fail2ban done; todo configure email

assets/fail2ban.jail.conf

@@ -1,855 +0,0 @@
-#
-# WARNING: heavily refactored in 0.9.0 release.  Please review and
-#          customize settings for your setup.
-#
-# Changes:  in most of the cases you should not modify this
-#           file, but provide customizations in jail.local file,
-#           or separate .conf files under jail.d/ directory, e.g.:
-#
-# HOW TO ACTIVATE JAILS:
-#
-# YOU SHOULD NOT MODIFY THIS FILE.
-#
-# It will probably be overwritten or improved in a distribution update.
-#
-# Provide customizations in a jail.local file or a jail.d/customisation.local.
-# For example to change the default bantime for all jails and to enable the
-# ssh-iptables jail the following (uncommented) would appear in the .local file.
-# See man 5 jail.conf for details.
-#
-# [DEFAULT]
-# bantime = 3600
-#
-# [sshd]
-# enabled = true
-#
-# See jail.conf(5) man page for more information
-
-
-
-# Comments: use '#' for comment lines and ';' (following a space) for inline comments
-
-
-[INCLUDES]
-
-#before = paths-distro.conf
-before = paths-debian.conf
-
-# The DEFAULT allows a global definition of the options. They can be overridden
-# in each jail afterwards.
-
-[DEFAULT]
-
-#
-# MISCELLANEOUS OPTIONS
-#
-
-# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
-# ban a host which matches an address in this list. Several addresses can be
-# defined using space (and/or comma) separator.
-ignoreip = 127.0.0.1/8
-
-# External command that will take an tagged arguments to ignore, e.g. <ip>,
-# and return true if the IP is to be ignored. False otherwise.
-#
-# ignorecommand = /path/to/command <ip>
-ignorecommand =
-
-# "bantime" is the number of seconds that a host is banned.
-bantime  = 600
-
-# A host is banned if it has generated "maxretry" during the last "findtime"
-# seconds.
-findtime  = 600
-
-# "maxretry" is the number of failures before a host get banned.
-maxretry = 5
-
-# "backend" specifies the backend used to get files modification.
-# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
-# This option can be overridden in each jail as well.
-#
-# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
-#              If pyinotify is not installed, Fail2ban will use auto.
-# gamin:     requires Gamin (a file alteration monitor) to be installed.
-#              If Gamin is not installed, Fail2ban will use auto.
-# polling:   uses a polling algorithm which does not require external libraries.
-# systemd:   uses systemd python library to access the systemd journal.
-#              Specifying "logpath" is not valid for this backend.
-#              See "journalmatch" in the jails associated filter config
-# auto:      will try to use the following backends, in order:
-#              pyinotify, gamin, polling.
-#
-# Note: if systemd backend is chosen as the default but you enable a jail
-#       for which logs are present only in its own log files, specify some other
-#       backend for that jail (e.g. polling) and provide empty value for
-#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
-backend = auto
-
-# "usedns" specifies if jails should trust hostnames in logs,
-#   warn when DNS lookups are performed, or ignore all hostnames in logs
-#
-# yes:   if a hostname is encountered, a DNS lookup will be performed.
-# warn:  if a hostname is encountered, a DNS lookup will be performed,
-#        but it will be logged as a warning.
-# no:    if a hostname is encountered, will not be used for banning,
-#        but it will be logged as info.
-# raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)
-usedns = warn
-
-# "logencoding" specifies the encoding of the log files handled by the jail
-#   This is used to decode the lines from the log file.
-#   Typical examples:  "ascii", "utf-8"
-#
-#   auto:   will use the system locale setting
-logencoding = auto
-
-# "enabled" enables the jails.
-#  By default all jails are disabled, and it should stay this way.
-#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
-#
-# true:  jail will be enabled and log files will get monitored for changes
-# false: jail is not enabled
-enabled = false
-
-
-# "filter" defines the filter to use by the jail.
-#  By default jails have names matching their filter name
-#
-filter = %(__name__)s
-
-
-#
-# ACTIONS
-#
-
-# Some options used for actions
-
-# Destination email address used solely for the interpolations in
-# jail.{conf,local,d/*} configuration files.
-destemail = root@localhost
-
-# Sender email address used solely for some actions
-sender = root@localhost
-
-# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
-# mailing. Change mta configuration parameter to mail if you want to
-# revert to conventional 'mail'.
