#! /bin/bash
##-l:	Licence
##-l:	-------
##-l:	#=================================================================
##-l:	# This program is Free Software; you can redistribute it and/or
##-l:	# modify it under the terms of the GNU General Public License
##-l:	# as published by the Free Software Foundation; either version 2
##-l:	# of the License, or (at your option) any later version.
##-l:	#
##-l:	# This program is distributed in the hope that it will be useful,
##-l:	# but WITHOUT ANY WARRANTY; without even the implied warranty of
##-l:	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
##-l:	# GNU General Public License for more details.
##-l:	#
##-l:	# You should have received a copy of the GNU General Public License
##-l:	# along with this program; if not, write to the Free Software
##-l:	# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
##-l:	#
##-l:	#=================================================================
##-l:	# 2022 - Copyright SISalp www.sisalp.fr
##-l:	# par dominique.chabord@sisalp.org

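Version="0.3 26-feb-2024"
DownloadSource="http://download.sisalp.net/scripts/fail2ban-config"
# quoted and $(...) so a script path containing spaces still resolves
MyName=$(basename -- "$0")
MyUser=$(whoami)
# first word is the sub-command; the rest stays in "$@" for that sub-command
Option="$1"
if [ -z "$Option" ] ; then Option="--help" ; fi
if [ "$#" -gt 0 ] ; then shift ; fi
# default name of the administrative account created by --access-user
SISALP_USER="sisalpuser"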
#-------------------------------------------------------------------------
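NEW_PASSWORD ()
#-------------------------------------------------------------------------
{
	# Generate a password and print it on stdout.
	# Arguments: optional group lengths ("7 3 5 9" when none is given); one group
	#            of that many characters is produced per count, groups joined by "_".
	#            When /usr/local/bin/PW exists the arguments are handed to it instead.
	# Globals:   NEW_PWD is left holding the result.
	local pw_nb_digits nb_digit pw_digit pw_range pw_limit pw_rand pw_index
	if [ -f /usr/local/bin/PW ] ; then
		NEW_PWD=$(/usr/local/bin/PW "$@")
	else
		if [ -z "$1" ] ; then
			pw_nb_digits="7 3 5 9"
		else
			pw_nb_digits="$*"
		fi
		# l and O are left out to avoid confusion with 1 and 0; the digits are listed
		# twice on purpose so a digit is drawn about twice as often as a single letter
		local pw_letters=(a b c d e f g h i j k m n o p q r s t u v w x y z A B C D E F G H I J K L M N P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0)
		pw_range=${#pw_letters[@]}
		# largest 16-bit draw (exclusive) that keeps every index equiprobable
		pw_limit=$(( 65536 - 65536 % pw_range ))
		NEW_PWD=""
		for nb_digit in $pw_nb_digits ; do
			# ignore anything that is not a plain count rather than emit a dangling "_"
			case "$nb_digit" in *[!0-9]*) continue ;; esac
			if [ -n "$NEW_PWD" ] ; then NEW_PWD="${NEW_PWD}_" ; fi
			for (( pw_digit = 1 ; pw_digit <= nb_digit ; pw_digit++ )) ; do
				# take 16 bits from /dev/urandom: $RANDOM is a 15-bit shell PRNG seeded
				# from the pid and the clock and is not suitable for secrets; draws in
				# the biased tail are rejected so the modulo below stays uniform
				while : ; do
					pw_rand=$(od -An -N2 -tu2 /dev/urandom 2>/dev/null | tr -d ' ')
					if [ -z "$pw_rand" ] ; then
						# /dev/urandom unreadable: fall back to the shell generator (always < pw_limit)
						pw_rand=$RANDOM
					fi
					[ "$pw_rand" -lt "$pw_limit" ] && break
				done
				pw_index=$(( pw_rand % pw_range ))
				NEW_PWD="${NEW_PWD}${pw_letters[pw_index]}"
			done
		done
	fi
	echo "$NEW_PWD"
}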
#-------------------------------------------------------------------------

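# Options that do not need root: answered here and the script exits.
case "$Option" in
-h|help|--help)
	
	echo "
Usage:
------
$MyName -h|help|--help		print this help and exit
$MyName -v|version|--version	print version and exit
$MyName -l|license|--license	print license and exit
$MyName -u|update|--update	update this script
$MyName -c|config|--config	show configuration
$MyName -d|details|--details	show jail status
$MyName	-f|free|--free	[IP]	open jails and free all IPs or this particular IP
$MyName -i|install|--install	install fail2ban
$MyName -s|set|--set		set configuration of fail2ban
$MyName -r|reset|--reset	reset configuration of fail2ban to default
$MyName	-a|access-user|--access-user [user_name] create a mighty user for non-root connection, $SISALP_USER is default
$MyName	-nr|no-root|--no-root				forbid root connection
$MyName	-np|no-root-password|--no-root-password		forbid root password connection

jail setup is configured in /usr/local/etc/fail2ban-config
"
	exit 0
	;;
-v|version|--version)
	echo "$MyName Version :	$Version"
	exit 0
	;;
-l|license|--license)
	# the licence is embedded in this file as "##-l:" comment lines
	grep "^##-l:" -- "$0" | cut -d: -f2-
	exit 0
	;;
esac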
#All other options require root
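case "$MyUser" in
root)
	;;
*)
	echo "$0 update: You must get administration priviledges root to succeed, trying sudo"
	# re-run this exact invocation under sudo, each argument kept as one word,
	# and report sudo's status instead of a blanket success
	sudo -- "$0" "$Option" "$@"
	exit $?
	;;
esac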

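case "$Option" in
-u|update|--update)
	# Self-update: fetch DownloadSource into a temporary file next to the
	# installed script and swap it in only once the download succeeded, so
	# the script is never missing from its directory during the update.
	# NOTE(review): the replacement is fetched over plain HTTP with no checksum
	# or signature check and is then executed as root; the transport gives no
	# integrity guarantee, so confirm the publisher offers a verifiable channel.
	OldVersion=$("$0" --version)
	ScriptDir=$(cd "$(dirname -- "$0")" && pwd) || exit 1
	ScriptPath="$ScriptDir/$MyName"
	NewFile=$(mktemp "$ScriptDir/.$MyName.XXXXXX") || exit 1
	if wget -q -O "$NewFile" "$DownloadSource" ; then
		chmod 755 "$NewFile"
		diff "$ScriptPath" "$NewFile"
		mv -f "$NewFile" "$ScriptPath"
		NewVersion=$("$ScriptPath" --version)
		# plain string comparison: the version text must not be used as a glob pattern
		if [ "$NewVersion" = "$OldVersion" ] ; then
			echo "$0 is uptodate $NewVersion"
		else
			echo "$0 downloaded new version from $DownloadSource"
		fi
	else
		rm -f "$NewFile"
		echo "cannot download new version of $0 from $DownloadSource"
	fi
	"$ScriptPath" --version
	;;
#-------------------------------------------------------------------------
#-------------------------------------------------------------------------
-c|config|--config)
	# local jail parameters first, then the fail2ban drop-ins generated from them
	cat /usr/local/etc/fail2ban-config/custom.conf /usr/local/etc/fail2ban-config/recidive.conf /etc/fail2ban/jail.d/custom.conf /etc/fail2ban/jail.d/recidive.conf
	echo ""
	echo "#-------------------------------------------------------------------------"
	;;
-d|details|--details)
	# print the status of each known jail, skipping jails fail2ban does not have
	for jail in ssh sshd recidive ; do
		if JailStatus=$(fail2ban-client status "$jail" 2>/dev/null) ; then
			printf '%s\n' "$JailStatus"
		fi
	done
	;;
-f|free|--free|unban|--unban)
	IP="$1"
	if [ -z "$IP" ] ; then IP="--all" ; fi
	# operator input passed as a single argument; fail2ban-client validates it
	fail2ban-client unban "$IP"
	;;
#-------------------------------------------------------------------------
#-------------------------------------------------------------------------
-i|install|--install)
	apt-get update
	apt-get install fail2ban
	;;
-s|set|--set|-r|reset|--reset)
	# reset only differs from set by discarding the local parameter files first
	case "$Option" in
	-r|reset|--reset)
		rm -f /usr/local/etc/fail2ban-config/custom.conf
		rm -f /usr/local/etc/fail2ban-config/recidive.conf
		;;
	esac
	echo "$LINENO| Enforce fail2ban configuration"
	#old versions don't support time units d, w, h ...
	mkdir -p /usr/local/etc/fail2ban-config
	if [ ! -f /usr/local/etc/fail2ban-config/custom.conf ] ; then
		echo "
# Default parameters of custom jail
#-------------------------------------------------------------------------
# set by $0 $Version on $(date)
# located at /usr/local/etc/fail2ban-config/custom.conf
# 3600s=1h 600s=10mn
custom_findtime=\"3600\"
custom_bantime=\"600\"
custom_maxretry=\"5\"" > /usr/local/etc/fail2ban-config/custom.conf
	fi
	if [ ! -f /usr/local/etc/fail2ban-config/recidive.conf ] ; then
		echo "
# Default parameters of recidive jail
#-------------------------------------------------------------------------
# set by $0 $Version on $(date)
# located at /usr/local/etc/fail2ban-config/recidive.conf
# 43200s=12h 3600s=1h
recidive_findtime=\"43200\"
recidive_bantime=\"3600\"
recidive_maxretry=\"3\"" > /usr/local/etc/fail2ban-config/recidive.conf
	fi
	for ParamFile in /usr/local/etc/fail2ban-config/custom.conf /usr/local/etc/fail2ban-config/recidive.conf ; do
		# the parameter files are executed as shell by root: refuse one that is
		# not owned by root or that other accounts can write to
		if [ ! -O "$ParamFile" ] || [ -n "$(find "$ParamFile" -perm -002)" ] ; then
			echo "$LINENO| $ParamFile is not owned by root or is world-writable, refusing to source it" >&2
			exit 1
		fi
		. "$ParamFile"
	done
	#temporary: remove once every host has been upgraded past the xoe drop-ins
	rm -f /etc/fail2ban/jail.d/xoe.conf /etc/fail2ban/jail.d/xoe.recidive.conf
	#
	if [ ! -d /etc/fail2ban/jail.d ] ; then
		echo "This version seems too old, /etc/fail2ban/jail.d is not found"
	else
		echo "
# Current fai2ban custom jail definition
#-------------------------------------------------------------------------
# generated by $0 $Version on $(date)
# located at /etc/fail2ban/jail.d/custom.conf
[DEFAULT]
findtime = $custom_findtime
bantime = $custom_bantime
maxretry = $custom_maxretry"	> /etc/fail2ban/jail.d/custom.conf
		echo "
# Current fai2ban recidive jail definition
#-------------------------------------------------------------------------
# generated by $0  $Version on $(date)
# located at /etc/fail2ban/jail.d/recidive.conf
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
filter = recidive
# find how many times it was banned last $recidive_findtime seconds
findtime = $recidive_findtime 
# if it was banned $recidive_maxretry times
maxretry = $recidive_maxretry
# ban this user for $recidive_bantime seconds
bantime = $recidive_bantime
action   = iptables-allports[name=recidive]"	> /etc/fail2ban/jail.d/recidive.conf
		service fail2ban restart
	fi
	;;
-a|access-user|--access-user)
	if [ ! -z "$1" ] ; then
		SISALP_USER="$1"
	fi
	# the name ends up in a path, an adduser argument and a sudoers rule:
	# accept only the conservative form adduser itself allows by default
	case "$SISALP_USER" in
	''|*[!a-z0-9_-]*|[!a-z_]*)
		echo "$LINENO| '$SISALP_USER' is not an acceptable user name (lowercase letters, digits, _ and - only)" >&2
		exit 1
		;;
	esac
	case "$SISALP_USER" in
	sisalpuser)
		if [ -f /usr/local/bin/xoe ] ; then
			echo "$0 Warning Creation of sisalpuser was /usr/local/bin/xoe's job"
		fi
		;;
	esac
	if [ ! -d "/home/$SISALP_USER" ] ; then
		USER_PASSWD=$(NEW_PASSWORD)
		# the generated password is shown once, on stdout, so the operator can
		# record it; this script stores it nowhere else
		echo "$USER_PASSWD"
		# answers to adduser's interactive prompts, in order: password (twice),
		# full name, room, work phone, home phone, other, confirmation
		adduser "$SISALP_USER" > /dev/null << EOF
$USER_PASSWD
$USER_PASSWD
Service Client
SISalp
0622616438
0622616438
Autre
Y
EOF
	fi
	if [ ! -e /etc/sudoers ] ; then
		echo "$LINENO| /etc/sudoers is not found"
	else
		# match the whole name: "^%user" alone would also accept "%user2"
		if ! grep -q "^%${SISALP_USER}[[:space:]]" /etc/sudoers 2>/dev/null ; then
			echo "$LINENO| $SISALP_USER is now allowed to use unlimited sudo"
			cp /etc/sudoers /etc/sudoers.dist
			# build the new file aside and let visudo validate it before it replaces
			# /etc/sudoers: a syntax error there disables sudo for every account
			SudoersTmp=$(mktemp /etc/sudoers.tmp.XXXXXX) || exit 1
			cp /etc/sudoers "$SudoersTmp"
			echo "%$SISALP_USER ALL=(ALL) NOPASSWD: ALL" >> "$SudoersTmp"
			if visudo -cf "$SudoersTmp" > /dev/null ; then
				chmod 440 "$SudoersTmp"
				mv -f "$SudoersTmp" /etc/sudoers
			else
				rm -f "$SudoersTmp"
				echo "$LINENO| generated sudoers does not validate, /etc/sudoers left unchanged" >&2
			fi
		else
			echo "$LINENO| $SISALP_USER sudo capabilities are already set"
		fi
	fi
	echo "$LINENO| User context of $SISALP_USER is set"

	;;
-nr|no-root|--no-root|-np|no-root-password|--no-root-password)
	cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.save
	case "$Option" in
	-nr|no-root|--no-root)
		restriction="no"
		;;
	*)
		restriction="prohibit-password"
		;;
	esac
	# look for the directive in the saved copy; the value is anchored so that
	# "no" cannot match a longer value by prefix
	if ! grep -Eq "^PermitRootLogin[[:space:]]+${restriction}[[:space:]]*$" /etc/ssh/sshd_config.save ; then
		# NOTE(review): the directive is appended at the end of sshd_config and sshd
		# keeps the first value it reads, so an earlier Include drop-in setting
		# PermitRootLogin would still take precedence over this line
		sed 's/^PermitRootLogin/#PermitRootLogin/' /etc/ssh/sshd_config.save > /etc/ssh/sshd_config
		echo "#modification on $(date) by $0" >> /etc/ssh/sshd_config
		echo "PermitRootLogin $restriction" >> /etc/ssh/sshd_config
		# never restart sshd on a configuration it rejects: that would cut off
		# every remote session, including this one
		if command -v sshd > /dev/null && ! sshd -t ; then
			cp -a /etc/ssh/sshd_config.save /etc/ssh/sshd_config
			echo "$0 $LINENO sshd rejected the new configuration, previous sshd_config restored" >&2
			exit 1
		fi
		service ssh restart
		echo "$0 $LINENO new restriction $restriction is set"
	else
		echo "$0 $LINENO restriction $restriction is already set"
	fi
	;;
*)
	# an unknown sub-command used to fall through silently with status 0
	echo "$MyName: unknown option $Option" >&2
	exit 2
	;;
esac
exit 0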
