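# Fail2Ban configuration file
#
# $Revision: 1.8.2.13 $
#
# 2005.06.21 modified for readability Iain Lea iain@bricbrac.de
#
# This file is read with Python's ConfigParser: keys under [DEFAULT] are
# inherited by every other section, a literal '%' in a value must be
# written '%%', and continuation lines must be indented.  Tags of the
# form <name> (e.g. <ip>) are substituted by fail2ban at run time; keep
# them exactly as written.

[DEFAULT]

# Option:  background
# Notes.:  start fail2ban as a daemon. Output is redirected to the logfile.
# Values:  [true | false] Default: false
#
background = true

# Option:  verbose
# Notes.:  verbosity of the output.
#          0 - regular level
#          1 - INFO level
#          2 - DEBUG level (but commands get executed as opposed to
#              debug option)
# Values:  NUM Default: 0
#
verbose = 1

# Option:  debug
# Notes.:  enable debug mode. No real commands get executed but only
#          reported, more verbose output, bypass root user test.
# Values:  [true | false] Default: false
#
debug = false

# Option:  logtargets
# Notes.:  log targets. Space separated list of logging targets.
# Values:  STDERR SYSLOG file Default: /var/log/fail2ban.log
#
logtargets = /var/log/fail2ban.log

# Option:  syslog-target
# Notes.:  where to find syslog facility if logtarget SYSLOG.
# Values:  SOCKET HOST HOST:PORT Default: /dev/log
#
syslog-target = /dev/log

# Option:  syslog-facility
# Notes.:  which syslog facility to use if logtarget SYSLOG.
# Values:  NUM Default: 1
#
syslog-facility = 1

# Option:  pidlock
# Notes.:  path of the PID lock file (must be able to write to file).
# Values:  FILE Default: /var/run/fail2ban.pid
#
pidlock = /var/run/fail2ban.pid

# Option:  maxfailures
# Notes.:  number of failures before IP gets banned.
# Values:  NUM Default: 5
#
maxfailures = 5

# Option:  bantime
# Notes.:  number of seconds an IP will be banned.
# Values:  NUM Default: 600
#
bantime = 600

# Option:  findtime
# Notes.:  lifetime in seconds of a "failed" log entry.
# Values:  NUM Default: 600
#
findtime = 600

# Option:  ignoreip
# Notes.:  space separated list of IP's to be ignored by fail2ban.
#          You can use CIDR mask in order to specify a range.
#          Addresses in this list are never banned, so list only
#          networks you trust.
# Example: ignoreip = 192.168.0.1/24 123.45.235.65
# Values:  IP Default: 192.168.0.0/16
#
ignoreip = 192.168.0.0/16

# Option:  cmdstart
# Notes.:  command executed once at the start of Fail2Ban
# Values:  CMD Default:
#
cmdstart =

# Option:  cmdend
# Notes.:  command executed once at the end of Fail2Ban.
# Values:  CMD Default:
#
cmdend =

# Option:  polltime
# Notes.:  number of seconds fail2ban sleeps between iterations.
# Values:  NUM Default: 1
#
polltime = 1

# Option:  reinittime
# Notes.:  minimal number of seconds between the re-initialization of
#          firewalls due to external changes in their rules (see fwcheck)
# Values:  NUM Default: 100
#
reinittime = 10

# Option:  maxreinits
# Notes.:  maximal number of re-initialization of firewalls due to external
#          changes. -1 stays for infinite, so only reinittime is of importance
# Values:  NUM Default: -1
#
maxreinits = -1

# Mail notification sent when an address is banned.
[MAIL]

# Option:  enabled
# Notes.:  enable mail notification when banning an IP address.
# Values:  [true | false] Default: false
#
enabled = false

# Option:  host
# Notes.:  host running the mail server.
# Values:  STR Default: localhost
#
host = localhost

# Option:  port
# Notes.:  port of the mail server.
# Values:  INT Default: 25
#
port = 25

# Option:  from
# Notes.:  e-mail address of the sender.
# Values:  MAIL Default: fail2ban
#
from = fail2ban@localhost

# Option:  to
# Notes.:  e-mail addresses of the receiver. Addresses are space
#          separated.
# Values:  MAIL Default: root
#
to = root@localhost

# Option:  subject
# Notes.:  subject of the e-mail.
# Tags:    <section>  active section (eg ssh, apache, etc)
#          <ip>       IP address
#          <failures> number of failures
#          <time>     unix timestamp of the last failure
# Values:  TEXT Default: [Fail2Ban: <section>] Banned <ip>
#
subject = [Fail2Ban: <section>] Banned <ip>

# Option:  message
# Notes.:  message of the e-mail. Continuation lines must stay indented
#          (ConfigParser multi-line value).
# Tags:    <section>  active section (eg ssh, apache, etc)
#          <ip>       IP address
#          <failures> number of failures
#          <time>     unix timestamp of the last failure
#          <br>       new line
# Values:  TEXT Default:
#
message = Hi,<br>
          The IP <ip> has just been banned by Fail2Ban after <failures> attempts.<br>
          Regards,<br>
          Fail2Ban

# You can define a new section for each log file to check for
# password failure. Each section has to define the following
# options: logfile, fwban, fwunban, timeregex, timepattern,
# failregex.

# Apache authentication failures.
[Apache]

# Option:  enabled
# Notes.:  enable monitoring for this section.
# Values:  [true | false] Default: false
#
enabled = false

# Option:  logfile
# Notes.:  logfile to monitor.
# Values:  FILE Default: /var/log/apache/access.log
#
logfile = /var/log/apache/access.log

# Option:  fwstart
# Notes.:  command executed once at the start of Fail2Ban
#          (one command per line; continuation lines must stay indented)
# Values:  CMD Default:
#
fwstart = iptables -N fail2ban-http
          iptables -I INPUT -p tcp --dport http -j fail2ban-http
          iptables -A fail2ban-http -j RETURN

# Option:  fwend
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD Default:
#
fwend = iptables -D INPUT -p tcp --dport http -j fail2ban-http
        iptables -F fail2ban-http
        iptables -X fail2ban-http

# Option:  fwcheck
# Notes.:  command executed once before each fwban command
# Values:  CMD Default:
#
fwcheck = iptables -L INPUT | grep -q fail2ban-http

# Option:  fwban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          <ip> is taken from the 'host' group of failregex, i.e. from
#          the log line itself, so keep that group as narrow as possible.
# Tags:    <ip>       IP address
#          <failures> number of failures
#          <time>     unix timestamp of the last failure
#          <bantime>  unix timestamp of the ban time
# Values:  CMD
#          Default:  iptables -I INPUT 1 -s <ip> -j DROP
#
fwban = iptables -I fail2ban-http 1 -s <ip> -j DROP

# Option:  fwunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>        IP address
#          <bantime>   unix timestamp of the ban time
#          <unbantime> unix timestamp of the unban time
# Values:  CMD
#          Default:  iptables -D INPUT -s <ip> -j DROP
#
fwunban = iptables -D fail2ban-http -s <ip> -j DROP

# Option:  timeregex
# Notes.:  regex to match timestamp in Apache logfile.
# Values:  [Wed Jan 05 15:08:01 2005]
#          Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
#
timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}

# Option:  timepattern
# Notes.:  format used in "timeregex" fields definition. Note that '%' must be
#          escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
# Values:  TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y
#
timepattern = %%a %%b %%d %%H:%%M:%%S %%Y

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile.
#          The named group 'host' is what fail2ban bans.
# Values:  TEXT Default: [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)
#
failregex = [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)

# SSH authentication failures.
[SSH]

# Option:  enabled
# Notes.:  enable monitoring for this section.
# Values:  [true | false] Default: true
#
enabled = true

# Option:  logfile
# Notes.:  logfile to monitor.
# Values:  FILE Default: /var/log/auth.log
#
logfile = /var/log/auth.log

# Option:  fwstart
# Notes.:  command executed once at the start of Fail2Ban
#          (one command per line; continuation lines must stay indented)
# Values:  CMD Default:
#
fwstart = iptables -N fail2ban-ssh
          iptables -I INPUT -p tcp --dport ssh -j fail2ban-ssh
          iptables -A fail2ban-ssh -j RETURN

# Option:  fwend
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD Default:
#
fwend = iptables -D INPUT -p tcp --dport ssh -j fail2ban-ssh
        iptables -F fail2ban-ssh
        iptables -X fail2ban-ssh

# Option:  fwcheck
# Notes.:  command executed once before each fwban command
# Values:  CMD Default:
#
fwcheck = iptables -L INPUT | grep -q fail2ban-ssh

# Option:  fwban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          <ip> is taken from the 'host' group of failregex, i.e. from
#          the log line itself, so keep that group as narrow as possible.
# Tags:    <ip>       IP address
#          <failures> number of failures
#          <time>     unix timestamp of the last failure
#          <bantime>  unix timestamp of the ban time
# Values:  CMD
#          Default:  iptables -I INPUT 1 -s <ip> -j DROP
#
fwban = iptables -I fail2ban-ssh 1 -s <ip> -j DROP

# Option:  fwunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>        IP address
#          <bantime>   unix timestamp of the ban time
#          <unbantime> unix timestamp of the unban time
# Values:  CMD
#          Default:  iptables -D INPUT -s <ip> -j DROP
#
fwunban = iptables -D fail2ban-ssh -s <ip> -j DROP

# Option:  timeregex
# Notes.:  regex to match timestamp in SSH logfile.
# Values:  [Mar 7 17:53:28]
#          Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}

# Option:  timepattern
# Notes.:  format used in "timeregex" fields definition. Note that '%' must be
#          escaped with '%' (see http://rgruet.free.fr/PQR2.3.html#timeModule)
# Values:  TEXT Default: %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S

# Option:  failregex
# Notes.:  regex to match the password failure messages in the logfile.
#          The named group 'host' is what fail2ban bans.
# Values:  TEXT Default: (?:Authentication failure|Failed (?:keyboard-interactive/pam|password)) for(?: illegal user)? .* from (?:::f{4,6}:)?(?P<host>\S*)
#
failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user) .* from (?:::f{4,6}:)?(?P<host>\S*)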