  1. # See jail.conf(5) man page for more information
  2. # Comments: use '#' for comment lines and ';' (following a space) for inline comments
  3. [INCLUDES]
  4. #before = paths-distro.conf
  5. before = paths-debian.conf
  6. # The DEFAULT allows a global definition of the options. They can be overridden
  7. # in each jail afterwards.
  8. ### Default ### {{{
  9. [DEFAULT]
  10. ### Misc Options ### {{{
  11. #
  12. # MISCELLANEOUS OPTIONS
  13. #
  14. # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
  15. # ban a host which matches an address in this list. Several addresses can be
  16. # defined using space separator.
  17. ## Local host, and MA
  18. ignoreip = 127.0.0.1 205.166.94.31 2600:3c03::f03c:91ff:fe56:c573
  19. # External command that will take tagged arguments to ignore, e.g. <ip>,
  20. # and return true if the IP is to be ignored. False otherwise.
  21. #
  22. # ignorecommand = /path/to/command <ip>
  23. ignorecommand =
  24. # "bantime" is the number of seconds that a host is banned.
  25. ## Three days
  26. bantime = 259200
  27. # A host is banned if it has generated "maxretry" during the last "findtime"
  28. ## one day
  29. findtime = 86400
  30. # "maxretry" is the number of failures before a host gets banned.
  31. maxretry = 5
  32. # "backend" specifies the backend used to get files modification.
  33. # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
  34. # This option can be overridden in each jail as well.
  35. #
  36. # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
  37. # If pyinotify is not installed, Fail2ban will use auto.
  38. # gamin: requires Gamin (a file alteration monitor) to be installed.
  39. # If Gamin is not installed, Fail2ban will use auto.
  40. # polling: uses a polling algorithm which does not require external libraries.
  41. # systemd: uses systemd python library to access the systemd journal.
  42. # Specifying "logpath" is not valid for this backend.
  43. # See "journalmatch" in the jails associated filter config
  44. # auto: will try to use the following backends, in order:
  45. # pyinotify, gamin, polling.
  46. backend = auto
  47. # "usedns" specifies if jails should trust hostnames in logs,
  48. # warn when DNS lookups are performed, or ignore all hostnames in logs
  49. #
  50. # yes: if a hostname is encountered, a DNS lookup will be performed.
  51. # warn: if a hostname is encountered, a DNS lookup will be performed,
  52. # but it will be logged as a warning.
  53. # no: if a hostname is encountered, will not be used for banning,
  54. # but it will be logged as info.
  55. usedns = warn
  56. # "logencoding" specifies the encoding of the log files handled by the jail
  57. # This is used to decode the lines from the log file.
  58. # Typical examples: "ascii", "utf-8"
  59. #
  60. # auto: will use the system locale setting
  61. logencoding = auto
  62. # "enabled" enables the jails.
  63. # By default all jails are disabled, and it should stay this way.
  64. # Enable only relevant to your setup jails in your .local or jail.d/*.conf
  65. #
  66. # true: jail will be enabled and log files will get monitored for changes
  67. # false: jail is not enabled
  68. enabled = false
  69. # "filter" defines the filter to use by the jail.
  70. # By default jails have names matching their filter name
  71. #
  72. filter = %(__name__)s
  73. ### End Misc Options ### }}}
  74. ### Actions ### {{{
  75. #
  76. # ACTIONS
  77. #
  78. # Some options used for actions
  79. # Destination email address used solely for the interpolations in
  80. # jail.{conf,local,d/*} configuration files.
  81. destemail = root@localhost
  82. # Sender email address used solely for some actions
  83. sender = root@localhost
  84. # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
  85. # mailing. Change mta configuration parameter to mail if you want to
  86. # revert to conventional 'mail'.
  87. mta = mail
  88. #mta = sendmail
  89. # Default protocol
  90. protocol = tcp
  91. # Specify chain where jumps would need to be added in iptables-* actions
  92. chain = INPUT
  93. # Ports to be banned
  94. # Usually should be overridden in a particular jail
  95. port = 0:65535
  96. #
  97. # Action shortcuts. To be used to define action parameter
  98. # Default banning action (e.g. iptables, iptables-new,
  99. # iptables-multiport, shorewall, etc) It is used to define
  100. # action_* variables. Can be overridden globally or per
  101. # section within jail.local file
  102. banaction = iptables-multiport
  103. # The simplest action to take: ban only
  104. action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  105. # ban & send an e-mail with whois report to the destemail.
  106. action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  107. %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
  108. # ban & send an e-mail with whois report and relevant log lines
  109. # to the destemail.
  110. action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  111. %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
  112. # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
  113. #
  114. # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
  115. # to the destemail.
  116. action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  117. xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
  118. # Report block via blocklist.de fail2ban reporting service API
  119. #
  120. # See the IMPORTANT note in action.d/blocklist_de.conf for when to
  121. # use this action. Create a file jail.d/blocklist_de.local containing
  122. # [Init]
  123. # blocklist_de_apikey = {api key from registration}
  124. #
  125. action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
  126. # Report ban via badips.com, and use as blacklist
  127. #
  128. # See BadIPsAction docstring in config/action.d/badips.py for
  129. # documentation for this action.
  130. #
  131. # NOTE: This action relies on banaction being present on start and therefore
  132. # should be last action defined for a jail.
  133. #
  134. action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
  135. # Choose default action. To change, just override value of 'action' with the
  136. # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
  137. # globally (section [DEFAULT]) or per specific section
  138. action = %(action_)s
  139. ### End Actions ### }}}
  140. ### End Default ### }}}
  141. ### Jails ### {{{
  142. #
  143. # JAILS
  144. #
  145. ### WeeChat Relay ### {{{
  146. [weechat-relay]
  147. enabled = true
  148. maxretry = 5
  149. ## 12 hours
  150. bantime = 43200
  151. ## 20 min
  152. findtime = 2400
  153. port = 0:21,23:499,501:65535
  154. logpath = /home/demure/.weechat/logs/core.weechat.weechatlog
  155. ### End WeeChat Relay ### }}}
  156. ### SSH Servers ### {{{
  157. #
  158. # SSH servers
  159. #
  160. ### ssh ### {{{
  161. [sshd]
  162. enabled = true
  163. maxretry = 3
  164. ## One Week
  165. bantime = 604800
  166. ## Four days
  167. findtime = 345600
  168. #port = 500,8080
  169. port = 0:21,23:65535
  170. logpath = %(sshd_log)s
  171. [sshd-bad-protocol]
  172. enabled = true
  173. maxretry = 1
  174. ## One week
  175. bantime = 604800
  176. ## Four days
  177. findtime = 345600
  178. #port = 500,8080
  179. port = 0:21,23:65535
  180. logpath = %(sshd_log)s
  181. [sshd-bad-users]
  182. enabled = true
  183. maxretry = 5
  184. ## One week
  185. bantime = 604800
  186. ## Four days
  187. findtime = 345600
  188. #port = 500,8080
  189. port = 0:21,23:65535
  190. logpath = %(sshd_log)s
  191. [sshd-bad-users-known]
  192. enabled = true
  193. maxretry = 1
  194. ## One week
  195. bantime = 604800
  196. ## Four days
  197. findtime = 345600
  198. #port = 500,8080
  199. port = 0:21,23:65535
  200. logpath = %(sshd_log)s
  201. ### End ssh ### }}}
  202. ### endlessh ### {{{
  203. [endlessh]
  204. enabled = true
  205. maxretry = 1000
  206. ## One month
  207. bantime = 2419200
  208. ## five days
  209. findtime = 432000
  210. port = 0:65535
  211. logpath = /var/log/endlessh.log
  212. ### End endlessh ### }}}
  213. ### dropbear ### {{{
  214. [dropbear]
  215. port = ssh
  216. logpath = %(dropbear_log)s
  217. ### End dropbear ### }}}
  218. ### selinux ### {{{
  219. [selinux-ssh]
  220. port = ssh
  221. logpath = %(auditd_log)s
  222. maxretry = 5
  223. ### End selinux ### }}}
  224. ### End SSH Servers ### }}}
  225. ### HTTP Servers ### {{{
  226. #
  227. # HTTP servers
  228. #
  229. ### apache ### {{{
  230. [apache-auth]
  231. port = http,https
  232. logpath = %(apache_error_log)s
  233. [apache-badbots]
  234. # Ban hosts which agent identifies spammer robots crawling the web
  235. # for email addresses. The mail outputs are buffered.
  236. port = http,https
  237. logpath = %(apache_access_log)s
  238. bantime = 172800
  239. maxretry = 1
  240. [apache-noscript]
  241. port = http,https
  242. logpath = %(apache_error_log)s
  243. maxretry = 6
  244. [apache-overflows]
  245. port = http,https
  246. logpath = %(apache_error_log)s
  247. maxretry = 2
  248. [apache-nohome]
  249. port = http,https
  250. logpath = %(apache_error_log)s
  251. maxretry = 2
  252. [apache-botsearch]
  253. port = http,https
  254. logpath = %(apache_error_log)s
  255. maxretry = 2
  256. [apache-modsecurity]
  257. port = http,https
  258. logpath = %(apache_error_log)s
  259. maxretry = 2
  260. [apache-shellshock]
  261. port = http,https
  262. logpath = %(apache_error_log)s
  263. maxretry = 1
  264. ### End apache ### }}}
  265. ### nginx ### {{{
  266. [nginx-http-auth]
  267. enabled = true
  268. filter = nginx-http-auth
  269. port = http,https
  270. #logpath = %(nginx_error_log)s
  271. logpath = /var/log/nginx/error.log
  272. [nginx-noscript]
  273. enabled = true
  274. #port = http,https
  275. port = 0:21,23:499,501:65535
  276. filter = nginx-noscript
  277. logpath = /var/log/nginx/access.log
  278. maxretry = 4
  279. ## One week
  280. bantime = 604800
  281. ## Four days
  282. findtime = 345600
  283. [nginx-badbots]
  284. enabled = true
  285. #port = http,https
  286. port = 0:21,23:499,501:65535
  287. filter = nginx-badbots
  288. logpath = /var/log/nginx/access.log
  289. maxretry = 1
  290. ## One week
  291. bantime = 604800
  292. ## Four days
  293. findtime = 345600
  294. [nginx-botsearch]
  295. enabled = true
  296. port = http,https
  297. filter = nginx-botsearch
  298. logpath = /var/log/nginx/access.log
  299. maxretry = 2
  300. ## One week
  301. bantime = 604800
  302. ## Four days
  303. findtime = 345600
  304. [nginx-nohome]
  305. enabled = true
  306. port = http,https
  307. filter = nginx-nohome
  308. logpath = /var/log/nginx/access.log
  309. maxretry = 2
  310. ## One week
  311. bantime = 604800
  312. ## Four days
  313. findtime = 345600
  314. [nginx-noproxy]
  315. enabled = false
  316. port = http,https
  317. filter = nginx-noproxy
  318. logpath = /var/log/nginx/access.log
  319. maxretry = 2
  320. ## One week
  321. bantime = 604800
  322. ## Four days
  323. findtime = 345600
  324. [nginx-lurkers]
  325. enabled = true
  326. #port = http,https
  327. port = 0:21,23:499,501:65535
  328. filter = nginx-lurkers
  329. logpath = /var/log/nginx/access.log
  330. /var/log/nginx/ttrss_access.log
  331. /var/log/nginx/piwik_access.log
  332. /var/log/nginx/irpg_access.log
  333. /var/log/nginx/pit_access.log
  334. /var/log/nginx/shaarli_access.log
  335. /var/log/nginx/glow_access.log
  336. /var/log/nginx/up.log
  337. maxretry = 1
  338. ## One Month
  339. bantime = 2628002
  340. ## Four days
  341. findtime = 345600
  342. [nginx-bbb-sent]
  343. enabled = true
  344. #port = http,https
