#
# jail.conf - Fail2ban jail definitions (read by fail2ban-client/fail2ban-server)
#
# WARNING: heavily refactored in the 0.9.0 release. Review the settings below
#          and customize them for your setup - but not in this file.
#
# DO NOT MODIFY THIS FILE. A distribution update will probably overwrite or
# improve it. Put your customizations into jail.local, or into separate .conf
# files under the jail.d/ directory.
#
# HOW TO ACTIVATE JAILS
#
# Every jail is disabled by default. To change the default bantime for all
# jails and to enable the sshd jail, a jail.local (or jail.d/customisation.local)
# would contain the following, uncommented:
#
# [DEFAULT]
# bantime = 3600
#
# [sshd]
# enabled = true
#
# See the jail.conf(5) man page ("man 5 jail.conf") for details.

# Comment syntax: '#' starts a comment line; ';' preceded by a space starts an
# inline comment. Values that contain '%' are configparser-style interpolations
# (%(name)s) and are resolved per section, with [DEFAULT] as fallback.

[INCLUDES]

# Log-path variables (%(sshd_log)s etc.) come from the distribution path file
# read before this one. The generic name is kept here for reference.
#before = paths-distro.conf
before = paths-fedora.conf
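# [DEFAULT] holds the global value of every option. Any jail section below
# may override any of them.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# Hosts that are never banned. Each entry is an IP address, a CIDR range or a
# DNS host name; separate several entries with spaces.
ignoreip = 127.0.0.1/8

# External command that receives tagged arguments (e.g. <ip>) and exits true
# if that address must be ignored, false otherwise. Empty means unused.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# Seconds a host stays banned.
bantime = 600

# A host is banned once it produces "maxretry" failures within the last
# "findtime" seconds.
findtime = 600

# Number of failures before a host gets banned.
maxretry = 5

# "backend" selects how log file modifications are detected.
# Available options: "pyinotify", "gamin", "polling", "systemd" and "auto".
# May be overridden per jail.
#
# pyinotify: requires the pyinotify file alteration monitor; if it is not
#              installed, Fail2ban falls back to auto.
# gamin:     requires Gamin (a file alteration monitor); if it is not
#              installed, Fail2ban falls back to auto.
# polling:   polling algorithm, no external libraries needed.
# systemd:   reads the systemd journal through the systemd python library.
#              "logpath" is not valid for this backend; see "journalmatch" in
#              the filter config of the jail instead.
# auto:      tries pyinotify, gamin, polling - in that order.
#
# Note: if systemd is chosen as the default backend but you enable a jail
#       whose logs exist only in its own log files, give that jail some other
#       backend (e.g. polling) and an empty value for journalmatch.
#       See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto

# "usedns" controls whether jails trust host names found in logs, warn when a
# DNS lookup is performed, or ignore host names entirely.
#
# yes:   a host name triggers a DNS lookup.
# warn:  a host name triggers a DNS lookup, logged as a warning.
# no:    a host name is never used for banning; it is logged at info level.
usedns = warn

# "logencoding" is the encoding used to decode lines from the jail's log files.
#   Typical values: "ascii", "utf-8"
#   auto: use the system locale setting
logencoding = auto

# "enabled" switches a jail on. All jails are off by default and this file
# should keep it that way; enable only the jails relevant to your setup in
# jail.local or jail.d/*.conf.
#
# true:  the jail runs and its log files are monitored for changes
# false: the jail is not started
enabled = false

# "filter" names the filter a jail uses. By default a jail's filter has the
# same name as the jail itself.
filter = %(__name__)s


#
# ACTIONS
#

# Options consumed by the actions below.

# Destination e-mail address, used only for interpolation inside the
# jail.{conf,local,d/*} files.
destemail = root@localhost

# Sender e-mail address, used only by some actions.
sender = root@localhost

# Mail transport. Since 0.8.1 Fail2Ban mails through sendmail; set mta to
# mail to go back to the conventional 'mail' command.
mta = sendmail

# Default protocol.
protocol = tcp

# Chain the iptables-* actions insert their jumps into.
chain = INPUT

# Ports to ban. Jails normally override this; the default covers every port.
port = 0:65535

#
# Action shortcuts, meant to be assigned to the "action" parameter.

# Default banning action (iptables, iptables-new, iptables-multiport,
# shorewall, ...). It is what the action_* shortcuts expand to and can be
# overridden globally or per section in jail.local.
banaction = iptables-multiport

# Simplest action: ban only.
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# Ban and e-mail a whois report to destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# Ban and e-mail a whois report plus the relevant log lines to destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# Read the IMPORTANT note in action.d/xarf-login-attack before using this.
#
# Ban and send an X-ARF e-mail, including the relevant log lines, to the
# abuse contact of the IP address.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]

# Ban the IP at CloudFlare and e-mail a whois report plus the relevant log
# lines to destemail. cfemail and cfapikey are credentials: define them in a
# root-only readable jail.local / jail.d file, never here.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# Report the block through the blocklist.de fail2ban reporting service API.
#
# Read the IMPORTANT note in action.d/blocklist_de.conf before using this.
# Create jail.d/blocklist_de.local (readable by root only - it holds a
# credential) containing
# [Init]
# blocklist_de_apikey = {api key from registration}
#
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]

# Report the ban to badips.com and use badips.com as a blacklist.
#
# See the BadIPsAction docstring in config/action.d/badips.py for the
# documentation of this action.
#
# NOTE: this action relies on banaction being present at start and must
# therefore be the last action defined for a jail.
#
# category is the jail name (__name__), like every other shortcut in this
# section; no "name" option is defined in this file, so %(name)s would not
# resolve when the shortcut is selected.
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s"]

# Default action. To change it, override "action" in jail.local - globally in
# [DEFAULT] or in a specific section - with the interpolation of the chosen
# shortcut (e.g. action_mw, action_mwl, ...).
action = %(action_)s
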
#
# JAILS
#

#
# SSH servers
#

# OpenSSH. sshd_log is expected from the paths-*.conf included above.
[sshd]

port = ssh
logpath = %(sshd_log)s


# Same log as [sshd]; the filter is the section name (sshd-ddos) by default.
[sshd-ddos]

port = ssh
logpath = %(sshd_log)s


[dropbear]

port = ssh
logpath = %(dropbear_log)s


# ssh failures as recorded in the audit log (auditd_log).
[selinux-ssh]

port = ssh
logpath = %(auditd_log)s
maxretry = 5

#
# HTTP servers
#

# Apache authentication failures (error log).
[apache-auth]

port = http,https
logpath = %(apache_error_log)s


# Bans clients whose user agent identifies a spam robot harvesting e-mail
# addresses from the site. One hit is enough and the ban lasts two days
# (172800 s). Mail output is buffered.
[apache-badbots]

port = http,https
logpath = %(apache_access_log)s
bantime = 172800
maxretry = 1


[apache-noscript]

port = http,https
logpath = %(apache_error_log)s
maxretry = 6


[apache-overflows]

port = http,https
logpath = %(apache_error_log)s
maxretry = 2


[apache-nohome]

port = http,https
logpath = %(apache_error_log)s
maxretry = 2


[apache-botsearch]

port = http,https
logpath = %(apache_error_log)s
maxretry = 2


# Clients claiming to be Googlebot are checked by the external command before
# a single hit gets them banned; ignorecommands_dir comes from the paths file.
[apache-fakegooglebot]

port = http,https
logpath = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>


[apache-modsecurity]

port = http,https
logpath = %(apache_error_log)s
maxretry = 2


[apache-shellshock]

port = http,https
logpath = %(apache_error_log)s
maxretry = 1


[nginx-http-auth]

port = http,https
logpath = %(nginx_error_log)s


[nginx-botsearch]

port = http,https
logpath = %(nginx_error_log)s
maxretry = 2


# Bans attackers that try to abuse PHP's URL-fopen() through GET/POST
# variables. Experimental, although in production use for more than a year.
# Both access logs are watched (the second line is a value continuation).
[php-url-fopen]

port = http,https
logpath = %(nginx_access_log)s
          %(apache_access_log)s


[suhosin]

port = http,https
logpath = %(suhosin_log)s


# lighttpd counterpart of [apache-auth]: catches failed authentications.
[lighttpd-auth]

port = http,https
logpath = %(lighttpd_error_log)s

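#
# Webmail and groupware servers
#

[roundcube-auth]

port = http,https
# The value is the interpolated log path only; a stray "logpath =" prefix in
# the value would make Fail2ban look for a file literally named
# "logpath = <path>" and the jail would never start.
logpath = %(roundcube_errors_log)s


[openwebmail]

port = http,https
logpath = /var/log/openwebmail.log


[horde]

port = http,https
logpath = /var/log/horde/horde.log


[groupoffice]

port = http,https
logpath = /home/groupoffice/log/info.log


# SOGo groupware server, assumed to sit behind an HTTP proxy.
# Without the proxy the port would be:
# port = 20000
[sogo-auth]

port = http,https
logpath = /var/log/sogo/sogo.log


[tine20]

port = http,https
logpath = /var/log/tine20/tine20.log
maxretry = 5
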
#
# Web Applications
#

# Drupal logs through syslog (daemon facility).
[drupal-auth]

port = http,https
logpath = %(syslog_daemon)s


# Guacamole runs under Tomcat; the glob matches any tomcat* log directory.
[guacamole]

port = http,https
logpath = /var/log/tomcat*/catalina.out


# Bans clients brute-forcing the monit GUI login (monit listens on 2812).
[monit]

filter = monit
port = 2812
logpath = /var/log/monit


[webmin-auth]

port = 10000
logpath = %(syslog_authpriv)s


[froxlor-auth]

port = http,https
logpath = %(syslog_authpriv)s

#
# HTTP Proxy servers
#

[squid]

port = 80,443,3128,8080
logpath = /var/log/squid/access.log


[3proxy]

port = 3128
logpath = /var/log/3proxy.log

#
# FTP servers
#

[proftpd]

port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s


[pure-ftpd]

port = ftp,ftp-data,ftps,ftps-data
logpath = %(pureftpd_log)s
maxretry = 6


# gssftpd logs through syslog (daemon facility).
[gssftpd]

port = ftp,ftp-data,ftps,ftps-data
logpath = %(syslog_daemon)s
maxretry = 6


[wuftpd]

port = ftp,ftp-data,ftps,ftps-data
logpath = %(wuftpd_log)s
maxretry = 6


# To rely on PAM's failed-login records instead of vsftpd's own log,
# override the path in jail.local:
# logpath = %(syslog_authpriv)s
# The vsftpd failregex matches both formats.
[vsftpd]

port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s

#
# Mail servers
#

# ASSP SMTP proxy. The logpath below is a placeholder ("/root/path/to/...")
# and must be overridden with the real ASSP log location in jail.local.
[assp]

port = smtp,465,submission
logpath = /root/path/to/assp/logs/maillog.txt


[courier-smtp]

port = smtp,465,submission
logpath = %(syslog_mail)s


[postfix]

port = smtp,465,submission
logpath = %(postfix_log)s


# RBL rejects: one hit is enough.
[postfix-rbl]

port = smtp,465,submission
logpath = %(syslog_mail)s
maxretry = 1


[sendmail-auth]

port = submission,465,smtp
logpath = %(syslog_mail)s


[sendmail-reject]

port = smtp,465,submission
logpath = %(syslog_mail)s


# Uses the qmail filter (the section name differs from the filter name).
[qmail-rbl]

filter = qmail
port = smtp,465,submission
logpath = /service/qmail/log/main/current


# dovecot logs to the mail syslog facility by default; the facility can be
# changed with syslog_facility in the dovecot configuration.
[dovecot]

port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s


# Sieve failures are read from the dovecot log.
[sieve]

port = smtp,465,submission
logpath = %(dovecot_log)s


[solid-pop3d]

port = pop3,pop3s
logpath = %(solidpop3d_log)s


[exim]

port = smtp,465,submission
logpath = %(exim_main_log)s


[exim-spam]

port = smtp,465,submission
logpath = %(exim_main_log)s


[kerio]

port = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log

#
# Mail server authenticators. The same credentials may serve smtp, ftp and
# imap, so every relevant port is banned at once.
#

[courier-auth]

port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s


[postfix-sasl]

port = smtp,465,submission,imap3,imaps,pop3,pop3s
# If you run postfix you might monitor /var/log/mail.warn instead: it carries
# the same lines at the "warn" level in a smaller file.
logpath = %(postfix_log)s


[perdition]

port = imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s


[squirrelmail]

port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log


[cyrus-imap]

port = imap3,imaps
logpath = %(syslog_mail)s


[uwimap-auth]

port = imap3,imaps
logpath = %(syslog_mail)s

#
# DNS servers
#

# !!! WARNING !!!
#   UDP is connection-less, so the source IP of a request is trivially
#   spoofed and so is the "illegal" activity a filter looks for. A jail that
#   bans on UDP log lines therefore hands an attacker an easy way to DoS a
#   victim of their choosing. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging.
# This jail blocks UDP traffic for DNS requests.
# [named-refused-udp]
#
# filter   = named-refused
# port     = domain,953
# protocol = udp
# logpath  = /var/log/named/security.log

# IMPORTANT: see filter.d/named-refused for instructions to enable logging.
# This jail blocks TCP traffic for DNS requests (protocol defaults to tcp).

[named-refused]

port = domain,953
logpath = /var/log/named/security.log


# The UDP warning above applies here too: the second action line bans on
# udp/53, i.e. on source addresses that can be spoofed.
[nsd]

port = 53
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/nsd.log

#
# Miscellaneous
#

# SIP: bans tcp and udp 5060/5061 separately and mails a whois report.
[asterisk]

port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 10


# Same action set as [asterisk].
[freeswitch]

port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/freeswitch.log
maxretry = 10


# MySQL does not log failed logins by default. Add to /etc/my.cnf in the
# [mysqld] (or equivalent) section:
# log-warning = 2
#
# and either send them to syslog (daemon facility):
# [mysqld_safe]
# syslog
#
# or to MySQL's own log file:
# [mysqld]
# log-error=/var/log/mysqld.log
[mysqld-auth]

port = 3306
logpath = %(mysql_log)s
maxretry = 5


# Longer bans for persistent abusers: this jail reads Fail2ban's own ban
# messages and re-bans on all ports for a week.
# !!! WARNINGS !!!
# 1. Make sure the loglevel in fail2ban.conf/.local is not DEBUG, otherwise
#    fail2ban can loop forever feeding itself non-informative lines.
# 2. Raise dbpurgeage in fail2ban.conf to e.g. 648000 (7.5 days) so that
#    failed-login entries are kept long enough.
# NOTE(review): /var/log/messages only carries the ban lines when fail2ban
# logs to syslog - confirm logtarget in fail2ban.local.
[recidive]

logpath = /var/log/messages
banaction = iptables-allports
# 1 week
bantime = 604800
# 1 day
findtime = 86400
maxretry = 5

# Generic PAM filter. Must be paired with an action that bans all ports,
# e.g. iptables-allports or shorewall. The filter can be customized to watch
# a specific subset of ttys.
[pam-generic]

banaction = iptables-allports
logpath = %(syslog_authpriv)s


[xinetd-fail]

banaction = iptables-multiport-log
logpath = %(syslog_daemon)s
maxretry = 2


# stunnel: no port is set here, so the [DEFAULT] port (0:65535) applies.
# Set the port of the tunnelled service in jail.local.
[stunnel]

logpath = /var/log/stunnel4/stunnel.log


[ejabberd-auth]

port = 5222
logpath = /var/log/ejabberd/ejabberd.log


# Game server: tcp and udp port lists differ, so each protocol gets its own
# action line with its own port variable.
# Firewall ports: http://www.cstrike-planet.com/faq/6
[counter-strike]

logpath = /opt/cstrike/logs/L[0-9]*.log
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]


# Nobody except your own Nagios server should ever probe nrpe, so a single
# attempt is enough; consider a long bantime as well.
[nagios]

enabled = false
# nrpe.cfg may define a different log_facility, in which case syslog_daemon
# is not the file to watch.
logpath = %(syslog_daemon)s
maxretry = 1


# See the "oracleims" filter file for the logging requirements of
# Oracle IMS v6 and above.
[oracleims]

enabled = false
logpath = /opt/sun/comms/messaging64/log/mail.log_current
maxretry = 6
banaction = iptables-allports


[directadmin]

enabled = false
logpath = /var/log/directadmin/login.log
port = 2222


[portsentry]

enabled = false
logpath = /var/lib/portsentry/portsentry.history
maxretry = 1


# pass2allow example: opens the FTP ports to a client after it authenticated
# successfully over HTTP (port knocking through the web server). blocktype
# and returntype are deliberately the reverse of a normal ban, and a single
# match within one second is enough.
[pass2allow-ftp]

port = ftp,ftp-data,ftps,ftps-data
# knocking_url must be overridden with a secret value in
# filter.d/apache-pass.local
filter = apache-pass
# access log of the site protected by HTTP auth
logpath = %(apache_access_log)s
blocktype = RETURN
returntype = DROP
bantime = 3600
maxretry = 1
findtime = 1