Fail2ban Service

From EjnTricks
Revision as of 19 March 2018 at 13:04 by Etienne (talk | contributions)


Fail2ban is a service that automatically creates Iptables rules according to rules that monitor log files.

This article presents a few useful commands for managing it.



Unix service

On an Ubuntu machine the service is installed as a systemctl unit, so it can be driven in the usual way with the following arguments.

  • start to start it;
  • stop to stop it;
  • status to check its status;
  • reload to reload it.

Reading the service configuration shows which commands are actually executed.

[Unit]
Description=Fail2Ban Service
Documentation=man:fail2ban(1)
After=network.target iptables.service firewalld.service
PartOf=iptables.service firewalld.service

[Service]
Type=forking
ExecStart=/usr/bin/fail2ban-client -x start
ExecStop=/usr/bin/fail2ban-client stop
ExecReload=/usr/bin/fail2ban-client reload
PIDFile=/var/run/fail2ban/fail2ban.pid
Restart=always

[Install]
WantedBy=multi-user.target


Server control

Even though the service is exposed in the classic way, the Fail2ban instance can also be managed directly with the fail2ban-client command and its specific arguments, exactly as declared in the service unit.

Stop

The stop argument stops the instance.

#sudo fail2ban-client stop
Shutdown successful

Note that when the instance is managed through systemctl it is restarted automatically, since the unit declares Restart=always.

Start

The start argument starts the instance.

#sudo fail2ban-client start
2018-03-17 19:40:28,524 fail2ban.server         [21940]: INFO    Starting Fail2ban v0.9.7
2018-03-17 19:40:28,524 fail2ban.server         [21940]: INFO    Starting in daemon mode

Note that after a previous error the socket file may still exist, which prevents the start. In that case, use the -x argument to force the socket file to be recreated.

#sudo fail2ban-client -x start
2018-03-17 19:40:28,524 fail2ban.server         [21940]: INFO    Starting Fail2ban v0.9.7
2018-03-17 19:40:28,524 fail2ban.server         [21940]: INFO    Starting in daemon mode

Status

The status argument of the fail2ban-client command checks the status of the instance. Note that this is different from the started / stopped status that the service command returns: the information provided is the number and the names of the active jails.

#sudo fail2ban-client status
Status
|- Number of jail:      1
`- Jail list:           ssh

In this example, only the jail built on the sshd configuration is active.


Reload

After modifying the configurations, or simply to reload them, run the fail2ban-client command with the reload argument. All configured jails are then reloaded.

#sudo fail2ban-client reload

Be aware that the bans currently in place are removed from Iptables during the reload. This matters little, however: if the attacks resume, the sources are banned again automatically.


Checking the loaded configurations

The -d argument of the fail2ban-client command displays the configurations currently active. This argument is meant for debugging, as it shows every piece of information about every loaded rule.

#sudo fail2ban-client -d
['set', 'syslogsocket', 'auto']
['set', 'loglevel', 'INFO']
['set', 'logtarget', '/var/log/fail2ban.log']
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['set', 'dbpurgeage', 86400]
['add', 'sshd', 'auto']
['set', 'sshd', 'addlogpath', '/var/log/auth.log', 'head']
['set', 'sshd', 'logencoding', 'auto']
['set', 'sshd', 'maxretry', 5]
['set', 'sshd', 'findtime', 600]
['set', 'sshd', 'bantime', 3600]
['set', 'sshd', 'usedns', 'warn']
['set', 'sshd', 'ignorecommand', ]
['set', 'sshd', 'addignoreip', '127.0.0.1/8']
['set', 'sshd', 'maxlines', '10']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \\S+)?\\s*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?User not known to the underlying authentication module for .* from <HOST>\\s*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?Failed \\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?ROOT LOGIN REFUSED.* FROM <HOST>\\s*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because not listed in AllowUsers\\s*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because listed in DenyUsers\\s*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because not in any group\\s*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?refused connect from \\S+ \\(<HOST>\\)\\s*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?Received disconnect from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?:\\s*3: .*: Auth fail(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because a group is listed in DenyGroups\\s*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', "^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*(?: \\[preauth\\])?\\s*$"]
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=\\S*\\s*rhost=<HOST>\\s.*(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?(error: )?maximum authentication attempts exceeded for .* from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)? \\[preauth\\]$']
['set', 'sshd', 'addfailregex', '^(?P<__prefix>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?User .+ not allowed because account is locked(?: \\[preauth\\])?\\s*$<SKIPLINES>^(?P=__prefix)(?:(?:error|fatal): (?:PAM: )?)?Received disconnect from <HOST>: 11: .+(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?P<__prefix>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?Disconnecting: Too many authentication failures for .+?(?: \\[preauth\\])?\\s*$<SKIPLINES>^(?P=__prefix)(?:(?:error|fatal): (?:PAM: )?)?Connection closed by <HOST>(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addfailregex', '^(?P<__prefix>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)(?:(?:error|fatal): (?:PAM: )?)?Connection from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: \\[preauth\\])?\\s*$<SKIPLINES>^(?P=__prefix)(?:(?:error|fatal): (?:PAM: )?)?Disconnecting: Too many authentication failures for .+(?: \\[preauth\\])?\\s*$']
['set', 'sshd', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd']
['set', 'sshd', 'addaction', 'iptables-multiport']
['set', 'sshd', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-<name>\n<iptables> -A f2b-<name> -j <returntype>\n<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
['set', 'sshd', 'action', 'iptables-multiport', 'actionstop', '<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\n<iptables> -F f2b-<name>\n<iptables> -X f2b-<name>']
['set', 'sshd', 'action', 'iptables-multiport', 'actioncheck', "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
['set', 'sshd', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
['set', 'sshd', 'action', 'iptables-multiport', 'actionunban', '<iptables> -D f2b-<name> -s <ip> -j <blocktype>']
['set', 'sshd', 'action', 'iptables-multiport', 'name', 'sshd']
['set', 'sshd', 'action', 'iptables-multiport', 'bantime', '3600']
['set', 'sshd', 'action', 'iptables-multiport', 'port', 'ssh']
['set', 'sshd', 'action', 'iptables-multiport', 'protocol', 'tcp']
['set', 'sshd', 'action', 'iptables-multiport', 'chain', 'INPUT']
['set', 'sshd', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
['set', 'sshd', 'action', 'iptables-multiport', 'known/name', 'default']
['set', 'sshd', 'action', 'iptables-multiport', 'known/port', 'ssh']
['set', 'sshd', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
['set', 'sshd', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd', 'action', 'iptables-multiport', 'known/returntype', 'RETURN']
['set', 'sshd', 'action', 'iptables-multiport', 'returntype', 'RETURN']
['set', 'sshd', 'action', 'iptables-multiport', 'known/lockingopt', '-w']
['set', 'sshd', 'action', 'iptables-multiport', 'lockingopt', '-w']
['set', 'sshd', 'action', 'iptables-multiport', 'known/iptables', 'iptables <lockingopt>']
['set', 'sshd', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
['set', 'sshd', 'action', 'iptables-multiport', 'known/known/chain', 'INPUT']
['set', 'sshd', 'action', 'iptables-multiport', 'known/known/name', 'default']
['set', 'sshd', 'action', 'iptables-multiport', 'known/known/port', 'ssh']
['set', 'sshd', 'action', 'iptables-multiport', 'known/known/protocol', 'tcp']
['set', 'sshd', 'action', 'iptables-multiport', 'known/known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd', 'action', 'iptables-multiport', 'known/known/returntype', 'RETURN']
['set', 'sshd', 'action', 'iptables-multiport', 'known/known/lockingopt', '-w']
['set', 'sshd', 'action', 'iptables-multiport', 'known/known/iptables', 'iptables <lockingopt>']
['add', 'apache-badbots', 'auto']
['set', 'apache-badbots', 'addlogpath', '/var/log/apache2/access.log', 'head']
['set', 'apache-badbots', 'logencoding', 'auto']
['set', 'apache-badbots', 'maxretry', 1]
['set', 'apache-badbots', 'findtime', 600]
['set', 'apache-badbots', 'bantime', 172800]
['set', 'apache-badbots', 'usedns', 'warn']
['set', 'apache-badbots', 'ignorecommand', ]
['set', 'apache-badbots', 'addignoreip', '127.0.0.1/8']
['set', 'apache-badbots', 'addfailregex', '^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:Atomic_Email_Hunter/4\\.0|atSpider/1\\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\\.6|ContactBot/0\\.2|ContentSmartz|DataCha0s/2\\.0|DBrowse 1\\.4b|DBrowse 1\\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\\.0\\.x|ISC Systems iRc Search 2\\.1|IUPUI Research Bot v 1\\.9a|LARBIN-EXPERIMENTAL \\(efp@gmx\\.net\\)|LetsCrawl\\.com/1\\.0 \\+http\\://letscrawl\\.com/|Lincoln State Web Browser|LMQueueBot/0\\.2|LWP\\:\\:Simple/5\\.803|Mac Finder 1\\.0\\.xx|MFC Foundation Class Library 4\\.0|Microsoft URL Control - 6\\.00\\.8xxx|Missauga Locate 1\\.0\\.0|Missigua Locator 1\\.9|Missouri College Browse|Mizzu Labs 2\\.2|Mo College 1\\.9|MVAClient|Mozilla/2\\.0 \\(compatible; NEWT ActiveX; Win32\\)|Mozilla/3\\.0 \\(compatible; Indy Library\\)|Mozilla/3\\.0 \\(compatible; scan4mail \\(advanced version\\) http\\://www\\.peterspages\\.net/?scan4mail\\)|Mozilla/4\\.0 \\(compatible; Advanced Email Extractor v2\\.xx\\)|Mozilla/4\\.0 \\(compatible; Iplexx Spider/1\\.0 http\\://www\\.iplexx\\.at\\)|Mozilla/4\\.0 \\(compatible; MSIE 5\\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\\.0 efp@gmx\\.net|Mozilla/5\\.0 \\(Version\\: xxxx Type\\:xx\\)|NameOfAgent \\(CMS Spider\\)|NASA Search 1\\.0|Nsauditor/1\\.x|PBrowse 1\\.4b|PEval 1\\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\\.0\\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\\.com|ShablastBot 1\\.0|snap\\.com beta crawler v0|Snapbot/1\\.0|Snapbot/1\\.0 \\(Snap Shots, \\+http\\://www\\.snap\\.com\\)|sogou develop spider|Sogou Orion spider/3\\.0\\(\\+http\\://www\\.sogou\\.com/docs/help/webmasters\\.htm#07\\)|sogou spider|Sogou web spider/3\\.0\\(\\+http\\://www\\.sogou\\.com/docs/help/webmasters\\.htm#07\\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\\.2|User-Agent\\: Mozilla/4\\.0 \\(compatible; MSIE 6\\.0; Windows NT 5\\.1\\)|VadixBot|WebVulnCrawl\\.unknown/1\\.0 libwww-perl/5\\.803|Wells Search II|WEP Search 00|EmailCollector|WebEMailExtrac|TrackBack/1\\.02|sogou music spider)"$']
['set', 'apache-badbots', 'addaction', 'iptables-multiport']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-<name>\n<iptables> -A f2b-<name> -j <returntype>\n<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'actionstop', '<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\n<iptables> -F f2b-<name>\n<iptables> -X f2b-<name>']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'actioncheck', "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
['set', 'apache-badbots', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'actionunban', '<iptables> -D f2b-<name> -s <ip> -j <blocktype>']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'name', 'apache-badbots']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'bantime', '172800']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'port', 'http,https']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'protocol', 'tcp']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'chain', 'INPUT']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/name', 'default']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/port', 'ssh']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/returntype', 'RETURN']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'returntype', 'RETURN']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/lockingopt', '-w']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'lockingopt', '-w']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/iptables', 'iptables <lockingopt>']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/known/chain', 'INPUT']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/known/name', 'default']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/known/port', 'ssh']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/known/protocol', 'tcp']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/known/returntype', 'RETURN']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/known/lockingopt', '-w']
['set', 'apache-badbots', 'action', 'iptables-multiport', 'known/known/iptables', 'iptables <lockingopt>']
['add', 'apache-try-url', 'auto']
['set', 'apache-try-url', 'addlogpath', '/var/log/apache2/access.log', 'head']
['set', 'apache-try-url', 'logencoding', 'auto']
['set', 'apache-try-url', 'maxretry', 1]
['set', 'apache-try-url', 'findtime', 600]
['set', 'apache-try-url', 'bantime', 600]
['set', 'apache-try-url', 'usedns', 'warn']
['set', 'apache-try-url', 'ignorecommand', ]
['set', 'apache-try-url', 'addignoreip', '127.0.0.1/8']
['set', 'apache-try-url', 'addfailregex', '^<HOST> -.*"GET /wp-login.php HTTP.*" 404 .*$']
['set', 'apache-try-url', 'addfailregex', '^<HOST> -.*"GET /wp/wp-admin/ HTTP.*" 404 .*$']
['set', 'apache-try-url', 'addfailregex', '^<HOST> -.*"GET /cgi-(bin|sys)/.* HTTP.*" 404 .*$']
['set', 'apache-try-url', 'addaction', 'iptables-multiport']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-<name>\n<iptables> -A f2b-<name> -j <returntype>\n<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'actionstop', '<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\n<iptables> -F f2b-<name>\n<iptables> -X f2b-<name>']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'actioncheck', "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
['set', 'apache-try-url', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'actionunban', '<iptables> -D f2b-<name> -s <ip> -j <blocktype>']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'name', 'apache-try-url']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'bantime', '600']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'port', 'http,https']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'protocol', 'tcp']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'chain', 'INPUT']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'known/name', 'default']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'known/port', 'ssh']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'known/returntype', 'RETURN']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'returntype', 'RETURN']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'known/lockingopt', '-w']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'lockingopt', '-w']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'known/iptables', 'iptables <lockingopt>']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'known/known/chain', 'INPUT']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'known/known/name', 'default']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'known/known/port', 'ssh']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'known/known/protocol', 'tcp']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'known/known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'known/known/returntype', 'RETURN']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'known/known/lockingopt', '-w']
['set', 'apache-try-url', 'action', 'iptables-multiport', 'known/known/iptables', 'iptables <lockingopt>']
['add', 'apache-scan', 'auto']
['set', 'apache-scan', 'addlogpath', '/var/log/apache2/error.log', 'head']
['set', 'apache-scan', 'logencoding', 'auto']
['set', 'apache-scan', 'maxretry', 1]
['set', 'apache-scan', 'findtime', 600]
['set', 'apache-scan', 'bantime', 600]
['set', 'apache-scan', 'usedns', 'warn']
['set', 'apache-scan', 'ignorecommand', ]
['set', 'apache-scan', 'addignoreip', '127.0.0.1/8']
['set', 'apache-scan', 'addfailregex', '[[]client <HOST>[]] (File does not exist|script not found or unable to stat): \\/var\\/www\\/.*(?:admin|db|dbadmin|myadmin|mysql|mysqladmin|typo3|phpadmin|phpMyAdmin|phpmyadmin|phpmyadmin1|phpmyadmin2|pma|web|xampp|php\\-my\\-admin|websql|phpmyadmin|phpMyAdmin\\-2|php\\-my\\-admin|phpMyAdmin\\-2\\.2\\.3|phpMyAdmin\\-2\\.2\\.6|phpMyAdmin\\-2\\.5\\.1|phpMyAdmin\\-2\\.5\\.4|phpMyAdmin\\-2\\.5\\.5\\-rc1|phpMyAdmin\\-2\\.5\\.5\\-rc2|phpMyAdmin\\-2\\.5\\.5|phpMyAdmin\\-2\\.5\\.5\\-pl1|phpMyAdmin\\-2\\.5\\.6\\-rc1|phpMyAdmin\\-2\\.5\\.6\\-rc2|phpMyAdmin\\-2\\.5\\.6|phpMyAdmin\\-2\\.5.7|phpMyAdmin\\-2\\.5\\.7\\-pl1|pp).*']
['set', 'apache-scan', 'addfailregex', "[[]client <HOST>[]] script '\\/var\\/www\\/.*(?:judge.*\\.php|proxyheader\\.php)' not found or unable to stat"]
['set', 'apache-scan', 'addaction', 'iptables-multiport']
['set', 'apache-scan', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-<name>\n<iptables> -A f2b-<name> -j <returntype>\n<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
['set', 'apache-scan', 'action', 'iptables-multiport', 'actionstop', '<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\n<iptables> -F f2b-<name>\n<iptables> -X f2b-<name>']
['set', 'apache-scan', 'action', 'iptables-multiport', 'actioncheck', "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
['set', 'apache-scan', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
['set', 'apache-scan', 'action', 'iptables-multiport', 'actionunban', '<iptables> -D f2b-<name> -s <ip> -j <blocktype>']
['set', 'apache-scan', 'action', 'iptables-multiport', 'name', 'apache-scan']
['set', 'apache-scan', 'action', 'iptables-multiport', 'bantime', '600']
['set', 'apache-scan', 'action', 'iptables-multiport', 'port', 'http,https']
['set', 'apache-scan', 'action', 'iptables-multiport', 'protocol', 'tcp']
['set', 'apache-scan', 'action', 'iptables-multiport', 'chain', 'INPUT']
['set', 'apache-scan', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
['set', 'apache-scan', 'action', 'iptables-multiport', 'known/name', 'default']
['set', 'apache-scan', 'action', 'iptables-multiport', 'known/port', 'ssh']
['set', 'apache-scan', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
['set', 'apache-scan', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'apache-scan', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'apache-scan', 'action', 'iptables-multiport', 'known/returntype', 'RETURN']
['set', 'apache-scan', 'action', 'iptables-multiport', 'returntype', 'RETURN']
['set', 'apache-scan', 'action', 'iptables-multiport', 'known/lockingopt', '-w']
['set', 'apache-scan', 'action', 'iptables-multiport', 'lockingopt', '-w']
['set', 'apache-scan', 'action', 'iptables-multiport', 'known/iptables', 'iptables <lockingopt>']
['set', 'apache-scan', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
['set', 'apache-scan', 'action', 'iptables-multiport', 'known/known/chain', 'INPUT']
['set', 'apache-scan', 'action', 'iptables-multiport', 'known/known/name', 'default']
['set', 'apache-scan', 'action', 'iptables-multiport', 'known/known/port', 'ssh']
['set', 'apache-scan', 'action', 'iptables-multiport', 'known/known/protocol', 'tcp']
['set', 'apache-scan', 'action', 'iptables-multiport', 'known/known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'apache-scan', 'action', 'iptables-multiport', 'known/known/returntype', 'RETURN']
['set', 'apache-scan', 'action', 'iptables-multiport', 'known/known/lockingopt', '-w']
['set', 'apache-scan', 'action', 'iptables-multiport', 'known/known/iptables', 'iptables <lockingopt>']
['add', 'sshd-invalid-user', 'auto']
['set', 'sshd-invalid-user', 'addlogpath', '/var/log/auth.log', 'head']
['set', 'sshd-invalid-user', 'logencoding', 'auto']
['set', 'sshd-invalid-user', 'maxretry', 1]
['set', 'sshd-invalid-user', 'findtime', 600]
['set', 'sshd-invalid-user', 'bantime', 21600]
['set', 'sshd-invalid-user', 'usedns', 'warn']
['set', 'sshd-invalid-user', 'ignorecommand', ]
['set', 'sshd-invalid-user', 'addignoreip', '127.0.0.1/8']
['set', 'sshd-invalid-user', 'maxlines', '10']
['set', 'sshd-invalid-user', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?Failed \\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)']
['set', 'sshd-invalid-user', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$']
['set', 'sshd-invalid-user', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd']
['set', 'sshd-invalid-user', 'addaction', 'iptables-multiport']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'actionstart', '<iptables> -N f2b-<name>\n<iptables> -A f2b-<name> -j <returntype>\n<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'actionstop', '<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>\n<iptables> -F f2b-<name>\n<iptables> -X f2b-<name>']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'actioncheck', "<iptables> -n -L <chain> | grep -q 'f2b-<name>[ \\t]'"]
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'actionunban', '<iptables> -D f2b-<name> -s <ip> -j <blocktype>']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'name', 'sshd-invalid-user']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'bantime', '21600']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'port', 'ssh']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'protocol', 'tcp']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'chain', 'INPUT']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'known/chain', 'INPUT']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'known/name', 'default']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'known/port', 'ssh']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'known/protocol', 'tcp']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'known/returntype', 'RETURN']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'returntype', 'RETURN']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'known/lockingopt', '-w']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'lockingopt', '-w']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'known/iptables', 'iptables <lockingopt>']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'known/known/chain', 'INPUT']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'known/known/name', 'default']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'known/known/port', 'ssh']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'known/known/protocol', 'tcp']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'known/known/blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'known/known/returntype', 'RETURN']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'known/known/lockingopt', '-w']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'known/known/iptables', 'iptables <lockingopt>']
['start', 'sshd']
['start', 'apache-badbots']
['start', 'apache-try-url']
['start', 'apache-scan']
['start', 'sshd-invalid-user']
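As an added example (not code from this page or from the fail2ban project), the script below parses a constructed excerpt of the -d dump above, compiles its addfailregex entries, and replays a few constructed auth.log lines through the sshd and sshd-invalid-user jails to show how maxretry, findtime, ignoreip and the actionban tags combine into the iptables command that is finally run. The expansion used for the <HOST> tag is quoted from memory and is an assumption.

```python
"""Replay constructed auth.log lines through jails parsed from a fail2ban-client -d dump."""
import ast, ipaddress, re
from datetime import datetime

# Constructed excerpt of the -d dump above; the two regexes are the sshd jail's 'Failed ... for' and 'Invalid user' rules.
DUMP = r'''
['add', 'sshd', 'auto']
['set', 'sshd', 'maxretry', 5]
['set', 'sshd', 'findtime', 600]
['set', 'sshd', 'bantime', 3600]
['set', 'sshd', 'addignoreip', '127.0.0.1/8']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?Failed \\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)']
['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$']
['set', 'sshd', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
['set', 'sshd', 'action', 'iptables-multiport', 'name', 'sshd']
['set', 'sshd', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd', 'action', 'iptables-multiport', 'lockingopt', '-w']
['set', 'sshd', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
['add', 'sshd-invalid-user', 'auto']
['set', 'sshd-invalid-user', 'maxretry', 1]
['set', 'sshd-invalid-user', 'findtime', 600]
['set', 'sshd-invalid-user', 'bantime', 21600]
['set', 'sshd-invalid-user', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:error|fatal): (?:PAM: )?)?[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \\d+)?(?: on \\S+(?: port \\d+)?)?\\s*$']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'actionban', '<iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'name', 'sshd-invalid-user']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'blocktype', 'REJECT --reject-with icmp-port-unreachable']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'lockingopt', '-w']
['set', 'sshd-invalid-user', 'action', 'iptables-multiport', 'iptables', 'iptables <lockingopt>']
'''

# Expansion fail2ban 0.9 used for the <HOST> tag (quoted from memory: treat it as an assumption).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
SYSLOG_DATE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed auth.log lines (documentation ranges): 203.0.113.7 trips both jails, 198.51.100.9 never has 5 failures inside findtime, 127.0.0.1 is covered by ignoreip.
SAMPLE_LOG = [
    "Mar 17 19:40:01 srv sshd[21901]: Failed password for root from 198.51.100.9 port 4444 ssh2",
    "Mar 17 19:40:03 srv sshd[21902]: Failed password for root from 198.51.100.9 port 4445 ssh2",
    "Mar 17 19:40:05 srv sshd[21903]: Failed password for root from 198.51.100.9 port 4446 ssh2",
    "Mar 17 19:40:07 srv sshd[21904]: Failed password for root from 198.51.100.9 port 4447 ssh2",
    "Mar 17 19:41:00 srv sshd[21950]: Invalid user admin from 203.0.113.7 port 51234",
    "Mar 17 19:41:02 srv sshd[21950]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar 17 19:41:04 srv sshd[21950]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar 17 19:41:06 srv sshd[21950]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar 17 19:41:08 srv sshd[21950]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar 17 19:46:00 srv sshd[21980]: Failed password for root from 127.0.0.1 port 33000 ssh2",
    "Mar 17 19:55:00 srv sshd[21990]: Failed password for root from 198.51.100.9 port 4448 ssh2",
]

def parse_dump(dump):
    """Turn the list-of-commands dump into {jail: settings}."""
    jails = {}
    for line in dump.strip().splitlines():
        cmd = ast.literal_eval(line)                  # e.g. ['set', 'sshd', 'maxretry', 5]
        if cmd[0] == "add":
            jails[cmd[1]] = {"failregex": [], "ignoreip": [], "tags": {}}
        elif cmd[0] == "set" and cmd[1] in jails:
            jail, key = jails[cmd[1]], cmd[2]
            if key == "addfailregex":                 # <HOST> becomes a named group
                jail["failregex"].append(re.compile(cmd[3].replace("<HOST>", HOST_RE)))
            elif key == "addignoreip":
                jail["ignoreip"].append(ipaddress.ip_network(cmd[3], strict=False))
            elif key == "action":                     # ['set', jail, 'action', name, tag, value]
                jail["tags"][cmd[4]] = cmd[5]
            elif key in ("maxretry", "findtime", "bantime"):
                jail[key] = int(cmd[3])
    return jails

def expand(tags, text, **extra):
    """Resolve <tag> placeholders the way the actionban line is assembled (nested tags included)."""
    values = {**tags, **extra}
    while True:
        new = re.sub(r"<(\w+)>", lambda m: values.get(m.group(1), m.group(0)), text)
        if new == text:
            return new
        text = new

def run_jails(jails, log_lines, year=2018):
    """Return {jail: {host: (ban time, bantime, expanded actionban command)}}."""
    bans = {name: {} for name in jails}
    recent = {name: {} for name in jails}            # jail -> host -> failure times
    for raw in log_lines:
        stamp = SYSLOG_DATE.match(raw)                # every constructed line carries a date
        when = datetime.strptime(stamp.group(1), "%b %d %H:%M:%S").replace(year=year)
        line = raw[stamp.end():]                      # fail2ban strips the date before matching
        for name, jail in jails.items():
            hit = next(filter(None, (r.search(line) for r in jail["failregex"])), None)
            if hit is None:
                continue
            host = hit.group("host")
            if host in bans[name] or any(ipaddress.ip_address(host) in n for n in jail["ignoreip"]):
                continue                              # already banned, or listed in ignoreip
            # keep only the failures inside the findtime window, then add this one
            window = [t for t in recent[name].get(host, []) if (when - t).total_seconds() <= jail["findtime"]]
            window.append(when)
            recent[name][host] = window
            if len(window) >= jail["maxretry"]:
                bans[name][host] = (when, jail["bantime"], expand(jail["tags"], jail["tags"]["actionban"], ip=host))
    return bans
```

Running run_jails(parse_dump(DUMP), SAMPLE_LOG) shows why the page's setup bans a single "Invalid user" probe for 21600 s through sshd-invalid-user while the sshd jail still waits for five failures within 600 s.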