Add fail2ban playbook for updating jails remotely
+ Can be used for a single host or a group of hosts + Update nginx-nobinary jail regex
This commit is contained in:
parent
909bf3278e
commit
b5a97de9ff
|
@ -0,0 +1,24 @@
|
||||||
|
- hosts: nginx-server
|
||||||
|
become: yes
|
||||||
|
tasks:
|
||||||
|
- name: Copy custom fail2ban filters
|
||||||
|
synchronize:
|
||||||
|
mode: push
|
||||||
|
src: fail2ban/filter.d/
|
||||||
|
dest: /etc/fail2ban/filter.d/
|
||||||
|
- name: Copy custom fail2ban jail.local
|
||||||
|
synchronize:
|
||||||
|
mode: push
|
||||||
|
src: fail2ban/jail.local
|
||||||
|
dest: /etc/fail2ban/
|
||||||
|
- name: Reload fail2ban service
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: fail2ban
|
||||||
|
state: reloaded
|
||||||
|
- name: Checking status of fail2ban service after restart
|
||||||
|
command: systemctl status fail2ban
|
||||||
|
register: result
|
||||||
|
- name: Showing fail2ban status report
|
||||||
|
debug:
|
||||||
|
var: result
|
||||||
|
|
|
@ -0,0 +1,20 @@
|
||||||
|
# Fail2Ban filter for 3proxy
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
|
||||||
|
failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ <HOST>:\d+ [\d.]+:\d+ \d+ \d+ \d+\s
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = {^LN-BEG}
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
# http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
|
||||||
|
# all authentication problems (%E field)
|
||||||
|
# Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
|
||||||
|
#
|
||||||
|
# Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
|
||||||
|
# Author: Daniel Black
|
|
@ -0,0 +1,71 @@
|
||||||
|
# Fail2Ban apache-auth filter
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# apache-common.local
|
||||||
|
before = apache-common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
# Mode for filter: normal (default) and aggressive (allows DDoS & brute force detection of mod_evasive)
|
||||||
|
mode = normal
|
||||||
|
|
||||||
|
# ignore messages of mod_evasive module:
|
||||||
|
apache-pref-ign-normal = (?!evasive)
|
||||||
|
# allow "denied by server configuration" from all modules:
|
||||||
|
apache-pref-ign-aggressive =
|
||||||
|
# mode related ignore prefix for common _apache_error_client substitution:
|
||||||
|
apache-pref-ignore = <apache-pref-ign-<mode>>
|
||||||
|
|
||||||
|
prefregex = ^%(_apache_error_client)s (?:AH\d+: )?<F-CONTENT>.+</F-CONTENT>$
|
||||||
|
|
||||||
|
# auth_type = ((?:Digest|Basic): )?
|
||||||
|
auth_type = ([A-Z]\w+: )?
|
||||||
|
|
||||||
|
failregex = ^client (?:denied by server configuration|used wrong authentication scheme)\b
|
||||||
|
^user (?!`)<F-USER>(?:\S*|.*?)</F-USER> (?:auth(?:oriz|entic)ation failure|not found|denied by provider)\b
|
||||||
|
^Authorization of user <F-USER>(?:\S*|.*?)</F-USER> to access .*? failed\b
|
||||||
|
^%(auth_type)suser <F-USER>(?:\S*|.*?)</F-USER>: password mismatch\b
|
||||||
|
^%(auth_type)suser `<F-USER>(?:[^']*|.*?)</F-USER>' in realm `.+' (auth(?:oriz|entic)ation failure|not found|denied by provider)\b
|
||||||
|
^%(auth_type)sinvalid nonce .* received - length is not\b
|
||||||
|
^%(auth_type)srealm mismatch - got `(?:[^']*|.*?)' but expected\b
|
||||||
|
^%(auth_type)sunknown algorithm `(?:[^']*|.*?)' received\b
|
||||||
|
^invalid qop `(?:[^']*|.*?)' received\b
|
||||||
|
^%(auth_type)sinvalid nonce .*? received - user attempted time travel\b
|
||||||
|
^(?:No h|H)ostname \S+ provided via SNI(?:, but no hostname provided| and hostname \S+ provided| for a name based virtual host)\b
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# This filter matches the authorization failures of Apache. It takes the log messages
|
||||||
|
# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
|
||||||
|
# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
|
||||||
|
#
|
||||||
|
# An unauthorized response 401 is the first step for a browser to instigate authentication
|
||||||
|
# however apache doesn't log this as an error. Only subsequent errors are logged in the
|
||||||
|
# error log.
|
||||||
|
#
|
||||||
|
# Source:
|
||||||
|
#
|
||||||
|
# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
|
||||||
|
# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get
|
||||||
|
# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
|
||||||
|
# to return the actual failure.
|
||||||
|
#
|
||||||
|
# Note that URI can contain spaces.
|
||||||
|
#
|
||||||
|
# See also: http://wiki.apache.org/httpd/ListOfErrors
|
||||||
|
# Expressions that don't have tests and aren't common.
|
||||||
|
# more be added with https://issues.apache.org/bugzilla/show_bug.cgi?id=55284
|
||||||
|
# ^user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
|
||||||
|
# ^user .*: one-time-nonce mismatch - sending new nonce\s*$
|
||||||
|
# ^realm mismatch - got `(?:[^']*|.*?)' but no realm specified\s*$
|
||||||
|
#
|
||||||
|
# Because url/referer are foreign input, short form of regex used if long enough to idetify failure.
|
||||||
|
#
|
||||||
|
# Author: Cyril Jaquier
|
||||||
|
# Major edits by Daniel Black and Ben Rubson.
|
||||||
|
# Rewritten for v.0.10 by Sergey Brester (sebres).
|
|
@ -0,0 +1,24 @@
|
||||||
|
# Fail2Ban configuration file
|
||||||
|
#
|
||||||
|
# Regexp to catch known spambots and software alike. Please verify
|
||||||
|
# that it is your intent to block IPs which were driven by
|
||||||
|
# above mentioned bots.
|
||||||
|
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|(?:Mozilla/\d+\.\d+ )?Jorgee
|
||||||
|
badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
|
||||||
|
|
||||||
|
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = ^[^\[]*\[({DATE})
|
||||||
|
{^LN-BEG}
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
# List of bad bots fetched from http://www.user-agents.org
|
||||||
|
# Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots.
|
||||||
|
#
|
||||||
|
# Author: Yaroslav Halchenko
|
|
@ -0,0 +1,39 @@
|
||||||
|
# Fail2Ban filter to match web requests for selected URLs that don't exist
|
||||||
|
#
|
||||||
|
# This filter is aimed at blocking specific URLs that don't exist. This
|
||||||
|
# could be a set of URLs places in a Disallow: directive in robots.txt or
|
||||||
|
# just some web services that don't exist caused bots are searching for
|
||||||
|
# exploitable content. This filter is designed to have a low false positive
|
||||||
|
# rate due.
|
||||||
|
#
|
||||||
|
# An alternative to this is the apache-noscript filter which blocks all
|
||||||
|
# types of scripts that don't exist.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# This is normally a predefined list of exploitable or valuable web services
|
||||||
|
# that are hidden or aren't actually installed.
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# overwrite with apache-common.local if _apache_error_client is incorrect.
|
||||||
|
# Load regexes for filtering from botsearch-common.conf
|
||||||
|
before = apache-common.conf
|
||||||
|
botsearch-common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
prefregex = ^%(_apache_error_client)s (?:AH\d+: )?<F-CONTENT>.+</F-CONTENT>$
|
||||||
|
|
||||||
|
failregex = ^(?:File does not exist|script not found or unable to stat): <webroot><block>(, referer: \S+)?\s*$
|
||||||
|
^script '<webroot><block>' not found or unable to stat(, referer: \S+)?\s*$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# Webroot represents the webroot on which all other files are based
|
||||||
|
webroot = /var/www/
|
||||||
|
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# Author: Daniel Black
|
|
@ -0,0 +1,44 @@
|
||||||
|
# Generic configuration items (to be used as interpolations) in other
|
||||||
|
# apache filters.
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
# Load customizations if any available
|
||||||
|
after = apache-common.local
|
||||||
|
|
||||||
|
[DEFAULT]
|
||||||
|
|
||||||
|
# Apache logging mode:
|
||||||
|
# all - universal prefix (logfile, syslog)
|
||||||
|
# logfile - logfile only
|
||||||
|
# syslog - syslog only
|
||||||
|
# Use `filter = apache-auth[logging=syslog]` to get more precise regex if apache logs into syslog (ErrorLog syslog).
|
||||||
|
# Use `filter = apache-auth[logging=all]` to get universal regex matches both logging variants.
|
||||||
|
logging = logfile
|
||||||
|
|
||||||
|
# Apache logging prefixes (date-pattern prefix, server, process etc.):
|
||||||
|
apache-prefix-syslog = %(__prefix_line)s
|
||||||
|
apache-prefix-logfile = \[\]\s
|
||||||
|
apache-prefix-all = (?:%(apache-prefix-logfile)s|%(apache-prefix-syslog)s)?
|
||||||
|
|
||||||
|
# Setting for __prefix_line (only `logging=syslog`):
|
||||||
|
_daemon = (?:apache\d*|httpd(?:/\w+)?)
|
||||||
|
|
||||||
|
apache-prefix = <apache-prefix-<logging>>
|
||||||
|
|
||||||
|
apache-pref-ignore =
|
||||||
|
|
||||||
|
_apache_error_client = <apache-prefix>\[(:?error|<apache-pref-ignore>\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]
|
||||||
|
|
||||||
|
datepattern = {^LN-BEG}
|
||||||
|
|
||||||
|
# Common prefix for [error] apache messages which also would include <HOST>
|
||||||
|
# Depending on the version it could be
|
||||||
|
# 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4]
|
||||||
|
# 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652]
|
||||||
|
# 2.4 (perfork): [Mon Dec 23 07:49:01.981912 2013] [:error] [pid 3790] [client 204.232.202.107:46301] script '/var/www/timthumb.php' not found or unable to
|
||||||
|
#
|
||||||
|
# Reference: https://github.com/fail2ban/fail2ban/issues/268
|
||||||
|
#
|
||||||
|
# Author: Yaroslav Halchenko
|
|
@ -0,0 +1,16 @@
|
||||||
|
# Fail2Ban filter for fake Googlebot User Agents
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^<HOST> .*Googlebot.*$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = ^[^\[]*\[({DATE})
|
||||||
|
{^LN-BEG}
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# Author: Lee Clemens
|
||||||
|
# Thanks: Johannes B. Ullrich, Ph.D.
|
||||||
|
# Reference: https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/
|
|
@ -0,0 +1,19 @@
|
||||||
|
# Fail2Ban apache-modsec filter
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# apache-common.local
|
||||||
|
before = apache-common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
|
||||||
|
failregex = ^%(_apache_error_client)s(?: \[client [^\]]+\])? ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats
|
||||||
|
# Author: Daniel Black
|
||||||
|
# Sergey G. Brester aka sebres (review, optimization)
|
|
@ -0,0 +1,20 @@
|
||||||
|
# Fail2Ban filter to web requests for home directories on Apache servers
|
||||||
|
#
|
||||||
|
# Regex to match failures to find a home directory on a server, which
|
||||||
|
# became popular last days. Most often attacker just uses IP instead of
|
||||||
|
# domain name -- so expect to see them in generic error.log if you have
|
||||||
|
# per-domain log files.
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# overwrite with apache-common.local if _apache_error_client is incorrect.
|
||||||
|
before = apache-common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
|
||||||
|
failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.*
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
|
|
@ -0,0 +1,37 @@
|
||||||
|
# Fail2Ban filter to block web requests for scripts (on non scripted websites)
|
||||||
|
#
|
||||||
|
# This matches many types of scripts that don't exist. This could generate a
|
||||||
|
# lot of false positive matches in cases like wikis and forums where users
|
||||||
|
# no affiliated with the website can insert links to missing files/scripts into
|
||||||
|
# pages and cause non-malicious browsers of the site to trigger against this
|
||||||
|
# filter.
|
||||||
|
#
|
||||||
|
# If you'd like to match specific URLs that don't exist see the
|
||||||
|
# apache-botsearch filter.
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# overwrite with apache-common.local if _apache_error_client is incorrect.
|
||||||
|
before = apache-common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl)
|
||||||
|
|
||||||
|
prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)): )?(?:(?:[Ff]ile|script|[Gg]ot) )<F-CONTENT>.+</F-CONTENT>$
|
||||||
|
|
||||||
|
failregex = ^(?:does not exist|not found or unable to stat): <script>\b
|
||||||
|
^'<script>\S*' not found or unable to stat
|
||||||
|
^error '[Pp]rimary script unknown(?:\\n)?'
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
|
||||||
|
#
|
||||||
|
# Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is in httpd-2.2
|
||||||
|
#
|
||||||
|
# Author: Cyril Jaquier
|
|
@ -0,0 +1,40 @@
|
||||||
|
# Fail2Ban filter to block web requests on a long or suspicious nature
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# overwrite with apache-common.local if _apache_error_client is incorrect.
|
||||||
|
before = apache-common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^%(_apache_error_client)s (?:(?:AH0013[456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# [sebres] Because this apache-log could contain very long URLs (and/or referrer),
|
||||||
|
# the parsing of it anchored way may be very vulnerable (at least as regards
|
||||||
|
# the system resources, see gh-1790). Thus rewritten without end-anchor ($).
|
||||||
|
#
|
||||||
|
# fgrep -r 'URI too long' httpd-2.*
|
||||||
|
# httpd-2.2.25/server/protocol.c: "request failed: URI too long (longer than %d)", r->server->limit_req_line);
|
||||||
|
# httpd-2.4.4/server/protocol.c: "request failed: URI too long (longer than %d)",
|
||||||
|
#
|
||||||
|
# fgrep -r 'in request' ../httpd-2.* | fgrep Invalid
|
||||||
|
# httpd-2.2.25/server/core.c: "Invalid URI in request %s", r->the_request);
|
||||||
|
# httpd-2.2.25/server/core.c: "Invalid method in request %s", r->the_request);
|
||||||
|
# httpd-2.2.25/docs/manual/rewrite/flags.html.fr:avertissements 'Invalid URI in request'.
|
||||||
|
# httpd-2.4.4/server/core.c: "Invalid URI in request %s", r->the_request);
|
||||||
|
# httpd-2.4.4/server/core.c: "Invalid method in request %s - possible attempt to establish SSL connection on non-SSL port", r->the_request);
|
||||||
|
# httpd-2.4.4/server/core.c: "Invalid method in request %s", r->the_request);
|
||||||
|
#
|
||||||
|
# fgrep -r 'invalid characters in URI' httpd-2.*
|
||||||
|
# httpd-2.4.4/server/protocol.c: "request failed: invalid characters in URI");
|
||||||
|
#
|
||||||
|
# http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=739382&r2=739620&pathrev=739620
|
||||||
|
# ...possible attempt to establish SSL connection on non-SSL port
|
||||||
|
#
|
||||||
|
# https://wiki.apache.org/httpd/ListOfErrors
|
||||||
|
# Author: Tim Connors
|
|
@ -0,0 +1,19 @@
|
||||||
|
# Fail2Ban Apache pass filter
|
||||||
|
# This filter is for access.log, NOT for error.log
|
||||||
|
#
|
||||||
|
# The knocking request must have a referer.
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^<HOST> - \w+ \[\] "GET <knocking_url> HTTP/1\.[01]" 200 \d+ ".*" "[^-].*"$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = ^[^\[]*\[({DATE})
|
||||||
|
{^LN-BEG}
|
||||||
|
|
||||||
|
[Init]
|
||||||
|
|
||||||
|
knocking_url = /knocking/
|
||||||
|
|
||||||
|
# Author: Viktor Szépe
|
|
@ -0,0 +1,28 @@
|
||||||
|
# Fail2Ban filter to block web requests containing custom headers attempting to exploit the shellshock bug
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# overwrite with apache-common.local if _apache_error_client is incorrect.
|
||||||
|
before = apache-common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
prefregex = ^%(_apache_error_client)s (AH01215: )?/bin/([bd]a)?sh: <F-CONTENT>.+</F-CONTENT>$
|
||||||
|
|
||||||
|
failregex = ^warning: HTTP_[^:]+: ignoring function definition attempt(, referer: \S+)?\s*$
|
||||||
|
^error importing function definition for `HTTP_[^']+'(, referer: \S+)?\s*$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
|
||||||
|
#
|
||||||
|
# example log lines:
|
||||||
|
# [Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt
|
||||||
|
# [Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST'
|
||||||
|
#
|
||||||
|
# Author: Eugene Hopkinson (e.hopkinson@gmail.com)
|
|
@ -0,0 +1,46 @@
|
||||||
|
# Fail2Ban filter for Anti-Spam SMTP Proxy Server (ASSP)
|
||||||
|
# Filter works in theory for both ASSP V1 and V2. Recommended ASSP is V2.5.1 or later.
|
||||||
|
# Support for ASSP V1 ended in 2014 so if you are still running ASSP V1 an immediate upgrade is recommended.
|
||||||
|
#
|
||||||
|
# Homepage: http://sourceforge.net/projects/assp/
|
||||||
|
# ProjectSite: http://sourceforge.net/projects/assp/?source=directory
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
# Note: First three failregex matches below are for ASSP V1 with the remaining being designed for V2. Deleting the V1 regex is recommended but I left it in for compatibility reasons.
