Start working on Ubuntu

ubuntu/resources/fail2ban/auth-challenge-ip.conf

@@ -0,0 +1,21 @@
+# Fail2Ban configuration file
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#[WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'internal' for [+972592277524@xxx.xxx.xxx.xxx] from ip 209.160.120.12 
+failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \((INVITE|REGISTER)\) on sofia profile \'\w+\' for \[.*@\d+.\d+.\d+.\d+\] from ip <HOST>
+
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

ubuntu/resources/fail2ban/freeswitch-ip.conf

@@ -0,0 +1,20 @@
+# Fail2Ban configuration file
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#2014-12-01 00:47:54.331821 [WARNING] sofia_reg.c:2752 Can't find user [1000@xxx.xxx.xxx.xxx] from 62.210.151.162
+failregex = \[WARNING\] sofia_reg.c:\d+ Can't find user \[.*@\d+.\d+.\d+.\d+\] from <HOST>
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

ubuntu/resources/fail2ban/freeswitch.conf

@@ -0,0 +1,18 @@
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
+            \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
+

ubuntu/resources/fail2ban/fusionpbx-404.conf

@@ -0,0 +1,27 @@
+# Fail2Ban configuration file
+# inbound route - 404 not found
+
+
+[Definition]
+
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#failregex = [hostname] FusionPBX: \[<HOST>\] authentication failed
+#[hostname] variable doesn't seem to work in every case. Do this instead:
+failregex = 404 not found <HOST>
+
+
+#EXECUTE sofia/external/8888888888888@example.fusionpbx.com log([inbound routes] 404 not found 82.68.115.62)
+
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

ubuntu/resources/fail2ban/fusionpbx-mac.conf

@@ -0,0 +1,20 @@
+# Fail2Ban configuration file
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#Oct  9 02:56:16 m1 fusionpbx-provision[28628]: [10.0.0.1] invalid mac address 000000000000
+failregex = \[<HOST>\] invalid mac address 
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

ubuntu/resources/fail2ban/fusionpbx.conf

@@ -0,0 +1,25 @@
+# Fail2Ban configuration file
+#
+# Author: soapee01
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#failregex = [hostname] FusionPBX: \[<HOST>\] authentication failed
+#[hostname] variable doesn't seem to work in every case. Do this instead:
+failregex = .* FusionPBX: \[<HOST>\] authentication failed for
+          = .* FusionPBX: \[<HOST>\] provision attempt bad password for
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
+

ubuntu/resources/fail2ban/jail.local

@@ -0,0 +1,131 @@
+[ssh]
+enabled  = true
+port     = 22
+protocol = ssh
+filter   = sshd
+logpath  = /var/log/auth.log
+action   = iptables-allports[name=sshd, protocol=all]
+maxretry = 5
+findtime = 7200
+bantime  = 86400
+
+[freeswitch]
+enabled  = true
+port     = 5060:5091
+protocol = all
+filter   = freeswitch
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=freeswitch, protocol=all]
+maxretry = 5
+findtime = 600
+bantime  = 3600
+#          sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
+
+[freeswitch-ip]
+enabled  = false
+port     = 5060:5091
+protocol = all
+filter   = freeswitch-ip
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=freeswitch-ip, protocol=all]
+maxretry = 1
+findtime = 30
+bantime  = 86400
+
+[auth-challenge-ip]
+enabled  = false
+port     = 5060:5091
+protocol = all
+filter   = auth-challenge-ip
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=auth-challenge-ip, protocol=all]
+maxretry = 1
+findtime = 30
+bantime  = 86400
+
+[sip-auth-challenge]
+enabled  = true
+port     = 5060:5091
+protocol = all
+filter   = sip-auth-challenge
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=sip-auth-challenge, protocol=all]
+maxretry = 50
+findtime = 30
+bantime  = 7200
+
+[sip-auth-failure]
+enabled  = true
+port     = 5060:5091
+protocol = all
+filter   = sip-auth-failure
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=sip-auth-failure, protocol=all]
+maxretry = 3
+findtime = 30
+bantime  = 7200
+
+[fusionpbx-404]
+enabled  = true
+port     = 5060:5091
+protocol = all
+filter   = fusionpbx-404
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=fusionpbx-404, protocol=all]
+maxretry = 3
+findtime = 300
+bantime  = 86400
+
+[fusionpbx]
+enabled  = true
+port     = 80,443
+protocol = tcp
+filter   = fusionpbx
+logpath  = /var/log/auth.log
+action   = iptables-allports[name=fusionpbx, protocol=all]
+#          sendmail-whois[name=fusionpbx, dest=root, sender=fail2ban@example.org] #no smtp server installed
+maxretry = 10
+findtime = 600
+bantime  = 3600
+
+[fusionpbx-mac]
+enabled  = true
+port     = 80,443
+protocol = tcp
+filter   = fusionpbx-mac
+logpath  = /var/log/syslog
+action   = iptables-allports[name=fusionpbx-mac, protocol=all]
+#          sendmail-whois[name=fusionpbx-mac, dest=root, sender=fail2ban@example.org] #no smtp server installed
+maxretry = 5
+findtime = 300
+bantime  = 86400
+
+[nginx-404]
+enabled  = true
+port     = 80,443
+protocol = tcp
+filter   = nginx-404
+logpath  = /var/log/nginx/access*.log
+action   = iptables-allports[name=nginx-404, protocol=all]
+bantime  = 3600
+findtime = 60
+maxretry = 120
+
+[nginx-dos]
+# Based on apache-badbots but a simple IP check (any IP requesting more than
+# 300 pages in 60 seconds, or 5p/s average, is suspicious)
+enabled  = true
+port     = 80,443
+protocol = tcp
+filter   = nginx-dos
+logpath  = /var/log/nginx/access*.log
+action   = iptables-allports[name=nginx-dos, protocol=all]
+findtime = 60
+bantime  = 86400
+maxretry = 300

ubuntu/resources/fail2ban/nginx-404.conf

@@ -0,0 +1,5 @@
+# Fail2Ban configuration file
+#
+[Definition]
+failregex = <HOST> - - \[.*\] "(GET|POST).*HTTP[^ ]* 404
+ignoreregex =

ubuntu/resources/fail2ban/nginx-dos.conf

@@ -0,0 +1,14 @@
+# Fail2Ban configuration file
+ 
+[Definition]
+# Option: failregex
+# Notes.: Regexp to catch a generic call from an IP address.
+# Values: TEXT
+#
+failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"$
+ 
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =

ubuntu/resources/fail2ban/sip-auth-challenge.conf

@@ -0,0 +1,21 @@
+# Fail2Ban configuration file
+#
+# Author: soapee01
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

ubuntu/resources/fail2ban/sip-auth-failure.conf

@@ -0,0 +1,21 @@
+# Fail2Ban configuration file
+#
+# Author: soapee01
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'\w+\' for \[.*\] from ip <HOST>
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =