File Content: mynetwatchman.conf # Fail2Ban configuration file # # Author: Russell Odom <russ@gloomytrousers.co.uk> # Submits attack reports to myNetWatchman (http://www.mynetwatchman.com/) # # You MUST configure at least: # <port> (the port that's being attacked - use number not name). # <mnwlogin> (your mNW login). # <mnwpass> (your mNW password). # # You SHOULD also provide: # <myip> (your public IP address, if it's not the address of eth0) # <protocol> (the protocol in use - defaults to tcp) # # Best practice is to provide <port> and <protocol> in jail.conf like this: # action = mynetwatchman[port=1234,protocol=udp] # # ...and create "mynetwatchman.local" with contents something like this: # [Init] # mnwlogin = me@example.com # mnwpass = SECRET # myip = 10.0.0.1 # # Another useful configuration value is <getcmd>, if you don't have wget # installed (an example config for curl is given below) # [Definition] # Option: actionstart # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = # Option: actionstop # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # # # Note: We are currently using <time> for the timestamp because no tag is # available to indicate the timestamp of the log message(s) which triggered the # ban. Therefore the timestamps we are using in the report, whilst often only a # few seconds out, are incorrect. See # http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047 # actionban = MNWLOGIN=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwlogin>'` MNWPASS=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwpass>'` PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols` if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi DATETIME=`perl -e '@t=gmtime(<time>);printf "%%4d-%%02d-%%02d+%%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'` <getcmd> "<mnwurl>?AT=2&AV=0&AgentEmail=$MNWLOGIN&AgentPassword=$MNWPASS&AttackerIP=<ip>&SrcPort=<srcport>&ProtocolID=$PROTOCOL&DestPort=<port>&AttackCount=<failures>&VictimIP=<myip>&AttackDateTime=$DATETIME" 2>&1 >> <tmpfile>.out && grep -q 'Attack Report Insert Successful' <tmpfile>.out && rm -f <tmpfile>.out # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = [Init] # Option: port # Notes.: The target port for the attack (numerical). MUST be provided in # the jail config, as it cannot be detected here. # Values: [ NUM ] Default: ??? # port = 0 # Option: mnwlogin # Notes.: Your mNW login e-mail address. MUST be provided either in the jail # config or in a .local file. # Register at http://www.mynetwatchman.com/reg.asp # Values: [ STRING ] Default: (empty) # mnwlogin = # Option: mnwpass # Notes.: The password corresponding to your mNW login e-mail address. MUST be # provided either in the jail config or in a .local file. # Values: [ STRING ] Default: (empty) # mnwpass = # Option: myip # Notes.: The target IP for the attack (your public IP). Should be overridden # either in the jail config or in a .local file unless your PUBLIC IP # is the first IP assigned to eth0 # Values: [ an IP address ] Default: Tries to find the IP address of eth0, # which in most cases will be a private IP, and therefore incorrect # myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'` # Option: protocol # Notes.: The protocol over which the attack is happening # Values: [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp # protocol = tcp # Option: agent # Default: Fail2ban agent = Fail2ban # Option: getcmd # Notes.: A command to fetch a URL. Should output page to STDOUT # Values: CMD Default: wget # getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 --read-timeout=60 --retry-connrefused --output-document=- --user-agent=<agent> # Alternative value: # getcmd = curl --silent --show-error --retry 3 --connect-timeout 10 --max-time 60 --user-agent <agent> # Option: srcport # Notes.: The source port of the attack. You're unlikely to have this info, so # you can leave the default # Values: [ NUM ] Default: 0 # srcport = 0 # Option: mnwurl # Notes.: The report service URL on the mNW site # Values: STRING Default: http://mynetwatchman.com/insertwebreport.asp # mnwurl = http://mynetwatchman.com/insertwebreport.asp # Option: tmpfile # Notes.: Base name of temporary files # Values: [ STRING ] Default: /var/run/fail2ban/tmp-mynetwatchman # tmpfile = /var/run/fail2ban/tmp-mynetwatchman Submit