|
||||||
|
|
||||||
|
__assp_actions = (?:dropping|refusing)
|
||||||
|
|
||||||
|
failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
|
||||||
|
^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
|
||||||
|
^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
|
||||||
|
^\s*(?:[\w\-]+\s+)*(?:\[\S+\]\s+)*<HOST> (?:\<\S+@\S+\.\S+\> )*(?:to: \S+@\S+\.\S+ )*relay attempt blocked for(?: \(parsing\))?: \S+$
|
||||||
|
^\s*(?:[\w\-]+\s+)*(?:\[\S+\]\s+)*<HOST> \[SMTP Error\] 535 5\.7\.8 Error: authentication failed:\s+(?:\S+|Connection lost to authentication server|Invalid authentication mechanism|Invalid base64 data in continued response)?$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = {^LN-BEG}%%b-%%d-%%Exy %%H:%%M:%%S
|
||||||
|
{^LN-BEG}
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
# V1 Examples matches:
|
||||||
|
# Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
|
||||||
|
# Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
|
||||||
|
# Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded
|
||||||
|
#
|
||||||
|
# V2 Examples matches:
|
||||||
|
# Jul-29-16 16:49:52 m1-25391-06124 [Worker_1] [TLS-out] [RelayAttempt] 0.0.0.0 <user@example.com> to: user@example.org relay attempt blocked for: someone@example.org
|
||||||
|
# Jul-30-16 16:59:42 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
|
||||||
|
# Jul-30-16 00:15:36 m1-52131-09651 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
|
||||||
|
# Jul-31-16 06:45:59 [Worker_1] [TLS-in] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed:
|
||||||
|
# Jan-05-16 08:38:49 m1-01129-09140 [Worker_1] [TLS-in] [TLS-out] [RelayAttempt] 0.0.0.0 <user@example.com> relay attempt blocked for (parsing): <user2@example>
|
||||||
|
# Jun-12-16 16:43:37 m1-64217-12013 [Worker_1] [TLS-in] [TLS-out] [RelayAttempt] 0.0.0.0 <user@example.com> to: user2@example.com relay attempt blocked for (parsing): <a.notheruser69@example.c>
|
||||||
|
# Jan-22-16 22:25:51 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Invalid authentication mechanism
|
||||||
|
# Mar-19-16 13:42:20 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Invalid base64 data in continued response
|
||||||
|
# Jul-18-16 16:54:21 [Worker_2] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Connection lost to authentication server
|
||||||
|
# Jul-18-16 17:14:23 m1-76453-02949 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Connection lost to authentication server
|
||||||
|
|
||||||
|
#
|
||||||
|
# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
|
||||||
|
# V2 Filters: Robert Hardy (rhardy@webcon.ca)
|
|
@ -0,0 +1,55 @@
|
||||||
|
# Fail2Ban filter for asterisk authentication failures
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = asterisk
|
||||||
|
|
||||||
|
__pid_re = (?:\s*\[\d+\])
|
||||||
|
|
||||||
|
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
|
||||||
|
|
||||||
|
# All Asterisk log messages begin like this:
|
||||||
|
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])?:? [^:]+:\d*(?:(?: in)? [^:]+:)?
|
||||||
|
|
||||||
|
prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$
|
||||||
|
|
||||||
|
failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
|
||||||
|
^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
|
||||||
|
^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
|
||||||
|
^No registration for peer '[^']*' \(from <HOST>\)$
|
||||||
|
^hacking attempt detected '<HOST>'$
|
||||||
|
^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/[^/"]+/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
|
||||||
|
^"Rejecting unknown SIP connection from <HOST>(?::\d+)?"$
|
||||||
|
^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
|
||||||
|
|
||||||
|
# FreePBX (todo: make optional in v.0.10):
|
||||||
|
# ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = {^LN-BEG}
|
||||||
|
|
||||||
|
# Author: Xavier Devlamynck / Daniel Black
|
||||||
|
#
|
||||||
|
# General log format - main/logger.c:ast_log
|
||||||
|
# Address format - ast_sockaddr_stringify
|
||||||
|
#
|
||||||
|
# First regex: channels/chan_sip.c
|
||||||
|
#
|
||||||
|
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog
|
||||||
|
|
||||||
|
journalmatch = _SYSTEMD_UNIT=asterisk.service
|
||||||
|
|
||||||
|
|
||||||
|
[lt_journal]
|
||||||
|
|
||||||
|
# asterisk can log timestamp if logs into systemd-journal (optional part matching this timestamp, gh-2383):
|
||||||
|
__extra_timestamp = (?:\[[^\]]+\]\s+)?
|
||||||
|
__prefix_line = %(known/__prefix_line)s%(__extra_timestamp)s
|
|
@ -0,0 +1,6 @@
|
||||||
|
# Fail2Ban filter for Bitwarden
|
||||||
|
# Detecting failed login attempts
|
||||||
|
# Logged in bwdata/logs/identity/Identity/log.txt
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
failregex = ^\s*\[WRN\]\s+Failed login attempt(?:, 2FA invalid)?\. <HOST>$
|
|
@ -0,0 +1,19 @@
|
||||||
|
# Generic configuration file for -botsearch filters
|
||||||
|
|
||||||
|
[Init]
|
||||||
|
|
||||||
|
# Block is the actual non-found directories to block
|
||||||
|
block = \/?(<webmail>|<phpmyadmin>|<wordpress>|cgi-bin|mysqladmin)[^,]*
|
||||||
|
|
||||||
|
# These are just convenient definitions that assist the blocking of stuff that
|
||||||
|
# isn't installed
|
||||||
|
webmail = roundcube|(ext)?mail|horde|(v-?)?webmail
|
||||||
|
|
||||||
|
phpmyadmin = (typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin)
|
||||||
|
|
||||||
|
wordpress = wp-(login|signup|admin)\.php
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
# Taken from apache-botsearch filter
|
||||||
|
#
|
||||||
|
# Author: Frantisek Sumsal
|
|
@ -0,0 +1,9 @@
|
||||||
|
# Fail2Ban filter for Centreon Web
|
||||||
|
# Detecting unauthorized access to the Centreon Web portal
|
||||||
|
# typically logged in /var/log/centreon/login.log
|
||||||
|
|
||||||
|
[Init]
|
||||||
|
datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
failregex = ^(?:\|-?\d+){3}\|\[[^\]]*\] \[<HOST>\] Authentication failed for '<F-USER>[^']+</F-USER>'
|
|
@ -0,0 +1,89 @@
|
||||||
|
# Generic configuration items (to be used as interpolations) in other
|
||||||
|
# filters or actions configurations
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Load customizations if any available
|
||||||
|
after = common.local
|
||||||
|
|
||||||
|
|
||||||
|
[DEFAULT]
|
||||||
|
|
||||||
|
# Type of log-file resp. log-format (file, short, journal, rfc542):
|
||||||
|
logtype = file
|
||||||
|
|
||||||
|
# Daemon definition is to be specialized (if needed) in .conf file
|
||||||
|
_daemon = \S*
|
||||||
|
|
||||||
|
#
|
||||||
|
# Shortcuts for easier comprehension of the failregex
|
||||||
|
#
|
||||||
|
# PID.
|
||||||
|
# EXAMPLES: [123]
|
||||||
|
__pid_re = (?:\[\d+\])
|
||||||
|
|
||||||
|
# Daemon name (with optional source_file:line or whatever)
|
||||||
|
# EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix)
|
||||||
|
__daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:?
|
||||||
|
|
||||||
|
# extra daemon info
|
||||||
|
# EXAMPLE: [ID 800047 auth.info]
|
||||||
|
__daemon_extra_re = \[ID \d+ \S+\]
|
||||||
|
|
||||||
|
# Combinations of daemon name and PID
|
||||||
|
# EXAMPLES: sshd[31607], pop(pam_unix)[4920]
|
||||||
|
__daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?)
|
||||||
|
|
||||||
|
# Some messages have a kernel prefix with a timestamp
|
||||||
|
# EXAMPLES: kernel: [769570.846956]
|
||||||
|
__kernel_prefix = kernel:\s?\[ *\d+\.\d+\]:?
|
||||||
|
|
||||||
|
__hostname = \S+
|
||||||
|
|
||||||
|
# A MD5 hex
|
||||||
|
# EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f
|
||||||
|
__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
|
||||||
|
|
||||||
|
# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
|
||||||
|
# <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
|
||||||
|
__bsd_syslog_verbose = <[^.]+\.[^.]+>
|
||||||
|
|
||||||
|
__vserver = @vserver_\S+
|
||||||
|
|
||||||
|
__date_ambit = (?:\[\])
|
||||||
|
|
||||||
|
# Common line prefixes (beginnings) which could be used in filters
|
||||||
|
#
|
||||||
|
# [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
|
||||||
|
#
|
||||||
|
# This can be optional (for instance if we match named native log files)
|
||||||
|
__prefix_line = <lt_<logtype>/__prefix_line>
|
||||||
|
|
||||||
|
# PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss,
|
||||||
|
# pam_ldap
|
||||||
|
__pam_auth = pam_unix
|
||||||
|
|
||||||
|
# standardly all formats using prefix have line-begin anchored date:
|
||||||
|
datepattern = <lt_<logtype>/datepattern>
|
||||||
|
|
||||||
|
[lt_file]
|
||||||
|
# Common line prefixes for logtype "file":
|
||||||
|
__prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)?(?:%(__daemon_combs_re)s\s+)?(?:%(__daemon_extra_re)s\s+)?
|
||||||
|
datepattern = {^LN-BEG}
|
||||||
|
|
||||||
|
[lt_short]
|
||||||
|
# Common (short) line prefix for logtype "journal" (corresponds output of formatJournalEntry):
|
||||||
|
__prefix_line = \s*(?:%(__hostname)s\s+)?(?:%(_daemon)s%(__pid_re)s?:?\s+)?(?:%(__kernel_prefix)s\s+)?
|
||||||
|
datepattern = %(lt_file/datepattern)s
|
||||||
|
[lt_journal]
|
||||||
|
__prefix_line = %(lt_short/__prefix_line)s
|
||||||
|
datepattern = %(lt_short/datepattern)s
|
||||||
|
|
||||||
|
[lt_rfc5424]
|
||||||
|
# RFC 5424 log-format, see gh-2309:
|
||||||
|
#__prefix_line = \s*<__hostname> <__daemon_re> \d+ \S+ \S+\s+
|
||||||
|
__prefix_line = \s*<__hostname> <__daemon_re> \d+ \S+ (?:[^\[\]\s]+|(?:\[(?:[^\]"]*|"[^"]*")*\])+)\s+
|
||||||
|
datepattern = ^<\d+>\d+\s+{DATE}
|
||||||
|
|
||||||
|
# Author: Yaroslav Halchenko, Sergey G. Brester (aka sebres)
|
|
@ -0,0 +1,15 @@
|
||||||
|
# Fail2Ban filter for failure attempts in Counter Strike-1.6
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^: Bad Rcon: "rcon \d+ "\S+" sv_contact ".*?"" from "<HOST>:\d+"$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = ^L %%d/%%m/%%Y - %%H:%%M:%%S
|
||||||
|
|
||||||
|
|
||||||
|
# Author: Daniel Black
|
||||||
|
|
|
@ -0,0 +1,21 @@
|
||||||
|
# Fail2Ban filter for courier authentication failures
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\]$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = {^LN-BEG}
|
||||||
|
|
||||||
|
# Author: Christoph Haas
|
||||||
|
# Modified by: Cyril Jaquier
|
|
@ -0,0 +1,22 @@
|
||||||
|
# Fail2Ban filter to block relay attempts though a Courier smtp server
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = courieresmtpd
|
||||||
|
|
||||||
|
prefregex = ^%(__prefix_line)serror,relay=<HOST>,<F-CONTENT>.+</F-CONTENT>$
|
||||||
|
|
||||||
|
failregex = ^[^:]*: 550 User (<.*> )?unknown\.?$
|
||||||
|
^msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?(?: \S+)$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# Author: Cyril Jaquier
|
|
@ -0,0 +1,20 @@
|
||||||
|
# Fail2Ban filter for authentication failures on Cyrus imap server
|
||||||
|
#
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = (?:cyrus/)?(?:imap(d|s)?|pop3(d|s)?)
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)sbadlogin: [^\[]*\[<HOST>\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# Author: Jan Wagner <waja@cyconet.org>
|
|
@ -0,0 +1,22 @@
|
||||||
|
# Fail2Ban configuration file for Directadmin
|
||||||
|
#
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^: \'<HOST>\' \d{1,3} failed login attempt(s)?. \s*
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = ^%%Y:%%m:%%d-%%H:%%M:%%S
|
||||||
|
|
||||||
|
#
|
||||||
|
# Requires Directadmin v1.45.3 or higher. http://www.directadmin.com/features.php?id=1590
|
||||||
|
#
|
||||||
|
# Author: Cyril Roos
|
||||||
|
|
|
@ -0,0 +1,50 @@
|
||||||
|
# Fail2Ban configuration file for IBM Domino SMTP Server TASK to detect failed login attempts
|
||||||
|
#
|
||||||
|
# Author: Christian Brandlehner
|
||||||
|
#
|
||||||
|
# $Revision: 003 $
|
||||||
|
#
|
||||||
|
# Configuration:
|
||||||
|
# Set the following Domino Server parameters in notes.ini:
|
||||||
|
# console_log_enabled=1
|
||||||
|
# log_sessions=2
|
||||||
|
# You also have to use a date and time format supported by fail2ban. Recommended notes.ini configuration is:
|
||||||
|
# DateOrder=DMY
|
||||||
|
# DateSeparator=-
|
||||||
|
# ClockType=24_Hour
|
||||||
|
# TimeSeparator=:
|
||||||
|
#
|
||||||
|
# Depending on your locale you might have to tweak the date and time format so fail2ban can read the log
|
||||||
|
|
||||||
|
#[INCLUDES]
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
#before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
# Option: failregex
|
||||||
|
# Notes.: regex to match the password failure messages in the logfile. The
|
||||||
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
|
# (?:::f{4,6}:)?(?P<host>\S+)
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
# Sample log entries (used different time formats and an extra sample with process info in front of date)
|
||||||
|
# 01-23-2009 19:54:51 SMTP Server: Authentication failed for user postmaster ; connecting host 1.2.3.4
|
||||||
|
# [28325:00010-3735542592] 22-06-2014 09:56:12 smtp: postmaster [1.2.3.4] authentication failure using internet password
|
||||||
|
# 08-09-2014 06:14:27 smtp: postmaster [1.2.3.4] authentication failure using internet password
|
||||||
|
# 08-09-2014 06:14:27 SMTP Server: Authentication failed for user postmaster ; connecting host 1.2.3.4
|
||||||
|
|
||||||
|
__prefix = (?:\[[^\]]+\])?\s*
|
||||||
|
__opt_data = (?::|\s+\[[^\]]+\])
|
||||||
|
failregex = ^%(__prefix)sSMTP Server%(__opt_data)s Authentication failed for user .*? \; connecting host \[?<HOST>\]?$
|
||||||
|
^%(__prefix)ssmtp: (?:[^\[]+ )*\[?<HOST>\]? authentication failure using internet password\s*$
|
||||||
|
^%(__prefix)sSMTP Server%(__opt_data)s Connection from \[?<HOST>\]? rejected for policy reasons\.
|
||||||
|
|
||||||
|
# Option: ignoreregex
|
||||||
|
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
|
@ -0,0 +1,47 @@
|
||||||
|
# Fail2Ban filter Dovecot authentication and pop3/imap server
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_auth_worker = (?:dovecot: )?auth(?:-worker)?
|
||||||
|
_daemon = (?:dovecot(?:-auth)?|auth)
|
||||||
|
|
||||||
|
prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$
|
||||||
|
|
||||||
|
failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
|
||||||
|
^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
|
||||||
|
^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
|
||||||
|
^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)\s*$
|
||||||
|
<mdre-<mode>>
|
||||||
|
|
||||||
|
mdre-aggressive = ^(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
|
||||||
|
|
||||||
|
mdre-normal =
|
||||||
|
|
||||||
|
# Parameter `mode` - `normal` or `aggressive`.
|
||||||
|
# Aggressive mode can be used to match log-entries like:
|
||||||
|
# 'no auth attempts', 'disconnected before auth was ready', 'client didn't finish SASL auth'.
|
||||||
|
# Note it may produce lots of false positives on misconfigured MTAs.
|
||||||
|
# Ex.:
|
||||||
|
# filter = dovecot[mode=aggressive]
|
||||||
|
mode = normal
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
journalmatch = _SYSTEMD_UNIT=dovecot.service
|
||||||
|
|
||||||
|
datepattern = {^LN-BEG}TAI64N
|
||||||
|
{^LN-BEG}
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
# * the first regex is essentially a copy of pam-generic.conf
|
||||||
|
# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
|
||||||
|
#
|
||||||
|
# Author: Martin Waschbuesch
|
||||||
|
# Daniel Black (rewrote with begin and end anchors)
|
||||||
|
# Martin O'Neal (added LDAP authentication failure regex)
|
||||||
|
# Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)
|
|
@ -0,0 +1,50 @@
|
||||||
|
# Fail2Ban filter for dropbear
|
||||||
|
#
|
||||||
|
# NOTE: The regex below is ONLY intended to work with a patched
|
||||||
|
# version of Dropbear as described here:
|
||||||
|
# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
|
||||||
|
# ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
|
||||||
|
#
|
||||||
|
# The standard Dropbear output doesn't provide enough information to
|
||||||
|
# ban all types of attack. The Dropbear patch adds IP address
|
||||||
|
# information to the 'exit before auth' message which is always
|
||||||
|
# produced for any form of non-successful login. It is that message
|
||||||
|
# which this file matches.
|
||||||
|
#
|
||||||
|
# More information: http://bugs.debian.org/546913
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = dropbear
|
||||||
|
|
||||||
|
prefregex = ^%(__prefix_line)s<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$
|
||||||
|
|
||||||
|
failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
|
||||||
|
^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
|
||||||
|
^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# The first two regexs here match the unmodified dropbear messages. It isn't
|
||||||
|
# possible to match the source of the 'exit before auth' messages from dropbear
|
||||||
|
# as they don't include the "from <HOST>" bit.
|
||||||
|
#
|
||||||
|
# The second last failregex line we need to match with the modified dropbear.
|
||||||
|
#
|
||||||
|
# For the second regex the following apply:
|
||||||
|
#
|
||||||
|
# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
|
||||||
|
# http://svn.dd-wrt.com/changeset/16642#file64
|
||||||
|
#
|
||||||
|
# http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c
|
||||||
|
#
|
||||||
|
# Author: Francis Russell
|
||||||
|
# Zak B. Elep
|
|
@ -0,0 +1,26 @@
|
||||||
|
# Fail2Ban filter to block repeated failed login attempts to Drupal site(s)
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Drupal must be setup to use Syslog, which defaults to the following format:
|
||||||
|
#
|
||||||
|
# !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)s(https?:\/\/)([\da-z\.-]+)\.([a-z\.]{2,6})(\/[\w\.-]+)*\|\d{10}\|user\|<HOST>\|.+\|.+\|\d\|.*\|Login attempt failed for .+\.$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# https://www.drupal.org/documentation/modules/syslog
|
||||||
|
#
|
||||||
|
# Author: Lee Clemens
|
|
@ -0,0 +1,40 @@
|
||||||
|
# Fail2Ban configuration file
|
||||||
|
#
|
||||||
|
# Author: Steven Hiscocks
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
# Option: failregex
|
||||||
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
|
# Multiline regexs should use tag "<SKIPLINES>" to separate lines.
|
||||||
|
# This allows lines between the matching lines to continue to be
|
||||||
|
# searched for other failures. This tag can be used multiple times.
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
failregex = ^=INFO REPORT==== ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for \S+ from (?:IP )?<HOST>(?: \({{(?:\d+,){3}\d+},\d+}\))?$
|
||||||
|
^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:\w+:\d+ \([^\)]+\) Failed (?:c2s \w+ )?authentication for \S+ from (?:IP )?(?:::FFFF:)?<HOST>(?:: |$)
|
||||||
|
|
||||||
|
# Option: ignoreregex
|
||||||
|
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# "maxlines" is number of log lines to buffer for multi-line regex searches
|
||||||
|
maxlines = 2
|
||||||
|
|
||||||
|
# Option: journalmatch
|
||||||
|
# Notes.: systemd journalctl style match filter for journal based backend
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
journalmatch =
|
||||||
|
|
||||||
|
#datepattern = ^(?:=[^=]+={3,} )?({DATE})
|
||||||
|
# explicit time format using prefix =...==== and no date in second string begins with I(...)...
|
||||||
|
datepattern = ^(?:=[^=]+={3,} )?(%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?)
|
||||||
|
^I\(()**
|
|
@ -0,0 +1,20 @@
|
||||||
|
# Fail2Ban filter file for common exim expressions
|
||||||
|
#
|
||||||
|
# This is to be used by other exim filters
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Load customizations if any available
|
||||||
|
after = exim-common.local
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
host_info_pre = (?:H=([\w.-]+ )?(?:\(\S+\) )?)?
|
||||||
|
host_info_suf = (?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?\s
|
||||||
|
host_info = %(host_info_pre)s\[<HOST>\]%(host_info_suf)s
|
||||||
|
pid = (?: \[\d+\])?
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
# From exim source code: ./src/receive.c:add_host_info_for_log
|
||||||
|
#
|
||||||
|
# Author: Daniel Black
|
|
@ -0,0 +1,50 @@
|
||||||
|
# Fail2Ban filter for exim the spam rejection messages
|
||||||
|
#
|
||||||
|
# Honeypot traps are very useful for fighting spam. You just activate an email
|
||||||
|
# address on your domain that you do not intend to use at all, and that normal
|
||||||
|
# people do not risk to try for contacting you. It may be something that
|
||||||
|
# spammers often test. You can also hide the address on a web page to be picked
|
||||||
|
# by spam spiders. Or simply parse your mail logs for an invalid address
|
||||||
|
# already being frequently targeted by spammers. Enable the address and
|
||||||
|
# redirect it to the blackhole. In Exim's alias file, you would add the
|
||||||
|
# following line (assuming the address is honeypot@yourdomain.com):
|
||||||
|
#
|
||||||
|
# honeypot: :blackhole:
|
||||||
|
#
|
||||||
|
# For the SA: Action: silently tossed message... to be logged exim's SAdevnull option needs to be used.
|
||||||
|
#
|
||||||
|
# To this filter use the jail.local should contain in the right jail:
|
||||||
|
#
|
||||||
|
# filter = exim-spam[honeypot=honeypot@yourdomain.com]
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# exim-common.local
|
||||||
|
before = exim-common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
|
||||||
|
^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$
|
||||||
|
^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$
|
||||||
|
^%(pid)s \S+ SA: Action: flagged as Spam but accepted: score=\d+\.\d+ required=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=\S+ \[<HOST>\]\) for <honeypot>$
|
||||||
|
^%(pid)s \S+ SA: Action: silently tossed message: score=\d+\.\d+ required=\d+\.\d+ trigger=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=(\S+ )?\[<HOST>\]\) for \S+$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
[Init]
|
||||||
|
|
||||||
|
# Option: honeypot
|
||||||
|
# Notes.: honeypot is an email address that isn't published anywhere that a
|
||||||
|
# legitimate email sender would send email too.
|
||||||
|
# Values: email address
|
||||||
|
|
||||||
|
honeypot = trap@example.com
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
# The %(host_info) defination contains a <HOST> match
|
||||||
|
#
|
||||||
|
# Author: Cyril Jaquier
|
||||||
|
# Daniel Black (rewrote with strong regexs)
|
|
@ -0,0 +1,54 @@
|
||||||
|
# Fail2Ban filter for exim
|
||||||
|
#
|
||||||
|
# This includes the rejection messages of exim. For spam and filter
|
||||||
|
# related bans use the exim-spam.conf
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# exim-common.local
|
||||||
|
before = exim-common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
# Fre-filter via "prefregex" is currently inactive because of too different failure syntax in exim-log (testing needed):
|
||||||
|
#prefregex = ^%(pid)s <F-CONTENT>\b(?:\w+ authenticator failed|([\w\-]+ )?SMTP (?:(?:call|connection) from|protocol(?: synchronization)? error)|no MAIL in|(?:%(host_info_pre)s\[[^\]]+\]%(host_info_suf)s(?:sender verify fail|rejected RCPT|dropped|AUTH command))).+</F-CONTENT>$
|
||||||
|
|
||||||
|
failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
|
||||||
|
^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
|
||||||
|
^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
|
||||||
|
^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
|
||||||
|
^%(pid)s SMTP call from (?:[^\[\( ]* )?%(host_info)sdropped: too many (?:nonmail commands|syntax or protocol errors) \(last (?:command )?was "[^"]*"\)\s*$
|
||||||
|
^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH command used when not advertised\s*$
|
||||||
|
^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
|
||||||
|
^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
|
||||||
|
<mdre-<mode>>
|
||||||
|
|
||||||
|
mdre-aggressive = ^%(pid)s no host name found for IP address <HOST>$
|
||||||
|
^%(pid)s no IP address found for host \S+ \(during SMTP connection from \[<HOST>\]\)$
|
||||||
|
|
||||||
|
mdre-normal =
|
||||||
|
|
||||||
|
# Parameter `mode` - `normal` or `aggressive`.
|
||||||
|
# Aggressive mode can be used to match flood and ddos-similar log-entries like:
|
||||||
|
# 'no host found for IP', 'no IP found for host'.
|
||||||
|
# Note this is not an authentication failures, so it may produce lots of false
|
||||||
|
# positives on misconfigured MTAs.
|
||||||
|
# Ex.:
|
||||||
|
# filter = exim[mode=aggressive]
|
||||||
|
mode = normal
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
# The %(host_info) defination contains a <HOST> match
|
||||||
|
#
|
||||||
|
# SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy
|
||||||
|
# to void capture beyond ")" to avoid a DoS Injection vulnerabilty as input= is
|
||||||
|
# user injectable data.
|
||||||
|
#
|
||||||
|
# Author: Cyril Jaquier
|
||||||
|
# Daniel Black (rewrote with strong regexs)
|
||||||
|
# Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)
|
|
@ -0,0 +1,58 @@
|
||||||
|
# Fail2Ban configuration file
|
||||||
|
#
|
||||||
|
# Enable "log-auth-failures" on each Sofia profile to monitor
|
||||||
|
# <param name="log-auth-failures" value="true"/>
|
||||||
|
# -- this requires a high enough loglevel on your logs to save these messages.
|
||||||
|
#
|
||||||
|
# In the fail2ban jail.local file for this filter set ignoreip to the internal
|
||||||
|
# IP addresses on your LAN.
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = freeswitch
|
||||||
|
|
||||||
|
# Parameter "mode": normal, ddos or extra (default, combines all)
|
||||||
|
# Usage example (for jail.local):
|
||||||
|
# [freeswitch]
|
||||||
|
# mode = normal
|
||||||
|
# # or with rewrite filter parameters of jail:
|
||||||
|
# [freeswitch-ddos]
|
||||||
|
# filter = freeswitch[mode=ddos]
|
||||||
|
#
|
||||||
|
mode = extra
|
||||||
|
|
||||||
|
# Prefix contains common prefix line (server, daemon, etc.) and 2 datetimes if used systemd backend
|
||||||
|
_pref_line = ^%(__prefix_line)s(?:(?:\d+-)?\d+-\d+ \d+:\d+:\d+\.\d+)?
|
||||||
|
|
||||||
|
prefregex = ^%(_pref_line)s \[WARN(?:ING)?\](?: \[SOFIA\])? \[?sofia_reg\.c:\d+\]? <F-CONTENT>.+</F-CONTENT>$
|
||||||
|
|
||||||
|
cmnfailre = ^Can't find user \[[^@]+@[^\]]+\] from <HOST>$
|
||||||
|
|
||||||
|
mdre-normal = %(cmnfailre)s
|
||||||
|
^SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
|
||||||
|
|
||||||
|
mdre-ddos = ^SIP auth (?:failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
|
||||||
|
|
||||||
|
mdre-extra = %(cmnfailre)s
|
||||||
|
<mdre-ddos>
|
||||||
|
|
||||||
|
failregex = <mdre-<mode>>
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = ^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?
|
||||||
|
{^LN-BEG}
|
||||||
|
|
||||||
|
# Author: Rupa SChomaker, soapee01, Daniel Black, Sergey Brester aka sebres
|
||||||
|
# https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban
|
||||||
|
# Thanks to Jim on mailing list of samples and guidance
|
||||||
|
#
|
||||||
|
# No need to match the following. Its a duplicate of the SIP auth regex.
|
||||||
|
# ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$
|
|
@ -0,0 +1,40 @@
|
||||||
|
# Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s)
|
||||||
|
#
|
||||||
|
# Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages
|
||||||
|
# <syslog prefix> Froxlor: [Login Action <HOST>] Unknown user '<USER>' tried to login.
|
||||||
|
# <syslog prefix> Froxlor: [Login Action <HOST>] User '<USER>' tried to login with wrong password.
|
||||||
|
#
|
||||||
|
# Author: Joern Muehlencord
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = Froxlor
|
||||||
|
|
||||||
|
# Option: failregex
|
||||||
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
|
||||||
|
prefregex = ^%(__prefix_line)s\[Login Action <HOST>\] <F-CONTENT>.+</F-CONTENT>$
|
||||||
|
|
||||||
|
failregex = ^Unknown user \S* tried to login.$
|
||||||
|
^User \S* tried to login with wrong password.$
|
||||||
|
|
||||||
|
|
||||||
|
# Option: ignoreregex
|
||||||
|
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
ignoreregex =
|
||||||
|
|
|
@ -0,0 +1,14 @@
|
||||||
|
# Fail2Ban filter for Group-Office
|
||||||
|
#
|
||||||
|
# Enable logging with:
|
||||||
|
# $config['info_log']='/home/groupoffice/log/info.log';
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^\[\]LOGIN FAILED for user: "\S+" from IP: <HOST>$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# Author: Daniel Black
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
# Fail2Ban filter file for gssftp
|
||||||
|
#
|
||||||
|
# Note: gssftp is part of the krb5-appl-servers in Fedora
|
||||||
|
#
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = ftpd
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)srepeated login failures from <HOST> \(\S+\)$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# Author: Kevin Zembower
|
||||||
|
# Edited: Daniel Black - syslog based daemon
|
|
@ -0,0 +1,25 @@
|
||||||
|
# Fail2Ban configuration file for guacamole
|
||||||
|
#
|
||||||
|
# Author: Steven Hiscocks
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
# Option: failregex
|
||||||
|
# Notes.: regex to match the password failures messages in the logfile.
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
|
||||||
|
|
||||||
|
# Option: ignoreregex
|
||||||
|
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# "maxlines" is number of log lines to buffer for multi-line regex searches
|
||||||
|
maxlines = 2
|
||||||
|
|
||||||
|
datepattern = ^%%b %%d, %%ExY %%I:%%M:%%S %%p
|
||||||
|
^WARNING:()**
|
||||||
|
{^LN-BEG}
|
|
@ -0,0 +1,37 @@
|
||||||
|
# Fail2Ban filter configuration file to match failed login attempts to
|
||||||
|
# HAProxy HTTP Authentication protected servers.
|
||||||
|
#
|
||||||
|
# PLEASE NOTE - When a user first hits the HTTP Auth a 401 is returned by the server
|
||||||
|
# which prompts their browser to ask for login details.
|
||||||
|
# This initial 401 is logged by HAProxy.
|
||||||
|
# In other words, even successful logins will have at least 1 fail regex match.
|
||||||
|
# Please keep this in mind when setting findtime and maxretry for jails.
|
||||||
|
#
|
||||||
|
# Author: Jordan Moeser
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = haproxy
|
||||||
|
|
||||||
|
# Option: failregex
|
||||||
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
failregex = ^%(__prefix_line)s<HOST>(?::\d+)?\s+.*<NOSRV> -1/-1/-1/-1/\+*\d* 401
|
||||||
|
|
||||||
|
# Option: ignoreregex
|
||||||
|
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
ignoreregex =
|
|
@ -0,0 +1,16 @@
|
||||||
|
# fail2ban filter configuration for horde
|
||||||
|
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
|
||||||
|
failregex = ^ HORDE \[error\] \[(horde|imp)\] FAILED LOGIN for \S+ \[<HOST>\](\(forwarded for \[\S+\]\))? to (Horde|{[^}]+}) \[(pid \d+ )?on line \d+ of \S+\]$
|
||||||
|
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV NOTES:
|
||||||
|
# https://github.com/horde/horde/blob/master/imp/lib/Auth.php#L132
|
||||||
|
# https://github.com/horde/horde/blob/master/horde/login.php
|
||||||
|
#
|
||||||
|
# Author: Daniel Black
|
|
@ -0,0 +1,38 @@
|
||||||
|
#!/usr/bin/env fail2ban-python
|
||||||
|
# Inspired by https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/
|
||||||
|
#
|
||||||
|
# Written in Python to reuse built-in Python batteries and not depend on
|
||||||
|
# presence of host and cut commands
|
||||||
|
#
|
||||||
|
import sys
|
||||||
|
from fail2ban.server.ipdns import DNSUtils, IPAddr
|
||||||
|
|
||||||
|
def process_args(argv):
|
||||||
|
if len(argv) != 2:
|
||||||
|
raise ValueError("Please provide a single IP as an argument. Got: %s\n"
|
||||||
|
% (argv[1:]))
|
||||||
|
ip = argv[1]
|
||||||
|
|
||||||
|
if not IPAddr(ip).isValid:
|
||||||
|
raise ValueError("Argument must be a single valid IP. Got: %s\n"
|
||||||
|
% ip)
|
||||||
|
return ip
|
||||||
|
|
||||||
|
google_ips = None
|
||||||
|
|
||||||
|
def is_googlebot(ip):
|
||||||
|
import re
|
||||||
|
|
||||||
|
host = DNSUtils.ipToName(ip)
|
||||||
|
if not host or not re.match(r'.*\.google(bot)?\.com$', host):
|
||||||
|
return False
|
||||||
|
host_ips = DNSUtils.dnsToIp(host)
|
||||||
|
return (ip in host_ips)
|
||||||
|
|
||||||
|
if __name__ == '__main__': # pragma: no cover
|
||||||
|
try:
|
||||||
|
ret = is_googlebot(process_args(sys.argv))
|
||||||
|
except ValueError as e:
|
||||||
|
sys.stderr.write(str(e))
|
||||||
|
sys.exit(2)
|
||||||
|
sys.exit(0 if ret else 1)
|
|
@ -0,0 +1,24 @@
|
||||||
|
# Fail2ban filter for kerio
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^ SMTP Spam attack detected from <HOST>,
|
||||||
|
^ IP address <HOST> found in DNS blacklist
|
||||||
|
^ Relay attempt from IP address <HOST>
|
||||||
|
^ Attempt to deliver to unknown recipient \S+, from \S+, IP address <HOST>$
|
||||||
|
^ Failed SMTP login from <HOST>
|
||||||
|
^ SMTP: User \S+ doesn't exist. Attempt from IP address <HOST>
|
||||||
|
^ Client with IP address <HOST> has no reverse DNS entry, connection rejected before SMTP greeting$
|
||||||
|
^ Administration login into Web Administration from <HOST> failed: IP address not allowed$
|
||||||
|
^ Message from IP address <HOST>, sender \S+ rejected: sender domain does not exist$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = ^\[%%d/%%b/%%Y %%H:%%M:%%S\]
|
||||||
|
|
||||||
|
# DEV NOTES:
|
||||||
|
#
|
||||||
|
# Author: A.P. Lawrence
|
||||||
|
# Updated by: M. Bischoff <https://github.com/herrbischoff>
|
||||||
|
#
|
||||||
|
# Based off: http://aplawrence.com/Kerio/fail2ban.html
|
|
@ -0,0 +1,10 @@
|
||||||
|
# Fail2Ban filter to match wrong passwords as notified by lighttpd's auth Module
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^: \((?:http|mod)_auth\.c\.\d+\) (?:password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: <HOST>\s*$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# Author: Francois Boulogne <fboulogne@april.org>
|
|
@ -0,0 +1,49 @@
|
||||||
|
# Fail2Ban filter for unsuccesfull MongoDB authentication attempts
|
||||||
|
#
|
||||||
|
# Logfile /var/log/mongodb/mongodb.log
|
||||||
|
#
|
||||||
|
# add setting in /etc/mongodb.conf
|
||||||
|
# logpath=/var/log/mongodb/mongodb.log
|
||||||
|
#
|
||||||
|
# and use of the authentication
|
||||||
|
# auth = true
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
#failregex = ^\s+\[initandlisten\] connection accepted from <HOST>:\d+ \#(?P<__connid>\d+) \(1 connection now open\)<SKIPLINES>\s+\[conn(?P=__connid)\] Failed to authenticate\s+
|
||||||
|
failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]+<SKIPLINES>\s+\[conn(?P=__connid)\] end connection <HOST>
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
|
||||||
|
[Init]
|
||||||
|
maxlines = 10
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# Regarding the multiline regex:
