initial commit of file from CVS for smeserver-fail2ban on Sat Sep 7 19:53:17 AEST 2024
@@ -0,0 +1,22 @@
|
||||
#Only non rpm owned files are backupe there
|
||||
{
|
||||
use RPM2;
|
||||
my $rpm_db = RPM2->open_rpm_db();
|
||||
|
||||
my @dirs = qw(
|
||||
/etc/fail2ban
|
||||
/etc/fail2ban/action.d
|
||||
/etc/fail2ban/fail2ban.d
|
||||
/etc/fail2ban/filter.d
|
||||
/etc/fail2ban/jail.d
|
||||
);
|
||||
|
||||
foreach my $some_dir (@dirs) {
|
||||
opendir(my $dh, $some_dir) || die "Can't open $some_dir: $!";
|
||||
while ( (my $file = readdir $dh) ) {
|
||||
next if $file =~ /^\.{1,2}$/;
|
||||
$OUT .= "$some_dir/$file\n" unless $rpm_db->find_by_file("$some_dir/$file");
|
||||
}
|
||||
closedir $dh;
|
||||
}
|
||||
}
|
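Review bot: `opendir(my $dh, $some_dir) || die "Can't open $some_dir: $!";` aborts the whole fragment on the first directory that cannot be opened, so one absent directory (`/etc/fail2ban/fail2ban.d` may not exist on every install) leaves nothing at all in the backup list; `opendir(my $dh, $some_dir) or do { warn "Can't open $some_dir: $!"; next };` keeps the remaining directories. The scan is one level deep, so files inside a sub-directory that is itself not RPM-owned are never listed — worth a comment if that is intended. The header comment also reads better as `# Only files not owned by an RPM are backed up from here`.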
@@ -0,0 +1,8 @@
|
||||
[Definition]
|
||||
loglevel = INFO
|
||||
logtarget = /var/log/fail2ban/daemon.log
|
||||
syslogsocket = auto
|
||||
socket = /var/run/fail2ban/fail2ban.sock
|
||||
pidfile = /var/run/fail2ban/fail2ban.pid
|
||||
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
|
||||
dbpurgeage = 604800
|
@@ -0,0 +1 @@
|
||||
[DEFAULT]
|
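--- a/root/etc/e-smith/templates/etc/fail2ban/jail.conf/05IgnoreIP
+++ b/root/etc/e-smith/templates/etc/fail2ban/jail.conf/05IgnoreIP
@@ -0,0 +1,38 @@
+{
+
+use esmith::NetworksDB;
+use Net::IPv4Addr;
+
+my $n = esmith::NetworksDB->open_ro() ||
+die "Couldn't open networks DB\n";
+
+my @ip = ("127.0.0.0/8", $LocalIP);
+
+# Add hosts which can access the server-manager to the whitelist
+unless (($fail2ban{FilterValidRemoteHosts} || 'disabled') eq 'enabled'){
+foreach (split /[,;]/, (${'httpd-admin'}{'ValidFrom'} || '')){
+my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$_");
+push @ip, "$ip/$bits" unless "$ip" eq '0.0.0.0';
+}
+}
+
+unless (($fail2ban{FilterLocalNetworks} || 'disabled') eq 'enabled'){
+foreach my $net ($n->networks){
+my $key = $net->key;
+my $mask = $net->prop('Mask');
+my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$key/$mask");
+push @ip, "$ip/$bits";
+}
+}
+
+# Add a local whitelist
+foreach (split /[,;]/, ($fail2ban{'IgnoreIP'} || '')){
+my $addr = $_;
+$addr .= '/32' unless ($addr =~ m/\/\d{1,2}$/);
+my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$addr");
+push @ip, "$ip/$bits";
+}
+
+$OUT .= "ignoreip = " . join(" ", @ip);
+
+}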
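Review bot: In the ValidFrom loop, `my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$_");` appears to leave `$bits` undefined for an entry given without a mask, so the whitelist would receive `a.b.c.d/` instead of a host entry; the IgnoreIP loop below defaults to `/32`, and the same default is wanted here, e.g. `my $addr = $_; $addr .= '/32' unless $addr =~ m{/};` before the parse. `ipv4_parse` also croaks on anything it cannot parse, so a single malformed IgnoreIP or ValidFrom value aborts expansion of the whole jail.conf; wrapping the parse in `eval` with a `warn` and `next` degrades gracefully instead. IPv6 values are not accepted by this code at all, which deserves a sentence in the comment above `# Add a local whitelist`.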
@@ -0,0 +1,7 @@
|
||||
{
|
||||
|
||||
our $bantime = $fail2ban{'BanTime'} || '1800';
|
||||
|
||||
$OUT .= "bantime = $bantime";
|
||||
|
||||
}
|
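Review bot: `our $bantime = $fail2ban{'BanTime'} || '1800';` takes the value from the config DB without checking that it is numeric, and it is interpolated into every jail's `action = smeserver-iptables[...,bantime=$bantime]` line later in jail.conf, where a non-numeric value breaks jail parsing; a guard such as `$bantime = '1800' unless $bantime =~ m{\A\d+\z};` keeps the generated file valid. The same applies to the `findtime` and `maxretry` fragments that follow (`our $findtime`, `our $maxretry`); `$maxretry` is additionally used in arithmetic (`$maxretry*3`, `$maxretry*2`) by later fragments, where a non-numeric value silently becomes 0. The `our` declaration is what lets the later jail fragments reference `$bantime`, which is worth a one-line comment: `# our: shared with the jail fragments below that reference $bantime`.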
@@ -0,0 +1,7 @@
|
||||
{
|
||||
|
||||
our $findtime = $fail2ban{'FindTime'} || '900';
|
||||
|
||||
$OUT .= "findtime = $findtime";
|
||||
|
||||
}
|
@@ -0,0 +1,6 @@
|
||||
{
|
||||
our $maxretry = $fail2ban{'MaxRetry'} || '3';
|
||||
|
||||
$OUT .= "maxretry = $maxretry";
|
||||
|
||||
}
|
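--- a/root/etc/e-smith/templates/etc/fail2ban/jail.conf/16Dns
+++ b/root/etc/e-smith/templates/etc/fail2ban/jail.conf/16Dns
@@ -0,0 +1 @@
+usedns = yes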
@@ -0,0 +1 @@
|
||||
backend = auto
|
@@ -0,0 +1,7 @@
|
||||
{
|
||||
|
||||
our $mail = $fail2ban{'Mail'} || 'disabled';
|
||||
our $maildest = $fail2ban{'MailRecipient'} || 'root';
|
||||
return '';
|
||||
|
||||
}
|
@@ -0,0 +1,31 @@
|
||||
{
|
||||
|
||||
my $port = $sshd{'TCPPort'} || '22';
|
||||
my $status = $sshd{'status'} || 'disabled';
|
||||
my $f2b = $sshd{'Fail2Ban'} || 'enabled';
|
||||
return "" if (($status ne 'enabled') || ($f2b ne 'enabled'));
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[ssh]
|
||||
enabled = true
|
||||
filter = sshd
|
||||
logpath = /var/log/sshd/sshd.log
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"SSH\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[ssh-ddos]
|
||||
enabled = true
|
||||
filter = sshd-ddos
|
||||
logpath = /var/log/sshd/sshd.log
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"SSH\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
}
|
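Review bot: The second jail uses `filter = sshd-ddos`; fail2ban 0.10 and later no longer ship a separate `sshd-ddos` filter (its patterns were folded into `sshd` as a mode), so if the target fail2ban is that new the `[ssh-ddos]` jail fails to start — confirm against the filter.d directory actually installed and, if so, use `filter = sshd[mode=ddos]` or drop the jail. Both heredocs repeat the jail shape used by every other fragment; the table-plus-loop suggested on the apache hunk would apply here as well.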
@@ -0,0 +1,25 @@
|
||||
{
|
||||
|
||||
my $status = $dovecot{'status'} || 'disabled';
|
||||
my $f2b = $dovecot{'Fail2Ban'} || 'enabled';
|
||||
return "" if (($status ne 'enabled') || ($f2b ne 'enabled'));
|
||||
my @ports = ();
|
||||
push @ports, ($imap{'TCPPort'} || '143')
|
||||
if (($imap{'status'} || 'disabled') eq 'enabled');
|
||||
push @ports, ($imaps{'TCPPort'} || '993')
|
||||
if (($imaps{'status'} || 'disabled') eq 'enabled');
|
||||
my $port = join (",", @ports);
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[imap]
|
||||
enabled = true
|
||||
filter = dovecot
|
||||
logpath = /var/log/dovecot/dovecot.log
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"Dovecot\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
}
|
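Review bot: When both `imap` and `imaps` are disabled, `@ports` is empty at `my $port = join (",", @ports);` and the jail is still emitted with `port=""` in its action, which the iptables action cannot act on; add `return "" unless @ports;` right after the two `push` statements. A one-line comment above the pushes, `# only jail the IMAP ports that are actually listening`, would make the status checks self-explanatory.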
@@ -0,0 +1,27 @@
|
||||
{
|
||||
|
||||
my $status = $qpsmtpd{'status'} || 'disabled';
|
||||
my $f2b = $qpsmtpd{'Fail2Ban'} || 'enabled';
|
||||
return "" if (($status ne 'enabled') || ($f2b ne 'enabled'));
|
||||
my @ports = ();
|
||||
push @ports, ($qpsmtpd{'TCPPort'} || '25');
|
||||
push @ports, ($sqpsmtpd{'TCPPort'} || '465')
|
||||
if (($sqpsmtpd{'status'} || 'disabled') eq 'enabled');
|
||||
my $port = join (",", @ports);
|
||||
|
||||
my $max = $maxretry*3;
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[qpsmtpd]
|
||||
enabled = true
|
||||
filter = qpsmtpd
|
||||
logpath = /var/log/*qpsmtpd/current
|
||||
maxretry = $max
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"Qpsmtpd\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
}
|
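Review bot: The port list built from `push @ports, ($qpsmtpd{'TCPPort'} || '25');` covers SMTP and, when enabled, SMTPS, but nothing covers a submission listener on 587 if this build runs one; if it does, bans from this jail leave that port reachable, so either add it under the same status-check pattern or record the omission with `# submission (587) is intentionally not covered here`. The `maxretry = $max` override (`$maxretry*3`) also merits a comment stating why SMTP gets three times the global retry budget.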
@@ -0,0 +1,97 @@
|
||||
{
|
||||
|
||||
my $status = ${'httpd-e-smith'}{'status'} || 'disabled';
|
||||
my $f2b = ${'httpd-e-smith'}{'Fail2Ban'} || 'enabled';
|
||||
return "" if (($status ne 'enabled') || ($f2b ne 'enabled'));
|
||||
my @ports = ();
|
||||
push @ports, (${'httpd-e-smith'}{'TCPPort'} || '80');
|
||||
push @ports, ($modSSL{'TCPPort'} || '443');
|
||||
my $port = join (",", @ports);
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[http-overflows]
|
||||
enabled = true
|
||||
filter = apache-overflows
|
||||
logpath = /var/log/httpd/error_log
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"Apache (overflows)\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[http-noscript]
|
||||
enabled = true
|
||||
filter = apache-noscript
|
||||
logpath = /var/log/httpd/error_log
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"Apache (noscript)\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[http-scan]
|
||||
enabled = true
|
||||
filter = apache-scan
|
||||
logpath = /var/log/httpd/error_log
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"Apache (scan)\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[http-auth]
|
||||
enabled = true
|
||||
filter = apache-auth
|
||||
logpath = /var/log/httpd/error_log
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"Apache (auth)\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[http-badbots]
|
||||
enabled = true
|
||||
filter = apache-badbots
|
||||
logpath = /var/log/httpd/access_log
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"Apache (badbots)\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[http-shellshock]
|
||||
enabled = true
|
||||
filter = apache-shellshock
|
||||
logpath = /var/log/httpd/error_log
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"Apache (shellshock)\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[http-fakegooglebot]
|
||||
enabled = true
|
||||
filter = apache-fakegooglebot
|
||||
logpath = /var/log/httpd/error_log
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"Apache (fakegooglebot)\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
|
||||
|
||||
}
|
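Review bot: Seven near-identical heredocs from `[http-overflows]` to `[http-fakegooglebot]` differ only in jail name, filter, log file and mail label, and the same pattern recurs in the wordpress hunk; a table of those four fields plus one loop makes the block far easier to keep consistent (a new filter becomes one row) and removes the risk of one copy drifting from the others. The sendmail line is appended separately per jail because it must follow the action line as an indented continuation; the loop keeps that shape. Status and port handling at the top of the block stay as they are.
```perl
# … unchanged: status / Fail2Ban checks and @ports / $port setup …
my @jails = (
    [ 'http-overflows',     'apache-overflows',     'error_log',  'Apache (overflows)'     ],
    [ 'http-noscript',      'apache-noscript',      'error_log',  'Apache (noscript)'      ],
    [ 'http-scan',          'apache-scan',          'error_log',  'Apache (scan)'          ],
    [ 'http-auth',          'apache-auth',          'error_log',  'Apache (auth)'          ],
    [ 'http-badbots',       'apache-badbots',       'access_log', 'Apache (badbots)'       ],
    [ 'http-shellshock',    'apache-shellshock',    'error_log',  'Apache (shellshock)'    ],
    [ 'http-fakegooglebot', 'apache-fakegooglebot', 'error_log',  'Apache (fakegooglebot)' ],
);
foreach my $jail (@jails) {
    my ($name, $filter, $log, $label) = @$jail;
    $OUT .= "\n[$name]\nenabled = true\nfilter = $filter\n"
          . "logpath = /var/log/httpd/$log\n"
          . "action = smeserver-iptables[port=\"$port\",protocol=tcp,bantime=$bantime]\n";
    # mail notification is a continuation line of the action above
    $OUT .= " smeserver-sendmail[name=\"$label\",dest=$maildest]\n"
        if ($mail eq 'enabled');
}
```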
@@ -0,0 +1,11 @@
|
||||
|
||||
[pam-generic]
|
||||
enabled = true
|
||||
filter = pam-generic
|
||||
logpath = /var/log/secure
|
||||
maxretry = {$maxretry*2}
|
||||
action = smeserver-iptables[bantime={"$bantime"}]
|
||||
{
|
||||
$OUT .= " smeserver-sendmail[name=\"PAM generic\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
}
|
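Review bot: `[pam-generic]` is the only jail without an enable switch — every other fragment checks a `Fail2Ban` property and returns early, whereas this one is always emitted — and its action `smeserver-iptables[bantime={"$bantime"}]` carries no port, so a match blocks the source host on every port. That may well be the intended default for PAM failures, but it should be stated: add a line above `[pam-generic]` such as `# always enabled; the action has no port, so a match blocks the host on all ports`. Whether a per-service switch like the other fragments use is wanted here depends on whether a config key exists for it.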
@@ -0,0 +1,25 @@
|
||||
{
|
||||
my $port = (${'httpd-e-smith'}{'TCPPort'} || '80') .','.
|
||||
($modSSL{'TCPPort'} || '443');
|
||||
my $status = $smanager{'status'} || 'disabled';
|
||||
my $f2b = $smanager{'Fail2Ban'} || 'enabled';
|
||||
return "" if (($status ne 'enabled') || ($f2b ne 'enabled'));
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[smanager]
|
||||
enabled = true
|
||||
port = $port
|
||||
filter = smanager
|
||||
logpath = /usr/share/smanager/log/production.log
|
||||
maxretry = 3
|
||||
findtime = 300
|
||||
bantime = 1800
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"SManager\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
}
|
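Review bot: `maxretry = 3`, `findtime = 300` and `bantime = 1800` are hard-coded in the `[smanager]` heredoc while every other jail inherits the global values from the bantime/findtime/maxretry fragments, and the same heredoc then passes `bantime=$bantime` to the action, so the jail's ban length and the value handed to smeserver-iptables disagree whenever `BanTime` is configured. Either drop the three literal lines so the globals apply, or write `bantime = $bantime` (and likewise `findtime = $findtime`, `maxretry = $maxretry`) so jail and action agree. `port = $port` duplicates the `port="$port"` action argument; drop it or add a comment saying why both are set.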
@@ -0,0 +1,24 @@
|
||||
{
|
||||
|
||||
my $status = $sogod{'status'} || 'disabled';
|
||||
my $f2b = $sogod{'Fail2Ban'} || 'enabled';
|
||||
return "\n#Sogo not available" unless ( -f "/var/log/sogo/sogo.log" );
|
||||
return "" if (($status ne 'enabled') || ($f2b ne 'enabled'));
|
||||
my @ports = ();
|
||||
push @ports, (${'httpd-e-smith'}{'TCPPort'} || '80');
|
||||
push @ports, ($modSSL{'TCPPort'} || '443');
|
||||
my $port = join (",", @ports);
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[sogo]
|
||||
enabled = true
|
||||
filter = sogo-auth
|
||||
logpath = /var/log/sogo/sogo.log
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"SOGo\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
}
|
@@ -0,0 +1,23 @@
|
||||
{
|
||||
|
||||
my $status = ${'lemonldap'}{'status'} || 'disabled';
|
||||
my $f2b = ${'lemonldap'}{'Fail2Ban'} || 'enabled';
|
||||
return "" if (($status ne 'enabled') || ($f2b ne 'enabled'));
|
||||
my @ports = ();
|
||||
push @ports, (${'httpd-e-smith'}{'TCPPort'} || '80');
|
||||
push @ports, ($modSSL{'TCPPort'} || '443');
|
||||
my $port = join (",", @ports);
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[lemonldap]
|
||||
enabled = true
|
||||
filter = lemonldap-ng
|
||||
logpath = /var/log/messages
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"LemonLDAP::NG\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
}
|
@@ -0,0 +1,21 @@
|
||||
{
|
||||
|
||||
my $port = $ftp{'TCPPort'} || '21';
|
||||
my $status = $ftp{'status'} || 'disabled';
|
||||
my $f2b = $ftp{'Fail2Ban'} || 'enabled';
|
||||
return "" if (($status ne 'enabled') || ($f2b ne 'enabled'));
|
||||
# add the data channel port
|
||||
$port .= ',20';
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[ftp]
|
||||
enabled = true
|
||||
filter = proftpd
|
||||
logpath = /var/log/secure
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"FTP\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
}
|
@@ -0,0 +1,21 @@
|
||||
{
|
||||
|
||||
my $status = $ejabberd{'status'} || 'disabled';
|
||||
my $f2b = $ejabberd{'Fail2Ban'} || 'enabled';
|
||||
return "" if (($status ne 'enabled') || ($f2b ne 'enabled'));
|
||||
my $port = $ejabberd{'TCPPorts'} || '5222,5223,5269';
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[ejabberd]
|
||||
enabled = true
|
||||
filter = ejabberd-auth
|
||||
logpath = /var/log/ejabberd.run/current
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
||||
$OUT .= " smeserver-sendmail[name=\"Ejabberd\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
}
|
||||
|
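Review bot: `my $port = $ejabberd{'TCPPorts'} || '5222,5223,5269';` reads a `TCPPorts` property, whereas every other service fragment reads `TCPPort`; if the ejabberd record actually uses the singular key, this lookup always falls through to the default and a non-default port configuration would never be jailed — confirm the key name against the service's DB record. Whichever is right, a comment such as `# TCPPorts: comma-separated list, unlike the single TCPPort of other services` would stop the next reader from "fixing" it.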
@@ -0,0 +1,68 @@
|
||||
{
|
||||
|
||||
my $status = $fail2ban{'wordpress'} || 'disabled';
|
||||
return "\n# wordpress disabled \n" if ($status ne 'enabled') ;
|
||||
my @ports = ();
|
||||
push @ports, (${'httpd-e-smith'}{'TCPPort'} || '80');
|
||||
push @ports, ($modSSL{'TCPPort'} || '443');
|
||||
my $port = join (",", @ports);
|
||||
|
||||
my $wphbantime = $fail2ban{'WPHbantime'} || $bantime;
|
||||
my $wpsbantime = $fail2ban{'WPSbantime'} || $bantime;
|
||||
my $wpxbantime = $fail2ban{'WPXbantime'} || $bantime;
|
||||
my $wphfindtime = $fail2ban{'WPHfindtime'} || $findtime;
|
||||
my $wpsfindtime = $fail2ban{'WPSfindtime'} || $findtime;
|
||||
my $wpxfindtime = $fail2ban{'WPXfindtime'} || $findtime;
|
||||
my $wphmaxretry = $fail2ban{'WPHmaxretry'} || $maxretry;
|
||||
my $wpsmaxretry = $fail2ban{'WPSmaxretry'} || $maxretry;
|
||||
my $wpxmaxretry = $fail2ban{'WPXmaxretry'} || $maxretry;
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[wordpress-hard]
|
||||
enabled = true
|
||||
filter = wordpress-hard
|
||||
logpath = /var/log/messages
|
||||
findtime = $wphfindtime
|
||||
maxretry = $wphmaxretry
|
||||
bantime = $wphbantime
|
||||
backend = polling
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$wphbantime]
|
||||
EOF
|
||||
$OUT .= " smeserver-sendmail[name=\"Wordpress (hard)\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[wordpress-soft]
|
||||
enabled = true
|
||||
filter = wordpress-soft
|
||||
logpath = /var/log/messages
|
||||
findtime = $wpsfindtime
|
||||
maxretry = $wpsmaxretry
|
||||
bantime = $wpsbantime
|
||||
backend = polling
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$wpsbantime]
|
||||
EOF
|
||||
$OUT .= " smeserver-sendmail[name=\"Wordpress (soft)\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
|
||||
$OUT .=<<"EOF";
|
||||
|
||||
[apache-xmlrpc]
|
||||
enabled = true
|
||||
port = http,https
|
||||
filter = apache-xmlrpc
|
||||
logpath = /var/log/httpd/access_log
|
||||
findtime = $wpxfindtime
|
||||
maxretry = $wpxmaxretry
|
||||
bantime = $wpxbantime
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$wpxbantime]
|
||||
EOF
|
||||
$OUT .= " smeserver-sendmail[name=\"Wordpress (xmlrpc)\",dest=$maildest]\n"
|
||||
if ($mail eq 'enabled');
|
||||
|
||||
}
|
||||
|
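Review bot: The `[apache-xmlrpc]` jail sets `port = http,https` literally while its action uses the computed `port="$port"` (and the two wordpress jails set no jail-level port at all); when httpd or modSSL listen on non-default ports the two disagree. Use `port = $port` or drop the line so the action argument is the single source of truth. The three heredocs repeat the shape of the apache hunk; the table-plus-loop suggested there applies here too, with the per-jail findtime/maxretry/bantime values as extra columns.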
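--- a/root/etc/e-smith/templates/etc/fail2ban/jail.conf/90Recidive
+++ b/root/etc/e-smith/templates/etc/fail2ban/jail.conf/90Recidive
@@ -0,0 +1,21 @@
+{
+my $rbantime = $fail2ban{'RecidiveBanTime'} || '604800';
+my $rfindtime = $fail2ban{'RecidiveFindTime'} || '86400';
+my $rmaxretry = $fail2ban{'RecidiveMaxRetry'} || '5';
+my $raction = 'smeserver-iptables[bantime=' . $rbantime . ']' . "\n";
+$raction .= " smeserver-sendmail[name=\"Recidive\",dest=$maildest]\n"
+if ($mail eq 'enabled');
+
+$OUT .=<<"EOF";
+
+[recidive]
+enabled = true
+filter = recidive
+logpath = /var/log/fail2ban/daemon.log
+bantime = $rbantime
+findtime = $rfindtime
+maxretry = $rmaxretry
+backend = polling
+action = $raction
+EOF
+}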
@@ -0,0 +1,8 @@
|
||||
/var/log/fail2ban/*.log \{
|
||||
missingok
|
||||
weekly
|
||||
rotate 24
|
||||
compress
|
||||
notifempty
|
||||
copytruncate
|
||||
\}
|
@@ -0,0 +1,6 @@
|
||||
# A blacklist chain for fail2ban
|
||||
/sbin/iptables --new-chain Fail2Ban
|
||||
/sbin/iptables --new-chain Fail2Ban_1
|
||||
/sbin/iptables --append Fail2Ban -j Fail2Ban_1
|
||||
/sbin/iptables --insert INPUT 1 \
|
||||
-j Fail2Ban
|
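Review bot: `/sbin/iptables --insert INPUT 1 -j Fail2Ban` hooks the ban chain into INPUT only, so if this host also forwards traffic to other machines a banned source can still reach forwarded services; if that is intentional, say so with `# INPUT only: bans do not apply to forwarded traffic`, otherwise add the same insert for FORWARD. Inserting at position 1 deliberately puts bans ahead of every other INPUT rule, which deserves a comment as well, e.g. `# position 1 so bans are evaluated before any accept rule`.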
@@ -0,0 +1,33 @@
|
||||
{
|
||||
my $f2bdb = esmith::ConfigDB->open_ro('fail2ban') ||
|
||||
esmith::ConfigDB->create('fail2ban');
|
||||
# Find the current Fail2Ban_$$ chain, and create a new one.
|
||||
$OUT .=<<'EOF';
|
||||
OLD_Fail2Ban=$(get_safe_id Fail2Ban filter find)
|
||||
NEW_Fail2Ban=$(get_safe_id Fail2Ban filter new)
|
||||
/sbin/iptables --new-chain $NEW_Fail2Ban
|
||||
EOF
|
||||
|
||||
if ( ($fail2ban{'status'} || 'disabled') eq 'enabled' ){
|
||||
foreach my $ban ( $f2bdb->get_all_by_prop(type=>('ban')) ){
|
||||
my $ip = $ban->prop('Host');
|
||||
my $proto = $ban->prop('Protocol') || '';
|
||||
my $port = $ban->prop('Port') || '';
|
||||
$OUT .= " /sbin/iptables --append \$NEW_Fail2Ban -s $ip";
|
||||
$OUT .= " -p $proto" if ($proto =~ m/^tcp|udp|icmp$/);
|
||||
$OUT .= " -m multiport --dports $port" if ($proto =~ m/^tcp|udp$/ && $port =~ m/^\d+(,\d+)*$/);
|
||||
$OUT .= " -j denylog\n";
|
||||
}
|
||||
$OUT .= " /sbin/iptables --append \$NEW_Fail2Ban" .
|
||||
" -j RETURN\n";
|
||||
}
|
||||
|
||||
# Having created a new Fail2Ban chain, activate it and destroy the old.
|
||||
$OUT .=<<'EOF';
|
||||
/sbin/iptables --replace Fail2Ban 1 \
|
||||
--jump $NEW_Fail2Ban
|
||||
/sbin/iptables --flush $OLD_Fail2Ban
|
||||
/sbin/iptables --delete-chain $OLD_Fail2Ban
|
||||
EOF
|
||||
|
||||
}
|
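Review bot: `$ip` from `$ban->prop('Host')` is interpolated unvalidated into the generated shell line `--append \$NEW_Fail2Ban -s $ip`, while `$proto` and `$port` on the next two lines are regex-checked; a missing or malformed Host value yields a broken `iptables -s` line, and because the output is an executed shell script, whatever reaches that DB field is also shell input — guard it with `next unless defined $ip && $ip =~ m{\A\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\z};` before the append. The two protocol checks are also mis-anchored: `m/^tcp|udp|icmp$/` means "starts with tcp, or contains udp, or ends with icmp", so group the alternation as `m/^(?:tcp|udp|icmp)$/` and `m/^(?:tcp|udp)$/`. The comment on the chain handling could also say why the chain is rebuilt rather than edited in place, e.g. `# rebuild atomically: fill the new chain first, swap it in, then drop the old one`.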