-mta = sendmail
-
-# Default protocol
-protocol = tcp
-
-# Specify chain where jumps would need to be added in iptables-* actions
-chain = INPUT
-
-# Ports to be banned
-# Usually should be overridden in a particular jail
-port = 0:65535
-
-# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
-fail2ban_agent = Fail2Ban/%(fail2ban_version)s
-
-#
-# Action shortcuts. To be used to define action parameter
-
-# Default banning action (e.g. iptables, iptables-new,
-# iptables-multiport, shorewall, etc) It is used to define
-# action_* variables. Can be overridden globally or per
-# section within jail.local file
-banaction = iptables-multiport
-banaction_allports = iptables-allports
-
-# The simplest action to take: ban only
-action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
-
-# ban & send an e-mail with whois report to the destemail.
-action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
-            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
-
-# ban & send an e-mail with whois report and relevant log lines
-# to the destemail.
-action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
-             %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
-
-# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
-#
-# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
-# to the destemail.
-action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
-             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
-
-# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
-# to the destemail.
-action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
-                %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
-
-# Report block via blocklist.de fail2ban reporting service API
-# 
-# See the IMPORTANT note in action.d/blocklist_de.conf for when to
-# use this action. Create a file jail.d/blocklist_de.local containing
-# [Init]
-# blocklist_de_apikey = {api key from registration]
-#
-action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
-
-# Report ban via badips.com, and use as blacklist
-#
-# See BadIPsAction docstring in config/action.d/badips.py for
-# documentation for this action.
-#
-# NOTE: This action relies on banaction being present on start and therefore
-# should be last action defined for a jail.
-#
-action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
-#
-# Report ban via badips.com (uses action.d/badips.conf for reporting only)
-#
-action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
-
-# Choose default action.  To change, just override value of 'action' with the
-# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
-# globally (section [DEFAULT]) or per specific section
-action = %(action_)s
-
-
-#
-# JAILS
-#
-
-#
-# SSH servers
-#
-
-[sshd]
-
-port    = ssh
-logpath = %(sshd_log)s
-backend = %(sshd_backend)s
-
-
-[sshd-ddos]
-# This jail corresponds to the standard configuration in Fail2ban.
-# The mail-whois action send a notification e-mail with a whois request
-# in the body.
-port    = ssh
-logpath = %(sshd_log)s
-backend = %(sshd_backend)s
-
-
-[dropbear]
-
-port     = ssh
-logpath  = %(dropbear_log)s
-backend  = %(dropbear_backend)s
-
-
-[selinux-ssh]
-
-port     = ssh
-logpath  = %(auditd_log)s
-
-
-#
-# HTTP servers
-#
-
-[apache-auth]
-
-port     = http,https
-logpath  = %(apache_error_log)s
-
-
-[apache-badbots]
-# Ban hosts which agent identifies spammer robots crawling the web
-# for email addresses. The mail outputs are buffered.
-port     = http,https
-logpath  = %(apache_access_log)s
-bantime  = 172800
-maxretry = 1
-
-
-[apache-noscript]
-
-port     = http,https
-logpath  = %(apache_error_log)s
-
-
-[apache-overflows]
-
-port     = http,https
-logpath  = %(apache_error_log)s
-maxretry = 2
-
-
-[apache-nohome]
-
-port     = http,https
-logpath  = %(apache_error_log)s
-maxretry = 2
-
-
-[apache-botsearch]
-
-port     = http,https
-logpath  = %(apache_error_log)s
-maxretry = 2
-
-
-[apache-fakegooglebot]
-
-port     = http,https
-logpath  = %(apache_access_log)s
-maxretry = 1
-ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
-
-
-[apache-modsecurity]
-
-port     = http,https
-logpath  = %(apache_error_log)s
-maxretry = 2
-
-
-[apache-shellshock]
-
-port    = http,https
-logpath = %(apache_error_log)s
-maxretry = 1
-
-
-[openhab-auth]
-
-filter = openhab
-action = iptables-allports[name=NoAuthFailures]
-logpath = /opt/openhab/logs/request.log
-
-
-[nginx-http-auth]
-
-port    = http,https
-logpath = %(nginx_error_log)s
-
-# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 
-# and define `limit_req` and `limit_req_zone` as described in nginx documentation
-# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
-# or for example see in 'config/filter.d/nginx-limit-req.conf'
-[nginx-limit-req]
-port    = http,https
-logpath = %(nginx_error_log)s
-
-[nginx-botsearch]
-
-port     = http,https
-logpath  = %(nginx_error_log)s
-maxretry = 2
-
-
-# Ban attackers that try to use PHP's URL-fopen() functionality
-# through GET/POST variables. - Experimental, with more than a year
-# of usage in production environments.
