Created
August 3, 2013 09:40
-
-
Save wcypierre/6145891 to your computer and use it in GitHub Desktop.
[Fail2ban] /etc/fail2ban/jail.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/fail2ban/jail.conf | |
| # Fail2Ban configuration file. | |
| # | |
| # This file was composed for Debian systems from the original one | |
| # provided now under /usr/share/doc/fail2ban/examples/jail.conf | |
| # for additional examples. | |
| # | |
| # To avoid merges during upgrades DO NOT MODIFY THIS FILE | |
| # and rather provide your changes in /etc/fail2ban/jail.local | |
| # | |
| # Author: Yaroslav O. Halchenko <debian@onerussian.com> | |
| # | |
| # $Revision$ | |
| # | |
| # The DEFAULT allows a global definition of the options. They can be overridden | |
| # in each jail afterwards. | |
| [DEFAULT] | |
| # "ignoreip" can be an IP address, a CIDR mask or a DNS host | |
| ignoreip = 127.0.0.1/8 | |
| bantime = 3600 | |
| maxretry = 3 | |
| # "backend" specifies the backend used to get files modification. Available | |
| # options are "gamin", "polling" and "auto". | |
| # yoh: For some reason Debian shipped python-gamin didn't work as expected | |
| # This issue left ToDo, so polling is default backend for now | |
| backend = auto | |
| # | |
| # Destination email address used solely for the interpolations in | |
| # jail.{conf,local} configuration files. | |
| destemail = wcypierre@gmail.com | |
| # | |
| # ACTIONS | |
| # | |
| # Default banning action (e.g. iptables, iptables-new, | |
| # iptables-multiport, shorewall, etc) It is used to define | |
| # action_* variables. Can be overridden globally or per | |
| # section within jail.local file | |
| banaction = iptables-multiport | |
| # email action. Since 0.8.1 upstream fail2ban uses sendmail | |
| # MTA for the mailing. Change mta configuration parameter to mail | |
| # if you want to revert to conventional 'mail'. | |
| mta = sendmail | |
| # Default protocol | |
| protocol = tcp | |
| # Specify chain where jumps would need to be added in iptables-* actions | |
| chain = INPUT | |
| # | |
| # Action shortcuts. To be used to define action parameter | |
| # The simplest action to take: ban only | |
| action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] | |
| # ban & send an e-mail with whois report to the destemail. | |
| action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] | |
| %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] | |
| # ban & send an e-mail with whois report and relevant log lines | |
| # to the destemail. | |
| action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] | |
| %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] | |
| # Choose default action. To change, just override value of 'action' with the | |
| # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local | |
| # globally (section [DEFAULT]) or per specific section | |
| action = %(action_)s | |
| # | |
| # JAILS | |
| # | |
| # Next jails corresponds to the standard configuration in Fail2ban 0.6 which | |
| # was shipped in Debian. Enable any defined here jail by including | |
| # | |
| # [SECTION_NAME] | |
| # enabled = true | |
| # | |
| # in /etc/fail2ban/jail.local. | |
| # | |
| # Optionally you may override any other parameter (e.g. banaction, | |
| # action, port, logpath, etc) in that section within jail.local | |
| [ssh] | |
| enabled = true | |
| port = ssh | |
| filter = sshd | |
| logpath = /var/log/auth.log | |
| maxretry = 6 | |
| [dropbear] | |
| enabled = false | |
| port = ssh | |
| filter = sshd | |
| logpath = /var/log/dropbear | |
| maxretry = 6 | |
| # Generic filter for pam. Has to be used with action which bans all ports | |
| # such as iptables-allports, shorewall | |
| [pam-generic] | |
| enabled = false | |
| # pam-generic filter can be customized to monitor specific subset of 'tty's | |
| filter = pam-generic | |
| # port actually must be irrelevant but lets leave it all for some possible uses | |
| port = all | |
| banaction = iptables-allports | |
| port = anyport | |
| logpath = /var/log/auth.log | |
| maxretry = 6 | |
| [xinetd-fail] | |
| enabled = false | |
| filter = xinetd-fail | |
| port = all | |
| banaction = iptables-multiport-log | |
| logpath = /var/log/daemon.log | |
