diff options
| author | Lukasz Kasprzak <lukasz.kasprzak@pm.me> | 2026-03-20 19:16:32 +0100 |
|---|---|---|
| committer | Lukasz Kasprzak <lukasz.kasprzak@pm.me> | 2026-03-20 19:16:32 +0100 |
| commit | 39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2 (patch) | |
| tree | 9221704f413398cfb5d5759083b1e7032566820e /straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf | |
| parent | 6b59b75c3a294060dea66bdee16ffaf95ae92889 (diff) | |
| download | bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.tar.gz bin-39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2.zip | |
feat: first fully successful run e2e on straper
Diffstat (limited to 'straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf')
| -rw-r--r-- | straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf | 207 |
1 files changed, 207 insertions, 0 deletions
diff --git a/straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf b/straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf new file mode 100644 index 0000000..3d5a7a5 --- /dev/null +++ b/straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf @@ -0,0 +1,207 @@ +# Fail2Ban configuration file +# +# Author: Russell Odom <russ@gloomytrousers.co.uk> +# Submits attack reports to DShield (http://www.dshield.org/) +# +# You MUST configure at least: +# <port> (the port that's being attacked - use number not name). +# +# You SHOULD also provide: +# <myip> (your public IP address, if it's not the address of eth0) +# <userid> (your DShield userID, if you have one - recommended, but reports will +# be used anonymously if not) +# <protocol> (the protocol in use - defaults to tcp) +# +# Best practice is to provide <port> and <protocol> in jail.conf like this: +# action = dshield[port=1234,protocol=tcp] +# +# ...and create "dshield.local" with contents something like this: +# [Init] +# myip = 10.0.0.1 +# userid = 12345 +# +# Other useful configuration values are <mailargs> (you can use for specifying +# a different sender address for the report e-mails, which should match what is +# configured at DShield), and <lines>/<minreportinterval>/<maxbufferage> (to +# configure how often the buffer is flushed). +# + +[Definition] + +# bypass ban/unban for restored tickets +norestored = 1 + +# Option: actionstart +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). +# Values: CMD +# +actionstart = + +# Option: actionstop +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +# Values: CMD +# +actionstop = if [ -f <tmpfile>.buffer ]; then + cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest> + date +%%s > <tmpfile>.lastsent + fi + rm -f <tmpfile>.buffer <tmpfile>.first + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +# See http://www.dshield.org/specs.html for more on report format/notes +# +# Note: We are currently using <time> for the timestamp because no tag is +# available to indicate the timestamp of the log message(s) which triggered the +# ban. Therefore the timestamps we are using in the report, whilst often only a +# few seconds out, are incorrect. See +# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047 +# +actionban = TZONE=`date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` + DATETIME="`perl -e '@t=localtime(<time>);printf "%%4d-%%02d-%%02d %%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'` $TZONE" + PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols` + if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi + printf %%b "$DATETIME\t<userid>\t<failures>\t<ip>\t<srcport>\t<myip>\t<port>\t$PROTOCOL\t<tcpflags>\n" >> <tmpfile>.buffer + NOW=`date +%%s` + if [ ! -f <tmpfile>.first ]; then + echo <time> | cut -d. -f1 > <tmpfile>.first + fi + if [ ! -f <tmpfile>.lastsent ]; then + echo 0 > <tmpfile>.lastsent + fi + LOGAGE=$(($NOW - `cat <tmpfile>.first`)) + LASTREPORT=$(($NOW - `cat <tmpfile>.lastsent`)) + LINES=$( wc -l <tmpfile>.buffer | awk '{ print $1 }' ) + if [ $LINES -ge <lines> && $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]; then + cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ $TZONE Fail2Ban" <mailargs> <dest> + rm -f <tmpfile>.buffer <tmpfile>.first + echo $NOW > <tmpfile>.lastsent + fi + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = if [ -f <tmpfile>.first ]; then + NOW=`date +%%s` + LOGAGE=$(($NOW - `cat <tmpfile>.first`)) + if [ $LOGAGE -gt <maxbufferage> ]; then + cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest> + rm -f <tmpfile>.buffer <tmpfile>.first + echo $NOW > <tmpfile>.lastsent + fi + fi + + +[Init] +# Option: port +# Notes.: The target port for the attack (numerical). MUST be provided in the +# jail config, as it cannot be detected here. +# Values: [ NUM ] +# +port = ??? + +# Option: userid +# Notes.: Your DShield user ID. Should be provided either in the jail config or +# in a .local file. +# Register at https://secure.dshield.org/register.html +# Values: [ NUM ] +# +userid = 0 + +# Option: myip +# Notes.: The target IP for the attack (your public IP). Should be provided +# either in the jail config or in a .local file unless your PUBLIC IP +# is the first IP assigned to eth0 +# Values: [ an IP address ] Default: Tries to find the IP address of eth0, +# which in most cases will be a private IP, and therefore incorrect +# +myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'` + +# Option: protocol +# Notes.: The protocol over which the attack is happening +# Values: [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp +# +protocol = tcp + +# Option: lines +# Notes.: How many lines to buffer before making a report. Regardless of this, +# reports are sent a minimum of <minreportinterval> apart, or if the +# buffer contains an event over <maxbufferage> old, or on shutdown +# Values: [ NUM ] +# +lines = 50 + +# Option: minreportinterval +# Notes.: Minimum period (in seconds) that must elapse before we submit another +# batch of reports. DShield request a minimum of 1 hour (3600 secs) +# between reports. +# Values: [ NUM ] +# +minreportinterval = 3600 + +# Option: maxbufferage +# Notes.: Maximum age (in seconds) of the oldest report in the buffer before we +# submit the batch, even if we haven't reached <lines> yet. Note that +# this is only checked on each ban/unban, and that we always send +# anything in the buffer on shutdown. Must be greater than +# Values: [ NUM ] +# +maxbufferage = 21600 + +# Option: srcport +# Notes.: The source port of the attack. You're unlikely to have this info, so +# you can leave the default +# Values: [ NUM ] +# +srcport = ??? + +# Option: tcpflags +# Notes.: TCP flags on attack. You're unlikely to have this info, so you can +# leave empty +# Values: [ STRING ] +# +tcpflags = + +# Option: mailcmd +# Notes.: Your system mail command. Is passed 2 args: subject and recipient +# Values: CMD +# +mailcmd = mail -E 'set escape' -s + +# Option: mailargs +# Notes.: Additional arguments to mail command. e.g. for standard Unix mail: +# CC reports to another address: +# -c me@example.com +# Appear to come from a different address (the From address must match +# the one configured at DShield - the '--' indicates arguments to be +# passed to Sendmail): +# -- -f me@example.com +# Values: [ STRING ] +# +mailargs = + +# Option: dest +# Notes.: Destination e-mail address for reports +# Values: [ STRING ] +# +dest = reports@dshield.org + +# Option: tmpfile +# Notes.: Base name of temporary files used for buffering +# Values: [ STRING ] +# +tmpfile = /var/run/fail2ban/tmp-dshield + |
