    1 #
    2 # WARNING: heavily refactored in 0.9.0 release.  Please review and
    3 #          customize settings for your setup.
    4 #
    5 # Changes:  in most of the cases you should not modify this
    6 #           file, but provide customizations in jail.local file,
    7 #           or separate .conf files under jail.d/ directory, e.g.:
    8 #
    9 # HOW TO ACTIVATE JAILS:
   10 #
   11 # YOU SHOULD NOT MODIFY THIS FILE.
   12 #
   13 # It will probably be overwritten or improved in a distribution update.
   14 #
   15 # Provide customizations in a jail.local file or a jail.d/customisation.local.
   16 # For example to change the default bantime for all jails and to enable the
   17 # ssh-iptables jail the following (uncommented) would appear in the .local file.
   18 # See man 5 jail.conf for details.
   19 #
   20 # [DEFAULT]
   21 # bantime = 1h
   22 #
   23 # [sshd]
   24 # enabled = true
   25 #
   26 # See jail.conf(5) man page for more information
   27 
   28 
   29 
   30 # Comments: use '#' for comment lines and ';' (following a space) for inline comments
   31 
   32 
   33 [INCLUDES]
   34 
   35 #before = paths-distro.conf
   36 before = paths-debian.conf
   37 
   38 # The DEFAULT allows a global definition of the options. They can be overridden
   39 # in each jail afterwards.
   40 
   41 [DEFAULT]
   42 
   43 #
   44 # MISCELLANEOUS OPTIONS
   45 #
   46 
   47 # "bantime.increment" allows to use database for searching of previously banned ip's to increase a 
   48 # default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
   49 #bantime.increment = true
   50 
   51 # "bantime.rndtime" is the max number of seconds using for mixing with random time 
   52 # to prevent "clever" botnets calculate exact time IP can be unbanned again:
   53 #bantime.rndtime = 
   54 
   55 # "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further)
   56 #bantime.maxtime = 
   57 
   58 # "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
   59 # default value of factor is 1 and with default value of formula, the ban time 
   60 # grows by 1, 2, 4, 8, 16 ...
   61 #bantime.factor = 1
   62 
   63 # "bantime.formula" used by default to calculate next value of ban time, default value bellow,
   64 # the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
   65 #bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
   66 #
   67 # more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
   68 #bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
   69 
   70 # "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding 
   71 # previously ban count and given "bantime.factor" (for multipliers default is 1);
   72 # following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, 
   73 # always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
   74 #bantime.multipliers = 1 2 4 8 16 32 64
   75 # following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
   76 # for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
   77 #bantime.multipliers = 1 5 30 60 300 720 1440 2880
   78 
   79 # "bantime.overalljails" (if true) specifies the search of IP in the database will be executed 
   80 # cross over all jails, if false (dafault), only current jail of the ban IP will be searched
   81 #bantime.overalljails = false
   82 
   83 # --------------------
   84 
   85 # "ignoreself" specifies whether the local resp. own IP addresses should be ignored
   86 # (default is true). Fail2ban will not ban a host which matches such addresses.
   87 #ignoreself = true
   88 
   89 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
   90 # will not ban a host which matches an address in this list. Several addresses
   91 # can be defined using space (and/or comma) separator.
   92 #ignoreip = 127.0.0.1/8 ::1
   93 
   94 # External command that will take an tagged arguments to ignore, e.g. <ip>,
   95 # and return true if the IP is to be ignored. False otherwise.
   96 #
   97 # ignorecommand = /path/to/command <ip>
   98 ignorecommand =
   99 
  100 # "bantime" is the number of seconds that a host is banned.
  101 bantime  = 10m
  102 
  103 # A host is banned if it has generated "maxretry" during the last "findtime"
  104 # seconds.
  105 findtime  = 10m
  106 
  107 # "maxretry" is the number of failures before a host get banned.
  108 maxretry = 5
  109 
  110 # "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
  111 maxmatches = %(maxretry)s
  112 
  113 # "backend" specifies the backend used to get files modification.
  114 # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
  115 # This option can be overridden in each jail as well.
  116 #
  117 # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
  118 #              If pyinotify is not installed, Fail2ban will use auto.
