# Fail2Ban configuration file (jail.conf)
#
# Author: Cyril Jaquier
#
# $Revision: 747 $
#

# The [DEFAULT] section gives a global definition of the options. Each of
# them can be overridden inside an individual jail afterwards.
  10.  
[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# Only the IPv4 loopback is exempt here. With the maxretry/findtime/bantime
# values below, an administrator who mistypes a password a few times from a
# host that is not listed is locked out for the full bantime; add the
# management hosts or networks you administer from (for example
# "127.0.0.1 192.0.2.0/24") before enabling any jail. Whether an IPv6
# address such as "::1" is accepted depends on the Fail2ban version in use
# -- verify before adding one.
ignoreip = 127.0.0.1

# "bantime" is the number of seconds that a host is banned.
# 259200 seconds = 3 days.
bantime = 259200

# A host is banned if it has generated "maxretry" failures during the last
# "findtime" seconds.
# 600 seconds = 10 minutes.
findtime = 600

# "maxretry" is the number of failures before a host gets banned.
# 3 failures in 10 minutes triggers a 3-day ban: tight enough that a shared
# NAT address (many users behind one IP) can be banned by ordinary typos.
# Several jails below override this value.
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
# is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto: will choose Gamin if available and polling otherwise.
backend = polling
  37.  
  38.  
  39. # This jail corresponds to the standard configuration in Fail2ban 0.6.
  40. # The mail-whois action send a notification e-mail with a whois request
  41. # in the body.
  42.  
  43. [ssh-iptables]
  44.  
  45. enabled = false
  46. filter = sshd
  47. action = iptables[name=SSH, port=ssh, protocol=tcp]
  48. sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
  49. logpath = /var/log/sshd.log
  50. maxretry = 5
  51.  
  52. [asterisk-iptables]
  53.  
  54. enabled = true
  55. filter = asterisk
  56. action = iptables-allports[name=ASTERISK, protocol=all]
  57. sendmail-whois[name=ASTERISK, dest=root, sender=fail2ban@example.org]
  58. logpath = /var/log/asterisk/full
  59. maxretry = 5
  60. bantime = 259200
  61.  
  62.  
  63. [proftpd-iptables]
  64.  
  65. enabled = false
  66. filter = proftpd
  67. action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
  68. sendmail-whois[name=ProFTPD, dest=you@mail.com]
  69. logpath = /var/log/proftpd/proftpd.log
  70. maxretry = 6
  71.  
  72. # This jail forces the backend to "polling".
  73.  
  74. [sasl-iptables]
  75.  
  76. enabled = false
  77. filter = sasl
  78. backend = polling
  79. action = iptables[name=sasl, port=smtp, protocol=tcp]
  80. sendmail-whois[name=sasl, dest=you@mail.com]
  81. logpath = /var/log/mail.log
  82.  
  83. # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
  84. # used to avoid banning the user "myuser".
  85.  
  86. [ssh-tcpwrapper]
  87.  
  88. enabled = false
  89. filter = sshd
  90. action = hostsdeny
  91. sendmail-whois[name=SSH, dest=you@mail.com]
  92. ignoreregex = for myuser from
  93. logpath = /var/log/sshd.log
  94.  
  95. # This jail demonstrates the use of wildcards in "logpath".
  96. # Moreover, it is possible to give other files on a new line.
  97.  
  98. [apache-tcpwrapper]
  99.  
  100. enabled = false
  101. filter = apache-auth
  102. action = hostsdeny
  103. logpath = /var/log/apache*/*error.log
  104. /home/www/myhomepage/error.log
  105. maxretry = 6
  106.  
  107. # The hosts.deny path can be defined with the "file" argument if it is
  108. # not in /etc.
  109.  
  110. [postfix-tcpwrapper]
  111.  
  112. enabled = false
  113. filter = postfix
  114. action = hostsdeny[file=/not/a/standard/path/hosts.deny]
  115. sendmail[name=Postfix, dest=you@mail.com]
  116. logpath = /var/log/postfix.log
  117. bantime = 300
  118.  
# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 1800 seconds (the bantime below):
# with no firewall action, "bantime" only throttles repeat notifications
# for the same host. Each mail includes a live whois lookup of the remote
# address, so this jail makes outbound whois queries for every trigger.

