main/fail2ban: add default SSH jail. Fixes #966

4 files changed, 90 insertions, 5 deletions

diff --git a/main/fail2ban/APKBUILD b/main/fail2ban/APKBUILD
index dcfc2740d..7e8b65551 100644
--- a/main/fail2ban/APKBUILD
+++ b/main/fail2ban/APKBUILD
@@ -3,7 +3,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=fail2ban
 pkgver=0.9.3
-pkgrel=0
+pkgrel=1
 pkgdesc="Scans log files for login failures then updates iptables to reject originating ip address"
 url="http://www.fail2ban.org"
 arch="noarch"
@@ -12,7 +12,11 @@ depends="python iptables logrotate"
 makedepends="python-dev python-dev py-setuptools"
 source="$pkgname-$pkgver.tar.gz::https://github.com/$pkgname/$pkgname/archive/$pkgver.tar.gz
 		fail2ban.confd
-		fail2ban.logrotate"
+		fail2ban.logrotate
+		alpine-ssh.jaild
+		alpine-sshd.filterd
+		alpine-sshd-ddos.filterd
+		"
 
 _builddir="$srcdir"/$pkgname-$pkgver
 build() {
@@ -29,14 +33,29 @@ package() {
 		|| return 1
 	install -Dm644 "$srcdir"/fail2ban.logrotate \
 		"$pkgdir"/etc/logrotate.d/fail2ban || return 1
+	install -Dm644 "$srcdir"/alpine-ssh.jaild \
+		"$pkgdir"/etc/fail2ban/jail.d/alpine-ssh.conf
+	install -Dm644 "$srcdir"/alpine-sshd.filterd \
+		"$pkgdir"/etc/fail2ban/filter.d/alpine-sshd.conf
+	install -Dm644 "$srcdir"/alpine-sshd-ddos.filterd \
+		"$pkgdir"/etc/fail2ban/filter.d/alpine-sshd-ddos.conf
 }
 
 md5sums="73c87c545cc6474de984b5a05e64ecab  fail2ban-0.9.3.tar.gz
 b209a04f9314dd064a4aa0ee505c8a4d  fail2ban.confd
-6d1af6ceebd15c8ae3938bc675efe553  fail2ban.logrotate"
+6d1af6ceebd15c8ae3938bc675efe553  fail2ban.logrotate
+d79129324ec8710989be0d631362b1ab  alpine-ssh.jaild
+16637b4f207bc9bd68812d02cc06cfad  alpine-sshd.filterd
+d2634b4646276e5f9e4e3855e16725de  alpine-sshd-ddos.filterd"
 sha256sums="b3a0793d9ed3b4e341e568388c65bb07a904f77ac8044186376cab3e58e5b2c9  fail2ban-0.9.3.tar.gz
 e35f1f820bfe5ecaac2696d60155c348d84af428e8c615e97b900c24a587d233  fail2ban.confd
-4cfe274ec9c71dd0ae0575298f5327230f6e67b2f8fc1a616c645d0f6b3ce02f  fail2ban.logrotate"
+4cfe274ec9c71dd0ae0575298f5327230f6e67b2f8fc1a616c645d0f6b3ce02f  fail2ban.logrotate
+e0d03b972bb90053be53c7dc8d2711a57a569dbb956b40cb0026676cdc5b47db  alpine-ssh.jaild
+948e9b598a9242eb8bfef911c38d8af25c66554fd9c770e3017d636e59b98e16  alpine-sshd.filterd
+1015ff0831970e2f42863b5d5c33635de69ccdae184df72f6be1792cd67f6df8  alpine-sshd-ddos.filterd"
 sha512sums="0a6c1a51f6b5eefc09d2d946c34cd935c36ad23f72bd7d3fe78e060d0cd03d63b7403069adfa26c303ef65069caf68230bc580765dc6093fe14b798c5c6ec39c  fail2ban-0.9.3.tar.gz
 1e7581dd04e7777d6fd5c40cc842a7ec5f4e6a0374673d020d89dd61bf4093d48934844bee89bcac9084f9ae44f3beb66e714cf3c2763d79c3e8feb790c5e43b  fail2ban.confd
-60c80dcf8ced5a0323daef2df702f862d99ac45f56b91015ce39be8471cf9d6a3bb45d776df0330692f40db37638dc3ef2004cfc65f26d50dd67c94fbfdf4ec2  fail2ban.logrotate"
+60c80dcf8ced5a0323daef2df702f862d99ac45f56b91015ce39be8471cf9d6a3bb45d776df0330692f40db37638dc3ef2004cfc65f26d50dd67c94fbfdf4ec2  fail2ban.logrotate
+84915967ae1276f1e14a5813680ee2ebf081af1ff452a688ae5f9ac3363f4aff90e39f8e6456b5c33d5699917d28a16308797095fd1ef9bb1fbcb46d4cea3def  alpine-ssh.jaild
+672762f513e14a29c0183fbab0f7acfa45e8e3e6d25f98d443bf82cad03d15af21b14789a223aeb5642806fa7c2092caede99593059b68230165c311b1eb7fea  alpine-sshd.filterd
+36a81b771be0b36fe0dfb5ee4c72c9cb5b504e110618a8eb6f0f241b4e57d92df01dc5cc04b6b68d5bc6a5e6d68de1000092770285d7a328e5937e50b4b226a3  alpine-sshd-ddos.filterd"
diff --git a/main/fail2ban/alpine-ssh.jaild b/main/fail2ban/alpine-ssh.jaild
new file mode 100644
index 000000000..3afcedf27
--- /dev/null
+++ b/main/fail2ban/alpine-ssh.jaild
@@ -0,0 +1,13 @@
+[sshd]
+enabled  = true
+filter   = alpine-sshd
+port     = ssh
+logpath	 = /var/log/messages
+maxretry = 10
+
+[sshd-ddos]
+enabled  = true
+filter   = alpine-sshd-ddos
+port     = ssh
+logpath  = /var/log/messages
+maxretry = 10
diff --git a/main/fail2ban/alpine-sshd-ddos.filterd b/main/fail2ban/alpine-sshd-ddos.filterd
new file mode 100644
index 000000000..ae4056947
--- /dev/null
+++ b/main/fail2ban/alpine-sshd-ddos.filterd
@@ -0,0 +1,26 @@
+# Fail2Ban ssh filter for at attempted exploit
+#
+# The regex here also relates to a exploit:
+#
+#  http://www.securityfocus.com/bid/17958/exploit
+#  The example code here shows the pushing of the exploit straight after
+#  reading the server version. This is where the client version string normally
+#  pushed. As such the server will read this unparsible information as
+#  "Did not receive identification string".
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = sshd
+
+failregex = Did not receive identification string from <HOST>\s*$
+
+ignoreregex = 
+
+[Init]
+
diff --git a/main/fail2ban/alpine-sshd.filterd b/main/fail2ban/alpine-sshd.filterd
new file mode 100644
index 000000000..87718a963
--- /dev/null
+++ b/main/fail2ban/alpine-sshd.filterd
@@ -0,0 +1,27 @@
+# Fail2Ban filter for openssh for Alpine
+#
+# If you want to protect OpenSSH from being bruteforced by password
+# authentication then get public key authentication working before disabling
+# PasswordAuthentication in sshd_config.
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = sshd
+
+failregex = Failed [-/\w]+ for .* from <HOST> port \d* ssh2
+
+ignoreregex = 
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 10
+
+