  119 # gamin:     requires Gamin (a file alteration monitor) to be installed.
  120 #              If Gamin is not installed, Fail2ban will use auto.
  121 # polling:   uses a polling algorithm which does not require external libraries.
  122 # systemd:   uses systemd python library to access the systemd journal.
  123 #              Specifying "logpath" is not valid for this backend.
  124 #              See "journalmatch" in the jails associated filter config
  125 # auto:      will try to use the following backends, in order:
  126 #              pyinotify, gamin, polling.
  127 #
  128 # Note: if systemd backend is chosen as the default but you enable a jail
  129 #       for which logs are present only in its own log files, specify some other
  130 #       backend for that jail (e.g. polling) and provide empty value for
  131 #       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
  132 backend = auto
  133 
  134 # "usedns" specifies if jails should trust hostnames in logs,
  135 #   warn when DNS lookups are performed, or ignore all hostnames in logs
  136 #
  137 # yes:   if a hostname is encountered, a DNS lookup will be performed.
  138 # warn:  if a hostname is encountered, a DNS lookup will be performed,
  139 #        but it will be logged as a warning.
  140 # no:    if a hostname is encountered, will not be used for banning,
  141 #        but it will be logged as info.
  142 # raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)
  143 usedns = warn
  144 
  145 # "logencoding" specifies the encoding of the log files handled by the jail
  146 #   This is used to decode the lines from the log file.
  147 #   Typical examples:  "ascii", "utf-8"
  148 #
  149 #   auto:   will use the system locale setting
  150 logencoding = auto
  151 
  152 # "enabled" enables the jails.
  153 #  By default all jails are disabled, and it should stay this way.
  154 #  Enable only relevant to your setup jails in your .local or jail.d/*.conf
  155 #
  156 # true:  jail will be enabled and log files will get monitored for changes
  157 # false: jail is not enabled
  158 enabled = false
  159 
  160 
  161 # "mode" defines the mode of the filter (see corresponding filter implementation for more info).
  162 mode = normal
  163 
  164 # "filter" defines the filter to use by the jail.
  165 #  By default jails have names matching their filter name
  166 #
  167 filter = %(__name__)s[mode=%(mode)s]
  168 
  169 
  170 #
  171 # ACTIONS
  172 #
  173 
  174 # Some options used for actions
  175 
  176 # Destination email address used solely for the interpolations in
  177 # jail.{conf,local,d/*} configuration files.
  178 destemail = root@localhost
  179 
  180 # Sender email address used solely for some actions
  181 sender = root@<fq-hostname>
  182 
  183 # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
  184 # mailing. Change mta configuration parameter to mail if you want to
  185 # revert to conventional 'mail'.
  186 mta = sendmail
  187 
  188 # Default protocol
  189 protocol = tcp
  190 
  191 # Specify chain where jumps would need to be added in ban-actions expecting parameter chain
  192 chain = <known/chain>
  193 
  194 # Ports to be banned
  195 # Usually should be overridden in a particular jail
  196 port = 0:65535
  197 
  198 # Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
  199 fail2ban_agent = Fail2Ban/%(fail2ban_version)s
  200 
  201 #
  202 # Action shortcuts. To be used to define action parameter
  203 
  204 # Default banning action (e.g. iptables, iptables-new,
  205 # iptables-multiport, shorewall, etc) It is used to define
  206 # action_* variables. Can be overridden globally or per
  207 # section within jail.local file
  208 banaction = iptables-multiport
  209 banaction_allports = iptables-allports
  210 
  211 # The simplest action to take: ban only
  212 action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  213 
  214 # ban & send an e-mail with whois report to the destemail.
  215 action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  216             %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
  217 
  218 # ban & send an e-mail with whois report and relevant log lines
  219 # to the destemail.
  220 action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  221              %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
  222 
  223 # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
  224 #
  225 # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
  226 # to the destemail.
  227 action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  228              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
  229 
  230 # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
  231 # to the destemail.
  232 action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
  233                 %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
  234 
  235 # Report block via blocklist.de fail2ban reporting service API
  236 # 
  237 # See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
  238 # Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
  239 # `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
  240 # in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in 
  241 # corresponding jail.d/my-jail.local file).
