drupal honeypot fail2ban
Author: Chris Burgess <chris@fuzion.co.nz> | |
Date: Sun Apr 27 20:52:39 2014 +0100 | |
Fail2ban rules for Drupal + honeypot. | |
diff --git a/.etckeeper b/.etckeeper | |
index 813fd3c..e705732 100755 | |
--- a/.etckeeper | |
+++ b/.etckeeper | |
@@ -471,6 +471,8 @@ maybe chmod 0644 './fail2ban/filter.d/couriersmtp.conf' | |
maybe chmod 0644 './fail2ban/filter.d/cyrus-imap.conf' | |
maybe chmod 0644 './fail2ban/filter.d/dovecot.conf' | |
maybe chmod 0644 './fail2ban/filter.d/dropbear.conf' | |
+maybe chmod 0644 './fail2ban/filter.d/drupal-honeypot-b.conf' | |
+maybe chmod 0644 './fail2ban/filter.d/drupal-nodeadd-d.conf' | |
maybe chmod 0644 './fail2ban/filter.d/exim.conf' | |
maybe chmod 0644 './fail2ban/filter.d/gssftpd.conf' | |
maybe chmod 0644 './fail2ban/filter.d/lighttpd-fastcgi.conf' | |
@@ -968,6 +970,7 @@ maybe chmod 0755 './rmt' | |
maybe chmod 0644 './rpc' | |
maybe chmod 0644 './rsyslog.conf' | |
maybe chmod 0755 './rsyslog.d' | |
+maybe chmod 0644 './rsyslog.d/drupal.conf' | |
maybe chmod 0644 './rsyslog.d/postfix.conf' | |
maybe chmod 0644 './screenrc' | |
maybe chmod 0644 './securetty' | |
diff --git a/fail2ban/filter.d/drupal-honeypot-b.conf b/fail2ban/filter.d/drupal-honeypot-b.conf | |
new file mode 100644 | |
index 0000000..33113cd | |
--- /dev/null | |
+++ b/fail2ban/filter.d/drupal-honeypot-b.conf | |
@@ -0,0 +1,20 @@ | |
+# Fail2Ban configuration file | |
+ | |
+[Definition] | |
+ | |
+# Option: failregex | |
+# Notes.: regex to match the password failures messages in the logfile. The | |
+# host must be matched by a group named "host". The tag "<HOST>" can | |
+# be used for standard IP/hostname matching and is only an alias for | |
+# (?:::f{4,6}:)?(?P<host>\S+) | |
+# Values: TEXT$ | |
+ | |
+ | |
+# Grab spammer IP address. | |
+failregex = \|honeypot\|<HOST>\|.*\|Blocked | |
+ | |
+# Option: ignoreregex | |
+# Notes.: regex to ignore. If this regex matches, the line is ignored. | |
+# Values: TEXT | |
+# | |
+ignoreregex = | |
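Review bot: The header comment above `failregex` is the stock filter.d template text and describes "password failures", which is not what this filter matches; the same copied block appears in drupal-nodeadd-d.conf. Replace it with a comment that states the log line shape the regex relies on, e.g. `# Matches Drupal syslog-module lines (pipe-delimited, watchdog type then client IP); "Blocked" is the start of the honeypot module's message field.` — assuming that is the field order the Drupal syslog module writes, which the hunk does not show. It is also worth saying in the comment that the banned address is always taken from the IP field Drupal itself writes, since the unanchored `.*` after `<HOST>` spans the request URI and referer fields and a reader may otherwise wonder whether those influence the match.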
diff --git a/fail2ban/filter.d/drupal-nodeadd-d.conf b/fail2ban/filter.d/drupal-nodeadd-d.conf | |
new file mode 100644 | |
index 0000000..3522c9d | |
--- /dev/null | |
+++ b/fail2ban/filter.d/drupal-nodeadd-d.conf | |
@@ -0,0 +1,20 @@ | |
+# Fail2Ban configuration file | |
+ | |
+[Definition] | |
+ | |
+# Option: failregex | |
+# Notes.: regex to match the password failures messages in the logfile. The | |
+# host must be matched by a group named "host". The tag "<HOST>" can | |
+# be used for standard IP/hostname matching and is only an alias for | |
+# (?:::f{4,6}:)?(?P<host>\S+) | |
+# Values: TEXT$ | |
+ | |
+ | |
+# Grab spammer IP address. | |
+failregex = \|access denied\|<HOST>\|.*\|node/add | |
+ | |
+# Option: ignoreregex | |
+# Notes.: regex to ignore. If this regex matches, the line is ignored. | |
+# Values: TEXT | |
+# | |
+ignoreregex = | |
diff --git a/fail2ban/jail.conf b/fail2ban/jail.conf | |
index 92882d0..7bbe64c 100644 | |
--- a/fail2ban/jail.conf | |
+++ b/fail2ban/jail.conf | |
@@ -312,3 +312,23 @@ protocol = tcp | |
filter = named-refused | |
logpath = /var/log/named/security.log | |
+# Custom jails. | |
+ | |
+[drupal-honeypot-b] | |
+enabled = true | |
+port = http,https | |
+filter = drupal-honeypot-b | |
+logpath = /var/log/drupal/drupal.log | |
+ignoreip = 127.0.0.1 | |
+bantime = 86400 | |
+maxretry = 3 | |
+ | |
+[drupal-nodeadd-d] | |
+enabled = true | |
+port = http,https | |
+filter = drupal-nodeadd-d | |
+logpath = /var/log/drupal/drupal.log | |
+ignoreip = 127.0.0.1 | |
+bantime = 86400 | |
+maxretry = 5 | |
+ | |
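Review bot: The new jails are added to fail2ban/jail.conf, which is the distribution-owned file and gets replaced on package upgrade; fail2ban's convention is to put local jails in jail.local (or a file under jail.d/), which is read after jail.conf and overrides it. Moving the `[drupal-honeypot-b]` and `[drupal-nodeadd-d]` sections there keeps them across upgrades. Both jails ban whatever address the filter extracts from the Drupal log line; if the site is served through a reverse proxy or CDN, that address may be the proxy's unless Drupal is configured to trust the forwarding headers, and a ban on `port = http,https` would then cut off the proxy rather than the client — worth confirming before `enabled = true`. A short comment above each section naming the log source (the rsyslog rule for `local0`) and what `maxretry` counts would also help, since `# Custom jails.` says nothing about either.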
diff --git a/rsyslog.d/drupal.conf b/rsyslog.d/drupal.conf | |
new file mode 100644 | |
index 0000000..1594910 | |
--- /dev/null | |
+++ b/rsyslog.d/drupal.conf | |
@@ -0,0 +1,5 @@ | |
+# Log drupal messages to file, so fail2ban can act on them. | |
+# | |
+local0.crit;local0.err -/var/log/drupal/drupal.err | |
+local0.info -/var/log/drupal/drupal.info | |
+local0.* -/var/log/drupal/drupal.log |
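Review bot: Nothing in the file says which producer emits on `local0`, so the comment should state the precondition, e.g. `# Requires Drupal's syslog module enabled with facility local0; anything else logging to local0 also lands here.` The `local0.*` rule writes every severity to drupal.log while the two lines above duplicate crit/err and info into separate files, so each such line is stored twice; if only fail2ban reads these, the comment should say what the .err and .info files are for or they should be dropped. No logrotate rule for /var/log/drupal appears in this diff, so these files grow without bound until one is added elsewhere.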
28 char limit on iptables rules; fail2ban prepends `fail2ban-` (9 chars), hence the truncated filter names.