From 39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2 Mon Sep 17 00:00:00 2001 From: Lukasz Kasprzak Date: Fri, 20 Mar 2026 19:16:32 +0100 Subject: feat: first fully successful run e2e on straper --- .../fail2ban/etc-fail2ban/action.d/abuseipdb.conf | 104 +++++++++ .../public/fail2ban/etc-fail2ban/action.d/apf.conf | 25 +++ .../fail2ban/etc-fail2ban/action.d/apprise.conf | 49 +++++ .../etc-fail2ban/action.d/blocklist_de.conf | 84 ++++++++ .../fail2ban/etc-fail2ban/action.d/bsd-ipfw.conf | 94 ++++++++ .../etc-fail2ban/action.d/cloudflare-token.conf | 93 ++++++++ .../fail2ban/etc-fail2ban/action.d/cloudflare.conf | 88 ++++++++ .../fail2ban/etc-fail2ban/action.d/complain.conf | 121 +++++++++++ .../fail2ban/etc-fail2ban/action.d/dshield.conf | 207 ++++++++++++++++++ .../fail2ban/etc-fail2ban/action.d/dummy.conf | 63 ++++++ .../action.d/firewallcmd-allports.conf | 45 ++++ .../etc-fail2ban/action.d/firewallcmd-common.conf | 76 +++++++ .../etc-fail2ban/action.d/firewallcmd-ipset.conf | 127 +++++++++++ .../action.d/firewallcmd-multiport.conf | 26 +++ .../etc-fail2ban/action.d/firewallcmd-new.conf | 47 ++++ .../action.d/firewallcmd-rich-logging.conf | 29 +++ .../action.d/firewallcmd-rich-rules.conf | 44 ++++ .../etc-fail2ban/action.d/helpers-common.conf | 17 ++ .../fail2ban/etc-fail2ban/action.d/hostsdeny.conf | 62 ++++++ .../fail2ban/etc-fail2ban/action.d/ipfilter.conf | 58 +++++ .../fail2ban/etc-fail2ban/action.d/ipfw.conf | 68 ++++++ .../etc-fail2ban/action.d/iptables-allports.conf | 15 ++ .../action.d/iptables-ipset-proto4.conf | 74 +++++++ .../action.d/iptables-ipset-proto6-allports.conf | 27 +++ .../action.d/iptables-ipset-proto6.conf | 27 +++ .../etc-fail2ban/action.d/iptables-ipset.conf | 96 +++++++++ .../action.d/iptables-multiport-log.conf | 68 ++++++ .../etc-fail2ban/action.d/iptables-multiport.conf | 14 ++ .../etc-fail2ban/action.d/iptables-new.conf | 15 ++ .../action.d/iptables-xt_recent-echo.conf | 87 ++++++++ .../fail2ban/etc-fail2ban/action.d/iptables.conf | 162 ++++++++++++++ .../fail2ban/etc-fail2ban/action.d/ipthreat.conf | 107 +++++++++ .../etc-fail2ban/action.d/mail-buffered.conf | 86 ++++++++ .../etc-fail2ban/action.d/mail-whois-common.conf | 28 +++ .../etc-fail2ban/action.d/mail-whois-lines.conf | 92 ++++++++ .../fail2ban/etc-fail2ban/action.d/mail-whois.conf | 71 ++++++ .../fail2ban/etc-fail2ban/action.d/mail.conf | 65 ++++++ .../fail2ban/etc-fail2ban/action.d/mikrotik.conf | 84 ++++++++ .../etc-fail2ban/action.d/mynetwatchman.conf | 143 ++++++++++++ .../fail2ban/etc-fail2ban/action.d/netscaler.conf | 33 +++ .../etc-fail2ban/action.d/nftables-allports.conf | 17 ++ .../etc-fail2ban/action.d/nftables-common.local | 2 + .../etc-fail2ban/action.d/nftables-multiport.conf | 17 ++ .../fail2ban/etc-fail2ban/action.d/nftables.conf | 203 +++++++++++++++++ .../etc-fail2ban/action.d/nginx-block-map.conf | 117 ++++++++++ .../public/fail2ban/etc-fail2ban/action.d/npf.conf | 61 ++++++ .../fail2ban/etc-fail2ban/action.d/nsupdate.conf | 114 ++++++++++ .../fail2ban/etc-fail2ban/action.d/osx-afctl.conf | 16 ++ .../fail2ban/etc-fail2ban/action.d/osx-ipfw.conf | 87 ++++++++ .../public/fail2ban/etc-fail2ban/action.d/pf.conf | 128 +++++++++++ .../fail2ban/etc-fail2ban/action.d/route.conf | 29 +++ .../etc-fail2ban/action.d/sendmail-buffered.conf | 99 +++++++++ .../etc-fail2ban/action.d/sendmail-common.conf | 77 +++++++ .../action.d/sendmail-geoip-lines.conf | 59 +++++ .../action.d/sendmail-whois-ipjailmatches.conf | 41 ++++ .../action.d/sendmail-whois-ipmatches.conf | 41 ++++ .../action.d/sendmail-whois-lines.conf | 52 +++++ .../action.d/sendmail-whois-matches.conf | 41 ++++ .../etc-fail2ban/action.d/sendmail-whois.conf | 40 ++++ .../fail2ban/etc-fail2ban/action.d/sendmail.conf | 37 ++++ .../action.d/shorewall-ipset-proto6.conf | 101 +++++++++ .../fail2ban/etc-fail2ban/action.d/shorewall.conf | 73 +++++++ .../public/fail2ban/etc-fail2ban/action.d/smtp.py | 240 +++++++++++++++++++++ .../action.d/symbiosis-blacklist-allports.conf | 60 ++++++ .../public/fail2ban/etc-fail2ban/action.d/ufw.conf | 75 +++++++ .../etc-fail2ban/action.d/xarf-login-attack.conf | 143 ++++++++++++ 66 files changed, 4791 insertions(+) create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/abuseipdb.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/apf.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/apprise.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/blocklist_de.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/bsd-ipfw.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/cloudflare-token.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/cloudflare.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/complain.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/dshield.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/dummy.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/firewallcmd-allports.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/firewallcmd-common.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/firewallcmd-ipset.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/firewallcmd-multiport.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/firewallcmd-new.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/firewallcmd-rich-logging.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/firewallcmd-rich-rules.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/helpers-common.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/hostsdeny.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/ipfilter.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/ipfw.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/iptables-allports.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/iptables-ipset-proto4.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/iptables-ipset-proto6-allports.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/iptables-ipset-proto6.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/iptables-ipset.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/iptables-multiport-log.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/iptables-multiport.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/iptables-new.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/iptables-xt_recent-echo.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/iptables.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/ipthreat.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/mail-buffered.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/mail-whois-common.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/mail-whois-lines.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/mail-whois.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/mail.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/mikrotik.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/mynetwatchman.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/netscaler.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/nftables-allports.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/nftables-common.local create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/nftables-multiport.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/nftables.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/nginx-block-map.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/npf.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/nsupdate.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/osx-afctl.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/osx-ipfw.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/pf.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/route.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/sendmail-buffered.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/sendmail-common.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/sendmail-geoip-lines.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/sendmail-whois-ipjailmatches.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/sendmail-whois-ipmatches.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/sendmail-whois-lines.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/sendmail-whois-matches.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/sendmail-whois.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/sendmail.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/shorewall-ipset-proto6.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/shorewall.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/smtp.py create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/symbiosis-blacklist-allports.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/ufw.conf create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/xarf-login-attack.conf (limited to 'straper/db/public/fail2ban/etc-fail2ban/action.d') diff --git a/straper/db/public/fail2ban/etc-fail2ban/action.d/abuseipdb.conf b/straper/db/public/fail2ban/etc-fail2ban/action.d/abuseipdb.conf new file mode 100644 index 0000000..ed958c8 --- /dev/null +++ b/straper/db/public/fail2ban/etc-fail2ban/action.d/abuseipdb.conf @@ -0,0 +1,104 @@ +# Fail2ban configuration file +# +# Action to report IP address to abuseipdb.com +# You must sign up to obtain an API key from abuseipdb.com. +# +# NOTE: These reports may include sensitive Info. +# If you want cleaner reports that ensure no user data see the helper script at the below website. +# +# IMPORTANT: +# +# Reporting an IP of abuse is a serious complaint. Make sure that it is +# serious. Fail2ban developers and network owners recommend you only use this +# action for: +# * The recidive where the IP has been banned multiple times +# * Where maxretry has been set quite high, beyond the normal user typing +# password incorrectly. +# * For filters that have a low likelihood of receiving human errors +# +# This action relies on a api_key being added to the above action conf, +# and the appropriate categories set. +# +# Example, for ssh bruteforce (in section [sshd] of `jail.local`): +# action = %(known/action)s +# abuseipdb[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"] +# +# See below for categories. +# +# Added to fail2ban by Andrew James Collett (ajcollett) + +## abuseIPDB Categories, `the abuseipdb_category` MUST be set in the jail.conf action call. +# Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"] +# ID Title Description +# 3 Fraud Orders +# 4 DDoS Attack +# 9 Open Proxy +# 10 Web Spam +# 11 Email Spam +# 14 Port Scan +# 18 Brute-Force +# 19 Bad Web Bot +# 20 Exploited Host +# 21 Web App Attack +# 22 SSH Secure Shell (SSH) abuse. Use this category in combination with more specific categories. +# 23 IoT Targeted +# See https://abuseipdb.com/categories for more descriptions + +[Definition] + +# bypass action for restored tickets +norestored = 1 + +# Option: actionstart +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). +# Values: CMD +# +actionstart = + +# Option: actionstop +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +# Values: CMD +# +actionstop = + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# +# ** IMPORTANT! ** +# +# By default, this posts directly to AbuseIPDB's API, unfortunately +# this results in a lot of backslashes/escapes appearing in the +# reports. This also may include info like your hostname. +# If you have your own web server with PHP available, you can +# use my (Shaun's) helper PHP script by commenting out the first #actionban +# line below, uncommenting the second one, and pointing the URL at +# wherever you install the helper script. For the PHP helper script, see +# +# +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = lgm=$(printf '%%.1000s\n...' ""); curl -sSf "https://api.abuseipdb.com/api/v2/report" -H "Accept: application/json" -H "Key: " --data-urlencode "comment=$lgm" --data-urlencode "ip=" --data "categories=" + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = + +[Init] +# Option: abuseipdb_apikey +# Notes Your API key from abuseipdb.com +# Values: STRING Default: None +# Register for abuseipdb [https://www.abuseipdb.com], get api key and set below. +# You will need to set the category in the action call. +abuseipdb_apikey = diff --git a/straper/db/public/fail2ban/etc-fail2ban/action.d/apf.conf b/straper/db/public/fail2ban/etc-fail2ban/action.d/apf.conf new file mode 100644 index 0000000..5c4a261 --- /dev/null +++ b/straper/db/public/fail2ban/etc-fail2ban/action.d/apf.conf @@ -0,0 +1,25 @@ +# Fail2Ban configuration file +# https://www.rfxn.com/projects/advanced-policy-firewall/ +# +# Note: APF doesn't play nicely with other actions. It has been observed to +# remove bans created by other iptables based actions. If you are going to use +# this action, use it for all of your jails. +# +# DON'T MIX APF and other IPTABLES based actions +[Definition] + +actionstart = +actionstop = +actioncheck = +actionban = apf --deny "banned by Fail2Ban " +actionunban = apf --remove + +[Init] + +# Name used in APF configuration +# +name = default + +# DEV NOTES: +# +# Author: Mark McKinstry diff --git a/straper/db/public/fail2ban/etc-fail2ban/action.d/apprise.conf b/straper/db/public/fail2ban/etc-fail2ban/action.d/apprise.conf new file mode 100644 index 0000000..37c42ea --- /dev/null +++ b/straper/db/public/fail2ban/etc-fail2ban/action.d/apprise.conf @@ -0,0 +1,49 @@ +# Fail2Ban configuration file +# +# Author: Chris Caron +# +# + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = printf %%b "The jail as been started successfully." | -t "[Fail2Ban] : started on `uname -n`" + +# Option: actionstop +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = printf %%b "The jail has been stopped." | -t "[Fail2Ban] : stopped on `uname -n`" + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = printf %%b "The IP has just been banned by Fail2Ban after attempts against " | -n "warning" -t "[Fail2Ban] : banned from `uname -n`" + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = + +[Init] + +# Define location of the default apprise configuration file to use +# +config = /etc/fail2ban/apprise.conf +# +apprise = apprise -c "" diff --git a/straper/db/public/fail2ban/etc-fail2ban/action.d/blocklist_de.conf b/straper/db/public/fail2ban/etc-fail2ban/action.d/blocklist_de.conf new file mode 100644 index 0000000..ba6d427 --- /dev/null +++ b/straper/db/public/fail2ban/etc-fail2ban/action.d/blocklist_de.conf @@ -0,0 +1,84 @@ +# Fail2Ban configuration file +# +# Author: Steven Hiscocks +# +# + +# Action to report IP address to blocklist.de +# Blocklist.de must be signed up to at www.blocklist.de +# Once registered, one or more servers can be added. +# This action requires the server 'email address' and the associated apikey. +# +# From blocklist.de: +# www.blocklist.de is a free and voluntary service provided by a +# Fraud/Abuse-specialist, whose servers are often attacked on SSH-, +# Mail-Login-, FTP-, Webserver- and other services. +# The mission is to report all attacks to the abuse departments of the +# infected PCs/servers to ensure that the responsible provider can inform +# the customer about the infection and disable them +# +# IMPORTANT: +# +# Reporting an IP of abuse is a serious complaint. Make sure that it is +# serious. Fail2ban developers and network owners recommend you only use this +# action for: +# * The recidive where the IP has been banned multiple times +# * Where maxretry has been set quite high, beyond the normal user typing +# password incorrectly. +# * For filters that have a low likelihood of receiving human errors +# + +[Definition] + +# Option: actionstart +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). +# Values: CMD +# +actionstart = + +# Option: actionstop +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +# Values: CMD +# +actionstop = + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = curl --fail --data-urlencode "server=" --data "apikey=" --data "service=" --data "ip=" --data-urlencode "logs=
" --data 'format=text' --user-agent "" "https://www.blocklist.de/en/httpreports.html" + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = + +# Option: email +# Notes server email address, as per blocklist.de account +# Values: STRING Default: None +# +#email = + +# Option: apikey +# Notes your user blocklist.de user account apikey +# Values: STRING Default: None +# +#apikey = + +# Option: service +# Notes service name you are reporting on, typically aligns with filter name +# see http://www.blocklist.de/en/httpreports.html for full list +# Values: STRING Default: None +# +#service = diff --git a/straper/db/public/fail2ban/etc-fail2ban/action.d/bsd-ipfw.conf b/straper/db/public/fail2ban/etc-fail2ban/action.d/bsd-ipfw.conf new file mode 100644 index 0000000..d002945 --- /dev/null +++ b/straper/db/public/fail2ban/etc-fail2ban/action.d/bsd-ipfw.conf @@ -0,0 +1,94 @@ +# Fail2Ban configuration file +# +# Author: Nick Munger +# Modified by: Ken Menzel +# Daniel Black (start/stop) +# Fabian Wenk (many ideas as per fail2ban users list) +# +# Ensure firewall_enable="YES" in the top of /etc/rc.conf +# + +[Definition] + +# Option: actionstart +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). +# Values: CMD +# +actionstart = ipfw show | fgrep -c -m 1 -s 'table()' > /dev/null 2>&1 || ( + num=$(ipfw show | awk 'BEGIN { b = } { if ($1 == b) { b = $1 + 1 } } END { print b }'); + ipfw -q add "$num" from table\(
\) to me ; echo "$num" > "" + ) + + +# Option: actionstop +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +# Values: CMD +# +actionstop = [ ! -f ] || ( read num < ""
ipfw -q delete $num
rm "" ) + + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +# requires an ipfw rule like "deny ip from table(1) to me" +actionban = e=`ipfw table
add 2>&1`; x=$?; [ $x -eq 0 -o "$e" = 'ipfw: setsockopt(IP_FW_TABLE_XADD): File exists' ] || echo "$e" | grep -q "record already exists" || { echo "$e" 1>&2; exit $x; } + + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = e=`ipfw table
delete 2>&1`; x=$?; [ $x -eq 0 -o "$e" = 'ipfw: setsockopt(IP_FW_TABLE_XDEL): No such process' ] || echo "$e" | grep -q "record not found" || { echo "$e" 1>&2; exit $x; } + +[Init] +# Option: table +# Notes: The ipfw table to use. If a ipfw rule using this table already exists, +# this action will not create a ipfw rule to block it and the following +# options will have no effect. +# Values: NUM +table = 1 + +# Option: port +# Notes.: Specifies port to monitor. Blank indicate block all ports. +# Values: [ NUM | STRING ] +# +port = + +# Option: startstatefile +# Notes: A file to indicate that the table rule that was added. Ensure it is unique per table. +# Values: STRING +startstatefile = /var/run/fail2ban/ipfw-started-table_
+ +# Option: block +# Notes: This is how much to block. +# Can be "ip", "tcp", "udp" or various other options. +# Values: STRING +block = ip + +# Option: blocktype +# Notes.: How to block the traffic. Use a action from man 5 ipfw +# Common values: deny, unreach port, reset +# ACTION definition at the top of man ipfw for allowed values. +# Values: STRING +# +blocktype = unreach port + +# Option: lowest_rule_num +# Notes: When fail2ban starts with action and there is no rule for the given table yet +# then fail2ban will start looking for an empty slot starting with this rule number. +# Values: NUM +lowest_rule_num = 111 + + diff --git a/straper/db/public/fail2ban/etc-fail2ban/action.d/cloudflare-token.conf b/straper/db/public/fail2ban/etc-fail2ban/action.d/cloudflare-token.conf new file mode 100644 index 0000000..ff5f5c4 --- /dev/null +++ b/straper/db/public/fail2ban/etc-fail2ban/action.d/cloudflare-token.conf @@ -0,0 +1,93 @@ +# +# Author: Logic-32 +# +# IMPORTANT +# +# Please set jail.local's permission to 640 because it contains your CF API token. +# +# This action depends on curl. +# +# To get your Cloudflare API token: https://developers.cloudflare.com/api/tokens/create/ +# +# Cloudflare Firewall API: https://developers.cloudflare.com/firewall/api/cf-firewall-rules/endpoints/ + +[Definition] + +# Option: actionstart +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). +# Values: CMD +# +actionstart = + +# Option: actionstop +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +# Values: CMD +# +actionstop = + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: IP address +# number of failures +#
+_nft_get_handle_id = grep -oP '@\s+.*\s+\Khandle\s+(\d+)$' + +_nft_add_set = add set
\{ type \; flags interval\; \} + <_nft_for_proto--iter> + add rule
%(rule_stat)s + <_nft_for_proto--done> +_nft_del_set = { %(_nft_list)s | %(_nft_get_handle_id)s; } | while read -r hdl; do + delete rule
$hdl; done + delete set
+ +# Option: _nft_shutdown_table +# Notes.: command executed after the stop in order to delete table (it checks that no sets are available): +# Values: CMD +# +_nft_shutdown_table = { list table
| grep -qP '^\s+set\s+'; } || { + delete table
+ } + +# Option: actionstart +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). +# Values: CMD +# +actionstart = add table
+ -- add chain
\{ type hook priority \; \} + %(_nft_add_set)s + +# Option: actionflush +# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action); +# uses `nft flush set ...` and as fallback (e. g. unsupported) recreates the set (with references) +# Values: CMD +# +actionflush = { flush set
2> /dev/null; } || { + %(_nft_del_set)s + %(_nft_add_set)s + } + +# Option: actionstop +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +# Values: CMD +# +actionstop = %(_nft_del_set)s + <_nft_shutdown_table> + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = list chain
| grep -q '@[ \t]' + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionban = add element
\{ \} + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: See jail.conf(5) man page +# Values: CMD +# +actionunban = delete element
\{ \} + +[Init] + +# Option: table +# Notes.: main table to store chain and sets (automatically created on demand) +# Values: STRING Default: f2b-table +table = f2b-table + +# Option: table_family +# Notes.: address family to work in +# Values: [ip | ip6 | inet] Default: inet +table_family = inet + +# Option: chain +# Notes.: main chain to store rules +# Values: STRING Default: f2b-chain +chain = f2b-chain + +# Option: chain_type +# Notes.: refers to the kind of chain to be created +# Values: [filter | route | nat] Default: filter +# +chain_type = filter + +# Option: chain_hook +# Notes.: refers to the kind of chain to be created +# Values: [ prerouting | input | forward | output | postrouting ] Default: input +# +chain_hook = input + +# Option: chain_priority +# Notes.: priority in the chain. +# Values: NUMBER Default: -1 +# +chain_priority = -1 + +# Option: addr_type +# Notes.: address type to work with +# Values: [ipv4_addr | ipv6_addr] Default: ipv4_addr +# +addr_type = ipv4_addr + +# Default name of the filtering set +# +name = default + +# Option: port +# Notes.: specifies port to monitor +# Values: [ NUM | STRING ] Default: +# +port = ssh + +# Option: protocol +# Notes.: internally used by config reader for interpolations. +# Values: [ tcp | udp ] Default: tcp +# +protocol = tcp + +# Option: blocktype +# Note: This is what the action does with rules. This can be any jump target +# as per the nftables man page (section 8). Common values are drop, +# reject, reject with icmpx type host-unreachable, redirect to 2222 +# Values: STRING +blocktype = reject + +# Option: nftables +# Notes.: Actual command to be executed, including common to all calls options +# Values: STRING +nftables = nft + +# Option: addr_set +# Notes.: The name of the nft set used to store banned addresses +# Values: STRING +addr_set = addr-set- + +# Option: addr_family +# Notes.: The family of the banned addresses +# Values: [ ip | ip6 ] +addr_family = ip + +[Init?family=inet6] +addr_family = ip6 +addr_type = ipv6_addr +addr_set = addr6-set- diff --git a/straper/db/public/fail2ban/etc-fail2ban/action.d/nginx-block-map.conf b/straper/db/public/fail2ban/etc-fail2ban/action.d/nginx-block-map.conf new file mode 100644 index 0000000..0de382b --- /dev/null +++ b/straper/db/public/fail2ban/etc-fail2ban/action.d/nginx-block-map.conf @@ -0,0 +1,117 @@ +# Fail2Ban configuration file for black-listing via nginx +# +# Author: Serg G. Brester (aka sebres) +# +# To use 'nginx-block-map' action you should define some special blocks in your nginx configuration, +# and use it hereafter in your locations (to notify fail2ban by failure, resp. nginx by ban). +# +# Example (argument "token_id" resp. cookie "session_id" used here as unique identifier for user): +# +# http { +# ... +# # maps to check user is blacklisted (banned in f2b): +# #map $arg_token_id $blck_lst_tok { include blacklisted-tokens.map; } +# map $cookie_session_id $blck_lst_ses { include blacklisted-sessions.map; } +# ... +# # special log-format to notify fail2ban about failures: +# log_format f2b_session_errors '$msec failure "$cookie_session_id" - $remote_addr - $remote_user ' +# ;# '"$request" $status $bytes_sent ' +# # '"$http_referer" "$http_user_agent"'; +# +# # location checking blacklisted values: +# location ... { +# # check banned sessionid: +# if ($blck_lst_ses != "") { +# try_files "" @f2b-banned; +# } +# ... +# # notify fail2ban about a failure inside nginx: +# error_page 401 = @notify-f2b; +# ... +# } +# ... +# # location for return with "403 Forbidden" if banned: +# location @f2b-banned { +# default_type text/html; +# return 403 "
+# +# You are banned!
"; +# } +# ... +# # location to notify fail2ban about a failure inside nginx: +# location @notify-f2b { +# access_log /var/log/nginx/f2b-auth-errors.log f2b_session_errors; +# } +# } +# ... +# +# Note that quote-character (and possibly other special characters) are not allowed currently as session-id. +# Thus please add any session-id validation rule in your locations (or in the corresponding backend-service), +# like in example below: +# +# location ... { +# if ($cookie_session_id !~ "^[\w\-]+$") { +# return 403 "Wrong session-id" +# } +# ... +# } +# +# The parameters for jail corresponding log-format (f2b_session_errors): +# +# [nginx-blck-lst] +# filter = +# datepattern = ^Epoch +# failregex = ^ failure "[^"]+" - +# usedns = no +# +# The same log-file can be used for IP-related jail (additionally to session-related, to ban very bad IPs): +# +# [nginx-blck-ip] +# maxretry = 100 +# filter = +# datepattern = ^Epoch +# failregex = ^ failure "[^"]+" - +# usedns = no +# + +[Definition] + +# path to configuration of nginx (used to target nginx-instance in multi-instance system, +# and as path for the blacklisted map): +srv_cfg_path = /etc/nginx/ + +# cmd-line arguments to supply to test/reload nginx: +#srv_cmd = nginx -c %(srv_cfg_path)s/nginx.conf +srv_cmd = nginx + +# pid file (used to check nginx is running): +srv_pid = /run/nginx.pid + +# command used to check whether nginx is running and configuration is valid: +srv_is_running = [ -f "%(srv_pid)s" ] +srv_check_cmd = %(srv_is_running)s && %(srv_cmd)s -qt + +# first test nginx is running and configuration is correct, hereafter send reload signal: +blck_lst_reload = %(srv_check_cmd)s; if [ $? -eq 0 ]; then + %(srv_cmd)s -s reload; if [ $? -ne 0 ]; then echo 'reload failed.'; fi; + fi; + +# map-file for nginx, can be redefined using `action = nginx-block-map[blck_lst_file="/path/file.map"]`: +blck_lst_file = %(srv_cfg_path)s/blacklisted-sessions.map + +# Action definition: + +actionstart_on_demand = false +actionstart = touch '%(blck_lst_file)s' + +actionflush = truncate -s 0 '%(blck_lst_file)s'; %(blck_lst_reload)s + +actionstop = %(actionflush)s + +actioncheck = + +_echo_blck_row = printf '\%%s 1;\n' "" + +actionban = %(_echo_blck_row)s >> '%(blck_lst_file)s'; %(blck_lst_reload)s + +actionunban = id=$(%(_echo_blck_row)s | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^$id$/d" %(blck_lst_file)s; %(blck_lst_reload)s diff --git a/straper/db/public/fail2ban/etc-fail2ban/action.d/npf.conf b/straper/db/public/fail2ban/etc-fail2ban/action.d/npf.conf new file mode 100644 index 0000000..3bbb2f5 --- /dev/null +++ b/straper/db/public/fail2ban/etc-fail2ban/action.d/npf.conf @@ -0,0 +1,61 @@ +# Fail2Ban configuration file +# +# NetBSD npf ban/unban +# +# Author: Nils Ratusznik +# Based on pf.conf action file +# + +[Definition] + +# Option: actionstart +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). +# Values: CMD +# +# we don't enable NPF automatically, as it will be enabled elsewhere +actionstart = + + +# Option: actionstop +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +# Values: CMD +# +# we don't disable NPF automatically either +actionstop = + + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: IP address +# number of failures +#