diff --git a/fail2ban/filter.d/lighttpd-fastcgi.conf b/fail2ban/filter.d/lighttpd-fastcgi.conf
new file mode 100644
index 0000000..1c6e3fc
--- /dev/null
+++ b/fail2ban/filter.d/lighttpd-fastcgi.conf
@@ -0,0 +1,18 @@
+# Fail2Ban configuration file
+#
+# Author: Arturo 'Buanzo' Busleiman
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match ALERTS as notified by lighttpd's FastCGI Module
+# Values: TEXT
+#
+failregex = .*ALERT\ -\ .*attacker\ \'\'
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/fail2ban/filter.d/nginx-auth.conf b/fail2ban/filter.d/nginx-auth.conf
new file mode 100644
index 0000000..c555eec
--- /dev/null
+++ b/fail2ban/filter.d/nginx-auth.conf
@@ -0,0 +1,12 @@
+#
+# Auth filter /etc/fail2ban/filter.d/nginx-auth.conf:
+#
+# Blocks IPs that fail to authenticate using basic authentication
+#
+[Definition]
+
+failregex = no user/password was provided for basic authentication.*client:
+ user .* was not found in.*client:
+ user .* password mismatch.*client:
+
+ignoreregex =
diff --git a/fail2ban/filter.d/nginx-login.conf b/fail2ban/filter.d/nginx-login.conf
new file mode 100644
index 0000000..5e1d482
--- /dev/null
+++ b/fail2ban/filter.d/nginx-login.conf
@@ -0,0 +1,9 @@
+#
+# Login filter /etc/fail2ban/filter.d/nginx-login.conf:
+#
+# Blocks IPs that fail to authenticate using web application's log in page
+#
+# Scan access log for HTTP 200 + POST /sessions => failed log in
+[Definition]
+failregex = ^ -.*POST /sessions HTTP/1\.." 200
+ignoreregex =
diff --git a/fail2ban/filter.d/nginx-noscript.conf b/fail2ban/filter.d/nginx-noscript.conf
new file mode 100644
index 0000000..024c390
--- /dev/null
+++ b/fail2ban/filter.d/nginx-noscript.conf
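Review bot: As rendered here, `failregex = .*ALERT\ -\ .*attacker\ \'\'` carries no `<HOST>` tag, and fail2ban cannot extract an address to ban from a match that has none; if the tag was stripped in rendering rather than missing from the file, confirm it with `fail2ban-regex` against a real ALERT line before enabling the jail. The leading `.*` leaves the pattern unanchored, so the `ALERT - ... attacker '...'` text is matched wherever it appears in the line, including inside a quoted request or referer that an attacker controls; anchor it to the prefix lighttpd's error log actually puts before the ALERT. The `\ ` escapes are plain spaces to the regex engine, so `ALERT - .*attacker '<HOST>'` reads the same and is easier to review.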
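Review bot: The three alternatives end in `client:` with nothing after it as rendered, whereas nginx writes `client: <ip>, server: ...`, so the pattern needs `client: <HOST>, server:` to give fail2ban an address to ban (or the `<HOST>` tag was lost in rendering — verify with `fail2ban-regex` on a real error-log line). The `user .* was not found in` and `user .* password mismatch` messages are the same ones the stock `nginx-http-auth` filter matches, and the accompanying jail.local enables both jails on different log paths, so each failed basic-auth attempt would be counted, whois'd and mailed twice if both paths resolve to the same log. The header says `Blocks IPs`, but a filter only matches lines — the blocking comes from the jail's action; `# Matches nginx error-log lines for failed HTTP basic authentication` states what the file does.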
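Review bot: `^ -.*POST /sessions HTTP/1\.." 200` requires the request-target to be exactly `/sessions`, so an attacker who appends a query string (`POST /sessions?x=1`) is never counted if the application ignores it; match `POST /sessions(?:\?\S*)? HTTP/`. `HTTP/1\..` also excludes `HTTP/2.0` request lines that nginx logs for h2 clients; `HTTP/[12]\.\d` covers both. The filter depends on the application answering a failed login with 200 and a successful one with a redirect — record that in the header, e.g. `# Assumes the login form re-renders with 200 on failure and redirects (3xx) on success; verify for your application before enabling`, because a 200 on success bans legitimate users after `maxretry` logins. As rendered the regex has no `<HOST>` tag; confirm the file carries `^<HOST> -`.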
@@ -0,0 +1,10 @@
+# Noscript filter /etc/fail2ban/filter.d/nginx-noscript.conf:
+#
+# Block IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.
+#
+# Matches e.g.
+# 192.168.1.1 - - "GET /something.php
+#
+[Definition]
+failregex = ^ -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
+ignoreregex =
diff --git a/fail2ban/filter.d/nginx-proxy.conf b/fail2ban/filter.d/nginx-proxy.conf
new file mode 100644
index 0000000..d2942cd
--- /dev/null
+++ b/fail2ban/filter.d/nginx-proxy.conf
@@ -0,0 +1,10 @@
+# Proxy filter /etc/fail2ban/filter.d/proxy.conf:
+#
+# Block IPs trying to use server as proxy.
+#
+# Matches e.g.
+# 192.168.1.1 - - "GET http://www.something.com/
+#
+[Definition]
+failregex = ^ -.*GET http.*
+ignoreregex =
diff --git a/fail2ban/jail.local b/fail2ban/jail.local
new file mode 100644
index 0000000..5990c31
--- /dev/null
+++ b/fail2ban/jail.local
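Review bot: `^ -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)` is not bounded to the request field, so if the access log uses a combined-style format the extension can match in the referer or user-agent — a visitor arriving from someone else's `.php` page is counted as an attacker and, with jail.local's `maxretry = 6`, banned for a day; bound the match to the request, e.g. `"(?:GET|POST|HEAD) [^"]*\.(?:php|asp|exe|pl|cgi)\b`. Only `GET` is considered, so `POST` probes to the same paths are ignored. The last alternative `\scgi` matches whitespace followed by `cgi`, which a request path such as `/cgi-bin/...` never produces; `/cgi` looks like what was meant. As rendered the regex has no `<HOST>` tag; confirm the file carries `^<HOST> -`.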
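Review bot: `^ -.*GET http.*` only covers `GET`, so `POST` or `HEAD` with an absolute URI is not counted, and the leading `.*` lets `GET http` match outside the request field; bound it to the request line, e.g. `"(?:GET|POST|HEAD) https?://`. Absolute-form request targets are legal in HTTP/1.1 and some clients behind forward proxies do send `GET http://yourhost/...`, so with jail.local's `maxretry = 0` and `bantime = 86400` a single such request from a legitimate client earns a one-day ban; consider excluding URIs whose host is one of your own. The header names the file `/etc/fail2ban/filter.d/proxy.conf` but this file is `nginx-proxy.conf`. As rendered the regex has no `<HOST>` tag; confirm the file carries `^<HOST> -`.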
@@ -0,0 +1,192 @@
+[DEFAULT]
+ignoreip = 127.0.0.1/8 192.168.1.0/24
+bantime = 20
+findtime = 20
+maxretry = 3
+backend = auto
+destemail = backbone@backbone.ws
+banaction = iptables-multiport
+mta = sendmail
+protocol = tcp
+
+[ssh-iptables]
+enabled = true
+action = iptables[name=SSH, port=ssh, protocol=tcp]
+ sendmail-whois[name=SSH, dest=backbone@backbone.ws]
+logpath = /var/log/messages
+
+[ssh-ddos]
+enabled = true
+action = iptables[name=SSHDDOS, port=ssh, protocol=tcp]
+ sendmail-whois[name=SSH-DDOS, dest=backbone@backbone.ws]
+logpath = /var/log/messages
+
+[pure-ftpd]
+enabled = true
+action = iptables[name=pureftpd, port=ftp, protocol=tcp]
+ sendmail-whois[name=Pure-FTPd, dest=backbone@backbone.ws]
+# logpath = /var/log/pureftpd.log
+logpath = /var/log/messages
+
+[sendmail-auth]
+enabled = true
+action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
+ sendmail-whois[name=Sendmail-Auth, dest=backbone@backbone.ws]
+logpath = /var/log/mail.log
+
+[sendmail-reject]
+enabled = true
+action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
+ sendmail-whois[name=Sendmail-Reject, dest=backbone@backbone.ws]
+logpath = /var/log/mail.log
+
+[nginx-http-auth]
+enabled = true
+action = iptables-multiport[name=nginx-http-auth,port="80,443"]
+ sendmail-whois[name=Nginx-Http-Auth, dest=backbone@backbone.ws]
+logpath = /var/log/nginx/error_log
+
+[squid]
+enabled = true
+action = iptables-multiport[name=squid,port="80,443,8080"]
+ sendmail-whois[name=Squid, dest=backbone@backbone.ws]
+logpath = /var/log/squid/access.log
+
+[postfix-tcpwrapper]
+enabled = true
+action = hostsdeny[file=/not/a/standard/path/hosts.deny]
+ sendmail-whois[name=Postfix-TCPWrapper, dest=backbone@backbone.ws]
+logpath = /var/log/mail.log
+
+[php-url-fopen]
+enabled = true
+action = iptables-multiport[name=php-url-open, port="http,https"]
+ sendmail-whois[name=PHP-URL-Fopen, dest=backbone@backbone.ws]
+logpath = /var/log/lighttpd/access.log
+
+[lighttpd-auth]
+enabled = true
+action = iptables-multiport[name=lighttpd-auth, port="http,https"]
+ sendmail-whois[name=Lighttpd-Auth, dest=backbone@backbone.ws]
+logpath = /var/log/lighttpd/error.log
+
+[named-refused-tcp]
+enabled = true
+action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
+ sendmail-whois[name=Named, dest=backbone@backbone.ws]
+logpath = /var/log/messages
+
+[nsd]
+enabled = true
+action = iptables-multiport[name=nsd-tcp, port="domain", protocol=tcp]
+ iptables-multiport[name=nsd-udp, port="domain", protocol=udp]
+ sendmail-whois[name=Nsd, dest=backbone@backbone.ws]
+logpath = /var/log/messages
+
+[ejabberd-auth]
+enabled = true
+action = iptables[name=ejabberd, port=xmpp-client, protocol=tcp]
+ sendmail-whois[name=Ejabberd-Auth, dest=backbone@backbone.ws]
+logpath = /var/log/jabber/ejabberd.log
+
+[recidive]
+enabled = true
+action = iptables-allports[name=recidive,protocol=all]
+ sendmail-whois[name=Recidive, dest=backbone@backbone.ws]
+
+[exim]
+enabled = true
+action = iptables-multiport[name=exim,port="25,465,587"]
+ sendmail-whois[name=Exim, dest=backbone@backbone.ws]
+logpath = /var/log/exim/exim_main.log
+
+[exim-spam]
+enabled = true
+action = iptables-multiport[name=exim-spam,port="25,465,587"]
+ sendmail-whois[name=Exim-Spam, dest=backbone@backbone.ws]
+logpath = /var/log/exim/exim_main.log
+
+[perdition]
+enabled = true
+action = iptables-multiport[name=perdition,port="110,143,993,995"]
+ sendmail-whois[name=Perdition, dest=backbone@backbone.ws]
+logpath = /var/log/mail.log
+
+[dovecot]
+enabled = true
+action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
+ sendmail-whois[name=Dovecot, dest=backbone@backbone.ws]
+logpath = /var/log/mail.log
+
+[dovecot-auth]
+enabled = true
+action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
+ sendmail-whois[name=Dovecot-Auth, dest=backbone@backbone.ws]
+logpath = /var/log/dovecot.log
+
+[solid-pop3d]
+enabled = true
+action = iptables-multiport[name=solid-pop3, port="pop3,pop3s", protocol=tcp]
+ sendmail-whois[name=Solid-POP3d, dest=backbone@backbone.ws]
+logpath = /var/log/mail.log
+
+[ssh-blocklist]
+enabled = true
+action = iptables[name=SSH, port=ssh, protocol=tcp]
+ sendmail-whois[name=SSH-Blocklist, dest=backbone@backbone.ws]
+logpath = /var/log/messages
+
+# Kolan: Additional filters/rules
+[nginx-auth]
+enabled = true
+filter = nginx-auth
+action = iptables-multiport[name=nginx-auth, port="http,https", protocol=tcp]
+ sendmail-whois[name=Nginx-Auth, dest=backbone@backbone.ws]
+logpath = /var/log/nginx/localhost.error_log
+bantime = 3600
+maxretry = 3
+
+[nginx-login]
+enabled = true
+filter = nginx-login
+action = iptables-multiport[name=nginx-login, port="http,https", protocol=tcp]
+ sendmail-whois[name=Nginx-Login, dest=backbone@backbone.ws]
+logpath = /var/log/nginx*/*access*log
+bantime = 600
+maxretry = 6
+
+[nginx-badbots]
+enabled = true
+filter = apache-badbots
+action = iptables-multiport[name=nginx-badbots, port="http,https", protocol=tcp]
+ sendmail-whois[name=Nginx-BadBots, dest=backbone@backbone.ws]
+logpath = /var/log/nginx*/*access*log
+bantime = 86400
+maxretry = 1
+
+[nginx-noscript]
+enabled = true
+filter = nginx-noscript
+action = iptables-multiport[name=nginx-noscript, port="http,https", protocol=tcp]
+ sendmail-whois[name=Nginx-Noscript, dest=backbone@backbone.ws]
+logpath = /var/log/nginx*/*access*log
+maxretry = 6
+bantime = 86400
+
+[nginx-proxy]
+enabled = true
+filter = nginx-proxy
+action = iptables-multiport[name=nginx-proxy, port="http,https", protocol=tcp]
+ sendmail-whois[name=Nginx-Proxy, dest=backbone@backbone.ws]
+logpath = /var/log/nginx*/*access*log
+maxretry = 0
+bantime = 86400
+
+[lighttpd-fastcgi]
+enabled = true
+port = http,https
+filter = lighttpd-fastcgi
+action = iptables-multiport[name=lighttpd-fastcgi, port="http,https", protocol=tcp]
+ sendmail-whois[name=Lighttpd-FastCGI, dest=backbone@backbone.ws]
+logpath = /var/log/lighttpd/error.log
+maxretry = 2
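Review bot: `[sendmail-reject]` passes `name=sendmail-auth` to iptables-multiport, the same chain name `[sendmail-auth]` uses, and `[ssh-blocklist]` reuses `name=SSH` from `[ssh-iptables]`; the iptables actions derive their `fail2ban-<name>` chain from that parameter, so two jails sharing a name create, flush and delete each other's rules and stopping or restarting one drops the other's bans — give every jail a unique name. The `[DEFAULT]` `bantime = 20` / `findtime = 20` are inherited by every jail that does not override them, including `[recidive]`, which exists to re-ban repeat offenders over days and is ineffective with a 20-second window; a brute-forcer only has to pause 20 s between batches, so these should be minutes at least and the recidive jail should carry its own long values. `[nginx-proxy]` sets `maxretry = 0`, whose effect is not obvious from the config; write `maxretry = 1` if the intent is to ban on the first offence. The address repeated in every `sendmail-whois[... dest=backbone@backbone.ws]` could be `dest="%(destemail)s"` so the `destemail` already declared in `[DEFAULT]` is the single place it is maintained.
```ini
[DEFAULT]
# … unchanged: ignoreip …
bantime = 600
findtime = 600
# … unchanged: maxretry, backend, destemail, banaction, mta, protocol …

# … unchanged: ssh-iptables, ssh-ddos, pure-ftpd, sendmail-auth …

[sendmail-reject]
enabled = true
action = iptables-multiport[name=sendmail-reject, port="submission,465,smtp", protocol=tcp]
 sendmail-whois[name=Sendmail-Reject, dest="%(destemail)s"]
# … unchanged: logpath …

# … unchanged: nginx-http-auth … ejabberd-auth …

[recidive]
enabled = true
action = iptables-allports[name=recidive,protocol=all]
 sendmail-whois[name=Recidive, dest="%(destemail)s"]
bantime = 604800
findtime = 86400

# … unchanged: exim … solid-pop3d …

[ssh-blocklist]
enabled = true
action = iptables[name=SSH-Blocklist, port=ssh, protocol=tcp]
 sendmail-whois[name=SSH-Blocklist, dest="%(destemail)s"]
# … unchanged: logpath …

# … unchanged: nginx-auth … nginx-noscript …

[nginx-proxy]
# … unchanged: enabled, filter, action, logpath …
maxretry = 1
bantime = 86400

# … unchanged: lighttpd-fastcgi …
```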