From source

.gitignore

@@ -0,0 +1,4 @@
+trigger-build.sh
+run.sh
+vars
+tests/

Dockerfile

@@ -1,19 +1,31 @@
-FROM neomediatech/ubuntu-base:latest
+FROM neomediatech/ubuntu-base:20.04
 
-ENV VERSION=0.10.2-2 \
-    SERVICE=fail2ban
+ENV VERSION=0.11.2 \
+    SERVICE=fail2ban \
+    FAIL2BAN_VERSION=0.11.2
 
 LABEL maintainer="docker-dario@neomediatech.it" \ 
       org.label-schema.version=$VERSION \
       org.label-schema.vcs-type=Git \
       org.label-schema.vcs-url=https://github.com/Neomediatech/${SERVICE} \
       org.label-schema.maintainer=Neomediatech
 
-RUN apt update && apt-get -y dist-upgrade && \
-    apt-get install -y --no-install-recommends fail2ban ipset iptables ssmtp redis-tools curl whois && \
+RUN apt-get update && apt-get -y dist-upgrade && \
+    apt-get install -y --no-install-recommends --no-install-suggests ca-certificates python3 python3-setuptools \
+    python3-pycurl wget ipset iptables ssmtp redis-tools curl whois && \
     rm -rf /var/lib/apt/lists* && \
     rm -rf /etc/fail2ban/jail.d && \
-    mkdir -p /var/run/fail2ban
+    mkdir -p /var/run/fail2ban && \
+    cd /tmp && \
+    wget https://github.com/fail2ban/fail2ban/archive/${FAIL2BAN_VERSION}.tar.gz -O fail2ban-${FAIL2BAN_VERSION}.tar.gz && \
+    tar xvzf fail2ban-${FAIL2BAN_VERSION}.tar.gz && \
+    cd fail2ban-${FAIL2BAN_VERSION} && \
+    python3 setup.py install && \
+    cd / && \
+    mkdir -p /usr/local/etc/fail2ban && \
+    cp -rp /etc/fail2ban /usr/local/etc && \
+    rm -rfv /tmp/*
+
 
 COPY entrypoint.sh /entrypoint.sh
 

Dockerfile.22.04

@@ -0,0 +1,38 @@
+FROM neomediatech/ubuntu-base:22.04
+
+ENV SERVICE=fail2ban \
+    APP_VERSION=1.0.1
+
+LABEL maintainer="docker-dario@neomediatech.it" \ 
+      org.label-schema.version=$APP_VERSION \
+      org.label-schema.vcs-type=Git \
+      org.label-schema.vcs-url=https://github.com/Neomediatech/${SERVICE} \
+      org.label-schema.maintainer=Neomediatech
+
+RUN apt-get update && apt-get -y dist-upgrade && \
+    apt-get install -y --no-install-recommends --no-install-suggests \
+                    libexpat1 libmpdec3 libpython3-stdlib libpython3.10-minimal libpython3.10-stdlib \
+                    libreadline8 libsqlite3-0 media-types python3 python3-minimal python3.10 python3.10-minimal \
+                    readline-common wget ipset iptables ssmtp redis-tools curl whois ca-certificates && \
+    rm -rf /var/lib/apt/lists* && \
+    rm -rf /etc/fail2ban/jail.d && \
+    mkdir -p /var/run/fail2ban && \
+    cd /tmp && \
+    wget https://github.com/fail2ban/fail2ban/releases/download/1.0.1/fail2ban_${APP_VERSION}-1.upstream1_all.deb && \
+    dpkg -i fail2ban_${APP_VERSION}-1.upstream1_all.deb && \
+    cd / && \
+    #mkdir -p /usr/local/etc/fail2ban && \
+    #cp -rp /etc/fail2ban /usr/local/etc && \
+    rm -rfv /tmp/*
+
+
+COPY entrypoint.sh /entrypoint.sh
+
+RUN chmod a+x /entrypoint.sh
+
+VOLUME [ "/data" ]
+
+ENTRYPOINT [ "/tini", "--", "/entrypoint.sh" ]
+CMD [ "fail2ban-server", "-f", "-x", "-v", "start" ]
+
+HEALTHCHECK --interval=30s --timeout=5s CMD fail2ban-client ping

README.md

@@ -25,10 +25,10 @@ Clone this repo if you want to use configs already set by me.
 ```
 BASE_DIR="/srv/data/docker/containers/fail2ban/"
 NAME="fail2ban"
-docker run -d --privileged --net=host --name $NAME --hostname $NAME -v $BASED_DIR/confs:/data neomediatech/$NAME
+docker run -d --privileged --net=host --name $NAME --hostname $NAME -v $BASE_DIR/confs:/data neomediatech/$NAME
 ```
 Add a bind mount where to point your logs that f2b need to monitor for ex:
-`-v $BASED_DIR/logs:/var/log`
+`-v $BASE_DIR/logs:/var/log`
 
