| 87 |
- |
1 |
# Fail2Ban configuration file
|
|
|
2 |
#
|
|
|
3 |
# Author: Donald Yandt
|
|
|
4 |
#
|
|
|
5 |
# Because of the rich rule commands requires firewalld-0.3.1+
|
|
|
6 |
# This action uses firewalld rich-rules which gives you a cleaner iptables since it stores rules according to zones and not
|
|
|
7 |
# by chain. So for an example all deny rules will be listed under <zone>_deny and all log rules under <zone>_log.
|
|
|
8 |
#
|
|
|
9 |
# Also this action logs banned access attempts so you can filter that and increase ban time for offenders.
|
|
|
10 |
#
|
|
|
11 |
# If you use the --permanent rule you get a xml file in /etc/firewalld/zones/<zone>.xml that can be shared and parsed easliy
|
|
|
12 |
#
|
|
|
13 |
# Example commands to view rules:
|
|
|
14 |
# firewall-cmd [--zone=<zone>] --list-rich-rules
|
|
|
15 |
# firewall-cmd [--zone=<zone>] --list-all
|
|
|
16 |
# firewall-cmd [--zone=zone] --query-rich-rule='rule'
|
|
|
17 |
|
|
|
18 |
[Definition]
|
|
|
19 |
|
|
|
20 |
actionstart =
|
|
|
21 |
|
|
|
22 |
actionstop =
|
|
|
23 |
|
|
|
24 |
actioncheck =
|
|
|
25 |
|
|
|
26 |
# you can also use zones and/or service names.
|
|
|
27 |
#
|
|
|
28 |
# zone example:
|
|
|
29 |
# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' port port='<port>' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <blocktype>"
|
|
|
30 |
# service name example:
|
|
|
31 |
# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' service name='<service>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <blocktype>"
|
|
|
32 |
# Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges seperated by a comma or space for an example: http, https, 22-60, 18 smtp
|
|
|
33 |
|
|
|
34 |
actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='<ip>' port port='$p' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <blocktype>"; done
|
|
|
35 |
|
|
|
36 |
actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='<ip>' port port='$p' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <blocktype>"; done
|
|
|
37 |
|
|
|
38 |
[Init]
|
|
|
39 |
|
|
|
40 |
name = default
|
|
|
41 |
|
|
|
42 |
# log levels are "emerg", "alert", "crit", "error", "warning", "notice", "info" or "debug"
|
|
|
43 |
level = info
|
|
|
44 |
|
|
|
45 |
# log rate per minute
|
|
|
46 |
rate = 1
|
|
|
47 |
|
|
|
48 |
zone = public
|
|
|
49 |
|
|
|
50 |
# use command firewall-cmd --get-services to see a list of services available
|
|
|
51 |
#
|
|
|
52 |
# Examples:
|
|
|
53 |
#
|
|
|
54 |
# amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps
|
|
|
55 |
# freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos
|
|
|
56 |
# kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s
|
|
|
57 |
# postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy
|
|
|
58 |
# telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
|
|
|
59 |
|
|
|
60 |
service = ssh
|
|
|
61 |
|
|
|
62 |
# reject types: 'icmp-net-unreachable', 'icmp-host-unreachable', 'icmp-port-unreachable', 'icmp-proto-unreachable',
|
|
|
63 |
# 'icmp-net-prohibited', 'icmp-host-prohibited', 'icmp-admin-prohibited' or 'tcp-reset'
|
|
|
64 |
|
|
|
65 |
blocktype = reject type='icmp-port-unreachable'
|