mirror of
https://github.com/jrbrtsn/ban2fail
synced 2024-06-16 03:48:03 +00:00
Improve documentation
This commit is contained in:
parent
7fddfb7a16
commit
64f7ae5e39
143
README.md
@ -34,18 +34,43 @@ default that IP will be blocked.
|
|||||||
|
|
||||||
```
|
```
|
||||||
LOGTYPE auth {
|
LOGTYPE auth {
|
||||||
|
|
||||||
|
# Where to find the log files
|
||||||
DIR= /var/log
|
DIR= /var/log
|
||||||
PREFIX= auth.log
|
PREFIX= auth.log
|
||||||
|
|
||||||
# imapd[20193]= Login failed user=redacted auth=redacted@nowhere.com host=[186.179.170.12]
|
# How to read the timestamp
|
||||||
|
TIMESTAMP auth_ts {
|
||||||
|
# isolates the timestamp from a line matched by a TARGET
|
||||||
|
REGEX= ^(.*) srv
|
||||||
|
# Passed to strptime() to intrepret the timestamp string
|
||||||
|
STRPTIME= %b %d %T
|
||||||
|
# These stamps do not include the year, so it is implied.
|
||||||
|
FLAGS= GUESS_YEAR
|
||||||
|
}
|
||||||
|
|
||||||
|
TARGET imap {
|
||||||
|
# Pattern to search for, isolates the IP address
|
||||||
REGEX= imapd.*Login failed.*\[([0-9.a-f:]+)\]$
|
REGEX= imapd.*Login failed.*\[([0-9.a-f:]+)\]$
|
||||||
|
# Assign this as the severity of the offense.
|
||||||
|
SEVERITY= 3
|
||||||
|
}
|
||||||
|
|
||||||
# sshd[6165]= Failed password for invalid user user from 185.224.137.201 port 44865 ssh2
|
TARGET ssh {
|
||||||
|
SEVERITY= 4
|
||||||
REGEX= sshd.*Failed password.*from ([0-9.a-f:]+) port [0-9]+ ssh2$
|
REGEX= sshd.*Failed password.*from ([0-9.a-f:]+) port [0-9]+ ssh2$
|
||||||
|
REGEX= sshd.*Invalid user.*from ([0-9.a-f:]+) port
|
||||||
|
}
|
||||||
|
|
||||||
# Unable to negotiate with 193.188.22.188 port ...
|
TARGET negotiate_fail {
|
||||||
# REGEX= Unable to negotiate with ([0-9.]+) port
|
SEVERITY= 2
|
||||||
REGEX= Unable to negotiate with ([0-9.a-f:]+) port
|
REGEX= Unable to negotiate with ([0-9.a-f:]+) port
|
||||||
|
}
|
||||||
|
|
||||||
|
TARGET dovecot {
|
||||||
|
SEVERITY= 3
|
||||||
|
REGEX= dovecot.*authentication failure.*rhost=([0-9.]+)
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
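Review bot: the `dovecot` target's `REGEX= dovecot.*authentication failure.*rhost=([0-9.]+)` captures only dotted-quad addresses, while the other targets in this hunk (`imap`, `ssh`, `negotiate_fail`) use `([0-9.a-f:]+)` so IPv6 offenders are caught too; since the same hunk removes the IPv4-only commented pattern `# REGEX= Unable to negotiate with ([0-9.]+) port`, the dovecot capture should be widened the same way, otherwise the example documents a rule that never matches IPv6 dovecot failures. Also, the new comment `# Passed to strptime() to intrepret the timestamp string` misspells "interpret".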
@ -74,24 +99,70 @@ IP is blocked. Offenses will naturally disappear as old logfiles are deleted by
|
|||||||
*logrotate*.
|
*logrotate*.
|
||||||
|
|
||||||
```
|
```
|
||||||
# Take it easy on home boys
|
# Whitelist ourself
|
||||||
MAX_OFFENSES 5 {
|
|
||||||
COUNTRY= US
|
|
||||||
}
|
|
||||||
|
|
||||||
# GeoIP doesn't know the location of every IP address
|
|
||||||
MAX_OFFENSES 3 {
|
|
||||||
COUNTRY= unknown
|
|
||||||
}
|
|
||||||
|
|
||||||
# This is your whitelist: -1 means no limit.
|
|
||||||
MAX_OFFENSES -1 {
|
MAX_OFFENSES -1 {
|
||||||
|
# Put your server's IP addresses here
|
||||||
|
# IP= 1.2.3.4
|
||||||
|
IP= 127.0.0.1
|
||||||
|
# IP= dead:beef::20::32a
|
||||||
|
IP= ::1
|
||||||
|
}
|
||||||
|
|
||||||
|
# Allegedly legit servers
|
||||||
|
MAX_OFFENSES 50 {
|
||||||
|
|
||||||
|
# Google Ireland
|
||||||
|
IP= 2a00:1450:4864:20::32a
|
||||||
|
IP= 2a00:1450:4864:20::336
|
||||||
|
|
||||||
|
# Google EU
|
||||||
|
# Attempted to break in
|
||||||
|
# IP= 35.205.240.168
|
||||||
|
|
||||||
|
# Google US
|
||||||
|
IP= 09.85.216.42
|
||||||
|
# Attempted to break in
|
||||||
|
# IP= 130.211.246.128
|
||||||
|
IP= 209.85.166.194
|
||||||
|
IP= 209.85.166.195
|
||||||
|
IP= 209.85.208.67
|
||||||
|
IP= 209.85.214.194
|
||||||
|
IP= 209.85.215.173
|
||||||
|
IP= 209.85.215.175
|
||||||
|
IP= 209.85.215.193
|
||||||
|
IP= 209.85.216.42
|
||||||
|
IP= 2607:f8b0:4864:20::1034
|
||||||
|
IP= 2607:f8b0:4864:20::a46
|
||||||
|
|
||||||
|
# Yahoo
|
||||||
|
IP= 106.10.244.139
|
||||||
|
|
||||||
|
# Outlook
|
||||||
|
IP= 40.92.4.30
|
||||||
|
IP= 40.107.73.61
|
||||||
|
IP= 40.107.74.48
|
||||||
|
IP= 40.107.74.72
|
||||||
|
IP= 40.107.76.74
|
||||||
|
IP= 40.107.79.52
|
||||||
|
IP= 40.107.79.59
|
||||||
|
IP= 40.107.80.40
|
||||||
|
IP= 40.107.80.53
|
||||||
|
IP= 40.107.80.78
|
||||||
|
IP= 40.107.82.75
|
||||||
|
IP= 52.101.129.30
|
||||||
|
IP= 52.101.132.108
|
||||||
|
IP= 52.101.136.79
|
||||||
|
IP= 52.101.140.230
|
||||||
|
}
|
||||||
|
|
||||||
|
# "trusted" addresses
|
||||||
|
MAX_OFFENSES 200 {
|
||||||
|
|
||||||
# me from home
|
# me from home
|
||||||
IP= 205.144.171.37/20
|
# IP= 1.2.3.4/20
|
||||||
|
|
||||||
# Some user
|
# Customer
|
||||||
IP= 173.236.196.36
|
# IP= 5.6.7.8/24
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
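Review bot: dropping `# This is your whitelist: -1 means no limit.` together with the `MAX_OFFENSES 5 { COUNTRY= US }` and `MAX_OFFENSES 3 { COUNTRY= unknown }` blocks leaves the example with no explanation of the `-1` sentinel on `MAX_OFFENSES -1 {` and no remaining use of the `COUNTRY=` key; keep a one-line comment on the `-1` block and one `COUNTRY=` example so both features stay documented. Two of the new addresses also look wrong: `IP= 09.85.216.42` has a stray leading zero and `209.85.216.42` already appears a few lines below it in the same block, and the commented example `# IP= dead:beef::20::32a` is not a valid IPv6 address because it contains `::` twice (use a single `::`, or a documentation-prefix address such as `2001:db8::1`).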
@ -109,11 +180,27 @@ There are two primary modes in which *ban2fail* is used:
|
|||||||
|
|
||||||
### Production
|
### Production
|
||||||
|
|
||||||
In production mode it is expected that *ban2fail* is running from a cron job,
|
In production mode it is expected that *ban2fail* is running non-interactively,
|
||||||
and no output is printed unless addresses are (un)blocked. It is also possible
|
and no output is printed unless addresses are (un)blocked. It is also possible
|
||||||
to generate a listing of addresses, offense counts, and status with the -a
|
to generate a listing of addresses, offense counts, and status with the -a
|
||||||
command flag. Likewise, a listing of countries and offense counts is available
|
command flag. Likewise, a listing of countries and offense counts is available
|
||||||
with the -c flag.
|
with the *-c* flag. In order to get DNS information for the *-a* flag, follow
|
||||||
|
with a plus for all DNS info *-a+*, or a minus for only legit (backward &
|
||||||
|
forward match) info *-a-*. In the list, DNS issues are presented like so:
|
||||||
|
|
||||||
|
```
|
||||||
|
# DNS is good
|
||||||
|
0 Dec 04 11:04 185.31.204.22 1/0 offenses GB [BLK] mail.damianbasel.audise.com
|
||||||
|
|
||||||
|
# Reverse lookup does not match forward lookup
|
||||||
|
0 Dec 04 08:47 103.238.80.23 2/0 offenses VN [BLK] example.com !
|
||||||
|
|
||||||
|
# Forward DNS is unavailable
|
||||||
|
4 Dec 04 10:54 106.51.230.190 2/0 offenses IN [BLK] broadband.actcorp.in !!
|
||||||
|
|
||||||
|
# DNS is inconclusive due to lack of response from DNS servers
|
||||||
|
0 Dec 04 04:13 87.120.246.53 1/0 offenses BG [BLK] client.playtime.bg ~
|
||||||
|
```
|
||||||
|
|
||||||
### Testing
|
### Testing
|
||||||
|
|
||||||
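Review bot: the new listing legend explains the trailing `!`, `!!` and `~` DNS markers but not the other columns that appear in all four sample lines (the leading `0`/`4`, the `1/0 offenses` pair, `[BLK]`), so a short key for those belongs next to the DNS key. Minor: the paragraph now italicizes *-c*, *-a+* and *-a-*, but the earlier unchanged sentence still writes `-a` without italics; make the flag styling consistent.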
@ -138,16 +225,28 @@ about any modern Linux distro. It uses the following libraries:
|
|||||||
|
|
||||||
+ *libcrypto* from the libssl package, for md5 checksums
|
+ *libcrypto* from the libssl package, for md5 checksums
|
||||||
|
|
||||||
+ *libgeoip* to identify the country of origin for IP addresses
|
+ *libGeoIP* to identify the country of origin for IP addresses
|
||||||
|
|
||||||
+ *libz* to read compressed log files
|
+ *libz* to read compressed log files
|
||||||
|
|
||||||
|
+ *libpthread* for parallel DNS lookups (200 simulataneous)
|
||||||
|
|
||||||
|
+ *libdb=5.3* caching of offense location and size in log files
|
||||||
|
|
||||||
Build and install like so:
|
Build and install like so:
|
||||||
|
|
||||||
```
|
```
|
||||||
make release
|
make release
|
||||||
sudo make install
|
make install
|
||||||
```
|
```
|
||||||
|
|
||||||
The executable will be placed in "/usr/local/bin".
|
The executable will be placed in "/usr/local/bin".
|
||||||
|
|
||||||
|
In order to run *ban2fail* as a systemd service which actively monitors log
|
||||||
|
files, put the service file *ban2fail.service* in place as well as placing
|
||||||
|
*ban2fail.sh* in '/usr/local/share/ban2fail/'.
|
||||||
|
|
||||||
|
*ban2fail.sh* can also be tested from the command line. The user must belong to
|
||||||
|
group 'adm' in order to run iptables, which is accomplished via setuid() at the
|
||||||
|
appropriate time.
|
||||||
|
|
||||||
|
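Review bot: changing `sudo make install` to `make install` while the next sentence still says the executable is placed in "/usr/local/bin" means the documented step fails for a non-root user, so either keep `sudo` or say the install must be run as root. The sentence "The user must belong to group 'adm' in order to run iptables, which is accomplished via setuid() at the appropriate time" mixes two mechanisms: group membership alone grants no iptables rights, so state which installed file is setuid, to which user, and where 'adm' membership is checked, since that setuid file is the security-sensitive part of the install. Typos in the new library bullets: "simulataneous" should be "simultaneous", and `libdb=5.3 caching of offense location and size in log files` is missing "for" (check whether the `=` is intended).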
@ -68,17 +68,24 @@ MAX_OFFENSES 200 {
|
|||||||
|
|
||||||
LOGTYPE auth {
|
LOGTYPE auth {
|
||||||
|
|
||||||
|
# Where to find the log files
|
||||||
DIR= /var/log
|
DIR= /var/log
|
||||||
PREFIX= auth.log
|
PREFIX= auth.log
|
||||||
|
|
||||||
|
# How to read the timestamp
|
||||||
TIMESTAMP auth_ts {
|
TIMESTAMP auth_ts {
|
||||||
|
# isolates the timestamp from a line matched by a TARGET
|
||||||
REGEX= ^(.*) srv
|
REGEX= ^(.*) srv
|
||||||
|
# Passed to strptime() to intrepret the timestamp string
|
||||||
STRPTIME= %b %d %T
|
STRPTIME= %b %d %T
|
||||||
|
# These stamps do not include the year, so it is implied.
|
||||||
FLAGS= GUESS_YEAR
|
FLAGS= GUESS_YEAR
|
||||||
}
|
}
|
||||||
|
|
||||||
TARGET imap {
|
TARGET imap {
|
||||||
|
# Pattern to search for, isolates the IP address
|
||||||
REGEX= imapd.*Login failed.*\[([0-9.a-f:]+)\]$
|
REGEX= imapd.*Login failed.*\[([0-9.a-f:]+)\]$
|
||||||
|
# Assign this as the severity of the offense.
|
||||||
SEVERITY= 3
|
SEVERITY= 3
|
||||||
}
|
}
|
||||||
|
|
||||||
|
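Review bot: the new comment on `REGEX= ^(.*) srv` says it isolates the timestamp but not that `srv` is the logging host's name and has to be replaced with the reader's own hostname, which is the one non-portable part of this example; say so in the comment. The comment `# Passed to strptime() to intrepret the timestamp string` misspells "interpret" here, as it does in the earlier hunk.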