Skip to Content.
Sympa Menu

perfsonar-user - [perfsonar-user] Re: [Throughput-l] new fail2ban config -- Re: Anacron job 'cron.daily' on ps1.ochep.ou.edu

Subject: perfSONAR User Q&A and Other Discussion

List archive

[perfsonar-user] Re: [Throughput-l] new fail2ban config -- Re: Anacron job 'cron.daily' on ps1.ochep.ou.edu


Chronological Thread 
  • From: Horst Severini <>
  • To: Shawn McKee <>, "<>" <>
  • Cc:
  • Subject: [perfsonar-user] Re: [Throughput-l] new fail2ban config -- Re: Anacron job 'cron.daily' on ps1.ochep.ou.edu
  • Date: Fri, 17 Feb 2017 10:32:11 -0600
  • Ironport-phdr: 9a23:IvZBCh0mm0FQp90gsmDT+DRfVm0co7zxezQtwd8ZseMULvad9pjvdHbS+e9qxAeQG96KtrQc1aGG4ujJYi8p2d65qncMcZhBBVcuqP49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6JvjvGo7Vks+7y/2+94fdbghMhDexe69+IRS5oQjSssQdnJdvJLs2xhbVuHVDZv5YxXlvJVKdnhb84tm/8Zt++ClOuPwv6tBNX7zic6s3UbJXAjImM3so5MLwrhnMURGP5noHXWoIlBdDHhXI4wv7Xpf1tSv6q/Z91SyHNsD4Ubw4RTKv5LpwRRT2lCkIKSI28GDPisxxkq1bpg6hpwdiyILQeY2ZKeZycr/Ycd4cS2VBRMJRXDFfDI26YYUEEu4NMf9Fo4XholcDqwa1CwuxC+P10jJGm2H43aM63eoiHw/J0gMvENASv3nPqdX5KL0fXPqpwKTGzzjOae5d1zfn6IjPdxAsufOCXbVqccrK1UkkCh7LgUuOqYP7JTOV1+INs2mG5OdnVeKvkHUqqwdxojip3MssjZTJipgLxV/Z6CV02YA4LsC2Rk58ZN6rCppQtyeCOotxX8MuWX9ntzsnyrEeo567ZC0KyJI5yB/RcfCHdoiJ7gr4W+aXJTd0nn1leLWhhxu07EOuyfX8W9Gp3FpUqidJiMTAu3AX2xHd9sSLUOVx8lu51TuNyQzf8P9ILVwomabBNZIt3709moAcvEjfGCL9hV/4g7WMdko+/+il8+Tnbavipp+bL4J0kgH+M6Q0lcykHeQ0KA4OX2id+eim073j4Ff1T6tXgf0riqXZsZbaKtoHpqOhHgNZzIIu5wyiAzqmytgVk2ULIEhbdB6bl4TpPkvBIPH8DfexmVSslzJryujGPr36GZjNKHjDkLH7cbZ69k5Q0hQ8ws1C555MELEOPOrzWlPttNzfFhI5KxK7w/zpCNVm0YMeX3iAArWAPKPPql+H+PgvLvKIZI8Uozb9N+Ml6+D0gX84n18dYbem3YERaH+mAvRqPV+VbmTxjdccQi82uV8FTOX1jhWnWh1eaj7mRKc35Tw2IJ+jDIzDAI2hnerFlG3vBpBMaHtBDFmWVGrzep+sQ/oWZjmVJMZ71DoJSe7rA9s52Augrwj8wqAiM/HZ4AUAuIjtz99z7veVkxwuo29aFcOYhkGKVXpo1lgFWTIs3aZ+6Rh90X+F0a4+hOEeGNBOsaAaGjwmPILRmrQpQ+v5XRjMK5LQEQ6r

Hi Shawn,

did you not get your fail2ban updated this morning? This is what we got:

Feb 17 03:29:28 Updated: fail2ban-0.9.6-1.el6.noarch

The two are very different now. I've attached them both. The new one starts with this:

WARNING: heavily refactored in 0.9.0 release. Please review and customize settings for your setup.

