Add DROP ALL at the end, and remove it after or before adding banned IPs!
Posts by josch
I also like to have the allowed ports at the beginning and a DROP all at the end.
For that I now simply have the following config:

```ini
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 661 $
#

[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = firewall alle del

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = firewall alle add

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck =

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionban = firewall <ip> add

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
actionunban = firewall <ip> del
```
And adapted the script like this:

```bash
#!/bin/bash
#
# Script to ban IPs via OpenVCP
#
# This script receives the IP as its first parameter.
#
# The second parameter is "add" to add the IP or "del" to delete it.
#
# Copyright (C) 2008 Michael Geiger - tux1337 - www.geigers-site.de
# Copyright (C) 2009 stachi
#
# This program is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 3 of the License, or (at your
# option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, see <http://www.gnu.org/licenses/>.
#
##########################################################################
#
# Please let me know if you modify something. Maybe I can include it -
# and you can help to make the script better. Contact me with this form:
# http://contact.geigers-site.de - Thank you!
# Please give feedback over this form, too.
#
##########################################################################
#

# wait until all other actions (other instances of this script) have finished
while [ -e /tmp/ovcp/openvcpcookie.txt ]; do
    sleep 5
done

### init section
# openvcp login
user="Benutzername"
password="Passwort"
servername="vxxxxxxxx"
#### init end

# DO NOT CHANGE ANYTHING UNDER THIS LINE!
##############################################

# parameters
direction="INPUT"
protokoll="tcp"
sourceip="$1"
sourceport="any"
destinationip="any"
destinationport="any"
policy="DROP"
match="STATE"
new="NEW"
established="ESTABLISHED"
related="RELATED"
addrule="Regel hinzufügen"
delrule="submit changes"

# tmp directory (cookie)
mkdir -p /tmp/ovcp
chmod 700 /tmp/ovcp
cd /tmp/ovcp || exit 1

# login
# note: credentials given with -d are visible in the process list while curl runs
curl -b openvcpcookie.txt -c openvcpcookie.txt -d "loginname=$user&password=$password" --url https://www.vservercontrolpanel.de/index.php/auth/submit

if [ "$2" = add ]
then
    # define and set the DROP rule for tcp, udp and icmp
    for protokoll in tcp udp icmp; do
        curl -b openvcpcookie.txt -d "proto=$protokoll&srcip=$sourceip&srcport=$sourceport&destip=$destinationip&destport=$destinationport&target=$policy&match=$match&match_value[NEW]=$new&match_value[ESTABLISHED]=$established&match_value[RELATED]=$related&direction=$direction&add_rule=$addrule" --url https://www.vservercontrolpanel.de/index.php/user/firewall/$servername/submit
    done
elif [ "$2" = del ]
then
    # delete rules: fetch the firewall page, extract the rule IDs and submit each one
    curl -b openvcpcookie.txt -o openvcpfirewall.txt --url https://www.vservercontrolpanel.de/index.php/user/firewall/$servername
    if [ "$1" = alle ]
    then
        grep -C "1" -e "alle" openvcpfirewall.txt | grep -o -e "alle</td><td [^>]*>DROP</td><td [^>]*>STATE</td><td [^>]*>NEW,ESTABLISHED,RELATED</td><td [^>]*><input [^>]*rule\[[[:digit:]]*\]" | grep -o -e "[[:digit:]]*" | while read; do
            ID="$REPLY"
            curl -b openvcpcookie.txt -d "rule[$ID]=$ID&submit=$delrule" --url https://www.vservercontrolpanel.de/index.php/user/firewall/$servername/submit
        done
    else
        # -F: match the IP literally so its dots do not act as regex wildcards
        grep -F -C "1" -e "$1" openvcpfirewall.txt | grep -o -e "rule\[[[:digit:]]*\]" | grep -o -e "[[:digit:]]*" | while read; do
            ID="$REPLY"
            curl -b openvcpcookie.txt -d "rule[$ID]=$ID&submit=$delrule" --url https://www.vservercontrolpanel.de/index.php/user/firewall/$servername/submit
        done
    fi
fi

# logout
curl -b openvcpcookie.txt --url https://www.vservercontrolpanel.de/index.php/user/logout
rm -R /tmp/ovcp
```
Ugly, but it seems to work as desired!
WARNING: If you adopt this without the necessary allow rules (especially SSH), you may no longer be able to reach the server! In that case, just remove it in the web interface!
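An added argument check (my own example, not part of josch's post or the script above): the script splices fail2ban's `<ip>` argument straight into curl POST data and into a grep pattern, so validating `$1` and `$2` before doing anything keeps a malformed argument from adding extra form fields and keeps the IP's dots from matching arbitrary characters in the `del` branch. The keyword `alle` is accepted because the action file uses it for the DROP-all rule; everything else in the block is assumed.

```shell
#!/bin/bash
# Added example: validate the two arguments fail2ban hands to the ban
# script ($1 = <ip>, $2 = add|del) before they reach curl or grep.

# Returns 0 for a dotted-quad IPv4 address (each octet 0-255) or for the
# literal keyword "alle" that actionstart/actionstop pass for the DROP-all rule.
valid_target() {
    local ip="$1" octet
    [ "$ip" = "alle" ] && return 0
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and dots only, no empty octet
    esac
    local IFS=.
    set -- $ip                              # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Returns 0 only for the two operations the fail2ban action file uses.
valid_action() {
    case "$1" in
        add|del) return 0 ;;
        *)       return 1 ;;
    esac
}

# Escape the dots of a validated IP so a basic-regex grep (as used in the
# script's "del" branch) matches them literally.
ip_regex() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# Intended use at the top of the ban script (assumption, not in the original):
#   valid_target "$1" && valid_action "$2" || { echo "bad arguments" >&2; exit 2; }
```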