Embedded Files
Faruque Ahmed : MCP, MCSA, MCSE, MCTS, MCIT, CCNA, OCA, OCP, GCP
Conf: jail.local
ll-------------------## WARNING: heavily refactored in 0.9.0 release. Please review and# customize settings for your setup.## Changes: in most of the cases you should not modify this# file, but provide customizations in jail.local file,# or separate .conf files under jail.d/ directory, e.g.:## HOW TO ACTIVATE JAILS:## YOU SHOULD NOT MODIFY THIS FILE.## It will probably be overwritten or improved in a distribution update.## Provide customizations in a jail.local file or a jail.d/customisation.local.# For example to change the default bantime for all jails and to enable the# ssh-iptables jail the following (uncommented) would appear in the .local file.# See man 5 jail.conf for details.## [DEFAULT]# bantime = 1h## [sshd]# enabled = true## See jail.conf(5) man page for more information# Comments: use '#' for comment lines and ';' (following a space) for inline comments
[INCLUDES]
#before = paths-distro.confbefore = paths-debian.conf
# The DEFAULT allows a global definition of the options. They can be overridden# in each jail afterwards.
[DEFAULT]
## MISCELLANEOUS OPTIONS#
# "ignorself" specifies whether the local resp. own IP addresses should be ignored# (default is true). Fail2ban will not ban a host which matches such addresses.#ignorself = true
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban# will not ban a host which matches an address in this list. Several addresses# can be defined using space (and/or comma) separator.ignoreip = 127.0.0.1/8 ::1 175.29.168.49 175.29.168.49/32 175.29.175.0/24 175.29.168.0/24 202.22.192.0/24
# External command that will take an tagged arguments to ignore, e.g. <ip>,# and return true if the IP is to be ignored. False otherwise.## ignorecommand = /path/to/command <ip>ignorecommand =
# "bantime" is the number of seconds that a host is banned.bantime = 72h
# A host is banned if it has generated "maxretry" during the last "findtime"# seconds.findtime = 10m
# "maxretry" is the number of failures before a host get banned.maxretry = 3
# "backend" specifies the backend used to get files modification.# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".# This option can be overridden in each jail as well.## pyinotify: requires pyinotify (a file alteration monitor) to be installed.# If pyinotify is not installed, Fail2ban will use auto.# gamin: requires Gamin (a file alteration monitor) to be installed.# If Gamin is not installed, Fail2ban will use auto.# polling: uses a polling algorithm which does not require external libraries.# systemd: uses systemd python library to access the systemd journal.# Specifying "logpath" is not valid for this backend.# See "journalmatch" in the jails associated filter config# auto: will try to use the following backends, in order:# pyinotify, gamin, polling.## Note: if systemd backend is chosen as the default but you enable a jail# for which logs are present only in its own log files, specify some other# backend for that jail (e.g. polling) and provide empty value for# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200backend = auto
# "usedns" specifies if jails should trust hostnames in logs,# warn when DNS lookups are performed, or ignore all hostnames in logs## yes: if a hostname is encountered, a DNS lookup will be performed.# warn: if a hostname is encountered, a DNS lookup will be performed,# but it will be logged as a warning.# no: if a hostname is encountered, will not be used for banning,# but it will be logged as info.# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user)usedns = warn
# "logencoding" specifies the encoding of the log files handled by the jail# This is used to decode the lines from the log file.# Typical examples: "ascii", "utf-8"## auto: will use the system locale settinglogencoding = auto
# "enabled" enables the jails.# By default all jails are disabled, and it should stay this way.# Enable only relevant to your setup jails in your .local or jail.d/*.conf## true: jail will be enabled and log files will get monitored for changes# false: jail is not enabledenabled = false
# "mode" defines the mode of the filter (see corresponding filter implementation for more info).mode = aggressive
# "filter" defines the filter to use by the jail.# By default jails have names matching their filter name#filter = %(__name__)s[mode=%(mode)s]
## ACTIONS#
# Some options used for actions
# Destination email address used solely for the interpolations in# jail.{conf,local,d/*} configuration files.destemail = root@localhost
# Sender email address used solely for some actionssender = root@<fq-hostname>
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the# mailing. Change mta configuration parameter to mail if you want to# revert to conventional 'mail'.mta = sendmail
