author | heqnx <root@heqnx.com> | 2025-05-24 16:06:06 +0300 |
---|---|---|
committer | heqnx <root@heqnx.com> | 2025-05-24 16:06:06 +0300 |
commit | 2ccb5034924a75aac483f1060ae5d0d1a0293569 (patch) | |
tree | ac19c69e34b0fbb56b5f1f9abc9696f8537c199c /attackbox/templates | |
parent | 007be4c334fdd072ff5c058f68c7b373c3ddf7b7 (diff) | |
download | ansible-playbooks-2ccb5034924a75aac483f1060ae5d0d1a0293569.tar.gz ansible-playbooks-2ccb5034924a75aac483f1060ae5d0d1a0293569.zip |
added fail2ban, sshd verbose logging, more handlers
Diffstat (limited to 'attackbox/templates')
-rw-r--r-- | attackbox/templates/jail.local.j2 | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/attackbox/templates/jail.local.j2 b/attackbox/templates/jail.local.j2
new file mode 100644
index 0000000..dd548df
--- /dev/null
+++ b/attackbox/templates/jail.local.j2
@@ -0,0 +1,46 @@
+[INCLUDES]
+#before = paths-distro.conf
+before = paths-debian.conf
+
+[DEFAULT]
+#ignoreself = true
+#ignoreip = 127.0.0.1/8 ::1
+ignorecommand =
+bantime = 1h
+findtime = 10m
+maxretry = 3
+maxmatches = %(maxretry)s
+backend = auto
+usedns = warn
+logencoding = auto
+enabled = false
+mode = normal
+filter = %(__name__)s[mode=%(mode)s]
+destemail = root@localhost
+sender = root@<fq-hostname>
+mta = sendmail
+protocol = tcp
+chain = <known/chain>
+port = 0:65535
+fail2ban_agent = Fail2Ban/%(fail2ban_version)s
+banaction = iptables-multiport
+banaction_allports = iptables-allports
+action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_mw = %(action_)s
+ %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_mwl = %(action_)s
+ %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
+action_xarf = %(action_)s
+ xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
+action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
+ %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
+action_blocklist_de = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
+action_abuseipdb = abuseipdb
+action = %(action_)s
+
+[sshd]
+mode = aggressive
+enabled = true
+port = ssh
+logpath = %(sshd_log)s
+backend = %(sshd_backend)s
|
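Review bot: `ignoreip` is left commented out in `[DEFAULT]` while `[sshd]` is enabled with `mode = aggressive` and `maxretry = 3`, so the Ansible controller and any admin jump host fall under the same 1h ban after three failed attempts and the playbook can lock itself out of the box; an override such as `ignoreip = 127.0.0.1/8 ::1 <controller-address>` (placeholder) belongs in the `[DEFAULT]` block. The file also reproduces almost the entire `[DEFAULT]` section of the packaged `jail.conf` (the `action_*` definitions, `banaction`, `mta`, `chain`, and so on), and because `jail.local` is layered on top of `jail.conf`, these copies will silently shadow any distribution updates to those defaults; keeping only the values this role actually changes (`bantime`, `findtime`, `maxretry`, `ignoreip`, and the `[sshd]` section) avoids that. Although the file is a `.j2` template, it contains no Jinja expressions, so none of these thresholds can be set per host from inventory; this is presumably intentional for now, but a one-line comment at the top of the file saying so would save the next reader from looking for the variables.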