Subversion Repositories configs

# Fail2Ban jail base specification file

#

# HOW TO ACTIVATE JAILS:

#

# YOU SHOULD NOT MODIFY THIS FILE.

#

# It will probably be overwitten or improved in a distribution update.

#

# Provide customizations in a jail.local file or a jail.d/customisation.local.

# For example to change the default bantime for all jails and to enable the

# ssh-iptables jail the following (uncommented) would appear in the .local file.

# See man 5 jail.conf for details.

#

# [DEFAULT]

# bantime = 3600

#

# [ssh-iptables]

# enabled = true

# Comments: use '#' for comment lines and ';' (following a space) for inline comments

# The DEFAULT allows a global definition of the options. They can be overridden

# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not

# ban a host which matches an address in this list. Several addresses can be

# defined using space separator.

ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,

# and return true if the IP is to be ignored. False otherwise.

#

# ignorecommand = /path/to/command <ip>

ignorecommand =

# "bantime" is the number of seconds that a host is banned.

bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"

# seconds.

findtime  = 600

# "maxretry" is the number of failures before a host get banned.

maxretry = 3

# "backend" specifies the backend used to get files modification.

# Available options are "pyinotify", "gamin", "polling" and "auto".

# This option can be overridden in each jail as well.

#

# pyinotify: requires pyinotify (a file alteration monitor) to be installed.

#              If pyinotify is not installed, Fail2ban will use auto.

# gamin:     requires Gamin (a file alteration monitor) to be installed.

#              If Gamin is not installed, Fail2ban will use auto.

# polling:   uses a polling algorithm which does not require external libraries.

# auto:      will try to use the following backends, in order:

#              pyinotify, gamin, polling.

backend = auto

# "usedns" specifies if jails should trust hostnames in logs,

#   warn when DNS lookups are performed, or ignore all hostnames in logs

#

# yes:   if a hostname is encountered, a DNS lookup will be performed.

# warn:  if a hostname is encountered, a DNS lookup will be performed,

#        but it will be logged as a warning.

# no:    if a hostname is encountered, will not be used for banning,

#        but it will be logged as info.

usedns = warn

# This jail corresponds to the standard configuration in Fail2ban.

# The mail-whois action send a notification e-mail with a whois request

# in the body.

[pam-generic]

enabled = false

filter  = pam-generic

action  = iptables-allports[name=pam,protocol=all]

logpath = /var/log/secure

[xinetd-fail]

enabled = false

filter  = xinetd-fail

action  = iptables-allports[name=xinetd,protocol=all]

logpath = /var/log/daemon*log

[ssh-iptables]

enabled  = true

filter   = sshd

action   = iptables[name=SSH, port=ssh, protocol=tcp]

           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]

logpath  = /var/log/secure

maxretry = 5

[ssh-ddos]

enabled  = false

filter   = sshd-ddos

action   = iptables[name=SSHDDOS, port=ssh, protocol=tcp]

logpath  = /var/log/sshd.log

maxretry = 2

[dropbear]

enabled  = false

filter   = dropbear

action   = iptables[name=dropbear, port=ssh, protocol=tcp]

logpath  = /var/log/messages

maxretry = 5

[proftpd-iptables]

enabled  = false

filter   = proftpd

action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]

           sendmail-whois[name=ProFTPD, dest=you@example.com]

logpath  = /var/log/proftpd/proftpd.log

maxretry = 6

[gssftpd-iptables]

enabled  = false

filter   = gssftpd

action   = iptables[name=GSSFTPd, port=ftp, protocol=tcp]

           sendmail-whois[name=GSSFTPd, dest=you@example.com]

logpath  = /var/log/daemon.log

maxretry = 6

[pure-ftpd]

enabled  = false

filter   = pure-ftpd

action   = iptables[name=pureftpd, port=ftp, protocol=tcp]

logpath  = /var/log/pureftpd.log

maxretry = 6

[wuftpd]

enabled  = false

filter   = wuftpd

action   = iptables[name=wuftpd, port=ftp, protocol=tcp]

logpath  = /var/log/daemon.log

maxretry = 6

[sendmail-auth]

enabled  = false

filter   = sendmail-auth

action   = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]

logpath  = /var/log/mail.log

[sendmail-reject]

enabled  = false

filter   = sendmail-reject

action   = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]

logpath  = /var/log/mail.log

# This jail forces the backend to "polling".

[sasl-iptables]

enabled  = false

filter   = postfix-sasl

backend  = polling

action   = iptables[name=sasl, port=smtp, protocol=tcp]

           sendmail-whois[name=sasl, dest=you@example.com]

