[trojan]

moinmoin

mit folgendem regex kann man anfragen direkt aus dem ispconfig_access_log rausfiltern.
da ispconfig ein eigenes logformat nutzt, funzt es mit der standardeinstellung für zB das w00t.w00t-script nicht

/etc/fail2ban/filter.d/ispconfig-w00tw00t.conf

Code:

[Definition]
failregex =  www\.ts-onlyfree\.org\|\|\|\|\d*\|\|\|\|<HOST> -.*"GET \/w00tw00t\.at\.ISC\.SANS\.DFind\:\).*".*

ignoreregex =

- gezielt wird auf den w00t.w00t vuln-scanner
- jeder aufruf wird mit einem 1d-ban gestraft

testen kann mans ganz einfach. Ein klick auf diesen Link wird mit 600 Sec ban bestraft

der passende eintrag in der /etc/fail2ban/jail.conf

Code:

[ispconfig-w00tw00t]
enabled  = true
filter   = ispconfig-w00tw00t
action   = iptables-complete[name=ispconfig-w00tw00t]
           mail-whois[name=ispconfig-w00tw00t, dest=<YOUR@MAIL.HERE>]
logpath  = /var/log/httpd/ispconfig_access_log
maxretry = 1
bantime  = 86400

und hier die action-file
/etc/fail2ban/action.d/iptables-complete.conf

Code:

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -j fail2ban-<name>

# Option:  actionend
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D INPUT -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-<name>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP

[Init]

# Defaut name of the chain
#
name = default

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = ssh

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = all