diff --git a/ansible/roles/fail2ban/README.md b/ansible/roles/fail2ban/README.md
new file mode 100644
index 0000000..225dd44
--- /dev/null
+++ b/ansible/roles/fail2ban/README.md
@@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+ - hosts: servers
+ roles:
+ - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
diff --git a/ansible/roles/fail2ban/defaults/main.yml b/ansible/roles/fail2ban/defaults/main.yml
new file mode 100644
index 0000000..6ecbedc
--- /dev/null
+++ b/ansible/roles/fail2ban/defaults/main.yml
@@ -0,0 +1,18 @@
+---
+# defaults file for /etc/ansible/roles/fail2ban
+#
+packages: [fail2ban]
+ssh_port: 22
+relay_host: "[sub.domain.com]:777"
+email: "email@domain.com"
+nginx_botsearch: "true"
+nginx_http_auth: "true"
+nginx_nobinary: "true"
+nginx_nohome: "true"
+nginx_noproxy: "true"
+nginx_noscan: "true"
+nginx_noenv: "true"
+nginx_noscript: "true"
+sshd: "true"
+sshd_badproto: "true"
+
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/3proxy.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/3proxy.conf
new file mode 100644
index 0000000..76c7573
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/3proxy.conf
@@ -0,0 +1,20 @@
+# Fail2Ban filter for 3proxy
+#
+#
+
+[Definition]
+
+
+failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ :\d+ [\d.]+:\d+ \d+ \d+ \d+\s
+
+ignoreregex =
+
+datepattern = {^LN-BEG}
+
+# DEV Notes:
+# http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
+# all authentication problems (%E field)
+# Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
+#
+# Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
+# Author: Daniel Black
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-auth.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-auth.conf
new file mode 100644
index 0000000..d9a6fa5
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-auth.conf
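Review bot: The jail toggles from `nginx_botsearch` down to `sshd_badproto` are quoted strings `"true"` rather than YAML booleans, so if a task or template tests them with `when: sshd` or `{% if sshd %}` (the tasks are not in this hunk), an override of `"false"` is still a non-empty string and evaluates truthy; write them as `sshd: true` so that overriding to `false` actually disables the jail. `relay_host` and `email` ship as placeholder values (`"[sub.domain.com]:777"`, `"email@domain.com"`) that a playbook which forgets to override them will deploy verbatim, presumably into the fail2ban notification/relay settings; I would leave them unset and assert on them in the tasks, or at least mark them with `# placeholder - must be overridden per host`. The README in the same commit is the untouched Galaxy skeleton, so none of these variables, nor `ssh_port`, is documented anywhere.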
@@ -0,0 +1,60 @@ +# Fail2Ban apache-auth filter +# + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# apache-common.local +before = apache-common.conf + +[Definition] + +prefregex = ^%(_apache_error_client)s (?:AH\d+: )?.+$ + +# auth_type = ((?:Digest|Basic): )? +auth_type = ([A-Z]\w+: )? + +failregex = ^client (?:denied by server configuration|used wrong authentication scheme)\b + ^user (?:\S*|.*?) (?:auth(?:oriz|entic)ation failure|not found|denied by provider)\b + ^Authorization of user (?:\S*|.*?) to access .*? failed\b + ^%(auth_type)suser (?:\S*|.*?): password mismatch\b + ^%(auth_type)suser `(?:[^']*|.*?)' in realm `.+' (not found|denied by provider)\b + ^%(auth_type)sinvalid nonce .* received - length is not\b + ^%(auth_type)srealm mismatch - got `(?:[^']*|.*?)' but expected\b + ^%(auth_type)sunknown algorithm `(?:[^']*|.*?)' received\b + ^invalid qop `(?:[^']*|.*?)' received\b + ^%(auth_type)sinvalid nonce .*? received - user attempted time travel\b + +ignoreregex = + +# DEV Notes: +# +# This filter matches the authorization failures of Apache. It takes the log messages +# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or +# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR. +# +# An unauthorized response 401 is the first step for a browser to instigate authentication +# however apache doesn't log this as an error. Only subsequent errors are logged in the +# error log. +# +# Source: +# +# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/* +# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get +# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core +# to return the actual failure. +# +# Note that URI can contain spaces. +# +# See also: http://wiki.apache.org/httpd/ListOfErrors +# Expressions that don't have tests and aren't common. 
+# more be added with https://issues.apache.org/bugzilla/show_bug.cgi?id=55284 +# ^user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$ +# ^user .*: one-time-nonce mismatch - sending new nonce\s*$ +# ^realm mismatch - got `(?:[^']*|.*?)' but no realm specified\s*$ +# +# Because url/referer are foreign input, short form of regex used if long enough to idetify failure. +# +# Author: Cyril Jaquier +# Major edits by Daniel Black and Ben Rubson. +# Rewritten for v.0.10 by Sergey Brester (sebres). diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-badbots.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-badbots.conf new file mode 100644 index 0000000..12d4105 --- /dev/null +++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-badbots.conf 
@@ -0,0 +1,24 @@ +# Fail2Ban configuration file +# +# Regexp to catch known spambots and software alike. Please verify +# that it is your intent to block IPs which were driven by +# above mentioned bots. + + +[Definition] + +badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|(?:Mozilla/\d+\.\d+ )?Jorgee +badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot 
admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 + +failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ + +ignoreregex = + +datepattern = ^[^\[]*\[({DATE}) + {^LN-BEG} + +# DEV Notes: +# List of bad bots fetched from http://www.user-agents.org +# Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots. +# +# Author: Yaroslav Halchenko diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-botsearch.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-botsearch.conf new file mode 100644 index 0000000..872f199 --- /dev/null +++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-botsearch.conf 
@@ -0,0 +1,39 @@ +# Fail2Ban filter to match web requests for selected URLs that don't exist +# +# This filter is aimed at blocking specific URLs that don't exist. This +# could be a set of URLs places in a Disallow: directive in robots.txt or +# just some web services that don't exist caused bots are searching for +# exploitable content. This filter is designed to have a low false positive +# rate due. +# +# An alternative to this is the apache-noscript filter which blocks all +# types of scripts that don't exist. +# +# +# This is normally a predefined list of exploitable or valuable web services +# that are hidden or aren't actually installed. +# + +[INCLUDES] + +# overwrite with apache-common.local if _apache_error_client is incorrect. +# Load regexes for filtering from botsearch-common.conf +before = apache-common.conf + botsearch-common.conf + +[Definition] + +prefregex = ^%(_apache_error_client)s (?:AH\d+: )?.+$ + +failregex = ^(?:File does not exist|script not found or unable to stat): (, referer: \S+)?\s*$ + ^script '' not found or unable to stat(, referer: \S+)?\s*$ + +ignoreregex = + +# Webroot represents the webroot on which all other files are based +webroot = /var/www/ + + +# DEV Notes: +# +# Author: Daniel Black diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-common.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-common.conf new file mode 100644 index 0000000..3eec83d --- /dev/null +++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-common.conf 
@@ -0,0 +1,42 @@ +# Generic configuration items (to be used as interpolations) in other +# apache filters. + +[INCLUDES] + +before = common.conf +# Load customizations if any available +after = apache-common.local + +[DEFAULT] + +# Apache logging mode: +# all - universal prefix (logfile, syslog) +# logfile - logfile only +# syslog - syslog only +# Use `filter = apache-auth[logging=syslog]` to get more precise regex if apache logs into syslog (ErrorLog syslog). +# Use `filter = apache-auth[logging=all]` to get universal regex matches both logging variants. +logging = logfile + +# Apache logging prefixes (date-pattern prefix, server, process etc.): +apache-prefix-syslog = %(__prefix_line)s +apache-prefix-logfile = \[\]\s +apache-prefix-all = (?:%(apache-prefix-logfile)s|%(apache-prefix-syslog)s)? + +# Setting for __prefix_line (only `logging=syslog`): +_daemon = (?:apache\d*|httpd(?:/\w+)?) + +apache-prefix = > + +_apache_error_client = \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client (:\d{1,5})?\] + +datepattern = {^LN-BEG} + +# Common prefix for [error] apache messages which also would include +# Depending on the version it could be +# 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4] +# 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652] +# 2.4 (perfork): [Mon Dec 23 07:49:01.981912 2013] [:error] [pid 3790] [client 204.232.202.107:46301] script '/var/www/timthumb.php' not found or unable to +# +# Reference: https://github.com/fail2ban/fail2ban/issues/268 +# +# Author: Yaroslav Halchenko diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-fakegooglebot.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-fakegooglebot.conf new file mode 100644 index 0000000..729410a --- /dev/null +++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-fakegooglebot.conf 
@@ -0,0 +1,16 @@ +# Fail2Ban filter for fake Googlebot User Agents + +[Definition] + +failregex = ^ .*Googlebot.*$ + +ignoreregex = + +datepattern = ^[^\[]*\[({DATE}) + {^LN-BEG} + +# DEV Notes: +# +# Author: Lee Clemens +# Thanks: Johannes B. Ullrich, Ph.D. +# Reference: https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/ diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-modsecurity.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-modsecurity.conf new file mode 100644 index 0000000..e296227 --- /dev/null +++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-modsecurity.conf @@ -0,0 +1,19 @@ +# Fail2Ban apache-modsec filter +# + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# apache-common.local +before = apache-common.conf + +[Definition] + + +failregex = ^%(_apache_error_client)s ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d + +ignoreregex = + +# https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats +# Author: Daniel Black +# Sergey G. Brester aka sebres (review, optimization) diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-nohome.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-nohome.conf new file mode 100644 index 0000000..358d6d3 --- /dev/null +++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-nohome.conf 
@@ -0,0 +1,20 @@ +# Fail2Ban filter to web requests for home directories on Apache servers +# +# Regex to match failures to find a home directory on a server, which +# became popular last days. Most often attacker just uses IP instead of +# domain name -- so expect to see them in generic error.log if you have +# per-domain log files. + +[INCLUDES] + +# overwrite with apache-common.local if _apache_error_client is incorrect. +before = apache-common.conf + +[Definition] + + +failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.* + +ignoreregex = + +# Author: Yaroslav O. Halchenko diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-noscript.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-noscript.conf new file mode 100644 index 0000000..fbc1af6 --- /dev/null +++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-noscript.conf 
@@ -0,0 +1,32 @@ +# Fail2Ban filter to block web requests for scripts (on non scripted websites) +# +# This matches many types of scripts that don't exist. This could generate a +# lot of false positive matches in cases like wikis and forums where users +# no affiliated with the website can insert links to missing files/scripts into +# pages and cause non-malicious browsers of the site to trigger against this +# filter. +# +# If you'd like to match specific URLs that don't exist see the +# apache-botsearch filter. +# + +[INCLUDES] + +# overwrite with apache-common.local if _apache_error_client is incorrect. +before = apache-common.conf + +[Definition] + +failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)(, referer: \S+)?\s*$ + ^%(_apache_error_client)s script '/\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)\S*' not found or unable to stat(, referer: \S+)?\s*$ + +ignoreregex = + + +# DEV Notes: +# +# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs +# +# Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is in httpd-2.2 +# +# Author: Cyril Jaquier diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-overflows.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-overflows.conf new file mode 100644 index 0000000..02a2ef2 --- /dev/null +++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-overflows.conf 
@@ -0,0 +1,40 @@ +# Fail2Ban filter to block web requests on a long or suspicious nature +# + +[INCLUDES] + +# overwrite with apache-common.local if _apache_error_client is incorrect. +before = apache-common.conf + +[Definition] + +failregex = ^%(_apache_error_client)s (?:(?:AH0013[456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b) + +ignoreregex = + +# DEV Notes: +# +# [sebres] Because this apache-log could contain very long URLs (and/or referrer), +# the parsing of it anchored way may be very vulnerable (at least as regards +# the system resources, see gh-1790). Thus rewritten without end-anchor ($). +# +# fgrep -r 'URI too long' httpd-2.* +# httpd-2.2.25/server/protocol.c: "request failed: URI too long (longer than %d)", r->server->limit_req_line); +# httpd-2.4.4/server/protocol.c: "request failed: URI too long (longer than %d)", +# +# fgrep -r 'in request' ../httpd-2.* | fgrep Invalid +# httpd-2.2.25/server/core.c: "Invalid URI in request %s", r->the_request); +# httpd-2.2.25/server/core.c: "Invalid method in request %s", r->the_request); +# httpd-2.2.25/docs/manual/rewrite/flags.html.fr:avertissements 'Invalid URI in request'. +# httpd-2.4.4/server/core.c: "Invalid URI in request %s", r->the_request); +# httpd-2.4.4/server/core.c: "Invalid method in request %s - possible attempt to establish SSL connection on non-SSL port", r->the_request); +# httpd-2.4.4/server/core.c: "Invalid method in request %s", r->the_request); +# +# fgrep -r 'invalid characters in URI' httpd-2.* +# httpd-2.4.4/server/protocol.c: "request failed: invalid characters in URI"); +# +# http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=739382&r2=739620&pathrev=739620 +# ...possible attempt to establish SSL connection on non-SSL port +# +# https://wiki.apache.org/httpd/ListOfErrors +# Author: Tim Connors 
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-pass.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-pass.conf new file mode 100644 index 0000000..3cab87b --- /dev/null +++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-pass.conf @@ -0,0 +1,19 @@ +# Fail2Ban Apache pass filter +# This filter is for access.log, NOT for error.log +# +# The knocking request must have a referer. + +[Definition] + +failregex = ^ - \w+ \[\] "GET HTTP/1\.[01]" 200 \d+ ".*" "[^-].*"$ + +ignoreregex = + +datepattern = ^[^\[]*\[({DATE}) + {^LN-BEG} + +[Init] + +knocking_url = /knocking/ + +# Author: Viktor Szépe diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-shellshock.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-shellshock.conf new file mode 100644 index 0000000..55c17c8 --- /dev/null +++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/apache-shellshock.conf @@ -0,0 +1,28 @@ +# Fail2Ban filter to block web requests containing custom headers attempting to exploit the shellshock bug +# +# + +[INCLUDES] + +# overwrite with apache-common.local if _apache_error_client is incorrect. +before = apache-common.conf + +[Definition] + +prefregex = ^%(_apache_error_client)s (AH01215: )?/bin/([bd]a)?sh: .+$ + +failregex = ^warning: HTTP_[^:]+: ignoring function definition attempt(, referer: \S+)?\s*$ + ^error importing function definition for `HTTP_[^']+'(, referer: \S+)?\s*$ + +ignoreregex = + + +# DEV Notes: +# +# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs +# +# example log lines: +# [Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt +# [Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST' +# +# Author: Eugene Hopkinson (e.hopkinson@gmail.com) 
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/assp.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/assp.conf
new file mode 100644
index 0000000..9837f71
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/assp.conf
@@ -0,0 +1,46 @@ +# Fail2Ban filter for Anti-Spam SMTP Proxy Server (ASSP) +# Filter works in theory for both ASSP V1 and V2. Recommended ASSP is V2.5.1 or later. +# Support for ASSP V1 ended in 2014 so if you are still running ASSP V1 an immediate upgrade is recommended. +# +# Homepage: http://sourceforge.net/projects/assp/ +# ProjectSite: http://sourceforge.net/projects/assp/?source=directory +# +# + +[Definition] +# Note: First three failregex matches below are for ASSP V1 with the remaining being designed for V2. Deleting the V1 regex is recommended but I left it in for compatibility reasons. + +__assp_actions = (?:dropping|refusing) + +failregex = ^(:? \[SSL-out\])? max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$ + ^(?: \[SSL-out\])? SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$ + ^ Blocking - too much AUTH errors \(\d{,3}\);$ + ^\s*(?:[\w\-]+\s+)*(?:\[\S+\]\s+)* (?:\<\S+@\S+\.\S+\> )*(?:to: \S+@\S+\.\S+ )*relay attempt blocked for(?: \(parsing\))?: \S+$ + ^\s*(?:[\w\-]+\s+)*(?:\[\S+\]\s+)* \[SMTP Error\] 535 5\.7\.8 Error: authentication failed:\s+(?:\S+|Connection lost to authentication server|Invalid authentication mechanism|Invalid base64 data in continued response)?$ + +ignoreregex = + +datepattern = {^LN-BEG}%%b-%%d-%%Exy %%H:%%M:%%S + {^LN-BEG} + +# DEV Notes: +# V1 Examples matches: +# Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41); +# Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol; +# Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded +# +# V2 Examples matches: +# Jul-29-16 16:49:52 m1-25391-06124 [Worker_1] [TLS-out] [RelayAttempt] 0.0.0.0 to: user@example.org relay attempt blocked 
for: someone@example.org +# Jul-30-16 16:59:42 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6 +# Jul-30-16 00:15:36 m1-52131-09651 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6 +# Jul-31-16 06:45:59 [Worker_1] [TLS-in] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: +# Jan-05-16 08:38:49 m1-01129-09140 [Worker_1] [TLS-in] [TLS-out] [RelayAttempt] 0.0.0.0 relay attempt blocked for (parsing): +# Jun-12-16 16:43:37 m1-64217-12013 [Worker_1] [TLS-in] [TLS-out] [RelayAttempt] 0.0.0.0 to: user2@example.com relay attempt blocked for (parsing): +# Jan-22-16 22:25:51 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Invalid authentication mechanism +# Mar-19-16 13:42:20 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Invalid base64 data in continued response +# Jul-18-16 16:54:21 [Worker_2] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Connection lost to authentication server +# Jul-18-16 17:14:23 m1-76453-02949 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Connection lost to authentication server + +# +# Author: Enrico Labedzki (enrico.labedzki@deiwos.de) +# V2 Filters: Robert Hardy (rhardy@webcon.ca) diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/asterisk.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/asterisk.conf new file mode 100644 index 0000000..337e957 --- /dev/null +++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/asterisk.conf 
@@ -0,0 +1,46 @@ +# Fail2Ban filter for asterisk authentication failures +# + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + +[Definition] + +_daemon = asterisk + +__pid_re = (?:\s*\[\d+\]) + +iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4} + +# All Asterisk log messages begin like this: +log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)? + +prefregex = ^%(__prefix_line)s%(log_prefix)s .+$ + +failregex = ^Registration from '[^']*' failed for '(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$ + ^Call from '[^']*' \(:\d+\) to extension '[^']*' rejected because extension not found in context + ^(?:Host )? (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b) + ^No registration for peer '[^']*' \(from \)$ + ^hacking attempt detected ''$ + ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/(UDP|TCP|WS)//\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$ + ^"Rejecting unknown SIP connection from "$ + ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$ + +# FreePBX (todo: make optional in v.0.10): +# ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from $ + +ignoreregex = + +datepattern = {^LN-BEG} + +# Author: Xavier Devlamynck / Daniel Black +# +# General log format - main/logger.c:ast_log +# Address format - ast_sockaddr_stringify +# +# First regex: channels/chan_sip.c +# +# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog 
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/botsearch-common.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/botsearch-common.conf
new file mode 100644
index 0000000..6052fab
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/botsearch-common.conf
@@ -0,0 +1,19 @@
+# Generic configuration file for -botsearch filters
+
+[Init]
+
+# Block is the actual non-found directories to block
+block = \/?(|||cgi-bin|mysqladmin)[^,]*
+
+# These are just convenient definitions that assist the blocking of stuff that
+# isn't installed
+webmail = roundcube|(ext)?mail|horde|(v-?)?webmail
+
+phpmyadmin = (typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin)
+
+wordpress = wp-(login|signup|admin)\.php
+
+# DEV Notes:
+# Taken from apache-botsearch filter
+#
+# Author: Frantisek Sumsal
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/common.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/common.conf
new file mode 100644
index 0000000..a8cba18
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/common.conf
@@ -0,0 +1,67 @@ +# Generic configuration items (to be used as interpolations) in other +# filters or actions configurations +# + +[INCLUDES] + +# Load customizations if any available +after = common.local + + +[DEFAULT] + +# Daemon definition is to be specialized (if needed) in .conf file +_daemon = \S* + +# +# Shortcuts for easier comprehension of the failregex +# +# PID. +# EXAMPLES: [123] +__pid_re = (?:\[\d+\]) + +# Daemon name (with optional source_file:line or whatever) +# EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix) +__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:? + +# extra daemon info +# EXAMPLE: [ID 800047 auth.info] +__daemon_extra_re = \[ID \d+ \S+\] + +# Combinations of daemon name and PID +# EXAMPLES: sshd[31607], pop(pam_unix)[4920] +__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?) + +# Some messages have a kernel prefix with a timestamp +# EXAMPLES: kernel: [769570.846956] +__kernel_prefix = kernel: \[ *\d+\.\d+\] + +__hostname = \S+ + +# A MD5 hex +# EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f +__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2} + +# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or +# appearing before the host as per testcases/files/logs/bsd/*. +__bsd_syslog_verbose = <[^.]+\.[^.]+> + +__vserver = @vserver_\S+ + +__date_ambit = (?:\[\]) + +# Common line prefixes (beginnings) which could be used in filters +# +# [bsdverbose]? [hostname] [vserver tag] daemon_id spaces +# +# This can be optional (for instance if we match named native log files) +__prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)?(?:%(__daemon_combs_re)s\s+)?(?:%(__daemon_extra_re)s\s+)? 
+ +# PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss, +# pam_ldap +__pam_auth = pam_unix + +# standardly all formats using prefix have line-begin anchored date: +datepattern = {^LN-BEG} + +# Author: Yaroslav Halchenko diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/counter-strike.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/counter-strike.conf new file mode 100644 index 0000000..294927b --- /dev/null +++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/counter-strike.conf @@ -0,0 +1,15 @@ +# Fail2Ban filter for failure attempts in Counter Strike-1.6 +# +# + +[Definition] + +failregex = ^: Bad Rcon: "rcon \d+ "\S+" sv_contact ".*?"" from ":\d+"$ + +ignoreregex = + +datepattern = ^L %%d/%%m/%%Y - %%H:%%M:%%S + + +# Author: Daniel Black + diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/courier-auth.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/courier-auth.conf new file mode 100644 index 0000000..1ac3373 --- /dev/null +++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/courier-auth.conf @@ -0,0 +1,21 @@ +# Fail2Ban filter for courier authentication failures +# + +[INCLUDES] + +# Read common prefixes. If any customizations available -- read them from +# common.local +before = common.conf + +[Definition] + +_daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)? + +failregex = ^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[\]$ + +ignoreregex = + +datepattern = {^LN-BEG} + +# Author: Christoph Haas +# Modified by: Cyril Jaquier diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/courier-smtp.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/courier-smtp.conf new file mode 100644 index 0000000..888753c --- /dev/null +++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/courier-smtp.conf 
@@ -0,0 +1,22 @@
+# Fail2Ban filter to block relay attempts though a Courier smtp server
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = courieresmtpd
+
+prefregex = ^%(__prefix_line)serror,relay=,.+$
+
+failregex = ^[^:]*: 550 User (<.*> )?unknown\.?$
+ ^msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?(?: \S+)$
+
+ignoreregex =
+
+# Author: Cyril Jaquier
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/cyrus-imap.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/cyrus-imap.conf
new file mode 100644
index 0000000..31dfda6
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/cyrus-imap.conf
@@ -0,0 +1,20 @@
+# Fail2Ban filter for authentication failures on Cyrus imap server
+#
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = (?:cyrus/)?(?:imap(d|s)?|pop3(d|s)?)
+
+failregex = ^%(__prefix_line)sbadlogin: [^\[]*\[\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$
+
+ignoreregex =
+
+# Author: Jan Wagner
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/directadmin.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/directadmin.conf
new file mode 100644
index 0000000..87c7802
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/directadmin.conf
@@ -0,0 +1,22 @@
+# Fail2Ban configuration file for Directadmin
+#
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex = ^: \'\' \d{1,3} failed login attempt(s)?. \s*
+
+ignoreregex =
+
+datepattern = ^%%Y:%%m:%%d-%%H:%%M:%%S
+
+#
+# Requires Directadmin v1.45.3 or higher. http://www.directadmin.com/features.php?id=1590
+#
+# Author: Cyril Roos
+
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/domino-smtp.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/domino-smtp.conf
new file mode 100644
index 0000000..cdc1773
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/domino-smtp.conf
@@ -0,0 +1,47 @@
+# Fail2Ban configuration file for IBM Domino SMTP Server TASK to detect failed login attempts
+#
+# Author: Christian Brandlehner
+#
+# $Revision: 003 $
+#
+# Configuration:
+# Set the following Domino Server parameters in notes.ini:
+# console_log_enabled=1
+# log_sessions=2
+# You also have to use a date and time format supported by fail2ban. Recommended notes.ini configuration is:
+# DateOrder=DMY
+# DateSeparator=-
+# ClockType=24_Hour
+# TimeSeparator=:
+#
+# Depending on your locale you might have to tweak the date and time format so fail2ban can read the log
+
+#[INCLUDES]
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+#before = common.conf
+
+[Definition]
+# Option: failregex
+# Notes.: regex to match the password failure messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P\S+)
+# Values: TEXT
+#
+# Sample log entries (used different time formats and an extra sample with process info in front of date)
+# 01-23-2009 19:54:51 SMTP Server: Authentication failed for user postmaster ; connecting host 1.2.3.4
+# [28325:00010-3735542592] 22-06-2014 09:56:12 smtp: postmaster [1.2.3.4] authentication failure using internet password
+# 08-09-2014 06:14:27 smtp: postmaster [1.2.3.4] authentication failure using internet password
+# 08-09-2014 06:14:27 SMTP Server: Authentication failed for user postmaster ; connecting host 1.2.3.4
+
+__prefix = (?:\[[^\]]+\])?\s+
+failregex = ^%(__prefix)sSMTP Server: Authentication failed for user .*? \; connecting host $
+ ^%(__prefix)ssmtp: (?:[^\[]+ )*\[\] authentication failure using internet password\s*$
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+
+ignoreregex =
+
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/dovecot.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/dovecot.conf
new file mode 100644
index 0000000..2019a16
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/dovecot.conf
@@ -0,0 +1,47 @@
+# Fail2Ban filter Dovecot authentication and pop3/imap server
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_auth_worker = (?:dovecot: )?auth(?:-worker)?
+_daemon = (?:dovecot(?:-auth)?|auth)
+
+prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info: )?.+$
+
+failregex = ^authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$
+ ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth)\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$
+ ^pam\(\S+,(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
+ ^[a-z\-]{3,15}\(\S*,(?:,\S*)?\): (?:unknown user|invalid credentials)\s*$
+ >
+
+mdre-aggressive = ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=(?:[^>]*(?:, session=<\S+>)?)\s*$
+
+mdre-normal =
+
+# Parameter `mode` - `normal` or `aggressive`.
+# Aggressive mode can be used to match log-entries like:
+# 'no auth attempts', 'disconnected before auth was ready', 'client didn't finish SASL auth'.
+# Note it may produce lots of false positives on misconfigured MTAs.
+# Ex.:
+# filter = dovecot[mode=aggressive]
+mode = normal
+
+ignoreregex =
+
+journalmatch = _SYSTEMD_UNIT=dovecot.service
+
+datepattern = {^LN-BEG}TAI64N
+ {^LN-BEG}
+
+# DEV Notes:
+# * the first regex is essentially a copy of pam-generic.conf
+# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
+#
+# Author: Martin Waschbuesch
+# Daniel Black (rewrote with begin and end anchors)
+# Martin O'Neal (added LDAP authentication failure regex)
+# Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/dropbear.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/dropbear.conf
new file mode 100644
index 0000000..930bb12
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/dropbear.conf
@@ -0,0 +1,50 @@
+# Fail2Ban filter for dropbear
+#
+# NOTE: The regex below is ONLY intended to work with a patched
+# version of Dropbear as described here:
+# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
+# ^%(__prefix_line)sexit before auth from .*\s*$
+#
+# The standard Dropbear output doesn't provide enough information to
+# ban all types of attack. The Dropbear patch adds IP address
+# information to the 'exit before auth' message which is always
+# produced for any form of non-successful login. It is that message
+# which this file matches.
+#
+# More information: http://bugs.debian.org/546913
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = dropbear
+
+prefregex = ^%(__prefix_line)s(?:[Ll]ogin|[Bb]ad|[Ee]xit).+$
+
+failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from :\d+$
+ ^[Bb]ad (PAM )?password attempt for .+ from (:\d+)?$
+ ^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from :\d+\s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# The first two regexs here match the unmodified dropbear messages. It isn't
+# possible to match the source of the 'exit before auth' messages from dropbear
+# as they don't include the "from " bit.
+#
+# The second last failregex line we need to match with the modified dropbear.
+#
+# For the second regex the following apply:
+#
+# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
+# http://svn.dd-wrt.com/changeset/16642#file64
+#
+# http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c
+#
+# Author: Francis Russell
+# Zak B. Elep
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/drupal-auth.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/drupal-auth.conf
new file mode 100644
index 0000000..b60abe3
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/drupal-auth.conf
@@ -0,0 +1,26 @@
+# Fail2Ban filter to block repeated failed login attempts to Drupal site(s)
+#
+#
+# Drupal must be setup to use Syslog, which defaults to the following format:
+#
+# !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+
+[Definition]
+
+failregex = ^%(__prefix_line)s(https?:\/\/)([\da-z\.-]+)\.([a-z\.]{2,6})(\/[\w\.-]+)*\|\d{10}\|user\|\|.+\|.+\|\d\|.*\|Login attempt failed for .+\.$
+
+ignoreregex =
+
+
+# DEV Notes:
+#
+# https://www.drupal.org/documentation/modules/syslog
+#
+# Author: Lee Clemens
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/ejabberd-auth.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/ejabberd-auth.conf
new file mode 100644
index 0000000..48e82df
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/ejabberd-auth.conf
@@ -0,0 +1,40 @@
+# Fail2Ban configuration file
+#
+# Author: Steven Hiscocks
+#
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Multiline regexs should use tag "" to separate lines.
+# This allows lines between the matching lines to continue to be
+# searched for other failures. This tag can be used multiple times.
+# Values: TEXT
+#
+failregex = ^=INFO REPORT==== ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for \S+ from (?:IP )?(?: \({{(?:\d+,){3}\d+},\d+}\))?$
+ ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:\w+:\d+ \([^\)]+\) Failed (?:c2s \w+ )?authentication for \S+ from (?:IP )?(?:::FFFF:)?(?:: |$)
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 2
+
+# Option: journalmatch
+# Notes.: systemd journalctl style match filter for journal based backend
+# Values: TEXT
+#
+journalmatch =
+
+#datepattern = ^(?:=[^=]+={3,} )?({DATE})
+# explicit time format using prefix =...==== and no date in second string begins with I(...)...
+datepattern = ^(?:=[^=]+={3,} )?(%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?)
+ ^I\(()**
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/exim-common.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/exim-common.conf
new file mode 100644
index 0000000..b3b2575
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/exim-common.conf
@@ -0,0 +1,20 @@
+# Fail2Ban filter file for common exim expressions
+#
+# This is to be used by other exim filters
+
+[INCLUDES]
+
+# Load customizations if any available
+after = exim-common.local
+
+[Definition]
+
+host_info_pre = (?:H=([\w.-]+ )?(?:\(\S+\) )?)?
+host_info_suf = (?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?\s
+host_info = %(host_info_pre)s\[\]%(host_info_suf)s
+pid = (?: \[\d+\])?
+
+# DEV Notes:
+# From exim source code: ./src/receive.c:add_host_info_for_log
+#
+# Author: Daniel Black
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/exim-spam.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/exim-spam.conf
new file mode 100644
index 0000000..733c884
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/exim-spam.conf
@@ -0,0 +1,50 @@
+# Fail2Ban filter for exim the spam rejection messages
+#
+# Honeypot traps are very useful for fighting spam. You just activate an email
+# address on your domain that you do not intend to use at all, and that normal
+# people do not risk to try for contacting you. It may be something that
+# spammers often test. You can also hide the address on a web page to be picked
+# by spam spiders. Or simply parse your mail logs for an invalid address
+# already being frequently targeted by spammers. Enable the address and
+# redirect it to the blackhole. In Exim's alias file, you would add the
+# following line (assuming the address is honeypot@yourdomain.com):
+#
+# honeypot: :blackhole:
+#
+# For the SA: Action: silently tossed message... to be logged exim's SAdevnull option needs to be used.
+#
+# To this filter use the jail.local should contain in the right jail:
+#
+# filter = exim-spam[honeypot=honeypot@yourdomain.com]
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# exim-common.local
+before = exim-common.conf
+
+[Definition]
+
+failregex = ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
+ ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$
+ ^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$
+ ^%(pid)s \S+ SA: Action: flagged as Spam but accepted: score=\d+\.\d+ required=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=\S+ \[\]\) for $
+ ^%(pid)s \S+ SA: Action: silently tossed message: score=\d+\.\d+ required=\d+\.\d+ trigger=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=(\S+ )?\[\]\) for \S+$
+
+ignoreregex =
+
+[Init]
+
+# Option: honeypot
+# Notes.: honeypot is an email address that isn't published anywhere that a
+# legitimate email sender would send email too.
+# Values: email address
+
+honeypot = trap@example.com
+
+# DEV Notes:
+# The %(host_info) defination contains a match
+#
+# Author: Cyril Jaquier
+# Daniel Black (rewrote with strong regexs)
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/exim.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/exim.conf
new file mode 100644
index 0000000..f1e56a7
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/exim.conf
@@ -0,0 +1,54 @@
+# Fail2Ban filter for exim
+#
+# This includes the rejection messages of exim. For spam and filter
+# related bans use the exim-spam.conf
+#
+
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# exim-common.local
+before = exim-common.conf
+
+[Definition]
+
+# Fre-filter via "prefregex" is currently inactive because of too different failure syntax in exim-log (testing needed):
+#prefregex = ^%(pid)s \b(?:\w+ authenticator failed|([\w\-]+ )?SMTP (?:(?:call|connection) from|protocol(?: synchronization)? error)|no MAIL in|(?:%(host_info_pre)s\[[^\]]+\]%(host_info_suf)s(?:sender verify fail|rejected RCPT|dropped|AUTH command))).+$
+
+failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
+ ^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
+ ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
+ ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
+ ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$
+ ^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH command used when not advertised\s*$
+ ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
+ ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
+ >
+
+mdre-aggressive = ^%(pid)s no host name found for IP address $
+ ^%(pid)s no IP address found for host \S+ \(during SMTP connection from \[\]\)$
+
+mdre-normal =
+
+# Parameter `mode` - `normal` or `aggressive`.
+# Aggressive mode can be used to match flood and ddos-similar log-entries like:
+# 'no host found for IP', 'no IP found for host'.
+# Note this is not an authentication failures, so it may produce lots of false
+# positives on misconfigured MTAs.
+# Ex.:
+# filter = exim[mode=aggressive]
+mode = normal
+
+ignoreregex =
+
+# DEV Notes:
+# The %(host_info) defination contains a match
+#
+# SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy
+# to void capture beyond ")" to avoid a DoS Injection vulnerabilty as input= is
+# user injectable data.
+#
+# Author: Cyril Jaquier
+# Daniel Black (rewrote with strong regexs)
+# Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/freeswitch.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/freeswitch.conf
new file mode 100644
index 0000000..4759fbe
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/freeswitch.conf
@@ -0,0 +1,36 @@
+# Fail2Ban configuration file
+#
+# Enable "log-auth-failures" on each Sofia profile to monitor
+#
+# -- this requires a high enough loglevel on your logs to save these messages.
+#
+# In the fail2ban jail.local file for this filter set ignoreip to the internal
+# IP addresses on your LAN.
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = freeswitch
+
+# Prefix contains common prefix line (server, daemon, etc.) and 2 datetimes if used systemd backend
+_pref_line = ^%(__prefix_line)s(?:\d+-\d+-\d+ \d+:\d+:\d+\.\d+)?
+
+failregex = %(_pref_line)s \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip $
+ %(_pref_line)s \[WARNING\] sofia_reg\.c:\d+ Can't find user \[[^@]+@[^\]]+\] from $
+
+ignoreregex =
+
+datepattern = {^LN-BEG}
+
+# Author: Rupa SChomaker, soapee01, Daniel Black
+# https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban
+# Thanks to Jim on mailing list of samples and guidance
+#
+# No need to match the following. Its a duplicate of the SIP auth regex.
+# ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP Rejected by acl "\S+"\. Falling back to Digest auth\.$
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/froxlor-auth.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/froxlor-auth.conf
new file mode 100644
index 0000000..d8f3785
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/froxlor-auth.conf
@@ -0,0 +1,40 @@
+# Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s)
+#
+# Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages
+# Froxlor: [Login Action ] Unknown user '' tried to login.
+# Froxlor: [Login Action ] User '' tried to login with wrong password.
+#
+# Author: Joern Muehlencord
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = Froxlor
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+
+prefregex = ^%(__prefix_line)s\[Login Action \] .+$
+
+failregex = ^Unknown user \S* tried to login.$
+ ^User \S* tried to login with wrong password.$
+
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
+
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/groupoffice.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/groupoffice.conf
new file mode 100644
index 0000000..166c5fe
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/groupoffice.conf
@@ -0,0 +1,14 @@
+# Fail2Ban filter for Group-Office
+#
+# Enable logging with:
+# $config['info_log']='/home/groupoffice/log/info.log';
+#
+
+[Definition]
+
+failregex = ^\[\]LOGIN FAILED for user: "\S+" from IP: $
+
+ignoreregex =
+
+# Author: Daniel Black
+
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/gssftpd.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/gssftpd.conf
new file mode 100644
index 0000000..5f9fb6a
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/gssftpd.conf
@@ -0,0 +1,18 @@
+# Fail2Ban filter file for gssftp
+#
+# Note: gssftp is part of the krb5-appl-servers in Fedora
+#
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = ftpd
+
+failregex = ^%(__prefix_line)srepeated login failures from \(\S+\)$
+
+ignoreregex =
+
+# Author: Kevin Zembower
+# Edited: Daniel Black - syslog based daemon
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/guacamole.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/guacamole.conf
new file mode 100644
index 0000000..09b4e7b
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/guacamole.conf
@@ -0,0 +1,25 @@
+# Fail2Ban configuration file for guacamole
+#
+# Author: Steven Hiscocks
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile.
+# Values: TEXT
+#
+failregex = ^.*\nWARNING: Authentication attempt from for user "[^"]*" failed\.$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 2
+
+datepattern = ^%%b %%d, %%ExY %%I:%%M:%%S %%p
+ ^WARNING:()**
+ {^LN-BEG}
\ No newline at end of file
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/haproxy-http-auth.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/haproxy-http-auth.conf
new file mode 100644
index 0000000..f92f9d6
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/haproxy-http-auth.conf
@@ -0,0 +1,37 @@
+# Fail2Ban filter configuration file to match failed login attempts to
+# HAProxy HTTP Authentication protected servers.
+#
+# PLEASE NOTE - When a user first hits the HTTP Auth a 401 is returned by the server
+# which prompts their browser to ask for login details.
+# This initial 401 is logged by HAProxy.
+# In other words, even successful logins will have at least 1 fail regex match.
+# Please keep this in mind when setting findtime and maxretry for jails.
+#
+# Author: Jordan Moeser
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = haproxy
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = ^%(__prefix_line)s(?::\d+)?\s+.* -1/-1/-1/-1/\+*\d* 401
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/horde.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/horde.conf
new file mode 100644
index 0000000..b94ebf6
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/horde.conf
@@ -0,0 +1,16 @@
+# fail2ban filter configuration for horde
+
+
+[Definition]
+
+
+failregex = ^ HORDE \[error\] \[(horde|imp)\] FAILED LOGIN for \S+ \[\](\(forwarded for \[\S+\]\))? to (Horde|{[^}]+}) \[(pid \d+ )?on line \d+ of \S+\]$
+
+
+ignoreregex =
+
+# DEV NOTES:
+# https://github.com/horde/horde/blob/master/imp/lib/Auth.php#L132
+# https://github.com/horde/horde/blob/master/horde/login.php
+#
+# Author: Daniel Black
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/ignorecommands/apache-fakegooglebot b/ansible/roles/fail2ban/files/fail2ban/filter.d/ignorecommands/apache-fakegooglebot
new file mode 100755
index 0000000..3c44325
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/ignorecommands/apache-fakegooglebot
@@ -0,0 +1,38 @@
+#!/usr/bin/env fail2ban-python
+# Inspired by https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/
+#
+# Written in Python to reuse built-in Python batteries and not depend on
+# presence of host and cut commands
+#
+import sys
+from fail2ban.server.ipdns import DNSUtils, IPAddr
+
+def process_args(argv):
+ if len(argv) != 2:
+ raise ValueError("Please provide a single IP as an argument. Got: %s\n"
+ % (argv[1:]))
+ ip = argv[1]
+
+ if not IPAddr(ip).isValid:
+ raise ValueError("Argument must be a single valid IP. Got: %s\n"
+ % ip)
+ return ip
+
+google_ips = None
+
+def is_googlebot(ip):
+ import re
+
+ host = DNSUtils.ipToName(ip)
+ if not host or not re.match('.*\.google(bot)?\.com$', host):
+ return False
+ host_ips = DNSUtils.dnsToIp(host)
+ return (ip in host_ips)
+
+if __name__ == '__main__': # pragma: no cover
+ try:
+ ret = is_googlebot(process_args(sys.argv))
+ except ValueError as e:
+ sys.stderr.write(str(e))
+ sys.exit(2)
+ sys.exit(0 if ret else 1)
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/kerio.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/kerio.conf
new file mode 100644
index 0000000..0fde092
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/kerio.conf
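Review bot: The hostname test in is_googlebot uses a non-raw pattern, `re.match('.*\.google(bot)?\.com$', host)`, so `\.` is an invalid escape inside a plain str literal (a DeprecationWarning on 3.6+, a SyntaxWarning on 3.12); `re.search(r'\.google(bot)?\.com$', host)` expresses the same check without the leading `.*`. The forward lookup on the next lines, `ip in host_ips`, is what keeps a spoofed PTR record from passing the check, and that intent is worth a comment such as `# forward-confirm the reverse lookup: a PTR alone is under the address owner's control`. `google_ips = None` is never read and can be dropped. This appears to be a verbatim copy of the upstream fail2ban script (shebang and `fail2ban.server.ipdns` import), so any local change should be recorded in the role so it survives the next re-sync.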
@@ -0,0 +1,24 @@
+# Fail2ban filter for kerio
+
+[Definition]
+
+failregex = ^ SMTP Spam attack detected from ,
+ ^ IP address found in DNS blacklist
+ ^ Relay attempt from IP address
+ ^ Attempt to deliver to unknown recipient \S+, from \S+, IP address $
+ ^ Failed SMTP login from
+ ^ SMTP: User \S+ doesn't exist. Attempt from IP address
+ ^ Client with IP address has no reverse DNS entry, connection rejected before SMTP greeting$
+ ^ Administration login into Web Administration from failed: IP address not allowed$
+ ^ Message from IP address , sender \S+ rejected: sender domain does not exist$
+
+ignoreregex =
+
+datepattern = ^\[%%d/%%b/%%Y %%H:%%M:%%S\]
+
+# DEV NOTES:
+#
+# Author: A.P. Lawrence
+# Updated by: M. Bischoff
+#
+# Based off: http://aplawrence.com/Kerio/fail2ban.html
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/lighttpd-auth.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/lighttpd-auth.conf
new file mode 100644
index 0000000..a68f4f4
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/lighttpd-auth.conf
@@ -0,0 +1,10 @@
+# Fail2Ban filter to match wrong passwords as notified by lighttpd's auth Module
+#
+
+[Definition]
+
+failregex = ^: \((?:http|mod)_auth\.c\.\d+\) (?:password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: \s*$
+
+ignoreregex =
+
+# Author: Francois Boulogne
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/mongodb-auth.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/mongodb-auth.conf
new file mode 100644
index 0000000..66c27ab
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/mongodb-auth.conf
@@ -0,0 +1,49 @@
+# Fail2Ban filter for unsuccesfull MongoDB authentication attempts
+#
+# Logfile /var/log/mongodb/mongodb.log
+#
+# add setting in /etc/mongodb.conf
+# logpath=/var/log/mongodb/mongodb.log
+#
+# and use of the authentication
+# auth = true
+#
+
+[Definition]
+#failregex = ^\s+\[initandlisten\] connection accepted from :\d+ \#(?P<__connid>\d+) \(1 connection now open\)\s+\[conn(?P=__connid)\] Failed to authenticate\s+
+failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]+\s+\[conn(?P=__connid)\] end connection
+
+ignoreregex =
+
+
+[Init]
+maxlines = 10
+
+# DEV Notes:
+#
+# Regarding the multiline regex:
+#
+# There can be a nunber of non-related lines between the first and second part
+# of this regex maxlines of 10 is quite generious.
+#
+# Note the capture __connid, includes the connection ID, used in second part of regex.
+#
+# The first regex is commented out (but will match also), because it is better to use
+# the host from "end connection" line (uncommented above):
+# - it has the same prefix, searching begins directly with failure message
+# (so faster, because ignores success connections at all)
+# - it is not so vulnerable in case of possible race condition
+#
+# Log example:
+# 2016-10-20T09:54:27.108+0200 [initandlisten] connection accepted from 127.0.0.1:53276 #1 (1 connection now open)
+# 2016-10-20T09:54:27.109+0200 [conn1] authenticate db: test { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
+# 2016-10-20T09:54:27.110+0200 [conn1] Failed to authenticate root@test with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@test
+# 2016-11-09T09:54:27.894+0100 [conn1] end connection 127.0.0.1:53276 (0 connections now open)
+# 2016-11-09T11:55:58.890+0100 [initandlisten] connection accepted from 127.0.0.1:54266 #1510 (1 connection now open)
+# 2016-11-09T11:55:58.892+0100 [conn1510] authenticate db: admin { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
+# 
2016-11-09T11:55:58.892+0100 [conn1510] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch
+# 2016-11-09T11:55:58.894+0100 [conn1510] end connection 127.0.0.1:54266 (0 connections now open)
+#
+# Authors: Alexander Finkhäuser
+# Sergey G. Brester (sebres)
+
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/monit.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/monit.conf
new file mode 100644
index 0000000..b652a1f
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/monit.conf
@@ -0,0 +1,21 @@
+# Fail2Ban filter for monit.conf, looks for failed access attempts
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = monit
+
+# Regexp for previous (accessing monit httpd) and new (access denied) versions
+failregex = ^\[\s*\]\s*error\s*:\s*Warning:\s+Client '' supplied (?:unknown user '[^']+'|wrong password for user '[^']*') accessing monit httpd$
+ ^%(__prefix_line)s\w+: access denied -- client : (?:unknown user '[^']+'|wrong password for user '[^']*'|empty password)$
+
+# Ignore login with empty user (first connect, no user specified)
+# ignoreregex = %(__prefix_line)s\w+: access denied -- client : (?:unknown user '')
+ignoreregex =
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/murmur.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/murmur.conf
new file mode 100644
index 0000000..f5f100a
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/murmur.conf
@@ -0,0 +1,31 @@
+# Fail2Ban filter for murmur/mumble-server
+#
+
+[INCLUDES]
+
+before = common.conf
+
+
+[Definition]
+
+_daemon = murmurd
+
+# N.B. If you allow users to have usernames that include the '>' character you
+# should change this to match the regex assigned to the 'username'
+# variable in your server config file (murmur.ini / mumble-server.ini).
+_usernameregex = [^>]+
+
+_prefix = \s+\d+ => <\d+:%(_usernameregex)s\(-1\)> Rejected connection from :\d+:
+
+prefregex = ^%(_prefix)s .+$
+
+failregex = ^Invalid server password$
+ ^Wrong certificate or password for existing user$
+
+ignoreregex =
+
+datepattern = ^{DATE}
+
+# DEV Notes:
+#
+# Author: Ross Brown
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/mysqld-auth.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/mysqld-auth.conf
new file mode 100644
index 0000000..31bd205
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/mysqld-auth.conf
@@ -0,0 +1,32 @@
+# Fail2Ban filter for unsuccesful MySQL authentication attempts
+#
+#
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]:
+# log-error=/var/log/mysqld.log
+# log-warning = 2
+#
+# If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = mysqld
+
+failregex = ^%(__prefix_line)s(?:\d+ |\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[\w+\] Access denied for user '[^']+'@'' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Technically __prefix_line can equate to an empty string hence it can support
+# syslog and non-syslog at once.
+# Example:
+# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
+#
+# Authors: Artur Penttinen
+# Yaroslav O. Halchenko 
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/nagios.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/nagios.conf
new file mode 100644
index 0000000..0429d3f
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/nagios.conf
@@ -0,0 +1,17 @@
+# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2)
+# Detecting unauthorized access to the nrpe2 daemon
+# typically logged in /var/log/messages syslog
+#
+
+[INCLUDES]
+# Read syslog common prefixes
+before = common.conf
+
+[Definition]
+_daemon = nrpe
+failregex = ^%(__prefix_line)sHost is not allowed to talk to us!\s*$
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Ivo Truxa - 2014/02/03
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/named-refused.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/named-refused.conf
new file mode 100644
index 0000000..2e14d44
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/named-refused.conf
@@ -0,0 +1,50 @@
+# Fail2Ban filter file for named (bind9).
+#
+
+# This filter blocks attacks against named (bind9) however it requires special
+# configuration on bind.
+#
+# By default, logging is off with bind9 installation.
+#
+# You will need something like this in your named.conf to provide proper logging.
+#
+# logging {
+# channel security_file {
+# file "/var/log/named/security.log" versions 3 size 30m;
+# severity dynamic;
+# print-time yes;
+# };
+# category security {
+# security_file;
+# };
+# };
+
+[Definition]
+
+# Daemon name
+_daemon=named
+
+# Shortcuts for easier comprehension of the failregex
+
+__pid_re=(?:\[\d+\])
+__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
+__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
+
+# hostname daemon_id spaces
+# this can be optional (for instance if we match named native log files)
+__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
+
+prefregex = ^%(__line_prefix)s( error:)?\s*client #\S+( \([\S.]+\))?: .+$
+
+failregex = ^(view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$
+ ^zone transfer '\S+/AXFR/\w+' denied\s*$
+ ^bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$
+
+ignoreregex =
+
+# DEV Notes:
+# Trying to generalize the
+# structure which is general to capture general patterns in log
+# lines to cover different configurations/distributions
+#
+# Author: Yaroslav Halchenko
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-botsearch.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-botsearch.conf
new file mode 100644
index 0000000..0be895b
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-botsearch.conf
@@ -0,0 +1,23 @@
+# Fail2Ban filter to match web requests for selected URLs that don't exist
+#
+
+[INCLUDES]
+
+# Load regexes for filtering
+before = botsearch-common.conf
+
+[Definition]
+
+failregex = ^ \- \S+ \[\] \"(GET|POST|HEAD) \/ \S+\" 404 .+$
+ ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: \, server\: \S*\, request: \"(GET|POST|HEAD) \/ \S+\"\, .*?$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
+ ^[^\[]*\[({DATE})
+ {^LN-BEG}
+
+# DEV Notes:
+# Based on apache-botsearch filter
+#
+# Author: Frantisek Sumsal
\ No newline at end of file
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-http-auth.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-http-auth.conf
new file mode 100644
index 0000000..93341cd
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-http-auth.conf
@@ -0,0 +1,17 @@
+# fail2ban filter configuration for nginx
+
+
+[Definition]
+
+
+failregex = ^ \[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: , server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}
+
+# DEV NOTES:
+# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
+# Extensive search of all nginx auth failures not done yet.
+#
+# Author: Daniel Black
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-limit-req.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-limit-req.conf
new file mode 100644
index 0000000..e23548a
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-limit-req.conf
@@ -0,0 +1,46 @@
+# Fail2ban filter configuration for nginx :: limit_req
+# used to ban hosts, that were failed through nginx by limit request processing rate
+#
+# Author: Serg G. Brester (sebres)
+#
+# To use 'nginx-limit-req' filter you should have `ngx_http_limit_req_module`
+# and define `limit_req` and `limit_req_zone` as described in nginx documentation
+# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
+#
+# Example:
+#
+# http {
+# ...
+# limit_req_zone $binary_remote_addr zone=lr_zone:10m rate=1r/s;
+# ...
+# # http, server, or location:
+# location ... {
+# limit_req zone=lr_zone burst=1 nodelay;
+# ...
+# }
+# ...
+# }
+# ...
+#
+
+[Definition]
+
+# Specify following expression to define exact zones, if you want to ban IPs limited
+# from specified zones only.
+# Example:
+#
+# ngx_limit_req_zones = lr_zone|lr_zone2
+#
+ngx_limit_req_zones = [^"]+
+
+# Use following full expression if you should range limit request to specified
+# servers, requests, referrers etc. only :
+#
+# failregex = ^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: , server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$
+
+# Shortly, much faster and stable version of regexp:
+failregex = ^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: ,
+
+ignoreregex =
+
+datepattern = {^LN-BEG}
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-nobinary.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-nobinary.conf
new file mode 100644
index 0000000..6bf6120
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-nobinary.conf
@@ -0,0 +1,6 @@
+[Definition]
+
+failregex = ^ -.*(.*\\x.*)
+
+ignoreregex =
+
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-noenv.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-noenv.conf
new file mode 100644
index 0000000..c026a09
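Review bot: The nginx-nobinary failregex `^ -.*(.*\\x.*)` is not anchored to the request field, so a `\x` escape anywhere in the access-log line — the referer or user-agent fields included — bans the client, and the trailing capture group is redundant because the preceding `.*` already spans the line. nginx writes `\xNN` for any non-printable byte it logs, so a browser sending a non-UTF-8 user-agent or referer is enough to trigger a ban; the same unanchored-`.*` shape is repeated in nginx-nohome, nginx-noproxy, nginx-noscan, nginx-noscript and nginx-wplogin. Restricting the match to the quoted request, along the lines of `failregex = ^<HOST> - \S+ \[\] "[A-Z]+ [^"]*\\x[^"]*"` together with the `datepattern = ^[^\[]*\[({DATE})` that the nginx-botsearch hunk in this commit uses, confines the ban to what the client actually requested. The `<HOST>` tag is not visible in this rendering of any of these filters (angle-bracket tags appear to have been stripped page-wide); confirm it is present in the files, since fail2ban has no address to ban without it.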
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-noenv.conf
@@ -0,0 +1,6 @@
+[Definition]
+
+failregex = ^.*(\/\.).*
+
+ignoreregex =
+
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-nohome.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-nohome.conf
new file mode 100644
index 0000000..ee83f79
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-nohome.conf
@@ -0,0 +1,5 @@
+[Definition]
+
+failregex = ^ -.*GET .*/~.*
+
+ignoreregex =
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-noproxy.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-noproxy.conf
new file mode 100644
index 0000000..a091a0d
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-noproxy.conf
@@ -0,0 +1,5 @@
+[Definition]
+
+failregex = ^ -.*GET http.*
+
+ignoreregex =
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-noscan.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-noscan.conf
new file mode 100644
index 0000000..981e69e
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-noscan.conf
@@ -0,0 +1,6 @@
+[Definition]
+
+failregex = ^ -.*GET.*(masscan|ZmEu)
+
+ignoreregex =
+
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-noscript.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-noscript.conf
new file mode 100644
index 0000000..0244daf
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-noscript.conf
@@ -0,0 +1,5 @@
+[Definition]
+
+failregex = ^ -.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)
+
+ignoreregex =
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-wplogin.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-wplogin.conf
new file mode 100644
index 0000000..c776bb7
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/nginx-wplogin.conf
@@ -0,0 +1,6 @@
+[Definition]
+
+failregex = ^ -.*GET.*(wp-login.php)
+
+ignoreregex =
+
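Review bot: The nginx-noenv failregex `^.*(\/\.).*` fires on any access-log line containing `/.`, which includes the `/.well-known/acme-challenge/` requests made by ACME validation servers, so enabling this jail bans the certificate authority and breaks renewal; a `/.` inside a referer URL triggers it too. Unlike the sibling filters it does not even start with the `-` that follows the host field, so nothing ties the match to the client's own request. A starting point that keeps the dot-file intent but spares ACME is `failregex = ^<HOST> -.*"[A-Z]+ (?!/\.well-known/)\S*/\.`, and a comment stating the purpose (`# ban clients requesting dot-files such as .env or .git`) would help, since the file currently has none.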
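Review bot: The nginx-noscript alternation `(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)` is unanchored and has no word boundary, so it matches the referer and user-agent fields as well as the URI — any visitor arriving from a `.pl` domain, or a user-agent string containing `.pl`, is banned — and on a host that serves PHP at all it bans every legitimate visitor on their first page load. If the intent is to catch probes for script types the server does not serve, confine the match to the request field and to the error status nginx returns for them, e.g. `failregex = ^<HOST> -.*"[A-Z]+ \S+\.(?:php|asp|exe|pl|cgi|scgi)\b[^"]*" 40[34] `. Whichever form is kept, the file should say which deployments it is safe for, because the role enables it by default.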
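Review bot: The nginx-wplogin failregex `^ -.*GET.*(wp-login.php)` matches the plain GET of the login page, which is what every legitimate administrator does before logging in, so with the default `maxretry` this filter bans admins rather than brute-forcers. The access log does not record whether a login succeeded, so neither GET nor POST of `wp-login.php` is a failure signal on its own; the unescaped `.` in `wp-login.php` is a minor point by comparison. If the filter is kept, match the POST (`failregex = ^<HOST> -.*"POST \S*wp-login\.php`) with a `maxretry` high enough to cover normal use, and document in the file that it rate-limits login attempts rather than detecting failures.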
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/nsd.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/nsd.conf
new file mode 100644
index 0000000..bfd9954
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/nsd.conf
@@ -0,0 +1,31 @@
+# Fail2Ban configuration file
+#
+# Author: Bas van den Dikkenberg
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = nsd
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+
+failregex = ^%(__prefix_line)sinfo: ratelimit block .* query TYPE255$
+ ^%(__prefix_line)sinfo: .* refused, no acl matches\.$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}Epoch
+ {^LN-BEG}
\ No newline at end of file
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/openhab.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/openhab.conf
new file mode 100644
index 0000000..f6b9633
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/openhab.conf
@@ -0,0 +1,15 @@
+# Openhab brute force auth filter: /etc/fail2ban/filter.d/openhab.conf:
+#
+# Block IPs trying to auth openhab by web or rest api
+#
+# Matches e.g.
+# 12.34.33.22 - - [26/sept./2015:18:04:43 +0200] "GET /openhab.app HTTP/1.1" 401 1382
+# 175.18.15.10 - - [02/sept./2015:00:11:31 +0200] "GET /rest/bindings HTTP/1.1" 401 1384
+
+[Definition]
+failregex = ^\s+-\s+-\s+\[\]\s+"[A-Z]+ .*" 401 \d+\s*$
+
+datepattern = %%d/%%b[^/]*/%%Y:%%H:%%M:%%S %%z
+
+
+
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/openwebmail.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/openwebmail.conf
new file mode 100644
index 0000000..ef51031
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/openwebmail.conf
@@ -0,0 +1,15 @@
+# Fail2Ban filter for Openwebmail
+# banning hosts with authentication errors in /var/log/openwebmail.log
+# OpenWebMail http://openwebmail.org
+#
+
+[Definition]
+
+failregex = ^ - \[\d+\] \(\) (?P\S+) - login error - (no such user - loginname=(?P=USER)|auth_unix.pl, ret -4, Password incorrect)$
+ ^ - \[\d+\] \(\) (?P\S+) - userinfo error - auth_unix.pl, ret -4, User (?P=USER) doesn't exist$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Ivo Truxa (c) 2013 truXoft.com
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/oracleims.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/oracleims.conf
new file mode 100644
index 0000000..7d75c32
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/oracleims.conf
@@ -0,0 +1,63 @@
+# Fail2Ban configuration file
+# for Oracle IMS with XML logging
+#
+# Author: Joel Snyder/jms@opus1.com/2014-June-01
+#
+#
+
+
+[INCLUDES]
+
+# Read common prefixes.
+# If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages
+# in the logfile. The host must be matched by a
+# group named "host". The tag "" can
+# be used for standard IP/hostname matching and is
+# only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+#
+# CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6 and ABOVE:
+#
+# In OPTION.DAT you must have LOG_FORMAT=4 and
+# bit 5 of LOG_CONNECTION must be set.
+#
+# Many of these sub-fields are optional and can be turned on and off
+# by the system manager. We need the "tr" field
+# (transport information (present if bit 5 of LOG_CONNECTION is
+# set and transport information is available)).
+# "di" should be there by default if you have LOG_FORMAT=4.
+# Do not use "mi" as this is not included by default.
+#
+# Typical line IF YOU ARE USING TAGGING ! ! ! is:
+#
+# Format is generally documented in the PORT_ACCESS mapping
+# at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html
+#
+# All that would be on one line.
+# Note that you MUST have LOG_FORMAT=4 for this to work!
+#
+
+failregex = tr="[A-Z]+\|[0-9.]+\|\d+\|\|\d+" ap="[^"]*" mi="Bad password" us="[^"]*" di="535 5.7.8 Bad username or password( \(Authentication failed\))?\."/>$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
+
+datepattern = ^.+$
+
+failregex = ^ruser=\S* rhost=\s*$
+ ^ruser= rhost=\s+user=\S*\s*$
+ ^ruser= rhost=\s+user=.*?\s*$
+ ^ruser=.*? rhost=\s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release)
+# _daemon = \S*\(?pam_unix\)? 
+# failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$
+#
+# Author: Yaroslav Halchenko
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/perdition.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/perdition.conf
new file mode 100644
index 0000000..c47dcac
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/perdition.conf
@@ -0,0 +1,18 @@
+# Fail2Ban filter for perdition
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon=perdition.\S+
+
+failregex = ^%(__prefix_line)sAuth: :\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$
+ ^%(__prefix_line)sFatal Error reading authentication information from client :\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$
+
+ignoreregex =
+
+# Author: Christophe Carles and Daniel Black
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/php-url-fopen.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/php-url-fopen.conf
new file mode 100644
index 0000000..a7957c9
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/php-url-fopen.conf
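Review bot: The oracleims.conf hunk contains, after `datepattern = ^.+$`, a second `failregex`/`ignoreregex` pair with PAM-style `ruser=`/`rhost=` rules and a "linux-pam" note that have nothing to do with Oracle IMS. If this really is one file, fail2ban's INI parsing keeps the last value of a repeated key, so the Oracle `tr="..." mi="Bad password"` regex is silently replaced and the filter never matches its intended log lines; it also means the second block's `%(_ttys_re)s` reference is unresolved here. If instead the rendering of this page dropped a `diff --git` header for a separate pam-generic file, disregard this note, but the hunk's stated length of 63 lines is worth checking against the actual file.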
@@ -0,0 +1,23 @@
+# Fail2Ban filter for URLs with a URL as a script parameters
+# which can be an indication of a fopen url php injection
+#
+# Example of web requests in Apache access log:
+# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
+
+[Definition]
+
+failregex = ^ -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Version 2
+# fixes the failregex so REFERERS that contain =http:// don't get blocked
+# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
+# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
+#
+# Author: Arturo 'Buanzo' Busleiman
+
+datepattern = ^[^\[]*\[({DATE})
+ {^LN-BEG}
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/phpmyadmin-syslog.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/phpmyadmin-syslog.conf
new file mode 100644
index 0000000..5b0862b
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/phpmyadmin-syslog.conf
@@ -0,0 +1,18 @@
+# Fail2Ban fitler for the phpMyAdmin-syslog
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = phpMyAdmin
+
+failregex = ^%(__prefix_line)suser denied: (?:\S+|.*?) \(mysql-denied\) from \s*$
+
+ignoreregex =
+
+
+# Author: Pavel Mihadyuk
+# Regex fixes: Serg G. Brester
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/portsentry.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/portsentry.conf
new file mode 100644
index 0000000..35ca2a3
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/portsentry.conf
@@ -0,0 +1,15 @@
+# Fail2Ban filter for failure attempts in Counter Strike-1.6
+#
+#
+
+[Definition]
+
+failregex = \/ Port\: [0-9]+ (TCP|UDP) Blocked$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}Epoch
+ {^LN-BEG}
+
+# Author: Pacop
+
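Review bot: The header comment of portsentry.conf, `# Fail2Ban filter for failure attempts in Counter Strike-1.6`, describes a different service than the one the file is named for and the `Port: N TCP|UDP Blocked` pattern matches. A maintainer scanning the role's filter.d for what each jail does will be misled; suggest `# Fail2Ban filter for portsentry "Blocked" log entries (portsentry.history / syslog)`. As with the nginx filters, the `<HOST>` tag that should sit before `\/ Port\:` is not visible in this rendering, so confirm it survived the copy.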
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix.conf
new file mode 100644
index 0000000..d1505e3
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix.conf
@@ -0,0 +1,71 @@
+# Fail2Ban filter for selected Postfix SMTP rejections
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
+_port = (?::\d+)?
+
+prefregex = ^%(__prefix_line)s> .+$
+
+mdpr-normal = (?:NOQUEUE: reject:|improper command pipelining after \S+)
+mdre-normal=^RCPT from [^[]*\[\]%(_port)s: 55[04] 5\.7\.1\s
+ ^RCPT from [^[]*\[\]%(_port)s: 45[04] 4\.7\.1 (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
+ ^RCPT from [^[]*\[\]%(_port)s: 450 4\.7\.1 (<[^>]*>)?: Helo command rejected: Host not found\b
+ ^EHLO from [^[]*\[\]%(_port)s: 504 5\.5\.2 (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
+ ^VRFY from [^[]*\[\]%(_port)s: 550 5\.1\.1\s
+ ^RCPT from [^[]*\[\]%(_port)s: 450 4\.1\.8 (<[^>]*>)?: Sender address rejected: Domain not found\b
+ ^from [^[]*\[\]%(_port)s:?
+
+mdpr-auth = warning:
+mdre-auth = ^[^[]*\[\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
+mdre-auth2= ^[^[]*\[\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
+# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).
+
+# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
+mdpr-rbl = %(mdpr-normal)s
+mdre-rbl = ^RCPT from [^[]*\[\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
+
+# Mode "rbl" currently included in mode "normal" (within 1st rule)
+mdpr-more = %(mdpr-normal)s
+mdre-more = %(mdre-normal)s
+
+mdpr-ddos = lost connection after(?! DATA) [A-Z]+
+mdre-ddos = ^from [^[]*\[\]%(_port)s:? 
+
+mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
+mdre-extra = %(mdre-auth)s
+ %(mdre-normal)s
+
+mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
+mdre-aggressive = %(mdre-auth2)s
+ %(mdre-normal)s
+
+
+
+failregex = >
+
+# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
+# Usage example (for jail.local):
+# [postfix]
+# mode = aggressive
+# # or another jail (rewrite filter parameters of jail):
+# [postfix-rbl]
+# filter = postfix[mode=rbl]
+#
+mode = more
+
+ignoreregex =
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=postfix.service
+
+# Author: Cyril Jaquier
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/proftpd.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/proftpd.conf
new file mode 100644
index 0000000..a7bd283
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/proftpd.conf
@@ -0,0 +1,34 @@
+# Fail2Ban fitler for the Proftpd FTP daemon
+#
+# Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS.
+# See: http://www.proftpd.org/docs/howto/DNS.html
+# When the default locale for your system is not en_US.UTF-8
+# on Debian-based systems be sure to add this to /etc/default/proftpd
+# export LC_TIME="en_US.UTF-8"
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = proftpd
+
+__suffix_failed_login = (User not authorized for login|No such user found|Incorrect password|Password expired|Account disabled|Invalid shell: '\S+'|User in \S+|Limit (access|configuration) denies login|Not a UserAlias|maximum login length exceeded).?
+
+
+prefregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ (?:USER|SECURITY|Maximum).+$
+
+
+failregex = ^USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
+ ^USER .* \(Login failed\): %(__suffix_failed_login)s\s*$
+ ^SECURITY VIOLATION: .* login attempted\. *$
+ ^Maximum login attempts \(\d+\) exceeded *$
+
+ignoreregex =
+
+[Init]
+journalmatch = _SYSTEMD_UNIT=proftpd.service
+
+# Author: Yaroslav Halchenko
+# Daniel Black - hardening of regex
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/pure-ftpd.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/pure-ftpd.conf
new file mode 100644
index 0000000..034336f
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/pure-ftpd.conf
@@ -0,0 +1,40 @@
+# Fail2Ban filter for pureftp
+#
+# Disable hostname based logging by:
+#
+# Start pure-ftpd with the -H switch or on Ubuntu 'echo yes > /etc/pure-ftpd/conf/DontResolve'
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = pure-ftpd
+
+# Error message specified in multiple languages
+__errmsg = (?:Godkendelse mislykkedes for \[.*\]|Authentifizierung fehlgeschlagen für Benutzer \[.*\].|Authentication failed for user \[.*\]|Autentificación fallida para el usuario \[.*\]|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Azonosítás sikertelen \[.*\] felhasználónak|Autenticazione falita per l'utente \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|Godkjennelse mislyktes for \[.*\]|\[.*\] kullanýcýsý için giriþ hatalý|Autenticação falhou para usuário \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentifikace uživatele selhala \[.*\]|Autentyfikacja nie powiodła się dla użytkownika \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Behörighetskontroll misslyckas för användare \[.*\]|Авторизация не удалась пользователю \[.*\]|\[.*\] 嶸盪 檣隸 褒ぬ|妏蚚氪\[.*\]桄痐囮啖|使用者\[.*\]驗證失敗)
+
+failregex = ^%(__prefix_line)s\(.+?@\) \[WARNING\] %(__errmsg)s\s*$
+
+ignoreregex =
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=pure-ftpd.service
+ _COMM=pure-ftpd
+
+# Author: Cyril Jaquier
+# Modified: Yaroslav Halchenko for pure-ftpd
+# Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal
+# UTF-8 editing and mechanism thanks to Johannes Weberhofer
+#
+# Only logs to syslog though facility can be changed configuration file/command line
+#
+# To get messages in the right encoding:
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[defhint]* | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' > messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[pr][to] | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' >> messages
+# grep 
MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[cps][slkv] | grep -Po '".?"' | recode latin2..utf-8 | tr -d '"' >> messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_ru | grep -Po '".?"' | recode KOI8-R..utf-8 | tr -d '"' >> messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[kz] | grep -Po '".*?"' | tr -d '"' | recode big5..utf-8 >> messages
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/qmail.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/qmail.conf
new file mode 100644
index 0000000..62d499c
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/qmail.conf
@@ -0,0 +1,31 @@
+# Fail2Ban filters for qmail RBL patches/fake proxies
+#
+# the default djb RBL implementation doesn't log any rejections
+# so is useless with this filter.
+#
+# One patch is here:
+#
+# http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:qmail|rblsmtpd)
+
+failregex = ^%(__prefix_line)s\d+\.\d+ rblsmtpd: pid \d+ \S+ 4\d\d \S+\s*$
+ ^%(__prefix_line)s\d+\.\d+ qmail-smtpd: 4\d\d badiprbl: ip rbl: \S+\s*$
+ ^%(__prefix_line)s\S+ blocked \S+ -\s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# These seem to be for two or 3 different patches to qmail or rblsmtpd
+# so you'll probably only ever see one of these regex's that match.
+#
+# ref: https://github.com/fail2ban/fail2ban/pull/386
+#
+# Author: Daniel Black
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/recidive.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/recidive.conf
new file mode 100644
index 0000000..e2501cf
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/recidive.conf
@@ -0,0 +1,38 @@
+# Fail2Ban filter for repeat bans
+#
+# This filter monitors the fail2ban log file, and enables you to add long
+# time bans for ip addresses that get banned by fail2ban multiple times.
+#
+# Reasons to use this: block very persistent attackers for a longer time,
+# stop receiving email notifications about the same attacker over and
+# over again.
+#
+# This jail is only useful if you set the 'findtime' and 'bantime' parameters
+# in jail.conf to a higher value than the other jails. Also, this jail has its
+# drawbacks, namely in that it works only with iptables, or if you use a
+# different blocking mechanism for this jail versus others (e.g. hostsdeny
+# for most jails, and shorewall for this one).
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = fail2ban\.actions\s*
+
+# The name of the jail that this filter is used for. In jail.conf, name the
+# jail using this filter 'recidive', or change this line!
+_jailname = recidive
+
+failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+\s*$
+
+ignoreregex =
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
+
+# Author: Tom Hendrikx, modifications by Amir Caspi
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/roundcube-auth.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/roundcube-auth.conf
new file mode 100644
index 0000000..9912ff4
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/roundcube-auth.conf
@@ -0,0 +1,39 @@
+# Fail2Ban configuration file for roundcube web server
+#
+# By default failed logins are printed to 'errors'. The first regex matches those
+# The second regex matches those printed to 'userlogins'
+# The userlogins log file can be enabled by setting $config['log_logins'] = true; in config.inc.php
+#
+# The logpath in your jail can be updated to userlogins if you wish
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: .+$
+
+failregex = ^(?:FAILED login|Login failed) for .* from (?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
+ ^(?:<[\w]+> )?Failed login for .* from in session \w+( \(error: \d\))?$
+
+ignoreregex =
+
+journalmatch = SYSLOG_IDENTIFIER=roundcube
+
+# DEV Notes:
+#
+# Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180
+#
+# Part after comes straight from IMAP server up until the " in ....."
+# Earlier versions didn't log the IMAP response hence optional.
+#
+# DoS resistance:
+#
+# Assume that the user can inject "from " into the imap response
+# somehow. Write test cases around this to ensure that the combination of
+# arbitrary user input and IMAP response doesn't inject the wrong IP for
+# fail2ban
+#
+# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black & Lee Clemens
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/screensharingd.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/screensharingd.conf
new file mode 100644
index 0000000..4cd7646
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/screensharingd.conf
@@ -0,0 +1,31 @@
+# Fail2Ban configuration file
+#
+# Author: Simon Brown
+#
+# Filter for Mac OS X Screen Sharing service
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = screensharingd
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = ^%(__prefix_line)sAuthentication: FAILED :: User Name: .+ :: Viewer Address: :: Type: DH$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/selinux-common.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/selinux-common.conf
new file mode 100644
index 0000000..b3e0ae4
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/selinux-common.conf
@@ -0,0 +1,23 @@
+# Fail2Ban configuration file for generic SELinux audit messages
+#
+# This file is not intended to be used directly, and should be included into a
+# filter file which would define following variables. See selinux-ssh.conf as
+# and example.
+#
+# _type
+# _uid
+# _auid
+# _subj
+# _msg
+#
+# Also one of these variables must include .
+
+[Definition]
+
+failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
+
+ignoreregex =
+
+datepattern = EPOCH
+
+# Author: Daniel Black
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/selinux-ssh.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/selinux-ssh.conf
new file mode 100644
index 0000000..6955094
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/selinux-ssh.conf
@@ -0,0 +1,25 @@
+# Fail2Ban configuration file for SELinux ssh authentication errors
+#
+
+[INCLUDES]
+
+after = selinux-common.conf
+
+[Definition]
+
+_type = USER_(ERR|AUTH)
+_uid = 0
+_auid = \d+
+_subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
+
+_exe =/usr/sbin/sshd
+_terminal = ssh
+
+_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr= terminal=%(_terminal)s res=failed
+
+# DEV Notes:
+#
+# Note: USER_LOGIN is ignored as this is the duplicate messsage
+# ssh logs after 3 USER_AUTH failures.
+#
+# Author: Daniel Black
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/sendmail-auth.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/sendmail-auth.conf
new file mode 100644
index 0000000..35bf235
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/sendmail-auth.conf
@@ -0,0 +1,20 @@
+# Fail2Ban filter for sendmail authentication failures
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:sendmail|sm-(?:mta|acceptingconnections))
+
+failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
+
+ignoreregex =
+
+journalmatch = _SYSTEMD_UNIT=sendmail.service
+
+# DEV Notes:
+#
+# Author: Daniel Black
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/sendmail-reject.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/sendmail-reject.conf
new file mode 100644
index 0000000..bdc1c2c
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/sendmail-reject.conf
@@ -0,0 +1,66 @@
+# Fail2Ban filter for sendmail spam/relay type failures
+#
+# Some of the below failregex will only work properly, when the following
+# options are set in the .mc file (see your Sendmail documentation on how
+# to modify it and generate the corresponding .cf file):
+#
+# FEATURE(`delay_checks')
+# FEATURE(`greet_pause', `500')
+# FEATURE(`ratecontrol', `nodelay', `terminate')
+# FEATURE(`conncontrol', `nodelay', `terminate')
+#
+# ratecontrol and conncontrol also need corresponding options ClientRate:
+# and ClientConn: in the access file, see documentation for ratecontrol and
+# conncontrol in the sendmail/cf/README file.
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:(sm-(mta|acceptingconnections)|sendmail))
+
+prefregex = ^%(__prefix_line)s(?:\w{14}: )?.+$
+
+cmnfailre = ^ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[\](?: \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
+ ^ruleset=check_relay, arg1=(?P\S+), arg2=, relay=((?P=dom) )?\[(\d+\.){3}\d+\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
+ ^rejecting commands from (\S* )?\[\] due to pre-greeting traffic after \d+ seconds$
+ ^(?:\S+ )?\[\]: (?:(?i)expn|vrfy) \S+ \[rejected\]$
+ ^<[^@]+@[^>]+>\.\.\. No such user here$
+ ^from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[\]$
+
+mdre-normal =
+
+mdre-extra = ^(?:\S+ )?\[\](?: \(may be forged\))?
did not issue (?:[A-Z]{4}[/ ]?)+during connection to M(?:TA|SP)(?:-\w+)?$
+
+mdre-aggressive = %(mdre-extra)s
+
+failregex = %(cmnfailre)s
+ >
+
+# Parameter "mode": normal (default), extra or aggressive
+# Usage example (for jail.local):
+# [sendmail-reject]
+# filter = sendmail-reject[mode=extra]
+#
+mode = normal
+
+ignoreregex =
+
+journalmatch = _SYSTEMD_UNIT=sendmail.service
+
+# DEV NOTES:
+#
+# Regarding the multiline regex:
+#
+# "No such user" lines generate a failure and needs to be matched together with
+# another line with the HOST, therefore no-failure line was added as regex, that
+# contains HOST (see line with tag ).
+#
+# Note the capture , includes both the __prefix_lines (which includes
+# the sendmail PID), but also the `\w{14}` which the the sendmail assigned
+# mail ID (todo: check this is necessary, possible obsolete).
+#
+# Author: Daniel Black, Fabian Wenk and Sergey Brester aka sebres.
+# Rewritten using prefregex by Serg G. Brester.
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/sieve.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/sieve.conf
new file mode 100644
index 0000000..4ec9c45
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/sieve.conf
@@ -0,0 +1,18 @@
+# Fail2Ban filter for sieve authentication failures
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = (?:cyrus/)?(?:tim)?sieved?
+
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[\] \S+ authentication failure$
+
+ignoreregex =
+
+# Author: Jan Wagner
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/slapd.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/slapd.conf
new file mode 100644
index 0000000..22cf430
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/slapd.conf
@@ -0,0 +1,25 @@
+# slapd (Stand-alone LDAP Daemon) openldap daemon filter
+#
+# Detecting invalid credentials: error code 49
+# http://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html#invalidCredentials (49)
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = slapd
+
+failregex = ^(?P<__prefix>%(__prefix_line)s)conn=(?P<_conn_>\d+) fd=\d+ ACCEPT from IP=:\d{1,5} \(IP=\S+\)\s*(?P=__prefix)conn=(?P=_conn_) op=\d+ RESULT(?:\s(?!err)\S+=\S*)* err=49 text=[\w\s]*$
+
+ignoreregex =
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 20
+
+# Author: Andrii Melnyk
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/sogo-auth.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/sogo-auth.conf
new file mode 100644
index 0000000..48221dc
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/sogo-auth.conf
@@ -0,0 +1,22 @@
+# Fail2ban filter for SOGo authentcation
+#
+# Log file usually in /var/log/sogo/sogo.log
+
+[Definition]
+
+failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '' for user '.*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$
+
+ignoreregex = "^"
+
+datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
+ {^LN-BEG}(?:%%a )?%%b %%d %%H:%%M:%%S(?:\.%%f)?(?: %%ExY)?
+ ^[^\[]*\[({DATE})
+ {^LN-BEG}
+
+#
+# DEV Notes:
+#
+# The error log may contain multiple hosts, whereas the first one
+# is the client and all others are poxys. We match the first one, only
+#
+# Author: Arnd Brandes
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/solid-pop3d.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/solid-pop3d.conf
new file mode 100644
index 0000000..ba19d66
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/solid-pop3d.conf
@@ -0,0 +1,32 @@
+# Fail2Ban filter for unsuccessful solid-pop3 authentication attempts
+#
+# Doesn't currently provide PAM support as PAM log messages don't include rhost as
+# remote IP.
+#
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = solid-pop3d
+
+failregex = ^%(__prefix_line)sauthentication failed: (no such user|can't map user name): .*? - $
+ ^%(__prefix_line)s(APOP )?authentication failed for (mapped )?user .*? - $
+ ^%(__prefix_line)sroot login not allowed - $
+ ^%(__prefix_line)scan't find APOP secret for user .*? - $
+
+ignoreregex =
+
+# DEV Notes:
+#
+# solid-pop3d needs to be compiled with --enable-logextend to support
+# IP addresses in log messages.
+#
+# solid-pop3d-0.15/src/main.c contains all authentication errors
+# except for PAM authentication messages ( src/authenticate.c )
+#
+# A pam authentication failure message (note no IP for rhost).
+# Nov 17 23:17:50 emf1pt2-2-35-70 solid-pop3d[17176]: pam_unix(solid-pop3d:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=jacques
+#
+# Authors: Daniel Black
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/squid.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/squid.conf
new file mode 100644
index 0000000..58694c4
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/squid.conf
@@ -0,0 +1,16 @@
+# Fail2Ban filter for Squid attempted proxy bypasses
+#
+#
+
+[Definition]
+
+failregex = ^\s+\d\s\s+[A-Z_]+_DENIED/403 .*$
+ ^\s+\d\s\s+NONE/405 .*$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}Epoch
+ {^LN-BEG}
+
+# Author: Daniel Black
+
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/squirrelmail.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/squirrelmail.conf
new file mode 100644
index 0000000..31e922e
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/squirrelmail.conf
@@ -0,0 +1,12 @@
+
+[Definition]
+
+failregex = ^ \[LOGIN_ERROR\].*from : Unknown user or password incorrect\.$
+
+ignoreregex =
+
+datepattern = ^%%m/%%d/%%Y %%H:%%M:%%S
+
+# DEV NOTES:
+#
+# Author: Daniel Black
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/sshd-badproto.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/sshd-badproto.conf
new file mode 100644
index 0000000..f2a1242
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/sshd-badproto.conf
@@ -0,0 +1,6 @@
+[Definition]
+
+failregex = ^.*(sshd).*(Bad protocol).*(from ).*
+
+ignoreregex =
+
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/sshd.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/sshd.conf
new file mode 100644
index 0000000..ab5fd38
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/sshd.conf
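Review bot: The failregex in sshd-badproto.conf, `^.*(sshd).*(Bad protocol).*(from ).*`, is a catch-all: the file has no `[INCLUDES]`/`before = common.conf` and no `_daemon`, so any line in the watched log that merely contains "sshd", "Bad protocol" and "from" in that order counts as a failure, and the jail wired to it ([sshd-badproto] at L82) bans on the first hit for ever (`maxretry = 1`, `bantime = -1`), so a single false positive is a permanent lockout. That same jail section has `port = {{ ssh+port }}` where the [sshd] section uses `{{ ssh_port }}`; as written it will fail to render or produce a wrong port unless variables named `ssh` and `port` happen to exist. The message OpenSSH logs here is `Bad protocol version identification '<client-sent text>' from <ip> port <n>`, and the quoted part is chosen by the remote client, so the filter should be built on `%(__prefix_line)s`, match that exact wording, and keep the wildcard inside the quotes; newer upstream sshd.conf may already cover this message in its `mdre-ddos` set, in which case `mode = ddos` on the sshd jail would replace this file entirely.
```ini
[INCLUDES]
before = common.conf

[Definition]
_daemon = sshd

failregex = ^%(__prefix_line)sBad protocol version identification '.*' from <HOST>(?: port \d+)?(?: \[preauth\])?\s*$

ignoreregex =
```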
@@ -0,0 +1,105 @@
+# Fail2Ban filter for openssh
+#
+# If you want to protect OpenSSH from being bruteforced by password
+# authentication then get public key authentication working before disabling
+# PasswordAuthentication in sshd_config.
+#
+#
+# "Connection from port \d+" requires LogLevel VERBOSE in sshd_config
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[DEFAULT]
+
+_daemon = sshd
+
+# optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+__pref = (?:(?:error|fatal): (?:PAM: )?)?
+# optional suffix (logged from several ssh versions) like " [preauth]"
+__suff = (?: \[preauth\])?\s*
+__on_port_opt = (?: port \d+)?(?: on \S+(?: port \d+)?)?
+
+# for all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
+# see ssherr.c for all possible SSH_ERR_..._ALG_MATCH errors.
+__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+)
+
+[Definition]
+
+prefregex = ^%(__prefix_line)s%(__pref)s.+$
+
+cmnfailre = ^[aA]uthentication (?:failure|error|failed) for .* from ( via \S+)?\s*%(__suff)s$
+ ^User not known to the underlying authentication module for .* from \s*%(__suff)s$
+ ^Failed \S+ for invalid user (?P\S+)|(?:(?! from ).)*? from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
+ ^Failed \b(?!publickey)\S+ for (?Pinvalid user )?(?P\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+) from %(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
+ ^ROOT LOGIN REFUSED.* FROM \s*%(__suff)s$
+ ^[iI](?:llegal|nvalid) user .*?
from %(__on_port_opt)s\s*$
+ ^User .+ from not allowed because not listed in AllowUsers\s*%(__suff)s$
+ ^User .+ from not allowed because listed in DenyUsers\s*%(__suff)s$
+ ^User .+ from not allowed because not in any group\s*%(__suff)s$
+ ^refused connect from \S+ \(\)\s*%(__suff)s$
+ ^Received disconnect from %(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
+ ^User .+ from not allowed because a group is listed in DenyGroups\s*%(__suff)s$
+ ^User .+ from not allowed because none of user's groups are listed in AllowGroups\s*%(__suff)s$
+ ^pam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\s.*%(__suff)s$
+ ^(error: )?maximum authentication attempts exceeded for .* from %(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
+ ^User .+ not allowed because account is locked%(__suff)s
+ ^Disconnecting: Too many authentication failures(?: for .+?)?%(__suff)s
+ ^Received disconnect from : 11:
+ ^Connection closed by %(__suff)s$
+ ^Accepted publickey for \S+ from (?:\s|$)
+
+mdre-normal =
+
+mdre-ddos = ^Did not receive identification string from %(__suff)s$
+ ^Connection reset by %(__on_port_opt)s%(__suff)s
+ ^SSH: Server;Ltype: (?:Authname|Version|Kex);Remote: -\d+;[A-Z]\w+:
+ ^Read from socket failed: Connection reset by peer%(__suff)s
+
+mdre-extra = ^Received disconnect from %(__on_port_opt)s:\s*14: No supported authentication methods available%(__suff)s$
+ ^Unable to negotiate with %(__on_port_opt)s: no matching <__alg_match> found.
+ ^Unable to negotiate a <__alg_match>%(__suff)s$
+ ^no matching <__alg_match> found:
+
+mdre-aggressive = %(mdre-ddos)s
+ %(mdre-extra)s
+
+cfooterre = ^Connection from
+
+failregex = %(cmnfailre)s
+ >
+ %(cfooterre)s
+
+# Parameter "mode": normal (default), ddos, extra or aggressive (combines all)
+# Usage example (for jail.local):
+# [sshd]
+# mode = extra
+# # or another jail (rewrite filter parameters of jail):
+# [sshd-aggressive]
+# filter = sshd[mode=aggressive]
+#
+mode = normal
+
+#filter = sshd[mode=aggressive]
+
+ignoreregex =
+
+maxlines = 1
+
+journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
+
+datepattern = {^LN-BEG}
+
+# DEV Notes:
+#
+# "Failed \S+ for .*? from ..." failregex uses non-greedy catch-all because
+# it is coming before use of which is not hard-anchored at the end as well,
+# and later catch-all's could contain user-provided input, which need to be greedily
+# matched away first.
+#
+# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black and Sergey Brester aka sebres
+# Rewritten using prefregex (and introduced "mode" parameter) by Serg G. Brester.
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/stunnel.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/stunnel.conf
new file mode 100644
index 0000000..2396d89
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/stunnel.conf
@@ -0,0 +1,13 @@
+# Fail2ban filter for stunnel
+
+[Definition]
+
+failregex = ^ LOG\d\[\d+:\d+\]:\ SSL_accept from :\d+ : (?P[\dA-F]+): error:(?P=CODE):SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate$
+
+ignoreregex =
+
+# DEV NOTES:
+#
+# Author: Daniel Black
+#
+# Based off: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#stunnel4
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/suhosin.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/suhosin.conf
new file mode 100644
index 0000000..46fbe38
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/suhosin.conf
@@ -0,0 +1,28 @@
+# Fail2Ban filter for suhosian PHP hardening
+#
+# This occurs with lighttpd or directly from the plugin
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = (?:lighttpd|suhosin)
+
+
+_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)
+
+failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .*? \(attacker '', file '[^']*'(?:, line \d+)?\)$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
+#
+# Author: Arturo 'Buanzo' Busleiman
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/tine20.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/tine20.conf
new file mode 100644
index 0000000..a80d89e
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/tine20.conf
@@ -0,0 +1,24 @@
+# Fail2Ban filter for Tine 2.0 authentication
+#
+# Enable logging with:
+# $config['info_log']='/var/log/tine20/tine20.log';
+#
+
+[Definition]
+
+failregex = ^[\da-f]{5,} [\da-f]{5,} (-- none --|.*?)( \d+(\.\d+)?(h|m|s|ms)){0,2} - WARN \(\d+\): Tinebase_Controller::login::\d+ Login with username .*? from failed \(-[13]\)!$
+
+ignoreregex =
+
+datepattern = ^[^-]+ -- [^-]+ -- - ({DATE})
+ {^LN-BEG}
+
+# Author: Mika (mkl) from Tine20.org forum: https://www.tine20.org/forum/viewtopic.php?f=2&t=15688&p=54766
+# Editor: Daniel Black
+# Advisor: Lars Kneschke
+#
+# Usernames can contain spaces.
+#
+# Authentication: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Controller.php#l105
+# Logger: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Log/Formatter.php
+# formatMicrotimeDiff: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Helper.php#l276
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/uwimap-auth.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/uwimap-auth.conf
new file mode 100644
index 0000000..f734eb7
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/uwimap-auth.conf
@@ -0,0 +1,17 @@
+# Fail2Ban filter for uwimap
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:ipop3d|imapd)
+
+failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|SYSTEM BREAK-IN ATTEMPT) user=\S* auth=\S* host=.*\[\]\s*$
+ ^%(__prefix_line)sFailed .* override of user=.* host=.*\[\]\s*$
+
+ignoreregex =
+
+# Author: Amir Caspi
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/vsftpd.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/vsftpd.conf
new file mode 100644
index 0000000..2ecc44d
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/vsftpd.conf
@@ -0,0 +1,22 @@
+# Fail2Ban filter for vsftp
+#
+# Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch
+# /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the
+# incoming ip address rather than domain names.
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
+_daemon = vsftpd
+
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=(?:\s+user=.*)?\s*$
+ ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client ""(?:\s*$|,)
+
+ignoreregex =
+
+# Author: Cyril Jaquier
+# Documentation from fail2ban wiki
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/webmin-auth.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/webmin-auth.conf
new file mode 100644
index 0000000..a0f014c
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/webmin-auth.conf
@@ -0,0 +1,22 @@
+# Fail2Ban filter for webmin
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = webmin
+
+failregex = ^%(__prefix_line)sNon-existent login as .+ from \s*$
+ ^%(__prefix_line)sInvalid login as .+ from \s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# pattern : webmin[15673]: Non-existent login as toto from 86.0.6.217
+# webmin[29544]: Invalid login as root from 86.0.6.217
+#
+# Rule Author: Delvit Guillaume
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/wuftpd.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/wuftpd.conf
new file mode 100644
index 0000000..6f6700e
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/wuftpd.conf
@@ -0,0 +1,22 @@
+# Fail2Ban configuration file for wuftpd
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = wu-ftpd
+__pam_re=\(?%(__pam_auth)s(?:\(wu-ftpd:auth\))?\)?:?
+
+failregex = ^%(__prefix_line)sfailed login from \S+ \[\]\s*$
+ ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=(?:\s+user=.*)?\s*$
+
+
+ignoreregex =
+
+# Author: Yaroslav Halchenko
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/xinetd-fail.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/xinetd-fail.conf
new file mode 100644
index 0000000..b4093d9
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/xinetd-fail.conf
@@ -0,0 +1,29 @@
+# Fail2Ban filter for xinetd failures
+#
+# Cfr.: /var/log/(daemon\.|sys)log
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = xinetd
+
+prefregex = ^%(__prefix_line)sFAIL: .+$
+
+failregex = ^\S+ address from=$
+ ^\S+ libwrap from=$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# libwrap => tcp wrappers: hosts.(allow|deny)
+# address => xinetd: deny_from|only_from
+#
+# Author: Guido Bozzetto
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/zoneminder.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/zoneminder.conf
new file mode 100644
index 0000000..cc82755
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/zoneminder.conf
@@ -0,0 +1,21 @@
+# Fail2Ban filter for Zoneminder login failures
+
+[INCLUDES]
+before = apache-common.conf
+
+[Definition]
+
+# pattern: [Wed Apr 27 23:12:07.736196 2016] [:error] [pid 2460] [client 10.1.1.1:47296] WAR [Login denied for user "test"], referer: https://zoneminderurl/index.php
+#
+#
+# Option: failregex
+# Notes.: regex to match the password failure messages in the logfile.
+
+failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\]
+
+ignoreregex =
+
+# Notes:
+# Tested on Zoneminder 1.29.0
+#
+# Author: John Marzella
diff --git a/ansible/roles/fail2ban/files/fail2ban/jail.local b/ansible/roles/fail2ban/files/fail2ban/jail.local
new file mode 100644
index 0000000..40156d3
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/jail.local
@@ -0,0 +1,949 @@
+#
+# WARNING: heavily refactored in 0.9.0 release. Please review and
+# customize settings for your setup.
+#
+# Changes: in most of the cases you should not modify this
+# file, but provide customizations in jail.local file,
+# or separate .conf files under jail.d/ directory, e.g.:
+#
+# HOW TO ACTIVATE JAILS:
+#
+# YOU SHOULD NOT MODIFY THIS FILE.
+#
+# It will probably be overwritten or improved in a distribution update.
+#
+# Provide customizations in a jail.local file or a jail.d/customisation.local.
+# For example to change the default bantime for all jails and to enable the
+# ssh-iptables jail the following (uncommented) would appear in the .local file.
+# See man 5 jail.conf for details.
+#
+# [DEFAULT]
+# bantime = 1h
+#
+# [sshd]
+# enabled = true
+#
+# See jail.conf(5) man page for more information
+
+
+
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+
+
+[INCLUDES]
+
+#before = paths-distro.conf
+before = paths-debian.conf
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+#
+# MISCELLANEOUS OPTIONS
+#
+
+# "ignorself" specifies whether the local resp. own IP addresses should be ignored
+# (default is true). Fail2ban will not ban a host which matches such addresses.
+#ignorself = true
+
+# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
+# will not ban a host which matches an address in this list. Several addresses
+# can be defined using space (and/or comma) separator.
+#ignoreip = 127.0.0.1/8 ::1
+
+# External command that will take an tagged arguments to ignore, e.g. ,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command
+ignorecommand =
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = 10m
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = 10m
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5
+
+# "backend" specifies the backend used to get files modification.
+# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
+# This option can be overridden in each jail as well.
+#
+# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
+# If pyinotify is not installed, Fail2ban will use auto.
+# gamin: requires Gamin (a file alteration monitor) to be installed.
+# If Gamin is not installed, Fail2ban will use auto.
+# polling: uses a polling algorithm which does not require external libraries.
+# systemd: uses systemd python library to access the systemd journal.
+# Specifying "logpath" is not valid for this backend.
+# See "journalmatch" in the jails associated filter config
+# auto: will try to use the following backends, in order:
+# pyinotify, gamin, polling.
+#
+# Note: if systemd backend is chosen as the default but you enable a jail
+# for which logs are present only in its own log files, specify some other
+# backend for that jail (e.g. polling) and provide empty value for
+# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
+backend = auto
+
+# "usedns" specifies if jails should trust hostnames in logs,
+# warn when DNS lookups are performed, or ignore all hostnames in logs
+#
+# yes: if a hostname is encountered, a DNS lookup will be performed.
+# warn: if a hostname is encountered, a DNS lookup will be performed,
+# but it will be logged as a warning.
+# no: if a hostname is encountered, will not be used for banning,
+# but it will be logged as info.
+# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user)
+usedns = warn
+
+# "logencoding" specifies the encoding of the log files handled by the jail
+# This is used to decode the lines from the log file.
+# Typical examples: "ascii", "utf-8"
+#
+# auto: will use the system locale setting
+logencoding = auto
+
+# "enabled" enables the jails.
+# By default all jails are disabled, and it should stay this way.
+# Enable only relevant to your setup jails in your .local or jail.d/*.conf
+#
+# true: jail will be enabled and log files will get monitored for changes
+# false: jail is not enabled
+enabled = false
+
+
+# "mode" defines the mode of the filter (see corresponding filter implementation for more info).
+mode = normal
+
+# "filter" defines the filter to use by the jail.
+# By default jails have names matching their filter name
+#
+filter = %(__name__)s[mode=%(mode)s]
+
+
+#
+# ACTIONS
+#
+
+# Some options used for actions
+
+# Destination email address used solely for the interpolations in
+# jail.{conf,local,d/*} configuration files.
+destemail = {{ email }}
+
+# Sender email address used solely for some actions
+sender = admin@bookstack
+
+# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
+# mailing. Change mta configuration parameter to mail if you want to
+# revert to conventional 'mail'.
+mta = mail
+
+# Default protocol
+protocol = tcp
+
+# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
+chain =
+
+# Ports to be banned
+# Usually should be overridden in a particular jail
+port = 0:65535
+
+# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
+fail2ban_agent = Fail2Ban/%(fail2ban_version)s
+
+#
+# Action shortcuts. To be used to define action parameter
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables.
Can be overridden globally or per
+# section within jail.local file
+banaction = iptables-multiport
+banaction_allports = iptables-allports
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+
+# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
+#
+# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
+# to the destemail.
+action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
+
+# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
+ %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+
+# Report block via blocklist.de fail2ban reporting service API
+#
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
+# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
+# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
+# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in
+# corresponding jail.d/my-jail.local file).
+#
+action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
+
+# Report ban via badips.com, and use as blacklist
+#
+# See BadIPsAction docstring in config/action.d/badips.py for
+# documentation for this action.
+#
+# NOTE: This action relies on banaction being present on start and therefore
+# should be last action defined for a jail.
+#
+action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
+#
+# Report ban via badips.com (uses action.d/badips.conf for reporting only)
+#
+action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
+
+# Report ban via abuseipdb.com.
+#
+# See action.d/abuseipdb.conf for usage example and details.
+#
+action_abuseipdb = abuseipdb
+
+# Choose default action. To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(action_mwl)s
+
+
+#
+# JAILS
+#
+
+#
+# SSH servers
+#
+
+[sshd]
+
+# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
+# normal (default), ddos, extra or aggressive (combines all).
+# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
+#mode = normal
+port = {{ ssh_port }}
+logpath = %(sshd_log)s
+backend = %(sshd_backend)s
+maxretry = 2
+bantime = -1
+
+[dropbear]
+
+port = ssh
+logpath = %(dropbear_log)s
+backend = %(dropbear_backend)s
+
+
+[selinux-ssh]
+
+port = ssh
+logpath = %(auditd_log)s
+
+
+#
+# HTTP servers
+#
+
+[apache-auth]
+
+port = http,https
+logpath = %(apache_error_log)s
+
+
+[apache-badbots]
+# Ban hosts which agent identifies spammer robots crawling the web
+# for email addresses. The mail outputs are buffered.
+port = http,https
+logpath = %(apache_access_log)s
+bantime = 48h
+maxretry = 1
+
+
+[apache-noscript]
+
+port = http,https
+logpath = %(apache_error_log)s
+
+
+[apache-overflows]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-nohome]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-botsearch]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-fakegooglebot]
+
+port = http,https
+logpath = %(apache_access_log)s
+maxretry = 1
+ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot
+
+
+[apache-modsecurity]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-shellshock]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 1
+
+
+[openhab-auth]
+
+filter = openhab
+action = iptables-allports[name=NoAuthFailures]
+logpath = /opt/openhab/logs/request.log
+
+[nginx-http-auth]
+
+enabled = {{ nginx_http_auth }}
+port = http,https
+logpath = %(nginx_error_log)s
+
+# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
+# and define `limit_req` and `limit_req_zone` as described in nginx documentation
+# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
+# or for example see in 'config/filter.d/nginx-limit-req.conf'
+[nginx-limit-req]
+port = http,https
+logpath = %(nginx_error_log)s
+
+[nginx-botsear
ch]
+
+enabled = {{ nginx_botsearch }}
+port = http,https
+logpath = %(nginx_error_log)s
+maxretry = 2
+
+[nginx-noproxy]
+
+enabled = {{ nginx_noproxy }}
+port = http,https
+filter = nginx-noproxy
+logpath = /var/log/nginx/access.log
+maxretry = 2
+
+[nginx-noscript]
+
+enabled = {{ nginx_noscript }}
+port = http,https
+filter = nginx-noscript
+logpath = /var/log/nginx/access.log
+maxretry = 6
+
+[nginx-nohome]
+
+enabled = {{ nginx_nohome }}
+port = http,https
+filter = nginx-nohome
+logpath = /var/log/nginx/access.log
+maxretry = 2
+
+
+[nginx-noscan]
+enabled = {{ nginx_noscan }}
+port = http,https
+filter = nginx-noscan
+logpath = /var/log/nginx/access.log
+maxretry = 1
+bantime = -1
+
+[nginx-noenv]
+enabled = {{ nginx_noenv }}
+port = http,https
+filter = nginx-noenv
+logpath = /var/log/nginx/access.log
+maxretry = 1
+bantime = 4
+
+
+[nginx-nobinary]
+enabled = {{ nginx_nobinary }}
+port = http,https
+filter = nginx-nobinary
+logpath = /var/log/nginx/access.log
+maxretry = 1
+bantime = -1
+
+[sshd-badproto]
+enabled = {{ sshd_badproto }}
+port = {{ ssh+port }}
+filter = sshd-badproto
+logpath = /var/log/auth.log
+maxretry = 1
+bantime = -1
+
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+
+[php-url-fopen]
+
+port = http,https
+logpath = %(nginx_access_log)s
+ %(apache_access_log)s
+
+
+[suhosin]
+
+port = http,https
+logpath = %(suhosin_log)s
+
+
+[lighttpd-auth]
+# Same as above for Apache's mod_auth
+# It catches wrong authentifications
+port = http,https
+logpath = %(lighttpd_error_log)s
+
+
+#
+# Webmail and groupware servers
+#
+
+[roundcube-auth]
+
+port = http,https
+logpath = %(roundcube_errors_log)s
+# Use following line in your jail.local if roundcube logs to journal.
+#backend = %(syslog_backend)s
+
+
+[openwebmail]
+
+port = http,https
+logpath = /var/log/openwebmail.log
+
+
+[horde]
+
+port = http,https
+logpath = /var/log/horde/horde.log
+
+
+[groupoffice]
+
+port = http,https
+logpath = /home/groupoffice/log/info.log
+
+
+[sogo-auth]
+# Monitor SOGo groupware server
+# without proxy this would be:
+# port = 20000
+port = http,https
+logpath = /var/log/sogo/sogo.log
+
+
+[tine20]
+
+logpath = /var/log/tine20/tine20.log
+port = http,https
+
+
+#
+# Web Applications
+#
+#
+
+[drupal-auth]
+
+port = http,https
+logpath = %(syslog_daemon)s
+backend = %(syslog_backend)s
+
+[guacamole]
+
+port = http,https
+logpath = /var/log/tomcat*/catalina.out
+
+[monit]
+#Ban clients brute-forcing the monit gui login
+port = 2812
+logpath = /var/log/monit
+
+
+[webmin-auth]
+
+port = 10000
+logpath = %(syslog_authpriv)s
+backend = %(syslog_backend)s
+
+
+[froxlor-auth]
+
+port = http,https
+logpath = %(syslog_authpriv)s
+backend = %(syslog_backend)s
+
+
+#
+# HTTP Proxy servers
+#
+#
+
+[squid]
+
+port = 80,443,3128,8080
+logpath = /var/log/squid/access.log
+
+
+[3proxy]
+
+port = 3128
+logpath = /var/log/3proxy.log
+
+
+#
+# FTP servers
+#
+
+
+[proftpd]
+
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(proftpd_log)s
+backend = %(proftpd_backend)s
+
+
+[pure-ftpd]
+
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(pureftpd_log)s
+backend = %(pureftpd_backend)s
+
+
+[gssftpd]
+
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(syslog_daemon)s
+backend = %(syslog_backend)s
+
+
+[wuftpd]
+
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(wuftpd_log)s
+backend = %(wuftpd_backend)s
+
+
+[vsftpd]
+# or overwrite it in jails.local to be
+# logpath = %(syslog_authpriv)s
+# if you want to rely on PAM failed login attempts
+# vsftpd's failregex should match both of those formats
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(vsftpd_log)s
+
+
+#
+# Mail servers
+#
+
+# ASSP SMTP Proxy Jail
+[assp]
+
+port = smtp,465,submission
+logpath = /root/path/to/assp/logs/maillog.txt
+
+
+[courier-smtp]
+
+port = smtp,465,submission
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[postfix]
+# To use another modes set filter parameter "mode" in jail.local:
+mode = more
+port = smtp,465,submission
+logpath = %(postfix_log)s
+backend = %(postfix_backend)s
+
+
+[postfix-rbl]
+
+filter = postfix[mode=rbl]
+port = smtp,465,submission
+logpath = %(postfix_log)s
+backend = %(postfix_backend)s
+maxretry = 1
+
+
+[sendmail-auth]
+
+port = submission,465,smtp
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[sendmail-reject]
+# To use more aggressive modes set filter parameter "mode" in jail.local:
+# normal (default), extra or aggressive
+# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
+#mode = normal
+port = smtp,465,submission
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[qmail-rbl]
+
+filter = qmail
+port = smtp,465,submission
+logpath = /service/qmail/log/main/current
+
+
+# dovecot defaults to logging to the mail syslog facility
+# but can be set by syslog_facility in the dovecot configuration.
+[dovecot]
+
+port = pop3,pop3s,imap,imaps,submission,465,sieve
+logpath = %(dovecot_log)s
+backend = %(dovecot_backend)s
+
+
+[sieve]
+
+port = smtp,465,submission
+logpath = %(dovecot_log)s
+backend = %(dovecot_backend)s
+
+
+[solid-pop3d]
+
+port = pop3,pop3s
+logpath = %(solidpop3d_log)s
+
+
+[exim]
+# see filter.d/exim.conf for further modes supported from filter:
+#mode = normal
+port = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[exim-spam]
+
+port = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[kerio]
+
+port = imap,smtp,imaps,465
+logpath = /opt/kerio/mailserver/store/logs/security.log
+
+
+#
+# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
+# all relevant ports get banned
+#
+
+[courier-auth]
+
+port = smtp,465,submission,imap,imaps,pop3,pop3s
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[postfix-sasl]
+
+filter = postfix[mode=auth]
+port = smtp,465,submission,imap,imaps,pop3,pop3s
+# You might consider monitoring /var/log/mail.warn instead if you are
+# running postfix since it would provide the same log lines at the
+# "warn" level but overall at the smaller filesize.
+logpath = %(postfix_log)s
+backend = %(postfix_backend)s
+
+
+[perdition]
+
+port = imap,imaps,pop3,pop3s
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[squirrelmail]
+
+port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
+logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
+
+
+[cyrus-imap]
+
+port = imap,imaps
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[uwimap-auth]
+
+port = imap,imaps
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+#
+#
+# DNS servers
+#
+
+
+# !!! WARNING !!!
+# Since UDP is connection-less protocol, spoofing of IP and imitation
+# of illegal actions is way too simple. Thus enabling of this filter
+# might provide an easy way for implementing a DoS against a chosen
+# victim. See
+# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+# Please DO NOT USE this jail unless you know what you are doing.
+#
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks UDP traffic for DNS requests.
+# [named-refused-udp]
+#
+# filter = named-refused
+# port = domain,953
+# protocol = udp
+# logpath = /var/log/named/security.log
+
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks TCP traffic for DNS requests.
+
+[named-refused]
+
+port = domain,953
+logpath = /var/log/named/security.log
+
+
+[nsd]
+
+port = 53
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+logpath = /var/log/nsd.log
+
+
+#
+# Miscellaneous
+#
+
+[asterisk]
+
+port = 5060,5061
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+ %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
+logpath = /var/log/asterisk/messages
+maxretry = 10
+
+
+[freeswitch]
+
+port = 5060,5061
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+ %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
+logpath = /var/log/freeswitch.log
+maxretry = 10
+
+
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
+# equivalent section:
+# log-warning = 2
+#
+# for syslog (daemon facility)
+# [mysqld_safe]
+# syslog
+#
+# for own logfile
+# [mysqld]
+# log-error=/var/log/mysqld.log
+[mysqld-auth]
+
+port = 3306
+logpath = %(mysql_log)s
+backend = %(mysql_backend)s
+
+
+# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
+[mongodb-auth]
+# change port when running with "--shardsvr" or "--configsvr" runtime operation
+port = 27017
+logpath = /var/log/mongodb/mongodb.log
+
+
+# Jail for more extended banning of persistent abusers
+# !!! WARNINGS !!!
+# 1. Make sure that your loglevel specified in fail2ban.conf/.local
+# is not at DEBUG level -- which might then cause fail2ban to fall into
+# an infinite loop constantly feeding itself with non-informative lines
+# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
+# to maintain entries for failed logins for sufficient amount of time
+[recidive]
+
+logpath = /var/log/fail2ban.log
+banaction = %(banaction_allports)s
+bantime = 1w
+findtime = 1d
+
+
+# Generic filter for PAM. Has to be used with action which bans all
+# ports such as iptables-allports, shorewall
+
+[pam-generic]
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+banaction = %(banaction_allports)s
+logpath = %(syslog_authpriv)s
+backend = %(syslog_backend)s
+
+
+[xinetd-fail]
+
+banaction = iptables-multiport-log
+logpath = %(syslog_daemon)s
+backend = %(syslog_backend)s
+maxretry = 2
+
+
+# stunnel - need to set port for this
+[stunnel]
+
+logpath = /var/log/stunnel4/stunnel.log
+
+
+[ejabberd-auth]
+
+port = 5222
+logpath = /var/log/ejabberd/ejabberd.log
+
+
+[counter-strike]
+
+logpath = /opt/cstrike/logs/L[0-9]*.log
+# Firewall: http://www.cstrike-planet.com/faq/6
+tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
+udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+
+logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
+backend = %(syslog_backend)s
+maxretry = 1
+
+
+[oracleims]
+# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
+logpath = /opt/sun/comms/messaging64/log/mail.log_current
+banaction = %(banaction_allports)s
+
+[directadmin]
+logpath = /var/log/directadmin/login.log
+port = 2222
+
+[portsentry]
+logpath = /var/lib/portsentry/portsentry.history
+maxretry = 1
+
+[pass2allow-ftp]
+# this pass2allow example allows FTP traffic after successful HTTP authentication
+port = ftp,ftp-data,ftps,ftps-data
+# knocking_url variable must be overridden to some secret value in jail.local
+knocking_url = /knocking/
+filter = apache-pass[knocking_url="%(knocking_url)s"]
+# access log of the website with HTTP auth
+logpath = %(apache_access_log)s
+blocktype = RETURN
+returntype = DROP
+action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s]
+bantime = 1h
+maxretry = 1
+findtime = 1
+
+
+[murmur]
+# AKA mumble-server
+port = 64738
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
+logpath = /var/log/mumble-server/mumble-server.log
+
+
+[screensharingd]
+# For Mac OS Screen Sharing Service (VNC)
+logpath = /var/log/system.log
+logencoding = utf-8
+
+[haproxy-http-auth]
+# HAProxy by default doesn't log to file you'll need to set it up to forward
+# logs to a syslog server which would then write them to disk.
+# See "haproxy-http-auth" filter for a brief cautionary note when setting
+# maxretry and findtime.
+logpath = /var/log/haproxy.log
+
+[slapd]
+port = ldap,ldaps
+logpath = /var/log/slapd.log
+
+[domino-smtp]
+port = smtp,ssmtp
+logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
+
+[phpmyadmin-syslog]
+port = http,https
+logpath = %(syslog_authpriv)s
+backend = %(syslog_backend)s
+
+
+[zoneminder]
+# Zoneminder HTTP/HTTPS web interface auth
+# Logs auth failures to apache2 error log
+port = http,https
+logpath = %(apache_error_log)s
+
diff --git a/ansible/roles/fail2ban/handlers/main.yml b/ansible/roles/fail2ban/handlers/main.yml
new file mode 100644
index 0000000..e56a064
--- /dev/null
+++ b/ansible/roles/fail2ban/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+# handlers file for /etc/ansible/roles/fail2ban
+#
+
+- name: restart fail2ban
+ service: name=fail2ban state=restarted
+
diff --git a/ansible/roles/fail2ban/meta/main.yml b/ansible/roles/fail2ban/meta/main.yml
new file mode 100644
index 0000000..446b823
--- /dev/null
+++ b/ansible/roles/fail2ban/meta/main.yml
@@ -0,0 +1,53 @@
+galaxy_info:
+ author: Shaun Reed
+ description: A template for basic fail2ban configuration
+ company: (optional)
+
+ # If the issue tracker for your role is not on github, uncomment the
+ # next line and provide a value
+ # issue_tracker_url: http://example.com/issue/tracker
+
+ # Choose a valid license ID from https://spdx.org - some suggested licenses:
+ # - BSD-3-Clause (default)
+ # - MIT
+ # - GPL-2.0-or-later
+ # - GPL-3.0-only
+ # - Apache-2.0
+ # - CC-BY-4.0
+ license: license (GPL-2.0-or-later, MIT, etc)
+
+ min_ansible_version: 2.4
+
+ # If this a Container Enabled role, provide the minimum Ansible Container version.
+ # min_ansible_container_version:
+
+ #
+ # Provide a list of supported platforms, and for each platform a list of versions.
+ # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+ # To view available platforms and versions (or releases), visit:
+ # https://galaxy.ansible.com/api/v1/platforms/
+ #
+ # platforms:
+ # - name: Fedora
+ # versions:
+ # - all
+ # - 25
+ # - name: SomePlatform
+ # versions:
+ # - all
+ # - 1.0
+ # - 7
+ # - 99.99
+
+ galaxy_tags: []
+ # List tags for your role here, one per line. A tag is a keyword that describes
+ # and categorizes the role. Users find roles by searching for tags. Be sure to
+ # remove the '[]' above, if you add tags to this list.
+ #
+ # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+ # Maximum 20 tags per role.
+
+dependencies: []
+ # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+ # if you add dependencies to this list.
+
diff --git a/ansible/roles/fail2ban/tasks/configure.yml b/ansible/roles/fail2ban/tasks/configure.yml
new file mode 100644
index 0000000..e332f81
--- /dev/null
+++ b/ansible/roles/fail2ban/tasks/configure.yml
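Review bot: `license: license (GPL-2.0-or-later, MIT, etc)` and `company: (optional)` are still the `ansible-galaxy init` placeholder strings, so the metadata declares no real license identifier and Galaxy import or a meta linter would reject it. Replace the license line with a single SPDX id, e.g. `license: BSD-3-Clause`, and either fill in or drop the `company` key. The empty `galaxy_tags: []` and `dependencies: []` are fine as they are.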
@@ -0,0 +1,7 @@
+---
+- name: Copy fail2ban jail.local configuration
+ template: src=files/fail2ban/jail.local dest=/etc/fail2ban/jail.local
+
+- name: Copy fail2ban jail filters
+ copy: src=files/fail2ban/filter.d/ dest=/etc/fail2ban/filter.d/
+
diff --git a/ansible/roles/fail2ban/tasks/install.yml b/ansible/roles/fail2ban/tasks/install.yml
new file mode 100644
index 0000000..4233fc2
--- /dev/null
+++ b/ansible/roles/fail2ban/tasks/install.yml
@@ -0,0 +1,4 @@
+---
+- name: Install packages
+ apt: name="{{ item }}" state=latest
+ with_items: "{{ packages }}"
diff --git a/ansible/roles/fail2ban/tasks/main.yml b/ansible/roles/fail2ban/tasks/main.yml
new file mode 100644
index 0000000..7ba00f2
--- /dev/null
+++ b/ansible/roles/fail2ban/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+# tasks file for /etc/ansible/roles/nginx
+
+- import_tasks: install.yml
+- import_tasks: configure.yml
+- import_tasks: service.yml
+
diff --git a/ansible/roles/fail2ban/tasks/service.yml b/ansible/roles/fail2ban/tasks/service.yml
new file mode 100644
index 0000000..c985524
--- /dev/null
+++ b/ansible/roles/fail2ban/tasks/service.yml
@@ -0,0 +1,3 @@
+---
+- name: Start and enable fail2ban service
+ service: name=fail2ban state=restarted enabled=yes
diff --git a/ansible/roles/fail2ban/vars/main.yml b/ansible/roles/fail2ban/vars/main.yml
new file mode 100644
index 0000000..5528d66
--- /dev/null
+++ b/ansible/roles/fail2ban/vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for /etc/ansible/roles/fail2ban
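Review bot: Neither the `template` task nor the `copy` task in configure.yml notifies the `restart fail2ban` handler that handlers/main.yml defines, so the handler is dead code and a changed jail.local or filter only takes effect because service.yml restarts the daemon unconditionally. Add `notify: restart fail2ban` to both tasks so the restart is tied to an actual configuration change. Both tasks also write under /etc/fail2ban without `owner`, `group` or `mode`, leaving the resulting permissions to the remote umask; `owner: root`, `group: root` and `mode: "0644"` would make the intended permissions explicit. Keeping the Jinja-templated jail.local under `files/` rather than `templates/` presumably works through role-relative lookup, but it is easy to mistake for a static file.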
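Review bot: `state=latest` in install.yml upgrades fail2ban (and anything else listed in `packages`) to whatever the configured apt sources currently offer on every play run, so the task is never idempotent and an unreviewed upstream package change rolls straight onto the hosts; `state: present` installs without silently upgrading. The `with_items` loop also runs one apt transaction per package, whereas apt accepts a list, so `name: "{{ packages }}"` without the loop does the same work in a single transaction.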
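Review bot: The header comment in tasks/main.yml, `# tasks file for /etc/ansible/roles/nginx`, names the wrong role, which looks like a copy-paste leftover; it should read `# tasks file for /etc/ansible/roles/fail2ban`, matching the comments in handlers/main.yml and vars/main.yml in the same commit.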
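Review bot: The task in service.yml is named "Start and enable" but uses `state=restarted`, which restarts fail2ban on every play run even when nothing changed, so every run reports a change and briefly interrupts the jails. Use `service: name=fail2ban state=started enabled=yes` here and let the configuration tasks notify the existing `restart fail2ban` handler, so a restart happens only when jail.local or a filter actually changed.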