logpath  = /var/log/mail.log

# ASSP SMTP Proxy Jail

[assp]

enabled = false

filter  = assp

action  = iptables-multiport[name=assp,port="25,465,587"]

logpath = /root/path/to/assp/logs/maillog.txt

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is

# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled     = false

filter      = sshd

action      = hostsdeny[daemon_list=sshd]

              sendmail-whois[name=SSH, dest=you@example.com]

ignoreregex = for myuser from

logpath     = /var/log/sshd.log

# Here we use blackhole routes for not requiring any additional kernel support

# to store large volumes of banned IPs

[ssh-route]

enabled  = false

filter   = sshd

action   = route

logpath  = /var/log/sshd.log

maxretry = 5

# Here we use a combination of Netfilter/Iptables and IPsets

# for storing large volumes of banned IPs

#

# IPset comes in two versions. See ipset -V for which one to use

# requires the ipset package and kernel support.

[ssh-iptables-ipset4]

enabled  = false

filter   = sshd

action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]

logpath  = /var/log/sshd.log

maxretry = 5

[ssh-iptables-ipset6]

enabled  = false

filter   = sshd

action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]

logpath  = /var/log/sshd.log

maxretry = 5

# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.

# table number must be unique.

#

# This will create a deny rule for that table ONLY if a rule

# for the table doesn't ready exist.

#

[ssh-bsd-ipfw]

enabled  = false

filter   = sshd

action   = bsd-ipfw[port=ssh,table=1]

logpath  = /var/log/auth.log

maxretry = 5

# This jail demonstrates the use of wildcards in "logpath".

# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled  = false

filter	 = apache-auth

action   = hostsdeny

logpath  = /var/log/apache*/*error.log

           /home/www/myhomepage/error.log

maxretry = 6

[apache-modsecurity]

enabled  = false

filter	 = apache-modsecurity

action   = iptables-multiport[name=apache-modsecurity,port="80,443"]

logpath  = /var/log/apache*/*error.log

           /home/www/myhomepage/error.log

maxretry = 2

[apache-overflows]

enabled  = false

filter	 = apache-overflows

action   = iptables-multiport[name=apache-overflows,port="80,443"]

logpath  = /var/log/apache*/*error.log

           /home/www/myhomepage/error.log

maxretry = 2

[apache-nohome]

enabled  = false

filter	 = apache-nohome

action   = iptables-multiport[name=apache-nohome,port="80,443"]

logpath  = /var/log/apache*/*error.log

           /home/www/myhomepage/error.log

maxretry = 2

[nginx-http-auth]

enabled = false

filter  = nginx-http-auth

action  = iptables-multiport[name=nginx-http-auth,port="80,443"]

logpath = /var/log/nginx/error.log

[squid]

enabled = false

filter  = squid

action  = iptables-multiport[name=squid,port="80,443,8080"]

logpath = /var/log/squid/access.log

# The hosts.deny path can be defined with the "file" argument if it is

# not in /etc.

[postfix-tcpwrapper]

enabled  = false

filter   = postfix

action   = hostsdeny[file=/not/a/standard/path/hosts.deny]

           sendmail[name=Postfix, dest=you@example.com]

logpath  = /var/log/postfix.log

bantime  = 300

[cyrus-imap]

enabled = false

filter  = cyrus-imap

action  = iptables-multiport[name=cyrus-imap,port="143,993"]

logpath = /var/log/mail*log

[courierlogin]

enabled = false

filter  = courierlogin

action  = iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"]

logpath = /var/log/mail*log

[couriersmtp]

enabled = false

filter  = couriersmtp

action  = iptables-multiport[name=couriersmtp,port="25,465,587"]

logpath = /var/log/mail*log

[qmail-rbl]

enabled = false

filter  = qmail

action  = iptables-multiport[name=qmail-rbl,port="25,465,587"]

logpath = /service/qmail/log/main/current

[sieve]

enabled = false

filter  = sieve

action  = iptables-multiport[name=sieve,port="25,465,587"]

logpath = /var/log/mail*log

# Do not ban anybody. Just report information about the remote host.

# A notification is sent at most every 600 seconds (bantime).

[vsftpd-notification]

enabled  = false

filter   = vsftpd

action   = sendmail-whois[name=VSFTPD, dest=you@example.com]

logpath  = /var/log/vsftpd.log

maxretry = 5

bantime  = 1800

# Same as above but with banning the IP address.

[vsftpd-iptables]

enabled  = false

filter   = vsftpd

action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]

           sendmail-whois[name=VSFTPD, dest=you@example.com]

logpath  = /var/log/vsftpd.log

maxretry = 5

bantime  = 1800

# Ban hosts which agent identifies spammer robots crawling the web

# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled  = false

filter   = apache-badbots

action   = iptables-multiport[name=BadBots, port="http,https"]

           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]

logpath  = /var/www/*/logs/access_log

bantime  = 172800

maxretry = 1

# Use shorewall instead of iptables.

[apache-shorewall]

enabled  = false

filter   = apache-noscript

action   = shorewall

           sendmail[name=Postfix, dest=you@example.com]

logpath  = /var/log/apache2/error_log

# Monitor roundcube server

[roundcube-iptables]

enabled  = false

filter   = roundcube-auth

action   = iptables-multiport[name=RoundCube, port="http,https"]

logpath  = /var/log/roundcube/userlogins

# Monitor SOGo groupware server

[sogo-iptables]

enabled  = false

filter   = sogo-auth

# without proxy this would be:

# port    = 20000

action   = iptables-multiport[name=SOGo, port="http,https"]

logpath  = /var/log/sogo/sogo.log

[groupoffice]

enabled  = false

filter   = groupoffice

action   = iptables-multiport[name=groupoffice, port="http,https"]

logpath  = /home/groupoffice/log/info.log

[openwebmail]

enabled  = false

filter   = openwebmail

logpath  = /var/log/openwebmail.log

action   = ipfw

           sendmail-whois[name=openwebmail, dest=you@example.com]

maxretry = 5

[horde]

enabled  = false

filter   = horde

logpath  = /var/log/horde/horde.log

action   = iptables-multiport[name=horde, port="http,https"]

maxretry = 5

# Ban attackers that try to use PHP's URL-fopen() functionality

# through GET/POST variables. - Experimental, with more than a year

# of usage in production environments.

[php-url-fopen]

enabled  = false

action   = iptables-multiport[name=php-url-open, port="http,https"]

filter   = php-url-fopen

logpath  = /var/www/*/logs/access_log

maxretry = 1

[suhosin]

enabled  = false

filter   = suhosin

action   = iptables-multiport[name=suhosin, port="http,https"]

# adapt the following two items as needed

logpath  = /var/log/lighttpd/error.log

maxretry = 2

[lighttpd-auth]

enabled  = false

filter   = lighttpd-auth

action   = iptables-multiport[name=lighttpd-auth, port="http,https"]

# adapt the following two items as needed

logpath  = /var/log/lighttpd/error.log

maxretry = 2

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"

# option is overridden in this jail. Moreover, the action "mail-whois" defines

# the variable "name" which contains a comma using "". The characters '' are

# valid too.

[ssh-ipfw]

enabled  = false

filter   = sshd

action   = ipfw[localhost=192.168.0.1]

           sendmail-whois[name="SSH,IPFW", dest=you@example.com]

logpath  = /var/log/auth.log

ignoreip = 168.192.0.1

# !!! WARNING !!!

#   Since UDP is connection-less protocol, spoofing of IP and imitation

#   of illegal actions is way too simple.  Thus enabling of this filter

#   might provide an easy way for implementing a DoS against a chosen

#   victim. See

#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html

#   Please DO NOT USE this jail unless you know what you are doing.

#

# IMPORTANT: see filter.d/named-refused for instructions to enable logging

# This jail blocks UDP traffic for DNS requests.

# [named-refused-udp]

#

# enabled  = false

# filter   = named-refused

# action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]

#            sendmail-whois[name=Named, dest=you@example.com]

# logpath  = /var/log/named/security.log

# ignoreip = 168.192.0.1

# IMPORTANT: see filter.d/named-refused for instructions to enable logging

# This jail blocks TCP traffic for DNS requests.

[named-refused-tcp]

enabled  = false

filter   = named-refused

action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]

           sendmail-whois[name=Named, dest=you@example.com]

logpath  = /var/log/named/security.log

ignoreip = 168.192.0.1

[nsd]

enabled = false

filter  = nsd

action  = iptables-multiport[name=nsd-tcp, port="domain", protocol=tcp]

          iptables-multiport[name=nsd-udp, port="domain", protocol=udp]

logpath = /var/log/nsd.log

[asterisk]

enabled  = false

filter   = asterisk

action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]

           iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]

           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]

logpath  = /var/log/asterisk/messages

maxretry = 10

[freeswitch]

enabled  = false

filter   = freeswitch

logpath  = /var/log/freeswitch.log

maxretry = 10

action   = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp]

           iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp]

[ejabberd-auth]

enabled = false

filter = ejabberd-auth

logpath = /var/log/ejabberd/ejabberd.log

action   = iptables[name=ejabberd, port=xmpp-client, protocol=tcp]

#  Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )

#  use [asterisk] for new jails

[asterisk-tcp]

enabled  = false

filter   = asterisk

action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]

           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]

logpath  = /var/log/asterisk/messages

maxretry = 10

#  Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )

#  use [asterisk] for new jails

[asterisk-udp]

enabled  = false

filter	 = asterisk

action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]

           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]

logpath  = /var/log/asterisk/messages

maxretry = 10

[mysqld-iptables]

enabled  = false

filter   = mysqld-auth

action   = iptables[name=mysql, port=3306, protocol=tcp]

           sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]

logpath  = /var/log/mysqld.log

maxretry = 5

[mysqld-syslog]

enabled  = false

filter   = mysqld-auth

action   = iptables[name=mysql, port=3306, protocol=tcp]

logpath  = /var/log/daemon.log

maxretry = 5

# Jail for more extended banning of persistent abusers

# !!! WARNING !!!

#   Make sure that your loglevel specified in fail2ban.conf/.local

#   is not at DEBUG level -- which might then cause fail2ban to fall into

#   an infinite loop constantly feeding itself with non-informative lines

[recidive]

enabled  = false

filter   = recidive

logpath  = /var/log/fail2ban.log

action   = iptables-allports[name=recidive,protocol=all]

           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]

bantime  = 604800  ; 1 week

findtime = 86400   ; 1 day

maxretry = 5

# PF is a BSD based firewall

[ssh-pf]

enabled  = false

filter   = sshd

action   = pf

logpath  = /var/log/sshd.log

maxretry = 5

[3proxy]

enabled = false

filter  = 3proxy

action  = iptables[name=3proxy, port=3128, protocol=tcp]

logpath = /var/log/3proxy.log

[exim]

enabled = false

filter  = exim

action  = iptables-multiport[name=exim,port="25,465,587"]

logpath = /var/log/exim/mainlog

[exim-spam]

enabled = false

filter  = exim-spam

action  = iptables-multiport[name=exim-spam,port="25,465,587"]

logpath = /var/log/exim/mainlog

[perdition]

enabled = false

filter  = perdition

action  = iptables-multiport[name=perdition,port="110,143,993,995"]

logpath = /var/log/maillog

[uwimap-auth]

enabled = false

filter  = uwimap-auth

action  = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]

logpath = /var/log/maillog

[osx-ssh-ipfw]

enabled  = false

filter   = sshd

action   = osx-ipfw

logpath  = /var/log/secure.log

maxretry = 5

[ssh-apf]

enabled = false

filter  = sshd

action  = apf[name=SSH]

logpath = /var/log/secure

maxretry = 5

[osx-ssh-afctl]

enabled  = false

filter   = sshd

action   = osx-afctl[bantime=600]

logpath  = /var/log/secure.log

maxretry = 5

[webmin-auth]

enabled = false

filter  = webmin-auth

action  = iptables-multiport[name=webmin,port="10000"]

logpath = /var/log/auth.log

# dovecot defaults to logging to the mail syslog facility

# but can be set by syslog_facility in the dovecot configuration.

[dovecot]

enabled = false

filter  = dovecot

action  = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]

logpath = /var/log/mail.log

[dovecot-auth]

enabled = false

filter  = dovecot

action  = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]

logpath = /var/log/secure

[solid-pop3d]

enabled = false

filter  = solid-pop3d

action  = iptables-multiport[name=solid-pop3, port="pop3,pop3s", protocol=tcp]

logpath = /var/log/mail.log

[selinux-ssh]

enabled  = false

filter   = selinux-ssh

action   = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]

logpath  = /var/log/audit/audit.log

maxretry = 5

# See the IMPORTANT note in action.d/blocklist_de.conf for when to

# use this action

#

# Report block via blocklist.de fail2ban reporting service API

# See action.d/blocklist_de.conf for more information

[ssh-blocklist]

enabled  = false

filter   = sshd

action   = iptables[name=SSH, port=ssh, protocol=tcp]

           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]

           blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s]

logpath  = /var/log/sshd.log

maxretry = 20

# consider low maxretry and a long bantime

# nobody except your own Nagios server should ever probe nrpe

[nagios]

enabled  = false

filter   = nagios

action   = iptables[name=Nagios, port=5666, protocol=tcp]

           sendmail-whois[name=Nagios, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]

logpath  = /var/log/messages     ; nrpe.cfg may define a different log_facility

maxretry = 1