the push

README.md

@@ -0,0 +1,27 @@
+# ANSIBLE
+
+## PRINCIPE
+
+Ansible est un outils de configuration de machines.
+Ici il est utilisé pour se connecter au nouveau server où nous allons reinstaller la stack production du Garage.
+
+## INSTALLATION
+
+```bash
+python3 -m pip install --user ansible
+python3 -m pip install --user ansible-core
+#python3 -m pip install --user ansible-core==2.13.3 # (pour choisir une version spécifique)
+```
+
+## USAGE
+
+- Seul:
+```bash
+ansible -i inventory playbook.yml
+```
+
+- Avec Vagrant:
+```bash
+vagrant provision
+```
+> Nécessite une Vagrantfile!

Vagrantfile

@@ -0,0 +1,33 @@
+VAGRANTFILE_API_VERSION = "2"
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+  # General Vagrant VM configuration.
+  # All VMs will run under centos7 exploitation system
+  config.vm.box = "debian/bullseye64"
+  # If true, Vagrant will automatically insert a keypair
+  # to use for SSH, replacing Vagrant's default insecure key
+  # inside the machine if detected. By default, this is true
+  config.ssh.insert_key = false
+  # Configures synced folders on the machine, so that folders
+  # on your host machine can be synced to and from the guest machine
+  config.vm.synced_folder ".", "/vagrant", disabled: true
+  # VM Provider
+  config.vm.provider :virtualbox do |v|
+  v.memory = 1024
+  v.linked_clone = true
+  end
+
+  # new server
+  config.vm.define "newserver" do |newserver|
+    newserver.vm.hostname = "newserver.dev"
+    # static ip address
+    #newserver.vm.network :private_network, ip: "192.168.56.10"
+    newserver.vm.network :public_network, ip: "192.168.1.201"
+  config.vm.provision "ansible" do |ansible|
+    ansible.playbook= "./playbook.yml"
+    ansible.inventory_path="./inventory"
+    ansible.limit="newserver"
+    end
+
+  end
+
+end

fail2ban-conf/filter.d/3proxy.conf

@@ -0,0 +1,20 @@
+# Fail2Ban filter for 3proxy
+#
+#
+
+[Definition]
+
+
+failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ <HOST>:\d+ [\d.]+:\d+ \d+ \d+ \d+\s
+
+ignoreregex = 
+
+datepattern = {^LN-BEG}
+
+# DEV Notes:
+# http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
+# all authentication problems (%E field)
+# Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
+#
+# Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
+# Author: Daniel Black

fail2ban-conf/filter.d/apache-auth.conf

@@ -0,0 +1,71 @@
+# Fail2Ban apache-auth filter
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# apache-common.local
+before = apache-common.conf
+
+[Definition]
+
+# Mode for filter: normal (default) and aggressive (allows DDoS & brute force detection of mod_evasive)
+mode = normal
+
+# ignore messages of mod_evasive module:
+apache-pref-ign-normal = (?!evasive)
+# allow "denied by server configuration" from all modules:
+apache-pref-ign-aggressive =
+# mode related ignore prefix for common _apache_error_client substitution:
+apache-pref-ignore = <apache-pref-ign-<mode>>
+
+prefregex = ^%(_apache_error_client)s (?:AH\d+: )?<F-CONTENT>.+</F-CONTENT>$
+
+# auth_type = ((?:Digest|Basic): )?
+auth_type = ([A-Z]\w+: )?
+
+failregex = ^client (?:denied by server configuration|used wrong authentication scheme)\b
+            ^user (?!`)<F-USER>(?:\S*|.*?)</F-USER> (?:auth(?:oriz|entic)ation failure|not found|denied by provider)\b
+            ^Authorization of user <F-USER>(?:\S*|.*?)</F-USER> to access .*? failed\b
+            ^%(auth_type)suser <F-USER>(?:\S*|.*?)</F-USER>: password mismatch\b
+            ^%(auth_type)suser `<F-USER>(?:[^']*|.*?)</F-USER>' in realm `.+' (auth(?:oriz|entic)ation failure|not found|denied by provider)\b
+            ^%(auth_type)sinvalid nonce .* received - length is not\b
+            ^%(auth_type)srealm mismatch - got `(?:[^']*|.*?)' but expected\b
+            ^%(auth_type)sunknown algorithm `(?:[^']*|.*?)' received\b
+            ^invalid qop `(?:[^']*|.*?)' received\b
+            ^%(auth_type)sinvalid nonce .*? received - user attempted time travel\b
+            ^(?:No h|H)ostname \S+ provided via SNI(?:, but no hostname provided| and hostname \S+ provided| for a name based virtual host)\b
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# This filter matches the authorization failures of Apache. It takes the log messages
+# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
+# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
+#
+# An unauthorized response 401 is the first step for a browser to instigate authentication
+# however apache doesn't log this as an error. Only subsequent errors are logged in the 
+# error log.
+#
+# Source:
+#
+# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
+# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get
+# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
+# to return the actual failure.
+#
+# Note that URI can contain spaces.
+#
+# See also: http://wiki.apache.org/httpd/ListOfErrors
+# Expressions that don't have tests and aren't common.
+# more be added with  https://issues.apache.org/bugzilla/show_bug.cgi?id=55284 
+#     ^user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
+#     ^user .*: one-time-nonce mismatch - sending new nonce\s*$
+#     ^realm mismatch - got `(?:[^']*|.*?)' but no realm specified\s*$
+#
+# Because url/referer are foreign input, short form of regex used if long enough to idetify failure.
+# 
+# Author: Cyril Jaquier
+# Major edits by Daniel Black and Ben Rubson.
+# Rewritten for v.0.10 by Sergey Brester (sebres).

fail2ban-conf/filter.d/apache-badbots.conf

@@ -0,0 +1,24 @@
+# Fail2Ban configuration file
+#
+# Regexp to catch known spambots and software alike. Please verify
+# that it is your intent to block IPs which were driven by
+# above mentioned bots.
+
+
+[Definition]
+
+badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|(?:Mozilla/\d+\.\d+ )?Jorgee
+badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
+
+failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
+
+ignoreregex =
+
+datepattern = ^[^\[]*\[({DATE})
+              {^LN-BEG}
+
+# DEV Notes:
+# List of bad bots fetched from http://www.user-agents.org
+# Generated on Thu Nov  7 14:23:35 PST 2013 by files/gen_badbots.
+#
+# Author: Yaroslav Halchenko

fail2ban-conf/filter.d/apache-botsearch.conf

@@ -0,0 +1,39 @@
+# Fail2Ban filter to match web requests for selected URLs that don't exist
+#
+# This filter is aimed at blocking specific URLs that don't exist. This
+# could be a set of URLs places in a Disallow: directive in robots.txt or
+# just some web services that don't exist caused bots are searching for
+# exploitable content. This filter is designed to have a low false positive
+# rate due.
+#
+# An alternative to this is the apache-noscript filter which blocks all
+# types of scripts that don't exist.
+#
+#
+# This is normally a predefined list of exploitable or valuable web services
+# that are hidden or aren't actually installed.
+#
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+# Load regexes for filtering from botsearch-common.conf
+before = apache-common.conf
+         botsearch-common.conf
+
+[Definition]
+
+prefregex = ^%(_apache_error_client)s (?:AH\d+: )?<F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^(?:File does not exist|script not found or unable to stat): <webroot><block>(, referer: \S+)?\s*$
+            ^script '<webroot><block>' not found or unable to stat(, referer: \S+)?\s*$
+
+ignoreregex = 
+
+# Webroot represents the webroot on which all other files are based
+webroot = /var/www/
+
+
+# DEV Notes:
+#
+# Author: Daniel Black

fail2ban-conf/filter.d/apache-common.conf

@@ -0,0 +1,44 @@
+# Generic configuration items (to be used as interpolations) in other
+# apache filters.
+
+[INCLUDES]
+
+before = common.conf
+# Load customizations if any available
+after = apache-common.local
+
+[DEFAULT]
+
+# Apache logging mode:
+#   all - universal prefix (logfile, syslog)
+#   logfile - logfile only
+#   syslog - syslog only
+# Use `filter = apache-auth[logging=syslog]` to get more precise regex if apache logs into syslog (ErrorLog syslog).
+# Use `filter = apache-auth[logging=all]` to get universal regex matches both logging variants.
+logging = logfile
+
+# Apache logging prefixes (date-pattern prefix, server, process etc.):
+apache-prefix-syslog = %(__prefix_line)s
+apache-prefix-logfile = \[\]\s
+apache-prefix-all = (?:%(apache-prefix-logfile)s|%(apache-prefix-syslog)s)?
+
+# Setting for __prefix_line (only `logging=syslog`):
+_daemon = (?:apache\d*|httpd(?:/\w+)?)
+
+apache-prefix = <apache-prefix-<logging>>
+
+apache-pref-ignore =
+
+_apache_error_client = <apache-prefix>\[(:?error|<apache-pref-ignore>\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]
+
+datepattern = {^LN-BEG}
+
+# Common prefix for [error] apache messages which also would include <HOST>
+# Depending on the version it could be
+# 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4]
+# 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652]
+# 2.4 (perfork): [Mon Dec 23 07:49:01.981912 2013] [:error] [pid 3790] [client 204.232.202.107:46301] script '/var/www/timthumb.php' not found or unable to 
+#
+# Reference: https://github.com/fail2ban/fail2ban/issues/268
+#
+# Author: Yaroslav Halchenko

fail2ban-conf/filter.d/apache-fakegooglebot.conf

@@ -0,0 +1,16 @@
+# Fail2Ban filter for fake Googlebot User Agents
+
+[Definition]
+
+failregex = ^<HOST> .*Googlebot.*$
+
+ignoreregex =
+
+datepattern = ^[^\[]*\[({DATE})
+              {^LN-BEG}
+
+# DEV Notes:
+#
+# Author: Lee Clemens
+# Thanks: Johannes B. Ullrich, Ph.D.
+# Reference: https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/

fail2ban-conf/filter.d/apache-modsecurity.conf

@@ -0,0 +1,19 @@
+# Fail2Ban apache-modsec filter
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# apache-common.local
+before = apache-common.conf
+
+[Definition]
+
+
+failregex = ^%(_apache_error_client)s(?: \[client [^\]]+\])? ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d
+
+ignoreregex = 
+
+# https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats
+# Author: Daniel Black
+#         Sergey G. Brester aka sebres (review, optimization)

fail2ban-conf/filter.d/apache-nohome.conf

@@ -0,0 +1,20 @@
+# Fail2Ban filter to web requests for home directories on Apache servers
+#
+# Regex to match failures to find a home directory on a server, which
+# became popular last days. Most often attacker just uses IP instead of
+# domain name -- so expect to see them in generic error.log if you have
+# per-domain log files.
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+
+failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.*
+
+ignoreregex = 
+
+# Author: Yaroslav O. Halchenko <debian@onerussian.com>

fail2ban-conf/filter.d/apache-noscript.conf

@@ -0,0 +1,37 @@
+# Fail2Ban filter to block web requests for scripts (on non scripted websites)
+#
+# This matches many types of scripts that don't exist. This could generate a
+# lot of false positive matches in cases like wikis and forums where users
+# no affiliated with the website can insert links to missing files/scripts into
+# pages and cause non-malicious browsers of the site to trigger against this
+# filter.
+#
+# If you'd like to match specific URLs that don't exist see the
+# apache-botsearch filter.
+#
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/)
+
+prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?:(?:[Ff]ile|script|[Gg]ot) )<F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^(?:does not exist|not found or unable to stat): <script>\b
+            ^'<script>\S*' not found or unable to stat
+            ^error '[Pp]rimary script unknown(?:\\n)?'
+
+ignoreregex = 
+
+
+# DEV Notes:
+#
+# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
+#
+# Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is in httpd-2.2
+#
+# Author: Cyril Jaquier

fail2ban-conf/filter.d/apache-overflows.conf

@@ -0,0 +1,40 @@
+# Fail2Ban filter to block web requests on a long or suspicious nature
+#
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^%(_apache_error_client)s (?:(?:AH0013[456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
+
+ignoreregex =
+
+# DEV Notes:
+#
+# [sebres] Because this apache-log could contain very long URLs (and/or referrer), 
+#          the parsing of it anchored way may be very vulnerable (at least as regards 
+#          the system resources, see gh-1790). Thus rewritten without end-anchor ($).
+# 
+# fgrep -r 'URI too long' httpd-2.*
+#   httpd-2.2.25/server/protocol.c:                          "request failed: URI too long (longer than %d)", r->server->limit_req_line);
+#   httpd-2.4.4/server/protocol.c:                              "request failed: URI too long (longer than %d)",
+#
+# fgrep -r 'in request' ../httpd-2.* | fgrep Invalid
+#   httpd-2.2.25/server/core.c:                     "Invalid URI in request %s", r->the_request);
+#   httpd-2.2.25/server/core.c:                          "Invalid method in request %s", r->the_request);
+#   httpd-2.2.25/docs/manual/rewrite/flags.html.fr:avertissements 'Invalid URI in request'.
+#   httpd-2.4.4/server/core.c:                     "Invalid URI in request %s", r->the_request);
+#   httpd-2.4.4/server/core.c:                              "Invalid method in request %s - possible attempt to establish SSL connection on non-SSL port", r->the_request);
+#   httpd-2.4.4/server/core.c:                              "Invalid method in request %s", r->the_request);
+#
+# fgrep -r 'invalid characters in URI' httpd-2.*
+#   httpd-2.4.4/server/protocol.c:                              "request failed: invalid characters in URI");
+#
+# http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=739382&r2=739620&pathrev=739620
+#   ...possible attempt to establish SSL connection on non-SSL port
+#
+# https://wiki.apache.org/httpd/ListOfErrors
+# Author: Tim Connors

fail2ban-conf/filter.d/apache-pass.conf

@@ -0,0 +1,19 @@
+# Fail2Ban Apache pass filter
+# This filter is for access.log, NOT for error.log
+#
+# The knocking request must have a referer.
+
+[Definition]
+
+failregex = ^<HOST> - \w+ \[\] "GET <knocking_url> HTTP/1\.[01]" 200 \d+ ".*" "[^-].*"$
+
+ignoreregex =
+
+datepattern = ^[^\[]*\[({DATE})
+              {^LN-BEG}
+
+[Init]
+
+knocking_url = /knocking/
+
+# Author: Viktor Szépe

fail2ban-conf/filter.d/apache-shellshock.conf

@@ -0,0 +1,28 @@
+# Fail2Ban filter to block web requests containing custom headers attempting to exploit the shellshock bug
+#
+#
+
+[INCLUDES]
+
+# overwrite with apache-common.local if _apache_error_client is incorrect.
+before = apache-common.conf
+
+[Definition]
+
+prefregex = ^%(_apache_error_client)s (AH01215: )?/bin/([bd]a)?sh: <F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^warning: HTTP_[^:]+: ignoring function definition attempt(, referer: \S+)?\s*$
+            ^error importing function definition for `HTTP_[^']+'(, referer: \S+)?\s*$
+
+ignoreregex = 
+
+
+# DEV Notes:
+#
+# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
+#
+# example log lines: 
+# [Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt
+# [Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST'
+#
+# Author: Eugene Hopkinson (e.hopkinson@gmail.com)

fail2ban-conf/filter.d/assp.conf

@@ -0,0 +1,46 @@
+# Fail2Ban filter for Anti-Spam SMTP Proxy Server (ASSP)
+#    Filter works in theory for both ASSP V1 and V2. Recommended ASSP is V2.5.1 or later.
+#    Support for ASSP V1 ended in 2014 so if you are still running ASSP V1 an immediate upgrade is recommended.
+#
+#    Homepage:    http://sourceforge.net/projects/assp/
+#    ProjectSite: http://sourceforge.net/projects/assp/?source=directory
+#
+#
+
+[Definition] 
+# Note: First three failregex matches below are for ASSP V1 with the remaining being designed for V2. Deleting the V1 regex is recommended but I left it in for compatibility reasons.
+
+__assp_actions = (?:dropping|refusing)
+
+failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
+			^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
+			^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
+			^\s*(?:[\w\-]+\s+)*(?:\[\S+\]\s+)*<HOST> (?:\<\S+@\S+\.\S+\> )*(?:to: \S+@\S+\.\S+ )*relay attempt blocked for(?: \(parsing\))?: \S+$
+			^\s*(?:[\w\-]+\s+)*(?:\[\S+\]\s+)*<HOST> \[SMTP Error\] 535 5\.7\.8 Error: authentication failed:\s+(?:\S+|Connection lost to authentication server|Invalid authentication mechanism|Invalid base64 data in continued response)?$
+
+ignoreregex = 
+
+datepattern = {^LN-BEG}%%b-%%d-%%Exy %%H:%%M:%%S
+              {^LN-BEG}
+
+# DEV Notes:
+# V1 Examples matches:
+#   Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
+#   Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
+#   Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded 
+#
+# V2 Examples matches:
+#   Jul-29-16 16:49:52 m1-25391-06124 [Worker_1] [TLS-out] [RelayAttempt] 0.0.0.0 <user@example.com> to: user@example.org relay attempt blocked for: someone@example.org
+#   Jul-30-16 16:59:42 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
+#   Jul-30-16 00:15:36 m1-52131-09651 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
+#   Jul-31-16 06:45:59 [Worker_1] [TLS-in] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed:
+#   Jan-05-16 08:38:49 m1-01129-09140 [Worker_1] [TLS-in] [TLS-out] [RelayAttempt] 0.0.0.0 <user@example.com> relay attempt blocked for (parsing): <user2@example>
+#   Jun-12-16 16:43:37 m1-64217-12013 [Worker_1] [TLS-in] [TLS-out] [RelayAttempt] 0.0.0.0 <user@example.com> to: user2@example.com relay attempt blocked for (parsing): <a.notheruser69@example.c>
+#   Jan-22-16 22:25:51 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Invalid authentication mechanism
+#   Mar-19-16 13:42:20 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Invalid base64 data in continued response
+#   Jul-18-16 16:54:21 [Worker_2] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Connection lost to authentication server
+#   Jul-18-16 17:14:23 m1-76453-02949 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Connection lost to authentication server
+
+#
+# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
+# V2 Filters: Robert Hardy (rhardy@webcon.ca)

fail2ban-conf/filter.d/asterisk.conf

@@ -0,0 +1,55 @@
+# Fail2Ban filter for asterisk authentication failures
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = asterisk
+
+__pid_re = (?:\s*\[\d+\])
+
+iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
+
+# All Asterisk log messages begin like this:
+log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])?:? [^:]+:\d*(?:(?: in)? [^:]+:)?
+
+prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
+            ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
+            ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
+            ^No registration for peer '[^']*' \(from <HOST>\)$
+            ^hacking attempt detected '<HOST>'$
+            ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/[^/"]+/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
+            ^"Rejecting unknown SIP connection from <HOST>(?::\d+)?"$
+            ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
+
+# FreePBX (todo: make optional in v.0.10):
+#            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}
+
+# Author: Xavier Devlamynck / Daniel Black
+#
+# General log format - main/logger.c:ast_log
+# Address format - ast_sockaddr_stringify
+#
+# First regex: channels/chan_sip.c
+#
+# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog
+
+journalmatch = _SYSTEMD_UNIT=asterisk.service
+
+
+[lt_journal]
+
+# asterisk can log timestamp if logs into systemd-journal (optional part matching this timestamp, gh-2383):
+__extra_timestamp = (?:\[[^\]]+\]\s+)?
+__prefix_line = %(known/__prefix_line)s%(__extra_timestamp)s

fail2ban-conf/filter.d/bitwarden.conf

@@ -0,0 +1,13 @@
+# Fail2Ban filter for Bitwarden
+# Detecting failed login attempts
+# Logged in bwdata/logs/identity/Identity/log.txt
+
+[INCLUDES]
+before = common.conf
+
+[Definition]
+_daemon = Bitwarden-Identity
+failregex = ^%(__prefix_line)s\s*\[(?:W(?:RN|arning)|Bit\.Core\.[^\]]+)\]\s+Failed login attempt(?:, 2FA invalid)?\. <ADDR>$
+
+# DEV Notes:
+# __prefix_line can result to an empty string, so it can support syslog and non-syslog at once.

fail2ban-conf/filter.d/botsearch-common.conf

@@ -0,0 +1,19 @@
+# Generic configuration file for -botsearch filters
+
+[Init]
+
+# Block is the actual non-found directories to block
+block = \/?(<webmail>|<phpmyadmin>|<wordpress>|cgi-bin|mysqladmin)[^,]*
+
+# These are just convenient definitions that assist the blocking of stuff that 
+# isn't installed
+webmail = roundcube|(ext)?mail|horde|(v-?)?webmail
+
+phpmyadmin = (typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin)
+
+wordpress = wp-(login|signup|admin)\.php
+
+# DEV Notes:
+# Taken from apache-botsearch filter
+# 
+# Author: Frantisek Sumsal

fail2ban-conf/filter.d/centreon.conf

@@ -0,0 +1,9 @@
+# Fail2Ban filter for Centreon Web
+# Detecting unauthorized access to the Centreon Web portal
+# typically logged in /var/log/centreon/login.log
+
+[Init]
+datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
+
+[Definition]
+failregex = ^(?:\|-?\d+){3}\|\[[^\]]*\] \[<HOST>\] Authentication failed for '<F-USER>[^']+</F-USER>'

fail2ban-conf/filter.d/common.conf

@@ -0,0 +1,89 @@
+# Generic configuration items (to be used as interpolations) in other
+# filters  or actions configurations
+#
+
+[INCLUDES]
+
+# Load customizations if any available
+after = common.local
+
+
+[DEFAULT]
+
+# Type of log-file resp. log-format (file, short, journal, rfc542):
+logtype = file
+
+# Daemon definition is to be specialized (if needed) in .conf file
+_daemon = \S*
+
+#
+# Shortcuts for easier comprehension of the failregex
+#
+# PID.
+# EXAMPLES: [123]
+__pid_re = (?:\[\d+\])
+
+# Daemon name (with optional source_file:line or whatever)
+# EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix)
+__daemon_re = [\[\(]?<_daemon>(?:\(\S+\))?[\]\)]?:?
+
+# extra daemon info
+# EXAMPLE: [ID 800047 auth.info]
+__daemon_extra_re = \[ID \d+ \S+\]
+
+# Combinations of daemon name and PID
+# EXAMPLES: sshd[31607], pop(pam_unix)[4920]
+__daemon_combs_re = (?:<__pid_re>?:\s+<__daemon_re>|<__daemon_re><__pid_re>?:?)
+
+# Some messages have a kernel prefix with a timestamp
+# EXAMPLES: kernel: [769570.846956]
+__kernel_prefix = kernel:\s?\[ *\d+\.\d+\]:?
+
+__hostname = \S+
+
+# A MD5 hex
+# EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f
+__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
+
+# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
+# <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
+__bsd_syslog_verbose = <[^.]+\.[^.]+>
+
+__vserver = @vserver_\S+
+
+__date_ambit = (?:\[\])
+
+# Common line prefixes (beginnings) which could be used in filters
+#
+#      [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
+#
+# This can be optional (for instance if we match named native log files)
+__prefix_line = <lt_<logtype>/__prefix_line>
+
+# PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss,
+# pam_ldap
+__pam_auth = pam_unix
+
+# standardly all formats using prefix have line-begin anchored date:
+datepattern = <lt_<logtype>/datepattern>
+
+[lt_file]
+# Common line prefixes for logtype "file":
+__prefix_line = <__date_ambit>?\s*(?:<__bsd_syslog_verbose>\s+)?(?:<__hostname>\s+)?(?:<__kernel_prefix>\s+)?(?:<__vserver>\s+)?(?:<__daemon_combs_re>\s+)?(?:<__daemon_extra_re>\s+)?
+datepattern = {^LN-BEG}
+
+[lt_short]
+# Common (short) line prefix for logtype "journal" (corresponds output of formatJournalEntry):
+__prefix_line = \s*(?:<__hostname>\s+)?(?:<_daemon><__pid_re>?:?\s+)?(?:<__kernel_prefix>\s+)?
+datepattern = %(lt_file/datepattern)s
+[lt_journal]
+__prefix_line = %(lt_short/__prefix_line)s
+datepattern = %(lt_short/datepattern)s
+
+[lt_rfc5424]
+# RFC 5424 log-format, see gh-2309:
+#__prefix_line = \s*<__hostname> <__daemon_re> \d+ \S+ \S+\s+
+__prefix_line = \s*<__hostname> <__daemon_re> \d+ \S+ (?:[^\[\]\s]+|(?:\[(?:[^\]"]*|"[^"]*")*\])+)\s+
+datepattern = ^<\d+>\d+\s+{DATE}
+
+# Author: Yaroslav Halchenko, Sergey G. Brester (aka sebres)

fail2ban-conf/filter.d/counter-strike.conf

@@ -0,0 +1,15 @@
+# Fail2Ban filter for failure attempts in Counter Strike-1.6
+#
+#
+
+[Definition]
+
+failregex = ^: Bad Rcon: "rcon \d+ "\S+"  sv_contact ".*?"" from "<HOST>:\d+"$
+
+ignoreregex =
+
+datepattern = ^L %%d/%%m/%%Y - %%H:%%M:%%S
+
+
+# Author: Daniel Black
+

fail2ban-conf/filter.d/courier-auth.conf

@@ -0,0 +1,21 @@
+# Fail2Ban filter for courier authentication failures
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?
+
+failregex = ^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\]$
+
+ignoreregex = 
+
+datepattern = {^LN-BEG}
+
+# Author: Christoph Haas
+# Modified by: Cyril Jaquier

fail2ban-conf/filter.d/courier-smtp.conf

@@ -0,0 +1,22 @@
+# Fail2Ban filter to block relay attempts though a Courier smtp server
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = courieresmtpd
+
+prefregex = ^%(__prefix_line)serror,relay=<HOST>,(?:port=\d+,)?<F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^[^:]*: 550 User (<.*> )?unknown\.?$
+            ^msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?(?: \S+)$
+
+ignoreregex = 
+
+# Author: Cyril Jaquier

fail2ban-conf/filter.d/cyrus-imap.conf

@@ -0,0 +1,20 @@
+# Fail2Ban filter for authentication failures on Cyrus imap server
+#
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = (?:cyrus/)?(?:imap(d|s)?|pop3(d|s)?)
+
+failregex = ^%(__prefix_line)sbadlogin: [^\[]*\[<HOST>\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$
+
+ignoreregex = 
+
+# Author: Jan Wagner <waja@cyconet.org>

fail2ban-conf/filter.d/directadmin.conf

@@ -0,0 +1,22 @@
+# Fail2Ban configuration file for Directadmin
+#
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex = ^: \'<HOST>\' \d{1,3} failed login attempt(s)?. \s*
+
+ignoreregex = 
+
+datepattern = ^%%Y:%%m:%%d-%%H:%%M:%%S
+
+#
+# Requires Directadmin v1.45.3 or higher. http://www.directadmin.com/features.php?id=1590
+#
+# Author: Cyril Roos
+

fail2ban-conf/filter.d/domino-smtp.conf

@@ -0,0 +1,50 @@
+# Fail2Ban configuration file for IBM Domino SMTP Server TASK to detect failed login attempts
+#
+# Author: Christian Brandlehner
+#
+# $Revision: 003 $
+#
+# Configuration:
+# Set the following Domino Server parameters in notes.ini:
+#       console_log_enabled=1
+#       log_sessions=2
+# You also have to use a date and time format supported by fail2ban. Recommended notes.ini configuration is:
+#       DateOrder=DMY
+#       DateSeparator=-
+#       ClockType=24_Hour
+#       TimeSeparator=:
+#
+# Depending on your locale you might have to tweak the date and time format so fail2ban can read the log
+
+#[INCLUDES]
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+#before = common.conf
+
+[Definition]
+# Option:  failregex
+# Notes.:  regex to match the password failure messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>\S+)
+# Values:  TEXT
+#
+# Sample log entries (used different time formats and an extra sample with process info in front of date)
+# 01-23-2009 19:54:51   SMTP Server: Authentication failed for user postmaster ; connecting host 1.2.3.4
+# [28325:00010-3735542592] 22-06-2014 09:56:12   smtp: postmaster [1.2.3.4] authentication failure using internet password
+# 08-09-2014 06:14:27   smtp: postmaster [1.2.3.4] authentication failure using internet password
+# 08-09-2014 06:14:27   SMTP Server: Authentication failed for user postmaster ; connecting host 1.2.3.4
+
+__prefix = (?:\[[^\]]+\])?\s*
+__opt_data = (?::|\s+\[[^\]]+\])
+failregex = ^%(__prefix)sSMTP Server%(__opt_data)s Authentication failed for user .*? \; connecting host \[?<HOST>\]?$
+            ^%(__prefix)ssmtp: (?:[^\[]+ )*\[?<HOST>\]? authentication failure using internet password\s*$
+            ^%(__prefix)sSMTP Server%(__opt_data)s Connection from \[?<HOST>\]? rejected for policy reasons\.
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+
+ignoreregex =
+

fail2ban-conf/filter.d/dovecot.conf

@@ -0,0 +1,47 @@
+# Fail2Ban filter Dovecot authentication and pop3/imap server
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_auth_worker = (?:dovecot: )?auth(?:-worker)?
+_daemon = (?:dovecot(?:-auth)?|auth)
+
+prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
+            ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
+            ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
+            ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)
+            <mdre-<mode>>
+
+mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
+
+mdre-normal = 
+
+# Parameter `mode` - `normal` or `aggressive`.
+# Aggressive mode can be used to match log-entries like:
+#   'no auth attempts', 'disconnected before auth was ready', 'client didn't finish SASL auth'.
+# Note it may produce lots of false positives on misconfigured MTAs.
+# Ex.:
+# filter = dovecot[mode=aggressive]
+mode = normal
+
+ignoreregex = 
+
+journalmatch = _SYSTEMD_UNIT=dovecot.service
+
+datepattern = {^LN-BEG}TAI64N
+              {^LN-BEG}
+
+# DEV Notes:
+# * the first regex is essentially a copy of pam-generic.conf
+# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
+#
+# Author: Martin Waschbuesch
+#         Daniel Black (rewrote with begin and end anchors)
+#         Martin O'Neal (added LDAP authentication failure regex)
+#         Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)

fail2ban-conf/filter.d/dropbear.conf

@@ -0,0 +1,50 @@
+# Fail2Ban filter for dropbear
+#
+# NOTE: The regex below is ONLY intended to work with a patched
+# version of Dropbear as described here:
+# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
+#            ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
+#
+# The standard Dropbear output doesn't provide enough information to
+# ban all types of attack.  The Dropbear patch adds IP address
+# information to the 'exit before auth' message which is always
+# produced for any form of non-successful login. It is that message
+# which this file matches.
+#
+# More information: http://bugs.debian.org/546913
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = dropbear
+
+prefregex = ^%(__prefix_line)s<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$
+
+failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
+            ^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
+            ^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# The first two regexs here match the unmodified dropbear messages. It isn't
+# possible to match the source of the 'exit before auth' messages from dropbear
+# as they don't include the "from <HOST>" bit.
+#
+# The second last failregex line we need to match with the modified dropbear.
+#
+# For the second regex the following apply:
+#
+# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
+# http://svn.dd-wrt.com/changeset/16642#file64
+#
+# http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c
+#
+# Author: Francis Russell
+#         Zak B. Elep

fail2ban-conf/filter.d/drupal-auth.conf

@@ -0,0 +1,26 @@
+# Fail2Ban filter to block repeated failed login attempts to Drupal site(s)
+#
+#
+# Drupal must be setup to use Syslog, which defaults to the following format:
+#
+#   !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+
+[Definition]
+
+failregex = ^%(__prefix_line)s(https?:\/\/)([\da-z\.-]+)\.([a-z\.]{2,6})(\/[\w\.-]+)*\|\d{10}\|user\|<HOST>\|.+\|.+\|\d\|.*\|Login attempt failed for .+\.$
+
+ignoreregex =
+
+
+# DEV Notes:
+#
+# https://www.drupal.org/documentation/modules/syslog
+#
+# Author: Lee Clemens

fail2ban-conf/filter.d/ejabberd-auth.conf

@@ -0,0 +1,40 @@
+# Fail2Ban configuration file
+#
+# Author: Steven Hiscocks
+#
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+#          Multiline regexs should use tag "<SKIPLINES>" to separate lines.
+#          This allows lines between the matching lines to continue to be
+#          searched for other failures. This tag can be used multiple times.
+# Values:  TEXT
+#
+failregex = ^=INFO REPORT====  ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for \S+ from (?:IP )?<HOST>(?: \({{(?:\d+,){3}\d+},\d+}\))?$
+            ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:\w+:\d+ \([^\)]+\) Failed (?:c2s \w+ )?authentication for \S+ from (?:IP )?(?:::FFFF:)?<HOST>(?:: |$)
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 2
+
+# Option:  journalmatch
+# Notes.:  systemd journalctl style match filter for journal based backend
+# Values:  TEXT
+#
+journalmatch = 
+
+#datepattern = ^(?:=[^=]+={3,} )?({DATE})
+# explicit time format using prefix =...==== and no date in second string begins with I(...)... 
+datepattern = ^(?:=[^=]+={3,} )?(%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?)
+              ^I\(()**

fail2ban-conf/filter.d/exim-common.conf

@@ -0,0 +1,20 @@
+# Fail2Ban filter file for common exim expressions
+#
+# This is to be used by other exim filters
+
+[INCLUDES]
+
+# Load customizations if any available
+after = exim-common.local
+
+[Definition]
+
+host_info_pre = (?:H=([\w.-]+ )?(?:\(\S+\) )?)?
+host_info_suf = (?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?\s
+host_info = %(host_info_pre)s\[<HOST>\]%(host_info_suf)s
+pid = (?: \[\d+\])?
+
+# DEV Notes:
+# From exim source code: ./src/receive.c:add_host_info_for_log
+#
+# Author:  Daniel Black

fail2ban-conf/filter.d/exim-spam.conf

@@ -0,0 +1,50 @@
+# Fail2Ban filter for exim the spam rejection messages
+#
+# Honeypot traps are very useful for fighting spam. You just activate an email
+# address on your domain that you do not intend to use at all, and that normal
+# people do not risk to try for contacting you. It may be something that 
+# spammers often test. You can also hide the address on a web page to be picked
+# by spam spiders. Or simply parse your mail logs for an invalid address 
+# already being frequently targeted by spammers. Enable the address and 
+# redirect it to the blackhole. In Exim's alias file, you would add the 
+# following line (assuming the address is honeypot@yourdomain.com):
+#
+# honeypot:  :blackhole:
+#
+# For the SA: Action: silently tossed message... to be logged exim's SAdevnull option needs to be used.
+#
+# To this filter use the jail.local should contain in the right jail:
+#
+# filter = exim-spam[honeypot=honeypot@yourdomain.com]
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# exim-common.local
+before = exim-common.conf
+
+[Definition]
+
+failregex =  ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
+             ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$
+             ^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$
+             ^%(pid)s \S+ SA: Action: flagged as Spam but accepted: score=\d+\.\d+ required=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=\S+ \[<HOST>\]\) for <honeypot>$
+             ^%(pid)s \S+ SA: Action: silently tossed message: score=\d+\.\d+ required=\d+\.\d+ trigger=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=(\S+ )?\[<HOST>\]\) for \S+$
+
+ignoreregex = 
+
+[Init]
+
+# Option:  honeypot
+# Notes.:  honeypot is an email address that isn't published anywhere that a
+#          legitimate email sender would send email too.
+# Values:  email address
+
+honeypot = trap@example.com
+
+# DEV Notes:
+# The %(host_info) defination contains a <HOST> match
+#
+# Author: Cyril Jaquier
+#         Daniel Black (rewrote with strong regexs)

fail2ban-conf/filter.d/exim.conf

@@ -0,0 +1,54 @@
+# Fail2Ban filter for exim
+#
+# This includes the rejection messages of exim. For spam and filter
+# related bans use the exim-spam.conf
+#
+
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# exim-common.local
+before = exim-common.conf
+
+[Definition]
+
+# Fre-filter via "prefregex" is currently inactive because of too different failure syntax in exim-log (testing needed):
+#prefregex = ^%(pid)s <F-CONTENT>\b(?:\w+ authenticator failed|([\w\-]+ )?SMTP (?:(?:call|connection) from|protocol(?: synchronization)? error)|no MAIL in|(?:%(host_info_pre)s\[[^\]]+\]%(host_info_suf)s(?:sender verify fail|rejected RCPT|dropped|AUTH command))).+</F-CONTENT>$
+
+failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
+            ^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
+            ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
+            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
+            ^%(pid)s SMTP call from (?:[^\[\( ]* )?%(host_info)sdropped: too many (?:nonmail commands|syntax or protocol errors) \(last (?:command )?was "[^"]*"\)\s*$
+            ^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH command used when not advertised\s*$
+            ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
+            ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
+            <mdre-<mode>>
+
+mdre-aggressive = ^%(pid)s no host name found for IP address <HOST>$
+                  ^%(pid)s no IP address found for host \S+ \(during SMTP connection from \[<HOST>\]\)$
+
+mdre-normal = 
+
+# Parameter `mode` - `normal` or `aggressive`.
+# Aggressive mode can be used to match flood and ddos-similar log-entries like:
+#   'no host found for IP', 'no IP found for host'.
+# Note this is not an authentication failures, so it may produce lots of false 
+# positives on misconfigured MTAs.
+# Ex.:
+#   filter = exim[mode=aggressive]
+mode = normal
+
+ignoreregex = 
+
+# DEV Notes:
+# The %(host_info) defination contains a <HOST> match
+#
+# SMTP protocol synchronization error \([^)]*\)  <- This needs to be non-greedy
+# to void capture beyond ")" to avoid a DoS Injection vulnerabilty as input= is
+# user injectable data.
+#
+# Author: Cyril Jaquier
+#         Daniel Black (rewrote with strong regexs)
+#         Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)

fail2ban-conf/filter.d/freeswitch.conf

@@ -0,0 +1,58 @@
+# Fail2Ban configuration file
+#
+# Enable "log-auth-failures" on each Sofia profile to monitor
+# <param name="log-auth-failures" value="true"/>
+# -- this requires a high enough loglevel on your logs to save these messages.
+#
+# In the fail2ban jail.local file for this filter set ignoreip to the internal
+# IP addresses on your LAN.
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = freeswitch
+
+# Parameter "mode": normal, ddos or extra (default, combines all)
+# Usage example (for jail.local):
+#   [freeswitch]
+#   mode = normal
+#   # or with rewrite filter parameters of jail:
+#   [freeswitch-ddos]
+#   filter = freeswitch[mode=ddos]
+#
+mode = extra
+              
+# Prefix contains common prefix line (server, daemon, etc.) and 2 datetimes if used systemd backend
+_pref_line = ^%(__prefix_line)s(?:(?:\d+-)?\d+-\d+ \d+:\d+:\d+\.\d+)?
+
+prefregex = ^%(_pref_line)s \[WARN(?:ING)?\](?: \[SOFIA\])? \[?sofia_reg\.c:\d+\]? <F-CONTENT>.+</F-CONTENT>$
+
+cmnfailre = ^Can't find user \[[^@]+@[^\]]+\] from <HOST>$
+
+mdre-normal = %(cmnfailre)s
+              ^SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
+
+mdre-ddos   = ^SIP auth (?:failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
+
+mdre-extra  = %(cmnfailre)s
+              <mdre-ddos>
+
+failregex = <mdre-<mode>>
+
+ignoreregex =
+
+datepattern = ^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?
+              {^LN-BEG}
+
+# Author: Rupa SChomaker, soapee01, Daniel Black, Sergey Brester aka sebres
+# https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban
+# Thanks to Jim on mailing list of samples and guidance
+#
+# No need to match the following. Its a duplicate of the SIP auth regex.
+#  ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$

fail2ban-conf/filter.d/froxlor-auth.conf

@@ -0,0 +1,40 @@
+# Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s)
+# 
+# Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages
+# <syslog prefix> Froxlor: [Login Action <HOST>] Unknown user '<USER>' tried to login.
+# <syslog prefix> Froxlor: [Login Action <HOST>] User '<USER>' tried to login with wrong password.
+#
+# Author: Joern Muehlencord
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = Froxlor
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+
+prefregex = ^%(__prefix_line)s\[Login Action <HOST>\] <F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^Unknown user \S* tried to login.$
+            ^User \S* tried to login with wrong password.$
+
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
+

fail2ban-conf/filter.d/gitlab.conf

@@ -0,0 +1,6 @@
+# Fail2Ban filter for Gitlab
+# Detecting unauthorized access to the Gitlab Web portal
+# typically logged in /var/log/gitlab/gitlab-rails/application.log
+
+[Definition]
+failregex = ^: Failed Login: username=<F-USER>.+</F-USER> ip=<HOST>$

fail2ban-conf/filter.d/grafana.conf

@@ -0,0 +1,9 @@
+# Fail2Ban filter for Grafana
+# Detecting unauthorized access
+# Typically logged in /var/log/grafana/grafana.log
+
+[Init]
+datepattern = ^t=%%Y-%%m-%%dT%%H:%%M:%%S%%z
+
+[Definition]
+failregex = ^(?: lvl=err?or)? msg="Invalid username or password"(?: uname=(?:"<F-ALT_USER>[^"]+</F-ALT_USER>"|<F-USER>\S+</F-USER>)| error="<F-ERROR>[^"]+</F-ERROR>"| \S+=(?:\S*|"[^"]+"))* remote_addr=<ADDR>$

fail2ban-conf/filter.d/groupoffice.conf

@@ -0,0 +1,14 @@
+# Fail2Ban filter for Group-Office
+#
+# Enable logging with:
+# $config['info_log']='/home/groupoffice/log/info.log';
+#
+
+[Definition]
+
+failregex = ^\[\]LOGIN FAILED for user: "\S+" from IP: <HOST>$
+
+ignoreregex =
+
+# Author: Daniel Black
+

fail2ban-conf/filter.d/gssftpd.conf

@@ -0,0 +1,18 @@
+# Fail2Ban filter file for gssftp
+#
+# Note: gssftp is part of the krb5-appl-servers in Fedora
+#
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = ftpd
+
+failregex = ^%(__prefix_line)srepeated login failures from <HOST> \(\S+\)$
+
+ignoreregex = 
+
+# Author: Kevin Zembower
+# Edited: Daniel Black - syslog based daemon

fail2ban-conf/filter.d/guacamole.conf

@@ -0,0 +1,51 @@
+# Fail2Ban configuration file for guacamole
+#
+# Author: Steven Hiscocks
+#
+
+[Definition]
+
+logging = catalina
+failregex = <L_<logging>/failregex>
+maxlines = <L_<logging>/maxlines>
+datepattern = <L_<logging>/datepattern>
+
+[L_catalina]
+
+failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
+
+maxlines = 2
+
+datepattern = ^%%b %%d, %%ExY %%I:%%M:%%S %%p
+              ^WARNING:()**
+              {^LN-BEG}
+
+[L_webapp]
+
+failregex = ^ \[\S+\] WARN  \S+ - Authentication attempt from <HOST> for user "<F-USER>[^"]+</F-USER>" failed.
+
+maxlines = 1
+
+datepattern = ^%%H:%%M:%%S.%%f
+
+# DEV Notes:
+#
+# failregex is based on the default pattern given in Guacamole documentation :
+# https://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging
+#
+# The following logback.xml Guacamole configuration file can then be used accordingly :
+# <configuration>
+#   <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
+#     <file>/var/log/guacamole.log</file>
+#     <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+#       <fileNamePattern>/var/log/guacamole.%d.log.gz</fileNamePattern>
+#       <maxHistory>32</maxHistory>
+#     </rollingPolicy>
+#     <encoder>
+#       <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
+#     </encoder>
+#   </appender>
+#   <root level="info">
+#     <appender-ref ref="FILE" />
+#   </root>
+# </configuration>

fail2ban-conf/filter.d/haproxy-http-auth.conf

@@ -0,0 +1,37 @@
+# Fail2Ban filter configuration file to match failed login attempts to
+# HAProxy HTTP Authentication protected servers.
+#
+# PLEASE NOTE - When a user first hits the HTTP Auth a 401 is returned by the server
+# which prompts their browser to ask for login details.
+# This initial 401 is logged by HAProxy.
+# In other words, even successful logins will have at least 1 fail regex match.
+# Please keep this in mind when setting findtime and maxretry for jails.
+#
+# Author: Jordan Moeser
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = haproxy
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = ^%(__prefix_line)s<HOST>(?::\d+)?\s+.*<NOSRV> -1/-1/-1/-1/\+*\d* 401
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

fail2ban-conf/filter.d/horde.conf

@@ -0,0 +1,16 @@
+# fail2ban filter configuration for horde
+
+
+[Definition]
+
+
+failregex = ^ HORDE \[error\] \[(horde|imp)\] FAILED LOGIN for \S+ \[<HOST>\](\(forwarded for \[\S+\]\))? to (Horde|{[^}]+}) \[(pid \d+ )?on line \d+ of \S+\]$
+
+
+ignoreregex = 
+
+# DEV NOTES:
+# https://github.com/horde/horde/blob/master/imp/lib/Auth.php#L132
+# https://github.com/horde/horde/blob/master/horde/login.php
+# 
+# Author: Daniel Black

fail2ban-conf/filter.d/kerio.conf

@@ -0,0 +1,24 @@
+# Fail2ban filter for kerio
+
+[Definition]
+
+failregex = ^ SMTP Spam attack detected from <HOST>,
+            ^ IP address <HOST> found in DNS blacklist
+            ^ Relay attempt from IP address <HOST>
+            ^ Attempt to deliver to unknown recipient \S+, from \S+, IP address <HOST>$
+            ^ Failed SMTP login from <HOST>
+            ^ SMTP: User \S+ doesn't exist. Attempt from IP address <HOST>
+            ^ Client with IP address <HOST> has no reverse DNS entry, connection rejected before SMTP greeting$
+            ^ Administration login into Web Administration from <HOST> failed: IP address not allowed$
+            ^ Message from IP address <HOST>, sender \S+ rejected: sender domain does not exist$
+
+ignoreregex =
+
+datepattern = ^\[%%d/%%b/%%Y %%H:%%M:%%S\]
+
+# DEV NOTES:
+# 
+# Author: A.P. Lawrence
+# Updated by: M. Bischoff <https://github.com/herrbischoff>
+#
+# Based off: http://aplawrence.com/Kerio/fail2ban.html

fail2ban-conf/filter.d/lighttpd-auth.conf

@@ -0,0 +1,10 @@
+# Fail2Ban filter to match wrong passwords as notified by lighttpd's auth Module
+#
+
+[Definition]
+
+failregex = ^: \((?:http|mod)_auth\.c\.\d+\) (?:password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: <HOST>\s*$
+
+ignoreregex = 
+
+# Author: Francois Boulogne <fboulogne@april.org>

fail2ban-conf/filter.d/mongodb-auth.conf

@@ -0,0 +1,49 @@
+# Fail2Ban filter for unsuccesfull MongoDB authentication attempts
+#
+# Logfile /var/log/mongodb/mongodb.log
+#
+# add setting in /etc/mongodb.conf
+# logpath=/var/log/mongodb/mongodb.log
+#
+# and use of the authentication
+# auth = true
+#
+
+[Definition]
+#failregex = ^\s+\[initandlisten\] connection accepted from <HOST>:\d+ \#(?P<__connid>\d+) \(1 connection now open\)<SKIPLINES>\s+\[conn(?P=__connid)\] Failed to authenticate\s+
+failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]+<SKIPLINES>\s+\[conn(?P=__connid)\] end connection <HOST>
+
+ignoreregex =
+
+
+[Init]
+maxlines = 10
+
+# DEV Notes:
+#
+# Regarding the multiline regex:
+#
+# There can be a nunber of non-related lines between the first and second part
+# of this regex maxlines of 10 is quite generious.
+#
+# Note the capture __connid, includes the connection ID, used in second part of regex.
+#
+# The first regex is commented out (but will match also), because it is better to use
+# the host from "end connection" line (uncommented above):
+#  -  it has the same prefix, searching begins directly with failure message
+#     (so faster, because ignores success connections at all)
+#  -  it is not so vulnerable in case of possible race condition
+#
+# Log example:
+# 2016-10-20T09:54:27.108+0200 [initandlisten] connection accepted from 127.0.0.1:53276 #1 (1 connection now open)
+# 2016-10-20T09:54:27.109+0200 [conn1]  authenticate db: test { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
+# 2016-10-20T09:54:27.110+0200 [conn1] Failed to authenticate root@test with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@test
+# 2016-11-09T09:54:27.894+0100 [conn1] end connection 127.0.0.1:53276 (0 connections now open)
+# 2016-11-09T11:55:58.890+0100 [initandlisten] connection accepted from 127.0.0.1:54266 #1510 (1 connection now open)
+# 2016-11-09T11:55:58.892+0100 [conn1510]  authenticate db: admin { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
+# 2016-11-09T11:55:58.892+0100 [conn1510] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch
+# 2016-11-09T11:55:58.894+0100 [conn1510] end connection 127.0.0.1:54266 (0 connections now open)
+#
+# Authors: Alexander Finkhäuser
+#          Sergey G. Brester (sebres)
+

fail2ban-conf/filter.d/monit.conf

@@ -0,0 +1,25 @@
+# Fail2Ban filter for monit.conf, looks for failed access attempts
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+# [DEFAULT]
+# logtype = short
+
+[Definition]
+
+_daemon = monit
+
+_prefix = Warning|HttpRequest
+
+# Regexp for previous (accessing monit httpd) and new (access denied) versions
+failregex = ^%(__prefix_line)s(?:error\s*:\s+)?(?:%(_prefix)s):\s+(?:access denied\s+--\s+)?[Cc]lient '?<HOST>'?(?:\s+supplied|\s*:)\s+(?:unknown user '<F-ALT_USER>[^']+</F-ALT_USER>'|wrong password for user '<F-USER>[^']*</F-USER>'|empty password)
+
+# Ignore login with empty user (first connect, no user specified)
+# ignoreregex = %(__prefix_line)s\w+: access denied -- client <HOST>: (?:unknown user '')
+ignoreregex =

fail2ban-conf/filter.d/murmur.conf

@@ -0,0 +1,34 @@
+# Fail2Ban filter for murmur/mumble-server
+#
+
+[Definition]
+
+_daemon = murmurd
+
+# N.B. If you allow users to have usernames that include the '>' character you
+#      should change this to match the regex assigned to the 'username'
+#      variable in your server config file (murmur.ini / mumble-server.ini).
+_usernameregex = [^>]+
+
+# Prefix for systemd-journal (with second date-pattern as optional match):
+#
+__prefix_journal = (?:\S+\s+%(_daemon)s\[\d+\]:(?:\s+\<W\>[\d\-]+ [\d:]+.\d+)?)
+
+__prefix_line = %(__prefix_journal)s?
+
+_prefix = %(__prefix_line)s\s+\d+ => <\d+:%(_usernameregex)s\(-1\)> Rejected connection from <HOST>:\d+:
+
+prefregex = ^%(_prefix)s <F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^Invalid server password$
+            ^Wrong certificate or password for existing user$
+
+ignoreregex =
+
+datepattern = ^<W>{DATE}
+
+journalmatch = _SYSTEMD_UNIT=murmurd.service + _COMM=murmurd
+
+# DEV Notes:
+#
+# Author: Ross Brown

fail2ban-conf/filter.d/mysqld-auth.conf

@@ -0,0 +1,32 @@
+# Fail2Ban filter for unsuccesful MySQL authentication attempts
+#
+#
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]:
+# log-error=/var/log/mysqld.log
+# log-warnings = 2
+#
+# If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = mysqld
+
+failregex = ^%(__prefix_line)s(?:(?:\d{6}|\d{4}-\d{2}-\d{2})[ T]\s?\d{1,2}:\d{2}:\d{2} )?(?:\d+ )?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '<F-USER>[^']+</F-USER>'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# Technically __prefix_line can equate to an empty string hence it can support
+# syslog and non-syslog at once.
+# Example:
+# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
+#
+# Authors: Artur Penttinen
+#          Yaroslav O. Halchenko

fail2ban-conf/filter.d/nagios.conf

@@ -0,0 +1,17 @@
+# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2)
+# Detecting unauthorized access to the nrpe2 daemon 
+# typically logged in /var/log/messages syslog
+#
+
+[INCLUDES]
+# Read syslog common prefixes
+before = common.conf
+
+[Definition]
+_daemon     = nrpe
+failregex   = ^%(__prefix_line)sHost <HOST> is not allowed to talk to us!\s*$
+ignoreregex =
+
+# DEV Notes:
+# 
+# Author: Ivo Truxa - 2014/02/03

fail2ban-conf/filter.d/named-refused.conf

@@ -0,0 +1,50 @@
+# Fail2Ban filter file for named (bind9).
+#
+
+# This filter blocks attacks against named (bind9) however it requires special
+# configuration on bind.
+#
+# By default, logging is off with bind9 installation.
+#
+# You will need something like this in your named.conf to provide proper logging.
+#
+# logging {
+#     channel security_file {
+#         file "/var/log/named/security.log" versions 3 size 30m;
+#         severity dynamic;
+#         print-time yes;
+#     };
+#     category security {
+#         security_file;
+#     };
+# };
+
+[Definition]
+
+# Daemon name
+_daemon=named
+
+# Shortcuts for easier comprehension of the failregex
+
+__pid_re=(?:\[\d+\])
+__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
+__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
+
+#       hostname       daemon_id         spaces
+# this can be optional (for instance if we match named native log files)
+__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
+
+prefregex = ^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$
+
+failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))?
+            ^zone transfer
+            ^bad zone transfer request: '\S+/IN': non-authoritative zone
+
+ignoreregex =
+
+# DEV Notes:
+# Trying to generalize the
+#          structure which is general to capture general patterns in log
+#          lines to cover different configurations/distributions
+#          
+# Author: Yaroslav Halchenko

fail2ban-conf/filter.d/nginx-botsearch.conf

@@ -0,0 +1,23 @@
+# Fail2Ban filter to match web requests for selected URLs that don't exist
+#
+
+[INCLUDES]
+
+# Load regexes for filtering
+before = botsearch-common.conf
+
+[Definition]
+
+failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
+            ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request: \"(GET|POST|HEAD) \/<block> \S+\"\, .*?$
+
+ignoreregex = 
+
+datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
+              ^[^\[]*\[({DATE})
+              {^LN-BEG}
+
+# DEV Notes:
+# Based on apache-botsearch filter
+# 
+# Author: Frantisek Sumsal

fail2ban-conf/filter.d/nginx-http-auth.conf

@@ -0,0 +1,17 @@
+# fail2ban filter configuration for nginx
+
+
+[Definition]
+
+
+failregex = ^ \[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
+
+ignoreregex = 
+
+datepattern = {^LN-BEG}
+
+# DEV NOTES:
+# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
+# Extensive search of all nginx auth failures not done yet.
+# 
+# Author: Daniel Black

fail2ban-conf/filter.d/nginx-limit-req.conf

@@ -0,0 +1,46 @@
+# Fail2ban filter configuration for nginx :: limit_req
+# used to ban hosts, that were failed through nginx by limit request processing rate 
+#
+# Author: Serg G. Brester (sebres)
+#
+# To use 'nginx-limit-req' filter you should have `ngx_http_limit_req_module`
+# and define `limit_req` and `limit_req_zone` as described in nginx documentation
+# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
+#
+# Example:
+#
+#   http {
+#     ...
+#     limit_req_zone $binary_remote_addr zone=lr_zone:10m rate=1r/s;
+#     ...
+#     # http, server, or location:
+#     location ... {
+#       limit_req zone=lr_zone burst=1 nodelay;
+#       ...
+#     }
+#     ...
+#   }
+#   ...
+#
+
+[Definition]
+
+# Specify following expression to define exact zones, if you want to ban IPs limited 
+# from specified zones only.
+# Example:
+#
+#   ngx_limit_req_zones = lr_zone|lr_zone2
+#
+ngx_limit_req_zones = [^"]+
+
+# Use following full expression if you should range limit request to specified 
+# servers, requests, referrers etc. only :
+#
+# failregex = ^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$
+
+# Shortly, much faster and stable version of regexp:
+failregex = ^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>,
+
+ignoreregex = 
+
+datepattern = {^LN-BEG}

fail2ban-conf/filter.d/nsd.conf

@@ -0,0 +1,31 @@
+# Fail2Ban configuration file
+#
+# Author: Bas van den Dikkenberg
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = nsd
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+
+failregex =  ^%(__prefix_line)sinfo: ratelimit block .* query <HOST> TYPE255$
+             ^%(__prefix_line)sinfo: .* <HOST> refused, no acl matches\.$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}Epoch
+              {^LN-BEG}

fail2ban-conf/filter.d/openhab.conf

@@ -0,0 +1,15 @@
+# Openhab brute force auth filter: /etc/fail2ban/filter.d/openhab.conf:
+#
+# Block IPs trying to auth openhab by web or rest api
+#
+# Matches e.g.
+# 12.34.33.22 -  -  [26/sept./2015:18:04:43 +0200] "GET /openhab.app HTTP/1.1" 401 1382 
+# 175.18.15.10 -  -  [02/sept./2015:00:11:31 +0200] "GET /rest/bindings HTTP/1.1" 401 1384
+
+[Definition] 
+failregex = ^<HOST>\s+-\s+-\s+\[\]\s+"[A-Z]+ .*" 401 \d+\s*$
+
+datepattern = %%d/%%b[^/]*/%%Y:%%H:%%M:%%S %%z
+
+
+

fail2ban-conf/filter.d/openwebmail.conf

@@ -0,0 +1,15 @@
+# Fail2Ban filter for Openwebmail
+# banning hosts with authentication errors in /var/log/openwebmail.log
+# OpenWebMail http://openwebmail.org
+#
+
+[Definition]
+
+failregex = ^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - login error - (no such user - loginname=(?P=USER)|auth_unix.pl, ret -4, Password incorrect)$
+            ^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - userinfo error - auth_unix.pl, ret -4, User (?P=USER) doesn't exist$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Ivo Truxa (c) 2013 truXoft.com

fail2ban-conf/filter.d/oracleims.conf

@@ -0,0 +1,63 @@
+# Fail2Ban configuration file
+# for Oracle IMS with XML logging
+#
+# Author: Joel Snyder/jms@opus1.com/2014-June-01
+#
+#
+
+
+[INCLUDES]
+
+# Read common prefixes.
+# If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages
+# in the logfile. The host must be matched by a
+# group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is
+# only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#
+# CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6 and ABOVE:
+#
+# In OPTION.DAT you must have LOG_FORMAT=4 and
+#  bit 5 of LOG_CONNECTION must be set. 
+#
+# Many of these sub-fields are optional and can be turned on and off
+# by the system manager.  We need the "tr" field
+#  (transport information (present if bit 5 of LOG_CONNECTION is
+# set and transport information is available)).
+# "di" should be there by default if you have LOG_FORMAT=4.
+# Do not use "mi" as this is not included by default.
+#
+# Typical line IF YOU ARE USING TAGGING ! ! ! is:
+# <co ts="2014-06-02T09:45:50.29" pi="123f.3f8.4397"
+# sc="tcp_local" dr="+" ac="U"
+# tr="TCP|192.245.12.223|25|151.1.71.144|59762" ap="SMTP"
+# mi="Bad password"
+# us="01ko8hqnoif09qx0np@imap.opus1.com"
+# di="535 5.7.8 Bad username or password (Authentication failed)."/>
+# Format is generally documented in the PORT_ACCESS mapping 
+# at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html
+#
+# All that would be on one line.
+# Note that you MUST have LOG_FORMAT=4 for this to work!
+#
+
+failregex = tr="[A-Z]+\|[0-9.]+\|\d+\|<HOST>\|\d+" ap="[^"]*" mi="Bad password" us="[^"]*" di="535 5.7.8 Bad username or password( \(Authentication failed\))?\."/>$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
+
+datepattern = ^<co ts="{DATE}"\s+

fail2ban-conf/filter.d/pam-generic.conf

@@ -0,0 +1,33 @@
+# Fail2Ban configuration file for generic PAM authentication errors
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+# if you want to catch only login errors from specific daemons, use something like
+#_ttys_re=(?:ssh|pure-ftpd|ftp)
+#
+# Default: catch all failed logins
+_ttys_re=\S*
+
+__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
+_daemon = \S+
+
+prefregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure;(?:\s+(?:(?:logname|e?uid)=\S*)){0,3} tty=%(_ttys_re)s <F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^ruser=<F-ALT_USER>(?:\S*|.*?)</F-ALT_USER> rhost=<HOST>(?:\s+user=<F-USER>(?:\S*|.*?)</F-USER>)?\s*$
+
+ignoreregex = 
+
+datepattern = {^LN-BEG}
+
+# DEV Notes:
+#
+# for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release)
+# _daemon = \S*\(?pam_unix\)?
+# failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+#
+# Author: Yaroslav Halchenko

fail2ban-conf/filter.d/perdition.conf

@@ -0,0 +1,18 @@
+# Fail2Ban filter for perdition
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon=perdition.\S+
+
+failregex = ^%(__prefix_line)sAuth: <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$
+            ^%(__prefix_line)sFatal Error reading authentication information from client <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$
+
+ignoreregex =
+
+# Author: Christophe Carles and Daniel Black

fail2ban-conf/filter.d/php-url-fopen.conf

@@ -0,0 +1,23 @@
+# Fail2Ban filter for URLs with a URL as a script parameters
+# which can be an indication of a fopen url php injection
+#
+# Example of web requests in Apache access log:
+# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
+
+[Definition]
+
+failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# Version 2
+# fixes the failregex so REFERERS that contain =http:// don't get blocked
+# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
+# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
+#
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
+
+datepattern = ^[^\[]*\[({DATE})
+              {^LN-BEG}

fail2ban-conf/filter.d/phpmyadmin-syslog.conf

@@ -0,0 +1,18 @@
+# Fail2Ban filter for the phpMyAdmin-syslog
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = phpMyAdmin
+
+failregex = ^%(__prefix_line)suser denied: (?:\S+|.*?) \(mysql-denied\) from <HOST>\s*$
+
+ignoreregex =
+
+
+# Author: Pavel Mihadyuk
+# Regex fixes: Serg G. Brester

fail2ban-conf/filter.d/portsentry.conf

@@ -0,0 +1,15 @@
+# Fail2Ban filter for failure attempts in Counter Strike-1.6
+#
+#
+
+[Definition]
+
+failregex = \/<HOST> Port\: [0-9]+ (TCP|UDP) Blocked$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}Epoch
+              {^LN-BEG}
+
+# Author: Pacop <pacoparu@gmail.com>
+

fail2ban-conf/filter.d/postfix.conf

@@ -0,0 +1,80 @@
+# Fail2Ban filter for selected Postfix SMTP rejections
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
+_port = (?::\d+)?
+
+prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$
+
+mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)
+mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
+            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
+            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b
+            ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.\d+ (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
+            ^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
+            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.\d+ (<[^>]*>)?: Sender address rejected: Domain not found\b
+            ^from [^[]*\[<HOST>\]%(_port)s:?
+
+mdpr-auth = warning:
+mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
+mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
+# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).
+
+# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
+mdpr-rbl = %(mdpr-normal)s
+mdre-rbl  = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
+
+# Mode "rbl" currently included in mode "normal" (within 1st rule)
+mdpr-more = %(mdpr-normal)s
+mdre-more = %(mdre-normal)s
+
+mdpr-ddos = (?:lost connection after(?! DATA) [A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+)))
+mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?
+
+mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
+mdre-extra = %(mdre-auth)s
+            %(mdre-normal)s
+
+mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
+mdre-aggressive = %(mdre-auth2)s
+                  %(mdre-normal)s
+
+mdpr-errors = too many errors after \S+
+mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$
+
+
+failregex = <mdre-<mode>>
+
+# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
+# Usage example (for jail.local):
+#   [postfix]
+#   mode = aggressive
+#
+#   # or another jail (rewrite filter parameters of jail):
+#   [postfix-rbl]
+#   filter = postfix[mode=rbl]
+#
+#   # jail to match "too many errors", related postconf `smtpd_hard_error_limit`:
+#   # (normally included in other modes (normal, more, extra, aggressive), but this jail'd allow to ban on the first message)
+#   [postfix-many-errors]
+#   filter = postfix[mode=errors]
+#   maxretry = 1
+#
+mode = more
+
+ignoreregex = 
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=postfix.service
+
+# Author: Cyril Jaquier

fail2ban-conf/filter.d/proftpd.conf

@@ -0,0 +1,33 @@
+# Fail2Ban filter for the Proftpd FTP daemon
+#
+# Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS.
+# See: http://www.proftpd.org/docs/howto/DNS.html
+# When the default locale for your system is not en_US.UTF-8
+# on Debian-based systems be sure to add this to /etc/default/proftpd
+# export LC_TIME="en_US.UTF-8"
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = proftpd
+
+__suffix_failed_login = ([uU]ser not authorized for login|[nN]o such user found|[iI]ncorrect password|[pP]assword expired|[aA]ccount disabled|[iI]nvalid shell: '\S+'|[uU]ser in \S+|[lL]imit (access|configuration) denies login|[nN]ot a UserAlias|[mM]aximum login length exceeded)
+
+
+prefregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ <F-CONTENT>(?:USER|SECURITY|Maximum) .+</F-CONTENT>$
+
+
+failregex = ^USER <F-USER>\S+|.*?</F-USER>(?: \(Login failed\))?: %(__suffix_failed_login)s
+            ^SECURITY VIOLATION: <F-USER>\S+|.*?</F-USER> login attempted
+            ^Maximum login attempts \(\d+\) exceeded
+
+ignoreregex = 
+
+[Init]
+journalmatch = _SYSTEMD_UNIT=proftpd.service
+
+# Author: Yaroslav Halchenko
+#         Daniel Black - hardening of regex

fail2ban-conf/filter.d/pure-ftpd.conf

@@ -0,0 +1,40 @@
+# Fail2Ban filter for pureftp
+#
+# Disable hostname based logging by:
+#
+# Start pure-ftpd with the -H switch or on Ubuntu 'echo yes > /etc/pure-ftpd/conf/DontResolve'
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = pure-ftpd
+
+# Error message specified in multiple languages
+__errmsg = (?:Godkendelse mislykkedes for \[.*\]|Authentifizierung fehlgeschlagen für Benutzer \[.*\].|Authentication failed for user \[.*\]|Autentificación fallida para el usuario \[.*\]|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Azonosítás sikertelen \[.*\] felhasználónak|Autenticazione falita per l'utente \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|Godkjennelse mislyktes for \[.*\]|\[.*\] kullanýcýsý için giriþ hatalý|Autenticação falhou para usuário \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentifikace uživatele selhala \[.*\]|Autentyfikacja nie powiodła się dla użytkownika \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Behörighetskontroll misslyckas för användare \[.*\]|Авторизация не удалась пользователю \[.*\]|\[.*\] 嶸盪 檣隸 褒ぬ|妏蚚氪\[.*\]桄痐囮啖|使用者\[.*\]驗證失敗)
+
+failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s\s*$
+
+ignoreregex = 
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=pure-ftpd.service + _COMM=pure-ftpd
+
+# Author: Cyril Jaquier
+# Modified: Yaroslav Halchenko for pure-ftpd
+# Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal
+# UTF-8 editing and mechanism thanks to Johannes Weberhofer
+#
+# Only logs to syslog though facility can be changed configuration file/command line
+#
+# To get messages in the right encoding:
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[defhint]* | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' > messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[pr][to] | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' >> messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[cps][slkv] | grep -Po '".?"' | recode latin2..utf-8 | tr -d '"' >> messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_ru | grep -Po '".?"' | recode KOI8-R..utf-8 | tr -d '"' >> messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[kz] | grep -Po '".*?"' | tr -d '"' | recode big5..utf-8 >> messages

fail2ban-conf/filter.d/qmail.conf

@@ -0,0 +1,31 @@
+# Fail2Ban filters for qmail RBL patches/fake proxies
+#
+# the default djb RBL implementation doesn't log any rejections 
+# so is useless with this filter.
+#
+# One patch is here:
+#
+# http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:qmail|rblsmtpd)
+
+failregex = ^%(__prefix_line)s\d+\.\d+ rblsmtpd: <HOST> pid \d+ \S+ 4\d\d \S+\s*$
+            ^%(__prefix_line)s\d+\.\d+ qmail-smtpd: 4\d\d badiprbl: ip <HOST> rbl: \S+\s*$
+            ^%(__prefix_line)s\S+ blocked <HOST> \S+ -\s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# These seem to be for two or 3 different patches to qmail or rblsmtpd
+# so you'll probably only ever see one of these regex's that match.
+#
+# ref: https://github.com/fail2ban/fail2ban/pull/386
+#
+# Author: Daniel Black

fail2ban-conf/filter.d/recidive.conf

@@ -0,0 +1,38 @@
+# Fail2Ban filter for repeat bans
+#
+# This filter monitors the fail2ban log file, and enables you to add long 
+# time bans for ip addresses that get banned by fail2ban multiple times.
+#
+# Reasons to use this: block very persistent attackers for a longer time, 
+# stop receiving email notifications about the same attacker over and 
+# over again.
+#
+# This jail is only useful if you set the 'findtime' and 'bantime' parameters 
+# in jail.conf to a higher value than the other jails. Also, this jail has its
+# drawbacks, namely in that it works only with iptables, or if you use a 
+# different blocking mechanism for this jail versus others (e.g. hostsdeny 
+# for most jails, and shorewall for this one).
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = (?:fail2ban(?:-server|\.actions)\s*)
+
+# The name of the jail that this filter is used for. In jail.conf, name the jail using
+# this filter 'recidive', or supply another name with `filter = recidive[_jailname="jail"]`
+_jailname = recidive
+
+failregex = ^%(__prefix_line)s(?:\s*fail2ban\.actions\s*%(__pid_re)s?:\s+)?NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
+
+datepattern = ^{DATE}
+
+ignoreregex = 
+
+journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
+
+# Author: Tom Hendrikx, modifications by Amir Caspi 

fail2ban-conf/filter.d/roundcube-auth.conf

@@ -0,0 +1,39 @@
+# Fail2Ban configuration file for roundcube web server
+#
+# By default failed logins are printed to 'errors'. The first regex matches those
+# The second regex matches those printed to 'userlogins'
+#   The userlogins log file can be enabled by setting $config['log_logins'] = true; in config.inc.php
+#
+# The logpath in your jail can be updated to userlogins if you wish
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
+            ^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$
+
+ignoreregex = Could not connect to .* Connection refused
+
+journalmatch = SYSLOG_IDENTIFIER=roundcube
+
+# DEV Notes:
+#
+# Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180
+#
+# Part after <HOST> comes straight from IMAP server up until the " in ....."
+# Earlier versions didn't log the IMAP response hence optional.
+#
+# DoS resistance:
+#
+# Assume that the user can inject "from <HOST>" into the imap response
+# somehow. Write test cases around this to ensure that the combination of
+# arbitrary user input and IMAP response doesn't inject the wrong IP for
+# fail2ban
+#
+# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black & Lee Clemens

fail2ban-conf/filter.d/screensharingd.conf

@@ -0,0 +1,31 @@
+# Fail2Ban configuration file
+#
+# Author: Simon Brown
+#
+# Filter for Mac OS X Screen Sharing service
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = screensharingd
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = ^%(__prefix_line)sAuthentication: FAILED :: User Name: .+ :: Viewer Address: <HOST> :: Type: DH$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =

fail2ban-conf/filter.d/selinux-common.conf

@@ -0,0 +1,23 @@
+# Fail2Ban configuration file for generic SELinux audit messages
+#
+# This file is not intended to be used directly, and should be included into a
+# filter file which would define following variables. See selinux-ssh.conf as
+# and example.
+#
+# _type
+# _uid
+# _auid 
+# _subj
+# _msg
+#
+# Also one of these variables must include <HOST>.
+
+[Definition]
+
+failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
+
+ignoreregex =
+
+datepattern = EPOCH
+
+# Author: Daniel Black

fail2ban-conf/filter.d/selinux-ssh.conf

@@ -0,0 +1,25 @@
+# Fail2Ban configuration file for SELinux ssh authentication errors
+#
+
+[INCLUDES]
+
+after = selinux-common.conf
+
+[Definition]
+
+_type = USER_(ERR|AUTH)
+_uid  = 0
+_auid = \d+
+_subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
+
+_exe  =/usr/sbin/sshd
+_terminal = ssh
+
+_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
+
+# DEV Notes:
+#
+# Note: USER_LOGIN is ignored as this is the duplicate messsage
+# ssh logs after 3 USER_AUTH failures.
+# 
+# Author: Daniel Black

fail2ban-conf/filter.d/sendmail-auth.conf

@@ -0,0 +1,25 @@
+# Fail2Ban filter for sendmail authentication failures
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:sendmail|sm-(?:mta|acceptingconnections))
+# "\w{14,20}" will give support for IDs from 14 up to 20 characters long
+__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
+addr = (?:IPv6:<IP6>|<IP4>)
+
+prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^(\S+ )?\[%(addr)s\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
+            ^AUTH failure \(LOGIN\):(?: [^:]+:)? authentication failure: checkpass failed, user=<F-USER>(?:\S+|.*?)</F-USER>, relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$
+ignoreregex =
+
+journalmatch = _SYSTEMD_UNIT=sendmail.service
+
+# DEV Notes:
+#
+# Author: Daniel Black

fail2ban-conf/filter.d/sendmail-reject.conf

@@ -0,0 +1,68 @@
+# Fail2Ban filter for sendmail spam/relay type failures
+#
+# Some of the below failregex will only work properly, when the following
+# options are set in the .mc file (see your Sendmail documentation on how
+# to modify it and generate the corresponding .cf file):
+#
+# FEATURE(`delay_checks')
+# FEATURE(`greet_pause', `500')
+# FEATURE(`ratecontrol', `nodelay', `terminate')
+# FEATURE(`conncontrol', `nodelay', `terminate')
+#
+# ratecontrol and conncontrol also need corresponding options ClientRate:
+# and ClientConn: in the access file, see documentation for ratecontrol and
+# conncontrol in the sendmail/cf/README file.
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:(sm-(mta|acceptingconnections)|sendmail))
+__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
+addr = (?:IPv6:<IP6>|<IP4>)
+
+prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
+
+cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
+            ^ruleset=check_relay, arg1=(?P<dom>\S+), arg2=%(addr)s, relay=((?P=dom) )?\[(\d+\.){3}\d+\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
+            ^rejecting commands from (\S* )?\[%(addr)s\] due to pre-greeting traffic after \d+ seconds$
+            ^(?:\S+ )?\[%(addr)s\]: (?:(?i)expn|vrfy) \S+ \[rejected\]$
+            ^<[^@]+@[^>]+>\.\.\. No such user here$
+            ^<F-NOFAIL>from=<[^@]+@[^>]+></F-NOFAIL>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[%(addr)s\]$
+
+mdre-normal =
+
+mdre-extra = ^(?:\S+ )?\[%(addr)s\](?: \(may be forged\))? did not issue \S+ during connection
+
+mdre-aggressive = %(mdre-extra)s
+
+failregex = %(cmnfailre)s
+            <mdre-<mode>>
+
+# Parameter "mode": normal (default), extra or aggressive
+# Usage example (for jail.local):
+#   [sendmail-reject]
+#   filter = sendmail-reject[mode=extra]
+#
+mode = normal
+
+ignoreregex = 
+
+journalmatch = SYSLOG_IDENTIFIER=sm-mta + _SYSTEMD_UNIT=sendmail.service
+
+# DEV NOTES:
+# 
+# Regarding the multiline regex:
+#
+# "No such user" lines generate a failure and needs to be matched together with
+# another line with the HOST, therefore no-failure line was added as regex, that
+# contains HOST (see line with tag <F-NOFAIL>).
+#
+# Note the capture <F-MLFID>, includes both the __prefix_lines (which includes
+# the sendmail PID), but also the `\w{14}` which the the sendmail assigned 
+# mail ID (todo: check this is necessary, possible obsolete).
+#
+# Author: Daniel Black, Fabian Wenk and Sergey Brester aka sebres.
+# Rewritten using prefregex by Serg G. Brester.

fail2ban-conf/filter.d/sieve.conf

@@ -0,0 +1,18 @@
+# Fail2Ban filter for sieve authentication failures
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = (?:cyrus/)?(?:tim)?sieved?
+
+failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ authentication failure$
+
+ignoreregex = 
+
+# Author: Jan Wagner <waja@cyconet.org>

fail2ban-conf/filter.d/slapd.conf

@@ -0,0 +1,25 @@
+# slapd (Stand-alone LDAP Daemon) openldap daemon filter
+#
+# Detecting invalid credentials: error code 49
+# http://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html#invalidCredentials (49)
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = slapd
+
+failregex = ^(?P<__prefix>%(__prefix_line)s)conn=(?P<_conn_>\d+) fd=\d+ ACCEPT from IP=<HOST>:\d{1,5} \(IP=\S+\)\s*<SKIPLINES>(?P=__prefix)conn=(?P=_conn_) op=\d+ RESULT(?:\s(?!err)\S+=\S*)* err=49 text=[\w\s]*$
+
+ignoreregex =
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 20
+
+# Author: Andrii Melnyk

fail2ban-conf/filter.d/softethervpn.conf

@@ -0,0 +1,9 @@
+# Fail2Ban filter for SoftEtherVPN
+# Detecting unauthorized access to SoftEtherVPN
+# typically logged in /usr/local/vpnserver/security_log/*/sec.log, or in syslog, depending on configuration
+
+[INCLUDES]
+before = common.conf
+
+[Definition]
+failregex = ^%(__prefix_line)s(?:(?:\([\d\-]+ [\d:.]+\) )?<SECURITY_LOG>: )?Connection "[^"]+": User authentication failed. The user name that has been provided was "<F-USER>(?:[^"]+|.+)</F-USER>", from <ADDR>\.$

fail2ban-conf/filter.d/sogo-auth.conf

@@ -0,0 +1,22 @@
+# Fail2ban filter for SOGo authentcation
+#
+# Log file usually in /var/log/sogo/sogo.log
+
+[Definition]
+
+failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>(?:,[^']*)?' for user '[^']*' might not have worked( - password policy: \d*  grace: -?\d*  expire: -?\d*  bound: -?\d*)?\s*$
+
+ignoreregex = "^<ADDR>"
+
+datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
+              {^LN-BEG}(?:%%a )?%%b %%d %%H:%%M:%%S(?:\.%%f)?(?: %%ExY)?
+              ^[^\[]*\[({DATE})
+              {^LN-BEG}
+
+# 
+# DEV Notes:
+#
+# The error log may contain multiple hosts, whereas the first one 
+# is the client and all others are poxys. We match the first one, only
+#
+# Author: Arnd Brandes

fail2ban-conf/filter.d/solid-pop3d.conf

@@ -0,0 +1,32 @@
+# Fail2Ban filter for unsuccessful solid-pop3 authentication attempts
+#
+# Doesn't currently provide PAM support as PAM log messages don't include rhost as
+# remote IP.
+#
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = solid-pop3d
+
+failregex = ^%(__prefix_line)sauthentication failed: (no such user|can't map user name): .*? - <HOST>$
+            ^%(__prefix_line)s(APOP )?authentication failed for (mapped )?user .*? - <HOST>$
+            ^%(__prefix_line)sroot login not allowed - <HOST>$
+            ^%(__prefix_line)scan't find APOP secret for user .*? - <HOST>$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# solid-pop3d needs to be compiled with --enable-logextend to support
+# IP addresses in log messages.
+#
+# solid-pop3d-0.15/src/main.c contains all authentication errors
+# except for PAM authentication messages ( src/authenticate.c )
+#
+# A pam authentication failure message (note no IP for rhost).
+# Nov 17 23:17:50 emf1pt2-2-35-70 solid-pop3d[17176]: pam_unix(solid-pop3d:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=jacques
+# 
+# Authors: Daniel Black

fail2ban-conf/filter.d/squid.conf

@@ -0,0 +1,16 @@
+# Fail2Ban filter for Squid attempted proxy bypasses
+#
+#
+
+[Definition]
+
+failregex = ^\s+\d\s<HOST>\s+[A-Z_]+_DENIED/403 .*$
+            ^\s+\d\s<HOST>\s+NONE/405 .*$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}Epoch
+              {^LN-BEG}
+
+# Author: Daniel Black
+

fail2ban-conf/filter.d/squirrelmail.conf

@@ -0,0 +1,12 @@
+
+[Definition]
+
+failregex = ^ \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect\.$
+
+ignoreregex =
+
+datepattern = ^%%m/%%d/%%Y %%H:%%M:%%S
+
+# DEV NOTES:
+#
+# Author: Daniel Black

fail2ban-conf/filter.d/sshd.conf

@@ -0,0 +1,136 @@
+# Fail2Ban filter for openssh
+#
+# If you want to protect OpenSSH from being bruteforced by password
+# authentication then get public key authentication working before disabling
+# PasswordAuthentication in sshd_config.
+#
+#
+# "Connection from <HOST> port \d+" requires LogLevel VERBOSE in sshd_config
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[DEFAULT]
+
+_daemon = sshd
+
+# optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: "
+__pref = (?:(?:error|fatal): (?:PAM: )?)?
+# optional suffix (logged from several ssh versions) like " [preauth]"
+#__suff = (?: port \d+)?(?: \[preauth\])?\s*
+__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s*
+__on_port_opt = (?: (?:port \d+|on \S+)){0,2}
+# close by authenticating user:
+__authng_user = (?: (?:invalid|authenticating) user <F-USER>\S+|.*?</F-USER>)?
+
+# for all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found",
+# see ssherr.c for all possible SSH_ERR_..._ALG_MATCH errors.
+__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+)
+
+# PAM authentication mechanism, can be overridden, e. g. `filter = sshd[__pam_auth='pam_ldap']`:
+__pam_auth = pam_[a-z]+
+
+[Definition]
+
+prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID>%(__pref)s<F-CONTENT>.+</F-CONTENT>$
+
+cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?%(__suff)s$
+            ^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>%(__suff)s$
+            <cmnfailre-failed-pub-<publickey>>
+            ^Failed <cmnfailed> for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
+            ^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>
+            ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__suff)s$
+            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because not listed in AllowUsers%(__suff)s$
+            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because listed in DenyUsers%(__suff)s$
+            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because not in any group%(__suff)s$
+            ^refused connect from \S+ \(<HOST>\)
+            ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$
+            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because a group is listed in DenyGroups%(__suff)s$
+            ^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups%(__suff)s$
+            ^<F-NOFAIL>%(__pam_auth)s\(sshd:auth\):\s+authentication failure;</F-NOFAIL>(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=<F-ALT_USER>\S*</F-ALT_USER>\s+rhost=<HOST>(?:\s+user=<F-USER>\S*</F-USER>)?%(__suff)s$
+            ^maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$
+            ^User <F-USER>\S+|.*?</F-USER> not allowed because account is locked%(__suff)s
+            ^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+</F-USER> <HOST>%(__on_port_opt)s:\s*Change of username or service not allowed:\s*.*\[preauth\]\s*$
+            ^Disconnecting: Too many authentication failures(?: for <F-USER>\S+|.*?</F-USER>)?%(__suff)s$
+            ^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>%(__on_port_opt)s:\s*11:
+            <mdre-<mode>-other>
+            ^<F-MLFFORGET><F-MLFGAINED>Accepted \w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\S+</F-USER> from <HOST>(?:\s|$)
+
+cmnfailed-any = \S+
+cmnfailed-ignore = \b(?!publickey)\S+
+cmnfailed-invalid = <cmnfailed-ignore>
+cmnfailed-nofail = (?:<F-NOFAIL>publickey</F-NOFAIL>|\S+)
+cmnfailed = <cmnfailed-<publickey>>
+
+mdre-normal =
+# used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode)
+mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$
+
+mdre-ddos = ^Did not receive identification string from <HOST>
+            ^kex_exchange_identification: (?:[Cc]lient sent invalid protocol identifier|[Cc]onnection closed by remote host)
+            ^Bad protocol version identification '.*' from <HOST>
+            ^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+:
+            ^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer
+# same as mdre-normal-other, but as failure (without <F-NOFAIL>) and [preauth] only:
+mdre-ddos-other = ^<F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET> (?:by|from)%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$
+
+mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available
+            ^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found.
+            ^Unable to negotiate a <__alg_match>
+            ^no matching <__alg_match> found:
+# part of mdre-ddos-other, but user name is supplied (invalid/authenticating) on [preauth] phase only:
+mdre-extra-other = ^<F-MLFFORGET>Disconnected</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+|.*?</F-USER> <HOST>%(__on_port_opt)s \[preauth\]\s*$
+
+mdre-aggressive = %(mdre-ddos)s
+                  %(mdre-extra)s
+# mdre-extra-other is fully included within mdre-ddos-other:
+mdre-aggressive-other = %(mdre-ddos-other)s
+
+# Parameter "publickey": nofail (default), invalid, any, ignore
+publickey = nofail
+# consider failed publickey for invalid users only:
+cmnfailre-failed-pub-invalid = ^Failed publickey for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
+# consider failed publickey for valid users too (don't need RE, see cmnfailed):
+cmnfailre-failed-pub-any =
+# same as invalid, but consider failed publickey for valid users too, just as no failure (helper to get IP and user-name only, see cmnfailed):
+cmnfailre-failed-pub-nofail = <cmnfailre-failed-pub-invalid>
+# don't consider failed publickey as failures (don't need RE, see cmnfailed):
+cmnfailre-failed-pub-ignore =
+
+cfooterre = ^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>
+
+failregex = %(cmnfailre)s
+            <mdre-<mode>>
+            %(cfooterre)s
+
+# Parameter "mode": normal (default), ddos, extra or aggressive (combines all)
+# Usage example (for jail.local):
+#   [sshd]
+#   mode = extra
+#   # or another jail (rewrite filter parameters of jail):
+#   [sshd-aggressive]
+#   filter = sshd[mode=aggressive]
+#
+mode = normal
+
+#filter = sshd[mode=aggressive]
+
+ignoreregex = 
+
+maxlines = 1
+
+journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
+
+# DEV Notes:
+#
+#   "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
+#   it is coming before use of <HOST> which is not hard-anchored at the end as well,
+#   and later catch-all's could contain user-provided input, which need to be greedily
+#   matched away first.
+#
+# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black and Sergey Brester aka sebres
+# Rewritten using prefregex (and introduced "mode" parameter) by Serg G. Brester.

fail2ban-conf/filter.d/stunnel.conf

@@ -0,0 +1,13 @@
+# Fail2ban filter for stunnel
+
+[Definition]
+
+failregex = ^ LOG\d\[\d+:\d+\]:\ SSL_accept from <HOST>:\d+ : (?P<CODE>[\dA-F]+): error:(?P=CODE):SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate$
+
+ignoreregex =
+
+# DEV NOTES:
+# 
+# Author: Daniel Black
+#
+# Based off: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#stunnel4

fail2ban-conf/filter.d/suhosin.conf

@@ -0,0 +1,28 @@
+# Fail2Ban filter for suhosian PHP hardening
+#
+# This occurs with lighttpd or directly from the plugin
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = (?:lighttpd|suhosin)
+
+
+_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)
+
+failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .*? \(attacker '<HOST>', file '[^']*'(?:, line \d+)?\)$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
+#
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>

fail2ban-conf/filter.d/tine20.conf

@@ -0,0 +1,24 @@
+# Fail2Ban filter for Tine 2.0 authentication
+#
+# Enable logging with:
+# $config['info_log']='/var/log/tine20/tine20.log';
+#
+
+[Definition]
+
+failregex =  ^[\da-f]{5,} [\da-f]{5,} (-- none --|.*?)( \d+(\.\d+)?(h|m|s|ms)){0,2} -  WARN \(\d+\): Tinebase_Controller::login::\d+ Login with username .*? from <HOST> failed \(-[13]\)!$
+
+ignoreregex = 
+
+datepattern = ^[^-]+ -- [^-]+ -- - ({DATE})
+              {^LN-BEG}
+
+# Author: Mika (mkl) from Tine20.org forum: https://www.tine20.org/forum/viewtopic.php?f=2&t=15688&p=54766
+# Editor: Daniel Black
+# Advisor: Lars Kneschke
+#
+# Usernames can contain spaces.
+#
+# Authentication: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Controller.php#l105
+# Logger: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Log/Formatter.php
+# formatMicrotimeDiff: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Helper.php#l276

fail2ban-conf/filter.d/traefik-auth.conf

@@ -0,0 +1,76 @@
+# Fail2ban filter configuration for traefik :: auth
+# used to ban hosts, that were failed through traefik
+#
+# Author: CrazyMax
+#
+# To use 'traefik-auth' filter you have to configure your Traefik instance to write
+# the access logs as describe in https://docs.traefik.io/configuration/logs/#access-logs
+# into a log file on host and specifiy users for Basic Authentication
+# https://docs.traefik.io/configuration/entrypoints/#basic-authentication
+#
+# Example:
+#
+# version: "3.2"
+#
+# services:
+#   traefik:
+#     image: traefik:latest
+#     command:
+#       - "--loglevel=INFO"
+#       - "--accesslog=true"
+#       - "--accessLog.filePath=/var/log/access.log"
+# #       - "--accessLog.filters.statusCodes=400-499"
+#       - "--defaultentrypoints=http,https"
+#       - "--entryPoints=Name:http Address::80"
+#       - "--entryPoints=Name:https Address::443 TLS"
+#       - "--docker.domain=example.com"
+#       - "--docker.watch=true"
+#       - "--docker.exposedbydefault=false"
+#       - "--api=true"
+#       - "--api.dashboard=true"
+#     ports:
+#       - target: 80
+#         published: 80
+#         protocol: tcp
+#         mode: host
+#       - target: 443
+#         published: 443
+#         protocol: tcp
+#         mode: host
+#     labels:
+#       - "traefik.enable=true"
+#       - "traefik.port=8080"
+#       - "traefik.backend=traefik"
+#       - "traefik.frontend.rule=Host:traefik.example.com"
+#       - "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"
+#     volumes:
+#       - "/var/log/traefik:/var/log"
+#       - "/var/run/docker.sock:/var/run/docker.sock"
+#     restart: always
+#
+
+[Definition]
+
+# Parameter "method" can be used to specifiy request method
+req-method = \S+
+# Usage example (for jail.local):
+#   filter = traefik-auth[req-method="GET|POST|HEAD"]
+
+failregex = ^<HOST> \- <usrre-<mode>> \[\] \"(?:<req-method>) [^\"]+\" 401\b
+
+ignoreregex =
+
+# Parameter "mode": normal (default), ddos or aggressive
+# Usage example (for jail.local):
+#   [traefik-auth]
+#   mode = aggressive
+#   # or another jail (rewrite filter parameters of jail):
+#   [traefik-auth-ddos]
+#   filter = traefik-auth[mode=ddos]
+#
+mode = normal
+
+# part of failregex matches user name (must be available in normal mode, must be empty in ddos mode, and both for aggressive mode):
+usrre-normal = (?!- )<F-USER>\S+</F-USER>
+usrre-ddos = -
+usrre-aggressive = <F-USER>\S+</F-USER>

fail2ban-conf/filter.d/uwimap-auth.conf

@@ -0,0 +1,17 @@
+# Fail2Ban filter for uwimap
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:ipop3d|imapd)
+
+failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|SYSTEM BREAK-IN ATTEMPT) user=\S* auth=\S* host=.*\[<HOST>\]\s*$ 
+            ^%(__prefix_line)sFailed .* override of user=.* host=.*\[<HOST>\]\s*$
+
+ignoreregex = 
+
+# Author: Amir Caspi

fail2ban-conf/filter.d/vsftpd.conf

@@ -0,0 +1,22 @@
+# Fail2Ban filter for vsftp
+#
+# Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch
+# /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the
+# incoming ip address rather than domain names.
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
+_daemon =  vsftpd
+
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+            ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,)
+
+ignoreregex = 
+
+# Author: Cyril Jaquier
+# Documentation from fail2ban wiki

fail2ban-conf/filter.d/webmin-auth.conf

@@ -0,0 +1,22 @@
+# Fail2Ban filter for webmin
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = webmin
+
+failregex = ^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$
+            ^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# pattern :     webmin[15673]: Non-existent login as toto from 86.0.6.217
+#               webmin[29544]: Invalid login as root from 86.0.6.217
+#
+# Rule Author: Delvit Guillaume

fail2ban-conf/filter.d/wuftpd.conf

@@ -0,0 +1,22 @@
+# Fail2Ban configuration file for wuftpd
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = wu-ftpd
+__pam_re=\(?%(__pam_auth)s(?:\(wu-ftpd:auth\))?\)?:?
+
+failregex = ^%(__prefix_line)sfailed login from \S+ \[<HOST>\]\s*$
+            ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+
+
+ignoreregex = 
+
+# Author: Yaroslav Halchenko

fail2ban-conf/filter.d/xinetd-fail.conf

@@ -0,0 +1,29 @@
+# Fail2Ban filter for xinetd failures
+#
+# Cfr.: /var/log/(daemon\.|sys)log
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = xinetd
+
+prefregex = ^%(__prefix_line)sFAIL: <F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^\S+ address from=<HOST>$
+            ^\S+ libwrap from=<HOST>$
+
+ignoreregex = 
+
+# DEV Notes:
+#
+# libwrap => tcp wrappers: hosts.(allow|deny)
+# address => xinetd: deny_from|only_from
+#
+# Author: Guido Bozzetto

fail2ban-conf/filter.d/znc-adminlog.conf

@@ -0,0 +1,34 @@
+# Fail2Ban filter for ZNC (requires adminlog module)
+#
+# to use this module, enable the adminlog module from within ZNC and point
+# logpath to its logfile (e.g. /var/lib/znc/moddata/adminlog/znc.log).
+
+[DEFAULT]
+
+logtype = file
+
+[Definition]
+
+_daemon = znc
+
+# Prefix for different logtype (file, journal):
+#
+__prefix_file = (?:\[\]\s+)?
+__prefix_short = (?:\S+\s+%(_daemon)s\[\d+\]:)\s+
+__prefix_journal = %(__prefix_short)s
+
+__prefix_line = <__prefix_<logtype>>
+
+failregex = ^%(__prefix_line)s\[[^]]+\] failed to login from <ADDR>
+
+ignoreregex = 
+
+journalmatch = _SYSTEMD_UNIT=znc.service + _COMM=znc
+
+# DEV Notes:
+# Log format is: [<DATE+TIME>] [<USERNAME>] <ACTION> from <ADDR>
+# [2018-10-27 01:40:17] [girst] connected to ZNC from 1.2.3.4
+# [2018-10-27 01:40:21] [girst] disconnected from ZNC from 1.2.3.4
+# [2018-10-27 01:40:55] [girst] failed to login from 1.2.3.4
+#
+# Author: Tobias Girstmair (//gir.st/)

fail2ban-conf/filter.d/zoneminder.conf

@@ -0,0 +1,21 @@
+# Fail2Ban filter for Zoneminder login failures
+
+[INCLUDES]
+before = apache-common.conf
+
+[Definition]
+
+# pattern: [Wed Apr 27 23:12:07.736196 2016] [:error] [pid 2460] [client 10.1.1.1:47296] WAR [Login denied for user "test"], referer: https://zoneminderurl/index.php
+#
+#
+# Option:  failregex
+# Notes.:  regex to match the password failure messages in the logfile.
+
+failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\]
+
+ignoreregex =
+
+# Notes:
+#	Tested on Zoneminder 1.29.0
+#
+# Author: John Marzella

fail2ban-conf/jail.conf

@@ -0,0 +1,964 @@
+#
+# WARNING: heavily refactored in 0.9.0 release.  Please review and
+#          customize settings for your setup.
+#
+# Changes:  in most of the cases you should not modify this
+#           file, but provide customizations in jail.local file,
+#           or separate .conf files under jail.d/ directory, e.g.:
+#
+# HOW TO ACTIVATE JAILS:
+#
+# YOU SHOULD NOT MODIFY THIS FILE.
+#
+# It will probably be overwritten or improved in a distribution update.
+#
+# Provide customizations in a jail.local file or a jail.d/customisation.local.
+# For example to change the default bantime for all jails and to enable the
+# ssh-iptables jail the following (uncommented) would appear in the .local file.
+# See man 5 jail.conf for details.
+#
+# [DEFAULT]
+# bantime = 1h
+#
+# [sshd]
+# enabled = true
+#
+# See jail.conf(5) man page for more information
+
+
+
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+
+
+[INCLUDES]
+
+#before = paths-distro.conf
+before = paths-debian.conf
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+#
+# MISCELLANEOUS OPTIONS
+#
+
+# "bantime.increment" allows to use database for searching of previously banned ip's to increase a 
+# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
+#bantime.increment = true
+
+# "bantime.rndtime" is the max number of seconds using for mixing with random time 
+# to prevent "clever" botnets calculate exact time IP can be unbanned again:
+#bantime.rndtime = 
+
+# "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
+#bantime.maxtime = 
+
+# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
+# default value of factor is 1 and with default value of formula, the ban time 
+# grows by 1, 2, 4, 8, 16 ...
+#bantime.factor = 1
+
+# "bantime.formula" used by default to calculate next value of ban time, default value below,
+# the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
+#bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
+#
+# more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
+#bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
+
+# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding 
+# previously ban count and given "bantime.factor" (for multipliers default is 1);
+# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, 
+# always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
+#bantime.multipliers = 1 2 4 8 16 32 64
+# following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
+# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
+#bantime.multipliers = 1 5 30 60 300 720 1440 2880
+
+# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed 
+# cross over all jails, if false (dafault), only current jail of the ban IP will be searched
+#bantime.overalljails = false
+
+# --------------------
+
+# "ignoreself" specifies whether the local resp. own IP addresses should be ignored
+# (default is true). Fail2ban will not ban a host which matches such addresses.
+#ignoreself = true
+
+# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
+# will not ban a host which matches an address in this list. Several addresses
+# can be defined using space (and/or comma) separator.
+#ignoreip = 127.0.0.1/8 ::1
+
+# External command that will take an tagged arguments to ignore, e.g. <ip>,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command <ip>
+ignorecommand =
+
+# "bantime" is the number of seconds that a host is banned.
+bantime  = 10m
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime  = 10m
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5
+
+# "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
+maxmatches = %(maxretry)s
+
+# "backend" specifies the backend used to get files modification.
+# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
+# This option can be overridden in each jail as well.
+#
+# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
+#              If pyinotify is not installed, Fail2ban will use auto.
+# gamin:     requires Gamin (a file alteration monitor) to be installed.
+#              If Gamin is not installed, Fail2ban will use auto.
+# polling:   uses a polling algorithm which does not require external libraries.
+# systemd:   uses systemd python library to access the systemd journal.
+#              Specifying "logpath" is not valid for this backend.
+#              See "journalmatch" in the jails associated filter config
+# auto:      will try to use the following backends, in order:
+#              pyinotify, gamin, polling.
+#
+# Note: if systemd backend is chosen as the default but you enable a jail
+#       for which logs are present only in its own log files, specify some other
+#       backend for that jail (e.g. polling) and provide empty value for
+#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
+backend = auto
+
+# "usedns" specifies if jails should trust hostnames in logs,
+#   warn when DNS lookups are performed, or ignore all hostnames in logs
+#
+# yes:   if a hostname is encountered, a DNS lookup will be performed.
+# warn:  if a hostname is encountered, a DNS lookup will be performed,
+#        but it will be logged as a warning.
+# no:    if a hostname is encountered, will not be used for banning,
+#        but it will be logged as info.
+# raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)
+usedns = warn
+
+# "logencoding" specifies the encoding of the log files handled by the jail
+#   This is used to decode the lines from the log file.
+#   Typical examples:  "ascii", "utf-8"
+#
+#   auto:   will use the system locale setting
+logencoding = auto
+
+# "enabled" enables the jails.
+#  By default all jails are disabled, and it should stay this way.
+#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
+#
+# true:  jail will be enabled and log files will get monitored for changes
+# false: jail is not enabled
+enabled = false
+
+
+# "mode" defines the mode of the filter (see corresponding filter implementation for more info).
+mode = normal
+
+# "filter" defines the filter to use by the jail.
+#  By default jails have names matching their filter name
+#
+filter = %(__name__)s[mode=%(mode)s]
+
+
+#
+# ACTIONS
+#
+
+# Some options used for actions
+
+# Destination email address used solely for the interpolations in
+# jail.{conf,local,d/*} configuration files.
+destemail = root@localhost
+
+# Sender email address used solely for some actions
+sender = root@<fq-hostname>
+
+# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
+# mailing. Change mta configuration parameter to mail if you want to
+# revert to conventional 'mail'.
+mta = sendmail
+
+# Default protocol
+protocol = tcp
+
+# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
+chain = <known/chain>
+
+# Ports to be banned
+# Usually should be overridden in a particular jail
+port = 0:65535
+
+# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
+fail2ban_agent = Fail2Ban/%(fail2ban_version)s
+
+#
+# Action shortcuts. To be used to define action parameter
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overridden globally or per
+# section within jail.local file
+banaction = iptables-multiport
+banaction_allports = iptables-allports
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(action_)s
+            %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_mwl = %(action_)s
+             %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
+
+# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
+#
+# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
+# to the destemail.
+action_xarf = %(action_)s
+             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
+
+# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
+                %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
+
+# Report block via blocklist.de fail2ban reporting service API
+# 
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
+# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
+# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
+# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in 
+# corresponding jail.d/my-jail.local file).
+#
+action_blocklist_de  = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
+
+# Report ban via badips.com, and use as blacklist
+#
+# See BadIPsAction docstring in config/action.d/badips.py for
+# documentation for this action.
+#
+# NOTE: This action relies on banaction being present on start and therefore
+# should be last action defined for a jail.
+#
+action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
+#
+# Report ban via badips.com (uses action.d/badips.conf for reporting only)
+#
+action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
+
+# Report ban via abuseipdb.com.
+#
+# See action.d/abuseipdb.conf for usage example and details.
+#
+action_abuseipdb = abuseipdb
+
+# Choose default action.  To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(action_)s
+
+
+#
+# JAILS
+#
+
+#
+# SSH servers
+#
+
+[sshd]
+
+# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
+# normal (default), ddos, extra or aggressive (combines all).
+# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
+#mode   = normal
+port    = ssh
+logpath = %(sshd_log)s
+backend = %(sshd_backend)s
+
+
+[dropbear]
+
+port     = ssh
+logpath  = %(dropbear_log)s
+backend  = %(dropbear_backend)s
+
+
+[selinux-ssh]
+
+port     = ssh
+logpath  = %(auditd_log)s
+
+
+#
+# HTTP servers
+#
+
+[apache-auth]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+
+
+[apache-badbots]
+# Ban hosts which agent identifies spammer robots crawling the web
+# for email addresses. The mail outputs are buffered.
+port     = http,https
+logpath  = %(apache_access_log)s
+bantime  = 48h
+maxretry = 1
+
+
+[apache-noscript]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+
+
+[apache-overflows]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-nohome]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-botsearch]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-fakegooglebot]
+
+port     = http,https
+logpath  = %(apache_access_log)s
+maxretry = 1
+ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
+
+
+[apache-modsecurity]
+
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-shellshock]
+
+port    = http,https
+logpath = %(apache_error_log)s
+maxretry = 1
+
+
+[openhab-auth]
+
+filter = openhab
+banaction = %(banaction_allports)s
+logpath = /opt/openhab/logs/request.log
+
+
+[nginx-http-auth]
+
+port    = http,https
+logpath = %(nginx_error_log)s
+
+# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 
+# and define `limit_req` and `limit_req_zone` as described in nginx documentation
+# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
+# or for example see in 'config/filter.d/nginx-limit-req.conf'
+[nginx-limit-req]
+port    = http,https
+logpath = %(nginx_error_log)s
+
+[nginx-botsearch]
+
+port     = http,https
+logpath  = %(nginx_error_log)s
+maxretry = 2
+
+
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+
+[php-url-fopen]
+
+port    = http,https
+logpath = %(nginx_access_log)s
+          %(apache_access_log)s
+
+
+[suhosin]
+
+port    = http,https
+logpath = %(suhosin_log)s
+
+
+[lighttpd-auth]
+# Same as above for Apache's mod_auth
+# It catches wrong authentifications
+port    = http,https
+logpath = %(lighttpd_error_log)s
+
+
+#
+# Webmail and groupware servers
+#
+
+[roundcube-auth]
+
+port     = http,https
+logpath  = %(roundcube_errors_log)s
+# Use following line in your jail.local if roundcube logs to journal.
+#backend = %(syslog_backend)s
+
+
+[openwebmail]
+
+port     = http,https
+logpath  = /var/log/openwebmail.log
+
+
+[horde]
+
+port     = http,https
+logpath  = /var/log/horde/horde.log
+
+
+[groupoffice]
+
+port     = http,https
+logpath  = /home/groupoffice/log/info.log
+
+
+[sogo-auth]
+# Monitor SOGo groupware server
+# without proxy this would be:
+# port    = 20000
+port     = http,https
+logpath  = /var/log/sogo/sogo.log
+
+
+[tine20]
+
+logpath  = /var/log/tine20/tine20.log
+port     = http,https
+
+
+#
+# Web Applications
+#
+#
+
+[drupal-auth]
+
+port     = http,https
+logpath  = %(syslog_daemon)s
+backend  = %(syslog_backend)s
+
+[guacamole]
+
+port     = http,https
+logpath  = /var/log/tomcat*/catalina.out
+#logpath  = /var/log/guacamole.log
+
+[monit]
+#Ban clients brute-forcing the monit gui login
+port = 2812
+logpath  = /var/log/monit
+           /var/log/monit.log
+
+
+[webmin-auth]
+
+port    = 10000
+logpath = %(syslog_authpriv)s
+backend = %(syslog_backend)s
+
+
+[froxlor-auth]
+
+port    = http,https
+logpath  = %(syslog_authpriv)s
+backend  = %(syslog_backend)s
+
+
+#
+# HTTP Proxy servers
+#
+#
+
+[squid]
+
+port     =  80,443,3128,8080
+logpath = /var/log/squid/access.log
+
+
+[3proxy]
+
+port    = 3128
+logpath = /var/log/3proxy.log
+
+
+#
+# FTP servers
+#
+
+
+[proftpd]
+
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(proftpd_log)s
+backend  = %(proftpd_backend)s
+
+
+[pure-ftpd]
+
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(pureftpd_log)s
+backend  = %(pureftpd_backend)s
+
+
+[gssftpd]
+
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(syslog_daemon)s
+backend  = %(syslog_backend)s
+
+
+[wuftpd]
+
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(wuftpd_log)s
+backend  = %(wuftpd_backend)s
+
+
+[vsftpd]
+# or overwrite it in jails.local to be
+# logpath = %(syslog_authpriv)s
+# if you want to rely on PAM failed login attempts
+# vsftpd's failregex should match both of those formats
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(vsftpd_log)s
+
+
+#
+# Mail servers
+#
+
+# ASSP SMTP Proxy Jail
+[assp]
+
+port     = smtp,465,submission
+logpath  = /root/path/to/assp/logs/maillog.txt
+
+
+[courier-smtp]
+
+port     = smtp,465,submission
+logpath  = %(syslog_mail)s
+backend  = %(syslog_backend)s
+
+
+[postfix]
+# To use another modes set filter parameter "mode" in jail.local:
+mode    = more
+port    = smtp,465,submission
+logpath = %(postfix_log)s
+backend = %(postfix_backend)s
+
+
+[postfix-rbl]
+
+filter   = postfix[mode=rbl]
+port     = smtp,465,submission
+logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
+maxretry = 1
+
+
+[sendmail-auth]
+
+port    = submission,465,smtp
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[sendmail-reject]
+# To use more aggressive modes set filter parameter "mode" in jail.local:
+# normal (default), extra or aggressive
+# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
+#mode    = normal
+port     = smtp,465,submission
+logpath  = %(syslog_mail)s
+backend  = %(syslog_backend)s
+
+
+[qmail-rbl]
+
+filter  = qmail
+port    = smtp,465,submission
+logpath = /service/qmail/log/main/current
+
+
+# dovecot defaults to logging to the mail syslog facility
+# but can be set by syslog_facility in the dovecot configuration.
+[dovecot]
+
+port    = pop3,pop3s,imap,imaps,submission,465,sieve
+logpath = %(dovecot_log)s
+backend = %(dovecot_backend)s
+
+
+[sieve]
+
+port   = smtp,465,submission
+logpath = %(dovecot_log)s
+backend = %(dovecot_backend)s
+
+
+[solid-pop3d]
+
+port    = pop3,pop3s
+logpath = %(solidpop3d_log)s
+
+
+[exim]
+# see filter.d/exim.conf for further modes supported from filter:
+#mode = normal
+port   = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[exim-spam]
+
+port   = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[kerio]
+
+port    = imap,smtp,imaps,465
+logpath = /opt/kerio/mailserver/store/logs/security.log
+
+
+#
+# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
+# all relevant ports get banned
+#
+
+[courier-auth]
+
+port     = smtp,465,submission,imap,imaps,pop3,pop3s
+logpath  = %(syslog_mail)s
+backend  = %(syslog_backend)s
+
+
+[postfix-sasl]
+
+filter   = postfix[mode=auth]
+port     = smtp,465,submission,imap,imaps,pop3,pop3s
+# You might consider monitoring /var/log/mail.warn instead if you are
+# running postfix since it would provide the same log lines at the
+# "warn" level but overall at the smaller filesize.
+logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
+
+
+[perdition]
+
+port   = imap,imaps,pop3,pop3s
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[squirrelmail]
+
+port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
+logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
+
+
+[cyrus-imap]
+
+port   = imap,imaps
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+[uwimap-auth]
+
+port   = imap,imaps
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+
+
+#
+#
+# DNS servers
+#
+
+
+# !!! WARNING !!!
+#   Since UDP is connection-less protocol, spoofing of IP and imitation
+#   of illegal actions is way too simple.  Thus enabling of this filter
+#   might provide an easy way for implementing a DoS against a chosen
+#   victim. See
+#    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+#   Please DO NOT USE this jail unless you know what you are doing.
+#
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks UDP traffic for DNS requests.
+# [named-refused-udp]
+#
+# filter   = named-refused
+# port     = domain,953
+# protocol = udp
+# logpath  = /var/log/named/security.log
+
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks TCP traffic for DNS requests.
+
+[named-refused]
+
+port     = domain,953
+logpath  = /var/log/named/security.log
+
+
+[nsd]
+
+port     = 53
+action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
+           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
+logpath = /var/log/nsd.log
+
+
+#
+# Miscellaneous
+#
+
+[asterisk]
+
+port     = 5060,5061
+action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
+           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
+logpath  = /var/log/asterisk/messages
+maxretry = 10
+
+
+[freeswitch]
+
+port     = 5060,5061
+action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
+           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
+logpath  = /var/log/freeswitch.log
+maxretry = 10
+
+
+# enable adminlog; it will log to a file inside znc's directory by default.
+[znc-adminlog]
+
+port     = 6667
+logpath  = /var/lib/znc/moddata/adminlog/znc.log
+
+
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
+# equivalent section:
+# log-warnings = 2
+#
+# for syslog (daemon facility)
+# [mysqld_safe]
+# syslog
+#
+# for own logfile
+# [mysqld]
+# log-error=/var/log/mysqld.log
+[mysqld-auth]
+
+port     = 3306
+logpath  = %(mysql_log)s
+backend  = %(mysql_backend)s
+
+
+# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
+[mongodb-auth]
+# change port when running with "--shardsvr" or "--configsvr" runtime operation
+port     = 27017
+logpath  = /var/log/mongodb/mongodb.log
+
+
+# Jail for more extended banning of persistent abusers
+# !!! WARNINGS !!!
+# 1. Make sure that your loglevel specified in fail2ban.conf/.local
+#    is not at DEBUG level -- which might then cause fail2ban to fall into
+#    an infinite loop constantly feeding itself with non-informative lines
+# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
+#    to maintain entries for failed logins for sufficient amount of time
+[recidive]
+
+logpath  = /var/log/fail2ban.log
+banaction = %(banaction_allports)s
+bantime  = 1w
+findtime = 1d
+
+
+# Generic filter for PAM. Has to be used with action which bans all
+# ports such as iptables-allports, shorewall
+
+[pam-generic]
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+banaction = %(banaction_allports)s
+logpath  = %(syslog_authpriv)s
+backend  = %(syslog_backend)s
+
+
+[xinetd-fail]
+
+banaction = iptables-multiport-log
+logpath   = %(syslog_daemon)s
+backend   = %(syslog_backend)s
+maxretry  = 2
+
+
+# stunnel - need to set port for this
+[stunnel]
+
+logpath = /var/log/stunnel4/stunnel.log
+
+
+[ejabberd-auth]
+
+port    = 5222
+logpath = /var/log/ejabberd/ejabberd.log
+
+
+[counter-strike]
+
+logpath = /opt/cstrike/logs/L[0-9]*.log
+tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
+udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
+action_  = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"]
+           %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"]
+
+[softethervpn]
+port     = 500,4500
+protocol = udp
+logpath  = /usr/local/vpnserver/security_log/*/sec.log
+
+[gitlab]
+port    = http,https
+logpath = /var/log/gitlab/gitlab-rails/application.log
+
+[grafana]
+port    = http,https
+logpath = /var/log/grafana/grafana.log
+
+[bitwarden]
+port    = http,https
+logpath = /home/*/bwdata/logs/identity/Identity/log.txt
+
+[centreon]
+port    = http,https
+logpath = /var/log/centreon/login.log
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+
+logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
+backend  = %(syslog_backend)s
+maxretry = 1
+
+
+[oracleims]
+# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
+logpath = /opt/sun/comms/messaging64/log/mail.log_current
+banaction = %(banaction_allports)s
+
+[directadmin]
+logpath = /var/log/directadmin/login.log
+port = 2222
+
+[portsentry]
+logpath  = /var/lib/portsentry/portsentry.history
+maxretry = 1
+
+[pass2allow-ftp]
+# this pass2allow example allows FTP traffic after successful HTTP authentication
+port         = ftp,ftp-data,ftps,ftps-data
+# knocking_url variable must be overridden to some secret value in jail.local
+knocking_url = /knocking/
+filter       = apache-pass[knocking_url="%(knocking_url)s"]
+# access log of the website with HTTP auth
+logpath      = %(apache_access_log)s
+blocktype    = RETURN
+returntype   = DROP
+action       = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s,
+                        actionstart_on_demand=false, actionrepair_on_unban=true]
+bantime      = 1h
+maxretry     = 1
+findtime     = 1
+
+
+[murmur]
+# AKA mumble-server
+port     = 64738
+action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
+           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
+logpath  = /var/log/mumble-server/mumble-server.log
+
+
+[screensharingd]
+# For Mac OS Screen Sharing Service (VNC)
+logpath  = /var/log/system.log
+logencoding = utf-8
+
+[haproxy-http-auth]
+# HAProxy by default doesn't log to file you'll need to set it up to forward
+# logs to a syslog server which would then write them to disk.
+# See "haproxy-http-auth" filter for a brief cautionary note when setting
+# maxretry and findtime.
+logpath  = /var/log/haproxy.log
+
+[slapd]
+port    = ldap,ldaps
+logpath = /var/log/slapd.log
+
+[domino-smtp]
+port    = smtp,ssmtp
+logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
+
+[phpmyadmin-syslog]
+port    = http,https
+logpath = %(syslog_authpriv)s
+backend = %(syslog_backend)s
+
+
+[zoneminder]
+# Zoneminder HTTP/HTTPS web interface auth
+# Logs auth failures to apache2 error log
+port    = http,https
+logpath = %(apache_error_log)s
+
+[traefik-auth]
+# to use 'traefik-auth' filter you have to configure your Traefik instance,
+# see `filter.d/traefik-auth.conf` for details and service example.
+port    = http,https
+logpath = /var/log/traefik/access.log

