1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
|
# Fail2Ban configuration file
#
# Author: Russell Odom <russ@gloomytrousers.co.uk>
# Submits attack reports to myNetWatchman (http://www.mynetwatchman.com/)
#
# You MUST configure at least:
# <port> (the port that's being attacked - use number not name).
# <mnwlogin> (your mNW login).
# <mnwpass> (your mNW password).
#
# You SHOULD also provide:
# <myip> (your public IP address, if it's not the address of eth0)
# <protocol> (the protocol in use - defaults to tcp)
#
# Best practice is to provide <port> and <protocol> in jail.conf like this:
# action = mynetwatchman[port=1234,protocol=udp]
#
# ...and create "mynetwatchman.local" with contents something like this:
# [Init]
# mnwlogin = me@example.com
# mnwpass = SECRET
# myip = 10.0.0.1
#
# Another useful configuration value is <getcmd>, if you don't have wget
# installed (an example config for curl is given below)
#
# $Revision$
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
#
# Note: We are currently using <time> for the timestamp because no tag is
# available to indicate the timestamp of the log message(s) which triggered the
# ban. Therefore the timestamps we are using in the report, whilst often only a
# few seconds out, are incorrect. See
# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047
#
actionban = MNWLOGIN=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwlogin>'`
MNWPASS=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwpass>'`
PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
DATETIME=`perl -e '@t=gmtime(<time>);printf "%%4d-%%02d-%%02d+%%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'`
<getcmd> "<mnwurl>?AT=2&AV=0&AgentEmail=$MNWLOGIN&AgentPassword=$MNWPASS&AttackerIP=<ip>&SrcPort=<srcport>&ProtocolID=$PROTOCOL&DestPort=<port>&AttackCount=<failures>&VictimIP=<myip>&AttackDateTime=$DATETIME" 2>&1 >> <tmpfile>.out && grep -q 'Attack Report Insert Successful' <tmpfile>.out && rm -f <tmpfile>.out
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =
[Init]
# Option: port
# Notes.: The target port for the attack (numerical). MUST be provided in
# the jail config, as it cannot be detected here.
# Values: [ NUM ] Default: ???
#
port = 0
# Option: mnwlogin
# Notes.: Your mNW login e-mail address. MUST be provided either in the jail
# config or in a .local file.
# Register at http://www.mynetwatchman.com/reg.asp
# Values: [ STRING ] Default: (empty)
#
mnwlogin =
# Option: mnwpass
# Notes.: The password corresponding to your mNW login e-mail address. MUST be
# provided either in the jail config or in a .local file.
# Values: [ STRING ] Default: (empty)
#
mnwpass =
# Option: myip
# Notes.: The target IP for the attack (your public IP). Should be overridden
# either in the jail config or in a .local file unless your PUBLIC IP
# is the first IP assigned to eth0
# Values: [ an IP address ] Default: Tries to find the IP address of eth0,
# which in most cases will be a private IP, and therefore incorrect
#
myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
# Option: protocol
# Notes.: The protocol over which the attack is happening
# Values: [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp
#
protocol = tcp
# Option: getcmd
# Notes.: A command to fetch a URL. Should output page to STDOUT
# Values: CMD Default: wget
#
getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 --read-timeout=60 --retry-connrefused --output-document=- --user-agent=Fail2Ban
# Alternative value:
# getcmd = curl --silent --show-error --retry 3 --connect-timeout 10 --max-time 60 --user-agent Fail2Ban
# Option: srcport
# Notes.: The source port of the attack. You're unlikely to have this info, so
# you can leave the default
# Values: [ NUM ] Default: 0
#
srcport = 0
# Option: mnwurl
# Notes.: The report service URL on the mNW site
# Values: STRING Default: http://mynetwatchman.com/insertwebreport.asp
#
mnwurl = http://mynetwatchman.com/insertwebreport.asp
# Option: tmpfile
# Notes.: Base name of temporary files
# Values: [ STRING ] Default: /var/run/fail2ban/tmp-mynetwatchman
#
tmpfile = /var/run/fail2ban/tmp-mynetwatchman
|