From 7376bb4321f0bd54a119234663b6702611ad2152 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Tue, 18 Mar 2014 23:25:21 -0400
Subject: [PATCH] Beefing up debian/jail.conf
---
 debian/changelog | 11 +++++---
 debian/jail.conf | 66 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+), 3 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index d1492765..eb21d9f3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,13 @@
 fail2ban (0.8.13-1) unstable; urgency=low
- * New upstream bug-fix release
-
- -- Yaroslav Halchenko Sun, 16 Mar 2014 10:27:40 -0400
+ * New upstream bug-fix release: but consider 0.9.0 (to be uploaded to
+ experimental)
+ * debian/jail:
+ - new jail definitions: apache-modsecurity, apache-nohome, freeswitch,
+ ejabberd-auth, ssh-blocklist, nagios
+ - new configuration option: ignorecommand
+
+ -- Yaroslav Halchenko Tue, 18 Mar 2014 23:13:35 -0400
 fail2ban (0.8.12-1) UNRELEASED; urgency=low
diff --git a/debian/jail.conf b/debian/jail.conf
index bffb5cef..a8c840c5 100644
--- a/debian/jail.conf
+++ b/debian/jail.conf
@@ -20,6 +20,12 @@
 # defined using space separator.
 ignoreip = 127.0.0.1/8
+# External command that will take an tagged arguments to ignore, e.g. ,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command
+ignorecommand =
+
 # "bantime" is the number of seconds that a host is banned.
 bantime = 600
@@ -239,6 +245,22 @@ filter = apache-overflows
 logpath = /var/log/apache*/*error.log
 maxretry = 2
+[apache-modsecurity]
+
+enabled = false
+filter = apache-modsecurity
+port = http,https
+logpath = /var/log/apache*/*error.log
+maxretry = 2
+
+[apache-nohome]
+
+enabled = false
+filter = apache-nohome
+port = http,https
+logpath = /var/log/apache*/*error.log
+maxretry = 2
+
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
 # of usage in production environments.
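Review bot: The `ignorecommand` comment does not say what the empty default means, and its example reads `e.g. ,` — the tag placeholder that gets substituted appears to have been lost in this copy, so the reader cannot tell what argument the command receives. Suggest rewording to `# External command that takes a tagged argument (the address being tested) and exits true if it is to be ignored, false otherwise.` followed by `# Leave empty (the default) to disable.` Since the command is presumably run by the fail2ban server for every address it evaluates, the comment should also ask for an absolute path to a trusted, non-user-writable executable, because whatever it runs inherits the server's privileges.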
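Review bot: The new `[apache-modsecurity]` and `[apache-nohome]` sections carry no explanatory comment, unlike the neighbouring jails (the context line `# Ban attackers that try to use PHP's URL-fopen() functionality` shows the file's convention), so a reader has to open the filter to learn what triggers a ban at `maxretry = 2`. A one-line comment above each header stating what the filter matches would fit the file's style, e.g. `# Ban hosts that trigger mod_security rules` and `# Ban hosts probing for user home directories`, with the wording confirmed against filter.d/apache-modsecurity.conf and filter.d/apache-nohome.conf rather than taken from the section names alone.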
@@ -447,6 +469,24 @@ protocol = tcp
 filter = named-refused
 logpath = /var/log/named/security.log
+[freeswitch]
+
+enabled = false
+filter = freeswitch
+logpath = /var/log/freeswitch.log
+maxretry = 10
+action = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp]
+ iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp]
+
+[ejabberd-auth]
+
+enabled = false
+filter = ejabberd-auth
+port = xmpp-client
+protocol = tcp
+logpath = /var/log/ejabberd/ejabberd.log
+
+
 # Multiple jails, 1 per protocol, are necessary ATM:
 # see https://github.com/fail2ban/fail2ban/issues/37
 [asterisk-tcp]
@@ -481,3 +521,29 @@ action = iptables-allports[name=recidive]
 bantime = 604800 ; 1 week
 findtime = 86400 ; 1 day
 maxretry = 5
+
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to
+# use this action
+#
+# Report block via blocklist.de fail2ban reporting service API
+# See action.d/blocklist_de.conf for more information
+[ssh-blocklist]
+
+enabled = false
+filter = sshd
+action = iptables[name=SSH, port=ssh, protocol=tcp]
+ sendmail-whois[name=SSH, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"]
+ blocklist_de[email="%(sender)s", apikey="xxxxxx", service=%(filter)s]
+logpath = /var/log/sshd.log
+maxretry = 20
+
+
# consider low maxretry and a long bantime # nobody except your own Nagios server should ever probe nrpe [nagios] enabled = false filter = nagios action = iptables[name=Nagios, port=5666, protocol=tcp] sendmail-whois[name=Nagios, dest="%(destemail)s", sender="%(sender)s", sendername="%(sendername)s"] logpath = /var/log/messages ; nrpe.cfg may define a different log_facility maxretry = 1
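Review bot: The freeswitch action value repeats the port list `5060,5061,5080,5081` in both the tcp and udp `iptables-multiport` entries, so a later edit can leave the two out of step. If the reader resolves same-section keys the way `service=%(filter)s` does in the ssh-blocklist jail further down, the list can be stated once as `port = 5060,5061,5080,5081`, with the action lines becoming `action = iptables-multiport[name=freeswitch-tcp, port="%(port)s", protocol=tcp]` and `iptables-multiport[name=freeswitch-udp, port="%(port)s", protocol=udp]`. The `[ejabberd-auth]` jail sets no `maxretry` and so presumably inherits the file-wide default; either an explicit value, as freeswitch has, or a comment saying the default is intended would make the two new jails read alike.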
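Review bot: `apikey="xxxxxx"` in the ssh-blocklist action is a placeholder that the blocklist_de action will submit literally if someone only flips `enabled = true`, and a real key pasted in its place becomes a secret stored in a packaged plain-text config file. A comment above the `[ssh-blocklist]` header such as `# apikey must be replaced with your own blocklist.de key; keep the real value in a local override, not in this packaged file` would cover both points. `logpath = /var/log/sshd.log` should be confirmed against where sshd actually logs on Debian, where it normally goes through syslog's auth facility rather than a dedicated file; the existing sshd-based jail earlier in this file presumably points elsewhere. As shown, `[nagios]` is also the only section header in the hunk not followed by a blank line.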