[vsftpd-notification]

enabled = false
filter = vsftpd
action = sendmail-whois[name=VSFTPD, dest=you@mail.com]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800
  130.  
  131. # Same as above but with banning the IP address.
  132.  
  133. [vsftpd-iptables]
  134.  
  135. enabled = false
  136. filter = vsftpd
  137. action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
  138. sendmail-whois[name=VSFTPD, dest=you@mail.com]
  139. logpath = /var/log/vsftpd.log
  140. maxretry = 5
  141. bantime = 1800
  142.  
  143. # Ban hosts which agent identifies spammer robots crawling the web
  144. # for email addresses. The mail outputs are buffered.
  145.  
  146. [apache-badbots]
  147.  
  148. enabled = false
  149. filter = apache-badbots
  150. action = iptables-multiport[name=BadBots, port="http,https"]
  151. sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
  152. logpath = /var/www/*/logs/access_log
  153. bantime = 172800
  154. maxretry = 1
  155.  
  156. # Use shorewall instead of iptables.
  157.  
  158. [apache-shorewall]
  159.  
  160. enabled = false
  161. filter = apache-noscript
  162. action = shorewall
  163. sendmail[name=Postfix, dest=you@mail.com]
  164. logpath = /var/log/apache2/error_log
  165.  
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
# NOTE(review): this jail sets "port" but no "action", and the [DEFAULT]
# section above defines no action either. Confirm what this Fail2ban
# version does with a jail that has no action (and whether "port" is
# consumed by anything) before enabling it.

[php-url-fopen]

enabled = false
port = http,https
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
# One matching request bans the source for the default bantime (3 days).
maxretry = 1
  177.  
# A simple PHP-fastcgi jail which works with lighttpd.
# If you run a lighttpd server, then you probably will
# find these kinds of messages in your error_log:
# ALERT - tried to register forbidden variable 'GLOBALS'
# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
# This jail would block the IP 1.2.3.4.
# NOTE(review): like [php-url-fopen], this jail sets "port" but no "action",
# and [DEFAULT] defines none; confirm the behaviour of an action-less jail
# for this Fail2ban version before enabling it.

[lighttpd-fastcgi]

enabled = false
port = http,https
filter = lighttpd-fastcgi
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
# Two matching requests within findtime ban the source for the default
# bantime (3 days).
maxretry = 2
  193.  
  194. # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
  195. # option is overridden in this jail. Moreover, the action "mail-whois" defines
  196. # the variable "name" which contains a comma using "". The characters '' are
  197. # valid too.
  198.  
  199. [ssh-ipfw]
  200.  
  201. enabled = false
  202. filter = sshd
  203. action = ipfw[localhost=192.168.0.1]
  204. sendmail-whois[name="SSH,IPFW", dest=you@mail.com]
  205. logpath = /var/log/auth.log
  206. ignoreip = 168.192.0.1
  207.  
  208. # These jails block attacks against named (bind9). By default, logging is off
  209. # with bind9 installation. You will need something like this:
  210. #
  211. # logging {
  212. # channel security_file {
  213. # file "/var/log/named/security.log" versions 3 size 30m;
  214. # severity dynamic;
  215. # print-time yes;
  216. # };
  217. # category security {
  218. # security_file;
  219. # };
  220. # };
  221. #
  222. # in your named.conf to provide proper logging.
  223. # This jail blocks UDP traffic for DNS requests.
  224.  
  225. [named-refused-udp]
  226.  
  227. enabled = false
  228. filter = named-refused
  229. action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
  230. sendmail-whois[name=Named, dest=you@mail.com]
  231. logpath = /var/log/named/security.log
  232. ignoreip = 168.192.0.1
  233.  
  234. # This jail blocks TCP traffic for DNS requests.
  235.  
  236. [named-refused-tcp]
  237.  
  238. enabled = false
  239. filter = named-refused
  240. action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
  241. sendmail-whois[name=Named, dest=you@mail.com]
  242. logpath = /var/log/named/security.log
  243. ignoreip = 168.192.0.1