Created
April 5, 2020 12:09
Some example fail2ban configuration
#
# Date pattern override for the Apache access-log timestamp.
#
# This supersedes the old and incorrect datepattern regex for older Apache2
# instances so that it also works against Apache 2.4+ ones. The pattern
# matches the bracketed Common Log Format date, e.g.
# [05/Apr/2020:12:09:00 +0000].
#
# fail2ban loads this file through Python's configparser with %(name)s
# interpolation on, so every literal percent sign has to be written as %%;
# at load time the value becomes \[(%d/%b/%Y:%H:%M:%S %z)\].
#
# NOTE(review): the file this [DEFAULT] section lives in is not shown here.
# If it is apache-common.local, the override also reaches the error-log
# based Apache filters (apache-auth and friends), whose timestamps use a
# different layout - confirm the intended scope.
#
# Mariusz B. / mgeeky
#
[DEFAULT]
datepattern = \[(%%d/%%b/%%Y:%%H:%%M:%%S %%z)\]
#
# My fail2ban jail.local
#
# Local overrides for fail2ban's jail.conf. Keys under [DEFAULT] apply to
# every jail below unless the jail sets its own value. The %(name)s
# references used by the jails are resolved by fail2ban from its own
# configuration (jail.conf and the paths-* files), not from this file.
#
# Mariusz B. / mgeeky
#
[DEFAULT]
# Lengthen the ban each time the same address is banned again.
# NOTE(review): bantime.increment needs fail2ban 0.11 or newer - confirm
# the installed version.
bantime.increment = true
# Initial ban length. fail2ban accepts bare seconds or s/m/h/d/w suffixes;
# several jails below override this with bare seconds.
bantime = 15m
# Window within which maxretry failures must occur to trigger a ban.
findtime = 30m
# Never ban loopback (IPv4 and IPv6). Comma-separated addresses or CIDRs.
ignoreip = 127.0.0.1/8, ::1
#
# JAILS
#
# A jail pairs a filter (filter.d/<jail>.conf unless "filter" says
# otherwise) with a log file and the ports to block. Anything a jail does
# not set comes from [DEFAULT] above, then from fail2ban's stock jail.conf.
# Bare bantime numbers are seconds (600 = 10 minutes).
#

# Failed SSH logins.
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s

# HTTP basic/digest authentication failures, which Apache writes to the
# error log.
[apache-auth]
enabled = true
port = http,https
logpath = %(apache_error_log)s
maxretry = 3
bantime = 600

[apache-badbots]
# Ban hosts whose user agent identifies spam robots crawling the web
# for email addresses. One hit suffices (maxretry = 1) and the ban lasts
# 172800 s = 48 h. The mail outputs are buffered.
enabled = true
port = http,https
logpath = %(apache_access_log)s
bantime = 172800
maxretry = 1

# Requests for well-known files that only scanners probe for
# (see filter.d/apache-botsearch.conf).
# NOTE(review): the stock apache-botsearch filter matches error-log lines
# (the "File does not exist" entries built on apache-common.conf). Pointed
# at the access log it will never fire - use %(apache_error_log)s unless a
# local filter override reads the access log.
[apache-botsearch]
enabled = true
port = http,https
logpath = %(apache_access_log)s
maxretry = 3
bantime = 600

# Requests for script files the site does not serve
# (see filter.d/apache-noscript.conf).
# NOTE(review): same concern as apache-botsearch - the stock filter reads
# the error log, not the access log.
[apache-noscript]
enabled = true
port = http,https
logpath = %(apache_access_log)s
maxretry = 3
bantime = 600

# Requests blocked by mod_security; only meaningful when the module is
# loaded.
# NOTE(review): ModSecurity writes its "Access denied" lines to the error
# log and the stock filter matches that format; confirm this logpath
# against the filter actually in use.
[apache-modsecurity]
enabled = true
port = http,https
logpath = %(apache_access_log)s
maxretry = 5
bantime = 600
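# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
enabled = true
port = http,https
# Two log files are watched. The continuation line MUST be indented:
# at column 0 the parser reads "%(apache_access_log)s" as a key of its own
# (no "=" present) and the whole file fails to parse.
logpath = %(nginx_access_log)s
          %(apache_access_log)s
maxretry = 3

# Squid proxy abuse. Squid keeps its own log, hence the literal path;
# the port list covers the usual proxy listeners as well as http/https.
[squid]
enabled = true
port = 80,443,3128,8080
logpath = /var/log/squid/access.log
maxretry = 3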
# Mail jails. postfix, sendmail and dovecot read %(postfix_log)s,
# %(syslog_mail)s and %(dovecot_log)s with the matching *_backend
# variables; all of these come from fail2ban's own path definitions.

[postfix]
# "mode" selects which postfix log lines the filter counts; see
# filter.d/postfix.conf for the available modes. To use another mode set
# the filter parameter "mode" in jail.local.
enabled = true
mode = more
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s

# Clients rejected by postfix's RBL lookups; a single hit is enough.
[postfix-rbl]
enabled = true
filter = postfix[mode=rbl]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1

# Failed SMTP AUTH against sendmail, read from the mail syslog.
[sendmail-auth]
enabled = true
port = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[sendmail-reject]
# To use more aggressive modes set the filter parameter "mode" in jail.local:
# normal (default), extra or aggressive
# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
#mode = normal
enabled = true
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

# ManageSieve failures, logged by dovecot.
# NOTE(review): the ports listed are the SMTP ones (as in fail2ban's stock
# jail.conf); the ManageSieve port itself is only closed by the [dovecot]
# jail above - confirm that is intended.
[sieve]
enabled = true
port = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

# SASL authentication failures reported by postfix; the ban also closes
# the IMAP/POP3 ports listed here.
[postfix-sasl]
enabled = true
filter = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
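# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
# to maintain entries for failed logins for sufficient amount of time
[recidive]
# Stated explicitly instead of the blank "enabled =" this file used to
# carry: an empty value is not a boolean, fail2ban's config reader rejects
# it with a warning and falls back to the default, so the jail was off
# anyway. Set this to true - after acting on the warnings above - to
# actually arm recidive.
enabled = false
logpath = /var/log/fail2ban.log
# Repeat offenders are blocked on every port for a week once they collect
# enough bans within a day.
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d

# -------------------------------
# Custom jails. fail2ban looks for filter.d/<jail name>.conf for each of
# them unless "filter" is set; the two filters are the mb-apache2-dos and
# mb-wordpress-login definitions that accompany this file.
# -------------------------------

# Repeated error responses (forceful browsing, scanners) seen in the
# Apache access log.
[mb-apache2-dos]
enabled = true
port = http,https
logpath = %(apache_access_log)s
maxretry = 5

# Repeated POSTs to the WordPress login endpoints.
[mb-wordpress-login]
enabled = true
port = http,https
logpath = %(apache_access_log)s
maxretry = 3
# -------------------------------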
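# Fail2Ban filter to block repeated web requests ending up with a client
# or server error (4xx / 500), i.e. forceful browsing attempts and
# automated crawlers hammering non-existing paths.
#
# Author: Mariusz B. / mgeeky
#
# Only error statuses are counted. Redirects (301/302/303) and
# 304 Not Modified are deliberately NOT in the list: a browser with a
# warm cache produces a burst of 304s on every ordinary page load, and
# http->https or trailing-slash redirects are routine, so matching 3xx
# would ban legitimate visitors within a handful of requests.
#
# The value is a Python regex; fail2ban expands <HOST> to the group that
# captures the client address.

[INCLUDES]
before = apache-common.conf

[Definition]
# <HOST> ... "METHOD path HTTP/x.y" STATUS bytes ...
failregex = <HOST> .+\"(?:GET|POST|HEAD|PUT|DELETE).+HTTP\/\d\.\d\" (?:400|401|403|404|405|500) \d+ .+$
ignoreregex =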
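# Fail2Ban filter to block repeated Wordpress login attempts.
#
# Author: Mariusz B. / mgeeky
#
# Counts POST requests to wp-login.php or xmlrpc.php that were answered
# with HTTP 200. WordPress re-renders the login form with a 200 when the
# credentials are wrong and redirects (302) on success, so for
# wp-login.php a 200 is the failure signal (confirm against your own
# access log).
# NOTE(review): xmlrpc.php answers 200 for failed AND successful calls, so
# legitimate XML-RPC clients also accrue hits here; keep maxretry in the
# jail generous or drop xmlrpc from the alternation if that bites.
#
# The value is a Python regex; fail2ban expands <HOST> to the group that
# captures the client address.

[INCLUDES]
before = apache-common.conf

[Definition]
# The two script names are grouped. An ungrouped "wp-login\.php|xmlrpc\.php"
# splits the WHOLE pattern into two alternatives: the first one matches
# every POST to wp-login.php regardless of status (successful logins
# included), and the second one carries no <HOST> at all, so fail2ban
# cannot attribute an xmlrpc.php hit to any address.
failregex = <HOST> .+\"POST \/(?:wp-login|xmlrpc)\.php.+HTTP\/\d\.\d\" 200 \d+ .+$
ignoreregex =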