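#!/bin/bash
# Rocky9 compatible
# Author: Nerijus
# Company: Kolmisoft
# Year: 2014
# About: This script configures fail2ban
#
# What it does (in order):
#   1. makes sure /var/log/m2/core_fail2ban_ip.log exists,
#   2. exits early when fail2ban_enabled=0 in /etc/m2/system.conf,
#   3. installs fail2ban via fail2ban_install.sh if /etc/fail2ban is missing,
#   4. patches the shipped jail.local templates with the real sshd port,
#   5. syncs the shipped filter/action/jail files into /etc/fail2ban,
#   6. enables the hgc_301 jail when the DB option
#      Allow_Dynamic_Origination_Point_Authentication_with_Registration is 1,
#   7. restarts fail2ban only if something changed.
#
# Names used below but defined by the sourced framework files (not here):
#   k_start, k_exit, k_config_details, report, replace_line, centos_version,
#   DB_HOST, DB_USERNAME, DB_PASSWORD, DB_NAME, P_OPT, EXIT_CODE.

. /usr/src/m2/framework/bash_functions.sh
. /usr/src/m2/framework/various_functions.sh

VERSION="1.1.0"
SCRIPT_NAME="Fail2Ban Configuration"

# Shipped templates and the live fail2ban configuration directory.
F2B_SRC=/usr/src/m2/helpers/fail2ban
F2B_ETC=/etc/fail2ban

#######################################
# Copy a shipped config file over the installed one when they differ.
# Arguments: $1 - shipped template file
#            $2 - destination directory under /etc/fail2ban
# Globals:   NEED_RESTART_F2B (set to 1 when a file was replaced)
# Returns:   0 always; a failed copy is reported via report()
#######################################
sync_f2b_file() {
  local src=$1
  local dst_dir=$2
  local dst="${dst_dir}/${src##*/}"
  if ! diff -- "$src" "$dst" &> /dev/null; then
    if cp -f -- "$src" "$dst_dir"/; then
      NEED_RESTART_F2B=1
    else
      report "fail2ban_update.sh: Failed to copy $src to $dst_dir" 1
    fi
  fi
}

#######################################
# Print the first TCP port sshd listens on, or nothing if unknown.
# Prefers ss (iproute2, present on Rocky 9) and falls back to netstat
# (net-tools, which Rocky 9 does not install by default).
# Outputs:   port number on stdout, possibly empty
#######################################
detect_ssh_port() {
  local listing
  if command -v ss >/dev/null 2>&1; then
    listing=$(ss -tlnp 2>/dev/null)
  elif command -v netstat >/dev/null 2>&1; then
    listing=$(netstat -tpln 2>/dev/null)
  else
    return 0
  fi
  # Column 4 is "address:port" in both tools; taking the text after the last
  # ':' parses IPv4, "*:22", ":::22" and bracketed IPv6 the same way.
  printf '%s\n' "$listing" \
    | grep ssh \
    | awk '{ n = split($4, a, ":"); print a[n]; exit }'
}

k_start

if [[ ! -e /var/log/m2/core_fail2ban_ip.log ]]; then
  touch /var/log/m2/core_fail2ban_ip.log
  # NOTE(review): world-writable so whichever service logs ban candidates can
  # append, but it also lets any local user write lines that fail2ban acts on.
  # The writing user is not visible from this script, so narrowing the mode to
  # an owner/group is left as a TODO — confirm the producer before changing.
  chmod 777 /var/log/m2/core_fail2ban_ip.log
fi

# system.conf is "key = value"; strip blanks, then take the first line whose
# key is exactly fail2ban_enabled (a commented-out line must not match).
fail2ban_enabled=$(sed 's/ //g' /etc/m2/system.conf \
  | awk -F"=" '$1 == "fail2ban_enabled" { print $2; exit }')
if [[ -n "$fail2ban_enabled" ]] && [ "$fail2ban_enabled" -eq 0 ]; then
  report "fail2ban_enabled set to 0 in /etc/m2/system.conf. Exiting" 3
  k_exit 0
fi

if [[ ! -d "$F2B_ETC" ]]; then
  report "Fail2ban is not installed. Trying to install" 2
  "$F2B_SRC/fail2ban_install.sh"
  k_exit 0
fi

NEED_RESTART_F2B=0

SSH_PORT=$(detect_ssh_port)
# The shipped jail.local files say "port=ssh"; rewrite that when sshd does not
# listen on 22. Both templates are patched because the non-CentOS-6 branch
# below installs configs_c7/jail.local; sed is a no-op where the text is absent.
if [[ "$SSH_PORT" != "22" ]]; then
  # Accept only a plain in-range number so an empty or garbled value never
  # reaches the sed expression.
  if [[ "$SSH_PORT" =~ ^[0-9]+$ ]] && (( SSH_PORT > 0 && SSH_PORT < 65535 )); then
    sed -i "s/port=ssh/port=${SSH_PORT}/g" "$F2B_SRC/configs/jail.local"
    sed -i "s/port=ssh/port=${SSH_PORT}/g" "$F2B_SRC/configs_c7/jail.local"
  else
    report "fail2ban_update.sh: Failed to read SSH port. Will not set it on jail.local" 1
  fi
fi

sync_f2b_file "$F2B_SRC/configs/filter.d/hgc_301.conf" "$F2B_ETC/filter.d"
sync_f2b_file "$F2B_SRC/configs/action.d/iptables-allports.conf" "$F2B_ETC/action.d"
sync_f2b_file "$F2B_SRC/configs/action.d/iptables-blocktype.conf" "$F2B_ETC/action.d"

if (( centos_version == 6 )); then
  sync_f2b_file "$F2B_SRC/configs/jail.local" "$F2B_ETC"
  # correct log: send fail2ban's own log to a file instead of syslog
  if grep -q "logtarget = SYSLOG" "$F2B_ETC/fail2ban.conf"; then
    replace_line "$F2B_ETC/fail2ban.conf" "logtarget = SYSLOG" "logtarget = /var/log/fail2ban.log"
    NEED_RESTART_F2B=1
    report "fail2ban log corrected" 4
  fi
  chkconfig iptables on
else
  sync_f2b_file "$F2B_SRC/configs_c7/jail.local" "$F2B_ETC"
  # The shipped actions drive iptables directly, so firewalld is taken out of
  # the way and the iptables service is enabled instead. fail2ban is stopped
  # here and (re)started at the end once the config is in place.
  systemctl stop firewalld
  systemctl disable firewalld
  systemctl mask --now firewalld
  systemctl enable fail2ban
  systemctl stop fail2ban
  systemctl enable iptables
  systemctl start iptables
  NEED_RESTART_F2B=1
fi

k_config_details
# The password travels via MYSQL_PWD so it does not show up in argv/ps.
# shellcheck disable=SC2086 — P_OPT presumably carries zero or more extra
# mysql options from the framework and is deliberately word-split; verify.
dynamic_op_active=$(MYSQL_PWD=$DB_PASSWORD /usr/bin/mysql -h "$DB_HOST" -u "$DB_USERNAME" $P_OPT "$DB_NAME" \
  --disable-column-names -B \
  -e "SELECT value FROM conflines WHERE name = 'Allow_Dynamic_Origination_Point_Authentication_with_Registration' LIMIT 1")

if [[ "$dynamic_op_active" == "1" ]]; then
  # Enable the hgc_301 jail; matching the two adjacent lines keeps this
  # idempotent, so a second run does not touch the file again.
  if perl -0777 -nle '(m/enabled = false\nfilter = hgc_301/gm) ? exit 0 : exit 1' "$F2B_ETC/jail.local"; then
    perl -i -p0e 's#enabled = false\nfilter = hgc_301#enabled = true\nfilter = hgc_301#igs' "$F2B_ETC/jail.local"
    NEED_RESTART_F2B=1
  fi
fi

if [[ "$NEED_RESTART_F2B" == "1" ]]; then
  if command -v systemctl >/dev/null 2>&1; then
    # "systemctl restart" also starts a stopped unit, and systemd's status
    # text never contains "is running", so the SysV probe below would always
    # pick "start" on Rocky 9.
    systemctl restart fail2ban
  elif service fail2ban status | grep "is running"; then
    service fail2ban restart
  else
    service fail2ban start
  fi
fi

# shellcheck disable=SC2086 — left unquoted on purpose: if the framework
# leaves EXIT_CODE unset, k_exit must see no argument rather than "".
k_exit $EXIT_CODE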