/etc/fail2ban/jail.conf

By: a guest on Mar 6th, 2011  |  syntax: None  |  size: 6.61 KB  |  views: 62  |  expires: Never
download  |  raw  |  embed  |  report abuse  |  print
Text below is selected. Please press Ctrl+C to copy to your clipboard. (⌘+C on Mac)
# cat /etc/fail2ban/jail.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
#
# Conventions used throughout this file:
#  - comments are full-line "#" only; never append a comment to a value line
#  - a key that carries several values ("action", "logpath") puts each extra
#    value on its own indented continuation line directly under the key;
#    do not insert comments between a key and its continuation lines
#  - every "[name]" below is one jail; a key set inside a jail replaces the
#    value inherited from [DEFAULT] for that jail only

# The DEFAULT allows a global definition of the options. They can be override
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# Anything listed here is exempt from every jail that does not override it,
# so keep it to loopback and known administrative hosts.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
# 600 s = 10 min; several jails below override this per service.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
# NOTE(review): the shipped 600 s window is commented out in favour of 30 s.
# Together with maxretry = 3 below, only 3 or more failures inside the same
# 30 s trigger a ban; attempts paced slower than that are never counted
# together - confirm this short window is intentional.
#findtime  = 600
findtime  = 30

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto
  39.  
  40.  
# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
#
# Disabled here: with enabled = false, SSH brute-force attempts are not
# banned by this file at all (the only jail switched on below is
# vsftpd-iptables). "dest" and "sender" are placeholders at a real domain;
# the notification carries the banned address and the whois output, so point
# "dest" at a mailbox you control before enabling.
# NOTE(review): logpath is distribution-dependent - the [ssh-ipfw] jail
# further down reads /var/log/auth.log instead; confirm where sshd logs here.

[ssh-iptables]

enabled  = false
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
logpath  = /var/log/sshd.log
# Overrides the [DEFAULT] value of 3 for this jail only.
maxretry = 5
  53.  
# ProFTPD login failures, banned via iptables on the ftp port, with a
# whois-enriched e-mail per ban. Disabled; "dest" is a placeholder that must
# be replaced before enabling.

[proftpd-iptables]

enabled  = false
filter   = proftpd
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@mail.com]
logpath  = /var/log/proftpd/proftpd.log
# Overrides the [DEFAULT] value of 3 for this jail only.
maxretry = 6
  62.  
# This jail forces the backend to "polling".
#
# SASL authentication failures seen in the mail log; the ban is applied on the
# smtp port only, so the same host can still reach other services.
# No maxretry/bantime here: the [DEFAULT] values (3 failures, 600 s) apply.

[sasl-iptables]

enabled  = false
filter   = sasl
# Per-jail override of the "auto" backend chosen in [DEFAULT].
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=you@mail.com]
logpath  = /var/log/mail.log
  73.  
# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".
#
# "hostsdeny" blocks by writing the offender into hosts.deny, so it only
# protects services that honour TCP wrappers - not the packet filter.
# "ignoreregex" drops every log line that matches it from the count: as
# written, failed logins for "myuser" are never banned, which also means a
# brute-force attack against that account is invisible to this jail. Keep the
# expression as narrow as possible.

[ssh-tcpwrapper]

enabled     = false
filter      = sshd
action      = hostsdeny
              sendmail-whois[name=SSH, dest=you@mail.com]
ignoreregex = for myuser from
logpath     = /var/log/sshd.log
  85.  
# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.
#
# The first logpath entry is a glob over every apache*/ directory under
# /var/log; the second, on an indented continuation line, adds one more file.
# Blocking is via hosts.deny (TCP wrappers), not iptables.

[apache-tcpwrapper]

enabled  = false
filter   = apache-auth
action   = hostsdeny
logpath  = /var/log/apache*/*error.log
           /home/www/myhomepage/error.log
# Overrides the [DEFAULT] value of 3 for this jail only.
maxretry = 6
  97.  
# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.
#
# Notification here is plain "sendmail" (no whois lookup in the body).
# bantime overrides [DEFAULT]: 300 s = 5 min.

