joao.goncalves
/
NgixProxy_Pathfinder
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: joao.goncalves:main
Branches Tags
joao.goncalves:main
joao.goncalves:producao
joao.goncalves:antes-do-docker
..
compare: joao.goncalves:antes-do-docker
Branches Tags
joao.goncalves:producao
joao.goncalves:antes-do-docker
joao.goncalves:main

No commits in common. "main" and "antes-do-docker" have entirely different histories.
main ... antes-do-d

629 changed files with 22486 additions and 1493 deletions
Show Stats Expand all files Collapse all files

54
.dockerignore
View File

@ -1,54 +0,0 @@
# Documentation and config folders
.gemini/
.git/
.github/
.vscode/
.idea/
# Legacy files (not needed in container)
legacy/
_backup/
# Logs and debug files
*.log
debug_logs*.txt
nginx_test*.log
# Environment files
.env
.env.local
# Git files
.gitignore
.gitattributes
# Documentation
README.md
*.md
!nginx.conf
# Docker files (avoid recursive includes)
docker-compose*.yml
Dockerfile*
# Temporary and backup files
*.tmp
*.bak
*.swp
*.swo
*~
# OS files
.DS_Store
Thumbs.db
# SSL private keys (should be mounted as volume, not baked in)
ssl/*.key
# Caddy Data
caddy_data/
caddy_config/
caddy_logs/
# Disabled configs
*.disabled

135
.gemini/GEMINI.md
View File

@ -1,135 +0,0 @@
# NGINX Pathfinder Proxy - Documentação Técnica
## Visão Geral
Projeto de infraestrutura para Proxy Reverso de Alta Disponibilidade, utilizando Containers Docker para modularidade e fácil manutenção.
## Arquitetura de Containers
O projeto roda sobre 3 serviços orquestrados via `docker-compose.yml`:
| Serviço | Imagem | Porta Exposta | Função |
|---------|--------|---------------|--------|
| **modsecurity** | `owasp/modsecurity-crs:nginx-alpine` | `80`, `443` | **Frontend (WAF)**. Recebe todo o tráfego da internet, filtra ataques (SQLi, XSS) e encaminha requisições limpas para o Proxy. |
| **nginx-proxy** | `alpine` (Custom Build) | `8080` (Interna) | **Backend Proxy**. Gerencia vhosts, terminação SSL, cache, compressão Brotli e roteamento para as aplicações finais. |
| **fail2ban** | `crazymax/fail2ban` | - | **Watchdog**. Lê logs compartilhados dos dois containers acima e bane IPs maliciosos diretamente no host (via iptables). |
---
## Automação SSL
O sistema possui um mecanismo de **auto-cura** para certificados SSL.
### Componentes
1. **Certbot**: Instalado dentro do container `nginx-proxy`.
2. **Volumes**:
- `ssl/`: Onde ficam os arquivos `.crt` e `.key` usados pelo NGINX.
- `certbot/`: Onde o Certbot guarda os arquivos originais do Let's Encrypt.
3. **Scripts**:
- `scripts/inject_acme.sh`: Varre todos os arquivos em `conf.d/` e injeta o snippet de validação ACME (`.well-known`) se não existir.
- `scripts/renew_ssl.sh`:
1. Verifica a data de expiração de cada certificado ativo.
2. Se faltar **3 dias ou menos**, dispara `certbot renew`.
3. Copia os novos arquivos gerados para a pasta `ssl/`.
4. Recarrega o NGINX.
### Agendamento
- **Cron**: Configurado no `pre-flight.sh` para rodar todos os dias às **01:00 AM**.
- **Startup**: A verificação também roda a cada reinício do container.
---
## Estrutura de Arquivos
```
.
├── conf.d/ # Configurações de sites (VHosts)
├── snippets/ # Trechos reutilizáveis
│ ├── acme_challenge.conf # Snippet para validação Let's Encrypt
│ ├── internal_networks.conf # IPs permitidos (VPN/Local)
│ └── ...
├── scripts/ # Scripts de automação
│ ├── pre-flight.sh # Entrypoint (DNS Check + Cron Setup)
│ ├── inject_acme.sh # Injetor de config ACME
│ └── renew_ssl.sh # Lógica de renovação
├── ssl/ # Certificados em uso
├── fail2ban/ # Configs do Fail2ban
│ ├── jail.d/ # Definição das prisões
│ └── filter.d/ # Regex de detecção
├── .gemini/ # Documentação do projeto
└── docker-compose.yml # Orquestração
```
---
## Módulos Especiais
### 1. Brotli & Headers More
O container `nginx-proxy` é construído manualmente (`Dockerfile`) para incluir módulos que não vêm por padrão no Alpine:
- `nginx-mod-http-brotli`
- `nginx-mod-http-headers-more`
### 2. ModSecurity (WAF)
Rodar o WAF em container separado (`modsecurity`) evita a necessidade de compilar o ModSecurity no NGINX principal.
**Arquitetura Customizada:**
- **Injeção de Template**: Um arquivo `modsec.conf.template` local é montado durante o boot para contornar limitações de permissão do container oficial. Ele instrui o NGINX a carregar regras customizadas.
- **Regras Modulares**: Localizadas em `modsec_rules/`, divididas por aplicação (`gitea-rule-exceptions.conf`, `nextcloud...`).
- **Global**: `global-exceptions.conf` define apenas a whitelist de rede.
- **Bypass de Emergência**: Se o WAF falhar, altere as portas no `docker-compose.yml` para expor o `nginx-proxy` diretamente.
---
## Fluxo de Deploy Atualizado
```mermaid
graph TD
Start[Deploy] --> DetectIP[Detectar IP Público]
DetectIP --> Build[Docker Build (NGINX + Certbot)]
Build --> Up[Docker Compose Up]
Up --> PreFlight[Pre-Flight Script]
PreFlight --> DNSCheck[Validar DNS dos Domínios]
DNSCheck --> CronSetup[Configurar Cron Job]
CronSetup --> SSLCheck[Verificar Validade SSL]
SSLCheck -- Vence > 3 dias --> StartNginx[Iniciar NGINX]
SSLCheck -- Vence <= 3 dias --> Renew[Rodar renew_ssl.sh]
Renew --> StartNginx
```
---
## Comandos Operacionais
**Verificar status dos serviços:**
```bash
docker compose ps
```
**Verificar validade dos SSL (Log):**
```bash
docker compose logs nginx-proxy | grep "SSL"
```
**Forçar renovação SSL manualmente:**
```bash
docker compose exec nginx-proxy /scripts/renew_ssl.sh
```
**Reload Zero-Downtime (Blue-Green Logic):**
Este comando valida a configuração e executa um reload gracioso (`nginx -s reload`), onde novos workers assumem as novas configurações enquanto os antigos terminam as requisições correntes.
```bash
./scripts/reload.sh # Linux
./scripts/reload.ps1 # Windows PowerShell
```
**Banir um IP manualmente:**
```bash
docker compose exec fail2ban fail2ban-client set nginx-badbots banip 1.2.3.4
```
**Adicionar novo site:**
1. Criar `conf.d/novo-site.conf`
2. `docker compose restart nginx-proxy`
3. O script de startup irá validar o DNS e injetar o suporte ACME automaticamente.

40
.gemini/TODO.md
View File

@ -1,40 +0,0 @@
# Tarefas Pendentes e Melhorias Futuras
## 1. Gestão Dinâmica de DNS
**Origem:** Migração de `legacy/hosts`
- **Problema:** O método atual usa `extra_hosts` no `docker-compose.yml`, que é estático e exige recriação do container para alterações.
- **Objetivo:** Mudar o modo de registro e atualização de DNS para ser mais dinâmico ou simples.
- **Ideias:** DNS containerizado (Bind/CoreDNS) ou Service Discovery.
## 2. Revisão de Regras ModSecurity
**Origem:** Migração de `legacy/nginx/modsecurity/*.conf` (Regras Antigas)
- **Status:** ✅ Concluído.
- **Resolução:** Regras refatoradas para estrutura modular (`modsec_rules/`). WAF ativo e configurado via template injection para Gitea, Nextcloud, Exchange, Zabbix e outros.
- **Ação:** Monitorar logs (`modsec_audit.log`) para ajustes finos futuros.
## 3. Atualizações Zero-Downtime (Sem Queda)
**Objetivo:** Criar um método para atualizar configurações de sites sem que clientes externos percam a conexão.
- **Status:** ✅ Concluído.
- **Solução Implementada:** Script `./scripts/reload.sh` que executa `nginx -t` e `nginx -s reload` (Reload Suave/Process-Level Blue-Green).
- **Como usar:** Execute `./scripts/reload.sh` após alterar qualquer `.conf`.
## 4. Conexão Direta na Interface do Host
**Objetivo:** Configurar o proxy para rotear tráfego tanto internamente (entre containers Docker) quanto externamente (para serviços fora do Docker).
- **Status:** 🧪 Implementado - Aguardando Teste no Host
- **Solução Implementada:**
- Adicionado `host.docker.internal:host-gateway` no `docker-compose.yml` para ambos containers
- Criado `snippets/docker_resolver.conf` para resolução DNS dinâmica de containers
- Criado `conf.d/test-connectivity.conf` (temporário) com endpoints de teste
- Atualizado diagrama de arquitetura no `README.md`
- **Testes Necessários (no host de deploy):**
```bash
# Rebuild e restart
docker compose build --no-cache nginx-proxy
docker compose down && docker compose up -d
# Testar conectividade
docker compose exec nginx-proxy ping -c 2 10.10.253.254
docker compose exec nginx-proxy ping -c 2 10.10.253.128
```
- **Após Validação:** Deletar `conf.d/test-connectivity.conf` e marcar como ✅ Concluído.

42
.gitignore vendored
View File

@ -1,42 +0,0 @@
# Logs and debug files
*.log
debug_logs*.txt
nginx_test*.log
# Environment files
.env
.env.local
# Docker
docker-compose.override.yml
# SSL certificates (sensitive - should be managed separately)
ssl/*.key
ssl/*.crt
ssl/*.pem
# Editor files
.vscode/
.idea/
*.swp
*.swo
*~
# OS files
.DS_Store
Thumbs.db
# Temporary files
*.tmp
*.bak
# Disabled configs
*.disabled
# Backups
_backup/
# Caddy Data
caddy_data/
caddy_config/
caddy_logs/

239
README.md
View File

@ -1,238 +1,61 @@
# NGINX Pathfinder Proxy
# Serviço de Sincronização de Configurações - Proxy-Sinc
Solução moderna de Proxy Reverso containerizado, construída com NGINX, ModSecurity WAF e automação de SSL.
Este repositório contém as configurações e os scripts de automação para o serviço `proxy-sinc`, desenhado para automatizar o controlo de versões de ficheiros de configuração de servidores Linux para um repositório Git (Gitea).
## 🚀 Funcionalidades
O objetivo é criar um sistema robusto, auto-documentado e fácil de gerir para o backup e o histórico de alterações de configurações críticas como as do Nginx e do Fail2ban.
### 🛡️ Segurança em Primeiro Lugar
- **ModSecurity WAF**: Conjunto de Regras OWASP (CRS) integrado rodando como proxy sidecar/frontend.
- **Fail2ban**: Serviço "cão de guarda" que bane IPs com comportamento suspeito (bots ruins, excesso de erros 4xx/5xx).
- **Mapas de Segurança**: Bloqueio automatizado de User-Agents maliciosos e restrições de rede interna.
## Funcionalidades Principais Implementadas pelo Instalador
### ⚡ Performance
- **HTTP/3 (QUIC)**: Habilitado para conexões modernas de baixa latência.
- **Compressão Brotli**: Melhores taxas de compressão que o Gzip padrão.
- **Headers More**: Manipulação avançada de cabeçalhos para respostas limpas.
### Gestão de Dependências
### 🔒 SSL Automatizado
- **Renovação Zero-Touch**: O Certbot integrado verifica a validade diariamente.
- **Auto-Renovação**: Renova automaticamente certificados próximos do vencimento (<= 3 dias).
- **Injeção Inteligente**: Injeta automaticamente os snippets de desafio ACME nas configurações dos sites.
* Verifica e instala automaticamente as dependências necessárias (`git`, `rsync`) usando `apt`.
---
### Configuração Interativa e Segura
## 🛠️ Como Trabalhar neste Repositório
* Pede ao utilizador a URL do repositório, o nome de utilizador do Gitea e um Token de Acesso (que fica oculto durante a digitação) para a autenticação.
### Pré-requisitos
- Docker & Docker Compose instalados
- Acesso à internet (para baixar imagens e validar SSL)
* A URL do repositório é reconfigurada para incluir as credenciais, permitindo que as operações `git` futuras (como o `git push`) sejam executadas de forma não-interativa.
### 1. Implantar o Servidor (Deploy)
Para iniciar toda a infraestrutura:
```bash
./deploy.sh
```
*Este script detecta seu IP público, configura o ambiente e sobe os containers.*
### Identidade de Commit Automática
### 2. Adicionar um Novo Site
Todas as configurações de sites ficam na pasta `conf.d/`.
* O nome do autor dos commits é automaticamente definido como o hostname completo do servidor (ex: `srvproxy001.itguys.com.br`).
1. **Crie o arquivo de configuração**:
Crie um arquivo `.conf` em `conf.d/` (ex: `meusite.com.br.conf`). Use um dos arquivos existentes como modelo.
* O email do autor é gerado automaticamente a partir do hostname (ex: `srvproxy001@itguys.com.br`).
**Modelo Básico (com SSL):**
```nginx
# Backend (para onde vai o tráfego)
upstream meu_backend {
server 192.168.1.10:8080;
}
### Gestão Inteligente de SSL
# Redirecionamento HTTP -> HTTPS
server {
listen 80;
server_name meusite.com.br;
include /etc/nginx/snippets/acme_challenge.conf; # Importante para SSL
return 301 https://$host$request_uri;
}
* O script testa automaticamente a conexão com o Gitea. Se detetar um problema de certificado SSL (comum em ambientes internos), ele configura o repositório local para ignorar a verificação SSL, garantindo que a sincronização funcione.
# Bloco HTTPS
server {
listen 443 ssl;
http2 on;
server_name meusite.com.br;
### Registo de Deploy
ssl_certificate /etc/nginx/ssl/meusite.com.br.crt;
ssl_certificate_key /etc/nginx/ssl/meusite.com.br.key;
* Na primeira instalação num novo servidor, o script cria um ficheiro de registo (`_deployment_logs/hostname.md`) no repositório, documentando quem (utilizador do Gitea) instalou o serviço e quando, criando uma trilha de auditoria.
include /etc/nginx/snippets/ssl_params.conf;
### Instalação como Serviço `systemd`
location / {
proxy_pass http://meu_backend;
include /etc/nginx/includes/proxy_backend.conf;
}
}
```
* Gera e instala um serviço `systemd` (`proxy-sinc.service`) e um `timer` (`proxy-sinc.timer`).
2. **Aplique as alterações**:
```bash
docker compose restart nginx-proxy
```
*No reinício, o script de pre-flight validará o DNS e injetará configurações de SSL necessárias.*
* Esta abordagem é superior ao `cron` pois integra-se perfeitamente com o sistema de logs `journald`, permitindo uma gestão fácil com `systemctl status`, `start`, `stop`, etc.
### 3. Modificar Configurações Globais
As configurações globais são modularizadas na pasta `snippets/`.
* O timer está configurado para executar o script de sincronização **a cada minuto**.
- **Rate Limiting**: Edite `snippets/rate_limit.conf` para ajustar os limites de requisições por segundo.
- **Bloqueio de Bots**: Edite `snippets/security_maps.conf` para adicionar novos User-Agents à lista negra.
- **Cache**: Edite `snippets/cache_zones.conf` para definir novas zonas ou tempos de cache.
### Sincronização Dinâmica de Ficheiros
### 3.1. Modificar Regras do WAF (ModSecurity)
O WAF agora utiliza uma estrutura modular de regras localizada na pasta `modsec_rules/`.
- **Arquivos Específicos**: Regras para Gitea, Nextcloud, Exchange, Zabbix, etc. ficam em seus respectivos arquivos `.conf`.
- **Global**: `global-exceptions.conf` contém apenas whitelists de rede interna.
- **Aplicação**: Após editar qualquer regra, reinicie o container do WAF para aplicar:
```bash
docker compose restart modsecurity
```
> **Nota Técnica**: O arquivo `modsec.conf.template` na raiz é injetado no container durante o boot para contornar problemas de permissão e garantir o carregamento das regras customizadas.
* O script principal de sincronização (`commit_configs.sh`) agora lê os caminhos a serem versionados a partir de um ficheiro de configuração central (`/etc/proxy-sinc/paths.conf`).
### 4. Gerenciar Certificados SSL
O sistema gerencia isso automaticamente, mas você pode intervir manualmente se necessário.
* Isto permite que os administradores adicionem ou removam ficheiros e pastas para sincronização no futuro, simplesmente editando este ficheiro de texto, sem precisar de alterar o script.
- **Verificar Validade**:
Verifique os logs do startup para ver o status de todos os domínios:
```bash
docker compose logs nginx-proxy | grep "SSL"
```
### Auto-Versionamento
- **Forçar Renovação**:
Se precisar renovar um certificado imediatamente:
```bash
docker compose exec nginx-proxy /scripts/renew_ssl.sh
```
* O script `commit_configs.sh` foi desenhado para se incluir a si mesmo e a todos os seus ficheiros de configuração e de serviço (`.service`, `.timer`, `man page`, `paths.conf`) no repositório Git. Desta forma, qualquer alteração na própria automação também é versionada.
- **Reload sem Downtime (Recomendado)**:
Para aplicar alterações de configuração (vhosts, SSL) sem derrubar conexões ativas:
```bash
./scripts/reload.sh
```
### Funcionalidade de Auto-Atualização
### 5. Monitorar e Debugar
* Instala um novo comando no sistema, `proxy-sinc-update`.
- **Verificar Status dos Containers**:
```bash
docker compose ps
```
* Quando executado, este comando baixa a versão mais recente do `setup.sh` a partir de uma URL pré-definida no repositório Gitea e executa-a, permitindo uma atualização fácil e centralizada de toda a automação.
- **Ver Logs em Tempo Real**:
```bash
docker compose logs -f
```
### Documentação Integrada (`man page`)
- **Verificar se o WAF (ModSecurity) bloqueou algo**:
```bash
docker compose logs modsecurity | grep "Access denied"
```
* Gera e instala uma página de manual (`man proxy-sinc`) no sistema.
- **Verificar Banimentos do Fail2ban**:
```bash
docker compose exec fail2ban fail2ban-client status nginx-badbots
```
---
## 🏗️ Visão Geral da Stack
```mermaid
graph TD
subgraph Internet
Client[Cliente Externo]
end
subgraph Host["Host Docker (Portainer)"]
subgraph PathfinderStack["Stack: Pathfinder-Proxy<br/>Rede: 172.112.0.0/16"]
WAF["ModSecurity WAF<br/>172.112.0.3<br/>:80, :443"]
NGINX["nginx-proxy<br/>172.112.0.2<br/>:8080 interno"]
F2B["fail2ban<br/>network: host"]
end
subgraph HostNetwork["Rede Física do Host"]
HostIP["host.docker.internal<br/>(gateway)"]
end
subgraph OtherStacks["Outras Stacks Docker"]
Container1["Container A<br/>172.111.0.x"]
Container2["Container B<br/>172.113.0.x"]
end
end
subgraph ExternalServers["Servidores Externos"]
Server254["10.10.253.254"]
Server128["10.10.253.128<br/>Gitea"]
end
Client -->|":80/:443"| WAF
WAF -->|"proxy_pass :8080"| NGINX
F2B -.->|"lê logs"| WAF
F2B -.->|"lê logs"| NGINX
NGINX -->|"extra_hosts<br/>host-gateway"| HostIP
NGINX -.->|"bridge network"| Container1
NGINX -.->|"bridge network"| Container2
HostIP -->|"roteamento"| Server254
HostIP -->|"roteamento"| Server128
style WAF fill:#e74c3c,stroke:#c0392b,color:#fff
style NGINX fill:#3498db,stroke:#2980b9,color:#fff
style F2B fill:#27ae60,stroke:#1e8449,color:#fff
style Server128 fill:#9b59b6,stroke:#8e44ad,color:#fff
style Server254 fill:#9b59b6,stroke:#8e44ad,color:#fff
style HostIP fill:#f39c12,stroke:#d68910,color:#fff
style Container1 fill:#1abc9c,stroke:#16a085,color:#fff
style Container2 fill:#1abc9c,stroke:#16a085,color:#fff
```
---
## 📋 Sistemas e Servidores Configurados
Lista de todos os sistemas roteados pelo proxy, organizados por tipo de infraestrutura.
| Domínio | IP/Backend | Docker | VM | LXC | Descrição |
|---------|------------|:------:|:--:|:---:|-----------|
| `git.itguys.com.br` | 10.10.253.128 | ❌ | ❌ | ✅ | Gitea - Servidor Git |
| `zammad.itguys.com.br` | 172.16.254.59 | ❌ | ❌ | ✅ | Zammad - Helpdesk |
| `monitoramento.itguys.com.br` | 172.16.254.x | ❌ | ❌ | ✅ | Zabbix/Grafana |
| `mimir.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | Mimir - Métricas |
| `windmill.grupopralog.com.br` | 172.16.253.103:8000 | ❌ | ❌ | ✅ | Windmill - Automação |
| `katalog.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | Katalog |
| `verbocloud.itguys.com.br` | 172.16.253.13:11580 | ❌ | ❌ | ✅ | Nextcloud AIO |
| `cloud.grupopralog.com.br` | 172.16.253.12 | ❌ | ❌ | ✅ | Nextcloud Pralog |
| `srvoffice001.itguys.com.br` | 172.16.253.101 | ❌ | ✅ | ❌ | Exchange Server |
| `business.itguys.com.br` | 172.16.121.13 | ❌ | ✅ | ❌ | Exchange OWA |
| `vcenter.itguys.com.br` | 172.16.254.110:443 | ❌ | ✅ | ❌ | VMware vCenter |
| `unifi.itguys.com.br` | 172.16.254.123:8443 | ❌ | ✅ | ❌ | UniFi Controller |
| `workspace.itguys.com.br` | 172.16.121.2 | ❌ | ✅ | ❌ | Workspace Windows |
| `vscode.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | VS Code Server |
| `telefonia.itguys.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Central Telefônica |
| `proxy.itguys.com.br` | localhost | ✅ | ❌ | ❌ | Este proxy |
| `itguys.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Site Principal |
| `pralog.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Site Pralog |
| `anatram.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Site Anatram |
| `ferreirareal.com.br` | 172.16.x.x | ✅ | ❌ | ❌ | Site Ferreira Real |
| `petytransportes.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Site Pety Transportes |
| `solucionei.itguys.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Solucionei |
| `rhema.itguys.com.br` | 172.16.x.x | ❌ | ✅ | ❌ | Rhema |
| `integra.grupopralog.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | Integração Pralog |
| `ns1.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | DNS Primário |
| `ns2.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | DNS Secundário |
| `dns-primario.itguys.com.br` | 172.16.x.x | ❌ | ❌ | ✅ | DNS Admin |
> [!NOTE]
> **Legenda:** Docker = Container Docker | VM = Máquina Virtual (VMware/Hyper-V) | LXC = Linux Container (Proxmox)
>
> IPs marcados como `172.16.x.x` precisam ser verificados nos arquivos de configuração individuais.
---
*Mantido por IT Guys*
* O manual explica o que o serviço faz, como o gerir, como o atualizar e, o mais importante, como adicionar novos caminhos de ficheiros para serem sincronizados, tornando a ferramenta fácil de usar para qualquer membro da equipa no futuro.

49
TODO.md
View File

@ -1,49 +0,0 @@
# Relatório de Diagnóstico e Pontos de Dor (Pain Points)
Este documento sumariza os problemas arquiteturais e técnicos identificados durante a tentativa de estabilizar o stack `nginx-pathfinder-proxy`. O objetivo é fornecer um contexto claro para um futuro Agente de IA simplificar a solução.
## 1. Arquitetura Excessivamente Complexa (Split Container)
Atualmente, temos dois containers NGINX separados:
1. **Frontend (`modsecurity`)**: Recebe a internet, faz WAF, termina SSL.
2. **Backend (`nginx-proxy`)**: Recebe do WAF, faz roteamento, gerencia certificados (Certbot), roda scripts.
**Problemas Causados:**
- **Inferno de Permissões (Permission Hell):** O Backend (onde roda o Certbot) gera certificados no volume compartilhado como `root`. O Frontend tenta ler esses arquivos e falha com `Permission denied` porque roda com outro UID/GID. Tentar corrigir com `chmod` é frágil e inseguro.
- **Configuração Duplicada:** É preciso configurar o Nginx duas vezes. Uma no Frontend (para saber onde estão os certs) e uma no Backend (para saber como tratar a requisição na porta 8080).
- **SSL "Ping-Pong":** O Backend gerencia a renovação, mas o Frontend é quem *usa* o certificado. Isso exige reload sincronizado em dois containers diferentes.
## 2. Problema do "Ovo e a Galinha" (SSL Bootstrap)
- O NGINX **não sobe** se o arquivo de certificado não existir.
- O Certbot **não gera** o certificado se o NGINX não estiver rodando (para responder o desafio HTTP-01).
- **Solução Atual (Gambiarra):** Criamos um script complexo (`pre-flight.sh` + `renew_ssl.sh`) que gera certificados falsos (self-signed) só para o NGINX subir, e depois tenta baixar os reais. Isso adiciona muita lógica propensa a falhas.
## 3. Fragilidade de Deploy (Portainer / Docker)
- **Mount Error:** O Portainer falha ao tentar montar arquivos de configuração (`modsec_conf/...`) que ainda não foram baixados pelo git no host.
- **Solução Atual:** Tivemos que "assar" (bake) as configurações dentro da imagem Docker (`COPY conf.d ...`). Isso tira a agilidade de alterar uma config no git e dar deploy rápido; agora exige rebuild da imagem.
## 4. Scripts de Automação Frágeis
- O script `pre-flight.sh` tenta fazer `git clone/pull` dentro do container. Isso gera erros de "Resource busy" quando tenta limpar pastas montadas via volume.
- Lógica de `sed/grep` para ler arquivos `.conf` e achar domínios é suscetível a erros de sintaxe no arquivo de config.
---
# Recomendação de Simplificação (Para o Próximo Agente)
### Opção A: Single "Super" Container (Recomendada)
Unificar tudo em um único container.
- **Base:** Usar a imagem oficial com ModSecurity já compilado (ou compilar num multi-stage build).
- **Benefício:** Resolve problemas de permissão (mesmo processo lê e escreve). Resolve problema de setup (um único serviço). Remove complexidade de rede (sem proxy pass interno desnecessário).
### Opção B: Caddy Server (Radical)
Substituir NGINX + Certbot por **Caddy**.
- **Benefício:** Caddy tem HTTPS automático (resolve o problema do Ovo/Galinha nativamente).
- **WAF:** Existe plugin de WAF para Caddy (Coraza), mas exige validação se atende os requisitos de segurança do Oestepan.
### Opção C: NGINX Proxy Manager (GUI)
Usar uma solução pronta como NGINX Proxy Manager.
- Tem interface web.
- Gerencia SSL sozinho.
- Pode ser difícil integrar ModSecurity customizado.
### Resumo do Pedido de Refatoração
> "Simplificar a infraestrutura eliminando a separação Frontend/Backend. Criar um container único que faça WAF + Proxy + SSL Management, eliminando scripts complexos de bootstrap e problemas de permissão de volume."

12
_automation_scripts/etc/proxy-sinc/paths.conf Normal file
View File

@ -0,0 +1,12 @@
# Adicione aqui os caminhos completos para os ficheiros e diretórios que deseja versionar, um por linha.
# Linhas que começam com '#' são ignoradas.
/etc/nginx
/etc/fail2ban
/etc/resolv.conf
/etc/nsswitch.conf
/etc/hosts
/etc/ufw
/etc/zabbix
/etc/sudoers.d
/etc/tmpfiles.d
/etc/ssl

6
_automation_scripts/etc/systemd/system/proxy-sinc.service Normal file
View File

@ -0,0 +1,6 @@
[Unit]
Description=Serviço de Sincronização de Configurações do Nginx para o Git
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/commit_configs.sh

8
_automation_scripts/etc/systemd/system/proxy-sinc.timer Normal file
View File

@ -0,0 +1,8 @@
[Unit]
Description=Executa o serviço de sincronização de configurações a cada minuto
[Timer]
OnBootSec=1min
OnUnitActiveSec=1min
Unit=proxy-sinc.service
[Install]
WantedBy=timers.target

60
_automation_scripts/usr/local/sbin/commit_configs.sh Normal file
View File

@ -0,0 +1,60 @@
#!/bin/bash
set -e
REPO_PATH="/opt/config_repo"
CONFIG_DIR="/etc/proxy-sinc"
PATHS_FILE="${CONFIG_DIR}/paths.conf"
AUTOMATION_FILES_SOURCE=("/usr/local/sbin/commit_configs.sh" "/usr/local/sbin/proxy-sinc-update" "/etc/systemd/system/proxy-sinc.service" "/etc/systemd/system/proxy-sinc.timer" "/usr/share/man/man8/proxy-sinc.8.gz" "${PATHS_FILE}")
AUTOMATION_FILES_DEST="$REPO_PATH/_automation_scripts/"
log_info() { echo "[INFO] $1"; }
log_info "--- Iniciando a verificação de sincronização [$(date)] ---"
if [ "$EUID" -ne 0 ]; then echo "[ERRO] O script deve ser executado como root." >&2; exit 1; fi
if [ ! -d "$REPO_PATH/.git" ]; then echo "[ERRO] O diretório do repositório $REPO_PATH não é um repositório Git válido." >&2; exit 1; fi
log_info "Sincronizando ficheiros de configuração definidos em $PATHS_FILE..."
if [ ! -f "$PATHS_FILE" ]; then
echo "[AVISO] O ficheiro de caminhos $PATHS_FILE não foi encontrado. Nenhum ficheiro de configuração foi sincronizado."
else
while IFS= read -r path_to_sync || [ -n "$path_to_sync" ]; do
if [ -z "$path_to_sync" ] || [[ "$path_to_sync" =~ ^# ]]; then
continue
fi
if [ -e "$path_to_sync" ]; then
# Copia para a raiz do repositório
rsync -avz --delete --exclude='*.swp' --exclude='*.bak' --exclude='sites-enabled/' --exclude='modules-enabled/' --exclude='/var/log/' --exclude='/var/run/' --exclude='/var/cache/' "$path_to_sync" "$REPO_PATH/"
else
echo "[AVISO] O caminho '$path_to_sync' definido em $PATHS_FILE não existe. A ignorar."
fi
done < "$PATHS_FILE"
fi
log_info "Sincronizando ficheiros de automação..."
mkdir -p "$AUTOMATION_FILES_DEST"
for file in "${AUTOMATION_FILES_SOURCE[@]}"; do
if [ -f "$file" ]; then
rsync -aR "$file" "$AUTOMATION_FILES_DEST"
fi
done
cd "$REPO_PATH"
log_info "A verificar o status do repositório Git..."
if [ -n "$(git status --porcelain)" ]; then
log_info "Alterações detetadas. A preparar o commit."
log_info "A puxar alterações do repositório remoto para evitar conflitos..."
git pull --ff-only
log_info "A adicionar alterações ao stage..."
git add .
COMMIT_MESSAGE="[Auto-Sync] Atualização das configurações em $(hostname -f) - $(date +'%Y-%m-%d %H:%M:%S')"
log_info "A fazer o commit com a mensagem: $COMMIT_MESSAGE"
git commit -m "$COMMIT_MESSAGE"
log_info "A enviar as alterações para o Gitea (git push)..."
git push origin main
echo "[SUCESSO] As alterações foram enviadas para o repositório remoto!"
else
log_info "Nenhuma alteração de configuração detetada. O repositório está atualizado."
fi
log_info "--- Verificação de sincronização concluída [$(date)] ---"
exit 0

27
_automation_scripts/usr/local/sbin/proxy-sinc-update Normal file
View File

@ -0,0 +1,27 @@
#!/bin/bash
set -e
echo "A procurar por atualizações para o serviço Proxy-Sinc..."
UPDATE_SCRIPT_URL="https://git.itguys.com.br/joao.goncalves/NgixProxy_Pathfinder/raw/branch/main/Instal-Proxy-Sinc.sh"
TEMP_SCRIPT="/tmp/setup_latest.sh"
echo "A baixar a versão mais recente do instalador de: $UPDATE_SCRIPT_URL"
SSL_VERIFY_FLAG=""
if [ -d "/opt/config_repo/.git" ]; then
if [ "$(cd /opt/config_repo && git config --get http.sslVerify)" == "false" ]; then
SSL_VERIFY_FLAG="--insecure"
echo "[AVISO] A usar o modo inseguro para baixar a atualização devido à configuração do repositório."
fi
fi
if curl $SSL_VERIFY_FLAG -L "$UPDATE_SCRIPT_URL" -o "$TEMP_SCRIPT"; then
chmod +x "$TEMP_SCRIPT"
echo "Instalador baixado com sucesso. A executar a atualização..."
sudo "$TEMP_SCRIPT"
rm "$TEMP_SCRIPT"
echo "Atualização concluída!"
else
echo "ERRO: Falha ao baixar o script de atualização." >&2
exit 1
fi
exit 0

BIN
_automation_scripts/usr/share/man/man8/proxy-sinc.8.gz Normal file
View File

Binary file not shown.

88
_backup/conf.d/gps.oestepan.com.br.conf
View File

@ -1,88 +0,0 @@
# ==============================================================================
# ARQUIVO: /etc/nginx/sites-available/gps.oestepan.com.br.conf
# AUTOR: Gemini (Especialista NGINX)
# DATA: 27/01/2026
#
# CONTEXTO:
# Proxy Reverso para Traccar GPS (OESTEPAN).
# ModSecurity (WAF) termina o SSL e envia tráfego descriptografado para a porta 8080.
# ==============================================================================
upstream traccar_backend {
server host.docker.internal:8083;
keepalive 32;
}
# ------------------------------------------------------------------------------
# BLOCO PRINCIPAL: Porta 8080 (Tráfego vindo do ModSecurity)
# ------------------------------------------------------------------------------
server {
listen 8080;
listen [::]:8080;
server_name gps.oestepan.com.br;
include /etc/nginx/snippets/acme_challenge.conf;
limit_req zone=global_limit burst=20 nodelay;
# ============================================================================
# LOGS
# ============================================================================
client_max_body_size 50M;
access_log /var/log/nginx/gps.oestepan.com.br.access.log detailed_proxy;
error_log /var/log/nginx/gps.oestepan.com.br.error.log warn;
# ============================================================================
# ROTAS (Sem SSL pois o WAF já terminou a encriptação)
# ============================================================================
# 1. WebSocket
location /api/socket {
proxy_pass http://traccar_backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # Informa ao backend que é HTTPS
}
# 2. Rota Principal
location / {
proxy_pass http://traccar_backend;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https; # Informa ao backend que é HTTPS
proxy_buffering off;
proxy_request_buffering off;
proxy_read_timeout 90s;
}
}
# ------------------------------------------------------------------------------
# BLOCO DUMMY: Apenas para que o script renew_ssl.sh encontre os caminhos do SSL
# ------------------------------------------------------------------------------
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name gps.oestepan.com.br;
# Important: These paths MUST be in /etc/nginx/ssl/ (shared volume)
# so ModSecurity can access them. renew_ssl.sh will copy the certs here.
ssl_certificate /etc/nginx/ssl/gps.oestepan.com.br.fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/gps.oestepan.com.br.privkey.pem;
# Retorna 444 (No Response) se alguém tentar conectar direto (bypass WAF)
location / {
return 444;
}
}

12
_backup/conf.d/internal_networks.conf
View File

@ -1,12 +0,0 @@
# Internal Networks Configuration
# Define internal network ranges for access control
# Allow access from internal networks
allow 10.10.0.0/16;
allow 10.11.0.0/16;
allow 10.12.0.0/16;
allow 172.16.0.0/16;
allow 127.0.0.1;
# Deny all others (uncomment if needed)
# deny all;

75
_backup/modsec.conf.template
View File

@ -1,75 +0,0 @@
# Original of the latest recommended version:
# https://github.com/owasp-modsecurity/ModSecurity/blob/v3/master/modsecurity.conf-recommended
# Directives configured upstream (in the same order)
SecRuleEngine ${MODSEC_RULE_ENGINE}
SecRequestBodyAccess ${MODSEC_REQ_BODY_ACCESS}
SecRequestBodyLimit ${MODSEC_REQ_BODY_LIMIT}
SecRequestBodyNoFilesLimit ${MODSEC_REQ_BODY_NOFILES_LIMIT}
SecRequestBodyLimitAction ${MODSEC_REQ_BODY_LIMIT_ACTION}
SecRequestBodyJsonDepthLimit ${MODSEC_REQ_BODY_JSON_DEPTH_LIMIT}
SecArgumentsLimit ${MODSEC_ARGUMENTS_LIMIT}
SecPcreMatchLimit ${MODSEC_PCRE_MATCH_LIMIT}
SecPcreMatchLimitRecursion ${MODSEC_PCRE_MATCH_LIMIT_RECURSION}
SecResponseBodyAccess ${MODSEC_RESP_BODY_ACCESS}
SecResponseBodyMimeType ${MODSEC_RESP_BODY_MIMETYPE}
SecResponseBodyLimit ${MODSEC_RESP_BODY_LIMIT}
SecResponseBodyLimitAction ${MODSEC_RESP_BODY_LIMIT_ACTION}
SecTmpDir ${MODSEC_TMP_DIR}
SecDataDir ${MODSEC_DATA_DIR}
SecAuditEngine ${MODSEC_AUDIT_ENGINE}
SecAuditLogRelevantStatus "${MODSEC_AUDIT_LOG_RELEVANT_STATUS}"
SecAuditLogParts ${MODSEC_AUDIT_LOG_PARTS}
SecAuditLogType ${MODSEC_AUDIT_LOG_TYPE}
SecAuditLog ${MODSEC_AUDIT_LOG}
SecArgumentSeparator ${MODSEC_ARGUMENT_SEPARATOR}
SecCookieFormat ${MODSEC_COOKIE_FORMAT}
# SecUnicodeMapFile unicode.mapping ${MODSEC_UNICODE_MAPPING}
SecStatusEngine ${MODSEC_STATUS_ENGINE}
# Additional directives
SecAuditLogFormat ${MODSEC_AUDIT_LOG_FORMAT}
SecAuditLogStorageDir ${MODSEC_AUDIT_STORAGE_DIR}
SecDebugLog ${MODSEC_DEBUG_LOG}
SecDebugLogLevel ${MODSEC_DEBUG_LOGLEVEL}
SecDisableBackendCompression ${MODSEC_DISABLE_BACKEND_COMPRESSION}
SecTmpSaveUploadedFiles ${MODSEC_TMP_SAVE_UPLOADED_FILES}
SecUploadDir ${MODSEC_UPLOAD_DIR}
SecUploadFileMode ${MODSEC_UPLOAD_FILE_MODE}
SecUploadKeepFiles ${MODSEC_UPLOAD_KEEP_FILES}
# Rules configured upstream (in the same order)
SecRule REQUEST_HEADERS:Content-Type "^(?:application(?:/soap\+|/)|text/)xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
SecRule REQUEST_HEADERS:Content-Type "^application/json" \
"id:'200001',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
SecRule &ARGS "@ge ${MODSEC_ARGUMENTS_LIMIT}" \
"id:'200007', phase:2,t:none,log,deny,status:400,msg:'Failed to fully parse request body due to large argument count',severity:2"
SecRule REQBODY_ERROR "!@eq 0" \
"id:'200002', phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,status:400, \
msg:'Multipart request body failed strict validation: \
PE %{REQBODY_PROCESSOR_ERROR}, \
BQ %{MULTIPART_BOUNDARY_QUOTED}, \
BW %{MULTIPART_BOUNDARY_WHITESPACE}, \
DB %{MULTIPART_DATA_BEFORE}, \
DA %{MULTIPART_DATA_AFTER}, \
HF %{MULTIPART_HEADER_FOLDING}, \
LF %{MULTIPART_LF_LINE}, \
SM %{MULTIPART_MISSING_SEMICOLON}, \
IQ %{MULTIPART_INVALID_QUOTING}, \
IP %{MULTIPART_INVALID_PART}, \
IH %{MULTIPART_INVALID_HEADER_FOLDING}, \
FL %{MULTIPART_FILE_LIMIT_EXCEEDED}'"
SecRule MULTIPART_UNMATCHED_BOUNDARY "@eq 1" \
"id:'200004',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"
SecRule TX:/^MSC_/ "!@streq 0" \
"id:'200005',phase:2,t:none,log,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
# Additional rules
SecRule REQUEST_HEADERS:Content-Type "^application/[a-z0-9.-]+[+]json" \
"id:'200006',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON"
# Gemini: Include Custom Rules
include /etc/nginx/custom_rules/*.conf

2
_backup/modsec_includes.conf
View File

@ -1,2 +0,0 @@
# Include all custom rules form legacy migration
include /etc/nginx/custom_rules/*.conf

