Skip to content
Snippets Groups Projects
Commit b6f8d77b authored by Pavel Kácha's avatar Pavel Kácha
Browse files

fail2ban helper scripts

parent 6496aaef
No related branches found
No related tags found
No related merge requests found
Show whitespace changes
Inline Side-by-side
fail2ban/README 0 → 100644
+ 44
0
View file @ b6f8d77b
Support scripts for fail2ban
============================
Introduction
------------
Fail2ban is a logfile watcher, which is able to run various actions,
based on too many patterns occured in the log file.
Those helper shell scripts can be used as action to report events to
Warden_.
Dependencies
------------
1. Python packages
warden_filer 3.0+
Usage
-----
* f2ban_spam.sh is meant to be used in cooperation with the default
"postfix" rule.
* f2ban_ssh.sh is meant to be used in cooperation with the default
"ssh" rule.
In the corresponding action following invocation can be used:
actionban = /usr/local/bin/f2ban_XXX.sh <ip> <failures> <time>
Please, edit corresponding paths and Warden names in the corresponding
script preamble.
Scripts write generated Idea_ events into warden_filer compatible
directory, so you will need to run properly configured (and registered
into Warden server) warden_filer instance, which will take care for
picking up the events and submitting them.
.. _Warden: https://warden.cesnet.cz/
.. _Idea: https://idea.cesnet.cz/
------------------------------------------------------------------------------
Copyright (C) 2017 Cesnet z.s.p.o
fail2ban/f2ban_spam.sh 0 → 100755
+ 54
0
View file @ b6f8d77b
#!/bin/bash
umask 0111
filer_dir="/var/mentat/spool/_wardenout"
src_ip=$1
failures=$2
detect_time=$(date --date="@$3" --rfc-3339=seconds)
create_time=$(date --rfc-3339=seconds)
node_name="org.example.fail2ban.blacklist"
uuid() {
for ((n=0; n<16; n++)); do
read -n1 c < /dev/urandom
LC_CTYPE=C d=$(printf '%d' "'$c")
s=''
case $n in
6) ((d = d & 79 | 64));;
8) ((d = d & 191 | 128));;
3|5|9|7) s='-';;
esac
printf '%02x%s' $d "$s"
done
}
event_id=$(uuid)
cat >"$filer_dir/tmp/$event_id" <<EOF
{
"Format" : "IDEA0",
"ID" : "$event_id",
"DetectTime" : "$detect_time",
"CreateTime" : "$create_time",
"Category" : ["Abusive.Spam"],
"Description" : "Blacklisted host",
"Note" : "Block duration: 3600. IP was blacklisted, is listed on more than 5 public blacklists",
"Source" : [{
"Type": ["Spam"],
"IP4" : ["$src_ip"],
"Proto": ["tcp", "smtp"]
}],
"Node" : [{
"Name" : "$node_name",
"SW" : ["Fail2Ban"],
"Type" : ["Log", "Statistical"]
}],
"_CESNET" : {
"Impact" : "IP was blacklisted, is listed on more than 5 public blacklists",
"EventTemplate" : "f2b-001"
}
}
EOF
mv "$filer_dir/tmp/$event_id" "$filer_dir/incoming"
fail2ban/f2ban_ssh.sh 0 → 100755
+ 55
0
View file @ b6f8d77b
#!/bin/bash
umask 0111
filer_dir="/var/spool/warden_sender"
src_ip=$1
failures=$2
detect_time=$(date --date="@$3" --rfc-3339=seconds)
create_time=$(date --rfc-3339=seconds)
node_name="org.example.fail2ban.ssh"
uuid() {
for ((n=0; n<16; n++)); do
read -n1 c < /dev/urandom
LC_CTYPE=C d=$(printf '%d' "'$c")
s=''
case $n in
6) ((d = d & 79 | 64));;
8) ((d = d & 191 | 128));;
3|5|9|7) s='-';;
esac
printf '%02x%s' $d "$s"
done
}
event_id=$(uuid)
cat >"$filer_dir/tmp/$event_id" <<EOF
{
"Format": "IDEA0",
"ID": "$event_id",
"DetectTime": "$detect_time",
"CreateTime": "$create_time",
"Category": ["Abusive.Spam"],
"Description": "SSH dictionary/bruteforce attack",
"Count": $failures,
"Note": "IP attempted $failures logins to SSH service",
"Source": [{
"IP4": ["$src_ip"],
"Proto": ["tcp", "ssh"]
}],
"Target": [{
"Type": ["Anonymised"],
"IP4": ["160.217.0.0/16"],
"Anonymised": true
}],
"Node": [{
"Name": "$node_name",
"SW": ["Fail2Ban"],
"Type": ["Log", "Statistical"]
}]
}
EOF
mv "$filer_dir/tmp/$event_id" "$filer_dir/incoming"
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment