Subversion Repositories configs

# Fail2Ban configuration file

#

# Author: Russell Odom <russ@gloomytrousers.co.uk>

# Submits attack reports to DShield (http://www.dshield.org/)

#

# You MUST configure at least:

# <port> (the port that's being attacked - use number not name).

#

# You SHOULD also provide:

# <myip> (your public IP address, if it's not the address of eth0)

# <userid> (your DShield userID, if you have one - recommended, but reports will

# be used anonymously if not)

# <protocol> (the protocol in use - defaults to tcp)

#

# Best practice is to provide <port> and <protocol> in jail.conf like this:

# action = dshield[port=1234,protocol=tcp]

#

# ...and create "dshield.local" with contents something like this:

# [Init]

# myip = 10.0.0.1

# userid = 12345

#

# Other useful configuration values are <mailargs> (you can use for specifying

# a different sender address for the report e-mails, which should match what is

# configured at DShield), and <lines>/<minreportinterval>/<maxbufferage> (to

# configure how often the buffer is flushed).

#

[Definition]

# bypass ban/unban for restored tickets

norestored = 1

# Option:  actionstart

# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).

# Values:  CMD

#

actionstart =

# Option:  actionstop

# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)

# Values:  CMD

#

actionstop = if [ -f <tmpfile>.buffer ]; then

                 cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>

                 date +%%s > <tmpfile>.lastsent

             fi

             rm -f <tmpfile>.buffer <tmpfile>.first

# Option:  actioncheck

# Notes.:  command executed once before each actionban command

# Values:  CMD

#

actioncheck =

# Option:  actionban

# Notes.:  command executed when banning an IP. Take care that the

#          command is executed with Fail2Ban user rights.

# Tags:    See jail.conf(5) man page

# Values:  CMD

#

# See http://www.dshield.org/specs.html for more on report format/notes

#

# Note: We are currently using <time> for the timestamp because no tag is

# available to indicate the timestamp of the log message(s) which triggered the

# ban. Therefore the timestamps we are using in the report, whilst often only a

# few seconds out, are incorrect. See

# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047

#

actionban = TZONE=`date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'`

            DATETIME="`perl -e '@t=localtime(<time>);printf "%%4d-%%02d-%%02d %%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'` $TZONE"

	    PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`

	    if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi

            printf %%b "$DATETIME\t<userid>\t<failures>\t<ip>\t<srcport>\t<myip>\t<port>\t$PROTOCOL\t<tcpflags>\n" >> <tmpfile>.buffer

            NOW=`date +%%s`

            if [ ! -f <tmpfile>.first ]; then

                echo <time> | cut -d. -f1 > <tmpfile>.first

            fi

            if [ ! -f <tmpfile>.lastsent ]; then

                echo 0 > <tmpfile>.lastsent

            fi

            LOGAGE=$(($NOW - `cat <tmpfile>.first`))

            LASTREPORT=$(($NOW - `cat <tmpfile>.lastsent`))

            LINES=$( wc -l <tmpfile>.buffer | awk '{ print $1 }' )

            if [ $LINES -ge <lines> && $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]; then

                cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ $TZONE Fail2Ban" <mailargs> <dest>

                rm -f <tmpfile>.buffer <tmpfile>.first

                echo $NOW > <tmpfile>.lastsent

            fi

# Option:  actionunban

# Notes.:  command executed when unbanning an IP. Take care that the

#          command is executed with Fail2Ban user rights.

# Tags:    See jail.conf(5) man page

# Values:  CMD

#

actionunban = if [ -f <tmpfile>.first ]; then

                  NOW=`date +%%s`

                  LOGAGE=$(($NOW - `cat <tmpfile>.first`))

                  if [ $LOGAGE -gt <maxbufferage> ]; then

                      cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>

                      rm -f <tmpfile>.buffer <tmpfile>.first

                      echo $NOW > <tmpfile>.lastsent

                  fi

              fi

[Init]

# Option:  port

# Notes.:  The target port for the attack (numerical). MUST be provided in the

#          jail config, as it cannot be detected here.

# Values:  [ NUM ]

#

port = ???

# Option:  userid

# Notes.:  Your DShield user ID. Should be provided either in the jail config or

#          in a .local file.

#          Register at https://secure.dshield.org/register.html

# Values:  [ NUM ]

#

userid = 0

# Option:  myip

# Notes.:  The target IP for the attack (your public IP). Should be provided

#          either in the jail config or in a .local file unless your PUBLIC IP

#          is the first IP assigned to eth0

# Values:  [ an IP address ]  Default: Tries to find the IP address of eth0,

#          which in most cases will be a private IP, and therefore incorrect

#

myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`

# Option:  protocol

# Notes.:  The protocol over which the attack is happening

# Values:  [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp

#

protocol = tcp

# Option:  lines

# Notes.:  How many lines to buffer before making a report. Regardless of this,

#          reports are sent a minimum of <minreportinterval> apart, or if the

#          buffer contains an event over <maxbufferage> old, or on shutdown

# Values:  [ NUM ]

#

lines = 50

# Option:  minreportinterval

# Notes.:  Minimum period (in seconds) that must elapse before we submit another

#          batch of reports. DShield request a minimum of 1 hour (3600 secs)

#          between reports.

# Values:  [ NUM ]

#

minreportinterval = 3600

# Option:  maxbufferage

# Notes.:  Maximum age (in seconds) of the oldest report in the buffer before we

#          submit the batch, even if we haven't reached <lines> yet. Note that

#          this is only checked on each ban/unban, and that we always send

#          anything in the buffer on shutdown. Must be greater than

# Values:  [ NUM ]

#

maxbufferage = 21600

# Option:  srcport

# Notes.:  The source port of the attack. You're unlikely to have this info, so

#          you can leave the default

# Values:  [ NUM ]

#

srcport = ???

# Option:  tcpflags

# Notes.:  TCP flags on attack. You're unlikely to have this info, so you can

#          leave empty

# Values:  [ STRING ]

#

tcpflags =

# Option:  mailcmd

# Notes.:  Your system mail command. Is passed 2 args: subject and recipient

# Values:  CMD

#

mailcmd = mail -s

# Option:  mailargs

# Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:

#          CC reports to another address:

#              -c me@example.com

#          Appear to come from a different address (the From address must match

#          the one configured at DShield - the '--' indicates arguments to be

#          passed to Sendmail):

#              -- -f me@example.com

# Values:  [ STRING ]

#

mailargs =

# Option:  dest

# Notes.:  Destination e-mail address for reports

# Values:  [ STRING ]

#

dest = reports@dshield.org

# Option:  tmpfile

# Notes.:  Base name of temporary files used for buffering

# Values:  [ STRING ]

#

tmpfile = /var/run/fail2ban/tmp-dshield