author | Leonardo Arena <rnalrd@alpinelinux.org> | 2015-12-09 10:38:12 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2015-12-09 10:38:29 +0000 |
commit | d0457a4cbde06be9e6fdf2203fd53b1b05225b98 (patch) | |
tree | bfdeb5914ab75a2bc107d355508e38d7213bebe5 | |
parent | b404e7bae39604847b17bf10a501146fe5d56d7c (diff) | |
main/fail2ban: add default SSH jail. Fixes #966
-rw-r--r-- | main/fail2ban/APKBUILD | 29 | ||||
-rw-r--r-- | main/fail2ban/alpine-ssh.jaild | 13 | ||||
-rw-r--r-- | main/fail2ban/alpine-sshd-ddos.filterd | 26 | ||||
-rw-r--r-- | main/fail2ban/alpine-sshd.filterd | 27 |
4 files changed, 90 insertions, 5 deletions
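--- a/main/fail2ban/APKBUILD
+++ b/main/fail2ban/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=fail2ban
 pkgver=0.9.3
-pkgrel=0
+pkgrel=1
 pkgdesc="Scans log files for login failures then updates iptables to reject originating ip address"
 url="http://www.fail2ban.org"
 arch="noarch"
@@ -12,7 +12,11 @@ depends="python iptables logrotate"
 makedepends="python-dev python-dev py-setuptools"
 source="$pkgname-$pkgver.tar.gz::https://github.com/$pkgname/$pkgname/archive/$pkgver.tar.gz
 fail2ban.confd
-fail2ban.logrotate"
+fail2ban.logrotate
+alpine-ssh.jaild
+alpine-sshd.filterd
+alpine-sshd-ddos.filterd
+"
 
 _builddir="$srcdir"/$pkgname-$pkgver
 build() {
@@ -29,14 +33,29 @@ package() {
 || return 1
 install -Dm644 "$srcdir"/fail2ban.logrotate \
 "$pkgdir"/etc/logrotate.d/fail2ban || return 1
+install -Dm644 "$srcdir"/alpine-ssh.jaild \
+"$pkgdir"/etc/fail2ban/jail.d/alpine-ssh.conf
+install -Dm644 "$srcdir"/alpine-sshd.filterd \
+"$pkgdir"/etc/fail2ban/filter.d/alpine-sshd.conf
+install -Dm644 "$srcdir"/alpine-sshd-ddos.filterd \
+"$pkgdir"/etc/fail2ban/filter.d/alpine-sshd-ddos.conf
 }
 
 md5sums="73c87c545cc6474de984b5a05e64ecab fail2ban-0.9.3.tar.gz
 b209a04f9314dd064a4aa0ee505c8a4d fail2ban.confd
-6d1af6ceebd15c8ae3938bc675efe553 fail2ban.logrotate"
+6d1af6ceebd15c8ae3938bc675efe553 fail2ban.logrotate
+d79129324ec8710989be0d631362b1ab alpine-ssh.jaild
+16637b4f207bc9bd68812d02cc06cfad alpine-sshd.filterd
+d2634b4646276e5f9e4e3855e16725de alpine-sshd-ddos.filterd"
 sha256sums="b3a0793d9ed3b4e341e568388c65bb07a904f77ac8044186376cab3e58e5b2c9 fail2ban-0.9.3.tar.gz
 e35f1f820bfe5ecaac2696d60155c348d84af428e8c615e97b900c24a587d233 fail2ban.confd
-4cfe274ec9c71dd0ae0575298f5327230f6e67b2f8fc1a616c645d0f6b3ce02f fail2ban.logrotate"
+4cfe274ec9c71dd0ae0575298f5327230f6e67b2f8fc1a616c645d0f6b3ce02f fail2ban.logrotate
+e0d03b972bb90053be53c7dc8d2711a57a569dbb956b40cb0026676cdc5b47db alpine-ssh.jaild
+948e9b598a9242eb8bfef911c38d8af25c66554fd9c770e3017d636e59b98e16 alpine-sshd.filterd
+1015ff0831970e2f42863b5d5c33635de69ccdae184df72f6be1792cd67f6df8 alpine-sshd-ddos.filterd"
 sha512sums="0a6c1a51f6b5eefc09d2d946c34cd935c36ad23f72bd7d3fe78e060d0cd03d63b7403069adfa26c303ef65069caf68230bc580765dc6093fe14b798c5c6ec39c fail2ban-0.9.3.tar.gz
 1e7581dd04e7777d6fd5c40cc842a7ec5f4e6a0374673d020d89dd61bf4093d48934844bee89bcac9084f9ae44f3beb66e714cf3c2763d79c3e8feb790c5e43b fail2ban.confd
-60c80dcf8ced5a0323daef2df702f862d99ac45f56b91015ce39be8471cf9d6a3bb45d776df0330692f40db37638dc3ef2004cfc65f26d50dd67c94fbfdf4ec2 fail2ban.logrotate"
+60c80dcf8ced5a0323daef2df702f862d99ac45f56b91015ce39be8471cf9d6a3bb45d776df0330692f40db37638dc3ef2004cfc65f26d50dd67c94fbfdf4ec2 fail2ban.logrotate
+84915967ae1276f1e14a5813680ee2ebf081af1ff452a688ae5f9ac3363f4aff90e39f8e6456b5c33d5699917d28a16308797095fd1ef9bb1fbcb46d4cea3def alpine-ssh.jaild
+672762f513e14a29c0183fbab0f7acfa45e8e3e6d25f98d443bf82cad03d15af21b14789a223aeb5642806fa7c2092caede99593059b68230165c311b1eb7fea alpine-sshd.filterd
+36a81b771be0b36fe0dfb5ee4c72c9cb5b504e110618a8eb6f0f241b4e57d92df01dc5cc04b6b68d5bc6a5e6d68de1000092770285d7a328e5937e50b4b226a3 alpine-sshd-ddos.filterd"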
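Review bot: The three new `install` calls in package() do not end in `|| return 1`, unlike the fail2ban.logrotate install directly above them, so a failure to install alpine-ssh.jaild or alpine-sshd.filterd is ignored and only the status of the last call reaches the caller. Each destination line should follow the existing pattern, e.g. `"$pkgdir"/etc/fail2ban/jail.d/alpine-ssh.conf || return 1`. If abuild does not run package() under `set -e` (not visible here), a package could ship with the jail enabled but its filter file missing. package() starts outside the hunk.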
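--- /dev/null
+++ b/main/fail2ban/alpine-ssh.jaild
@@ -0,0 +1,13 @@
+[sshd]
+enabled = true
+filter = alpine-sshd
+port = ssh
+logpath = /var/log/messages
+maxretry = 10
+
+[sshd-ddos]
+enabled = true
+filter = alpine-sshd-ddos
+port = ssh
+logpath = /var/log/messages
+maxretry = 10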
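Review bot: Both jails are switched on with `enabled = true` and read `/var/log/messages`, but the file carries no comment stating that assumption, so on a host where sshd logs elsewhere the jails run and match nothing without any warning. A header such as `# Default SSH jails for Alpine; expects sshd to log through syslog to /var/log/messages` would make this visible to an administrator. It would also help to say that `bantime` and `findtime` are not set here and are presumably inherited from the `[DEFAULT]` section of jail.conf.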
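--- /dev/null
+++ b/main/fail2ban/alpine-sshd-ddos.filterd
@@ -0,0 +1,26 @@
+# Fail2Ban ssh filter for at attempted exploit
+#
+# The regex here also relates to a exploit:
+#
+# http://www.securityfocus.com/bid/17958/exploit
+# The example code here shows the pushing of the exploit straight after
+# reading the server version. This is where the client version string normally
+# pushed. As such the server will read this unparsible information as
+# "Did not receive identification string".
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = sshd
+
+failregex = Did not receive identification string from <HOST>\s*$
+
+ignoreregex =
+
+[Init]
+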
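Review bot: The `failregex` is not anchored to the start of the line or to the sshd tag, so any line in the log that contains `Did not receive identification string from <HOST>` counts as a failure, whichever program wrote it; `before = common.conf` and `_daemon = sshd` are set but the pattern never uses them. Since alpine-ssh.jaild points this filter at the shared `/var/log/messages`, a line from another service that echoes remote-supplied text could cause a ban of an unrelated address. Consider `failregex = ^%(__prefix_line)sDid not receive identification string from <HOST>\s*$`, or, if `__prefix_line` does not match Alpine's syslog format, at least require the `sshd[pid]:` tag before the message. The same applies to the `failregex` in alpine-sshd.filterd, which is also missing the trailing `$`.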
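--- /dev/null
+++ b/main/fail2ban/alpine-sshd.filterd
@@ -0,0 +1,27 @@
+# Fail2Ban filter for openssh for Alpine
+#
+# If you want to protect OpenSSH from being bruteforced by password
+# authentication then get public key authentication working before disabling
+# PasswordAuthentication in sshd_config.
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = sshd
+
+failregex = Failed [-/\w]+ for .* from <HOST> port \d* ssh2
+
+ignoreregex =
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 10
+
+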
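Review bot: `maxlines = 10` in `[Init]` buffers ten log lines for multi-line matching, but the only `failregex` in this file is a single-line pattern, so the setting looks unnecessary. Dropping it (or leaving `[Init]` empty as alpine-sshd-ddos.filterd does) keeps matching line-by-line; if it is kept, a comment should say which multi-line pattern needs it. The header comment would also benefit from one line stating which sshd messages the filter covers: as written it matches only `Failed <method> for ... ssh2` lines.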