# Fail2Ban jail specifications file
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# Changes:  in most cases you should not modify this
#           file, but provide customizations in the jail.local file, e.g.:
#
# [DEFAULT]
# bantime = 3600
#
# [ssh-iptables]
# enabled = true
#

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# Addresses (IP or CIDR) that are never banned by any jail. A source matching
# this list is exempt from every jail below, so keep it minimal and verify each
# entry: a typo here silently exempts an unintended range.
ignoreip = 127.0.0.1/8

# Seconds a host stays banned (86400 = 1 day). Individual jails override it.
bantime  = 86400

# Window in seconds within which "maxretry" failures trigger a ban.
findtime  = 300

# Number of failures inside "findtime" before a host is banned.
maxretry = 3

# Log-monitoring backend. NOTE(review): gamin is unmaintained; "auto" (tries
# pyinotify, then gamin, then polling) is the usual choice on 0.8.x releases --
# confirm for your version and set it in jail.local rather than editing here.
backend = gamin

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
# NOTE(review): "yes" and "warn" both resolve names found in log lines; "no"
# is the safest setting because it never acts on a name the remote side may
# have influenced. Consider "no" unless hostnames in logs are really needed.
usedns = warn


# This jail corresponds to the standard configuration in Fail2ban 0.6.
# The mail-whois action sends a notification e-mail with a whois request
# in the body.

[ssh-iptables]

# Enabled by default: bans via an iptables rule named SSH on the ssh port.
# NOTE(review): [ssh-route] in this file is also enabled on the same logpath,
# so one offender triggers two independent ban mechanisms; normally only one
# ssh-* jail should be active (override the other in jail.local).
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
# NOTE(review): /var/log/sshd.log is not where most distributions log sshd
# (commonly /var/log/auth.log or /var/log/secure) -- verify the path exists;
# a jail whose logpath does not exist typically fails to start.
logpath  = /var/log/sshd.log
maxretry = 3

[proftpd-iptables]

enabled  = false
filter   = proftpd
# Two actions: ban on the ftp port, then e-mail a whois report to "dest".
# Replace you@example.com before enabling, otherwise the notification goes
# to a placeholder address.
action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=ProFTPD, dest=you@example.com]
logpath  = /var/log/proftpd/proftpd.log
maxretry = 3

# This jail forces the backend to "polling".

[sasl-iptables]

enabled  = false
filter   = sasl
# Overrides the [DEFAULT] backend for this jail only.
backend  = polling
action   = iptables[name=sasl, port=smtp, protocol=tcp]
           sendmail-whois[name=sasl, dest=you@example.com]
logpath  = /var/log/mail.log

# ASSP SMTP Proxy Jail
[assp]
enabled  = false
filter   = assp
# Bans on SMTP (25), SMTPS (465) and submission (587) at once; the comma list
# must stay quoted.
action = iptables-multiport[name=assp,port="25,465,587"]
# Placeholder path -- point this at the real ASSP maillog before enabling.
logpath  = /root/path/to/assp/logs/maillog.txt

# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".

[ssh-tcpwrapper]

enabled     = false
filter      = sshd
action      = hostsdeny
              sendmail-whois[name=SSH, dest=you@example.com]
# Log lines matching this regex are never counted, so failures for that user
# can never lead to a ban. Keep such exemptions as narrow as possible.
ignoreregex = for myuser from
logpath     = /var/log/sshd.log

# Here we use blackhole routes so that no additional kernel support is needed
# to store large volumes of banned IPs

[ssh-route]

# Enabled by default. NOTE(review): [ssh-iptables] in this file is enabled on
# the same logpath, so every offender is banned twice by different mechanisms;
# normally only one ssh-* jail should be active (override in jail.local).
enabled = true
filter = sshd
# Bans by adding a blackhole route for the offending address.
action = route
# Verify this path exists on the host (often /var/log/auth.log or
# /var/log/secure instead).
logpath = /var/log/sshd.log
maxretry = 5

# Here we use a combination of Netfilter/Iptables and IPsets
# for storing large volumes of banned IPs
#
# IPset comes in two versions; see ipset -V for which one to use. Both
# require the ipset package and kernel support.
[ssh-iptables-ipset4]

enabled  = false
filter   = sshd
# ipset protocol version 4 flavour of the action.
action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/sshd.log
maxretry = 5

[ssh-iptables-ipset6]
enabled  = false
filter   = sshd
# ipset protocol version 6 flavour. A bantime of 600 s is passed to the action
# itself -- presumably an ipset entry timeout that overrides the [DEFAULT]
# bantime for this jail; confirm against the action definition.
action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
logpath  = /var/log/sshd.log
maxretry = 5

# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
# table number must be unique.
#
# This will create a deny rule for that table ONLY if a rule
# for the table doesn't already exist.
#
[ssh-bsd-ipfw]
enabled  = false
filter   = sshd
# Pick a table number that nothing else in the ipfw ruleset uses.
action   = bsd-ipfw[port=ssh,table=1]
logpath  = /var/log/auth.log
maxretry = 5

# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.

