Subversion Repositories configs

# Fail2Ban jail specifications file

#

# Comments: use '#' for comment lines and ';' (following a space) for inline comments

#

# Changes:  in most of the cases you should not modify this

#           file, but provide customizations in jail.local file, e.g.:

#

# [DEFAULT]

# bantime = 3600

#

# [ssh-iptables]

# enabled = true

#

# The DEFAULT allows a global definition of the options. They can be overridden

# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not

# ban a host which matches an address in this list. Several addresses can be

# defined using space separator.

ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.

bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"

# seconds.

findtime  = 600

# "maxretry" is the number of failures before a host get banned.

maxretry = 3

# "backend" specifies the backend used to get files modification.

# Available options are "pyinotify", "gamin", "polling" and "auto".

# This option can be overridden in each jail as well.

#

# pyinotify: requires pyinotify (a file alteration monitor) to be installed.

#              If pyinotify is not installed, Fail2ban will use auto.

# gamin:     requires Gamin (a file alteration monitor) to be installed.

#              If Gamin is not installed, Fail2ban will use auto.

# polling:   uses a polling algorithm which does not require external libraries.

# auto:      will try to use the following backends, in order:

#              pyinotify, gamin, polling.

backend = auto

# "usedns" specifies if jails should trust hostnames in logs,

#   warn when DNS lookups are performed, or ignore all hostnames in logs

#

# yes:   if a hostname is encountered, a DNS lookup will be performed.

# warn:  if a hostname is encountered, a DNS lookup will be performed,

#        but it will be logged as a warning.

# no:    if a hostname is encountered, will not be used for banning,

#        but it will be logged as info.

usedns = warn

# This jail corresponds to the standard configuration in Fail2ban 0.6.

# The mail-whois action send a notification e-mail with a whois request

# in the body.

[ssh-iptables]

enabled  = true

filter   = sshd

action   = iptables[name=SSH, port=ssh, protocol=tcp]

           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com]

logpath  = /var/log/secure

maxretry = 5

[proftpd-iptables]

enabled  = false

filter   = proftpd

action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]

           sendmail-whois[name=ProFTPD, dest=root]

logpath  = /var/log/proftpd/proftpd.log

maxretry = 6

# This jail forces the backend to "polling".

[sasl-iptables]

enabled  = false

filter   = sasl

backend  = polling

action   = iptables[name=sasl, port=smtp, protocol=tcp]

           sendmail-whois[name=sasl, dest=root]

logpath  = /var/log/mail.log

# ASSP SMTP Proxy Jail

[assp]

enabled  = false

filter   = assp

action = iptables-multiport[name=assp,port="25,465,587"]

logpath  = /root/path/to/assp/logs/maillog.txt

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is

# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled     = false

filter      = sshd

action      = hostsdeny

              sendmail-whois[name=SSH, dest=root]

ignoreregex = for myuser from

logpath     = /var/log/sshd.log

# Here we use blackhole routes for not requiring any additional kernel support

# to store large volumes of banned IPs

[ssh-route]

enabled = false

filter = sshd

action = route

logpath = /var/log/sshd.log

maxretry = 5

# Here we use a combination of Netfilter/Iptables and IPsets

# for storing large volumes of banned IPs

#

# IPset comes in two versions. See ipset -V for which one to use

# requires the ipset package and kernel support.

[ssh-iptables-ipset4]

enabled  = false

filter   = sshd

action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]

logpath  = /var/log/sshd.log

maxretry = 5

[ssh-iptables-ipset6]

enabled  = false

filter   = sshd

action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]

logpath  = /var/log/sshd.log

maxretry = 5

# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.

# table number must be unique.

#

# This will create a deny rule for that table ONLY if a rule

# for the table doesn't ready exist.

#

[ssh-bsd-ipfw]

enabled  = false

filter   = sshd

action   = bsd-ipfw[port=ssh,table=1]

logpath  = /var/log/auth.log

maxretry = 5

# This jail demonstrates the use of wildcards in "logpath".

# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled  = false

filter	 = apache-auth

action   = hostsdeny

logpath  = /var/log/apache*/*error.log

           /home/www/myhomepage/error.log

maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is

# not in /etc.

[postfix-tcpwrapper]

enabled  = false

filter   = postfix

action   = hostsdeny[file=/not/a/standard/path/hosts.deny]

           sendmail[name=Postfix, dest=root]

logpath  = /var/log/postfix.log

bantime  = 300

# Do not ban anybody. Just report information about the remote host.

# A notification is sent at most every 600 seconds (bantime).

[vsftpd-notification]

enabled  = false

filter   = vsftpd

action   = sendmail-whois[name=VSFTPD, dest=root]

logpath  = /var/log/vsftpd.log

maxretry = 5

bantime  = 1800

# Same as above but with banning the IP address.

[vsftpd-iptables]

enabled  = false

filter   = vsftpd

action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]

           sendmail-whois[name=VSFTPD, dest=root]

logpath  = /var/log/vsftpd.log

maxretry = 5

bantime  = 1800

# Ban hosts which agent identifies spammer robots crawling the web

# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled  = false

filter   = apache-badbots

action   = iptables-multiport[name=BadBots, port="http,https"]

           sendmail-buffered[name=BadBots, lines=5, dest=root]

logpath  = /var/www/*/logs/access_log

bantime  = 172800

maxretry = 1

# Use shorewall instead of iptables.

[apache-shorewall]

enabled  = false

filter   = apache-noscript

action   = shorewall

           sendmail[name=Postfix, dest=root]

logpath  = /var/log/apache2/error_log

# Monitor roundcube server

[roundcube-iptables]

enabled  = false

filter   = roundcube-auth

action   = iptables[name=RoundCube, port="http,https"]

logpath  = /var/log/roundcube/userlogins

# Monitor SOGo groupware server

[sogo-iptables]

enabled  = false

filter   = sogo-auth

# without proxy this would be:

# port    = 20000

action   = iptables[name=SOGo, port="http,https"]

logpath  = /var/log/sogo/sogo.log

# Ban attackers that try to use PHP's URL-fopen() functionality

# through GET/POST variables. - Experimental, with more than a year

# of usage in production environments.

[php-url-fopen]

enabled = false

action  = iptables[name=php-url-open, port="http,https"]

filter  = php-url-fopen

logpath = /var/www/*/logs/access_log

maxretry = 1

# A simple PHP-fastcgi jail which works with lighttpd.

# If you run a lighttpd server, then you probably will

# find these kinds of messages in your error_log:

# ALERT – tried to register forbidden variable ‘GLOBALS’

# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')

# This jail would block the IP 1.2.3.4.

[lighttpd-fastcgi]

enabled = false

filter  = lighttpd-fastcgi

action  = iptables[name=lighttpd-fastcgi, port="http,https"]

# adapt the following two items as needed

logpath = /var/log/lighttpd/error.log

maxretry = 2

# Same as above for mod_auth

# It catches wrong authentications

[lighttpd-auth]

enabled = false

filter  = lighttpd-auth

action  = iptables[name=lighttpd-auth, port="http,https"]

# adapt the following two items as needed

logpath = /var/log/lighttpd/error.log

maxretry = 2

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"

# option is overridden in this jail. Moreover, the action "mail-whois" defines

# the variable "name" which contains a comma using "". The characters '' are

# valid too.

[ssh-ipfw]

enabled  = false

filter   = sshd

action   = ipfw[localhost=192.168.0.1]

           sendmail-whois[name="SSH,IPFW", dest=root]

logpath  = /var/log/auth.log

ignoreip = 168.192.0.1

# These jails block attacks against named (bind9). By default, logging is off

# with bind9 installation. You will need something like this:

#

# logging {

#     channel security_file {

#         file "/var/log/named/security.log" versions 3 size 30m;

#         severity dynamic;

#         print-time yes;

#     };

#     category security {

#         security_file;

#     };

# };

#

# in your named.conf to provide proper logging.

# This jail blocks UDP traffic for DNS requests.

# !!! WARNING !!!

#   Since UDP is connection-less protocol, spoofing of IP and imitation

#   of illegal actions is way too simple.  Thus enabling of this filter

#   might provide an easy way for implementing a DoS against a chosen

#   victim. See

#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html

#   Please DO NOT USE this jail unless you know what you are doing.

#

# [named-refused-udp]

#

# enabled  = false

# filter   = named-refused

# action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]

#            sendmail-whois[name=Named, dest=root]

# logpath  = /var/log/named/security.log

# ignoreip = 168.192.0.1

# This jail blocks TCP traffic for DNS requests.

[named-refused-tcp]

enabled  = false

filter   = named-refused

action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]

           sendmail-whois[name=Named, dest=root]

logpath  = /var/log/named/security.log

ignoreip = 168.192.0.1

# Multiple jails, 1 per protocol, are necessary ATM:

# see https://github.com/fail2ban/fail2ban/issues/37

[asterisk-tcp]

enabled  = false

filter   = asterisk

action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]

           sendmail-whois[name=Asterisk, dest=root, sender=fail2ban@example.com]

logpath  = /var/log/asterisk/messages

maxretry = 10

[asterisk-udp]

enabled  = false

filter	 = asterisk

action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]

           sendmail-whois[name=Asterisk, dest=root, sender=fail2ban@example.com]

logpath  = /var/log/asterisk/messages

maxretry = 10

# To log wrong MySQL access attempts add to /etc/my.cnf:

# log-error=/var/log/mysqld.log

# log-warning = 2

[mysqld-iptables]

enabled  = false

filter   = mysqld-auth

action   = iptables[name=mysql, port=3306, protocol=tcp]

           sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]

logpath  = /var/log/mysqld.log

maxretry = 5

# Jail for more extended banning of persistent abusers

# !!! WARNING !!!

#   Make sure that your loglevel specified in fail2ban.conf/.local

#   is not at DEBUG level -- which might then cause fail2ban to fall into

#   an infinite loop constantly feeding itself with non-informative lines

[recidive]

enabled  = false

filter   = recidive

logpath  = /var/log/fail2ban.log

action   = iptables-allports[name=recidive]

           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]

bantime  = 604800  ; 1 week

findtime = 86400   ; 1 day

maxretry = 5

# PF is a BSD based firewall

[ssh-pf]

enabled=false

filter = sshd

action = pf

logpath  = /var/log/sshd.log

maxretry=5

[3proxy]

enabled = false

filter  = 3proxy

action  = iptables[name=3proxy, port=3128, protocol=tcp]

logpath = /var/log/3proxy.log

[exim]

enabled = false

filter  = exim

action  = iptables-multiport[name=exim,port="25,465,587"]

logpath = /var/log/exim/mainlog

[exim-spam]

enabled = false

filter  = exim-spam

action  = iptables-multiport[name=exim-spam,port="25,465,587"]

logpath = /var/log/exim/mainlog

[perdition]

enabled = false

filter  = perdition

action  = iptables-multiport[name=perdition,port="110,143,993,995"]

logpath = /var/log/maillog

[uwimap-auth]

enabled = false

filter  = uwimap-auth

action  = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]

logpath = /var/log/maillog

[osx-ssh-ipfw]

enabled  = false

filter   = sshd

action   = osx-ipfw

logpath  = /var/log/secure.log

maxretry = 5

[ssh-apf]

enabled = false

filter  = sshd

action  = apf[name=SSH]

logpath = /var/log/secure

maxretry = 5

[osx-ssh-afctl]

enabled  = false

filter   = sshd

action   = osx-afctl[bantime=600]

logpath  = /var/log/secure.log

maxretry = 5

[webmin-auth]

enabled = false

filter  = webmin-auth

action  = iptables-multiport[name=webmin,port="10000"]

logpath = /var/log/auth.log

# dovecot defaults to logging to the mail syslog facility

# but can be set by syslog_facility in the dovecot configuration.

[dovecot]

enabled = false

filter  = dovecot

action  = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]

logpath = /var/log/mail.log

[dovecot-auth]

enabled = false

filter  = dovecot

action  = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]

logpath = /var/log/secure

[selinux-ssh]

enabled = false

filter  = selinux-ssh

action  = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]

logpath  = /var/log/audit/audit.log

maxretry = 5