Conf: jail.local
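#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 1h
#
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# NOTE(review): this file is installed as jail.local but appears to be a full
# copy of the packaged jail.conf with a handful of local edits (ignoreip,
# bantime, maxretry, mode, and enabled=true for postfix, postfix-sasl and
# dovecot). Per jail.conf(5) the read order is jail.conf, jail.d/*.conf,
# jail.local, jail.d/*.local, so every key restated here shadows the packaged
# value and any future distribution update to it. Trimming this file down to
# the keys that were actually changed would let the packaged defaults stay in
# effect.

[INCLUDES]

#before = paths-distro.conf
before = paths-debian.conf

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignorself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
#ignorself = true

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
#
# NOTE(review): the former duplicate entry 175.29.168.49/32 (identical to
# 175.29.168.49) was dropped; 175.29.168.49 is itself already covered by
# 175.29.168.0/24. Everything in the three public /24 ranges below is exempt
# from banning in every jail, so a compromised or misbehaving host in those
# ranges is invisible to fail2ban -- confirm each range really needs to be
# trusted as a whole rather than listing the individual hosts.
ignoreip = 127.0.0.1/8 ::1 175.29.168.49 175.29.175.0/24 175.29.168.0/24 202.22.192.0/24

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is how long a host stays banned: either a plain number of seconds
# or one of the time abbreviations used throughout this file (10m, 1h, 72h,
# 1d, 1w).
bantime = 72h

# A host is banned if it has generated "maxretry" failures during the last
# "findtime" window (same seconds-or-abbreviation syntax as "bantime").
findtime = 10m

# "maxretry" is the number of failures before a host get banned.
maxretry = 3

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
# for which logs are present only in its own log files, specify some other
# backend for that jail (e.g. polling) and provide empty value for
# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user)
usedns = warn

# "logencoding" specifies the encoding of the log files handled by the jail
# This is used to decode the lines from the log file.
# Typical examples: "ascii", "utf-8"
#
# auto: will use the system locale setting
logencoding = auto

# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false

# "mode" defines the mode of the filter (see corresponding filter implementation for more info).
#
# NOTE(review): because "filter" below expands to %(__name__)s[mode=%(mode)s],
# this value is handed to the filter of every jail that does not set its own
# "filter" line. Aggressive modes match more log patterns and therefore raise
# the false-positive risk; confirm this is intended globally rather than only
# for the mail jails that also restate it.
mode = aggressive

# "filter" defines the filter to use by the jail.
# By default jails have names matching their filter name
#
filter = %(__name__)s[mode=%(mode)s]

#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost

# Sender email address used solely for some actions
sender = root@<fq-hostname>

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
chain = <known/chain>

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
fail2ban_agent = Fail2Ban/%(fail2ban_version)s

#
# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]

# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# Report block via blocklist.de fail2ban reporting service API
#
# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in
# corresponding jail.d/my-jail.local file).
#
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]

# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
#
# Report ban via badips.com (uses action.d/badips.conf for reporting only)
#
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]

# Report ban via abuseipdb.com.
#
# See action.d/abuseipdb.conf for usage example and details.
#
action_abuseipdb = abuseipdb

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s


#
# JAILS
#

#
# SSH servers
#

[sshd]
# NOTE(review): an explicit "false" here wins over any "enabled = true" that a
# jail.d/*.conf file (such as a distribution default) sets for sshd, because
# jail.local is read after jail.d/*.conf. If SSH brute-force protection is
# expected on this host, remove this line or set it to true.
enabled = false

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[dropbear]
port = ssh
logpath = %(dropbear_log)s
backend = %(dropbear_backend)s

[selinux-ssh]
port = ssh
logpath = %(auditd_log)s

#
# HTTP servers
#

[apache-auth]
port = http,https
logpath = %(apache_error_log)s

[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1

[apache-noscript]
port = http,https
logpath = %(apache_error_log)s

[apache-overflows]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2

[apache-nohome]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2

[apache-botsearch]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2

[apache-fakegooglebot]
port = http,https
logpath = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>

[apache-modsecurity]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2

[apache-shellshock]
port = http,https
logpath = %(apache_error_log)s
maxretry = 1

[openhab-auth]
filter = openhab
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log

[nginx-http-auth]
port = http,https
logpath = %(nginx_error_log)s

# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
# and define `limit_req` and `limit_req_zone` as described in nginx documentation
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
# or for example see in 'config/filter.d/nginx-limit-req.conf'
[nginx-limit-req]
port = http,https
logpath = %(nginx_error_log)s

[nginx-botsearch]
port = http,https
logpath = %(nginx_error_log)s
maxretry = 2

# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
port = http,https
# Two log files: one per continuation line.
logpath = %(nginx_access_log)s
          %(apache_access_log)s

[suhosin]
port = http,https
logpath = %(suhosin_log)s

[lighttpd-auth]
# Same as above for Apache's mod_auth
# It catches wrong authentifications
port = http,https
logpath = %(lighttpd_error_log)s

#
# Webmail and groupware servers
#

[roundcube-auth]
port = http,https
logpath = %(roundcube_errors_log)s
# Use following line in your jail.local if roundcube logs to journal.
#backend = %(syslog_backend)s

[openwebmail]
port = http,https
logpath = /var/log/openwebmail.log

[horde]
port = http,https
logpath = /var/log/horde/horde.log

[groupoffice]
port = http,https
logpath = /home/groupoffice/log/info.log

[sogo-auth]
# Monitor SOGo groupware server
# without proxy this would be:
# port = 20000
port = http,https
logpath = /var/log/sogo/sogo.log

[tine20]
logpath = /var/log/tine20/tine20.log
port = http,https

#
# Web Applications
#
#

[drupal-auth]
port = http,https
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s

[guacamole]
port = http,https
logpath = /var/log/tomcat*/catalina.out

[monit]
# Ban clients brute-forcing the monit gui login
port = 2812
logpath = /var/log/monit

[webmin-auth]
port = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

[froxlor-auth]
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

#
# HTTP Proxy servers
#
#

[squid]
port = 80,443,3128,8080
logpath = /var/log/squid/access.log

[3proxy]
port = 3128
logpath = /var/log/3proxy.log

#
# FTP servers
#

[proftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
backend = %(proftpd_backend)s

[pure-ftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(pureftpd_log)s
backend = %(pureftpd_backend)s

[gssftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s

[wuftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(wuftpd_log)s
backend = %(wuftpd_backend)s

[vsftpd]
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s

#
# Mail servers
#

# ASSP SMTP Proxy Jail
[assp]
port = smtp,465,submission
logpath = /root/path/to/assp/logs/maillog.txt

[courier-smtp]
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[postfix]
# To use another modes set filter parameter "mode" in jail.local:
enabled = true
# Same value as [DEFAULT]; kept so the jail stays aggressive even if the
# global default is changed later.
mode = aggressive
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[postfix-rbl]
filter = postfix[mode=rbl]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1

[sendmail-auth]
port = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[sendmail-reject]
# To use more aggressive modes set filter parameter "mode" in jail.local:
# normal (default), extra or aggressive
# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
#mode = normal
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[qmail-rbl]
filter = qmail
port = smtp,465,submission
logpath = /service/qmail/log/main/current

# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]
enabled = true
# Same value as [DEFAULT]; kept so the jail stays aggressive even if the
# global default is changed later.
mode = aggressive
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

[sieve]
port = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

[solid-pop3d]
port = pop3,pop3s
logpath = %(solidpop3d_log)s

[exim]
# see filter.d/exim.conf for further modes supported from filter:
#mode = normal
port = smtp,465,submission
logpath = %(exim_main_log)s

[exim-spam]
port = smtp,465,submission
logpath = %(exim_main_log)s

[kerio]
port = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log

#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courier-auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[postfix-sasl]
enabled = true
# NOTE(review): the explicit "filter" line below passes mode=auth itself, so
# this "mode" key is not what the postfix filter sees here; it only matters if
# the filter line is removed. Confirm which mode is intended for this jail.
mode = aggressive
filter = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[perdition]
port = imap,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[squirrelmail]
port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log

[cyrus-imap]
port = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

[uwimap-auth]
port = imap,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s

#
#
# DNS servers
#

# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
# [named-refused-udp]
#
# filter = named-refused
# port = domain,953
# protocol = udp
# logpath = /var/log/named/security.log

# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.
[named-refused]
port = domain,953
logpath = /var/log/named/security.log

[nsd]
port = 53
# One ban action per protocol, one per continuation line.
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/nsd.log

#
# Miscellaneous
#

[asterisk]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 10

[freeswitch]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
         %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/freeswitch.log
maxretry = 10

# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
# equivalent section:
# log-warning = 2
#
# for syslog (daemon facility)
# [mysqld_safe]
# syslog
#
# for own logfile
# [mysqld]
# log-error=/var/log/mysqld.log
[mysqld-auth]
port = 3306
logpath = %(mysql_log)s
backend = %(mysql_backend)s

# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
[mongodb-auth]
# change port when running with "--shardsvr" or "--configsvr" runtime operation
port = 27017
logpath = /var/log/mongodb/mongodb.log

# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
# to maintain entries for failed logins for sufficient amount of time
[recidive]
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d

# Generic filter for PAM. Has to be used with action which bans all
# ports such as iptables-allports, shorewall
[pam-generic]
# pam-generic filter can be customized to monitor specific subset of 'tty's
banaction = %(banaction_allports)s
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

[xinetd-fail]
banaction = iptables-multiport-log
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
maxretry = 2

# stunnel - need to set port for this
[stunnel]
logpath = /var/log/stunnel4/stunnel.log

[ejabberd-auth]
port = 5222
logpath = /var/log/ejabberd/ejabberd.log

[counter-strike]
logpath = /opt/cstrike/logs/L[0-9]*.log
# Firewall: http://www.cstrike-planet.com/faq/6
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]

# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
[nagios]
logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
backend = %(syslog_backend)s
maxretry = 1

[oracleims]
# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
logpath = /opt/sun/comms/messaging64/log/mail.log_current
banaction = %(banaction_allports)s

[directadmin]
logpath = /var/log/directadmin/login.log
port = 2222

[portsentry]
logpath = /var/lib/portsentry/portsentry.history
maxretry = 1

[pass2allow-ftp]
# this pass2allow example allows FTP traffic after successful HTTP authentication
port = ftp,ftp-data,ftps,ftps-data
# knocking_url variable must be overridden to some secret value in jail.local
# NOTE(review): still the stock example path. The jail is off (enabled = false
# in [DEFAULT]), but pick a non-guessable value before ever enabling it.
knocking_url = /knocking/
filter = apache-pass[knocking_url="%(knocking_url)s"]
# access log of the website with HTTP auth
logpath = %(apache_access_log)s
blocktype = RETURN
returntype = DROP
action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s]
bantime = 1h
maxretry = 1
findtime = 1

[murmur]
# AKA mumble-server
port = 64738
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
         %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/mumble-server/mumble-server.log

[screensharingd]
# For Mac OS Screen Sharing Service (VNC)
logpath = /var/log/system.log
logencoding = utf-8

[haproxy-http-auth]
# HAProxy by default doesn't log to file you'll need to set it up to forward
# logs to a syslog server which would then write them to disk.
# See "haproxy-http-auth" filter for a brief cautionary note when setting
# maxretry and findtime.
logpath = /var/log/haproxy.log

[slapd]
port = ldap,ldaps
logpath = /var/log/slapd.log

[domino-smtp]
port = smtp,ssmtp
logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log

[phpmyadmin-syslog]
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s

[zoneminder]
# Zoneminder HTTP/HTTPS web interface auth
# Logs auth failures to apache2 error log
port = http,https
logpath = %(apache_error_log)s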