diff --git a/fail2ban/README b/fail2ban/README index b3746631210073e45899162ab012446c70a91473..76e202c76fc0018b81909cd268883983b362a5ac 100644 --- a/fail2ban/README +++ b/fail2ban/README @@ -29,7 +29,8 @@ In the corresponding action following invocation can be used: actionban = /usr/local/bin/f2ban_XXX.sh <ip> <failures> <time> Please, edit corresponding paths and Warden names in the corresponding -script preamble. +script preamble and check/edit contents of the IDEA template (e.g. Target IP +address in f2ban_ssh.sh). Scripts write generated Idea_ events into warden_filer compatible directory, so you will need to run properly configured (and registered diff --git a/fail2ban/f2ban_ssh.sh b/fail2ban/f2ban_ssh.sh index 61c8b165cad660feacbdb01d709036d93fe1667d..e814a2e7e0f4bd9a9662faed820aca04615ebc29 100755 --- a/fail2ban/f2ban_ssh.sh +++ b/fail2ban/f2ban_ssh.sh @@ -31,9 +31,9 @@ cat >"$filer_dir/tmp/$event_id" <<EOF "ID": "$event_id", "DetectTime": "$detect_time", "CreateTime": "$create_time", - "Category": ["Abusive.Spam"], + "Category": ["Attempt.Login"], "Description": "SSH dictionary/bruteforce attack", - "Count": $failures, + "ConnCount": $failures, "Note": "IP attempted $failures logins to SSH service", "Source": [{ "IP4": ["$src_ip"], @@ -41,8 +41,10 @@ cat >"$filer_dir/tmp/$event_id" <<EOF }], "Target": [{ "Type": ["Anonymised"], - "IP4": ["160.217.0.0/16"], - "Anonymised": true + "IP4": ["192.0.2.0/24"], + "Anonymised": true, + "Proto": ["tcp", "ssh"], + "Port": [22] }], "Node": [{ "Name": "$node_name",