Fixed and extended ssh template and README (thx bartos@cesnet.cz)

41543e09 · Pavel Kácha · fef21b54 · 41543e09 · 41543e09
Commit 41543e09 authored Sep 18, 2017 by Pavel Kácha
--- a/warden3/contrib/connectors/fail2ban/README
+++ b/warden3/contrib/connectors/fail2ban/README
@@ -29,7 +29,8 @@ In the corresponding action following invocation can be used:
   actionban = /usr/local/bin/f2ban_XXX.sh <ip> <failures> <time>
 Please, edit corresponding paths and Warden names in the corresponding
-script preamble.
+script preamble and check/edit contents of the IDEA template (e.g. Target IP 
+address in f2ban_ssh.sh).
 Scripts write generated Idea_ events into warden_filer compatible
 directory, so you will need to run properly configured (and registered

--- a/warden3/contrib/connectors/fail2ban/f2ban_ssh.sh
+++ b/warden3/contrib/connectors/fail2ban/f2ban_ssh.sh
@@ -31,9 +31,9 @@ cat >"$filer_dir/tmp/$event_id" <<EOF
   "ID": "$event_id",
   "DetectTime": "$detect_time",
   "CreateTime": "$create_time",
-   "Category": ["Abusive.Spam"],
+   "Category": ["Attempt.Login"],
   "Description": "SSH dictionary/bruteforce attack",
-   "Count": $failures,
+   "ConnCount": $failures,
   "Note": "IP attempted $failures logins to SSH service",
   "Source": [{
      "IP4": ["$src_ip"],
@@ -41,8 +41,10 @@ cat >"$filer_dir/tmp/$event_id" <<EOF
   }],
   "Target": [{
       "Type": ["Anonymised"],
-       "IP4": ["160.217.0.0/16"],
+       "IP4": ["192.0.2.0/24"],
-       "Anonymised": true
+       "Anonymised": true,
+       "Proto": ["tcp", "ssh"],
+       "Port": [22]
   }],
   "Node": [{
         "Name": "$node_name",