Last active
August 16, 2016 13:37
-
-
Save arush-sal/332d9910cadbd89f0e0f49f6d274520f to your computer and use it in GitHub Desktop.
fail2ban basic config for port 22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# WARNING: heavily refactored in 0.9.0 release. Please review and | |
# customize settings for your setup. | |
# | |
# Changes: in most of the cases you should not modify this | |
# file, but provide customizations in jail.local file, | |
# or separate .conf files under jail.d/ directory, e.g.: | |
# | |
# HOW TO ACTIVATE JAILS: | |
# | |
# YOU SHOULD NOT MODIFY THIS FILE. | |
# | |
# It will probably be overwritten or improved in a distribution update. | |
# | |
# Provide customizations in a jail.local file or a jail.d/customisation.local. | |
# For example to change the default bantime for all jails and to enable the | |
# ssh-iptables jail the following (uncommented) would appear in the .local file. | |
# See man 5 jail.conf for details. | |
# | |
# [DEFAULT] | |
# bantime = 3600 | |
# | |
# [sshd] | |
# enabled = true | |
# | |
# See jail.conf(5) man page for more information | |
# Comments: use '#' for comment lines and ';' (following a space) for inline comments | |
[INCLUDES] | |
#before = paths-distro.conf | |
before = paths-debian.conf | |
# The DEFAULT allows a global definition of the options. They can be overridden | |
# in each jail afterwards. | |
[DEFAULT] | |
# | |
# MISCELLANEOUS OPTIONS | |
# | |
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not | |
# ban a host which matches an address in this list. Several addresses can be | |
# defined using space separator. | |
ignoreip = 127.0.0.1/8 123.201.118.6 123.252.233.82 | |
# External command that will take an tagged arguments to ignore, e.g. <ip>, | |
# and return true if the IP is to be ignored. False otherwise. | |
# | |
# ignorecommand = /path/to/command <ip> | |
ignorecommand = | |
# "bantime" is the number of seconds that a host is banned. | |
bantime = 600 | |
# A host is banned if it has generated "maxretry" during the last "findtime" | |
# seconds. | |
findtime = 600 | |
maxretry = 3 | |
# "backend" specifies the backend used to get files modification. | |
# Available options are "pyinotify", "gamin", "polling" and "auto". | |
# This option can be overridden in each jail as well. | |
# | |
# pyinotify: requires pyinotify (a file alteration monitor) to be installed. | |
# If pyinotify is not installed, Fail2ban will use auto. | |
# gamin: requires Gamin (a file alteration monitor) to be installed. | |
# If Gamin is not installed, Fail2ban will use auto. | |
# polling: uses a polling algorithm which does not require external libraries. | |
# auto: will try to use the following backends, in order: | |
# pyinotify, gamin, polling. | |
backend = auto | |
# "usedns" specifies if jails should trust hostnames in logs, | |
# warn when reverse DNS lookups are performed, or ignore all hostnames in logs | |
# | |
# yes: if a hostname is encountered, a reverse DNS lookup will be performed. | |
# warn: if a hostname is encountered, a reverse DNS lookup will be performed, | |
# but it will be logged as a warning. | |
# no: if a hostname is encountered, will not be used for banning, | |
# | |
# Name of the sender for mta actions | |
sendername = Fail2Ban | |
# | |
# ACTIONS | |
# | |
# Default banning action (e.g. iptables, iptables-new, | |
# iptables-multiport, shorewall, etc) It is used to define | |
# action_* variables. Can be overridden globally or per | |
# section within jail.local file | |
banaction = iptables-multiport | |
# email action. Since 0.8.1 upstream fail2ban uses sendmail | |
# MTA for the mailing. Change mta configuration parameter to mail | |
# if you want to revert to conventional 'mail'. | |
mta = sendmail | |
# Default protocol | |
protocol = tcp | |
# Specify chain where jumps would need to be added in iptables-* actions | |
chain = INPUT | |
# | |
# Action shortcuts. To be used to define action parameter | |
# The simplest action to take: ban only | |
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] | |
# ban & send an e-mail with whois report to the destemail. | |
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] | |
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] | |
