From 928d221db06b94d16b2939ee9663e1d058eafbf7 Mon Sep 17 00:00:00 2001
From: ne20002
Date: Tue, 15 Nov 2022 19:19:06 +0100
Subject: [PATCH] Create crowdsec.conf
---
 config/action.d/crowdsec.conf | 115 ++++++++++++++++++++++++++++++++++
 1 file changed, 115 insertions(+)
 create mode 100644 config/action.d/crowdsec.conf
diff --git a/config/action.d/crowdsec.conf b/config/action.d/crowdsec.conf
new file mode 100644
index 0000000000..d945cb4345
--- /dev/null
+++ b/config/action.d/crowdsec.conf
@@ -0,0 +1,115 @@
+# Crowdsec configuration file
+#
+# Action to report IP address to Crowdsec local API
+#
+# NOTE: These reports may include sensitive Info.
+#
+# IMPORTANT: This action relies on a credentials being added to the above action conf,
+# and the appropriate categories set.
+#
+# Example, for ssh bruteforce (in section [sshd] of `jail.local`):
+# action = %(known/action)s
+# crowdsec[lapi_url="http://local-api:8080", machine_id="ReverseProxy", password="******"]
+#
+
+[INCLUDES]
+
+#before = mail-whois-common.conf
+
+[Definition]
+
+# bypass action for restored tickets
+norestored = 1
+
+# Option: actionstart
+# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Values: CMD
+#
+actionstart =
+
+# Option: actionstop
+# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
+# Values: CMD
+#
+actionstop =
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck =
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+#
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = WHOIS_RESULT=$(whois )
+ WHOIS_COUNTRY=$(echo "$WHOIS_RESULT" | grep -a -i -m 1 Country | sed -n -e 's/^.*[Cc]ountry:\s*//p')
+ WHOIS_ASN=$(echo "$WHOIS_RESULT" | grep -a -i Origin | tail -1 | sed -n -e 's/^.*[Oo]rigin.*:\s*AS//p')
+ WHOIS_ASNAME=$(echo "$WHOIS_RESULT" | grep -a netname | tail -1 | sed -n -e 's/^.*netname:\s*//p')
+ TIME=$(LC_ALL=C date -d "@