 ## Warning
 Portainer doesn't understand `env_file` parameter (at least for now, 27 feb 2019).

confs/action.d/manual-blacklist.local

@@ -0,0 +1,48 @@
+# Fail2Ban configuration file
+#
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+[Definition]
+
+actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt> maxelem 4294967295
+              <iptables> -I <chain> -m set --match-set <ipmset> src -j <blocktype>
+
+actionflush = ipset flush <ipmset>
+
+actionstop = <iptables> -D <chain> -m set --match-set <ipmset> src -j <blocktype>
+             <actionflush>
+             ipset destroy <ipmset>
+
+actionban = ipset add <ipmset> <ip><F-MASK> timeout <ipsettime> -exist
+
+# actionprolong = %(actionban)s
+
+actionunban = ipset del <ipmset> <ip><F-MASK> -exist
+
+[Init]
+
+# Option: default-ipsettime
+# Notes:  specifies default timeout in seconds (handled default ipset timeout only)
+# Values:  [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
+default-ipsettime = 0
+
+# Option: ipsettime
+# Notes:  specifies ticket timeout (handled ipset timeout only)
+# Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
+ipsettime = 0
+
+# expresion to caclulate timeout from bantime, example:
+# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
+timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
+
+ipmset = f2b-<name>
+familyopt =
+
+
+[Init?family=inet6]
+
+ipmset = f2b-<name>6
+familyopt = family inet6

confs/filter.d/manual-blacklist.conf

@@ -0,0 +1,21 @@
+# Fail2Ban filter for manual blacklisting IP addresses
+#
+# Write every IP addresses or networks in CIDR format you want in a file,
+# one per line, then point this filter to that file.
+#
+
+[INCLUDES]
+
+before = 
+
+[Definition]
+
+failregex = <HOST><F-MASK>\/(.*)</F-MASK>
+	    <HOST>$
+
+ignoreregex = 
+
+[Init]
+
+# var = val
+

confs/jail.d/10-defaults.conf

@@ -4,7 +4,7 @@ nodename = honey-node
 abusemsg = brute force auth on honeypot
 
 #
-ignoreip = 127.0.0.1/8
+ignoreip = 127.0.0.0/8
 
 bantime  = 7200
 findtime = 3600

confs/jail.d/neo.conf → confs/jail.d/honeypot.conf

@@ -2,29 +2,29 @@
 enabled  = true
 port     = 25,465,587,143,993,110,995
 filter   = exim-auth
-logpath  = /var/log/mainlog
+logpath  = /var/log/honeypot/exim4/mainlog
 findtime = 7200
 bantime  = 86400
 maxretry = 2
 action   = iptables-ipset-proto6-allports[name=%(__name__)s, port="%(port)s", protocol="tcp", chain="%(chain)s", bantime=%(bantime)s]
-           redis[ttl="%(bantime)s", msg="From:%(nodename)s-%(__name__)s (SMTP auth)", key="bad:deny:%(__name__)s:%(nodename)s:0"]
+           ipblock[port="%(port)s",msg="Trying SMTP Auth on honeypot (%(nodename)s)", bantime=%(bantime)s, db=auth]
 
 [exim-bad-sender]
 enabled  = true
 port     = smtp,ssmtp,587
 filter   = exim-bad-sender-neo
-logpath  = /var/log/mainlog
+logpath  = /var/log/honeypot/exim4/mainlog
 findtime = 3600
 bantime  = 3600
 maxretry = 1
 action   = iptables-ipset-proto6-allports[name=%(__name__)s, port="%(port)s", protocol="tcp", chain="%(chain)s", bantime=%(bantime)s]
-           redis[ttl="%(bantime)s", msg="From:%(nodename)s-%(__name__)s", key="bad:deny:%(__name__)s:%(nodename)s:0"]
+           ipblock[category="smtp-bad-sender",port="%(port)s",msg="BAD senders. From (%(nodename)s)",bantime="%(bantime)s",db=neo]
 
 [exim-defer]
 enabled  = true
 port     = smtp,ssmtp,587
 filter   = exim-defer-neo
-logpath  = /var/log/mainlog
+logpath  = /var/log/honeypot/exim4/mainlog
 findtime = 3600
 bantime  = 3600
 maxretry = 1
@@ -37,115 +37,129 @@ bantime  = 3600
 findtime = 3600
 maxretry = 3
 filter   = exim-redis-neo
-logpath  = /var/log/mainlog
+logpath  = /var/log/honeypot/exim4/mainlog
 action   = iptables-ipset-proto6-allports[name=%(__name__)s, port="%(port)s", protocol="tcp", chain="%(chain)s", bantime=%(bantime)s]
 