# ban & send an e-mail with whois report and relevant log lines | |
# to the destemail. | |
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] | |
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] | |
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action | |
# | |
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines | |
# to the destemail. | |
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] | |
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] | |
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines | |
# to the destemail. | |
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] | |
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] | |
# Report block via blocklist.de fail2ban reporting service API | |
# | |
# See the IMPORTANT note in action.d/blocklist_de.conf for when to | |
# use this action. Create a file jail.d/blocklist_de.local containing | |
# [Init] | |
# blocklist_de_apikey = {api key from registration] | |
# | |
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"] | |
# Report ban via badips.com, and use as blacklist | |
# | |
# See BadIPsAction docstring in config/action.d/badips.py for | |
# documentation for this action. | |
# | |
# NOTE: This action relies on banaction being present on start and therefore | |
# should be last action defined for a jail. | |
# | |
action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"] | |
# Choose default action. To change, just override value of 'action' with the | |
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local | |
# globally (section [DEFAULT]) or per specific section | |
action = %(action_)s | |
# | |
# JAILS | |
# | |
# | |
# SSH servers | |
# | |
[ssh] | |
enabled = true | |
port = ssh | |
filter = sshd | |
logpath = /var/log/auth.log | |
maxretry = 6 | |
[sshd-ddos] | |
# This jail corresponds to the standard configuration in Fail2ban. | |
# The mail-whois action send a notification e-mail with a whois request | |
# in the body. | |
port = ssh | |
logpath = %(sshd_log)s | |
[dropbear] | |
port = ssh | |
logpath = %(dropbear_log)s | |
[selinux-ssh] | |
port = ssh | |
logpath = %(auditd_log)s | |
maxretry = 5 | |
# | |
# HTTP servers | |
# | |
[apache-auth] | |
port = http,https | |
logpath = %(apache_error_log)s | |
[apache-badbots] | |
# Ban hosts which agent identifies spammer robots crawling the web | |
# for email addresses. The mail outputs are buffered. | |
port = http,https | |
logpath = %(apache_access_log)s | |
bantime = 172800 | |
maxretry = 1 | |
[apache-noscript] | |
port = http,https | |
logpath = %(apache_error_log)s | |
maxretry = 6 | |
[apache-overflows] | |
port = http,https | |
logpath = %(apache_error_log)s | |
maxretry = 2 | |
[apache-nohome] | |
port = http,https | |
logpath = %(apache_error_log)s | |
maxretry = 2 | |
[apache-botsearch] | |
port = http,https | |
logpath = %(apache_error_log)s | |
maxretry = 2 | |
[apache-fakegooglebot] | |
port = http,https | |
logpath = %(apache_access_log)s | |
maxretry = 1 | |
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip> | |
[apache-modsecurity] | |
port = http,https | |
logpath = %(apache_error_log)s | |
maxretry = 2 | |
[apache-shellshock] | |
port = http,https | |
logpath = %(apache_error_log)s | |
maxretry = 1 | |
[nginx-http-auth] | |
port = http,https | |
logpath = %(nginx_error_log)s | |
[nginx-botsearch] | |
port = http,https | |
logpath = %(nginx_error_log)s | |
maxretry = 2 | |
# Ban attackers that try to use PHP's URL-fopen() functionality | |
# through GET/POST variables. - Experimental, with more than a year | |
# of usage in production environments. | |
[php-url-fopen] | |
port = http,https | |
logpath = %(nginx_access_log)s | |
%(apache_access_log)s | |
[suhosin] | |
port = http,https | |
logpath = %(suhosin_log)s | |
[lighttpd-auth] | |
# Same as above for Apache's mod_auth | |
# It catches wrong authentifications | |
port = http,https | |
logpath = %(lighttpd_error_log)s | |
# | |
# Webmail and groupware servers | |
# | |
[roundcube-auth] | |
port = http,https | |
logpath = logpath = %(roundcube_errors_log)s | |
[openwebmail] | |
port = http,https | |
logpath = /var/log/openwebmail.log | |
[horde] | |
port = http,https | |
logpath = /var/log/horde/horde.log | |
[groupoffice] | |
