initial commit of file from CVS for smeserver-fail2ban on Sat Sep 7 19:53:17 AEST 2024

2024-09-07 19:53:18 +10:00
parent 1700d73fa1
commit 197253af46
86 changed files with 8686 additions and 2 deletions
--- a/root/etc/fail2ban/action.d/smeserver-iptables.conf
+++ b/root/etc/fail2ban/action.d/smeserver-iptables.conf
@@ -0,0 +1,13 @@
+
+[Definition]
+
+actionstart =
+actionstop =
+actioncheck =
+actionban = /sbin/e-smith/smeserver-fail2ban --host=<ip> --proto=<protocol> --port=<port> --bantime=<bantime>
+actionunban = /sbin/e-smith/smeserver-fail2ban --host=<ip> --unban --proto=<protocol> --port=<port>
+
+[Init]
+protocol = undef
+port = undef
+bantime = undef
--- a/root/etc/fail2ban/action.d/smeserver-sendmail.conf
+++ b/root/etc/fail2ban/action.d/smeserver-sendmail.conf
@@ -0,0 +1,21 @@
+
+[Definition]
+
+actionstart =
+actionstop  =
+actioncheck =
+actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip>
+            From: Fail2Ban <<sender>>
+            To: <dest>\n
+            Hi,\n
+            The IP <ip> has just been banned by Fail2Ban after
+            <failures> attempts against <name>.\n
+            Regards,\n
+            Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
+actionunban =
+
+[Init]
+name = default
+dest = root
+sender = fail2ban
+
--- a/root/etc/fail2ban/filter.d/apache-auth.local
+++ b/root/etc/fail2ban/filter.d/apache-auth.local
@@ -0,0 +1,2 @@
+[Definition]
+ignoreregex = ^%(_apache_error_client)s (AH01797: )?client denied by server configuration: /etc/httpd/conf/proxy/proxy\.pac\s*$
--- a/root/etc/fail2ban/filter.d/apache-scan.conf
+++ b/root/etc/fail2ban/filter.d/apache-scan.conf
@@ -0,0 +1,11 @@
+[Definition]
+re_pma = (admin|administrator|database|db|sql|typo3|xampp\/)?(pma|PMA|phpmyadmin|phpMyAdmin(\-?[\d\.\-]+((rc|pl|beta)\d+)?)?|myadmin|mysql|mysqladmin|sqladmin|mypma|xampp|mysqldb|mydb|db|pmadb|phpmyadmin1|myadmin2|php\-my\-admin|sqlmanager|websql|sqlweb|MyAdmin|phpadmin|sql|pma2005|databaseadmin|phpmanager)(\/main\.php|setup\.php|read_dump\.php|read_dump\.phpmain\.php)?
+re_admin = administrator(\/index\.php)?|manager(\/(status|html))?|webadmin|ecrire|admin((\.php)|(\/(config|login)\.php))?|mailadmin|setup\.php|admin\/modules\/backup\/page\.backup\.php
+re_proxy = freenode-proxy-checker\.txt|proxychecker|proxyheader\.php
+re_various = vtigercrm|typo3|scripts|wp\-admin|wp\-login\.php|wordpress|horde(\d+(\/+README)?)?|w00tw00t\.*|\/?plmplmplm\/plm\.php
+
+failregex = \[client <HOST>\] File does not exist: .*\/(%(re_pma)s|%(re_admin)s|%(re_proxy)s|%(re_various)s)$
+            \[client <HOST>\] client denied by server configuration: .*\/(%(re_admin)s|%(re_proxy)s)$
+            \[client <HOST>\] client sent HTTP/1.1 request without hostname \(see RFC2616 section 14.23\):
+
+ignoreregex =
--- a/root/etc/fail2ban/filter.d/apache-xmlrpc.conf
+++ b/root/etc/fail2ban/filter.d/apache-xmlrpc.conf
@@ -0,0 +1,5 @@
+[Definition]
+failregex = ^<HOST> .*POST .*xmlrpc\.php.*
+ignoreregex =
+
+# source http://xplus3.net/2013/05/09/securing-xmlrpc-wordpress/
--- a/root/etc/fail2ban/filter.d/lemonldap-ng.conf
+++ b/root/etc/fail2ban/filter.d/lemonldap-ng.conf
@@ -0,0 +1,11 @@
+[INCLUDES]
+before = common.conf
+
+[Definition]
+
+_daemon = lemonldap\-ng
+
+failregex = ^\s*%(__prefix_line)s\s*Lemonldap::NG : .* was not found in LDAP directory \(<HOST>\)\s*$
+            ^\s*%(__prefix_line)s\s*Lemonldap::NG : Bad password for .* \(<HOST>\)\s*$
+
+ignoreregex =
