diff --git a/config/jail.conf b/config/jail.conf index 7ed1bbb6..337fe0b0 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -1,9 +1,13 @@ # Fail2Ban jail specifications file # +# WARNING: heavily refactored in 0.9.0 release. Please review and +# customize settings for your setup. +# # Comments: use '#' for comment lines and ';' for inline comments # # Changes: in most of the cases you should not modify this -# file, but provide customizations in jail.local file, e.g.: +# file, but provide customizations in jail.local file, +# or separate .conf files under jail.d/ directory, e.g.: # # [DEFAULT] # bantime = 3600 @@ -11,12 +15,17 @@ # [ssh-iptables] # enabled = true # +# See jail.conf(5) man page for more information # The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] +# +# MISCELANEOUS OPTIONS +# + # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. @@ -30,7 +39,7 @@ bantime = 600 findtime = 600 # "maxretry" is the number of failures before a host get banned. -maxretry = 3 +maxretry = 5 # "maxlines" is number of log lines to buffer for multi-line regex searches maxlines = 1 @@ -52,7 +61,7 @@ backend = auto # warn when reverse DNS lookups are performed, or ignore all hostnames in logs # # yes: if a hostname is encountered, a reverse DNS lookup will be performed. -# warn: if a hostname is encountered, a reverse DNS lookup will be performed, +# warn: if a hostname is encountered, a reverse DNS lookup will be performed, # but it will be logged as a warning. # no: if a hostname is encountered, will not be used for banning, # but it will be logged as info. 
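Review bot: The new heading `# MISCELANEOUS OPTIONS` in the `@@ -11,12 +15,17 @@` hunk is misspelled; it should read `# MISCELLANEOUS OPTIONS`. The same misspelling reappears as `# Miscelaneous` in a later hunk of this patch, so both headings should be fixed together.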
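Review bot: The `@@ -30,7 +39,7 @@` hunk raises the global `maxretry` from 3 to 5 with no comment explaining why, and because `[DEFAULT]` feeds every jail that sets no value of its own — and later hunks in this patch delete the per-jail `maxretry = 5` lines — this single value now decides the ban threshold for most jails. Together with the unchanged `findtime = 600` that is five failures within ten minutes before a ban, which is looser than the previous default for any jail that used to inherit 3. Suggest recording the trade-off next to the value, e.g. `# 5 tolerates a few typos before banning; earlier releases defaulted to 3 — lower it for exposed hosts`, so operators know it is a deliberate choice rather than drift.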
@@ -66,43 +75,113 @@ usedns = warn logencoding = auto -# This jail corresponds to the standard configuration in Fail2ban 0.6. -# The mail-whois action send a notification e-mail with a whois request -# in the body. +# +# ACTIONS +# -[ssh-iptables] +# +# Destination email address used solely for the interpolations in +# jail.{conf,local} configuration files. +destemail = root@localhost -enabled = false +# Default banning action (e.g. iptables, iptables-new, +# iptables-multiport, shorewall, etc) It is used to define +# action_* variables. Can be overridden globally or per +# section within jail.local file +banaction = iptables-multiport + +# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the +# mailing. Change mta configuration parameter to mail if you want to +# revert to conventional 'mail'. +mta = sendmail + +# Default protocol +protocol = tcp + +# Specify chain where jumps would need to be added in iptables-* actions +chain = INPUT + +# +# Action shortcuts. To be used to define action parameter + +# The simplest action to take: ban only +action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + +# ban & send an e-mail with whois report to the destemail. +action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] + +# ban & send an e-mail with whois report and relevant log lines +# to the destemail. +action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] + +# Choose default action. To change, just override value of 'action' with the +# interpolation to the chosen action shortcut (e.g. 
action_mw, action_mwl, etc) in jail.local +# globally (section [DEFAULT]) or per specific section +action = %(action_)s + + +# +# JAILS +# + +# +# SSH servers +# + +[sshd] + +enabled = true +port = ssh filter = sshd -action = iptables[name=SSH, port=ssh, protocol=tcp] - sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com] -logpath = /var/log/sshd.log -maxretry = 5 +logpath = /var/log/auth.log + /var/log/sshd.log -[proftpd-iptables] +[sshd-ddos] enabled = false -filter = proftpd -action = iptables[name=ProFTPD, port=ftp, protocol=tcp] - sendmail-whois[name=ProFTPD, dest=you@example.com] -logpath = /var/log/proftpd/proftpd.log -maxretry = 6 +port = ssh +filter = sshd-ddos +logpath = /var/log/auth.log + /var/log/sshd.log -# This jail forces the backend to "polling". - -[sasl-iptables] +[dropbear] enabled = false -filter = sasl -backend = polling -action = iptables[name=sasl, port=smtp, protocol=tcp] - sendmail-whois[name=sasl, dest=you@example.com] -logpath = /var/log/mail.log +port = ssh +filter = sshd +logpath = /var/log/dropbear + + +# Generic filter for PAM. Has to be used with action which bans all +# ports such as iptables-allports, shorewall + +[pam-generic] + +enabled = false +# pam-generic filter can be customized to monitor specific subset of 'tty's +filter = pam-generic +banaction = iptables-allports +# port actually must be irrelevant but lets leave it all for some possible uses +port = anyport +logpath = /var/log/auth.log + +[xinetd-fail] + +enabled = false +filter = xinetd-fail +port = all +banaction = iptables-multiport-log +logpath = /var/log/daemon.log +maxretry = 2 + +# .. custom jails # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is # used to avoid banning the user "myuser". -[ssh-tcpwrapper] +[sshd-tcpwrapper] enabled = false filter = sshd 
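Review bot: `[sshd]` is shipped with `enabled = true` inside jail.conf itself, which contradicts the header's own advice to keep customizations in jail.local or jail.d/ and turns banning on for every install that takes this file, including hosts where neither `/var/log/auth.log` nor `/var/log/sshd.log` exists (journald-only or `/var/log/secure` systems), where the jail would presumably fail at start rather than quietly idle. Consider keeping `enabled = false` here and documenting `enabled = true` as the jail.local example, or at least adding `# requires one of the logpath files below to exist` above the jail. Separately, the new `action_mw`/`action_mwl` shortcuts pass no `sender=` to `%(mta)s-whois`, whereas the removed per-jail actions set `sender=fail2ban@example.com`, so the sender now falls to whatever the action file defaults to; and in `action_mwl` the multi-line `logpath=%(logpath)s` is the only interpolated argument left unquoted, so `logpath="%(logpath)s"` would be consistent with the other parameters and safer if the value contains whitespace. The `[sshd-tcpwrapper]` section begun on the last lines continues outside this hunk.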
@@ -114,36 +193,138 @@ logpath = /var/log/sshd.log # Here we use blackhole routes for not requiring any additional kernel support # to store large volumes of banned IPs -[ssh-route] +[sshd-route] enabled = false filter = sshd action = route logpath = /var/log/sshd.log -maxretry = 5 # Here we use a combination of Netfilter/Iptables and IPsets # for storing large volumes of banned IPs # # IPset comes in two versions. See ipset -V for which one to use # requires the ipset package and kernel support. -[ssh-iptables-ipset4] +[sshd-iptables-ipset4] enabled = false filter = sshd action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp] logpath = /var/log/sshd.log -maxretry = 5 -[ssh-iptables-ipset6] +[sshd-iptables-ipset6] + enabled = false filter = sshd action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600] logpath = /var/log/sshd.log -maxretry = 5 -# This jail demonstrates the use of wildcards in "logpath". -# Moreover, it is possible to give other files on a new line. +# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip" +# option is overridden in this jail. Moreover, the action "mail-whois" defines +# the variable "name" which contains a comma using "". The characters '' are +# valid too. + +[sshd-ipfw] + +enabled = false +filter = sshd +action = ipfw[localhost=192.168.0.1] + sendmail-whois[name="SSH,IPFW", dest=you@example.com] +logpath = /var/log/auth.log +ignoreip = 168.192.0.1 + + +# +# HTTP servers +# + +[apache-auth] + +enabled = false +port = http,https +filter = apache-auth +logpath = /var/log/apache*/*error.log + +# Ban hosts which agent identifies spammer robots crawling the web +# for email addresses. The mail outputs are buffered. 
+ +[apache-badbots] + +enabled = false +port = http,https +filter = apache-badbots +logpath = /var/log/apache*/*access.log + /var/www/*/logs/access_log +bantime = 172800 +maxretry = 1 + +[apache-noscript] + +enabled = false +port = http,https +filter = apache-noscript +logpath = /var/log/apache*/*error.log +maxretry = 6 + +[apache-overflows] + +enabled = false +port = http,https +filter = apache-overflows +logpath = /var/log/apache*/*error.log +maxretry = 2 + +# Ban attackers that try to use PHP's URL-fopen() functionality +# through GET/POST variables. - Experimental, with more than a year +# of usage in production environments. + +[php-url-fopen] + +enabled = false +port = http,https +filter = php-url-fopen +logpath = /var/www/*/logs/access_log + +# A simple PHP-fastcgi jail which works with lighttpd. +# If you run a lighttpd server, then you probably will +# find these kinds of messages in your error_log: +# ALERT – tried to register forbidden variable ‘GLOBALS’ +# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php') + +[lighttpd-fastcgi] + +enabled = false +port = http,https +filter = lighttpd-fastcgi +logpath = /var/log/lighttpd/error.log + +# Same as above for mod_auth +# It catches wrong authentifications + +[lighttpd-auth] + +enabled = false +port = http,https +filter = lighttpd-auth +logpath = /var/log/lighttpd/error.log + +[roundcube-auth] + +enabled = false +port = http,https +filter = roundcube-auth +logpath = /var/log/roundcube/userlogins + +[sogo-auth] + +enabled = false +filter = sogo-auth +port = http,https +# without proxy this would be: +# port = 20000 +logpath = /var/log/sogo/sogo.log + +# ... custom jails [apache-tcpwrapper] 
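Review bot: `[sshd-ipfw]` sets `ignoreip = 168.192.0.1`, which per the comment above it replaces rather than extends the `[DEFAULT]` list, so whatever loopback exemption `[DEFAULT]` defines presumably no longer applies inside that jail; `168.192.0.1` also looks like a transposition of the `localhost=192.168.0.1` argument two lines up and is a publicly routable address, which is a poor value to ship as an example. `ignoreip = 127.0.0.1/8 192.168.0.1` would keep the usual exemption and make the example self-consistent. The `[apache-badbots]` comment still ends with `The mail outputs are buffered.`, but the jail now takes the ban-only default `action`, so that sentence should be dropped or reworded to say that `action_mw` with `sendmail-buffered` is needed for that behaviour. The `[apache-tcpwrapper]` section opened on the last line continues outside this hunk.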
@@ -151,20 +332,39 @@ enabled = false filter = apache-auth action = hostsdeny logpath = /var/log/apache*/*error.log - /home/www/myhomepage/error.log maxretry = 6 -# The hosts.deny path can be defined with the "file" argument if it is -# not in /etc. -[postfix-tcpwrapper] +# +# FTP servers +# + + +[proftpd] enabled = false -filter = postfix -action = hostsdeny[file=/not/a/standard/path/hosts.deny] - sendmail[name=Postfix, dest=you@example.com] -logpath = /var/log/postfix.log -bantime = 300 +port = ftp,ftp-data,ftps,ftps-data +filter = proftpd +logpath = /var/log/proftpd/proftpd.log + +[pure-ftpd] + +enabled = false +port = ftp,ftp-data,ftps,ftps-data +filter = pure-ftpd +logpath = /var/log/auth.log +maxretry = 6 + +[vsftpd] + +enabled = false +port = ftp,ftp-data,ftps,ftps-data +filter = vsftpd +logpath = /var/log/vsftpd.log +# or overwrite it in jails.local to be +# logpath = /var/log/auth.log +# if you want to rely on PAM failed login attempts +# vsftpd's failregex should match both of those formats # Do not ban anybody. Just report information about the remote host. # A notification is sent at most every 600 seconds (bantime). 
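Review bot: The `[vsftpd]` comment tells operators to `overwrite it in jails.local`, but the override file is `jail.local` (as the file header says), and the header now also documents `jail.d/`; suggest `# or override it in jail.local (or a file under jail.d/) to be`. The trailing claim `vsftpd's failregex should match both of those formats` cannot be checked from this file and reads as a promise, so `# the vsftpd filter is intended to match both formats` would be more honest. The `[apache-tcpwrapper]` jail whose `logpath` loses `/home/www/myhomepage/error.log` starts before this hunk.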
@@ -178,117 +378,78 @@ logpath = /var/log/vsftpd.log maxretry = 5 bantime = 1800 -# Same as above but with banning the IP address. -[vsftpd-iptables] +[wuftpd] enabled = false -filter = vsftpd -action = iptables[name=VSFTPD, port=ftp, protocol=tcp] - sendmail-whois[name=VSFTPD, dest=you@example.com] -logpath = /var/log/vsftpd.log -maxretry = 5 -bantime = 1800 +port = ftp,ftp-data,ftps,ftps-data +filter = wuftpd +logpath = /var/log/syslog +maxretry = 6 -# Ban hosts which agent identifies spammer robots crawling the web -# for email addresses. The mail outputs are buffered. +# +# Mail servers +# -[apache-badbots] +[couriersmtp] enabled = false -filter = apache-badbots -action = iptables-multiport[name=BadBots, port="http,https"] - sendmail-buffered[name=BadBots, lines=5, dest=you@example.com] -logpath = /var/www/*/logs/access_log -bantime = 172800 -maxretry = 1 +port = smtp,ssmtp +filter = couriersmtp +logpath = /var/log/mail.log -# Use shorewall instead of iptables. - -[apache-shorewall] +[postfix] enabled = false -filter = apache-noscript -action = shorewall +port = smtp,ssmtp +filter = postfix +logpath = /var/log/mail.log + +# The hosts.deny path can be defined with the "file" argument if it is +# not in /etc. 
+ +[postfix-tcpwrapper] + +enabled = false +filter = postfix +action = hostsdeny[file=/not/a/standard/path/hosts.deny] sendmail[name=Postfix, dest=you@example.com] -logpath = /var/log/apache2/error_log +logpath = /var/log/postfix.log +bantime = 300 -# Monitor roundcube server +# +# Mail servers authenticators: might be used for smtp,ftp,imap servers, so +# all relevant ports get banned +# -[roundcube-iptables] +[courierauth] enabled = false -filter = roundcube-auth -action = iptables[name=RoundCube, port="http,https"] -logpath = /var/log/roundcube/userlogins +port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s +filter = courierlogin +logpath = /var/log/mail.log -# Monitor SOGo groupware server - -[sogo-iptables] +[sasl] enabled = false -filter = sogo-auth -port = http, https -# without proxy this would be: -# port = 20000 +port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s +filter = sasl +# You might consider monitoring /var/log/mail.warn instead if you are +# running postfix since it would provide the same log lines at the +# "warn" level but overall at the smaller filesize. +logpath = /var/log/mail.log -action = iptables[name=SOGo, port="http,https"] -logpath = /var/log/sogo/sogo.log - -# Ban attackers that try to use PHP's URL-fopen() functionality -# through GET/POST variables. - Experimental, with more than a year -# of usage in production environments. - -[php-url-fopen] +[dovecot] enabled = false -port = http,https -filter = php-url-fopen -logpath = /var/www/*/logs/access_log -maxretry = 1 +port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s +filter = dovecot +logpath = /var/log/mail.log -# A simple PHP-fastcgi jail which works with lighttpd. -# If you run a lighttpd server, then you probably will -# find these kinds of messages in your error_log: -# ALERT – tried to register forbidden variable ‘GLOBALS’ -# through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php') -# This jail would block the IP 1.2.3.4. 
- -[lighttpd-fastcgi] - -enabled = false -port = http,https -filter = lighttpd-fastcgi -# adapt the following two items as needed -logpath = /var/log/lighttpd/error.log -maxretry = 2 - -# Same as above for mod_auth -# It catches wrong authentications - -[lighttpd-auth] - -enabled = false -port = http,https -filter = lighttpd-auth -# adapt the following two items as needed -logpath = /var/log/lighttpd/error.log -maxretry = 2 - -# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip" -# option is overridden in this jail. Moreover, the action "mail-whois" defines -# the variable "name" which contains a comma using "". The characters '' are -# valid too. - -[ssh-ipfw] - -enabled = false -filter = sshd -action = ipfw[localhost=192.168.0.1] - sendmail-whois[name="SSH,IPFW", dest=you@example.com] -logpath = /var/log/auth.log -ignoreip = 168.192.0.1 +# +# DNS servers +# # These jails block attacks against named (bind9). By default, logging is off # with bind9 installation. You will need something like this: 
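Review bot: The three authenticator jails (`[courierauth]`, `[sasl]`, `[dovecot]`) ban `smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s` but not the submission port, even though the new heading promises that `all relevant ports get banned`; a host banned for SASL failures can keep trying on 587, which is where clients and brute-forcers usually authenticate. `port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s` would close that gap, assuming `submission` resolves through /etc/services the way `ssmtp` (the 465 alias) does here. `[postfix]` with `port = smtp,ssmtp` may deserve the same addition depending on what its filter matches. The `[postfix-tcpwrapper]` action still hard-codes `dest=you@example.com` on an unchanged line while the rest of the file moves to `%(destemail)s`; aligning it would keep one place to edit.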
@@ -319,30 +480,33 @@ ignoreip = 168.192.0.1 # # enabled = false # filter = named-refused -# action = iptables-multiport[name=Named, port="domain,953", protocol=udp] -# sendmail-whois[name=Named, dest=you@example.com] +# port = domain,953 +# protocol = udp # logpath = /var/log/named/security.log # ignoreip = 168.192.0.1 # This jail blocks TCP traffic for DNS requests. -[named-refused-tcp] +[named-refused] enabled = false filter = named-refused -action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] - sendmail-whois[name=Named, dest=you@example.com] +port = domain,953 logpath = /var/log/named/security.log ignoreip = 168.192.0.1 +# +# Miscelaneous +# + # Multiple jails, 1 per protocol, are necessary ATM: # see https://github.com/fail2ban/fail2ban/issues/37 [asterisk-tcp] enabled = false filter = asterisk -action = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp] - sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com] +port = 5060,5061 +protocol = tcp logpath = /var/log/asterisk/messages maxretry = 10 
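Review bot: The new section heading `# Miscelaneous` is misspelled and should be `# Miscellaneous`, matching the fix needed for `MISCELANEOUS OPTIONS` earlier in this patch. The `[named-refused]` jail also keeps `ignoreip = 168.192.0.1`, which overrides the `[DEFAULT]` list for that jail with what looks like a transposed private address; since the commented-out UDP twin above carries the same value, both probably want the loopback range kept (`ignoreip = 127.0.0.1/8 192.168.0.1`) or the line dropped.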
@@ -350,31 +514,27 @@ maxretry = 10 enabled = false filter = asterisk -action = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp] - sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com] +port = 5060,5061 +protocol = udp logpath = /var/log/asterisk/messages maxretry = 10 # To log wrong MySQL access attempts add to /etc/my.cnf: # log-error=/var/log/mysqld.log # log-warning = 2 -[mysqld-iptables] +[mysqld-auth] enabled = false filter = mysqld-auth -action = iptables[name=mysql, port=3306, protocol=tcp] - sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com] +port = 3306 logpath = /var/log/mysqld.log -maxretry = 5 -[guacamole-iptables] +[guacamole] enabled = false filter = guacamole -action = iptables-multiport[name=Guacmole, port="http,https"] - sendmail-whois[name=Guacamole, dest=root, sender=fail2ban@example.com] +port = http,https logpath = /var/log/tomcat*/catalina.out -maxretry = 5 maxlines = 2