Edit file File name : dshield.conf Content :# Fail2Ban configuration file # # Author: Russell Odom <russ@gloomytrousers.co.uk> # Submits attack reports to DShield (http://www.dshield.org/) # # You MUST configure at least: # <port> (the port that's being attacked - use number not name). # # You SHOULD also provide: # <myip> (your public IP address, if it's not the address of eth0) # <userid> (your DShield userID, if you have one - recommended, but reports will # be used anonymously if not) # <protocol> (the protocol in use - defaults to tcp) # # Best practice is to provide <port> and <protocol> in jail.conf like this: # action = dshield[port=1234,protocol=tcp] # # ...and create "dshield.local" with contents something like this: # [Init] # myip = 10.0.0.1 # userid = 12345 # # Other useful configuration values are <mailargs> (you can use for specifying # a different sender address for the report e-mails, which should match what is # configured at DShield), and <lines>/<minreportinterval>/<maxbufferage> (to # configure how often the buffer is flushed). # [Definition] # bypass ban/unban for restored tickets norestored = 1 # Option: actionstart # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = # Option: actionstop # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = if [ -f <tmpfile>.buffer ]; then cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest> date +%%s > <tmpfile>.lastsent fi rm -f <tmpfile>.buffer <tmpfile>.first # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # # See http://www.dshield.org/specs.html for more on report format/notes # # Note: We are currently using <time> for the timestamp because no tag is # available to indicate the timestamp of the log message(s) which triggered the # ban. Therefore the timestamps we are using in the report, whilst often only a # few seconds out, are incorrect. See # http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047 # actionban = TZONE=`date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` DATETIME="`perl -e '@t=localtime(<time>);printf "%%4d-%%02d-%%02d %%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'` $TZONE" PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols` if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi printf %%b "$DATETIME\t<userid>\t<failures>\t<ip>\t<srcport>\t<myip>\t<port>\t$PROTOCOL\t<tcpflags>\n" >> <tmpfile>.buffer NOW=`date +%%s` if [ ! -f <tmpfile>.first ]; then echo <time> | cut -d. -f1 > <tmpfile>.first fi if [ ! -f <tmpfile>.lastsent ]; then echo 0 > <tmpfile>.lastsent fi LOGAGE=$(($NOW - `cat <tmpfile>.first`)) LASTREPORT=$(($NOW - `cat <tmpfile>.lastsent`)) LINES=$( wc -l <tmpfile>.buffer | awk '{ print $1 }' ) if [ $LINES -ge <lines> && $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]; then cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ $TZONE Fail2Ban" <mailargs> <dest> rm -f <tmpfile>.buffer <tmpfile>.first echo $NOW > <tmpfile>.lastsent fi # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = if [ -f <tmpfile>.first ]; then NOW=`date +%%s` LOGAGE=$(($NOW - `cat <tmpfile>.first`)) if [ $LOGAGE -gt <maxbufferage> ]; then cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest> rm -f <tmpfile>.buffer <tmpfile>.first echo $NOW > <tmpfile>.lastsent fi fi [Init] # Option: port # Notes.: The target port for the attack (numerical). MUST be provided in the # jail config, as it cannot be detected here. # Values: [ NUM ] # port = ??? # Option: userid # Notes.: Your DShield user ID. Should be provided either in the jail config or # in a .local file. # Register at https://secure.dshield.org/register.html # Values: [ NUM ] # userid = 0 # Option: myip # Notes.: The target IP for the attack (your public IP). Should be provided # either in the jail config or in a .local file unless your PUBLIC IP # is the first IP assigned to eth0 # Values: [ an IP address ] Default: Tries to find the IP address of eth0, # which in most cases will be a private IP, and therefore incorrect # myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'` # Option: protocol # Notes.: The protocol over which the attack is happening # Values: [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp # protocol = tcp # Option: lines # Notes.: How many lines to buffer before making a report. Regardless of this, # reports are sent a minimum of <minreportinterval> apart, or if the # buffer contains an event over <maxbufferage> old, or on shutdown # Values: [ NUM ] # lines = 50 # Option: minreportinterval # Notes.: Minimum period (in seconds) that must elapse before we submit another # batch of reports. DShield request a minimum of 1 hour (3600 secs) # between reports. # Values: [ NUM ] # minreportinterval = 3600 # Option: maxbufferage # Notes.: Maximum age (in seconds) of the oldest report in the buffer before we # submit the batch, even if we haven't reached <lines> yet. Note that # this is only checked on each ban/unban, and that we always send # anything in the buffer on shutdown. Must be greater than # Values: [ NUM ] # maxbufferage = 21600 # Option: srcport # Notes.: The source port of the attack. You're unlikely to have this info, so # you can leave the default # Values: [ NUM ] # srcport = ??? # Option: tcpflags # Notes.: TCP flags on attack. You're unlikely to have this info, so you can # leave empty # Values: [ STRING ] # tcpflags = # Option: mailcmd # Notes.: Your system mail command. Is passed 2 args: subject and recipient # Values: CMD # mailcmd = mail -s # Option: mailargs # Notes.: Additional arguments to mail command. e.g. for standard Unix mail: # CC reports to another address: # -c me@example.com # Appear to come from a different address (the From address must match # the one configured at DShield - the '--' indicates arguments to be # passed to Sendmail): # -- -f me@example.com # Values: [ STRING ] # mailargs = # Option: dest # Notes.: Destination e-mail address for reports # Values: [ STRING ] # dest = reports@dshield.org # Option: tmpfile # Notes.: Base name of temporary files used for buffering # Values: [ STRING ] # tmpfile = /var/run/fail2ban/tmp-dshield Save