Refactoring and restruct

ban-server/nginx.conf

-# load dynamic nginx modules
-include /etc/nginx/modules-enabled.d/*.conf;
-
-# see http://nginx.net for info & docs
-
-worker_processes  10;
-
-error_log   /var/log/nginx/error.log;
-
-events {
-	worker_connections  1024;
-}
-
-include /etc/nginx/conf-enabled.d/*.conf;
-
-http {
-	index index.html;
-	server {
-	
-	    location / {
-		root /var/www/html/eterban/;
-		}
-	    
-	    location ~ \.php$ {
-		try_files $uri =404;
-		root /var/www/html/eterban/;
-		include /etc/nginx/fastcgi.conf;
-		fastcgi_pass unix:/var/run/php7-fpm/php7-fpm.sock;
-		}
-	}
-}

eterban.spec

@@ -35,6 +35,7 @@ Etersoft ban service.
 %package web
 Summary: Etersoft ban service: web
 Group: Development/Other
+Requires: php-redis
 
 %description web
 Etersoft ban service.
@@ -43,7 +44,7 @@ Etersoft ban service.
 %package fail2ban
 Summary: Etersoft ban service: fail2ban
 Group: Development/Other
-
+Requires: redis
 %description fail2ban
 Etersoft ban service.
 
@@ -60,7 +61,7 @@ mkdir -p %buildroot/etc/%name/
 mkdir -p %buildroot/etc/fail2ban/action.d/
 mkdir -p %buildroot/etc/fail2ban/jail.d/
 mkdir -p %buildroot/etc/systemd/system/
-
+mkdir -p %buildroot/var/log/eterban/
 mkdir -p %buildroot%webserver_htdocsdir/%name/
 
 

gateway/etc/fail2ban/action.d/ban.conf

@@ -4,16 +4,19 @@ before = iptables-common.conf
 [Definition]
 # Notes.: create list blacklist at the start of Fail2Ban
 # Value: CMD (eterban-switcher.py)
+
 actionstart = ipset --create blacklist iphash
-              <iptables> -t nat -I PREROUTING -i brlocal -p tcp -m tcp --dport 80 -m set --match-set blacklist src -j DNAT --to-destination 91.232.225.67
-			  <iptables> -I FORWARD -p tcp -m multiport ! --dport 80,443 -m set --match-set blacklist src -j REJECT
+              iptables -t nat -I PREROUTING -i brlocal -m set --match-set blacklist src -j DNAT --to-destination 91.232.225.67
+              iptables -t nat -I PREROUTING -i brlocal -m set ! --match-set blacklist src -d 91.232.225.67 -p tcp -m multiport --destination-port 80,443 -j DNAT --to-destination 91.232.225.67:81
+              iptables -I FORWARD -i brlocal -p tcp -m multiport ! --dport 80,81,443 -m set --match-set blacklist src -j REJECT
+#              iptables -t nat -I POSTROUTING -o breth0 -d 91.232.225.67 -j SNAT --to-source 91.232.225.1
 
-actionflush = ipset flush blacklist
 
-actionstop = <iptables> -t nat -D PREROUTING -i brlocal -p tcp -m tcp --dport 80 -m set --match-set blacklist src -j DNAT --to-destination 91.232.225.67
-			 <iptables> -I FORWARD -p tcp -m multiport ! --dport 80,443 -m set --match-set blacklist src -j REJECT
-             <actionflush>
-             ipset destroy blacklist
+actionstop  = iptables -t nat -D PREROUTING -i brlocal -m set --match-set blacklist src -j DNAT --to-destination 91.232.225.67
+              iptables -t nat -D PREROUTING -i brlocal -m set ! --match-set blacklist src -d 91.232.225.67 -p tcp -m multiport --destination-port 80,443 -j DNAT --to-destination 91.232.225.67:81
+	      iptables -D FORWARD -i brlocal -p tcp -m multiport ! --dport 80,81,443 -m set --match-set blacklist src -j REJECT
+              ipset destroy blacklist
+#              iptables -t nat -D POSTROUTING -o breth0 -d 91.232.225.67 -j SNAT --to-source 91.232.225.1
 
 actionban = ipset -A blacklist <ip>
 actionunban = ipset -D blacklist <ip>

prod-server/etc/fail2ban/jail.d/eterban.conf → prod-server/etc/fail2ban/jail.d/eterban.conf.bak

 [eterban]
-enabled = true
+enabled = false
 filter = nginx-limit-req
 action = eterban

prod-server/etc/fail2ban/jail.d/jail.conf

+# Fail2Ban jail specifications file
+#
+# Comments: use '#' for comment lines and ';' for inline comments
+#
+# Changes:  in most of the cases you should not modify this
+#           file, but provide customizations in jail.local file, e.g.:
+#
+# [DEFAULT]
+# bantime = 3600
+#
+# [ssh-iptables]
+# enabled = true
+#
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
+# ban a host which matches an address in this list. Several addresses can be
+# defined using space separator.
+ignoreip = 127.0.0.1/8 87.249.47.42/29 89.104.102.10/28 212.176.200.18/28 62.16.105.243/28 10.20.30.10/24 91.232.225.0/24
+
+# "bantime" is the number of seconds that a host is banned.
+#bantime  = 600
+bantime   = 1
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime  = 600
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 3
+
+# "backend" specifies the backend used to get files modification.
+# Available options are "pyinotify", "gamin", "polling" and "auto".
+# This option can be overridden in each jail as well.
+#
+# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
+#              If pyinotify is not installed, Fail2ban will use auto.
+# gamin:     requires Gamin (a file alteration monitor) to be installed.
+#              If Gamin is not installed, Fail2ban will use auto.
+# polling:   uses a polling algorithm which does not require external libraries.
+# auto:      will try to use the following backends, in order:
+#              pyinotify, gamin, polling.
+backend = polling
+
+# "usedns" specifies if jails should trust hostnames in logs,
+#   warn when reverse DNS lookups are performed, or ignore all hostnames in logs
+#
+# yes:   if a hostname is encountered, a reverse DNS lookup will be performed.
+# warn:  if a hostname is encountered, a reverse DNS lookup will be performed, 
+#        but it will be logged as a warning.
+# no:    if a hostname is encountered, will not be used for banning,
+#        but it will be logged as info.
+usedns = warn
+
+
+# This jail corresponds to the standard configuration in Fail2ban 0.6.
+# The mail-whois action send a notification e-mail with a whois request
+# in the body.
+
+[ssh-iptables]
+
+enabled  = true
+filter   = sshd
+#action   = iptables[name=SSH, protocol=tcp]
+#           sendmail-whois[name=server-SSH, dest=lav@etersoft.ru, sender=sysadm@etersoft.ru]
+action   = eterban
+logpath  = /var/log/messages
+maxretry = 5
+findtime = 4000
+#bantime = 7200
+bantime  = 1
+
+[ssh-ddos-iptables]
+
+enabled  = true
+filter   = sshd-ddos
+#action   = iptables-allports[name=SSHDDOS, protocol=tcp]
+#           sendmail-whois[name=server-SSHDDOS, dest=lav@etersoft.ru, sender=sysadm@etersoft.ru]
+action   = eterban
+logpath  = /var/log/messages
+maxretry = 4
+findtime = 60
+#bantime = 72000
+bantime  = 1
+
+[proftpd-iptables]
+
+enabled  = false
+filter   = proftpd
+action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
+           sendmail-whois[name=ProFTPD, dest=you@example.com]
+logpath  = /var/log/proftpd/proftpd.log
+maxretry = 6
+
+# This jail forces the backend to "polling".
+
+[sasl-iptables]
+
+enabled  = false
+filter   = sasl
+backend  = polling
+action   = iptables[name=sasl, port=smtp, protocol=tcp]
+           sendmail-whois[name=sasl, dest=you@example.com]
+logpath  = /var/log/mail.log
+
+# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
+# used to avoid banning the user "myuser".
+
+[ssh-tcpwrapper]
+
+enabled     = false
+filter      = sshd
+action      = hostsdeny
+              sendmail-whois[name=SSH, dest=you@example.com]
+ignoreregex = for myuser from
+logpath     = /var/log/sshd.log
+
+# This jail demonstrates the use of wildcards in "logpath".
+# Moreover, it is possible to give other files on a new line.
+
+[apache-tcpwrapper]
+
+enabled  = false
+filter	 = apache-auth
+action   = hostsdeny
+logpath  = /var/log/apache*/*error.log
+           /home/www/myhomepage/error.log
+maxretry = 6
+
+# The hosts.deny path can be defined with the "file" argument if it is
+# not in /etc.
+
+[postfix-tcpwrapper]
+
+enabled  = false
+filter   = postfix
+action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
+           sendmail[name=Postfix, dest=you@example.com]
+logpath  = /var/log/postfix.log
+bantime  = 300
+
+[vsftpd-iptables]
+
+enabled  = true
+filter   = vsftpd
+#action   = iptables[name=VSFTPD, protocol=tcp]
+#           sendmail-whois[name=server-SSH, dest=lav@etersoft.ru, sender=sysadm@etersoft.ru]
+action   = eterban
+logpath  = /var/log/vsftpd.log
+findtime = 60
+maxretry = 5
+#bantime  = 3600
+bantime  = 1
+
+# Ban hosts which agent identifies spammer robots crawling the web
