From 3583c0f63d43b4b959b9b4b6f38ee639149a2c3e Mon Sep 17 00:00:00 2001
From: Nicolas KAROLAK <nicolas@karolak.fr>
Date: Mon, 26 Mar 2018 15:43:08 +0200
Subject: [PATCH] fail2ban config
---
2.Common_services/8.Fail2ban/0_setup.py | 51 +++++++++++++++++++
.../8.Fail2ban/filter.d/mediaserver.conf | 13 +++++
.../8.Fail2ban/jail.d/mediaserver.conf | 29 +++++++++++
global-conf.sh | 12 +++--
4 files changed, 102 insertions(+), 3 deletions(-)
create mode 100644 2.Common_services/8.Fail2ban/0_setup.py
create mode 100644 2.Common_services/8.Fail2ban/filter.d/mediaserver.conf
create mode 100644 2.Common_services/8.Fail2ban/jail.d/mediaserver.conf
diff --git a/2.Common_services/8.Fail2ban/0_setup.py b/2.Common_services/8.Fail2ban/0_setup.py
new file mode 100644
index 00000000..3dfb1bc1
--- /dev/null
+++ b/2.Common_services/8.Fail2ban/0_setup.py
@@ -0,0 +1,51 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+import os
+
+import utils
+
+
+def setup(interactive=True):
+ # install fail2ban
+ utils.log('Install fail2ban')
+ cmds = [
+ 'apt-get update',
+ 'apt-get install -y fail2ban',
+ ]
+ utils.run_commands(cmds)
+ # configure fail2ban
+ os.makedirs('/etc/fail2ban/filter.d', exist_ok=True)
+ os.makedirs('/etc/fail2ban/jail.d', exist_ok=True)
+ dir_path = utils.get_dir(__file__)
+ action = 'action_mwl' if bool(utils.get_conf('FAIL2BAN_SEND_EMAIL', '')) else 'action_'
+ sender = utils.get_conf('EMAIL_SENDER', 'root@localhost')
+ destemail = utils.get_conf('FAIL2BAN_EMAIL_ADMINS', 'root@localhost')
+ maxretry = utils.get_conf('FAIL2BAN_MAXRETRY', '6')
+ bantime = utils.get_conf('FAIL2BAN_BANTIME', '30')
+ cmds = [
+ dict(
+ line='write',
+ template='%s/filter.d/mediaserver.conf' % dir_path,
+ target='/etc/fail2ban/filter.d/mediaserver.conf'
+ ),
+ dict(
+ line='write',
+ template='%s/jail.d/mediaserver.conf' % dir_path,
+ target='/etc/fail2ban/jail.d/mediaserver.conf',
+ params=(
+ ('{{ action }}', action),
+ ('{{ sender }}', sender),
+ ('{{ destemail }}', destemail),
+ ('{{ maxretry }}', maxretry),
+ ('{{ bantime }}', bantime),
+ )
+ ),
+ ]
+ utils.run_commands(cmds)
+ # restart fail2ban
+ utils.log('Enable and restart fail2ban')
+ cmds = [
+ 'systemctl enable fail2ban',
+ 'systemctl restart fail2ban',
+ ]
+ utils.run_commands(cmds)
diff --git a/2.Common_services/8.Fail2ban/filter.d/mediaserver.conf b/2.Common_services/8.Fail2ban/filter.d/mediaserver.conf
new file mode 100644
index 00000000..508b3551
--- /dev/null
+++ b/2.Common_services/8.Fail2ban/filter.d/mediaserver.conf
@@ -0,0 +1,13 @@
+# Fail2Ban filter for MediaServer
+
+[INCLUDES]
+
+before = common.conf
+after = mediaserver.local
+
+[Definition]
+
+failregex = INFO Wrong credentials given to login\. IP: <HOST>, username: \S+\.$
+ INFO Wrong crendentials given to login\. IP: <HOST>, username: \S+\.$
+
+ignoreregex = 
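Review bot: In `setup()`, `bool(utils.get_conf('FAIL2BAN_SEND_EMAIL', ''))` is true for every non-empty string, so a value such as `'0'` or `'false'` would still select `action_mwl` and send mail. This assumes `get_conf` returns the raw string, as the string defaults in this function suggest; `utils` is not part of this patch. Compare against the accepted values instead, e.g. `action = 'action_mwl' if utils.get_conf('FAIL2BAN_SEND_EMAIL', '').strip().lower() in ('1', 'true', 'yes') else 'action_'`. `maxretry` and `bantime` are also substituted into the jail template exactly as read, so checking that they are in a form fail2ban accepts before rendering would keep a typo from leaving the service unable to load the jail at the restart that follows.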
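Review bot: Both `failregex` lines are unanchored at the start and require the client-supplied username to match `\S+`. If the application logs the username verbatim (the log format is not shown in this patch), a failed login whose username contains whitespace would not match and would not count toward `maxretry`. Without a leading anchor, the `IP: <HOST>` part is also not tied to the position where the application wrote the real address. Anchor the pattern with `^` followed by the fixed log prefix and accept any username, e.g. `failregex = ^PREFIX_PLACEHOLDER INFO Wrong cren?dentials given to login\. IP: <HOST>, username: .*$`, where PREFIX_PLACEHOLDER stands for the logger's prefix. That form also folds the second, misspelled line into the first.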
diff --git a/2.Common_services/8.Fail2ban/jail.d/mediaserver.conf b/2.Common_services/8.Fail2ban/jail.d/mediaserver.conf
new file mode 100644
index 00000000..a7b28be2
--- /dev/null
+++ b/2.Common_services/8.Fail2ban/jail.d/mediaserver.conf
@@ -0,0 +1,29 @@
+[mediaserver]
+enabled = true
+filter = mediaserver
+maxretry = {{ maxretry }}
+bantime = {{ bantime }}
+logpath = /home/msuser/mstmp/mediaserver.log
+action = %({{ action }})s
+sender = {{ sender }}
+destemail = {{ destemail }}
+
+[skyreach]
+enabled = true
+filter = mediaserver
+maxretry = {{ maxretry }}
+bantime = {{ bantime }}
+logpath = /home/skyreach/.skyreach/logs/skyreach.log
+action = %({{ action }})s
+sender = {{ sender }}
+destemail = {{ destemail }}
+
+[monitor]
+enabled = true
+filter = mediaserver
+maxretry = {{ maxretry }}
+bantime = {{ bantime }}
+logpath = /home/msmonitor/msmonitor/logs/site.log
+action = %({{ action }})s
+sender = {{ sender }}
+destemail = {{ destemail }}
diff --git a/global-conf.sh b/global-conf.sh
index d9ce1822..463484bb 100644
--- a/global-conf.sh
+++ b/global-conf.sh
@@ -105,20 +105,26 @@ BURP_MAIL_DEST='sysadmin@ubicast.eu' BURP_CLIENT_NAME= BURP_CLIENT_MAIL_DEST='sysadmin@ubicast.eu' -# -- tmbackup.sh -- +# -- Fail2ban specific settings -- +FAIL2BAN_SEND_EMAIL='1' +FAIL2BAN_EMAIL_ADMINS=EMAIL_ADMINS +FAIL2BAN_MAXRETRY='6' +FAIL2BAN_BANTIME='30' + +# -- tmbackup.sh -- BACKUP_SERVER='' # CSV separated LOCAL_BACKUP_FOLDERS='' # -- FTP -- -# move uploaded files into hotfolder +# move uploaded files into hotfolder # login:pass CSV separated #FTP_INCOMING_USERS='ftpuser1:ftppass1,ftpuser2:ftppass2' FTP_INCOMING_USERS= # -- HOTFOLDER -- # csv-separated -HOTFOLDERS='/home/ftp/storage/hotfolder' +HOTFOLDERS='/home/ftp/storage/hotfolder' # -- Tester config -- # separate values with commas -- GitLab
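Review bot: All three jails are `enabled = true` with fixed `logpath` values, so a host that lacks one of these logs (for example, one without skyreach installed) gets a jail whose log file is missing. Depending on the fail2ban version, that is reported as an error at start and can keep the service from coming up after the `systemctl restart fail2ban` in `0_setup.py`, which would leave every jail on the host inactive. Consider writing only the jails whose log exists, or templating `enabled` per service. No `findtime` is set either, so the counting window silently follows the distribution default; stating it next to `maxretry`, e.g. `findtime = 600`, keeps the policy readable in one place.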
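Review bot: `FAIL2BAN_EMAIL_ADMINS=EMAIL_ADMINS` assigns the literal word `EMAIL_ADMINS` rather than the value of that setting, unless `utils.get_conf` resolves such references itself (not visible in this patch). If it does not, `destemail` in the jail file becomes that literal and ban notifications never reach an administrator. If the file is sourced as shell, the line would be `FAIL2BAN_EMAIL_ADMINS="$EMAIL_ADMINS"`. Separately, fail2ban reads `FAIL2BAN_BANTIME='30'` as 30 seconds, which with `FAIL2BAN_MAXRETRY='6'` gives very little protection against repeated password guessing; a comment stating the unit, such as `# ban duration in seconds`, and a longer default would make the intent explicit.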