-
-[php-url-fopen]
-
-port    = http,https
-logpath = %(nginx_access_log)s
-          %(apache_access_log)s
-
-
-[suhosin]
-
-port    = http,https
-logpath = %(suhosin_log)s
-
-
-[lighttpd-auth]
-# Same as above for Apache's mod_auth
-# It catches wrong authentifications
-port    = http,https
-logpath = %(lighttpd_error_log)s
-
-
-#
-# Webmail and groupware servers
-#
-
-[roundcube-auth]
-
-port     = http,https
-logpath  = %(roundcube_errors_log)s
-
-
-[openwebmail]
-
-port     = http,https
-logpath  = /var/log/openwebmail.log
-
-
-[horde]
-
-port     = http,https
-logpath  = /var/log/horde/horde.log
-
-
-[groupoffice]
-
-port     = http,https
-logpath  = /home/groupoffice/log/info.log
-
-
-[sogo-auth]
-# Monitor SOGo groupware server
-# without proxy this would be:
-# port    = 20000
-port     = http,https
-logpath  = /var/log/sogo/sogo.log
-
-
-[tine20]
-
-logpath  = /var/log/tine20/tine20.log
-port     = http,https
-
-
-#
-# Web Applications
-#
-#
-
-[drupal-auth]
-
-port     = http,https
-logpath  = %(syslog_daemon)s
-backend  = %(syslog_backend)s
-
-[guacamole]
-
-port     = http,https
-logpath  = /var/log/tomcat*/catalina.out
-
-[monit]
-#Ban clients brute-forcing the monit gui login
-port = 2812
-logpath  = /var/log/monit
-
-
-[webmin-auth]
-
-port    = 10000
-logpath = %(syslog_authpriv)s
-backend = %(syslog_backend)s
-
-
-[froxlor-auth]
-
-port    = http,https
-logpath  = %(syslog_authpriv)s
-backend  = %(syslog_backend)s
-
-
-#
-# HTTP Proxy servers
-#
-#
-
-[squid]
-
-port     =  80,443,3128,8080
-logpath = /var/log/squid/access.log
-
-
-[3proxy]
-
-port    = 3128
-logpath = /var/log/3proxy.log
-
-
-#
-# FTP servers
-#
-
-
-[proftpd]
-
-port     = ftp,ftp-data,ftps,ftps-data
-logpath  = %(proftpd_log)s
-backend  = %(proftpd_backend)s
-
-
-[pure-ftpd]
-
-port     = ftp,ftp-data,ftps,ftps-data
-logpath  = %(pureftpd_log)s
-backend  = %(pureftpd_backend)s
-
-
-[gssftpd]
-
-port     = ftp,ftp-data,ftps,ftps-data
-logpath  = %(syslog_daemon)s
-backend  = %(syslog_backend)s
-
-
-[wuftpd]
-
-port     = ftp,ftp-data,ftps,ftps-data
-logpath  = %(wuftpd_log)s
-backend  = %(wuftpd_backend)s
-
-
-[vsftpd]
-# or overwrite it in jails.local to be
-# logpath = %(syslog_authpriv)s
-# if you want to rely on PAM failed login attempts
-# vsftpd's failregex should match both of those formats
-port     = ftp,ftp-data,ftps,ftps-data
-logpath  = %(vsftpd_log)s
-
-
-#
-# Mail servers
-#
-
-# ASSP SMTP Proxy Jail
-[assp]
-
-port     = smtp,465,submission
-logpath  = /root/path/to/assp/logs/maillog.txt
-
-
-[courier-smtp]
-
-port     = smtp,465,submission
-logpath  = %(syslog_mail)s
-backend  = %(syslog_backend)s
-
-
-[postfix]
-
-port     = smtp,465,submission
-logpath  = %(postfix_log)s
-backend  = %(postfix_backend)s
-
-
-[postfix-rbl]
-
-port     = smtp,465,submission
-logpath  = %(postfix_log)s
-backend  = %(postfix_backend)s
-maxretry = 1
-
-
-[sendmail-auth]
-
-port    = submission,465,smtp
-logpath = %(syslog_mail)s
-backend = %(syslog_backend)s
-
-
-[sendmail-reject]
-
-port     = smtp,465,submission
-logpath  = %(syslog_mail)s
-backend  = %(syslog_backend)s
-
-
-[qmail-rbl]
-
-filter  = qmail
-port    = smtp,465,submission
-logpath = /service/qmail/log/main/current
-
-
-# dovecot defaults to logging to the mail syslog facility
-# but can be set by syslog_facility in the dovecot configuration.
-[dovecot]
-
-port    = pop3,pop3s,imap,imaps,submission,465,sieve
-logpath = %(dovecot_log)s
-backend = %(dovecot_backend)s
-
-
-[sieve]
-
-port   = smtp,465,submission
-logpath = %(dovecot_log)s
-backend = %(dovecot_backend)s
-
-
-[solid-pop3d]
-
-port    = pop3,pop3s
-logpath = %(solidpop3d_log)s
-
-
-[exim]
-
-port   = smtp,465,submission
-logpath = %(exim_main_log)s
-
-
-[exim-spam]
-
-port   = smtp,465,submission
-logpath = %(exim_main_log)s
-
-
-[kerio]
-
-port    = imap,smtp,imaps,465
-logpath = /opt/kerio/mailserver/store/logs/security.log
-
-
-#
-# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
-# all relevant ports get banned
-#
-
-[courier-auth]
-
-port     = smtp,465,submission,imap3,imaps,pop3,pop3s
-logpath  = %(syslog_mail)s
-backend  = %(syslog_backend)s
-
-
-[postfix-sasl]
-
-port     = smtp,465,submission,imap3,imaps,pop3,pop3s
-# You might consider monitoring /var/log/mail.warn instead if you are
-# running postfix since it would provide the same log lines at the
-# "warn" level but overall at the smaller filesize.
-logpath  = %(postfix_log)s
-backend  = %(postfix_backend)s
-
-
-[perdition]
-
-port   = imap3,imaps,pop3,pop3s
-logpath = %(syslog_mail)s
-backend = %(syslog_backend)s
-
-
-[squirrelmail]
-
-port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
-logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
-
-
-[cyrus-imap]
-
-port   = imap3,imaps
-logpath = %(syslog_mail)s
-backend = %(syslog_backend)s
-
-
-[uwimap-auth]
-
-port   = imap3,imaps
-logpath = %(syslog_mail)s
-backend = %(syslog_backend)s
-
-
-#
-#
-# DNS servers
-#
-
-
-# !!! WARNING !!!
-#   Since UDP is connection-less protocol, spoofing of IP and imitation
-#   of illegal actions is way too simple.  Thus enabling of this filter
-#   might provide an easy way for implementing a DoS against a chosen
-#   victim. See
-#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
-#   Please DO NOT USE this jail unless you know what you are doing.
-#
-# IMPORTANT: see filter.d/named-refused for instructions to enable logging
-# This jail blocks UDP traffic for DNS requests.
-# [named-refused-udp]
-#
-# filter   = named-refused
-# port     = domain,953
-# protocol = udp
-# logpath  = /var/log/named/security.log
-
-# IMPORTANT: see filter.d/named-refused for instructions to enable logging
-# This jail blocks TCP traffic for DNS requests.
-
-[named-refused]
-
-port     = domain,953
-logpath  = /var/log/named/security.log
-
-
-[nsd]
-
-port     = 53
-action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
-           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
-logpath = /var/log/nsd.log
-
-
-#
-# Miscellaneous
-#
-
-[asterisk]
-
-port     = 5060,5061
-action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
-           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
-           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
-logpath  = /var/log/asterisk/messages
-maxretry = 10
-
-
-[freeswitch]
-
-port     = 5060,5061
-action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
-           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
-           %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
-logpath  = /var/log/freeswitch.log
-maxretry = 10
-
-
-# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
-# equivalent section:
-# log-warning = 2
-#
-# for syslog (daemon facility)
-# [mysqld_safe]
-# syslog
-#
-# for own logfile
-# [mysqld]
-# log-error=/var/log/mysqld.log
-[mysqld-auth]
-
-port     = 3306
-logpath  = %(mysql_log)s
-backend  = %(mysql_backend)s
-
-
-# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
-[mongodb-auth]
-# change port when running with "--shardsvr" or "--configsvr" runtime operation
-port     = 27017
-logpath  = /var/log/mongodb/mongodb.log
-
-
-# Jail for more extended banning of persistent abusers
-# !!! WARNINGS !!!
-# 1. Make sure that your loglevel specified in fail2ban.conf/.local
-#    is not at DEBUG level -- which might then cause fail2ban to fall into
-#    an infinite loop constantly feeding itself with non-informative lines
-# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
-#    to maintain entries for failed logins for sufficient amount of time
-[recidive]
-
-logpath  = /var/log/fail2ban.log
-banaction = %(banaction_allports)s
-bantime  = 604800  ; 1 week
-findtime = 86400   ; 1 day
-
-
-# Generic filter for PAM. Has to be used with action which bans all
-# ports such as iptables-allports, shorewall
-
-[pam-generic]
-# pam-generic filter can be customized to monitor specific subset of 'tty's
-banaction = %(banaction_allports)s
-logpath  = %(syslog_authpriv)s
-backend  = %(syslog_backend)s
-
-
-[xinetd-fail]
-
-banaction = iptables-multiport-log
-logpath   = %(syslog_daemon)s
-backend   = %(syslog_backend)s
-maxretry  = 2
-
-
-# stunnel - need to set port for this
-[stunnel]
-
-logpath = /var/log/stunnel4/stunnel.log
-
-
-[ejabberd-auth]
-
-port    = 5222
-logpath = /var/log/ejabberd/ejabberd.log
-
-
-[counter-strike]
-
-logpath = /opt/cstrike/logs/L[0-9]*.log
-# Firewall: http://www.cstrike-planet.com/faq/6
-tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
-udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
-action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
-           %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
-
-# consider low maxretry and a long bantime
-# nobody except your own Nagios server should ever probe nrpe
-[nagios]
-
-logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
-backend  = %(syslog_backend)s
-maxretry = 1
-
-
-[oracleims]
-# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
-logpath = /opt/sun/comms/messaging64/log/mail.log_current
-banaction = %(banaction_allports)s
-
-[directadmin]
-logpath = /var/log/directadmin/login.log
-port = 2222
-
-[portsentry]
-logpath  = /var/lib/portsentry/portsentry.history
-maxretry = 1
-
-[pass2allow-ftp]
-# this pass2allow example allows FTP traffic after successful HTTP authentication
-port         = ftp,ftp-data,ftps,ftps-data
-# knocking_url variable must be overridden to some secret value in jail.local
-knocking_url = /knocking/
-filter       = apache-pass[knocking_url="%(knocking_url)s"]
-# access log of the website with HTTP auth
-logpath      = %(apache_access_log)s
-blocktype    = RETURN
-returntype   = DROP
-bantime      = 3600
-maxretry     = 1
-findtime     = 1
-
-
-[murmur]
-# AKA mumble-server
-port     = 64738
-action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
-           %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
-logpath  = /var/log/mumble-server/mumble-server.log
-
-
-[screensharingd]
-# For Mac OS Screen Sharing Service (VNC)
-logpath  = /var/log/system.log
-logencoding = utf-8
-
-[haproxy-http-auth]
-# HAProxy by default doesn't log to file you'll need to set it up to forward
-# logs to a syslog server which would then write them to disk.
-# See "haproxy-http-auth" filter for a brief cautionary note when setting
-# maxretry and findtime.
-logpath  = /var/log/haproxy.log
-
-[slapd]
-port    = ldap,ldaps
-filter  = slapd
-logpath = /var/log/slapd.log

assets/fail2ban.jail.conf.old

@@ -1,314 +0,0 @@
-# Fail2Ban configuration file.
-#
-# This file was composed for Debian systems from the original one
-#  provided now under /usr/share/doc/fail2ban/examples/jail.conf
-#  for additional examples.
-#
-# To avoid merges during upgrades DO NOT MODIFY THIS FILE
-# and rather provide your changes in /etc/fail2ban/jail.local
-#
-# Author: Yaroslav O. Halchenko <debian@onerussian.com>
-#
-# $Revision$
-#
-
-# The DEFAULT allows a global definition of the options. They can be overridden
-# in each jail afterwards.
-
-[DEFAULT]
-
-# "ignoreip" can be an IP address, a CIDR mask or a DNS host
-ignoreip = 127.0.0.1/8
-bantime  = 600
-maxretry = 3
-
-# "backend" specifies the backend used to get files modification. Available
-# options are "gamin", "polling" and "auto".
-# yoh: For some reason Debian shipped python-gamin didn't work as expected
-#      This issue left ToDo, so polling is default backend for now
-backend = auto
-
-#
-# Destination email address used solely for the interpolations in
-# jail.{conf,local} configuration files.
-destemail = root@localhost
-
-#
-# ACTIONS
-#
-
-# Default banning action (e.g. iptables, iptables-new,
-# iptables-multiport, shorewall, etc) It is used to define
-# action_* variables. Can be overridden globally or per
-# section within jail.local file
-banaction = iptables-multiport
-
-# email action. Since 0.8.1 upstream fail2ban uses sendmail
-# MTA for the mailing. Change mta configuration parameter to mail
-# if you want to revert to conventional 'mail'.
-mta = sendmail
-
-# Default protocol
-protocol = tcp
-
-# Specify chain where jumps would need to be added in iptables-* actions
-chain = INPUT
-
-#
-# Action shortcuts. To be used to define action parameter
-
-# The simplest action to take: ban only
-action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
-
-# ban & send an e-mail with whois report to the destemail.
-action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
-              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
-
-# ban & send an e-mail with whois report and relevant log lines
-# to the destemail.
-action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
-               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
-
-# Choose default action.  To change, just override value of 'action' with the
-# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
-# globally (section [DEFAULT]) or per specific section
-action = %(action_)s
-
-#
-# JAILS
-#
-
-# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
-# was shipped in Debian. Enable any defined here jail by including
-#
-# [SECTION_NAME]
-# enabled = true
-
-#
-# in /etc/fail2ban/jail.local.
-#
-# Optionally you may override any other parameter (e.g. banaction,
-# action, port, logpath, etc) in that section within jail.local
-
-[ssh]
-
-enabled  = true
-port     = ssh
-filter   = sshd
-logpath  = /var/log/auth.log
-maxretry = 6
-
-[dropbear]
-
-enabled  = false
-port     = ssh
-filter   = sshd
-logpath  = /var/log/dropbear
-maxretry = 6
-
-# Generic filter for pam. Has to be used with action which bans all ports
-# such as iptables-allports, shorewall
-[pam-generic]
-
-enabled  = false
-# pam-generic filter can be customized to monitor specific subset of 'tty's
-filter   = pam-generic
-# port actually must be irrelevant but lets leave it all for some possible uses
-port     = all
-banaction = iptables-allports
-port     = anyport
-logpath  = /var/log/auth.log
-maxretry = 6
-
-[xinetd-fail]
-
-enabled   = false
-filter    = xinetd-fail
-port      = all
-banaction = iptables-multiport-log
-logpath   = /var/log/daemon.log
-maxretry  = 2
-
-
-[ssh-ddos]
-
-enabled  = true
-port     = ssh
-filter   = sshd-ddos
-logpath  = /var/log/auth.log
-maxretry = 6
-
-#
-# HTTP servers
-#
-
-[apache]
-
-enabled  = true
-port     = http,https
-filter   = apache-auth
-logpath  = /var/log/apache*/*error.log
-maxretry = 6
-
-# default action is now multiport, so apache-multiport jail was left
-# for compatibility with previous (<0.7.6-2) releases
-[apache-multiport]
-
-enabled   = false
-port      = http,https
-filter    = apache-auth
-logpath   = /var/log/apache*/*error.log
-maxretry  = 6
-
-[apache-noscript]
-
-enabled  = false
-port     = http,https
-filter   = apache-noscript
-logpath  = /var/log/apache*/*error.log
-maxretry = 6
-
-[apache-overflows]
-
-enabled  = false
-port     = http,https
-filter   = apache-overflows
-logpath  = /var/log/apache*/*error.log
-maxretry = 2
-
-#
-# FTP servers
-#
-
-[vsftpd]
-
-enabled  = true
-port     = ftp,ftp-data,ftps,ftps-data
-filter   = vsftpd
-logpath  = /var/log/vsftpd.log
-# or overwrite it in jails.local to be
-# logpath = /var/log/auth.log
-# if you want to rely on PAM failed login attempts
-# vsftpd's failregex should match both of those formats
-maxretry = 6
-
-
-[proftpd]
-
-enabled  = true
-port     = ftp,ftp-data,ftps,ftps-data
-filter   = proftpd
-logpath  = /var/log/proftpd/proftpd.log
-maxretry = 6
-
-
-[pure-ftpd]
-
-enabled  = true
-port     = ftp,ftp-data,ftps,ftps-data
-filter   = pure-ftpd
-logpath  = /var/log/auth.log
-maxretry = 6
-
-
-[wuftpd]
-
-enabled  = false
-port     = ftp,ftp-data,ftps,ftps-data
-filter   = wuftpd
-logpath  = /var/log/auth.log
-maxretry = 6
-
-
-#
-# Mail servers
-#
-
-[postfix]
-
-enabled  = false
-port     = smtp,ssmtp
-filter   = postfix
-logpath  = /var/log/mail.log
-
-
-[couriersmtp]
-
-enabled  = false
-port     = smtp,ssmtp
-filter   = couriersmtp
-logpath  = /var/log/mail.log
-
-
-#
-# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
-# all relevant ports get banned
-#
-
-[courierauth]
-
-enabled  = false
-port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
-filter   = courierlogin
-logpath  = /var/log/mail.log
-
-
-[sasl]
-
-enabled  = false
-port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
-filter   = sasl
-# You might consider monitoring /var/log/mail.warn instead if you are
-# running postfix since it would provide the same log lines at the
-# "warn" level but overall at the smaller filesize.
-logpath  = /var/log/mail.log
-
-[dovecot]
-
-enabled = false
-port    = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
-filter  = dovecot
-logpath = /var/log/mail.log
-
-# DNS Servers
-
-
-# These jails block attacks against named (bind9). By default, logging is off
-# with bind9 installation. You will need something like this:
-#
-# logging {
-#     channel security_file {
-#         file "/var/log/named/security.log" versions 3 size 30m;
-#         severity dynamic;
-#         print-time yes;
-#     };
-#     category security {
-#         security_file;
-#     };
-# };
-#
-# in your named.conf to provide proper logging
-
-# !!! WARNING !!!
-#   Since UDP is connection-less protocol, spoofing of IP and imitation
-#   of illegal actions is way too simple.  Thus enabling of this filter
-#   might provide an easy way for implementing a DoS against a chosen
-#   victim. See
-#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
-#   Please DO NOT USE this jail unless you know what you are doing.
-#[named-refused-udp]
-#
-#enabled  = false
-#port     = domain,953
-#protocol = udp
-#filter   = named-refused
-#logpath  = /var/log/named/security.log
-
-[named-refused-tcp]
-
-enabled  = false
-port     = domain,953
-protocol = tcp
-filter   = named-refused
-logpath  = /var/log/named/security.log
-

install-debian-server.sh

@@ -51,19 +51,6 @@ apt-get install vim
 sed -i "s/^# en_GB.UTF-8/en_GB.UTF-8/g" /etc/locale.gen
 locale-gen
 
-
-# echo '\033[35m
-#     __  _____    ____  ____  _______   __
-#    / / / /   |  / __ \/ __ \/ ____/ | / /
-#   / /_/ / /| | / /_/ / / / / __/ /  |/ /
-#  / __  / ___ |/ _, _/ /_/ / /___/ /|  /
-# /_/ /_/_/  |_/_/ |_/_____/_____/_/ |_/
-# \033[0m'
-# echo "\033[35;1mInstalling harden \033[0m"
-# sleep 3
-# apt-get install harden
-# echo "\033[92;1mHarden instaled\033[Om"
-
 echo '\033[35m
     ______________  _______       _____    __    __
    / ____/  _/ __ \/ ____/ |     / /   |  / /   / /
@@ -89,7 +76,8 @@ echo '\033[35m
 \033[0m'
 echo "\033[35;1mInstalling fall2ban \033[0m"
 apt-get install fail2ban
-cat "$_cwd"/assets/fail2ban.jail.conf > /etc/fail2ban/jail.conf
+cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
+# ToDo ask for email and configure jail.local with it
 service fail2ban restart
 echo "\033[92;1mfail2ban installed and configured\033[Om"