aka144

jail.local

Apr 15th, 2015
  1. # Fail2Ban configuration file.
  2. #
  3. # This file was composed for Debian systems from the original one
  4. # provided now under /usr/share/doc/fail2ban/examples/jail.conf
  5. # for additional examples.
  6. #
  7. # Comments: use '#' for comment lines and ';' for inline comments
  8. #
# To avoid merges during upgrades DO NOT MODIFY jail.conf; put your changes
# in /etc/fail2ban/jail.local instead.
#
# NOTE: this paste is a complete copy of jail.conf saved as jail.local. Every
# value in it shadows the packaged jail.conf, so upstream fixes to the defaults
# are silently lost on upgrade. Prefer a jail.local that holds only the
# sections and keys you actually override.
  11. #
  12.  
  13. # The DEFAULT allows a global definition of the options. They can be overridden
  14. # in each jail afterwards.
  15.  
  16. [DEFAULT]
  17.  
  18. # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
  19. # ban a host which matches an address in this list. Several addresses can be
  20. # defined using space separator.
  21. ignoreip = 127.0.0.1/8
  22.  
  23. # This will ignore connection coming from common private networks.
  24. # Note that local connections can come from other than just 127.0.0.1, so
  25. # this needs CIDR range too.
  26. ignoreip = 199.27.128.0/21 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/12 172.64.0.0/13
  27.  
  28. # "bantime" is the number of seconds that a host is banned.
  29. bantime = 86400
  30.  
  31. # A host is banned if it has generated "maxretry" during the last "findtime"
  32. # seconds.
  33. findtime = 600
  34. maxretry = 3
  35.  
  36. # "backend" specifies the backend used to get files modification.
  37. # Available options are "pyinotify", "gamin", "polling" and "auto".
  38. # This option can be overridden in each jail as well.
  39. #
  40. # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
  41. # If pyinotify is not installed, Fail2ban will use auto.
  42. # gamin: requires Gamin (a file alteration monitor) to be installed.
  43. # If Gamin is not installed, Fail2ban will use auto.
  44. # polling: uses a polling algorithm which does not require external libraries.
  45. # auto: will try to use the following backends, in order:
  46. # pyinotify, gamin, polling.
  47. backend = auto
  48.  
  49. # "usedns" specifies if jails should trust hostnames in logs,
  50. # warn when reverse DNS lookups are performed, or ignore all hostnames in logs
  51. #
  52. # yes: if a hostname is encountered, a reverse DNS lookup will be performed.
  53. # warn: if a hostname is encountered, a reverse DNS lookup will be performed,
  54. # but it will be logged as a warning.
  55. # no: if a hostname is encountered, will not be used for banning,
  56. # but it will be logged as info.
  57. usedns = warn
  58.  
  59. #
  60. # Destination email address used solely for the interpolations in
  61. # jail.{conf,local} configuration files.
  62. destemail = [email protected]
  63.  
  64. #
  65. # Name of the sender for mta actions
  66. sendername = Fail2Ban
  67.  
  68. #
  69. # ACTIONS
  70. #
  71.  
  72. # Default banning action (e.g. iptables, iptables-new,
  73. # iptables-multiport, shorewall, etc) It is used to define
  74. # action_* variables. Can be overridden globally or per
  75. # section within jail.local file
  76. banaction = iptables-multiport
  77.  
  78. # email action. Since 0.8.1 upstream fail2ban uses sendmail
  79. # MTA for the mailing. Change mta configuration parameter to mail
  80. # if you want to revert to conventional 'mail'.
  81. mta = mail
  82.  
  83. # Default protocol
  84. protocol = tcp
  85.  
  86. # Specify chain where jumps would need to be added in iptables-* actions
  87. chain = INPUT
  88.  
  89. #
  90. # Action shortcuts. To be used to define action parameter
  91.  
  92. # The simplest action to take: ban only
  93. action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  94.  
  95. # ban & send an e-mail with whois report to the destemail.
  96. action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  97. %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
  98.  
  99. # ban & send an e-mail with whois report and relevant log lines
  100. # to the destemail.
  101. action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  102. %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
  103.  
  104. # Choose default action. To change, just override value of 'action' with the
  105. # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
  106. # globally (section [DEFAULT]) or per specific section
  107. action = %(action_mwl)s
  108.  
  109. #
  110. # JAILS
  111. #
  112.  
  113. # Next jails corresponds to the standard configuration in Fail2ban 0.6 which
  114. # was shipped in Debian. Enable any defined here jail by including
  115. #
  116. # [SECTION_NAME]
  117. # enabled = true
  118.  
  119. #
  120. # in /etc/fail2ban/jail.local.
  121. #
  122. # Optionally you may override any other parameter (e.g. banaction,
  123. # action, port, logpath, etc) in that section within jail.local
  124.  
  125. [ssh]
  126.  
  127. enabled = true
  128. port = 2200
  129. filter = sshd
  130. logpath = /var/log/auth.log
  131. maxretry = 6
  132.  
  133. [dropbear]
  134.  
  135. enabled = false
  136. port = ssh
  137. filter = dropbear
  138. logpath = /var/log/auth.log
  139. maxretry = 6
  140.  
  141. # Generic filter for pam. Has to be used with action which bans all ports
  142. # such as iptables-allports, shorewall
  143. [pam-generic]
  144.  
  145. enabled = false
  146. # pam-generic filter can be customized to monitor specific subset of 'tty's
  147. filter = pam-generic
  148. # port actually must be irrelevant but lets leave it all for some possible uses
  149. port = all
  150. banaction = iptables-allports
  151. port = anyport
  152. logpath = /var/log/auth.log
  153. maxretry = 6
  154.  
  155. [xinetd-fail]
  156.  
  157. enabled = false
  158. filter = xinetd-fail
  159. port = all
  160. banaction = iptables-multiport-log
  161. logpath = /var/log/daemon.log
  162. maxretry = 2
  163.  
  164.  
  165. [ssh-ddos]
  166.  
  167. enabled = true
  168. port = 2200
  169. filter = sshd-ddos
  170. logpath = /var/log/auth.log
  171. maxretry = 6
  172.  
  173.  
  174. # Here we use blackhole routes for not requiring any additional kernel support
  175. # to store large volumes of banned IPs
  176.  
  177. [ssh-route]
  178.  
  179. enabled = true
  180. filter = sshd
  181. action = route
  182. logpath = /var/log/sshd.log
  183. maxretry = 6
  184.  
  185. # Here we use a combination of Netfilter/Iptables and IPsets
  186. # for storing large volumes of banned IPs
  187. #
  188. # IPset comes in two versions. See ipset -V for which one to use
  189. # requires the ipset package and kernel support.
  190. [ssh-iptables-ipset4]
  191.  
  192. enabled = true
  193. port = 2200
  194. filter = sshd
  195. banaction = iptables-ipset-proto4
  196. logpath = /var/log/sshd.log
  197. maxretry = 6
  198.  
  199. [ssh-iptables-ipset6]
  200.  
  201. enabled = true
  202. port = 2200
  203. filter = sshd
  204. banaction = iptables-ipset-proto6
  205. logpath = /var/log/sshd.log
  206. maxretry = 6
  207.  
  208.  
  209. #
  210. # HTTP servers
  211. #
  212.  
  213. [apache]
  214.  
  215. enabled = false
  216. port = http,https
  217. filter = apache-auth
  218. logpath = /var/log/apache*/*error.log
  219. maxretry = 6
  220.  
  221. # default action is now multiport, so apache-multiport jail was left
  222. # for compatibility with previous (<0.7.6-2) releases
  223. [apache-multiport]
  224.  
  225. enabled = false
  226. port = http,https
  227. filter = apache-auth
  228. logpath = /var/log/apache*/*error.log
  229. maxretry = 6
  230.  
  231. [apache-noscript]
  232.  
  233. enabled = false
  234. port = http,https
  235. filter = apache-noscript
  236. logpath = /var/log/apache*/*error.log
  237. maxretry = 6
  238.  
  239. [apache-overflows]
  240.  
  241. enabled = false
  242. port = http,https
  243. filter = apache-overflows
  244. logpath = /var/log/apache*/*error.log
  245. maxretry = 2
  246.  
  247. # Ban attackers that try to use PHP's URL-fopen() functionality
  248. # through GET/POST variables. - Experimental, with more than a year
  249. # of usage in production environments.
  250.  
  251. [php-url-fopen]
  252.  
  253. enabled = true
  254. port = http,https
  255. filter = php-url-fopen
  256. logpath = /var/log/php-url-fopen.log
  257. maxretry = 1
  258.  
  259. # A simple PHP-fastcgi jail which works with lighttpd.
  260. # If you run a lighttpd server, then you probably will
  261. # find these kinds of messages in your error_log:
  262. # ALERT – tried to register forbidden variable ‘GLOBALS’
  263. # through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
  264.  
  265. [lighttpd-fastcgi]
  266.  
  267. enabled = false
  268. port = http,https
  269. filter = lighttpd-fastcgi
  270. logpath = /var/log/lighttpd/error.log
  271.  
  272. # Same as above for mod_auth
  273. # It catches wrong authentifications
  274.  
  275. [lighttpd-auth]
  276.  
  277. enabled = false
  278. port = http,https
  279. filter = suhosin
  280. logpath = /var/log/lighttpd/error.log
  281.  
  282. [nginx-http-auth]
  283.  
  284. enabled = true
  285. filter = nginx-http-auth
  286. port = http,https
  287. logpath = /var/log/nginx/error.log
  288.  
  289. # Monitor roundcube server
  290.  
  291. [roundcube-auth]
  292.  
  293. enabled = false
  294. filter = roundcube-auth
  295. port = http,https
  296. logpath = /var/log/roundcube/userlogins
  297.  
  298.  
  299. [sogo-auth]
  300.  
  301. enabled = false
  302. filter = sogo-auth
  303. port = http, https
  304. # without proxy this would be:
  305. # port = 20000
  306. logpath = /var/log/sogo/sogo.log
  307.  
  308.  
  309. #
  310. # FTP servers
  311. #
  312.  
  313. [vsftpd]
  314.  
  315. enabled = true
  316. port = ftp,ftp-data,ftps,ftps-data,2200
  317. filter = vsftpd
  318. logpath = /var/log/vsftpd.log
  319. # or overwrite it in jails.local to be
  320. # logpath = /var/log/auth.log
  321. # if you want to rely on PAM failed login attempts
  322. # vsftpd's failregex should match both of those formats
  323. maxretry = 6
  324.  
  325.  
  326. [proftpd]
  327.  
  328. enabled = false
  329. port = ftp,ftp-data,ftps,ftps-data
  330. filter = proftpd
  331. logpath = /var/log/proftpd/proftpd.log
  332. maxretry = 6
  333.  
  334.  
  335. [pure-ftpd]
  336.  
  337. enabled = false
  338. port = ftp,ftp-data,ftps,ftps-data
  339. filter = pure-ftpd
  340. logpath = /var/log/syslog
  341. maxretry = 6
  342.  
  343.  
  344. [wuftpd]
  345.  
  346. enabled = false
  347. port = ftp,ftp-data,ftps,ftps-data
  348. filter = wuftpd
  349. logpath = /var/log/syslog
  350. maxretry = 6
  351.  
  352.  
  353. #
  354. # Mail servers
  355. #
  356.  
  357. [postfix]
  358.  
  359. enabled = true
  360. port = smtp,ssmtp,submission
  361. filter = postfix
  362. logpath = /var/log/mail.log
  363.  
  364.  
  365. [couriersmtp]
  366.  
  367. enabled = false
  368. port = smtp,ssmtp,submission
  369. filter = couriersmtp
  370. logpath = /var/log/mail.log
  371.  
  372.  
  373. #
  374. # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
  375. # all relevant ports get banned
  376. #
  377.  
  378. [courierauth]
  379.  
  380. enabled = false
  381. port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
  382. filter = courierlogin
  383. logpath = /var/log/mail.log
  384.  
  385.  
  386. [sasl]
  387.  
  388. enabled = false
  389. port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
  390. filter = postfix-sasl
  391. # You might consider monitoring /var/log/mail.warn instead if you are
  392. # running postfix since it would provide the same log lines at the
  393. # "warn" level but overall at the smaller filesize.
  394. logpath = /var/log/mail.log
  395.  
  396. [dovecot]
  397.  
  398. enabled = false
  399. port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
  400. filter = dovecot
  401. logpath = /var/log/mail.log
  402.  
  403. # To log wrong MySQL access attempts add to /etc/my.cnf:
  404. # log-error=/var/log/mysqld.log
  405. # log-warning = 2
  406. [mysqld-auth]
  407.  
