416 lines
12 KiB
Bash
416 lines
12 KiB
Bash
#!/bin/bash
|
|
|
|
# Script de gestion des bannissements Fail2ban
|
|
# Version: 1.0
|
|
|
|
set -euo pipefail
|
|
|
|
# Couleurs
|
|
RED='\033[0;31m'
|
|
GREEN='\033[0;32m'
|
|
YELLOW='\033[1;33m'
|
|
BLUE='\033[0;34m'
|
|
CYAN='\033[0;36m'
|
|
MAGENTA='\033[0;35m'
|
|
NC='\033[0m'
|
|
|
|
# Vérification root
|
|
check_root() {
|
|
if [ "$EUID" -ne 0 ]; then
|
|
echo -e "${RED}[ERREUR]${NC} Ce script doit être exécuté en tant que root"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
# Vérification Fail2ban
|
|
check_fail2ban() {
|
|
if ! command -v fail2ban-client > /dev/null 2>&1; then
|
|
echo -e "${RED}[ERREUR]${NC} Fail2ban n'est pas installé"
|
|
exit 1
|
|
fi
|
|
|
|
if ! systemctl is-active --quiet fail2ban; then
|
|
echo -e "${RED}[ERREUR]${NC} Fail2ban n'est pas actif"
|
|
echo "Démarrez-le avec: systemctl start fail2ban"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
# Afficher le header
|
|
show_header() {
|
|
clear
|
|
echo "════════════════════════════════════════════════════════════════"
|
|
echo -e "${CYAN} Gestionnaire de Bannissements Fail2ban${NC}"
|
|
echo "════════════════════════════════════════════════════════════════"
|
|
echo ""
|
|
}
|
|
|
|
# Lister toutes les jails actives
|
|
list_jails() {
|
|
echo -e "${BLUE}[Jails actives]${NC}"
|
|
echo ""
|
|
|
|
local jails=$(fail2ban-client status | grep "Jail list" | sed 's/.*:\s*//' | tr ',' '\n' | xargs)
|
|
|
|
if [ -z "$jails" ]; then
|
|
echo -e "${YELLOW}Aucune jail active${NC}"
|
|
return 1
|
|
fi
|
|
|
|
local count=0
|
|
for jail in $jails; do
|
|
count=$((count + 1))
|
|
local banned=$(fail2ban-client status "$jail" | grep "Currently banned" | awk '{print $NF}')
|
|
local total=$(fail2ban-client status "$jail" | grep "Total banned" | awk '{print $NF}')
|
|
|
|
if [ "$banned" -gt 0 ]; then
|
|
echo -e " ${count}. ${GREEN}$jail${NC} - ${RED}$banned${NC} IP(s) bannies (Total: $total)"
|
|
else
|
|
echo -e " ${count}. ${GREEN}$jail${NC} - ${YELLOW}0${NC} IP bannie (Total: $total)"
|
|
fi
|
|
done
|
|
|
|
echo ""
|
|
return 0
|
|
}
|
|
|
|
# Lister les IPs bannies pour toutes les jails
|
|
list_all_banned() {
|
|
echo -e "${BLUE}[IPs actuellement bannies]${NC}"
|
|
echo ""
|
|
|
|
local jails=$(fail2ban-client status | grep "Jail list" | sed 's/.*:\s*//' | tr ',' '\n' | xargs)
|
|
local total_banned=0
|
|
|
|
for jail in $jails; do
|
|
local banned_ips=$(fail2ban-client status "$jail" | grep "Banned IP list" | sed 's/.*:\s*//')
|
|
|
|
if [ -n "$banned_ips" ] && [ "$banned_ips" != "" ]; then
|
|
echo -e "${CYAN}Jail: $jail${NC}"
|
|
for ip in $banned_ips; do
|
|
total_banned=$((total_banned + 1))
|
|
# Récupérer le pays si possible (via whois ou geoip)
|
|
echo -e " ${RED}•${NC} $ip"
|
|
done
|
|
echo ""
|
|
fi
|
|
done
|
|
|
|
if [ "$total_banned" -eq 0 ]; then
|
|
echo -e "${GREEN}✓ Aucune IP bannie actuellement${NC}"
|
|
echo ""
|
|
else
|
|
echo -e "${YELLOW}Total: $total_banned IP(s) bannie(s)${NC}"
|
|
echo ""
|
|
fi
|
|
}
|
|
|
|
# Débannir une IP spécifique
|
|
unban_ip() {
|
|
local ip="$1"
|
|
|
|
echo -e "${YELLOW}[Débannissement de $ip]${NC}"
|
|
echo ""
|
|
|
|
local jails=$(fail2ban-client status | grep "Jail list" | sed 's/.*:\s*//' | tr ',' '\n' | xargs)
|
|
local found=false
|
|
|
|
for jail in $jails; do
|
|
local banned_ips=$(fail2ban-client status "$jail" | grep "Banned IP list" | sed 's/.*:\s*//')
|
|
|
|
if echo "$banned_ips" | grep -qw "$ip"; then
|
|
echo -e " → Débannissement de ${CYAN}$ip${NC} dans la jail ${GREEN}$jail${NC}..."
