Revision: 759
http://fail2ban.svn.sourceforge.net/fail2ban/?rev=759&view=rev
Author: buanzo
Date: 2010-05-01 13:26:02 +0000 (Sat, 01 May 2010)
Log Message:
-----------
Added psad filter and jail; needs some reviewing, but works OK.
Modified Paths:
--------------
trunk/config/jail.conf
Added Paths:
-----------
trunk/config/filter.d/psad.conf
Added: trunk/config/filter.d/psad.conf
===================================================================
--- trunk/config/filter.d/psad.conf (rev 0)
+++ trunk/config/filter.d/psad.conf 2010-05-01 13:26:02 UTC (rev 759)
@@ -0,0 +1,19 @@
+# Fail2Ban configuration file
+#
+# Author: Arturo 'Buanzo' Busleiman <buanzo@...>
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match psad "scan detected" line, example:
+#
+# Apr 30 23:35:06 mx4 psad: scan detected: 221.192.199.49 -> 85.13.200.90 tcp: [8000] flags: SYN tcp pkts: 1 DL: 2
+#
+failregex = ^.*\ psad\:\ scan\ detected\:\ <HOST>\ \-\>\ .*$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
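Review bot: The `failregex` in the new filter opens with `^.*`, so any line in /var/log/messages that merely contains ` psad: scan detected: X -> ` matches, whichever daemon wrote it; because that file is shared, a service that echoes attacker-supplied text (a hostname, a username, a query string) into syslog can be made to produce a line that gets an arbitrary `X` banned. Anchor the match to the daemon name the way the other filters in this tree do — `[INCLUDES]` / `before = common.conf` plus `failregex = ^%(__prefix_line)spsad: scan detected: <HOST> -> ` if filter.d/common.conf exists in this tree, otherwise at least `^\s*(?:\S+ )?psad: scan detected: <HOST> -> ` — and drop the trailing `\ .*$`, which adds nothing. The backslash-escaped spaces and colons are noise (neither is a regex metacharacter) and make the pattern harder to read than the example line above it. A comment next to the pattern would help the next reviewer: `# Anchored to the daemon name so text logged by other services cannot forge a match.`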
Modified: trunk/config/jail.conf
===================================================================
--- trunk/config/jail.conf 2010-03-04 17:15:12 UTC (rev 758)
+++ trunk/config/jail.conf 2010-05-01 13:26:02 UTC (rev 759)
@@ -153,8 +153,9 @@
logpath = /var/log/apache2/error_log
# Ban attackers that try to use PHP's URL-fopen() functionality
-# through GET/POST variables. - Experimental, with more than a year
-# of usage in production environments.
+# through GET/POST variables.
+# Make sure you edit the filter if you need to allow certain requests.
+# Adapt logpath as required!
[php-url-fopen]
@@ -231,3 +232,16 @@
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1
+
+# PSAD support for fail2ban by Buanzo.
+# psad detects portscans, and logs the details to /var/log/messages
+# With this jail, you can ban attackers that portscan you (for example, with the excellent Nmap)
+# TODO: It needs a proper action, and decide on default port range/list
+
+[psad]
+
+enabled = false
+port = ssh,http,https,smtp,ftp
+filter = psad
+logpath = /var/log/messages
+maxretry = 1
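Review bot: `maxretry = 1` bans an address on its first psad report, and the source address psad reports for a bare SYN comes from the packet header, which a sender can forge at will; a handful of spoofed packets would be enough to get a gateway, resolver or admin workstation banned on the ssh/http/https/smtp/ftp ports listed here. Consider raising `maxretry`, or have the filter require a minimum danger level (the example line in the filter carries `DL: 2`), and state the trade-off above the jail: `# psad reports spoofable source addresses; with maxretry = 1 a forged packet can ban any host - keep ignoreip current.` `logpath = /var/log/messages` is also distribution-specific (Debian-based systems write the same syslog messages to /var/log/syslog), so the same `# Adapt logpath as required!` note this commit adds to php-url-fopen belongs here as well. The `[psad]` section is complete within the hunk.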