ENH: complete stock jail.conf to contain all filters

2014-01-05 21:03:16 +11:00 · 2014-01-05 21:03:16 +11:00 · a9f804e443
parent d7666c8942
commit a9f804e443
1 changed files with 163 additions and 4 deletions
--- a/config/jail.conf
+++ b/config/jail.conf
@ -75,6 +75,22 @@ usedns = warn
 # The mail-whois action send a notification e-mail with a whois request
 # in the body.

+[pam-generic]
+
+enabled = false
+filter  = pam-generic
+action  = iptables-allports[name=pam,protocol=all]
+logpath = /var/log/secure
+
+
+[xinetd-fail]
+
+enabled = false
+filter  = xinetd-fail
+action  = iptables-allports[name=xinetd,protocol=all]
+logpath = /var/log/daemon*log
+
+
 [ssh-iptables]

 enabled  = false
@ -84,6 +100,25 @@ action   = iptables[name=SSH, port=ssh, protocol=tcp]
 logpath  = /var/log/sshd.log
 maxretry = 5

+
+[ssh-ddos]
+
+enabled  = false
+filter   = sshd-ddos
+action   = iptables[name=SSHDDOS, port=ssh, protocol=tcp]
+logpath  = /var/log/sshd.log
+maxretry = 2
+
+
+[dropbear]
+
+enabled  = false
+filter   = dropbear
+action   = iptables[name=dropbear, port=ssh, protocol=tcp]
+logpath  = /var/log/messages
+maxretry = 5
+
+
 [proftpd-iptables]

 enabled  = false
@ -94,6 +129,35 @@ logpath  = /var/log/proftpd/proftpd.log
 maxretry = 6


+[gssftpd-iptables]
+
+enabled  = false
+filter   = gssftpd
+action   = iptables[name=GSSFTPd, port=ftp, protocol=tcp]
+           sendmail-whois[name=GSSFTPd, dest=you@example.com]
+logpath  = /var/log/daemon.log
+maxretry = 6
+
+
+[pure-ftpd]
+
+enabled  = false
+filter   = pure-ftpd
+action   = iptables[name=pureftpd, port=ftp, protocol=tcp]
+logpath  = /var/log/pureftpd.log
+maxretry = 6
+
+
+[wuftpd]
+
+enabled  = false
+filter   = wuftpd
+action   = iptables[name=wuftpd, port=ftp, protocol=tcp]
+logpath  = /var/log/daemon.log
+maxretry = 6
+
+
+
 # This jail forces the backend to "polling".
 [sasl-iptables]

@ -197,7 +261,26 @@ logpath  = /var/log/apache*/*error.log
 maxretry = 2


-[nginx-http-auth]
+[apache-overflows]
+
+enabled  = false
+filter	 = apache-overflows
+action   = iptables-multiport[name=apache-overflows,port="80,443"]
+logpath  = /var/log/apache*/*error.log
+           /home/www/myhomepage/error.log
+maxretry = 2
+
+
+[apache-nohome]
+
+enabled  = false
+filter	 = apache-nohome
+action   = iptables-multiport[name=apache-nohome,port="80,443"]
+logpath  = /var/log/apache*/*error.log
+           /home/www/myhomepage/error.log
+maxretry = 2
+
+
 [nginx-http-auth]

 enabled = false
@ -206,6 +289,14 @@ action  = iptables-multiport[name=nginx-http-auth,port="80,443"]
 logpath = /var/log/nginx/error.log


+[squid]
+
+enabled = false
+filter  = squid
+action  = iptables-multiport[name=squid,port="80,443,8080"]
+logpath = /var/log/squid/access.log
+
+
 # The hosts.deny path can be defined with the "file" argument if it is
 # not in /etc.
 [postfix-tcpwrapper]
@ -218,6 +309,46 @@ logpath  = /var/log/postfix.log
 bantime  = 300


+[cyrus-imap]
+
+enabled = false
+filter  = cyrus-imap
+action  = iptables-multiport[name=cyrus-imap,port="143,993"]
+logpath = /var/log/mail*log
+
+
+[courierlogin]
+
+enabled = false
+filter  = courierlogin
+action  = iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"]
+logpath = /var/log/mail*log
+
+
+[couriersmtp]
+
+enabled = false
+filter  = couriersmtp
+action  = iptables-multiport[name=couriersmtp,port="25,465,587"]
+logpath = /var/log/mail*log
+
+
+[qmail-rbl]
+
+enabled = false
+filter  = qmail
+action  = iptables-multiport[name=qmail-rbl,port="25,465,587"]
+logpath = /service/qmail/log/main/current
+
+
+[sieve]
+
+enabled = false
+filter  = sieve
+action  = iptables-multiport[name=sieve,port="25,465,587"]
+logpath = /var/log/mail*log
+
+
 # Do not ban anybody. Just report information about the remote host.
 # A notification is sent at most every 600 seconds (bantime).
 [vsftpd-notification]
@ -295,6 +426,25 @@ action   = ipfw
 maxretry = 5


+[horde]
+
+enabled  = false
+filter   = horde
+logpath  = /var/log/horde/horde.log
+action   = iptables-multiport[name=horde, port="http,https"]
+maxretry = 5
+
+
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+[php-url-fopen]
+
+enabled  = false
+action   = iptables-multiport[name=php-url-open, port="http,https"]
+filter   = php-url-fopen
+logpath  = /var/www/*/logs/access_log
+maxretry = 1
 # Ban attackers that try to use PHP's URL-fopen() functionality
 # through GET/POST variables. - Experimental, with more than a year
 # of usage in production environments.
@ -372,6 +522,15 @@ logpath  = /var/log/named/security.log
 ignoreip = 168.192.0.1


+[nsd]
+
+enabled = false
+filter  = nsd
+action  = iptables-multiport[name=nsd-tcp, port="domain", protocol=tcp]
+          iptables-multiport[name=nsd-udp, port="domain", protocol=udp]
+logpath = /var/log/nsd.log
+
+
 [asterisk]

 enabled  = false
@ -565,9 +724,9 @@ logpath = /var/log/mail.log


 [selinux-ssh]
-enabled = false
-filter  = selinux-ssh
-action  = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
+enabled  = false
+filter   = selinux-ssh
+action   = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
 logpath  = /var/log/audit/audit.log
 maxretry = 5