First commit

tags/0.0.1
Daniel Berteaud 12 years ago
commit 0b90b27eb8
  1. 16
      createlinks
  2. 1
      root/etc/e-smith/db/configuration/defaults/fail2ban/status
  3. 4
      root/etc/e-smith/templates/etc/fail2ban/fail2ban.conf/10All
  4. 1
      root/etc/e-smith/templates/etc/fail2ban/jail.conf/00Default
  5. 22
      root/etc/e-smith/templates/etc/fail2ban/jail.conf/05IgnoreIP
  6. 7
      root/etc/e-smith/templates/etc/fail2ban/jail.conf/10BanTime
  7. 7
      root/etc/e-smith/templates/etc/fail2ban/jail.conf/10FindTime
  8. 6
      root/etc/e-smith/templates/etc/fail2ban/jail.conf/15MaxRetries
  9. 1
      root/etc/e-smith/templates/etc/fail2ban/jail.conf/20Backend
  10. 12
      root/etc/e-smith/templates/etc/fail2ban/jail.conf/30Service10ssh
  11. 10
      root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Fail2Ban
  12. 26
      root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustFail2Ban
  13. 9
      root/etc/fail2ban/action.d/smeserver.conf
  14. 119
      root/sbin/e-smith/sme-fail2ban
  15. 6
      root/var/service/fail2ban/log/run
  16. 3
      root/var/service/fail2ban/run
  17. 54
      smeserver-fail2ban.spec

@ -0,0 +1,16 @@
#!/usr/bin/perl -w
use esmith::Build::CreateLinks qw(:all);
templates2events("/etc/rc.d/init.d/masq", "fail2ban-update");
templates2events("/etc/fail2ban/jail.conf", "fail2ban-conf");
templates2events("/etc/fail2ban/fail2ban.conf", "fail2ban-conf");
safe_symlink("adjust", "root/etc/e-smith/events/fail2ban-update/services2adjust/masq");
safe_symlink("adjust", "root/etc/e-smith/events/fail2ban-conf/services2adjust/fail2ban");
service_link_enhanced("fail2ban", "S92", "7");
service_link_enhanced("fail2ban", "K08", "6");
service_link_enhanced("fail2ban", "K08", "0");
safe_touch("root/var/service/fail2ban/down");
safe_symlink("../daemontools" , 'root/etc/rc.d/init.d/supervise/fail2ban');
safe_symlink("/var/service/fail2ban" , 'root/service/fail2ban');
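Review bot: jail.conf is wired only to the fail2ban-conf event (line `templates2events("/etc/fail2ban/jail.conf", "fail2ban-conf");`), yet its fragments read `$sshd{'TCPPort'}`, `${'httpd-admin'}{'ValidFrom'}` and the networks DB, so an ssh-port or network change made later leaves fail2ban banning the old port and ignoring a stale whitelist until a fail2ban-conf event happens to fire. Presumably the SME events that change those values should expand the template too, e.g. `templates2events("/etc/fail2ban/jail.conf", qw(fail2ban-conf remoteaccess-update network-create network-delete));` with a matching `services2adjust/fail2ban` link in each of those events; the exact event names should be confirmed against e-smith-base. The `safe_touch(".../down")` line deserves a one-line comment saying the service stays down until `status` is enabled, since the defaults file is not visible here.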

@ -0,0 +1,4 @@
[Definition]
loglevel = 3
logtarget = STDOUT
socket = /var/run/fail2ban/fail2ban.sock

@ -0,0 +1,22 @@
{
use esmith::NetworksDB;
my $n = esmith::NetworksDB->open_ro() ||
die "Couldn't open networks DB\n";
my @ip = (127.0.0.1);
# Add hosts which can access the server-manager to the whitelist
push @ip, " $_" foreach (split /[,;], (${'httpd-admin'}{'ValidFrom'} || ''));
if (($fail2ban{FilterLocalNetworks} || 'disabled' eq 'enabled' ){
foreach my $network ($n->networks){
my $key = $network->key;
my $mask = $network->prop('Mask);
push @ip, "$key/$mask";
}
}
$OUT .= "ignoreip = " . join(" ", @ip);
}
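Review bot: this fragment cannot compile: `split /[,;],` is missing the closing regex delimiter, `$network->prop('Mask);` has an unterminated string, and the `if ((... || 'disabled' eq 'enabled' ){` line has unbalanced parentheses and a precedence bug (`'disabled' eq 'enabled'` binds first, so any value of FilterLocalNetworks, including "disabled", enables the branch). Separately, `my @ip = (127.0.0.1);` is a bare v-string in Perl, not the text "127.0.0.1", so the loopback entry would be four control bytes. Since a failed template leaves `ignoreip` unset, the server-manager hosts and local networks would not be whitelisted; the fixed lines are below, and a comment should state that with FilterLocalNetworks enabled, brute force from inside the LAN is deliberately never banned.
```perl
my @ip = ('127.0.0.1');   # quoted: a bare 127.0.0.1 is a Perl v-string, not the text "127.0.0.1"
# Add hosts which can access the server-manager to the whitelist
push @ip, $_ foreach (split /[,;]/, (${'httpd-admin'}{'ValidFrom'} || ''));
# When enabled, every local network is exempt from banning (LAN brute force is never blocked)
if (($fail2ban{FilterLocalNetworks} || 'disabled') eq 'enabled') {
    foreach my $network ($n->networks) {
        my $key  = $network->key;
        my $mask = $network->prop('Mask');
        push @ip, "$key/$mask";
    }
}
# … unchanged: $OUT .= "ignoreip = " . join(" ", @ip); …
```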

@ -0,0 +1,7 @@
{
my $bantime = $fail2ban{'BanTime'} || '600';
$OUT .= "bantime = $bantime";
}

@ -0,0 +1,7 @@
{
my $findtime = $fail2ban{'FindTime'} || '600';
$OUT .= "findtime = $findtime";
}

@ -0,0 +1,6 @@
{
my $maxretry = $fail2ban{'MaxRetry'} || '3';
$OUT .= "maxretry = $maxretry";
}

@ -0,0 +1,12 @@
{
my $port = $sshd{'TCPPort'} || '22';
$OUT .=<<"EOF";
[ssh]
enabled = true
filter = sshd
action = smeserver[port=$port, protocol=tcp]
logpath = /var/log/sshd/current
EOF
}
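Review bot: the ssh jail is `enabled = true` unconditionally while the port is taken from `$sshd{'TCPPort'}`; nothing consults `$sshd{'status'}`, so with sshd disabled the jail still starts against `/var/log/sshd/current`, which may not exist, and in my experience fail2ban then refuses to start that jail and logs an error on every restart. Deriving the flag from the service state, `my $enabled = (($sshd{'status'} || 'disabled') eq 'enabled') ? 'true' : 'false';` and `enabled = $enabled`, keeps the jail in step with sshd. A short comment that `smeserver[...]` refers to action.d/smeserver.conf from this same package would help the next reader.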

@ -0,0 +1,10 @@
# A blacklist chain for fail2ban
/sbin/iptables --new-chain Fail2Ban
/sbin/iptables --new-chain Fail2Ban_1
/sbin/iptables --append Fail2Ban -j Fail2Ban_1
# TODO: add a prop to filter only external or internal and external interfaces
# Check for banned hosts after local_chk and state_chk
# TODO: add a prop to block established connections for banned host
# which means insert into position 1 instead of 3
/sbin/iptables --insert INPUT 3 \
-j Fail2Ban
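Review bot: the jump is inserted only into INPUT, so banned hosts are still able to reach anything the masq script forwards through FORWARD (port forwards to LAN hosts); whether that is intended should be stated next to the existing TODOs, or a second `/sbin/iptables --insert FORWARD 3 -j Fail2Ban` added once the FORWARD chain's rule order has been checked. The hard-coded position `3` silently depends on exactly two rules (the local_chk and state_chk the comment names) preceding it in INPUT; a comment such as `# position 3 == after local_chk and state_chk; revisit if masq's INPUT preamble changes` makes that coupling explicit, and the note that established connections from a banned host survive the ban (because state_chk runs first) belongs in the same comment.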

@ -0,0 +1,26 @@
{
my $f2bdb = esmith::ConfigDB->open_ro('fail2ban');
# Find the current Fail2Ban_$$ chain, and create a new one.
$OUT .=<<'EOF';
OLD_Fail2Ban=$(get_safe_id Fail2Ban filter find)
NEW_Fail2Ban=$(get_safe_id Fail2Ban filter new)
/sbin/iptables --new-chain $NEW_Fail2Ban
EOF
foreach my $ban ( $f2bdb->get_all_by_prop(type=>('ban')) ){
$OUT .= " /sbin/iptables --append \$NEW_Fail2Ban" .
" -s " . $ban->key . " -j denylog\n"
if ( ($fail2ban{'status'} || 'disabled') eq 'enabled' );
$OUT .= " /sbin/iptables --append \$NEW_Fail2Ban" .
" -j RETURN\n";
}
# Having created a new Fail2Ban chain, activate it and destroy the old.
$OUT .=<<'EOF';
/sbin/iptables --replace Fail2Ban 1 \
--jump $NEW_Fail2Ban
/sbin/iptables --flush $OLD_Fail2Ban
/sbin/iptables --delete-chain $OLD_Fail2Ban
EOF
}
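Review bot: the ban rules are built from the wrong field: `-s " . $ban->key` uses the record key, which sme-fail2ban sets to a random id (`new_record($id, {type => 'ban'})`) while the address goes into the `Host` prop, so every generated rule is `-s <randomid>` and iptables rejects it, failing the masq adjust. The `-j RETURN` append is also inside the foreach, so an unconditional RETURN follows the first ban rule and every later ban is unreachable. The `Protocol`/`Port` props written by sme-fail2ban are ignored here, turning a port-specific ban into a full-host ban; if that is intended it should be said in a comment. It is worth noting in a comment that the only thing keeping this interpolation into a root-run shell script safe is the IPv4 check sme-fail2ban performs before a Host value reaches the DB.
```perl
foreach my $ban ( $f2bdb->get_all_by_prop(type => 'ban') ) {
    # The record key is a random id (see sme-fail2ban); the address lives in the Host prop,
    # validated as dotted-quad IPv4 before it is stored.
    my $host = $ban->prop('Host') or next;
    $OUT .= " /sbin/iptables --append \$NEW_Fail2Ban -s $host -j denylog\n"
        if ( ($fail2ban{'status'} || 'disabled') eq 'enabled' );
}
# One RETURN after all ban rules; a RETURN per iteration would short-circuit every rule but the first.
$OUT .= " /sbin/iptables --append \$NEW_Fail2Ban -j RETURN\n";
```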

@ -0,0 +1,9 @@
[Definition]
actionban = /sbin/e-smith/sme-fail2ban --host=<ip> --proto=<protocol> --port=<port>
actionunban = /sbin/e-smith/sme-fail2ban --host=<ip> --unban --proto=<protocol> --port=<port>
[Init]
protocol = undef
port = undef

@ -0,0 +1,119 @@
#!/usr/bin/perl -w
use strict;
use warnings;
use esmith::ConfigDB;
use Getopt::Long;
our $f2bdb = esmith::ConfigDB->open('fail2ban');
our %opts;
sub usage(){
print<<"EOF";
Usage: $0 --host=<ip> [--unban] [--protocol=tcp|udp|icmp|all] [--port=<port number>]
* --host must specify a valid IPv4 adress in the form 10.11.12.13
* --protocol can be used to specify the protocol to block. Only tcp, udp, icmp and all are valid (default is all)
* --port can be used to specify the port to block. Only valid for tcp and udp. You can also specify a range
of port like 10000:20000
* if --unban is specified, the given host will be removed from the blacklist
default is to add to the blacklist instead
EOF
}
# Check if port is valid
sub is_valid_port($){
my $port = shift;
my $ret = 0;
if ($port =~ m/^(\d+)[\-:](\d+)$/){
$ret = 1 if ($1 >= 0 &&
$1 < 65636 &&
$2 >= 0 &&
$2 < 65636);
}
else{
$ret = 1 if ($port > 0 &&
$port < 65636);
}
return $ret;
}
# Generate a random uniq ID
sub generate_uniq_id(){
my @chars = ('a'..'z','0'..'9');
my $id = '';
my $round = 0;
foreach (1..10){
foreach (1..15){
$id .= $chars[rand @chars];
}
my $eid = $f2bdb->get($id);
last unless ($eid);
}
die "Couldn't generate a valid uniq ID\n"
if ($id eq '');
return $id;
}
# default is to ban a host
$opts{unban} = '0';
GetOptions(
"host=s" => \$opts{host},
"unban" => \$opts{unban},
"protocol=s" => \$opts{proto},
"port=i" => \$opts{port}
);
# special "undef" value for port and proto
undef $opts{proto} if ($opts{proto} eq 'undef');
undef $opts{port} if ($opts{port} eq 'undef');
# Check options are valid
# host is required
my @req = qw(host);
foreach (@req){
usage() && die unless (defined $opts{$_});
}
# host must look like an IP address
usage() && die
unless ($opts{host} =~ m/^(?:(?:[01]?\d?\d?|2[0-4]\d|25[0-5])(?:\.|$)){4}$/);
# protocol must can only be undefined, tcp, udp or icmp
usage() && die
if ($opts{proto} && $opts{proto} !~ m/^tcp|udp|icmp|all$/);
# port must be a valid port number, and is only valid for tcp and udp
usage && die
if ($opts{port} && (($opts{proto} && $opts{proto} !~ m/^tcp|udp$/) || !is_valid_port($opts{port})));
if ($opts{unban}){
foreach ($f2bdb->get_all_by_prop(Host => $opts{host})){
my $proto = $_->prop('Protocol') || '';
my $port = $_->prop('Port') || '';
next if ($opts{proto} && $proto ne $opts{proto});
next if ($opts{port} && $port ne $opts{port} && $proto =~ m/^tcp|udp$/);
$_->delete();
}
}
else{
my $id = generate_uniq_id();
$f2bdb->new_record($id, {type => 'ban'});
$f2bdb->set_prop($id, 'Host', $opts{host});
$f2bdb->set_prop($id, 'Protocol', $opts{proto})
if ($opts{proto});
$f2bdb->set_prop($id, 'Port', $opts{port})
if ($opts{port});
# Set the current timestamp
$f2bdb->set_prop($id, 'Timestamp', time());
}
die "An error occured while updating the firewall rules"
unless (system("/sbin/e-smith/signal-event fail2ban-update") == 0);
exit(0);
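Review bot: the IPv4 check on the `--host` line is looser than it looks: `[01]?\d?\d?` matches the empty string and `(?:\.|$)` accepts end-of-string early, so `1`, `1..2.3` or `1.2.3.` pass and end up as `-s` arguments in the masq firewall script, where iptables rejects them and the whole fail2ban-update event fails; the regex below requires four non-empty octets. The protocol checks `m/^tcp|udp|icmp|all$/` (and the same form on the unban path) are unanchored alternations, so `tcpxx` or `xxudp` pass; `is_valid_port` allows 65536–65635 (`65636` should be `65536`) and never requires the range's low end to be below the high end. `"port=i"` conflicts with both the `10000:20000` ranges the usage text promises and the literal `undef` that action.d/smeserver.conf sends as its default, which GetOptions reports as a type error and the script ignores because its return value is unchecked; `port=s` with the validation below keeps the existing callers working. `$opts{proto} eq 'undef'` on an unset option also warns under `-w`; guard it with `defined`.
```perl
# … unchanged: usage() …
# Check if port is valid: a single port 1..65535 or an ascending range low[-:]high
sub is_valid_port {
    my ($port) = @_;
    if ($port =~ m/^(\d+)[\-:](\d+)$/) {
        return ($1 > 0 && $1 <= 65535 && $2 >= $1 && $2 <= 65535) ? 1 : 0;
    }
    return ($port =~ m/^\d+$/ && $port > 0 && $port <= 65535) ? 1 : 0;
}
# … unchanged: generate_uniq_id(), $opts{unban} default …
GetOptions(
    "host=s"     => \$opts{host},
    "unban"      => \$opts{unban},
    "protocol=s" => \$opts{proto},
    "port=s"     => \$opts{port},   # string: ranges (10000:20000) and the 'undef' sentinel must parse
) or (usage() && die);
# special "undef" value for port and proto
undef $opts{proto} if (defined $opts{proto} && $opts{proto} eq 'undef');
undef $opts{port}  if (defined $opts{port}  && $opts{port}  eq 'undef');
# … unchanged: required-option check …
# host must be a dotted-quad IPv4 address (every octet present, 0..255); this is the only
# guard before the value is interpolated into the root-run masq firewall script
usage() && die
    unless ($opts{host} =~ m/^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/);
usage() && die
    if ($opts{proto} && $opts{proto} !~ m/^(?:tcp|udp|icmp|all)$/);
usage() && die
    if ($opts{port} && (($opts{proto} && $opts{proto} !~ m/^(?:tcp|udp)$/) || !is_valid_port($opts{port})));
# … unchanged: unban / ban branches, signal-event …
```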

@ -0,0 +1,6 @@
#!/bin/sh
exec \
/usr/local/bin/setuidgid smelog \
/usr/local/bin/multilog t s5000000 \
/var/log/fail2ban

@ -0,0 +1,3 @@
#!/bin/sh
exec /usr/bin/fail2ban-server -fx

@ -0,0 +1,54 @@
%define version 0.0.1
%define release 1.beta0
%define name smeserver-fail2ban
Summary: fail2ban integration on SME Server
Name: %{name}
Version: %{version}
Release: %{release}%{?dist}
License: GPL
Group: Networking/Daemons
Source: %{name}-%{version}.tar.gz
BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
BuildArchitectures: noarch
BuildRequires: e-smith-devtools
Requires: e-smith-base >= 5.2.0
Requires: fail2ban
%description
Configure fail2ban on SME Server
%changelog
* Sun Apr 28 2013 Daniel Berteaud <daniel@firewall-services.com> - 0.1.0-1.sme
- initial release
%prep
%setup -q -n %{name}-%{version}
%build
%{__mkdir_p} root/var/log/fail2ban
perl createlinks
%install
/bin/rm -rf $RPM_BUILD_ROOT
(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT)
/bin/rm -f %{name}-%{version}-filelist
/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \
--file /var/service/fail2ban/run 'attr(0755,root,root)' \
--file /var/service/fail2ban/log/run 'attr(0755,root,root)' \
--dir /var/log/fail2ban 'attr(0750,smelog,smelog)' \
> %{name}-%{version}-filelist
%files -f %{name}-%{version}-filelist
%defattr(-,root,root)
%clean
rm -rf $RPM_BUILD_ROOT
%post
%preun
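Review bot: the changelog entry `0.1.0-1.sme` does not match `%define version 0.0.1` / `%define release 1.beta0`, so the first rpm's history already points at a version that was never built; the entry should read `* Sun Apr 28 2013 Daniel Berteaud <daniel@firewall-services.com> - 0.0.1-1.beta0`. `%post` and `%preun` are empty, so nothing expands the new templates or runs the fail2ban-conf event at install time; presumably that is left to the admin or a later `post-upgrade; reboot`, which a comment in `%post` should say.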