
  1. # Fail2Ban configuration file.
  2. #
# This file was composed for Debian systems from the upstream original, which
# is now shipped under /usr/share/doc/fail2ban/examples/jail.conf; consult that
# copy for additional examples.
  6. #
# To avoid conflicts during package upgrades DO NOT MODIFY THIS FILE; put your
# changes in /etc/fail2ban/jail.local instead (it is read after this file and
# overrides any value set here).
  9. #
  10. # Author: Yaroslav O. Halchenko <debian@onerussian.com>
  11. #
  12. # $Revision$
  13. #
# The [DEFAULT] section holds global definitions of the options. Any of them
# can be overridden inside an individual jail section afterwards.
  16. [DEFAULT]
  17. # "ignoreip" can be an IP address, a CIDR mask or a DNS host
  18. ignoreip = 127.0.0.1/8
  19. bantime = 600
  20. maxretry = 3
  21. # "backend" specifies the backend used to get files modification. Available
  22. # options are "gamin", "polling" and "auto".
  23. # yoh: For some reason Debian shipped python-gamin didn't work as expected
  24. # This issue left ToDo, so polling is default backend for now
  25. backend = auto
  26. #
  27. # Destination email address used solely for the interpolations in
  28. # jail.{conf,local} configuration files.
  29. destemail = root@localhost
  30. #
  31. # ACTIONS
  32. #
  33. # Default banning action (e.g. iptables, iptables-new,
  34. # iptables-multiport, shorewall, etc) It is used to define
  35. # action_* variables. Can be overridden globally or per
  36. # section within jail.local file
  37. banaction = iptables-multiport
  38. # email action. Since 0.8.1 upstream fail2ban uses sendmail
  39. # MTA for the mailing. Change mta configuration parameter to mail
  40. # if you want to revert to conventional 'mail'.
  41. mta = sendmail
  42. # Default protocol
  43. protocol = tcp
  44. # Specify chain where jumps would need to be added in iptables-* actions
  45. chain = INPUT
  46. #
  47. # Action shortcuts. To be used to define action parameter
  48. # The simplest action to take: ban only
  49. action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  50. # ban & send an e-mail with whois report to the destemail.
  51. action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  52. %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
  53. # ban & send an e-mail with whois report and relevant log lines
  54. # to the destemail.
  55. action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  56. %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
  57. # Choose default action. To change, just override value of 'action' with the
  58. # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
  59. # globally (section [DEFAULT]) or per specific section
  60. action = %(action_)s
  61. #
  62. # JAILS
  63. #
# The jails below correspond to the standard configuration of Fail2ban 0.6 as
# it was shipped in Debian. Enable any jail defined here by adding
  66. #
  67. # [SECTION_NAME]
  68. # enabled = true
  69. #
  70. # in /etc/fail2ban/jail.local.
  71. #
  72. # Optionally you may override any other parameter (e.g. banaction,
  73. # action, port, logpath, etc) in that section within jail.local
  74. [ssh]
  75. enabled = true
  76. port = ssh
  77. filter = sshd
  78. logpath = /var/log/auth.log
  79. maxretry = 6
  80. [dropbear]
  81. enabled = false
  82. port = ssh
  83. filter = sshd
  84. logpath = /var/log/dropbear
  85. maxretry = 6
  86. # Generic filter for pam. Has to be used with action which bans all ports
  87. # such as iptables-allports, shorewall
  88. [pam-generic]
  89. enabled = false
  90. # pam-generic filter can be customized to monitor specific subset of 'tty's
  91. filter = pam-generic
  92. # port actually must be irrelevant but lets leave it all for some possible uses
  93. port = all
  94. banaction = iptables-allports
  95. port = anyport
  96. logpath = /var/log/auth.log
  97. maxretry = 6
  98. [xinetd-fail]
  99. enabled = false
  100. filter = xinetd-fail
  101. port = all
  102. banaction = iptables-multiport-log
  103. logpath = /var/log/daemon.log
  104. maxretry = 2
  105. [ssh-ddos]
  106. enabled = false
  107. port = ssh
