227 lines
8.2 KiB
Plaintext
227 lines
8.2 KiB
Plaintext
[DEFAULT]
|
|
|
|
#
|
|
# MISCELLANEOUS OPTIONS
|
|
#
|
|
|
|
# "ignorself" specifies whether the local resp. own IP addresses should be ignored
|
|
# (default is true). Fail2ban will not ban a host which matches such addresses.
|
|
#ignorself = true
|
|
|
|
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
|
|
# will not ban a host which matches an address in this list. Several addresses
|
|
# can be defined using space (and/or comma) separator.
|
|
ignoreip = 127.0.0.1/8 ::1
|
|
|
|
# External command that will take an tagged arguments to ignore, e.g. <ip>,
|
|
# and return true if the IP is to be ignored. False otherwise.
|
|
#
|
|
# ignorecommand = /path/to/command <ip>
|
|
ignorecommand =
|
|
|
|
# "bantime" is the number of seconds that a host is banned.
|
|
bantime = 86400
|
|
|
|
# A host is banned if it has generated "maxretry" during the last "findtime"
|
|
# seconds.
|
|
findtime = 600
|
|
|
|
# "maxretry" is the number of failures before a host get banned.
|
|
maxretry = 3
|
|
|
|
# "backend" specifies the backend used to get files modification.
|
|
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
|
|
# This option can be overridden in each jail as well.
|
|
#
|
|
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
|
|
# If pyinotify is not installed, Fail2ban will use auto.
|
|
# gamin: requires Gamin (a file alteration monitor) to be installed.
|
|
# If Gamin is not installed, Fail2ban will use auto.
|
|
# polling: uses a polling algorithm which does not require external libraries.
|
|
# systemd: uses systemd python library to access the systemd journal.
|
|
# Specifying "logpath" is not valid for this backend.
|
|
# See "journalmatch" in the jails associated filter config
|
|
# auto: will try to use the following backends, in order:
|
|
# pyinotify, gamin, polling.
|
|
#
|
|
# Note: if systemd backend is chosen as the default but you enable a jail
|
|
# for which logs are present only in its own log files, specify some other
|
|
# backend for that jail (e.g. polling) and provide empty value for
|
|
# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
|
|
backend = auto
|
|
|
|
# "usedns" specifies if jails should trust hostnames in logs,
|
|
# warn when DNS lookups are performed, or ignore all hostnames in logs
|
|
#
|
|
# yes: if a hostname is encountered, a DNS lookup will be performed.
|
|
# warn: if a hostname is encountered, a DNS lookup will be performed,
|
|
# but it will be logged as a warning.
|
|
# no: if a hostname is encountered, will not be used for banning,
|
|
# but it will be logged as info.
|
|
# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user)
|
|
usedns = warn
|
|
|
|
# "logencoding" specifies the encoding of the log files handled by the jail
|
|
# This is used to decode the lines from the log file.
|
|
# Typical examples: "ascii", "utf-8"
|
|
#
|
|
# auto: will use the system locale setting
|
|
logencoding = auto
|
|
|
|
# "enabled" enables the jails.
|
|
# By default all jails are disabled, and it should stay this way.
|
|
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
|
|
#
|
|
# true: jail will be enabled and log files will get monitored for changes
|
|
# false: jail is not enabled
|
|
enabled = false
|
|
|
|
# "mode" defines the mode of the filter (see corresponding filter implementation for more info).
|
|
mode = normal
|
|
|
|
# "filter" defines the filter to use by the jail.
|
|
# By default jails have names matching their filter name
|
|
#
|
|
filter = %(__name__)s
|
|
|
|
#
|
|
# ACTIONS
|
|
#
|
|
|
|
# Some options used for actions
|
|
|
|
# Default banning action (e.g. iptables, iptables-new,
|
|
# iptables-multiport, shorewall, etc) It is used to define
|
|
# action_* variables. Can be overridden globally or per
|
|
# section within jail.local file
|
|
banaction = iptables-allports
|
|
|
|
# Destination email address used solely for the interpolations in
|
|
# jail.{conf,local,d/*} configuration files.
|
|
destemail = alerts@example.com
|
|
|
|
# Sender email address used solely for some actions
|
|
sendername = Fail2Ban
|
|
sender = fail2ban@<fq-hostname>
|
|
|
|
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
|
|
# mailing. Change mta configuration parameter to mail if you want to
|
|
# revert to conventional 'mail'.
|
|
mta = sendmail
|
|
|
|
# Default protocol
|
|
protocol = tcp
|
|
|
|
# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
|
|
chain = INPUT
|
|
|
|
# Ports to be banned
|
|
# Usually should be overridden in a particular jail
|
|
port = 0:65535
|
|
|
|
# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
|
|
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
|
|
|
|
#
|
|
# Action shortcuts. To be used to define action parameter
|
|
|
|
# Default banning action (e.g. iptables, iptables-new,
|
|
# iptables-multiport, shorewall, etc) It is used to define
|
|
# action_* variables. Can be overridden globally or per
|
|
# section within jail.local file
|
|
# banaction = iptables-multiport
|
|
banaction_allports = iptables-allports
|
|
|
|
# The simplest action to take: ban only
|
|
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
|
|
|
# ban & send an e-mail with whois report to the destemail.
|
|
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
|
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
|
|
|
|
# ban & send an e-mail with whois report and relevant log lines
|
|
# to the destemail.
|
|
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
|
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
|
|
|
|
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
|
|
#
|
|
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
|
|
# to the destemail.
|
|
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
|
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
|
|
|
|
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
|
|
# to the destemail.
|
|
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
|
|
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
|
|
|
|
# Report block via blocklist.de fail2ban reporting service API
|
|
#
|
|
# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
|
|
# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
|
|
# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
|
|
# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in
|
|
# corresponding jail.d/my-jail.local file).
|
|
#
|
|
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
|
|
|
|
# Report ban via badips.com, and use as blacklist
|
|
#
|
|
# See BadIPsAction docstring in config/action.d/badips.py for
|
|
# documentation for this action.
|
|
#
|
|
# NOTE: This action relies on banaction being present on start and therefore
|
|
# should be last action defined for a jail.
|
|
#
|
|
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
|
|
#
|
|
# Report ban via badips.com (uses action.d/badips.conf for reporting only)
|
|
#
|
|
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
|
|
|
|
# Report ban via abuseipdb.com.
|
|
#
|
|
# See action.d/abuseipdb.conf for usage example and details.
|
|
#
|
|
action_abuseipdb = abuseipdb
|
|
|
|
# Choose default action. To change, just override value of 'action' with the
|
|
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
|
|
# globally (section [DEFAULT]) or per specific section
|
|
#action = iptables-allports
|
|
action = %(action_mwl)s
|
|
|
|
|
|
#
|
|
# JAILS
|
|
#
|
|
|
|
#
|
|
# SSH servers
|
|
#
|
|
|
|
[sshd]
|
|
|
|
enabled = true
|
|
port = ssh
|
|
logpath = %(sshd_log)s
|
|
action = %(action_mwl)s
|
|
alerta[alertaurl=https://alerta.example.com/api/webhooks/fail2ban, alertaapikey=EXdp3haf4Xkk7Dpk5MFrqfafn6nYGgtz4JL4XzBY]
|
|
maxretry = 4
|
|
|
|
|
|
[dropbear]
|
|
|
|
enabled = false
|
|
port = ssh
|
|
logpath = %(dropbear_log)s
|
|
maxretry = 6
|
|
|
|
|
|
[selinux-ssh]
|
|
|
|
enabled = false
|
|
port = ssh
|
|
logpath = %(auditd_log)s
|