134 lines
4.2 KiB
Bash
134 lines
4.2 KiB
Bash
#!/bin/bash
|
|
DOMAIN=manalejandro.com
|
|
SMTP=smtp.manalejandro.com
|
|
USER=fail2ban
|
|
PASS=pass
|
|
|
|
echo "#!/bin/bash
|
|
|
|
PATH=\"\$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"
|
|
LANG=\"C\"
|
|
REMOTE_IP=\"\$1\"
|
|
SENDER_MAIL=\"\$2\"
|
|
DEST_MAIL=\"\$3\"
|
|
LOGFILE=\"\$4\"
|
|
DATE=\$(date)
|
|
WHOIS_OUTPUT=\$(torsocks whois \$REMOTE_IP)
|
|
REVERSE_IP=\$(echo \$REMOTE_IP | awk 'BEGIN{FS=\".\";ORS=\".\"} {for (i = NF; i > 0; i--){print \$i}}')
|
|
LOG_LINES=\$(grep -a \$REMOTE_IP \$LOGFILE)
|
|
BANNED_IP_PATH=\"/var/tmp/fail2ban_banned_ips\"
|
|
|
|
# Skip sending email when an email was already sent out for that IP the last 24hours
|
|
if ! [ -d \$BANNED_IP_PATH ]; then mkdir \$BANNED_IP_PATH; else find \${BANNED_IP_PATH}/ -mtime +30 -type f -delete; fi
|
|
if [ -n \"\$(find \${BANNED_IP_PATH}/\$REMOTE_IP -mtime -1 2>/dev/null)\" ]; then exit 0; else touch \${BANNED_IP_PATH}/\$REMOTE_IP; fi
|
|
|
|
# Get the Abuse email address from Abusix
|
|
#if DNS_REPLY=\$(host -t TXT \${REVERSE_IP}abuse-contacts.abusix.zone); then
|
|
# ABUSE_ADDR=\$(echo \$DNS_REPLY | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b' | paste -sd \",\")
|
|
#fi
|
|
|
|
ABUSE_ADDR=\$(torsocks whois -b \$REMOTE_IP | egrep ^abuse | sed 's/^.*: \?\+//')
|
|
|
|
# Send email
|
|
if [ \$ABUSE_ADDR ]; then
|
|
swaks -f \$SENDER_MAIL -t \"\$ABUSE_ADDR\" -tlsc -a -au $USER -ap $PASS -s $SMTP -p 465 \\
|
|
--h-Subject \"[Urgent]: Automatic abuse report for IP address \$REMOTE_IP from $DOMAIN\" --h-From \"Fail2Ban $DOMAIN <\$SENDER_MAIL>\" \\
|
|
--h-To \$ABUSE_ADDR --body \\
|
|
\"This is an automatic email abuse report about the IP address \$REMOTE_IP generated at \$DATE, please do not reply.
|
|
You get this email because you are listed as the official and popular abuse email contact for this concrete IP address.
|
|
|
|
The following intrusion attempts were detected by our systems:
|
|
\$LOG_LINES
|
|
|
|
WHOIS report FYI:
|
|
\$WHOIS_OUTPUT
|
|
|
|
- ANTIBOTNET SYSTEM -
|
|
from postmaster@$DOMAIN by $DOMAIN\"
|
|
fi" > fail2ban_abuse_mail.sh
|
|
|
|
echo "[Definition]
|
|
|
|
# Option: actionstart
|
|
# Notes.: command executed once at the start of Fail2Ban.
|
|
# Values: CMD
|
|
#
|
|
actionstart = printf %%b \"Subject: [Fail2Ban] <name>: started
|
|
Date: \`date -u +\"%%a, %%d %%h %%Y %%T +0000\"\`
|
|
From: Fail2Ban <<sender>>
|
|
To: <dest>\\n
|
|
Hi,\\n
|
|
The jail <name> has been started successfully.\\n
|
|
Regards,\\n
|
|
Fail2Ban\" | /usr/sbin/sendmail -f <sender> <dest>
|
|
|
|
# Option: actionstop
|
|
# Notes.: command executed once at the end of Fail2Ban
|
|
# Values: CMD
|
|
#
|
|
actionstop = printf %%b \"Subject: [Fail2Ban] <name>: stopped
|
|
Date: \`date -u +\"%%a, %%d %%h %%Y %%T +0000\"\`
|
|
From: Fail2Ban <<sender>>
|
|
To: <dest>\\n
|
|
Hi,\\n
|
|
The jail <name> has been stopped.\\n
|
|
Regards,\\n
|
|
Fail2Ban\" | /usr/sbin/sendmail -f <sender> <dest>
|
|
|
|
# Option: actioncheck
|
|
# Notes.: command executed once before each actionban command
|
|
# Values: CMD
|
|
#
|
|
actioncheck =
|
|
|
|
# Option: actionban
|
|
# Notes.: command executed when banning an IP. Take care that the
|
|
# command is executed with Fail2Ban user rights.
|
|
actionban = /etc/fail2ban/fail2ban_abuse_mail.sh <ip> <sender> <dest> <logpath>
|
|
|
|
# Option: actionunban
|
|
# Notes.: command executed when unbanning an IP. Take care that the
|
|
# command is executed with Fail2Ban user rights.
|
|
# Tags: <ip> IP address
|
|
# <failures> number of failures
|
|
# <time> unix timestamp of the ban time
|
|
# Values: CMD
|
|
#
|
|
actionunban =
|
|
|
|
[Init]
|
|
|
|
# Defaut name of the chain
|
|
#
|
|
name = default
|
|
|
|
# Destination/Addressee of the mail
|
|
#
|
|
dest = webmaster@$DOMAIN
|
|
|
|
# Sender of the mail
|
|
#
|
|
sender = fail2ban@$DOMAIN
|
|
|
|
# Path to the log files which contain relevant lines for the abuser IP
|
|
#
|
|
logpath = /dev/null" > action.d/sendmail-abuse.conf
|
|
|
|
echo "[sshd]
|
|
enabled = true
|
|
bantime = 10800
|
|
findtime = 1800
|
|
maxretry = 2
|
|
ignoreip = $DOMAIN
|
|
backend = pyinotify
|
|
filter = sshd
|
|
action = iptables-allports[name=SSH, protocol=tcp]
|
|
sendmail-abuse[name=%(__name__)s, dest=\"%(destemail)s\", logpath=%(logpath)s]" > jail.d/sshd.conf
|
|
|
|
rm -f /etc/fail2ban/jail.d/defaults-debian.conf /var/run/fail2ban/fail2ban.sock
|
|
mkdir -p /var/run/fail2ban
|
|
service rsyslog start
|
|
service ssh start
|
|
service fail2ban start
|
|
service tor start
|
|
/bin/sleep infinity |