Thanks,

Horst

On 2/17/17 9:54 AM, Shawn McKee wrote:
Hi Horst,

The quick answer is I don't know. I find that I don't have a
jail.conf.rpmnew. My jail.conf has 333 non-comment, non-empty lines:
[root@psum01 fail2ban]# grep -v "^#" jail.conf | grep -v "^$" | wc
333 908 10443

My guess would be there is new stuff being tracked if you use the new
.conf file. How different is the current one from the jail.conf.rpmnew
one?

I am adding the perfSONAR users list.

Shawn

On Fri, Feb 17, 2017 at 9:10 AM, Horst Severini
<
<mailto:>>
wrote:

Hi all,

I noticed that the new fail2ban jail.conf.rpmnew looks very different
from the current one. Is there some manual interaction required
in order to keep thing operating properly, or can we just ignore this
and fail2ban will still work fine with the old config file?

Thanks,

Horst

Anacron
<

<mailto:>>
wrote:

> /etc/cron.daily/0yum.cron:
>
> warning: /etc/fail2ban/jail.conf created as
/etc/fail2ban/jail.conf.rpmnew
_______________________________________________
Throughput-l mailing list



<mailto:>
https://lists.bnl.gov/mailman/listinfo/throughput-l
<https://lists.bnl.gov/mailman/listinfo/throughput-l>


# Fail2Ban jail base specification file
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwitten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local
file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 3600
#
# [ssh-iptables]
# enabled = true



# Comments: use '#' for comment lines and ';' (following a space) for inline
comments

# The DEFAULT allows a global definition of the options. They can be
overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will
not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external
libraries.
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn


# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.

[ssh-iptables]

enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
# sendmail-whois[name=SSH, dest=root,
,
sendername="Fail2Ban"]
logpath = /var/log/secure
maxretry = 5

[proftpd-iptables]

enabled = false
filter = proftpd
action = iptables[name=ProFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=ProFTPD,
]
logpath = /var/log/proftpd/proftpd.log
maxretry = 6


# This jail forces the backend to "polling".
[sasl-iptables]

enabled = false
filter = postfix-sasl
backend = polling
action = iptables[name=sasl, port=smtp, protocol=tcp]
sendmail-whois[name=sasl,
]
logpath = /var/log/mail.log


# ASSP SMTP Proxy Jail
[assp]

enabled = false
filter = assp
action = iptables-multiport[name=assp,port="25,465,587"]
logpath = /root/path/to/assp/logs/maillog.txt


# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
# used to avoid banning the user "myuser".
[ssh-tcpwrapper]

enabled = false
filter = sshd
action = hostsdeny[daemon_list=sshd]
sendmail-whois[name=SSH,
]
ignoreregex = for myuser from
logpath = /var/log/sshd.log


# Here we use blackhole routes for not requiring any additional kernel support
# to store large volumes of banned IPs
[ssh-route]

enabled = false
filter = sshd
action = route
logpath = /var/log/sshd.log
maxretry = 5


# Here we use a combination of Netfilter/Iptables and IPsets
# for storing large volumes of banned IPs
#
# IPset comes in two versions. See ipset -V for which one to use
# requires the ipset package and kernel support.
[ssh-iptables-ipset4]

enabled = false
filter = sshd
action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/sshd.log
maxretry = 5


[ssh-iptables-ipset6]

enabled = false
filter = sshd
action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp,
bantime=600]
logpath = /var/log/sshd.log
maxretry = 5


# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
# table number must be unique.
#
# This will create a deny rule for that table ONLY if a rule
# for the table doesn't ready exist.
#
[ssh-bsd-ipfw]

enabled = false
filter = sshd
action = bsd-ipfw[port=ssh,table=1]
logpath = /var/log/auth.log
maxretry = 5


# This jail demonstrates the use of wildcards in "logpath".
# Moreover, it is possible to give other files on a new line.
[apache-tcpwrapper]

enabled = false
filter = apache-auth
action = hostsdeny
logpath = /var/log/apache*/*error.log
/home/www/myhomepage/error.log
maxretry = 6


[nginx-http-auth]

enabled = false
filter = nginx-http-auth
action = iptables-multiport[name=nginx-http-auth,port="80,443"]
logpath = /var/log/nginx/error.log


# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.
[postfix-tcpwrapper]

enabled = false
filter = postfix
action = hostsdeny[file=/not/a/standard/path/hosts.deny]
sendmail[name=Postfix,
]
logpath = /var/log/postfix.log
bantime = 300


# Do not ban anybody. Just report information about the remote host.
# A notification is sent at most every 600 seconds (bantime).
[vsftpd-notification]

enabled = false
filter = vsftpd
action = sendmail-whois[name=VSFTPD,
]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800


# Same as above but with banning the IP address.
[vsftpd-iptables]

enabled = false
filter = vsftpd
action = iptables[name=VSFTPD, port=ftp, protocol=tcp]
sendmail-whois[name=VSFTPD,
]
logpath = /var/log/vsftpd.log
maxretry = 5
bantime = 1800


# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
[apache-badbots]

enabled = false
filter = apache-badbots
action = iptables-multiport[name=BadBots, port="http,https"]
sendmail-buffered[name=BadBots, lines=5,
]
logpath = /var/www/*/logs/access_log
bantime = 172800
maxretry = 1


# Use shorewall instead of iptables.
[apache-shorewall]

enabled = false
filter = apache-noscript
action = shorewall
sendmail[name=Postfix,
]
logpath = /var/log/apache2/error_log


# Monitor roundcube server
[roundcube-iptables]

enabled = false
filter = roundcube-auth
action = iptables-multiport[name=RoundCube, port="http,https"]
logpath = /var/log/roundcube/userlogins


# Monitor SOGo groupware server
[sogo-iptables]

enabled = false
filter = sogo-auth
# without proxy this would be:
# port = 20000
action = iptables-multiport[name=SOGo, port="http,https"]
logpath = /var/log/sogo/sogo.log


# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]

enabled = false
action = iptables-multiport[name=php-url-open, port="http,https"]
filter = php-url-fopen
logpath = /var/www/*/logs/access_log
maxretry = 1


[suhosin]

enabled = false
filter = suhosin
action = iptables-multiport[name=suhosin, port="http,https"]
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2


[lighttpd-auth]

enabled = false
filter = lighttpd-auth
action = iptables-multiport[name=lighttpd-auth, port="http,https"]
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 2


# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
# the variable "name" which contains a comma using "". The characters '' are
# valid too.
[ssh-ipfw]

enabled = false
filter = sshd
action = ipfw[localhost=192.168.0.1]
sendmail-whois[name="SSH,IPFW",
]
logpath = /var/log/auth.log
ignoreip = 168.192.0.1


# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
# [named-refused-udp]
#
# enabled = false
# filter = named-refused
# action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
# sendmail-whois[name=Named,
]
# logpath = /var/log/named/security.log
# ignoreip = 168.192.0.1

# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.
[named-refused-tcp]

enabled = false
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
sendmail-whois[name=Named,
]
logpath = /var/log/named/security.log
ignoreip = 168.192.0.1


[asterisk]

enabled = false
filter = asterisk
action = iptables-multiport[name=asterisk-tcp, port="5060,5061",
protocol=tcp]
iptables-multiport[name=asterisk-udp, port="5060,5061",
protocol=udp]
sendmail-whois[name=Asterisk,
,

]
logpath = /var/log/asterisk/messages
maxretry = 10

# Historical support (before https://github.com/fail2ban/fail2ban/issues/37
was fixed )
# use [asterisk] for new jails
[asterisk-tcp]

enabled = false
filter = asterisk
action = iptables-multiport[name=asterisk-tcp, port="5060,5061",
protocol=tcp]
sendmail-whois[name=Asterisk,
,

]
logpath = /var/log/asterisk/messages
maxretry = 10


# Historical support (before https://github.com/fail2ban/fail2ban/issues/37
was fixed )
# use [asterisk] for new jails
[asterisk-udp]

enabled = false
filter = asterisk
action = iptables-multiport[name=asterisk-udp, port="5060,5061",
protocol=udp]
sendmail-whois[name=Asterisk,
,

]
logpath = /var/log/asterisk/messages
maxretry = 10


[mysqld-iptables]

enabled = false
filter = mysqld-auth
action = iptables[name=mysql, port=3306, protocol=tcp]
sendmail-whois[name=MySQL, dest=root,
]
logpath = /var/log/mysqld.log
maxretry = 5


[mysqld-syslog-iptables]

enabled = false
filter = mysqld-auth
action = iptables[name=mysql, port=3306, protocol=tcp]
logpath = /var/log/daemon.log
maxretry = 5


# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
# Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
[recidive]

enabled = false
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5


# PF is a BSD based firewall
[ssh-pf]

enabled = false
filter = sshd
action = pf
logpath = /var/log/sshd.log
maxretry = 5


[3proxy]

enabled = false
filter = 3proxy
action = iptables[name=3proxy, port=3128, protocol=tcp]
logpath = /var/log/3proxy.log


[exim]

enabled = false
filter = exim
action = iptables-multiport[name=exim,port="25,465,587"]
logpath = /var/log/exim/mainlog


[exim-spam]

enabled = false
filter = exim-spam
action = iptables-multiport[name=exim-spam,port="25,465,587"]
logpath = /var/log/exim/mainlog


[perdition]

enabled = false
filter = perdition
action = iptables-multiport[name=perdition,port="110,143,993,995"]
logpath = /var/log/maillog


[uwimap-auth]

enabled = false
filter = uwimap-auth
action = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]
logpath = /var/log/maillog


[osx-ssh-ipfw]

enabled = false
filter = sshd
action = osx-ipfw
logpath = /var/log/secure.log
maxretry = 5


[ssh-apf]

enabled = false
filter = sshd
action = apf[name=SSH]
logpath = /var/log/secure
maxretry = 5


[osx-ssh-afctl]

enabled = false
filter = sshd
action = osx-afctl[bantime=600]
logpath = /var/log/secure.log
maxretry = 5


[webmin-auth]

enabled = false
filter = webmin-auth
action = iptables-multiport[name=webmin,port="10000"]
logpath = /var/log/auth.log


# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]

enabled = false
filter = dovecot
action = iptables-multiport[name=dovecot,
port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath = /var/log/mail.log


[dovecot-auth]

enabled = false
filter = dovecot
action = iptables-multiport[name=dovecot-auth,
port="pop3,pop3s,imap,imaps,submission,smtps,sieve", protocol=tcp]
logpath = /var/log/secure


[selinux-ssh]
enabled = false
filter = selinux-ssh
action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
logpath = /var/log/audit/audit.log
maxretry = 5
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local
file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 3600
#
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information



# Comments: use '#' for comment lines and ';' (following a space) for inline
comments


[INCLUDES]

#before = paths-distro.conf
before = paths-fedora.conf

# The DEFAULT allows a global definition of the options. They can be
overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will
not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external
libraries.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
# for which logs are present only in its own log files, specify some
other
# backend for that jail (e.g. polling) and provide empty value for
# journalmatch. See
https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
# raw: use raw value (no hostname), allow use it for no-host
filters/actions (example user)
usedns = warn

# "logencoding" specifies the encoding of the log files handled by the jail
# This is used to decode the lines from the log file.
# Typical examples: "ascii", "utf-8"
#
# auto: will use the system locale setting
logencoding = auto

# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false


# "filter" defines the filter to use by the jail.
# By default jails have names matching their filter name
#
filter = %(__name__)s


#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost

# Sender email address used solely for some actions
sender = root@localhost

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
fail2ban_agent = Fail2Ban/%(fail2ban_version)s

#
# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s",
port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s",
port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s",
dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s",
port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s",
dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# See the IMPORTANT note in action.d/xarf-login-attack for when to use this
action
#
# ban & send a xarf e-mail to abuse contact of IP address and include
relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s",
port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s",
logpath=%(logpath)s, port="%(port)s"]

# ban IP on CloudFlare & send an e-mail with whois report and relevant log
lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s",
dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# Report block via blocklist.de fail2ban reporting service API
#
# See the IMPORTANT note in action.d/blocklist_de.conf for when to
# use this action. Create a file jail.d/blocklist_de.local containing
# [Init]
# blocklist_de_apikey = {api key from registration]
#
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s,
apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]

# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s",
agent="%(fail2ban_agent)s"]
#
# Report ban via badips.com (uses action.d/badips.conf for reporting only)
#
action_badips_report = badips[category="%(__name__)s",
agent="%(fail2ban_agent)s"]