  345. port = 0:21,23:499,501:65535
  346. filter = nginx-bbb-sent
  347. logpath = /var/log/nginx/access.log
  348. maxretry = 1
  349. ## One Month
  350. bantime = 2628002
  351. ## Four days
  352. findtime = 345600
  353. [nginx-req-limit]
  354. enabled = false
  355. port = http,https
  356. filter = nginx-limit-req
  357. logpath = /var/log/nginx/*error.log
  358. ## One week
  359. bantime = 604800
  360. ## Four days
  361. findtime = 345600
  362. maxretry = 10
  363. [nginx-rss-over-scrape]
  364. enabled = false
  365. port = http,https
  366. filter = nginx-rss-over-scrape
  367. logpath = /var/log/nginx/access.log
  368. maxretry = 3
  369. ## thirty-six hours
  370. bantime = 129600
  371. ## Six hours
  372. findtime = 21600
  373. ### End nginx ### }}}
  374. ### php-url-fopen ### {{{
  375. # Ban attackers that try to use PHP's URL-fopen() functionality
  376. # through GET/POST variables. - Experimental, with more than a year
  377. # of usage in production environments.
  378. [php-url-fopen]
  379. port = http,https
  380. logpath = %(nginx_access_log)s %(apache_access_log)s
  381. ### end php-url-fopen ### }}}
  382. ### suhosin ### {{{
  383. [suhosin]
  384. port = http,https
  385. logpath = %(suhosin_log)s
  386. ### End suhosin ### }}}
  387. ### lighttpd ### {{{
  388. [lighttpd-auth]
  389. # Same as above for Apache's mod_auth
  390. # It catches wrong authentications
  391. port = http,https
  392. logpath = %(lighttpd_error_log)s
  393. ### End lighttpd ### }}}
  394. ### End HTTP Servers ### }}}
  395. ### Webmail ### {{{
  396. #
  397. # Webmail and groupware servers
  398. #
  399. ### roundcube ### {{{
  400. [roundcube-auth]
  401. port = http,https
  402. logpath = /var/log/roundcube/userlogins
  403. ### End roundcube ### }}}
  404. ### openwebmail ### {{{
  405. [openwebmail]
  406. port = http,https
  407. logpath = /var/log/openwebmail.log
  408. ### End openwebmail ### }}}
  409. ### horde ### {{{
  410. [horde]
  411. port = http,https
  412. logpath = /var/log/horde/horde.log
  413. ### End horde ### }}}
  414. ### groupoffice ### {{{
  415. [groupoffice]
  416. port = http,https
  417. logpath = /home/groupoffice/log/info.log
  418. ### End groupoffice ### }}}
  419. ### sogo ### {{{
  420. [sogo-auth]
  421. # Monitor SOGo groupware server
  422. # without proxy this would be:
  423. # port = 20000
  424. port = http,https
  425. logpath = /var/log/sogo/sogo.log
  426. ### End sogo ### }}}
  427. ### tine20 ### {{{
  428. [tine20]
  429. logpath = /var/log/tine20/tine20.log
  430. port = http,https
  431. maxretry = 5
  432. ### End tine20 ### }}}
  433. ### End Webmail ### }}}
  434. ### Web Apps ### {{{
  435. #
  436. # Web Applications
  437. #
  438. #
  439. ### guacamole ### {{{
  440. [guacamole]
  441. port = http,https
  442. logpath = /var/log/tomcat*/catalina.out
  443. ### End guacamole ### }}}
  444. ### monit ### {{{
  445. [monit]
  446. #Ban clients brute-forcing the monit gui login
  447. filter = monit
  448. port = 2812
  449. logpath = /var/log/monit
  450. ### End monit ### }}}
  451. ### webmin ### {{{
  452. [webmin-auth]
  453. port = 10000
  454. logpath = %(syslog_authpriv)s
  455. ### End webmin ### }}}
  456. ### End Web Apps ### }}}
  457. ### HTTP Proxy Servers ### {{{
  458. #
  459. # HTTP Proxy servers
  460. #
  461. #
  462. ### squid ### {{{
  463. [squid]
  464. port = 80,443,3128,8080
  465. logpath = /var/log/squid/access.log
  466. ### End squid ### }}}
  467. ### 3proxy ### {{{
  468. [3proxy]
  469. port = 3128
  470. logpath = /var/log/3proxy.log
  471. ### End 3proxy ### }}}
  472. ### End HTTP Proxy Servers ### }}}
  473. ### FTP Servers ### {{{
  474. #
  475. # FTP servers
  476. #
  477. ### proftpd ### {{{
  478. [proftpd]
  479. port = ftp,ftp-data,ftps,ftps-data
  480. logpath = %(proftpd_log)s
  481. ### End proftpd ### }}}
  482. ### pure ### {{{
  483. [pure-ftpd]
  484. port = ftp,ftp-data,ftps,ftps-data
  485. logpath = %(pureftpd_log)s
  486. maxretry = 6
  487. ### End pure ### }}}
  488. ### gssftpd ### {{{
  489. [gssftpd]
  490. port = ftp,ftp-data,ftps,ftps-data
  491. logpath = %(syslog_daemon)s
  492. maxretry = 6
  493. ### End gssftpd ### }}}
  494. ### wuftpd ### {{{
  495. [wuftpd]
  496. port = ftp,ftp-data,ftps,ftps-data
  497. logpath = %(wuftpd_log)s
  498. maxretry = 6
  499. ### End wuftpd ### }}}
  500. ### vsftpd ### {{{
  501. [vsftpd]
  502. # or override it in jail.local to be
  503. # logpath = %(syslog_authpriv)s
  504. # if you want to rely on PAM failed login attempts
  505. # vsftpd's failregex should match both of those formats
  506. port = ftp,ftp-data,ftps,ftps-data
  507. logpath = %(vsftpd_log)s
  508. ### End vsftpd ### }}}
  509. ### End FTP Servers ### }}}
  510. ### Mail Servers ### {{{
  511. #
  512. # Mail servers
  513. #
  514. ### assp ### {{{
  515. # ASSP SMTP Proxy Jail
  516. [assp]
  517. port = smtp,465,submission
  518. logpath = /root/path/to/assp/logs/maillog.txt
  519. ### End assp ### }}}
  520. ### courier ### {{{
  521. [courier-smtp]
  522. port = smtp,465,submission
  523. logpath = %(syslog_mail)s
  524. ### End courier ### }}}
  525. ### postfix ### {{{
  526. [postfix]
  527. port = smtp,465,submission
  528. logpath = %(postfix_log)s
  529. ### End postfix ### }}}
  530. ### sendmail ### {{{
  531. [sendmail-auth]
  532. port = submission,465,smtp
  533. logpath = %(syslog_mail)s
  534. [sendmail-reject]
  535. port = smtp,465,submission
  536. logpath = %(syslog_mail)s
  537. ### End sendmail ### }}}
  538. ### qmail ### {{{
  539. [qmail-rbl]
  540. filter = qmail
  541. port = smtp,465,submission
  542. logpath = /service/qmail/log/main/current
  543. ### End qmail ### }}}
  544. ### dovecot ### {{{
  545. # dovecot defaults to logging to the mail syslog facility
  546. # but can be set by syslog_facility in the dovecot configuration.
