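# Fail2Ban configuration file
#
# $Revision: 1.9 $
#
# 2005.06.21 modified for readability Iain Lea iain@bricbrac.de
#
# Dialect notes (this file is read with Python's ConfigParser):
#   - '#' starts a full-line comment. Never put a comment after a value;
#     it would become part of the value.
#   - %(name)s is interpolated from the current section or [DEFAULT], so
#     a literal '%' must be written '%%' (see the timepattern options).
#   - a multi-line value continues on indented lines (see fwstart).
#   - <ip>, <failures>, <time>, <bantime>, <unbantime>, <section> and
#     <br> are Fail2Ban tags replaced at run time; they are not
#     ConfigParser interpolation and must be written exactly like that.
#   - every fw* and cmd* value is executed through a shell with the
#     rights of the Fail2Ban process (normally root). Keep this file
#     writable by root only.

[DEFAULT]

# Option: background
# Notes.: start fail2ban as a daemon. Output is redirected to logfile.
# Values: [true | false] Default: false
#
background = true

# Option: verbose
# Notes.: verbosity of the output.
#         0 - regular level
#         1 - INFO level
#         2 - DEBUG level (commands are still executed, unlike with the
#             debug option)
# Values: NUM Default: 0
#
verbose = 1

# Option: debug
# Notes.: enable debug mode. No real command gets executed, each one is
#         only reported; output is more verbose and the root user test
#         is bypassed. Nothing is banned while this is true, so never
#         leave it enabled on a production host.
# Values: [true | false] Default: false
#
debug = false

# Option: logtargets
# Notes.: log targets. Space separated list of logging targets.
# Values: STDERR SYSLOG file Default: /var/log/fail2ban.log
#
logtargets = /var/log/fail2ban.log

# Option: syslog-target
# Notes.: where to find the syslog facility if logtarget is SYSLOG.
# Values: SOCKET HOST HOST:PORT Default: /dev/log
#
syslog-target = /dev/log

# Option: syslog-facility
# Notes.: which syslog facility to use if logtarget is SYSLOG.
# Values: NUM Default: 1
#
syslog-facility = 1

# Option: pidlock
# Notes.: path of the PID lock file (must be able to write to file).
#         Keep it in a directory that only root can write to.
# Values: FILE Default: /var/run/fail2ban.pid
#
pidlock = /var/run/fail2ban.pid

# Option: maxfailures
# Notes.: number of failures before an IP gets banned.
# Values: NUM Default: 5
#
maxfailures = 5

# Option: bantime
# Notes.: number of seconds an IP will be banned.
# Values: NUM Default: 600
#
bantime = 600

# Option: findtime
# Notes.: lifetime in seconds of a "failed" log entry, i.e. the window
#         inside which maxfailures failures must occur to trigger a ban.
# Values: NUM Default: 600
#
findtime = 600

# Option: ignoreip
# Notes.: space separated list of IP's that are never banned.
#         You can use CIDR notation to specify a range (the network
#         address goes before the mask, e.g. 192.168.0.0/24).
#         Example: ignoreip = 192.168.0.0/24 123.45.235.65
#         Loopback is listed so that a failure logged with a local
#         source can never insert a DROP rule for 127.0.0.1. Add the
#         addresses administrators connect from: bans are driven by log
#         content, so a mistyped password (or a log line crafted to
#         look like one) would otherwise lock them out for bantime.
# Values: IP Default:
#
ignoreip = 127.0.0.1

# Option: cmdstart
# Notes.: command executed once at the start of Fail2Ban (runs as the
#         Fail2Ban user, normally root).
# Values: CMD Default:
#
cmdstart =

# Option: cmdend
# Notes.: command executed once at the end of Fail2Ban (runs as the
#         Fail2Ban user, normally root).
# Values: CMD Default:
#
cmdend =

# Option: polltime
# Notes.: number of seconds fail2ban sleeps between iterations.
# Values: NUM Default: 1
#
polltime = 1

# Option: reinittime
# Notes.: minimal number of seconds between re-initializations of the
#         firewall due to external changes in its rules (see fwcheck).
#         Set here below the documented default so a flushed chain is
#         rebuilt quickly; raise it if the firewall is reloaded often.
# Values: NUM Default: 100
#
reinittime = 10

# Option: maxreinits
# Notes.: maximal number of re-initializations of the firewall due to
#         external changes. -1 stands for infinite, so only reinittime
#         is of importance.
# Values: NUM Default: -1
#
maxreinits = -1

#
# NOTE: Interpolations
#
# fwstart, as well as fwend, fwcheck, fwban and fwunban, use
# interpolations, so %(__name__)s will be substituted by the name of
# each section (unless the option is overridden in a section).
# If you are going to use interpolations in your setup, please make
# sure that you specify the options port and protocol (which also
# have an entry in DEFAULT).
#

# Option: protocol
# Notes.: internally used by the config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option: fwstart
# Notes.: command executed once at the start of Fail2Ban. It creates a
#         per-section chain and hooks it into INPUT for the section's
#         port/protocol only. A ban therefore only blocks the monitored
#         service, not every port, and it only takes effect if "port"
#         really is the port the service listens on.
# Values: CMD Default:
#
fwstart = iptables -N fail2ban-%(__name__)s
          iptables -A fail2ban-%(__name__)s -j RETURN
          iptables -I INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s

# Option: fwend
# Notes.: command executed once at the end of Fail2Ban. Unhooks, flushes
#         and deletes the per-section chain, which also drops every ban
#         still active.
# Values: CMD Default:
#
fwend = iptables -D INPUT -p %(protocol)s --dport %(port)s -j fail2ban-%(__name__)s
        iptables -F fail2ban-%(__name__)s
        iptables -X fail2ban-%(__name__)s

# Option: fwcheck
# Notes.: command executed once before each fwban command. A non-zero
#         exit status means the chain has been removed (e.g. by a
#         firewall reload) and fwstart is run again (see reinittime).
#         -n is passed so iptables does not do a reverse DNS lookup for
#         every address already listed, which would stall each ban.
# Values: CMD Default:
#
fwcheck = iptables -n -L INPUT | grep -q fail2ban-%(__name__)s

# Option: fwban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights. <ip> is the
#         value captured by the "host" group of failregex and is
#         substituted into this shell command as-is, so a failregex
#         must only be able to capture an address literal.
# Tags:   <ip>        IP address
#         <failures>  number of failures
#         <time>      unix timestamp of the last failure
#         <bantime>   unix timestamp of the ban time
# Values: CMD
# Default: iptables -I INPUT 1 -s <ip> -j DROP
#
fwban = iptables -I fail2ban-%(__name__)s 1 -s <ip> -j DROP

# Option: fwunban
# Notes.: command executed when unbanning an IP. Take care that the
#         command is executed with Fail2Ban user rights. Must undo
#         exactly what fwban did.
# Tags:   <ip>        IP address
#         <bantime>   unix timestamp of the ban time
#         <unbantime> unix timestamp of the unban time
# Values: CMD
# Default: iptables -D INPUT -s <ip> -j DROP
#
fwunban = iptables -D fail2ban-%(__name__)s -s <ip> -j DROP

[MAIL]

# Option: enabled
# Notes.: enable mail notification when banning an IP address.
# Values: [true | false] Default: false
#
enabled = false

# Option: host
# Notes.: host running the mail server. Mail is sent unauthenticated and
#         in clear text; keep this on localhost or a trusted network.
# Values: STR Default: localhost
#
host = localhost

# Option: port
# Notes.: port of the mail server.
# Values: INT Default: 25
#
port = 25

# Option: from
# Notes.: e-mail address of the sender.
# Values: MAIL Default: fail2ban
#
from = fail2ban@localhost

# Option: to
# Notes.: e-mail addresses of the receivers. Addresses are space
#         separated.
# Values: MAIL Default: root
#
to = root@localhost

# Option: localtime
# Notes.: report local time (including timezone) or GMT.
# Values: [true | false] Default: false
#
localtime = true

# Option: subject
# Notes.: subject of the e-mail.
# Tags:   <section>   active section (eg ssh, apache, etc)
#         <ip>        IP address
#         <failures>  number of failures
#         <time>      unix timestamp of the last failure
# Values: TEXT Default: [Fail2Ban] <section>: Banned <ip>
#
subject = [Fail2Ban] <section>: Banned <ip>

# Option: message
# Notes.: message of the e-mail. The value must stay on one line; use
#         <br> where a line break is wanted.
# Tags:   <section>   active section (eg ssh, apache, etc)
#         <ip>        IP address
#         <failures>  number of failures
#         <time>      unix timestamp of the last failure
#         <br>        new line
# Values: TEXT Default:
#
message = Hi,<br>The IP <ip> has just been banned by Fail2Ban after <failures> attempts against <section>.<br>Regards,<br>Fail2Ban

# You can define a new section for each log file to check for
# password failures. Each section has to define the following
# options: logfile, fwban, fwunban, timeregex, timepattern,
# failregex (fwban/fwunban are inherited from [DEFAULT] here).
# failregex must capture the offending address in a group named
# "host"; that capture becomes <ip> in fwban.

[Apache]

# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: false
#
enabled = false

# Option: port
# Notes.: specifies the port to monitor.
# Values: [ NUM | STRING ] Default:
#
port = http

# Option: logfile
# Notes.: logfile to monitor. The failregex below matches the
#         "[client x.x.x.x] user ... authentication failure / not found"
#         lines Apache writes to its ERROR log, so the error log must be
#         monitored here; the access log uses a different line and
#         timestamp format and would never match.
# Values: FILE Default: /var/log/apache/error.log
#
logfile = /var/log/apache/error.log

# Option: timeregex
# Notes.: regex to match the timestamp in the Apache error log. Seems
#         to be a Debian specific configuration.
# Values: [Wed Jan 05 15:08:01 2005]
# Default: \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}
#
timeregex = \S{3} \S{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}

# Option: timepattern
# Notes.: format used in the "timeregex" field definition. Note that
#         '%' must be escaped with '%' (see
#         http://rgruet.free.fr/PQR2.3.html#timeModule).
# Values: TEXT Default: %%a %%b %%d %%H:%%M:%%S %%Y
#
timepattern = %%a %%b %%d %%H:%%M:%%S %%Y

# Option: failregex
# Notes.: regex to match the password failure messages in the logfile.
#         The address is taken from the "[client ...]" field written by
#         the server, which comes before the attacker-controlled user
#         name, so the user name cannot influence which IP is banned.
# Values: TEXT Default: [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)
#
failregex = [[]client (?P<host>\S*)[]] user .*(?:: authentication failure|not found)

[ApacheAttacks]

# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: false
#
enabled = false

# Option: port
# Notes.: specifies the port to monitor.
# Values: [ NUM | STRING ] Default:
#
port = http

# Option: logfile
# Notes.: logfile to monitor (the access log; failregex below matches
#         request lines).
# Values: FILE Default: /var/log/apache/access.log
#
logfile = /var/log/apache/access.log

# Option: maxfailures
# Notes.: number of failures before an IP gets banned. Lower than the
#         global default because a single matching request is already
#         an exploit attempt, not a typo.
# Values: NUM Default: 5
#
maxfailures = 2

# Option: timeregex
# Notes.: regex to match the timestamp in the Apache access log.
# Values: [08/Feb/2006:01:08:46 +0100]
# Default: \d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}
#
timeregex = \d{2}/\S{3}/\d{4}:\d{2}:\d{2}:\d{2}

# Option: timepattern
# Notes.: format used in the "timeregex" field definition. Note that
#         '%' must be escaped with '%' (see
#         http://rgruet.free.fr/PQR2.3.html#timeModule).
# Values: TEXT Default: %%d/%%b/%%Y:%%H:%%M:%%S
#
timepattern = %%d/%%b/%%Y:%%H:%%M:%%S

# Option: failregex
# Notes.: regex to match awstats.pl "configdir" command-injection probes
#         in the access log. The host is the first field, written by
#         the server. Apache logs the request line as received, so the
#         pipe is accepted both raw and URL-encoded (%%7C is a literal
#         "%7C" after ConfigParser un-escaping); only GET requests are
#         matched, which is how these scanners send the probe.
# Values: TEXT Default: ^(?P<host>\S*) -.*"GET .*awstats\.pl\?configdir=(?:\||%%7[Cc])echo.*
#
failregex = ^(?P<host>\S*) -.*"GET .*awstats\.pl\?configdir=(?:\||%%7[Cc])echo.*

[SSH]

# Option: enabled
# Notes.: enable monitoring for this section.
# Values: [true | false] Default: true
#
enabled = true

# Option: port
# Notes.: specifies the port to monitor. Must match the port sshd
#         listens on: fwstart only routes traffic for this port through
#         the fail2ban chain, so with a wrong value bans are inserted
#         but never hit any packet.
# Values: [ NUM | STRING ] Default:
#
port = ssh

# Option: logfile
# Notes.: logfile to monitor.
# Values: FILE Default: /var/log/auth.log
#
logfile = /var/log/auth.log

# Option: timeregex
# Notes.: regex to match the timestamp in the SSH logfile (syslog
#         format, no year).
# Values: [Mar 7 17:53:28]
# Default: \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
#
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}

# Option: timepattern
# Notes.: format used in the "timeregex" field definition. Note that
#         '%' must be escaped with '%' (see
#         http://rgruet.free.fr/PQR2.3.html#timeModule).
# Values: TEXT Default: %%b %%d %%H:%%M:%%S
#
timepattern = %%b %%d %%H:%%M:%%S

# Option: failregex
# Notes.: regex to match the password failure messages in the logfile.
#         The user name between "for"/"user" and "from" is chosen by
#         the remote client and ends up in the log. The ".*" is kept
#         greedy on purpose so the host group binds to the LAST " from "
#         on the line, i.e. the one sshd appends with the real peer
#         address, and a login name containing " from 10.0.0.1" cannot
#         get a third party banned. Re-check this if the log format of
#         the installed sshd differs. The optional ::ffff: prefix strips
#         IPv4-mapped IPv6 notation.
# Values: TEXT Default: (?:Authentication failure|Failed (?:keyboard-interactive/pam|password)) for(?: illegal user)? .* from (?:::f{4,6}:)?(?P<host>\S*)
#
failregex = : (?:(?:Authentication failure|Failed [-/\w+]+) for(?: [iI](?:llegal|nvalid) user)?|[Ii](?:llegal|nvalid) user) .* from (?:::f{4,6}:)?(?P<host>\S*)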