  1. # Fail2Ban configuration file.
  2. #
  3. # This file was composed for Debian systems from the original one
  4. # provided now under /usr/share/doc/fail2ban/examples/jail.conf
  5. # for additional examples.
  6. #
  7. # To avoid merges during upgrades DO NOT MODIFY THIS FILE
  8. # and rather provide your changes in /etc/fail2ban/jail.local
  9. #
  10. # Author: Yaroslav O. Halchenko <debian@onerussian.com>
  11. #
  12. # $Revision$
  13. #
  14.  
  15. # The DEFAULT allows a global definition of the options. They can be overridden
  16. # in each jail afterwards.
  17.  
  18. [DEFAULT]
  19.  
  20. # "ignoreip" can be an IP address, a CIDR mask or a DNS host
  21. ignoreip = 46.218.167.43
  22. ignoreip = 127.0.0.1/8
  23. bantime = 604800
  24. findtime = 3600
  25. maxretry = 3
  26.  
  27. # "backend" specifies the backend used to get files modification. Available
  28. # options are "gamin", "polling" and "auto".
  29. # yoh: For some reason Debian shipped python-gamin didn't work as expected
  30. # This issue left ToDo, so polling is default backend for now
  31. backend = auto
  32.  
  33. #
  34. # Destination email address used solely for the interpolations in
  35. # jail.{conf,local} configuration files.
  36. destemail = root@localhost
  37.  
  38. #
  39. # ACTIONS
  40. #
  41.  
  42. # Default banning action (e.g. iptables, iptables-new,
  43. # iptables-multiport, shorewall, etc) It is used to define
  44. # action_* variables. Can be overridden globally or per
  45. # section within jail.local file
  46. banaction = iptables-multiport
  47.  
  48. # email action. Since 0.8.1 upstream fail2ban uses sendmail
  49. # MTA for the mailing. Change mta configuration parameter to mail
  50. # if you want to revert to conventional 'mail'.
  51. mta = sendmail
  52.  
  53. # Default protocol
  54. protocol = tcp
  55.  
  56. # Specify chain where jumps would need to be added in iptables-* actions
  57. chain = INPUT
  58.  
  59. #
  60. # Action shortcuts. To be used to define action parameter
  61.  
  62. # The simplest action to take: ban only
  63. action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  64.  
  65. # ban & send an e-mail with whois report to the destemail.
  66. action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  67. %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
  68.  
  69. # ban & send an e-mail with whois report and relevant log lines
  70. # to the destemail.
  71. action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  72. %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
  73.  
  74. # Choose default action. To change, just override value of 'action' with the
  75. # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
  76. # globally (section [DEFAULT]) or per specific section
  77. action = %(action_)s
  78.  
  79. #
  80. # JAILS
  81. #
  82.  
  83. # The following jails correspond to the standard configuration in Fail2ban 0.6 which
  84. # was shipped in Debian. Enable any jail defined here by including
  85. #
  86. # [SECTION_NAME]
  87. # enabled = true
  88.  
  89. #
  90. # in /etc/fail2ban/jail.local.
  91. #
  92. # Optionally you may override any other parameter (e.g. banaction,
  93. # action, port, logpath, etc) in that section within jail.local
  94.  
  95. [ssh]
  96.  
  97. enabled = true
  98. port = ssh
  99. filter = sshd
  100. logpath = /var/log/auth.log
  101. maxretry = 3
  102.  
  103. [dropbear]
  104.  
  105. enabled = false
  106. port = ssh
  107. filter = sshd
  108. logpath = /var/log/dropbear
  109. maxretry = 6
  110.  
  111. # Generic filter for pam. Has to be used with action which bans all ports
  112. # such as iptables-allports, shorewall
  113. [pam-generic]
  114.  
  115. enabled = false
  116. # pam-generic filter can be customized to monitor specific subset of 'tty's
  117. filter = pam-generic
  118. # port actually must be irrelevant but lets leave it all for some possible uses
  119. port = all
  120. banaction = iptables-allports
  121. port = anyport
  122. logpath = /var/log/auth.log
  123. maxretry = 6
  124.  
  125. [xinetd-fail]
  126.  
  127. enabled = false
  128. filter = xinetd-fail
  129. port = all
  130. banaction = iptables-multiport-log
  131. logpath = /var/log/daemon.log
  132. maxretry = 2
  133.  
  134.  
  135. [ssh-ddos]
  136.  
  137. enabled = true
  138. port = ssh
  139. filter = sshd-ddos
  140. logpath = /var/log/auth.log
  141. maxretry = 3
  142.  
  143. #
  144. # HTTP servers
  145. #
  146.  
  147. [apache]
  148.  