  408. enabled = true
  409. filter = mysqld-auth
  410. port = 3306
  411. logpath = /var/log/mysqld.log
  412.  
  413.  
  414. # DNS Servers
  415.  
  416.  
  417. # These jails block attacks against named (bind9). By default, logging is off
  418. # with bind9 installation. You will need something like this:
  419. #
  420. # logging {
  421. # channel security_file {
  422. # file "/var/log/named/security.log" versions 3 size 30m;
  423. # severity dynamic;
  424. # print-time yes;
  425. # };
  426. # category security {
  427. # security_file;
  428. # };
  429. # };
  430. #
  431. # in your named.conf to provide proper logging
  432.  
  433. # !!! WARNING !!!
  434. # Since UDP is connection-less protocol, spoofing of IP and imitation
  435. # of illegal actions is way too simple. Thus enabling of this filter
  436. # might provide an easy way for implementing a DoS against a chosen
  437. # victim. See
  438. # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
  439. # Please DO NOT USE this jail unless you know what you are doing.
  440. #[named-refused-udp]
  441. #
  442. #enabled = false
  443. #port = domain,953
  444. #protocol = udp
  445. #filter = named-refused
  446. #logpath = /var/log/named/security.log
  447.  
  448. [named-refused-tcp]
  449.  
  450. enabled = false
  451. port = domain,953
  452. protocol = tcp
  453. filter = named-refused
  454. logpath = /var/log/named/security.log
  455.  
  456. # Multiple jails, 1 per protocol, are necessary ATM:
  457. # see https://github.com/fail2ban/fail2ban/issues/37
  458. [asterisk-tcp]
  459.  
  460. enabled = false
  461. filter = asterisk
  462. port = 5060,5061
  463. protocol = tcp
  464. logpath = /var/log/asterisk/messages
  465.  
  466. [asterisk-udp]
  467.  
  468. enabled = false
  469. filter = asterisk
  470. port = 5060,5061
  471. protocol = udp
  472. logpath = /var/log/asterisk/messages
  473.  
  474.  
  475. # Jail for more extended banning of persistent abusers
  476. # !!! WARNING !!!
  477. # Make sure that your loglevel specified in fail2ban.conf/.local
  478. # is not at DEBUG level -- which might then cause fail2ban to fall into
  479. # an infinite loop constantly feeding itself with non-informative lines
  480. [recidive]
  481.  
  482. enabled = false
  483. filter = recidive
  484. logpath = /var/log/fail2ban.log
  485. action = iptables-allports[name=recidive]
  486. sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
  487. bantime = 604800 ; 1 week
  488. findtime = 86400 ; 1 day
  489. maxretry = 5
  490.  
  491. #additional protections.
  492.  
  493. [nginx-req-limit]
  494.  
  495. enabled = true
  496. filter = nginx-req-limit
  497. action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
  498. logpath = /var/log/nginx/*error.log
  499. findtime = 600
  500. bantime = 7200
  501. maxretry = 10
  502.  
  503.  
  504.  
  505. [nginx-auth]
  506. enabled = true
  507. filter = nginx-auth
  508. port = http,https
  509. logpath = /var/log/nginx*/*error*.log
  510. bantime = 7200
  511. maxretry = 6
  512.  
  513. [nginx-login]
  514. enabled = true
  515. filter = nginx-login
  516. port = http,https
  517. logpath = /var/log/nginx*/*access*.log
  518. bantime = 7200
  519. maxretry = 6
  520.  
  521. [nginx-badbots]
  522. enabled = true
  523. filter = apache-badbots
  524. port = http,https
  525. logpath = /var/log/nginx*/*access*.log
  526. bantime = 86400
  527. maxretry = 1
  528.  
  529. [nginx-noscript]
  530. enabled = true
  531. port = http,https
  532. filter = nginx-noscript
  533. logpath = /var/log/nginx*/*access*.log
  534. axretry = 6
  535. bantime = 86400
  536.  
  537. [nginx-proxy]
  538. enabled = true
  539. port = http,https
  540. filter = nginx-proxy
  541. logpath = /var/log/nginx*/*access*.log
  542. maxretry = 0
  543. bantime = 86400
  544.  
  545. [wordpress]
  546. enabled = true
  547. filter = wordpress
  548. logpath = /var/log/auth.log
  549. port = http,https
  550. findtime = 7200
  551. bantime = 86400
  552. maxretry = 5