
First version

mrkips 5 years ago
commit
b4abd8b854
7 changed files with 291 additions and 0 deletions
  1. 16 0
      action.d/sshd-action.conf
  2. 129 0
      banaction.sh
  3. 16 0
      filter.d/sshd-invalid.conf
  4. 14 0
      filter.d/sshd-valid.conf
  5. 11 0
      jail.d/sshd-invalid.local
  6. 11 0
      jail.d/sshd-valid.local
  7. 94 0
      secOpsReport.sh

+ 16 - 0
action.d/sshd-action.conf

@@ -0,0 +1,16 @@
+# Fail2Ban custom action configuration file
+#
+# Created By    : cybergavin
+# Created On    : 27-FEB-2020
+#
+########################################################################################################
+[Definition]
+actionstart =
+actionstop =
+actioncheck =
+actionban = /etc/fail2ban/banaction.sh -i "<ip>" -u <F-USER> -f <failures>
+actionunban =
+
+[Init]
+name = default
+########################################################################################################
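Review bot: On the `actionban` line `<F-USER>` and `<failures>` are substituted unquoted, so an empty username (both filters capture it with `\S*`, which can match nothing) collapses the command to `-u -f <failures>`, and `getopts` in banaction.sh then records the user as `-f` and leaves the failure count as a stray positional. Quote every substituted tag: `actionban = /etc/fail2ban/banaction.sh -i "<ip>" -u "<F-USER>" -f "<failures>"`. `<F-USER>` is attacker-chosen text lifted from the log line; recent fail2ban releases escape shell metacharacters in such dynamic tags as far as I recall, but quoting costs nothing and also covers older installs. A one-line comment that `actionunban` is deliberately empty because this action only records and alerts while the jail's iptables action does the blocking would save the next reader a question.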

+ 129 - 0
banaction.sh

@@ -0,0 +1,129 @@
+#!/bin/bash
+# Author           : cybergavin
+# Date             : 28-FEB-2020
+# Description      : This script is executed when Fail2Ban takes action to ban an IP. The script
+#                    logs the time, IP being banned and the reason for banning and such data will
+#                    facilitate decisions on permanent blacklisting of IPs.
+#
+######################################################################################################
+#
+# Variables
+#
+sender_name="cybergavin"
+sender_email="mail@cybergav.in"
+rec_email=""   # Multiple email adddresses may be used and separated with commas
+valid_user_bantime=`fail2ban-client get sshd-valid bantime`
+#
+# Determine Script Location
+#
+if [ -n "`dirname $0 | grep '^/'`" ]; then
+   SCRIPT_LOCATION=`dirname $0`
+elif [ -n "`dirname $0 | grep '^..'`" ]; then
+     cd `dirname $0`
+     SCRIPT_LOCATION=$PWD
+     cd - > /dev/null
+else
+     SCRIPT_LOCATION=`echo ${PWD}/\`dirname $0\` | sed 's#\/\.$##g'`
+fi
+#
+# Log stderr and stdout
+#
+exec 1> ${SCRIPT_LOCATION}/banaction.stdout
+exec 2> ${SCRIPT_LOCATION}/banaction.stderr
+#
+# Parse input
+#
+unset myip myuser
+if [ $# -eq 0 ]; then
+   printf "ERROR : Invalid script usage.\nUSAGE: /etc/fail2ban/banaction.sh -i <ip> -u <user> -f <failures>"
+   exit 1
+else
+   while getopts ":i:u:f:" opt; do
+    case $opt in
+        i )  myip=${OPTARG}
+             ;;
+        u )  myuser=${OPTARG}
+             ;;
+        f )  myfails=${OPTARG}
+             ;;
+        : )  printf "\n$0: Missing argument for -$OPTARG option\n"
+             exit 2
+             ;;
+        \? ) printf "ERROR : Invalid script usage.\nUSAGE: /etc/fail2ban/banaction.sh -i <ip> -u <user> -f <failures>"
+             exit 1
+             ;;
+    esac
+  done
+shift $(($OPTIND - 1))
+fi
+#
+# Send email alert if the user is valid
+#
+if [ -n "`id -un $myuser`" ]; then
+cat <<EOF | /usr/sbin/sendmail -f $sender_email $rec_email
+Subject: $sender_name : Blocked SSH connectivity from $myip
+Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+From: $sender_name <$sender_email>
+To: $rec_email
+Content-Type: text/html
+<html>
+<head>
+<style>
+.datagrid1 table { border: 1px solid black; border-collapse: collapse; text-align: justify; width: 40%; font: normal 12px/150% Verdana, Arial, Helvetica, sans-serif; }
+.datagrid1 td {border: 1px solid black;}
+</style>
+</head>
+<body>
+The XXXYYY Application has been protected by Fail2Ban as per the following:<br /><br />
+<div class="datagrid1">
+<table>
+        <tr>
+                <td width="20%" style="background-color:#BDBDBD;"><b>Hostname</b></td>
+                <td width="20%">$HOSTNAME</td>
+        </tr>
+        <tr>
+                <td width="20%" style="background-color:#BDBDBD;"><b>Banned IP</b></td>
+                <td width="20%">$myip</td>
+        </tr>
+        <tr>
+                <td width="20%" style="background-color:#BDBDBD;"><b>User</b></td>
+                <td width="20%">$myuser</td>
+        </tr>
+        <tr>
+                <td width="20%" style="background-color:#BDBDBD;"><b>#Failures</b></td>
+                <td width="20%">$myfails</td>
+        </tr>
+        <tr>
+                <td width="20%" style="background-color:#BDBDBD;"><b>Ban Duration</b></td>
+                <td width="20%">$(( valid_user_bantime/60 )) minutes</td>
+        </tr>
+</table>
+</div>
+<br /><br />
+<b>NOTE:</b>To unban the above IP address, login on <b>$HOSTNAME</b> as <b>esuser</b> and execute the following command: <br /><br />
+<font size="2" face="Courier New" >sudo fail2ban-client set sshd-valid unbanip $myip</font>
+</body>
+</html>
+EOF
+fi
+#
+# Log Fail2Ban data
+#
+if [ ! -d ${SCRIPT_LOCATION}/data ]; then
+   mkdir ${SCRIPT_LOCATION}/data
+fi
+DATAFILE=${SCRIPT_LOCATION}/data/banaction_`date '+%b%Y'`.csv
+TDATE=`date '+%Y-%m-%d'`
+TTIME=`date '+%H:%M:%S'`
+if [ ! -f $DATAFILE ]; then
+   echo "DATE,TIME,BANNED IP,USER" > $DATAFILE
+   echo "${TDATE},${TTIME},${myip},${myuser}" >> $DATAFILE
+else
+   echo "${TDATE},${TTIME},${myip},${myuser}" >> $DATAFILE
+fi
+#
+# Housekeep
+#
+if [ -d ${SCRIPT_LOCATION}/data ]; then
+   find ${SCRIPT_LOCATION}/data -type f -name "banaction*.csv" -mtime +180 | xargs rm -f
+fi
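Review bot: The "user is valid" test `if [ -n "\`id -un $myuser\`" ]` degenerates when `$myuser` is empty: `id -un` with no argument prints the invoking user (typically root, since fail2ban runs the action), so the branch is taken and an alert is mailed for a non-existent account. Replace it with `if [ -n "$myuser" ] && id -u -- "$myuser" >/dev/null 2>&1; then`, which also stops `id` error text landing in banaction.stderr on every invalid-user ban. The `Date:` header uses doubled `%%`, which is a fail2ban/Python-config escape and not a shell one, so `date` emits the literal text `%a, %d %h %Y %T +0000` and the mail carries an invalid Date; use single `%` as the later `date` calls do. `$myuser` is attacker-supplied text from the log line and is written unescaped into both the HTML table and the CSV, so at minimum reject anything outside `[A-Za-z0-9._-]` before use, or quote the CSV field; and note `valid_user_bantime` is always read from `sshd-valid` even when the `sshd-invalid` jail triggered this script, so the reported duration and the `unbanip` hint can name the wrong jail.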

+ 16 - 0
filter.d/sshd-invalid.conf

@@ -0,0 +1,16 @@
+# Fail2Ban customized filter for ssh connections for invalid (non-existent) users
+# Created By    : cybergavin
+# Created On    : 28-FEB-2020
+#
+##########################################################################################
+[INCLUDES]
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+_daemon = sshd
+
+[Definition]
+failregex = Invalid user <F-USER>\S*</F-USER> from <HOST>$
+ignoreregex =
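Review bot: The `failregex` is unanchored and ends in `<HOST>$`, so it only matches when the sshd line ends right after the address; newer OpenSSH releases log `Invalid user NAME from ADDR port N`, on which this pattern never matches and the jail silently bans nothing, so verify it against a real sample with `fail2ban-regex /var/log/messages filter.d/sshd-invalid.conf`. Anchoring with the prefix from common.conf (which is included but otherwise unused, as is `_daemon`) and tolerating the port suffix gives `failregex = ^%(__prefix_line)sInvalid user <F-USER>\S*</F-USER> from <HOST>( port \d+)?\s*$`. The file also declares `[Definition]` twice; merge `_daemon` into the single section, since not every config parser accepts a duplicated header.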

+ 14 - 0
filter.d/sshd-valid.conf

@@ -0,0 +1,14 @@
+# Fail2Ban customized filter for ssh connections for valid (existing) users
+# Created By    : cybergavin
+# Created On    : 28-FEB-2020
+#
+##########################################################################################
+[INCLUDES]
+before = common.conf
+
+[Definition]
+_daemon = sshd
+
+[Definition]
+failregex = ssh:auth.*authentication failure;.*rhost=<HOST>.*user=<F-USER>\S*</F-USER>
+ignoreregex =
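Review bot: This `failregex` is a bare substring match: `ssh:auth.*authentication failure;` is presumably aimed at `pam_unix(sshd:auth): authentication failure; ... rhost=ADDR user=NAME`, but with `^%(__prefix_line)s` never used, `before = common.conf` and `_daemon = sshd` are inert and any line in /var/log/messages from any process containing that text would count as a failure. Anchor and tighten it to `failregex = ^%(__prefix_line)spam_unix\(sshd:auth\): authentication failure;.*rhost=<HOST>\s+user=<F-USER>\S*</F-USER>\s*$`. As with the sibling filter, `[Definition]` is declared twice and should be one section. A header comment stating that this only sees PAM password/keyboard-interactive failures (publickey-only failures do not produce this line) would set expectations for whoever tunes `maxretry`.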

+ 11 - 0
jail.d/sshd-invalid.local

@@ -0,0 +1,11 @@
+[sshd-invalid]
+enabled  = true
+filter   = sshd-invalid
+action   = iptables[name=SSH, port=ssh, protocol=tcp]
+           sshd-action[name=SSH]
+logpath  = /var/log/messages
+maxretry = 3
+findtime = 60
+bantime = 600
+backend = pyinotify
+journalmatch =
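Review bot: Both jails pass `name=SSH` to the iptables action, so they share the single `f2b-SSH` chain; the stock action's stop routine flushes and deletes that chain, so stopping or reloading either jail removes the other jail's bans as well, and starting the second jail can fail because the chain already exists. Drop the explicit name so each jail gets its own chain (fail2ban defaults `name` to the jail name): `action = iptables[port=ssh, protocol=tcp]` followed by `sshd-action`. Separately, `logpath = /var/log/messages` with an empty `journalmatch` means hosts that send sshd output only to the systemd journal have nothing for this jail to read; if those are in scope, `backend = systemd` is the safer choice.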

+ 11 - 0
jail.d/sshd-valid.local

@@ -0,0 +1,11 @@
+[sshd-valid]
+enabled  = true
+filter   = sshd-valid
+action   = iptables[name=SSH, port=ssh, protocol=tcp]
+           sshd-action[name=SSH]
+logpath  = /var/log/messages
+maxretry = 5
+findtime = 60
+bantime = 300
+backend = pyinotify
+journalmatch =
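Review bot: This jail bans a source after five password failures against an existing account and has no `ignoreip`, so anyone who knows one valid username can lock a whole NAT'd office or a jump host out of SSH for five minutes at a time; add at least `ignoreip = 127.0.0.1/8 ::1` plus the management ranges. Each ban here also triggers an e-mail from banaction.sh, so a slow spray against one valid account yields a message every five minutes per source; consider a longer `bantime` or rate-limiting the alert. The `name=SSH` given to the iptables action is the same value the sshd-invalid jail uses, which makes the two jails share and tear down one `f2b-SSH` chain; use the default (jail-name) chain instead.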

+ 94 - 0
secOpsReport.sh

@@ -0,0 +1,94 @@
+#!/bin/bash
+# Created By       : cybergavin
+# Created On       : 17-MAR-2020
+# Description      : This script sends an email with the TOP 5 most frequently banned IPs to the IT Security Operations
+#                    team for further analysis and action (e.g. submit a request to Infrastructure Services for the
+#                    permanent ban of "bad" IPs on the frontend firewalls.
+#
+######################################################################################################
+#
+# Variables
+#
+sender_name="cybergavin"
+sender_email="mail@cybergav.in"
+rec_email=""  # Multiple email adddresses may be used and separated with commas
+#
+# Determine Script Location
+#
+if [ -n "`dirname $0 | grep '^/'`" ]; then
+   SCRIPT_LOCATION=`dirname $0`
+elif [ -n "`dirname $0 | grep '^..'`" ]; then
+     cd `dirname $0`
+     SCRIPT_LOCATION=$PWD
+     cd - > /dev/null
+else
+     SCRIPT_LOCATION=`echo ${PWD}/\`dirname $0\` | sed 's#\/\.$##g'`
+fi
+SCRIPT_NAME=`basename $0`
+#
+# Log stderr and stdout
+#
+exec 1> ${SCRIPT_LOCATION}/${SCRIPT_NAME%%.*}.stdout
+exec 2> ${SCRIPT_LOCATION}/${SCRIPT_NAME%%.*}.stderr
+#
+# Generate report and send email
+#
+if [ ! -d ${SCRIPT_LOCATION}/data ]; then
+   mkdir ${SCRIPT_LOCATION}/data
+fi
+my_report=${SCRIPT_LOCATION}/data/${SCRIPT_NAME%%.*}_`date '+%b%Y'`.txt
+my_report_html=${my_report%%.*}.html
+cat <<EOF > $my_report_html
+<html>
+<head>
+<style>
+.datagrid1 table { border: 1px solid black; border-collapse: collapse; text-align: justify; width: 30%; font: normal 12px/150% Verdana, Arial, Helvetica, sans-serif; }
+.datagrid1 td,th {border: 1px solid black;}
+</style>
+</head>
+<body>
+        Security Operations <br /><br />
+        Here are the <b>TOP 5 MOST FREQUENTLY BANNED IPs</b> in $(date '+%B %Y' --date="last month") on $HOSTNAME :<br /><br />
+<div class="datagrid1">
+<table>
+<tr>
+        <th width="20%">IP ADDRESS</th>
+        <th width="10%">#BANS</th>
+</tr>
+EOF
+awk -F, '$3 != "BANNED IP" {print $3}' ${SCRIPT_LOCATION}/data/banaction*.csv | sort | uniq -c | sort -rk 1 | head -5 | sed 's/^ *//g;s/ /,/g' > $my_report
+for f2b in `cat $my_report`
+do
+my_ip=`echo $f2b | cut -d, -f2`
+my_bc=`echo $f2b | cut -d, -f1`
+cat <<EOF >> $my_report_html
+<tr>
+        <td width="20%">$my_ip</td>
+        <td width="10%" align="center">$my_bc</td>
+</tr>
+EOF
+done
+cat <<EOF >> $my_report_html
+</table>
+</div>
+<br /><br />
+<p align="justify">Based on your analysis of the above IP addresses, you may opt to request the Network Admins to implement a permanent ban of one or more of the above IP addresses on the PAN firewalls.</p>
+</body>
+</html>
+EOF
+cat <<EOF | /usr/sbin/sendmail -f $sender_email $rec_email
+Subject: $sender_name : $(date '+%B %Y' --date="last month") BANNED IP Report
+Date: `LC_TIME=C date -u +"%%a, %%d %%h %%Y %%T +0000"`
+From: $sender_name <$sender_email>
+To: $rec_email
+Content-Type: text/html
+
+`cat $my_report_html`
+
+EOF
+#
+# Housekeep
+#
+if [ -d ${SCRIPT_LOCATION}/data ]; then
+   find ${SCRIPT_LOCATION}/data -type f -name "${SCRIPT_NAME%%.*}*.txt" -mtime +180 | xargs rm -f
+fi
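Review bot: The mail is titled as last month's report (`$(date '+%B %Y' --date="last month")`), but the awk over `${SCRIPT_LOCATION}/data/banaction*.csv` aggregates every retained CSV, i.e. up to six months of bans, so the top-5 does not mean what the recipients are told. Read only the previous month's file, `awk -F, '$3 != "BANNED IP" {print $3}' "${SCRIPT_LOCATION}/data/banaction_$(date '+%b%Y' --date='last month').csv"`, guarded by a `[ -f ... ]` test so an empty month does not mail an awk error (and run it on the 1st–28th, since GNU `--date='last month'` on the 29th–31st can roll over). The `Date:` header uses doubled `%%`, which is a fail2ban-config escape rather than a shell one, so `date` emits a literal `%a, %d %h %Y %T +0000`; use single `%` as the other `date` calls do. Housekeeping removes only the `.txt` reports, so the `.html` copies accumulate indefinitely; add `-o -name "${SCRIPT_NAME%%.*}*.html"` to the find.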