initial commit
This commit is contained in:
ale
commit
c7d1a65655
66
action.d/sendmail-abuse.conf
Normal file
66
action.d/sendmail-abuse.conf
Normal file
@ -0,0 +1,66 @@
|
|||||||
|
[Definition]
|
||||||
|
|
||||||
|
# Option: actionstart
|
||||||
|
# Notes.: command executed once at the start of Fail2Ban.
|
||||||
|
# Values: CMD
|
||||||
|
#
|
||||||
|
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
|
||||||
|
Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
|
||||||
|
From: Fail2Ban <<sender>>
|
||||||
|
To: <dest>\n
|
||||||
|
Hi,\n
|
||||||
|
The jail <name> has been started successfully.\n
|
||||||
|
Regards,\n
|
||||||
|
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
|
||||||
|
|
||||||
|
# Option: actionstop
|
||||||
|
# Notes.: command executed once at the end of Fail2Ban
|
||||||
|
# Values: CMD
|
||||||
|
#
|
||||||
|
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
|
||||||
|
Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
|
||||||
|
From: Fail2Ban <<sender>>
|
||||||
|
To: <dest>\n
|
||||||
|
Hi,\n
|
||||||
|
The jail <name> has been stopped.\n
|
||||||
|
Regards,\n
|
||||||
|
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
|
||||||
|
|
||||||
|
# Option: actioncheck
|
||||||
|
# Notes.: command executed once before each actionban command
|
||||||
|
# Values: CMD
|
||||||
|
#
|
||||||
|
actioncheck =
|
||||||
|
|
||||||
|
# Option: actionban
|
||||||
|
# Notes.: command executed when banning an IP. Take care that the
|
||||||
|
# command is executed with Fail2Ban user rights.
|
||||||
|
actionban = /etc/fail2ban/fail2ban_abuse_mail.sh <ip> <sender> <dest> <logpath>
|
||||||
|
|
||||||
|
# Option: actionunban
|
||||||
|
# Notes.: command executed when unbanning an IP. Take care that the
|
||||||
|
# command is executed with Fail2Ban user rights.
|
||||||
|
# Tags: <ip> IP address
|
||||||
|
# <failures> number of failures
|
||||||
|
# <time> unix timestamp of the ban time
|
||||||
|
# Values: CMD
|
||||||
|
#
|
||||||
|
actionunban =
|
||||||
|
|
||||||
|
[Init]
|
||||||
|
|
||||||
|
# Defaut name of the chain
|
||||||
|
#
|
||||||
|
name = default
|
||||||
|
|
||||||
|
# Destination/Addressee of the mail
|
||||||
|
#
|
||||||
|
dest = webmaster@hatthieves.es
|
||||||
|
|
||||||
|
# Sender of the mail
|
||||||
|
#
|
||||||
|
sender = fail2ban@hatthieves.es
|
||||||
|
|
||||||
|
# Path to the log files which contain relevant lines for the abuser IP
|
||||||
|
#
|
||||||
|
logpath = /dev/null
|
||||||
44
fail2ban_abuse_mail.sh
Executable file
44
fail2ban_abuse_mail.sh
Executable file
@ -0,0 +1,44 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||||
|
LANG="C"
|
||||||
|
REMOTE_IP="$1"
|
||||||
|
SENDER_MAIL="$2"
|
||||||
|
DEST_MAIL="$3"
|
||||||
|
LOGFILE="$4"
|
||||||
|
DATE=$(date)
|
||||||
|
WHOIS_OUTPUT=$(whois $REMOTE_IP)
|
||||||
|
REVERSE_IP=$(echo $REMOTE_IP | awk 'BEGIN{FS=".";ORS="."} {for (i = NF; i > 0; i--){print $i}}')
|
||||||
|
LOG_LINES=$(grep $REMOTE_IP $LOGFILE)
|
||||||
|
BANNED_IP_PATH="/var/tmp/fail2ban_banned_ips"
|
||||||
|
|
||||||
|
# Skip sending email when an email was already sent out for that IP the last 24hours
|
||||||
|
if ! [ -d $BANNED_IP_PATH ]; then mkdir $BANNED_IP_PATH; else find ${BANNED_IP_PATH}/ -mtime +30 -type f -delete; fi
|
||||||
|
if [ -n "$(find ${BANNED_IP_PATH}/$REMOTE_IP -mtime -1 2>/dev/null)" ]; then exit 0; else touch ${BANNED_IP_PATH}/$REMOTE_IP; fi
|
||||||
|
|
||||||
|
# Get the Abuse email address from Abusix
|
||||||
|
if DNS_REPLY=$(host -t TXT ${REVERSE_IP}abuse-contacts.abusix.org); then
|
||||||
|
ABUSE_ADDR=$(echo $DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd ",")
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Send email
|
||||||
|
if [ $ABUSE_ADDR ]; then
|
||||||
|
#sendmail -t -i -f $SENDER_MAIL $ABUSE_ADDR << EOF
|
||||||
|
swaks -f $SENDER_MAIL -t "$ABUSE_ADDR" --tlsc -au fail2ban -ap pass -s mail.hatthieves.es -p 465 \
|
||||||
|
--h-Subject "[Urgent]: Automatic abuse report for IP address $REMOTE_IP from hatthieves.es, please read" --h-From "Fail2Ban hatthieves.es <$SENDER_MAIL>" \
|
||||||
|
--h-Bcc "webmail@hatthieves.es" --h-To $ABUSE_ADDR --body \
|
||||||
|
"This is an automatic email abuse report about the IP address $REMOTE_IP generated at $DATE, please do not reply.
|
||||||
|
You get this email because you are listed as the official and popular abuse email contact for this concrete IP address.
|
||||||
|
|
||||||
|
The following intrusion attempts were detected by our systems:
|
||||||
|
$LOG_LINES
|
||||||
|
|
||||||
|
WHOIS report FYI:
|
||||||
|
$WHOIS_OUTPUT
|
||||||
|
|
||||||
|
Thanks for your time and curiosity... take care with botnets...
|
||||||
|
- ANTIBOTNET SYSTEM -
|
||||||
|
together will do a better and free world :-)
|
||||||
|
from postmaster@hatthieves.es
|
||||||
|
by www.HatThieves.es"
|
||||||
|
fi
|
||||||
7
jail.d/sshd.conf
Normal file
7
jail.d/sshd.conf
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
[sshd]
|
||||||
|
enabled = true
|
||||||
|
bantime = 10800
|
||||||
|
maxretry = 6
|
||||||
|
ignoreip = manalejandro.com,hatthieves.es
|
||||||
|
action = hostsdeny
|
||||||
|
sendmail-abuse[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
|
||||||
Loading…
Reference in New Issue
Block a user