15
_backup/modsec_rules/exchange-rule-exceptions.conf
View File

@ -1,15 +0,0 @@
# Ficheiro de Exceções do ModSecurity para o Microsoft Exchange (ATUALIZADO)
# --------------------------------------------------------------------------
# Exchange Protocols Whitelist
# --------------------------------------------------------------------------
# Whitelists standard Exchange 2016/2019 paths to prevent WAF blocking
# essential email and admin functionality.
SecRule REQUEST_URI "@rx ^/(owa|ecp|Microsoft-Server-ActiveSync|EWS|OAB|Autodiscover|rpc|mapi)/" \
"id:10006, \
phase:1, \
pass, \
nolog, \
ctl:ruleEngine=Off, \
msg:'WHITELIST: Microsoft Exchange Services'"

45
_backup/modsec_rules/gitea-rule-exceptions.conf
View File

@ -1,45 +0,0 @@
# Ficheiro de Exceções do ModSecurity para o Gitea (ATUALIZADO)
# --------------------------------------------------------------------------
# Git Operations & Web Interface
# --------------------------------------------------------------------------
# ID 10008: Permitir operacoes de edição na UI
SecRule REQUEST_URI "@rx ^/.*/(src/branch|_edit|_new|commits/branch)/" \
"id:10008,phase:1,nolog,allow,ctl:ruleEngine=Off"
# ID 10011: Permitir acesso a assets e raw files
SecRule REQUEST_URI "@rx ^/.*/.*(raw|assets)/" \
"id:10011,phase:1,nolog,pass,ctl:ruleEngine=Off"
# ID 10013: Permitir acesso a arquivos .conf (git repos)
SecRule REQUEST_FILENAME "@rx \.conf$" \
"id:10013,phase:1,nolog,pass,chain,msg:'[CUSTOM] Whitelist .conf files for Git server'"
SecRule SERVER_NAME "@streq git.itguys.com.br" "ctl:ruleRemoveById=930120"
# ID 10025: Upload de Arquivos na UI
SecRule REQUEST_URI "@rx ^/[^/]+/[^/]+/upload-file$" \
"id:10025,phase:1,pass,nolog,ctl:ruleEngine=Off"
# ID 10026: Wiki
SecRule REQUEST_URI "@rx ^/[^/]+/[^/]+/wiki$" \
"id:10026,phase:1,pass,nolog,ctl:ruleEngine=Off"
# --------------------------------------------------------------------------
# Git Hooks & Uploads
# --------------------------------------------------------------------------
# ID 10040: Git Smart Protocol (Push/Pull)
# Disables rule engine and INCREASES request body limit for git-receive-pack (Push)
# to allow large uploads.
SecRule REQUEST_URI "@rx /git-(upload|receive)-pack$" \
"id:10040, \
phase:1, \
pass, \
nolog, \
ctl:ruleEngine=Off, \
ctl:requestBodyAccess=Off"
# ID 10041: Permitir LFS (Large File Storage) e Uploads via HTTP
SecRule REQUEST_URI "@rx /(info/lfs|objects/batch)" \
"id:10041,phase:1,pass,nolog,ctl:ruleEngine=Off"

14
_backup/modsec_rules/global-exceptions.conf
View File

@ -1,14 +0,0 @@
# ==========================================================================
# Arquivo Global de Exceções do ModSecurity
# ==========================================================================
# Este arquivo contém apenas regras genéricas ou de infraestrutura.
# Regras específicas de aplicações estão em arquivos separados.
# WHITELIST: Acesso permitido da rede interna, ModSecurity desativado
SecRule REMOTE_ADDR "@ipMatch 172.16.0.0/16,10.10.0.0/16,10.11.0.0/16,10.12.0.0/16" \
"id:10000, \
phase:1, \
pass, \
nolog, \
ctl:ruleEngine=Off, \
msg:'WHITELIST: Acesso permitido da rede interna, ModSecurity desativado'"

5
_backup/modsec_rules/grafana-rule-exceptions.conf
View File

@ -1,5 +0,0 @@
# Ficheiro de Exceções do ModSecurity para o Grafana
# ID 10009: Whitelist Grafana Dashboard API
SecRule REQUEST_URI "@beginsWith /api/dashboards/" \
"id:10009,phase:1,pass,nolog,allow,ctl:ruleRemoveById=9XXXXX"

30
_backup/modsec_rules/nextcloud-rule-exceptions.conf
View File

@ -1,30 +0,0 @@
# Ficheiro de Exceções do ModSecurity para o Nextcloud (ATUALIZADO)
# --------------------------------------------------------------------------
# Broad API & Extension Whitelist (User Request: "Liberate all APIs")
# --------------------------------------------------------------------------
# Allows /apps/, /ocs/ (Open Cloud Standard), and /remote.php (WebDAV)
# to ensure plugins and sync clients work without restriction.
SecRule REQUEST_URI "@rx ^/(index\.php/apps|apps|ocs|remote\.php)/" \
"id:10050,phase:1,pass,nolog,ctl:ruleEngine=Off"
# --------------------------------------------------------------------------
# Office Online (WOPI & Hosting)
# --------------------------------------------------------------------------
# Whitelist for Office Online server communication
SecRule REQUEST_URI "@rx ^/(hosting|op|we|wv|p|x|lo|m|o|browser)/" \
"id:10014,phase:1,pass,nolog,ctl:ruleEngine=Off"
# Proxy Whitelist for Office Online (Internal)
SecRule REMOTE_ADDR "@ipMatch 172.16.254.1" \
"id:10034,phase:1,pass,nolog,chain,msg:'WHITELIST: [Proxy 172.16.254.1] Office Online WOPI'"
SecRule REQUEST_URI "@beginsWith /index.php/apps/officeonline/wopi/files/" "ctl:ruleEngine=Off"
# --------------------------------------------------------------------------
# Specific Sync & Discovery (Legacy/Specific IDs reserved)
# --------------------------------------------------------------------------
SecRule REQUEST_URI "@streq /.well-known/caldav" "id:10002,phase:1,pass,nolog,ctl:ruleEngine=Off"
SecRule REQUEST_URI "@streq /.well-known/carddav" "id:10003,phase:1,pass,nolog,ctl:ruleEngine=Off"
# Preview Generator
SecRule REQUEST_URI "@beginsWith /index.php/core/preview" "id:10010,phase:1,pass,nolog,ctl:ruleRemoveById=9XXXXX"

22
_backup/modsec_rules/zabbix-rule-exceptions.conf
View File

@ -1,22 +0,0 @@
# Ficheiro de Exceções do ModSecurity para o Zabbix (ATUALIZADO)
# --------------------------------------------------------------------------
# Zabbix Web Interface Protection
# --------------------------------------------------------------------------
# REMOVED: zabbix.php whitelist. The UI should be protected by WAF.
# REMOVED: api_jsonrpc.php whitelist. This should only be accessed via VPN
# (covered by Global Internal Network rule 10000).
# --------------------------------------------------------------------------
# Dashboard Noise Reduction
# --------------------------------------------------------------------------
# Allows jsrpc.php which handles some background AJAX for the dashboard.
# If this causes security concerns, it can be removed, but usually generates false positives.
SecRule REQUEST_URI "@streq /jsrpc.php" \
"id:10004,phase:1,pass,nolog,ctl:ruleEngine=Off"
# --------------------------------------------------------------------------
# Host Discovery
# --------------------------------------------------------------------------
SecRule REQUEST_URI "@beginsWith /zabbix/host_discovery.php" \
"id:10005,phase:1,pass,nolog,ctl:ruleRemoveById=9XXXXX,ctl:ruleRemoveById=9YYYYY"

5
_backup/modsec_rules/zammad-rule-exceptions.conf
View File

@ -1,5 +0,0 @@
# Ficheiro de Exceções do ModSecurity para o Zammad
# ID 10007: Whitelist Zammad API
SecRule REQUEST_URI "@beginsWith /api/v1/" \
"id:10007,phase:1,pass,nolog,allow,ctl:ruleRemoveById=9XXXXX"

46
_backup/nginx.conf
View File

@ -1,46 +0,0 @@
load_module modules/ngx_http_brotli_filter_module.so;
load_module modules/ngx_http_brotli_static_module.so;
load_module modules/ngx_http_headers_more_filter_module.so;
user nginx;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 16384;
multi_accept on;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
server_tokens off;
proxy_headers_hash_bucket_size 512;
keepalive_timeout 65;
# SSL Session Cache
ssl_session_cache shared:SSL:60m;
# Include Snippets
# Include Snippets (Global HTTP context)
# Excludes acme_challenge.conf which is server-context only
include /etc/nginx/snippets/cache_zones.conf;
include /etc/nginx/snippets/log_formats.conf;
include /etc/nginx/snippets/rate_limit.conf;
include /etc/nginx/snippets/security_maps.conf;
# include /etc/nginx/snippets/custom_errors.conf; # Optional globally
# Global Fallback Logs
error_log /var/log/nginx/error.log warn;
access_log /var/log/nginx/access.log;
# Include Site Configurations
include /etc/nginx/conf.d/*.conf;
}

55
_backup/scripts/git_sync.sh
View File

@ -1,55 +0,0 @@
#!/bin/sh
# ==============================================================================
# SCRIPT: git_sync.sh
# AUTHOR: Gemini (Automated)
# PURPOSE: Pull latest changes from git and reload Nginx if successful
# CRON: Scheduled in pre-flight.sh
# ==============================================================================
REPO_DIR="/opt/repo"
# URL Encoded Password for 'o3!VV3H6qBg^rucv2UvF6mdK$NWyNj@3'
# ! = %21, ^ = %5E, $ = %24, @ = %40
GIT_USER="gitea-deploy"
GIT_PASS="o3%21VV3H6qBg%5Erucv2UvF6mdK%24NWyNj%403"
GIT_REPO="git.itguys.com.br/joao.goncalves/NgixProxy_Pathfinder.git"
BRANCH="producao"
GIT_URL="https://${GIT_USER}:${GIT_PASS}@${GIT_REPO}"
echo "[Git-Sync] $(date): Starting sync process..."
if [ ! -d "$REPO_DIR" ]; then
echo "[Git-Sync] ERROR: Repository directory $REPO_DIR does not exist."
exit 1
fi
# Trust the directory (fix for 'dubious ownership' in container)
git config --global --add safe.directory "$REPO_DIR"
cd "$REPO_DIR"
# Fetch and Pull
OUTPUT=$(git pull "$GIT_URL" "$BRANCH" 2>&1)
EXIT_CODE=$?
echo "[Git-Sync] Output: $OUTPUT"
if [ $EXIT_CODE -ne 0 ]; then
echo "[Git-Sync] ERROR: Git pull failed."
exit $EXIT_CODE
fi
if echo "$OUTPUT" | grep -q "Already up to date"; then
echo "[Git-Sync] No changes detected."
exit 0
else
echo "[Git-Sync] Changes detected. Validating Nginx config..."
if nginx -t; then
echo "[Git-Sync] Configuration valid. Reloading Nginx..."
nginx -s reload
echo "[Git-Sync] Reload successful."
else
echo "[Git-Sync] CRITICAL: Nginx configuration test failed! Not reloading."
exit 1
fi
fi

28
_backup/scripts/inject_acme.sh
View File

@ -1,28 +0,0 @@
#!/bin/sh
# Inject ACME challenge snippet into all site configs
# Target: Server blocks listening on port 80
CONF_DIR="/etc/nginx/conf.d"
SNIPPET="include /etc/nginx/snippets/acme_challenge.conf;"
echo "[Inject-ACME] Starting injection..."
for conf in $CONF_DIR/*.conf; do
[ -e "$conf" ] || continue
# Check if already injected
if grep -q "acme_challenge.conf" "$conf"; then
echo "[Inject-ACME] Skipping $conf (already has ACME snippet)"
continue
fi
echo "[Inject-ACME] Injecting into $conf..."
# Logic: Insert snippet before 'return 301' or inside 'listen 80' block
# Simplest reliable way with sed: match "listen 80;" and append snippet after it
# Note: Some configs might use "listen 80;" or "listen [::]:80;" or "listen 80 default_server;"
sed -i '/listen 80.*;/a \ '"$SNIPPET" "$conf"
done
echo "[Inject-ACME] Injection complete."

111
_backup/scripts/pre-flight.sh
View File

@ -1,111 +0,0 @@
#!/bin/sh
set -e
echo "[Pre-Flight] Starting checks..."
# Check environment
if [ -z "$HOST_PUBLIC_IP" ]; then
echo "[Pre-Flight] WARNING: HOST_PUBLIC_IP not set. DNS checks might be inaccurate."
fi
# Iterate site configs for DNS checks
for conf in /etc/nginx/conf.d/*.conf; do
[ -e "$conf" ] || continue
echo "[Pre-Flight] Checking config: $conf"
# Simple extraction of server_name (naive, but works for standard configs)
DOMAINS=$(grep -E "^\s*server_name\s+" "$conf" | sed -r 's/.*server_name\s+(.*);/\1/')
for domain in $DOMAINS; do
if [ "$domain" = "_" ] || [ "$domain" = "localhost" ]; then continue; fi
echo "[Pre-Flight] Validating DNS for $domain..."
RESOLVED_IP=$(dig +short "$domain" @1.1.1.1 | tail -n 1)
if [ "$RESOLVED_IP" != "$HOST_PUBLIC_IP" ]; then
echo "[Pre-Flight] WARNING: Domain $domain resolves to $RESOLVED_IP, expected $HOST_PUBLIC_IP"
else
echo "[Pre-Flight] DNS OK: $domain -> $RESOLVED_IP"
fi
done
done
# Run SSL Renewal Check (handles its own iteration)
echo "[Pre-Flight] Running SSL renewal check..."
/scripts/renew_ssl.sh
# Setup Daily Cron for Renewal (run at 01:00)
# ==============================================================================
# GIT SYNC & DYNAMIC CONFIG SETUP
# ==============================================================================
REPO_DIR="/opt/repo"
GIT_USER="gitea-deploy"
GIT_PASS="o3%21VV3H6qBg%5Erucv2UvF6mdK%24NWyNj%403"
GIT_REPO="git.itguys.com.br/joao.goncalves/NgixProxy_Pathfinder.git"
GIT_URL="https://${GIT_USER}:${GIT_PASS}@${GIT_REPO}"
echo "[Pre-Flight] Checking repository at $REPO_DIR..."
if [ ! -d "$REPO_DIR/.git" ]; then
echo "[Pre-Flight] Repository not found. Cloning..."
# Ensure dir exists
mkdir -p "$REPO_DIR"
# Clone
git clone "$GIT_URL" "$REPO_DIR"
else
echo "[Pre-Flight] Repository exists. Pulling latest..."
cd "$REPO_DIR"
git config --global --add safe.directory "$REPO_DIR"
# Attempt pull, if fails (lock file or corruption), wipe and re-clone
if ! git pull; then
echo "[Pre-Flight] ERROR: Git pull failed (likely corrupt ref/lock). Re-cloning..."
# If REPO_DIR is a mountpoint, we cannot remove it. We must empty it.
# find is safer than globbing for hidden files
find "$REPO_DIR" -mindepth 1 -delete
git clone "$GIT_URL" "$REPO_DIR"
fi
fi
# SYMLINK SETUP
# We want Nginx to use the configs from the repo (dynamic) instead of the baked-in ones (static).
echo "[Pre-Flight] Setting up symlinks..."
# 1. conf.d (Sites)
if [ -d "$REPO_DIR/conf.d" ]; then
echo "[Pre-Flight] Linking conf.d..."
rm -rf /etc/nginx/conf.d
ln -s "$REPO_DIR/conf.d" /etc/nginx/conf.d
fi
# 2. snippets (Optional, but good for consistency)
if [ -d "$REPO_DIR/snippets" ]; then
echo "[Pre-Flight] Linking snippets..."
rm -rf /etc/nginx/snippets
ln -s "$REPO_DIR/snippets" /etc/nginx/snippets
fi
# 3. ModSecurity Rules (Optional)
if [ -d "$REPO_DIR/modsec_rules" ]; then
echo "[Pre-Flight] Linking modsec_rules..."
rm -rf /etc/nginx/custom_rules
ln -s "$REPO_DIR/modsec_rules" /etc/nginx/custom_rules
fi
# Setup Daily Cron for Renewal (run at 01:00)
echo "0 1 * * * /scripts/renew_ssl.sh >> /var/log/nginx/ssl_renew.log 2>&1" >> /etc/crontabs/root
# Setup Git Sync Cron (Run every 5 minutes)
echo "*/5 * * * * /scripts/git_sync.sh >> /var/log/nginx/git_sync.log 2>&1" >> /etc/crontabs/root
# Start Crond in background
crond -b -l 8
echo "[Pre-Flight] Checks complete. Starting NGINX..."
# Background: Trigger SSL renewal again in 60s
# This catches the fresh snakeoil certs (1 day expire) and renews them using the NOW RUNNING Nginx.
(sleep 60 && /scripts/renew_ssl.sh >> /var/log/nginx/ssl_bootstrap.log 2>&1) &
exec "$@"

24
_backup/scripts/reload.ps1
View File

@ -1,24 +0,0 @@
$ContainerName = "nginx-proxy"
Write-Host "[Reload] Checking configuration in $ContainerName..." -ForegroundColor Cyan
# 1. Validate Configuration
docker exec $ContainerName nginx -t
if ($LASTEXITCODE -eq 0) {
Write-Host "[Reload] Configuration is VALID." -ForegroundColor Green
# 2. Graceful Reload
Write-Host "[Reload] Triggering graceful reload..." -ForegroundColor Cyan
docker exec $ContainerName nginx -s reload
if ($LASTEXITCODE -eq 0) {
Write-Host "[Reload] ✅ Reload signal sent successfully." -ForegroundColor Green
Write-Host "[Reload] Zero-downtime update in progress." -ForegroundColor Green
} else {
Write-Host "[Reload] ❌ Failed to send reload signal." -ForegroundColor Red
exit 1
}
} else {
Write-Host "[Reload] ❌ Configuration is INVALID. Aborting reload." -ForegroundColor Red
exit 1
}

26
_backup/scripts/reload.sh
View File

@ -1,26 +0,0 @@
#!/bin/bash
# Zero-Downtime Reload Script
# Validates config first, then reloads NGINX gracefully.
CONTAINER_NAME="nginx-proxy"
echo "[Reload] Checking configuration in $CONTAINER_NAME..."
# 1. Validate Configuration (nginx -t)
if docker exec "$CONTAINER_NAME" nginx -t; then
echo "[Reload] Configuration is VALID."
else
echo "[Reload] ❌ Configuration is INVALID. Aborting reload."
exit 1
fi
# 2. Graceful Reload (nginx -s reload)
# This starts new workers with new config, while old workers finish requests.
echo "[Reload] Triggering graceful reload..."
if docker exec "$CONTAINER_NAME" nginx -s reload; then
echo "[Reload] ✅ Reload signal sent successfully."
echo "[Reload] Zero-downtime update in progress."
else
echo "[Reload] ❌ Failed to send reload signal."
exit 1
fi

105
_backup/scripts/renew_ssl.sh
View File

@ -1,105 +0,0 @@
#!/bin/sh
# SSL Renewal Script
# Checks expiry and attempts renewal if < 3 days
echo "[SSL-Renew] Starting check at $(date)..."
# Ensure ACME snippet is present (idempotent)
/scripts/inject_acme.sh
# Iterate configs to find certs
for conf in /etc/nginx/conf.d/*.conf; do
[ -e "$conf" ] || continue
# Extract Cert File
CRT_FILE=$(grep -E "\s*ssl_certificate\s+" "$conf" | sed -r 's/.*ssl_certificate\s+(.*);/\1/' | head -n 1)
# Extract Server Name for Certbot
DOMAIN=$(grep -E "\s*server_name\s+" "$conf" | sed -r 's/.*server_name\s+(.*);/\1/' | head -n 1)
# Validation: Skip configs without SSL or Domain
if [ -z "$CRT_FILE" ] || [ -z "$DOMAIN" ]; then
# echo "[SSL-Renew] Skipping $conf (No SSL/Domain found)"
continue
fi
if [ -f "$CRT_FILE" ]; then
# Check if cert expires in the next 3 days (259200 seconds)
# openssl -checkend returns 0 if valid for the duration, 1 if expires
if openssl x509 -checkend 259200 -noout -in "$CRT_FILE" > /dev/null; then
echo "[SSL-Renew] Cert for $DOMAIN is valid."
else
echo "[SSL-Renew] WARNING: Cert for $DOMAIN expires soon (or is invalid)!"
echo "[SSL-Renew] Attempting renewal via Certbot..."
# Attempt non-interactive renewal
certbot certonly --webroot -w /var/www/certbot \
-d "$DOMAIN" \
--email suporte@itguys.com.br \
--agree-tos \
--no-eff-email \
--non-interactive \
--keep-until-expiring
if [ $? -eq 0 ]; then
echo "[SSL-Renew] Certbot success. Updating symlinks/files..."
LE_CERT="/etc/letsencrypt/live/$DOMAIN/fullchain.pem"
LE_KEY="/etc/letsencrypt/live/$DOMAIN/privkey.pem"
if [ -f "$LE_CERT" ]; then
cp "$LE_CERT" "$CRT_FILE"
chmod 644 "$CRT_FILE"
# Key file assumption: usually same name but .key/privkey.pem
KEY_FILE=$(grep -E "\s*ssl_certificate_key\s+" "$conf" | sed -r 's/.*ssl_certificate_key\s+(.*);/\1/' | head -n 1)
if [ -f "$KEY_FILE" ]; then
# If key path is found, copy it
cp "$LE_KEY" "$KEY_FILE"
chmod 644 "$KEY_FILE"
else
# Fallback: try to derive key path from cert path if variable is empty
# (This handles edge cases where parsing failed but cert existed)
echo "[SSL-Renew] Warning: Could not parse ssl_certificate_key from config."
fi
echo "[SSL-Renew] Files updated. Queuing NGINX reload."
RELOAD_NEEDED=1
fi
else
echo "[SSL-Renew] Certbot failed for $DOMAIN."
fi
fi
else
echo "[SSL-Renew] CRT Not Found for $DOMAIN. Generating Self-Signed Bootstrap Cert..."
# Ensure dir exists
mkdir -p "$(dirname "$CRT_FILE")"
KEY_FILE=$(grep -E "\s*ssl_certificate_key\s+" "$conf" | sed -r 's/.*ssl_certificate_key\s+(.*);/\1/' | head -n 1)
if [ -z "$KEY_FILE" ]; then
echo "[SSL-Renew] Error: Cannot determine key file path for bootstrap. Skipping."
continue
fi
mkdir -p "$(dirname "$KEY_FILE")"
# Generate minimal self-signed cert valid for 1 day (forces renewal next run)
openssl req -x509 -nodes -days 1 -newkey rsa:2048 \
-keyout "$KEY_FILE" \
-out "$CRT_FILE" \
-subj "/C=BR/ST=SP/L=Bootstrap/O=ITGuys/CN=$DOMAIN"
chmod 644 "$KEY_FILE" "$CRT_FILE"
echo "[SSL-Renew] Bootstrap Cert created. Nginx should be able to start."
fi
done
if [ "$RELOAD_NEEDED" = "1" ]; then
echo "[SSL-Renew] Reloading NGINX..."
nginx -s reload
fi
echo "[SSL-Renew] Check complete."