 [mail-cbl]
 enabled  = true
 port     = 25,465,587
 filter   = exim-cbl
-logpath  = /var/log/mainlog
+logpath  = /var/log/honeypot/exim4/mainlog
 bantime  = 7200
 findtime = 3600
 maxretry = 1
 action   = iptables-ipset-proto6-allports[name=%(__name__)s, port="%(port)s", protocol="tcp", chain="%(chain)s", bantime=%(bantime)s]
-           redis[ttl="%(bantime)s", msg="REJECTED - see https://www.abuseat.org/lookup.cgi for details ", key="bad:deny:cbl:%(nodename)s:1"]
+           ipblock[category="cbl",port="%(port)s",msg=" Access on SMTP ports, found on CBL.abuseat (%(nodename)s)", bantime=%(bantime)s, db=cbl]
 
 [dovecot]
 enabled = true
 port    = 110,143,993,995
 filter  = dovecot
-logpath = /var/log/dovecot.log
+logpath = /var/log/honeypot/dovecot.log
 bantime = 3600
+maxretry = 1
 action  = iptables-ipset-proto6-allports[name=%(__name__)s, port="%(port)s", protocol="tcp", chain="%(chain)s", bantime=%(bantime)s]
-          redis[ttl="%(bantime)s", msg="From:%(nodename)s-%(__name__)s (IMAP/POP auth)", key="bad:deny:%(__name__)s-auth:%(nodename)s:0"]
           abuseipdb[category="18",port="pop,imap,pops,imaps",msg=" POP/IMAP %(abusemsg)s server (%(nodename)s)"]
+          ipblock[port="%(port)s",msg=" POP/IMAP %(abusemsg)s server (%(nodename)s)", bantime=%(bantime)s, db=auth]
 
 [mysqld]
 enabled  = true
-port     = 3306
+port     = 7200
 #filter   = mysql-auth-neo
 #logpath  = /var/log/mysql.log
-logpath  = /var/log/opencanary.log
+logpath  = /var/log/honeypot/opencanary.log
 filter   = opencanary-neo[port="%(port)s"]
 findtime = 3600
 bantime  = 14400
 maxretry = 2
 action   = iptables-ipset-proto6-allports[name=%(__name__)s, port="%(port)s", protocol="tcp", chain="%(chain)s", bantime=%(bantime)s]
-           redis[ttl="%(bantime)s", msg="From:%(nodename)s-%(__name__)s (SQL auth)", key="bad:deny:%(__name__)s-auth:%(nodename)s:0"]
            abuseipdb[category="18",port="%(port)s",msg=" SQL %(abusemsg)s MySQL/MariaDB server (%(nodename)s)"]
+           ipblock[port="%(port)s",msg=" SQL %(abusemsg)s MySQL/MariaDB server (%(nodename)s)", bantime=%(bantime)s, db=auth]
 
 [ssh]
 enabled  = true
 port     = 22
 #filter   = sshd
 #logpath  = /var/log/messages
-logpath  = /var/log/opencanary.log
+logpath  = /var/log/honeypot/opencanary.log
 filter   = opencanary-neo[port="%(port)s",find=".*PASSWORD"]
-bantime  = 3600
-maxretry = 3
+bantime  = 7200
+maxretry = 2
 action   = iptables-ipset-proto6-allports[name=%(__name__)s, port="%(port)s", protocol="tcp", chain="%(chain)s", bantime=%(bantime)s]
-           redis[ttl="%(bantime)s", msg="From:%(nodename)s-%(__name__)s (SSH auth)", key="bad:deny:%(__name__)s-auth:%(nodename)s:0"]
            abuseipdb[category="18,22",port="ssh",msg=" SSH %(abusemsg)s server (%(nodename)s)"]
+           ipblock[port="%(port)s",msg=" SSH %(abusemsg)s server (%(nodename)s)", bantime=%(bantime)s, db=auth]
 
 [telnet]
 enabled  = true
 port     = 23
 #logpath  = /var/log/telnet.log
-logpath  = /var/log/opencanary.log
+logpath  = /var/log/honeypot/opencanary.log
 #filter   = telnet-neo
 filter   = opencanary-neo[port="%(port)s"]
 bantime  = 28800
 findtime = 3600
 maxretry = 2
 action   = iptables-ipset-proto6-allports[name=%(__name__)s, port="%(port)s", protocol="tcp", chain="%(chain)s", bantime=%(bantime)s]
-           redis[ttl="%(bantime)s", msg="From:%(nodename)s-%(__name__)s (TELNET auth)", key="bad:deny:%(__name__)s-auth:%(nodename)s:0"]
            abuseipdb[category="18",port="telnet",msg=" Telnet %(abusemsg)s server (%(nodename)s)"]
+           ipblock[port="%(port)s",msg="Telnet %(abusemsg)s server (%(nodename)s)", bantime=%(bantime)s, db=auth]
 
