
Untitled

a guest
Jul 30th, 2017
  1. # cat /etc/fail2ban/jail.conf
  2. # Fail2Ban configuration file
  3. #
  4. # Author: Cyril Jaquier
  5. #
  6. # $Revision: 747 $
  7. #
  8.  
  9. # The DEFAULT allows a global definition of the options. They can be override
  10. # in each jail afterwards.
  11.  
  12. [DEFAULT]
  13.  
  14. # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
  15. # ban a host which matches an address in this list. Several addresses can be
  16. # defined using space separator.
  17. ignoreip = 127.0.0.1
  18.  
  19. # "bantime" is the number of seconds that a host is banned.
  20. bantime = 600
  21.  
  22. # A host is banned if it has generated "maxretry" during the last "findtime"
  23. # seconds.
  24. #findtime = 600
  25. findtime = 30
  26.  
  27. # "maxretry" is the number of failures before a host get banned.
  28. maxretry = 3
  29.  
  30. # "backend" specifies the backend used to get files modification. Available
  31. # options are "gamin", "polling" and "auto". This option can be overridden in
  32. # each jail too (use "gamin" for a jail and "polling" for another).
  33. #
  34. # gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin
  35. # is not installed, Fail2ban will use polling.
  36. # polling: uses a polling algorithm which does not require external libraries.
  37. # auto: will choose Gamin if available and polling otherwise.
  38. backend = auto
  39.  
  40.  
  41. # This jail corresponds to the standard configuration in Fail2ban 0.6.
  42. # The mail-whois action send a notification e-mail with a whois request
  43. # in the body.
  44.  
  45. [ssh-iptables]
  46.  
  47. enabled = false
  48. filter = sshd
  49. action = iptables[name=SSH, port=ssh, protocol=tcp]
  50. sendmail-whois[name=SSH, dest=you@mail.com, sender=fail2ban@mail.com]
  51. logpath = /var/log/sshd.log
  52. maxretry = 5
  53.  
  54. [proftpd-iptables]
  55.  
  56. enabled = false
  57. filter = proftpd
  58. action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
  59. sendmail-whois[name=ProFTPD, dest=you@mail.com]
  60. logpath = /var/log/proftpd/proftpd.log
  61. maxretry = 6
  62.  
  63. # This jail forces the backend to "polling".
  64.  
  65. [sasl-iptables]
  66.  
  67. enabled = false
  68. filter = sasl
  69. backend = polling
  70. action = iptables[name=sasl, port=smtp, protocol=tcp]
  71. sendmail-whois[name=sasl, dest=you@mail.com]
  72. logpath = /var/log/mail.log
  73.  
  74. # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
  75. # used to avoid banning the user "myuser".
  76.  
  77. [ssh-tcpwrapper]
  78.  
  79. enabled = false
  80. filter = sshd
  81. action = hostsdeny
  82. sendmail-whois[name=SSH, dest=you@mail.com]
  83. ignoreregex = for myuser from
  84. logpath = /var/log/sshd.log
  85.  
  86. # This jail demonstrates the use of wildcards in "logpath".
  87. # Moreover, it is possible to give other files on a new line.
  88.  
  89. [apache-tcpwrapper]
  90.  
  91. enabled = false
  92. filter = apache-auth
  93. action = hostsdeny
  94. logpath = /var/log/apache*/*error.log
  95. /home/www/myhomepage/error.log
  96. maxretry = 6
  97.  
  98. # The hosts.deny path can be defined with the "file" argument if it is
  99. # not in /etc.
  100.  
  101. [postfix-tcpwrapper]
  102.  
  103. enabled = false
  104. filter = postfix
  105. action = hostsdeny[file=/not/a/standard/path/hosts.deny]
  106. sendmail[name=Postfix, dest=you@mail.com]
  107. logpath = /var/log/postfix.log
  108. bantime = 300
  109.  
  110. # Do not ban anybody. Just report information about the remote host.
  111. # A notification is sent at most every 600 seconds (bantime).
  112.  
  113. [vsftpd-notification]
  114.  
  115. enabled = false
  116. filter = vsftpd
  117. action = sendmail-whois[name=VSFTPD, dest=you@mail.com]
  118. logpath = /var/log/vsftpd.log
  119. maxretry = 5
  120. bantime = 1800
  121.  
  122. # Same as above but with banning the IP address.
  123.  
  124. [vsftpd-iptables]
  125.  
  126. enabled = true
  127. filter = vsftpd
  128. action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
  129. sendmail-whois[name=VSFTPD, dest=you@mail.com]
  130. logpath = /var/log/vsftpd.log
  131. maxretry = 5
  132. bantime = 1800
  133.  
  134. # Ban hosts which agent identifies spammer robots crawling the web
  135. # for email addresses. The mail outputs are buffered.
  136.  
  137. [apache-badbots]
  138.  
  139. enabled = false
  140. filter = apache-badbots
  141. action = iptables-multiport[name=BadBots, port="http,https"]
  142. sendmail-buffered[name=BadBots, lines=5, dest=you@mail.com]
  143. logpath = /var/www/*/logs/access_log
  144. bantime = 172800
  145. maxretry = 1
  146.  
  147. # Use shorewall instead of iptables.
  148.  
  149. [apache-shorewall]
  150.  
  151. enabled = false
  152. filter = apache-noscript
  153. action = shorewall
  154. sendmail[name=Postfix, dest=you@mail.com]
  155. logpath = /var/log/apache2/error_log
  156.  
  157. # Ban attackers that try to use PHP's URL-fopen() functionality
  158. # through GET/POST variables. - Experimental, with more than a year
  159. # of usage in production environments.
  160.  
  161. [php-url-fopen]
  162.  
  163. enabled = false
  164. port = http,https
  165. filter = php-url-fopen
  166. logpath = /var/www/*/logs/access_log
  167. maxretry = 1
  168.  
  169. # A simple PHP-fastcgi jail which works with lighttpd.
  170. # If you run a lighttpd server, then you probably will
  171. # find these kinds of messages in your error_log:
  172. # ALERT – tried to register forbidden variable ‘GLOBALS’
  173. # through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php')
  174. # This jail would block the IP 1.2.3.4.
  175.  
  176. [lighttpd-fastcgi]
  177.  
  178. enabled = false
  179. port = http,https
  180. filter = lighttpd-fastcgi
  181. # adapt the following two items as needed
  182. logpath = /var/log/lighttpd/error.log
  183. maxretry = 2
  184.  
  185. # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
  186. # option is overridden in this jail. Moreover, the action "mail-whois" defines
  187. # the variable "name" which contains a comma using "". The characters '' are
  188. # valid too.
  189.  
  190. [ssh-ipfw]
  191.  
  192. enabled = false
  193. filter = sshd
  194. action = ipfw[localhost=192.168.0.1]
  195. sendmail-whois[name="SSH,IPFW", dest=you@mail.com]
  196. logpath = /var/log/auth.log
  197. ignoreip = 168.192.0.1
  198.  
  199. # These jails block attacks against named (bind9). By default, logging is off
  200. # with bind9 installation. You will need something like this:
  201. #
  202. # logging {
  203. # channel security_file {
  204. # file "/var/log/named/security.log" versions 3 size 30m;
  205. # severity dynamic;
  206. # print-time yes;
  207. # };
  208. # category security {
  209. # security_file;
  210. # };
  211. # };
  212. #
  213. # in your named.conf to provide proper logging.
  214. # This jail blocks UDP traffic for DNS requests.
  215.  
  216. [named-refused-udp]
  217.  
  218. enabled = false
  219. filter = named-refused
  220. action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
  221. sendmail-whois[name=Named, dest=you@mail.com]
  222. logpath = /var/log/named/security.log
  223. ignoreip = 168.192.0.1
  224.  
  225. # This jail blocks TCP traffic for DNS requests.
  226.  
  227. [named-refused-tcp]
  228.  
  229. enabled = false
  230. filter = named-refused
  231. action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
  232. sendmail-whois[name=Named, dest=you@mail.com]
  233. logpath = /var/log/named/security.log
  234. ignoreip = 168.192.0.1