@xurizaemon
Created April 27, 2014 20:25
drupal honeypot fail2ban
Author: Chris Burgess <chris@fuzion.co.nz>
Date: Sun Apr 27 20:52:39 2014 +0100
Fail2ban rules for Drupal + honeypot.
diff --git a/.etckeeper b/.etckeeper
index 813fd3c..e705732 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -471,6 +471,8 @@ maybe chmod 0644 './fail2ban/filter.d/couriersmtp.conf'
maybe chmod 0644 './fail2ban/filter.d/cyrus-imap.conf'
maybe chmod 0644 './fail2ban/filter.d/dovecot.conf'
maybe chmod 0644 './fail2ban/filter.d/dropbear.conf'
+maybe chmod 0644 './fail2ban/filter.d/drupal-honeypot-b.conf'
+maybe chmod 0644 './fail2ban/filter.d/drupal-nodeadd-d.conf'
maybe chmod 0644 './fail2ban/filter.d/exim.conf'
maybe chmod 0644 './fail2ban/filter.d/gssftpd.conf'
maybe chmod 0644 './fail2ban/filter.d/lighttpd-fastcgi.conf'
@@ -968,6 +970,7 @@ maybe chmod 0755 './rmt'
maybe chmod 0644 './rpc'
maybe chmod 0644 './rsyslog.conf'
maybe chmod 0755 './rsyslog.d'
+maybe chmod 0644 './rsyslog.d/drupal.conf'
maybe chmod 0644 './rsyslog.d/postfix.conf'
maybe chmod 0644 './screenrc'
maybe chmod 0644 './securetty'
diff --git a/fail2ban/filter.d/drupal-honeypot-b.conf b/fail2ban/filter.d/drupal-honeypot-b.conf
new file mode 100644
index 0000000..33113cd
--- /dev/null
+++ b/fail2ban/filter.d/drupal-honeypot-b.conf
@@ -0,0 +1,20 @@
+# Fail2Ban configuration file
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P<host>\S+)
+# Values: TEXT$
+
+
+# Grab spammer IP address.
+failregex = \|honeypot\|<HOST>\|.*\|Blocked
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
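Review bot: the `# Notes.:` block still carries the stock fail2ban template text about "password failures messages", which does not describe this filter; replace it with a line stating the Drupal syslog field order this regex relies on (`base_url|timestamp|type|ip|request_uri|referer|uid|link|message`, so `|honeypot|` is followed by the client IP). Separately, `failregex = \|honeypot\|<HOST>\|.*\|Blocked` is unanchored and its `.*` spans the request URI and referer fields, which are client-supplied, so the pattern can also match inside those fields on an unrelated log line and pick up an address that is not the real client; anchor the pattern to the fixed prefix written before the type field (line start, base URL and timestamp) so `<HOST>` can only bind to Drupal's own IP field.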
diff --git a/fail2ban/filter.d/drupal-nodeadd-d.conf b/fail2ban/filter.d/drupal-nodeadd-d.conf
new file mode 100644
index 0000000..3522c9d
--- /dev/null
+++ b/fail2ban/filter.d/drupal-nodeadd-d.conf
@@ -0,0 +1,20 @@
+# Fail2Ban configuration file
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P<host>\S+)
+# Values: TEXT$
+
+
+# Grab spammer IP address.
+failregex = \|access denied\|<HOST>\|.*\|node/add
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
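Review bot: the trailing `node/add` in `failregex` has no terminator, so it also matches longer paths such as `node/add-anything`, and the `.*` before it spans the client-supplied URI and referer fields, giving this filter the same spoofing exposure as the honeypot one; end the pattern with `(?:/|\||$)` and anchor its start to the fixed prefix before the `access denied` type field. The copied template comment about "password failures messages" should likewise be replaced with what this filter actually catches (repeated `access denied` watchdog entries for `node/add`, i.e. anonymous clients probing the content-creation forms).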
diff --git a/fail2ban/jail.conf b/fail2ban/jail.conf
index 92882d0..7bbe64c 100644
--- a/fail2ban/jail.conf
+++ b/fail2ban/jail.conf
@@ -312,3 +312,23 @@ protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log
+# Custom jails.
+
+[drupal-honeypot-b]
+enabled = true
+port = http,https
+filter = drupal-honeypot-b
+logpath = /var/log/drupal/drupal.log
+ignoreip = 127.0.0.1
+bantime = 86400
+maxretry = 3
+
+[drupal-nodeadd-d]
+enabled = true
+port = http,https
+filter = drupal-nodeadd-d
+logpath = /var/log/drupal/drupal.log
+ignoreip = 127.0.0.1
+bantime = 86400
+maxretry = 5
+
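Review bot: these jails are appended to `jail.conf`, which the fail2ban package overwrites on upgrade; site-specific jails belong in `jail.local` (or a file under `jail.d/`), where they override the packaged defaults without being lost. Two caveats worth a line in the `# Custom jails.` comment: `ignoreip = 127.0.0.1` only exempts loopback, and if the site sits behind a reverse proxy the IP Drupal logs is the proxy's unless Drupal's reverse-proxy setting is enabled, so a ban here would cut off all traffic; and `maxretry = 3` means three Honeypot-blocked submissions within the default `findtime` before a ban, a deliberate tolerance that should be stated rather than left implicit. The final `+` line adds a trailing blank line at end of file and can be dropped.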
diff --git a/rsyslog.d/drupal.conf b/rsyslog.d/drupal.conf
new file mode 100644
index 0000000..1594910
--- /dev/null
+++ b/rsyslog.d/drupal.conf
@@ -0,0 +1,5 @@
+# Log drupal messages to file, so fail2ban can act on them.
+#
+local0.crit;local0.err -/var/log/drupal/drupal.err
+local0.info -/var/log/drupal/drupal.info
+local0.* -/var/log/drupal/drupal.log
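Review bot: the selector `local0.crit;local0.err` is redundant, since a syslog priority selector matches that priority and everything more severe, so `local0.err` alone already covers err, crit, alert and emerg. Document that `local0` must match the facility configured in Drupal's syslog module (its default on Linux), that `/var/log/drupal` must already exist because rsyslog will not create the directory, and that the leading `-` makes rsyslog buffer writes, which can delay lines reaching fail2ban; drop the `-` on `drupal.log` if ban latency matters. With no `& ~` (or `& stop` on newer rsyslog) after these rules the same messages also continue into the default `/var/log/syslog`, which is harmless but worth noting in the header comment.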
@xurizaemon
28-char limit on iptables rules; fail2ban prepends fail2ban- (9), hence the truncated filter names.
