@mgeeky
Created April 5, 2020 12:09
Some example fail2ban configuration
#
# This supersedes the old and incorrect datepattern regex for older Apache2 instances to make
# it work against Apache 2.4+ ones.
#
# Mariusz B. / mgeeky
#
# Drop-in for fail2ban (the file name is not shown on the gist). The reader
# has %(name)s interpolation enabled, so a literal "%" must be written "%%";
# the pattern fail2ban actually compiles is \[(%d/%b/%Y:%H:%M:%S %z)\], i.e.
# the bracketed access-log timestamp such as [05/Apr/2020:12:09:27 +0000]
# (constructed example). Because it sits under [DEFAULT], it is inherited by
# every section of the file it is merged into -- keep that in mind if other
# filters in the same file expect a different date format.
[DEFAULT]
datepattern = \[(%%d/%%b/%%Y:%%H:%%M:%%S %%z)\]
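#
# My fail2ban jail.local
#
# Mariusz B. / mgeeky
#
# Local overrides for jail.conf. The %(..._log)s / %(..._backend)s values are
# fail2ban interpolation references resolved from the distribution's
# paths-*.conf / jail.conf; a literal "%" would have to be written "%%".
# Time values take a unit suffix (15m, 1d, 1w); a bare number is seconds.
#
[DEFAULT]
# Repeat offenders get progressively longer bans. NOTE(review): this key is
# only understood by newer fail2ban releases (0.11+, as far as I know);
# check the installed version honours it.
bantime.increment = true
# initial ban length
bantime = 15m
# window within which maxretry failures must occur
findtime = 30m
# never ban loopback; add your own management ranges so a filter that
# misfires cannot lock you out
ignoreip = 127.0.0.1/8, ::1
#
# JAILS
#
# "filter" defaults to the jail name, so every jail below reads
# filter.d/<jail-name>.conf unless it sets "filter" explicitly.
#
[sshd]
enabled = true
port = ssh
logpath = %(sshd_log)s
[apache-auth]
enabled = true
port = http,https
logpath = %(apache_error_log)s
maxretry = 3
# seconds (overrides the 15m default above for this jail)
bantime = 600
[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
enabled = true
port = http,https
logpath = %(apache_access_log)s
# two days, a single hit is enough
bantime = 172800
maxretry = 1
[apache-botsearch]
enabled = true
port = http,https
logpath = %(apache_access_log)s
maxretry = 3
bantime = 600
[apache-noscript]
enabled = true
port = http,https
logpath = %(apache_access_log)s
maxretry = 3
bantime = 600
[apache-modsecurity]
enabled = true
port = http,https
logpath = %(apache_access_log)s
maxretry = 5
bantime = 600
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
enabled = true
port = http,https
# Two log files. The second line is a value continuation and must stay
# indented; flush-left it is no longer part of logpath (the reader either
# rejects the line or treats it as a stray key, depending on its settings).
logpath = %(nginx_access_log)s
          %(apache_access_log)s
maxretry = 3
[squid]
enabled = true
port = 80,443,3128,8080
logpath = /var/log/squid/access.log
maxretry = 3
[postfix]
# To use another modes set filter parameter "mode" in jail.local:
enabled = true
mode = more
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
[postfix-rbl]
enabled = true
filter = postfix[mode=rbl]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1
[sendmail-auth]
enabled = true
port = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[sendmail-reject]
# To use more aggressive modes set filter parameter "mode" in jail.local:
# normal (default), extra or aggressive
# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
#mode = normal
enabled = true
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[sieve]
enabled = true
port = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[postfix-sasl]
enabled = true
filter = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
# to maintain entries for failed logins for sufficient amount of time
[recidive]
# NOTE(review): an empty value is not a boolean. As far as I can tell
# fail2ban logs a warning and falls back to the default (off), so this jail
# is effectively disabled -- set "true" here if recidive is meant to run,
# and confirm with `fail2ban-client status`.
enabled =
logpath = /var/log/fail2ban.log
# ban on every port, not just the one the original jail watched
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d
# -------------------------------
# Custom jails. Their filters are looked up by jail name:
# filter.d/mb-apache2-dos.conf and filter.d/mb-wordpress-login.conf.
[mb-apache2-dos]
enabled = true
port = http,https
logpath = %(apache_access_log)s
# The filter counts redirects (301/302/303/304) as well as 4xx/500
# responses, so five hits inside findtime (30m above) is easy to reach by
# ordinary browsing of a site with redirects -- watch the banned list for
# false positives before tightening this further.
maxretry = 5
[mb-wordpress-login]
enabled = true
port = http,https
logpath = %(apache_access_log)s
# one hit per matching POST to wp-login.php / xmlrpc.php; three inside
# findtime earns the ban
maxretry = 3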
# Fail2Ban filter to block repeated web requests ending up with 404 HTTP status.
#
# This matches classic forceful browsing attempts as well as automated crawlers.
#
# Author: Mariusz B. / mgeeky
#
# NOTE(review): despite the title, the regex matches any request answered
# with one of 301 302 303 304 400 401 403 404 405 500, not only 404. Ordinary
# browsing of a site with redirects produces 301/302 lines, so either tune
# maxretry/findtime in the jail with that in mind or trim the status list to
# the 4xx/500 codes if 404-only is what is meant.
# Expected line shape is the Apache combined access log (constructed example):
#   1.2.3.4 - - [05/Apr/2020:12:09:27 +0000] "GET /x HTTP/1.1" 404 123 "-" "UA"
# Save as filter.d/mb-apache2-dos.conf so the mb-apache2-dos jail finds it.
[INCLUDES]
# shared apache-common definitions are merged in before this file
before = apache-common.conf
[Definition]
# <HOST> captures the client address (first field). The response size must be
# digits, so lines where Apache logged "-" for the size (e.g. a 304 under %b)
# do not match. The three greedy .+ span client-controlled fields (request
# line, referer, user-agent); a narrower [^"]* inside the quotes would bound
# the backtracking on long lines -- presumably fine at access-log lengths,
# verify before changing.
failregex = <HOST> .+\"(?:GET|POST|HEAD|PUT|DELETE).+HTTP\/\d\.\d\" (?:301|302|303|304|400|401|403|404|405|500) \d+ .+$
# nothing is exempted; add patterns here for known-good monitors or crawlers
ignoreregex =
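# Fail2Ban filter to block repeated WordPress login attempts.
#
# Author: Mariusz B. / mgeeky
#
# Counts POST requests to wp-login.php or xmlrpc.php that were answered with
# HTTP 200. A failed wp-login.php attempt normally re-renders the form with
# 200 while a successful one redirects (302), so 200 is the failure signal
# there; xmlrpc.php answers 200 regardless of outcome, so legitimate XML-RPC
# clients (mobile apps, sync plugins) count as hits too -- exempt them via
# ignoreip in the jail or ignoreregex below.
# Expected line shape is the Apache combined access log (constructed example):
#   1.2.3.4 - - [05/Apr/2020:12:09:27 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "UA"
# Save as filter.d/mb-wordpress-login.conf so the mb-wordpress-login jail finds it.
[INCLUDES]
# shared apache-common definitions are merged in before this file
before = apache-common.conf
[Definition]
# The two paths are grouped with (?:...). Without the group the bare "|"
# split the whole expression into two alternatives: any POST to wp-login.php
# matched regardless of status, and the xmlrpc branch carried no <HOST> and
# no status check at all.
failregex = <HOST> .+\"POST \/(?:wp-login\.php|xmlrpc\.php).+HTTP\/\d\.\d\" 200 \d+ .+$
# nothing is exempted; add known-good XML-RPC client addresses or agents here
ignoreregex =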