port = http,https | |
logpath = /home/groupoffice/log/info.log | |
[sogo-auth] | |
# Monitor SOGo groupware server | |
# without proxy this would be: | |
# port = 20000 | |
port = http,https | |
logpath = /var/log/sogo/sogo.log | |
[tine20] | |
logpath = /var/log/tine20/tine20.log | |
port = http,https | |
maxretry = 5 | |
# | |
# Web Applications | |
# | |
# | |
[drupal-auth] | |
port = http,https | |
logpath = %(syslog_daemon)s | |
[guacamole] | |
port = http,https | |
logpath = /var/log/tomcat*/catalina.out | |
[monit] | |
#Ban clients brute-forcing the monit gui login | |
filter = monit | |
port = 2812 | |
logpath = /var/log/monit | |
[webmin-auth] | |
port = 10000 | |
logpath = %(syslog_authpriv)s | |
[froxlor-auth] | |
port = http,https | |
logpath = %(syslog_authpriv)s | |
# | |
# HTTP Proxy servers | |
# | |
# | |
[squid] | |
port = 80,443,3128,8080 | |
logpath = /var/log/squid/access.log | |
[3proxy] | |
port = 3128 | |
logpath = /var/log/3proxy.log | |
# | |
# FTP servers | |
# | |
[proftpd] | |
port = ftp,ftp-data,ftps,ftps-data | |
logpath = %(proftpd_log)s | |
[pure-ftpd] | |
port = ftp,ftp-data,ftps,ftps-data | |
logpath = %(pureftpd_log)s | |
maxretry = 6 | |
[gssftpd] | |
port = ftp,ftp-data,ftps,ftps-data | |
logpath = %(syslog_daemon)s | |
maxretry = 6 | |
[wuftpd] | |
port = ftp,ftp-data,ftps,ftps-data | |
logpath = %(wuftpd_log)s | |
maxretry = 6 | |
[vsftpd] | |
# or overwrite it in jails.local to be | |
# logpath = %(syslog_authpriv)s | |
# if you want to rely on PAM failed login attempts | |
# vsftpd's failregex should match both of those formats | |
port = ftp,ftp-data,ftps,ftps-data | |
logpath = %(vsftpd_log)s | |
# | |
# Mail servers | |
# | |
# ASSP SMTP Proxy Jail | |
[assp] | |
port = smtp,465,submission | |
logpath = /root/path/to/assp/logs/maillog.txt | |
[courier-smtp] | |
port = smtp,465,submission | |
logpath = %(syslog_mail)s | |
[postfix] | |
port = smtp,465,submission | |
logpath = %(postfix_log)s | |
[postfix-rbl] | |
port = smtp,465,submission | |
logpath = %(syslog_mail)s | |
maxretry = 1 | |
[sendmail-auth] | |
port = submission,465,smtp | |
logpath = %(syslog_mail)s | |
[sendmail-reject] | |
port = smtp,465,submission | |
logpath = %(syslog_mail)s | |
[qmail-rbl] | |
filter = qmail | |
port = smtp,465,submission | |
logpath = /service/qmail/log/main/current | |
# dovecot defaults to logging to the mail syslog facility | |
# but can be set by syslog_facility in the dovecot configuration. | |
[dovecot] | |
port = pop3,pop3s,imap,imaps,submission,465,sieve | |
logpath = %(dovecot_log)s | |
[sieve] | |
port = smtp,465,submission | |
logpath = %(dovecot_log)s | |
[solid-pop3d] | |
port = pop3,pop3s | |
logpath = %(solidpop3d_log)s | |
[exim] | |
port = smtp,465,submission | |
logpath = %(exim_main_log)s | |
[exim-spam] | |
port = smtp,465,submission | |
logpath = %(exim_main_log)s | |
[kerio] | |
port = imap,smtp,imaps,465 | |
logpath = /opt/kerio/mailserver/store/logs/security.log | |
# | |
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so | |
# all relevant ports get banned | |
# | |
[courier-auth] | |
port = smtp,465,submission,imap3,imaps,pop3,pop3s | |
logpath = %(syslog_mail)s | |
[postfix-sasl] | |
port = smtp,465,submission,imap3,imaps,pop3,pop3s | |
# You might consider monitoring /var/log/mail.warn instead if you are | |
# running postfix since it would provide the same log lines at the | |
# "warn" level but overall at the smaller filesize. | |
logpath = %(postfix_log)s | |
[perdition] | |
port = imap3,imaps,pop3,pop3s | |
logpath = %(syslog_mail)s | |
[squirrelmail] | |
port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks | |
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log | |
[cyrus-imap] | |
port = imap3,imaps | |
logpath = %(syslog_mail)s | |
[uwimap-auth] | |
port = imap3,imaps | |
logpath = %(syslog_mail)s | |
# | |
# | |
# DNS servers | |
# | |
# !!! WARNING !!! | |
# Since UDP is connection-less protocol, spoofing of IP and imitation | |
# of illegal actions is way too simple. Thus enabling of this filter | |
# might provide an easy way for implementing a DoS against a chosen | |
# victim. See | |
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html | |
# Please DO NOT USE this jail unless you know what you are doing. | |
# | |
# IMPORTANT: see filter.d/named-refused for instructions to enable logging | |
# This jail blocks UDP traffic for DNS requests. | |
# [named-refused-udp] | |
# | |
# filter = named-refused | |
# port = domain,953 | |
# protocol = udp | |
# logpath = /var/log/named/security.log | |
# IMPORTANT: see filter.d/named-refused for instructions to enable logging | |
# This jail blocks TCP traffic for DNS requests. | |
[named-refused] | |
port = domain,953 | |
logpath = /var/log/named/security.log | |
[nsd] | |
port = 53 | |
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] | |
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] | |
logpath = /var/log/nsd.log | |
# | |
# Miscellaneous | |
# | |
[asterisk] | |
port = 5060,5061 | |
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] | |
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] | |
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] | |
logpath = /var/log/asterisk/messages | |
maxretry = 10 | |
[freeswitch] | |
port = 5060,5061 | |
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] | |
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] | |
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] | |
logpath = /var/log/freeswitch.log | |
maxretry = 10 | |
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or | |
# equivalent section: | |
# log-warning = 2 | |
# | |
# for syslog (daemon facility) | |
# [mysqld_safe] | |
# syslog | |
# | |
# for own logfile | |
# [mysqld] | |
# log-error=/var/log/mysqld.log | |
[mysqld-auth] | |
port = 3306 | |
logpath = %(mysql_log)s | |
maxretry = 5 | |
# Jail for more extended banning of persistent abusers | |
# !!! WARNINGS !!! | |
# 1. Make sure that your loglevel specified in fail2ban.conf/.local | |
# is not at DEBUG level -- which might then cause fail2ban to fall into | |
# an infinite loop constantly feeding itself with non-informative lines | |
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) | |
# to maintain entries for failed logins for sufficient amount of time | |
[recidive] | |
logpath = /var/log/fail2ban.log | |
banaction = iptables-allports | |
bantime = 604800 ; 1 week | |
findtime = 86400 ; 1 day | |
maxretry = 5 | |
# Generic filter for PAM. Has to be used with action which bans all | |
# ports such as iptables-allports, shorewall | |
[pam-generic] | |
# pam-generic filter can be customized to monitor specific subset of 'tty's | |
banaction = iptables-allports | |
logpath = %(syslog_authpriv)s | |
[xinetd-fail] | |
banaction = iptables-multiport-log | |
logpath = %(syslog_daemon)s | |
maxretry = 2 | |
# stunnel - need to set port for this | |
[stunnel] | |
logpath = /var/log/stunnel4/stunnel.log | |
[ejabberd-auth] | |
port = 5222 | |
logpath = /var/log/ejabberd/ejabberd.log | |
[counter-strike] | |
logpath = /opt/cstrike/logs/L[0-9]*.log | |
# Firewall: http://www.cstrike-planet.com/faq/6 | |
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 | |
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 | |
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] | |
%(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] | |
# consider low maxretry and a long bantime | |
# nobody except your own Nagios server should ever probe nrpe | |
[nagios] | |
enabled = false | |
logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility | |
maxretry = 1 | |
[oracleims] | |
# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above | |
enabled = false | |
logpath = /opt/sun/comms/messaging64/log/mail.log_current | |
maxretry = 6 | |
banaction = iptables-allports | |
[directadmin] | |
enabled = false | |
logpath = /var/log/directadmin/login.log | |
port = 2222 | |
[portsentry] | |
enabled = false | |
logpath = /var/lib/portsentry/portsentry.history | |
maxretry = 1 | |
[pass2allow-ftp] | |
# this pass2allow example allows FTP traffic after successful HTTP authentication | |
port = ftp,ftp-data,ftps,ftps-data | |
# knocking_url variable must be overridden to some secret value in filter.d/apache-pass.local | |
filter = apache-pass | |
# access log of the website with HTTP auth | |
logpath = %(apache_access_log)s | |
blocktype = RETURN | |
returntype = DROP | |
bantime = 3600 | |
maxretry = 1 | |
findtime = 1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment