mhammett

Fail2Ban Config — `fail2ban-client -d` dump of a single `sshd` jail (log /var/log/secure, `apf` ban action plus `sendmail-whois-lines` notification). Note that bantime and findtime are both 2592000 s (30 days) with maxretry 5, so five failures spread over a month earn a month-long ban; the ignoreip /23 and the notification mailbox are live values from the host, so treat the paste as sensitive.

Apr 26th, 2020
  1. [root@ip22 fail2ban]# fail2ban-client -d
  2. ['set', 'syslogsocket', 'auto']
  3. ['set', 'loglevel', 'DEBUG']
  4. ['set', 'logtarget', '/var/log/fail2ban.log']
  5. ['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
  6. ['set', 'dbpurgeage', 86400]
  7. ['add', 'sshd', 'auto']
  8. ['set', 'sshd', 'usedns', 'warn']
  9. ['set', 'sshd', 'addlogpath', '/var/log/secure', 'head']
  10. ['set', 'sshd', 'maxretry', 5]
  11. ['set', 'sshd', 'addignoreip', '65.182.164.0/23']
  12. ['set', 'sshd', 'logencoding', 'auto']
  13. ['set', 'sshd', 'bantime', 2592000]
  14. ['set', 'sshd', 'ignorecommand', '']
  15. ['set', 'sshd', 'findtime', 2592000]
  16. ['set', 'sshd', 'maxlines', '10']
  17. ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:error: PAM: )?[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \\S+)?\\s*$']
  18. ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\\s*$']
  19. ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?Failed \\S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from <HOST>(?: port \\d+)?(?: ssh\\d*)?(?(cond_user):|(?:(?:(?! from ).)*)$)']
  20. ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?ROOT LOGIN REFUSED.* FROM <HOST>\\s*$']
  21. ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \\d+)?\\s*$']
  22. ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?User .+ from <HOST> not allowed because not listed in AllowUsers\\s*$']
  23. ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?User .+ from <HOST> not allowed because listed in DenyUsers\\s*$']
  24. ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?User .+ from <HOST> not allowed because not in any group\\s*$']
  25. ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?refused connect from \\S+ \\(<HOST>\\)\\s*$']
  26. ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:error: )?Received disconnect from <HOST>: 3: .*: Auth fail(?: \\[preauth\\])?$']
  27. ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?User .+ from <HOST> not allowed because a group is listed in DenyGroups\\s*$']
  28. ['set', 'sshd', 'addfailregex', "^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?User .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\\s*$"]
  29. ['set', 'sshd', 'addfailregex', '^(?P<__prefix>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \\[preauth\\]$']
  30. ['set', 'sshd', 'addfailregex', '^(?P<__prefix>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)Disconnecting: Too many authentication failures for .+? \\[preauth\\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \\[preauth\\]$']
  31. ['set', 'sshd', 'addfailregex', '^(?P<__prefix>(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?)Connection from <HOST> port \\d+(?: on \\S+ port \\d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \\[preauth\\]$']
  32. ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(error: )?maximum authentication attempts exceeded for .* from <HOST>(?: port \\d*)?(?: ssh\\d*)? \\[preauth\\]$']
  33. ['set', 'sshd', 'addfailregex', '^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel: \\[ *\\d+\\.\\d+\\]\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?sshd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?pam_unix\\(sshd:auth\\):\\s+authentication failure;\\s*logname=\\S*\\s*uid=\\d*\\s*euid=\\d*\\s*tty=\\S*\\s*ruser=\\S*\\s*rhost=<HOST>\\s.*$']
  34. ['set', 'sshd', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd']
  35. ['set', 'sshd', 'addaction', 'apf']
  36. ['set', 'sshd', 'action', 'apf', 'actionban', '/usr/local/sbin/apf --deny <ip> "banned by Fail2Ban <name>"']
  37. ['set', 'sshd', 'action', 'apf', 'actionstop', '']
  38. ['set', 'sshd', 'action', 'apf', 'actionstart', '']
  39. ['set', 'sshd', 'action', 'apf', 'actionunban', '/usr/local/sbin/apf --remove <ip>']
  40. ['set', 'sshd', 'action', 'apf', 'actioncheck', '']
  41. ['set', 'sshd', 'action', 'apf', 'known/name', 'default']
  42. ['set', 'sshd', 'action', 'apf', 'protocol', 'tcp']
  43. ['set', 'sshd', 'action', 'apf', 'name', 'sshd']
  44. ['set', 'sshd', 'addaction', 'sendmail-whois-lines']
  45. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'actionban', 'printf %b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<failures> attempts against <name>.\\n\\n\nHere is more information about <ip> :\\n\n`/usr/bin/whois <ip> || echo missing whois program`\\n\\n\nLines containing IP:<ip> in <logpath>\\n\n`grep -E <grepopts> \'(^|[^0-9])<ip>([^0-9]|$)\' <logpath>`\\n\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
  46. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'actionstop', 'printf %b "Subject: [Fail2Ban] <name>: stopped on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been stopped.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
  47. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'actionstart', 'printf %b "Subject: [Fail2Ban] <name>: started on `uname -n`\nDate: `LC_ALL=C date +"%a, %d %h %Y %T %z"`\nFrom: <sendername> <<sender>>\nTo: <dest>\\n\nHi,\\n\nThe jail <name> has been started successfully.\\n\nRegards,\\n\nFail2Ban" | /usr/sbin/sendmail -f <sender> <dest>']
  48. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'actionunban', '']
  49. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'actioncheck', '']
  50. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/known/sendername', 'Fail2Ban']
  51. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/grepopts', '-m 1000']
  52. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'sender', 'admin@ics-il.net']
  53. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/sender', 'admin@ics-il.net']
  54. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'dest', 'admin@ics-il.net']
  55. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/known/dest', 'admin@ics-il.net']
  56. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/__name__', 'Init']
  57. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'logpath', '/var/log/secure']
  58. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/dest', 'admin@ics-il.net']
  59. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/known/sender', 'admin@ics-il.net']
  60. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'grepopts', '-m 1000']
  61. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/name', 'default']
  62. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/logpath', '/dev/null']
  63. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/sendername', 'Fail2Ban']
  64. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'known/known/__name__', 'Init']
  65. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'sendername', 'Fail2Ban']
  66. ['set', 'sshd', 'action', 'sendmail-whois-lines', 'name', 'sshd']
  67. ['start', 'sshd']