Fail2Ban: sending a POST via cURL

kyo*_*kyo 3 post curl http request fail2ban

I installed Fail2Ban on an Ubuntu VM. I have configured it successfully and receive an e-mail when a ban is detected.

Is it possible to configure Fail2Ban to trigger a curl POST request after sending the e-mail?

Does Fail2Ban allow something like this?

cat jail.conf

```ini
# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# Comments: use '#' for comment lines and ';' for inline comments
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
maxretry = 3

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#            If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#            If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# auto:      will try to use the following backends, in order:
#            pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when reverse DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a reverse DNS lookup will be performed.
# warn:  if a hostname is encountered, a reverse DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = warn

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = rajacse10@gmail.com

#
# Name of the sender for mta actions
sendername = Fail2Ban

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_mwl)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[dropbear]

enabled  = false
port     = ssh
filter   = dropbear
logpath  = /var/log/auth.log
maxretry = 6

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled  = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter   = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port     = all
banaction = iptables-allports
port     = anyport
logpath  = /var/log/auth.log
maxretry = 6

[xinetd-fail]

enabled   = false
filter    = xinetd-fail
port      = all
banaction = iptables-multiport-log
logpath   = /var/log/daemon.log
maxretry  = 2


[ssh-ddos]

enabled  = false
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6


# Here we use blackhole routes for not requiring any additional kernel support
# to store large volumes of banned IPs

[ssh-route]

enabled = false
filter = sshd
action = route
logpath = /var/log/sshd.log
maxretry = 6

# Here we use a combination of Netfilter/Iptables and IPsets
# for storing large volumes of banned IPs
#
# IPset comes in two versions. See ipset -V for which one to use
# requires the ipset package and kernel support.
[ssh-iptables-ipset4]

enabled  = false
port     = ssh
filter   = sshd
banaction = iptables-ipset-proto4
logpath  = /var/log/sshd.log
maxretry = 6

[ssh-iptables-ipset6]

enabled  = false
port     = ssh
filter   = sshd
banaction = iptables-ipset-proto6
logpath  = /var/log/sshd.log
maxretry = 6


#
# HTTP servers
#

[apache]

enabled  = false
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled   = false
port      = http,https
filter    = apache-auth
logpath   = /var/log/apache*/*error.log
maxretry  = 6

[apache-noscript]

enabled  = false
port     = http,https
filter   = apache-noscript
logpath  = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

enabled  = false
port     = http,https
filter   = apache-overflows
logpath  = /var/log/apache*/*error.log
maxretry = 2

# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.

[php-url-fopen]

enabled = false
port    = http,https
filter  = php-url-fopen
logpath = /var/www/*/logs/access_log

# A simple PHP-fastcgi jail which works with lighttpd.
# If you run a lighttpd server, then you probably will
# find these kinds of messages in your error_log:
#   ALERT – tried to register forbidden variable ‘GLOBALS’
#   through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')

[lighttpd-fastcgi]

enabled = false
port    = http,https
filter  = lighttpd-fastcgi
logpath = /var/log/lighttpd/error.log

# Same as above for mod_auth
# It catches wrong authentifications

[lighttpd-auth]

enabled = false
port    = http,https
filter  = suhosin
logpath = /var/log/lighttpd/error.log

[nginx-http-auth]

enabled = false
filter  = nginx-http-auth
port    = http,https
logpath = /var/log/nginx/error.log

# Monitor roundcube server

[roundcube-auth]

enabled  = false
filter   = roundcube-auth
port     = http,https
logpath  = /var/log/roundcube/userlogins


[sogo-auth]

enabled  = false
filter   = sogo-auth
port     = http, https
# without proxy this would be:
# port    = 20000
logpath  = /var/log/sogo/sogo.log


#
# FTP servers
#

[vsftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = vsftpd
logpath  = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6


[proftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = proftpd
logpath  = /var/log/proftpd/proftpd.log
maxretry = 6


[pure-ftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = pure-ftpd
logpath  = /var/log/syslog
maxretry = 6


[wuftpd]

enabled  = false
port     = ftp,ftp-data,ftps,ftps-data
filter   = wuftpd
logpath  = /var/log/syslog
maxretry = 6


#
# Mail servers
#

[postfix]

enabled  = false
port     = smtp,ssmtp,submission
filter   = postfix
logpath  = /var/log/mail.log


[couriersmtp]

enabled  = false
port     = smtp,ssmtp,submission
filter   = couriersmtp
logpath  = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled  = false
port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter   = courierlogin
logpath  = /var/log/mail.log


[sasl]

enabled  = false
port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter   = postfix-sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = /var/log/mail.log

[dovecot]

enabled = false
port    = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter  = dovecot
logpath = /var/log/mail.log

# To log wrong MySQL access attempts add to /etc/my.cnf:
# log-error=/var/log/mysqld.log
# log-warning = 2
[mysqld-auth]

enabled  = false
filter   = mysqld-auth
port     = 3306
logpath  = /var/log/mysqld.log


# DNS Servers


# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging

# !!! WARNING !!!
#   Since UDP is connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling of this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled  = false
#port     = domain,953
#protocol = udp
#filter   = named-refused
#logpath  = /var/log/named/security.log

[named-refused-tcp]

enabled  = false
port     = domain,953
protocol = tcp
filter   = named-refused
logpath  = /var/log/named/security.log

# Multiple jails, 1 per protocol, are necessary ATM:
# see https://github.com/fail2ban/fail2ban/issues/37
[asterisk-tcp]

enabled  = false
filter   = asterisk
port     = 5060,5061
protocol = tcp
logpath  = /var/log/asterisk/messages

[asterisk-udp]

enabled  = false
filter   = asterisk
port     = 5060,5061
protocol = udp
logpath  = /var/log/asterisk/messages


# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]

enabled  = false
filter   = recidive
logpath  = /var/log/fail2ban.log
action   = iptables-allports[name=recidive]
           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5
```

tuk*_*kan 5

For a custom action you need to create /etc/fail2ban/action.d/<your_config_file>.conf (or .local).

It must have the following structure:

```ini
[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart =

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop =

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban =

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban =
```

curlAction.conf (comments removed to save some space; use curlAction.local instead if a .conf of that name is already defined):

```ini
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = curl -d '{"ip":"<ip>"}' -H "Content-Type: application/json" -X POST http://localhost:3000/data
actionunban =
```

Next, configure Fail2ban by copying jail.conf to jail.local and adding whatever needs to be overridden (see this serverfault answer for the difference; in short, .conf is loaded first and .local overrides it).

If you named the file curlAction.conf, then you need to add an `action` directive (curlAction) to the `[ssh]` section of /etc/fail2ban/jail.local. For example, it would look like this:

```ini
[ssh]

enabled  = true
port     = ssh
filter   = sshd
action   = curlAction
logpath  = /var/log/auth.log
maxretry = 6
```

Documentation used: the fail2ban-sms GitHub repository and the manual.
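A fuller version of the curl action, added here as an illustration; it is not part of the original answer or of fail2ban itself. It addresses two practical points. First, `action = curlAction` in the answer's jail.local replaces the jail's default `action = %(action_mwl)s` from the posted jail.conf, so on its own it would stop both the iptables ban and the e-mail; since the question wants the POST after the mail, list the actions on separate lines the way `action_mwl` itself does. Second, fail2ban hands `actionban` to a shell with the `<ip>`, `<failures>`, `<time>` and `<name>` tags substituted in, and the action template above warns that it runs with fail2ban's rights, so the script checks each value against the shape it should have before building the request, passes `--max-time` so a stalled endpoint cannot hang the action, and exits non-zero on failure so fail2ban logs it. The script path `/usr/local/bin/fail2ban-curl-notify.sh`, the action name `curl-notify`, the `NOTIFY_URL` variable, the `DRY_RUN` switch and the sample values are assumptions made for this example; the default URL is the one from the answer.

```shell
#!/bin/sh
# fail2ban-curl-notify.sh (example script, not shipped with fail2ban).
#
# Assumed wiring, in /etc/fail2ban/action.d/curl-notify.conf:
#   [Definition]
#   actionban = /usr/local/bin/fail2ban-curl-notify.sh <ip> <failures> <time> <name>
#
# and in the [ssh] section of /etc/fail2ban/jail.local, keeping the default
# ban + mail and adding the POST after them:
#   action = %(action_mwl)s
#            curl-notify
#
# NOTIFY_URL is an assumed knob; the default is the endpoint from the answer.
NOTIFY_URL="${NOTIFY_URL:-http://localhost:3000/data}"

# valid_ip: allow only the characters an IPv4/IPv6 literal can contain, so
# nothing but an address ever reaches the request or the shell.
valid_ip() {
    case "$1" in
        ''|*[!0-9a-fA-F.:]*) return 1 ;;
    esac
    return 0
}

# valid_number: <failures> and <time> must be plain decimal integers.
valid_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# build_payload IP FAILURES TIME JAIL
# Prints the JSON body for the POST, or fails (exit 1) if any field is malformed.
build_payload() {
    ip=$1; failures=$2; ts=$3; jail=$4
    valid_ip "$ip" || { echo "refusing ip: $ip" >&2; return 1; }
    valid_number "$failures" || { echo "refusing failures: $failures" >&2; return 1; }
    valid_number "$ts" || { echo "refusing time: $ts" >&2; return 1; }
    case "$jail" in
        ''|*[!A-Za-z0-9_-]*) echo "refusing jail name: $jail" >&2; return 1 ;;
    esac
    printf '{"ip":"%s","failures":%s,"time":%s,"jail":"%s"}\n' \
        "$ip" "$failures" "$ts" "$jail"
}

# notify_ban IP FAILURES TIME JAIL
# POSTs the payload. --fail turns an HTTP error into a non-zero exit, which
# fail2ban records in its log; --max-time bounds how long the action can block.
# With DRY_RUN=1 the curl argv is printed instead of executed.
notify_ban() {
    payload=$(build_payload "$@") || return 1
    # --data already makes this a POST, so no -X is needed.
    set -- curl --fail --silent --show-error --max-time 5 \
        -H 'Content-Type: application/json' \
        --data "$payload" "$NOTIFY_URL"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@"
}

# When run by fail2ban with the four tag arguments, send the notification.
if [ "$#" -ge 4 ]; then
    notify_ban "$1" "$2" "$3" "$4"
fi
```

Install the script with mode 0755 and root ownership, since fail2ban runs it with its own (normally root) privileges and a writable script would be a privilege escalation path. If the endpoint is not on localhost, switch `NOTIFY_URL` to https and add an authentication header, because the body names the banned address and the jail; `actionunban` can call the same script with an extra argument if the receiving side needs to clear its record.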