mirror of https://github.com/fail2ban/fail2ban
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
66 lines
3.1 KiB
66 lines
3.1 KiB
# Fail2Ban configuration file
|
|
#
|
|
# Author: Donald Yandt
|
|
#
|
|
# Because of the rich rule commands requires firewalld-0.3.1+
|
|
# This action uses firewalld rich-rules which gives you a cleaner iptables since it stores rules according to zones and not
|
|
# by chain. So for an example all deny rules will be listed under <zone>_deny and all log rules under <zone>_log.
|
|
#
|
|
# Also this action logs banned access attempts so you can filter that and increase ban time for offenders.
|
|
#
|
|
# If you use the --permanent rule you get a xml file in /etc/firewalld/zones/<zone>.xml that can be shared and parsed easliy
|
|
#
|
|
# Example commands to view rules:
|
|
# firewall-cmd [--zone=<zone>] --list-rich-rules
|
|
# firewall-cmd [--zone=<zone>] --list-all
|
|
# firewall-cmd [--zone=zone] --query-rich-rule='rule'
|
|
|
|
[Definition]
|
|
|
|
actionstart =
|
|
|
|
actionstop =
|
|
|
|
actioncheck =
|
|
|
|
# you can also use zones and/or service names.
|
|
#
|
|
# zone example:
|
|
# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' port port='<port>' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <blocktype>"
|
|
# service name example:
|
|
# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' service name='<service>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <blocktype>"
|
|
# Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges seperated by a comma or space for an example: http, https, 22-60, 18 smtp
|
|
|
|
actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="rule family='ipv4' source address='<ip>' port port='$p' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <blocktype>"; done
|
|
|
|
actionunban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="rule family='ipv4' source address='<ip>' port port='$p' protocol='<protocol>' log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <blocktype>"; done
|
|
|
|
[Init]
|
|
|
|
name = default
|
|
|
|
# log levels are "emerg", "alert", "crit", "error", "warning", "notice", "info" or "debug"
|
|
level = info
|
|
|
|
# log rate per minute
|
|
rate = 1
|
|
|
|
zone = public
|
|
|
|
# use command firewall-cmd --get-services to see a list of services available
|
|
#
|
|
# Examples:
|
|
#
|
|
# amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps
|
|
# freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos
|
|
# kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s
|
|
# postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy
|
|
# telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
|
|
|
|
service = ssh
|
|
|
|
# reject types: 'icmp-net-unreachable', 'icmp-host-unreachable', 'icmp-port-unreachable', 'icmp-proto-unreachable',
|
|
# 'icmp-net-prohibited', 'icmp-host-prohibited', 'icmp-admin-prohibited' or 'tcp-reset'
|
|
|
|
blocktype = reject type='icmp-port-unreachable'
|