthieves.es
-action = hostsdeny
-         sendmail-abuse[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]