|
|
fail2ban-client set "$jail" unbanip "$ip"
|
|
echo -e " ${GREEN}✓${NC} IP débannie de $jail"
|
|
found=true
|
|
fi
|
|
done
|
|
|
|
if [ "$found" = false ]; then
|
|
echo -e "${YELLOW}L'IP $ip n'est bannie dans aucune jail${NC}"
|
|
else
|
|
echo -e "\n${GREEN}✓ IP $ip complètement débannie${NC}"
|
|
fi
|
|
echo ""
|
|
}
|
|
|
|
# Débannir toutes les IPs d'une jail
|
|
unban_jail() {
|
|
local jail="$1"
|
|
|
|
echo -e "${YELLOW}[Débannissement de toutes les IPs de la jail: $jail]${NC}"
|
|
echo ""
|
|
|
|
local banned_ips=$(fail2ban-client status "$jail" | grep "Banned IP list" | sed 's/.*:\s*//')
|
|
|
|
if [ -z "$banned_ips" ] || [ "$banned_ips" = "" ]; then
|
|
echo -e "${YELLOW}Aucune IP bannie dans cette jail${NC}"
|
|
echo ""
|
|
return
|
|
fi
|
|
|
|
local count=0
|
|
for ip in $banned_ips; do
|
|
echo -e " → Débannissement de ${CYAN}$ip${NC}..."
|
|
fail2ban-client set "$jail" unbanip "$ip"
|
|
count=$((count + 1))
|
|
done
|
|
|
|
echo -e "\n${GREEN}✓ $count IP(s) débannie(s) de la jail $jail${NC}"
|
|
echo ""
|
|
}
|
|
|
|
# Débannir toutes les IPs de toutes les jails
|
|
unban_all() {
|
|
echo -e "${RED}[Débannissement de TOUTES les IPs]${NC}"
|
|
echo ""
|
|
|
|
read -p "Êtes-vous sûr? (oui/non): " confirm
|
|
|
|
if [ "$confirm" != "oui" ]; then
|
|
echo -e "${YELLOW}Opération annulée${NC}"
|
|
echo ""
|
|
return
|
|
fi
|
|
|
|
local jails=$(fail2ban-client status | grep "Jail list" | sed 's/.*:\s*//' | tr ',' '\n' | xargs)
|
|
local total_unbanned=0
|
|
|
|
for jail in $jails; do
|
|
local banned_ips=$(fail2ban-client status "$jail" | grep "Banned IP list" | sed 's/.*:\s*//')
|
|
|
|
if [ -n "$banned_ips" ] && [ "$banned_ips" != "" ]; then
|
|
echo -e "${CYAN}Jail: $jail${NC}"
|
|
for ip in $banned_ips; do
|
|
echo -e " → Débannissement de ${CYAN}$ip${NC}..."