  547. [dovecot]
  548. port = pop3,pop3s,imap,imaps,submission,465,sieve
  549. logpath = %(dovecot_log)s
  550. ### End dovecot ### }}}
  551. ### sieve ### {{{
  552. [sieve]
  553. port = smtp,465,submission
  554. logpath = %(dovecot_log)s
  555. ### End sieve ### }}}
  556. ### solid ### {{{
  557. [solid-pop3d]
  558. port = pop3,pop3s
  559. logpath = %(solidpop3d_log)s
  560. ### End solid ### }}}
  561. ### exim ### {{{
  562. [exim]
  563. port = smtp,465,submission
  564. logpath = %(exim_main_log)s
  565. [exim-spam]
  566. port = smtp,465,submission
  567. logpath = %(exim_main_log)s
  568. ### End exim ### }}}
  569. ### kerio ### {{{
  570. [kerio]
  571. port = imap,smtp,imaps,465
  572. logpath = /opt/kerio/mailserver/store/logs/security.log
  573. ### End kerio ### }}}
  574. ### End Mail Servers ### }}}
  575. ### Mail Authenticators ### {{{
  576. #
  577. # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
  578. # all relevant ports get banned
  579. #
  580. ### courier ### {{{
  581. [courier-auth]
  582. port = smtp,465,submission,imap3,imaps,pop3,pop3s
  583. logpath = %(syslog_mail)s
  584. ### End courier ### }}}
  585. ### postfix ### {{{
  586. [postfix-sasl]
  587. port = smtp,465,submission,imap3,imaps,pop3,pop3s
  588. # You might consider monitoring /var/log/mail.warn instead if you are
  589. # running postfix since it would provide the same log lines at the
  590. # "warn" level but overall at the smaller filesize.
  591. logpath = %(postfix_log)s
  592. ### End postfix ### }}}
  593. ### perdition ### {{{
  594. [perdition]
  595. port = imap3,imaps,pop3,pop3s
  596. logpath = %(syslog_mail)s
  597. ### End perdition ### }}}
  598. ### squirrelmail ### {{{
  599. [squirrelmail]
  600. port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
  601. logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
  602. ### End squirrelmail ### }}}
  603. ### cyrus ### {{{
  604. [cyrus-imap]
  605. port = imap3,imaps
  606. logpath = %(syslog_mail)s
  607. ### End cyrus ### }}}
  608. ### uwimap ### {{{
  609. [uwimap-auth]
  610. port = imap3,imaps
  611. logpath = %(syslog_mail)s
  612. ### End uwimap ### }}}
  613. ### End Mail Authenticators ### }}}
  614. ### DNS Servers ### {{{
  615. #
  616. #
  617. # DNS servers
  618. #
  619. ### named ### {{{
  620. # !!! WARNING !!!
  621. # Since UDP is connection-less protocol, spoofing of IP and imitation
  622. # of illegal actions is way too simple. Thus enabling of this filter
  623. # might provide an easy way for implementing a DoS against a chosen
  624. # victim. See
  625. # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
  626. # Please DO NOT USE this jail unless you know what you are doing.
  627. #
  628. # IMPORTANT: see filter.d/named-refused for instructions to enable logging
  629. # This jail blocks UDP traffic for DNS requests.
  630. # [named-refused-udp]
  631. #
  632. # filter = named-refused
  633. # port = domain,953
  634. # protocol = udp
  635. # logpath = /var/log/named/security.log
  636. # IMPORTANT: see filter.d/named-refused for instructions to enable logging
  637. # This jail blocks TCP traffic for DNS requests.