|
||||||
|
#
|
||||||
|
# There can be a nunber of non-related lines between the first and second part
|
||||||
|
# of this regex maxlines of 10 is quite generious.
|
||||||
|
#
|
||||||
|
# Note the capture __connid, includes the connection ID, used in second part of regex.
|
||||||
|
#
|
||||||
|
# The first regex is commented out (but will match also), because it is better to use
|
||||||
|
# the host from "end connection" line (uncommented above):
|
||||||
|
# - it has the same prefix, searching begins directly with failure message
|
||||||
|
# (so faster, because ignores success connections at all)
|
||||||
|
# - it is not so vulnerable in case of possible race condition
|
||||||
|
#
|
||||||
|
# Log example:
|
||||||
|
# 2016-10-20T09:54:27.108+0200 [initandlisten] connection accepted from 127.0.0.1:53276 #1 (1 connection now open)
|
||||||
|
# 2016-10-20T09:54:27.109+0200 [conn1] authenticate db: test { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
|
||||||
|
# 2016-10-20T09:54:27.110+0200 [conn1] Failed to authenticate root@test with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@test
|
||||||
|
# 2016-11-09T09:54:27.894+0100 [conn1] end connection 127.0.0.1:53276 (0 connections now open)
|
||||||
|
# 2016-11-09T11:55:58.890+0100 [initandlisten] connection accepted from 127.0.0.1:54266 #1510 (1 connection now open)
|
||||||
|
# 2016-11-09T11:55:58.892+0100 [conn1510] authenticate db: admin { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
|
||||||
|
# 2016-11-09T11:55:58.892+0100 [conn1510] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch
|
||||||
|
# 2016-11-09T11:55:58.894+0100 [conn1510] end connection 127.0.0.1:54266 (0 connections now open)
|
||||||
|
#
|
||||||
|
# Authors: Alexander Finkhäuser
|
||||||
|
# Sergey G. Brester (sebres)
|
||||||
|
|
|
@ -0,0 +1,21 @@
|
||||||
|
# Fail2Ban filter for monit.conf, looks for failed access attempts
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = monit
|
||||||
|
|
||||||
|
# Regexp for previous (accessing monit httpd) and new (access denied) versions
|
||||||
|
failregex = ^\[\s*\]\s*error\s*:\s*Warning:\s+Client '<HOST>' supplied (?:unknown user '[^']+'|wrong password for user '[^']*') accessing monit httpd$
|
||||||
|
^%(__prefix_line)s\w+: access denied -- client <HOST>: (?:unknown user '[^']+'|wrong password for user '[^']*'|empty password)$
|
||||||
|
|
||||||
|
# Ignore login with empty user (first connect, no user specified)
|
||||||
|
# ignoreregex = %(__prefix_line)s\w+: access denied -- client <HOST>: (?:unknown user '')
|
||||||
|
ignoreregex =
|
|
@ -0,0 +1,34 @@
|
||||||
|
# Fail2Ban filter for murmur/mumble-server
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = murmurd
|
||||||
|
|
||||||
|
# N.B. If you allow users to have usernames that include the '>' character you
|
||||||
|
# should change this to match the regex assigned to the 'username'
|
||||||
|
# variable in your server config file (murmur.ini / mumble-server.ini).
|
||||||
|
_usernameregex = [^>]+
|
||||||
|
|
||||||
|
# Prefix for systemd-journal (with second date-pattern as optional match):
|
||||||
|
#
|
||||||
|
__prefix_journal = (?:\S+\s+%(_daemon)s\[\d+\]:(?:\s+\<W\>[\d\-]+ [\d:]+.\d+)?)
|
||||||
|
|
||||||
|
__prefix_line = %(__prefix_journal)s?
|
||||||
|
|
||||||
|
_prefix = %(__prefix_line)s\s+\d+ => <\d+:%(_usernameregex)s\(-1\)> Rejected connection from <HOST>:\d+:
|
||||||
|
|
||||||
|
prefregex = ^%(_prefix)s <F-CONTENT>.+</F-CONTENT>$
|
||||||
|
|
||||||
|
failregex = ^Invalid server password$
|
||||||
|
^Wrong certificate or password for existing user$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = ^<W>{DATE}
|
||||||
|
|
||||||
|
journalmatch = _SYSTEMD_UNIT=murmurd.service + _COMM=murmurd
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# Author: Ross Brown
|
|
@ -0,0 +1,32 @@
|
||||||
|
# Fail2Ban filter for unsuccesful MySQL authentication attempts
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]:
|
||||||
|
# log-error=/var/log/mysqld.log
|
||||||
|
# log-warnings = 2
|
||||||
|
#
|
||||||
|
# If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = mysqld
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)s(?:(?:\d{6}|\d{4}-\d{2}-\d{2})[ T]\s?\d{1,2}:\d{2}:\d{2} )?(?:\d+ )?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^']+'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# Technically __prefix_line can equate to an empty string hence it can support
|
||||||
|
# syslog and non-syslog at once.
|
||||||
|
# Example:
|
||||||
|
# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
|
||||||
|
#
|
||||||
|
# Authors: Artur Penttinen
|
||||||
|
# Yaroslav O. Halchenko
|
|
@ -0,0 +1,17 @@
|
||||||
|
# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2)
|
||||||
|
# Detecting unauthorized access to the nrpe2 daemon
|
||||||
|
# typically logged in /var/log/messages syslog
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
# Read syslog common prefixes
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
_daemon = nrpe
|
||||||
|
failregex = ^%(__prefix_line)sHost <HOST> is not allowed to talk to us!\s*$
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# Author: Ivo Truxa - 2014/02/03
|
|
@ -0,0 +1,50 @@
|
||||||
|
# Fail2Ban filter file for named (bind9).
|
||||||
|
#
|
||||||
|
|
||||||
|
# This filter blocks attacks against named (bind9) however it requires special
|
||||||
|
# configuration on bind.
|
||||||
|
#
|
||||||
|
# By default, logging is off with bind9 installation.
|
||||||
|
#
|
||||||
|
# You will need something like this in your named.conf to provide proper logging.
|
||||||
|
#
|
||||||
|
# logging {
|
||||||
|
# channel security_file {
|
||||||
|
# file "/var/log/named/security.log" versions 3 size 30m;
|
||||||
|
# severity dynamic;
|
||||||
|
# print-time yes;
|
||||||
|
# };
|
||||||
|
# category security {
|
||||||
|
# security_file;
|
||||||
|
# };
|
||||||
|
# };
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
# Daemon name
|
||||||
|
_daemon=named
|
||||||
|
|
||||||
|
# Shortcuts for easier comprehension of the failregex
|
||||||
|
|
||||||
|
__pid_re=(?:\[\d+\])
|
||||||
|
__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
|
||||||
|
__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
|
||||||
|
|
||||||
|
# hostname daemon_id spaces
|
||||||
|
# this can be optional (for instance if we match named native log files)
|
||||||
|
__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
|
||||||
|
|
||||||
|
prefregex = ^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$
|
||||||
|
|
||||||
|
failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))?
|
||||||
|
^zone transfer
|
||||||
|
^bad zone transfer request: '\S+/IN': non-authoritative zone
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
# Trying to generalize the
|
||||||
|
# structure which is general to capture general patterns in log
|
||||||
|
# lines to cover different configurations/distributions
|
||||||
|
#
|
||||||
|
# Author: Yaroslav Halchenko
|
|
@ -0,0 +1,23 @@
|
||||||
|
# Fail2Ban filter to match web requests for selected URLs that don't exist
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Load regexes for filtering
|
||||||
|
before = botsearch-common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
|
||||||
|
^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request: \"(GET|POST|HEAD) \/<block> \S+\"\, .*?$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
|
||||||
|
^[^\[]*\[({DATE})
|
||||||
|
{^LN-BEG}
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
# Based on apache-botsearch filter
|
||||||
|
#
|
||||||
|
# Author: Frantisek Sumsal
|
|
@ -0,0 +1,17 @@
|
||||||
|
# fail2ban filter configuration for nginx
|
||||||
|
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
|
||||||
|
failregex = ^ \[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = {^LN-BEG}
|
||||||
|
|
||||||
|
# DEV NOTES:
|
||||||
|
# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
|
||||||
|
# Extensive search of all nginx auth failures not done yet.
|
||||||
|
#
|
||||||
|
# Author: Daniel Black
|
|
@ -0,0 +1,46 @@
|
||||||
|
# Fail2ban filter configuration for nginx :: limit_req
|
||||||
|
# used to ban hosts, that were failed through nginx by limit request processing rate
|
||||||
|
#
|
||||||
|
# Author: Serg G. Brester (sebres)
|
||||||
|
#
|
||||||
|
# To use 'nginx-limit-req' filter you should have `ngx_http_limit_req_module`
|
||||||
|
# and define `limit_req` and `limit_req_zone` as described in nginx documentation
|
||||||
|
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
#
|
||||||
|
# http {
|
||||||
|
# ...
|
||||||
|
# limit_req_zone $binary_remote_addr zone=lr_zone:10m rate=1r/s;
|
||||||
|
# ...
|
||||||
|
# # http, server, or location:
|
||||||
|
# location ... {
|
||||||
|
# limit_req zone=lr_zone burst=1 nodelay;
|
||||||
|
# ...
|
||||||
|
# }
|
||||||
|
# ...
|
||||||
|
# }
|
||||||
|
# ...
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
# Specify following expression to define exact zones, if you want to ban IPs limited
|
||||||
|
# from specified zones only.
|
||||||
|
# Example:
|
||||||
|
#
|
||||||
|
# ngx_limit_req_zones = lr_zone|lr_zone2
|
||||||
|
#
|
||||||
|
ngx_limit_req_zones = [^"]+
|
||||||
|
|
||||||
|
# Use following full expression if you should range limit request to specified
|
||||||
|
# servers, requests, referrers etc. only :
|
||||||
|
#
|
||||||
|
# failregex = ^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$
|
||||||
|
|
||||||
|
# Shortly, much faster and stable version of regexp:
|
||||||
|
failregex = ^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>,
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = {^LN-BEG}
|
|
@ -0,0 +1,6 @@
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^<HOST>.*\"(.|)\\x.*\"$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^<HOST>.*(\/\.env).*
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^<HOST> -.*GET .*/~.*
|
||||||
|
|
||||||
|
ignoreregex =
|
|
@ -0,0 +1,5 @@
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^<HOST> -.*GET http.*
|
||||||
|
|
||||||
|
ignoreregex =
|
|
@ -0,0 +1,6 @@
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^<HOST> -.*GET.*(masscan|ZmEu)
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^<HOST> -.*(\.php|\.asp|\.exe|\.pl|\.cgi|\.scgi)
|
||||||
|
|
||||||
|
ignoreregex =
|
|
@ -0,0 +1,6 @@
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^<HOST> -.*GET.*(phpmyadmin)
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^<HOST> -.*GET.*(wp-includes)
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^<HOST> -.*GET.*(wp-login.php)
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
|
@ -0,0 +1,31 @@
|
||||||
|
# Fail2Ban configuration file
|
||||||
|
#
|
||||||
|
# Author: Bas van den Dikkenberg
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = nsd
|
||||||
|
|
||||||
|
# Option: failregex
|
||||||
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
|
# Values: TEXT
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)sinfo: ratelimit block .* query <HOST> TYPE255$
|
||||||
|
^%(__prefix_line)sinfo: .* <HOST> refused, no acl matches\.$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = {^LN-BEG}Epoch
|
||||||
|
{^LN-BEG}
|
|
@ -0,0 +1,15 @@
|
||||||
|
# Openhab brute force auth filter: /etc/fail2ban/filter.d/openhab.conf:
|
||||||
|
#
|
||||||
|
# Block IPs trying to auth openhab by web or rest api
|
||||||
|
#
|
||||||
|
# Matches e.g.
|
||||||
|
# 12.34.33.22 - - [26/sept./2015:18:04:43 +0200] "GET /openhab.app HTTP/1.1" 401 1382
|
||||||
|
# 175.18.15.10 - - [02/sept./2015:00:11:31 +0200] "GET /rest/bindings HTTP/1.1" 401 1384
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
failregex = ^<HOST>\s+-\s+-\s+\[\]\s+"[A-Z]+ .*" 401 \d+\s*$
|
||||||
|
|
||||||
|
datepattern = %%d/%%b[^/]*/%%Y:%%H:%%M:%%S %%z
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,15 @@
|
||||||
|
# Fail2Ban filter for Openwebmail
|
||||||
|
# banning hosts with authentication errors in /var/log/openwebmail.log
|
||||||
|
# OpenWebMail http://openwebmail.org
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - login error - (no such user - loginname=(?P=USER)|auth_unix.pl, ret -4, Password incorrect)$
|
||||||
|
^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - userinfo error - auth_unix.pl, ret -4, User (?P=USER) doesn't exist$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# Author: Ivo Truxa (c) 2013 truXoft.com
|
|
@ -0,0 +1,63 @@
|
||||||
|
# Fail2Ban configuration file
|
||||||
|
# for Oracle IMS with XML logging
|
||||||
|
#
|
||||||
|
# Author: Joel Snyder/jms@opus1.com/2014-June-01
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes.
|
||||||
|
# If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
# Option: failregex
|
||||||
|
# Notes.: regex to match the password failures messages
|
||||||
|
# in the logfile. The host must be matched by a
|
||||||
|
# group named "host". The tag "<HOST>" can
|
||||||
|
# be used for standard IP/hostname matching and is
|
||||||
|
# only an alias for
|
||||||
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6 and ABOVE:
|
||||||
|
#
|
||||||
|
# In OPTION.DAT you must have LOG_FORMAT=4 and
|
||||||
|
# bit 5 of LOG_CONNECTION must be set.
|
||||||
|
#
|
||||||
|
# Many of these sub-fields are optional and can be turned on and off
|
||||||
|
# by the system manager. We need the "tr" field
|
||||||
|
# (transport information (present if bit 5 of LOG_CONNECTION is
|
||||||
|
# set and transport information is available)).
|
||||||
|
# "di" should be there by default if you have LOG_FORMAT=4.
|
||||||
|
# Do not use "mi" as this is not included by default.
|
||||||
|
#
|
||||||
|
# Typical line IF YOU ARE USING TAGGING ! ! ! is:
|
||||||
|
# <co ts="2014-06-02T09:45:50.29" pi="123f.3f8.4397"
|
||||||
|
# sc="tcp_local" dr="+" ac="U"
|
||||||
|
# tr="TCP|192.245.12.223|25|151.1.71.144|59762" ap="SMTP"
|
||||||
|
# mi="Bad password"
|
||||||
|
# us="01ko8hqnoif09qx0np@imap.opus1.com"
|
||||||
|
# di="535 5.7.8 Bad username or password (Authentication failed)."/>
|
||||||
|
# Format is generally documented in the PORT_ACCESS mapping
|
||||||
|
# at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html
|
||||||
|
#
|
||||||
|
# All that would be on one line.
|
||||||
|
# Note that you MUST have LOG_FORMAT=4 for this to work!
|
||||||
|
#
|
||||||
|
|
||||||
|
failregex = tr="[A-Z]+\|[0-9.]+\|\d+\|<HOST>\|\d+" ap="[^"]*" mi="Bad password" us="[^"]*" di="535 5.7.8 Bad username or password( \(Authentication failed\))?\."/>$
|
||||||
|
|
||||||
|
# Option: ignoreregex
|
||||||
|
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = ^<co ts="{DATE}"\s+
|
|
@ -0,0 +1,33 @@
|
||||||
|
# Fail2Ban configuration file for generic PAM authentication errors
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
# if you want to catch only login errors from specific daemons, use something like
|
||||||
|
#_ttys_re=(?:ssh|pure-ftpd|ftp)
|
||||||
|
#
|
||||||
|
# Default: catch all failed logins
|
||||||
|
_ttys_re=\S*
|
||||||
|
|
||||||
|
__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
|
||||||
|
_daemon = \S+
|
||||||
|
|
||||||
|
prefregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure;(?:\s+(?:(?:logname|e?uid)=\S*)){0,3} tty=%(_ttys_re)s <F-CONTENT>.+</F-CONTENT>$
|
||||||
|
|
||||||
|
failregex = ^ruser=<F-ALT_USER>(?:\S*|.*?)</F-ALT_USER> rhost=<HOST>(?:\s+user=<F-USER>(?:\S*|.*?)</F-USER>)?\s*$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = {^LN-BEG}
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release)
|
||||||
|
# _daemon = \S*\(?pam_unix\)?
|
||||||
|
# failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|
||||||
|
#
|
||||||
|
# Author: Yaroslav Halchenko
|
|
@ -0,0 +1,18 @@
|
||||||
|
# Fail2Ban filter for perdition
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon=perdition.\S+
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)sAuth: <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$
|
||||||
|
^%(__prefix_line)sFatal Error reading authentication information from client <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# Author: Christophe Carles and Daniel Black
|
|
@ -0,0 +1,23 @@
|
||||||
|
# Fail2Ban filter for URLs with a URL as a script parameters
|
||||||
|
# which can be an indication of a fopen url php injection
|
||||||
|
#
|
||||||
|
# Example of web requests in Apache access log:
|
||||||
|
# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# Version 2
|
||||||
|
# fixes the failregex so REFERERS that contain =http:// don't get blocked
|
||||||
|
# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
|
||||||
|
# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
|
||||||
|
#
|
||||||
|
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
|
||||||
|
|
||||||
|
datepattern = ^[^\[]*\[({DATE})
|
||||||
|
{^LN-BEG}
|
|
@ -0,0 +1,18 @@
|
||||||
|
# Fail2Ban fitler for the phpMyAdmin-syslog
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = phpMyAdmin
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)suser denied: (?:\S+|.*?) \(mysql-denied\) from <HOST>\s*$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
|
||||||
|
# Author: Pavel Mihadyuk
|
||||||
|
# Regex fixes: Serg G. Brester
|
|
@ -0,0 +1,15 @@
|
||||||
|
# Fail2Ban filter for failure attempts in Counter Strike-1.6
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = \/<HOST> Port\: [0-9]+ (TCP|UDP) Blocked$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = {^LN-BEG}Epoch
|
||||||
|
{^LN-BEG}
|
||||||
|
|
||||||
|
# Author: Pacop <pacoparu@gmail.com>
|
||||||
|
|
|
@ -0,0 +1,80 @@
|
||||||
|
# Fail2Ban filter for selected Postfix SMTP rejections
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
|
||||||
|
_port = (?::\d+)?
|
||||||
|
|
||||||
|
prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$
|
||||||
|
|
||||||
|
mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)
|
||||||
|
mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
|
||||||
|
^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
|
||||||
|
^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b
|
||||||
|
^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.\d+ (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
|
||||||
|
^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
|
||||||
|
^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.\d+ (<[^>]*>)?: Sender address rejected: Domain not found\b
|
||||||
|
^from [^[]*\[<HOST>\]%(_port)s:?
|
||||||
|
|
||||||
|
mdpr-auth = warning:
|
||||||
|
mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
|
||||||
|
mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
|
||||||
|
# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).
|
||||||
|
|
||||||
|
# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
|
||||||
|
mdpr-rbl = %(mdpr-normal)s
|
||||||
|
mdre-rbl = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
|
||||||
|
|
||||||
|
# Mode "rbl" currently included in mode "normal" (within 1st rule)
|
||||||
|
mdpr-more = %(mdpr-normal)s
|
||||||
|
mdre-more = %(mdre-normal)s
|
||||||
|
|
||||||
|
mdpr-ddos = lost connection after(?! DATA) [A-Z]+
|
||||||
|
mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?
|
||||||
|
|
||||||
|
mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
|
||||||
|
mdre-extra = %(mdre-auth)s
|
||||||
|
%(mdre-normal)s
|
||||||
|
|
||||||
|
mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
|
||||||
|
mdre-aggressive = %(mdre-auth2)s
|
||||||
|
%(mdre-normal)s
|
||||||
|
|
||||||
|
mdpr-errors = too many errors after \S+
|
||||||
|
mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$
|
||||||
|
|
||||||
|
|
||||||
|
failregex = <mdre-<mode>>
|
||||||
|
|
||||||
|
# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
|
||||||
|
# Usage example (for jail.local):
|
||||||
|
# [postfix]
|
||||||
|
# mode = aggressive
|
||||||
|
#
|
||||||
|
# # or another jail (rewrite filter parameters of jail):
|
||||||
|
# [postfix-rbl]
|
||||||
|
# filter = postfix[mode=rbl]
|
||||||
|
#
|
||||||
|
# # jail to match "too many errors", related postconf `smtpd_hard_error_limit`:
|
||||||
|
# # (normally included in other modes (normal, more, extra, aggressive), but this jail'd allow to ban on the first message)
|
||||||
|
# [postfix-many-errors]
|
||||||
|
# filter = postfix[mode=errors]
|
||||||
|
# maxretry = 1
|
||||||
|
#
|
||||||
|
mode = more
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
[Init]
|
||||||
|
|
||||||
|
journalmatch = _SYSTEMD_UNIT=postfix.service
|
||||||
|
|
||||||
|
# Author: Cyril Jaquier
|
|
@ -0,0 +1,34 @@
|
||||||
|
# Fail2Ban fitler for the Proftpd FTP daemon
|
||||||
|
#
|
||||||
|
# Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS.
|
||||||
|
# See: http://www.proftpd.org/docs/howto/DNS.html
|
||||||
|
# When the default locale for your system is not en_US.UTF-8
|
||||||
|
# on Debian-based systems be sure to add this to /etc/default/proftpd
|
||||||
|
# export LC_TIME="en_US.UTF-8"
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = proftpd
|
||||||
|
|
||||||
|
__suffix_failed_login = (User not authorized for login|No such user found|Incorrect password|Password expired|Account disabled|Invalid shell: '\S+'|User in \S+|Limit (access|configuration) denies login|Not a UserAlias|maximum login length exceeded).?
|
||||||
|
|
||||||
|
|
||||||
|
prefregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ <F-CONTENT>(?:USER|SECURITY|Maximum).+</F-CONTENT>$
|
||||||
|
|
||||||
|
|
||||||
|
failregex = ^USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$
|
||||||
|
^USER .* \(Login failed\): %(__suffix_failed_login)s\s*$
|
||||||
|
^SECURITY VIOLATION: .* login attempted\. *$
|
||||||
|
^Maximum login attempts \(\d+\) exceeded *$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
[Init]
|
||||||
|
journalmatch = _SYSTEMD_UNIT=proftpd.service
|
||||||
|
|
||||||
|
# Author: Yaroslav Halchenko
|
||||||
|
# Daniel Black - hardening of regex
|
|
@ -0,0 +1,40 @@
|
||||||
|
# Fail2Ban filter for pureftp
|
||||||
|
#
|
||||||
|
# Disable hostname based logging by:
|
||||||
|
#
|
||||||
|
# Start pure-ftpd with the -H switch or on Ubuntu 'echo yes > /etc/pure-ftpd/conf/DontResolve'
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = pure-ftpd
|
||||||
|
|
||||||
|
# Error message specified in multiple languages
|
||||||
|
__errmsg = (?:Godkendelse mislykkedes for \[.*\]|Authentifizierung fehlgeschlagen für Benutzer \[.*\].|Authentication failed for user \[.*\]|Autentificación fallida para el usuario \[.*\]|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Azonosítás sikertelen \[.*\] felhasználónak|Autenticazione falita per l'utente \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|Godkjennelse mislyktes for \[.*\]|\[.*\] kullanýcýsý için giriþ hatalý|Autenticação falhou para usuário \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentifikace uživatele selhala \[.*\]|Autentyfikacja nie powiodła się dla użytkownika \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Behörighetskontroll misslyckas för användare \[.*\]|Авторизация не удалась пользователю \[.*\]|\[.*\] 嶸盪 檣隸 褒ぬ|妏蚚氪\[.*\]桄痐囮啖|使用者\[.*\]驗證失敗)
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s\s*$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
[Init]
|
||||||
|
|
||||||
|
journalmatch = _SYSTEMD_UNIT=pure-ftpd.service + _COMM=pure-ftpd
|
||||||
|
|
||||||
|
# Author: Cyril Jaquier
|
||||||
|
# Modified: Yaroslav Halchenko for pure-ftpd
|
||||||
|
# Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal
|
||||||
|
# UTF-8 editing and mechanism thanks to Johannes Weberhofer
|
||||||
|
#
|
||||||
|
# Only logs to syslog though facility can be changed configuration file/command line
|
||||||
|
#
|
||||||
|
# To get messages in the right encoding:
|
||||||
|
# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[defhint]* | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' > messages
|
||||||
|
# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[pr][to] | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' >> messages
|
||||||
|
# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[cps][slkv] | grep -Po '".?"' | recode latin2..utf-8 | tr -d '"' >> messages
|
||||||
|
# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_ru | grep -Po '".?"' | recode KOI8-R..utf-8 | tr -d '"' >> messages
|
||||||
|
# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[kz] | grep -Po '".*?"' | tr -d '"' | recode big5..utf-8 >> messages
|
|
@ -0,0 +1,31 @@
|
||||||
|
# Fail2Ban filters for qmail RBL patches/fake proxies
|
||||||
|
#
|
||||||
|
# the default djb RBL implementation doesn't log any rejections
|
||||||
|
# so is useless with this filter.
|
||||||
|
#
|
||||||
|
# One patch is here:
|
||||||
|
#
|
||||||
|
# http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = (?:qmail|rblsmtpd)
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)s\d+\.\d+ rblsmtpd: <HOST> pid \d+ \S+ 4\d\d \S+\s*$
|
||||||
|
^%(__prefix_line)s\d+\.\d+ qmail-smtpd: 4\d\d badiprbl: ip <HOST> rbl: \S+\s*$
|
||||||
|
^%(__prefix_line)s\S+ blocked <HOST> \S+ -\s*$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# These seem to be for two or 3 different patches to qmail or rblsmtpd
|
||||||
|
# so you'll probably only ever see one of these regex's that match.
|
||||||
|
#
|
||||||
|
# ref: https://github.com/fail2ban/fail2ban/pull/386
|
||||||
|
#
|
||||||
|
# Author: Daniel Black
|
|
@ -0,0 +1,38 @@
|
||||||
|
# Fail2Ban filter for repeat bans
|
||||||
|
#
|
||||||
|
# This filter monitors the fail2ban log file, and enables you to add long
|
||||||
|
# time bans for ip addresses that get banned by fail2ban multiple times.
|
||||||
|
#
|
||||||
|
# Reasons to use this: block very persistent attackers for a longer time,
|
||||||
|
# stop receiving email notifications about the same attacker over and
|
||||||
|
# over again.
|
||||||
|
#
|
||||||
|
# This jail is only useful if you set the 'findtime' and 'bantime' parameters
|
||||||
|
# in jail.conf to a higher value than the other jails. Also, this jail has its
|
||||||
|
# drawbacks, namely in that it works only with iptables, or if you use a
|
||||||
|
# different blocking mechanism for this jail versus others (e.g. hostsdeny
|
||||||
|
# for most jails, and shorewall for this one).
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = (?:fail2ban(?:-server|\.actions)\s*)
|
||||||
|
|
||||||
|
# The name of the jail that this filter is used for. In jail.conf, name the jail using
|
||||||
|
# this filter 'recidive', or supply another name with `filter = recidive[_jailname="jail"]`
|
||||||
|
_jailname = recidive
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)s(?:\s*fail2ban\.actions\s*%(__pid_re)s?:\s+)?NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
|
||||||
|
|
||||||
|
datepattern = ^{DATE}
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
|
||||||
|
|
||||||
|
# Author: Tom Hendrikx, modifications by Amir Caspi
|
|
@ -0,0 +1,39 @@
|
||||||
|
# Fail2Ban configuration file for roundcube web server
|
||||||
|
#
|
||||||
|
# By default failed logins are printed to 'errors'. The first regex matches those
|
||||||
|
# The second regex matches those printed to 'userlogins'
|
||||||
|
# The userlogins log file can be enabled by setting $config['log_logins'] = true; in config.inc.php
|
||||||
|
#
|
||||||
|
# The logpath in your jail can be updated to userlogins if you wish
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$
|
||||||
|
|
||||||
|
failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
|
||||||
|
^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
journalmatch = SYSLOG_IDENTIFIER=roundcube
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180
|
||||||
|
#
|
||||||
|
# Part after <HOST> comes straight from IMAP server up until the " in ....."
|
||||||
|
# Earlier versions didn't log the IMAP response hence optional.
|
||||||
|
#
|
||||||
|
# DoS resistance:
|
||||||
|
#
|
||||||
|
# Assume that the user can inject "from <HOST>" into the imap response
|
||||||
|
# somehow. Write test cases around this to ensure that the combination of
|
||||||
|
# arbitrary user input and IMAP response doesn't inject the wrong IP for
|
||||||
|
# fail2ban
|
||||||
|
#
|
||||||
|
# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black & Lee Clemens
|
|
@ -0,0 +1,31 @@
|
||||||
|
# Fail2Ban configuration file
|
||||||
|
#
|
||||||
|
# Author: Simon Brown
|
||||||
|
#
|
||||||
|
# Filter for Mac OS X Screen Sharing service
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = screensharingd
|
||||||
|
|
||||||
|
# Option: failregex
|
||||||
|
# Notes.: regex to match the password failures messages in the logfile. The
|
||||||
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
failregex = ^%(__prefix_line)sAuthentication: FAILED :: User Name: .+ :: Viewer Address: <HOST> :: Type: DH$
|
||||||
|
|
||||||
|
# Option: ignoreregex
|
||||||
|
# Notes.: regex to ignore. If this regex matches, the line is ignored.
|
||||||
|
# Values: TEXT
|
||||||
|
#
|
||||||
|
ignoreregex =
|
|
@ -0,0 +1,23 @@
|
||||||
|
# Fail2Ban configuration file for generic SELinux audit messages
|
||||||
|
#
|
||||||
|
# This file is not intended to be used directly, and should be included into a
|
||||||
|
# filter file which would define following variables. See selinux-ssh.conf as
|
||||||
|
# and example.
|
||||||
|
#
|
||||||
|
# _type
|
||||||
|
# _uid
|
||||||
|
# _auid
|
||||||
|
# _subj
|
||||||
|
# _msg
|
||||||
|
#
|
||||||
|
# Also one of these variables must include <HOST>.
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = EPOCH
|
||||||
|
|
||||||
|
# Author: Daniel Black
|
|
@ -0,0 +1,25 @@
|
||||||
|
# Fail2Ban configuration file for SELinux ssh authentication errors
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
after = selinux-common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_type = USER_(ERR|AUTH)
|
||||||
|
_uid = 0
|
||||||
|
_auid = \d+
|
||||||
|
_subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
|
||||||
|
|
||||||
|
_exe =/usr/sbin/sshd
|
||||||
|
_terminal = ssh
|
||||||
|
|
||||||
|
_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# Note: USER_LOGIN is ignored as this is the duplicate messsage
|
||||||
|
# ssh logs after 3 USER_AUTH failures.
|
||||||
|
#
|
||||||
|
# Author: Daniel Black
|
|
@ -0,0 +1,22 @@
|
||||||
|
# Fail2Ban filter for sendmail authentication failures
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = (?:sendmail|sm-(?:mta|acceptingconnections))
|
||||||
|
__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
|
||||||
|
|
||||||
|
# "w{14,20}" will give support for IDs from 14 up to 20 characters long
|
||||||
|
failregex = ^%(__prefix_line)s(\S+ )?\[(?:IPv6:<IP6>|<IP4>)\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
journalmatch = _SYSTEMD_UNIT=sendmail.service
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# Author: Daniel Black
|
|
@ -0,0 +1,67 @@
|
||||||
|
# Fail2Ban filter for sendmail spam/relay type failures
|
||||||
|
#
|
||||||
|
# Some of the below failregex will only work properly, when the following
|
||||||
|
# options are set in the .mc file (see your Sendmail documentation on how
|
||||||
|
# to modify it and generate the corresponding .cf file):
|
||||||
|
#
|
||||||
|
# FEATURE(`delay_checks')
|
||||||
|
# FEATURE(`greet_pause', `500')
|
||||||
|
# FEATURE(`ratecontrol', `nodelay', `terminate')
|
||||||
|
# FEATURE(`conncontrol', `nodelay', `terminate')
|
||||||
|
#
|
||||||
|
# ratecontrol and conncontrol also need corresponding options ClientRate:
|
||||||
|
# and ClientConn: in the access file, see documentation for ratecontrol and
|
||||||
|
# conncontrol in the sendmail/cf/README file.
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = (?:(sm-(mta|acceptingconnections)|sendmail))
|
||||||
|
__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
|
||||||
|
|
||||||
|
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
|
||||||
|
|
||||||
|
cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
|
||||||
|
^ruleset=check_relay, arg1=(?P<dom>\S+), arg2=(?:IPv6:<IP6>|<IP4>), relay=((?P=dom) )?\[(\d+\.){3}\d+\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
|
||||||
|
^rejecting commands from (\S* )?\[(?:IPv6:<IP6>|<IP4>)\] due to pre-greeting traffic after \d+ seconds$
|
||||||
|
^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\]: (?:(?i)expn|vrfy) \S+ \[rejected\]$
|
||||||
|
^<[^@]+@[^>]+>\.\.\. No such user here$
|
||||||
|
^<F-NOFAIL>from=<[^@]+@[^>]+></F-NOFAIL>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[(?:IPv6:<IP6>|<IP4>)\]$
|
||||||
|
|
||||||
|
mdre-normal =
|
||||||
|
|
||||||
|
mdre-extra = ^(?:\S+ )?\[(?:IPv6:<IP6>|<IP4>)\](?: \(may be forged\))? did not issue (?:[A-Z]{4}[/ ]?)+during connection to (?:TLS)?M(?:TA|S[PA])(?:-\w+)?$
|
||||||
|
|
||||||
|
mdre-aggressive = %(mdre-extra)s
|
||||||
|
|
||||||
|
failregex = %(cmnfailre)s
|
||||||
|
<mdre-<mode>>
|
||||||
|
|
||||||
|
# Parameter "mode": normal (default), extra or aggressive
|
||||||
|
# Usage example (for jail.local):
|
||||||
|
# [sendmail-reject]
|
||||||
|
# filter = sendmail-reject[mode=extra]
|
||||||
|
#
|
||||||
|
mode = normal
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
journalmatch = SYSLOG_IDENTIFIER=sm-mta + _SYSTEMD_UNIT=sendmail.service
|
||||||
|
|
||||||
|
# DEV NOTES:
|
||||||
|
#
|
||||||
|
# Regarding the multiline regex:
|
||||||
|
#
|
||||||
|
# "No such user" lines generate a failure and needs to be matched together with
|
||||||
|
# another line with the HOST, therefore no-failure line was added as regex, that
|
||||||
|
# contains HOST (see line with tag <F-NOFAIL>).
|
||||||
|
#
|
||||||
|
# Note the capture <F-MLFID>, includes both the __prefix_lines (which includes
|
||||||
|
# the sendmail PID), but also the `\w{14}` which the the sendmail assigned
|
||||||
|
# mail ID (todo: check this is necessary, possible obsolete).
|
||||||
|
#
|
||||||
|
# Author: Daniel Black, Fabian Wenk and Sergey Brester aka sebres.
|
||||||
|
# Rewritten using prefregex by Serg G. Brester.
|
|
@ -0,0 +1,18 @@
|
||||||
|
# Fail2Ban filter for sieve authentication failures
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = (?:cyrus/)?(?:tim)?sieved?
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ authentication failure$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# Author: Jan Wagner <waja@cyconet.org>
|
|
@ -0,0 +1,25 @@
|
||||||
|
# slapd (Stand-alone LDAP Daemon) openldap daemon filter
|
||||||
|
#
|
||||||
|
# Detecting invalid credentials: error code 49
|
||||||
|
# http://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html#invalidCredentials (49)
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = slapd
|
||||||
|
|
||||||
|
failregex = ^(?P<__prefix>%(__prefix_line)s)conn=(?P<_conn_>\d+) fd=\d+ ACCEPT from IP=<HOST>:\d{1,5} \(IP=\S+\)\s*<SKIPLINES>(?P=__prefix)conn=(?P=_conn_) op=\d+ RESULT(?:\s(?!err)\S+=\S*)* err=49 text=[\w\s]*$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
[Init]
|
||||||
|
|
||||||
|
# "maxlines" is number of log lines to buffer for multi-line regex searches
|
||||||
|
maxlines = 20
|
||||||
|
|
||||||
|
# Author: Andrii Melnyk
|
|
@ -0,0 +1,22 @@
|
||||||
|
# Fail2ban filter for SOGo authentcation
|
||||||
|
#
|
||||||
|
# Log file usually in /var/log/sogo/sogo.log
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>(?:,[^']*)?' for user '[^']*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$
|
||||||
|
|
||||||
|
ignoreregex = "^<ADDR>"
|
||||||
|
|
||||||
|
datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
|
||||||
|
{^LN-BEG}(?:%%a )?%%b %%d %%H:%%M:%%S(?:\.%%f)?(?: %%ExY)?
|
||||||
|
^[^\[]*\[({DATE})
|
||||||
|
{^LN-BEG}
|
||||||
|
|
||||||
|
#
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# The error log may contain multiple hosts, whereas the first one
|
||||||
|
# is the client and all others are poxys. We match the first one, only
|
||||||
|
#
|
||||||
|
# Author: Arnd Brandes
|
|
@ -0,0 +1,32 @@
|
||||||
|
# Fail2Ban filter for unsuccessful solid-pop3 authentication attempts
|
||||||
|
#
|
||||||
|
# Doesn't currently provide PAM support as PAM log messages don't include rhost as
|
||||||
|
# remote IP.
|
||||||
|
#
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = solid-pop3d
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)sauthentication failed: (no such user|can't map user name): .*? - <HOST>$
|
||||||
|
^%(__prefix_line)s(APOP )?authentication failed for (mapped )?user .*? - <HOST>$
|
||||||
|
^%(__prefix_line)sroot login not allowed - <HOST>$
|
||||||
|
^%(__prefix_line)scan't find APOP secret for user .*? - <HOST>$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# solid-pop3d needs to be compiled with --enable-logextend to support
|
||||||
|
# IP addresses in log messages.
|
||||||
|
#
|
||||||
|
# solid-pop3d-0.15/src/main.c contains all authentication errors
|
||||||
|
# except for PAM authentication messages ( src/authenticate.c )
|
||||||
|
#
|
||||||
|
# A pam authentication failure message (note no IP for rhost).
|
||||||
|
# Nov 17 23:17:50 emf1pt2-2-35-70 solid-pop3d[17176]: pam_unix(solid-pop3d:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=jacques
|
||||||
|
#
|
||||||
|
# Authors: Daniel Black
|
|
@ -0,0 +1,16 @@
|
||||||
|
# Fail2Ban filter for Squid attempted proxy bypasses
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^\s+\d\s<HOST>\s+[A-Z_]+_DENIED/403 .*$
|
||||||
|
^\s+\d\s<HOST>\s+NONE/405 .*$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = {^LN-BEG}Epoch
|
||||||
|
{^LN-BEG}
|
||||||
|
|
||||||
|
# Author: Daniel Black
|
||||||
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^ \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect\.$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = ^%%m/%%d/%%Y %%H:%%M:%%S
|
||||||
|
|
||||||
|
# DEV NOTES:
|
||||||
|
#
|
||||||
|
# Author: Daniel Black
|
|
@ -0,0 +1,6 @@
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^.*(sshd).*(Bad protocol).*(from )<HOST>.*
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
|
@ -0,0 +1,119 @@
|
||||||
|
# Fail2Ban filter for openssh
|
||||||
|
#
|
||||||
|
# If you want to protect OpenSSH from being bruteforced by password
|
||||||
|
# authentication then get public key authentication working before disabling
|
||||||
|
# PasswordAuthentication in sshd_config.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# "Connection from <HOST> port \d+" requires LogLevel VERBOSE in sshd_config
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[DEFAULT]
|
||||||
|
|
||||||
|
_daemon = sshd
|
||||||
|
|
||||||
|
# optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
|
||||||
|
__pref = (?:(?:error|fatal): (?:PAM: )?)?
|
||||||
|
# optional suffix (logged from several ssh versions) like " [preauth]"
|
||||||
|
#__suff = (?: port \d+)?(?: \[preauth\])?\s*
|
||||||
|
__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*
|
||||||
|
__on_port_opt = (?: (?:port \d+|on \S+)){0,2}
|
||||||
|
# close by authenticating user:
|
||||||
|
__authng_user = (?: (?:invalid|authenticating) user <F-USER>\S+|.+?</F-USER>)?
|
||||||
|
|
||||||
|
# for all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
|
||||||
|
# see ssherr.c for all possible SSH_ERR_..._ALG_MATCH errors.
|
||||||
|
__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+)
|
||||||
|
|
||||||
|
# PAM authentication mechanism, can be overridden, e. g. `filter = sshd[__pam_auth='pam_ldap']`:
|
||||||
|
__pam_auth = pam_[a-z]+
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID>%(__pref)s<F-CONTENT>.+</F-CONTENT>$
|
||||||
|
|
||||||
|
cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?%(__suff)s$
|
||||||
|
^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>%(__suff)s$
|
||||||
|
^Failed publickey for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
|
||||||
|
^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
|
||||||
|
^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>
|
||||||
|
^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__suff)s$
|
||||||
|
^User <F-USER>.+</F-USER> from <HOST> not allowed because not listed in AllowUsers%(__suff)s$
|
||||||
|
^User <F-USER>.+</F-USER> from <HOST> not allowed because listed in DenyUsers%(__suff)s$
|
||||||
|
^User <F-USER>.+</F-USER> from <HOST> not allowed because not in any group%(__suff)s$
|
||||||
|
^refused connect from \S+ \(<HOST>\)
|
||||||
|
^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
|
||||||
|
^User <F-USER>.+</F-USER> from <HOST> not allowed because a group is listed in DenyGroups%(__suff)s$
|
||||||
|
^User <F-USER>.+</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups%(__suff)s$
|
||||||
|
^<F-NOFAIL>%(__pam_auth)s\(sshd:auth\):\s+authentication failure;</F-NOFAIL>(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=<F-ALT_USER>\S*</F-ALT_USER>\s+rhost=<HOST>(?:\s+user=<F-USER>\S*</F-USER>)?%(__suff)s$
|
||||||
|
^(error: )?maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
|
||||||
|
^User <F-USER>.+</F-USER> not allowed because account is locked%(__suff)s
|
||||||
|
^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+</F-USER> <HOST>%(__on_port_opt)s:\s*Change of username or service not allowed:\s*.*\[preauth\]\s*$
|
||||||
|
^<F-MLFFORGET>Disconnecting</F-MLFFORGET>: Too many authentication failures(?: for <F-USER>.+?</F-USER>)?%(__suff)s$
|
||||||
|
^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>%(__on_port_opt)s:\s*11:
|
||||||
|
<mdre-<mode>-other>
|
||||||
|
^<F-MLFFORGET><F-MLFGAINED>Accepted \w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\S+</F-USER> from <HOST>(?:\s|$)
|
||||||
|
|
||||||
|
mdre-normal =
|
||||||
|
# used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode)
|
||||||
|
mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$
|
||||||
|
|
||||||
|
mdre-ddos = ^Did not receive identification string from <HOST>
|
||||||
|
^Bad protocol version identification '.*' from <HOST>
|
||||||
|
^Connection <F-MLFFORGET>reset</F-MLFFORGET> by <HOST>
|
||||||
|
^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
|
||||||
|
^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer
|
||||||
|
# same as mdre-normal-other, but as failure (without <F-NOFAIL>) and [preauth] only:
|
||||||
|
mdre-ddos-other = ^<F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET> (?:by|from)%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$
|
||||||
|
|
||||||
|
mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No supported authentication methods available
|
||||||
|
^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found.
|
||||||
|
^Unable to negotiate a <__alg_match>
|
||||||
|
^no matching <__alg_match> found:
|
||||||
|
# part of mdre-ddos-other, but user name is supplied (invalid/authenticating) on [preauth] phase only:
|
||||||
|
mdre-extra-other = ^<F-MLFFORGET>Disconnected</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+|.*?</F-USER> <HOST>%(__on_port_opt)s \[preauth\]\s*$
|
||||||
|
|
||||||
|
mdre-aggressive = %(mdre-ddos)s
|
||||||
|
%(mdre-extra)s
|
||||||
|
# mdre-extra-other is fully included within mdre-ddos-other:
|
||||||
|
mdre-aggressive-other = %(mdre-ddos-other)s
|
||||||
|
|
||||||
|
cfooterre = ^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>
|
||||||
|
|
||||||
|
failregex = %(cmnfailre)s
|
||||||
|
<mdre-<mode>>
|
||||||
|
%(cfooterre)s
|
||||||
|
|
||||||
|
# Parameter "mode": normal (default), ddos, extra or aggressive (combines all)
|
||||||
|
# Usage example (for jail.local):
|
||||||
|
# [sshd]
|
||||||
|
# mode = extra
|
||||||
|
# # or another jail (rewrite filter parameters of jail):
|
||||||
|
# [sshd-aggressive]
|
||||||
|
# filter = sshd[mode=aggressive]
|
||||||
|
#
|
||||||
|
mode = normal
|
||||||
|
|
||||||
|
#filter = sshd[mode=aggressive]
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
maxlines = 1
|
||||||
|
|
||||||
|
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
|
||||||
|
# it is coming before use of <HOST> which is not hard-anchored at the end as well,
|
||||||
|
# and later catch-all's could contain user-provided input, which need to be greedily
|
||||||
|
# matched away first.
|
||||||
|
#
|
||||||
|
# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black and Sergey Brester aka sebres
|
||||||
|
# Rewritten using prefregex (and introduced "mode" parameter) by Serg G. Brester.
|
|
@ -0,0 +1,13 @@
|
||||||
|
# Fail2ban filter for stunnel
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^ LOG\d\[\d+:\d+\]:\ SSL_accept from <HOST>:\d+ : (?P<CODE>[\dA-F]+): error:(?P=CODE):SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV NOTES:
|
||||||
|
#
|
||||||
|
# Author: Daniel Black
|
||||||
|
#
|
||||||
|
# Based off: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#stunnel4
|
|
@ -0,0 +1,28 @@
|
||||||
|
# Fail2Ban filter for suhosian PHP hardening
|
||||||
|
#
|
||||||
|
# This occurs with lighttpd or directly from the plugin
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = (?:lighttpd|suhosin)
|
||||||
|
|
||||||
|
|
||||||
|
_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .*? \(attacker '<HOST>', file '[^']*'(?:, line \d+)?\)$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
|
||||||
|
#
|
||||||
|
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
|
|
@ -0,0 +1,24 @@
|
||||||
|
# Fail2Ban filter for Tine 2.0 authentication
|
||||||
|
#
|
||||||
|
# Enable logging with:
|
||||||
|
# $config['info_log']='/var/log/tine20/tine20.log';
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^[\da-f]{5,} [\da-f]{5,} (-- none --|.*?)( \d+(\.\d+)?(h|m|s|ms)){0,2} - WARN \(\d+\): Tinebase_Controller::login::\d+ Login with username .*? from <HOST> failed \(-[13]\)!$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
datepattern = ^[^-]+ -- [^-]+ -- - ({DATE})
|
||||||
|
{^LN-BEG}
|
||||||
|
|
||||||
|
# Author: Mika (mkl) from Tine20.org forum: https://www.tine20.org/forum/viewtopic.php?f=2&t=15688&p=54766
|
||||||
|
# Editor: Daniel Black
|
||||||
|
# Advisor: Lars Kneschke
|
||||||
|
#
|
||||||
|
# Usernames can contain spaces.
|
||||||
|
#
|
||||||
|
# Authentication: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Controller.php#l105
|
||||||
|
# Logger: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Log/Formatter.php
|
||||||
|
# formatMicrotimeDiff: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Helper.php#l276
|
|
@ -0,0 +1,56 @@
|
||||||
|
# Fail2ban filter configuration for traefik :: auth
|
||||||
|
# used to ban hosts, that were failed through traefik
|
||||||
|
#
|
||||||
|
# Author: CrazyMax
|
||||||
|
#
|
||||||
|
# To use 'traefik-auth' filter you have to configure your Traefik instance to write
|
||||||
|
# the access logs as describe in https://docs.traefik.io/configuration/logs/#access-logs
|
||||||
|
# into a log file on host and specifiy users for Basic Authentication
|
||||||
|
# https://docs.traefik.io/configuration/entrypoints/#basic-authentication
|
||||||
|
#
|
||||||
|
# Example:
|
||||||
|
#
|
||||||
|
# version: "3.2"
|
||||||
|
#
|
||||||
|
# services:
|
||||||
|
# traefik:
|
||||||
|
# image: traefik:latest
|
||||||
|
# command:
|
||||||
|
# - "--loglevel=INFO"
|
||||||
|
# - "--accesslog=true"
|
||||||
|
# - "--accessLog.filePath=/var/log/access.log"
|
||||||
|
# # - "--accessLog.filters.statusCodes=400-499"
|
||||||
|
# - "--defaultentrypoints=http,https"
|
||||||
|
# - "--entryPoints=Name:http Address::80"
|
||||||
|
# - "--entryPoints=Name:https Address::443 TLS"
|
||||||
|
# - "--docker.domain=example.com"
|
||||||
|
# - "--docker.watch=true"
|
||||||
|
# - "--docker.exposedbydefault=false"
|
||||||
|
# - "--api=true"
|
||||||
|
# - "--api.dashboard=true"
|
||||||
|
# ports:
|
||||||
|
# - target: 80
|
||||||
|
# published: 80
|
||||||
|
# protocol: tcp
|
||||||
|
# mode: host
|
||||||
|
# - target: 443
|
||||||
|
# published: 443
|
||||||
|
# protocol: tcp
|
||||||
|
# mode: host
|
||||||
|
# labels:
|
||||||
|
# - "traefik.enable=true"
|
||||||
|
# - "traefik.port=8080"
|
||||||
|
# - "traefik.backend=traefik"
|
||||||
|
# - "traefik.frontend.rule=Host:traefik.example.com"
|
||||||
|
# - "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"
|
||||||
|
# volumes:
|
||||||
|
# - "/var/log/traefik:/var/log"
|
||||||
|
# - "/var/run/docker.sock:/var/run/docker.sock"
|
||||||
|
# restart: always
|
||||||
|
#
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
failregex = ^<HOST> \- (?!- )\S+ \[\] \"(GET|POST|HEAD) [^\"]+\" 401\b
|
||||||
|
|
||||||
|
ignoreregex =
|
|
@ -0,0 +1,17 @@
|
||||||
|
# Fail2Ban filter for uwimap
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = (?:ipop3d|imapd)
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|SYSTEM BREAK-IN ATTEMPT) user=\S* auth=\S* host=.*\[<HOST>\]\s*$
|
||||||
|
^%(__prefix_line)sFailed .* override of user=.* host=.*\[<HOST>\]\s*$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# Author: Amir Caspi
|
|
@ -0,0 +1,22 @@
|
||||||
|
# Fail2Ban filter for vsftp
|
||||||
|
#
|
||||||
|
# Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch
|
||||||
|
# /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the
|
||||||
|
# incoming ip address rather than domain names.
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
|
||||||
|
_daemon = vsftpd
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|
||||||
|
^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,)
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# Author: Cyril Jaquier
|
||||||
|
# Documentation from fail2ban wiki
|
|
@ -0,0 +1,22 @@
|
||||||
|
# Fail2Ban filter for webmin
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = webmin
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$
|
||||||
|
^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# pattern : webmin[15673]: Non-existent login as toto from 86.0.6.217
|
||||||
|
# webmin[29544]: Invalid login as root from 86.0.6.217
|
||||||
|
#
|
||||||
|
# Rule Author: Delvit Guillaume
|
|
@ -0,0 +1,22 @@
|
||||||
|
# Fail2Ban configuration file for wuftpd
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = wu-ftpd
|
||||||
|
__pam_re=\(?%(__pam_auth)s(?:\(wu-ftpd:auth\))?\)?:?
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)sfailed login from \S+ \[<HOST>\]\s*$
|
||||||
|
^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
|
||||||
|
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# Author: Yaroslav Halchenko
|
|
@ -0,0 +1,29 @@
|
||||||
|
# Fail2Ban filter for xinetd failures
|
||||||
|
#
|
||||||
|
# Cfr.: /var/log/(daemon\.|sys)log
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from
|
||||||
|
# common.local
|
||||||
|
before = common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = xinetd
|
||||||
|
|
||||||
|
prefregex = ^%(__prefix_line)sFAIL: <F-CONTENT>.+</F-CONTENT>$
|
||||||
|
|
||||||
|
failregex = ^\S+ address from=<HOST>$
|
||||||
|
^\S+ libwrap from=<HOST>$
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
#
|
||||||
|
# libwrap => tcp wrappers: hosts.(allow|deny)
|
||||||
|
# address => xinetd: deny_from|only_from
|
||||||
|
#
|
||||||
|
# Author: Guido Bozzetto
|
|
@ -0,0 +1,34 @@
|
||||||
|
# Fail2Ban filter for ZNC (requires adminlog module)
|
||||||
|
#
|
||||||
|
# to use this module, enable the adminlog module from within ZNC and point
|
||||||
|
# logpath to its logfile (e.g. /var/lib/znc/moddata/adminlog/znc.log).
|
||||||
|
|
||||||
|
[DEFAULT]
|
||||||
|
|
||||||
|
logtype = file
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
_daemon = znc
|
||||||
|
|
||||||
|
# Prefix for different logtype (file, journal):
|
||||||
|
#
|
||||||
|
__prefix_file = (?:\[\]\s+)?
|
||||||
|
__prefix_short = (?:\S+\s+%(_daemon)s\[\d+\]:)\s+
|
||||||
|
__prefix_journal = %(__prefix_short)s
|
||||||
|
|
||||||
|
__prefix_line = <__prefix_<logtype>>
|
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)s\[[^]]+\] failed to login from <ADDR>
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
journalmatch = _SYSTEMD_UNIT=znc.service + _COMM=znc
|
||||||
|
|
||||||
|
# DEV Notes:
|
||||||
|
# Log format is: [<DATE+TIME>] [<USERNAME>] <ACTION> from <ADDR>
|
||||||
|
# [2018-10-27 01:40:17] [girst] connected to ZNC from 1.2.3.4
|
||||||
|
# [2018-10-27 01:40:21] [girst] disconnected from ZNC from 1.2.3.4
|
||||||
|
# [2018-10-27 01:40:55] [girst] failed to login from 1.2.3.4
|
||||||
|
#
|
||||||
|
# Author: Tobias Girstmair (//gir.st/)
|
|
@ -0,0 +1,21 @@
|
||||||
|
# Fail2Ban filter for Zoneminder login failures
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
before = apache-common.conf
|
||||||
|
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
# pattern: [Wed Apr 27 23:12:07.736196 2016] [:error] [pid 2460] [client 10.1.1.1:47296] WAR [Login denied for user "test"], referer: https://zoneminderurl/index.php
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# Option: failregex
|
||||||
|
# Notes.: regex to match the password failure messages in the logfile.
|
||||||
|
|
||||||
|
failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\]
|
||||||
|
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
# Notes:
|
||||||
|
# Tested on Zoneminder 1.29.0
|
||||||
|
#
|
||||||
|
# Author: John Marzella
|
|
@ -0,0 +1,972 @@
|
||||||
|
#
|
||||||
|
# WARNING: heavily refactored in 0.9.0 release. Please review and
|
||||||
|
# customize settings for your setup.
|
||||||
|
#
|
||||||
|
# Changes: in most of the cases you should not modify this
|
||||||
|
# file, but provide customizations in jail.local file,
|
||||||
|
# or separate .conf files under jail.d/ directory, e.g.:
|
||||||
|
#
|
||||||
|
# HOW TO ACTIVATE JAILS:
|
||||||
|
#
|
||||||
|
# YOU SHOULD NOT MODIFY THIS FILE.
|
||||||
|
#
|
||||||
|
# It will probably be overwritten or improved in a distribution update.
|
||||||
|
#
|
||||||
|
# Provide customizations in a jail.local file or a jail.d/customisation.local.
|
||||||
|
# For example to change the default bantime for all jails and to enable the
|
||||||
|
# ssh-iptables jail the following (uncommented) would appear in the .local file.
|
||||||
|
# See man 5 jail.conf for details.
|
||||||
|
#
|
||||||
|
# [DEFAULT]
|
||||||
|
# bantime = 1h
|
||||||
|
#
|
||||||
|
# [sshd]
|
||||||
|
# enabled = true
|
||||||
|
#
|
||||||
|
# See jail.conf(5) man page for more information
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
|
||||||
|
|
||||||
|
|
||||||
|
[INCLUDES]
|
||||||
|
|
||||||
|
#before = paths-distro.conf
|
||||||
|
before = paths-debian.conf
|
||||||
|
|
||||||
|
# The DEFAULT allows a global definition of the options. They can be overridden
|
||||||
|
# in each jail afterwards.
|
||||||
|
|
||||||
|
[DEFAULT]
|
||||||
|
|
||||||
|
#
|
||||||
|
# MISCELLANEOUS OPTIONS
|
||||||
|
#
|
||||||
|
|
||||||
|
# "ignorself" specifies whether the local resp. own IP addresses should be ignored
|
||||||
|
# (default is true). Fail2ban will not ban a host which matches such addresses.
|
||||||
|
#ignorself = true
|
||||||
|
|
||||||
|
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
|
||||||
|
# will not ban a host which matches an address in this list. Several addresses
|
||||||
|
# can be defined using space (and/or comma) separator.
|
||||||
|
#ignoreip = 127.0.0.1/8 ::1
|
||||||
|
|
||||||
|
# External command that will take an tagged arguments to ignore, e.g. <ip>,
|
||||||
|
# and return true if the IP is to be ignored. False otherwise.
|
||||||
|
#
|
||||||
|
# ignorecommand = /path/to/command <ip>
|
||||||
|
ignorecommand =
|
||||||
|
|
||||||
|
# "bantime" is the number of seconds that a host is banned.
|
||||||
|
bantime = 10m
|
||||||
|
|
||||||
|
# A host is banned if it has generated "maxretry" during the last "findtime"
|
||||||
|
# seconds.
|
||||||
|
findtime = 10m
|
||||||
|
|
||||||
|
# "maxretry" is the number of failures before a host get banned.
|
||||||
|
maxretry = 5
|
||||||
|
|
||||||
|
# "backend" specifies the backend used to get files modification.
|
||||||
|
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
|
||||||
|
# This option can be overridden in each jail as well.
|
||||||
|
#
|
||||||
|
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
|
||||||
|
# If pyinotify is not installed, Fail2ban will use auto.
|
||||||
|
# gamin: requires Gamin (a file alteration monitor) to be installed.
|
||||||
|
# If Gamin is not installed, Fail2ban will use auto.
|
||||||
|
# polling: uses a polling algorithm which does not require external libraries.
|
||||||
|
# systemd: uses systemd python library to access the systemd journal.
|
||||||
|
# Specifying "logpath" is not valid for this backend.
|
||||||
|
# See "journalmatch" in the jails associated filter config
|
||||||
|
# auto: will try to use the following backends, in order:
|
||||||
|
# pyinotify, gamin, polling.
|
||||||
|
#
|
||||||
|
# Note: if systemd backend is chosen as the default but you enable a jail
|
||||||
|
# for which logs are present only in its own log files, specify some other
|
||||||
|
# backend for that jail (e.g. polling) and provide empty value for
|
||||||
|
# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
|
||||||
|
backend = auto
|
||||||
|
|
||||||
|
# "usedns" specifies if jails should trust hostnames in logs,
|
||||||
|
# warn when DNS lookups are performed, or ignore all hostnames in logs
|
||||||
|
#
|
||||||
|
# yes: if a hostname is encountered, a DNS lookup will be performed.
|
||||||
|
# warn: if a hostname is encountered, a DNS lookup will be performed,
|
||||||
|
# but it will be logged as a warning.
|
||||||
|
# no: if a hostname is encountered, will not be used for banning,
|
||||||
|
# but it will be logged as info.
|
||||||
|
# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user)
|
||||||
|
usedns = warn
|
||||||
|
|
||||||
|
# "logencoding" specifies the encoding of the log files handled by the jail
|
||||||
|
# This is used to decode the lines from the log file.
|
||||||
|
# Typical examples: "ascii", "utf-8"
|
||||||
|
#
|
||||||
|
# auto: will use the system locale setting
|
||||||
|
logencoding = auto
|
||||||
|
|
||||||
|
# "enabled" enables the jails.
|
||||||
|
# By default all jails are disabled, and it should stay this way.
|
||||||
|
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
|
||||||
|
#
|
||||||
|
# true: jail will be enabled and log files will get monitored for changes
|
||||||
|
# false: jail is not enabled
|
||||||
|
enabled = false
|
||||||
|
|
||||||
|
|
||||||
|
# "mode" defines the mode of the filter (see corresponding filter implementation for more info).
|
||||||
|
mode = normal
|
||||||
|
|
||||||
|
# "filter" defines the filter to use by the jail.
|
||||||
|
# By default jails have names matching their filter name
|
||||||
|
#
|
||||||
|
filter = %(__name__)s[mode=%(mode)s]
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# ACTIONS
|
||||||
|
#
|
||||||
|
|
||||||
|
# Some options used for actions
|
||||||
|
|
||||||
|
# Destination email address used solely for the interpolations in
|
||||||
|
# jail.{conf,local,d/*} configuration files.
|
||||||
|
destemail = mailedknoats@gmail.com
|
||||||
|
|
||||||
|
# Sender email address used solely for some actions
|
||||||
|
sender = admin@bookstack
|
||||||
|
|
||||||
|
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
|
||||||
|
# mailing. Change mta configuration parameter to mail if you want to
|
||||||
|
# revert to conventional 'mail'.
|
||||||
|
mta = mail
|
||||||
|
|
||||||
|
# Default protocol
|
||||||
|
protocol = tcp
|
||||||
|
|
||||||
|
# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
|
||||||
|
chain = <known/chain>
|
||||||
|
|
||||||
|
# Ports to be banned
|
||||||
|
# Usually should be overridden in a particular jail
|
||||||
|
port = 0:65535
|
||||||
|
|
||||||
|
# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
|
||||||
|
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
|
||||||
|
|
||||||
|
#
|
||||||
|
# Action shortcuts. To be used to define action parameter
|
||||||
|
|
||||||
|
# Default banning action (e.g. iptables, iptables-new,
|
||||||
|
# iptables-multiport, shorewall, etc) It is used to define
|
||||||
|
# action_* variables. Can be overridden globally or per
|
||||||
|
# section within jail.local file
|
||||||
|
banaction = iptables-multiport
|
||||||
|
banaction_allports = iptables-allports
|
||||||
|
|
||||||
|
# The simplest action to take: ban only
|
||||||
|
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
||||||
|
|
||||||
|
# ban & send an e-mail with whois report to the destemail.
|
||||||
|
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
||||||
|
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
|
||||||
|
|
||||||
|
# ban & send an e-mail with whois report and relevant log lines
|
||||||
|
# to the destemail.
|
||||||
|
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
||||||
|
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
|
||||||
|
|
||||||
|
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
|
||||||
|
#
|
||||||
|
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
|
||||||
|
# to the destemail.
|
||||||
|
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
||||||
|
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
|
||||||
|
|
||||||
|
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
|
||||||
|
# to the destemail.
|
||||||
|
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
|
||||||
|
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
|
||||||
|
|
||||||
|
# Report block via blocklist.de fail2ban reporting service API
|
||||||
|
#
|
||||||
|
# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
|
||||||
|
# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
|
||||||
|
# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
|
||||||
|
# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in
|
||||||
|
# corresponding jail.d/my-jail.local file).
|
||||||
|
#
|
||||||
|
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
|
||||||
|
|
||||||
|
# Report ban via badips.com, and use as blacklist
|
||||||
|
#
|
||||||
|
# See BadIPsAction docstring in config/action.d/badips.py for
|
||||||
|
# documentation for this action.
|
||||||
|
#
|
||||||
|
# NOTE: This action relies on banaction being present on start and therefore
|
||||||
|
# should be last action defined for a jail.
|
||||||
|
#
|
||||||
|
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
|
||||||
|
#
|
||||||
|
# Report ban via badips.com (uses action.d/badips.conf for reporting only)
|
||||||
|
#
|
||||||
|
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
|
||||||
|
|
||||||
|
# Report ban via abuseipdb.com.
|
||||||
|
#
|
||||||
|
# See action.d/abuseipdb.conf for usage example and details.
|
||||||
|
#
|
||||||
|
action_abuseipdb = abuseipdb
|
||||||
|
|
||||||
|
# Choose default action. To change, just override value of 'action' with the
|
||||||
|
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
|
||||||
|
# globally (section [DEFAULT]) or per specific section
|
||||||
|
action = %(action_mwl)s
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# JAILS
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# SSH servers
|
||||||
|
#
|
||||||
|
|
||||||
|
[sshd]
|
||||||
|
|
||||||
|
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
|
||||||
|
# normal (default), ddos, extra or aggressive (combines all).
|
||||||
|
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
|
||||||
|
#mode = normal
|
||||||
|
port = 4719
|
||||||
|
logpath = %(sshd_log)s
|
||||||
|
backend = %(sshd_backend)s
|
||||||
|
maxretry = 2
|
||||||
|
bantime = -1
|
||||||
|
|
||||||
|
[dropbear]
|
||||||
|
|
||||||
|
port = ssh
|
||||||
|
logpath = %(dropbear_log)s
|
||||||
|
backend = %(dropbear_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[selinux-ssh]
|
||||||
|
|
||||||
|
port = ssh
|
||||||
|
logpath = %(auditd_log)s
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# HTTP servers
|
||||||
|
#
|
||||||
|
|
||||||
|
[apache-auth]
|
||||||
|
|
||||||
|
port = http,https
|
||||||
|
logpath = %(apache_error_log)s
|
||||||
|
|
||||||
|
|
||||||
|
[apache-badbots]
|
||||||
|
# Ban hosts which agent identifies spammer robots crawling the web
|
||||||
|
# for email addresses. The mail outputs are buffered.
|
||||||
|
port = http,https
|
||||||
|
logpath = %(apache_access_log)s
|
||||||
|
bantime = 48h
|
||||||
|
maxretry = 1
|
||||||
|
|
||||||
|
|
||||||
|
[apache-noscript]
|
||||||
|
|
||||||
|
port = http,https
|
||||||
|
logpath = %(apache_error_log)s
|
||||||
|
|
||||||
|
|
||||||
|
[apache-overflows]
|
||||||
|
|
||||||
|
port = http,https
|
||||||
|
logpath = %(apache_error_log)s
|
||||||
|
maxretry = 2
|
||||||
|
|
||||||
|
|
||||||
|
[apache-nohome]
|
||||||
|
|
||||||
|
port = http,https
|
||||||
|
logpath = %(apache_error_log)s
|
||||||
|
maxretry = 2
|
||||||
|
|
||||||
|
|
||||||
|
[apache-botsearch]
|
||||||
|
|
||||||
|
port = http,https
|
||||||
|
logpath = %(apache_error_log)s
|
||||||
|
maxretry = 2
|
||||||
|
|
||||||
|
|
||||||
|
[apache-fakegooglebot]
|
||||||
|
|
||||||
|
port = http,https
|
||||||
|
logpath = %(apache_access_log)s
|
||||||
|
maxretry = 1
|
||||||
|
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
|
||||||
|
|
||||||
|
|
||||||
|
[apache-modsecurity]
|
||||||
|
|
||||||
|
port = http,https
|
||||||
|
logpath = %(apache_error_log)s
|
||||||
|
maxretry = 2
|
||||||
|
|
||||||
|
|
||||||
|
[apache-shellshock]
|
||||||
|
|
||||||
|
port = http,https
|
||||||
|
logpath = %(apache_error_log)s
|
||||||
|
maxretry = 1
|
||||||
|
|
||||||
|
|
||||||
|
[openhab-auth]
|
||||||
|
|
||||||
|
filter = openhab
|
||||||
|
action = iptables-allports[name=NoAuthFailures]
|
||||||
|
logpath = /opt/openhab/logs/request.log
|
||||||
|
|
||||||
|
[nginx-http-auth]
|
||||||
|
|
||||||
|
enabled = true
|
||||||
|
port = http,https
|
||||||
|
logpath = %(nginx_error_log)s
|
||||||
|
|
||||||
|
# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
|
||||||
|
# and define `limit_req` and `limit_req_zone` as described in nginx documentation
|
||||||
|
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
|
||||||
|
# or for example see in 'config/filter.d/nginx-limit-req.conf'
|
||||||
|
[nginx-limit-req]
|
||||||
|
port = http,https
|
||||||
|
logpath = %(nginx_error_log)s
|
||||||
|
|
||||||
|
[nginx-botsearch]
|
||||||
|
|
||||||
|
enabled = true
|
||||||
|
port = http,https
|
||||||
|
logpath = %(nginx_error_log)s
|
||||||
|
maxretry = 2
|
||||||
|
|
||||||
|
[nginx-noproxy]
|
||||||
|
|
||||||
|
enabled = true
|
||||||
|
port = http,https
|
||||||
|
filter = nginx-noproxy
|
||||||
|
logpath = /var/log/nginx/access.log
|
||||||
|
maxretry = 2
|
||||||
|
|
||||||
|
[nginx-noscript]
|
||||||
|
|
||||||
|
enabled = true
|
||||||
|
port = http,https
|
||||||
|
filter = nginx-noscript
|
||||||
|
logpath = /var/log/nginx/access.log
|
||||||
|
maxretry = 6
|
||||||
|
|
||||||
|
[nginx-nohome]
|
||||||
|
|
||||||
|
enabled = true
|
||||||
|
port = http,https
|
||||||
|
filter = nginx-nohome
|
||||||
|
logpath = /var/log/nginx/access.log
|
||||||
|
maxretry = 2
|
||||||
|
|
||||||
|
|
||||||
|
[nginx-noscan]
|
||||||
|
enabled = true
|
||||||
|
port = http,https
|
||||||
|
filter = nginx-noscan
|
||||||
|
logpath = /var/log/nginx/access.log
|
||||||
|
maxretry = 1
|
||||||
|
bantime = -1
|
||||||
|
|
||||||
|
[nginx-noenv]
|
||||||
|
enabled = true
|
||||||
|
port = http,https
|
||||||
|
filter = nginx-noenv
|
||||||
|
logpath = /var/log/nginx/access.log
|
||||||
|
maxretry = 1
|
||||||
|
bantime = 4h
|
||||||
|
|
||||||
|
[nginx-wplogin]
|
||||||
|
enabled = true
|
||||||
|
port = http,https
|
||||||
|
filter = nginx-wplogin
|
||||||
|
logpath = /var/log/nginx/access.log
|
||||||
|
maxretry = 1
|
||||||
|
bantime = 4h
|
||||||
|
|
||||||
|
[nginx-wpinclude]
|
||||||
|
enabled = true
|
||||||
|
port = http,https
|
||||||
|
filter = nginx-wpinclude
|
||||||
|
logpath = /var/log/nginx/access.log
|
||||||
|
maxretry = 1
|
||||||
|
bantime = 4h
|
||||||
|
|
||||||
|
[nginx-phpmyadmin]
|
||||||
|
enabled = true
|
||||||
|
port = http,https
|
||||||
|
filter = nginx-phpmyadmin
|
||||||
|
logpath = /var/log/nginx/access.log
|
||||||
|
maxretry = 1
|
||||||
|
bantime = 4h
|
||||||
|
|
||||||
|
[nginx-nobinary]
|
||||||
|
enabled = true
|
||||||
|
port = http,https
|
||||||
|
filter = nginx-nobinary
|
||||||
|
logpath = /var/log/nginx/access.log
|
||||||
|
maxretry = 1
|
||||||
|
bantime = -1
|
||||||
|
|
||||||
|
[sshd-badproto]
|
||||||
|
enabled = true
|
||||||
|
port = 4719
|
||||||
|
filter = sshd-badproto
|
||||||
|
logpath = /var/log/auth.log
|
||||||
|
maxretry = 1
|
||||||
|
bantime = -1
|
||||||
|
|
||||||
|
# Ban attackers that try to use PHP's URL-fopen() functionality
|
||||||
|
# through GET/POST variables. - Experimental, with more than a year
|
||||||
|
# of usage in production environments.
|
||||||
|
|
||||||
|
[php-url-fopen]
|
||||||
|
|
||||||
|
port = http,https
|
||||||
|
logpath = %(nginx_access_log)s
|
||||||
|
%(apache_access_log)s
|
||||||
|
|
||||||
|
|
||||||
|
[suhosin]
|
||||||
|
|
||||||
|
port = http,https
|
||||||
|
logpath = %(suhosin_log)s
|
||||||
|
|
||||||
|
|
||||||
|
[lighttpd-auth]
|
||||||
|
# Same as above for Apache's mod_auth
|
||||||
|
# It catches wrong authentifications
|
||||||
|
port = http,https
|
||||||
|
logpath = %(lighttpd_error_log)s
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Webmail and groupware servers
|
||||||
|
#
|
||||||
|
|
||||||
|
[roundcube-auth]
|
||||||
|
|
||||||
|
port = http,https
|
||||||
|
logpath = %(roundcube_errors_log)s
|
||||||
|
# Use following line in your jail.local if roundcube logs to journal.
|
||||||
|
#backend = %(syslog_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[openwebmail]
|
||||||
|
|
||||||
|
port = http,https
|
||||||
|
logpath = /var/log/openwebmail.log
|
||||||
|
|
||||||
|
|
||||||
|
[horde]
|
||||||
|
|
||||||
|
port = http,https
|
||||||
|
logpath = /var/log/horde/horde.log
|
||||||
|
|
||||||
|
|
||||||
|
[groupoffice]
|
||||||
|
|
||||||
|
port = http,https
|
||||||
|
logpath = /home/groupoffice/log/info.log
|
||||||
|
|
||||||
|
|
||||||
|
[sogo-auth]
|
||||||
|
# Monitor SOGo groupware server
|
||||||
|
# without proxy this would be:
|
||||||
|
# port = 20000
|
||||||
|
port = http,https
|
||||||
|
logpath = /var/log/sogo/sogo.log
|
||||||
|
|
||||||
|
|
||||||
|
[tine20]
|
||||||
|
|
||||||
|
logpath = /var/log/tine20/tine20.log
|
||||||
|
port = http,https
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Web Applications
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[drupal-auth]
|
||||||
|
|
||||||
|
port = http,https
|
||||||
|
logpath = %(syslog_daemon)s
|
||||||
|
backend = %(syslog_backend)s
|
||||||
|
|
||||||
|
[guacamole]
|
||||||
|
|
||||||
|
port = http,https
|
||||||
|
logpath = /var/log/tomcat*/catalina.out
|
||||||
|
|
||||||
|
[monit]
|
||||||
|
#Ban clients brute-forcing the monit gui login
|
||||||
|
port = 2812
|
||||||
|
logpath = /var/log/monit
|
||||||
|
|
||||||
|
|
||||||
|
[webmin-auth]
|
||||||
|
|
||||||
|
port = 10000
|
||||||
|
logpath = %(syslog_authpriv)s
|
||||||
|
backend = %(syslog_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[froxlor-auth]
|
||||||
|
|
||||||
|
port = http,https
|
||||||
|
logpath = %(syslog_authpriv)s
|
||||||
|
backend = %(syslog_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# HTTP Proxy servers
|
||||||
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
[squid]
|
||||||
|
|
||||||
|
port = 80,443,3128,8080
|
||||||
|
logpath = /var/log/squid/access.log
|
||||||
|
|
||||||
|
|
||||||
|
[3proxy]
|
||||||
|
|
||||||
|
port = 3128
|
||||||
|
logpath = /var/log/3proxy.log
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# FTP servers
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
[proftpd]
|
||||||
|
|
||||||
|
port = ftp,ftp-data,ftps,ftps-data
|
||||||
|
logpath = %(proftpd_log)s
|
||||||
|
backend = %(proftpd_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[pure-ftpd]
|
||||||
|
|
||||||
|
port = ftp,ftp-data,ftps,ftps-data
|
||||||
|
logpath = %(pureftpd_log)s
|
||||||
|
backend = %(pureftpd_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[gssftpd]
|
||||||
|
|
||||||
|
port = ftp,ftp-data,ftps,ftps-data
|
||||||
|
logpath = %(syslog_daemon)s
|
||||||
|
backend = %(syslog_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[wuftpd]
|
||||||
|
|
||||||
|
port = ftp,ftp-data,ftps,ftps-data
|
||||||
|
logpath = %(wuftpd_log)s
|
||||||
|
backend = %(wuftpd_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[vsftpd]
|
||||||
|
# or overwrite it in jails.local to be
|
||||||
|
# logpath = %(syslog_authpriv)s
|
||||||
|
# if you want to rely on PAM failed login attempts
|
||||||
|
# vsftpd's failregex should match both of those formats
|
||||||
|
port = ftp,ftp-data,ftps,ftps-data
|
||||||
|
logpath = %(vsftpd_log)s
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Mail servers
|
||||||
|
#
|
||||||
|
|
||||||
|
# ASSP SMTP Proxy Jail
|
||||||
|
[assp]
|
||||||
|
|
||||||
|
port = smtp,465,submission
|
||||||
|
logpath = /root/path/to/assp/logs/maillog.txt
|
||||||
|
|
||||||
|
|
||||||
|
[courier-smtp]
|
||||||
|
|
||||||
|
port = smtp,465,submission
|
||||||
|
logpath = %(syslog_mail)s
|
||||||
|
backend = %(syslog_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[postfix]
|
||||||
|
# To use another modes set filter parameter "mode" in jail.local:
|
||||||
|
mode = more
|
||||||
|
port = smtp,465,submission
|
||||||
|
logpath = %(postfix_log)s
|
||||||
|
backend = %(postfix_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[postfix-rbl]
|
||||||
|
|
||||||
|
filter = postfix[mode=rbl]
|
||||||
|
port = smtp,465,submission
|
||||||
|
logpath = %(postfix_log)s
|
||||||
|
backend = %(postfix_backend)s
|
||||||
|
maxretry = 1
|
||||||
|
|
||||||
|
|
||||||
|
[sendmail-auth]
|
||||||
|
|
||||||
|
port = submission,465,smtp
|
||||||
|
logpath = %(syslog_mail)s
|
||||||
|
backend = %(syslog_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[sendmail-reject]
|
||||||
|
# To use more aggressive modes set filter parameter "mode" in jail.local:
|
||||||
|
# normal (default), extra or aggressive
|
||||||
|
# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
|
||||||
|
#mode = normal
|
||||||
|
port = smtp,465,submission
|
||||||
|
logpath = %(syslog_mail)s
|
||||||
|
backend = %(syslog_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[qmail-rbl]
|
||||||
|
|
||||||
|
filter = qmail
|
||||||
|
port = smtp,465,submission
|
||||||
|
logpath = /service/qmail/log/main/current
|
||||||
|
|
||||||
|
|
||||||
|
# dovecot defaults to logging to the mail syslog facility
|
||||||
|
# but can be set by syslog_facility in the dovecot configuration.
|
||||||
|
[dovecot]
|
||||||
|
|
||||||
|
port = pop3,pop3s,imap,imaps,submission,465,sieve
|
||||||
|
logpath = %(dovecot_log)s
|
||||||
|
backend = %(dovecot_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[sieve]
|
||||||
|
|
||||||
|
port = smtp,465,submission
|
||||||
|
logpath = %(dovecot_log)s
|
||||||
|
backend = %(dovecot_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[solid-pop3d]
|
||||||
|
|
||||||
|
port = pop3,pop3s
|
||||||
|
logpath = %(solidpop3d_log)s
|
||||||
|
|
||||||
|
|
||||||
|
[exim]
|
||||||
|
# see filter.d/exim.conf for further modes supported from filter:
|
||||||
|
#mode = normal
|
||||||
|
port = smtp,465,submission
|
||||||
|
logpath = %(exim_main_log)s
|
||||||
|
|
||||||
|
|
||||||
|
[exim-spam]
|
||||||
|
|
||||||
|
port = smtp,465,submission
|
||||||
|
logpath = %(exim_main_log)s
|
||||||
|
|
||||||
|
|
||||||
|
[kerio]
|
||||||
|
|
||||||
|
port = imap,smtp,imaps,465
|
||||||
|
logpath = /opt/kerio/mailserver/store/logs/security.log
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
|
||||||
|
# all relevant ports get banned
|
||||||
|
#
|
||||||
|
|
||||||
|
[courier-auth]
|
||||||
|
|
||||||
|
port = smtp,465,submission,imap,imaps,pop3,pop3s
|
||||||
|
logpath = %(syslog_mail)s
|
||||||
|
backend = %(syslog_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[postfix-sasl]
|
||||||
|
|
||||||
|
filter = postfix[mode=auth]
|
||||||
|
port = smtp,465,submission,imap,imaps,pop3,pop3s
|
||||||
|
# You might consider monitoring /var/log/mail.warn instead if you are
|
||||||
|
# running postfix since it would provide the same log lines at the
|
||||||
|
# "warn" level but overall at the smaller filesize.
|
||||||
|
logpath = %(postfix_log)s
|
||||||
|
backend = %(postfix_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[perdition]
|
||||||
|
|
||||||
|
port = imap,imaps,pop3,pop3s
|
||||||
|
logpath = %(syslog_mail)s
|
||||||
|
backend = %(syslog_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[squirrelmail]
|
||||||
|
|
||||||
|
port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
|
||||||
|
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
|
||||||
|
|
||||||
|
|
||||||
|
[cyrus-imap]
|
||||||
|
|
||||||
|
port = imap,imaps
|
||||||
|
logpath = %(syslog_mail)s
|
||||||
|
backend = %(syslog_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[uwimap-auth]
|
||||||
|
|
||||||
|
port = imap,imaps
|
||||||
|
logpath = %(syslog_mail)s
|
||||||
|
backend = %(syslog_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
#
|
||||||
|
# DNS servers
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
# !!! WARNING !!!
|
||||||
|
# Since UDP is connection-less protocol, spoofing of IP and imitation
|
||||||
|
# of illegal actions is way too simple. Thus enabling of this filter
|
||||||
|
# might provide an easy way for implementing a DoS against a chosen
|
||||||
|
# victim. See
|
||||||
|
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
|
||||||
|
# Please DO NOT USE this jail unless you know what you are doing.
|
||||||
|
#
|
||||||
|
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
|
||||||
|
# This jail blocks UDP traffic for DNS requests.
|
||||||
|
# [named-refused-udp]
|
||||||
|
#
|
||||||
|
# filter = named-refused
|
||||||
|
# port = domain,953
|
||||||
|
# protocol = udp
|
||||||
|
# logpath = /var/log/named/security.log
|
||||||
|
|
||||||
|
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
|
||||||
|
# This jail blocks TCP traffic for DNS requests.
|
||||||
|
|
||||||
|
[named-refused]
|
||||||
|
|
||||||
|
port = domain,953
|
||||||
|
logpath = /var/log/named/security.log
|
||||||
|
|
||||||
|
|
||||||
|
[nsd]
|
||||||
|
|
||||||
|
port = 53
|
||||||
|
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
|
||||||
|
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
|
||||||
|
logpath = /var/log/nsd.log
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Miscellaneous
|
||||||
|
#
|
||||||
|
|
||||||
|
[asterisk]
|
||||||
|
|
||||||
|
port = 5060,5061
|
||||||
|
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
|
||||||
|
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
|
||||||
|
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
|
||||||
|
logpath = /var/log/asterisk/messages
|
||||||
|
maxretry = 10
|
||||||
|
|
||||||
|
|
||||||
|
[freeswitch]
|
||||||
|
|
||||||
|
port = 5060,5061
|
||||||
|
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
|
||||||
|
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
|
||||||
|
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
|
||||||
|
logpath = /var/log/freeswitch.log
|
||||||
|
maxretry = 10
|
||||||
|
|
||||||
|
|
||||||
|
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
|
||||||
|
# equivalent section:
|
||||||
|
# log-warning = 2
|
||||||
|
#
|
||||||
|
# for syslog (daemon facility)
|
||||||
|
# [mysqld_safe]
|
||||||
|
# syslog
|
||||||
|
#
|
||||||
|
# for own logfile
|
||||||
|
# [mysqld]
|
||||||
|
# log-error=/var/log/mysqld.log
|
||||||
|
[mysqld-auth]
|
||||||
|
|
||||||
|
port = 3306
|
||||||
|
logpath = %(mysql_log)s
|
||||||
|
backend = %(mysql_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
|
||||||
|
[mongodb-auth]
|
||||||
|
# change port when running with "--shardsvr" or "--configsvr" runtime operation
|
||||||
|
port = 27017
|
||||||
|
logpath = /var/log/mongodb/mongodb.log
|
||||||
|
|
||||||
|
|
||||||
|
# Jail for more extended banning of persistent abusers
|
||||||
|
# !!! WARNINGS !!!
|
||||||
|
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
|
||||||
|
# is not at DEBUG level -- which might then cause fail2ban to fall into
|
||||||
|
# an infinite loop constantly feeding itself with non-informative lines
|
||||||
|
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
|
||||||
|
# to maintain entries for failed logins for sufficient amount of time
|
||||||
|
[recidive]
|
||||||
|
|
||||||
|
logpath = /var/log/fail2ban.log
|
||||||
|
banaction = %(banaction_allports)s
|
||||||
|
bantime = 1w
|
||||||
|
findtime = 1d
|
||||||
|
|
||||||
|
|
||||||
|
# Generic filter for PAM. Has to be used with action which bans all
|
||||||
|
# ports such as iptables-allports, shorewall
|
||||||
|
|
||||||
|
[pam-generic]
|
||||||
|
# pam-generic filter can be customized to monitor specific subset of 'tty's
|
||||||
|
banaction = %(banaction_allports)s
|
||||||
|
logpath = %(syslog_authpriv)s
|
||||||
|
backend = %(syslog_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[xinetd-fail]
|
||||||
|
|
||||||
|
banaction = iptables-multiport-log
|
||||||
|
logpath = %(syslog_daemon)s
|
||||||
|
backend = %(syslog_backend)s
|
||||||
|
maxretry = 2
|
||||||
|
|
||||||
|
|
||||||
|
# stunnel - need to set port for this
|
||||||
|
[stunnel]
|
||||||
|
|
||||||
|
logpath = /var/log/stunnel4/stunnel.log
|
||||||
|
|
||||||
|
|
||||||
|
[ejabberd-auth]
|
||||||
|
|
||||||
|
port = 5222
|
||||||
|
logpath = /var/log/ejabberd/ejabberd.log
|
||||||
|
|
||||||
|
|
||||||
|
[counter-strike]
|
||||||
|
|
||||||
|
logpath = /opt/cstrike/logs/L[0-9]*.log
|
||||||
|
# Firewall: http://www.cstrike-planet.com/faq/6
|
||||||
|
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
|
||||||
|
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
|
||||||
|
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
|
||||||
|
%(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
|
||||||
|
|
||||||
|
# consider low maxretry and a long bantime
|
||||||
|
# nobody except your own Nagios server should ever probe nrpe
|
||||||
|
[nagios]
|
||||||
|
|
||||||
|
logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
|
||||||
|
backend = %(syslog_backend)s
|
||||||
|
maxretry = 1
|
||||||
|
|
||||||
|
|
||||||
|
[oracleims]
|
||||||
|
# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
|
||||||
|
logpath = /opt/sun/comms/messaging64/log/mail.log_current
|
||||||
|
banaction = %(banaction_allports)s
|
||||||
|
|
||||||
|
[directadmin]
|
||||||
|
logpath = /var/log/directadmin/login.log
|
||||||
|
port = 2222
|
||||||
|
|
||||||
|
[portsentry]
|
||||||
|
logpath = /var/lib/portsentry/portsentry.history
|
||||||
|
maxretry = 1
|
||||||
|
|
||||||
|
[pass2allow-ftp]
|
||||||
|
# this pass2allow example allows FTP traffic after successful HTTP authentication
|
||||||
|
port = ftp,ftp-data,ftps,ftps-data
|
||||||
|
# knocking_url variable must be overridden to some secret value in jail.local
|
||||||
|
knocking_url = /knocking/
|
||||||
|
filter = apache-pass[knocking_url="%(knocking_url)s"]
|
||||||
|
# access log of the website with HTTP auth
|
||||||
|
logpath = %(apache_access_log)s
|
||||||
|
blocktype = RETURN
|
||||||
|
returntype = DROP
|
||||||
|
action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s]
|
||||||
|
bantime = 1h
|
||||||
|
maxretry = 1
|
||||||
|
findtime = 1
|
||||||
|
|
||||||
|
|
||||||
|
[murmur]
|
||||||
|
# AKA mumble-server
|
||||||
|
port = 64738
|
||||||
|
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
|
||||||
|
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
|
||||||
|
logpath = /var/log/mumble-server/mumble-server.log
|
||||||
|
|
||||||
|
|
||||||
|
[screensharingd]
|
||||||
|
# For Mac OS Screen Sharing Service (VNC)
|
||||||
|
logpath = /var/log/system.log
|
||||||
|
logencoding = utf-8
|
||||||
|
|
||||||
|
[haproxy-http-auth]
|
||||||
|
# HAProxy by default doesn't log to file you'll need to set it up to forward
|
||||||
|
# logs to a syslog server which would then write them to disk.
|
||||||
|
# See "haproxy-http-auth" filter for a brief cautionary note when setting
|
||||||
|
# maxretry and findtime.
|
||||||
|
logpath = /var/log/haproxy.log
|
||||||
|
|
||||||
|
[slapd]
|
||||||
|
port = ldap,ldaps
|
||||||
|
logpath = /var/log/slapd.log
|
||||||
|
|
||||||
|
[domino-smtp]
|
||||||
|
port = smtp,ssmtp
|
||||||
|
logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
|
||||||
|
|
||||||
|
[phpmyadmin-syslog]
|
||||||
|
port = http,https
|
||||||
|
logpath = %(syslog_authpriv)s
|
||||||
|
backend = %(syslog_backend)s
|
||||||
|
|
||||||
|
|
||||||
|
[zoneminder]
|
||||||
|
# Zoneminder HTTP/HTTPS web interface auth
|
||||||
|
# Logs auth failures to apache2 error log
|
||||||
|
port = http,https
|
||||||
|
logpath = %(apache_error_log)s
|
||||||
|
|
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue