Package: fail2ban
Version: 0.8.1-3
Severity: wishlist

The xinetd daemon recognizes some wrong conditions:
- deny_from and only_from directives to limit source IP
- tcp wrappers limitations
so it is simple to recognize attacks on the host.

The attached files are:
jail.local = jail configuration
xinetd-fail.local = the filter file: matches the FAIL status
iptables-nat-logdropall.local = the action file: LOG and DROP anything from the bad IP in the PREROUTING chain of the nat table. It is simple to block anything with the raw table, so the tracked connections are also dropped.
-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (560, 'testing'), (550, 'testing'), (540, 'testing-proposed-updates'), (260, 'stable'), (250, 'stable'), (240, 'proposed-updates'), (50, 'unstable')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.22-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=it_IT.ISO-8859-15, LC_CTYPE=ISO_8859_15 (charmap=ISO-8859-1) (ignored: LC_ALL set to it_IT)
Shell: /bin/sh linked to /bin/bash

Versions of packages fail2ban depends on:
ii  lsb-base        3.1-24            Linux Standard Base 3.1 init scrip
ii  python          2.4.4-6           An interactive high-level object-o
ii  python-central  0.5.15            register and build utility for Pyt

Versions of packages fail2ban recommends:
ii  iptables        1.3.8.0debian1-1  administration tools for packet fi

-- no debconf information
[xinetd-fail]
enabled   = true
filter    = xinetd-fail
port      = all
banaction = iptables-nat-logdropall
logpath   = /var/log/daemon.log
maxretry  = 1
# /etc/fail2ban/filter.d/xinetd.local

[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# Cfr.: /var/log/(daemon\.|sys)log
#   libwrap => tcp wrappers: hosts.(allow|deny)
#   address => xinetd: deny_from|only_from
#   load    => xinetd: max_load (temporary problem)
failregex = xinetd(?:\[\d{1,5}\])?: FAIL: \S+ address from=<HOST>$
            xinetd(?:\[\d{1,5}\])?: FAIL: \S+ libwrap from=<HOST>$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
# fail2ban/action.d/iptables-nat-logdropall.local

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = /sbin/iptables -t nat -N fail2ban-<name>
              /sbin/iptables -t nat -A fail2ban-<name> -j LOG --log-prefix "$(expr fail2ban-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
              /sbin/iptables -t nat -A fail2ban-<name> -j DROP

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = /sbin/iptables -t nat -F fail2ban-<name>
             /sbin/iptables -t nat -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = /sbin/iptables -t nat -n -L fail2ban-<name> >/dev/null

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = /sbin/iptables -t nat -I PREROUTING 1 -s <ip> -j fail2ban-<name>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = /sbin/iptables -t nat -D PREROUTING -s <ip> -j fail2ban-<name>

[Init]

# Default name of the chain
#
name = default

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = anyport

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
#
protocol = all
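Added example, not part of the bug report or of fail2ban itself: a small Python check that expands the <HOST> alias the way the filter header documents it and runs the two failregex lines from xinetd-fail.local over constructed daemon.log samples, then applies the jail's maxretry = 1. It confirms that "address" and "libwrap" FAIL lines are caught (including an IPv4-mapped ::ffff: source), while the deliberately excluded "load" failures and ordinary START lines are not.

```python
import re

# <HOST> alias exactly as documented in the filter header (fail2ban 0.8).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two failregex lines from xinetd-fail.local.
FAILREGEX = [
    r"xinetd(?:\[\d{1,5}\])?: FAIL: \S+ address from=<HOST>$",
    r"xinetd(?:\[\d{1,5}\])?: FAIL: \S+ libwrap from=<HOST>$",
]

# Constructed sample lines in /var/log/daemon.log syslog format (not real log data).
SAMPLE_LOG = [
    "Dec 10 12:00:01 gw xinetd[2481]: FAIL: telnet address from=192.0.2.10",
    "Dec 10 12:00:02 gw xinetd[2481]: FAIL: ftp libwrap from=198.51.100.7",
    "Dec 10 12:00:03 gw xinetd[2481]: FAIL: telnet address from=::ffff:192.0.2.10",
    "Dec 10 12:00:04 gw xinetd[2481]: FAIL: pop3 load from=203.0.113.5",
    "Dec 10 12:00:05 gw xinetd[2481]: START: telnet pid=2490 from=192.0.2.20",
]


def compile_failregex(patterns):
    """Expand <HOST> and compile. fail2ban uses search(), so the syslog
    prefix (timestamp, hostname) before 'xinetd' is allowed."""
    return [re.compile(p.replace("<HOST>", HOST_ALIAS)) for p in patterns]


def match_failures(lines, compiled):
    """Return (host, line) for every line hit by any failregex. The optional
    ::ffff: prefix is consumed by the alias, so an IPv4-mapped address counts
    against the same host as the plain IPv4 form."""
    hits = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hits.append((m.group("host"), line))
                break
    return hits


def hosts_to_ban(hits, maxretry=1):
    """Apply the jail's maxretry: hosts with >= maxretry failures get banned."""
    counts = {}
    for host, _ in hits:
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    hits = match_failures(SAMPLE_LOG, compile_failregex(FAILREGEX))
    for host, line in hits:
        print(host, "<-", line)
    print("would ban:", hosts_to_ban(hits))
```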