fail2ban-conf/jail.local

@@ -0,0 +1,84 @@
+[DEFAULT]
+
+ignoreip = 127.0.0.1/8 IP
+bantime = 3600
+findtime = 3600
+#mta = mail
+#destemail = 
+#sendername = Fail2BanAlerts
+#action = %(action_mwl)s
+
+[nginx-http-auth]
+
+enabled  = true
+filter   = nginx-http-auth
+port     = http,https
+logpath  = /var/log/nginx/*error.log
+bantime = 259200
+
+#[nginx-badbots]
+
+#enabled  = true
+#port     = http,https
+#filter   = nginx-badbots
+#logpath  = /var/log/nginx/access.log
+#maxretry = 2
+
+[nginx-badbots]
+
+enabled = true
+port = http,https
+filter = nginx-badbots
+failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 437
+#ignoreregex =
+backend = auto
+logpath = /var/log/nginx/*access.log
+bantime = 259200
+maxretry= 1
+
+[nginx-nohome]
+
+enabled  = true
+port     = http,https
+filter   = nginx-nohome
+logpath  = /var/log/nginx/*access.log
+bantime = 259200
+maxretry = 2
+
+[nginx-noproxy]
+
+enabled  = true
+port     = http,https
+filter   = nginx-noproxy
+logpath  = /var/log/nginx/*access.log
+bantime = 259200
+maxretry = 2
+
+[nginx-req-limit] 
+
+enabled = true 
+filter = nginx-req-limit 
+action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp] 
+logpath = /var/log/nginx/*error.log 
+findtime = 600 
+bantime = 259200
+maxretry = 10 
+
+[nginx-conn-limit] 
+
+enabled = true 
+filter = nginx-conn-limit 
+action = iptables-multiport[name=ConnLimit, port="http,https", protocol=tcp] 
+logpath = /var/log/nginx/*error.log 
+findtime = 300 
+bantime = 259200
+maxretry = 100
+
+[ssh]
+
+enabled = true
+port = SSH_PORT
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+bantime = -1

inventory

@@ -0,0 +1,10 @@
+
+# New server
+[newserver]	
+192.168.1.201	
+	
+# Variables that will be applied to server
+[newserver:vars]	
+ansible_ssh_user=vagrant	
+ansible_ssh_private_key_file=~/.vagrant.d/insecure_private_key	
+ansible_ssh_common_args='-o	StrictHostKeyChecking=no'	

playbook.yml

@@ -0,0 +1,175 @@
+---
+- hosts: newserver
+  become: true
+  remote_user: admin
+
+  vars_files:
+    - secrets.yaml
+
+  tasks:
+######################################## CONFIG BASE ########################################
+
+    - name: Ensure group Docker exists
+      group:
+        name: docker
+        state: present
+
+    - name: Create user admin
+      user:
+        name: admin
+        password: "{{ admin_password }}"
+        groups:
+        - docker
+        - sudo
+        state: present
+        shell: /bin/bash
+        system: no
+        createhome: yes
+        home: /home/admin
+
+    - name: Create workspace folder
+      file:
+        path: "{{ item }}"
+        state: directory
+        owner: admin
+        group: admin
+        mode: 0751
+      with_items:
+        - /workspace/jellyfin/
+        - /workspace/syncthing/
+
+
+################# GIT #################
+
+    - name: Git install
+      apt:
+        pkg: git
+        state: present
+        update_cache: yes
+
+################# NGINX #################
+
+    - name: Ensure nginx is at the latest version
+      apt: name=nginx state=latest
+    - name: start nginx
+      service:
+          name: nginx
+          state: started
+
+################# DOCKER #################
+
+    - name: Apt update
+      apt:
+        name: aptitude
+        state: latest
+        update_cache: true
+
+    - name: Install required system packages for Docker
+      apt:
+        pkg:
+          - apt-transport-https
+          - ca-certificates
+          - curl
+          - software-properties-common
+          - python3-pip
+          - virtualenv
+          - python3-setuptools
+        state: latest
+        update_cache: true
+
+    - name: Add Docker GPG apt Key
+      apt_key:
+        url: https://download.docker.com/linux/ubuntu/gpg
+        state: present
+
+    - name: Add Docker Repository
+      apt_repository:
+        repo: deb https://download.docker.com/linux/ubuntu focal stable
+        state: present
+
+    - name: Install Docker-ce
+      apt:
+        name: docker-ce
+        state: latest
+        update_cache: true
+
+    - name: Install Docker Module for Python
+      pip:
+        name: docker
+
+################# DOCKER COMPOSE #################
+
+    - name: Install Docker-compose
+      remote_user: admin
+      get_url:
+        url : https://github.com/docker/compose/releases/download/1.29.2/docker-compose-Linux-x86_64
+        dest: /usr/local/bin/docker-compose
+        mode: 'u+x,g+x'
+
+    - name: Change Docker-compose folder file permission
+      file:
+        path: /usr/local/bin/docker-compose
+        owner: admin
+        group: admin
+
+################# CERTBOT #################
+
+    - name: Install Certbot
+      apt:
+        pkg: python3-certbot-nginx
+        state: latest
+
+################# FAIL2BAN #################
+      
+    - name: Install apt fail2ban packages
+      apt: 
+        name: fail2ban  
+        state: latest
+        update_cache: yes
+        cache_valid_time: 3600
+
+    
+    - name: Override the basic Fail2ban configuration
+      copy:
+        src: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+        owner: root
+        group: root
+        mode: 0644
+      with_items:
+        - { src: ./fail2ban-conf/jail.local, dest: /etc/fail2ban }
+        - { src: ./fail2ban-conf/jail.conf, dest: /etc/fail2ban }
+        - { src: ./fail2ban-conf/filter.d, dest: /etc/fail2ban }
+
+    - name: Restart Fail2ban service
+      service:
+        name: fail2ban
+        state: restarted
+
+
+######################################## INSTALL STACK ########################################
+
+    # - name: Copy Nginx configs
+
+
+    # - name: Copy volumes of /data/
+
+
+    - name: Git pull stack
+      become: yes
+      git:
+        repo: "{{ item.src }}"
+        dest: "{{ item.dest }}"
+      with_items:
+        - { src: 'https://git.gregandev.fr/gregandev/jellyfin.git', dest: '/workspace/jellyfin/' }
+        - { src: 'https://git.gregandev.fr/gregandev/syncthing.git', dest: '/workspace/syncthing' }
+
+# ERROR PULLING IMAGES ...
+    - name: Run container
+      become: True
+      shell:
+        cmd: "docker-compose -f docker-compose.yml up -d"
+        chdir: "{{ item }}"
+      with_items:
+        - /workspace/jellyfin
+        - /workspace/syncthing

secrets.yaml

@@ -0,0 +1,6 @@
+# password encoded with MKpaswwords for Ansible (mdp admin)
+admin_password: $6$zs1lCREIwXN8GY5m$h3RdrV8xXSvTl5qjrMWNGyoh97XtM92cP1twdakOy//QSIueMeqyeEs30MNbYRu9FpD28vMwYPE/SqDuRuml50
+destination: /workspace/
+new-server-ssh-key: 
+gitlab-user: 
+gitlab-token: