|
|
|
@ -290,9 +290,9 @@ filter = sshd
|
|
|
|
|
action = bsd-ipfw[port=ssh,table=1]
|
|
|
|
|
logpath = /var/log/auth.log
|
|
|
|
|
|
|
|
|
|
# PF is a BSD based firewall
|
|
|
|
|
[sshd-pf]
|
|
|
|
|
|
|
|
|
|
[sshd-pf]
|
|
|
|
|
# PF is a BSD based firewall
|
|
|
|
|
filter = sshd
|
|
|
|
|
action = pf
|
|
|
|
|
logpath = /var/log/sshd.log
|
|
|
|
@ -313,6 +313,7 @@ filter = sshd
|
|
|
|
|
action = osx-afctl[bantime=600]
|
|
|
|
|
logpath = /var/log/secure.log
|
|
|
|
|
maxretry = 5
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# HTTP servers
|
|
|
|
|
#
|
|
|
|
@ -322,14 +323,13 @@ maxretry = 5
|
|
|
|
|
port = http,https
|
|
|
|
|
logpath = /var/log/apache*/*error.log
|
|
|
|
|
|
|
|
|
|
# Ban hosts which agent identifies spammer robots crawling the web
|
|
|
|
|
# for email addresses. The mail outputs are buffered.
|
|
|
|
|
|
|
|
|
|
[apache-badbots]
|
|
|
|
|
|
|
|
|
|
# Ban hosts which agent identifies spammer robots crawling the web
|
|
|
|
|
# for email addresses. The mail outputs are buffered.
|
|
|
|
|
port = http,https
|
|
|
|
|
logpath = /var/log/apache*/*access.log
|
|
|
|
|
/var/www/*/logs/access_log
|
|
|
|
|
/var/www/*/logs/access_log
|
|
|
|
|
bantime = 172800
|
|
|
|
|
maxretry = 1
|
|
|
|
|
|
|
|
|
@ -345,6 +345,15 @@ maxretry = 6
|
|
|
|
|
|
|
|
|
|
port = http,https
|
|
|
|
|
logpath = /var/log/apache*/*error.log
|
|
|
|
|
/var/www/*/logs/error_log
|
|
|
|
|
maxretry = 2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[apache-nohome]
|
|
|
|
|
|
|
|
|
|
port = http,https
|
|
|
|
|
logpath = /var/log/apache*/*error.log
|
|
|
|
|
/var/www/*/logs/error_log
|
|
|
|
|
maxretry = 2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -352,6 +361,7 @@ maxretry = 2
|
|
|
|
|
|
|
|
|
|
port = http,https
|
|
|
|
|
logpath = /var/log/apache*/*error.log
|
|
|
|
|
/var/www/*/logs/error_log
|
|
|
|
|
maxretry = 2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -370,20 +380,24 @@ logpath = /var/log/nginx/error.log
|
|
|
|
|
port = http,https
|
|
|
|
|
logpath = /var/www/*/logs/access_log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[suhosin]
|
|
|
|
|
|
|
|
|
|
filter = suhosin
|
|
|
|
|
# Same as above for mod_auth
|
|
|
|
|
# It catches wrong authentifications
|
|
|
|
|
port = http,https
|
|
|
|
|
logpath = /var/log/lighttpd/error.log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[lighttpd-auth]
|
|
|
|
|
|
|
|
|
|
# Same as above for Apache's mod_auth
|
|
|
|
|
# It catches wrong authentifications
|
|
|
|
|
port = http,https
|
|
|
|
|
logpath = /var/log/lighttpd/error.log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Webmail and groupware servers
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
[roundcube-auth]
|
|
|
|
|
|
|
|
|
|
port = http,https
|
|
|
|
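Review bot: The comment `# Same as above for Apache's mod_auth` on the new [lighttpd-auth] jail no longer has a clear referent, because this hunk inserts [suhosin] directly above it, so "above" now points at the wrong jail. Name the jail it mirrors instead, e.g. `# Like [apache-auth], but for lighttpd: catches wrong authentications in its error log`, which also fixes the "authentifications" typo carried over from the old comment. The [suhosin] block shows only `filter = suhosin` here; its remaining keys are not distinguishable in this rendering, so confirm its port and logpath are set rather than falling through to the file defaults.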
@ -393,22 +407,34 @@ logpath = /var/log/roundcube/userlogins
|
|
|
|
|
[openwebmail]
|
|
|
|
|
|
|
|
|
|
port = http,https
|
|
|
|
|
logpath = /var/log/openwebmail.log`
|
|
|
|
|
logpath = /var/log/openwebmail.log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[horde]
|
|
|
|
|
|
|
|
|
|
port = http,https
|
|
|
|
|
logpath = /var/log/horde/horde.log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[groupoffice]
|
|
|
|
|
|
|
|
|
|
port = http,https
|
|
|
|
|
logpath = /home/groupoffice/log/info.log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[sogo-auth]
|
|
|
|
|
# Monitor SOGo groupware server
|
|
|
|
|
# without proxy this would be:
|
|
|
|
|
# port = 20000
|
|
|
|
|
|
|
|
|
|
port = http,https
|
|
|
|
|
logpath = /var/log/sogo/sogo.log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[3proxy]
|
|
|
|
|
|
|
|
|
|
port = 3128
|
|
|
|
|
logpath = /var/log/3proxy.log
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Web Applications
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
[guacamole]
|
|
|
|
|
|
|
|
|
@ -422,43 +448,61 @@ port = 10000
|
|
|
|
|
logpath = /var/log/auth.log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# ... custom jails
|
|
|
|
|
#
|
|
|
|
|
# HTTP Proxy servers
|
|
|
|
|
#
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
# This jail demonstrates the use of wildcards in "logpath".
|
|
|
|
|
# Moreover, it is possible to give other files on a new line.
|
|
|
|
|
[apache-tcpwrapper]
|
|
|
|
|
[squid]
|
|
|
|
|
|
|
|
|
|
filter = apache-auth
|
|
|
|
|
action = hostsdeny
|
|
|
|
|
logpath = /var/log/apache*/*error.log
|
|
|
|
|
maxretry = 6
|
|
|
|
|
port = 80,443,3128,8080
|
|
|
|
|
logpath = /var/log/squid/access.log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[3proxy]
|
|
|
|
|
|
|
|
|
|
port = 3128
|
|
|
|
|
logpath = /var/log/3proxy.log
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# FTP servers
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# The hosts.deny path can be defined with the "file" argument if it is
|
|
|
|
|
# not in /etc.
|
|
|
|
|
[proftpd]
|
|
|
|
|
|
|
|
|
|
port = ftp,ftp-data,ftps,ftps-data
|
|
|
|
|
logpath = /var/log/proftpd/proftpd.log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[pure-ftpd]
|
|
|
|
|
|
|
|
|
|
port = ftp,ftp-data,ftps,ftps-data
|
|
|
|
|
logpath = /var/log/auth.log
|
|
|
|
|
maxretry = 6
|
|
|
|
|
|
|
|
|
|
[vsftpd]
|
|
|
|
|
|
|
|
|
|
[gssftpd-iptables]
|
|
|
|
|
|
|
|
|
|
port = ftp,ftp-data,ftps,ftps-data
|
|
|
|
|
logpath = /var/log/vsftpd.log
|
|
|
|
|
logpath = /var/log/daemon.log
|
|
|
|
|
maxretry = 6
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[wuftpd]
|
|
|
|
|
|
|
|
|
|
port = ftp,ftp-data,ftps,ftps-data
|
|
|
|
|
logpath = /var/log/daemon.log
|
|
|
|
|
maxretry = 6
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[vsftpd]
|
|
|
|
|
# or overwrite it in jails.local to be
|
|
|
|
|
# logpath = /var/log/auth.log
|
|
|
|
|
# if you want to rely on PAM failed login attempts
|
|
|
|
|
# vsftpd's failregex should match both of those formats
|
|
|
|
|
port = ftp,ftp-data,ftps,ftps-data
|
|
|
|
|
logpath = /var/log/vsftpd.log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Do not ban anybody. Just report information about the remote host.
|
|
|
|
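Review bot: The comment `# The hosts.deny path can be defined with the "file" argument if it is not in /etc.` ends up immediately above [proftpd], which has no hostsdeny action; if it survives on the new side once [apache-tcpwrapper] goes, it is orphaned and should be dropped, or kept only next to a jail with `action = hostsdeny` (as the same comment is above [postfix-tcpwrapper] in a later hunk). The [3proxy] block appears both in this hunk and in the preceding one, and the old/new sides are not recoverable from this rendering, so confirm that only one `[3proxy]` header remains on the new side — a strict configparser rejects a duplicate section and the jail would not load. `[gssftpd-iptables]` encodes the ban action in its name while the other new jails here ([squid], [wuftpd]) do not and no `action =` line is visible for it; `[gssftpd]` would match the file's convention. The first point is hedged because the surviving side of the comment is inferred.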
@ -488,22 +532,30 @@ bantime = 1800
|
|
|
|
|
# ASSP SMTP Proxy Jail
|
|
|
|
|
[assp]
|
|
|
|
|
|
|
|
|
|
port = smtp,ssmtp,submission
|
|
|
|
|
port = smtp,465,submission
|
|
|
|
|
logpath = /root/path/to/assp/logs/maillog.txt
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[courier-smtp]
|
|
|
|
|
|
|
|
|
|
port = smtp,ssmtp,submission
|
|
|
|
|
port = smtp,465,submission
|
|
|
|
|
logpath = /var/log/mail.log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[postfix]
|
|
|
|
|
|
|
|
|
|
port = smtp,ssmtp,submission
|
|
|
|
|
port = smtp,465,submission
|
|
|
|
|
logpath = /var/log/mail.log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[qmail-rbl]
|
|
|
|
|
|
|
|
|
|
port = smtp,465,submission
|
|
|
|
|
logpath = /service/qmail/log/main/current
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# The hosts.deny path can be defined with the "file" argument if it is
|
|
|
|
|
# not in /etc.
|
|
|
|
|
[postfix-tcpwrapper]
|
|
|
|
|
|
|
|
|
|
filter = postfix
|
|
|
|
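Review bot: The port lists change from `smtp,ssmtp,submission` to `smtp,465,submission` in [assp], [courier-smtp] and [postfix] here, and again in the [exim]/[exim-spam] and [courier-auth]/[postfix-sasl] hunks, leaving one numeric port among service names with no explanation. A comment above the first occurrence, e.g. `# 465 is written numerically: the service name for SMTP over TLS (ssmtp/smtps) is not defined in every /etc/services`, would record the reason; that reason is inferred, so confirm it is the actual motivation. The new [qmail-rbl] jail's `logpath = /service/qmail/log/main/current` is the only log location in this file outside `/var/log`, so a one-line comment above it naming the log layout it expects would help the next maintainer.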
@ -532,6 +584,12 @@ port = pop3,pop3s,imap,imaps,submission,465,sieve
|
|
|
|
|
logpath = /var/log/secure
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[sieve]
|
|
|
|
|
|
|
|
|
|
port = smtp,465,submission
|
|
|
|
|
logpath = /var/log/mail*log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[solid-pop3d]
|
|
|
|
|
|
|
|
|
|
port = pop3,pop3s
|
|
|
|
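Review bot: The new [sieve] jail bans `smtp,465,submission` but not the sieve service itself, even though `sieve` is already used as a service name in this section's enclosing port list (`pop3,pop3s,imap,imaps,submission,465,sieve` in the hunk header). If the sieve filter matches login failures on that service, a banned host can still reach it; either add `sieve` to the list or put a comment above `port =` stating why only the SMTP ports are banned. The intent is inferred from the jail name — confirm against the filter.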
@ -540,12 +598,12 @@ logpath = /var/log/mail.log
|
|
|
|
|
|
|
|
|
|
[exim]
|
|
|
|
|
|
|
|
|
|
port = smtp,ssmtp,submission
|
|
|
|
|
port = smtp,465,submission
|
|
|
|
|
logpath = /var/log/exim/mainlog
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[exim-spam]
|
|
|
|
|
port = smtp,ssmtp,submission
|
|
|
|
|
port = smtp,465,submission
|
|
|
|
|
logpath = /var/log/exim/mainlog
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@ -556,13 +614,13 @@ logpath = /var/log/exim/mainlog
|
|
|
|
|
|
|
|
|
|
[courier-auth]
|
|
|
|
|
|
|
|
|
|
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
|
|
|
|
|
port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s
|
|
|
|
|
logpath = /var/log/mail.log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[postfix-sasl]
|
|
|
|
|
|
|
|
|
|
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
|
|
|
|
|
port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s
|
|
|
|
|
# You might consider monitoring /var/log/mail.warn instead if you are
|
|
|
|
|
# running postfix since it would provide the same log lines at the
|
|
|
|
|
# "warn" level but overall at the smaller filesize.
|
|
|
|
@ -574,6 +632,13 @@ logpath = /var/log/mail.log
|
|
|
|
|
port = imap2,imap3,imaps,pop3,pop3s
|
|
|
|
|
logpath = /var/log/maillog
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[cyrus-imap]
|
|
|
|
|
|
|
|
|
|
port = imap3,imaps
|
|
|
|
|
logpath = /var/log/mail*log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# DNS servers
|
|
|
|
|
#
|
|
|
|
@ -604,6 +669,15 @@ logpath = /var/log/maillog
|
|
|
|
|
port = domain,953
|
|
|
|
|
logpath = /var/log/named/security.log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[nsd]
|
|
|
|
|
|
|
|
|
|
port = 53
|
|
|
|
|
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
|
|
|
|
|
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
|
|
|
|
|
logpath = /var/log/nsd.log
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Miscelaneous
|
|
|
|
|
#
|
|
|
|
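Review bot: The new [nsd] jail uses `port = 53` while the DNS jail directly above uses the service name (`port = domain,953`), so the two disagree on style; `port = domain` keeps them consistent. The two-line `action =` value relies on an indented continuation, and this rendering does not show whether the leading whitespace on the second `%(banaction)s[...]` line survived; without it configparser would read that line as a new key, so confirm the indent is present in the file. A comment above the action, e.g. `# separate tcp and udp ban rules, distinguished via actname`, would make the two-entry value self-explaining.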
@ -617,6 +691,7 @@ action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp",
|
|
|
|
|
logpath = /var/log/asterisk/messages
|
|
|
|
|
maxretry = 10
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )
|
|
|
|
|
# use [asterisk] for new jails
|
|
|
|
|
[asterisk-tcp]
|
|
|
|
@ -689,3 +764,5 @@ logpath = /var/log/auth.log
|
|
|
|
|
banaction = iptables-multiport-log
|
|
|
|
|
logpath = /var/log/daemon.log
|
|
|
|
|
maxretry = 2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|