Beefing up debian/jail.conf

2014-03-18 23:25:21 -04:00 · 2014-03-18 23:25:21 -04:00 · 7376bb4321
parent f86ec8020f
commit 7376bb4321
2 changed files with 73 additions and 2 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,8 +1,13 @@
 fail2ban (0.8.13-1) unstable; urgency=low

-  * New upstream bug-fix release
+  * New upstream bug-fix release: but consider 0.9.0 (to be uploaded to
+    experimental)
+  * debian/jail:
+    - new jail definitions: apache-modsecurity, apache-nohome, freeswitch,
+      ejabberd-auth, ssh-blocklist, nagios
+    - new configuration option: ignorecommand

- -- Yaroslav Halchenko <debian@onerussian.com>  Sun, 16 Mar 2014 10:27:40 -0400
+ -- Yaroslav Halchenko <debian@onerussian.com>  Tue, 18 Mar 2014 23:13:35 -0400

 fail2ban (0.8.12-1) UNRELEASED; urgency=low

--- a/debian/jail.conf
+++ b/debian/jail.conf
@ -20,6 +20,12 @@
 # defined using space separator.
 ignoreip = 127.0.0.1/8

+# External command that will take an tagged arguments to ignore, e.g. <ip>,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command <ip>
+ignorecommand =
+
 # "bantime" is the number of seconds that a host is banned.
 bantime  = 600

@ -239,6 +245,22 @@ filter   = apache-overflows
 logpath  = /var/log/apache*/*error.log
 maxretry = 2

+[apache-modsecurity]
+
+enabled  = false
+filter   = apache-modsecurity
+port     = http,https
+logpath  = /var/log/apache*/*error.log
+maxretry = 2
+
+[apache-nohome]
+
+enabled  = false
+filter   = apache-nohome
+port     = http,https
+logpath  = /var/log/apache*/*error.log
+maxretry = 2
+
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
 # of usage in production environments.
@ -447,6 +469,24 @@ protocol = tcp
 filter   = named-refused
 logpath  = /var/log/named/security.log

+[freeswitch]
+
+enabled  = false
+filter   = freeswitch
+logpath  = /var/log/freeswitch.log
+maxretry = 10
+action   = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp]
+           iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp]
+
+[ejabberd-auth]
+
+enabled  = false
+filter   = ejabberd-auth
+port     = xmpp-client
+protocol = tcp
+logpath  = /var/log/ejabberd/ejabberd.log
+
+
 # Multiple jails, 1 per protocol, are necessary ATM:
 # see https://github.com/fail2ban/fail2ban/issues/37
 [asterisk-tcp]
@ -481,3 +521,29 @@ action   = iptables-allports[name=recidive]
 bantime  = 604800  ; 1 week
 findtime = 86400   ; 1 day
 maxretry = 5
+
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to
+# use this action
+#
+# Report block via blocklist.de fail2ban reporting service API
+# See action.d/blocklist_de.conf for more information
+[ssh-blocklist]
+
+enabled  = false
+filter   = sshd
+action   = iptables[name=SSH, port=ssh, protocol=tcp]
+           sendmail-whois[name=SSH, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]
+           blocklist_de[email="%(sender)s", apikey="xxxxxx", service=%(filter)s]
+logpath  = /var/log/sshd.log
+maxretry = 20
+
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+enabled  = false
+filter   = nagios
+action   = iptables[name=Nagios, port=5666, protocol=tcp]
+           sendmail-whois[name=Nagios, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]
+logpath  = /var/log/messages     ; nrpe.cfg may define a different log_facility
+maxretry = 1