9
_backup/snippets/acme_challenge.conf
View File

@ -1,9 +0,0 @@
# ACME Challenge Snippet
# Include this in port 80 server blocks to allow Certbot validation
location ^~ /.well-known/acme-challenge/ {
root /var/www/certbot;
try_files $uri =404;
allow all;
auth_basic off;
}

33
_backup/snippets/cache_zones.conf
View File

@ -1,33 +0,0 @@
# Cache Zone Definitions
# Include this file in nginx.conf http block
# General caches
proxy_cache_path /var/cache/nginx/static_cache levels=1:2 keys_zone=static_cache:10m max_size=2g inactive=90d use_temp_path=off;
proxy_cache_path /var/cache/nginx/api_cache levels=1:2 keys_zone=api_cache:10m max_size=100m inactive=5m use_temp_path=off;
# Site-specific caches
proxy_cache_path /var/cache/nginx/itguys_cache levels=1:2 keys_zone=itguys_cache:10m inactive=60m max_size=1g;
proxy_cache_path /var/cache/nginx/business_cache levels=1:2 keys_zone=business_cache:10m inactive=60m max_size=1g;
proxy_cache_path /var/cache/nginx/gitea_cache levels=1:2 keys_zone=gitea_cache:10m inactive=60m max_size=1g;
proxy_cache_path /var/cache/nginx/zammad_cache levels=1:2 keys_zone=zammad_cache:10m max_size=500m inactive=60m use_temp_path=off;
proxy_cache_path /var/cache/nginx/grafana_cache levels=1:2 keys_zone=grafana_cache:10m inactive=60m max_size=1g;
proxy_cache_path /var/cache/nginx/unifi_cache levels=1:2 keys_zone=unifi_cache:10m inactive=60m max_size=1g;
proxy_cache_path /var/cache/nginx/workspace_cache levels=1:2 keys_zone=workspace_cache:10m max_size=1g inactive=60m use_temp_path=off;
proxy_cache_path /var/cache/nginx/solucionei_cache levels=1:2 keys_zone=solucionei_cache:20m max_size=2g inactive=90d use_temp_path=off;
proxy_cache_path /var/cache/nginx/rhema_cache levels=1:2 keys_zone=rhema_cache:20m max_size=2g inactive=90d use_temp_path=off;
proxy_cache_path /var/cache/nginx/vcenter_cache levels=1:2 keys_zone=vcenter_cache:10m max_size=1g inactive=60m use_temp_path=off;
proxy_cache_path /var/cache/nginx/ferreirareal_cache levels=1:2 keys_zone=ferreirareal_cache:10m inactive=60m max_size=1g;
proxy_cache_path /var/cache/nginx/snipeit_cache levels=1:2 keys_zone=snipeit_cache:10m inactive=60m max_size=1g;
proxy_cache_path /var/cache/nginx/technitium_cache levels=1:2 keys_zone=technitium_cache:10m inactive=60m max_size=1g;
proxy_cache_path /var/cache/nginx/magnusbilling_cache levels=1:2 keys_zone=magnusbilling_cache:10m max_size=1g inactive=7d use_temp_path=off;
# Nextcloud caches
proxy_cache_path /var/cache/nginx/nextcloud_private_cache levels=1:2 keys_zone=nextcloud_private_cache:20m max_size=1g inactive=15m use_temp_path=off;
proxy_cache_path /var/cache/nginx/nextcloud_previews_cache levels=1:2 keys_zone=nextcloud_previews:20m max_size=2g inactive=7d use_temp_path=off;
proxy_cache_path /var/cache/nginx/nextcloud_cache_grupopralog levels=1:2 keys_zone=nextcloud_cache:120m max_size=10g inactive=6h use_temp_path=off;
proxy_cache_path /var/cache/nginx/nextcloud_session_cache levels=1:2 keys_zone=nextcloud_session_cache:50m max_size=500m inactive=30m use_temp_path=off;
proxy_cache_path /var/cache/nginx/foldertree_cache keys_zone=foldertree_cache:10m levels=1:2 inactive=1m max_size=100m;
# Exchange/Zabbix caches
proxy_cache_path /var/cache/nginx/zabbix_cache levels=1:2 keys_zone=zabbix_cache:10m max_size=1g inactive=60m use_temp_path=off;
proxy_cache_path /var/cache/nginx/exchange_private_cache levels=1:2 keys_zone=exchange_private_cache:20m max_size=500m inactive=10m use_temp_path=off;

11
_backup/snippets/custom_errors.conf
View File

@ -1,11 +0,0 @@
# Custom Error Pages Snippet
# Include this file INSIDE a server block
# Custom error pages
error_page 502 @error_502;
error_page 503 @error_503;
error_page 504 @error_504;
# Named locations for error handling
# These should be defined in the server block, not here
# The including site config should define its own error handling locations

11
_backup/snippets/docker_resolver.conf
View File

@ -1,11 +0,0 @@
# Docker DNS Resolver
# Use dentro de location blocks quando precisar resolver
# nomes de containers dinamicamente (ex: com variáveis)
#
# Uso:
# set $backend "container-name:port";
# include /etc/nginx/snippets/docker_resolver.conf;
# proxy_pass http://$backend;
resolver 127.0.0.11 valid=30s ipv6=off;
resolver_timeout 5s;

77
_backup/snippets/log_formats.conf
View File

@ -1,77 +0,0 @@
# Log Format Definitions
# Include this file in nginx.conf http block
log_format detailed_proxy escape=json
'{'
# Timestamps e Identificadores
'"@timestamp":"$time_iso8601",'
'"time_local":"$time_local",'
'"msec":"$msec",'
'"request_id":"$request_id",'
'"hostname":"$hostname",'
'"worker_pid":$pid,'
# Informações de Conexão e Cliente
'"remote_addr":"$remote_addr",'
'"remote_port":$remote_port,'
'"server_addr":"$server_addr",'
'"server_port":"$server_port",'
'"real_ip":"$http_x_forwarded_for",'
'"http_x_real_ip":"$http_x_real_ip",'
'"remote_user":"$remote_user",'
# Detalhes da Requisição HTTP
'"request":"$request",'
'"request_method":"$request_method",'
'"scheme":"$scheme",'
'"server_protocol":"$server_protocol",'
'"host_header":"$host",'
'"request_uri":"$request_uri",'
'"uri":"$uri",'
'"document_uri":"$document_uri",'
'"args":"$args",'
'"query_string":"$query_string",'
'"request_length":$request_length,'
# Headers da Requisição
'"http_referer":"$http_referer",'
'"http_user_agent":"$http_user_agent",'
'"http_accept_encoding":"$http_accept_encoding",'
'"http_accept_language":"$http_accept_language",'
# Detalhes da Resposta
'"status":$status,'
'"body_bytes_sent":$body_bytes_sent,'
'"bytes_sent":$bytes_sent,'
'"sent_http_content_type":"$sent_http_content_type",'
'"sent_http_cache_control":"$sent_http_cache_control",'
# Performance e Conexão
'"request_time":$request_time,'
'"connection":"$connection",'
'"connection_requests":$connection_requests,'
# SSL/TLS
'"ssl_protocol":"$ssl_protocol",'
'"ssl_cipher":"$ssl_cipher",'
'"ssl_session_reused":"$ssl_session_reused",'
# Upstream
'"upstream_addr":"$upstream_addr",'
'"upstream_status":"$upstream_status",'
'"upstream_connect_time":"$upstream_connect_time",'
'"upstream_header_time":"$upstream_header_time",'
'"upstream_response_time":"$upstream_response_time",'
'"upstream_cache_status":"$upstream_cache_status",'
# Compressão
'"compression_ratio":"$gzip_ratio",'
# Variáveis Customizadas
'"is_bad_bot":"$is_bad_bot",'
'"is_suspicious_uri":"$is_suspicious_uri",'
'"block_request":"$block_request",'
'"is_internal_ip":"$is_internal"'
'}';
log_format suspicious_bot 'SUSPICIOUS_BOT: $remote_addr - "$http_user_agent" - "$request"';

6
_backup/snippets/rate_limit.conf
View File

@ -1,6 +0,0 @@
# Rate Limit Zones
# Include this file in nginx.conf http block
# Smart rate limiting - excludes internal IPs
limit_req_zone $limit_key zone=global_limit:20m rate=10r/s;
limit_req_zone $bad_bot_key zone=bad_bot_limit:10m rate=5r/m;

49
_backup/snippets/security_maps.conf
View File

@ -1,49 +0,0 @@
# Security Maps and Variables
# Include this file in nginx.conf http block
# Bad Bot Detection
map $http_user_agent $is_bad_bot {
default 0;
~*(nikto|sqlmap|wpscan|gobuster|dirbuster|feroxbuster|nessus|nmap|curl) 1;
}
# Suspicious URI Detection
map $request_uri $is_suspicious_uri {
default 0;
~*(\.env|\.git|/vendor/|/setup\.php|/\.well-known/|/phpmyadmin|/config\.php|composer\.json) 1;
}
# Combined Block Request
map $is_bad_bot$is_suspicious_uri $block_request {
default 0;
~1 1;
}
# Internal IP Detection
geo $is_internal {
default 0;
10.10.0.0/16 1; 10.11.0.0/16 1; 10.12.0.0/16 1; 172.16.0.0/16 1;
45.169.73.155 1; 201.73.213.130 1; 177.74.160.17 1; 177.74.160.18 1;
177.74.160.19 1; 177.74.160.20 1; 177.74.160.21 1; 177.74.160.22 1;
177.74.160.23 1; 45.169.87.168 1; 45.169.87.169 1; 45.169.87.170 1;
45.169.87.171 1; 45.169.87.172 1; 45.169.87.173 1; 45.169.87.174 1;
45.169.87.175 1; 45.169.73.154 1; 201.73.213.129 1;
}
# Rate Limit Key (excludes internal IPs)
map $is_internal $limit_key {
0 $binary_remote_addr;
1 "";
}
# Bad Bot Rate Limit Key
map $is_bad_bot $bad_bot_key {
1 $binary_remote_addr;
default "";
}
# Cache Asset TTL
map $request_uri $cache_asset {
~*\.(css|js|mjs|svg|gif|png|jpg|jpeg|ico|wasm|woff|woff2|ttf|otf)$ 1y;
default off;
}

30
_deployment_logs/srvproxy001.itguys.com.br.md Normal file
View File

@ -0,0 +1,30 @@
# Registo de Deploy do Proxy-Sinc
**Servidor:** srvproxy001.itguys.com.br
**Instalado por:** joao.goncalves
**Data de Instalação:** ter 16 set 2025 19:03:23 -03
---
**Tipo de Ação:** Instalação Manual Inicial
**Executado por:** joao.goncalves@itguys.com.br
**Data:** ter 16 set 2025 20:13:37 -03
---
**Tipo de Ação:** Atualização Manual
**Executado por:** joao.goncalves@itguys.com.br
**Data:** ter 16 set 2025 20:16:56 -03
---
**Tipo de Ação:** Atualização Manual
**Executado por:** joao.goncalves@itguys.com.br
**Data:** ter 16 set 2025 20:29:19 -03
---
**Tipo de Ação:** Atualização Manual
**Executado por:** joao.goncalves@itguys.com.br
**Data:** ter 16 set 2025 20:35:37 -03
---
**Tipo de Ação:** Atualização Manual
**Executado por:** joao.goncalves@itguys.com.br
**Data:** ter 16 set 2025 20:41:37 -03

25
caddy_core/Caddyfile
View File

@ -1,25 +0,0 @@
{
# Global Options
email admin@oestepan.com.br
# Enable Admin API for the watcher to trigger reloads
admin :2019
}
# Import dynamic sites
import sites/*
# Default Site: Traccar GPS
gps.oestepan.com.br {
# Reverse Proxy to the backend service
reverse_proxy host.docker.internal:8083 {
# Trust original IPs
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
}
# Enable logging
log {
output file /var/log/caddy/gps.access.log
}
}

15
deploy.sh
View File

@ -1,15 +0,0 @@
#!/bin/bash
set -e
echo "Deploying Caddy Proxy..."
# Pull latest code
git pull
# Ensure containers are up
docker compose up -d
# Force a reload just in case
docker compose exec caddy caddy reload
echo "Deployment Complete."

21
docker-compose.yml
View File

@ -1,21 +0,0 @@
services:
caddy:
image: caddy:latest
container_name: proxy_caddy
restart: always
ports:
- "80:80"
- "443:443"
volumes:
- ./caddy_core/Caddyfile:/etc/caddy/Caddyfile
- ./sites:/etc/caddy/sites
- caddy_data:/data
- caddy_config:/config
- caddy_logs:/var/log/caddy
extra_hosts:
- "host.docker.internal:host-gateway"
volumes:
caddy_data:
caddy_config:
caddy_logs:

104
fail2ban/action.d/abuseipdb.conf Normal file
View File

@ -0,0 +1,104 @@
# Fail2ban configuration file
#
# Action to report IP address to abuseipdb.com
# You must sign up to obtain an API key from abuseipdb.com.
#
# NOTE: These reports may include sensitive Info.
# If you want cleaner reports that ensure no user data see the helper script at the below website.
#
# IMPORTANT:
#
# Reporting an IP of abuse is a serious complaint. Make sure that it is
# serious. Fail2ban developers and network owners recommend you only use this
# action for:
# * The recidive where the IP has been banned multiple times
# * Where maxretry has been set quite high, beyond the normal user typing
# password incorrectly.
# * For filters that have a low likelihood of receiving human errors
#
# This action relies on a api_key being added to the above action conf,
# and the appropriate categories set.
#
# Example, for ssh bruteforce (in section [sshd] of `jail.local`):
# action = %(known/action)s
# abuseipdb[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]
#
# See below for categories.
#
# Added to fail2ban by Andrew James Collett (ajcollett)
## abuseIPDB Categories, `the abuseipdb_category` MUST be set in the jail.conf action call.
# Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"]
# ID Title Description
# 3 Fraud Orders
# 4 DDoS Attack
# 9 Open Proxy
# 10 Web Spam
# 11 Email Spam
# 14 Port Scan
# 18 Brute-Force
# 19 Bad Web Bot
# 20 Exploited Host
# 21 Web App Attack
# 22 SSH Secure Shell (SSH) abuse. Use this category in combination with more specific categories.
# 23 IoT Targeted
# See https://abuseipdb.com/categories for more descriptions
[Definition]
# bypass action for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
#
# ** IMPORTANT! **
#
# By default, this posts directly to AbuseIPDB's API, unfortunately
# this results in a lot of backslashes/escapes appearing in the
# reports. This also may include info like your hostname.
# If you have your own web server with PHP available, you can
# use my (Shaun's) helper PHP script by commenting out the first #actionban
# line below, uncommenting the second one, and pointing the URL at
# wherever you install the helper script. For the PHP helper script, see
# <https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban>
#
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = lgm=$(printf '%%.1000s\n...' "<matches>"); curl -sSf "https://api.abuseipdb.com/api/v2/report" -H "Accept: application/json" -H "Key: <abuseipdb_apikey>" --data-urlencode "comment=$lgm" --data-urlencode "ip=<ip>" --data "categories=<abuseipdb_category>"
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =
[Init]
# Option: abuseipdb_apikey
# Notes Your API key from abuseipdb.com
# Values: STRING Default: None
# Register for abuseipdb [https://www.abuseipdb.com], get api key and set below.
# You will need to set the category in the action call.
abuseipdb_apikey =

25
fail2ban/action.d/apf.conf Normal file
View File

@ -0,0 +1,25 @@
# Fail2Ban configuration file
# https://www.rfxn.com/projects/advanced-policy-firewall/
#
# Note: APF doesn't play nicely with other actions. It has been observed to
# remove bans created by other iptables based actions. If you are going to use
# this action, use it for all of your jails.
#
# DON'T MIX APF and other IPTABLES based actions
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = apf --deny <ip> "banned by Fail2Ban <name>"
actionunban = apf --remove <ip>
[Init]
# Name used in APF configuration
#
name = default
# DEV NOTES:
#
# Author: Mark McKinstry

49
fail2ban/action.d/apprise.conf Normal file
View File

@ -0,0 +1,49 @@
# Fail2Ban configuration file
#
# Author: Chris Caron <lead2gold@gmail.com>
#
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = printf %%b "The jail <name> as been started successfully." | <apprise> -t "[Fail2Ban] <name>: started on `uname -n`"
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = printf %%b "The jail <name> has been stopped." | <apprise> -t "[Fail2Ban] <name>: stopped on `uname -n`"
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <name>" | <apprise> -n "warning" -t "[Fail2Ban] <name>: banned <ip> from `uname -n`"
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =
[Init]
# Define location of the default apprise configuration file to use
#
config = /etc/fail2ban/apprise.conf
#
apprise = apprise -c "<config>"

84
fail2ban/action.d/blocklist_de.conf Normal file
View File

@ -0,0 +1,84 @@
# Fail2Ban configuration file
#
# Author: Steven Hiscocks
#
#
# Action to report IP address to blocklist.de
# Blocklist.de must be signed up to at www.blocklist.de
# Once registered, one or more servers can be added.
# This action requires the server 'email address' and the associated apikey.
#
# From blocklist.de:
# www.blocklist.de is a free and voluntary service provided by a
# Fraud/Abuse-specialist, whose servers are often attacked on SSH-,
# Mail-Login-, FTP-, Webserver- and other services.
# The mission is to report all attacks to the abuse departments of the
# infected PCs/servers to ensure that the responsible provider can inform
# the customer about the infection and disable them
#
# IMPORTANT:
#
# Reporting an IP of abuse is a serious complaint. Make sure that it is
# serious. Fail2ban developers and network owners recommend you only use this
# action for:
# * The recidive where the IP has been banned multiple times
# * Where maxretry has been set quite high, beyond the normal user typing
# password incorrectly.
# * For filters that have a low likelihood of receiving human errors
#
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = curl --fail --data-urlencode "server=<email>" --data "apikey=<apikey>" --data "service=<service>" --data "ip=<ip>" --data-urlencode "logs=<matches><br>" --data 'format=text' --user-agent "<agent>" "https://www.blocklist.de/en/httpreports.html"
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =
# Option: email
# Notes server email address, as per blocklist.de account
# Values: STRING Default: None
#
#email =
# Option: apikey
# Notes your user blocklist.de user account apikey
# Values: STRING Default: None
#
#apikey =
# Option: service
# Notes service name you are reporting on, typically aligns with filter name
# see http://www.blocklist.de/en/httpreports.html for full list
# Values: STRING Default: None
#
#service =