# Default protocolprotocol = tcp
# Specify chain where jumps would need to be added in ban-actions expecting parameter chainchain = <known/chain>
# Ports to be banned# Usually should be overridden in a particular jailport = 0:65535
# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3fail2ban_agent = Fail2Ban/%(fail2ban_version)s
## Action shortcuts. To be used to define action parameter
# Default banning action (e.g. iptables, iptables-new,# iptables-multiport, shorewall, etc) It is used to define# action_* variables. Can be overridden globally or per# section within jail.local filebanaction = iptables-multiportbanaction_allports = iptables-allports
# The simplest action to take: ban onlyaction_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines# to the destemail.action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action## ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines# to the destemail.action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines# to the destemail.action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Report block via blocklist.de fail2ban reporting service API# # See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in # corresponding jail.d/my-jail.local file).#action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
# Report ban via badips.com, and use as blacklist## See BadIPsAction docstring in config/action.d/badips.py for# documentation for this action.## NOTE: This action relies on banaction being present on start and therefore# should be last action defined for a jail.#action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]## Report ban via badips.com (uses action.d/badips.conf for reporting only)#action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
# Report ban via abuseipdb.com.## See action.d/abuseipdb.conf for usage example and details.#action_abuseipdb = abuseipdb
# Choose default action. To change, just override value of 'action' with the# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local# globally (section [DEFAULT]) or per specific sectionaction = %(action_)s
## JAILS#
## SSH servers#
[sshd]enabled = false# To use more aggressive sshd modes set filter parameter "mode" in jail.local:# normal (default), ddos, extra or aggressive (combines all).# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.#mode = normalport = sshlogpath = %(sshd_log)sbackend = %(sshd_backend)s
[dropbear]
port = sshlogpath = %(dropbear_log)sbackend = %(dropbear_backend)s
[selinux-ssh]
port = sshlogpath = %(auditd_log)s
## HTTP servers#
[apache-auth]
port = http,httpslogpath = %(apache_error_log)s
[apache-badbots]# Ban hosts which agent identifies spammer robots crawling the web# for email addresses. The mail outputs are buffered.port = http,httpslogpath = %(apache_access_log)sbantime = 48hmaxretry = 1
[apache-noscript]
port = http,httpslogpath = %(apache_error_log)s
[apache-overflows]
port = http,httpslogpath = %(apache_error_log)smaxretry = 2
[apache-nohome]
port = http,httpslogpath = %(apache_error_log)smaxretry = 2
[apache-botsearch]
port = http,httpslogpath = %(apache_error_log)smaxretry = 2
[apache-fakegooglebot]
port = http,httpslogpath = %(apache_access_log)smaxretry = 1ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
[apache-modsecurity]
port = http,httpslogpath = %(apache_error_log)smaxretry = 2
[apache-shellshock]
port = http,httpslogpath = %(apache_error_log)smaxretry = 1
[openhab-auth]
filter = openhabaction = iptables-allports[name=NoAuthFailures]logpath = /opt/openhab/logs/request.log
[nginx-http-auth]
port = http,httpslogpath = %(nginx_error_log)s
# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` # and define `limit_req` and `limit_req_zone` as described in nginx documentation# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html# or for example see in 'config/filter.d/nginx-limit-req.conf'[nginx-limit-req]port = http,httpslogpath = %(nginx_error_log)s
[nginx-botsearch]
port = http,httpslogpath = %(nginx_error_log)smaxretry = 2
# Ban attackers that try to use PHP's URL-fopen() functionality# through GET/POST variables. - Experimental, with more than a year# of usage in production environments.
[php-url-fopen]
port = http,httpslogpath = %(nginx_access_log)s %(apache_access_log)s
[suhosin]
port = http,httpslogpath = %(suhosin_log)s
[lighttpd-auth]# Same as above for Apache's mod_auth# It catches wrong authentificationsport = http,httpslogpath = %(lighttpd_error_log)s
## Webmail and groupware servers#
[roundcube-auth]
port = http,httpslogpath = %(roundcube_errors_log)s# Use following line in your jail.local if roundcube logs to journal.#backend = %(syslog_backend)s
[openwebmail]
port = http,httpslogpath = /var/log/openwebmail.log
[horde]
port = http,httpslogpath = /var/log/horde/horde.log
[groupoffice]
port = http,httpslogpath = /home/groupoffice/log/info.log
[sogo-auth]# Monitor SOGo groupware server# without proxy this would be:# port = 20000port = http,httpslogpath = /var/log/sogo/sogo.log
[tine20]
logpath = /var/log/tine20/tine20.logport = http,https
## Web Applications##
[drupal-auth]
port = http,httpslogpath = %(syslog_daemon)sbackend = %(syslog_backend)s
[guacamole]
port = http,httpslogpath = /var/log/tomcat*/catalina.out
[monit]#Ban clients brute-forcing the monit gui loginport = 2812logpath = /var/log/monit
[webmin-auth]
port = 10000logpath = %(syslog_authpriv)sbackend = %(syslog_backend)s
[froxlor-auth]
port = http,httpslogpath = %(syslog_authpriv)sbackend = %(syslog_backend)s
## HTTP Proxy servers##
[squid]
port = 80,443,3128,8080logpath = /var/log/squid/access.log
[3proxy]
port = 3128logpath = /var/log/3proxy.log
## FTP servers#
[proftpd]
port = ftp,ftp-data,ftps,ftps-datalogpath = %(proftpd_log)sbackend = %(proftpd_backend)s
[pure-ftpd]
port = ftp,ftp-data,ftps,ftps-datalogpath = %(pureftpd_log)sbackend = %(pureftpd_backend)s
[gssftpd]
port = ftp,ftp-data,ftps,ftps-datalogpath = %(syslog_daemon)sbackend = %(syslog_backend)s
[wuftpd]
port = ftp,ftp-data,ftps,ftps-datalogpath = %(wuftpd_log)sbackend = %(wuftpd_backend)s
[vsftpd]# or overwrite it in jails.local to be# logpath = %(syslog_authpriv)s# if you want to rely on PAM failed login attempts# vsftpd's failregex should match both of those formatsport = ftp,ftp-data,ftps,ftps-datalogpath = %(vsftpd_log)s
## Mail servers#
# ASSP SMTP Proxy Jail[assp]
port = smtp,465,submissionlogpath = /root/path/to/assp/logs/maillog.txt
[courier-smtp]
port = smtp,465,submissionlogpath = %(syslog_mail)sbackend = %(syslog_backend)s
[postfix]# To use another modes set filter parameter "mode" in jail.local:enabled = truemode = aggressiveport = smtp,465,submissionlogpath = %(postfix_log)sbackend = %(postfix_backend)s
[postfix-rbl]
filter = postfix[mode=rbl]port = smtp,465,submissionlogpath = %(postfix_log)sbackend = %(postfix_backend)smaxretry = 1
[sendmail-auth]
port = submission,465,smtplogpath = %(syslog_mail)sbackend = %(syslog_backend)s
[sendmail-reject]# To use more aggressive modes set filter parameter "mode" in jail.local:# normal (default), extra or aggressive# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.#mode = normalport = smtp,465,submissionlogpath = %(syslog_mail)sbackend = %(syslog_backend)s
[qmail-rbl]
filter = qmailport = smtp,465,submissionlogpath = /service/qmail/log/main/current
# dovecot defaults to logging to the mail syslog facility# but can be set by syslog_facility in the dovecot configuration.[dovecot]enabled = truemode = aggressiveport = pop3,pop3s,imap,imaps,submission,465,sievelogpath = %(dovecot_log)sbackend = %(dovecot_backend)s
[sieve]
port = smtp,465,submissionlogpath = %(dovecot_log)sbackend = %(dovecot_backend)s
[solid-pop3d]
port = pop3,pop3slogpath = %(solidpop3d_log)s
[exim]# see filter.d/exim.conf for further modes supported from filter:#mode = normalport = smtp,465,submissionlogpath = %(exim_main_log)s
[exim-spam]
port = smtp,465,submissionlogpath = %(exim_main_log)s
[kerio]
port = imap,smtp,imaps,465logpath = /opt/kerio/mailserver/store/logs/security.log
## Mail servers authenticators: might be used for smtp,ftp,imap servers, so# all relevant ports get banned#
[courier-auth]
port = smtp,465,submission,imap,imaps,pop3,pop3slogpath = %(syslog_mail)sbackend = %(syslog_backend)s
[postfix-sasl]enabled = truemode = aggressivefilter = postfix[mode=auth]port = smtp,465,submission,imap,imaps,pop3,pop3s# You might consider monitoring /var/log/mail.warn instead if you are# running postfix since it would provide the same log lines at the# "warn" level but overall at the smaller filesize.logpath = %(postfix_log)sbackend = %(postfix_backend)s
[perdition]
port = imap,imaps,pop3,pop3slogpath = %(syslog_mail)sbackend = %(syslog_backend)s
[squirrelmail]
port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,sockslogpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
[cyrus-imap]
port = imap,imapslogpath = %(syslog_mail)sbackend = %(syslog_backend)s
[uwimap-auth]
port = imap,imapslogpath = %(syslog_mail)sbackend = %(syslog_backend)s
### DNS servers#
# !!! WARNING !!!# Since UDP is connection-less protocol, spoofing of IP and imitation# of illegal actions is way too simple. Thus enabling of this filter# might provide an easy way for implementing a DoS against a chosen# victim. See# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html# Please DO NOT USE this jail unless you know what you are doing.## IMPORTANT: see filter.d/named-refused for instructions to enable logging# This jail blocks UDP traffic for DNS requests.# [named-refused-udp]## filter = named-refused# port = domain,953# protocol = udp# logpath = /var/log/named/security.log
# IMPORTANT: see filter.d/named-refused for instructions to enable logging# This jail blocks TCP traffic for DNS requests.
[named-refused]
port = domain,953logpath = /var/log/named/security.log
[nsd]
port = 53action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]logpath = /var/log/nsd.log
## Miscellaneous#
[asterisk]
port = 5060,5061action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]logpath = /var/log/asterisk/messagesmaxretry = 10
[freeswitch]
port = 5060,5061action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]logpath = /var/log/freeswitch.logmaxretry = 10
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or# equivalent section:# log-warning = 2## for syslog (daemon facility)# [mysqld_safe]# syslog## for own logfile# [mysqld]# log-error=/var/log/mysqld.log[mysqld-auth]
port = 3306logpath = %(mysql_log)sbackend = %(mysql_backend)s
# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')[mongodb-auth]# change port when running with "--shardsvr" or "--configsvr" runtime operationport = 27017logpath = /var/log/mongodb/mongodb.log
# Jail for more extended banning of persistent abusers# !!! WARNINGS !!!# 1. Make sure that your loglevel specified in fail2ban.conf/.local# is not at DEBUG level -- which might then cause fail2ban to fall into# an infinite loop constantly feeding itself with non-informative lines# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)# to maintain entries for failed logins for sufficient amount of time[recidive]
logpath = /var/log/fail2ban.logbanaction = %(banaction_allports)sbantime = 1wfindtime = 1d
# Generic filter for PAM. Has to be used with action which bans all# ports such as iptables-allports, shorewall
[pam-generic]# pam-generic filter can be customized to monitor specific subset of 'tty'sbanaction = %(banaction_allports)slogpath = %(syslog_authpriv)sbackend = %(syslog_backend)s
[xinetd-fail]
banaction = iptables-multiport-loglogpath = %(syslog_daemon)sbackend = %(syslog_backend)smaxretry = 2
# stunnel - need to set port for this[stunnel]
logpath = /var/log/stunnel4/stunnel.log
[ejabberd-auth]
port = 5222logpath = /var/log/ejabberd/ejabberd.log
[counter-strike]
logpath = /opt/cstrike/logs/L[0-9]*.log# Firewall: http://www.cstrike-planet.com/faq/6tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
# consider low maxretry and a long bantime# nobody except your own Nagios server should ever probe nrpe[nagios]
logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facilitybackend = %(syslog_backend)smaxretry = 1
[oracleims]# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and abovelogpath = /opt/sun/comms/messaging64/log/mail.log_currentbanaction = %(banaction_allports)s
[directadmin]logpath = /var/log/directadmin/login.logport = 2222
[portsentry]logpath = /var/lib/portsentry/portsentry.historymaxretry = 1
[pass2allow-ftp]# this pass2allow example allows FTP traffic after successful HTTP authenticationport = ftp,ftp-data,ftps,ftps-data# knocking_url variable must be overridden to some secret value in jail.localknocking_url = /knocking/filter = apache-pass[knocking_url="%(knocking_url)s"]# access log of the website with HTTP authlogpath = %(apache_access_log)sblocktype = RETURNreturntype = DROPaction = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s]bantime = 1hmaxretry = 1findtime = 1
[murmur]# AKA mumble-serverport = 64738action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]logpath = /var/log/mumble-server/mumble-server.log
[screensharingd]# For Mac OS Screen Sharing Service (VNC)logpath = /var/log/system.loglogencoding = utf-8
[haproxy-http-auth]# HAProxy by default doesn't log to file you'll need to set it up to forward# logs to a syslog server which would then write them to disk.# See "haproxy-http-auth" filter for a brief cautionary note when setting# maxretry and findtime.logpath = /var/log/haproxy.log
[slapd]port = ldap,ldapslogpath = /var/log/slapd.log
[domino-smtp]port = smtp,ssmtplogpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
[phpmyadmin-syslog]port = http,httpslogpath = %(syslog_authpriv)sbackend = %(syslog_backend)s
[zoneminder]# Zoneminder HTTP/HTTPS web interface auth# Logs auth failures to apache2 error logport = http,httpslogpath = %(apache_error_log)s
ll--------------------------
Page updated
Google Sites
Report abuse