commit
0b90b27eb8
17 changed files with 304 additions and 0 deletions
@ -0,0 +1,16 @@ |
||||
#!/usr/bin/perl -w |
||||
|
||||
use esmith::Build::CreateLinks qw(:all); |
||||
|
||||
templates2events("/etc/rc.d/init.d/masq", "fail2ban-update"); |
||||
templates2events("/etc/fail2ban/jail.conf", "fail2ban-conf"); |
||||
templates2events("/etc/fail2ban/fail2ban.conf", "fail2ban-conf"); |
||||
safe_symlink("adjust", "root/etc/e-smith/events/fail2ban-update/services2adjust/masq"); |
||||
safe_symlink("adjust", "root/etc/e-smith/events/fail2ban-conf/services2adjust/fail2ban"); |
||||
|
||||
service_link_enhanced("fail2ban", "S92", "7"); |
||||
service_link_enhanced("fail2ban", "K08", "6"); |
||||
service_link_enhanced("fail2ban", "K08", "0"); |
||||
safe_touch("root/var/service/fail2ban/down"); |
||||
safe_symlink("../daemontools" , 'root/etc/rc.d/init.d/supervise/fail2ban'); |
||||
safe_symlink("/var/service/fail2ban" , 'root/service/fail2ban'); |
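Review bot: Toggling the service on or off is only picked up by `fail2ban-update`, because the `/etc/rc.d/init.d/masq` template (whose fail2ban fragment checks `$fail2ban{'status'}` before emitting deny rules) is expanded and masq adjusted on that event alone, while `fail2ban-conf` only expands the two fail2ban config files; after `config setprop fail2ban status disabled` followed by `fail2ban-conf`, the existing ban rules stay in the firewall until the next update event. Adding `templates2events("/etc/rc.d/init.d/masq", "fail2ban-conf");` and the matching `safe_symlink("adjust", "root/etc/e-smith/events/fail2ban-conf/services2adjust/masq");` keeps the chain in step with the status prop. The script also relies on the `-w` switch alone; `use strict; use warnings;` after the shebang turns a typo in a path or event name into a build-time error instead of a silently wrong link.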
@ -0,0 +1 @@ |
||||
enabled |
@ -0,0 +1,4 @@ |
||||
[Definition] |
||||
loglevel = 3 |
||||
logtarget = STDOUT |
||||
socket = /var/run/fail2ban/fail2ban.sock |
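Review bot: `socket = /var/run/fail2ban/fail2ban.sock` requires `/var/run/fail2ban` to exist when the server starts, and nothing in this commit creates it (the spec only creates `root/var/log/fail2ban`); unless the upstream fail2ban package ships that directory, fail2ban-server will fail to bind its socket on every start. Either add the directory to the tree and the file list, or have the `run` script create it before the `exec`. `logtarget = STDOUT` is consistent with the service being supervised with a multilog log service.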
@ -0,0 +1 @@ |
||||
[DEFAULT] |
@ -0,0 +1,22 @@ |
||||
{ |
||||
|
||||
use esmith::NetworksDB; |
||||
my $n = esmith::NetworksDB->open_ro() || |
||||
die "Couldn't open networks DB\n"; |
||||
|
||||
my @ip = (127.0.0.1); |
||||
|
||||
# Add hosts which can access the server-manager to the whitelist |
||||
push @ip, " $_" foreach (split /[,;], (${'httpd-admin'}{'ValidFrom'} || '')); |
||||
|
||||
if (($fail2ban{FilterLocalNetworks} || 'disabled' eq 'enabled' ){ |
||||
foreach my $network ($n->networks){ |
||||
my $key = $network->key; |
||||
my $mask = $network->prop('Mask); |
||||
push @ip, "$key/$mask"; |
||||
} |
||||
} |
||||
|
||||
$OUT .= "ignoreip = " . join(" ", @ip); |
||||
|
||||
} |
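Review bot: `if (($fail2ban{FilterLocalNetworks} || 'disabled' eq 'enabled' ){` has mismatched parentheses and, once balanced the way it is written, evaluates `'disabled' eq 'enabled'` first, so any value of FilterLocalNetworks — including `disabled` — exempts every local network from banning; the intended form is `if (($fail2ban{FilterLocalNetworks} || 'disabled') eq 'enabled'){`. Two more lines do not compile: `split /[,;], …` lacks the closing `/`, and `$network->prop('Mask);` lacks the closing quote. `my @ip = (127.0.0.1);` is a bare v-string literal (four raw bytes), not the text `127.0.0.1`, so loopback would still not be on the ignore list once the syntax is fixed. The corrected lines:
```perl
# … unchanged: open networks DB …
    my @ip = ('127.0.0.1');   # quoted: a bare 127.0.0.1 literal is a v-string, not the dotted text

    # Add hosts which can access the server-manager to the whitelist
    push @ip, $_ foreach (split /[,;]/, (${'httpd-admin'}{'ValidFrom'} || ''));

    if (($fail2ban{FilterLocalNetworks} || 'disabled') eq 'enabled'){
        foreach my $network ($n->networks){
            my $key = $network->key;
            my $mask = $network->prop('Mask');
# … unchanged: push "$key/$mask", closing braces, ignoreip output …
```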
@ -0,0 +1,7 @@ |
||||
{ |
||||
|
||||
my $bantime = $fail2ban{'BanTime'} || '600'; |
||||
|
||||
$OUT .= "bantime = $bantime"; |
||||
|
||||
} |
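Review bot: `$fail2ban{'BanTime'} || '600'` passes whatever the DB holds straight into jail.conf, so a non-numeric value produces a file fail2ban cannot parse, and a deliberate `0` is silently replaced by 600 because `||` treats it as unset. A one-line sanity check, `$bantime = '600' unless ($bantime =~ m/^\d+$/);`, keeps the fragment self-correcting; the FindTime and MaxRetry fragments that follow have the same pattern and need the same guard.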
@ -0,0 +1,7 @@ |
||||
{ |
||||
|
||||
my $findtime = $fail2ban{'FindTime'} || '600'; |
||||
|
||||
$OUT .= "findtime = $findtime"; |
||||
|
||||
} |
@ -0,0 +1,6 @@ |
||||
{ |
||||
my $maxretry = $fail2ban{'MaxRetry'} || '3'; |
||||
|
||||
$OUT .= "maxretry = $maxretry"; |
||||
|
||||
} |
@ -0,0 +1 @@ |
||||
backend = auto |
@ -0,0 +1,12 @@ |
||||
{ |
||||
|
||||
my $port = $sshd{'TCPPort'} || '22'; |
||||
$OUT .=<<"EOF"; |
||||
[ssh] |
||||
|
||||
enabled = true |
||||
filter = sshd |
||||
action = smeserver[port=$port, protocol=tcp] |
||||
logpath = /var/log/sshd/current |
||||
EOF |
||||
} |
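Review bot: The jail is emitted with `enabled = true` regardless of whether sshd itself is enabled, so on a host with sshd switched off fail2ban still watches `/var/log/sshd/current`, which may not exist and would make the jail fail to start. Derive it from the service record: `my $enabled = (($sshd{'status'} || 'disabled') eq 'enabled') ? 'true' : 'false';` and `enabled = $enabled` in the heredoc. The `smeserver[...]` action must match the name of the action file shipped in this commit, whose filename is not visible on this page.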
@ -0,0 +1,10 @@ |
||||
# A blacklist chain for fail2ban |
||||
/sbin/iptables --new-chain Fail2Ban |
||||
/sbin/iptables --new-chain Fail2Ban_1 |
||||
/sbin/iptables --append Fail2Ban -j Fail2Ban_1 |
||||
# TODO: add a prop to filter only external or internal and external interfaces |
||||
# Check for banned hosts after local_chk and state_chk |
||||
# TODO: add a prop to block established connections for banned host |
||||
# which means insert into position 1 instead of 3 |
||||
/sbin/iptables --insert INPUT 3 \ |
||||
-j Fail2Ban |
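Review bot: The Fail2Ban chain is hooked only into INPUT (`--insert INPUT 3`), so a banned host keeps access to any port-forwarded service, which traverses FORWARD instead; if port forwarding is in scope for this server, the same jump is needed in FORWARD. The fixed position 3 also assumes exactly two earlier rules, as the comment says; a later fragment that inserts above it silently moves where bans are evaluated, so a comment naming the two rules it must follow would help the next editor.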
@ -0,0 +1,26 @@ |
||||
{ |
||||
my $f2bdb = esmith::ConfigDB->open_ro('fail2ban'); |
||||
# Find the current Fail2Ban_$$ chain, and create a new one. |
||||
$OUT .=<<'EOF'; |
||||
OLD_Fail2Ban=$(get_safe_id Fail2Ban filter find) |
||||
NEW_Fail2Ban=$(get_safe_id Fail2Ban filter new) |
||||
/sbin/iptables --new-chain $NEW_Fail2Ban |
||||
EOF |
||||
|
||||
foreach my $ban ( $f2bdb->get_all_by_prop(type=>('ban')) ){ |
||||
$OUT .= " /sbin/iptables --append \$NEW_Fail2Ban" . |
||||
" -s " . $ban->key . " -j denylog\n" |
||||
if ( ($fail2ban{'status'} || 'disabled') eq 'enabled' ); |
||||
$OUT .= " /sbin/iptables --append \$NEW_Fail2Ban" . |
||||
" -j RETURN\n"; |
||||
} |
||||
|
||||
# Having created a new Fail2Ban chain, activate it and destroy the old. |
||||
$OUT .=<<'EOF'; |
||||
/sbin/iptables --replace Fail2Ban 1 \ |
||||
--jump $NEW_Fail2Ban |
||||
/sbin/iptables --flush $OLD_Fail2Ban |
||||
/sbin/iptables --delete-chain $OLD_Fail2Ban |
||||
EOF |
||||
|
||||
} |
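Review bot: The `-j RETURN` append at the end of the loop body runs once per ban, so the generated chain reads deny-A, RETURN, deny-B, RETURN, … and only the first banned host is ever matched; the RETURN belongs after the loop. In the same loop `" -s " . $ban->key` emits the random record id generated by sme-fail2ban rather than the address, which that script stores in the `Host` prop, so every generated rule would fail to load; use `$ban->prop('Host')`. The Host value is validated to dotted digits by sme-fail2ban before it is stored, which is what makes interpolating it into this shell script acceptable — keep that in mind if the script's check is ever relaxed. The Protocol and Port props the script stores are not used here, so every ban blocks the whole host; if that is intended, a comment saying so would help. `esmith::ConfigDB` is not loaded in this fragment; presumably the template processor provides it, worth confirming.
```perl
# … unchanged: open fail2ban DB, heredoc creating $NEW_Fail2Ban …
    foreach my $ban ( $f2bdb->get_all_by_prop(type=>('ban')) ){
        $OUT .= " /sbin/iptables --append \$NEW_Fail2Ban" .
            " -s " . $ban->prop('Host') . " -j denylog\n"
            if ( ($fail2ban{'status'} || 'disabled') eq 'enabled' );
    }
    # A single RETURN after all bans; inside the loop it shadows every ban but the first.
    $OUT .= " /sbin/iptables --append \$NEW_Fail2Ban -j RETURN\n";
# … unchanged: swap in the new chain, flush and delete the old one …
```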
@ -0,0 +1,9 @@ |
||||
|
||||
[Definition] |
||||
|
||||
actionban = /sbin/e-smith/sme-fail2ban --host=<ip> --proto=<protocol> --port=<port> |
||||
actionunban = /sbin/e-smith/sme-fail2ban --host=<ip> --unban --proto=<protocol> --port=<port> |
||||
|
||||
[Init] |
||||
protocol = undef |
||||
port = undef |
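Review bot: `--proto=<protocol>` on the actionban/actionunban lines relies on Getopt::Long's prefix abbreviation of the script's `protocol=s` option; it works today but breaks the moment sme-fail2ban gains another option starting with `pro`, so spell it out as `--protocol=<protocol>`. The `[Init]` defaults `undef` for port and protocol are what the script's `eq 'undef'` checks consume, so the two files must be kept in sync; note that the script's `port=i` option cannot accept the literal `undef` at all (raised on the script).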
@ -0,0 +1,119 @@ |
||||
#!/usr/bin/perl -w |
||||
|
||||
use strict; |
||||
use warnings; |
||||
use esmith::ConfigDB; |
||||
use Getopt::Long; |
||||
|
||||
our $f2bdb = esmith::ConfigDB->open('fail2ban'); |
||||
our %opts; |
||||
|
||||
|
||||
sub usage(){ |
||||
print<<"EOF"; |
||||
|
||||
Usage: $0 --host=<ip> [--unban] [--protocol=tcp|udp|icmp|all] [--port=<port number>] |
||||
|
||||
* --host must specify a valid IPv4 adress in the form 10.11.12.13 |
||||
* --protocol can be used to specify the protocol to block. Only tcp, udp, icmp and all are valid (default is all) |
||||
* --port can be used to specify the port to block. Only valid for tcp and udp. You can also specify a range |
||||
of port like 10000:20000 |
||||
* if --unban is specified, the given host will be removed from the blacklist |
||||
default is to add to the blacklist instead |
||||
|
||||
EOF |
||||
} |
||||
|
||||
# Check if port is valid |
||||
sub is_valid_port($){ |
||||
my $port = shift; |
||||
my $ret = 0; |
||||
if ($port =~ m/^(\d+)[\-:](\d+)$/){ |
||||
$ret = 1 if ($1 >= 0 && |
||||
$1 < 65636 && |
||||
$2 >= 0 && |
||||
$2 < 65636); |
||||
} |
||||
else{ |
||||
$ret = 1 if ($port > 0 && |
||||
$port < 65636); |
||||
} |
||||
return $ret; |
||||
} |
||||
|
||||
# Generate a random uniq ID |
||||
sub generate_uniq_id(){ |
||||
my @chars = ('a'..'z','0'..'9'); |
||||
my $id = ''; |
||||
my $round = 0; |
||||
foreach (1..10){ |
||||
foreach (1..15){ |
||||
$id .= $chars[rand @chars]; |
||||
} |
||||
my $eid = $f2bdb->get($id); |
||||
last unless ($eid); |
||||
} |
||||
die "Couldn't generate a valid uniq ID\n" |
||||
if ($id eq ''); |
||||
return $id; |
||||
} |
||||
|
||||
# default is to ban a host |
||||
$opts{unban} = '0'; |
||||
|
||||
GetOptions( |
||||
"host=s" => \$opts{host}, |
||||
"unban" => \$opts{unban}, |
||||
"protocol=s" => \$opts{proto}, |
||||
"port=i" => \$opts{port} |
||||
); |
||||
|
||||
# special "undef" value for port and proto |
||||
undef $opts{proto} if ($opts{proto} eq 'undef'); |
||||
undef $opts{port} if ($opts{port} eq 'undef'); |
||||
|
||||
# Check options are valid |
||||
|
||||
# host is required |
||||
my @req = qw(host); |
||||
foreach (@req){ |
||||
usage() && die unless (defined $opts{$_}); |
||||
} |
||||
|
||||
# host must look like an IP address |
||||
usage() && die |
||||
unless ($opts{host} =~ m/^(?:(?:[01]?\d?\d?|2[0-4]\d|25[0-5])(?:\.|$)){4}$/); |
||||
|
||||
# protocol must can only be undefined, tcp, udp or icmp |
||||
usage() && die |
||||
if ($opts{proto} && $opts{proto} !~ m/^tcp|udp|icmp|all$/); |
||||
|
||||
# port must be a valid port number, and is only valid for tcp and udp |
||||
usage && die |
||||
if ($opts{port} && (($opts{proto} && $opts{proto} !~ m/^tcp|udp$/) || !is_valid_port($opts{port}))); |
||||
|
||||
if ($opts{unban}){ |
||||
foreach ($f2bdb->get_all_by_prop(Host => $opts{host})){ |
||||
my $proto = $_->prop('Protocol') || ''; |
||||
my $port = $_->prop('Port') || ''; |
||||
next if ($opts{proto} && $proto ne $opts{proto}); |
||||
next if ($opts{port} && $port ne $opts{port} && $proto =~ m/^tcp|udp$/); |
||||
$_->delete(); |
||||
} |
||||
} |
||||
else{ |
||||
my $id = generate_uniq_id(); |
||||
$f2bdb->new_record($id, {type => 'ban'}); |
||||
$f2bdb->set_prop($id, 'Host', $opts{host}); |
||||
$f2bdb->set_prop($id, 'Protocol', $opts{proto}) |
||||
if ($opts{proto}); |
||||
$f2bdb->set_prop($id, 'Port', $opts{port}) |
||||
if ($opts{port}); |
||||
# Set the current timestamp |
||||
$f2bdb->set_prop($id, 'Timestamp', time()); |
||||
} |
||||
|
||||
die "An error occured while updating the firewall rules" |
||||
unless (system("/sbin/e-smith/signal-event fail2ban-update") == 0); |
||||
|
||||
exit(0); |
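Review bot: The protocol checks `$opts{proto} !~ m/^tcp|udp|icmp|all$/` (and the `^tcp|udp$` forms at the port check and in the unban loop) anchor only the first and last alternatives, so values like `tcpx` or `xudp` pass validation and are stored in the database; group the alternation as `m/^(?:tcp|udp|icmp|all)$/`. `is_valid_port` uses `65636` where the bound is `65536`, and `"port=i"` rejects both the `10000:20000` ranges the usage text advertises and the literal `undef` the action file passes when no port is set — and because GetOptions' return value is never checked, that rejection is silent. The host regex accepts `1...` or `1.2.3` because `[01]?\d?\d?` can match an empty octet; since the stored Host is later interpolated into the generated firewall script, it should require a digit per octet and end in `\z`. Smaller points: `esmith::ConfigDB->open('fail2ban')` is not checked for failure, `$opts{proto} eq 'undef'` warns when the option is absent (test `defined` first), and in `generate_uniq_id` `$id` is never reset between rounds, so the `eq ''` guard can never fire.
```perl
# … unchanged: usage() …
# in is_valid_port(): the upper bound is 65536, not 65636
        $ret = 1 if ($1 >= 0 && $1 < 65536 && $2 >= 0 && $2 < 65536);
    # …
        $ret = 1 if ($port > 0 && $port < 65536);
# … unchanged: generate_uniq_id(), option defaults …
GetOptions(
    "host=s"     => \$opts{host},
    "unban"      => \$opts{unban},
    "protocol=s" => \$opts{proto},
    "port=s"     => \$opts{port},   # string: allows 10000:20000 ranges and the action's "undef" marker
) or do { usage(); die "Invalid options\n" };
# … unchanged: 'undef' handling, required-option check …
usage() && die
    unless ($opts{host} =~ m/^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\z/);
usage() && die
    if ($opts{proto} && $opts{proto} !~ m/^(?:tcp|udp|icmp|all)$/);
usage() && die
    if ($opts{port} && (($opts{proto} && $opts{proto} !~ m/^(?:tcp|udp)$/) || !is_valid_port($opts{port})));
# … unchanged: unban/ban branches; the `$proto =~ m/^tcp|udp$/` test in the unban loop needs the same grouping …
```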
@ -0,0 +1,6 @@ |
||||
#!/bin/sh |
||||
|
||||
exec \ |
||||
/usr/local/bin/setuidgid smelog \ |
||||
/usr/local/bin/multilog t s5000000 \ |
||||
/var/log/fail2ban |
@ -0,0 +1,3 @@ |
||||
#!/bin/sh |
||||
|
||||
exec /usr/bin/fail2ban-server -fx |
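Review bot: Python tracebacks and start-up errors from `fail2ban-server` go to stderr, which daemontools does not route to the log service, so they are lost; add `exec 2>&1` before the `exec` line so multilog captures them alongside the STDOUT log target set in fail2ban.conf. The `-x` flag removes a stale socket on start, which is appropriate under a supervisor that restarts the service after a crash.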
@ -0,0 +1,54 @@ |
||||
%define version 0.0.1 |
||||
%define release 1.beta0 |
||||
%define name smeserver-fail2ban |
||||
|
||||
|
||||
Summary: fail2ban integration on SME Server |
||||
Name: %{name} |
||||
Version: %{version} |
||||
Release: %{release}%{?dist} |
||||
License: GPL |
||||
Group: Networking/Daemons |
||||
Source: %{name}-%{version}.tar.gz |
||||
|
||||
BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot |
||||
BuildArchitectures: noarch |
||||
BuildRequires: e-smith-devtools |
||||
|
||||
Requires: e-smith-base >= 5.2.0 |
||||
Requires: fail2ban |
||||
|
||||
%description |
||||
Configure fail2ban on SME Server |
||||
|
||||
%changelog |
||||
* Sun Apr 28 2013 Daniel Berteaud <daniel@firewall-services.com> - 0.1.0-1.sme |
||||
- initial release |
||||
|
||||
%prep |
||||
%setup -q -n %{name}-%{version} |
||||
|
||||
%build |
||||
%{__mkdir_p} root/var/log/fail2ban |
||||
perl createlinks |
||||
|
||||
%install |
||||
/bin/rm -rf $RPM_BUILD_ROOT |
||||
(cd root ; /usr/bin/find . -depth -print | /bin/cpio -dump $RPM_BUILD_ROOT) |
||||
/bin/rm -f %{name}-%{version}-filelist |
||||
/sbin/e-smith/genfilelist $RPM_BUILD_ROOT \ |
||||
--file /var/service/fail2ban/run 'attr(0755,root,root)' \ |
||||
--file /var/service/fail2ban/log/run 'attr(0755,root,root)' \ |
||||
--dir /var/log/fail2ban 'attr(0750,smelog,smelog)' \ |
||||
> %{name}-%{version}-filelist |
||||
|
||||
%files -f %{name}-%{version}-filelist |
||||
%defattr(-,root,root) |
||||
|
||||
%clean |
||||
rm -rf $RPM_BUILD_ROOT |
||||
|
||||
%post |
||||
|
||||
%preun |
||||
|
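Review bot: The `%changelog` entry `0.1.0-1.sme` does not match `%define version 0.0.1` and `%define release 1.beta0` at the top of the file; rpmbuild does not enforce this but it misleads anyone reading the package history, so align them. `%post` and `%preun` are left empty; either drop them or add a comment saying what they are reserved for.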