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl,
etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s


#
# JAILS
#

#
# SSH servers
#

[sshd]

port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s


[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s


[dropbear]

port = ssh
logpath = %(dropbear_log)s
backend = %(dropbear_backend)s


[selinux-ssh]

port = ssh
logpath = %(auditd_log)s


#
# HTTP servers
#

[apache-auth]

port = http,https
logpath = %(apache_error_log)s


[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port = http,https
logpath = %(apache_access_log)s
bantime = 172800
maxretry = 1


[apache-noscript]

port = http,https
logpath = %(apache_error_log)s


[apache-overflows]

port = http,https
logpath = %(apache_error_log)s
maxretry = 2


[apache-nohome]

port = http,https
logpath = %(apache_error_log)s
maxretry = 2


[apache-botsearch]

port = http,https
logpath = %(apache_error_log)s
maxretry = 2


[apache-fakegooglebot]

port = http,https
logpath = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>


[apache-modsecurity]

port = http,https
logpath = %(apache_error_log)s
maxretry = 2


[apache-shellshock]

port = http,https
logpath = %(apache_error_log)s
maxretry = 1


[openhab-auth]

filter = openhab
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log


[nginx-http-auth]

port = http,https
logpath = %(nginx_error_log)s

# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
# and define `limit_req` and `limit_req_zone` as described in nginx
documentation
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
# or for example see in 'config/filter.d/nginx-limit-req.conf'
[nginx-limit-req]
port = http,https
logpath = %(nginx_error_log)s

[nginx-botsearch]

port = http,https
logpath = %(nginx_error_log)s
maxretry = 2


# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.

[php-url-fopen]

port = http,https
logpath = %(nginx_access_log)s
%(apache_access_log)s


[suhosin]

port = http,https
logpath = %(suhosin_log)s


[lighttpd-auth]
# Same as above for Apache's mod_auth
# It catches wrong authentifications
port = http,https
logpath = %(lighttpd_error_log)s


#
# Webmail and groupware servers
#

[roundcube-auth]

port = http,https
logpath = %(roundcube_errors_log)s


[openwebmail]

port = http,https
logpath = /var/log/openwebmail.log


[horde]

port = http,https
logpath = /var/log/horde/horde.log


[groupoffice]

port = http,https
logpath = /home/groupoffice/log/info.log


[sogo-auth]
# Monitor SOGo groupware server
# without proxy this would be:
# port = 20000
port = http,https
logpath = /var/log/sogo/sogo.log


[tine20]

logpath = /var/log/tine20/tine20.log
port = http,https


#
# Web Applications
#
#

[drupal-auth]

port = http,https
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s

[guacamole]

port = http,https
logpath = /var/log/tomcat*/catalina.out

[monit]
#Ban clients brute-forcing the monit gui login
port = 2812
logpath = /var/log/monit


[webmin-auth]

port = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s


[froxlor-auth]

port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s


#
# HTTP Proxy servers
#
#

[squid]

port = 80,443,3128,8080
logpath = /var/log/squid/access.log


[3proxy]

port = 3128
logpath = /var/log/3proxy.log


#
# FTP servers
#


[proftpd]

port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
backend = %(proftpd_backend)s


[pure-ftpd]

port = ftp,ftp-data,ftps,ftps-data
logpath = %(pureftpd_log)s
backend = %(pureftpd_backend)s


[gssftpd]

port = ftp,ftp-data,ftps,ftps-data
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s


[wuftpd]

port = ftp,ftp-data,ftps,ftps-data
logpath = %(wuftpd_log)s
backend = %(wuftpd_backend)s


[vsftpd]
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s


#
# Mail servers
#

# ASSP SMTP Proxy Jail
[assp]

port = smtp,465,submission
logpath = /root/path/to/assp/logs/maillog.txt


[courier-smtp]

port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s


[postfix]

port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s


[postfix-rbl]

port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1


[sendmail-auth]

port = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s


[sendmail-reject]

port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s


[qmail-rbl]

filter = qmail
port = smtp,465,submission
logpath = /service/qmail/log/main/current


# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]

port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s


[sieve]

port = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s


[solid-pop3d]

port = pop3,pop3s
logpath = %(solidpop3d_log)s


[exim]

port = smtp,465,submission
logpath = %(exim_main_log)s


[exim-spam]

port = smtp,465,submission
logpath = %(exim_main_log)s


[kerio]

port = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courier-auth]

port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s


[postfix-sasl]

port = smtp,465,submission,imap3,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s


[perdition]

port = imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s


[squirrelmail]

port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log


[cyrus-imap]

port = imap3,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s


[uwimap-auth]

port = imap3,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s


#
#
# DNS servers
#


# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
# [named-refused-udp]
#
# filter = named-refused
# port = domain,953
# protocol = udp
# logpath = /var/log/named/security.log

# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.

[named-refused]

port = domain,953
logpath = /var/log/named/security.log


[nsd]

port = 53
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s",
protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s",
protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/nsd.log


#
# Miscellaneous
#

[asterisk]

port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s",
protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s",
protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 10


[freeswitch]

port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s",
protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s",
protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/freeswitch.log
maxretry = 10


# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
# equivalent section:
# log-warning = 2
#
# for syslog (daemon facility)
# [mysqld_safe]
# syslog
#
# for own logfile
# [mysqld]
# log-error=/var/log/mysqld.log
[mysqld-auth]

port = 3306
logpath = %(mysql_log)s
backend = %(mysql_backend)s


# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
[mongodb-auth]
# change port when running with "--shardsvr" or "--configsvr" runtime
operation
port = 27017
logpath = /var/log/mongodb/mongodb.log


# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
# to maintain entries for failed logins for sufficient amount of time
[recidive]

logpath = /var/log/messages
banaction = %(banaction_allports)s
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day


# Generic filter for PAM. Has to be used with action which bans all
# ports such as iptables-allports, shorewall

[pam-generic]
# pam-generic filter can be customized to monitor specific subset of 'tty's
banaction = %(banaction_allports)s
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s


[xinetd-fail]

banaction = iptables-multiport-log
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
maxretry = 2


# stunnel - need to set port for this
[stunnel]

logpath = /var/log/stunnel4/stunnel.log


[ejabberd-auth]

port = 5222
logpath = /var/log/ejabberd/ejabberd.log


[counter-strike]

logpath = /opt/cstrike/logs/L[0-9]*.log
# Firewall: http://www.cstrike-planet.com/faq/6
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport =
1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s",
protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(udpport)s",
protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
[nagios]

logpath = %(syslog_daemon)s ; nrpe.cfg may define a different
log_facility
backend = %(syslog_backend)s
maxretry = 1


[oracleims]
# see "oracleims" filter file for configuration requirement for Oracle IMS v6
and above
logpath = /opt/sun/comms/messaging64/log/mail.log_current
banaction = %(banaction_allports)s

[directadmin]
logpath = /var/log/directadmin/login.log
port = 2222

[portsentry]
logpath = /var/lib/portsentry/portsentry.history
maxretry = 1

[pass2allow-ftp]
# this pass2allow example allows FTP traffic after successful HTTP
authentication
port = ftp,ftp-data,ftps,ftps-data
# knocking_url variable must be overridden to some secret value in jail.local
knocking_url = /knocking/
filter = apache-pass[knocking_url="%(knocking_url)s"]
# access log of the website with HTTP auth
logpath = %(apache_access_log)s
blocktype = RETURN
returntype = DROP
bantime = 3600
maxretry = 1
findtime = 1


[murmur]
# AKA mumble-server
port = 64738
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s",
protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s",
protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/mumble-server/mumble-server.log


[screensharingd]
# For Mac OS Screen Sharing Service (VNC)
logpath = /var/log/system.log
logencoding = utf-8

[haproxy-http-auth]
# HAProxy by default doesn't log to file you'll need to set it up to forward
# logs to a syslog server which would then write them to disk.
# See "haproxy-http-auth" filter for a brief cautionary note when setting
# maxretry and findtime.
logpath = /var/log/haproxy.log

[slapd]
port = ldap,ldaps
filter = slapd
logpath = /var/log/slapd.log



Archive powered by MHonArc 2.6.19.

Top of Page