94
fail2ban/action.d/bsd-ipfw.conf Normal file
View File

@ -0,0 +1,94 @@
# Fail2Ban configuration file
#
# Author: Nick Munger
# Modified by: Ken Menzel
# Daniel Black (start/stop)
# Fabian Wenk (many ideas as per fail2ban users list)
#
# Ensure firewall_enable="YES" in the top of /etc/rc.conf
#
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = ipfw show | fgrep -c -m 1 -s 'table(<table>)' > /dev/null 2>&1 || (
num=$(ipfw show | awk 'BEGIN { b = <lowest_rule_num> } { if ($1 == b) { b = $1 + 1 } } END { print b }');
ipfw -q add "$num" <blocktype> <block> from table\(<table>\) to me <port>; echo "$num" > "<startstatefile>"
)
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = [ ! -f <startstatefile> ] || ( read num < "<startstatefile>" <br> ipfw -q delete $num <br> rm "<startstatefile>" )
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
# requires an ipfw rule like "deny ip from table(1) to me"
actionban = e=`ipfw table <table> add <ip> 2>&1`; x=$?; [ $x -eq 0 -o "$e" = 'ipfw: setsockopt(IP_FW_TABLE_XADD): File exists' ] || echo "$e" | grep -q "record already exists" || { echo "$e" 1>&2; exit $x; }
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = e=`ipfw table <table> delete <ip> 2>&1`; x=$?; [ $x -eq 0 -o "$e" = 'ipfw: setsockopt(IP_FW_TABLE_XDEL): No such process' ] || echo "$e" | grep -q "record not found" || { echo "$e" 1>&2; exit $x; }
[Init]
# Option: table
# Notes: The ipfw table to use. If a ipfw rule using this table already exists,
# this action will not create a ipfw rule to block it and the following
# options will have no effect.
# Values: NUM
table = 1
# Option: port
# Notes.: Specifies port to monitor. Blank indicate block all ports.
# Values: [ NUM | STRING ]
#
port =
# Option: startstatefile
# Notes: A file to indicate that the table rule that was added. Ensure it is unique per table.
# Values: STRING
startstatefile = /var/run/fail2ban/ipfw-started-table_<table>
# Option: block
# Notes: This is how much to block.
# Can be "ip", "tcp", "udp" or various other options.
# Values: STRING
block = ip
# Option: blocktype
# Notes.: How to block the traffic. Use a action from man 5 ipfw
# Common values: deny, unreach port, reset
# ACTION defination at the top of man ipfw for allowed values.
# Values: STRING
#
blocktype = unreach port
# Option: lowest_rule_num
# Notes: When fail2ban starts with action and there is no rule for the given table yet
# then fail2ban will start looking for an empty slot starting with this rule number.
# Values: NUM
lowest_rule_num = 111

92
fail2ban/action.d/cloudflare-token.conf Normal file
View File

@ -0,0 +1,92 @@
#
# Author: Logic-32
#
# IMPORTANT
#
# Please set jail.local's permission to 640 because it contains your CF API token.
#
# This action depends on curl.
#
# To get your Cloudflare API token: https://developers.cloudflare.com/api/tokens/create/
#
# Cloudflare Firewall API: https://developers.cloudflare.com/firewall/api/cf-firewall-rules/endpoints/
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
actionban = curl -s -X POST "<_cf_api_url>" \
<_cf_api_prms> \
--data '{"mode":"<cfmode>","configuration":{"target":"<cftarget>","value":"<ip>"},"notes":"<notes>"}'
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = id=$(curl -s -X GET "<_cf_api_url>?mode=<cfmode>&notes=<notes>&configuration.target=<cftarget>&configuration.value=<ip>" \
<_cf_api_prms> \
| awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'id'\042/){print $(i+1)}}}' \
| tr -d ' "' \
| head -n 1)
if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found using target <cftarget>"; exit 0; fi; \
curl -s -X DELETE "<_cf_api_url>/$id" \
<_cf_api_prms> \
--data '{"cascade": "none"}'
_cf_api_url = https://api.cloudflare.com/client/v4/zones/<cfzone>/firewall/access_rules/rules
_cf_api_prms = -H "Authorization: Bearer <cftoken>" -H "Content-Type: application/json"
[Init]
# Declare your Cloudflare Authorization Bearer Token in the [DEFAULT] section of your jail.local file.
# The Cloudflare <ZONE_ID> of hte domain you want to manage.
#
# cfzone =
# Your personal Cloudflare token. Ideally restricted to just have "Zone.Firewall Services" permissions.
#
# cftoken =
# Target of the firewall rule. Default is "ip" (v4).
#
cftarget = ip
# The firewall mode Cloudflare should use. Default is "block" (deny access).
# Consider also "js_challenge" or other "allowed_modes" if you want.
#
cfmode = block
# The message to include in the firewall IP banning rule.
#
notes = Fail2Ban <name>
[Init?family=inet6]
cftarget = ip6

88
fail2ban/action.d/cloudflare.conf Normal file
View File

@ -0,0 +1,88 @@
#
# Author: Mike Rushton
#
# IMPORTANT
#
# Please set jail.local's permission to 640 because it contains your CF API key.
#
# This action depends on curl (and optionally jq).
# Referenced from http://www.normyee.net/blog/2012/02/02/adding-cloudflare-support-to-fail2ban by NORM YEE
#
# To get your CloudFlare API Key: https://www.cloudflare.com/a/account/my-account
#
# CloudFlare API error codes: https://www.cloudflare.com/docs/host-api.html#s4.2
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
# API v1
#actionban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
# API v4
actionban = curl -s -o /dev/null -X POST <_cf_api_prms> \
-d '{"mode":"block","configuration":{"target":"<cftarget>","value":"<ip>"},"notes":"Fail2Ban <name>"}' \
<_cf_api_url>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
# API v1
#actionunban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
# API v4
actionunban = id=$(curl -s -X GET <_cf_api_prms> \
"<_cf_api_url>?mode=block&configuration_target=<cftarget>&configuration_value=<ip>&page=1&per_page=1&notes=Fail2Ban%%20<name>" \
| { jq -r '.result[0].id' 2>/dev/null || tr -d '\n' | sed -nE 's/^.*"result"\s*:\s*\[\s*\{\s*"id"\s*:\s*"([^"]+)".*$/\1/p'; })
if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found"; exit 0; fi;
curl -s -o /dev/null -X DELETE <_cf_api_prms> "<_cf_api_url>/$id"
_cf_api_url = https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules
_cf_api_prms = -H 'X-Auth-Email: <cfuser>' -H 'X-Auth-Key: <cftoken>' -H 'Content-Type: application/json'
[Init]
# If you like to use this action with mailing whois lines, you could use the composite action
# action_cf_mwl predefined in jail.conf, just define in your jail:
#
# action = %(action_cf_mwl)s
# # Your CF account e-mail
# cfemail =
# # Your CF API Key
# cfapikey =
cftoken =
cfuser =
cftarget = ip
[Init?family=inet6]
cftarget = ip6

121
fail2ban/action.d/complain.conf Normal file
View File

@ -0,0 +1,121 @@
# Fail2Ban configuration file
#
# Author: Russell Odom <russ@gloomytrousers.co.uk>, Daniel Black
# Sends a complaint e-mail to addresses listed in the whois record for an
# offending IP address.
# This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
#
# DEPENDENCIES:
# This requires the dig command from bind-utils
#
# You should provide the <logpath> in the jail config - lines from the log
# matching the given IP address will be provided in the complaint as evidence.
#
# WARNING
# -------
#
# Please do not use this action unless you are certain that fail2ban
# does not result in "false positives" for your deployment. False
# positive reports could serve a mis-favor to the original cause by
# flooding corresponding contact addresses, and complicating the work
# of administration personnel responsible for handling (verified) legit
# complains.
#
# Please consider using e.g. sendmail-whois-lines.conf action which
# would send the reports with relevant information to you, so the
# report could be first reviewed and then forwarded to a corresponding
# contact if legit.
#
[INCLUDES]
before = helpers-common.conf
[Definition]
# Used in test cases for coverage internal transformations
debug = 0
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = oifs=${IFS};
RESOLVER_ADDR="%(addr_resolver)s"
if [ "<debug>" -gt 0 ]; then echo "try to resolve $RESOLVER_ADDR"; fi
ADDRESSES=$(dig +short -t txt -q $RESOLVER_ADDR | tr -d '"')
IFS=,; ADDRESSES=$(echo $ADDRESSES)
IFS=${oifs}
IP=<ip>
if [ ! -z "$ADDRESSES" ]; then
( printf %%b "<message>\n"; date '+Note: Local timezone is %%z (%%Z)';
printf %%b "\nLines containing failures of <ip> (max <grepmax>)\n";
%(_grep_logs)s;
) | <mailcmd> "Abuse from <ip>" <mailargs> $ADDRESSES
fi
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =
# Server as resolver used in dig command
#
addr_resolver = <ip-rev>abuse-contacts.abusix.org
# Default message used for abuse content
#
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to a abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban.\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n
# Path to the log files which contain relevant lines for the abuser IP
#
logpath = /dev/null
# Option: mailcmd
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD
#
mailcmd = mail -E 'set escape' -s
# Option: mailargs
# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
# CC reports to another address:
# -c me@example.com
# Appear to come from a different address - the '--' indicates
# arguments to be passed to Sendmail:
# -- -f me@example.com
# Values: [ STRING ]
#
mailargs =
# Number of log lines to include in the email
#
#grepmax = 1000
#grepopts = -m <grepmax>

207
fail2ban/action.d/dshield.conf Normal file
View File

@ -0,0 +1,207 @@
# Fail2Ban configuration file
#
# Author: Russell Odom <russ@gloomytrousers.co.uk>
# Submits attack reports to DShield (http://www.dshield.org/)
#
# You MUST configure at least:
# <port> (the port that's being attacked - use number not name).
#
# You SHOULD also provide:
# <myip> (your public IP address, if it's not the address of eth0)
# <userid> (your DShield userID, if you have one - recommended, but reports will
# be used anonymously if not)
# <protocol> (the protocol in use - defaults to tcp)
#
# Best practice is to provide <port> and <protocol> in jail.conf like this:
# action = dshield[port=1234,protocol=tcp]
#
# ...and create "dshield.local" with contents something like this:
# [Init]
# myip = 10.0.0.1
# userid = 12345
#
# Other useful configuration values are <mailargs> (you can use for specifying
# a different sender address for the report e-mails, which should match what is
# configured at DShield), and <lines>/<minreportinterval>/<maxbufferage> (to
# configure how often the buffer is flushed).
#
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = if [ -f <tmpfile>.buffer ]; then
cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
date +%%s > <tmpfile>.lastsent
fi
rm -f <tmpfile>.buffer <tmpfile>.first
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
# See http://www.dshield.org/specs.html for more on report format/notes
#
# Note: We are currently using <time> for the timestamp because no tag is
# available to indicate the timestamp of the log message(s) which triggered the
# ban. Therefore the timestamps we are using in the report, whilst often only a
# few seconds out, are incorrect. See
# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047
#
actionban = TZONE=`date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'`
DATETIME="`perl -e '@t=localtime(<time>);printf "%%4d-%%02d-%%02d %%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'` $TZONE"
PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
printf %%b "$DATETIME\t<userid>\t<failures>\t<ip>\t<srcport>\t<myip>\t<port>\t$PROTOCOL\t<tcpflags>\n" >> <tmpfile>.buffer
NOW=`date +%%s`
if [ ! -f <tmpfile>.first ]; then
echo <time> | cut -d. -f1 > <tmpfile>.first
fi
if [ ! -f <tmpfile>.lastsent ]; then
echo 0 > <tmpfile>.lastsent
fi
LOGAGE=$(($NOW - `cat <tmpfile>.first`))
LASTREPORT=$(($NOW - `cat <tmpfile>.lastsent`))
LINES=$( wc -l <tmpfile>.buffer | awk '{ print $1 }' )
if [ $LINES -ge <lines> && $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]; then
cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ $TZONE Fail2Ban" <mailargs> <dest>
rm -f <tmpfile>.buffer <tmpfile>.first
echo $NOW > <tmpfile>.lastsent
fi
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = if [ -f <tmpfile>.first ]; then
NOW=`date +%%s`
LOGAGE=$(($NOW - `cat <tmpfile>.first`))
if [ $LOGAGE -gt <maxbufferage> ]; then
cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
rm -f <tmpfile>.buffer <tmpfile>.first
echo $NOW > <tmpfile>.lastsent
fi
fi
[Init]
# Option: port
# Notes.: The target port for the attack (numerical). MUST be provided in the
# jail config, as it cannot be detected here.
# Values: [ NUM ]
#
port = ???
# Option: userid
# Notes.: Your DShield user ID. Should be provided either in the jail config or
# in a .local file.
# Register at https://secure.dshield.org/register.html
# Values: [ NUM ]
#
userid = 0
# Option: myip
# Notes.: The target IP for the attack (your public IP). Should be provided
# either in the jail config or in a .local file unless your PUBLIC IP
# is the first IP assigned to eth0
# Values: [ an IP address ] Default: Tries to find the IP address of eth0,
# which in most cases will be a private IP, and therefore incorrect
#
myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
# Option: protocol
# Notes.: The protocol over which the attack is happening
# Values: [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp
#
protocol = tcp
# Option: lines
# Notes.: How many lines to buffer before making a report. Regardless of this,
# reports are sent a minimum of <minreportinterval> apart, or if the
# buffer contains an event over <maxbufferage> old, or on shutdown
# Values: [ NUM ]
#
lines = 50
# Option: minreportinterval
# Notes.: Minimum period (in seconds) that must elapse before we submit another
# batch of reports. DShield request a minimum of 1 hour (3600 secs)
# between reports.
# Values: [ NUM ]
#
minreportinterval = 3600
# Option: maxbufferage
# Notes.: Maximum age (in seconds) of the oldest report in the buffer before we
# submit the batch, even if we haven't reached <lines> yet. Note that
# this is only checked on each ban/unban, and that we always send
# anything in the buffer on shutdown. Must be greater than
# Values: [ NUM ]
#
maxbufferage = 21600
# Option: srcport
# Notes.: The source port of the attack. You're unlikely to have this info, so
# you can leave the default
# Values: [ NUM ]
#
srcport = ???
# Option: tcpflags
# Notes.: TCP flags on attack. You're unlikely to have this info, so you can
# leave empty
# Values: [ STRING ]
#
tcpflags =
# Option: mailcmd
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD
#
mailcmd = mail -E 'set escape' -s
# Option: mailargs
# Notes.: Additional arguments to mail command. e.g. for standard Unix mail:
# CC reports to another address:
# -c me@example.com
# Appear to come from a different address (the From address must match
# the one configured at DShield - the '--' indicates arguments to be
# passed to Sendmail):
# -- -f me@example.com
# Values: [ STRING ]
#
mailargs =
# Option: dest
# Notes.: Destination e-mail address for reports
# Values: [ STRING ]
#
dest = reports@dshield.org
# Option: tmpfile
# Notes.: Base name of temporary files used for buffering
# Values: [ STRING ]
#
tmpfile = /var/run/fail2ban/tmp-dshield

63
fail2ban/action.d/dummy.conf Normal file
View File

@ -0,0 +1,63 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = if [ ! -z '<target>' ]; then touch <target>; fi;
printf %%b "<init>\n" <to_target>
echo "%(debug)s started"
# Option: actionflush
# Notes.: command executed once to flush (clear) all IPS, by shutdown (resp. by stop of the jail or this action)
# Values: CMD
#
actionflush = printf %%b "-*\n" <to_target>
echo "%(debug)s clear all"
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = if [ ! -z '<target>' ]; then rm -f <target>; fi;
echo "%(debug)s stopped"
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "+<ip>\n" <to_target>
echo "%(debug)s banned <ip> (family: <family>)"
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = printf %%b "-<ip>\n" <to_target>
echo "%(debug)s unbanned <ip> (family: <family>)"
debug = [<name>] <actname> <target> --
[Init]
init = 123
target = /var/run/fail2ban/fail2ban.dummy
to_target = >> <target>

45
fail2ban/action.d/firewallcmd-allports.conf Normal file
View File

@ -0,0 +1,45 @@
# Fail2Ban configuration file
#
# Author: Donald Yandt
# Because of the --remove-rules in stop this action requires firewalld-0.3.8+
[INCLUDES]
before = firewallcmd-common.conf
[Definition]
actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule <family> filter <chain> 0 -j f2b-<name>
actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -j f2b-<name>
firewall-cmd --direct --remove-rules <family> filter f2b-<name>
firewall-cmd --direct --remove-chain <family> filter f2b-<name>
# Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-recidive$'
actioncheck = firewall-cmd --direct --get-chains <family> filter | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'
actionban = firewall-cmd --direct --add-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
actionunban = firewall-cmd --direct --remove-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
# DEV NOTES:
#
# Author: Donald Yandt
# Uses "FirewallD" instead of the "iptables daemon".
#
#
# Output:
# actionstart:
# $ firewall-cmd --direct --add-chain ipv4 filter f2b-recidive
# success
# $ firewall-cmd --direct --add-rule ipv4 filter f2b-recidive 1000 -j RETURN
# success
# $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-recidive
# success

76
fail2ban/action.d/firewallcmd-common.conf Normal file
View File

@ -0,0 +1,76 @@
# Fail2Ban configuration file
#
# Author: Donald Yandt
#
[Init]
# Option: name
# Notes Default name of the chain
# Values: STRING
name = default
# Option port
# Notes Can also use port numbers separated by a comma and in rich-rules comma and/or space.
# Value STRING Default: 1:65535
port = 1:65535
# Option: protocol
# Notes [ tcp | udp | icmp | all ]
# Values: STRING Default: tcp
protocol = tcp
# Option: family(ipv4)
# Notes specifies the socket address family type
# Values: STRING
family = ipv4
# Option: chain
# Notes specifies the firewalld chain to which the Fail2Ban rules should be
# added
# Values: STRING Default: INPUT_direct
chain = INPUT_direct
# Option: zone
# Notes use command firewall-cmd --get-active-zones to see a list of all active zones. See firewalld man pages for more information on zones
# Values: STRING Default: public
zone = public
# Option: service
# Notes use command firewall-cmd --get-services to see a list of services available
# Examples services: amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps
# freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos
# kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s
# postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy
# telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
# Values: STRING Default: ssh
service = ssh
# Option: rejecttype (ipv4)
# Notes See iptables/firewalld man pages for ipv4 reject types.
# Values: STRING
rejecttype = icmp-port-unreachable
# Option: blocktype (ipv4/ipv6)
# Notes See iptables/firewalld man pages for jump targets. Common values are REJECT,
# REJECT --reject-with icmp-port-unreachable, DROP
# Values: STRING
blocktype = REJECT --reject-with <rejecttype>
# Option: rich-blocktype (ipv4/ipv6)
# Notes See firewalld man pages for jump targets. Common values are reject,
# reject type="icmp-port-unreachable", drop
# Values: STRING
rich-blocktype = reject type='<rejecttype>'
[Init?family=inet6]
# Option: family(ipv6)
# Notes specifies the socket address family type
# Values: STRING
family = ipv6
# Option: rejecttype (ipv6)
# Note: See iptables/firewalld man pages for ipv6 reject types.
# Values: STRING
rejecttype = icmp6-port-unreachable

