fail2ban config

3583c0f6 · Nicolas KAROLAK · 0308a67b · 3583c0f6 · 3583c0f6 · 3583c0f6
Commit 3583c0f6 authored 7 years ago by Nicolas KAROLAK
--- a/2.Common_services/8.Fail2ban/0_setup.py
+++ b/2.Common_services/8.Fail2ban/0_setup.py
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+import os
+import utils
+def setup(interactive=True):
+    # install fail2ban
+    utils.log('Install fail2ban')
+    cmds = [
+        'apt-get update',
+        'apt-get install -y fail2ban',
+    ]
+    utils.run_commands(cmds)
+    # configure fail2ban
+    os.makedirs('/etc/fail2ban/filter.d', exist_ok=True)
+    os.makedirs('/etc/fail2ban/jail.d', exist_ok=True)
+    dir_path = utils.get_dir(__file__)
+    action = 'action_mwl' if bool(utils.get_conf('FAIL2BAN_SEND_EMAIL', '')) else 'action_'
+    sender = utils.get_conf('EMAIL_SENDER', 'root@localhost')
+    destemail = utils.get_conf('FAIL2BAN_EMAIL_ADMINS', 'root@localhost')
+    maxretry = utils.get_conf('FAIL2BAN_MAXRETRY', '6')
+    bantime = utils.get_conf('FAIL2BAN_BANTIME', '30')
+    cmds = [
+        dict(
+            line='write',
+            template='%s/filter.d/mediaserver.conf' % dir_path,
+            target='/etc/fail2ban/filter.d/mediaserver.conf'
+        ),
+        dict(
+            line='write',
+            template='%s/jail.d/mediaserver.conf' % dir_path,
+            target='/etc/fail2ban/jail.d/mediaserver.conf',
+            params=(
+                ('{{ action }}', action),
+                ('{{ sender }}', sender),
+                ('{{ destemail }}', destemail),
+                ('{{ maxretry }}', maxretry),
+                ('{{ bantime }}', bantime),
+            )
+        ),
+    ]
+    utils.run_commands(cmds)
+    # restart fail2ban
+    utils.log('Enable and restart fail2ban')
+    cmds = [
+        'systemctl enable fail2ban',
+        'systemctl restart fail2ban',
+    ]
+    utils.run_commands(cmds)
--- a/2.Common_services/8.Fail2ban/filter.d/mediaserver.conf
+++ b/2.Common_services/8.Fail2ban/filter.d/mediaserver.conf
+# Fail2Ban filter for MediaServer
+[INCLUDES]
+before = common.conf
+after = mediaserver.local
+[Definition]
+failregex = INFO Wrong credentials given to login\. IP: <HOST>, username: \S+\.$
+            INFO Wrong crendentials given to login\. IP: <HOST>, username: \S+\.$
+ignoreregex =
--- a/2.Common_services/8.Fail2ban/jail.d/mediaserver.conf
+++ b/2.Common_services/8.Fail2ban/jail.d/mediaserver.conf
+[mediaserver]
+enabled = true
+filter = mediaserver
+maxretry = {{ maxretry }}
+bantime = {{ bantime }}
+logpath = /home/msuser/mstmp/mediaserver.log
+action = %({{ action }})s
+sender = {{ sender }}
+destemail = {{ destemail }}
+[skyreach]
+enabled = true
+filter = mediaserver
+maxretry = {{ maxretry }}
+bantime = {{ bantime }}
+logpath = /home/skyreach/.skyreach/logs/skyreach.log
+action = %({{ action }})s
+sender = {{ sender }}
+destemail = {{ destemail }}
+[monitor]
+enabled = true
+filter = mediaserver
+maxretry = {{ maxretry }}
+bantime = {{ bantime }}
+logpath = /home/msmonitor/msmonitor/logs/site.log
+action = %({{ action }})s
+sender = {{ sender }}
+destemail = {{ destemail }}
--- a/global-conf.sh
+++ b/global-conf.sh
@@ -105,20 +105,26 @@ BURP_MAIL_DEST='sysadmin@ubicast.eu'
 BURP_CLIENT_NAME=
 BURP_CLIENT_MAIL_DEST='sysadmin@ubicast.eu'
-# -- tmbackup.sh -- 
+# -- Fail2ban specific settings --
+FAIL2BAN_SEND_EMAIL='1'
+FAIL2BAN_EMAIL_ADMINS=EMAIL_ADMINS
+FAIL2BAN_MAXRETRY='6'
+FAIL2BAN_BANTIME='30'
+# -- tmbackup.sh --
 BACKUP_SERVER=''
 # CSV separated
 LOCAL_BACKUP_FOLDERS=''
 # -- FTP --
-# move uploaded files into hotfolder 
+# move uploaded files into hotfolder
 # login:pass CSV separated
 #FTP_INCOMING_USERS='ftpuser1:ftppass1,ftpuser2:ftppass2'
 FTP_INCOMING_USERS=
 # -- HOTFOLDER --
 # csv-separated
-HOTFOLDERS='/home/ftp/storage/hotfolder' 
+HOTFOLDERS='/home/ftp/storage/hotfolder'
 # -- Tester config --
 # separate values with commas