# Fail2Ban configuration file. # # This file was composed for Debian systems from the original one # provided now under /usr/share/doc/fail2ban/examples/jail.conf # for additional examples. # # Comments: use '#' for comment lines and ';' for inline comments # # To avoid merges during upgrades DO NOT MODIFY THIS FILE # and rather provide your changes in /etc/fail2ban/jail.local # # The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1/8 {{ cm_ip }} {{ monitoring_ip }} # "bantime" is the number of seconds that a host is banned. bantime = {{ f2b_ban_time }} # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = {{ f2b_findtime }} maxretry = {{ f2b_maxretry }} # "backend" specifies the backend used to get files modification. # Available options are "pyinotify", "gamin", "polling" and "auto". # This option can be overridden in each jail as well. # # pyinotify: requires pyinotify (a file alteration monitor) to be installed. # If pyinotify is not installed, Fail2ban will use auto. # gamin: requires Gamin (a file alteration monitor) to be installed. # If Gamin is not installed, Fail2ban will use auto. # polling: uses a polling algorithm which does not require external libraries. # auto: will try to use the following backends, in order: # pyinotify, gamin, polling. backend = {{ f2b_default_backend }} # "usedns" specifies if jails should trust hostnames in logs, # warn when reverse DNS lookups are performed, or ignore all hostnames in logs # # yes: if a hostname is encountered, a reverse DNS lookup will be performed. # warn: if a hostname is encountered, a reverse DNS lookup will be performed, # but it will be logged as a warning. # no: if a hostname is encountered, will not be used for banning, # but it will be logged as info. usedns = {{ f2b_usedns }} # # Destination email address used solely for the interpolations in # jail.{conf,local} configuration files. destemail = {{ f2b_dest_email }} # # Name of the sender for mta actions sendername = {{ f2b_sender_email }} # # ACTIONS # # Default banning action (e.g. iptables, iptables-new, # iptables-multiport, shorewall, etc) It is used to define # action_* variables. Can be overridden globally or per # section within jail.local file banaction = {{ f2b_default_banaction }} # email action. Since 0.8.1 upstream fail2ban uses sendmail # MTA for the mailing. Change mta configuration parameter to mail # if you want to revert to conventional 'mail'. mta = sendmail # Default protocol protocol = tcp # Specify chain where jumps would need to be added in iptables-* actions chain = {{ f2b_default_iptableschain }} # # Action shortcuts. To be used to define action parameter # The simplest action to take: ban only action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] # ban & send an e-mail with whois report to the destemail. action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"] # ban & send an e-mail with whois report and relevant log lines # to the destemail. action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"] # Choose default action. To change, just override value of 'action' with the # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local # globally (section [DEFAULT]) or per specific section action = %({{ f2b_default_action }})s # # JAILS # # Next jails corresponds to the standard configuration in Fail2ban 0.6 which # was shipped in Debian. Enable any defined here jail by including # # [SECTION_NAME] # enabled = true # # in /etc/fail2ban/jail.local. # # Optionally you may override any other parameter (e.g. banaction, # action, port, logpath, etc) in that section within jail.local [ssh] enabled = {{ f2b_ssh_enabled }} port = ssh filter = sshd logpath = /var/log/auth.log maxretry = {{ f2b_maxretry }} [dropbear] enabled = false port = ssh filter = dropbear logpath = /var/log/auth.log maxretry = 6 # Generic filter for pam. Has to be used with action which bans all ports # such as iptables-allports, shorewall [pam-generic] enabled = false # pam-generic filter can be customized to monitor specific subset of 'tty's filter = pam-generic # port actually must be irrelevant but lets leave it all for some possible uses port = all banaction = iptables-allports port = anyport logpath = /var/log/auth.log maxretry = 6 [xinetd-fail] enabled = false filter = xinetd-fail port = all banaction = iptables-multiport-log logpath = /var/log/daemon.log maxretry = 2 [ssh-ddos] enabled = {{ f2b_ssh_ddos_enabled }} port = ssh filter = sshd-ddos logpath = /var/log/auth.log maxretry = {{ f2b_maxretry }} # # HTTP servers # # default action is now multiport, so apache-multiport jail was left # for compatibility with previous (<0.7.6-2) releases [apache-multiport] enabled = {{ f2b_apache_auth_enabled }} port = http,https filter = apache-auth logpath = /var/log/apache*/*error.log maxretry = 6 [apache-noscript] enabled = {{ f2b_apache_noscript_enabled }} port = http,https filter = apache-noscript logpath = /var/log/apache*/*error.log maxretry = 6 [apache-overflows] enabled = {{ f2b_apache_overflow_enabled }} port = http,https filter = apache-overflows logpath = /var/log/apache*/*error.log maxretry = 2 # Ban attackers that try to use PHP's URL-fopen() functionality # through GET/POST variables. - Experimental, with more than a year # of usage in production environments. [php-url-fopen] enabled = {{ f2b_php_url_popen }} port = http,https filter = php-url-fopen logpath = /var/www/*/logs/access_log # A simple PHP-fastcgi jail which works with lighttpd. # If you run a lighttpd server, then you probably will # find these kinds of messages in your error_log: # ALERT – tried to register forbidden variable ‘GLOBALS’ # through GET variables (attacker '1.2.3.4', file '/var/www/default/htdocs/index.php') [nginx-http-auth] enabled = {{ f2b_nginx_auth_enabled }} filter = nginx-http-auth port = http,https logpath = /var/log/nginx/error.log # # FTP servers # [vsftpd] enabled = {{ f2b_vsftpd_enabled }} port = ftp,ftp-data,ftps,ftps-data filter = vsftpd logpath = {{ f2b_vsftpd_logpath }} # or overwrite it in jails.local to be # logpath = /var/log/auth.log # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats maxretry = 6 # Jail for more extended banning of persistent abusers # !!! WARNING !!! # Make sure that your loglevel specified in fail2ban.conf/.local # is not at DEBUG level -- which might then cause fail2ban to fall into # an infinite loop constantly feeding itself with non-informative lines [recidive] enabled = {{ f2b_recidive_enabled }} filter = recidive logpath = /var/log/fail2ban.log action = iptables-allports[name=recidive] sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log] bantime = {{ f2b_recidive_ban_time }} findtime = {{ f2b_recidive_findtime }} maxretry = 5