diff options
author | Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> | 2010-05-01 13:26:02 +0000 |
---|---|---|
committer | Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> | 2010-05-01 13:26:02 +0000 |
commit | 4f4f0399efa4309beb8027c533a6fff9709921af (patch) | |
tree | ed7921160e80500e4155d7dcbfd8dabd94fc70e2 | |
parent | 5aec43ae352cb17e03924fce6c26d2b6fbdddfd6 (diff) | |
download | fail2ban-4f4f0399efa4309beb8027c533a6fff9709921af.tar.gz |
added psad filter and jail, needs some reviewing. works OK.
git-svn-id: https://fail2ban.svn.sourceforge.net/svnroot/fail2ban/trunk@759 a942ae1a-1317-0410-a47c-b1dcaea8d605
-rw-r--r-- | config/filter.d/psad.conf | 19 | ||||
-rw-r--r-- | config/jail.conf | 18 |
2 files changed, 35 insertions, 2 deletions
diff --git a/config/filter.d/psad.conf b/config/filter.d/psad.conf new file mode 100644 index 00000000..b19d45da --- /dev/null +++ b/config/filter.d/psad.conf @@ -0,0 +1,19 @@ +# Fail2Ban configuration file +# +# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> +# + +[Definition] + +# Option: failregex +# Notes.: regex to match psad "scan detected" line, example: +# +# Apr 30 23:35:06 mx4 psad: scan detected: 221.192.199.49 -> 85.13.200.90 tcp: [8000] flags: SYN tcp pkts: 1 DL: 2 +# +failregex = ^.*\ psad\:\ scan\ detected\:\ <HOST>\ \-\>\ .*$ + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = diff --git a/config/jail.conf b/config/jail.conf index 1fc8c4aa..75c53b76 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -153,8 +153,9 @@ action = shorewall logpath = /var/log/apache2/error_log # Ban attackers that try to use PHP's URL-fopen() functionality -# through GET/POST variables. - Experimental, with more than a year -# of usage in production environments. +# through GET/POST variables. +# Make sure you edit the filter if you need to allow certain requests. +# Adapt logpath as required! [php-url-fopen] @@ -231,3 +232,16 @@ action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] logpath = /var/log/named/security.log ignoreip = 168.192.0.1 + +# PSAD support for fail2ban by Buanzo. +# psad detects portscans, and logs the details to /var/log/messages +# With this jail, you can ban attackers that portscan you (for example, with the excellent Nmap) +# TODO: It needs a proper action, and decide on default port range/list + +[psad] + +enabled = false +port = ssh,http,https,smtp,ftp +filter = psad +logpath = /var/log/messages +maxretry = 1 |