From 38d3f01a511d168328e310f8c441698969ec1d5f Mon Sep 17 00:00:00 2001 From: Sander Hoentjen Date: Tue, 8 Mar 2016 13:58:03 +0100 Subject: [PATCH 001/408] add support for the CSF firewall --- config/action.d/csf.conf | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 config/action.d/csf.conf diff --git a/config/action.d/csf.conf b/config/action.d/csf.conf new file mode 100644 index 00000000..c2dc51b6 --- /dev/null +++ b/config/action.d/csf.conf @@ -0,0 +1,26 @@ +# Fail2Ban configuration file +# http://configserver.com/cp/csf.html +# +# Note: CSF doesn't play nicely with other actions. It has been observed to +# remove bans created by other iptables based actions. If you are going to use +# this action, use it for all of your jails. +# +# DON'T MIX CSF and other IPTABLES based actions + +[Definition] + +actionstart = +actionstop = +actioncheck = +actionban = csf --deny "banned by Fail2Ban " +actionunban = csf --denyrm + +[Init] + +# Name used in CSF configuration +# +name = default + +# DEV NOTES: +# +# based on apf.conf by Mark McKinstry From 1fb7ffe759f5d4ff73a6d271c5b98c8c18a0ad1c Mon Sep 17 00:00:00 2001 From: Michele Bologna Date: Fri, 14 Sep 2018 22:12:52 +0200 Subject: [PATCH 002/408] Feat: ban nginx forbidden accesses If you have configured nginx to forbid some paths in your webserver, e.g.: location ~ /\. { deny all; } if a client tries to access https://yoursite/.user.ini then you will see in nginx error log: 2018/09/14 19:03:05 [error] 2035#2035: *9134 access forbidden by rule, client: 10.20.30.40, server: www.example.net, request: "GET /.user.ini HTTP/1.1", host: "www.example.net", referrer: "https://www.example.net" By carefully setting this filter we ban every IP that tries too many times to access forbidden resources. Author: Michele Bologna https://www.michelebologna.net/ --- config/filter.d/nginx-forbidden.conf | 21 +++++++++++++++++++++ fail2ban/tests/files/logs/nginx-forbidden | 5 +++++ 2 files changed, 26 insertions(+) create mode 100644 config/filter.d/nginx-forbidden.conf create mode 100644 fail2ban/tests/files/logs/nginx-forbidden diff --git a/config/filter.d/nginx-forbidden.conf b/config/filter.d/nginx-forbidden.conf new file mode 100644 index 00000000..3c54e61e --- /dev/null +++ b/config/filter.d/nginx-forbidden.conf @@ -0,0 +1,21 @@ +# fail2ban filter configuration for nginx forbidden accesses +# +# If you have configured nginx to forbid some paths in your webserver, e.g.: +# +# location ~ /\. { +# deny all; +# } +# +# if a client tries to access https://yoursite/.user.ini then you will see +# in nginx error log: +# +# 2018/09/14 19:03:05 [error] 2035#2035: *9134 access forbidden by rule, client: 10.20.30.40, server: www.example.net, request: "GET /.user.ini HTTP/1.1", host: "www.example.net", referrer: "https://www.example.net" +# +# By carefully setting this filter we ban every IP that tries too many times to +# access forbidden resources. +# +# Author: Michele Bologna https://www.michelebologna.net/ + +[Definition] +failregex = \[error\] \d+#\d+: \*\d+ access forbidden by rule, client: +ignoreregex = diff --git a/fail2ban/tests/files/logs/nginx-forbidden b/fail2ban/tests/files/logs/nginx-forbidden new file mode 100644 index 00000000..6da3ed01 --- /dev/null +++ b/fail2ban/tests/files/logs/nginx-forbidden @@ -0,0 +1,5 @@ +# failJSON: { "time": "2018-09-14T19:03:05", "match": true , "host": "12.34.56.78" } +2018/09/14 19:03:05 [error] 2035#2035: *9134 access forbidden by rule, client: 12.34.56.78, server: www.example.net, request: "GET /wp-content/themes/evolve/js/back-end/libraries/fileuploader/upload_handler.php HTTP/1.1", host: "www.example.net", referrer: "http://example.net/foo.php" + +# failJSON: { "time": "2018-09-13T15:42:05", "match": true , "host": "12.34.56.78" } +2018/09/13 15:42:05 [error] 2035#2035: *287 access forbidden by rule, client: 12.34.56.78, server: www.example.com, request: "GET /wp-config.php~ HTTP/1.1", host: "www.example.com" From 7e88ae0ee66628893a283d6fed06a347f9f6673e Mon Sep 17 00:00:00 2001 From: Michele Bologna Date: Fri, 14 Sep 2018 23:08:12 +0200 Subject: [PATCH 003/408] Feat: add forbidden to jail.conf --- config/jail.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/config/jail.conf b/config/jail.conf index 697c81dd..a6f2ac5a 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -390,6 +390,11 @@ port = http,https logpath = %(nginx_error_log)s maxretry = 2 +[nginx-forbidden] + +port = http,https +logpath = %(nginx_error_log)s +maxretry = 10 # Ban attackers that try to use PHP's URL-fopen() functionality # through GET/POST variables. - Experimental, with more than a year From 93272188430d0d856ed29a5e040748e4d41c8b99 Mon Sep 17 00:00:00 2001 From: Noel Kuntze Date: Sat, 29 Jun 2019 01:39:38 +0200 Subject: [PATCH 004/408] Improved blocklist_de action to not resend bans that were already reported --- config/action.d/blocklist_de.conf | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/config/action.d/blocklist_de.conf b/config/action.d/blocklist_de.conf index ba6d427b..d8a4b3e5 100644 --- a/config/action.d/blocklist_de.conf +++ b/config/action.d/blocklist_de.conf @@ -54,7 +54,21 @@ actioncheck = # Tags: See jail.conf(5) man page # Values: CMD # -actionban = curl --fail --data-urlencode "server=" --data "apikey=" --data "service=" --data "ip=" --data-urlencode "logs=
" --data 'format=text' --user-agent "" "https://www.blocklist.de/en/httpreports.html" + +tmpfile = "/var/run/fail2ban/last-log-.time" + +actionban = if [ ! -e "" ] + then + # if the file doesn't exist yet, create it + touch -d @