ENH: purge excessive jail variations

2014-03-02 16:11:53 +11:00 · 2014-03-02 16:11:53 +11:00 · 666fd5eceb
parent 721b1473f0
commit 666fd5eceb
3 changed files with 14 additions and 173 deletions
--- a/config/common-paths.conf
+++ b/config/common-paths.conf
@ -54,3 +54,4 @@ dovecot_log = %(syslog_mail_warn)s
 # Seems to be set at compile time only to LOG_LOCAL0 (src/const.h) at Notice level
 solidpop3d_log = %(syslog_local0)s

+mysql_log = %(syslog_daemon)s
--- a/config/fedora-paths.conf
+++ b/config/fedora-paths.conf
@ -32,3 +32,4 @@ apache_access_log = /var/log/httpd/*access_log
 # proftpd_log = /var/log/proftpd/auth.log
 # Tested and it worked out in /var/log/messages so assuming syslog_ftp for now.

+mysql_log = /var/lib/mysql/mysqld.log
--- a/config/jail.conf
+++ b/config/jail.conf
@ -222,102 +222,6 @@ logpath  = %(auditd_log)s
 maxretry = 5


-# Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
-# used to avoid banning the user "myuser".
-[ssh-tcpwrapper]
-
-filter      = sshd
-action      = hostsdeny[daemon_list=sshd]
-              sendmail-whois[name=SSH, dest=you@example.com]
-ignoreregex = for myuser from
-logpath     = %(sshd_log)s
-
-
-# Here we use blackhole routes for not requiring any additional kernel support
-# to store large volumes of banned IPs
-
-[sshd-route]
-
-filter = sshd
-action = route
-logpath = %(sshd_log)s
-
-
-# Here we use a combination of Netfilter/Iptables and IPsets
-# for storing large volumes of banned IPs
-#
-# IPset comes in two versions. See ipset -V for which one to use
-# requires the ipset package and kernel support.
-[sshd-iptables-ipset4]
-
-filter   = sshd
-action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
-logpath  = %(sshd_log)s
-
-
-[sshd-iptables-ipset6]
-
-filter   = sshd
-action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
-logpath  = %(sshd_log)s
-
-
-[sshd-apf]
-
-filter  = sshd
-action  = apf[name=SSH]
-logpath = %(sshd_log)s
-maxretry = 5
-
-
-# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
-# option is overridden in this jail. Moreover, the action "mail-whois" defines
-# the variable "name" which contains a comma using "". The characters '' are
-# valid too.
-[sshd-ipfw]
-
-filter   = sshd
-action   = ipfw[localhost=192.168.0.1]
-           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
-logpath  = %(sshd_log)s
-
-
-# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
-# table number must be unique.
-#
-# This will create a deny rule for that table ONLY if a rule
-# for the table doesn't ready exist.
-#
-[sshd-bsd-ipfw]
-
-filter   = sshd
-action   = bsd-ipfw[port=ssh,table=1]
-logpath  = %(sshd_log)s
-
-
-[sshd-pf]
-# PF is a BSD based firewall
-filter  = sshd
-action  = pf
-logpath = %(sshd_log)s
-maxretry= 5
-
-
-# ipfw for osx (less capabilities that BSD)
-[osx-sshd-ipfw]
-
-filter = sshd
-action = osx-ipfw
-logpath = %(sshd_log)s
-
-
-[osx-sshd-afctl]
-
-filter   = sshd
-action   = osx-afctl[bantime=600]
-logpath  = %(sshd_log)s
-maxretry = 5
-
 #
 # HTTP servers
 #
@ -518,26 +422,6 @@ port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(vsftpd_log)s


-# Do not ban anybody. Just report information about the remote host.
-# A notification is sent at most every 600 seconds (bantime).
-[vsftpd-notification]
-
-filter   = vsftpd
-action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
-logpath  = %(vsftpd_log)s
-maxretry = 5
-bantime  = 1800
-
-
-# Same as above but with banning the IP address.
-[vsftpd-iptables]
-
-filter   = vsftpd
-port     = ftp,ftp-data,ftps,ftps-data
-logpath  = %(syslog_ftp)s
-maxretry = 5
-bantime  = 1800
-
 #
 # Mail servers
 #
@ -580,33 +464,10 @@ port    = smtp,465,submission
 logpath = /service/qmail/log/main/current


-# The hosts.deny path can be defined with the "file" argument if it is
-# not in /etc.
-[postfix-tcpwrapper]
-
-filter   = postfix
-action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
-           sendmail[name=Postfix, dest=you@example.com]
-logpath  = %(postfix_log)s
-bantime  = 300
-
-
-[sendmail-spam]
-
-logpath  = %(syslog_mail_warn)s
-
-
 # dovecot defaults to logging to the mail syslog facility
 # but can be set by syslog_facility in the dovecot configuration.
 [dovecot]

-port    = pop3,pop3s,imap,imaps,submission,465,sieve
-logpath = %(syslog_mail_warn)s
-
-
-[dovecot-auth]
-
-filter  = dovecot
 port    = pop3,pop3s,imap,imaps,submission,465,sieve
 logpath = %(dovecot_log)s

@ -628,12 +489,15 @@ logpath = %(solidpop3d_log)s
 port   = smtp,465,submission
 logpath = /var/log/exim/mainlog

+
 [exim-spam]
+
 port   = smtp,465,submission
 logpath = /var/log/exim/mainlog


 [kerio]
+
 port    = imap,smtp,imaps,465
 logpath = /opt/kerio/mailserver/store/logs/security.log

@ -746,46 +610,21 @@ logpath  = /var/log/freeswitch.log
 maxretry = 10


-#  Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )
-#  use [asterisk] for new jails
-[asterisk-tcp]
-
-filter   = asterisk
-port     = 5060,5061
-logpath  = /var/log/asterisk/messages
-maxretry = 10
-
-
-#  Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )
-#  use [asterisk] for new jails
-[asterisk-udp]
-
-filter   = asterisk
-port     = 5060,5061
-protocol = udp
-logpath  = /var/log/asterisk/messages
-maxretry = 10
-
-
 # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
 # equivalent section:
-# log-error=/var/log/mysqld.log
 # log-warning = 2
+#
+# for syslog (daemon facility)
+# [mysqld_safe]
+# syslog
+#
+# for own logfile
+# [mysqld]
+# log-error=/var/log/mysqld.log
 [mysqld-auth]

 port     = 3306
-logpath  = /var/log/mysqld.log
-maxretry = 5
-
-
-# This requires my.cnf to contain (check the mysql version supports this)
-# [mysqld_safe]
-# syslog
-[mysqld-syslog]
-
-port     = 3306
-filter   = mysqld-auth
-logpath  = %(syslog_daemon)s
+logpath  = %(mysql_log)s
 maxretry = 5