  242 #
  243 action_blocklist_de  = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
  244 
  245 # Report ban via badips.com, and use as blacklist
  246 #
  247 # See BadIPsAction docstring in config/action.d/badips.py for
  248 # documentation for this action.
  249 #
  250 # NOTE: This action relies on banaction being present on start and therefore
  251 # should be last action defined for a jail.
  252 #
  253 action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
  254 #
  255 # Report ban via badips.com (uses action.d/badips.conf for reporting only)
  256 #
  257 action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
  258 
  259 # Report ban via abuseipdb.com.
  260 #
  261 # See action.d/abuseipdb.conf for usage example and details.
  262 #
  263 action_abuseipdb = abuseipdb
  264 
  265 # Choose default action.  To change, just override value of 'action' with the
  266 # interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
  267 # globally (section [DEFAULT]) or per specific section
  268 action = %(action_)s
  269 
  270 
  271 #
  272 # JAILS
  273 #
  274 
  275 #
  276 # SSH servers
  277 #
  278 
  279 [sshd]
  280 
  281 # To use more aggressive sshd modes set filter parameter "mode" in jail.local:
  282 # normal (default), ddos, extra or aggressive (combines all).
  283 # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
  284 #mode   = normal
  285 port    = ssh
  286 logpath = %(sshd_log)s
  287 backend = %(sshd_backend)s
  288 
  289 
  290 [dropbear]
  291 
  292 port     = ssh
  293 logpath  = %(dropbear_log)s
  294 backend  = %(dropbear_backend)s
  295 
  296 
  297 [selinux-ssh]
  298 
  299 port     = ssh
  300 logpath  = %(auditd_log)s
  301 
  302 
  303 #
  304 # HTTP servers
  305 #
  306 
  307 [apache-auth]
  308 
  309 port     = http,https
  310 logpath  = %(apache_error_log)s
  311 
  312 
  313 [apache-badbots]
  314 # Ban hosts which agent identifies spammer robots crawling the web
  315 # for email addresses. The mail outputs are buffered.
  316 port     = http,https
  317 logpath  = %(apache_access_log)s
  318 bantime  = 48h
  319 maxretry = 1
  320 
  321 
  322 [apache-noscript]
  323 
  324 port     = http,https
  325 logpath  = %(apache_error_log)s
  326 
  327 
  328 [apache-overflows]
  329 
  330 port     = http,https
  331 logpath  = %(apache_error_log)s
  332 maxretry = 2
  333 
  334 
  335 [apache-nohome]
  336 
  337 port     = http,https
  338 logpath  = %(apache_error_log)s
  339 maxretry = 2
  340 
  341 
  342 [apache-botsearch]
  343 
  344 port     = http,https
  345 logpath  = %(apache_error_log)s
  346 maxretry = 2
  347 
  348 
  349 [apache-fakegooglebot]
  350 
  351 port     = http,https
  352 logpath  = %(apache_access_log)s
  353 maxretry = 1
  354 ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
  355 
  356 
  357 [apache-modsecurity]
  358 
  359 port     = http,https
  360 logpath  = %(apache_error_log)s
  361 maxretry = 2
  362 
  363 
  364 [apache-shellshock]
  365 
  366 port    = http,https
  367 logpath = %(apache_error_log)s
  368 maxretry = 1
  369 
  370 
  371 [openhab-auth]
  372 
  373 filter = openhab
  374 action = iptables-allports[name=NoAuthFailures]
  375 logpath = /opt/openhab/logs/request.log
  376 
  377 
  378 [nginx-http-auth]
  379 
  380 port    = http,https
  381 logpath = %(nginx_error_log)s
  382 
  383 # To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 
  384 # and define `limit_req` and `limit_req_zone` as described in nginx documentation
  385 # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
  386 # or for example see in 'config/filter.d/nginx-limit-req.conf'
  387 [nginx-limit-req]
  388 port    = http,https
  389 logpath = %(nginx_error_log)s
  390 
  391 [nginx-botsearch]
  392 
  393 port     = http,https
  394 logpath  = %(nginx_error_log)s
  395 maxretry = 2
  396 
  397 
  398 # Ban attackers that try to use PHP's URL-fopen() functionality
  399 # through GET/POST variables. - Experimental, with more than a year
  400 # of usage in production environments.