121
fail2ban/action.d/firewallcmd-ipset.conf Normal file
View File

@ -0,0 +1,121 @@
# Fail2Ban action file for firewall-cmd/ipset
#
# This requires:
# ipset (package: ipset)
# firewall-cmd (package: firewalld)
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# Use ipset -V to see the protocol and version.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you make need to patch in external
# modules.
[INCLUDES]
before = firewallcmd-common.conf
[Definition]
actionstart = <ipstype_<ipsettype>/actionstart>
firewall-cmd --direct --add-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
actionflush = <ipstype_<ipsettype>/actionflush>
actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
<actionflush>
<ipstype_<ipsettype>/actionstop>
actionban = <ipstype_<ipsettype>/actionban>
# actionprolong = %(actionban)s
actionunban = <ipstype_<ipsettype>/actionunban>
[ipstype_ipset]
actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
actionflush = ipset flush <ipmset>
actionstop = ipset destroy <ipmset>
actionban = ipset -exist add <ipmset> <ip> timeout <ipsettime>
actionunban = ipset -exist del <ipmset> <ip>
[ipstype_firewalld]
actionstart = firewall-cmd --direct --new-ipset=<ipmset> --type=hash:ip --option=timeout=<default-ipsettime> <firewalld_familyopt>
# TODO: there doesn't seem to be an explicit way to invoke the ipset flush function using firewall-cmd
actionflush =
actionstop = firewall-cmd --direct --delete-ipset=<ipmset>
actionban = firewall-cmd --ipset=<ipmset> --add-entry=<ip>
actionunban = firewall-cmd --ipset=<ipmset> --remove-entry=<ip>
[Init]
# Option: chain
# Notes specifies the iptables chain to which the fail2ban rules should be
# added
# Values: [ STRING ]
#
chain = INPUT_direct
# Option: default-ipsettime
# Notes: specifies default timeout in seconds (handled default ipset timeout only)
# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban)
default-ipsettime = 0
# Option: ipsettime
# Notes: specifies ticket timeout (handled ipset timeout only)
# Values: [ NUM ] Default: 0 (managed by fail2ban by unban)
ipsettime = 0
# expresion to caclulate timeout from bantime, example:
# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
# Option: ipsettype
# Notes.: defines type of ipset used for match-set (firewalld or ipset)
# Values: firewalld or ipset
# Default: ipset
ipsettype = ipset
# Option: actiontype
# Notes.: defines additions to the blocking rule
# Values: leave empty to block all attempts from the host
# Default: Value of the multiport
actiontype = <multiport>
# Option: allports
# Notes.: default addition to block all ports
# Usage.: use in jail config: banaction = firewallcmd-ipset[actiontype=<allports>]
# for all protocols: banaction = firewallcmd-ipset[actiontype=""]
allports = -p <protocol>
# Option: multiport
# Notes.: addition to block access only to specific ports
# Usage.: use in jail config: banaction = firewallcmd-ipset[actiontype=<multiport>]
multiport = -p <protocol> -m multiport --dports <port>
ipmset = f2b-<name>
familyopt =
firewalld_familyopt =
[Init?family=inet6]
ipmset = f2b-<name>6
familyopt = family inet6
firewalld_familyopt = --option=family=inet6
# DEV NOTES:
#
# Author: Edgar Hoch, Daniel Black, Sergey Brester and Mihail Politaev
# firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness

26
fail2ban/action.d/firewallcmd-multiport.conf Normal file
View File

@ -0,0 +1,26 @@
# Fail2Ban configuration file
#
# Author: Donald Yandt
# Because of the --remove-rules in stop this action requires firewalld-0.3.8+
[INCLUDES]
before = firewallcmd-common.conf
[Definition]
actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
firewall-cmd --direct --remove-rules <family> filter f2b-<name>
firewall-cmd --direct --remove-chain <family> filter f2b-<name>
# Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-apache-modsecurity$'
actioncheck = firewall-cmd --direct --get-chains <family> filter | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'
actionban = firewall-cmd --direct --add-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
actionunban = firewall-cmd --direct --remove-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>

47
fail2ban/action.d/firewallcmd-new.conf Normal file
View File

@ -0,0 +1,47 @@
# Fail2Ban configuration file
#
# Because of the --remove-rules in stop this action requires firewalld-0.3.8+
[INCLUDES]
before = firewallcmd-common.conf
[Definition]
actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
firewall-cmd --direct --add-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports <port> -j f2b-<name>
firewall-cmd --direct --remove-rules <family> filter f2b-<name>
firewall-cmd --direct --remove-chain <family> filter f2b-<name>
actioncheck = firewall-cmd --direct --get-chains <family> filter | sed -e 's, ,\n,g' | grep -q 'f2b-<name>$'
actionban = firewall-cmd --direct --add-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
actionunban = firewall-cmd --direct --remove-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
# DEV NOTES:
#
# Author: Edgar Hoch
# Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch.
# It uses "firewall-cmd" instead of "iptables".
#
# Output:
#
# $ firewall-cmd --direct --add-chain ipv4 filter fail2ban-name
# success
# $ firewall-cmd --direct --add-rule ipv4 filter fail2ban-name 1000 -j RETURN
# success
# $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m state --state NEW -p tcp -m multiport --dports 22 -j fail2ban-name
# success
# $ firewall-cmd --direct --get-chains ipv4 filter
# fail2ban-name
# $ firewall-cmd --direct --get-chains ipv4 filter | od -h
# 0000000 6166 6c69 6232 6e61 6e2d 6d61 0a65
# $ firewall-cmd --direct --get-chains ipv4 filter | grep -Eq 'fail2ban-name( |$)' ; echo $?
# 0
# $ firewall-cmd -V
# 0.3.8

29
fail2ban/action.d/firewallcmd-rich-logging.conf Normal file
View File

@ -0,0 +1,29 @@
# Fail2Ban configuration file
#
# Authors: Donald Yandt, Sergey G. Brester
#
# Because of the rich rule commands requires firewalld-0.3.1+
# This action uses firewalld rich-rules which gives you a cleaner iptables since it stores rules according to zones and not
# by chain. So for an example all deny rules will be listed under <zone>_deny and all log rules under <zone>_log.
#
# Also this action logs banned access attempts so you can filter that and increase ban time for offenders.
#
# If you use the --permanent rule you get a xml file in /etc/firewalld/zones/<zone>.xml that can be shared and parsed easliy
#
# This is an derivative of firewallcmd-rich-rules.conf, see there for details and other parameters.
[INCLUDES]
before = firewallcmd-rich-rules.conf
[Definition]
rich-suffix = log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <rich-blocktype>
[Init]
# log levels are "emerg", "alert", "crit", "error", "warning", "notice", "info" or "debug"
level = info
# log rate per minute
rate = 1

44
fail2ban/action.d/firewallcmd-rich-rules.conf Normal file
View File

@ -0,0 +1,44 @@
# Fail2Ban configuration file
#
# Author: Donald Yandt
#
# Because of the rich rule commands requires firewalld-0.3.1+
# This action uses firewalld rich-rules which gives you a cleaner iptables since it stores rules according to zones and not
# by chain. So for an example all deny rules will be listed under <zone>_deny.
#
# If you use the --permanent rule you get a xml file in /etc/firewalld/zones/<zone>.xml that can be shared and parsed easliy
#
# Example commands to view rules:
# firewall-cmd [--zone=<zone>] --list-rich-rules
# firewall-cmd [--zone=<zone>] --list-all
# firewall-cmd [--zone=zone] --query-rich-rule='rule'
[INCLUDES]
before = firewallcmd-common.conf
[Definition]
actionstart =
actionstop =
actioncheck =
#you can also use zones and/or service names.
#
# zone example:
# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' port port='<port>' protocol='<protocol>' <rich-blocktype>"
#
# service name example:
# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' service name='<service>' <rich-blocktype>"
#
# Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges separated by a comma or space for an example: http, https, 22-60, 18 smtp
fwcmd_rich_rule = rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' %(rich-suffix)s
actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done
rich-suffix = <rich-blocktype>

17
fail2ban/action.d/helpers-common.conf Normal file
View File

@ -0,0 +1,17 @@
[DEFAULT]
# Usage:
# _grep_logs_args = 'test'
# (printf %%b "Log-excerpt contains 'test':\n"; %(_grep_logs)s; printf %%b "Log-excerpt contains 'test':\n") | mail ...
#
_grep_logs = logpath="<logpath>"; grep <grepopts> %(_grep_logs_args)s $logpath | <greplimit>
# options `-wF` used to match only whole words and fixed string (not as pattern)
_grep_logs_args = -wF "<ip>"
# Used for actions, that should not by executed if ticket was restored:
_bypass_if_restored = if [ '<restored>' = '1' ]; then exit 0; fi;
[Init]
greplimit = tail -n <grepmax>
grepmax = 1000
grepopts = -m <grepmax>

62
fail2ban/action.d/hostsdeny.conf Normal file
View File

@ -0,0 +1,62 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Edited for cross platform by: James Stout, Yaroslav Halchenko and Daniel Black
#
#
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "<daemon_list>: <ip_value>\n" >> <file>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = IP=$(echo "<ip_value>" | sed 's/[][\.]/\\\0/g') && sed -i "/^<daemon_list>: $IP$/d" <file>
[Init]
# Option: file
# Notes.: hosts.deny file path.
# Values: STR Default: /etc/hosts.deny
#
file = /etc/hosts.deny
# Option: daemon_list
# Notes: The list of services that this action will deny. See the man page
# for hosts.deny/hosts_access. Default is all services.
# Values: STR Default: ALL
daemon_list = ALL
# internal variable IP (to differentiate the IPv4 and IPv6 syntax, where it is enclosed in brackets):
ip_value = <ip>
[Init?family=inet6]
ip_value = [<ip>]

58
fail2ban/action.d/ipfilter.conf Normal file
View File

@ -0,0 +1,58 @@
# Fail2Ban configuration file
#
# NetBSD ipfilter (ipf command) ban/unban
#
# Author: Ed Ravin <eravin@panix.com>
#
#
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
# enable IPF if not already enabled
actionstart = /sbin/ipf -E
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
# don't disable IPF with "/sbin/ipf -D", there may be other filters in use
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = echo block <blocktype> in quick from <ip>/32 | /sbin/ipf -f -
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
# note -r option used to remove matching rule
actionunban = echo block <blocktype> in quick from <ip>/32 | /sbin/ipf -r -f -
[Init]
# Option: Blocktype
# Notes : This is the return-icmp[return-code] mentioned in the ipf man page section 5. Keep this quoted to prevent
# Shell expansion. This should be blank (unquoted) to drop the packet.
# Values: STRING
blocktype = "return-icmp(port-unr)"

68
fail2ban/action.d/ipfw.conf Normal file
View File

@ -0,0 +1,68 @@
# Fail2Ban configuration file
#
# Author: Nick Munger
# Modified by: Cyril Jaquier
#
#
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = ipfw add <blocktype> tcp from <ip> to <localhost> <port>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = ipfw delete `ipfw list | grep -i "[^0-9]<ip>[^0-9]" | awk '{print $1;}'`
[Init]
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ]
#
port = ssh
# Option: localhost
# Notes.: the local IP address of the network interface
# Values: IP
#
localhost = 127.0.0.1
# Option: blocktype
# Notes.: How to block the traffic. Use a action from man 5 ipfw
# Common values: deny, unreach port, reset
# Values: STRING
#
blocktype = unreach port

15
fail2ban/action.d/iptables-allports.conf Normal file
View File

@ -0,0 +1,15 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# made active on all ports from original iptables.conf
#
# Obsolete: superseded by iptables[type=allports]
[INCLUDES]
before = iptables.conf
[Definition]
type = allports

66
fail2ban/action.d/iptables-ipset-proto4.conf Normal file
View File

@ -0,0 +1,66 @@
# Fail2Ban configuration file
#
# Author: Daniel Black
#
# This is for ipset protocol 4 (ipset v4.2). If you have a later version
# of ipset try to use the iptables-ipset-proto6.conf as it does some things
# nicer.
#
# This requires the program ipset which is normally in package called ipset.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you make need to patch in external
# modules. Debian squeeze can do this with:
# apt-get install xtables-addons-source
# module-assistant auto-install xtables-addons
#
# Debian wheezy and above uses protocol 6
[INCLUDES]
before = iptables.conf
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = ipset --create f2b-<name> iphash
<_ipt_add_rules>
# Option: actionflush
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values: CMD
#
actionflush = ipset --flush f2b-<name>
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = <_ipt_del_rules>
<actionflush>
ipset --destroy f2b-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = ipset --test f2b-<name> <ip> || ipset --add f2b-<name> <ip>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = ipset --test f2b-<name> <ip> && ipset --del f2b-<name> <ip>
# Several capabilities used internaly:
rule-jump = -m set --match-set f2b-<name> src -j <blocktype>

27
fail2ban/action.d/iptables-ipset-proto6-allports.conf Normal file
View File

@ -0,0 +1,27 @@
# Fail2Ban configuration file
#
# Author: Daniel Black
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# Use ipset -V to see the protocol and version. Version 4 should use
# iptables-ipset-proto4.conf.
#
# This requires the program ipset which is normally in package called ipset.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you make need to patch in external
# modules which probably won't be protocol version 6.
#
# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
# made config file IPv6 capable (see new section Init?family=inet6)
#
# Obsolete: superseded by iptables-ipset[type=allports]
[INCLUDES]
before = iptables-ipset.conf
[Definition]
type = allports

27
fail2ban/action.d/iptables-ipset-proto6.conf Normal file
View File

@ -0,0 +1,27 @@
# Fail2Ban configuration file
#
# Author: Daniel Black
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# Use ipset -V to see the protocol and version. Version 4 should use
# iptables-ipset-proto4.conf.
#
# This requires the program ipset which is normally in package called ipset.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you make need to patch in external
# modules.
#
# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
# made config file IPv6 capable (see new section Init?family=inet6)
#
# Obsolete: superseded by iptables-ipset[type=multiport]
[INCLUDES]
before = iptables-ipset.conf
[Definition]
type = multiport

90
fail2ban/action.d/iptables-ipset.conf Normal file
View File

@ -0,0 +1,90 @@
# Fail2Ban configuration file
#
# Authors: Sergey G Brester (sebres), Daniel Black, Alexander Koeppe
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# Use ipset -V to see the protocol and version. Version 4 should use
# iptables-ipset-proto4.conf.
#
# This requires the program ipset which is normally in package called ipset.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you make need to patch in external
# modules.
#
[INCLUDES]
before = iptables.conf
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
<_ipt_add_rules>
# Option: actionflush
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values: CMD
#
actionflush = ipset flush <ipmset>
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = <_ipt_del_rules>
<actionflush>
ipset destroy <ipmset>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = ipset -exist add <ipmset> <ip> timeout <ipsettime>
# actionprolong = %(actionban)s
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = ipset -exist del <ipmset> <ip>
# Several capabilities used internaly:
rule-jump = -m set --match-set <ipmset> src -j <blocktype>
[Init]
# Option: default-ipsettime
# Notes: specifies default timeout in seconds (handled default ipset timeout only)
# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban)
default-ipsettime = 0
# Option: ipsettime
# Notes: specifies ticket timeout (handled ipset timeout only)
# Values: [ NUM ] Default: 0 (managed by fail2ban by unban)
ipsettime = 0
# expresion to caclulate timeout from bantime, example:
# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
ipmset = f2b-<name>
familyopt =
[Init?family=inet6]
ipmset = f2b-<name>6
familyopt = family inet6

68
fail2ban/action.d/iptables-multiport-log.conf Normal file
View File

@ -0,0 +1,68 @@
# Fail2Ban configuration file
#
# Author: Guido Bozzetto
# Modified: Cyril Jaquier
#
# make "f2b-<name>" chain to match drop IP
# make "f2b-<name>-log" chain to log and drop
# insert a jump to f2b-<name> from -I <chain> if proto/port match
#
#
[INCLUDES]
before = iptables.conf
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = <iptables> -N f2b-<name>
<iptables> -A f2b-<name> -j <returntype>
<iptables> -I <chain> 1 -p <protocol> -m multiport --dports <port> -j f2b-<name>
<iptables> -N f2b-<name>-log
<iptables> -I f2b-<name>-log -j LOG --log-prefix "$(expr f2b-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
<iptables> -A f2b-<name>-log -j <blocktype>
# Option: actionflush
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values: CMD
#
actionflush = <iptables> -F f2b-<name>
<iptables> -F f2b-<name>-log
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
<actionflush>
<iptables> -X f2b-<name>
<iptables> -X f2b-<name>-log
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = <iptables> -n -L f2b-<name>-log >/dev/null
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j f2b-<name>-log
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j f2b-<name>-log
[Init]

14
fail2ban/action.d/iptables-multiport.conf Normal file
View File

@ -0,0 +1,14 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#
# Obsolete: superseded by iptables[type=multiport]
[INCLUDES]
before = iptables.conf
[Definition]
type = multiport

15
fail2ban/action.d/iptables-new.conf Normal file
View File

@ -0,0 +1,15 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Copied from iptables.conf and modified by Yaroslav Halchenko
# to fulfill the needs of bugreporter dbts#350746.
#
# Obsolete: superseded by iptables[pre-rule='-m state --state NEW<sp>']
[INCLUDES]
before = iptables.conf
[Definition]
pre-rule = -m state --state NEW<sp>

87
fail2ban/action.d/iptables-xt_recent-echo.conf Normal file
View File

@ -0,0 +1,87 @@
# Fail2Ban configuration file
#
# Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
#
# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
# made config file IPv6 capable
[INCLUDES]
before = iptables.conf
[Definition]
_ipt_chain_rule = -m recent --update --seconds 3600 --name <iptname> -j <blocktype>
_ipt_for_proto-iter =
_ipt_for_proto-done =
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
# Changing iptables rules requires root privileges. If fail2ban is
# configured to run as root, firewall setup can be performed by
# fail2ban automatically. However, if fail2ban is configured to run as
# a normal user, the configuration must be done by some other means
# (e.g. using static firewall configuration with the
# iptables-persistent package).
#
# Explanation of the rule below:
# Check if any packets coming from an IP on the <iptname>
# list have been seen in the last 3600 seconds. If yes, update the
# timestamp for this IP and drop the packet. If not, let the packet
# through.
#
# Fail2ban inserts blacklisted hosts into the <iptname> list
# and removes them from the list after some time, according to its
# own rules. The 3600 second timeout is independent and acts as a
# safeguard in case the fail2ban process dies unexpectedly. The
# shorter of the two timeouts actually matters.
actionstart = if [ `id -u` -eq 0 ];then
{ %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I <chain> %(_ipt_chain_rule)s; }
fi
# Option: actionflush
#
# [TODO] Flushing is currently not implemented for xt_recent
#
actionflush =
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = echo / > /proc/net/xt_recent/<iptname>
if [ `id -u` -eq 0 ];then
<iptables> -D <chain> %(_ipt_chain_rule)s;
fi
# Option: actioncheck
# Notes.: command executed as invariant check (error by ban)
# Values: CMD
#
actioncheck = { <iptables> -C <chain> %(_ipt_chain_rule)s; } && test -e /proc/net/xt_recent/<iptname>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = echo +<ip> > /proc/net/xt_recent/<iptname>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = echo -<ip> > /proc/net/xt_recent/<iptname>
[Init]
iptname = f2b-<name>
[Init?family=inet6]
iptname = f2b-<name>6

162
fail2ban/action.d/iptables.conf Normal file
View File

@ -0,0 +1,162 @@
# Fail2Ban configuration file
#
# Authors: Sergey G. Brester (sebres), Cyril Jaquier, Daniel Black,
# Yaroslav O. Halchenko, Alexander Koeppe et al.
#
[Definition]
# Option: type
# Notes.: type of the action.
# Values: [ oneport | multiport | allports ] Default: oneport
#
type = oneport
# Option: actionflush
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values: CMD
#
actionflush = <iptables> -F f2b-<name>
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = { <iptables> -C f2b-<name> -j <returntype> >/dev/null 2>&1; } || { <iptables> -N f2b-<name> || true; <iptables> -A f2b-<name> -j <returntype>; }
<_ipt_add_rules>
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = <_ipt_del_rules>
<actionflush>
<iptables> -X f2b-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = <_ipt_check_rules>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
# Option: pre-rule
# Notes.: prefix parameter(s) inserted to the begin of rule. No default (empty)
#
pre-rule =
rule-jump = -j <_ipt_rule_target>
# Several capabilities used internaly:
_ipt_for_proto-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
_ipt_for_proto-done = done
_ipt_add_rules = <_ipt_for_proto-iter>
{ %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I <chain> %(_ipt_chain_rule)s; }
<_ipt_for_proto-done>
_ipt_del_rules = <_ipt_for_proto-iter>
<iptables> -D <chain> %(_ipt_chain_rule)s
<_ipt_for_proto-done>
_ipt_check_rules = <_ipt_for_proto-iter>
%(_ipt_check_rule)s
<_ipt_for_proto-done>
_ipt_chain_rule = <pre-rule><ipt_<type>/_chain_rule>
_ipt_check_rule = <iptables> -C <chain> %(_ipt_chain_rule)s
_ipt_rule_target = f2b-<name>
[ipt_oneport]
_chain_rule = -p $proto --dport <port> <rule-jump>
[ipt_multiport]
_chain_rule = -p $proto -m multiport --dports <port> <rule-jump>
[ipt_allports]
_chain_rule = -p $proto <rule-jump>
[Init]
# Option: chain
# Notes specifies the iptables chain to which the Fail2Ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT
# Default name of the chain
#
name = default
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ssh
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
# Option: blocktype
# Note: This is what the action does with rules. This can be any jump target
# as per the iptables man page (section 8). Common values are DROP
# REJECT, REJECT --reject-with icmp-port-unreachable
# Values: STRING
blocktype = REJECT --reject-with icmp-port-unreachable
# Option: returntype
# Note: This is the default rule on "actionstart". This should be RETURN
# in all (blocking) actions, except REJECT in allowing actions.
# Values: STRING
returntype = RETURN
# Option: lockingopt
# Notes.: Option was introduced to iptables to prevent multiple instances from
# running concurrently and causing irratic behavior. -w was introduced
# in iptables 1.4.20, so might be absent on older systems
# See https://github.com/fail2ban/fail2ban/issues/1122
# Values: STRING
lockingopt = -w
# Option: iptables
# Notes.: Actual command to be executed, including common to all calls options
# Values: STRING
iptables = iptables <lockingopt>
[Init?family=inet6]
# Option: blocktype (ipv6)
# Note: This is what the action does with rules. This can be any jump target
# as per the iptables man page (section 8). Common values are DROP
# REJECT, REJECT --reject-with icmp6-port-unreachable
# Values: STRING
blocktype = REJECT --reject-with icmp6-port-unreachable
# Option: iptables (ipv6)
# Notes.: Actual command to be executed, including common to all calls options
# Values: STRING
iptables = ip6tables <lockingopt>

107
fail2ban/action.d/ipthreat.conf Normal file
View File

@ -0,0 +1,107 @@
# IPThreat configuration file
#
# Added to fail2ban by Jeff Johnson (jjxtra)
#
# Action to report IP address to ipthreat.net
#
# You must sign up to obtain an API key from ipthreat.net and request bulk report permissions
# https://ipthreat.net/integrations
#
# IPThreat is a 100% free site and service, all data is licensed under a creative commons by attribution license
# Please do not integrate if you do not agree to the license
#
# IMPORTANT:
#
# Reporting an IP is a serious action. Make sure that it is legit.
# Consider using this action only for:
# * IP that has been banned more than once
# * High max retry to avoid user mis-typing password
# * Filters that are unlikely to be human error
#
# Example:
# ```
# action = %(known/action)s
# ipthreat[]
# ```
#
# The action accepts the following arguments: ipthreat[ipthreat_flags="8",ipthreat_system="SSH", ipthreat_apikey=...]
# In most cases your action could be as simple as: ipthreat[], since the default flags and system are set to the most correct default values.
# You can optionally override ipthreat_system and ipthreat_flags if desired.
# The ipthreat_apikey must be set at the bottom of this configuration file.
#
# `ipthreat_system` is a short name of the system attacked, i.e. SSH, SMTP, MYSQL, PHP, etc.
#
# For `ipthreat_flags`, most cases will use 8 (BruteForce) which is the default, but you could use others.
# You can use the name or the ordinal.
# Multiple values are comma separated.
# ```
# Name Ordinal Description
# Dns 1 Abuse/attack of dns (domain name server)
# Fraud 2 General fraud, whether orders, misuse of payment info, etc
# DDos 4 Distributed denial of service attack, whether through http requests, large ping attack, etc
# BruteForce 8 Brute force login attack
# Proxy 16 IP is a proxy like TOR or other proxy server
# Spam 32 Email, comment or other type of spam
# Vpn 64 IP is part of a VPN
# Hacking 128 General hacking outside of brute force attack (includes vulnerability scans, sql injection, etc.). Use port scan flag instead if it's just probe on ports.
# BadBot 256 Bad bot that is not honoring robots.txt or just flooding with too many requests, etc
# Compromised 512 The ip has been taken over by malware or botnet
# Phishing 1024 The ip is involved in phishing or spoofing
# Iot 2048 The ip has targetted an iot (Internet of Things) device
# PortScan 4096 Port scan
# See https://ipthreat.net/bulkreportformat for more information
# ```
[Definition]
# bypass action for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
#
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = curl -sSf "https://api.ipthreat.net/api/report" -X POST -H "Content-Type: application/json" -H "X-API-KEY: <ipthreat_apikey>" -d "{\"ip\":\"<ip>\",\"flags\":\"<ipthreat_flags>\",\"system\":\"<ipthreat_system>\",\"notes\":\"fail2ban\"}"
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =
[Init]
# Option: ipthreat_apikey
# Notes Your API key from ipthreat.net
# Values: STRING Default: None
# Register for ipthreat [https://ipthreat.net], get api key and set below.
# You will need to set the flags and system in the action call in jail.conf
ipthreat_apikey =
# By default, the ipthreat system is the name of the fail2ban jail
ipthreat_system = <name>
# By default the ip threat flags is 8 (brute force), but you can override this per jail if desired
ipthreat_flags = 8

86
fail2ban/action.d/mail-buffered.conf Normal file
View File

@ -0,0 +1,86 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Output will be buffered until <lines> lines are available.\n
Regards,\n
Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = if [ -f <tmpfile> ]; then
printf %%b "Hi,\n
These hosts have been banned by Fail2Ban.\n
`cat <tmpfile>`
Regards,\n
Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary from <fq-hostname>" <dest>
rm <tmpfile>
fi
printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
LINE=$( wc -l <tmpfile> | awk '{ print $1 }' )
if [ $LINE -ge <lines> ]; then
printf %%b "Hi,\n
These hosts have been banned by Fail2Ban.\n
`cat <tmpfile>`
\nRegards,\n
Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: Summary" <dest>
rm <tmpfile>
fi
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =
[Init]
# Default name of the chain
#
name = default
# Default number of lines that are buffered
#
lines = 5
# Default temporary file
#
tmpfile = /var/run/fail2ban/tmp-mail.txt
# Destination/Addressee of the mail
#
dest = root

28
fail2ban/action.d/mail-whois-common.conf Normal file
View File

@ -0,0 +1,28 @@
# Fail2Ban configuration file
#
# Common settings for mail actions
#
# Users can override the defaults in mail-whois-common.local
[INCLUDES]
# Load customizations if any available
after = mail-whois-common.local
[DEFAULT]
#original character set of whois output will be sent to mail program
_whois = whois <ip> || echo "missing whois program"
# use heuristics to convert charset of whois output to a target
# character set before sending it to a mail program
# make sure you have 'file' and 'iconv' commands installed when opting for that
_whois_target_charset = UTF-8
_whois_convert_charset = (%(_whois)s) |
{ WHOIS_OUTPUT=$(cat) ; WHOIS_CHARSET=$(printf %%b "$WHOIS_OUTPUT" | file -b --mime-encoding -) ; printf %%b "$WHOIS_OUTPUT" | iconv -f $WHOIS_CHARSET -t %(_whois_target_charset)s//TRANSLIT - ; }
# choose between _whois and _whois_convert_charset in mail-whois-common.local
# or other *.local which include mail-whois-common.conf.
_whois_command = %(_whois)s
#_whois_command = %(_whois_convert_charset)s
[Init]

92
fail2ban/action.d/mail-whois-lines.conf Normal file
View File

@ -0,0 +1,92 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified-By: Yaroslav Halchenko to include grepping on IP over log files
#
[INCLUDES]
before = mail-whois-common.conf
helpers-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban" | <mailcmd> "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban" | <mailcmd> "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
_ban_mail_content = ( printf %%b "Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here is more information about <ip> :\n"
%(_whois_command)s;
printf %%b "\nLines containing failures of <ip> (max <grepmax>)\n";
%(_grep_logs)s;
printf %%b "\n
Regards,\n
Fail2Ban" )
actionban = %(_ban_mail_content)s | <mailcmd> "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =
[Init]
# Option: mailcmd
# Notes.: Your system mail command. Is passed 2 args: subject and recipient
# Values: CMD
#
mailcmd = mail -E 'set escape' -s
# Default name of the chain
#
name = default
# Destinataire of the mail
#
dest = root
# Path to the log files which contain relevant lines for the abuser IP
#
logpath = /dev/null
# Number of log lines to include in the email
#
#grepmax = 1000
#grepopts = -m <grepmax>

71
fail2ban/action.d/mail-whois.conf Normal file
View File

@ -0,0 +1,71 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#
[INCLUDES]
before = mail-whois-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here is more information about <ip> :\n
`%(_whois_command)s`\n
Regards,\n
Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =
[Init]
# Default name of the chain
#
name = default
# Destination/Addressee of the mail
#
dest = root

65
fail2ban/action.d/mail.conf Normal file
View File

@ -0,0 +1,65 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = printf %%b "Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: started on <fq-hostname>" <dest>
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = printf %%b "Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: stopped on <fq-hostname>" <dest>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n
Regards,\n
Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =
[Init]
# Default name of the chain
#
name = default
# Destination/Addressee of the mail
#
dest = root

143
fail2ban/action.d/mynetwatchman.conf Normal file
View File

@ -0,0 +1,143 @@
# Fail2Ban configuration file
#
# Author: Russell Odom <russ@gloomytrousers.co.uk>
# Submits attack reports to myNetWatchman (http://www.mynetwatchman.com/)
#
# You MUST configure at least:
# <port> (the port that's being attacked - use number not name).
# <mnwlogin> (your mNW login).
# <mnwpass> (your mNW password).
#
# You SHOULD also provide:
# <myip> (your public IP address, if it's not the address of eth0)
# <protocol> (the protocol in use - defaults to tcp)
#
# Best practice is to provide <port> and <protocol> in jail.conf like this:
# action = mynetwatchman[port=1234,protocol=udp]
#
# ...and create "mynetwatchman.local" with contents something like this:
# [Init]
# mnwlogin = me@example.com
# mnwpass = SECRET
# myip = 10.0.0.1
#
# Another useful configuration value is <getcmd>, if you don't have wget
# installed (an example config for curl is given below)
#
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
#
# Note: We are currently using <time> for the timestamp because no tag is
# available to indicate the timestamp of the log message(s) which triggered the
# ban. Therefore the timestamps we are using in the report, whilst often only a
# few seconds out, are incorrect. See
# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047
#
actionban = MNWLOGIN=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwlogin>'`
MNWPASS=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwpass>'`
PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
DATETIME=`perl -e '@t=gmtime(<time>);printf "%%4d-%%02d-%%02d+%%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'`
<getcmd> "<mnwurl>?AT=2&AV=0&AgentEmail=$MNWLOGIN&AgentPassword=$MNWPASS&AttackerIP=<ip>&SrcPort=<srcport>&ProtocolID=$PROTOCOL&DestPort=<port>&AttackCount=<failures>&VictimIP=<myip>&AttackDateTime=$DATETIME" 2>&1 >> <tmpfile>.out && grep -q 'Attack Report Insert Successful' <tmpfile>.out && rm -f <tmpfile>.out
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =
[Init]
# Option: port
# Notes.: The target port for the attack (numerical). MUST be provided in
# the jail config, as it cannot be detected here.
# Values: [ NUM ] Default: ???
#
port = 0
# Option: mnwlogin
# Notes.: Your mNW login e-mail address. MUST be provided either in the jail
# config or in a .local file.
# Register at http://www.mynetwatchman.com/reg.asp
# Values: [ STRING ] Default: (empty)
#
mnwlogin =
# Option: mnwpass
# Notes.: The password corresponding to your mNW login e-mail address. MUST be
# provided either in the jail config or in a .local file.
# Values: [ STRING ] Default: (empty)
#
mnwpass =
# Option: myip
# Notes.: The target IP for the attack (your public IP). Should be overridden
# either in the jail config or in a .local file unless your PUBLIC IP
# is the first IP assigned to eth0
# Values: [ an IP address ] Default: Tries to find the IP address of eth0,
# which in most cases will be a private IP, and therefore incorrect
#
myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
# Option: protocol
# Notes.: The protocol over which the attack is happening
# Values: [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp
#
protocol = tcp
# Option: agent
# Default: Fail2ban
agent = Fail2ban
# Option: getcmd
# Notes.: A command to fetch a URL. Should output page to STDOUT
# Values: CMD Default: wget
#
getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 --read-timeout=60 --retry-connrefused --output-document=- --user-agent=<agent>
# Alternative value:
# getcmd = curl --silent --show-error --retry 3 --connect-timeout 10 --max-time 60 --user-agent <agent>
# Option: srcport
# Notes.: The source port of the attack. You're unlikely to have this info, so
# you can leave the default
# Values: [ NUM ] Default: 0
#
srcport = 0
# Option: mnwurl
# Notes.: The report service URL on the mNW site
# Values: STRING Default: http://mynetwatchman.com/insertwebreport.asp
#
mnwurl = http://mynetwatchman.com/insertwebreport.asp
# Option: tmpfile
# Notes.: Base name of temporary files
# Values: [ STRING ] Default: /var/run/fail2ban/tmp-mynetwatchman
#
tmpfile = /var/run/fail2ban/tmp-mynetwatchman

33
fail2ban/action.d/netscaler.conf Normal file
View File

@ -0,0 +1,33 @@
# Fail2ban Citrix Netscaler Action
# by Juliano Jeziorny
# juliano@jeziorny.eu
#
# The script will add offender IPs to a dataset on netscaler, the dataset can then be used to block the IPs at a cs/vserver or global level
# This dataset is then used to block IPs using responder policies on the netscaler.
#
# The script assumes using HTTPS with unsecure certificate to access the netscaler,
# if you have a valid certificate installed remove the -k from the curl lines, or if you want http change it accordingly (and remove the -k)
#
# This action depends on curl
#
# You need to populate the 3 options inside Init
#
# ns_host: IP or hostname of netslcaer appliance
# ns_auth: username:password, suggest base64 encoded for a little added security (echo -n "username:password" | base64)
# ns_dataset: Name of the netscaler dataset holding the IPs to be blocked.
#
# For further details on how to use it please check http://blog.ckzone.eu/2017/01/fail2ban-action-for-citrix-netscaler.html
[Init]
ns_host =
ns_auth =
ns_dataset =
[Definition]
actionstart = curl -kH 'Authorization: Basic <ns_auth>' https://<ns_host>/nitro/v1/config
actioncheck =
actionban = curl -k -H 'Authorization: Basic <ns_auth>' -X PUT -d '{"policydataset_value_binding":{"name":"<ns_dataset>","value":"<ip>"}}' https://<ns_host>/nitro/v1/config/
actionunban = curl -H 'Authorization: Basic <ns_auth>' -X DELETE -k "https://<ns_host>/nitro/v1/config/policydataset_value_binding/<ns_dataset>?args=value:<ip>"

17
fail2ban/action.d/nftables-allports.conf Normal file
View File

@ -0,0 +1,17 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# made active on all ports from original iptables.conf
# Modified: Alexander Belykh <albel727@ngs.ru>
# adapted for nftables
#
# Obsolete: superseded by nftables[type=allports]
[INCLUDES]
before = nftables.conf
[Definition]
type = allports

17
fail2ban/action.d/nftables-multiport.conf Normal file
View File

@ -0,0 +1,17 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# made active on all ports from original iptables.conf
# Modified: Alexander Belykh <albel727@ngs.ru>
# adapted for nftables
#
# Obsolete: superseded by nftables[type=multiport]
[INCLUDES]
before = nftables.conf
[Definition]
type = multiport

203
fail2ban/action.d/nftables.conf Normal file
View File

@ -0,0 +1,203 @@
# Fail2Ban configuration file
#
# Author: Daniel Black
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# made active on all ports from original iptables.conf
# Modified: Alexander Belykh <albel727@ngs.ru>
# adapted for nftables
#
# This is a included configuration file and includes the definitions for the nftables
# used in all nftables based actions by default.
#
# The user can override the defaults in nftables-common.local
# Example: redirect flow to honeypot
#
# [Init]
# table_family = ip
# chain_type = nat
# chain_hook = prerouting
# chain_priority = -50
# blocktype = counter redirect to 2222
[INCLUDES]
after = nftables-common.local
[Definition]
# Option: type
# Notes.: type of the action.
# Values: [ multiport | allports ] Default: multiport
#
type = multiport
rule_match-custom =
rule_match-allports = meta l4proto \{ <protocol> \}
rule_match-multiport = $proto dport \{ $(echo '<port>' | sed s/:/-/g) \}
match = <rule_match-<type>>
# Option: rule_stat
# Notes.: statement for nftables filter rule.
# leaving it empty will block all (include udp and icmp)
# Values: nftables statement
#
rule_stat = %(match)s <addr_family> saddr @<addr_set> <blocktype>
# optional interator over protocol's:
_nft_for_proto-custom-iter =
_nft_for_proto-custom-done =
_nft_for_proto-allports-iter =
_nft_for_proto-allports-done =
_nft_for_proto-multiport-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
_nft_for_proto-multiport-done = done
_nft_list = <nftables> -a list chain <table_family> <table> <chain>
_nft_get_handle_id = grep -oP '@<addr_set>\s+.*\s+\Khandle\s+(\d+)$'
_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \{ type <addr_type>\; \}
<_nft_for_proto-<type>-iter>
<nftables> add rule <table_family> <table> <chain> %(rule_stat)s
<_nft_for_proto-<type>-done>
_nft_del_set = { %(_nft_list)s | %(_nft_get_handle_id)s; } | while read -r hdl; do
<nftables> delete rule <table_family> <table> <chain> $hdl; done
<nftables> delete set <table_family> <table> <addr_set>
# Option: _nft_shutdown_table
# Notes.: command executed after the stop in order to delete table (it checks that no sets are available):
# Values: CMD
#
_nft_shutdown_table = { <nftables> list table <table_family> <table> | grep -qP '^\s+set\s+'; } || {
<nftables> delete table <table_family> <table>
}
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = <nftables> add table <table_family> <table>
<nftables> -- add chain <table_family> <table> <chain> \{ type <chain_type> hook <chain_hook> priority <chain_priority> \; \}
%(_nft_add_set)s
# Option: actionflush
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action);
# uses `nft flush set ...` and as fallback (e. g. unsupported) recreates the set (with references)
# Values: CMD
#
actionflush = { <nftables> flush set <table_family> <table> <addr_set> 2> /dev/null; } || {
%(_nft_del_set)s
%(_nft_add_set)s
}
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = %(_nft_del_set)s
<_nft_shutdown_table>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = <nftables> list chain <table_family> <table> <chain> | grep -q '@<addr_set>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = <nftables> add element <table_family> <table> <addr_set> \{ <ip> \}
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = <nftables> delete element <table_family> <table> <addr_set> \{ <ip> \}
[Init]
# Option: table
# Notes.: main table to store chain and sets (automatically created on demand)
# Values: STRING Default: f2b-table
table = f2b-table
# Option: table_family
# Notes.: address family to work in
# Values: [ip | ip6 | inet] Default: inet
table_family = inet
# Option: chain
# Notes.: main chain to store rules
# Values: STRING Default: f2b-chain
chain = f2b-chain
# Option: chain_type
# Notes.: refers to the kind of chain to be created
# Values: [filter | route | nat] Default: filter
#
chain_type = filter
# Option: chain_hook
# Notes.: refers to the kind of chain to be created
# Values: [ prerouting | input | forward | output | postrouting ] Default: input
#
chain_hook = input
# Option: chain_priority
# Notes.: priority in the chain.
# Values: NUMBER Default: -1
#
chain_priority = -1
# Option: addr_type
# Notes.: address type to work with
# Values: [ipv4_addr | ipv6_addr] Default: ipv4_addr
#
addr_type = ipv4_addr
# Default name of the filtering set
#
name = default
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ssh
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp ] Default: tcp
#
protocol = tcp
# Option: blocktype
# Note: This is what the action does with rules. This can be any jump target
# as per the nftables man page (section 8). Common values are drop,
# reject, reject with icmpx type host-unreachable, redirect to 2222
# Values: STRING
blocktype = reject
# Option: nftables
# Notes.: Actual command to be executed, including common to all calls options
# Values: STRING
nftables = nft
# Option: addr_set
# Notes.: The name of the nft set used to store banned addresses
# Values: STRING
addr_set = addr-set-<name>
# Option: addr_family
# Notes.: The family of the banned addresses
# Values: [ ip | ip6 ]
addr_family = ip
[Init?family=inet6]
addr_family = ip6
addr_type = ipv6_addr
addr_set = addr6-set-<name>

117
fail2ban/action.d/nginx-block-map.conf Normal file
View File

@ -0,0 +1,117 @@
# Fail2Ban configuration file for black-listing via nginx
#
# Author: Serg G. Brester (aka sebres)
#
# To use 'nginx-block-map' action you should define some special blocks in your nginx configuration,
# and use it hereafter in your locations (to notify fail2ban by failure, resp. nginx by ban).
#
# Example (argument "token_id" resp. cookie "session_id" used here as unique identifier for user):
#
# http {
# ...
# # maps to check user is blacklisted (banned in f2b):
# #map $arg_token_id $blck_lst_tok { include blacklisted-tokens.map; }
# map $cookie_session_id $blck_lst_ses { include blacklisted-sessions.map; }
# ...
# # special log-format to notify fail2ban about failures:
# log_format f2b_session_errors '$msec failure "$cookie_session_id" - $remote_addr - $remote_user '
# ;# '"$request" $status $bytes_sent '
# # '"$http_referer" "$http_user_agent"';
#
# # location checking blacklisted values:
# location ... {
# # check banned sessionid:
# if ($blck_lst_ses != "") {
# try_files "" @f2b-banned;
# }
# ...
# # notify fail2ban about a failure inside nginx:
# error_page 401 = @notify-f2b;
# ...
# }
# ...
# # location for return with "403 Forbidden" if banned:
# location @f2b-banned {
# default_type text/html;
# return 403 "<br/><center>
# <b style=\"color:red; font-size:18pt; border:2pt solid black; padding:5pt;\">
# You are banned!</b></center>";
# }
# ...
# # location to notify fail2ban about a failure inside nginx:
# location @notify-f2b {
# access_log /var/log/nginx/f2b-auth-errors.log f2b_session_errors;
# }
# }
# ...
#
# Note that quote-character (and possibly other special characters) are not allowed currently as session-id.
# Thus please add any session-id validation rule in your locations (or in the corresponding backend-service),
# like in example below:
#
# location ... {
# if ($cookie_session_id !~ "^[\w\-]+$") {
# return 403 "Wrong session-id"
# }
# ...
# }
#
# The parameters for jail corresponding log-format (f2b_session_errors):
#
# [nginx-blck-lst]
# filter =
# datepattern = ^Epoch
# failregex = ^ failure "<F-ID>[^"]+</F-ID>" - <ADDR>
# usedns = no
#
# The same log-file can be used for IP-related jail (additionally to session-related, to ban very bad IPs):
#
# [nginx-blck-ip]
# maxretry = 100
# filter =
# datepattern = ^Epoch
# failregex = ^ failure "[^"]+" - <ADDR>
# usedns = no
#
[Definition]
# path to configuration of nginx (used to target nginx-instance in multi-instance system,
# and as path for the blacklisted map):
srv_cfg_path = /etc/nginx/
# cmd-line arguments to supply to test/reload nginx:
#srv_cmd = nginx -c %(srv_cfg_path)s/nginx.conf
srv_cmd = nginx
# pid file (used to check nginx is running):
srv_pid = /run/nginx.pid
# command used to check whether nginx is running and configuration is valid:
srv_is_running = [ -f "%(srv_pid)s" ]
srv_check_cmd = %(srv_is_running)s && %(srv_cmd)s -qt
# first test nginx is running and configuration is correct, hereafter send reload signal:
blck_lst_reload = %(srv_check_cmd)s; if [ $? -eq 0 ]; then
%(srv_cmd)s -s reload; if [ $? -ne 0 ]; then echo 'reload failed.'; fi;
fi;
# map-file for nginx, can be redefined using `action = nginx-block-map[blck_lst_file="/path/file.map"]`:
blck_lst_file = %(srv_cfg_path)s/blacklisted-sessions.map
# Action definition:
actionstart_on_demand = false
actionstart = touch '%(blck_lst_file)s'
actionflush = truncate -s 0 '%(blck_lst_file)s'; %(blck_lst_reload)s
actionstop = %(actionflush)s
actioncheck =
_echo_blck_row = printf '\%%s 1;\n' "<fid>"
actionban = %(_echo_blck_row)s >> '%(blck_lst_file)s'; %(blck_lst_reload)s
actionunban = id=$(%(_echo_blck_row)s | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^$id$/d" %(blck_lst_file)s; %(blck_lst_reload)s

61
fail2ban/action.d/npf.conf Normal file
View File

@ -0,0 +1,61 @@
# Fail2Ban configuration file
#
# NetBSD npf ban/unban
#
# Author: Nils Ratusznik <nils@NetBSD.org>
# Based on pf.conf action file
#
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
# we don't enable NPF automatically, as it will be enabled elsewhere
actionstart =
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
# we don't disable NPF automatically either
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = /sbin/npfctl table <tablename> add <ip>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
# note -r option used to remove matching rule
actionunban = /sbin/npfctl table <tablename> rem <ip>
[Init]
# Option: tablename
# Notes.: The pf table name.
# Values: [ STRING ]
#
tablename = fail2ban

114
fail2ban/action.d/nsupdate.conf Normal file
View File

@ -0,0 +1,114 @@
# Fail2Ban configuration file
#
# Author: Andrew St. Jean
#
# Use nsupdate to perform dynamic DNS updates on a BIND zone file.
# One may want to do this to update a local RBL with banned IP addresses.
#
# Options
#
# domain DNS domain that will appear in nsupdate add and delete
# commands.
#
# ttl The time to live (TTL) in seconds of the TXT resource
# record.
#
# rdata Data portion of the TXT resource record.
#
# nsupdatecmd Full path to the nsupdate command.
#
# keyfile Full path to TSIG key file used for authentication between
# nsupdate and BIND.
#
# Create an nsupdate.local to set at least the <domain> and <keyfile>
# options as they don't have default values.
#
# The ban and unban commands assume nsupdate will authenticate to the BIND
# server using a TSIG key. The full path to the key file must be specified
# in the <keyfile> parameter. Use this command to generate your TSIG key.
#
# dnssec-keygen -a HMAC-MD5 -b 256 -n HOST <key_name>
#
# Replace <key_name> with some meaningful name.
#
# This command will generate two files. Specify the .private file in the
# <keyfile> option. Note that the .key file must also be present in the same
# directory for nsupdate to use the key.
#
# Don't forget to add the key and appropriate allow-update or update-policy
# option to your named.conf file.
#
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = echo <ip> | awk -F. '{print "prereq nxrrset "$4"."$3"."$2"."$1".<domain> TXT"; print "update add "$4"."$3"."$2"."$1".<domain> <ttl> IN TXT \"<rdata>\""; print "send"}' | <nsupdatecmd> -k <keyfile>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = echo <ip> | awk -F. '{print "update delete "$4"."$3"."$2"."$1".<domain>"; print "send"}' | <nsupdatecmd> -k <keyfile>
[Init]
# Option: domain
# Notes.: DNS domain that nsupdate will update.
# Values: STRING
#
domain =
# Option: ttl
# Notes.: time to live (TTL) in seconds of TXT resource record
# added by nsupdate.
# Values: NUM
#
ttl = 60
# Option: rdata
# Notes.: data portion of the TXT resource record added by nsupdate.
# Values: STRING
#
rdata = Your IP has been banned
# Option: nsupdatecmd
# Notes.: specifies the full path to the nsupdate program that dynamically
# updates BIND zone files.
# Values: CMD
#
nsupdatecmd = /usr/bin/nsupdate
# Option: keyfile
# Notes.: specifies the full path to the file containing the
# TSIG key for communicating with BIND.
# Values: STRING
#
keyfile =

16
fail2ban/action.d/osx-afctl.conf Normal file
View File

@ -0,0 +1,16 @@
# Fail2Ban configuration file for using afctl on Mac OS X Server 10.5
#
# Anonymous author
# http://www.fail2ban.org/wiki/index.php?title=HOWTO_Mac_OS_X_Server_(10.5)&diff=prev&oldid=4081
#
# Ref: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/afctl.8.html
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = /usr/libexec/afctl -a <ip> -t <bantime>
actionunban = /usr/libexec/afctl -r <ip>
actionprolong = %(actionunban)s && %(actionban)s

87
fail2ban/action.d/osx-ipfw.conf Normal file
View File

@ -0,0 +1,87 @@
# Fail2Ban configuration file
#
# Author: Nick Munger
# Modified by: Andy Fragen and Daniel Black
#
# Mod for OS X, using random rulenum as OSX ipfw doesn't include tables
#
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# Values: CMD
#
actionban = ipfw add <rulenum> set <setnum> <blocktype> log <block> from <ip> to <dst> <port>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# Values: CMD
#
actionunban = ipfw delete `ipfw -S list | grep -i 'set <setnum> <blocktype> log <block> from <ip> to <dst>' | awk '{print $1;}'`
[Init]
# Option: port
# Notes.: specifies port to block. Can be blank however may require block="ip"
# Values: [ NUM | STRING ]
#
port = ssh
# Option: dst
# Notes.: the local IP address of the network interface
# Values: IP, any, me or anything support by ipfw as a dst
#
dst = me
# Option: block
# Notes: This is how much to block.
# Can be "ip", "tcp", "udp" or various other options.
# Values: STRING
block = tcp
# Option: blocktype
# Notes.: How to block the traffic. Use a action from man 8 ipfw
# Common values: deny, unreach port, reset
# Values: STRING
#
blocktype = unreach port
# Option: set number
# Notes.: The ipset number this is added to.
# Values: 0-31
setnum = 10
# Option: number for ipfw rule
# Notes: This is meant to be automatically generated and not overwritten
# Values: Random value between 10000 and 12000
rulenum="`echo $((RANDOM%%2000+10000))`"
# Duplicate prevention mechanism
#rulenum = "`a=$((RANDOM%%2000+10000)); while ipfw show | grep -q ^$a\ ; do a=$((RANDOM%%2000+10000)); done; echo $a`"

124
fail2ban/action.d/pf.conf Normal file
View File

@ -0,0 +1,124 @@
# Fail2Ban configuration file
#
# OpenBSD pf ban/unban
#
# Author: Nick Hilliard <nick@foobar.org>
# Modified by: Alexander Koeppe making PF work seamless and with IPv4 and IPv6
#
#
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
# we don't enable PF automatically; to enable run pfctl -e
# or add `pf_enable="YES"` to /etc/rc.conf (tested on FreeBSD)
# also, these rulesets are loaded into (nested) anchors
# to enable them, add as wildcard:
# anchor "f2b/*"
# or using jail names:
# anchor f2b {
# anchor name1
# anchor name2
# ...
# }
# to your main pf ruleset, where "namei" are the names of the jails
# which invoke this action
actionstart = echo "table <<tablename>-<name>> persist counters" | <pfctl> -f-
port="<port>"; if [ "$port" != "" ] && case "$port" in \{*) false;; esac; then port="{$port}"; fi
echo "<block> proto <protocol> from <<tablename>-<name>> to <actiontype>" | <pfctl> -f-
# Option: start_on_demand - to start action on demand
# Example: `action=pf[actionstart_on_demand=true]`
actionstart_on_demand = false
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
# we only disable PF rules we've installed prior
actionstop = <pfctl> -sr 2>/dev/null | grep -v <tablename>-<name> | <pfctl> -f-
%(actionflush)s
<pfctl> -t <tablename>-<name> -T kill
# Option: actionflush
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
# Values: CMD
#
actionflush = <pfctl> -t <tablename>-<name> -T flush
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = <pfctl> -sr | grep -q <tablename>-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = <pfctl> -t <tablename>-<name> -T add <ip>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
# note -r option used to remove matching rule
actionunban = <pfctl> -t <tablename>-<name> -T delete <ip>
# Option: pfctl
#
# Use anchor as jailname to manipulate affected rulesets only.
# If more parameter expected it can be extended with `pf[pfctl="<known/pfctl> ..."]`
#
pfctl = pfctl -a f2b/<name>
[Init]
# Option: tablename
# Notes.: The pf table name.
# Values: [ STRING ]
#
tablename = f2b
# Option: block
#
# The action you want pf to take.
# Probably, you want "block quick", but adjust as needed.
block = block quick
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | ipv6-icmp ] Default: tcp
#
protocol = tcp
# Option: actiontype
# Notes.: defines additions to the blocking rule
# Values: leave empty to block all attempts from the host
# Default: Value of the multiport
actiontype = <multiport>
# Option: allports
# Notes.: default addition to block all ports
# Usage.: use in jail config: "banaction = pf[actiontype=<allports>]"
allports = any
# Option: multiport
# Notes.: addition to block access only to specific ports
# Usage.: use in jail config: "banaction = pf[actiontype=<multiport>]"
multiport = any port $port

29
fail2ban/action.d/route.conf Normal file
View File

@ -0,0 +1,29 @@
# Fail2Ban configuration file
#
# Author: Michael Gebetsroither
#
# This is for blocking whole hosts through blackhole routes.
#
# PRO:
# - Works on all kernel versions and as no compatibility problems (back to debian lenny and WAY further).
# - It's FAST for very large numbers of blocked ips.
# - It's FAST because it Blocks traffic before it enters common iptables chains used for filtering.
# - It's per host, ideal as action against ssh password bruteforcing to block further attack attempts.
# - No additional software required beside iproute/iproute2
#
# CON:
# - Blocking is per IP and NOT per service, but ideal as action against ssh password bruteforcing hosts
[Definition]
actionban = ip route add <blocktype> <ip>
actionunban = ip route del <blocktype> <ip>
actioncheck =
actionstart =
actionstop =
[Init]
# Option: blocktype
# Note: Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
# Values: STRING
blocktype = unreachable

99
fail2ban/action.d/sendmail-buffered.conf Normal file
View File

@ -0,0 +1,99 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#
[INCLUDES]
before = sendmail-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on <fq-hostname>
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been started successfully.\n
Output will be buffered until <lines> lines are available.\n
Regards,\n
Fail2Ban" | <mailcmd>
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = if [ -f <tmpfile> ]; then
printf %%b "Subject: [Fail2Ban] <name>: summary from <fq-hostname>
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
These hosts have been banned by Fail2Ban.\n
`cat <tmpfile>`
Regards,\n
Fail2Ban" | <mailcmd>
rm <tmpfile>
fi
printf %%b "Subject: [Fail2Ban] <name>: stopped on <fq-hostname>
From: Fail2Ban <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban" | <mailcmd>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
LINE=$( wc -l <tmpfile> | awk '{ print $1 }' )
if [ $LINE -ge <lines> ]; then
printf %%b "Subject: [Fail2Ban] <name>: summary from <fq-hostname>
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
These hosts have been banned by Fail2Ban.\n
`cat <tmpfile>`
Regards,\n
Fail2Ban" | <mailcmd>
rm <tmpfile>
fi
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =
[Init]
# Default name of the chain
#
name = default
# Default number of lines that are buffered
#
lines = 5
# Default temporary file
#
tmpfile = /var/run/fail2ban/tmp-mail.txt

77
fail2ban/action.d/sendmail-common.conf Normal file
View File

@ -0,0 +1,77 @@
# Fail2Ban configuration file
#
# Common settings for sendmail actions
#
# Users can override the defaults in sendmail-common.local
[INCLUDES]
after = sendmail-common.local
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been started successfully.\n
Regards,\n
Fail2Ban" | <mailcmd>
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The jail <name> has been stopped.\n
Regards,\n
Fail2Ban" | <mailcmd>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban =
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =
[Init]
# Your system mail command
#
mailcmd = /usr/sbin/sendmail -f "<sender>" "<dest>"
# Recipient mail address
#
dest = root
# Sender mail address
#
sender = fail2ban
# Sender display name
#
sendername = Fail2Ban

59
fail2ban/action.d/sendmail-geoip-lines.conf Normal file
View File

@ -0,0 +1,59 @@
# Fail2Ban configuration file
#
# Author: Viktor Szépe
#
#
[INCLUDES]
before = sendmail-common.conf
helpers-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionban
# Notes.: Command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# You need to install geoiplookup and the GeoLite or GeoIP databases.
# (geoip-bin and geoip-database in Debian)
# The host command comes from bind9-host package.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = ( printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here is more information about <ip> :\n
http://bgp.he.net/ip/<ip>
http://www.projecthoneypot.org/ip_<ip>
http://whois.domaintools.com/<ip>\n\n
Country:`geoiplookup -f /usr/share/GeoIP/GeoIP.dat "<ip>" | cut -d':' -f2-`
AS:`geoiplookup -f /usr/share/GeoIP/GeoIPASNum.dat "<ip>" | cut -d':' -f2-`
hostname: <ip-host>\n\n
Lines containing failures of <ip> (max <grepmax>)\n";
%(_grep_logs)s;
printf %%b "\n
Regards,\n
Fail2Ban" ) | <mailcmd>
[Init]
# Default name of the chain
#
name = default
# Path to the log files which contain relevant lines for the abuser IP
#
logpath = /dev/null
# Number of log lines to include in the email
#
#grepmax = 1000
#grepopts = -m <grepmax>

41
fail2ban/action.d/sendmail-whois-ipjailmatches.conf Normal file
View File

@ -0,0 +1,41 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#
[INCLUDES]
before = sendmail-common.conf
mail-whois-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here is more information about <ip> :\n
`%(_whois_command)s`\n\n
Matches for <name> with <ipjailfailures> failures IP:<ip>\n
<ipjailmatches>\n\n
Regards,\n
Fail2Ban" | <mailcmd>
[Init]
# Default name of the chain
#
name = default

41
fail2ban/action.d/sendmail-whois-ipmatches.conf Normal file
View File

@ -0,0 +1,41 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#
[INCLUDES]
before = sendmail-common.conf
mail-whois-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here is more information about <ip> :\n
`%(_whois_command)s`\n\n
Matches with <ipfailures> failures IP:<ip>\n
<ipmatches>\n\n
Regards,\n
Fail2Ban" | <mailcmd>
[Init]
# Default name of the chain
#
name = default

52
fail2ban/action.d/sendmail-whois-lines.conf Normal file
View File

@ -0,0 +1,52 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#
[INCLUDES]
before = sendmail-common.conf
mail-whois-common.conf
helpers-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = ( printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here is more information about <ip> :\n"
%(_whois_command)s;
printf %%b "\nLines containing failures of <ip> (max <grepmax>)\n";
%(_grep_logs)s;
printf %%b "\n
Regards,\n
Fail2Ban" ) | <mailcmd>
[Init]
# Default name of the chain
#
name = default
# Path to the log files which contain relevant lines for the abuser IP
#
logpath = /dev/null
# Number of log lines to include in the email
#
#grepmax = 1000
#grepopts = -m <grepmax>

41
fail2ban/action.d/sendmail-whois-matches.conf Normal file
View File

@ -0,0 +1,41 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#
[INCLUDES]
before = sendmail-common.conf
mail-whois-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here is more information about <ip> :\n
`%(_whois_command)s`\n\n
Matches:\n
<matches>\n\n
Regards,\n
Fail2Ban" | <mailcmd>
[Init]
# Default name of the chain
#
name = default

40
fail2ban/action.d/sendmail-whois.conf Normal file
View File

@ -0,0 +1,40 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#
[INCLUDES]
before = sendmail-common.conf
mail-whois-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
Here is more information about <ip> :\n
`%(_whois_command)s`\n
Regards,\n
Fail2Ban" | <mailcmd>
[Init]
# Default name of the chain
#
name = default

37
fail2ban/action.d/sendmail.conf Normal file
View File

@ -0,0 +1,37 @@
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#
[INCLUDES]
before = sendmail-common.conf
[Definition]
# bypass ban/unban for restored tickets
norestored = 1
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n
Regards,\n
Fail2Ban" | <mailcmd>
[Init]
# Default name of the chain
#
name = default

93
fail2ban/action.d/shorewall-ipset-proto6.conf Normal file
View File

@ -0,0 +1,93 @@
# Fail2Ban configuration file
#
# Author: Eduardo Diaz
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# for shorewall
#
# Use this setting in jail.conf to modify use this action instead of a
# default one
#
# banaction = shorewall-ipset-proto6
#
# This requires the program ipset which is normally in package called ipset.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0
# kernels, and you need Shorewall >= 4.5.5 to use this action.
#
# The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see
# file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a
# new shorewall rule to ban an IP address, that rule will affect only new
# connections. So if the attacker goes on trying using the same connection
# he could even log in. In order to get the same behavior of the iptable
# action (so that the ban is immediate) the /etc/shorewall/shorewall.conf
# file should me modified with "BLACKLISTNEWONLY=No".
#
#
# Enable shorewall to use a blacklist using iptables creating a file
# /etc/shorewall/blrules and adding "DROP net:+f2b-ssh all" and
# similar lines for every jail. To enable restoring you ipset you
# must set SAVE_IPSETS=Yes in shorewall.conf . You can read more
# about ipsets handling in Shorewall at http://shorewall.net/ipsets.html
#
# To force creation of the ipset in the case that somebody deletes the
# ipset create a file /etc/shorewall/initdone and add one line for
# every ipset (this files are in Perl) and add 1 at the end of the file.
# The example:
# system("/usr/sbin/ipset -quiet -exist create f2b-ssh hash:ip timeout 600 ");
# 1;
#
# To destroy the ipset in shorewall you must add to the file /etc/shorewall/stopped
# # One line of every ipset
# system("/usr/sbin/ipset -quiet destroy f2b-ssh ");
# 1; # This must go to the end of the file if not shorewall compilation fails
#
[Definition]
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart = if ! ipset -quiet -name list f2b-<name> >/dev/null;
then ipset -quiet -exist create f2b-<name> hash:ip timeout <default-ipsettime>;
fi
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop = ipset flush f2b-<name>
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = ipset add f2b-<name> <ip> timeout <ipsettime> -exist
# actionprolong = %(actionban)s
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = ipset del f2b-<name> <ip> -exist
# Option: default-ipsettime
# Notes: specifies default timeout in seconds (handled default ipset timeout only)
# Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban)
default-ipsettime = 0
# Option: ipsettime
# Notes: specifies ticket timeout (handled ipset timeout only)
# Values: [ NUM ] Default: 0 (managed by fail2ban by unban)
ipsettime = 0
# expresion to caclulate timeout from bantime, example:
# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)

Some files were not shown because too many files have changed in this diff Show More