--- a/root/etc/fail2ban/filter.d/qpsmtpd.conf
+++ b/root/etc/fail2ban/filter.d/qpsmtpd.conf
@@ -0,0 +1,11 @@
+[INCLUDES]
+before = common.conf
+
+[Definition]
+
+_daemon = qpsmtpd
+
+failregex = ^\s*\d+\s*logging::logterse plugin \(deny\): ` <HOST>\s*.*90\d.*msg denied before queued$
+            ^\s*\d+\s*\(deny\) logging::logterse: ` <HOST>\s*.*90\d.*msg denied before queued$
+
+ignoreregex = logters.*greylisting.*90.*temporarily denied
--- a/root/etc/fail2ban/filter.d/smanager.conf
+++ b/root/etc/fail2ban/filter.d/smanager.conf
@@ -0,0 +1,12 @@
+# Fail2Ban filter for Smanager attempted bypasses
+
+[Definition]
+#[Mon Nov  9 20:33:34 2020] [info] Login FAILED: mab	192.168.0.11
+
+failregex = ^\[.*\] \[info\] Login FAILED: .*\t<HOST>$
+
+ignoreregex = ^\[.*\] \[debug\] .*$
+ignoreregex = ^\[.*\] \[info\] Login succeeded: .*$
+
+datepattern = {^LN-BEG}
+
--- a/root/etc/fail2ban/filter.d/sshd-ddos.conf
+++ b/root/etc/fail2ban/filter.d/sshd-ddos.conf
@@ -0,0 +1,28 @@
+# Fail2Ban ssh filter for at attempted exploit
+#
+# The regex here also relates to a exploit:
+#
+#  http://www.securityfocus.com/bid/17958/exploit
+#  The example code here shows the pushing of the exploit straight after
+#  reading the server version. This is where the client version string normally
+#  pushed. As such the server will read this unparsible information as
+#  "Did not receive identification string".
+# Author: Yaroslav Halchenko
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = sshd
+
+failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$
+
+ignoreregex =.
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
--- a/root/etc/fail2ban/filter.d/wordpress-hard.conf
+++ b/root/etc/fail2ban/filter.d/wordpress-hard.conf
@@ -0,0 +1,28 @@
+# Fail2Ban filter for WordPress hard failures
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:wordpress|wp)
+
+failregex = ^%(__prefix_line)sSpam comment \d+ from <HOST>$
+            ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
+            ^%(__prefix_line)sXML-RPC multicall authentication failure from <HOST>$
+            ^%(__prefix_line)sBlocked user enumeration attempt from <HOST>$
+            ^%(__prefix_line)sBlocked authentication attempt for .* from <HOST>$
+            ^%(__prefix_line)sAuthentication attempt for unknown user .* from <HOST>$
+            ^%(__prefix_line)sREST authentication attempt for unknown user .* from <HOST>$
+            ^%(__prefix_line)sPingback error .* generated from <HOST>$
+            ^%(__prefix_line)sXML-RPC authentication attempt for unknown user .* from <HOST>$
+
+ignoreregex =
+
+# DEV Notes:
+# Requires the 'WP fail2ban' plugin:
+# https://wordpress.org/plugins/wp-fail2ban/
+#
+# Author: Charles Lecklider
--- a/root/etc/fail2ban/filter.d/wordpress-soft.conf
+++ b/root/etc/fail2ban/filter.d/wordpress-soft.conf
@@ -0,0 +1,34 @@
+# Fail2Ban configuration file
+#
+# Author: Charles Lecklider
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = (?:wordpress|wp)
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = ^%(__prefix_line)sEmpty username from <HOST>$
+            ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
+            ^%(__prefix_line)sXML-RPC authentication failure from <HOST>$
+            ^%(__prefix_line)sREST authentication failure for .* from <HOST>$
+            ^%(__prefix_line)sXML-RPC authentication failure for .* from <HOST>$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =