jail.local

a guest
Jun 18th, 2013
  1. # Fail2Ban configuration file.
  2. #
  3. # This file was composed for Debian systems from the original one
  4. # provided now under /usr/share/doc/fail2ban/examples/jail.conf
  5. # for additional examples.
  6. #
  7. # To avoid merges during upgrades DO NOT MODIFY THIS FILE
  8. # and rather provide your changes in /etc/fail2ban/jail.local
  9. #
  10. # Author: Yaroslav O. Halchenko <debian@onerussian.com>
  11. #
  12. # $Revision: 281 $
  13. #
  14.  
  15. # The DEFAULT allows a global definition of the options. They can be override
  16. # in each jail afterwards.
  17.  
  18. [DEFAULT]
  19.  
  20. # "ignoreip" can be an IP address, a CIDR mask or a DNS host
  21. ignoreip = 127.0.0.1
  22. bantime = 600
  23. maxretry = 4
  24.  
  25. # "backend" specifies the backend used to get files modification. Available
  26. # options are "gamin", "polling" and "auto".
  27. # yoh: For some reason Debian shipped python-gamin didn't work as expected
  28. # This issue left ToDo, so polling is default backend for now
  29. backend = polling
  30.  
  31. #
  32. # Destination email address used solely for the interpolations in
  33. # jail.{conf,local} configuration files.
  34. destemail = root@royal-streets.de
  35.  
  36. #
  37. # ACTIONS
  38. #
  39.  
  40. # Default banning action (e.g. iptables, iptables-new,
  41. # iptables-multiport, shorewall, etc) It is used to define
  42. # action_* variables. Can be overriden globally or per
  43. # section within jail.local file
  44. banaction = iptables-multiport
  45.  
  46. # email action. Since 0.8.1 upstream fail2ban uses sendmail
  47. # MTA for the mailing. Change mta configuration parameter to mail
  48. # if you want to revert to conventional 'mail'.
  49. mta = sendmail
  50.  
  51. # Default protocol
  52. protocol = tcp
  53.  
  54. #
  55. # Action shortcuts. To be used to define action parameter
  56.  
  57. # The simplest action to take: ban only
  58. action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
  59.  
  60. # ban & send an e-mail with whois report to the destemail.
  61. action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
  62. %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]
  63.  
  64. # ban & send an e-mail with whois report and relevant log lines
  65. # to the destemail.
  66. action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
  67. %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
  68.  
  69. # Choose default action. To change, just override value of 'action' with the
  70. # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
  71. # globally (section [DEFAULT]) or per specific section
  72. action = %(action_)s
  73.  
  74. #
  75. # JAILS
  76. #
  77.  
  78. # Next jails corresponds to the standard configuration in Fail2ban 0.6 which
  79. # was shipped in Debian. Enable any defined here jail by including
  80. #
  81. # [SECTION_NAME]
  82. # enabled = true
  83.  
  84. #
  85. # in /etc/fail2ban/jail.local.
  86. #
  87. # Optionally you may override any other parameter (e.g. banaction,
  88. # action, port, logpath, etc) in that section within jail.local
  89.  
  90. [ssh]
  91.  
  92. enabled = true
  93. port = ssh
  94. filter = sshd
  95. logpath = /var/log/auth.log
  96. maxretry = 6
  97.  
  98. # Generic filter for pam. Has to be used with action which bans all ports
  99. # such as iptables-allports, shorewall
  100. [pam-generic]
  101.  
  102. enabled = false
  103. # pam-generic filter can be customized to monitor specific subset of 'tty's
  104. filter = pam-generic
  105. # port actually must be irrelevant but lets leave it all for some possible uses
  106. port = all
  107. banaction = iptables-allports
  108. port = anyport
  109. logpath = /var/log/auth.log
  110. maxretry = 6
  111.  
  112. [xinetd-fail]
  113.  
  114. enabled = false
  115. filter = xinetd-fail
  116. port = all
  117. banaction = iptables-multiport-log
  118. logpath = /var/log/daemon.log
  119. maxretry = 2
  120.  
  121.  
  122. [ssh-ddos]
  123.  
  124. enabled = true
  125. port = ssh
  126. filter = sshd-ddos
  127. logpath = /var/log/auth.log
  128. maxretry = 10
  129.  
  130. #
  131. # HTTP servers
  132. #
  133.  
  134. [apache]
  135.  
  136. enabled = true
  137. port = http,https
  138. filter = apache-auth
  139. logpath = /var/log/apache*/*error.log
  140. maxretry = 10
  141.  
  142. # default action is now multiport, so apache-multiport jail was left
  143. # for compatibility with previous (<0.7.6-2) releases
  144. [apache-multiport]
  145.  
  146. enabled = false
  147. port = http,https
  148. filter = apache-auth
  149. logpath = /var/log/apache*/*error.log
  150. maxretry = 6
  151.  
  152. [apache-noscript]
  153.  
  154. enabled = false
  155. port = http,https
  156. filter = apache-noscript
  157. logpath = /var/log/apache*/*error.log
  158. maxretry = 6
  159.  
  160. [apache-overflows]
  161.  
  162. enabled = false
  163. port = http,https
  164. filter = apache-overflows
  165. logpath = /var/log/apache*/*error.log
  166. maxretry = 2
  167.  
  168. #
  169. # FTP servers
  170. #
  171.  
  172. [vsftpd]
  173.  
  174. enabled = true
  175. port = ftp,ftp-data,ftps,ftps-data
  176. filter = vsftpd
  177. logpath = /var/log/vsftpd.log
  178. # or overwrite it in jails.local to be
  179. # logpath = /var/log/auth.log
  180. # if you want to rely on PAM failed login attempts
  181. # vsftpd's failregex should match both of those formats
  182. maxretry = 6
  183.  
  184.  
  185. [proftpd]
  186.  
  187. enabled = true
  188. port = ftp,ftp-data,ftps,ftps-data
  189. filter = proftpd
  190. logpath = /var/log/proftpd/proftpd.log
  191. maxretry = 6
  192.  
  193.  
  194. [wuftpd]
  195.  
  196. enabled = true
  197. port = ftp,ftp-data,ftps,ftps-data
  198. filter = wuftpd
  199. logpath = /var/log/auth.log
  200. maxretry = 6
  201.  
  202.  
  203. #
  204. # Mail servers
  205. #
  206.  
  207. [postfix]
  208.  
  209. enabled = true
  210. port = smtp,ssmtp
  211. filter = postfix
  212. logpath = /var/log/mail.log
  213.  
  214.  
  215. [couriersmtp]
  216.  
  217. enabled = true
  218. port = smtp,ssmtp
  219. filter = couriersmtp
  220. logpath = /var/log/mail.log
  221.  
  222.  
  223. #
  224. # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
  225. # all relevant ports get banned
  226. #
  227.  
  228. [courierauth]
  229.  
  230. enabled = true
  231. port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
  232. filter = courierlogin
  233. logpath = /var/log/mail.log
  234.  
  235.  
  236. [sasl]
  237.  
  238. enabled = true
  239. port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
  240. filter = sasl
  241. # You might consider monitoring /var/log/warn.log instead
  242. # if you are running postfix. See http://bugs.debian.org/507990
  243. logpath = /var/log/mail.log
  244.  
  245.  
  246. # DNS Servers
  247.  
  248.  
  249. # These jails block attacks against named (bind9). By default, logging is off
  250. # with bind9 installation. You will need something like this:
  251. #
  252. # logging {
  253. # channel security_file {
  254. # file "/var/log/named/security.log" versions 3 size 30m;
  255. # severity dynamic;
  256. # print-time yes;
  257. # };
  258. # category security {
  259. # security_file;
  260. # };
  261. # };
  262. #
  263. # in your named.conf to provide proper logging
  264.  
  265. # !!! WARNING !!!
  266. # Since UDP is connectionless protocol, spoofing of IP and immitation
  267. # of illegal actions is way too simple. Thus enabling of this filter
  268. # might provide an easy way for implementing a DoS against a chosen
  269. # victim. See
  270. # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
  271. # Please DO NOT USE this jail unless you know what you are doing.
  272. #[named-refused-udp]
  273. #
  274. #enabled = false
  275. #port = domain,953
  276. #protocol = udp
  277. #filter = named-refused
  278. #logpath = /var/log/named/security.log
  279.  
  280. [named-refused-tcp]
  281.  
  282. enabled = false
  283. port = domain,953
  284. protocol = tcp
  285. filter = named-refused
  286. logpath = /var/log/named/security.log