[postfix-tcpwrapper]

enabled  = false
filter   = postfix
action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
           sendmail[name=Postfix, dest=you@mail.com]
logpath  = /var/log/postfix.log
bantime  = 300
  109.  
# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most once per "bantime" seconds - 1800 s
# (30 min) in this jail, not the 600 s inherited from [DEFAULT].
#
# The only action is sendmail-whois, so a matching host is reported but
# remains able to connect; pair with [vsftpd-iptables] below to actually block.

[vsftpd-notification]

enabled  = false
filter   = vsftpd
action   = sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800
  121.  
# Same as above but with banning the IP address.
#
# NOTE(review): this is the only jail in the file with enabled = true, and its
# "dest" is still the placeholder you@mail.com. Every ban (5 failures within
# the 30 s [DEFAULT] findtime) mails the offender's address plus a whois
# lookup to that mailbox at a third-party domain - set "dest" to an address
# you own, or drop the sendmail-whois line.
# bantime 1800 s = 30 min.

[vsftpd-iptables]

enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
bantime  = 1800
  133.  
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
#
# maxretry = 1: a single matching request bans the client.
# bantime 172800 s = 48 h. The multiport "port" value is quoted because it
# contains a comma. sendmail-buffered collects 5 lines per message instead
# of mailing on every ban.

[apache-badbots]

enabled  = false
filter   = apache-badbots
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
logpath  = /var/www/*/logs/access_log
bantime  = 172800
maxretry = 1
  146.  
  147. # Use shorewall instead of iptables.
  148.  
  149. [apache-shorewall]
  150.  
  151. enabled  = false
  152. filter   = apache-noscript
  153. action   = shorewall
  154.            sendmail[name=Postfix, dest=you@mail.com]
  155. logpath  = /var/log/apache2/error_log
  156.  
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
#
# maxretry = 1: one matching request is enough.
# NOTE(review): this jail sets "port" but no "action", and [DEFAULT] above
# defines no action either, so it is not visible from this file which ban
# action (if any) would run - confirm before enabling.

[php-url-fopen]

enabled = false
port    = http,https
filter  = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1
  168.  
# A simple PHP-fastcgi jail which works with lighttpd.
# If you run a lighttpd server, then you probably will
# find these kinds of messages in your error_log:
# ALERT - tried to register forbidden variable 'GLOBALS'
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
# This jail would block the IP 1.2.3.4.
#
# NOTE(review): like [php-url-fopen], this jail sets "port" but no "action",
# and [DEFAULT] defines none - confirm which ban action applies before
# enabling.

[lighttpd-fastcgi]

enabled = false
port    = http,https
filter  = lighttpd-fastcgi
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
# Two matching alerts within [DEFAULT] findtime trigger the ban.
maxretry = 2
  184.  
# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.
#
# NOTE(review): 168.192.0.1 is not a private (RFC 1918) address and looks like
# a transposition of the 192.168.0.1 passed to ipfw as "localhost" just below.
# As written, that public address is exempt from banning in this jail, and
# because a per-jail ignoreip replaces the [DEFAULT] list rather than
# extending it, 127.0.0.1 is no longer exempt here - confirm the intended
# value.

[ssh-ipfw]

enabled  = false
filter   = sshd
action   = ipfw[localhost=192.168.0.1]
           sendmail-whois[name="SSH,IPFW", dest=you@mail.com]
logpath  = /var/log/auth.log
ignoreip = 168.192.0.1
  198.  
# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.
#
# Ports: "domain" (53) and 953 (the rndc control channel); the value is quoted
# because it contains a comma.
# NOTE(review): ignoreip = 168.192.0.1 is a public address, probably a
# transposition of 192.168.0.1; it replaces the [DEFAULT] list for this jail,
# so 127.0.0.1 is not exempt here - confirm the intended value.

[named-refused-udp]

enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
           sendmail-whois[name=Named, dest=you@mail.com]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.1
  224.  
# This jail blocks TCP traffic for DNS requests.
#
# Mirror of [named-refused-udp] with protocol=tcp; both read the same
# security.log produced by the named.conf logging snippet above.
# NOTE(review): ignoreip = 168.192.0.1 is a public address, probably a
# transposition of 192.168.0.1; it replaces the [DEFAULT] list for this jail,
# so 127.0.0.1 is not exempt here - confirm the intended value.

[named-refused-tcp]

enabled  = false
filter   = named-refused
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
           sendmail-whois[name=Named, dest=you@mail.com]
logpath  = /var/log/named/security.log
ignoreip = 168.192.0.1