  149. enabled = true
  150. port = http,https
  151. filter = apache-auth
  152. logpath = /var/log/apache*/*error.log
  153. maxretry = 3
  154.  
  155. # default action is now multiport, so apache-multiport jail was left
  156. # for compatibility with previous (<0.7.6-2) releases
  157. [apache-multiport]
  158.  
  159. enabled = true
  160. port = http,https
  161. filter = apache-auth
  162. logpath = /var/log/apache*/*error.log
  163. maxretry = 3
  164.  
  165. [apache-noscript]
  166.  
  167. enabled = true
  168. port = http,https
  169. filter = apache-noscript
  170. logpath = /var/log/apache*/*error.log
  171. maxretry = 3
  172.  
  173. [apache-overflows]
  174.  
  175. enabled = true
  176. port = http,https
  177. filter = apache-overflows
  178. logpath = /var/log/apache*/*error.log
  179. maxretry = 2
  180.  
  181. #
  182. # FTP servers
  183. #
  184.  
  185. [vsftpd]
  186.  
  187. enabled = true
  188. port = ftp,ftp-data,ftps,ftps-data
  189. filter = vsftpd
  190. logpath = /var/log/vsftpd.log
  191. # or overwrite it in jails.local to be
  192. # logpath = /var/log/auth.log
  193. # if you want to rely on PAM failed login attempts
  194. # vsftpd's failregex should match both of those formats
  195. maxretry = 2
  196.  
  197.  
  198. [proftpd]
  199.  
  200. enabled = true
  201. port = ftp,ftp-data,ftps,ftps-data
  202. filter = proftpd
  203. logpath = /var/log/proftpd/proftpd.log
  204. maxretry = 3
  205.  
  206.  
  207. [pure-ftpd]
  208.  
  209. enabled = true
  210. port = ftp,ftp-data,ftps,ftps-data
  211. filter = pure-ftpd
  212. logpath = /var/log/auth.log
  213. maxretry = 4
  214.  
  215.  
  216. [wuftpd]
  217.  
  218. enabled = false
  219. port = ftp,ftp-data,ftps,ftps-data
  220. filter = wuftpd
  221. logpath = /var/log/auth.log
  222. maxretry = 6
  223.  
  224.  
  225. #
  226. # Mail servers
  227. #
  228.  
  229. [postfix]
  230.  
  231. enabled = false
  232. port = smtp,ssmtp
  233. filter = postfix
  234. logpath = /var/log/mail.log
  235.  
  236.  
  237. [couriersmtp]
  238.  
  239. enabled = false
  240. port = smtp,ssmtp
  241. filter = couriersmtp
  242. logpath = /var/log/mail.log
  243.  
  244.  
  245. #
  246. # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
  247. # all relevant ports get banned
  248. #
  249.  
  250. [courierauth]
  251.  
  252. enabled = false
  253. port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
  254. filter = courierlogin
  255. logpath = /var/log/mail.log
  256.  
  257.  
  258. [sasl]
  259.  
  260. enabled = false
  261. port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
  262. filter = sasl
  263. # You might consider monitoring /var/log/mail.warn instead if you are
  264. # running postfix since it would provide the same log lines at the
  265. # "warn" level but overall at the smaller filesize.
  266. logpath = /var/log/mail.log
  267.  
  268. [dovecot]
  269.  
  270. enabled = false
  271. port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
  272. filter = dovecot
  273. logpath = /var/log/mail.log
  274.  
  275. # DNS Servers
  276.  
  277.  
  278. # These jails block attacks against named (bind9). By default, logging is off
  279. # with bind9 installation. You will need something like this:
  280. #
  281. # logging {
  282. # channel security_file {
  283. # file "/var/log/named/security.log" versions 3 size 30m;
  284. # severity dynamic;
  285. # print-time yes;
  286. # };
  287. # category security {
  288. # security_file;
  289. # };
  290. # };
  291. #
  292. # in your named.conf to provide proper logging
  293.  
  294. # !!! WARNING !!!
  295. # Since UDP is a connection-less protocol, spoofing the source IP and imitating
  296. # illegal actions is far too simple. Thus enabling this filter
  297. # might provide an easy way to implement a DoS against a chosen
  298. # victim. See
  299. # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
  300. # Please DO NOT USE this jail unless you know what you are doing.
  301. #[named-refused-udp]
  302. #
  303. #enabled = false
  304. #port = domain,953
  305. #protocol = udp
  306. #filter = named-refused
  307. #logpath = /var/log/named/security.log
  308.  
  309. [named-refused-tcp]
  310.  
  311. enabled = false
  312. port = domain,953
  313. protocol = tcp
  314. filter = named-refused
  315. logpath = /var/log/named/security.log