commit
0b90b27eb8
17 changed files with 304 additions and 0 deletions
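--- /dev/null
+++ b/PATH-NOT-SHOWN-file-01
@@ -0,0 +1,16 @@
+#!/usr/bin/perl -w
+
+use esmith::Build::CreateLinks qw(:all);
+
+templates2events("/etc/rc.d/init.d/masq", "fail2ban-update");
+templates2events("/etc/fail2ban/jail.conf", "fail2ban-conf");
+templates2events("/etc/fail2ban/fail2ban.conf", "fail2ban-conf");
+safe_symlink("adjust", "root/etc/e-smith/events/fail2ban-update/services2adjust/masq");
+safe_symlink("adjust", "root/etc/e-smith/events/fail2ban-conf/services2adjust/fail2ban");
+
+service_link_enhanced("fail2ban", "S92", "7");
+service_link_enhanced("fail2ban", "K08", "6");
+service_link_enhanced("fail2ban", "K08", "0");
+safe_touch("root/var/service/fail2ban/down");
+safe_symlink("../daemontools" , 'root/etc/rc.d/init.d/supervise/fail2ban');
+safe_symlink("/var/service/fail2ban" , 'root/service/fail2ban');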
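Review bot: The masq template is registered only for `fail2ban-update` on the first `templates2events` line, while `fail2ban-conf` expands just the two fail2ban configuration files and adjusts the fail2ban service. The masq fragment that emits the ban rules is gated on `$fail2ban{'status'}`, so if a status change is signalled through `fail2ban-conf` alone, the firewall keeps the previously expanded ban rules until the next `fail2ban-update`; which event the configuration side signals is not visible in this commit. If that is the case, add `templates2events("/etc/rc.d/init.d/masq", "fail2ban-conf");` and `safe_symlink("adjust", "root/etc/e-smith/events/fail2ban-conf/services2adjust/masq");` so both events converge on the same rule set. This file's path is not shown on the page; it is presumably the `createlinks` script the spec runs in `%build`.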
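--- /dev/null
+++ b/PATH-NOT-SHOWN-file-02
@@ -0,0 +1 @@
+enabled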
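--- /dev/null
+++ b/PATH-NOT-SHOWN-file-03
@@ -0,0 +1,4 @@
+[Definition]
+loglevel = 3
+logtarget = STDOUT
+socket = /var/run/fail2ban/fail2ban.sock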
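Review bot: `socket = /var/run/fail2ban/fail2ban.sock` requires the directory `/var/run/fail2ban` to exist, but nothing in this commit creates it: the spec's `%build` only creates `root/var/log/fail2ban`, and the genfilelist call only declares that log directory. Unless the `fail2ban` package the spec requires ships that directory, the server fails at startup when it cannot create the socket, and the supervise `run` script will then restart it in a loop. Either create the directory in the spec next to the log directory, or have the run script create it before the exec.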
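--- /dev/null
+++ b/PATH-NOT-SHOWN-file-04
@@ -0,0 +1 @@
+[DEFAULT]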
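--- /dev/null
+++ b/PATH-NOT-SHOWN-file-05
@@ -0,0 +1,22 @@
+{
+
+use esmith::NetworksDB;
+my $n = esmith::NetworksDB->open_ro() ||
+die "Couldn't open networks DB\n";
+
+my @ip = (127.0.0.1);
+
+# Add hosts which can access the server-manager to the whitelist
+push @ip, " $_" foreach (split /[,;], (${'httpd-admin'}{'ValidFrom'} || ''));
+
+if (($fail2ban{FilterLocalNetworks} || 'disabled' eq 'enabled' ){
+foreach my $network ($n->networks){
+my $key = $network->key;
+my $mask = $network->prop('Mask);
+push @ip, "$key/$mask";
+}
+}
+
+$OUT .= "ignoreip = " . join(" ", @ip);
+
+}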
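Review bot: This fragment has several defects that make the generated `ignoreip` line wrong or stop the template from expanding at all: `my @ip = (127.0.0.1);` is a bare literal with three dots, which Perl parses as a v-string (four raw bytes), not the text `127.0.0.1`; the `split /[,;], (...)` on the ValidFrom line is missing the closing `/` of the pattern; `prop('Mask)` is missing its closing quote; and the `if` line is both missing a closing parenthesis and mis-grouped, since `eq` binds tighter than `||`, so `$fail2ban{FilterLocalNetworks} || 'disabled' eq 'enabled'` is true whenever the property holds any non-empty value, including `disabled`. With that grouping the local networks are exempted from banning even when the administrator turned the exemption off, which is the security-relevant part. The `" $_"` pushed with a leading space also yields double spaces in the joined list, and empty entries from a trailing separator become bare spaces. The rewrite below fixes all of these; the DB open and the final `$OUT` line are unchanged.
```perl
my @ip = ('127.0.0.1');

# Add hosts which can access the server-manager to the whitelist
push @ip, grep { length } split /[,;]/, (${'httpd-admin'}{'ValidFrom'} || '');

if (($fail2ban{FilterLocalNetworks} || 'disabled') eq 'enabled'){
    foreach my $network ($n->networks){
        my $key = $network->key;
        my $mask = $network->prop('Mask');
        push @ip, "$key/$mask";
    }
}
# … unchanged: $OUT .= "ignoreip = " … …
```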
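--- /dev/null
+++ b/PATH-NOT-SHOWN-file-06
@@ -0,0 +1,7 @@
+{
+
+my $bantime = $fail2ban{'BanTime'} || '600';
+
+$OUT .= "bantime = $bantime";
+
+}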
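Review bot: `$fail2ban{'BanTime'} || '600'` copies the database value into jail.conf without checking that it is numeric, so a mistyped property produces a file fail2ban rejects at startup and the service then sits in a restart loop under supervise; the same applies to the findtime and maxretry fragments that follow this one. A one-line guard keeps the fallback while rejecting junk: `my $bantime = (defined $fail2ban{'BanTime'} && $fail2ban{'BanTime'} =~ m/^\d+$/) ? $fail2ban{'BanTime'} : '600';`.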
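--- /dev/null
+++ b/PATH-NOT-SHOWN-file-07
@@ -0,0 +1,7 @@
+{
+
+my $findtime = $fail2ban{'FindTime'} || '600';
+
+$OUT .= "findtime = $findtime";
+
+}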
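--- /dev/null
+++ b/PATH-NOT-SHOWN-file-08
@@ -0,0 +1,6 @@
+{
+my $maxretry = $fail2ban{'MaxRetry'} || '3';
+
+$OUT .= "maxretry = $maxretry";
+
+}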
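--- /dev/null
+++ b/PATH-NOT-SHOWN-file-09
@@ -0,0 +1 @@
+backend = auto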
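--- /dev/null
+++ b/PATH-NOT-SHOWN-file-10
@@ -0,0 +1,12 @@
+{
+
+my $port = $sshd{'TCPPort'} || '22';
+$OUT .=<<"EOF";
+[ssh]
+
+enabled = true
+filter = sshd
+action = smeserver[port=$port, protocol=tcp]
+logpath = /var/log/sshd/current
+EOF
+}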
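Review bot: The `[ssh]` jail is emitted with `enabled = true` regardless of the sshd service state; the fragment only reads `$sshd{'TCPPort'}`. If sshd is disabled and `/var/log/sshd/current` does not exist, fail2ban complains about the missing logpath for the jail (older releases refuse to start the jail at all), so it is cleaner to derive the flag: `my $enabled = (($sshd{'status'} || 'disabled') eq 'enabled') ? 'true' : 'false';` and `enabled = $enabled` in the heredoc. The logpath is a multilog `current` file; whether the stock `sshd` filter's date pattern copes with multilog's timestamp format is not visible from this commit and should be confirmed against the filter actually installed.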
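--- /dev/null
+++ b/PATH-NOT-SHOWN-file-11
@@ -0,0 +1,10 @@
+# A blacklist chain for fail2ban
+/sbin/iptables --new-chain Fail2Ban
+/sbin/iptables --new-chain Fail2Ban_1
+/sbin/iptables --append Fail2Ban -j Fail2Ban_1
+# TODO: add a prop to filter only external or internal and external interfaces
+# Check for banned hosts after local_chk and state_chk
+# TODO: add a prop to block established connections for banned host
+# which means insert into position 1 instead of 3
+/sbin/iptables --insert INPUT 3 \
+-j Fail2Ban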
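Review bot: The `Fail2Ban` chain is hooked only into `INPUT` on the `--insert INPUT 3` line, so a banned host can still reach anything the server forwards or port-forwards; the `denylog` rules that the other masq fragment appends never see that traffic. The two TODOs cover interfaces and established connections but not this, so if forwarded traffic is meant to be covered add `/sbin/iptables --insert FORWARD 1 -j Fail2Ban` (or the position that matches that chain's local/state checks), and otherwise say so in the comment. The hard-coded position `3` depends on `local_chk` and `state_chk` keeping their places in fragments not shown here; the comment above names that assumption, which is good, but a reader should know it is an assumption rather than something this file verifies.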
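--- /dev/null
+++ b/PATH-NOT-SHOWN-file-12
@@ -0,0 +1,26 @@
+{
+my $f2bdb = esmith::ConfigDB->open_ro('fail2ban');
+# Find the current Fail2Ban_$$ chain, and create a new one.
+$OUT .=<<'EOF';
+OLD_Fail2Ban=$(get_safe_id Fail2Ban filter find)
+NEW_Fail2Ban=$(get_safe_id Fail2Ban filter new)
+/sbin/iptables --new-chain $NEW_Fail2Ban
+EOF
+
+foreach my $ban ( $f2bdb->get_all_by_prop(type=>('ban')) ){
+$OUT .= " /sbin/iptables --append \$NEW_Fail2Ban" .
+" -s " . $ban->key . " -j denylog\n"
+if ( ($fail2ban{'status'} || 'disabled') eq 'enabled' );
+$OUT .= " /sbin/iptables --append \$NEW_Fail2Ban" .
+" -j RETURN\n";
+}
+
+# Having created a new Fail2Ban chain, activate it and destroy the old.
+$OUT .=<<'EOF';
+/sbin/iptables --replace Fail2Ban 1 \
+--jump $NEW_Fail2Ban
+/sbin/iptables --flush $OLD_Fail2Ban
+/sbin/iptables --delete-chain $OLD_Fail2Ban
+EOF
+
+}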
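Review bot: The ban rule on the `" -s " . $ban->key` line uses the record key as the source address, but in sme-fail2ban the key is the random id from `generate_uniq_id()` and the address is stored in the `Host` property (`set_prop($id, 'Host', ...)`), so every generated `iptables -s <id>` line fails and no host is actually banned; the `Protocol` and `Port` properties are never read at all, so once the key is fixed a port-restricted ban silently becomes a whole-host ban. The `-j RETURN` append is also inside the loop, so from the second record on an unconditional RETURN precedes every later entry and only the first ban can ever match; it belongs after the loop, and the `status` check belongs around the loop rather than being re-evaluated per record. Because these property values are interpolated into a shell script, this fragment relies entirely on sme-fail2ban's input validation; the rewrite below keeps that arrangement but at least skips records with no `Host`. If `esmith::ConfigDB` is not already loaded by the template expander, the `open_ro` line also needs a `use esmith::ConfigDB;` — I cannot tell from this commit.
```perl
# … unchanged: open_ro and the chain-creation heredoc …
if ( ($fail2ban{'status'} || 'disabled') eq 'enabled' ){
    foreach my $ban ( $f2bdb->get_all_by_prop(type => 'ban') ){
        my $host  = $ban->prop('Host') or next;
        my $proto = $ban->prop('Protocol');
        my $port  = $ban->prop('Port');
        my $rule  = " /sbin/iptables --append \$NEW_Fail2Ban -s $host";
        $rule .= " -p $proto"     if ($proto && $proto ne 'all');
        $rule .= " --dport $port" if ($port && $proto && $proto =~ m/^(?:tcp|udp)$/);
        $OUT .= "$rule -j denylog\n";
    }
}
$OUT .= " /sbin/iptables --append \$NEW_Fail2Ban -j RETURN\n";
# … unchanged: chain swap heredoc …
```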
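--- /dev/null
+++ b/PATH-NOT-SHOWN-file-13
@@ -0,0 +1,9 @@
+
+[Definition]
+
+actionban = /sbin/e-smith/sme-fail2ban --host=<ip> --proto=<protocol> --port=<port>
+actionunban = /sbin/e-smith/sme-fail2ban --host=<ip> --unban --proto=<protocol> --port=<port>
+
+[Init]
+protocol = undef
+port = undef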
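Review bot: `actionban` and `actionunban` pass `--proto=<protocol>`, but the script declares the option as `protocol=s`; this only resolves because Getopt::Long accepts unique prefixes by default, so spelling it `--protocol=<protocol>` on both lines removes the dependence on that behaviour. The `[Init]` defaults `protocol = undef` and `port = undef` are sentinels the script is meant to strip again; with the script's `port=i` declaration the value `undef` is rejected by Getopt::Long before the strip runs, so the port default works only because the rejection leaves the option unset. The sentinel scheme would be more robust if the script took `port` as a string, which the note on the script covers.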
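--- /dev/null
+++ b/PATH-NOT-SHOWN-file-14
@@ -0,0 +1,119 @@
+#!/usr/bin/perl -w
+
+use strict;
+use warnings;
+use esmith::ConfigDB;
+use Getopt::Long;
+
+our $f2bdb = esmith::ConfigDB->open('fail2ban');
+our %opts;
+
+
+sub usage(){
+print<<"EOF";
+
+Usage: $0 --host=<ip> [--unban] [--protocol=tcp|udp|icmp|all] [--port=<port number>]
+
+* --host must specify a valid IPv4 adress in the form 10.11.12.13
+* --protocol can be used to specify the protocol to block. Only tcp, udp, icmp and all are valid (default is all)
+* --port can be used to specify the port to block. Only valid for tcp and udp. You can also specify a range
+of port like 10000:20000
+* if --unban is specified, the given host will be removed from the blacklist
+default is to add to the blacklist instead
+
+EOF
+}
+
+# Check if port is valid
+sub is_valid_port($){
+my $port = shift;
+my $ret = 0;
+if ($port =~ m/^(\d+)[\-:](\d+)$/){
+$ret = 1 if ($1 >= 0 &&
+$1 < 65636 &&
+$2 >= 0 &&
+$2 < 65636);
+}
+else{
+$ret = 1 if ($port > 0 &&
+$port < 65636);
+}
+return $ret;
+}
+
+# Generate a random uniq ID
+sub generate_uniq_id(){
+my @chars = ('a'..'z','0'..'9');
+my $id = '';
+my $round = 0;
+foreach (1..10){
+foreach (1..15){
+$id .= $chars[rand @chars];
+}
+my $eid = $f2bdb->get($id);
+last unless ($eid);
+}
+die "Couldn't generate a valid uniq ID\n"
+if ($id eq '');
+return $id;
+}
+
+# default is to ban a host
+$opts{unban} = '0';
+
+GetOptions(
+"host=s" => \$opts{host},
+"unban" => \$opts{unban},
+"protocol=s" => \$opts{proto},
+"port=i" => \$opts{port}
+);
+
+# special "undef" value for port and proto
+undef $opts{proto} if ($opts{proto} eq 'undef');
+undef $opts{port} if ($opts{port} eq 'undef');
+
+# Check options are valid
+
+# host is required
+my @req = qw(host);
+foreach (@req){
+usage() && die unless (defined $opts{$_});
+}
+
+# host must look like an IP address
+usage() && die
+unless ($opts{host} =~ m/^(?:(?:[01]?\d?\d?|2[0-4]\d|25[0-5])(?:\.|$)){4}$/);
+
+# protocol must can only be undefined, tcp, udp or icmp
+usage() && die
+if ($opts{proto} && $opts{proto} !~ m/^tcp|udp|icmp|all$/);
+
+# port must be a valid port number, and is only valid for tcp and udp
+usage && die
+if ($opts{port} && (($opts{proto} && $opts{proto} !~ m/^tcp|udp$/) || !is_valid_port($opts{port})));
+
+if ($opts{unban}){
+foreach ($f2bdb->get_all_by_prop(Host => $opts{host})){
+my $proto = $_->prop('Protocol') || '';
+my $port = $_->prop('Port') || '';
+next if ($opts{proto} && $proto ne $opts{proto});
+next if ($opts{port} && $port ne $opts{port} && $proto =~ m/^tcp|udp$/);
+$_->delete();
+}
+}
+else{
+my $id = generate_uniq_id();
+$f2bdb->new_record($id, {type => 'ban'});
+$f2bdb->set_prop($id, 'Host', $opts{host});
+$f2bdb->set_prop($id, 'Protocol', $opts{proto})
+if ($opts{proto});
+$f2bdb->set_prop($id, 'Port', $opts{port})
+if ($opts{port});
+# Set the current timestamp
+$f2bdb->set_prop($id, 'Timestamp', time());
+}
+
+die "An error occured while updating the firewall rules"
+unless (system("/sbin/e-smith/signal-event fail2ban-update") == 0);
+
+exit(0);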
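Review bot: The protocol checks on the `!~ m/^tcp|udp|icmp|all$/` and `!~ m/^tcp|udp$/` lines (and the `=~ m/^tcp|udp$/` in the unban loop) anchor only the first and last alternatives, so values such as `tcpX` or `Xudp` pass and are stored in the ban record; `is_valid_port` uses `65636` as its bound, letting 65536–65635 through, and the `port=i` declaration rejects the `10000:20000` ranges the usage text advertises (the `[Init]` sentinel `undef` only works because the rejected value leaves `$opts{port}` unset, and `GetOptions`'s false return is never checked). The host regex's `[01]?\d?\d?` branch matches the empty string, so `1.2.3.` and even `....` are accepted as IPv4 addresses. Since these values are later interpolated into the generated iptables script, the checks should be exact: anchor the alternations with `(?:...)`, fix the port bound, take `port` as a string so ranges and the sentinel work, check the GetOptions result, and use an octet pattern that cannot match empty. `generate_uniq_id` also never resets `$id` between rounds, so a collision retry yields a 30-character id and the `eq ''` check can never fire; unrelated to validation, but worth fixing in the same pass.
```perl
# Check if port is valid: a single port 1-65535, or a lo:hi / lo-hi range within 0-65535
sub is_valid_port($){
    my $port = shift;
    if ($port =~ m/^(\d+)[\-:](\d+)$/){
        return ($1 <= 65535 && $2 <= 65535) ? 1 : 0;
    }
    return ($port =~ m/^\d+$/ && $port > 0 && $port <= 65535) ? 1 : 0;
}

# … unchanged: generate_uniq_id, default for unban …

GetOptions(
    "host=s"     => \$opts{host},
    "unban"      => \$opts{unban},
    "protocol=s" => \$opts{proto},
    "port=s"     => \$opts{port}
) or do { usage(); die "Invalid options\n" };

# … unchanged: undef sentinels, required-option check …

# host must be a dotted quad with every octet in 0-255 (no empty octets)
my $octet = qr/(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)/;
usage() && die
    unless ($opts{host} =~ m/^(?:$octet\.){3}$octet$/);

# protocol can only be undefined, tcp, udp, icmp or all
usage() && die
    if ($opts{proto} && $opts{proto} !~ m/^(?:tcp|udp|icmp|all)$/);

# port must be a valid port number, and is only valid for tcp and udp
usage() && die
    if ($opts{port} && (($opts{proto} && $opts{proto} !~ m/^(?:tcp|udp)$/) || !is_valid_port($opts{port})));

# … unchanged: ban/unban handling (anchor the unban loop's m/^tcp|udp$/ the same way) …
```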
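--- /dev/null
+++ b/PATH-NOT-SHOWN-file-15
@@ -0,0 +1,6 @@
+#!/bin/sh
+
+exec \
+/usr/local/bin/setuidgid smelog \
+/usr/local/bin/multilog t s5000000 \
+/var/log/fail2ban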
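--- /dev/null
+++ b/PATH-NOT-SHOWN-file-16
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+exec /usr/bin/fail2ban-server -fx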
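Review bot: The run script execs `fail2ban-server -fx` without redirecting stderr, so with `logtarget = STDOUT` ordinary log lines reach the multilog log service but Python tracebacks and startup errors written to stderr are lost; add `exec 2>&1` on its own line before the `exec /usr/bin/fail2ban-server -fx` line, as daemontools run scripts conventionally do, so failures are visible in `/var/log/fail2ban`. `-x` removes a stale socket on every start, which fits a supervised service that is restarted after a crash.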
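--- /dev/null
+++ b/PATH-NOT-SHOWN-file-17
@@ -0,0 +1,54 @@
+%define version 0.0.1
+%define release 1.beta0
+%define name smeserver-fail2ban
+
+
+Summary: fail2ban integration on SME Server
+Name: %{name}
+Version: %{version}
+Release: %{release}%{?dist}
+License: GPL
+Group: Networking/Daemons
+Source: %{name}-%{version}.tar.gz
+
+BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
+BuildArchitectures: noarch
+BuildRequires: e-smith-devtools
+
+Requires: e-smith-base >= 5.2.0
+Requires: fail2ban
+
+%description
+Configure fail2ban on SME Server
+
+%changelog
+* Sun Apr 28 2013 Daniel Berteaud <daniel@firewall-services.com> - 0.1.0-1.sme
+- initial release
+
+%prep
+%setup -q -n %{name}-%{version}
+
+%build
+%{__mkdir_p} root/var/log/fail2ban
+perl createlinks
+
+%install
+/bin/rm -rf $RPM_BUILD_ROOT
+(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
+/bin/rm -f %{name}-%{version}-filelist
+/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
+--file /var/service/fail2ban/run 'attr(0755,root,root)' \
+--file /var/service/fail2ban/log/run 'attr(0755,root,root)' \
+--dir /var/log/fail2ban 'attr(0750,smelog,smelog)' \
+> %{name}-%{version}-filelist
+
+%files -f %{name}-%{version}-filelist
+%defattr(-,root,root)
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+
+%preun
+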
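Review bot: The `%changelog` entry is labelled `0.1.0-1.sme` while the file defines `version 0.0.1` and `release 1.beta0`, so the first changelog line does not describe the package being built; rpmbuild accepts this, but it will mislead anyone tracing releases later. The genfilelist call sets explicit modes only for the two `run` scripts and the log directory; `/sbin/e-smith/sme-fail2ban`, which the action configuration executes on every ban and unban, gets whatever mode genfilelist assigns by default, so if that default is not executable the ban action fails at runtime — add `--file /sbin/e-smith/sme-fail2ban 'attr(0755,root,root)' \` unless the default is already 0755. The `/var/run/fail2ban` directory the socket setting needs is also not created anywhere in `%build` or declared in the filelist. `%post` and `%preun` are empty; if nothing is intended there, dropping them avoids suggesting a missing step.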