diff --git a/config/action.d/dummy.conf b/config/action.d/dummy.conf index bfd9599d..21b7fa9d 100644 --- a/config/action.d/dummy.conf +++ b/config/action.d/dummy.conf @@ -9,20 +9,20 @@ # Option: fwstart # Notes.: command executed once at the start of Fail2Ban. -# Values: CMD Default: +# Values: CMD # actionstart = touch /tmp/fail2ban.dummy echo "" >> /tmp/fail2ban.dummy # Option: fwend # Notes.: command executed once at the end of Fail2Ban -# Values: CMD Default: +# Values: CMD # actionstop = rm /tmp/fail2ban.dummy # Option: fwcheck # Notes.: command executed once before each fwban command -# Values: CMD Default: +# Values: CMD # actioncheck = @@ -34,7 +34,6 @@ actioncheck = # unix timestamp of the last failure # unix timestamp of the ban time # Values: CMD -# Default: iptables -I INPUT 1 -s -j DROP # actionban = echo "+" >> /tmp/fail2ban.dummy @@ -45,10 +44,10 @@ actionban = echo "+" >> /tmp/fail2ban.dummy # unix timestamp of the ban time # unix timestamp of the unban time # Values: CMD -# Default: iptables -D INPUT -s -j DROP # actionunban = echo "-" >> /tmp/fail2ban.dummy [Init] init = 123 + diff --git a/config/action.d/hostsdeny.conf b/config/action.d/hostsdeny.conf index ba813ac8..f87ecb5a 100644 --- a/config/action.d/hostsdeny.conf +++ b/config/action.d/hostsdeny.conf @@ -9,19 +9,19 @@ # Option: fwstart # Notes.: command executed once at the start of Fail2Ban. -# Values: CMD Default: +# Values: CMD # actionstart = touch # Option: fwend # Notes.: command executed once at the end of Fail2Ban -# Values: CMD Default: +# Values: CMD # actionstop = rm -f # Option: fwcheck # Notes.: command executed once before each fwban command -# Values: CMD Default: +# Values: CMD # actioncheck = @@ -33,7 +33,6 @@ actioncheck = # unix timestamp of the last failure # unix timestamp of the ban time # Values: CMD -# Default: iptables -I INPUT 1 -s -j DROP # actionban = IP= && echo "ALL: $IP" 
>> @@ -45,7 +44,6 @@ actionban = IP= && # unix timestamp of the ban time # unix timestamp of the unban time # Values: CMD -# Default: iptables -D INPUT -s -j DROP # actionunban = IP= && grep -v "ALL: $IP" > && @@ -64,3 +62,4 @@ file = /etc/hosts.deny # Values: STR Default: /etc/hostsdeny.failban # tmpfile = /tmp/hosts.deny.tmp + diff --git a/config/action.d/iptables.conf b/config/action.d/iptables.conf index 3d9083f1..fe55731f 100644 --- a/config/action.d/iptables.conf +++ b/config/action.d/iptables.conf @@ -9,7 +9,7 @@ # Option: fwstart # Notes.: command executed once at the start of Fail2Ban. -# Values: CMD Default: +# Values: CMD # actionstart = iptables -N fail2ban- iptables -A fail2ban- -j RETURN @@ -17,7 +17,7 @@ actionstart = iptables -N fail2ban- # Option: fwend # Notes.: command executed once at the end of Fail2Ban -# Values: CMD Default: +# Values: CMD # actionstop = iptables -D INPUT -p --dport -j fail2ban- iptables -F fail2ban- @@ -25,7 +25,7 @@ actionstop = iptables -D INPUT -p --dport -j fail2ban- # Option: fwcheck # Notes.: command executed once before each fwban command -# Values: CMD Default: +# Values: CMD # actioncheck = iptables -L INPUT | grep -q fail2ban- @@ -37,7 +37,6 @@ actioncheck = iptables -L INPUT | grep -q fail2ban- # unix timestamp of the last failure # unix timestamp of the ban time # Values: CMD -# Default: iptables -I INPUT 1 -s -j DROP # actionban = iptables -I fail2ban- 1 -s -j DROP @@ -48,7 +47,6 @@ actionban = iptables -I fail2ban- 1 -s -j DROP # unix timestamp of the ban time # unix timestamp of the unban time # Values: CMD -# Default: iptables -D INPUT -s -j DROP # actionunban = iptables -D fail2ban- -s -j DROP @@ -69,3 +67,4 @@ port = ssh # Values: [ tcp | udp | icmp | all ] Default: tcp # protocol = tcp + diff --git a/config/action.d/mail-whois.conf b/config/action.d/mail-whois.conf index 459fbf51..fc21065f 100644 --- a/config/action.d/mail-whois.conf +++ b/config/action.d/mail-whois.conf 
@@ -9,7 +9,7 @@ # Option: fwstart # Notes.: command executed once at the start of Fail2Ban. -# Values: CMD Default: +# Values: CMD # actionstart = echo -en "Hi,\n The jail has been started successfuly.\n @@ -18,7 +18,7 @@ actionstart = echo -en "Hi,\n # Option: fwend # Notes.: command executed once at the end of Fail2Ban -# Values: CMD Default: +# Values: CMD # actionstop = echo -en "Hi,\n The jail has been stopped.\n @@ -27,7 +27,7 @@ actionstop = echo -en "Hi,\n # Option: fwcheck # Notes.: command executed once before each fwban command -# Values: CMD Default: +# Values: CMD # actioncheck = @@ -39,7 +39,6 @@ actioncheck = # unix timestamp of the last failure # unix timestamp of the ban time # Values: CMD -# Default: iptables -I INPUT 1 -s -j DROP # actionban = echo -en "Hi,\n The IP has just been banned by Fail2Ban after @@ -56,7 +55,6 @@ actionban = echo -en "Hi,\n # unix timestamp of the ban time # unix timestamp of the unban time # Values: CMD -# Default: iptables -D INPUT -s -j DROP # actionunban = @@ -69,3 +67,4 @@ name = default # Destinataire of the mail # dest = root + diff --git a/config/action.d/mail.conf b/config/action.d/mail.conf index 88cbae25..90295906 100644 --- a/config/action.d/mail.conf +++ b/config/action.d/mail.conf @@ -9,7 +9,7 @@ # Option: fwstart # Notes.: command executed once at the start of Fail2Ban. -# Values: CMD Default: +# Values: CMD # actionstart = echo -en "Hi,\n The jail has been started successfuly.\n @@ -18,7 +18,7 @@ actionstart = echo -en "Hi,\n # Option: fwend # Notes.: command executed once at the end of Fail2Ban -# Values: CMD Default: +# Values: CMD # actionstop = echo -en "Hi,\n The jail has been stopped.\n @@ -27,7 +27,7 @@ actionstop = echo -en "Hi,\n # Option: fwcheck # Notes.: command executed once before each fwban command -# Values: CMD Default: +# Values: CMD # actioncheck = 
@@ -39,7 +39,6 @@ actioncheck = # unix timestamp of the last failure # unix timestamp of the ban time # Values: CMD -# Default: iptables -I INPUT 1 -s -j DROP # actionban = echo -en "Hi,\n The IP has just been banned by Fail2Ban after @@ -54,7 +53,6 @@ actionban = echo -en "Hi,\n # unix timestamp of the ban time # unix timestamp of the unban time # Values: CMD -# Default: iptables -D INPUT -s -j DROP # actionunban = @@ -67,3 +65,4 @@ name = default # Destinataire of the mail # dest = root + diff --git a/config/filter.d/apache-auth.conf b/config/filter.d/apache-auth.conf index b4d5bb94..ac3a0256 100644 --- a/config/filter.d/apache-auth.conf +++ b/config/filter.d/apache-auth.conf @@ -9,6 +9,6 @@ # Option: failregex # Notes.: regex to match the password failure messages in the logfile. -# Values: TEXT Default: authentication failure|user .* not found +# Values: TEXT # -failregex = authentication failure|user .* not found +failregex = [[]client (?P\S*)[]] user .*(?:: authentication failure|not found) diff --git a/config/filter.d/couriersmtp.conf b/config/filter.d/couriersmtp.conf index 92d942b6..29242a34 100644 --- a/config/filter.d/couriersmtp.conf +++ b/config/filter.d/couriersmtp.conf @@ -9,6 +9,6 @@ # Option: failregex # Notes.: regex to match the password failures messages in the logfile. -# Values: TEXT Default: +# Values: TEXT # failregex = error,relay=(?:::f{4,6}:)?(?P\S*),.*550 User unknown diff --git a/config/filter.d/postfix.conf b/config/filter.d/postfix.conf index a226d28b..1fded787 100644 --- a/config/filter.d/postfix.conf +++ b/config/filter.d/postfix.conf @@ -9,6 +9,6 @@ # Option: failregex # Notes.: regex to match the password failures messages in the logfile. -# Values: TEXT Default: +# Values: TEXT # failregex = reject: RCPT from (.*)\[(?P\S*)\]: 554 diff --git a/config/filter.d/qmail.conf b/config/filter.d/qmail.conf index 082f15cc..58c6bd05 100644 --- a/config/filter.d/qmail.conf +++ b/config/filter.d/qmail.conf 
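Review bot: The new apache-auth failregex captures the client address with `\S*`, which also matches the empty string, so a malformed `[client ]` entry would produce an empty ban target; fail2ban host groups normally use `\S+` so the filter fails closed instead, i.e. `failregex = [[]client (?P<host>\S+)[]] user .*(?:: authentication failure|not found)` (the group name appears as `(?P\S*)` on this page, which looks like rendering loss rather than the committed text). The username between `user ` and the alternation is chosen by the remote client and is logged verbatim by Apache, so the greedy `.*` is the part of the pattern an attacker controls; it cannot move the capture off the real `[client …]` prefix, but it is worth a comment above the key noting that the alternation, not the username, is what must stay tight. The line count of this hunk suggests it is complete, but the surrounding filter file is not visible here.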
@@ -9,6 +9,6 @@ # Option: failregex # Notes.: regex to match the password failures messages in the logfile. -# Values: TEXT Default: +# Values: TEXT # failregex = (?:[\d,.]+[\d,.] rblsmtpd: |421 badiprbl: ip )(?P\S*) diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf index 88b4cc50..92552674 100644 --- a/config/filter.d/sshd.conf +++ b/config/filter.d/sshd.conf @@ -9,7 +9,7 @@ # Option: failregex # Notes.: regex to match the password failures messages in the logfile. -# Values: TEXT Default: Authentication failure|Failed password|Invalid user +# Values: TEXT # failregex = (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user|ROOT LOGIN REFUSED) .*(?: from|FROM) (?:::f{4,6}:)?(?P\S*) diff --git a/config/filter.d/vsftpd.conf b/config/filter.d/vsftpd.conf index 0c992359..0b7cd843 100644 --- a/config/filter.d/vsftpd.conf +++ b/config/filter.d/vsftpd.conf @@ -9,6 +9,6 @@ # Option: failregex # Notes.: regex to match the password failures messages in the logfile. -# Values: TEXT Default: Authentication failure|Failed password|Invalid user +# Values: TEXT # failregex = vsftpd: \(pam_unix\) authentication failure; .* rhost=(?P\S*) diff --git a/config/jail.conf b/config/jail.conf index ffb47fe7..c96dedb5 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -52,6 +52,17 @@ action = hostsdeny mail-whois[name=SSH, dest=yourmail@mail.com] logpath = /var/log/sshd.log +# This jail demonstrates the use of wildcards in "logpath". +# Moreover, it is possible to give other files on a new line. + +[apache-tcpwrapper] + +enabled = false +filter = apache-auth +action = hostsdeny +logpath = /var/log/apache*/*access.log + /home/www/myhomepage/access.log +maxretry = 6 # The hosts.deny path can be defined with the "file" argument if it is # not in /etc.
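Review bot: The new `[apache-tcpwrapper]` jail points `logpath` at `*access.log` files, but the `apache-auth` filter it selects (visible earlier in this diff) matches `[client …] user … authentication failure|not found` lines, which a stock httpd writes to its error log rather than the access log, so as written the example would never fire; `logpath = /var/log/apache*/*error.log` would make the example actually work, or the comment above it should say the paths are illustrative only. Separately, `action = hostsdeny` only blocks daemons that consult tcp_wrappers, which httpd normally does not (hedged: depends on the build), so a banned client keeps reaching the web server that produced the failures; since the jail ships `enabled = false` this is a documentation point, e.g. `# hostsdeny only affects libwrap-aware services; use the iptables action to block HTTP clients`. The hunk is complete within this page.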