From 49b1af390600fd6a8a8b6903a399e80968855b2e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20K=C3=A1cha?= <ph@cesnet.cz>
Date: Mon, 18 Sep 2017 14:54:02 +0200
Subject: [PATCH] Fixed and extended ssh template and README (thx
 bartos@cesnet.cz)

---
 fail2ban/README       |  3 ++-
 fail2ban/f2ban_ssh.sh | 10 ++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/fail2ban/README b/fail2ban/README
index b374663..76e202c 100644
--- a/fail2ban/README
+++ b/fail2ban/README
@@ -29,7 +29,8 @@ In the corresponding action following invocation can be used:
    actionban = /usr/local/bin/f2ban_XXX.sh <ip> <failures> <time>
 
 Please, edit corresponding paths and Warden names in the corresponding
-script preamble.
+script preamble and check/edit contents of the IDEA template (e.g. Target IP 
+address in f2ban_ssh.sh).
 
 Scripts write generated Idea_ events into warden_filer compatible
 directory, so you will need to run properly configured (and registered
diff --git a/fail2ban/f2ban_ssh.sh b/fail2ban/f2ban_ssh.sh
index 61c8b16..e814a2e 100755
--- a/fail2ban/f2ban_ssh.sh
+++ b/fail2ban/f2ban_ssh.sh
@@ -31,9 +31,9 @@ cat >"$filer_dir/tmp/$event_id" <<EOF
    "ID": "$event_id",
    "DetectTime": "$detect_time",
    "CreateTime": "$create_time",
-   "Category": ["Abusive.Spam"],
+   "Category": ["Attempt.Login"],
    "Description": "SSH dictionary/bruteforce attack",
-   "Count": $failures,
+   "ConnCount": $failures,
    "Note": "IP attempted $failures logins to SSH service",
    "Source": [{
       "IP4": ["$src_ip"],
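Review bot: The renamed `"ConnCount": $failures,` line still expands `$failures` unquoted into the JSON heredoc, so an empty or non-numeric argument produces a syntactically invalid event file instead of a rejected run. Since the value arrives as a positional argument from the fail2ban action (the assignment in the preamble is outside this hunk, so I am inferring that), a guard there would keep the template honest: `case "$failures" in ''|*[!0-9]*) echo "f2ban_ssh.sh: failures must be a non-negative integer" >&2; exit 1;; esac`. The same consideration applies to `$src_ip` on the last line of the hunk, which is inserted inside a JSON string and would break the document if it ever contained a quote. The heredoc this hunk belongs to starts at the `cat >"$filer_dir/tmp/$event_id" <<EOF` line named in the hunk header and ends outside the hunk.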
@@ -41,8 +41,10 @@ cat >"$filer_dir/tmp/$event_id" <<EOF
    }],
    "Target": [{
        "Type": ["Anonymised"],
-       "IP4": ["160.217.0.0/16"],
-       "Anonymised": true
+       "IP4": ["192.0.2.0/24"],
+       "Anonymised": true,
+       "Proto": ["tcp", "ssh"],
+       "Port": [22]
    }],
    "Node": [{
          "Name": "$node_name",
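Review bot: The Target `"IP4": ["192.0.2.0/24"],` line hard-codes the RFC 5737 documentation range as a placeholder inside the heredoc, where no comment can mark it, so an unedited deployment emits events that claim the attack targeted a non-routable example network. The README change in this commit asks the operator to edit it, but the other site-specific values already live in the script preamble as variables (`$node_name` and `$filer_dir` are visible here); moving it there as `target_net="192.0.2.0/24"  # edit: network of the protected host(s)` and using `"IP4": ["$target_net"],` keeps every per-site edit in one place. The same applies to the new `"Port": [22]` when the guarded sshd jail listens on another port, though the jail's configuration is not visible in this hunk. The heredoc this hunk belongs to starts and ends outside the hunk.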
-- 
GitLab