  401 
  402 [php-url-fopen]
  403 
  404 port    = http,https
  405 logpath = %(nginx_access_log)s
  406           %(apache_access_log)s
  407 
  408 
  409 [suhosin]
  410 
  411 port    = http,https
  412 logpath = %(suhosin_log)s
  413 
  414 
  415 [lighttpd-auth]
  416 # Same as above for Apache's mod_auth
  417 # It catches wrong authentifications
  418 port    = http,https
  419 logpath = %(lighttpd_error_log)s
  420 
  421 
  422 #
  423 # Webmail and groupware servers
  424 #
  425 
  426 [roundcube-auth]
  427 
  428 port     = http,https
  429 logpath  = %(roundcube_errors_log)s
  430 # Use following line in your jail.local if roundcube logs to journal.
  431 #backend = %(syslog_backend)s
  432 
  433 
  434 [openwebmail]
  435 
  436 port     = http,https
  437 logpath  = /var/log/openwebmail.log
  438 
  439 
  440 [horde]
  441 
  442 port     = http,https
  443 logpath  = /var/log/horde/horde.log
  444 
  445 
  446 [groupoffice]
  447 
  448 port     = http,https
  449 logpath  = /home/groupoffice/log/info.log
  450 
  451 
  452 [sogo-auth]
  453 # Monitor SOGo groupware server
  454 # without proxy this would be:
  455 # port    = 20000
  456 port     = http,https
  457 logpath  = /var/log/sogo/sogo.log
  458 
  459 
  460 [tine20]
  461 
  462 logpath  = /var/log/tine20/tine20.log
  463 port     = http,https
  464 
  465 
  466 #
  467 # Web Applications
  468 #
  469 #
  470 
  471 [drupal-auth]
  472 
  473 port     = http,https
  474 logpath  = %(syslog_daemon)s
  475 backend  = %(syslog_backend)s
  476 
  477 [guacamole]
  478 
  479 port     = http,https
  480 logpath  = /var/log/tomcat*/catalina.out
  481 
  482 [monit]
  483 #Ban clients brute-forcing the monit gui login
  484 port = 2812
  485 logpath  = /var/log/monit
  486            /var/log/monit.log
  487 
  488 
  489 [webmin-auth]
  490 
  491 port    = 10000
  492 logpath = %(syslog_authpriv)s
  493 backend = %(syslog_backend)s
  494 
  495 
  496 [froxlor-auth]
  497 
  498 port    = http,https
  499 logpath  = %(syslog_authpriv)s
  500 backend  = %(syslog_backend)s
  501 
  502 
  503 #
  504 # HTTP Proxy servers
  505 #
  506 #
  507 
  508 [squid]
  509 
  510 port     =  80,443,3128,8080
  511 logpath = /var/log/squid/access.log
  512 
  513 
  514 [3proxy]
  515 
  516 port    = 3128
  517 logpath = /var/log/3proxy.log
  518 
  519 
  520 #
  521 # FTP servers
  522 #
  523 
  524 
  525 [proftpd]
  526 
  527 port     = ftp,ftp-data,ftps,ftps-data
  528 logpath  = %(proftpd_log)s
  529 backend  = %(proftpd_backend)s
  530 
  531 
  532 [pure-ftpd]
  533 
  534 port     = ftp,ftp-data,ftps,ftps-data
  535 logpath  = %(pureftpd_log)s
  536 backend  = %(pureftpd_backend)s
  537 
  538 
  539 [gssftpd]
  540 
  541 port     = ftp,ftp-data,ftps,ftps-data
  542 logpath  = %(syslog_daemon)s
  543 backend  = %(syslog_backend)s
  544 
  545 
  546 [wuftpd]
  547 
  548 port     = ftp,ftp-data,ftps,ftps-data
  549 logpath  = %(wuftpd_log)s
  550 backend  = %(wuftpd_backend)s
  551 
  552 
  553 [vsftpd]
  554 # or overwrite it in jails.local to be
  555 # logpath = %(syslog_authpriv)s
  556 # if you want to rely on PAM failed login attempts
