272 lines
10 KiB
Plaintext
272 lines
10 KiB
Plaintext
#
|
|
# WARNING: heavily refactored in 0.9.0 release. Please review and
|
|
# customize settings for your setup.
|
|
#
|
|
# Changes: in most of the cases you should not modify this
|
|
# file, but provide customizations in jail.local file,
|
|
# or separate .conf files under jail.d/ directory, e.g.:
|
|
#
|
|
# HOW TO ACTIVATE JAILS:
|
|
#
|
|
# YOU SHOULD NOT MODIFY THIS FILE.
|
|
#
|
|
# It will probably be overwritten or improved in a distribution update.
|
|
#
|
|
# Provide customizations in a jail.local file or a jail.d/customisation.local.
|
|
# For example to change the default bantime for all jails and to enable the
|
|
# ssh-iptables jail the following (uncommented) would appear in the .local file.
|
|
# See man 5 jail.conf for details.
|
|
#
|
|
# [DEFAULT]
|
|
# bantime = 1h
|
|
#
|
|
# [sshd]
|
|
# enabled = true
|
|
#
|
|
# See jail.conf(5) man page for more information
|
|
|
|
|
|
|
|
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
|
|
|
|
|
|
[INCLUDES]
|
|
|
|
#before = paths-distro.conf
|
|
before = paths-debian.conf
|
|
|
|
# The DEFAULT allows a global definition of the options. They can be overridden
|
|
# in each jail afterwards.
|
|
|
|
[DEFAULT]
|
|
|
|
#
|
|
# MISCELLANEOUS OPTIONS
|
|
#
|
|
|
|
# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
|
|
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
|
|
bantime.increment = true
|
|
|
|
# "bantime.rndtime" is the max number of seconds using for mixing with random time
|
|
# to prevent "clever" botnets calculate exact time IP can be unbanned again:
|
|
#bantime.rndtime =
|
|
|
|
# "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
|
|
#bantime.maxtime =
|
|
|
|
# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
|
|
# default value of factor is 1 and with default value of formula, the ban time
|
|
# grows by 1, 2, 4, 8, 16 ...
|
|
#bantime.factor = 1
|
|
|
|
# "bantime.formula" used by default to calculate next value of ban time, default value below,
|
|
# the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
|
|
#bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
|
|
#
|
|
# more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
|
|
#bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
|
|
|
|
# "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding
|
|
# previously ban count and given "bantime.factor" (for multipliers default is 1);
|
|
# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count,
|
|
# always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
|
|
#bantime.multipliers = 1 2 4 8 16 32 64
|
|
# following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
|
|
# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
|
|
#bantime.multipliers = 1 5 30 60 300 720 1440 2880
|
|
|
|
# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed
|
|
# cross over all jails, if false (default), only current jail of the ban IP will be searched
|
|
#bantime.overalljails = false
|
|
|
|
# --------------------
|
|
|
|
# "ignoreself" specifies whether the local resp. own IP addresses should be ignored
|
|
# (default is true). Fail2ban will not ban a host which matches such addresses.
|
|
#ignoreself = true
|
|
|
|
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
|
|
# will not ban a host which matches an address in this list. Several addresses
|
|
# can be defined using space (and/or comma) separator.
|
|
#ignoreip = 127.0.0.1/8 ::1
|
|
|
|
# External command that will take an tagged arguments to ignore, e.g. <ip>,
|
|
# and return true if the IP is to be ignored. False otherwise.
|
|
#
|
|
# ignorecommand = /path/to/command <ip>
|
|
ignorecommand =
|
|
|
|
# "bantime" is the number of seconds that a host is banned.
|
|
bantime = 10m
|
|
|
|
# A host is banned if it has generated "maxretry" during the last "findtime"
|
|
# seconds.
|
|
findtime = 10m
|
|
|
|
# "maxretry" is the number of failures before a host get banned.
|
|
maxretry = 5
|
|
|
|
# "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
|
|
maxmatches = %(maxretry)s
|
|
|
|
# "backend" specifies the backend used to get files modification.
|
|
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
|
|
# This option can be overridden in each jail as well.
|
|
#
|
|
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
|
|
# If pyinotify is not installed, Fail2ban will use auto.
|
|
# gamin: requires Gamin (a file alteration monitor) to be installed.
|
|
# If Gamin is not installed, Fail2ban will use auto.
|
|
# polling: uses a polling algorithm which does not require external libraries.
|
|
# systemd: uses systemd python library to access the systemd journal.
|
|
# Specifying "logpath" is not valid for this backend.
|
|
# See "journalmatch" in the jails associated filter config
|
|
# auto: will try to use the following backends, in order:
|
|
# pyinotify, gamin, polling.
|
|
#
|
|
# Note: if systemd backend is chosen as the default but you enable a jail
|
|
# for which logs are present only in its own log files, specify some other
|
|
# backend for that jail (e.g. polling) and provide empty value for
|
|
# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
|
|
backend = auto
|
|
|
|
# "usedns" specifies if jails should trust hostnames in logs,
|
|
# warn when DNS lookups are performed, or ignore all hostnames in logs
|
|
#
|
|
# yes: if a hostname is encountered, a DNS lookup will be performed.
|
|
# warn: if a hostname is encountered, a DNS lookup will be performed,
|
|
# but it will be logged as a warning.
|
|
# no: if a hostname is encountered, will not be used for banning,
|
|
# but it will be logged as info.
|
|
# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user)
|
|
usedns = warn
|
|
|
|
# "logencoding" specifies the encoding of the log files handled by the jail
|
|
# This is used to decode the lines from the log file.
|
|
# Typical examples: "ascii", "utf-8"
|
|
#
|
|
# auto: will use the system locale setting
|
|
logencoding = auto
|
|
|
|
# "enabled" enables the jails.
|
|
# By default all jails are disabled, and it should stay this way.
|
|
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
|
|
#
|
|
# true: jail will be enabled and log files will get monitored for changes
|
|
# false: jail is not enabled
|
|
enabled = false
|
|
|
|
|
|
# "mode" defines the mode of the filter (see corresponding filter implementation for more info).
|
|
mode = normal
|
|
|
|
# "filter" defines the filter to use by the jail.
|
|
# By default jails have names matching their filter name
|
|
#
|
|
filter = %(__name__)s[mode=%(mode)s]
|
|
|
|
|
|
#
|
|
# ACTIONS
|
|
#
|
|
|
|
# Some options used for actions
|
|
|
|
# Destination email address used solely for the interpolations in
|
|
# jail.{conf,local,d/*} configuration files.
|
|
destemail = root@localhost
|
|
|
|
# Sender email address used solely for some actions
|
|
sender = root@<fq-hostname>
|
|
|
|
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
|
|
# mailing. Change mta configuration parameter to mail if you want to
|
|
# revert to conventional 'mail'.
|
|
mta = sendmail
|
|
|
|
# Default protocol
|
|
protocol = tcp
|
|
|
|
# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
|
|
chain = <known/chain>
|
|
|
|
# Ports to be banned
|
|
# Usually should be overridden in a particular jail
|
|
port = 0:65535
|
|
|
|
# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
|
|
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
|
|
|
|
#
|
|
# Action shortcuts. To be used to define action parameter
|
|
|
|
# Default banning action (e.g. iptables, iptables-new,
|
|
# iptables-multiport, shorewall, etc) It is used to define
|
|
# action_* variables. Can be overridden globally or per
|
|
# section within jail.local file
|
|
banaction = iptables-multiport
|
|
banaction_allports = iptables-allports
|
|
|
|
# The simplest action to take: ban only
|
|
action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
|
|
|
# ban & send an e-mail with whois report to the destemail.
|
|
action_mw = %(action_)s
|
|
%(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
|
|
|
|
# ban & send an e-mail with whois report and relevant log lines
|
|
# to the destemail.
|
|
action_mwl = %(action_)s
|
|
%(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
|
|
|
|
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
|
|
#
|
|
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
|
|
# to the destemail.
|
|
action_xarf = %(action_)s
|
|
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
|
|
|
|
# ban & send a notification to one or more of the 50+ services supported by Apprise.
|
|
# See https://github.com/caronc/apprise/wiki for details on what is supported.
|
|
#
|
|
# You may optionally over-ride the default configuration line (containing the Apprise URLs)
|
|
# by using 'apprise[config="/alternate/path/to/apprise.cfg"]' otherwise
|
|
# /etc/fail2ban/apprise.conf is sourced for your supported notification configuration.
|
|
# action = %(action_)s
|
|
# apprise
|
|
|
|
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
|
|
# to the destemail.
|
|
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
|
|
%(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
|
|
|
|
# Report block via blocklist.de fail2ban reporting service API
|
|
#
|
|
# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
|
|
# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
|
|
# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
|
|
# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in
|
|
# corresponding jail.d/my-jail.local file).
|
|
#
|
|
action_blocklist_de = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
|
|
|
|
# Report ban via abuseipdb.com.
|
|
#
|
|
# See action.d/abuseipdb.conf for usage example and details.
|
|
#
|
|
action_abuseipdb = abuseipdb
|
|
|
|
# Choose default action. To change, just override value of 'action' with the
|
|
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
|
|
# globally (section [DEFAULT]) or per specific section
|
|
action = %(action_)s
|
|
|
|
|
|
|
|
[caddy-status]
|
|
enabled = true
|
|
port = http,https
|
|
filter = caddy-status
|
|
logpath = /var/log/caddy/ratelimiters.log
|