From: <los...@us...> - 2007-02-12 21:50:59
Revision: 549 http://svn.sourceforge.net/fail2ban/?rev=549&view=rev Author: lostcontrol Date: 2007-02-12 13:50:50 -0800 (Mon, 12 Feb 2007) Log Message: ----------- - Added new filter for spam bots - Added new action for buffered mails Modified Paths: -------------- trunk/CHANGELOG trunk/MANIFEST trunk/config/jail.conf Added Paths: ----------- trunk/config/action.d/mail-buffered.conf trunk/config/filter.d/apache-badbots.conf Modified: trunk/CHANGELOG =================================================================== --- trunk/CHANGELOG 2007-02-11 23:22:32 UTC (rev 548) +++ trunk/CHANGELOG 2007-02-12 21:50:50 UTC (rev 549) @@ -10,6 +10,7 @@ ver. 0.?.? (2007/??/??) - ??? ---------- - Fixed asctime pattern in datedetector.py +- Added new filters/actions. Thanks to Yaroslav Halchenko ver. 0.7.7 (2007/02/08) - release candidate ---------- Modified: trunk/MANIFEST =================================================================== --- trunk/MANIFEST 2007-02-11 23:22:32 UTC (rev 548) +++ trunk/MANIFEST 2007-02-12 21:50:50 UTC (rev 549) @@ -78,6 +78,7 @@ config/action.d/mail-whois.conf config/action.d/mail-whois-lines.conf config/action.d/mail.conf +config/action.d/mail-buffered.conf config/action.d/hostsdeny.conf config/action.d/shorewall.conf config/fail2ban.conf Added: trunk/config/action.d/mail-buffered.conf =================================================================== --- trunk/config/action.d/mail-buffered.conf (rev 0) +++ trunk/config/action.d/mail-buffered.conf 2007-02-12 21:50:50 UTC (rev 549) 
@@ -0,0 +1,88 @@ +# Fail2Ban configuration file +# +# Author: Cyril Jaquier +# +# $Revision: 510 $ +# + +[Definition] + +# Option: actionstart +# Notes.: command executed once at the start of Fail2Ban. +# Values: CMD +# +actionstart = echo -en "Hi,\n + The jail <name> has been started successfuly.\n + Output will be buffered until <lines> lines are available.\n + Regards,\n + Fail2Ban"|mail -s "[Fail2Ban] <name>: started" <dest> + +# Option: actionend +# Notes.: command executed once at the end of Fail2Ban +# Values: CMD +# +actionstop = if [ -d <tmpfile> ]; then + echo -en "Hi,\n + These hosts have been banned by Fail2Ban.\n + `cat <tmpfile>` + Regards,\n + Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest> + rm <tmpfile> + fi + echo -en "Hi,\n + The jail <name> has been stopped.\n + Regards,\n + Fail2Ban"|mail -s "[Fail2Ban] <name>: stopped" <dest> + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: <ip> IP address +# <failures> number of failures +# <time> unix timestamp of the ban time +# Values: CMD +# +actionban = echo `date`": <ip> (<failures> failures)" >> <tmpfile> + LINE=$( wc -l <tmpfile> | awk '{ print $1 }' ) + if [ $LINE -eq <lines> ]; then + echo -en "Hi,\n + These hosts have been banned by Fail2Ban.\n + `cat <tmpfile>` + Regards,\n + Fail2Ban"|mail -s "[Fail2Ban] <name>: Summary" <dest> + rm <tmpfile> + fi + +# Option: actionunban +# Notes.: command executed when unbanning an IP. Take care that the +# command is executed with Fail2Ban user rights. 
+# Tags: <ip> IP address +# <failures> number of failures +# <time> unix timestamp of the ban time +# Values: CMD +# +actionunban = + +[Init] + +# Default name of the chain +# +name = default + +# Default number of lines that are buffered +# +lines = 5 + +# Default temporary file +# +tmpfile = /tmp/fail2ban-mail.txt + +# Destination/Addressee of the mail +# +dest = root Added: trunk/config/filter.d/apache-badbots.conf =================================================================== --- trunk/config/filter.d/apache-badbots.conf (rev 0) +++ trunk/config/filter.d/apache-badbots.conf 2007-02-12 21:50:50 UTC (rev 549) 
@@ -0,0 +1,25 @@ +# Fail2Ban configuration file +# +# List of bad bots fetched from http://www.user-agents.org +# Generated on Sun Feb 11 01:09:15 EST 2007 by ./badbots.sh +# +# Author: Yaroslav Halchenko +# +# + +[Definition] +badbotscustom = EmailCollector|WebEMailExtrac +badbots = atSpider/1\.0|autoemailspider|China Local Browse 2\.6|ContentSmartz|DataCha0s/2\.0|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|MVAClient|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|sogou spider|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|WebVulnCrawl\.blogspot\.com/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 + +# Option: failregex +# Notes.: Regexp to catch 
known spambots and software alike. Please verify that +# it is your intent to block IPs which were driven by abovementioned bots +# Values: TEXT +# +failregex = ^(?P<host>\S*) -.*"GET.*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = Modified: trunk/config/jail.conf =================================================================== --- trunk/config/jail.conf 2007-02-11 23:22:32 UTC (rev 548) +++ trunk/config/jail.conf 2007-02-12 21:50:50 UTC (rev 549) @@ -117,6 +117,19 @@ maxretry = 5 bantime = 1800 +# Ban hosts which agent identifies spammer robots crawling the web +# for email addresses. The mail outputs are buffered. + +[apache-badbots] + +enabled = false +filter = apache-badbots +action = iptables-multiport[name=BadBots, port="http,https"] + mail-buffered[name=BadBots, lines=5, dest=you...@ma...] +logpath = /var/www/*/logs/access_log +bantime = 172800 +maxretry = 1 + # Use shorewall instead of iptables. [apache-shorewall]
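
Review bot: the trunk/MANIFEST hunk lists config/action.d/mail-buffered.conf but not the other file this revision adds, config/filter.d/apache-badbots.conf, so the filter that the new [apache-badbots] jail depends on would be missing from anything built from the manifest. Add a config/filter.d/apache-badbots.conf line next to the other filter.d entries.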
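
Review bot: in trunk/config/action.d/mail-buffered.conf, actionstop guards the final summary with the test [ -d <tmpfile> ], which is true only for a directory, while tmpfile defaults to the regular file /tmp/fail2ban-mail.txt that actionban appends to; as written, the pending summary is never mailed and the buffer is never removed when the jail stops. Use -f in that test. In actionban, [ $LINE -eq <lines> ] stops firing for good if the count ever passes <lines> without equalling it (a leftover buffer combined with a lowered lines value, for instance), so -ge is the safer comparison. The default tmpfile is also a fixed name in /tmp, shared by every jail that uses this action and appended to, read with cat and removed with Fail2Ban user rights; a default inside a directory that only that user can write, with <name> in the file name, would avoid both the sharing and the predictable path. Minor: the comment above actionstop says "Option: actionend", and "successfuly" is misspelled in the start mail.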
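
Review bot: in trunk/config/filter.d/apache-badbots.conf, failregex places the alternation directly between the opening quote of the last field and the closing quote followed by $, so an entry matches only when it is the entire User-Agent string, yet badbotscustom = EmailCollector|WebEMailExtrac reads like a list of name stems, and the second can match only an agent called exactly WebEMailExtrac. Either spell the custom entries out in full or allow a tail such as [^"]* after them, and say in the Notes which behaviour is intended. The pattern also requires "GET, so the same agents sending HEAD or POST requests are not caught. In badbots, DataCha0s/2\.0 is listed twice and the entry "SSurf15a 11 " carries a trailing space that a logged agent string would have to reproduce to match.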
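
Review bot: in the trunk/config/jail.conf hunk, the comment above [apache-badbots] does not say that maxretry = 1 together with bantime = 172800 bans a host for 48 hours on a single matching request, decided solely by the User-Agent string the client sends. State that in the comment so whoever changes enabled = false to true knows what they are turning on. The action line also leaves mail-buffered on its default tmpfile; passing a jail-specific tmpfile there would keep this jail's buffer separate from any other jail that uses the same action.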