  557 # vsftpd's failregex should match both of those formats
  558 port     = ftp,ftp-data,ftps,ftps-data
  559 logpath  = %(vsftpd_log)s
  560 
  561 
  562 #
  563 # Mail servers
  564 #
  565 
  566 # ASSP SMTP Proxy Jail
  567 [assp]
  568 
  569 port     = smtp,465,submission
  570 logpath  = /root/path/to/assp/logs/maillog.txt
  571 
  572 
  573 [courier-smtp]
  574 
  575 port     = smtp,465,submission
  576 logpath  = %(syslog_mail)s
  577 backend  = %(syslog_backend)s
  578 
  579 
  580 [postfix]
  581 # To use another modes set filter parameter "mode" in jail.local:
  582 mode    = more
  583 port    = smtp,465,submission
  584 logpath = %(postfix_log)s
  585 backend = %(postfix_backend)s
  586 
  587 
  588 [postfix-rbl]
  589 
  590 filter   = postfix[mode=rbl]
  591 port     = smtp,465,submission
  592 logpath  = %(postfix_log)s
  593 backend  = %(postfix_backend)s
  594 maxretry = 1
  595 
  596 
  597 [sendmail-auth]
  598 
  599 port    = submission,465,smtp
  600 logpath = %(syslog_mail)s
  601 backend = %(syslog_backend)s
  602 
  603 
  604 [sendmail-reject]
  605 # To use more aggressive modes set filter parameter "mode" in jail.local:
  606 # normal (default), extra or aggressive
  607 # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
  608 #mode    = normal
  609 port     = smtp,465,submission
  610 logpath  = %(syslog_mail)s
  611 backend  = %(syslog_backend)s
  612 
  613 
  614 [qmail-rbl]
  615 
  616 filter  = qmail
  617 port    = smtp,465,submission
  618 logpath = /service/qmail/log/main/current
  619 
  620 
  621 # dovecot defaults to logging to the mail syslog facility
  622 # but can be set by syslog_facility in the dovecot configuration.
  623 [dovecot]
  624 
  625 port    = pop3,pop3s,imap,imaps,submission,465,sieve
  626 logpath = %(dovecot_log)s
  627 backend = %(dovecot_backend)s
  628 
  629 
  630 [sieve]
  631 
  632 port   = smtp,465,submission
  633 logpath = %(dovecot_log)s
  634 backend = %(dovecot_backend)s
  635 
  636 
  637 [solid-pop3d]
  638 
  639 port    = pop3,pop3s
  640 logpath = %(solidpop3d_log)s
  641 
  642 
  643 [exim]
  644 # see filter.d/exim.conf for further modes supported from filter:
  645 #mode = normal
  646 port   = smtp,465,submission
  647 logpath = %(exim_main_log)s
  648 
  649 
  650 [exim-spam]
  651 
  652 port   = smtp,465,submission
  653 logpath = %(exim_main_log)s
  654 
  655 
  656 [kerio]
  657 
  658 port    = imap,smtp,imaps,465
  659 logpath = /opt/kerio/mailserver/store/logs/security.log
  660 
  661 
  662 #
  663 # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
  664 # all relevant ports get banned
  665 #
  666 
  667 [courier-auth]
  668 
  669 port     = smtp,465,submission,imap,imaps,pop3,pop3s
  670 logpath  = %(syslog_mail)s
  671 backend  = %(syslog_backend)s
  672 
  673 
  674 [postfix-sasl]
  675 
  676 filter   = postfix[mode=auth]
  677 port     = smtp,465,submission,imap,imaps,pop3,pop3s
  678 # You might consider monitoring /var/log/mail.warn instead if you are
  679 # running postfix since it would provide the same log lines at the
  680 # "warn" level but overall at the smaller filesize.
  681 logpath  = %(postfix_log)s
  682 backend  = %(postfix_backend)s
  683 
  684 
  685 [perdition]
  686 
  687 port   = imap,imaps,pop3,pop3s
  688 logpath = %(syslog_mail)s
  689 backend = %(syslog_backend)s
  690 
  691 
  692 [squirrelmail]
  693 
  694 port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
  695 logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
  696 
  697 
  698 [cyrus-imap]
  699 
  700 port   = imap,imaps
  701 logpath = %(syslog_mail)s
  702 backend = %(syslog_backend)s
  703 
  704 
  705 [uwimap-auth]
  706 
  707 port   = imap,imaps
  708 logpath = %(syslog_mail)s
  709 backend = %(syslog_backend)s
  710 
  711 
  712 #
  713 #
  714 # DNS servers
  715 #
  716 
  717 
  718 # !!! WARNING !!!
  719 #   Since UDP is connection-less protocol, spoofing of IP and imitation
  720 #   of illegal actions is way too simple.  Thus enabling of this filter
  721 #   might provide an easy way for implementing a DoS against a chosen
  722 #   victim. See
  723 #    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
  724 #   Please DO NOT USE this jail unless you know what you are doing.
  725 #
  726 # IMPORTANT: see filter.d/named-refused for instructions to enable logging
  727 # This jail blocks UDP traffic for DNS requests.
  728 # [named-refused-udp]
  729 #
  730 # filter   = named-refused
  731 # port     = domain,953
  732 # protocol = udp
  733 # logpath  = /var/log/named/security.log
  734 
  735 # IMPORTANT: see filter.d/named-refused for instructions to enable logging
  736 # This jail blocks TCP traffic for DNS requests.
  737 
  738 [named-refused]
  739 
  740 port     = domain,953
  741 logpath  = /var/log/named/security.log
  742 
  743 
  744 [nsd]
  745 
  746 port     = 53
  747 action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
  748            %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
  749 logpath = /var/log/nsd.log
  750 
  751 
  752 #
  753 # Miscellaneous
  754 #
  755 
  756 [asterisk]
  757 
  758 port     = 5060,5061
  759 action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
  760            %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
  761            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
  762 logpath  = /var/log/asterisk/messages
  763 maxretry = 10
  764 
  765 
  766 [freeswitch]
  767 
  768 port     = 5060,5061
  769 action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
  770            %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
  771            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
  772 logpath  = /var/log/freeswitch.log
  773 maxretry = 10
  774 
  775 
  776 # enable adminlog; it will log to a file inside znc's directory by default.
  777 [znc-adminlog]
  778 
  779 port     = 6667
  780 logpath  = /var/lib/znc/moddata/adminlog/znc.log
  781 
  782 
  783 # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
  784 # equivalent section:
  785 # log-warnings = 2
  786 #
  787 # for syslog (daemon facility)
  788 # [mysqld_safe]
  789 # syslog
  790 #
  791 # for own logfile
  792 # [mysqld]
  793 # log-error=/var/log/mysqld.log
  794 [mysqld-auth]
  795 
  796 port     = 3306
  797 logpath  = %(mysql_log)s
  798 backend  = %(mysql_backend)s
  799 
  800 
  801 # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
  802 [mongodb-auth]
  803 # change port when running with "--shardsvr" or "--configsvr" runtime operation
  804 port     = 27017
  805 logpath  = /var/log/mongodb/mongodb.log
  806 
  807 
  808 # Jail for more extended banning of persistent abusers
  809 # !!! WARNINGS !!!
  810 # 1. Make sure that your loglevel specified in fail2ban.conf/.local
  811 #    is not at DEBUG level -- which might then cause fail2ban to fall into
  812 #    an infinite loop constantly feeding itself with non-informative lines
  813 # 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
  814 #    to maintain entries for failed logins for sufficient amount of time
  815 [recidive]
  816 
  817 logpath  = /var/log/fail2ban.log
  818 banaction = %(banaction_allports)s
  819 bantime  = 1w
  820 findtime = 1d
  821 
  822 
  823 # Generic filter for PAM. Has to be used with action which bans all
  824 # ports such as iptables-allports, shorewall
  825 
  826 [pam-generic]
  827 # pam-generic filter can be customized to monitor specific subset of 'tty's
  828 banaction = %(banaction_allports)s
  829 logpath  = %(syslog_authpriv)s
  830 backend  = %(syslog_backend)s
  831 
  832 
  833 [xinetd-fail]
  834 
  835 banaction = iptables-multiport-log
  836 logpath   = %(syslog_daemon)s
  837 backend   = %(syslog_backend)s
  838 maxretry  = 2
  839 
  840 
  841 # stunnel - need to set port for this
  842 [stunnel]
  843 
  844 logpath = /var/log/stunnel4/stunnel.log
  845 
  846 
  847 [ejabberd-auth]
  848 
  849 port    = 5222
  850 logpath = /var/log/ejabberd/ejabberd.log
  851 
  852 
  853 [counter-strike]
  854 
  855 logpath = /opt/cstrike/logs/L[0-9]*.log
  856 # Firewall: http://www.cstrike-planet.com/faq/6
  857 tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
  858 udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
  859 action  = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
  860            %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
  861 
  862 [bitwarden]
  863 port    = http,https
  864 logpath = /home/*/bwdata/logs/identity/Identity/log.txt
  865 
  866 [centreon]
  867 port    = http,https
  868 logpath = /var/log/centreon/login.log
  869 
  870 # consider low maxretry and a long bantime
  871 # nobody except your own Nagios server should ever probe nrpe
  872 [nagios]
  873 
  874 logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
  875 backend  = %(syslog_backend)s
  876 maxretry = 1
  877 
  878 
  879 [oracleims]
  880 # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
  881 logpath = /opt/sun/comms/messaging64/log/mail.log_current
  882 banaction = %(banaction_allports)s
  883 
  884 [directadmin]
  885 logpath = /var/log/directadmin/login.log
  886 port = 2222
  887 
  888 [portsentry]
  889 logpath  = /var/lib/portsentry/portsentry.history
  890 maxretry = 1
  891 
  892 [pass2allow-ftp]
  893 # this pass2allow example allows FTP traffic after successful HTTP authentication
  894 port         = ftp,ftp-data,ftps,ftps-data
  895 # knocking_url variable must be overridden to some secret value in jail.local
  896 knocking_url = /knocking/
  897 filter       = apache-pass[knocking_url="%(knocking_url)s"]
  898 # access log of the website with HTTP auth
  899 logpath      = %(apache_access_log)s
  900 blocktype    = RETURN
  901 returntype   = DROP
  902 action       = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s,
  903                         actionstart_on_demand=false, actionrepair_on_unban=true]
  904 bantime      = 1h
  905 maxretry     = 1
  906 findtime     = 1
  907 
  908 
  909 [murmur]
  910 # AKA mumble-server
  911 port     = 64738
  912 action   = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
  913            %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
  914 logpath  = /var/log/mumble-server/mumble-server.log
  915 
  916 
  917 [screensharingd]
  918 # For Mac OS Screen Sharing Service (VNC)
  919 logpath  = /var/log/system.log
  920 logencoding = utf-8
  921 
  922 [haproxy-http-auth]
  923 # HAProxy by default doesn't log to file you'll need to set it up to forward
  924 # logs to a syslog server which would then write them to disk.
  925 # See "haproxy-http-auth" filter for a brief cautionary note when setting
  926 # maxretry and findtime.
  927 logpath  = /var/log/haproxy.log
  928 
  929 [slapd]
  930 port    = ldap,ldaps
  931 logpath = /var/log/slapd.log
  932 
  933 [domino-smtp]
  934 port    = smtp,ssmtp
  935 logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
  936 
  937 [phpmyadmin-syslog]
  938 port    = http,https
  939 logpath = %(syslog_authpriv)s
  940 backend = %(syslog_backend)s
  941 
  942 
  943 [zoneminder]
  944 # Zoneminder HTTP/HTTPS web interface auth
  945 # Logs auth failures to apache2 error log
  946 port    = http,https
  947 logpath = %(apache_error_log)s
  948 
  949 [traefik-auth]
  950 # to use 'traefik-auth' filter you have to configure your Traefik instance,
  951 # see `filter.d/traefik-auth.conf` for details and service example.
  952 port    = http,https
  953 logpath = /var/log/traefik/access.log