Compare commits
33 Commits
Author | SHA1 | Date |
---|---|---|
Daniel Berteaud | a9211f5f93 | |
Daniel Berteaud | bc93ec4649 | |
Daniel Berteaud | 3738f0a5bf | |
Daniel Berteaud | f96b380bcb | |
Daniel Berteaud | 5e941c60c9 | |
Daniel Berteaud | 8584e39c21 | |
Daniel Berteaud | 885ab8ac54 | |
Daniel Berteaud | 96a290ca5e | |
Daniel Berteaud | 0b1549615d | |
Daniel Berteaud | 7ed43d4171 | |
Daniel Berteaud | 2ab1d8ab05 | |
Daniel Berteaud | 756a93cb37 | |
Daniel Berteaud | 07c989d8ce | |
Daniel Berteaud | 9fb1fe4b75 | |
Daniel Berteaud | 5b1a6c367a | |
Daniel Berteaud | 13cf1a2f6e | |
Daniel Berteaud | 65854c6909 | |
Daniel Berteaud | a0f024c486 | |
Daniel Berteaud | 35b64f0502 | |
Daniel Berteaud | 97e122e4cb | |
Daniel Berteaud | bc63b7a9fe | |
Daniel Berteaud | 30db831b06 | |
Daniel Berteaud | b23fc96e2e | |
Daniel Berteaud | bd770e2f11 | |
Daniel Berteaud | 1db538bbd0 | |
Daniel Berteaud | 42b940281f | |
Daniel Berteaud | 8d1b7034ed | |
Daniel Berteaud | 27fffc9ef4 | |
Daniel Berteaud | 593c151120 | |
Daniel Berteaud | a862d25328 | |
Daniel Berteaud | fbc84a6219 | |
Daniel Berteaud | f214e95046 | |
Daniel Berteaud | 9ef3a867ec |
|
@ -17,7 +17,11 @@ safe_symlink("restart", "root/etc/e-smith/events/fail2ban-conf/services2adjust/f
|
|||
safe_symlink("restart", "root/etc/e-smith/events/network-create/services2adjust/fail2ban");
|
||||
safe_symlink("restart", "root/etc/e-smith/events/network-delete/services2adjust/fail2ban");
|
||||
safe_symlink("restart", "root/etc/e-smith/events/remoteaccess-update/services2adjust/fail2ban");
|
||||
event_link("fail2ban-suspend-logs", "logrotate", "02");
|
||||
event_link("fail2ban-resume-logs", "logrotate", "98");
|
||||
|
||||
service_link_enhanced("fail2ban", "S92", "7");
|
||||
safe_touch("root/var/log/fail2ban/daemon.log");
|
||||
|
||||
service_link_enhanced("fail2ban", "S99", "7");
|
||||
service_link_enhanced("fail2ban", "K08", "6");
|
||||
service_link_enhanced("fail2ban", "K08", "0");
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
#!/bin/sh
|
||||
|
||||
STATUS=$(/sbin/e-smith/db configuration getprop fail2ban status || echo disabled)
|
||||
if [ "$STATUS" != "enabled" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
sleep 1
|
||||
# Makes sure /var/log/httpd/error_log is not a dangling symlink
|
||||
[ -e /var/log/httpd/error_log ] || touch /var/log/httpd/error_log
|
||||
for JAIL in http-overflows http-noscript http-scan http-auth; do
|
||||
/usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
/usr/bin/fail2ban-client set $JAIL addlogpath /var/log/httpd/error_log
|
||||
fi
|
||||
done
|
||||
|
||||
[ -e /var/log/secure ] || touch /var/log/secure
|
||||
for JAIL in pam-generic ftp; do
|
||||
/usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
/usr/bin/fail2ban-client set $JAIL addlogpath /var/log/secure
|
||||
fi
|
||||
done
|
||||
|
||||
[ -e /var/log/messages ] || touch /var/log/messages
|
||||
for JAIL in lemonldap; do
|
||||
/usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
/usr/bin/fail2ban-client set $JAIL addlogpath /var/log/messages
|
||||
fi
|
||||
done
|
|
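Review bot: The three `touch` calls that recreate a missing log (`/var/log/httpd/error_log`, `/var/log/secure`, `/var/log/messages`) run under whatever umask the logrotate event has, which is not visible here; with the usual 022 a recreated `/var/log/secure` would be world-readable. Setting `umask 077` near the top of the script, before the first `touch`, would keep a recreated auth log private until syslog or logrotate applies its own mode. Separately, the exit status of each `fail2ban-client set $JAIL addlogpath …` is discarded, so a jail that fails to re-attach its log stays unmonitored without any trace; appending `|| logger -t fail2ban-resume-logs "addlogpath failed for $JAIL"` to each call would make that visible. The same unchecked `set` call appears in the `dellogpath` loops of the suspend script in the next file section.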
@ -0,0 +1,27 @@
|
|||
#!/bin/sh
|
||||
|
||||
STATUS=$(/sbin/e-smith/db configuration getprop fail2ban status || echo disabled)
|
||||
if [ "$STATUS" != "enabled" ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
for JAIL in http-overflows http-noscript http-scan http-auth; do
|
||||
/usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
/usr/bin/fail2ban-client set $JAIL dellogpath /var/log/httpd/error_log
|
||||
fi
|
||||
done
|
||||
|
||||
for JAIL in pam-generic ftp; do
|
||||
/usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
/usr/bin/fail2ban-client set $JAIL dellogpath /var/log/secure
|
||||
fi
|
||||
done
|
||||
|
||||
for JAIL in lemonldap; do
|
||||
/usr/bin/fail2ban-client status $JAIL > /dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
/usr/bin/fail2ban-client set $JAIL dellogpath /var/log/messages
|
||||
fi
|
||||
done
|
|
@ -1,4 +1,8 @@
|
|||
[Definition]
|
||||
loglevel = 3
|
||||
loglevel = INFO
|
||||
logtarget = /var/log/fail2ban/daemon.log
|
||||
syslogsocket = auto
|
||||
socket = /var/run/fail2ban/fail2ban.sock
|
||||
pidfile = /var/run/fail2ban/fail2ban.pid
|
||||
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
|
||||
dbpurgeage = 604800
|
||||
|
|
|
@ -9,9 +9,11 @@ my $n = esmith::NetworksDB->open_ro() ||
|
|||
my @ip = ("127.0.0.0/8", $LocalIP);
|
||||
|
||||
# Add hosts which can access the server-manager to the whitelist
|
||||
foreach (split /[,;]/, (${'httpd-admin'}{'ValidFrom'} || '')){
|
||||
my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$_");
|
||||
push @ip, "$ip/$bits";
|
||||
unless (($fail2ban{FilterValidRemoteHosts} || 'disabled') eq 'enabled'){
|
||||
foreach (split /[,;]/, (${'httpd-admin'}{'ValidFrom'} || '')){
|
||||
my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$_");
|
||||
push @ip, "$ip/$bits" unless "$ip/$bits" eq '0.0.0.0/0';
|
||||
}
|
||||
}
|
||||
|
||||
unless (($fail2ban{FilterLocalNetworks} || 'disabled') eq 'enabled'){
|
||||
|
@ -25,7 +27,9 @@ unless (($fail2ban{FilterLocalNetworks} || 'disabled') eq 'enabled'){
|
|||
|
||||
# Add a local whitelist
|
||||
foreach (split /[,;]/, ($fail2ban{'IgnoreIP'} || '')){
|
||||
my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$_");
|
||||
my $addr = $_;
|
||||
$addr .= '/32' unless ($addr =~ m/\/\d{1,2}$/);
|
||||
my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$addr");
|
||||
push @ip, "$ip/$bits";
|
||||
}
|
||||
|
||||
|
|
|
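Review bot: In the IgnoreIP loop, each comma- or semicolon-separated entry reaches `Net::IPv4Addr::ipv4_parse` without trimming or validation, and the new `/32` test `m/\/\d{1,2}$/` only recognises a CIDR suffix. An entry with trailing whitespace, or one written with a dotted netmask (the form the changelog's `0.0.0.0/0.0.0.0` suggests is used for ValidFrom), would get `/32` appended to a value that already carries a mask or reach the parser malformed. If `ipv4_parse` dies on bad input, as I believe it does, one typo in the property would abort expansion of the whole jail configuration; wrapping the parse in `eval { … }` and skipping the entry with a `warn` would keep the rest of the whitelist and the jails intact. A cheap first step is `(my $addr = $_) =~ s/^\s+|\s+$//g;` followed by `$addr .= '/32' unless $addr =~ m{/};`. The enclosing template starts and ends outside the hunks.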
@ -55,4 +55,43 @@ EOF
|
|||
|
||||
$OUT .= " smeserver-sendmail[name=\"Apache (auth)\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[http-badbots]
|
||||
enabled = true
|
||||
filter = apache-badbots
|
||||
logpath = /var/log/httpd/error_log
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"Apache (badbots)\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[http-shellshock]
|
||||
enabled = true
|
||||
filter = apache-shellshock
|
||||
logpath = /var/log/httpd/error_log
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"Apache (shellshock)\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[http-fakegooglebot]
|
||||
enabled = true
|
||||
filter = apache-fakegooglebot
|
||||
logpath = /var/log/httpd/error_log
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"Apache (fakegooglebot)\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
|
|
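Review bot: The new `[http-badbots]` and `[http-fakegooglebot]` jails set `logpath = /var/log/httpd/error_log`, but upstream fail2ban ships the `apache-badbots` and `apache-fakegooglebot` filters for the access log, so unless these filters were adapted locally the two jails would load without ever matching a line. Pointing them at the Apache access log would fix that; `[http-shellshock]` on the error log looks consistent with upstream. In addition, none of the three new jails appears in the `for JAIL in http-overflows http-noscript http-scan http-auth` lists of the logrotate suspend/resume scripts added elsewhere in this compare. If that step is what lets fail2ban follow the rotated Apache log, the new names should be added to both lists. The enclosing template block starts before this hunk.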
@ -10,7 +10,7 @@ my $port = join (",", @ports);
|
|||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[sogo]
|
||||
[lemonldap]
|
||||
enabled = true
|
||||
filter = lemonldap-ng
|
||||
logpath = /var/log/messages
|
||||
|
|
|
@ -9,7 +9,7 @@ $OUT .=<<"EOF";
|
|||
|
||||
[ejabberd]
|
||||
enabled = true
|
||||
filter = ejabberd
|
||||
filter = ejabberd-auth
|
||||
logpath = /var/log/ejabberd.run/current
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
|
|
@ -1,6 +1,9 @@
|
|||
|
||||
[Definition]
|
||||
|
||||
actionstart =
|
||||
actionstop =
|
||||
actioncheck =
|
||||
actionban = /sbin/e-smith/smeserver-fail2ban --host=<ip> --proto=<protocol> --port=<port> --bantime=<bantime>
|
||||
actionunban = /sbin/e-smith/smeserver-fail2ban --host=<ip> --unban --proto=<protocol> --port=<port>
|
||||
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
[Definition]
|
||||
ignoreregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: /etc/httpd/conf/proxy/proxy\.pac\s*$
|
|
@ -1,7 +1,7 @@
|
|||
[Definition]
|
||||
re_pma = (admin|administrator|database|db|sql|typo3|xampp\/)?(pma|PMA|phpmyadmin|phpMyAdmin(\-?[\d\.\-]+((rc|pl|beta)\d+)?)?|myadmin|mysql|mysqladmin|sqladmin|mypma|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2|php\-my\-admin|sqlmanager|websql|sqlweb|MyAdmin|phpadmin|sql|pma2005|databaseadmin|phpmanager)(\/main\.php|setup\.php|read_dump\.php|read_dump\.phpmain\.php)?
|
||||
re_admin = administrator(\/index\.php)?|manager(\/(status|html))?|webadmin|ecrire|admin((\.php)|(\/(config|login)\.php))?|mailadmin|setup\.php|admin\/modules\/backup\/page\.backup\.php
|
||||
re_proxy = freenode-proxy-checker\.txt|proxy|proxychecker|proxyheader\.php
|
||||
re_proxy = freenode-proxy-checker\.txt|proxychecker|proxyheader\.php
|
||||
re_various = vtigercrm|typo3|scripts|wp\-admin|wp\-login\.php|wordpress|horde(\d+(\/+README)?)?|w00tw00t\.*|\/?plmplmplm\/plm\.php
|
||||
|
||||
failregex = \[client <HOST>\] File does not exist: .*\/(%(re_pma)s|%(re_admin)s|%(re_proxy)s|%(re_various)s)$
|
||||
|
|
|
@ -1,4 +0,0 @@
|
|||
[Definition]
|
||||
|
||||
failregex = Failed authentication for .*@.* from IP <HOST>
|
||||
ignoreregex =
|
|
@ -5,5 +5,7 @@ before = common.conf
|
|||
|
||||
_daemon = qpsmtpd
|
||||
|
||||
failregex = ^\s*\d+\s*logging::logterse plugin \(deny\): ` <HOST>\s*.*90\d.*msg denied before queued$
|
||||
failregex = ^\s*\d+\s*logging::logterse plugin \(deny\): ` <HOST>\s*.*90\d.*msg denied before queued$
|
||||
^\s*\d+\s*\(deny\) logging::logterse: ` <HOST>\s*.*90\d.*msg denied before queued$
|
||||
|
||||
ignoreregex =
|
||||
|
|
|
@ -1,20 +0,0 @@
|
|||
# /etc/fail2ban/filter.d/sogo-auth.conf
|
||||
#
|
||||
# Fail2Ban configuration file
|
||||
# By Arnd Brandes
|
||||
# SOGo
|
||||
#
|
||||
|
||||
[Definition]
|
||||
# Option: failregex
|
||||
# Filter Ban in /var/log/sogo/sogo.log
|
||||
# Note: the error log may contain multiple hosts, whereas the first one
|
||||
# is the client and all others are poxys. We match the first one, only
|
||||
|
||||
failregex = Login from '<HOST>' for user '.*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$
|
||||
|
||||
# Option: ignoreregex
|
||||
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||
# Values: TEXT
|
||||
#
|
||||
ignoreregex =
|
|
@ -1,4 +1,4 @@
|
|||
%define version 0.1.3
|
||||
%define version 0.1.17
|
||||
%define release 1
|
||||
%define name smeserver-fail2ban
|
||||
|
||||
|
@ -7,6 +7,7 @@ Summary: fail2ban integration on SME Server
|
|||
Name: %{name}
|
||||
Version: %{version}
|
||||
Release: %{release}%{?dist}
|
||||
Epoch: 9
|
||||
License: GPL
|
||||
Group: Networking/Daemons
|
||||
Source: %{name}-%{version}.tar.gz
|
||||
|
@ -22,6 +23,55 @@ Requires: fail2ban
|
|||
Configure fail2ban on SME Server
|
||||
|
||||
%changelog
|
||||
* Thu Nov 17 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.1.17-1.sme
|
||||
- Makes sur log files exist before resuming monitoring after a logrotate
|
||||
[SME: 9875]
|
||||
|
||||
* Tue Aug 2 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.1.16-1.sme
|
||||
- Add a new prop (FilterValidRemoteHosts) to allow blacklisting of hosts allowed
|
||||
to access the server-manager
|
||||
- Ignore 0.0.0.0/0.0.0.0 by default [SME: 9719]
|
||||
|
||||
* Tue Jul 5 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.1.15-1.sme
|
||||
- Fix compat with older qpsmtpd
|
||||
|
||||
* Thu Jun 9 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.1.14-1.sme
|
||||
- Update regex for qpsmtpd 0.96
|
||||
|
||||
* Mon Feb 29 2016 Daniel Berteaud <daniel@firewall-services.com> - 0.1.13-1.sme
|
||||
- Ignore failure to get proxy.pac
|
||||
|
||||
* Fri Jul 24 2015 Daniel Berteaud <daniel@firewall-services.com> - 0.1.12-1.sme
|
||||
- Updates for fail2ban 0.9.2
|
||||
- Add more httpd jails
|
||||
- Switch to upstream Ejabberd filter
|
||||
|
||||
* Wed Apr 15 2015 Daniel Berteaud <daniel@firewall-services.com> - 0.1.11-1.sme
|
||||
- Start fail2ban a bit later [SME: 8708]
|
||||
|
||||
* Tue Jan 27 2015 Daniel Berteaud <daniel@firewall-services.com> - 0.1.10-1.sme
|
||||
- Suspend log monitoring during logrotate [SME: 8708]
|
||||
|
||||
* Thu Jan 15 2015 Daniel Berteaud <daniel@firewall-services.com> - 0.1.9-1.sme
|
||||
- Fix LL::NG jail name
|
||||
|
||||
* Wed Sep 17 2014 Daniel Berteaud <daniel@firewall-services.com> - 0.1.8-1.sme
|
||||
- Restart fail2ban during logrotate event so it re-open apache log file [SME: 8557]
|
||||
|
||||
* Wed Jun 25 2014 Daniel Berteaud <daniel@firewall-services.com> - 0.1.7-1.sme
|
||||
- Correctly handle single IP in IgnoreIP prop
|
||||
|
||||
* Tue Jun 24 2014 Daniel Berteaud <daniel@firewall-services.com> - 0.1.6-1.sme
|
||||
- Relax proxy regex so requests for proxy.pac aren't matched
|
||||
|
||||
* Mon Jun 23 2014 Daniel Berteaud <daniel@firewall-services.com> - 0.1.5-1.sme
|
||||
- Pre-create the logfile so fail2ban can start the first time
|
||||
- Remove most warnings on startup
|
||||
|
||||
* Wed Apr 23 2014 Daniel Berteaud <daniel@firewall-services.com> - 0.1.4-1.sme
|
||||
- New branch for SME9
|
||||
- Remove sogo-auth.conf which is included in EL6 build of fail2ban
|
||||
|
||||
* Wed Dec 18 2013 Daniel Berteaud <daniel@firewall-services.com> - 0.1.3-1.sme
|
||||
- Fix port, which was incorrectly set to proto
|
||||
|
||||
|
@ -48,7 +98,9 @@ perl createlinks
|
|||
/bin/rm -f %{name}-%{version}-filelist
|
||||
/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
|
||||
--dir /var/log/fail2ban 'attr(0750,root,root)' \
|
||||
--file /var/log/fail2ban/daemon.log 'config(noreplace) %attr(0600,root,root)' \
|
||||
--file /etc/cron.daily/cleanup_fail2ban 'attr(0755,root,root)' \
|
||||
--file /etc/fail2ban/filter.d/apache-auth.local 'config(noreplace) %attr(0644,root,root)' \
|
||||
> %{name}-%{version}-filelist
|
||||
|
||||
%files -f %{name}-%{version}-filelist
|
||||
|
|