| maxretry = 2 | |
| [ssh-ddos] | |
| enabled = false | |
| port = ssh | |
| filter = sshd-ddos | |
| logpath = /var/log/auth.log | |
| maxretry = 6 | |
| # | |
| # HTTP servers | |
| # | |
| [apache] | |
| enabled = false | |
| port = http,https | |
| filter = apache-auth | |
| logpath = /var/log/apache*/*error.log | |
| maxretry = 6 | |
| # default action is now multiport, so apache-multiport jail was left | |
| # for compatibility with previous (<0.7.6-2) releases | |
| [apache-multiport] | |
| enabled = false | |
| port = http,https | |
| filter = apache-auth | |
| logpath = /var/log/apache*/*error.log | |
| maxretry = 6 | |
| [apache-noscript] | |
| enabled = false | |
| port = http,https | |
| filter = apache-noscript | |
| logpath = /var/log/apache*/*error.log | |
| maxretry = 6 | |
| [apache-overflows] | |
| enabled = false | |
| port = http,https | |
| filter = apache-overflows | |
| logpath = /var/log/apache*/*error.log | |
| maxretry = 2 | |
| # | |
| # FTP servers | |
| # | |
| [vsftpd] | |
| enabled = false | |
| port = ftp,ftp-data,ftps,ftps-data | |
| filter = vsftpd | |
| logpath = /var/log/vsftpd.log | |
| # or overwrite it in jails.local to be | |
| # logpath = /var/log/auth.log | |
| # if you want to rely on PAM failed login attempts | |
| # vsftpd's failregex should match both of those formats | |
| maxretry = 6 | |
| [proftpd] | |
| enabled = false | |
| port = ftp,ftp-data,ftps,ftps-data | |
| filter = proftpd | |
| logpath = /var/log/proftpd/proftpd.log | |
| maxretry = 6 | |
| [pure-ftpd] | |
| enabled = false | |
| port = ftp,ftp-data,ftps,ftps-data | |
| filter = pure-ftpd | |
| logpath = /var/log/auth.log | |
| maxretry = 6 | |
| [wuftpd] | |
| enabled = false | |
| port = ftp,ftp-data,ftps,ftps-data | |
| filter = wuftpd | |
| logpath = /var/log/auth.log | |
| maxretry = 6 | |
| # | |
| # Mail servers | |
| # | |
| [postfix] | |
| enabled = false | |
| port = smtp,ssmtp | |
| filter = postfix | |
| logpath = /var/log/mail.log | |
| [couriersmtp] | |
| enabled = false | |
| port = smtp,ssmtp | |
| filter = couriersmtp | |
| logpath = /var/log/mail.log | |
| # | |
| # Mail servers authenticators: might be used for smtp,ftp,imap servers, so | |
| # all relevant ports get banned | |
| # | |
| [courierauth] | |
| enabled = false | |
| port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s | |
| filter = courierlogin | |
| logpath = /var/log/mail.log | |
| [sasl] | |
| enabled = false | |
| port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s | |
| filter = sasl | |
| # You might consider monitoring /var/log/mail.warn instead if you are | |
| # running postfix since it would provide the same log lines at the | |
| # "warn" level but overall at the smaller filesize. | |
| logpath = /var/log/mail.log | |
| [dovecot] | |
| enabled = false | |
| port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s | |
| filter = dovecot | |
| logpath = /var/log/mail.log | |
| # DNS Servers | |
| # These jails block attacks against named (bind9). By default, logging is off | |
| # with bind9 installation. You will need something like this: | |
| # | |
| # logging { | |
| # channel security_file { | |
| # file "/var/log/named/security.log" versions 3 size 30m; | |
| # severity dynamic; | |
| # print-time yes; | |
| # }; | |
| # category security { | |
| # security_file; | |
| # }; | |
| # }; | |
| # | |
| # in your named.conf to provide proper logging | |
| # !!! WARNING !!! | |
| # Since UDP is connection-less protocol, spoofing of IP and imitation | |
| # of illegal actions is way too simple. Thus enabling of this filter | |
| # might provide an easy way for implementing a DoS against a chosen | |
| # victim. See | |
| # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html | |
| # Please DO NOT USE this jail unless you know what you are doing. | |
| #[named-refused-udp] | |
| # | |
| #enabled = false | |
| #port = domain,953 | |
| #protocol = udp | |
| #filter = named-refused | |
| #logpath = /var/log/named/security.log | |
| [named-refused-tcp] | |
| enabled = false | |
| port = domain,953 | |
| protocol = tcp | |
| filter = named-refused | |
| logpath = /var/log/named/security.log | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment