initial commit
This commit is contained in:
ale
commit
c7d1a65655
66
action.d/sendmail-abuse.conf
Normal file
66
action.d/sendmail-abuse.conf
Normal file
@ -0,0 +1,66 @@
|
||||
[Definition]
|
||||
|
||||
# Option: actionstart
|
||||
# Notes.: command executed once at the start of Fail2Ban.
|
||||
# Values: CMD
|
||||
#
|
||||
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started
|
||||
Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
|
||||
From: Fail2Ban <<sender>>
|
||||
To: <dest>\n
|
||||
Hi,\n
|
||||
The jail <name> has been started successfully.\n
|
||||
Regards,\n
|
||||
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
|
||||
|
||||
# Option: actionstop
|
||||
# Notes.: command executed once at the end of Fail2Ban
|
||||
# Values: CMD
|
||||
#
|
||||
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped
|
||||
Date: `date -u +"%%a, %%d %%h %%Y %%T +0000"`
|
||||
From: Fail2Ban <<sender>>
|
||||
To: <dest>\n
|
||||
Hi,\n
|
||||
The jail <name> has been stopped.\n
|
||||
Regards,\n
|
||||
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
|
||||
|
||||
# Option: actioncheck
|
||||
# Notes.: command executed once before each actionban command
|
||||
# Values: CMD
|
||||
#
|
||||
actioncheck =
|
||||
|
||||
# Option: actionban
|
||||
# Notes.: command executed when banning an IP. Take care that the
|
||||
# command is executed with Fail2Ban user rights.
|
||||
actionban = /etc/fail2ban/fail2ban_abuse_mail.sh <ip> <sender> <dest> <logpath>
|
||||
|
||||
# Option: actionunban
|
||||
# Notes.: command executed when unbanning an IP. Take care that the
|
||||
# command is executed with Fail2Ban user rights.
|
||||
# Tags: <ip> IP address
|
||||
# <failures> number of failures
|
||||
# <time> unix timestamp of the ban time
|
||||
# Values: CMD
|
||||
#
|
||||
actionunban =
|
||||
|
||||
[Init]
|
||||
|
||||
# Defaut name of the chain
|
||||
#
|
||||
name = default
|
||||
|
||||
# Destination/Addressee of the mail
|
||||
#
|
||||
dest = webmaster@hatthieves.es
|
||||
|
||||
# Sender of the mail
|
||||
#
|
||||
sender = fail2ban@hatthieves.es
|
||||
|
||||
# Path to the log files which contain relevant lines for the abuser IP
|
||||
#
|
||||
logpath = /dev/null
|
||||
44
fail2ban_abuse_mail.sh
Executable file
44
fail2ban_abuse_mail.sh
Executable file
@ -0,0 +1,44 @@
|
||||
#!/bin/bash
|
||||
|
||||
PATH="$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
LANG="C"
|
||||
REMOTE_IP="$1"
|
||||
SENDER_MAIL="$2"
|
||||
DEST_MAIL="$3"
|
||||
LOGFILE="$4"
|
||||
DATE=$(date)
|
||||
WHOIS_OUTPUT=$(whois $REMOTE_IP)
|
||||
REVERSE_IP=$(echo $REMOTE_IP | awk 'BEGIN{FS=".";ORS="."} {for (i = NF; i > 0; i--){print $i}}')
|
||||
LOG_LINES=$(grep $REMOTE_IP $LOGFILE)
|
||||
BANNED_IP_PATH="/var/tmp/fail2ban_banned_ips"
|
||||
|
||||
# Skip sending email when an email was already sent out for that IP the last 24hours
|
||||
if ! [ -d $BANNED_IP_PATH ]; then mkdir $BANNED_IP_PATH; else find ${BANNED_IP_PATH}/ -mtime +30 -type f -delete; fi
|
||||
if [ -n "$(find ${BANNED_IP_PATH}/$REMOTE_IP -mtime -1 2>/dev/null)" ]; then exit 0; else touch ${BANNED_IP_PATH}/$REMOTE_IP; fi
|
||||
|
||||
# Get the Abuse email address from Abusix
|
||||
if DNS_REPLY=$(host -t TXT ${REVERSE_IP}abuse-contacts.abusix.org); then
|
||||
ABUSE_ADDR=$(echo $DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd ",")
|
||||
fi
|
||||
|
||||
# Send email
|
||||
if [ $ABUSE_ADDR ]; then
|
||||
#sendmail -t -i -f $SENDER_MAIL $ABUSE_ADDR << EOF
|
||||
swaks -f $SENDER_MAIL -t "$ABUSE_ADDR" --tlsc -au fail2ban -ap pass -s mail.hatthieves.es -p 465 \
|
||||
--h-Subject "[Urgent]: Automatic abuse report for IP address $REMOTE_IP from hatthieves.es, please read" --h-From "Fail2Ban hatthieves.es <$SENDER_MAIL>" \
|
||||
--h-Bcc "webmail@hatthieves.es" --h-To $ABUSE_ADDR --body \
|
||||
"This is an automatic email abuse report about the IP address $REMOTE_IP generated at $DATE, please do not reply.
|
||||
You get this email because you are listed as the official and popular abuse email contact for this concrete IP address.
|
||||
|
||||
The following intrusion attempts were detected by our systems:
|
||||
$LOG_LINES
|
||||
|
||||
WHOIS report FYI:
|
||||
$WHOIS_OUTPUT
|
||||
|
||||
Thanks for your time and curiosity... take care with botnets...
|
||||
- ANTIBOTNET SYSTEM -
|
||||
together will do a better and free world :-)
|
||||
from postmaster@hatthieves.es
|
||||
by www.HatThieves.es"
|
||||
fi
|
||||
7
jail.d/sshd.conf
Normal file
7
jail.d/sshd.conf
Normal file
@ -0,0 +1,7 @@
|
||||
[sshd]
|
||||
enabled = true
|
||||
bantime = 10800
|
||||
maxretry = 6
|
||||
ignoreip = manalejandro.com,hatthieves.es
|
||||
action = hostsdeny
|
||||
sendmail-abuse[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
|
||||
Loading…
Reference in New Issue
Block a user