[apache-tcpwrapper]

enabled  = false
filter   = apache-auth
action   = hostsdeny
# Several log files: a glob pattern plus a second path on an indented
# continuation line (the indentation is what joins it to "logpath").
logpath  = /var/log/apache*/*error.log
           /home/www/myhomepage/error.log
maxretry = 6

# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.

[postfix-tcpwrapper]

enabled  = false
filter   = postfix
action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
           sendmail[name=Postfix, dest=you@example.com]
logpath  = /var/log/postfix.log
# Short ban (5 minutes), overriding the [DEFAULT] bantime for this jail only.
bantime  = 300

# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 1800 seconds (bantime).

[vsftpd-notification]

enabled  = false
filter   = vsftpd
# Notification-only: no firewall action is listed, so nothing is blocked.
action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
# Throttles how often the e-mail is sent for the same host.
bantime  = 1800

# Same as above but with banning the IP address.

[vsftpd-iptables]

# Enabled by default -- make sure /var/log/vsftpd.log exists and replace
# you@example.com, otherwise the mail action reports to a placeholder address.
enabled  = true
filter   = vsftpd
action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
           sendmail-whois[name=VSFTPD, dest=you@example.com]
logpath  = /var/log/vsftpd.log
maxretry = 5
# 30 minutes, overriding the [DEFAULT] bantime.
bantime  = 1800

# Ban hosts whose user agent identifies them as spammer robots crawling the web
# for email addresses. The mail outputs are buffered.

[apache-badbots]

enabled  = false
filter   = apache-badbots
# sendmail-buffered collects "lines" hits before sending a single e-mail.
action   = iptables-multiport[name=BadBots, port="http,https"]
           sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
logpath  = /var/www/*/logs/access_log
# 2-day ban after a single hit: with maxretry = 1 a false positive in the
# badbots filter blocks a client for two days, so review the filter's
# user-agent list before enabling.
bantime  = 172800
maxretry = 1

# Use shorewall instead of iptables.

[apache-shorewall]

enabled  = false
filter   = apache-noscript
# NOTE(review): the mail action is named "Postfix" although this jail watches
# apache -- presumably copied from [postfix-tcpwrapper]; rename it if
# notifications should identify the originating jail.
action   = shorewall
           sendmail[name=Postfix, dest=you@example.com]
logpath  = /var/log/apache2/error_log

# Monitor roundcube server

[roundcube-iptables]

enabled  = false
filter   = roundcube-auth
# Roundcube is reached over the web, so both http and https are blocked.
action   = iptables[name=RoundCube, port="http,https"]
logpath  = /var/log/roundcube/userlogins


# Monitor SOGo groupware server

[sogo-iptables]

enabled  = false
filter   = sogo-auth
# without proxy this would be:
# port    = 20000
# Assumes SOGo sits behind a reverse proxy on http/https; if clients reach it
# directly, block its own port instead (see above).
action   = iptables[name=SOGo, port="http,https"]
logpath  = /var/log/sogo/sogo.log

# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.

[php-url-fopen]

enabled = false
action  = iptables[name=php-url-open, port="http,https"]
filter  = php-url-fopen
logpath = /var/www/*/logs/access_log
# A single matching request is enough to ban.
maxretry = 1

# A simple PHP-fastcgi jail which works with lighttpd.
# If you run a lighttpd server, then you probably will
# find these kinds of messages in your error_log:
# ALERT – tried to register forbidden variable ‘GLOBALS’
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
# This jail would block the IP 1.2.3.4.

[lighttpd-fastcgi]

enabled = false
filter  = lighttpd-fastcgi
action  = iptables[name=lighttpd-fastcgi, port="http,https"]
# adapt the following two items as needed
# (logpath must match the error log configured in lighttpd; a second hit
# within "findtime" bans)
logpath = /var/log/lighttpd/error.log
maxretry = 2

# Same as above for mod_auth
# It catches wrong authentications

[lighttpd-auth]

enabled = false
filter  = lighttpd-auth
action  = iptables[name=lighttpd-auth, port="http,https"]
# adapt the following two items as needed
# (logpath must match the error log configured in lighttpd)
logpath = /var/log/lighttpd/error.log
maxretry = 2

# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.

[ssh-ipfw]

enabled  = false
filter   = sshd
# "localhost" is presumably this host's own address as used in the ipfw rules
# -- adapt it, and confirm its meaning against the ipfw action definition.
action   = ipfw[localhost=192.168.0.1]
           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
logpath  = /var/log/auth.log
# NOTE(review): 168.192.0.1 is a publicly routable address, not an RFC 1918
# one (192.168.0.0/16); it looks like a transposition of the 192.168.0.1 used
# above. Whatever is listed here is never banned by this jail, so confirm the
# value before enabling.
ignoreip = 168.192.0.1

# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
#     channel security_file {
#         file "/var/log/named/security.log" versions 3 size 30m;
#         severity dynamic;
#         print-time yes;
#     };
#     category security {
#         security_file;
#     };
# };
#
# in your named.conf to provide proper logging.
# This jail blocks UDP traffic for DNS requests.

# !!! WARNING !!!
#   Since UDP is a connection-less protocol, spoofing of IP and imitation
#   of illegal actions is way too simple.  Thus enabling this filter
#   might provide an easy way for implementing a DoS against a chosen
#   victim. See
#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
#   Please DO NOT USE this jail unless you know what you are doing.
#
# [named-refused-udp]
#
# enabled  = false
# filter   = named-refused
# action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
#            sendmail-whois[name=Named, dest=you@example.com]
# logpath  = /var/log/named/security.log
# ignoreip = 168.192.0.1

# This jail blocks TCP traffic for DNS requests.

[named-refused-tcp]

enabled  = false
filter   = named-refused
# "domain" is DNS (port 53); 953 is BIND's rndc control channel.
action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
           sendmail-whois[name=Named, dest=you@example.com]
logpath  = /var/log/named/security.log
# NOTE(review): 168.192.0.1 is a publicly routable address, not an RFC 1918
# one (192.168.0.0/16) -- probably 192.168.0.1 was meant. Anything listed
# here is never banned by this jail, so confirm the value before enabling.
ignoreip = 168.192.0.1

# Multiple jails, 1 per protocol, are necessary ATM:
# see https://github.com/fail2ban/fail2ban/issues/37
[asterisk-tcp]

enabled  = false
filter   = asterisk
# SIP ports 5060 (plain) and 5061 (TLS). "dest" and "sender" are placeholder
# addresses -- replace both before enabling.
action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10

[asterisk-udp]

enabled  = false
filter   = asterisk
# UDP counterpart of [asterisk-tcp]. NOTE(review): the source address of a UDP
# datagram is not validated by a handshake, so the spoofing caveat given for
# the UDP named jail above may apply here too; keep "ignoreip" accurate.
# "dest" and "sender" are placeholders -- replace before enabling.
action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
           sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath  = /var/log/asterisk/messages
maxretry = 10

# To log wrong MySQL access attempts add to /etc/my.cnf:
# log-error=/var/log/mysqld.log
# log-warning = 2
[mysqld-iptables]

enabled  = false
filter   = mysqld-auth
# Whois report goes to the local root mailbox; "sender" is a placeholder.
action   = iptables[name=mysql, port=3306, protocol=tcp]
           sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
# Must match the log-error path configured in my.cnf (see above).
logpath  = /var/log/mysqld.log
maxretry = 5


# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
#   Make sure that your loglevel specified in fail2ban.conf/.local
#   is not at DEBUG level -- which might then cause fail2ban to fall into
#   an infinite loop constantly feeding itself with non-informative lines
[recidive]

enabled  = false
filter   = recidive
# Watches fail2ban's own log: hosts already banned by other jails are the
# input here.
logpath  = /var/log/fail2ban.log
# iptables-allports drops ALL traffic from the host for the whole bantime, so
# an address shared by many users (NAT, proxy) or a wrong "ignoreip" locks
# everyone behind it out for a week. Verify "ignoreip" before enabling.
action   = iptables-allports[name=recidive]
           sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime  = 604800  ; 1 week
findtime = 86400   ; 1 day
maxretry = 5

  376. # PF is a BSD based firewall
  377. [ssh-pf]
  378.  
  379. enabled=false
  380. filter = sshd
  381. action = pf
  382. logpath  = /var/log/sshd.log
  383. maxretry=5