  108. filter = sshd-ddos
  109. logpath = /var/log/auth.log
  110. maxretry = 6
  111. #
  112. # HTTP servers
  113. #
  114. [apache]
  115. enabled = false
  116. port = http,https
  117. filter = apache-auth
  118. logpath = /var/log/apache*/*error.log
  119. maxretry = 6
  120. # default action is now multiport, so apache-multiport jail was left
  121. # for compatibility with previous (<0.7.6-2) releases
  122. [apache-multiport]
  123. enabled = false
  124. port = http,https
  125. filter = apache-auth
  126. logpath = /var/log/apache*/*error.log
  127. maxretry = 6
  128. [apache-noscript]
  129. enabled = false
  130. port = http,https
  131. filter = apache-noscript
  132. logpath = /var/log/apache*/*error.log
  133. maxretry = 6
  134. [apache-overflows]
  135. enabled = false
  136. port = http,https
  137. filter = apache-overflows
  138. logpath = /var/log/apache*/*error.log
  139. maxretry = 2
  140. #
  141. # FTP servers
  142. #
  143. [vsftpd]
  144. enabled = false
  145. port = ftp,ftp-data,ftps,ftps-data
  146. filter = vsftpd
  147. logpath = /var/log/vsftpd.log
  148. # or overwrite it in jails.local to be
  149. # logpath = /var/log/auth.log
  150. # if you want to rely on PAM failed login attempts
  151. # vsftpd's failregex should match both of those formats
  152. maxretry = 6
  153. [proftpd]
  154. enabled = false
  155. port = ftp,ftp-data,ftps,ftps-data
  156. filter = proftpd
  157. logpath = /var/log/proftpd/proftpd.log
  158. maxretry = 6
  159. [pure-ftpd]
  160. enabled = false
  161. port = ftp,ftp-data,ftps,ftps-data
  162. filter = pure-ftpd
  163. logpath = /var/log/auth.log
  164. maxretry = 6
  165. [wuftpd]
  166. enabled = false
  167. port = ftp,ftp-data,ftps,ftps-data
  168. filter = wuftpd
  169. logpath = /var/log/auth.log
  170. maxretry = 6
  171. #
  172. # Mail servers
  173. #
  174. [postfix]
  175. enabled = false
  176. port = smtp,ssmtp
  177. filter = postfix
  178. logpath = /var/log/mail.log
  179. [couriersmtp]
  180. enabled = false
  181. port = smtp,ssmtp
  182. filter = couriersmtp
  183. logpath = /var/log/mail.log
  184. #
# Mail server authenticators: one authentication backend may serve smtp, ftp,
# imap and pop3, so a failure against it bans all of the relevant ports.
  187. #
  188. [courierauth]
  189. enabled = false
  190. port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
  191. filter = courierlogin
  192. logpath = /var/log/mail.log
  193. [sasl]
  194. enabled = false
  195. port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
  196. filter = sasl
  197. # You might consider monitoring /var/log/mail.warn instead if you are
  198. # running postfix since it would provide the same log lines at the
  199. # "warn" level but overall at the smaller filesize.
  200. logpath = /var/log/mail.log
  201. [dovecot]
  202. enabled = false
  203. port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
  204. filter = dovecot
  205. logpath = /var/log/mail.log
#
# DNS servers
#
# These jails block attacks against named (bind9). Security logging is off by
# default in a bind9 installation, so you will need something like this:
  209. #
  210. # logging {
  211. # channel security_file {
  212. # file "/var/log/named/security.log" versions 3 size 30m;
  213. # severity dynamic;
  214. # print-time yes;
  215. # };
  216. # category security {
  217. # security_file;
  218. # };
  219. # };
  220. #
  221. # in your named.conf to provide proper logging
# !!! WARNING !!!
# Since UDP is a connection-less protocol, spoofing the source IP and faking
# the offending queries is trivial. Enabling this filter therefore hands any
# attacker an easy way to get a victim of their choice banned (a DoS). See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing. The jail is
# deliberately left commented out below.
  229. #[named-refused-udp]
  230. #
  231. #enabled = false
  232. #port = domain,953
  233. #protocol = udp
  234. #filter = named-refused
  235. #logpath = /var/log/named/security.log
  236. [named-refused-tcp]
  237. enabled = false
  238. port = domain,953
  239. protocol = tcp
  240. filter = named-refused
  241. logpath = /var/log/named/security.log