
Untitled

a guest
Nov 3rd, 2011
  1. # Fail2Ban configuration file
  2. #
  3. # Author: Cyril Jaquier
  4. #
  5. # $Revision: 747 $
  6. #
  7.  
  8. # The DEFAULT allows a global definition of the options. They can be override
  9. # in each jail afterwards.
  10.  
  11. [DEFAULT]
  12.  
  13. # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
  14. # ban a host which matches an address in this list. Several addresses can be
  15. # defined using space separator.
  16. ignoreip = 127.0.0.1 89.93.37.26
  17.  
  18. # "bantime" is the number of seconds that a host is banned.
  19. bantime = 600
  20.  
  21. # A host is banned if it has generated "maxretry" during the last "findtime"
  22. # seconds.
  23. findtime = 600
  24.  
  25. # "maxretry" is the number of failures before a host get banned.
  26. maxretry = 3
  27.  
  28. # "backend" specifies the backend used to get files modification. Available
  29. # options are "gamin", "polling" and "auto". This option can be overridden in
  30. # each jail too (use "gamin" for a jail and "polling" for another).
  31. #
  32. # gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
  33. # is not installed, Fail2ban will use polling.
  34. # polling: uses a polling algorithm which does not require external libraries.
  35. # auto: will choose Gamin if available and polling otherwise.
  36. backend = auto
  37.  
  38.  
  39. # This jail corresponds to the standard configuration in Fail2ban 0.6.
  40. # The mail-whois action send a notification e-mail with a whois request
  41. # in the body.
  42.  
  43. [ssh-iptables]
  44.  
  45. enabled = true
  46. filter = sshd
  47. action = iptables[name=SSH, port=ssh, protocol=tcp]
  48. sendmail-whois[name=SSH, dest=root, sender=fail2ban@mail.com]
  49. logpath = /var/log/secure
  50. maxretry = 5
  51.  
  52. [proftpd-iptables]
  53.  
  54. enabled = false
  55. filter = proftpd
  56. action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
  57. sendmail-whois[name=ProFTPD, dest=you@mail.com]
  58. logpath = /var/log/proftpd/proftpd.log
  59. maxretry = 6
  60.  
  61. # This jail forces the backend to "polling".
  62.  
  63. [sasl-iptables]
  64.  
  65. enabled = false
  66. filter = sasl
  67. backend = polling
  68. action = iptables[name=sasl, port=smtp, protocol=tcp]
  69. sendmail-whois[name=sasl, dest=you@mail.com]
  70. logpath = /var/log/mail.log
  71.  
  72. # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
  73. # used to avoid banning the user "myuser".
  74.  
  75. [ssh-tcpwrapper]
  76.  
  77. enabled = false
  78. filter = sshd
  79. action = hostsdeny
  80. sendmail-whois[name=SSH, dest=you@mail.com]
  81. ignoreregex = for myuser from
  82. logpath = /var/log/sshd.log
  83.  
  84. # This jail demonstrates the use of wildcards in "logpath".
  85. # Moreover, it is possible to give other files on a new line.
  86.  
  87. [apache-tcpwrapper]
  88.  
  89. enabled = false
  90. filter = apache-auth
  91. action = hostsdeny
  92. logpath = /var/log/apache*/*error.log
  93. /home/www/myhomepage/error.log
  94. maxretry = 6
  95.  
  96. # The hosts.deny path can be defined with the "file" argument if it is
  97. # not in /etc.
  98.  
  99. [postfix-tcpwrapper]
  100.  
  101. enabled = false
  102. filter = postfix
  103. action = hostsdeny[file=/not/a/standard/path/hosts.deny]
  104. sendmail[name=Postfix, dest=you@mail.com]
  105. logpath = /var/log/postfix.log
  106. bantime = 300
  107.  
  108. # Do not ban anybody. Just report information about the remote host.
  109. # A notification is sent at most every 600 seconds (bantime).
  110.  
  111. [vsftpd-notification]
  112.  
  113. enabled = false
  114. filter = vsftpd
  115. action = sendmail-whois[name=VSFTPD, dest=you@mail.com]
  116. logpath = /var/log/vsftpd.log
  117. maxretry = 5
  118. bantime = 1800
  119.  
  120. # Same as above but with banning the IP address.
  121.  
  122. [vsftpd-iptables]
  123.  
  124. enabled = false
  125. filter = vsftpd
  126. action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
  127. sendmail-whois[name=VSFTPD, dest=you@mail.com]
  128. logpath = /var/log/vsftpd.log
  129. maxretry = 5
  130. bantime = 1800
  131.  
  132. # Ban hosts which agent identifies spammer robots crawling the web
  133. # for email addresses. The mail outputs are buffered.
  134.  
  135. [apache-badbots]
  136.  
  137. enabled = false
  138. filter = apache-badbots
  139. action = iptables-multiport[name=BadBots, port="http,https"]
  140. sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
  141. logpath = /var/www/*/logs/access_log
  142. bantime = 172800
  143. maxretry = 1
  144.  
  145. # Use shorewall instead of iptables.
  146.  
  147. [apache-shorewall]
  148.  
  149. enabled = false
  150. filter = apache-noscript
  151. action = shorewall
  152. sendmail[name=Postfix, dest=you@mail.com]
  153. logpath = /var/log/apache2/error_log
  154.  
  155. # Ban attackers that try to use PHP's URL-fopen() functionality
  156. # through GET/POST variables. - Experimental, with more than a year
  157. # of usage in production environments.
  158.  
  159. [php-url-fopen]
  160.  
  161. enabled = false
  162. port = http,https
  163. filter = php-url-fopen
  164. logpath = /var/www/*/logs/access_log
  165. maxretry = 1
  166.  
  167. # A simple PHP-fastcgi jail which works with lighttpd.
  168. # If you run a lighttpd server, then you probably will
  169. # find these kinds of messages in your error_log:
  170. # ALERT – tried to register forbidden variable ‘GLOBALS’
  171. # through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
  172. # This jail would block the IP 1.2.3.4.
  173.  
  174. [lighttpd-fastcgi]
  175.  
  176. enabled = true
  177. port = http,https
  178. filter = lighttpd-fastcgi
  179. # adapt the following two items as needed
  180. logpath = /var/log/lighttpd/error.log
  181. maxretry = 2
  182.  
  183. # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
  184. # option is overridden in this jail. Moreover, the action "mail-whois" defines
  185. # the variable "name" which contains a comma using "". The characters '' are
  186. # valid too.
  187.  
  188. [ssh-ipfw]
  189.  
  190. enabled = false
  191. filter = sshd
  192. action = ipfw[localhost=192.168.0.1]
  193. sendmail-whois[name="SSH,IPFW", dest=you@mail.com]
  194. logpath = /var/log/auth.log
  195. ignoreip = 168.192.0.1
  196.  
  197. # These jails block attacks against named (bind9). By default, logging is off
  198. # with bind9 installation. You will need something like this:
  199. #
  200. # logging {
  201. # channel security_file {
  202. # file "/var/log/named/security.log" versions 3 size 30m;
  203. # severity dynamic;
  204. # print-time yes;
  205. # };
  206. # category security {
  207. # security_file;
  208. # };
  209. # };
  210. #
  211. # in your named.conf to provide proper logging.
  212. # This jail blocks UDP traffic for DNS requests.
  213.  
  214. [named-refused-udp]
  215.  
  216. enabled = false
  217. filter = named-refused
  218. action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
  219. sendmail-whois[name=Named, dest=you@mail.com]
  220. logpath = /var/log/named/security.log
  221. ignoreip = 168.192.0.1
  222.  
  223. # This jail blocks TCP traffic for DNS requests.
  224.  
  225. [named-refused-tcp]
  226.  
  227. enabled = false
  228. filter = named-refused
  229. action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
  230. sendmail-whois[name=Named, dest=you@mail.com]
  231. logpath = /var/log/named/security.log
  232. ignoreip = 168.192.0.1
  233.  