This is an old revision of the document!
# apt install fail2ban # cd /etc/fail2ban/
# pkg install py27-fail2ban # cat /etc/rc.conf
... fail2ban_enable="YES"
# cd /usr/local/etc/fail2ban/
# cat jail.conf # ls jail.d/ # cat filter.d/sshd.conf # cat filter.d/asterisk.conf
# cat jail.local
[sshd] maxretry = 6 [asterisk] enabled = true maxretry = 3
# cat jail.local
[sshd] enabled = true filter = sshd action = pf maxretry = 6 logpath = /var/log/auth.log [asterisk] # ignoreip = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 enabled = true action = pf maxretry = 3
# service fail2ban reload
# service fail2ban start
# tail -f /var/log/fail2ban.log
# fail2ban-client status # fail2ban-client status asterisk # fail2ban-client set asterisk unbanip 172.16.1.21 # tail -f /var/log/fail2ban.log
# fail2ban-regex /var/log/tmp_file.log /etc/fail2ban/filter.d/tmp_file_filter.conf
# cat action.d/tmp_file_action.conf
[Definition] actionban = echo "`date` f2ban detect ip: <ip>" >> /tmp/file_action.log
# cat jail.d/snort_jail.conf
[snort] enabled = true bantime = 300 filter = snort_filter maxretry = 1 logpath = /var/log/auth.log #action = iptables-allports #action = cisco-acl
# cat filter.d/snort_filter.conf
[INCLUDES] [Definition] failregex = .*snort.*Priority: 1.*} <HOST>.* # .*snort.*Priority: 2.*} <HOST>.* ignoreregex =
# iptables -A FORWARD -j f2b-default
# cat /root/cisco-acl-deny.sh
#!/bin/sh fail2ban-client status snort | grep Banned | cut -d':' -f2 | tr -s ' ' | tr " " "\n" | while read ip do test -z "$ip" && continue echo " deny ip host $ip any" done
# cat /root/cisco-acl-permit.txt
permit tcp any host 192.168.X.10 eq 80 permit tcp any host 192.168.X.10 eq 22 permit icmp any 192.168.X.0 0.0.0.255 permit ip any host 172.16.1.X permit udp any any permit tcp any any established deny ip any any log end
# cat /root/cisco-change-firewall.sh
#!/bin/sh cat > /root/firewall.acl <<EOF no ip access-list extended ACL_FIREWALL ip access-list extended ACL_FIREWALL EOF /root/cisco-acl-deny.sh >> /root/firewall.acl cat /root/cisco-acl-permit.txt >> /root/firewall.acl /usr/bin/rcp /root/firewall.acl router:running-config
# cat /etc/fail2ban/action.d/cisco-acl.conf
[Definition] actionban = /root/cisco-change-firewall.sh actionunban = /root/cisco-change-firewall.sh
# cat /etc/fail2ban/jail.d/cisco-change-config.conf
[cisco-change-config] enabled = true maxretry = 1 bantime = 30 filter = cisco-change-config logpath = /var/log/cisco.log action = cisco-backup-config
# cat /etc/fail2ban/filter.d/cisco-change-config.conf
[INCLUDES] [Definition] failregex = <HOST>.*Configured from console.*
# cat /etc/fail2ban/action.d/cisco-backup-config.conf
[Definition] actionban = /usr/bin/sshpass -p cisco /usr/bin/scp <ip>:running-config /srv/tftp/<ip>-running-config
# less filter.d/asterisk.conf
[INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>\S+) # Values: TEXT # failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - ACL error (permit/deny) NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - No matching peer found NOTICE.* .*: Registration from '\".*\".*' failed for '<HOST>:.*' - Wrong password NOTICE.* <HOST> failed to authenticate as '.*'$ NOTICE.* .*: No registration for peer '.*' \(from <HOST>\) NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' (.*) NOTICE.* .*: Failed to authenticate user .*@<HOST>.* NOTICE.* .*: <HOST> failed to authenticate as '.*' NOTICE.* .*: <HOST> tried to authenticate with nonexistent user '.*' VERBOSE.*SIP/<HOST>-.*Received incoming SIP connection from unknown peer NOTICE.* .*: Sending fake auth rejection for device.* \(<HOST>:.*\) NOTICE.* .*: Sending fake auth rejection for device .*\<sip:.*\@.*\>;tag=.* \(<HOST>:.*\) NOTICE.* .*: Failed to authenticate device .*\<sip:.*\@.*\>;tag=.* \(<HOST>:.*\) NOTICE.* .*: Sending fake auth rejection for device.* \(<HOST>:.*\) NOTICE.* .*: Sending fake auth rejection for device .*\;tag=.* \(<HOST>:.*\) # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =
failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.+?".* SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.+?".* SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.+?".* SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.+?".*