 [mssql]
 enabled  = true
 port     = 1433
-logpath  = /var/log/opencanary.log
+logpath  = /var/log/honeypot/opencanary.log
 filter   = opencanary-neo[port="%(port)s"]
 bantime  = 360000
 findtime = 3600
 maxretry = 3
 action   = iptables-ipset-proto6-allports[name=%(__name__)s, port="%(port)s", protocol="tcp", chain="%(chain)s", bantime=%(bantime)s]
-           redis[ttl="%(bantime)s", msg="From:%(nodename)s-%(__name__)s (MSSQL auth)", key="bad:deny:%(__name__)s-auth:%(nodename)s:0"]
            abuseipdb[category="18",port="%(port)s",msg=" MSSQL %(abusemsg)s server (%(nodename)s)"]
+           ipblock[port="%(port)s",msg="MSSQL %(abusemsg)s server (%(nodename)s)", bantime=%(bantime)s, db=auth]
 
 [vnc]
 enabled  = true
 port     = 5900
-logpath  = /var/log/opencanary.log
+logpath  = /var/log/honeypot/opencanary.log
 filter   = opencanary-neo[port="%(port)s"]
 bantime  = 360000
-findtime = 3600
-maxretry = 3
+findtime = 14400
+maxretry = 2
 action   = iptables-ipset-proto6-allports[name=%(__name__)s, port="%(port)s", protocol="tcp", chain="%(chain)s", bantime=%(bantime)s]
-           redis[ttl="%(bantime)s", msg="From:%(nodename)s-%(__name__)s (VNC auth)", key="bad:deny:%(__name__)s-auth:%(nodename)s:0"]
            abuseipdb[category="18",port="%(port)s",msg=" VNC %(abusemsg)s server (%(nodename)s)"]
+           ipblock[port="%(port)s",msg="VNC %(abusemsg)s server (%(nodename)s)", bantime=%(bantime)s, db=auth]
 
 [redis]
 enabled  = true
 port     = 6379
-logpath  = /var/log/opencanary.log
+logpath  = /var/log/honeypot/opencanary.log
 filter   = opencanary-neo[port="%(port)s"]
 bantime  = 360000
 findtime = 3600
 maxretry = 3
 action   = iptables-ipset-proto6-allports[name=%(__name__)s, port="%(port)s", protocol="tcp", chain="%(chain)s", bantime=%(bantime)s]
-           redis[ttl="%(bantime)s", msg="From:%(nodename)s-%(__name__)s (REDIS auth)", key="bad:deny:%(__name__)s-auth:%(nodename)s:0"]
            abuseipdb[category="18",port="%(port)s",msg=" REDIS %(abusemsg)s server (%(nodename)s)"]
+           ipblock[port="%(port)s",msg="REDIS %(abusemsg)s server (%(nodename)s)", bantime=%(bantime)s, db=neo]
+
+#################
+# il filtro "find" non sta funzionando, non so come mai
+##################
+[rdp-mstshash]
+enabled  = true
+port     = random
+logpath  = /var/log/honeypot/opencanary.log
+filter   = opencanary-neo[port="%(port)s",find=".*mstshash.*FUNCTION.*DATA_RECEIVED.*"]
+bantime  = 7200
+maxretry = 2
+action   = iptables-ipset-proto6-allports[name=%(__name__)s, port="%(port)s", protocol="tcp", chain="%(chain)s", bantime=%(bantime)s]
+           ipblock[port="%(port)s",msg="RDP abuse with mstshash pattern %(abusemsg)s server (%(nodename)s)", bantime=%(bantime)s, db=neo]
 
 [dnsbl]
 enabled  = yes
 maxretry = 1
 findtime = 1200
 bantime  = 3600
 filter   = dnsbl-neo
-logpath  = /dnsbl-log/dnsbl-for-fail2ban.log
+logpath  = /var/log/honeypot/dnsbl-ipset/dnsbl-for-fail2ban.log
 action   = iptables-ipset-proto6-allports[name=%(__name__)s, port="%(port)s", protocol="tcp", chain="%(chain)s", bantime=%(bantime)s]
-           redis[ttl="%(bantime)s", msg="From:%(nodename)s-%(__name__)s", key="bad:deny:%(__name__)s:%(nodename)s:0"]
-
+           ipblock[category="dnsbl_ipset",port="to be done",msg=" From (%(nodename)s) with dnsbl_ipset",bantime="%(bantime)s",db=dnsbl_ipset]
+	   dnsbl-ipset
 

confs/jail.d/manual-blacklist.conf

@@ -0,0 +1,9 @@
+[manual-blacklisted]
+enabled = true
+maxretry = 1
+action = manual-blacklist
+filter = manual-blacklist
+logpath = /var/log/honeypot/manual-blacklisted-ip.log
+bantime  = -1
+findtime = 86400
+