ENH: purge excessive jail variations

2014-03-02 16:11:53 +11:00 · 2014-03-02 16:11:53 +11:00 · 666fd5eceb
parent 721b1473f0
commit 666fd5eceb
3 changed files with 14 additions and 173 deletions
--- a/config/common-paths.conf
+++ b/config/common-paths.conf
@ -54,3 +54,4 @@ dovecot_log = %(syslog_mail_warn)s
 # Seems to be set at compile time only to LOG_LOCAL0 (src/const.h) at Notice level
 solidpop3d_log = %(syslog_local0)s
 mysql_log = %(syslog_daemon)s
--- a/config/fedora-paths.conf
+++ b/config/fedora-paths.conf
@ -32,3 +32,4 @@ apache_access_log = /var/log/httpd/*access_log
 # proftpd_log = /var/log/proftpd/auth.log
 # Tested and it worked out in /var/log/messages so assuming syslog_ftp for now.
 mysql_log = /var/lib/mysql/mysqld.log
--- a/config/jail.conf
+++ b/config/jail.conf
@ -222,102 +222,6 @@ logpath  = %(auditd_log)s
 maxretry = 5
 # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
 # used to avoid banning the user "myuser".
 [ssh-tcpwrapper]
 filter      = sshd
 action      = hostsdeny[daemon_list=sshd]
              sendmail-whois[name=SSH, dest=you@example.com]
 ignoreregex = for myuser from
 logpath     = %(sshd_log)s
 # Here we use blackhole routes for not requiring any additional kernel support
 # to store large volumes of banned IPs
 [sshd-route]
 filter = sshd
 action = route
 logpath = %(sshd_log)s
 # Here we use a combination of Netfilter/Iptables and IPsets
 # for storing large volumes of banned IPs
 #
 # IPset comes in two versions. See ipset -V for which one to use
 # requires the ipset package and kernel support.
 [sshd-iptables-ipset4]
 filter   = sshd
 action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
 logpath  = %(sshd_log)s
 [sshd-iptables-ipset6]
 filter   = sshd
 action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
 logpath  = %(sshd_log)s
 [sshd-apf]
 filter  = sshd
 action  = apf[name=SSH]
 logpath = %(sshd_log)s
 maxretry = 5
 # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
 # option is overridden in this jail. Moreover, the action "mail-whois" defines
 # the variable "name" which contains a comma using "". The characters '' are
 # valid too.
 [sshd-ipfw]
 filter   = sshd
 action   = ipfw[localhost=192.168.0.1]
           sendmail-whois[name="SSH,IPFW", dest=you@example.com]
 logpath  = %(sshd_log)s
 # bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
 # table number must be unique.
 #
 # This will create a deny rule for that table ONLY if a rule
 # for the table doesn't ready exist.
 #
 [sshd-bsd-ipfw]
 filter   = sshd
 action   = bsd-ipfw[port=ssh,table=1]
 logpath  = %(sshd_log)s
 [sshd-pf]
 # PF is a BSD based firewall
 filter  = sshd
 action  = pf
 logpath = %(sshd_log)s
 maxretry= 5
 # ipfw for osx (less capabilities that BSD)
 [osx-sshd-ipfw]
 filter = sshd
 action = osx-ipfw
 logpath = %(sshd_log)s
 [osx-sshd-afctl]
 filter   = sshd
 action   = osx-afctl[bantime=600]
 logpath  = %(sshd_log)s
 maxretry = 5
 #
 # HTTP servers
 #
@ -518,26 +422,6 @@ port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(vsftpd_log)s
 # Do not ban anybody. Just report information about the remote host.
 # A notification is sent at most every 600 seconds (bantime).
 [vsftpd-notification]
 filter   = vsftpd
 action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
 logpath  = %(vsftpd_log)s
 maxretry = 5
 bantime  = 1800
 # Same as above but with banning the IP address.
 [vsftpd-iptables]
 filter   = vsftpd
 port     = ftp,ftp-data,ftps,ftps-data
 logpath  = %(syslog_ftp)s
 maxretry = 5
 bantime  = 1800
 #
 # Mail servers
 #
@ -580,33 +464,10 @@ port    = smtp,465,submission
 logpath = /service/qmail/log/main/current
 # The hosts.deny path can be defined with the "file" argument if it is
 # not in /etc.
 [postfix-tcpwrapper]
 filter   = postfix
 action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
           sendmail[name=Postfix, dest=you@example.com]
 logpath  = %(postfix_log)s
 bantime  = 300
 [sendmail-spam]
 logpath  = %(syslog_mail_warn)s
 # dovecot defaults to logging to the mail syslog facility
 # but can be set by syslog_facility in the dovecot configuration.
 [dovecot]
 port    = pop3,pop3s,imap,imaps,submission,465,sieve
 logpath = %(syslog_mail_warn)s
 [dovecot-auth]
 filter  = dovecot
 port    = pop3,pop3s,imap,imaps,submission,465,sieve
 logpath = %(dovecot_log)s
@ -628,12 +489,15 @@ logpath = %(solidpop3d_log)s
 port   = smtp,465,submission
 logpath = /var/log/exim/mainlog
 [exim-spam]
 port   = smtp,465,submission
 logpath = /var/log/exim/mainlog
 [kerio]
 port    = imap,smtp,imaps,465
 logpath = /opt/kerio/mailserver/store/logs/security.log
@ -746,46 +610,21 @@ logpath  = /var/log/freeswitch.log
 maxretry = 10
 #  Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )
 #  use [asterisk] for new jails
 [asterisk-tcp]
 filter   = asterisk
 port     = 5060,5061
 logpath  = /var/log/asterisk/messages
 maxretry = 10
 #  Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )
 #  use [asterisk] for new jails
 [asterisk-udp]
 filter   = asterisk
 port     = 5060,5061
 protocol = udp
 logpath  = /var/log/asterisk/messages
 maxretry = 10
 # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
 # equivalent section:
 # log-error=/var/log/mysqld.log
 # log-warning = 2
 #
 # for syslog (daemon facility)
 # [mysqld_safe]
 # syslog
 #
 # for own logfile
 # [mysqld]
 # log-error=/var/log/mysqld.log
 [mysqld-auth]
 port     = 3306
-logpath  = /var/log/mysqld.log
+logpath  = %(mysql_log)s
 maxretry = 5
 # This requires my.cnf to contain (check the mysql version supports this)
 # [mysqld_safe]
 # syslog
 [mysqld-syslog]
 port     = 3306
 filter   = mysqld-auth
 logpath  = %(syslog_daemon)s
 maxretry = 5