diff options
Diffstat (limited to 'straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf')
| -rw-r--r-- | straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf | 207 |
1 files changed, 0 insertions, 207 deletions
diff --git a/straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf b/straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf deleted file mode 100644 index 3d5a7a5..0000000 --- a/straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf +++ /dev/null @@ -1,207 +0,0 @@ -# Fail2Ban configuration file -# -# Author: Russell Odom <russ@gloomytrousers.co.uk> -# Submits attack reports to DShield (http://www.dshield.org/) -# -# You MUST configure at least: -# <port> (the port that's being attacked - use number not name). -# -# You SHOULD also provide: -# <myip> (your public IP address, if it's not the address of eth0) -# <userid> (your DShield userID, if you have one - recommended, but reports will -# be used anonymously if not) -# <protocol> (the protocol in use - defaults to tcp) -# -# Best practice is to provide <port> and <protocol> in jail.conf like this: -# action = dshield[port=1234,protocol=tcp] -# -# ...and create "dshield.local" with contents something like this: -# [Init] -# myip = 10.0.0.1 -# userid = 12345 -# -# Other useful configuration values are <mailargs> (you can use for specifying -# a different sender address for the report e-mails, which should match what is -# configured at DShield), and <lines>/<minreportinterval>/<maxbufferage> (to -# configure how often the buffer is flushed). -# - -[Definition] - -# bypass ban/unban for restored tickets -norestored = 1 - -# Option: actionstart -# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). -# Values: CMD -# -actionstart = - -# Option: actionstop -# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) -# Values: CMD -# -actionstop = if [ -f <tmpfile>.buffer ]; then - cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest> - date +%%s > <tmpfile>.lastsent - fi - rm -f <tmpfile>.buffer <tmpfile>.first - -# Option: actioncheck -# Notes.: command executed once before each actionban command -# Values: CMD -# -actioncheck = - -# Option: actionban -# Notes.: command executed when banning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: See jail.conf(5) man page -# Values: CMD -# -# See http://www.dshield.org/specs.html for more on report format/notes -# -# Note: We are currently using <time> for the timestamp because no tag is -# available to indicate the timestamp of the log message(s) which triggered the -# ban. Therefore the timestamps we are using in the report, whilst often only a -# few seconds out, are incorrect. See -# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047 -# -actionban = TZONE=`date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` - DATETIME="`perl -e '@t=localtime(<time>);printf "%%4d-%%02d-%%02d %%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'` $TZONE" - PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols` - if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi - printf %%b "$DATETIME\t<userid>\t<failures>\t<ip>\t<srcport>\t<myip>\t<port>\t$PROTOCOL\t<tcpflags>\n" >> <tmpfile>.buffer - NOW=`date +%%s` - if [ ! -f <tmpfile>.first ]; then - echo <time> | cut -d. -f1 > <tmpfile>.first - fi - if [ ! -f <tmpfile>.lastsent ]; then - echo 0 > <tmpfile>.lastsent - fi - LOGAGE=$(($NOW - `cat <tmpfile>.first`)) - LASTREPORT=$(($NOW - `cat <tmpfile>.lastsent`)) - LINES=$( wc -l <tmpfile>.buffer | awk '{ print $1 }' ) - if [ $LINES -ge <lines> && $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]; then - cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ $TZONE Fail2Ban" <mailargs> <dest> - rm -f <tmpfile>.buffer <tmpfile>.first - echo $NOW > <tmpfile>.lastsent - fi - -# Option: actionunban -# Notes.: command executed when unbanning an IP. Take care that the -# command is executed with Fail2Ban user rights. -# Tags: See jail.conf(5) man page -# Values: CMD -# -actionunban = if [ -f <tmpfile>.first ]; then - NOW=`date +%%s` - LOGAGE=$(($NOW - `cat <tmpfile>.first`)) - if [ $LOGAGE -gt <maxbufferage> ]; then - cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest> - rm -f <tmpfile>.buffer <tmpfile>.first - echo $NOW > <tmpfile>.lastsent - fi - fi - - -[Init] -# Option: port -# Notes.: The target port for the attack (numerical). MUST be provided in the -# jail config, as it cannot be detected here. -# Values: [ NUM ] -# -port = ??? - -# Option: userid -# Notes.: Your DShield user ID. Should be provided either in the jail config or -# in a .local file. -# Register at https://secure.dshield.org/register.html -# Values: [ NUM ] -# -userid = 0 - -# Option: myip -# Notes.: The target IP for the attack (your public IP). Should be provided -# either in the jail config or in a .local file unless your PUBLIC IP -# is the first IP assigned to eth0 -# Values: [ an IP address ] Default: Tries to find the IP address of eth0, -# which in most cases will be a private IP, and therefore incorrect -# -myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'` - -# Option: protocol -# Notes.: The protocol over which the attack is happening -# Values: [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp -# -protocol = tcp - -# Option: lines -# Notes.: How many lines to buffer before making a report. Regardless of this, -# reports are sent a minimum of <minreportinterval> apart, or if the -# buffer contains an event over <maxbufferage> old, or on shutdown -# Values: [ NUM ] -# -lines = 50 - -# Option: minreportinterval -# Notes.: Minimum period (in seconds) that must elapse before we submit another -# batch of reports. DShield request a minimum of 1 hour (3600 secs) -# between reports. -# Values: [ NUM ] -# -minreportinterval = 3600 - -# Option: maxbufferage -# Notes.: Maximum age (in seconds) of the oldest report in the buffer before we -# submit the batch, even if we haven't reached <lines> yet. Note that -# this is only checked on each ban/unban, and that we always send -# anything in the buffer on shutdown. Must be greater than -# Values: [ NUM ] -# -maxbufferage = 21600 - -# Option: srcport -# Notes.: The source port of the attack. You're unlikely to have this info, so -# you can leave the default -# Values: [ NUM ] -# -srcport = ??? - -# Option: tcpflags -# Notes.: TCP flags on attack. You're unlikely to have this info, so you can -# leave empty -# Values: [ STRING ] -# -tcpflags = - -# Option: mailcmd -# Notes.: Your system mail command. Is passed 2 args: subject and recipient -# Values: CMD -# -mailcmd = mail -E 'set escape' -s - -# Option: mailargs -# Notes.: Additional arguments to mail command. e.g. for standard Unix mail: -# CC reports to another address: -# -c me@example.com -# Appear to come from a different address (the From address must match -# the one configured at DShield - the '--' indicates arguments to be -# passed to Sendmail): -# -- -f me@example.com -# Values: [ STRING ] -# -mailargs = - -# Option: dest -# Notes.: Destination e-mail address for reports -# Values: [ STRING ] -# -dest = reports@dshield.org - -# Option: tmpfile -# Notes.: Base name of temporary files used for buffering -# Values: [ STRING ] -# -tmpfile = /var/run/fail2ban/tmp-dshield - |