  638. [named-refused]
  639. port = domain,953
  640. logpath = /var/log/named/security.log
  641. ### End named ### }}}
  642. ### nsd ### {{{
  643. [nsd]
  644. port = 53
  645. action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
  646. %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
  647. logpath = /var/log/nsd.log
  648. ### End nsd ### }}}
  649. ### End DNS Servers ### }}}
  650. ### Misc Jails ### {{{
  651. #
  652. # Miscellaneous
  653. #
  654. ### fail2ban Multiple Bans ### {{{
  655. [fail2ban]
  656. enabled = false
  657. filter = fail2ban
  658. action = iptables-allports[name=fail2ban]
  659. logpath = /var/log/fail2ban*
  660. maxretry = 3
  661. # findtime: 5 days
  662. findtime = 432000
  663. # bantime: FOREVER
  664. bantime = -1
  665. ### End fail2ban Multiple Bans ### }}}
  666. ### asterisk ### {{{
  667. [asterisk]
  668. port = 5060,5061
  669. action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
  670. %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
  671. %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
  672. logpath = /var/log/asterisk/messages
  673. maxretry = 10
  674. ### End asterisk ### }}}
  675. ### freeswitch ### {{{
  676. [freeswitch]
  677. port = 5060,5061
  678. action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
  679. %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
  680. %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
  681. logpath = /var/log/freeswitch.log
  682. maxretry = 10
  683. ### End freeswitch ### }}}
  684. ### mysqld ### {{{
  685. # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
  686. # equivalent section:
  687. # log-warning = 2
  688. #
  689. # for syslog (daemon facility)
  690. # [mysqld_safe]
  691. # syslog
  692. #
  693. # for own logfile
  694. # [mysqld]
  695. # log-error=/var/log/mysqld.log
  696. [mysqld-auth]
  697. port = 3306
  698. logpath = %(mysql_log)s
  699. maxretry = 5
  700. ### End mysqld ### }}}
  701. ### recidive ### {{{
  702. # Jail for more extended banning of persistent abusers
  703. # !!! WARNING !!!
  704. # Make sure that your loglevel specified in fail2ban.conf/.local
  705. # is not at DEBUG level -- which might then cause fail2ban to fall into
  706. # an infinite loop constantly feeding itself with non-informative lines
  707. [recidive]
  708. logpath = /var/log/fail2ban.log
  709. port = all
  710. protocol = all
  711. bantime = 604800 ; 1 week
  712. findtime = 86400 ; 1 day
  713. maxretry = 5
  714. ### End recidive ### }}}
  715. ### pam-generic ### {{{
  716. # Generic filter for PAM. Has to be used with action which bans all
  717. # ports such as iptables-allports, shorewall
  718. [pam-generic]
  719. # pam-generic filter can be customized to monitor specific subset of 'tty's
  720. banaction = iptables-allports
  721. logpath = %(syslog_authpriv)s
  722. ### End pam-generic ### }}}
  723. ### xinetd-fail ### {{{
  724. [xinetd-fail]
  725. banaction = iptables-multiport-log
  726. logpath = %(syslog_daemon)s
  727. maxretry = 2
  728. ### End xinetd-fail ### }}}
  729. ### stunnel ### {{{
  730. # stunnel - need to set port for this
  731. [stunnel]
  732. logpath = /var/log/stunnel4/stunnel.log
  733. [ejabberd-auth]
  734. port = 5222
  735. logpath = /var/log/ejabberd/ejabberd.log
  736. ### End stunnel ### }}}
  737. ### counter-strike ### {{{
  738. [counter-strike]
  739. logpath = /opt/cstrike/logs/L[0-9]*.log
  740. # Firewall: http://www.cstrike-planet.com/faq/6
  741. tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
  742. udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
  743. action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
  744. %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
  745. ### End counter-strike ### }}}
  746. ### nagios ### {{{
  747. # consider low maxretry and a long bantime
  748. # nobody except your own Nagios server should ever probe nrpe
  749. [nagios]
  750. enabled = false
  751. logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
  752. maxretry = 1
  753. ### End nagios ### }}}
  754. ### oracleims ### {{{
  755. [oracleims]
  756. # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
  757. enabled = false
  758. logpath = /opt/sun/comms/messaging64/log/mail.log_current
  759. maxretry = 6
  760. banaction = iptables-allports
  761. ### End oracleims ### }}}
  762. ### directadmin ### {{{
  763. [directadmin]
  764. enabled = false
  765. logpath = /var/log/directadmin/login.log
  766. port = 2222
  767. ### End directadmin ### }}}
  768. ### portsentry ### {{{
  769. [portsentry]
  770. enabled = false
  771. logpath = /var/lib/portsentry/portsentry.history
  772. maxretry = 1
  773. ### End portsentry ### }}}
  774. ### End Misc Jails ### }}}
  775. ### End Jails ### }}}