  1. # Fail2Ban configuration file.
  2. #
  3. # This file was composed for Debian systems from the original one
  4. # provided now under /usr/share/doc/fail2ban/examples/jail.conf
  5. # for additional examples.
  6. #
  7. # To avoid merges during upgrades DO NOT MODIFY THIS FILE
  8. # and rather provide your changes in /etc/fail2ban/jail.local
  9. #
  10. # Author: Yaroslav O. Halchenko <debian@onerussian.com>
  11. #
  12. # $Revision: 281 $
  13. #
  14.  
# The DEFAULT section holds global definitions of the options. Any of them
# can be overridden in an individual jail section afterwards.
  17.  
  18. [DEFAULT]
  19.  
  20. # "ignoreip" can be an IP address, a CIDR mask or a DNS host
  21. ignoreip = 127.0.0.1
  22. bantime = 600
  23. maxretry = 3
  24. findtime = 600
  25. action = action_
  26.  
  27. # "backend" specifies the backend used to get files modification. Available
  28. # options are "gamin", "polling" and "auto".
  29. # yoh: For some reason Debian shipped python-gamin didn't work as expected
  30. # This issue left ToDo, so polling is default backend for now
  31. backend = polling
  32.  
  33. #
  34. # Destination email address used solely for the interpolations in
  35. # jail.{conf,local} configuration files.
  36. destemail = root@localhost
  37.  
  38. #
  39. # ACTIONS
  40. #
  41.  
  42. # Default banning action (e.g. iptables, iptables-new,
  43. # iptables-multiport, shorewall, etc) It is used to define
  44. # action_* variables. Can be overriden globally or per
  45. # section within jail.local file
  46. banaction = iptables-multiport
  47.  
  48. # email action. Since 0.8.1 upstream fail2ban uses sendmail
  49. # MTA for the mailing. Change mta configuration parameter to mail
  50. # if you want to revert to conventional 'mail'.
  51. mta = sendmail
  52.  
  53. # Default protocol
  54. protocol = tcp
  55.  
  56. #
  57. # Action shortcuts. To be used to define action parameter
  58.  
  59. # The simplest action to take: ban only
  60. action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
  61.  
  62. # ban & send an e-mail with whois report to the destemail.
  63. action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
  64. %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s]
  65.  
  66. # ban & send an e-mail with whois report and relevant log lines
  67. # to the destemail.
  68. action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s]
  69. %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
  70.  
  71. # Choose default action. To change, just override value of 'action' with the
  72. # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
  73. # globally (section [DEFAULT]) or per specific section
  74. action = %(action_)s
  75.  
  76. #
  77. # JAILS
  78. #
  79.  
# The jails below correspond to the standard configuration of Fail2ban 0.6
# as shipped in Debian. Enable any jail defined here by including
  82. #
  83. # [SECTION_NAME]
  84. # enabled = true
  85.  
  86. #
  87. # in /etc/fail2ban/jail.local.
  88. #
  89. # Optionally you may override any other parameter (e.g. banaction,
  90. # action, port, logpath, etc) in that section within jail.local
  91.  
  92. [ssh]
  93.  
  94. enabled = true
  95. port = 443
  96. filter = sshd
  97. logpath = /var/log/auth.log
  98. maxretry = 4
  99.  
  100. # Generic filter for pam. Has to be used with action which bans all ports
  101. # such as iptables-allports, shorewall
  102. [pam-generic]
  103.  
  104. enabled = false
  105. # pam-generic filter can be customized to monitor specific subset of 'tty's
  106. filter = pam-generic
  107. # port actually must be irrelevant but lets leave it all for some possible uses
  108. port = all
  109. banaction = iptables-allports
  110. port = anyport
  111. logpath = /var/log/auth.log
  112. maxretry = 6
  113.  
  114. [xinetd-fail]
  115.  
  116. enabled = false
  117. filter = xinetd-fail
  118. port = all
  119. banaction = iptables-multiport-log
  120. logpath = /var/log/daemon.log
  121. maxretry = 2
  122.  
  123.  
  124. [ssh-ddos]
  125.  
  126. enabled = false
  127. port = ssh
  128. filter = sshd-ddos
  129. logpath = /var/log/auth.log
  130. maxretry = 6
  131.  
  132. #
  133. # HTTP servers
  134. #
  135.  
  136. [apache]
  137.  
  138. enabled = false
  139. port = http,https
  140. filter = apache-auth
  141. logpath = /var/log/apache*/*error.log
  142. maxretry = 6
  143.  
  144. # default action is now multiport, so apache-multiport jail was left
  145. # for compatibility with previous (<0.7.6-2) releases
  146. [apache-multiport]
  147.  
  148. enabled = false
  149. port = http,https
  150. filter = apache-auth
  151. logpath = /var/log/apache*/*error.log
  152. maxretry = 6
  153.  
  154. [apache-noscript]
  155.  
  156. enabled = false
  157. port = http,https
  158. filter = apache-noscript
  159. logpath = /var/log/apache*/*error.log
  160. maxretry = 6
  161.  
  162. [apache-overflows]
  163.  
  164. enabled = false
  165. port = http,https
  166. filter = apache-overflows
  167. logpath = /var/log/apache*/*error.log
  168. maxretry = 2
  169.  
  170. #
  171. # FTP servers
  172. #
  173.  
  174. [vsftpd]
  175.  
  176. enabled = false
  177. port = ftp,ftp-data,ftps,ftps-data
  178. filter = vsftpd
  179. logpath = /var/log/vsftpd.log
  180. # or overwrite it in jails.local to be
  181. # logpath = /var/log/auth.log
  182. # if you want to rely on PAM failed login attempts
  183. # vsftpd's failregex should match both of those formats
  184. maxretry = 6
  185.  
  186.  
  187. [proftpd]
  188.  
  189. enabled = false
  190. port = ftp,ftp-data,ftps,ftps-data
  191. filter = proftpd
  192. logpath = /var/log/proftpd/proftpd.log
  193. maxretry = 6
  194.  
  195.  
  196. [wuftpd]
  197.  
  198. enabled = false
  199. port = ftp,ftp-data,ftps,ftps-data
  200. filter = wuftpd
  201. logpath = /var/log/auth.log
  202. maxretry = 6
  203.  
  204.  
  205. #
  206. # Mail servers
  207. #
  208.  
  209. [postfix]
  210.  
  211. enabled = false
  212. port = smtp,ssmtp
  213. filter = postfix
  214. logpath = /var/log/mail.log
  215.  
  216.  
  217. [couriersmtp]
  218.  
  219. enabled = false
  220. port = smtp,ssmtp
  221. filter = couriersmtp
  222. logpath = /var/log/mail.log
  223.  
  224.  
  225. #
  226. # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
  227. # all relevant ports get banned
  228. #
  229.  
  230. [courierauth]
  231.  
  232. enabled = false
  233. port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
  234. filter = courierlogin
  235. logpath = /var/log/mail.log
  236.  
  237.  
  238. [sasl]
  239.  
  240. enabled = false
  241. port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
  242. filter = sasl
  243. # You might consider monitoring /var/log/warn.log instead
  244. # if you are running postfix. See http://bugs.debian.org/507990
  245. logpath = /var/log/mail.log
  246.  
  247.  
  248. # DNS Servers
  249.  
  250.  
  251. # These jails block attacks against named (bind9). By default, logging is off
  252. # with bind9 installation. You will need something like this:
  253. #
  254. # logging {
  255. # channel security_file {
  256. # file "/var/log/named/security.log" versions 3 size 30m;
  257. # severity dynamic;
  258. # print-time yes;
  259. # };
  260. # category security {
  261. # security_file;
  262. # };
  263. # };
  264. #
  265. # in your named.conf to provide proper logging
  266.  
  267. # Word of Caution:
  268. # Given filter can lead to DoS attack against your DNS server
  269. # since there is no way to assure that UDP packets come from the
  270. # real source IP
  271. [named-refused-udp]
  272.  
  273. enabled = false
  274. port = domain,953
  275. protocol = udp
  276. filter = named-refused
  277. logpath = /var/log/named/security.log
  278.  
  279. [named-refused-tcp]
  280.  
  281. enabled = false
  282. port = domain,953
  283. protocol = tcp
  284. filter = named-refused
  285. logpath = /var/log/named/security.log