aboutsummaryrefslogtreecommitdiff
path: root/straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf
diff options
context:
space:
mode:
authorLukasz Kasprzak <lukasz.kasprzak@pm.me>2026-03-20 19:16:32 +0100
committerLukasz Kasprzak <lukasz.kasprzak@pm.me>2026-03-20 19:16:32 +0100
commit39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2 (patch)
tree9221704f413398cfb5d5759083b1e7032566820e /straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf
parent6b59b75c3a294060dea66bdee16ffaf95ae92889 (diff)
downloadbin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.tar.gz
bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.zip
feat: first fully successful run e2e on straper
Diffstat (limited to 'straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf')
-rw-r--r--straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf207
1 files changed, 207 insertions, 0 deletions
diff --git a/straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf b/straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf
new file mode 100644
index 0000000..3d5a7a5
--- /dev/null
+++ b/straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf
@@ -0,0 +1,207 @@
+# Fail2Ban configuration file
+#
+# Author: Russell Odom <russ@gloomytrousers.co.uk>
+# Submits attack reports to DShield (http://www.dshield.org/)
+#
+# You MUST configure at least:
+# <port> (the port that's being attacked - use number not name).
+#
+# You SHOULD also provide:
+# <myip> (your public IP address, if it's not the address of eth0)
+# <userid> (your DShield userID, if you have one - recommended, but reports will
+# be used anonymously if not)
+# <protocol> (the protocol in use - defaults to tcp)
+#
+# Best practice is to provide <port> and <protocol> in jail.conf like this:
+# action = dshield[port=1234,protocol=tcp]
+#
+# ...and create "dshield.local" with contents something like this:
+# [Init]
+# myip = 10.0.0.1
+# userid = 12345
+#
+# Other useful configuration values are <mailargs> (you can use for specifying
+# a different sender address for the report e-mails, which should match what is
+# configured at DShield), and <lines>/<minreportinterval>/<maxbufferage> (to
+# configure how often the buffer is flushed).
+#
+
+[Definition]
+
+# bypass ban/unban for restored tickets
+norestored = 1
+
+# Option: actionstart
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Values: CMD
+#
+actionstart =
+
+# Option: actionstop
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+# Values: CMD
+#
+actionstop = if [ -f <tmpfile>.buffer ]; then
+ cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
+ date +%%s > <tmpfile>.lastsent
+ fi
+ rm -f <tmpfile>.buffer <tmpfile>.first
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+# See http://www.dshield.org/specs.html for more on report format/notes
+#
+# Note: We are currently using <time> for the timestamp because no tag is
+# available to indicate the timestamp of the log message(s) which triggered the
+# ban. Therefore the timestamps we are using in the report, whilst often only a
+# few seconds out, are incorrect. See
+# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047
+#
+actionban = TZONE=`date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'`
+ DATETIME="`perl -e '@t=localtime(<time>);printf "%%4d-%%02d-%%02d %%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'` $TZONE"
+ PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
+ if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
+ printf %%b "$DATETIME\t<userid>\t<failures>\t<ip>\t<srcport>\t<myip>\t<port>\t$PROTOCOL\t<tcpflags>\n" >> <tmpfile>.buffer
+ NOW=`date +%%s`
+ if [ ! -f <tmpfile>.first ]; then
+ echo <time> | cut -d. -f1 > <tmpfile>.first
+ fi
+ if [ ! -f <tmpfile>.lastsent ]; then
+ echo 0 > <tmpfile>.lastsent
+ fi
+ LOGAGE=$(($NOW - `cat <tmpfile>.first`))
+ LASTREPORT=$(($NOW - `cat <tmpfile>.lastsent`))
+ LINES=$( wc -l <tmpfile>.buffer | awk '{ print $1 }' )
+ if [ $LINES -ge <lines> && $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]; then
+ cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ $TZONE Fail2Ban" <mailargs> <dest>
+ rm -f <tmpfile>.buffer <tmpfile>.first
+ echo $NOW > <tmpfile>.lastsent
+ fi
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = if [ -f <tmpfile>.first ]; then
+ NOW=`date +%%s`
+ LOGAGE=$(($NOW - `cat <tmpfile>.first`))
+ if [ $LOGAGE -gt <maxbufferage> ]; then
+ cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
+ rm -f <tmpfile>.buffer <tmpfile>.first
+ echo $NOW > <tmpfile>.lastsent
+ fi
+ fi
+
+
+[Init]
+# Option: port
+# Notes.: The target port for the attack (numerical). MUST be provided in the
+# jail config, as it cannot be detected here.
+# Values: [ NUM ]
+#
+port = ???
+
+# Option: userid
+# Notes.: Your DShield user ID. Should be provided either in the jail config or
+# in a .local file.
+# Register at https://secure.dshield.org/register.html
+# Values: [ NUM ]
+#
+userid = 0
+
+# Option: myip
+# Notes.: The target IP for the attack (your public IP). Should be provided
+# either in the jail config or in a .local file unless your PUBLIC IP
+# is the first IP assigned to eth0
+# Values: [ an IP address ] Default: Tries to find the IP address of eth0,
+# which in most cases will be a private IP, and therefore incorrect
+#
+myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
+
+# Option: protocol
+# Notes.: The protocol over which the attack is happening
+# Values: [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp
+#
+protocol = tcp
+
+# Option: lines
+# Notes.: How many lines to buffer before making a report. Regardless of this,
+# reports are sent a minimum of <minreportinterval> apart, or if the
+# buffer contains an event over <maxbufferage> old, or on shutdown
+# Values: [ NUM ]
+#
+lines = 50
+
+# Option: minreportinterval
+# Notes.: Minimum period (in seconds) that must elapse before we submit another
+# batch of reports. DShield request a minimum of 1 hour (3600 secs)
+# between reports.
+# Values: [ NUM ]
+#
+minreportinterval = 3600
+
+# Option: maxbufferage
+# Notes.: Maximum age (in seconds) of the oldest report in the buffer before we
+# submit the batch, even if we haven't reached <lines> yet. Note that
+# this is only checked on each ban/unban, and that we always send
+# anything in the buffer on shutdown. Must be greater than
+# Values: [ NUM ]
+#
+maxbufferage = 21600
+
+# Option: srcport
+# Notes.: The source port of the attack. You're unlikely to have this info, so
+# you can leave the default
+# Values: [ NUM ]
+#
+srcport = ???
+
+# Option: tcpflags
+# Notes.: TCP flags on attack. You're unlikely to have this info, so you can
+# leave empty
+# Values: [ STRING ]
+#
+tcpflags =
+
+# Option: mailcmd
+# Notes.: Your system mail command. Is passed 2 args: subject and recipient
+# Values: CMD
+#
+mailcmd = mail -E 'set escape' -s
+
+# Option: mailargs
+# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
+# CC reports to another address:
+# -c me@example.com
+# Appear to come from a different address (the From address must match
+# the one configured at DShield - the '--' indicates arguments to be
+# passed to Sendmail):
+# -- -f me@example.com
+# Values: [ STRING ]
+#
+mailargs =
+
+# Option: dest
+# Notes.: Destination e-mail address for reports
+# Values: [ STRING ]
+#
+dest = reports@dshield.org
+
+# Option: tmpfile
+# Notes.: Base name of temporary files used for buffering
+# Values: [ STRING ]
+#
+tmpfile = /var/run/fail2ban/tmp-dshield
+