|
|
fail2ban-client set "$jail" unbanip "$ip"
|
|
total_unbanned=$((total_unbanned + 1))
|
|
done
|
|
fi
|
|
done
|
|
|
|
echo ""
|
|
echo -e "${GREEN}✓ Total: $total_unbanned IP(s) débannie(s)${NC}"
|
|
echo ""
|
|
}
|
|
|
|
# Afficher les statistiques
|
|
show_stats() {
|
|
echo -e "${BLUE}[Statistiques Fail2ban]${NC}"
|
|
echo ""
|
|
|
|
local jails=$(fail2ban-client status | grep "Jail list" | sed 's/.*:\s*//' | tr ',' '\n' | xargs)
|
|
|
|
echo -e "${CYAN}Jail${NC} ${CYAN}Actuellement${NC} ${CYAN}Total${NC} ${CYAN}Tentatives${NC}"
|
|
echo "──────────────────── ───────────── ──────── ───────────"
|
|
|
|
for jail in $jails; do
|
|
local status=$(fail2ban-client status "$jail")
|
|
local currently=$(echo "$status" | grep "Currently banned" | awk '{print $NF}')
|
|
local total=$(echo "$status" | grep "Total banned" | awk '{print $NF}')
|
|
local failed=$(echo "$status" | grep "Currently failed" | awk '{print $NF}')
|
|
|
|
printf "%-20s " "$jail"
|
|
|
|
if [ "$currently" -gt 0 ]; then
|
|
printf "${RED}%-13s${NC} " "$currently"
|
|
else
|
|
printf "${GREEN}%-13s${NC} " "$currently"
|
|
fi
|
|
|
|
printf "%-8s %-10s\n" "$total" "$failed"
|
|
done
|
|
|
|
echo ""
|
|
}
|
|
|
|
# Voir les logs récents
|
|
show_logs() {
|
|
local jail="${1:-sshd}"
|
|
local lines="${2:-20}"
|
|
|
|
echo -e "${BLUE}[Logs récents - Jail: $jail]${NC}"
|
|
echo ""
|
|
|
|
if [ ! -f "/var/log/fail2ban.log" ]; then
|
|
echo -e "${YELLOW}Fichier de log non trouvé${NC}"
|
|
echo ""
|
|
return
|
|
fi
|
|
|
|
grep "\[$jail\]" /var/log/fail2ban.log | tail -n "$lines"
|
|
echo ""
|
|
}
|
|
|
|
# Menu interactif
|
|
show_menu() {
|
|
echo -e "${MAGENTA}[Menu]${NC}"
|
|
echo ""
|
|
echo " 1. Lister toutes les IPs bannies"
|
|
echo " 2. Lister les jails actives"
|
|
echo " 3. Débannir une IP spécifique"
|
|
echo " 4. Débannir toutes les IPs d'une jail"
|
|
echo " 5. Débannir TOUTES les IPs"
|
|
echo " 6. Afficher les statistiques"
|
|
echo " 7. Voir les logs récents"
|
|
echo " 8. Actualiser"
|
|
echo " 0. Quitter"
|
|
echo ""
|
|
echo -n "Votre choix: "
|
|
}
|
|
|
|
# Mode interactif
|
|
interactive_mode() {
|
|
while true; do
|
|
show_header
|
|
list_jails
|
|
list_all_banned
|
|
show_menu
|
|
|
|
read choice
|
|
echo ""
|
|
|
|
case $choice in
|
|
1)
|
|
show_header
|
|
list_all_banned
|
|
read -p "Appuyez sur Entrée pour continuer..."
|
|
;;
|
|
2)
|
|
show_header
|
|
list_jails
|
|
show_stats
|
|
read -p "Appuyez sur Entrée pour continuer..."
|
|
;;
|
|
3)
|
|
echo -n "IP à débannir: "
|
|
read ip
|
|
unban_ip "$ip"
|
|
read -p "Appuyez sur Entrée pour continuer..."
|
|
;;
|
|
4)
|
|
echo -n "Nom de la jail: "
|
|
read jail
|
|
unban_jail "$jail"
|
|
read -p "Appuyez sur Entrée pour continuer..."
|
|
;;
|
|
5)
|
|
unban_all
|
|
read -p "Appuyez sur Entrée pour continuer..."
|
|
;;
|
|
6)
|
|
show_header
|
|
show_stats
|
|
read -p "Appuyez sur Entrée pour continuer..."
|
|
;;
|
|
7)
|
|
echo -n "Jail (défaut: sshd): "
|
|
read jail
|
|
jail=${jail:-sshd}
|
|
echo -n "Nombre de lignes (défaut: 20): "
|
|
read lines
|
|
lines=${lines:-20}
|
|
show_header
|
|
show_logs "$jail" "$lines"
|
|
read -p "Appuyez sur Entrée pour continuer..."
|
|
;;
|
|
8)
|
|
continue
|
|
;;
|
|
0)
|
|
echo -e "${GREEN}Au revoir!${NC}"
|
|
exit 0
|
|
;;
|
|
*)
|
|
echo -e "${RED}Choix invalide${NC}"
|
|
sleep 2
|
|
;;
|
|
esac
|
|
done
|
|
}
|
|
|
|
# Mode ligne de commande
|
|
usage() {
|
|
echo "Usage: $0 [option]"
|
|
echo ""
|
|
echo "Options:"
|
|
echo " -l, --list Lister toutes les IPs bannies"
|
|
echo " -j, --jails Lister les jails actives"
|
|
echo " -u, --unban <IP> Débannir une IP spécifique"
|
|
echo " -U, --unban-jail <jail> Débannir toutes les IPs d'une jail"
|
|
echo " -a, --unban-all Débannir toutes les IPs"
|
|
echo " -s, --stats Afficher les statistiques"
|
|
echo " -L, --logs [jail] Afficher les logs (défaut: sshd)"
|
|
echo " -i, --interactive Mode interactif (défaut)"
|
|
echo " -h, --help Afficher l'aide"
|
|
echo ""
|
|
exit 0
|
|
}
|
|
|
|
# Programme principal
|
|
main() {
|
|
check_root
|
|
check_fail2ban
|
|
|
|
# Si aucun argument, mode interactif
|
|
if [ $# -eq 0 ]; then
|
|
interactive_mode
|
|
exit 0
|
|
fi
|
|
|
|
# Mode ligne de commande
|
|
case "$1" in
|
|
-l|--list)
|
|
show_header
|
|
list_all_banned
|
|
;;
|
|
-j|--jails)
|
|
show_header
|
|
list_jails
|
|
show_stats
|
|
;;
|
|
-u|--unban)
|
|
if [ -z "${2:-}" ]; then
|
|
echo -e "${RED}Erreur: IP manquante${NC}"
|
|
echo "Usage: $0 --unban <IP>"
|
|
exit 1
|
|
fi
|
|
show_header
|
|
unban_ip "$2"
|
|
;;
|
|
-U|--unban-jail)
|
|
if [ -z "${2:-}" ]; then
|
|
echo -e "${RED}Erreur: Nom de jail manquant${NC}"
|
|
echo "Usage: $0 --unban-jail <jail>"
|
|
exit 1
|
|
fi
|
|
show_header
|
|
unban_jail "$2"
|
|
;;
|
|
-a|--unban-all)
|
|
show_header
|
|
unban_all
|
|
;;
|
|
-s|--stats)
|
|
show_header
|
|
show_stats
|
|
;;
|
|
-L|--logs)
|
|
show_header
|
|
show_logs "${2:-sshd}" "${3:-20}"
|
|
;;
|
|
-i|--interactive)
|
|
interactive_mode
|
|
;;
|
|
-h|--help)
|
|
usage
|
|
;;
|
|
*)
|
|
echo -e "${RED}Option invalide: $1${NC}"
|
|
echo ""
|
|
usage
|
|
;;
|
|
esac
|
|
}
|
|
|
|
main "$@" |