+# for email addresses. The mail outputs are buffered.
+
+[apache-badbots]
+
+enabled  = false
+filter   = apache-badbots
+action   = iptables-multiport[name=BadBots, port="http,https"]
+           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
+logpath  = /var/www/*/logs/access_log
+bantime  = 172800
+maxretry = 1
+
+# Use shorewall instead of iptables.
+
+[apache-shorewall]
+
+enabled  = false
+filter   = apache-noscript
+action   = shorewall
+           sendmail[name=Postfix, dest=you@example.com]
+logpath  = /var/log/apache2/error_log
+
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+
+[php-url-fopen]
+
+enabled = false
+port    = http,https
+filter  = php-url-fopen
+logpath = /var/www/*/logs/access_log
+maxretry = 1
+
+# A simple PHP-fastcgi jail which works with lighttpd.
+# If you run a lighttpd server, then you probably will
+# find these kinds of messages in your error_log:
+# ALERT – tried to register forbidden variable ‘GLOBALS’
+# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
+# This jail would block the IP 1.2.3.4.
+
+[lighttpd-fastcgi]
+
+enabled = false
+port    = http,https
+filter  = lighttpd-fastcgi
+# adapt the following two items as needed
+logpath = /var/log/lighttpd/error.log
+maxretry = 2
+
+# Same as above for mod_auth
+# It catches wrong authentifications
+
+[lighttpd-auth]
+
+enabled = false
+port    = http,https
+filter  = lighttpd-auth
+# adapt the following two items as needed
+logpath = /var/log/lighttpd/error.log
+maxretry = 2
+
+# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
+# option is overridden in this jail. Moreover, the action "mail-whois" defines
+# the variable "name" which contains a comma using "". The characters '' are
+# valid too.
+
+[ssh-ipfw]
+
+enabled  = false
+filter   = sshd
+action   = ipfw[localhost=192.168.0.1]
+           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
+logpath  = /var/log/auth.log
+ignoreip = 168.192.0.1
+
+# These jails block attacks against named (bind9). By default, logging is off
+# with bind9 installation. You will need something like this:
+#
+# logging {
+#     channel security_file {
+#         file "/var/log/named/security.log" versions 3 size 30m;
+#         severity dynamic;
+#         print-time yes;
+#     };
+#     category security {
+#         security_file;
+#     };
+# };
+#
+# in your named.conf to provide proper logging.
+# This jail blocks UDP traffic for DNS requests.
+
+# !!! WARNING !!!
+#   Since UDP is connection-less protocol, spoofing of IP and imitation
+#   of illegal actions is way too simple.  Thus enabling of this filter
+#   might provide an easy way for implementing a DoS against a chosen
+#   victim. See
+#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+#   Please DO NOT USE this jail unless you know what you are doing.
+#
+# [named-refused-udp]
+#
+# enabled  = false
+# filter   = named-refused
+# action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
+#            sendmail-whois[name=Named, dest=you@example.com]
+# logpath  = /var/log/named/security.log
+# ignoreip = 168.192.0.1
+
+# This jail blocks TCP traffic for DNS requests.
+
+[named-refused-tcp]
+
+enabled  = false
+filter   = named-refused
+action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
+           sendmail-whois[name=Named, dest=you@example.com]
+logpath  = /var/log/named/security.log
+ignoreip = 168.192.0.1
+
+# Multiple jails, 1 per protocol, are necessary ATM:
+# see https://github.com/fail2ban/fail2ban/issues/37
+[asterisk-tcp]
+
+enabled  = false
+filter   = asterisk
+action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
+           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
+logpath  = /var/log/asterisk/messages
+maxretry = 10
+
+[asterisk-udp]
+
+enabled  = false
+filter	 = asterisk
+action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
+           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
+logpath  = /var/log/asterisk/messages
+maxretry = 10
+
+# Jail for more extended banning of persistent abusers
+# !!! WARNING !!!
+#   Make sure that your loglevel specified in fail2ban.conf/.local
+#   is not at DEBUG level -- which might then cause fail2ban to fall into
+#   an infinite loop constantly feeding itself with non-informative lines
+[recidive]
+
+enabled  = false
+filter   = recidive
+logpath  = /var/log/fail2ban.log
+action   = iptables-allports[name=recidive]
+           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
+bantime  = 604800  ; 1 week
+findtime = 86400   ; 1 day
+maxretry = 5

prod-server/just_do_it

-
-В jail.local (либо в конкретных rules.conf) изменить действие на 
-action = eterban
-bantime = 1 
\ No newline at end of file