commit
8a5ca24016
@ -0,0 +1,27 @@ |
|||||||
|
# ANSIBLE |
||||||
|
|
||||||
|
## PRINCIPE |
||||||
|
|
||||||
|
Ansible est un outils de configuration de machines. |
||||||
|
Ici il est utilisé pour se connecter au nouveau server où nous allons reinstaller la stack production du Garage. |
||||||
|
|
||||||
|
## INSTALLATION |
||||||
|
|
||||||
|
```bash |
||||||
|
python3 -m pip install --user ansible |
||||||
|
python3 -m pip install --user ansible-core |
||||||
|
#python3 -m pip install --user ansible-core==2.13.3 # (pour choisir une version spécifique) |
||||||
|
``` |
||||||
|
|
||||||
|
## USAGE |
||||||
|
|
||||||
|
- Seul: |
||||||
|
```bash |
||||||
|
ansible -i inventory playbook.yml |
||||||
|
``` |
||||||
|
|
||||||
|
- Avec Vagrant: |
||||||
|
```bash |
||||||
|
vagrant provision |
||||||
|
``` |
||||||
|
> Nécessite une Vagrantfile! |
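--- /dev/null
+++ b/Vagrantfile
@@ -0,0 +1,33 @@
+VAGRANTFILE_API_VERSION = "2"
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+# General Vagrant VM configuration.
+# All VMs will run under centos7 exploitation system
+config.vm.box = "debian/bullseye64"
+# If true, Vagrant will automatically insert a keypair
+# to use for SSH, replacing Vagrant's default insecure key
+# inside the machine if detected. By default, this is true
+config.ssh.insert_key = false
+# Configures synced folders on the machine, so that folders
+# on your host machine can be synced to and from the guest machine
+config.vm.synced_folder ".", "/vagrant", disabled: true
+# VM Provider
+config.vm.provider :virtualbox do |v|
+v.memory = 1024
+v.linked_clone = true
+end
+
+# new server
+config.vm.define "newserver" do |newserver|
+newserver.vm.hostname = "newserver.dev"
+# static ip address
+#newserver.vm.network :private_network, ip: "192.168.56.10"
+newserver.vm.network :public_network, ip: "192.168.1.201"
+config.vm.provision "ansible" do |ansible|
+ansible.playbook= "./playbook.yml"
+ansible.inventory_path="./inventory"
+ansible.limit="newserver"
+end
+
+end
+
+end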
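Review bot: `config.ssh.insert_key = false` together with `newserver.vm.network :public_network, ip: "192.168.1.201"` leaves the guest bridged onto the LAN while it still accepts the box's default Vagrant keypair, which the comment above that line already calls insecure and which is not unique to this host; keep `insert_key` at its default by dropping the line, or if the bridged address is only needed for provisioning, prefer the commented-out `private_network` line. The comment `# All VMs will run under centos7 exploitation system` no longer matches `config.vm.box = "debian/bullseye64"` and should read `# All VMs run the debian/bullseye64 box`. The provisioner is declared as `config.vm.provision "ansible"` inside the `newserver` define block, so it presumably was meant to be `newserver.vm.provision "ansible" do |ansible|`; as written it attaches to every machine and relies on `ansible.limit` to scope it.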
@ -0,0 +1,20 @@ |
|||||||
|
# Fail2Ban filter for 3proxy |
||||||
|
# |
||||||
|
# |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
|
||||||
|
failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ <HOST>:\d+ [\d.]+:\d+ \d+ \d+ \d+\s |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
datepattern = {^LN-BEG} |
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are |
||||||
|
# all authentication problems (%E field) |
||||||
|
# Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T" |
||||||
|
# |
||||||
|
# Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246 |
||||||
|
# Author: Daniel Black |
@ -0,0 +1,71 @@ |
|||||||
|
# Fail2Ban apache-auth filter |
||||||
|
# |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from |
||||||
|
# apache-common.local |
||||||
|
before = apache-common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
# Mode for filter: normal (default) and aggressive (allows DDoS & brute force detection of mod_evasive) |
||||||
|
mode = normal |
||||||
|
|
||||||
|
# ignore messages of mod_evasive module: |
||||||
|
apache-pref-ign-normal = (?!evasive) |
||||||
|
# allow "denied by server configuration" from all modules: |
||||||
|
apache-pref-ign-aggressive = |
||||||
|
# mode related ignore prefix for common _apache_error_client substitution: |
||||||
|
apache-pref-ignore = <apache-pref-ign-<mode>> |
||||||
|
|
||||||
|
prefregex = ^%(_apache_error_client)s (?:AH\d+: )?<F-CONTENT>.+</F-CONTENT>$ |
||||||
|
|
||||||
|
# auth_type = ((?:Digest|Basic): )? |
||||||
|
auth_type = ([A-Z]\w+: )? |
||||||
|
|
||||||
|
failregex = ^client (?:denied by server configuration|used wrong authentication scheme)\b |
||||||
|
^user (?!`)<F-USER>(?:\S*|.*?)</F-USER> (?:auth(?:oriz|entic)ation failure|not found|denied by provider)\b |
||||||
|
^Authorization of user <F-USER>(?:\S*|.*?)</F-USER> to access .*? failed\b |
||||||
|
^%(auth_type)suser <F-USER>(?:\S*|.*?)</F-USER>: password mismatch\b |
||||||
|
^%(auth_type)suser `<F-USER>(?:[^']*|.*?)</F-USER>' in realm `.+' (auth(?:oriz|entic)ation failure|not found|denied by provider)\b |
||||||
|
^%(auth_type)sinvalid nonce .* received - length is not\b |
||||||
|
^%(auth_type)srealm mismatch - got `(?:[^']*|.*?)' but expected\b |
||||||
|
^%(auth_type)sunknown algorithm `(?:[^']*|.*?)' received\b |
||||||
|
^invalid qop `(?:[^']*|.*?)' received\b |
||||||
|
^%(auth_type)sinvalid nonce .*? received - user attempted time travel\b |
||||||
|
^(?:No h|H)ostname \S+ provided via SNI(?:, but no hostname provided| and hostname \S+ provided| for a name based virtual host)\b |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# |
||||||
|
# This filter matches the authorization failures of Apache. It takes the log messages |
||||||
|
# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or |
||||||
|
# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR. |
||||||
|
# |
||||||
|
# An unauthorized response 401 is the first step for a browser to instigate authentication |
||||||
|
# however apache doesn't log this as an error. Only subsequent errors are logged in the |
||||||
|
# error log. |
||||||
|
# |
||||||
|
# Source: |
||||||
|
# |
||||||
|
# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/* |
||||||
|
# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get |
||||||
|
# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core |
||||||
|
# to return the actual failure. |
||||||
|
# |
||||||
|
# Note that URI can contain spaces. |
||||||
|
# |
||||||
|
# See also: http://wiki.apache.org/httpd/ListOfErrors |
||||||
|
# Expressions that don't have tests and aren't common. |
||||||
|
# more be added with https://issues.apache.org/bugzilla/show_bug.cgi?id=55284 |
||||||
|
# ^user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$ |
||||||
|
# ^user .*: one-time-nonce mismatch - sending new nonce\s*$ |
||||||
|
# ^realm mismatch - got `(?:[^']*|.*?)' but no realm specified\s*$ |
||||||
|
# |
||||||
|
# Because url/referer are foreign input, short form of regex used if long enough to idetify failure. |
||||||
|
# |
||||||
|
# Author: Cyril Jaquier |
||||||
|
# Major edits by Daniel Black and Ben Rubson. |
||||||
|
# Rewritten for v.0.10 by Sergey Brester (sebres). |
@ -0,0 +1,24 @@ |
|||||||
|
# Fail2Ban configuration file |
||||||
|
# |
||||||
|
# Regexp to catch known spambots and software alike. Please verify |
||||||
|
# that it is your intent to block IPs which were driven by |
||||||
|
# above mentioned bots. |
||||||
|
|
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|(?:Mozilla/\d+\.\d+ )?Jorgee |
||||||
|
badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 
11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 |
||||||
|
|
||||||
|
failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
datepattern = ^[^\[]*\[({DATE}) |
||||||
|
{^LN-BEG} |
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# List of bad bots fetched from http://www.user-agents.org |
||||||
|
# Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots. |
||||||
|
# |
||||||
|
# Author: Yaroslav Halchenko |
@ -0,0 +1,39 @@ |
|||||||
|
# Fail2Ban filter to match web requests for selected URLs that don't exist |
||||||
|
# |
||||||
|
# This filter is aimed at blocking specific URLs that don't exist. This |
||||||
|
# could be a set of URLs places in a Disallow: directive in robots.txt or |
||||||
|
# just some web services that don't exist caused bots are searching for |
||||||
|
# exploitable content. This filter is designed to have a low false positive |
||||||
|
# rate due. |
||||||
|
# |
||||||
|
# An alternative to this is the apache-noscript filter which blocks all |
||||||
|
# types of scripts that don't exist. |
||||||
|
# |
||||||
|
# |
||||||
|
# This is normally a predefined list of exploitable or valuable web services |
||||||
|
# that are hidden or aren't actually installed. |
||||||
|
# |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
# overwrite with apache-common.local if _apache_error_client is incorrect. |
||||||
|
# Load regexes for filtering from botsearch-common.conf |
||||||
|
before = apache-common.conf |
||||||
|
botsearch-common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
prefregex = ^%(_apache_error_client)s (?:AH\d+: )?<F-CONTENT>.+</F-CONTENT>$ |
||||||
|
|
||||||
|
failregex = ^(?:File does not exist|script not found or unable to stat): <webroot><block>(, referer: \S+)?\s*$ |
||||||
|
^script '<webroot><block>' not found or unable to stat(, referer: \S+)?\s*$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
# Webroot represents the webroot on which all other files are based |
||||||
|
webroot = /var/www/ |
||||||
|
|
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# |
||||||
|
# Author: Daniel Black |
@ -0,0 +1,44 @@ |
|||||||
|
# Generic configuration items (to be used as interpolations) in other |
||||||
|
# apache filters. |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
before = common.conf |
||||||
|
# Load customizations if any available |
||||||
|
after = apache-common.local |
||||||
|
|
||||||
|
[DEFAULT] |
||||||
|
|
||||||
|
# Apache logging mode: |
||||||
|
# all - universal prefix (logfile, syslog) |
||||||
|
# logfile - logfile only |
||||||
|
# syslog - syslog only |
||||||
|
# Use `filter = apache-auth[logging=syslog]` to get more precise regex if apache logs into syslog (ErrorLog syslog). |
||||||
|
# Use `filter = apache-auth[logging=all]` to get universal regex matches both logging variants. |
||||||
|
logging = logfile |
||||||
|
|
||||||
|
# Apache logging prefixes (date-pattern prefix, server, process etc.): |
||||||
|
apache-prefix-syslog = %(__prefix_line)s |
||||||
|
apache-prefix-logfile = \[\]\s |
||||||
|
apache-prefix-all = (?:%(apache-prefix-logfile)s|%(apache-prefix-syslog)s)? |
||||||
|
|
||||||
|
# Setting for __prefix_line (only `logging=syslog`): |
||||||
|
_daemon = (?:apache\d*|httpd(?:/\w+)?) |
||||||
|
|
||||||
|
apache-prefix = <apache-prefix-<logging>> |
||||||
|
|
||||||
|
apache-pref-ignore = |
||||||
|
|
||||||
|
_apache_error_client = <apache-prefix>\[(:?error|<apache-pref-ignore>\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\] |
||||||
|
|
||||||
|
datepattern = {^LN-BEG} |
||||||
|
|
||||||
|
# Common prefix for [error] apache messages which also would include <HOST> |
||||||
|
# Depending on the version it could be |
||||||
|
# 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4] |
||||||
|
# 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652] |
||||||
|
# 2.4 (perfork): [Mon Dec 23 07:49:01.981912 2013] [:error] [pid 3790] [client 204.232.202.107:46301] script '/var/www/timthumb.php' not found or unable to |
||||||
|
# |
||||||
|
# Reference: https://github.com/fail2ban/fail2ban/issues/268 |
||||||
|
# |
||||||
|
# Author: Yaroslav Halchenko |
@ -0,0 +1,16 @@ |
|||||||
|
# Fail2Ban filter for fake Googlebot User Agents |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
failregex = ^<HOST> .*Googlebot.*$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
datepattern = ^[^\[]*\[({DATE}) |
||||||
|
{^LN-BEG} |
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# |
||||||
|
# Author: Lee Clemens |
||||||
|
# Thanks: Johannes B. Ullrich, Ph.D. |
||||||
|
# Reference: https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/ |
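Review bot: `failregex = ^<HOST> .*Googlebot.*$` matches every access-log line whose user agent mentions Googlebot, and nothing in this file distinguishes the genuine crawler from an impostor, so with this filter alone real Googlebot traffic would be banned too. Upstream fail2ban normally pairs this filter with an `ignorecommand` set in the jail definition that performs the reverse-DNS verification, and no jail configuration is part of this commit, so it is worth confirming the jail that references this filter sets it. A comment at the top such as `# Requires the jail to set ignorecommand to the reverse-DNS check; otherwise genuine Googlebot is banned as well` would make that dependency visible to whoever deploys it.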
@ -0,0 +1,19 @@ |
|||||||
|
# Fail2Ban apache-modsec filter |
||||||
|
# |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from |
||||||
|
# apache-common.local |
||||||
|
before = apache-common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
|
||||||
|
failregex = ^%(_apache_error_client)s(?: \[client [^\]]+\])? ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
# https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats |
||||||
|
# Author: Daniel Black |
||||||
|
# Sergey G. Brester aka sebres (review, optimization) |
@ -0,0 +1,20 @@ |
|||||||
|
# Fail2Ban filter to web requests for home directories on Apache servers |
||||||
|
# |
||||||
|
# Regex to match failures to find a home directory on a server, which |
||||||
|
# became popular last days. Most often attacker just uses IP instead of |
||||||
|
# domain name -- so expect to see them in generic error.log if you have |
||||||
|
# per-domain log files. |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
# overwrite with apache-common.local if _apache_error_client is incorrect. |
||||||
|
before = apache-common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
|
||||||
|
failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.* |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
# Author: Yaroslav O. Halchenko <debian@onerussian.com> |
@ -0,0 +1,37 @@ |
|||||||
|
# Fail2Ban filter to block web requests for scripts (on non scripted websites) |
||||||
|
# |
||||||
|
# This matches many types of scripts that don't exist. This could generate a |
||||||
|
# lot of false positive matches in cases like wikis and forums where users |
||||||
|
# no affiliated with the website can insert links to missing files/scripts into |
||||||
|
# pages and cause non-malicious browsers of the site to trigger against this |
||||||
|
# filter. |
||||||
|
# |
||||||
|
# If you'd like to match specific URLs that don't exist see the |
||||||
|
# apache-botsearch filter. |
||||||
|
# |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
# overwrite with apache-common.local if _apache_error_client is incorrect. |
||||||
|
before = apache-common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/) |
||||||
|
|
||||||
|
prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?:(?:[Ff]ile|script|[Gg]ot) )<F-CONTENT>.+</F-CONTENT>$ |
||||||
|
|
||||||
|
failregex = ^(?:does not exist|not found or unable to stat): <script>\b |
||||||
|
^'<script>\S*' not found or unable to stat |
||||||
|
^error '[Pp]rimary script unknown(?:\\n)?' |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# |
||||||
|
# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs |
||||||
|
# |
||||||
|
# Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is in httpd-2.2 |
||||||
|
# |
||||||
|
# Author: Cyril Jaquier |
@ -0,0 +1,40 @@ |
|||||||
|
# Fail2Ban filter to block web requests on a long or suspicious nature |
||||||
|
# |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
# overwrite with apache-common.local if _apache_error_client is incorrect. |
||||||
|
before = apache-common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
failregex = ^%(_apache_error_client)s (?:(?:AH0013[456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b) |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# |
||||||
|
# [sebres] Because this apache-log could contain very long URLs (and/or referrer), |
||||||
|
# the parsing of it anchored way may be very vulnerable (at least as regards |
||||||
|
# the system resources, see gh-1790). Thus rewritten without end-anchor ($). |
||||||
|
# |
||||||
|
# fgrep -r 'URI too long' httpd-2.* |
||||||
|
# httpd-2.2.25/server/protocol.c: "request failed: URI too long (longer than %d)", r->server->limit_req_line); |
||||||
|
# httpd-2.4.4/server/protocol.c: "request failed: URI too long (longer than %d)", |
||||||
|
# |
||||||
|
# fgrep -r 'in request' ../httpd-2.* | fgrep Invalid |
||||||
|
# httpd-2.2.25/server/core.c: "Invalid URI in request %s", r->the_request); |
||||||
|
# httpd-2.2.25/server/core.c: "Invalid method in request %s", r->the_request); |
||||||
|
# httpd-2.2.25/docs/manual/rewrite/flags.html.fr:avertissements 'Invalid URI in request'. |
||||||
|
# httpd-2.4.4/server/core.c: "Invalid URI in request %s", r->the_request); |
||||||
|
# httpd-2.4.4/server/core.c: "Invalid method in request %s - possible attempt to establish SSL connection on non-SSL port", r->the_request); |
||||||
|
# httpd-2.4.4/server/core.c: "Invalid method in request %s", r->the_request); |
||||||
|
# |
||||||
|
# fgrep -r 'invalid characters in URI' httpd-2.* |
||||||
|
# httpd-2.4.4/server/protocol.c: "request failed: invalid characters in URI"); |
||||||
|
# |
||||||
|
# http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=739382&r2=739620&pathrev=739620 |
||||||
|
# ...possible attempt to establish SSL connection on non-SSL port |
||||||
|
# |
||||||
|
# https://wiki.apache.org/httpd/ListOfErrors |
||||||
|
# Author: Tim Connors |
@ -0,0 +1,19 @@ |
|||||||
|
# Fail2Ban Apache pass filter |
||||||
|
# This filter is for access.log, NOT for error.log |
||||||
|
# |
||||||
|
# The knocking request must have a referer. |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
failregex = ^<HOST> - \w+ \[\] "GET <knocking_url> HTTP/1\.[01]" 200 \d+ ".*" "[^-].*"$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
datepattern = ^[^\[]*\[({DATE}) |
||||||
|
{^LN-BEG} |
||||||
|
|
||||||
|
[Init] |
||||||
|
|
||||||
|
knocking_url = /knocking/ |
||||||
|
|
||||||
|
# Author: Viktor Szépe |
@ -0,0 +1,28 @@ |
|||||||
|
# Fail2Ban filter to block web requests containing custom headers attempting to exploit the shellshock bug |
||||||
|
# |
||||||
|
# |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
# overwrite with apache-common.local if _apache_error_client is incorrect. |
||||||
|
before = apache-common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
prefregex = ^%(_apache_error_client)s (AH01215: )?/bin/([bd]a)?sh: <F-CONTENT>.+</F-CONTENT>$ |
||||||
|
|
||||||
|
failregex = ^warning: HTTP_[^:]+: ignoring function definition attempt(, referer: \S+)?\s*$ |
||||||
|
^error importing function definition for `HTTP_[^']+'(, referer: \S+)?\s*$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# |
||||||
|
# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs |
||||||
|
# |
||||||
|
# example log lines: |
||||||
|
# [Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt |
||||||
|
# [Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST' |
||||||
|
# |
||||||
|
# Author: Eugene Hopkinson (e.hopkinson@gmail.com) |
@ -0,0 +1,46 @@ |
|||||||
|
# Fail2Ban filter for Anti-Spam SMTP Proxy Server (ASSP) |
||||||
|
# Filter works in theory for both ASSP V1 and V2. Recommended ASSP is V2.5.1 or later. |
||||||
|
# Support for ASSP V1 ended in 2014 so if you are still running ASSP V1 an immediate upgrade is recommended. |
||||||
|
# |
||||||
|
# Homepage: http://sourceforge.net/projects/assp/ |
||||||
|
# ProjectSite: http://sourceforge.net/projects/assp/?source=directory |
||||||
|
# |
||||||
|
# |
||||||
|
|
||||||
|
[Definition] |
||||||
|
# Note: First three failregex matches below are for ASSP V1 with the remaining being designed for V2. Deleting the V1 regex is recommended but I left it in for compatibility reasons. |
||||||
|
|
||||||
|
__assp_actions = (?:dropping|refusing) |
||||||
|
|
||||||
|
failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$ |
||||||
|
^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$ |
||||||
|
^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$ |
||||||
|
^\s*(?:[\w\-]+\s+)*(?:\[\S+\]\s+)*<HOST> (?:\<\S+@\S+\.\S+\> )*(?:to: \S+@\S+\.\S+ )*relay attempt blocked for(?: \(parsing\))?: \S+$ |
||||||
|
^\s*(?:[\w\-]+\s+)*(?:\[\S+\]\s+)*<HOST> \[SMTP Error\] 535 5\.7\.8 Error: authentication failed:\s+(?:\S+|Connection lost to authentication server|Invalid authentication mechanism|Invalid base64 data in continued response)?$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
datepattern = {^LN-BEG}%%b-%%d-%%Exy %%H:%%M:%%S |
||||||
|
{^LN-BEG} |
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# V1 Examples matches: |
||||||
|
# Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41); |
||||||
|
# Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol; |
||||||
|
# Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded |
||||||
|
# |
||||||
|
# V2 Examples matches: |
||||||
|
# Jul-29-16 16:49:52 m1-25391-06124 [Worker_1] [TLS-out] [RelayAttempt] 0.0.0.0 <user@example.com> to: user@example.org relay attempt blocked for: someone@example.org |
||||||
|
# Jul-30-16 16:59:42 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6 |
||||||
|
# Jul-30-16 00:15:36 m1-52131-09651 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6 |
||||||
|
# Jul-31-16 06:45:59 [Worker_1] [TLS-in] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: |
||||||
|
# Jan-05-16 08:38:49 m1-01129-09140 [Worker_1] [TLS-in] [TLS-out] [RelayAttempt] 0.0.0.0 <user@example.com> relay attempt blocked for (parsing): <user2@example> |
||||||
|
# Jun-12-16 16:43:37 m1-64217-12013 [Worker_1] [TLS-in] [TLS-out] [RelayAttempt] 0.0.0.0 <user@example.com> to: user2@example.com relay attempt blocked for (parsing): <a.notheruser69@example.c> |
||||||
|
# Jan-22-16 22:25:51 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Invalid authentication mechanism |
||||||
|
# Mar-19-16 13:42:20 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Invalid base64 data in continued response |
||||||
|
# Jul-18-16 16:54:21 [Worker_2] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Connection lost to authentication server |
||||||
|
# Jul-18-16 17:14:23 m1-76453-02949 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Connection lost to authentication server |
||||||
|
|
||||||
|
# |
||||||
|
# Author: Enrico Labedzki (enrico.labedzki@deiwos.de) |
||||||
|
# V2 Filters: Robert Hardy (rhardy@webcon.ca) |
@ -0,0 +1,55 @@ |
|||||||
|
# Fail2Ban filter for asterisk authentication failures |
||||||
|
# |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from |
||||||
|
# common.local |
||||||
|
before = common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
_daemon = asterisk |
||||||
|
|
||||||
|
__pid_re = (?:\s*\[\d+\]) |
||||||
|
|
||||||
|
iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4} |
||||||
|
|
||||||
|
# All Asterisk log messages begin like this: |
||||||
|
log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])?:? [^:]+:\d*(?:(?: in)? [^:]+:)? |
||||||
|
|
||||||
|
prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$ |
||||||
|
|
||||||
|
failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$ |
||||||
|
^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context |
||||||
|
^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b) |
||||||
|
^No registration for peer '[^']*' \(from <HOST>\)$ |
||||||
|
^hacking attempt detected '<HOST>'$ |
||||||
|
^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/[^/"]+/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$ |
||||||
|
^"Rejecting unknown SIP connection from <HOST>(?::\d+)?"$ |
||||||
|
^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$ |
||||||
|
|
||||||
|
# FreePBX (todo: make optional in v.0.10): |
||||||
|
# ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
datepattern = {^LN-BEG} |
||||||
|
|
||||||
|
# Author: Xavier Devlamynck / Daniel Black |
||||||
|
# |
||||||
|
# General log format - main/logger.c:ast_log |
||||||
|
# Address format - ast_sockaddr_stringify |
||||||
|
# |
||||||
|
# First regex: channels/chan_sip.c |
||||||
|
# |
||||||
|
# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog |
||||||
|
|
||||||
|
journalmatch = _SYSTEMD_UNIT=asterisk.service |
||||||
|
|
||||||
|
|
||||||
|
[lt_journal] |
||||||
|
|
||||||
|
# asterisk can log timestamp if logs into systemd-journal (optional part matching this timestamp, gh-2383): |
||||||
|
__extra_timestamp = (?:\[[^\]]+\]\s+)? |
||||||
|
__prefix_line = %(known/__prefix_line)s%(__extra_timestamp)s |
@ -0,0 +1,13 @@ |
|||||||
|
# Fail2Ban filter for Bitwarden |
||||||
|
# Detecting failed login attempts |
||||||
|
# Logged in bwdata/logs/identity/Identity/log.txt |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
before = common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
_daemon = Bitwarden-Identity |
||||||
|
failregex = ^%(__prefix_line)s\s*\[(?:W(?:RN|arning)|Bit\.Core\.[^\]]+)\]\s+Failed login attempt(?:, 2FA invalid)?\. <ADDR>$ |
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# __prefix_line can result to an empty string, so it can support syslog and non-syslog at once. |
@ -0,0 +1,19 @@ |
|||||||
|
# Generic configuration file for -botsearch filters |
||||||
|
|
||||||
|
[Init] |
||||||
|
|
||||||
|
# Block is the actual non-found directories to block |
||||||
|
block = \/?(<webmail>|<phpmyadmin>|<wordpress>|cgi-bin|mysqladmin)[^,]* |
||||||
|
|
||||||
|
# These are just convenient definitions that assist the blocking of stuff that |
||||||
|
# isn't installed |
||||||
|
webmail = roundcube|(ext)?mail|horde|(v-?)?webmail |
||||||
|
|
||||||
|
phpmyadmin = (typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin) |
||||||
|
|
||||||
|
wordpress = wp-(login|signup|admin)\.php |
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# Taken from apache-botsearch filter |
||||||
|
# |
||||||
|
# Author: Frantisek Sumsal |
@ -0,0 +1,9 @@ |
|||||||
|
# Fail2Ban filter for Centreon Web |
||||||
|
# Detecting unauthorized access to the Centreon Web portal |
||||||
|
# typically logged in /var/log/centreon/login.log |
||||||
|
|
||||||
|
[Init] |
||||||
|
datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S |
||||||
|
|
||||||
|
[Definition] |
||||||
|
failregex = ^(?:\|-?\d+){3}\|\[[^\]]*\] \[<HOST>\] Authentication failed for '<F-USER>[^']+</F-USER>' |
@ -0,0 +1,89 @@ |
|||||||
|
# Generic configuration items (to be used as interpolations) in other |
||||||
|
# filters or actions configurations |
||||||
|
# |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
# Load customizations if any available |
||||||
|
after = common.local |
||||||
|
|
||||||
|
|
||||||
|
[DEFAULT] |
||||||
|
|
||||||
|
# Type of log-file resp. log-format (file, short, journal, rfc542): |
||||||
|
logtype = file |
||||||
|
|
||||||
|
# Daemon definition is to be specialized (if needed) in .conf file |
||||||
|
_daemon = \S* |
||||||
|
|
||||||
|
# |
||||||
|
# Shortcuts for easier comprehension of the failregex |
||||||
|
# |
||||||
|
# PID. |
||||||
|
# EXAMPLES: [123] |
||||||
|
__pid_re = (?:\[\d+\]) |
||||||
|
|
||||||
|
# Daemon name (with optional source_file:line or whatever) |
||||||
|
# EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix) |
||||||
|
__daemon_re = [\[\(]?<_daemon>(?:\(\S+\))?[\]\)]?:? |
||||||
|
|
||||||
|
# extra daemon info |
||||||
|
# EXAMPLE: [ID 800047 auth.info] |
||||||
|
__daemon_extra_re = \[ID \d+ \S+\] |
||||||
|
|
||||||
|
# Combinations of daemon name and PID |
||||||
|
# EXAMPLES: sshd[31607], pop(pam_unix)[4920] |
||||||
|
__daemon_combs_re = (?:<__pid_re>?:\s+<__daemon_re>|<__daemon_re><__pid_re>?:?) |
||||||
|
|
||||||
|
# Some messages have a kernel prefix with a timestamp |
||||||
|
# EXAMPLES: kernel: [769570.846956] |
||||||
|
__kernel_prefix = kernel:\s?\[ *\d+\.\d+\]:? |
||||||
|
|
||||||
|
__hostname = \S+ |
||||||
|
|
||||||
|
# A MD5 hex |
||||||
|
# EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f |
||||||
|
__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2} |
||||||
|
|
||||||
|
# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or |
||||||
|
# <auth.info> appearing before the host as per testcases/files/logs/bsd/*. |
||||||
|
__bsd_syslog_verbose = <[^.]+\.[^.]+> |
||||||
|
|
||||||
|
__vserver = @vserver_\S+ |
||||||
|
|
||||||
|
__date_ambit = (?:\[\]) |
||||||
|
|
||||||
|
# Common line prefixes (beginnings) which could be used in filters |
||||||
|
# |
||||||
|
# [bsdverbose]? [hostname] [vserver tag] daemon_id spaces |
||||||
|
# |
||||||
|
# This can be optional (for instance if we match named native log files) |
||||||
|
__prefix_line = <lt_<logtype>/__prefix_line> |
||||||
|
|
||||||
|
# PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss, |
||||||
|
# pam_ldap |
||||||
|
__pam_auth = pam_unix |
||||||
|
|
||||||
|
# standardly all formats using prefix have line-begin anchored date: |
||||||
|
datepattern = <lt_<logtype>/datepattern> |
||||||
|
|
||||||
|
[lt_file] |
||||||
|
# Common line prefixes for logtype "file": |
||||||
|
__prefix_line = <__date_ambit>?\s*(?:<__bsd_syslog_verbose>\s+)?(?:<__hostname>\s+)?(?:<__kernel_prefix>\s+)?(?:<__vserver>\s+)?(?:<__daemon_combs_re>\s+)?(?:<__daemon_extra_re>\s+)? |
||||||
|
datepattern = {^LN-BEG} |
||||||
|
|
||||||
|
[lt_short] |
||||||
|
# Common (short) line prefix for logtype "journal" (corresponds output of formatJournalEntry): |
||||||
|
__prefix_line = \s*(?:<__hostname>\s+)?(?:<_daemon><__pid_re>?:?\s+)?(?:<__kernel_prefix>\s+)? |
||||||
|
datepattern = %(lt_file/datepattern)s |
||||||
|
[lt_journal] |
||||||
|
__prefix_line = %(lt_short/__prefix_line)s |
||||||
|
datepattern = %(lt_short/datepattern)s |
||||||
|
|
||||||
|
[lt_rfc5424] |
||||||
|
# RFC 5424 log-format, see gh-2309: |
||||||
|
#__prefix_line = \s*<__hostname> <__daemon_re> \d+ \S+ \S+\s+ |
__prefix_line = \s*<__hostname> <__daemon_re> \d+ \S+ (?:[^\[\]\s]+|(?:\[(?:[^\]"]*|"[^"]*")*\])+)\s+ |
datepattern = ^<\d+>\d+\s+{DATE} |
|
# Author: Yaroslav Halchenko, Sergey G. Brester (aka sebres) |
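--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,15 @@
+# Fail2Ban filter for failure attempts in Counter Strike-1.6
+#
+#
+
+[Definition]
+
+failregex = ^: Bad Rcon: "rcon \d+ "\S+" sv_contact ".*?"" from "<HOST>:\d+"$
+
+ignoreregex =
+
+datepattern = ^L %%d/%%m/%%Y - %%H:%%M:%%S
+
+
+# Author: Daniel Black
+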
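--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,21 @@
+# Fail2Ban filter for courier authentication failures
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?
+
+failregex = ^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\]$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}
+
+# Author: Christoph Haas
+# Modified by: Cyril Jaquier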
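--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,22 @@
+# Fail2Ban filter to block relay attempts though a Courier smtp server
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = courieresmtpd
+
+prefregex = ^%(__prefix_line)serror,relay=<HOST>,(?:port=\d+,)?<F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^[^:]*: 550 User (<.*> )?unknown\.?$
+^msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?(?: \S+)$
+
+ignoreregex =
+
+# Author: Cyril Jaquier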
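--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,20 @@
+# Fail2Ban filter for authentication failures on Cyrus imap server
+#
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = (?:cyrus/)?(?:imap(d|s)?|pop3(d|s)?)
+
+failregex = ^%(__prefix_line)sbadlogin: [^\[]*\[<HOST>\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$
+
+ignoreregex =
+
+# Author: Jan Wagner <waja@cyconet.org>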
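Review bot: `_daemon = (?:cyrus/)?(?:imap(d|s)?|pop3(d|s)?)` mixes non-capturing groups with two unnamed capturing groups `(d|s)`, and the failregex repeats the pattern with `(authentication failure|user not found)`. Fail2ban only consumes the named `host` group, so the captures are unused and only make the file inconsistent with itself and with the other filters in this commit. `_daemon = (?:cyrus/)?(?:imap(?:d|s)?|pop3(?:d|s)?)` and `(?:authentication failure|user not found)` keep the style uniform without changing what matches.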
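--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,22 @@
+# Fail2Ban configuration file for Directadmin
+#
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex = ^: \'<HOST>\' \d{1,3} failed login attempt(s)?. \s*
+
+ignoreregex =
+
+datepattern = ^%%Y:%%m:%%d-%%H:%%M:%%S
+
+#
+# Requires Directadmin v1.45.3 or higher. http://www.directadmin.com/features.php?id=1590
+#
+# Author: Cyril Roos
+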
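Review bot: The failregex `^: \'<HOST>\' \d{1,3} failed login attempt(s)?. \s*` leaves the `.` after `attempt(s)?` unescaped, so it matches any character, and the pattern has no end anchor, so whatever follows the space is accepted. Escaping the period and anchoring makes the match exact: `failregex = ^: '<HOST>' \d{1,3} failed login attempt(?:s)?\.\s*$`. The `\'` escapes are redundant in a Python regex and the capturing `(s)` is unused, so both are dropped in that line.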
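--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,50 @@
+# Fail2Ban configuration file for IBM Domino SMTP Server TASK to detect failed login attempts
+#
+# Author: Christian Brandlehner
+#
+# $Revision: 003 $
+#
+# Configuration:
+# Set the following Domino Server parameters in notes.ini:
+# console_log_enabled=1
+# log_sessions=2
+# You also have to use a date and time format supported by fail2ban. Recommended notes.ini configuration is:
+# DateOrder=DMY
+# DateSeparator=-
+# ClockType=24_Hour
+# TimeSeparator=:
+#
+# Depending on your locale you might have to tweak the date and time format so fail2ban can read the log
+
+#[INCLUDES]
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+#before = common.conf
+
+[Definition]
+# Option: failregex
+# Notes.: regex to match the password failure messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P<host>\S+)
+# Values: TEXT
+#
+# Sample log entries (used different time formats and an extra sample with process info in front of date)
+# 01-23-2009 19:54:51 SMTP Server: Authentication failed for user postmaster ; connecting host 1.2.3.4
+# [28325:00010-3735542592] 22-06-2014 09:56:12 smtp: postmaster [1.2.3.4] authentication failure using internet password
+# 08-09-2014 06:14:27 smtp: postmaster [1.2.3.4] authentication failure using internet password
+# 08-09-2014 06:14:27 SMTP Server: Authentication failed for user postmaster ; connecting host 1.2.3.4
+
+__prefix = (?:\[[^\]]+\])?\s*
+__opt_data = (?::|\s+\[[^\]]+\])
+failregex = ^%(__prefix)sSMTP Server%(__opt_data)s Authentication failed for user .*? \; connecting host \[?<HOST>\]?$
+^%(__prefix)ssmtp: (?:[^\[]+ )*\[?<HOST>\]? authentication failure using internet password\s*$
+^%(__prefix)sSMTP Server%(__opt_data)s Connection from \[?<HOST>\]? rejected for policy reasons\.
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+
+ignoreregex =
+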
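Review bot: The second failregex line `^%(__prefix)ssmtp: (?:[^\[]+ )*\[?<HOST>\]? authentication failure ...` repeats a group whose body `[^\[]+` can itself contain spaces, so on a near-miss line with many space-separated tokens before the bracket a backtracking engine tries every way of splitting those tokens between iterations, which grows exponentially with the token count; the user name in that position is chosen by the remote client, so this is a denial-of-service surface for the fail2ban process rather than just a slow regex. Excluding the space from the class removes the ambiguity without changing which lines match: `(?:[^\[ ]+ )*`. Less important, the third line ends at `rejected for policy reasons\.` without a `$`, unlike the other two.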
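--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,47 @@
+# Fail2Ban filter Dovecot authentication and pop3/imap server
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_auth_worker = (?:dovecot: )?auth(?:-worker)?
+_daemon = (?:dovecot(?:-auth)?|auth)
+
+prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_auth)s(?:\(dovecot:auth\))?: |(?:pop3|imap|managesieve|submission)-login: )?(?:Info: )?<F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
+^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
+^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\)|Permission denied)\s*$
+^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:unknown user|invalid credentials|Password mismatch)
+<mdre-<mode>>
+
+mdre-aggressive = ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \((?:no auth attempts|disconnected before auth was ready,|client didn't finish \S+ auth,)(?: (?:in|waited) \d+ secs)?\):(?: user=<[^>]*>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
+
+mdre-normal =
+
+# Parameter `mode` - `normal` or `aggressive`.
+# Aggressive mode can be used to match log-entries like:
+# 'no auth attempts', 'disconnected before auth was ready', 'client didn't finish SASL auth'.
+# Note it may produce lots of false positives on misconfigured MTAs.
+# Ex.:
+# filter = dovecot[mode=aggressive]
+mode = normal
+
+ignoreregex =
+
+journalmatch = _SYSTEMD_UNIT=dovecot.service
+
+datepattern = {^LN-BEG}TAI64N
+{^LN-BEG}
+
+# DEV Notes:
+# * the first regex is essentially a copy of pam-generic.conf
+# * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
+#
+# Author: Martin Waschbuesch
+# Daniel Black (rewrote with begin and end anchors)
+# Martin O'Neal (added LDAP authentication failure regex)
+# Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility)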
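Review bot: The prefix `^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)(?::(?: [^ \(]+)+)? \(` and the tail `(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$` are written out verbatim in both the second failregex line and `mdre-aggressive`, so a later adjustment to one is easy to miss in the other. Factoring them into definitions such as `_disconnect_pre` and `_disconnect_suf` and referencing `%(_disconnect_pre)s` in both places keeps them in step. The two lines also differ in one detail that looks unintended: the normal line tags the user as `user=<<F-USER>[^>]*</F-USER>>,` while the aggressive line has plain `user=<[^>]*>,`, so aggressive-mode matches do not expose the user name to actions.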
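--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,50 @@
+# Fail2Ban filter for dropbear
+#
+# NOTE: The regex below is ONLY intended to work with a patched
+# version of Dropbear as described here:
+# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
+# ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
+#
+# The standard Dropbear output doesn't provide enough information to
+# ban all types of attack. The Dropbear patch adds IP address
+# information to the 'exit before auth' message which is always
+# produced for any form of non-successful login. It is that message
+# which this file matches.
+#
+# More information: http://bugs.debian.org/546913
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = dropbear
+
+prefregex = ^%(__prefix_line)s<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$
+
+failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
+^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
+^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# The first two regexs here match the unmodified dropbear messages. It isn't
+# possible to match the source of the 'exit before auth' messages from dropbear
+# as they don't include the "from <HOST>" bit.
+#
+# The second last failregex line we need to match with the modified dropbear.
+#
+# For the second regex the following apply:
+#
+# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
+# http://svn.dd-wrt.com/changeset/16642#file64
+#
+# http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c
+#
+# Author: Francis Russell
+# Zak B. Elep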
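Review bot: The header comment no longer describes the failregex list: it says the regex `^%(__prefix_line)sexit before auth from <HOST>.*\s*$` is the one that needs the patched Dropbear, but none of the three failregex lines is that pattern, and the DEV note's "second last failregex line we need to match with the modified dropbear" points at the `[Bb]ad (PAM )?password` line, which the same note counts among the two that match unmodified dropbear. I would reword the header to say which of the three lines, if any, requires the patch, or drop the patch note if the `[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached` form is emitted by stock Dropbear, which I cannot confirm from the diff. The DEV notes should then refer to that line by its text rather than by position.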
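--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,26 @@
+# Fail2Ban filter to block repeated failed login attempts to Drupal site(s)
+#
+#
+# Drupal must be setup to use Syslog, which defaults to the following format:
+#
+# !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+
+[Definition]
+
+failregex = ^%(__prefix_line)s(https?:\/\/)([\da-z\.-]+)\.([a-z\.]{2,6})(\/[\w\.-]+)*\|\d{10}\|user\|<HOST>\|.+\|.+\|\d\|.*\|Login attempt failed for .+\.$
+
+ignoreregex =
+
+
+# DEV Notes:
+#
+# https://www.drupal.org/documentation/modules/syslog
+#
+# Author: Lee Clemens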
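Review bot: In the failregex the fields after `\|user\|<HOST>\|` are matched as `.+\|.+\|\d\|.*\|`; per the format quoted in the header those are `!request_uri` and `!referer`, both supplied by the remote client, and the adjacent unbounded `.+` groups give the engine many ways to split a long line before a near-miss fails. If those fields cannot contain `|` themselves, `[^|]+\|[^|]+\|\d\|[^|]*\|` matches the same lines in a single pass; if they can, a comment saying so would justify the current form. The four capturing groups around the base URL are never referenced and could be `(?:...)`.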
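--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,40 @@
+# Fail2Ban configuration file
+#
+# Author: Steven Hiscocks
+#
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Multiline regexs should use tag "<SKIPLINES>" to separate lines.
+# This allows lines between the matching lines to continue to be
+# searched for other failures. This tag can be used multiple times.
+# Values: TEXT
+#
+failregex = ^=INFO REPORT==== ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for \S+ from (?:IP )?<HOST>(?: \({{(?:\d+,){3}\d+},\d+}\))?$
+^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:\w+:\d+ \([^\)]+\) Failed (?:c2s \w+ )?authentication for \S+ from (?:IP )?(?:::FFFF:)?<HOST>(?:: |$)
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 2
+
+# Option: journalmatch
+# Notes.: systemd journalctl style match filter for journal based backend
+# Values: TEXT
+#
+journalmatch =
+
+#datepattern = ^(?:=[^=]+={3,} )?({DATE})
+# explicit time format using prefix =...==== and no date in second string begins with I(...)...
+datepattern = ^(?:=[^=]+={3,} )?(%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?)
+^I\(()**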
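--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,20 @@
+# Fail2Ban filter file for common exim expressions
+#
+# This is to be used by other exim filters
+
+[INCLUDES]
+
+# Load customizations if any available
+after = exim-common.local
+
+[Definition]
+
+host_info_pre = (?:H=([\w.-]+ )?(?:\(\S+\) )?)?
+host_info_suf = (?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?\s
+host_info = %(host_info_pre)s\[<HOST>\]%(host_info_suf)s
+pid = (?: \[\d+\])?
+
+# DEV Notes:
+# From exim source code: ./src/receive.c:add_host_info_for_log
+#
+# Author: Daniel Black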
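--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,50 @@
+# Fail2Ban filter for exim the spam rejection messages
+#
+# Honeypot traps are very useful for fighting spam. You just activate an email
+# address on your domain that you do not intend to use at all, and that normal
+# people do not risk to try for contacting you. It may be something that
+# spammers often test. You can also hide the address on a web page to be picked
+# by spam spiders. Or simply parse your mail logs for an invalid address
+# already being frequently targeted by spammers. Enable the address and
+# redirect it to the blackhole. In Exim's alias file, you would add the
+# following line (assuming the address is honeypot@yourdomain.com):
+#
+# honeypot: :blackhole:
+#
+# For the SA: Action: silently tossed message... to be logged exim's SAdevnull option needs to be used.
+#
+# To this filter use the jail.local should contain in the right jail:
+#
+# filter = exim-spam[honeypot=honeypot@yourdomain.com]
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# exim-common.local
+before = exim-common.conf
+
+[Definition]
+
+failregex = ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
+^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$
+^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$
+^%(pid)s \S+ SA: Action: flagged as Spam but accepted: score=\d+\.\d+ required=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=\S+ \[<HOST>\]\) for <honeypot>$
+^%(pid)s \S+ SA: Action: silently tossed message: score=\d+\.\d+ required=\d+\.\d+ trigger=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=(\S+ )?\[<HOST>\]\) for \S+$
+
+ignoreregex =
+
+[Init]
+
+# Option: honeypot
+# Notes.: honeypot is an email address that isn't published anywhere that a
+# legitimate email sender would send email too.
+# Values: email address
+
+honeypot = trap@example.com
+
+# DEV Notes:
+# The %(host_info) defination contains a <HOST> match
+#
+# Author: Cyril Jaquier
+# Daniel Black (rewrote with strong regexs)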
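Review bot: The `honeypot` parameter is substituted into the failregex as regex text (`... for <honeypot>$`), so with the default `trap@example.com` the `.` matches any character, and a value containing `+`, `(` or `[` would alter or break the pattern; the `# Option: honeypot` notes in `[Init]` do not say this. I would extend them with `# The value is inserted into failregex unescaped, so regex metacharacters` / `# in the address (e.g. '.', '+') must be backslash-escaped.` The DEV note's `defination` should read `definition`.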
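--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,54 @@
+# Fail2Ban filter for exim
+#
+# This includes the rejection messages of exim. For spam and filter
+# related bans use the exim-spam.conf
+#
+
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# exim-common.local
+before = exim-common.conf
+
+[Definition]
+
+# Fre-filter via "prefregex" is currently inactive because of too different failure syntax in exim-log (testing needed):
+#prefregex = ^%(pid)s <F-CONTENT>\b(?:\w+ authenticator failed|([\w\-]+ )?SMTP (?:(?:call|connection) from|protocol(?: synchronization)? error)|no MAIL in|(?:%(host_info_pre)s\[[^\]]+\]%(host_info_suf)s(?:sender verify fail|rejected RCPT|dropped|AUTH command))).+</F-CONTENT>$
+
+failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
+^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
+^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
+^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
+^%(pid)s SMTP call from (?:[^\[\( ]* )?%(host_info)sdropped: too many (?:nonmail commands|syntax or protocol errors) \(last (?:command )?was "[^"]*"\)\s*$
+^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH command used when not advertised\s*$
+^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
+^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
+<mdre-<mode>>
+
+mdre-aggressive = ^%(pid)s no host name found for IP address <HOST>$
+^%(pid)s no IP address found for host \S+ \(during SMTP connection from \[<HOST>\]\)$
+
+mdre-normal =
+
+# Parameter `mode` - `normal` or `aggressive`.
+# Aggressive mode can be used to match flood and ddos-similar log-entries like:
+# 'no host found for IP', 'no IP found for host'.
+# Note this is not an authentication failures, so it may produce lots of false
+# positives on misconfigured MTAs.
+# Ex.:
+# filter = exim[mode=aggressive]
+mode = normal
+
+ignoreregex =
+
+# DEV Notes:
+# The %(host_info) defination contains a <HOST> match
+#
+# SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy
+# to void capture beyond ")" to avoid a DoS Injection vulnerabilty as input= is
+# user injectable data.
+#
+# Author: Cyril Jaquier
+# Daniel Black (rewrote with strong regexs)
+# Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)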
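Review bot: The DEV note `# SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy` calls `[^)]*` non-greedy, but it is a negated character class; what keeps the match from running past the closing parenthesis into the client-supplied `input=` text is that the class cannot consume `)`, not greediness. I would reword it to `# ... uses a negated class [^)]* rather than .* so the match cannot run past ")"` so the next editor does not "fix" it by adding `?`. In the same block `defination` and `vulnerabilty` should be `definition` and `vulnerability`.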
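--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,58 @@
+# Fail2Ban configuration file
+#
+# Enable "log-auth-failures" on each Sofia profile to monitor
+# <param name="log-auth-failures" value="true"/>
+# -- this requires a high enough loglevel on your logs to save these messages.
+#
+# In the fail2ban jail.local file for this filter set ignoreip to the internal
+# IP addresses on your LAN.
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = freeswitch
+
+# Parameter "mode": normal, ddos or extra (default, combines all)
+# Usage example (for jail.local):
+# [freeswitch]
+# mode = normal
+# # or with rewrite filter parameters of jail:
+# [freeswitch-ddos]
+# filter = freeswitch[mode=ddos]
+#
+mode = extra
+
+# Prefix contains common prefix line (server, daemon, etc.) and 2 datetimes if used systemd backend
+_pref_line = ^%(__prefix_line)s(?:(?:\d+-)?\d+-\d+ \d+:\d+:\d+\.\d+)?
+
+prefregex = ^%(_pref_line)s \[WARN(?:ING)?\](?: \[SOFIA\])? \[?sofia_reg\.c:\d+\]? <F-CONTENT>.+</F-CONTENT>$
+
+cmnfailre = ^Can't find user \[[^@]+@[^\]]+\] from <HOST>$
+
+mdre-normal = %(cmnfailre)s
+^SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
+
+mdre-ddos = ^SIP auth (?:failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
+
+mdre-extra = %(cmnfailre)s
+<mdre-ddos>
+
+failregex = <mdre-<mode>>
+
+ignoreregex =
+
+datepattern = ^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?
+{^LN-BEG}
+
+# Author: Rupa SChomaker, soapee01, Daniel Black, Sergey Brester aka sebres
+# https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban
+# Thanks to Jim on mailing list of samples and guidance
+#
+# No need to match the following. Its a duplicate of the SIP auth regex.
+# ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$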
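Review bot: `_pref_line` already starts with `^`, and `prefregex = ^%(_pref_line)s ...` prepends a second one, so the expanded prefregex begins with `^^`; Python's engine tolerates the double anchor, but it reads as if one of the two were meant to match something. Dropping the anchor from the definition, `_pref_line = %(__prefix_line)s(?:(?:\d+-)?\d+-\d+ \d+:\d+:\d+\.\d+)?`, leaves `prefregex` as the single place that anchors. The `\'` escapes in `mdre-normal` and `mdre-ddos` and the capturing `(REGISTER|INVITE)` groups are likewise redundant.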
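--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,40 @@
+# Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s)
+#
+# Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages
+# <syslog prefix> Froxlor: [Login Action <HOST>] Unknown user '<USER>' tried to login.
+# <syslog prefix> Froxlor: [Login Action <HOST>] User '<USER>' tried to login with wrong password.
+#
+# Author: Joern Muehlencord
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = Froxlor
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values: TEXT
+#
+
+prefregex = ^%(__prefix_line)s\[Login Action <HOST>\] <F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^Unknown user \S* tried to login.$
+^User \S* tried to login with wrong password.$
+
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
+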
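Review bot: Both failregex lines end with an unescaped `.` before `$` (`tried to login.$`, `wrong password.$`), so they accept any trailing character rather than the period shown in the header's sample messages. `failregex = ^Unknown user \S* tried to login\.$` and `^User \S* tried to login with wrong password\.$` pin the literal; wrapping the name as `<F-USER>\S*</F-USER>` would additionally expose it to actions, as the gitlab and dovecot filters in this commit do. The header's `Frolor` is presumably `Froxlor`.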
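--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,6 @@
+# Fail2Ban filter for Gitlab
+# Detecting unauthorized access to the Gitlab Web portal
+# typically logged in /var/log/gitlab/gitlab-rails/application.log
+
+[Definition]
+failregex = ^: Failed Login: username=<F-USER>.+</F-USER> ip=<HOST>$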
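--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,9 @@
+# Fail2Ban filter for Grafana
+# Detecting unauthorized access
+# Typically logged in /var/log/grafana/grafana.log
+
+[Init]
+datepattern = ^t=%%Y-%%m-%%dT%%H:%%M:%%S%%z
+
+[Definition]
+failregex = ^(?: lvl=err?or)? msg="Invalid username or password"(?: uname=(?:"<F-ALT_USER>[^"]+</F-ALT_USER>"|<F-USER>\S+</F-USER>)| error="<F-ERROR>[^"]+</F-ERROR>"| \S+=(?:\S*|"[^"]+"))* remote_addr=<ADDR>$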
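--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,14 @@
+# Fail2Ban filter for Group-Office
+#
+# Enable logging with:
+# $config['info_log']='/home/groupoffice/log/info.log';
+#
+
+[Definition]
+
+failregex = ^\[\]LOGIN FAILED for user: "\S+" from IP: <HOST>$
+
+ignoreregex =
+
+# Author: Daniel Black
+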
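Review bot: `"\S+"` in the failregex stops matching as soon as the quoted user name contains whitespace, so if Group-Office permits such names those failed attempts are never counted; I cannot tell from the diff whether it does. `"[^"]+"` matches any quoted name, and `"<F-USER>[^"]+</F-USER>"` also exposes it to actions as the gitlab and dovecot filters in this commit do.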
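--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,18 @@
+# Fail2Ban filter file for gssftp
+#
+# Note: gssftp is part of the krb5-appl-servers in Fedora
+#
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = ftpd
+
+failregex = ^%(__prefix_line)srepeated login failures from <HOST> \(\S+\)$
+
+ignoreregex =
+
+# Author: Kevin Zembower
+# Edited: Daniel Black - syslog based daemon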
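--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,51 @@
+# Fail2Ban configuration file for guacamole
+#
+# Author: Steven Hiscocks
+#
+
+[Definition]
+
+logging = catalina
+failregex = <L_<logging>/failregex>
+maxlines = <L_<logging>/maxlines>
+datepattern = <L_<logging>/datepattern>
+
+[L_catalina]
+
+failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
+
+maxlines = 2
+
+datepattern = ^%%b %%d, %%ExY %%I:%%M:%%S %%p
+^WARNING:()**
+{^LN-BEG}
+
+[L_webapp]
+
+failregex = ^ \[\S+\] WARN \S+ - Authentication attempt from <HOST> for user "<F-USER>[^"]+</F-USER>" failed.
+
+maxlines = 1
+
+datepattern = ^%%H:%%M:%%S.%%f
+
+# DEV Notes:
+#
+# failregex is based on the default pattern given in Guacamole documentation :
+# https://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging
+#
+# The following logback.xml Guacamole configuration file can then be used accordingly :
+# <configuration>
+# <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
+# <file>/var/log/guacamole.log</file>
+# <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+# <fileNamePattern>/var/log/guacamole.%d.log.gz</fileNamePattern>
+# <maxHistory>32</maxHistory>
+# </rollingPolicy>
+# <encoder>
+# <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
+# </encoder>
+# </appender>
+# <root level="info">
+# <appender-ref ref="FILE" />
+# </root>
+# </configuration>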
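Review bot: The `[L_webapp]` failregex ends with an unescaped `failed.` and no `$`, while the `[L_catalina]` line above ends with `failed\.$`; the two variants should terminate the same way so the webapp form cannot match a longer message that merely starts like this one: `failregex = ^ \[\S+\] WARN \S+ - Authentication attempt from <HOST> for user "<F-USER>[^"]+</F-USER>" failed\.$`. The `[L_webapp]` datepattern `^%%H:%%M:%%S.%%f` has the same unescaped `.` between seconds and fraction, where the logback pattern quoted in the DEV notes writes a literal `.`.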
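--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,37 @@
+# Fail2Ban filter configuration file to match failed login attempts to
+# HAProxy HTTP Authentication protected servers.
+#
+# PLEASE NOTE - When a user first hits the HTTP Auth a 401 is returned by the server
+# which prompts their browser to ask for login details.
+# This initial 401 is logged by HAProxy.
+# In other words, even successful logins will have at least 1 fail regex match.
+# Please keep this in mind when setting findtime and maxretry for jails.
+#
+# Author: Jordan Moeser
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = haproxy
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = ^%(__prefix_line)s<HOST>(?::\d+)?\s+.*<NOSRV> -1/-1/-1/-1/\+*\d* 401
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =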
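--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,16 @@
+# fail2ban filter configuration for horde
+
+
+[Definition]
+
+
+failregex = ^ HORDE \[error\] \[(horde|imp)\] FAILED LOGIN for \S+ \[<HOST>\](\(forwarded for \[\S+\]\))? to (Horde|{[^}]+}) \[(pid \d+ )?on line \d+ of \S+\]$
+
+
+ignoreregex =
+
+# DEV NOTES:
+# https://github.com/horde/horde/blob/master/imp/lib/Auth.php#L132
+# https://github.com/horde/horde/blob/master/horde/login.php
+#
+# Author: Daniel Black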
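--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,24 @@
+# Fail2ban filter for kerio
+
+[Definition]
+
+failregex = ^ SMTP Spam attack detected from <HOST>,
+^ IP address <HOST> found in DNS blacklist
+^ Relay attempt from IP address <HOST>
+^ Attempt to deliver to unknown recipient \S+, from \S+, IP address <HOST>$
+^ Failed SMTP login from <HOST>
+^ SMTP: User \S+ doesn't exist. Attempt from IP address <HOST>
+^ Client with IP address <HOST> has no reverse DNS entry, connection rejected before SMTP greeting$
+^ Administration login into Web Administration from <HOST> failed: IP address not allowed$
+^ Message from IP address <HOST>, sender \S+ rejected: sender domain does not exist$
+
+ignoreregex =
+
+datepattern = ^\[%%d/%%b/%%Y %%H:%%M:%%S\]
+
+# DEV NOTES:
+#
+# Author: A.P. Lawrence
+# Updated by: M. Bischoff <https://github.com/herrbischoff>
+#
+# Based off: http://aplawrence.com/Kerio/fail2ban.html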
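Review bot: `^ SMTP: User \S+ doesn't exist. Attempt from IP address <HOST>` has an unescaped `.` after `exist`, so it matches any character there; `doesn't exist\. Attempt` is what the message contains. Five of the nine lines (`Spam attack detected from <HOST>,`, `found in DNS blacklist`, `Relay attempt from IP address <HOST>`, `Failed SMTP login from <HOST>` and the `doesn't exist` line) are left open-ended while the other four end in `$`; if those messages really end where the pattern stops, adding `$` keeps the file uniform, and if they carry variable trailing text a short comment under `# DEV NOTES:` saying so would explain the asymmetry.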
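--- /dev/null
+++ b/PATH_NOT_SHOWN
@@ -0,0 +1,10 @@
+# Fail2Ban filter to match wrong passwords as notified by lighttpd's auth Module
+#
+
+[Definition]
+
+failregex = ^: \((?:http|mod)_auth\.c\.\d+\) (?:password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: <HOST>\s*$
+
+ignoreregex =
+
+# Author: Francois Boulogne <fboulogne@april.org>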
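--- a/PATH-NOT-ON-PAGE/mongodb-auth
+++ b/PATH-NOT-ON-PAGE/mongodb-auth
@@ -0,0 +1,49 @@
+# Fail2Ban filter for unsuccesfull MongoDB authentication attempts
+#
+# Logfile /var/log/mongodb/mongodb.log
+#
+# add setting in /etc/mongodb.conf
+# logpath=/var/log/mongodb/mongodb.log
+#
+# and use of the authentication
+# auth = true
+#
+
+[Definition]
+#failregex = ^\s+\[initandlisten\] connection accepted from <HOST>:\d+ \#(?P<__connid>\d+) \(1 connection now open\)<SKIPLINES>\s+\[conn(?P=__connid)\] Failed to authenticate\s+
+failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]+<SKIPLINES>\s+\[conn(?P=__connid)\] end connection <HOST>
+
+ignoreregex =
+
+
+[Init]
+maxlines = 10
+
+# DEV Notes:
+#
+# Regarding the multiline regex:
+#
+# There can be a nunber of non-related lines between the first and second part
+# of this regex maxlines of 10 is quite generious.
+#
+# Note the capture __connid, includes the connection ID, used in second part of regex.
+#
+# The first regex is commented out (but will match also), because it is better to use
+# the host from "end connection" line (uncommented above):
+# - it has the same prefix, searching begins directly with failure message
+# (so faster, because ignores success connections at all)
+# - it is not so vulnerable in case of possible race condition
+#
+# Log example:
+# 2016-10-20T09:54:27.108+0200 [initandlisten] connection accepted from 127.0.0.1:53276 #1 (1 connection now open)
+# 2016-10-20T09:54:27.109+0200 [conn1] authenticate db: test { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
+# 2016-10-20T09:54:27.110+0200 [conn1] Failed to authenticate root@test with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@test
+# 2016-11-09T09:54:27.894+0100 [conn1] end connection 127.0.0.1:53276 (0 connections now open)
+# 2016-11-09T11:55:58.890+0100 [initandlisten] connection accepted from 127.0.0.1:54266 #1510 (1 connection now open)
+# 2016-11-09T11:55:58.892+0100 [conn1510] authenticate db: admin { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
+# 2016-11-09T11:55:58.892+0100 [conn1510] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch
+# 2016-11-09T11:55:58.894+0100 [conn1510] end connection 127.0.0.1:54266 (0 connections now open)
+#
+# Authors: Alexander Finkhäuser
+# Sergey G. Brester (sebres)
+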
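Review bot: The `^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate` prefix and the sample lines follow the MongoDB 2.x log layout; as far as I recall, 3.0+ inserts a severity and component (`I ACCESS [conn1] ...`) before the `[connN]` tag and 4.4+ emits JSON, so on a current server this filter would never fire — please state the supported version in the header or verify with `fail2ban-regex` against the deployed log. A match is also only produced on the `end connection` line, so a client that keeps one connection open and fails repeatedly is counted when it disconnects; whether each `Failed to authenticate` on that connection yields its own match depends on the multi-line buffer handling and deserves a test case next to the log example.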
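--- a/PATH-NOT-ON-PAGE/monit
+++ b/PATH-NOT-ON-PAGE/monit
@@ -0,0 +1,25 @@
+# Fail2Ban filter for monit.conf, looks for failed access attempts
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+# [DEFAULT]
+# logtype = short
+
+[Definition]
+
+_daemon = monit
+
+_prefix = Warning|HttpRequest
+
+# Regexp for previous (accessing monit httpd) and new (access denied) versions
+failregex = ^%(__prefix_line)s(?:error\s*:\s+)?(?:%(_prefix)s):\s+(?:access denied\s+--\s+)?[Cc]lient '?<HOST>'?(?:\s+supplied|\s*:)\s+(?:unknown user '<F-ALT_USER>[^']+</F-ALT_USER>'|wrong password for user '<F-USER>[^']*</F-USER>'|empty password)
+
+# Ignore login with empty user (first connect, no user specified)
+# ignoreregex = %(__prefix_line)s\w+: access denied -- client <HOST>: (?:unknown user '')
+ignoreregex =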
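--- a/PATH-NOT-ON-PAGE/murmur
+++ b/PATH-NOT-ON-PAGE/murmur
@@ -0,0 +1,34 @@
+# Fail2Ban filter for murmur/mumble-server
+#
+
+[Definition]
+
+_daemon = murmurd
+
+# N.B. If you allow users to have usernames that include the '>' character you
+# should change this to match the regex assigned to the 'username'
+# variable in your server config file (murmur.ini / mumble-server.ini).
+_usernameregex = [^>]+
+
+# Prefix for systemd-journal (with second date-pattern as optional match):
+#
+__prefix_journal = (?:\S+\s+%(_daemon)s\[\d+\]:(?:\s+\<W\>[\d\-]+ [\d:]+.\d+)?)
+
+__prefix_line = %(__prefix_journal)s?
+
+_prefix = %(__prefix_line)s\s+\d+ => <\d+:%(_usernameregex)s\(-1\)> Rejected connection from <HOST>:\d+:
+
+prefregex = ^%(_prefix)s <F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^Invalid server password$
+^Wrong certificate or password for existing user$
+
+ignoreregex =
+
+datepattern = ^<W>{DATE}
+
+journalmatch = _SYSTEMD_UNIT=murmurd.service + _COMM=murmurd
+
+# DEV Notes:
+#
+# Author: Ross Brown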
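Review bot: In `__prefix_journal` the `.` in `[\d:]+.\d+` is unescaped, so it matches any single character instead of the literal dot of the fractional-seconds timestamp; `[\d:]+\.\d+` looks like what was intended. It is harmless today because the whole `(?:\s+\<W\>...)?` group is optional, but an unescaped dot in a prefix is the kind of slack that masks a real mismatch later.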
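--- a/PATH-NOT-ON-PAGE/mysqld-auth
+++ b/PATH-NOT-ON-PAGE/mysqld-auth
@@ -0,0 +1,32 @@
+# Fail2Ban filter for unsuccesful MySQL authentication attempts
+#
+#
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]:
+# log-error=/var/log/mysqld.log
+# log-warnings = 2
+#
+# If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = mysqld
+
+failregex = ^%(__prefix_line)s(?:(?:\d{6}|\d{4}-\d{2}-\d{2})[ T]\s?\d{1,2}:\d{2}:\d{2} )?(?:\d+ )?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '<F-USER>[^']+</F-USER>'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Technically __prefix_line can equate to an empty string hence it can support
+# syslog and non-syslog at once.
+# Example:
+# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
+#
+# Authors: Artur Penttinen
+# Yaroslav O. Halchenko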
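Review bot: The setup note `# log-warnings = 2` is, I believe, only correct for older MySQL and for MariaDB; MySQL 5.7+ replaced it with `log_error_verbosity`, and without the higher verbosity no `Access denied` lines are written, so the filter silently never fires — please confirm against the target server version and extend the comment, e.g. `# MySQL 5.7+: log_error_verbosity=2 (or 3); MariaDB/older MySQL: log-warnings = 2`. The failregex already accepts both the `130322 11:26:54` and the ISO `YYYY-MM-DDTHH:MM:SS` timestamp layouts, so no regex change is needed.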
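--- a/PATH-NOT-ON-PAGE/nagios-nrpe
+++ b/PATH-NOT-ON-PAGE/nagios-nrpe
@@ -0,0 +1,17 @@
+# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2)
+# Detecting unauthorized access to the nrpe2 daemon
+# typically logged in /var/log/messages syslog
+#
+
+[INCLUDES]
+# Read syslog common prefixes
+before = common.conf
+
+[Definition]
+_daemon = nrpe
+failregex = ^%(__prefix_line)sHost <HOST> is not allowed to talk to us!\s*$
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Ivo Truxa - 2014/02/03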
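--- a/PATH-NOT-ON-PAGE/named-bind9
+++ b/PATH-NOT-ON-PAGE/named-bind9
@@ -0,0 +1,50 @@
+# Fail2Ban filter file for named (bind9).
+#
+
+# This filter blocks attacks against named (bind9) however it requires special
+# configuration on bind.
+#
+# By default, logging is off with bind9 installation.
+#
+# You will need something like this in your named.conf to provide proper logging.
+#
+# logging {
+# channel security_file {
+# file "/var/log/named/security.log" versions 3 size 30m;
+# severity dynamic;
+# print-time yes;
+# };
+# category security {
+# security_file;
+# };
+# };
+
+[Definition]
+
+# Daemon name
+_daemon=named
+
+# Shortcuts for easier comprehension of the failregex
+
+__pid_re=(?:\[\d+\])
+__daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:?
+__daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:)
+
+# hostname daemon_id spaces
+# this can be optional (for instance if we match named native log files)
+__line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)?
+
+prefregex = ^%(__line_prefix)s(?: error:)?\s*client(?: @\S*)? <HOST>#\S+(?: \([\S.]+\))?: <F-CONTENT>.+</F-CONTENT>\s(?:denied|\(NOTAUTH\))\s*$
+
+failregex = ^(?:view (?:internal|external): )?query(?: \(cache\))?
+^zone transfer
+^bad zone transfer request: '\S+/IN': non-authoritative zone
+
+ignoreregex =
+
+# DEV Notes:
+# Trying to generalize the
+# structure which is general to capture general patterns in log
+# lines to cover different configurations/distributions
+#
+# Author: Yaroslav Halchenko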
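Review bot: The first failregex line hard-codes the view names in `^(?:view (?:internal|external): )?query(?: \(cache\))?`, so on a server whose views are named anything else the denied-query lines are silently ignored (prefregex still matches, the content never does). If the restriction is deliberate it deserves a comment; otherwise `^(?:view [^:]+: )?query(?: \(cache\))?` should cover any view name, assuming view names never contain a colon (verify against BIND's naming rules). A comment that `query ... denied` also fires for legitimate clients rejected by `allow-query`/`allow-recursion` ACLs would help operators pick a sensible `maxretry` for this jail.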
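--- a/PATH-NOT-ON-PAGE/nginx-botsearch
+++ b/PATH-NOT-ON-PAGE/nginx-botsearch
@@ -0,0 +1,23 @@
+# Fail2Ban filter to match web requests for selected URLs that don't exist
+#
+
+[INCLUDES]
+
+# Load regexes for filtering
+before = botsearch-common.conf
+
+[Definition]
+
+failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
+^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request: \"(GET|POST|HEAD) \/<block> \S+\"\, .*?$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
+^[^\[]*\[({DATE})
+{^LN-BEG}
+
+# DEV Notes:
+# Based on apache-botsearch filter
+#
+# Author: Frantisek Sumsal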
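Review bot: `<block>` appears in both failregex lines but is defined nowhere in this file; it comes from `botsearch-common.conf` pulled in through `before`, and a reader has to know that to make sense of the patterns. A one-line comment above failregex such as `# <block> is the list of probed URLs defined in botsearch-common.conf` would document it. The access-log pattern also accepts only `GET|POST|HEAD`, so 404s produced with other methods are not counted; if that is intentional it is worth saying in the same comment.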
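--- a/PATH-NOT-ON-PAGE/nginx-http-auth
+++ b/PATH-NOT-ON-PAGE/nginx-http-auth
@@ -0,0 +1,17 @@
+# fail2ban filter configuration for nginx
+
+
+[Definition]
+
+
+failregex = ^ \[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}
+
+# DEV NOTES:
+# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
+# Extensive search of all nginx auth failures not done yet.
+#
+# Author: Daniel Black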
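--- a/PATH-NOT-ON-PAGE/nginx-limit-req
+++ b/PATH-NOT-ON-PAGE/nginx-limit-req
@@ -0,0 +1,46 @@
+# Fail2ban filter configuration for nginx :: limit_req
+# used to ban hosts, that were failed through nginx by limit request processing rate
+#
+# Author: Serg G. Brester (sebres)
+#
+# To use 'nginx-limit-req' filter you should have `ngx_http_limit_req_module`
+# and define `limit_req` and `limit_req_zone` as described in nginx documentation
+# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
+#
+# Example:
+#
+# http {
+# ...
+# limit_req_zone $binary_remote_addr zone=lr_zone:10m rate=1r/s;
+# ...
+# # http, server, or location:
+# location ... {
+# limit_req zone=lr_zone burst=1 nodelay;
+# ...
+# }
+# ...
+# }
+# ...
+#
+
+[Definition]
+
+# Specify following expression to define exact zones, if you want to ban IPs limited
+# from specified zones only.
+# Example:
+#
+# ngx_limit_req_zones = lr_zone|lr_zone2
+#
+ngx_limit_req_zones = [^"]+
+
+# Use following full expression if you should range limit request to specified
+# servers, requests, referrers etc. only :
+#
+# failregex = ^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$
+
+# Shortly, much faster and stable version of regexp:
+failregex = ^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>,
+
+ignoreregex =
+
+datepattern = {^LN-BEG}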
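--- a/PATH-NOT-ON-PAGE/nsd
+++ b/PATH-NOT-ON-PAGE/nsd
@@ -0,0 +1,31 @@
+# Fail2Ban configuration file
+#
+# Author: Bas van den Dikkenberg
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = nsd
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values: TEXT
+
+failregex = ^%(__prefix_line)sinfo: ratelimit block .* query <HOST> TYPE255$
+^%(__prefix_line)sinfo: .* <HOST> refused, no acl matches\.$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}Epoch
+{^LN-BEG}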
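Review bot: The first failregex only counts rate-limit blocks whose line ends in ` TYPE255` (ANY queries); NSD `ratelimit block` lines for every other query type never match, so a source being rate-limited on A or TXT lookups is not counted at all. If that narrowing is intended it should be stated in a comment; otherwise `query <HOST> TYPE\d+$` widens it (verify the exact wording against the NSD version in use). The `# Option: failregex` / `# Notes.:` block is generic template boilerplate about "password failures" that does not describe this DNS filter; replacing it with one sample `ratelimit block` and one `refused, no acl matches` log line would be more useful.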
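--- a/PATH-NOT-ON-PAGE/openhab
+++ b/PATH-NOT-ON-PAGE/openhab
@@ -0,0 +1,15 @@
+# Openhab brute force auth filter: /etc/fail2ban/filter.d/openhab.conf:
+#
+# Block IPs trying to auth openhab by web or rest api
+#
+# Matches e.g.
+# 12.34.33.22 - - [26/sept./2015:18:04:43 +0200] "GET /openhab.app HTTP/1.1" 401 1382
+# 175.18.15.10 - - [02/sept./2015:00:11:31 +0200] "GET /rest/bindings HTTP/1.1" 401 1384
+
+[Definition]
+failregex = ^<HOST>\s+-\s+-\s+\[\]\s+"[A-Z]+ .*" 401 \d+\s*$
+
+datepattern = %%d/%%b[^/]*/%%Y:%%H:%%M:%%S %%z
+
+
+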
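Review bot: The failregex counts every `401` regardless of path, and with HTTP Basic authentication a well-behaved client's first request is answered with 401 before it sends credentials, so each legitimate session contributes at least one hit; that should be stated in the header so `maxretry` is tuned for it (hedged: it depends on how openHAB's authentication is configured). `ignoreregex` is not declared in this section at all — fail2ban tolerates the omission, but every other filter in this commit declares `ignoreregex =` explicitly, so adding it keeps the files consistent. A short comment on why `datepattern` uses `%%b[^/]*` (the locale-specific `sept.` in the samples) would also save the next reader a puzzle.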
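--- a/PATH-NOT-ON-PAGE/openwebmail
+++ b/PATH-NOT-ON-PAGE/openwebmail
@@ -0,0 +1,15 @@
+# Fail2Ban filter for Openwebmail
+# banning hosts with authentication errors in /var/log/openwebmail.log
+# OpenWebMail http://openwebmail.org
+#
+
+[Definition]
+
+failregex = ^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - login error - (no such user - loginname=(?P=USER)|auth_unix.pl, ret -4, Password incorrect)$
+^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - userinfo error - auth_unix.pl, ret -4, User (?P=USER) doesn't exist$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Author: Ivo Truxa (c) 2013 truXoft.com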
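--- a/PATH-NOT-ON-PAGE/oracleims
+++ b/PATH-NOT-ON-PAGE/oracleims
@@ -0,0 +1,63 @@
+# Fail2Ban configuration file
+# for Oracle IMS with XML logging
+#
+# Author: Joel Snyder/jms@opus1.com/2014-June-01
+#
+#
+
+
+[INCLUDES]
+
+# Read common prefixes.
+# If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages
+# in the logfile. The host must be matched by a
+# group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is
+# only an alias for
+# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values: TEXT
+#
+#
+# CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6 and ABOVE:
+#
+# In OPTION.DAT you must have LOG_FORMAT=4 and
+# bit 5 of LOG_CONNECTION must be set.
+#
+# Many of these sub-fields are optional and can be turned on and off
+# by the system manager. We need the "tr" field
+# (transport information (present if bit 5 of LOG_CONNECTION is
+# set and transport information is available)).
+# "di" should be there by default if you have LOG_FORMAT=4.
+# Do not use "mi" as this is not included by default.
+#
+# Typical line IF YOU ARE USING TAGGING ! ! ! is:
+# <co ts="2014-06-02T09:45:50.29" pi="123f.3f8.4397"
+# sc="tcp_local" dr="+" ac="U"
+# tr="TCP|192.245.12.223|25|151.1.71.144|59762" ap="SMTP"
+# mi="Bad password"
+# us="01ko8hqnoif09qx0np@imap.opus1.com"
+# di="535 5.7.8 Bad username or password (Authentication failed)."/>
+# Format is generally documented in the PORT_ACCESS mapping
+# at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html
+#
+# All that would be on one line.
+# Note that you MUST have LOG_FORMAT=4 for this to work!
+#
+
+failregex = tr="[A-Z]+\|[0-9.]+\|\d+\|<HOST>\|\d+" ap="[^"]*" mi="Bad password" us="[^"]*" di="535 5.7.8 Bad username or password( \(Authentication failed\))?\."/>$
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
+
+datepattern = ^<co ts="{DATE}"\s+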
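Review bot: The header says `# Do not use "mi" as this is not included by default.`, yet the failregex requires `mi="Bad password"` between `ap=` and `us=`, so on a default configuration without the `mi` tag the pattern can never match; the comment and the regex contradict each other. Either the note is stale or the field should be optional, e.g. `failregex = tr="[A-Z]+\|[0-9.]+\|\d+\|<HOST>\|\d+" ap="[^"]*" (?:mi="[^"]*" )?us="[^"]*" di="535 5.7.8 Bad username or password( \(Authentication failed\))?\."/>$` — the `di="535 5.7.8 ..."` field already identifies the failure on its own. Whichever is right for IMS, the two should agree and the sample line should reflect the default tag set.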
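--- a/PATH-NOT-ON-PAGE/pam-generic
+++ b/PATH-NOT-ON-PAGE/pam-generic
@@ -0,0 +1,33 @@
+# Fail2Ban configuration file for generic PAM authentication errors
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+# if you want to catch only login errors from specific daemons, use something like
+#_ttys_re=(?:ssh|pure-ftpd|ftp)
+#
+# Default: catch all failed logins
+_ttys_re=\S*
+
+__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
+_daemon = \S+
+
+prefregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure;(?:\s+(?:(?:logname|e?uid)=\S*)){0,3} tty=%(_ttys_re)s <F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^ruser=<F-ALT_USER>(?:\S*|.*?)</F-ALT_USER> rhost=<HOST>(?:\s+user=<F-USER>(?:\S*|.*?)</F-USER>)?\s*$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}
+
+# DEV Notes:
+#
+# for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release)
+# _daemon = \S*\(?pam_unix\)?
+# failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+#
+# Author: Yaroslav Halchenko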
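Review bot: Both user fields in the failregex use `(?:\S*|.*?)`, which lets a client-supplied `ruser`/`user` value contain spaces; together with the optional `(?:\s+user=...)?` group and the `\s*$` anchor, a value that embeds its own `rhost=`/`user=` text could in principle satisfy the pattern at the embedded `rhost=` instead of the real one. The roundcube filter in this same commit spells out exactly this concern under "DoS resistance" and asks for test cases; the same belongs here. Please add `fail2ban-regex` cases showing `<HOST>` is always taken from the final `rhost=` field, or restrict `<F-USER>` to `\S*` where the daemons in use never log names with spaces. `_daemon = \S+` makes the prefix accept any syslog program name, which is presumably the point of a generic filter but deserves a one-line comment.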
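--- a/PATH-NOT-ON-PAGE/perdition
+++ b/PATH-NOT-ON-PAGE/perdition
@@ -0,0 +1,18 @@
+# Fail2Ban filter for perdition
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon=perdition.\S+
+
+failregex = ^%(__prefix_line)sAuth: <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$
+^%(__prefix_line)sFatal Error reading authentication information from client <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$
+
+ignoreregex =
+
+# Author: Christophe Carles and Daniel Black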
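Review bot: Both failregex lines pin the server-side address after `->` to an IPv4 dotted quad, `(\d{1,3}\.){3}\d{1,3}`, so on a perdition instance listening on IPv6 neither the `Auth:` nor the `Fatal Error` line is ever matched, even though `<HOST>` itself accepts both families. If IPv6 listeners are in scope, something like `->\S+?:\d+` (or the `<ADDR>` tag, if the fail2ban version in use supports it — verify) would cover them; otherwise a comment stating the IPv4-only assumption would stop someone debugging a silent non-match.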
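--- a/PATH-NOT-ON-PAGE/php-url-fopen
+++ b/PATH-NOT-ON-PAGE/php-url-fopen
@@ -0,0 +1,23 @@
+# Fail2Ban filter for URLs with a URL as a script parameters
+# which can be an indication of a fopen url php injection
+#
+# Example of web requests in Apache access log:
+# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
+
+[Definition]
+
+failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# Version 2
+# fixes the failregex so REFERERS that contain =http:// don't get blocked
+# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
+# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
+#
+# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
+
+datepattern = ^[^\[]*\[({DATE})
+{^LN-BEG}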
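Review bot: The failregex fires on `=http://` anywhere in the request line regardless of the response status — the sample line itself is a `200` — so any application that legitimately carries a URL in a query parameter (return/redirect URLs, link previewers, OAuth flows) will have its own users banned. If that trade-off is accepted it must be warned about in the header; otherwise anchoring on an error status after the request line (e.g. `" [45]\d\d ` before the trailing `.*$`) is the usual mitigation. Only the `http://` scheme is recognised, so the `https://` form of the same parameter is not counted; `\=https?\:\/\/` covers both. The "Version 2" referer fix relies on ` HTTP\/` having to follow the match, which is worth stating explicitly since it is not obvious from the pattern.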
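--- a/PATH-NOT-ON-PAGE/phpmyadmin-syslog
+++ b/PATH-NOT-ON-PAGE/phpmyadmin-syslog
@@ -0,0 +1,18 @@
+# Fail2Ban filter for the phpMyAdmin-syslog
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = phpMyAdmin
+
+failregex = ^%(__prefix_line)suser denied: (?:\S+|.*?) \(mysql-denied\) from <HOST>\s*$
+
+ignoreregex =
+
+
+# Author: Pavel Mihadyuk
+# Regex fixes: Serg G. Brester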
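--- a/PATH-NOT-ON-PAGE/counter-strike
+++ b/PATH-NOT-ON-PAGE/counter-strike
@@ -0,0 +1,15 @@
+# Fail2Ban filter for failure attempts in Counter Strike-1.6
+#
+#
+
+[Definition]
+
+failregex = \/<HOST> Port\: [0-9]+ (TCP|UDP) Blocked$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}Epoch
+{^LN-BEG}
+
+# Author: Pacop <pacoparu@gmail.com>
+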
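Review bot: The header comment `# Fail2Ban filter for failure attempts in Counter Strike-1.6` does not describe this filter: the only failregex, `\/<HOST> Port\: [0-9]+ (TCP|UDP) Blocked$`, matches a `Port: N TCP/UDP Blocked` line, which looks like portsentry's block message, and nothing in the section relates to a game server (the file path is not visible here, so this is inferred from the pattern). Suggest replacing it with something like `# Fail2Ban filter for connections blocked by portsentry` once confirmed, and adding one sample log line so the unanchored leading `\/` can be checked against real output.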
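--- a/PATH-NOT-ON-PAGE/postfix
+++ b/PATH-NOT-ON-PAGE/postfix
@@ -0,0 +1,80 @@
+# Fail2Ban filter for selected Postfix SMTP rejections
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
+_port = (?::\d+)?
+
+prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$
+
+mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)
+mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
+^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
+^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b
+^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.\d+ (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
+^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
+^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.\d+ (<[^>]*>)?: Sender address rejected: Domain not found\b
+^from [^[]*\[<HOST>\]%(_port)s:?
+
+mdpr-auth = warning:
+mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
+mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
+# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).
+
+# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
+mdpr-rbl = %(mdpr-normal)s
+mdre-rbl = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
+
+# Mode "rbl" currently included in mode "normal" (within 1st rule)
+mdpr-more = %(mdpr-normal)s
+mdre-more = %(mdre-normal)s
+
+mdpr-ddos = (?:lost connection after(?! DATA) [A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+)))
+mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?
+
+mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
+mdre-extra = %(mdre-auth)s
+%(mdre-normal)s
+
+mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
+mdre-aggressive = %(mdre-auth2)s
+%(mdre-normal)s
+
+mdpr-errors = too many errors after \S+
+mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$
+
+
+failregex = <mdre-<mode>>
+
+# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
+# Usage example (for jail.local):
+# [postfix]
+# mode = aggressive
+#
+# # or another jail (rewrite filter parameters of jail):
+# [postfix-rbl]
+# filter = postfix[mode=rbl]
+#
+# # jail to match "too many errors", related postconf `smtpd_hard_error_limit`:
+# # (normally included in other modes (normal, more, extra, aggressive), but this jail'd allow to ban on the first message)
+# [postfix-many-errors]
+# filter = postfix[mode=errors]
+# maxretry = 1
+#
+mode = more
+
+ignoreregex =
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=postfix.service
+
+# Author: Cyril Jaquier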
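Review bot: `mdre-ddos` (`^from [^[]*\[<HOST>\]%(_port)s:?`) is a verbatim copy of the last line of `mdre-normal`, and `mdre-errors` differs from it only by the closing `$`; defining that expression once and referencing it (as `mdpr-rbl = %(mdpr-normal)s` already does) would keep the three in step the next time the port suffix or bracket handling changes. The `# todo:` on `mdre-auth` ties the `Invalid authentication mechanism` exclusion to upstream issues gh-1243/gh-1297, which mean nothing inside this repository; either drop the note or say what the exclusion means for this deployment.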
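--- a/PATH-NOT-ON-PAGE/proftpd
+++ b/PATH-NOT-ON-PAGE/proftpd
@@ -0,0 +1,33 @@
+# Fail2Ban filter for the Proftpd FTP daemon
+#
+# Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS.
+# See: http://www.proftpd.org/docs/howto/DNS.html
+# When the default locale for your system is not en_US.UTF-8
+# on Debian-based systems be sure to add this to /etc/default/proftpd
+# export LC_TIME="en_US.UTF-8"
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = proftpd
+
+__suffix_failed_login = ([uU]ser not authorized for login|[nN]o such user found|[iI]ncorrect password|[pP]assword expired|[aA]ccount disabled|[iI]nvalid shell: '\S+'|[uU]ser in \S+|[lL]imit (access|configuration) denies login|[nN]ot a UserAlias|[mM]aximum login length exceeded)
+
+
+prefregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ <F-CONTENT>(?:USER|SECURITY|Maximum) .+</F-CONTENT>$
+
+
+failregex = ^USER <F-USER>\S+|.*?</F-USER>(?: \(Login failed\))?: %(__suffix_failed_login)s
+^SECURITY VIOLATION: <F-USER>\S+|.*?</F-USER> login attempted
+^Maximum login attempts \(\d+\) exceeded
+
+ignoreregex =
+
+[Init]
+journalmatch = _SYSTEMD_UNIT=proftpd.service
+
+# Author: Yaroslav Halchenko
+# Daniel Black - hardening of regex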
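--- a/PATH-NOT-ON-PAGE/pure-ftpd
+++ b/PATH-NOT-ON-PAGE/pure-ftpd
@@ -0,0 +1,40 @@
+# Fail2Ban filter for pureftp
+#
+# Disable hostname based logging by:
+#
+# Start pure-ftpd with the -H switch or on Ubuntu 'echo yes > /etc/pure-ftpd/conf/DontResolve'
+#
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = pure-ftpd
+
+# Error message specified in multiple languages
+__errmsg = (?:Godkendelse mislykkedes for \[.*\]|Authentifizierung fehlgeschlagen für Benutzer \[.*\].|Authentication failed for user \[.*\]|Autentificación fallida para el usuario \[.*\]|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Azonosítás sikertelen \[.*\] felhasználónak|Autenticazione falita per l'utente \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|Godkjennelse mislyktes for \[.*\]|\[.*\] kullanýcýsý için giriþ hatalý|Autenticação falhou para usuário \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentifikace uživatele selhala \[.*\]|Autentyfikacja nie powiodła się dla użytkownika \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Behörighetskontroll misslyckas för användare \[.*\]|Авторизация не удалась пользователю \[.*\]|\[.*\] 嶸盪 檣隸 褒ぬ|妏蚚氪\[.*\]桄痐囮啖|使用者\[.*\]驗證失敗)
+
+failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s\s*$
+
+ignoreregex =
+
+[Init]
+
+journalmatch = _SYSTEMD_UNIT=pure-ftpd.service + _COMM=pure-ftpd
+
+# Author: Cyril Jaquier
+# Modified: Yaroslav Halchenko for pure-ftpd
+# Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal
+# UTF-8 editing and mechanism thanks to Johannes Weberhofer
+#
+# Only logs to syslog though facility can be changed configuration file/command line
+#
+# To get messages in the right encoding:
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[defhint]* | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' > messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[pr][to] | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' >> messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[cps][slkv] | grep -Po '".?"' | recode latin2..utf-8 | tr -d '"' >> messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_ru | grep -Po '".?"' | recode KOI8-R..utf-8 | tr -d '"' >> messages
+# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[kz] | grep -Po '".*?"' | tr -d '"' | recode big5..utf-8 >> messages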
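Review bot: Two `__errmsg` alternatives, `\[.*\] 嶸盪 檣隸 褒ぬ` and `妏蚚氪\[.*\]桄痐囮啖`, are not readable Korean or Chinese and look like text decoded with the wrong codepage; the last DEV-notes command runs `recode big5..utf-8` over both `messages_[kz]`, and the Korean source is presumably not Big5 (hedged — the third CJK alternative `使用者\[.*\]驗證失敗` decodes fine). If so, those two alternatives never match what pure-ftpd actually logs in those locales and silently weaken coverage there. Worth re-deriving them from the source files with the right encoding, or annotating them as known-bad so nobody relies on them; a sample log line per locale would make that verifiable. The four `grep -Po '".?"'` commands also look like they lost a `*` (the last one reads `'".*?"'`); if that is how the comment really reads rather than a display artefact, the extraction commands do not work as written.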
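--- a/PATH-NOT-ON-PAGE/qmail
+++ b/PATH-NOT-ON-PAGE/qmail
@@ -0,0 +1,31 @@
+# Fail2Ban filters for qmail RBL patches/fake proxies
+#
+# the default djb RBL implementation doesn't log any rejections
+# so is useless with this filter.
+#
+# One patch is here:
+#
+# http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = (?:qmail|rblsmtpd)
+
+failregex = ^%(__prefix_line)s\d+\.\d+ rblsmtpd: <HOST> pid \d+ \S+ 4\d\d \S+\s*$
+^%(__prefix_line)s\d+\.\d+ qmail-smtpd: 4\d\d badiprbl: ip <HOST> rbl: \S+\s*$
+^%(__prefix_line)s\S+ blocked <HOST> \S+ -\s*$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# These seem to be for two or 3 different patches to qmail or rblsmtpd
+# so you'll probably only ever see one of these regex's that match.
+#
+# ref: https://github.com/fail2ban/fail2ban/pull/386
+#
+# Author: Daniel Black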
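--- a/PATH-NOT-ON-PAGE/recidive
+++ b/PATH-NOT-ON-PAGE/recidive
@@ -0,0 +1,38 @@
+# Fail2Ban filter for repeat bans
+#
+# This filter monitors the fail2ban log file, and enables you to add long
+# time bans for ip addresses that get banned by fail2ban multiple times.
+#
+# Reasons to use this: block very persistent attackers for a longer time,
+# stop receiving email notifications about the same attacker over and
+# over again.
+#
+# This jail is only useful if you set the 'findtime' and 'bantime' parameters
+# in jail.conf to a higher value than the other jails. Also, this jail has its
+# drawbacks, namely in that it works only with iptables, or if you use a
+# different blocking mechanism for this jail versus others (e.g. hostsdeny
+# for most jails, and shorewall for this one).
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = (?:fail2ban(?:-server|\.actions)\s*)
+
+# The name of the jail that this filter is used for. In jail.conf, name the jail using
+# this filter 'recidive', or supply another name with `filter = recidive[_jailname="jail"]`
+_jailname = recidive
+
+failregex = ^%(__prefix_line)s(?:\s*fail2ban\.actions\s*%(__pid_re)s?:\s+)?NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
+
+datepattern = ^{DATE}
+
+ignoreregex =
+
+journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5
+
+# Author: Tom Hendrikx, modifications by Amir Caspi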
@ -0,0 +1,39 @@ |
|||||||
|
# Fail2Ban configuration file for roundcube web server |
||||||
|
# |
||||||
|
# By default failed logins are printed to 'errors'. The first regex matches those |
||||||
|
# The second regex matches those printed to 'userlogins' |
||||||
|
# The userlogins log file can be enabled by setting $config['log_logins'] = true; in config.inc.php |
||||||
|
# |
||||||
|
# The logpath in your jail can be updated to userlogins if you wish |
||||||
|
# |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
before = common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$ |
||||||
|
|
||||||
|
failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$ |
||||||
|
^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$ |
||||||
|
|
||||||
|
ignoreregex = Could not connect to .* Connection refused |
||||||
|
|
||||||
|
journalmatch = SYSLOG_IDENTIFIER=roundcube |
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# |
||||||
|
# Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180 |
||||||
|
# |
||||||
|
# Part after <HOST> comes straight from IMAP server up until the " in ....." |
||||||
|
# Earlier versions didn't log the IMAP response hence optional. |
||||||
|
# |
||||||
|
# DoS resistance: |
||||||
|
# |
||||||
|
# Assume that the user can inject "from <HOST>" into the imap response |
||||||
|
# somehow. Write test cases around this to ensure that the combination of |
||||||
|
# arbitrary user input and IMAP response doesn't inject the wrong IP for |
||||||
|
# fail2ban |
||||||
|
# |
||||||
|
# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black & Lee Clemens |
@ -0,0 +1,31 @@ |
|||||||
|
# Fail2Ban configuration file |
||||||
|
# |
||||||
|
# Author: Simon Brown |
||||||
|
# |
||||||
|
# Filter for Mac OS X Screen Sharing service |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from |
||||||
|
# common.local |
||||||
|
before = common.conf |
||||||
|
|
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
_daemon = screensharingd |
||||||
|
|
||||||
|
# Option: failregex |
||||||
|
# Notes.: regex to match the password failures messages in the logfile. The |
||||||
|
# host must be matched by a group named "host". The tag "<HOST>" can |
||||||
|
# be used for standard IP/hostname matching and is only an alias for |
||||||
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) |
||||||
|
# Values: TEXT |
||||||
|
# |
||||||
|
failregex = ^%(__prefix_line)sAuthentication: FAILED :: User Name: .+ :: Viewer Address: <HOST> :: Type: DH$ |
||||||
|
|
||||||
|
# Option: ignoreregex |
||||||
|
# Notes.: regex to ignore. If this regex matches, the line is ignored. |
||||||
|
# Values: TEXT |
||||||
|
# |
||||||
|
ignoreregex = |
@ -0,0 +1,23 @@ |
|||||||
|
# Fail2Ban configuration file for generic SELinux audit messages |
||||||
|
# |
||||||
|
# This file is not intended to be used directly, and should be included into a |
||||||
|
# filter file which would define following variables. See selinux-ssh.conf as |
||||||
|
# and example. |
||||||
|
# |
||||||
|
# _type |
||||||
|
# _uid |
||||||
|
# _auid |
||||||
|
# _subj |
||||||
|
# _msg |
||||||
|
# |
||||||
|
# Also one of these variables must include <HOST>. |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
datepattern = EPOCH |
||||||
|
|
||||||
|
# Author: Daniel Black |
@ -0,0 +1,25 @@ |
|||||||
|
# Fail2Ban configuration file for SELinux ssh authentication errors |
||||||
|
# |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
after = selinux-common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
_type = USER_(ERR|AUTH) |
||||||
|
_uid = 0 |
||||||
|
_auid = \d+ |
||||||
|
_subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023 |
||||||
|
|
||||||
|
_exe =/usr/sbin/sshd |
||||||
|
_terminal = ssh |
||||||
|
|
||||||
|
_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed |
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# |
||||||
|
# Note: USER_LOGIN is ignored as this is the duplicate messsage |
||||||
|
# ssh logs after 3 USER_AUTH failures. |
||||||
|
# |
||||||
|
# Author: Daniel Black |
@ -0,0 +1,25 @@ |
|||||||
|
# Fail2Ban filter for sendmail authentication failures |
||||||
|
# |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
before = common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
_daemon = (?:sendmail|sm-(?:mta|acceptingconnections)) |
||||||
|
# "\w{14,20}" will give support for IDs from 14 up to 20 characters long |
||||||
|
__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )? |
||||||
|
addr = (?:IPv6:<IP6>|<IP4>) |
||||||
|
|
||||||
|
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$ |
||||||
|
|
||||||
|
failregex = ^(\S+ )?\[%(addr)s\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$ |
||||||
|
^AUTH failure \(LOGIN\):(?: [^:]+:)? authentication failure: checkpass failed, user=<F-USER>(?:\S+|.*?)</F-USER>, relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$ |
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
journalmatch = _SYSTEMD_UNIT=sendmail.service |
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# |
||||||
|
# Author: Daniel Black |
@ -0,0 +1,68 @@ |
|||||||
|
# Fail2Ban filter for sendmail spam/relay type failures |
||||||
|
# |
||||||
|
# Some of the below failregex will only work properly, when the following |
||||||
|
# options are set in the .mc file (see your Sendmail documentation on how |
||||||
|
# to modify it and generate the corresponding .cf file): |
||||||
|
# |
||||||
|
# FEATURE(`delay_checks') |
||||||
|
# FEATURE(`greet_pause', `500') |
||||||
|
# FEATURE(`ratecontrol', `nodelay', `terminate') |
||||||
|
# FEATURE(`conncontrol', `nodelay', `terminate') |
||||||
|
# |
||||||
|
# ratecontrol and conncontrol also need corresponding options ClientRate: |
||||||
|
# and ClientConn: in the access file, see documentation for ratecontrol and |
||||||
|
# conncontrol in the sendmail/cf/README file. |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
before = common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
_daemon = (?:(sm-(mta|acceptingconnections)|sendmail)) |
||||||
|
__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )? |
||||||
|
addr = (?:IPv6:<IP6>|<IP4>) |
||||||
|
|
||||||
|
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$ |
||||||
|
|
||||||
|
cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$ |
||||||
|
^ruleset=check_relay, arg1=(?P<dom>\S+), arg2=%(addr)s, relay=((?P=dom) )?\[(\d+\.){3}\d+\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$ |
||||||
|
^rejecting commands from (\S* )?\[%(addr)s\] due to pre-greeting traffic after \d+ seconds$ |
||||||
|
^(?:\S+ )?\[%(addr)s\]: (?:(?i)expn|vrfy) \S+ \[rejected\]$ |
||||||
|
^<[^@]+@[^>]+>\.\.\. No such user here$ |
||||||
|
^<F-NOFAIL>from=<[^@]+@[^>]+></F-NOFAIL>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[%(addr)s\]$ |
||||||
|
|
||||||
|
mdre-normal = |
||||||
|
|
||||||
|
mdre-extra = ^(?:\S+ )?\[%(addr)s\](?: \(may be forged\))? did not issue \S+ during connection |
||||||
|
|
||||||
|
mdre-aggressive = %(mdre-extra)s |
||||||
|
|
||||||
|
failregex = %(cmnfailre)s |
||||||
|
<mdre-<mode>> |
||||||
|
|
||||||
|
# Parameter "mode": normal (default), extra or aggressive |
||||||
|
# Usage example (for jail.local): |
||||||
|
# [sendmail-reject] |
||||||
|
# filter = sendmail-reject[mode=extra] |
||||||
|
# |
||||||
|
mode = normal |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
journalmatch = SYSLOG_IDENTIFIER=sm-mta + _SYSTEMD_UNIT=sendmail.service |
||||||
|
|
||||||
|
# DEV NOTES: |
||||||
|
# |
||||||
|
# Regarding the multiline regex: |
||||||
|
# |
||||||
|
# "No such user" lines generate a failure and needs to be matched together with |
||||||
|
# another line with the HOST, therefore no-failure line was added as regex, that |
||||||
|
# contains HOST (see line with tag <F-NOFAIL>). |
||||||
|
# |
||||||
|
# Note the capture <F-MLFID>, includes both the __prefix_lines (which includes |
||||||
|
# the sendmail PID), but also the `\w{14}` which the the sendmail assigned |
||||||
|
# mail ID (todo: check this is necessary, possible obsolete). |
||||||
|
# |
||||||
|
# Author: Daniel Black, Fabian Wenk and Sergey Brester aka sebres. |
||||||
|
# Rewritten using prefregex by Serg G. Brester. |
@ -0,0 +1,18 @@ |
|||||||
|
# Fail2Ban filter for sieve authentication failures |
||||||
|
# |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from |
||||||
|
# common.local |
||||||
|
before = common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
_daemon = (?:cyrus/)?(?:tim)?sieved? |
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ authentication failure$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
# Author: Jan Wagner <waja@cyconet.org> |
@ -0,0 +1,25 @@ |
|||||||
|
# slapd (Stand-alone LDAP Daemon) openldap daemon filter |
||||||
|
# |
||||||
|
# Detecting invalid credentials: error code 49 |
||||||
|
# http://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html#invalidCredentials (49) |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from |
||||||
|
# common.local |
||||||
|
before = common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
_daemon = slapd |
||||||
|
|
||||||
|
failregex = ^(?P<__prefix>%(__prefix_line)s)conn=(?P<_conn_>\d+) fd=\d+ ACCEPT from IP=<HOST>:\d{1,5} \(IP=\S+\)\s*<SKIPLINES>(?P=__prefix)conn=(?P=_conn_) op=\d+ RESULT(?:\s(?!err)\S+=\S*)* err=49 text=[\w\s]*$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
[Init] |
||||||
|
|
||||||
|
# "maxlines" is number of log lines to buffer for multi-line regex searches |
||||||
|
maxlines = 20 |
||||||
|
|
||||||
|
# Author: Andrii Melnyk |
@ -0,0 +1,9 @@ |
|||||||
|
# Fail2Ban filter for SoftEtherVPN |
||||||
|
# Detecting unauthorized access to SoftEtherVPN |
||||||
|
# typically logged in /usr/local/vpnserver/security_log/*/sec.log, or in syslog, depending on configuration |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
before = common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
failregex = ^%(__prefix_line)s(?:(?:\([\d\-]+ [\d:.]+\) )?<SECURITY_LOG>: )?Connection "[^"]+": User authentication failed. The user name that has been provided was "<F-USER>(?:[^"]+|.+)</F-USER>", from <ADDR>\.$ |
@ -0,0 +1,22 @@ |
|||||||
|
# Fail2ban filter for SOGo authentcation |
||||||
|
# |
||||||
|
# Log file usually in /var/log/sogo/sogo.log |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>(?:,[^']*)?' for user '[^']*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$ |
||||||
|
|
||||||
|
ignoreregex = "^<ADDR>" |
||||||
|
|
||||||
|
datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)? |
||||||
|
{^LN-BEG}(?:%%a )?%%b %%d %%H:%%M:%%S(?:\.%%f)?(?: %%ExY)? |
||||||
|
^[^\[]*\[({DATE}) |
||||||
|
{^LN-BEG} |
||||||
|
|
||||||
|
# |
||||||
|
# DEV Notes: |
||||||
|
# |
||||||
|
# The error log may contain multiple hosts, whereas the first one |
||||||
|
# is the client and all others are poxys. We match the first one, only |
||||||
|
# |
||||||
|
# Author: Arnd Brandes |
@ -0,0 +1,32 @@ |
|||||||
|
# Fail2Ban filter for unsuccessful solid-pop3 authentication attempts |
||||||
|
# |
||||||
|
# Doesn't currently provide PAM support as PAM log messages don't include rhost as |
||||||
|
# remote IP. |
||||||
|
# |
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
before = common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
_daemon = solid-pop3d |
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)sauthentication failed: (no such user|can't map user name): .*? - <HOST>$ |
||||||
|
^%(__prefix_line)s(APOP )?authentication failed for (mapped )?user .*? - <HOST>$ |
||||||
|
^%(__prefix_line)sroot login not allowed - <HOST>$ |
||||||
|
^%(__prefix_line)scan't find APOP secret for user .*? - <HOST>$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# |
||||||
|
# solid-pop3d needs to be compiled with --enable-logextend to support |
||||||
|
# IP addresses in log messages. |
||||||
|
# |
||||||
|
# solid-pop3d-0.15/src/main.c contains all authentication errors |
||||||
|
# except for PAM authentication messages ( src/authenticate.c ) |
||||||
|
# |
||||||
|
# A pam authentication failure message (note no IP for rhost). |
||||||
|
# Nov 17 23:17:50 emf1pt2-2-35-70 solid-pop3d[17176]: pam_unix(solid-pop3d:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=jacques |
||||||
|
# |
||||||
|
# Authors: Daniel Black |
@ -0,0 +1,16 @@ |
|||||||
|
# Fail2Ban filter for Squid attempted proxy bypasses |
||||||
|
# |
||||||
|
# |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
failregex = ^\s+\d\s<HOST>\s+[A-Z_]+_DENIED/403 .*$ |
||||||
|
^\s+\d\s<HOST>\s+NONE/405 .*$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
datepattern = {^LN-BEG}Epoch |
||||||
|
{^LN-BEG} |
||||||
|
|
||||||
|
# Author: Daniel Black |
||||||
|
|
@ -0,0 +1,12 @@ |
|||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
failregex = ^ \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect\.$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
datepattern = ^%%m/%%d/%%Y %%H:%%M:%%S |
||||||
|
|
||||||
|
# DEV NOTES: |
||||||
|
# |
||||||
|
# Author: Daniel Black |
@ -0,0 +1,136 @@ |
|||||||
|
# Fail2Ban filter for openssh |
||||||
|
# |
||||||
|
# If you want to protect OpenSSH from being bruteforced by password |
||||||
|
# authentication then get public key authentication working before disabling |
||||||
|
# PasswordAuthentication in sshd_config. |
||||||
|
# |
||||||
|
# |
||||||
|
# "Connection from <HOST> port \d+" requires LogLevel VERBOSE in sshd_config |
||||||
|
# |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from |
||||||
|
# common.local |
||||||
|
before = common.conf |
||||||
|
|
||||||
|
[DEFAULT] |
||||||
|
|
||||||
|
_daemon = sshd |
||||||
|
|
||||||
|
# optional prefix (logged from several ssh versions) like "error: ", "error: PAM: " or "fatal: " |
||||||
|
__pref = (?:(?:error|fatal): (?:PAM: )?)? |
||||||
|
# optional suffix (logged from several ssh versions) like " [preauth]" |
||||||
|
#__suff = (?: port \d+)?(?: \[preauth\])?\s* |
||||||
|
__suff = (?: (?:port \d+|on \S+|\[preauth\])){0,3}\s* |
||||||
|
__on_port_opt = (?: (?:port \d+|on \S+)){0,2} |
||||||
|
# close by authenticating user: |
||||||
|
__authng_user = (?: (?:invalid|authenticating) user <F-USER>\S+|.*?</F-USER>)? |
||||||
|
|
||||||
|
# for all possible (also future) forms of "no matching (cipher|mac|MAC|compression method|key exchange method|host key type) found", |
||||||
|
# see ssherr.c for all possible SSH_ERR_..._ALG_MATCH errors. |
||||||
|
__alg_match = (?:(?:\w+ (?!found\b)){0,2}\w+) |
||||||
|
|
||||||
|
# PAM authentication mechanism, can be overridden, e. g. `filter = sshd[__pam_auth='pam_ldap']`: |
||||||
|
__pam_auth = pam_[a-z]+ |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID>%(__pref)s<F-CONTENT>.+</F-CONTENT>$ |
||||||
|
|
||||||
|
cmnfailre = ^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \S+)?%(__suff)s$ |
||||||
|
^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>%(__suff)s$ |
||||||
|
<cmnfailre-failed-pub-<publickey>> |
||||||
|
^Failed <cmnfailed> for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$) |
||||||
|
^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST> |
||||||
|
^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__suff)s$ |
||||||
|
^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because not listed in AllowUsers%(__suff)s$ |
||||||
|
^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because listed in DenyUsers%(__suff)s$ |
||||||
|
^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because not in any group%(__suff)s$ |
||||||
|
^refused connect from \S+ \(<HOST>\) |
||||||
|
^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*3: .*: Auth fail%(__suff)s$ |
||||||
|
^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because a group is listed in DenyGroups%(__suff)s$ |
||||||
|
^User <F-USER>\S+|.*?</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups%(__suff)s$ |
||||||
|
^<F-NOFAIL>%(__pam_auth)s\(sshd:auth\):\s+authentication failure;</F-NOFAIL>(?:\s+(?:(?:logname|e?uid|tty)=\S*)){0,4}\s+ruser=<F-ALT_USER>\S*</F-ALT_USER>\s+rhost=<HOST>(?:\s+user=<F-USER>\S*</F-USER>)?%(__suff)s$ |
||||||
|
^maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?%(__suff)s$ |
||||||
|
^User <F-USER>\S+|.*?</F-USER> not allowed because account is locked%(__suff)s |
||||||
|
^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+</F-USER> <HOST>%(__on_port_opt)s:\s*Change of username or service not allowed:\s*.*\[preauth\]\s*$ |
||||||
|
^Disconnecting: Too many authentication failures(?: for <F-USER>\S+|.*?</F-USER>)?%(__suff)s$ |
||||||
|
^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>%(__on_port_opt)s:\s*11: |
||||||
|
<mdre-<mode>-other> |
||||||
|
^<F-MLFFORGET><F-MLFGAINED>Accepted \w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\S+</F-USER> from <HOST>(?:\s|$) |
||||||
|
|
||||||
|
cmnfailed-any = \S+ |
||||||
|
cmnfailed-ignore = \b(?!publickey)\S+ |
||||||
|
cmnfailed-invalid = <cmnfailed-ignore> |
||||||
|
cmnfailed-nofail = (?:<F-NOFAIL>publickey</F-NOFAIL>|\S+) |
||||||
|
cmnfailed = <cmnfailed-<publickey>> |
||||||
|
|
||||||
|
mdre-normal = |
||||||
|
# used to differentiate "connection closed" with and without `[preauth]` (fail/nofail cases in ddos mode) |
||||||
|
mdre-normal-other = ^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)%(__authng_user)s <HOST>(?:%(__suff)s|\s*)$ |
||||||
|
|
||||||
|
mdre-ddos = ^Did not receive identification string from <HOST> |
||||||
|
^kex_exchange_identification: (?:[Cc]lient sent invalid protocol identifier|[Cc]onnection closed by remote host) |
||||||
|
^Bad protocol version identification '.*' from <HOST> |
||||||
|
^<F-NOFAIL>SSH: Server;Ltype:</F-NOFAIL> (?:Authname|Version|Kex);Remote: <HOST>-\d+;[A-Z]\w+: |
||||||
|
^Read from socket failed: Connection <F-MLFFORGET>reset</F-MLFFORGET> by peer |
||||||
|
# same as mdre-normal-other, but as failure (without <F-NOFAIL>) and [preauth] only: |
||||||
|
mdre-ddos-other = ^<F-MLFFORGET>(Connection (?:closed|reset)|Disconnected)</F-MLFFORGET> (?:by|from)%(__authng_user)s <HOST>%(__on_port_opt)s\s+\[preauth\]\s*$ |
||||||
|
|
||||||
|
mdre-extra = ^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>%(__on_port_opt)s:\s*14: No(?: supported)? authentication methods available |
||||||
|
^Unable to negotiate with <HOST>%(__on_port_opt)s: no matching <__alg_match> found. |
||||||
|
^Unable to negotiate a <__alg_match> |
||||||
|
^no matching <__alg_match> found: |
||||||
|
# part of mdre-ddos-other, but user name is supplied (invalid/authenticating) on [preauth] phase only: |
||||||
|
mdre-extra-other = ^<F-MLFFORGET>Disconnected</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\S+|.*?</F-USER> <HOST>%(__on_port_opt)s \[preauth\]\s*$ |
||||||
|
|
||||||
|
mdre-aggressive = %(mdre-ddos)s |
||||||
|
%(mdre-extra)s |
||||||
|
# mdre-extra-other is fully included within mdre-ddos-other: |
||||||
|
mdre-aggressive-other = %(mdre-ddos-other)s |
||||||
|
|
||||||
|
# Parameter "publickey": nofail (default), invalid, any, ignore |
||||||
|
publickey = nofail |
||||||
|
# consider failed publickey for invalid users only: |
||||||
|
cmnfailre-failed-pub-invalid = ^Failed publickey for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>%(__on_port_opt)s(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$) |
||||||
|
# consider failed publickey for valid users too (don't need RE, see cmnfailed): |
||||||
|
cmnfailre-failed-pub-any = |
||||||
|
# same as invalid, but consider failed publickey for valid users too, just as no failure (helper to get IP and user-name only, see cmnfailed): |
||||||
|
cmnfailre-failed-pub-nofail = <cmnfailre-failed-pub-invalid> |
||||||
|
# don't consider failed publickey as failures (don't need RE, see cmnfailed): |
||||||
|
cmnfailre-failed-pub-ignore = |
||||||
|
|
||||||
|
cfooterre = ^<F-NOFAIL>Connection from</F-NOFAIL> <HOST> |
||||||
|
|
||||||
|
failregex = %(cmnfailre)s |
||||||
|
<mdre-<mode>> |
||||||
|
%(cfooterre)s |
||||||
|
|
||||||
|
# Parameter "mode": normal (default), ddos, extra or aggressive (combines all) |
||||||
|
# Usage example (for jail.local): |
||||||
|
# [sshd] |
||||||
|
# mode = extra |
||||||
|
# # or another jail (rewrite filter parameters of jail): |
||||||
|
# [sshd-aggressive] |
||||||
|
# filter = sshd[mode=aggressive] |
||||||
|
# |
||||||
|
mode = normal |
||||||
|
|
||||||
|
#filter = sshd[mode=aggressive] |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
maxlines = 1 |
||||||
|
|
||||||
|
journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd |
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# |
||||||
|
# "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because |
||||||
|
# it is coming before use of <HOST> which is not hard-anchored at the end as well, |
||||||
|
# and later catch-all's could contain user-provided input, which need to be greedily |
||||||
|
# matched away first. |
||||||
|
# |
||||||
|
# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black and Sergey Brester aka sebres |
||||||
|
# Rewritten using prefregex (and introduced "mode" parameter) by Serg G. Brester. |
@ -0,0 +1,13 @@ |
|||||||
|
# Fail2ban filter for stunnel |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
failregex = ^ LOG\d\[\d+:\d+\]:\ SSL_accept from <HOST>:\d+ : (?P<CODE>[\dA-F]+): error:(?P=CODE):SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
# DEV NOTES: |
||||||
|
# |
||||||
|
# Author: Daniel Black |
||||||
|
# |
||||||
|
# Based off: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#stunnel4 |
@ -0,0 +1,28 @@ |
|||||||
|
# Fail2Ban filter for suhosian PHP hardening |
||||||
|
# |
||||||
|
# This occurs with lighttpd or directly from the plugin |
||||||
|
# |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from |
||||||
|
# common.local |
||||||
|
before = common.conf |
||||||
|
|
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
_daemon = (?:lighttpd|suhosin) |
||||||
|
|
||||||
|
|
||||||
|
_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s) |
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .*? \(attacker '<HOST>', file '[^']*'(?:, line \d+)?\)$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# |
||||||
|
# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161 |
||||||
|
# |
||||||
|
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar> |
@ -0,0 +1,24 @@ |
|||||||
|
# Fail2Ban filter for Tine 2.0 authentication |
||||||
|
# |
||||||
|
# Enable logging with: |
||||||
|
# $config['info_log']='/var/log/tine20/tine20.log'; |
||||||
|
# |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
failregex = ^[\da-f]{5,} [\da-f]{5,} (-- none --|.*?)( \d+(\.\d+)?(h|m|s|ms)){0,2} - WARN \(\d+\): Tinebase_Controller::login::\d+ Login with username .*? from <HOST> failed \(-[13]\)!$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
datepattern = ^[^-]+ -- [^-]+ -- - ({DATE}) |
||||||
|
{^LN-BEG} |
||||||
|
|
||||||
|
# Author: Mika (mkl) from Tine20.org forum: https://www.tine20.org/forum/viewtopic.php?f=2&t=15688&p=54766 |
||||||
|
# Editor: Daniel Black |
||||||
|
# Advisor: Lars Kneschke |
||||||
|
# |
||||||
|
# Usernames can contain spaces. |
||||||
|
# |
||||||
|
# Authentication: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Controller.php#l105 |
||||||
|
# Logger: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Log/Formatter.php |
||||||
|
# formatMicrotimeDiff: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Helper.php#l276 |
@ -0,0 +1,76 @@ |
|||||||
|
# Fail2ban filter configuration for traefik :: auth |
||||||
|
# used to ban hosts, that were failed through traefik |
||||||
|
# |
||||||
|
# Author: CrazyMax |
||||||
|
# |
||||||
|
# To use 'traefik-auth' filter you have to configure your Traefik instance to write |
||||||
|
# the access logs as describe in https://docs.traefik.io/configuration/logs/#access-logs |
||||||
|
# into a log file on host and specifiy users for Basic Authentication |
||||||
|
# https://docs.traefik.io/configuration/entrypoints/#basic-authentication |
||||||
|
# |
||||||
|
# Example: |
||||||
|
# |
||||||
|
# version: "3.2" |
||||||
|
# |
||||||
|
# services: |
||||||
|
# traefik: |
||||||
|
# image: traefik:latest |
||||||
|
# command: |
||||||
|
# - "--loglevel=INFO" |
||||||
|
# - "--accesslog=true" |
||||||
|
# - "--accessLog.filePath=/var/log/access.log" |
||||||
|
# # - "--accessLog.filters.statusCodes=400-499" |
||||||
|
# - "--defaultentrypoints=http,https" |
||||||
|
# - "--entryPoints=Name:http Address::80" |
||||||
|
# - "--entryPoints=Name:https Address::443 TLS" |
||||||
|
# - "--docker.domain=example.com" |
||||||
|
# - "--docker.watch=true" |
||||||
|
# - "--docker.exposedbydefault=false" |
||||||
|
# - "--api=true" |
||||||
|
# - "--api.dashboard=true" |
||||||
|
# ports: |
||||||
|
# - target: 80 |
||||||
|
# published: 80 |
||||||
|
# protocol: tcp |
||||||
|
# mode: host |
||||||
|
# - target: 443 |
||||||
|
# published: 443 |
||||||
|
# protocol: tcp |
||||||
|
# mode: host |
||||||
|
# labels: |
||||||
|
# - "traefik.enable=true" |
||||||
|
# - "traefik.port=8080" |
||||||
|
# - "traefik.backend=traefik" |
||||||
|
# - "traefik.frontend.rule=Host:traefik.example.com" |
||||||
|
# - "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/" |
||||||
|
# volumes: |
||||||
|
# - "/var/log/traefik:/var/log" |
||||||
|
# - "/var/run/docker.sock:/var/run/docker.sock" |
||||||
|
# restart: always |
||||||
|
# |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
# Parameter "method" can be used to specifiy request method |
||||||
|
req-method = \S+ |
||||||
|
# Usage example (for jail.local): |
||||||
|
# filter = traefik-auth[req-method="GET|POST|HEAD"] |
||||||
|
|
||||||
|
failregex = ^<HOST> \- <usrre-<mode>> \[\] \"(?:<req-method>) [^\"]+\" 401\b |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
# Parameter "mode": normal (default), ddos or aggressive |
||||||
|
# Usage example (for jail.local): |
||||||
|
# [traefik-auth] |
||||||
|
# mode = aggressive |
||||||
|
# # or another jail (rewrite filter parameters of jail): |
||||||
|
# [traefik-auth-ddos] |
||||||
|
# filter = traefik-auth[mode=ddos] |
||||||
|
# |
||||||
|
mode = normal |
||||||
|
|
||||||
|
# part of failregex matches user name (must be available in normal mode, must be empty in ddos mode, and both for aggressive mode): |
||||||
|
usrre-normal = (?!- )<F-USER>\S+</F-USER> |
||||||
|
usrre-ddos = - |
||||||
|
usrre-aggressive = <F-USER>\S+</F-USER> |
@ -0,0 +1,17 @@ |
|||||||
|
# Fail2Ban filter for uwimap |
||||||
|
# |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
before = common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
_daemon = (?:ipop3d|imapd) |
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|SYSTEM BREAK-IN ATTEMPT) user=\S* auth=\S* host=.*\[<HOST>\]\s*$ |
||||||
|
^%(__prefix_line)sFailed .* override of user=.* host=.*\[<HOST>\]\s*$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
# Author: Amir Caspi |
@ -0,0 +1,22 @@ |
|||||||
|
# Fail2Ban filter for vsftp |
||||||
|
# |
||||||
|
# Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch |
||||||
|
# /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the |
||||||
|
# incoming ip address rather than domain names. |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
before = common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:? |
||||||
|
_daemon = vsftpd |
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$ |
||||||
|
^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,) |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
# Author: Cyril Jaquier |
||||||
|
# Documentation from fail2ban wiki |
@ -0,0 +1,22 @@ |
|||||||
|
# Fail2Ban filter for webmin |
||||||
|
# |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
before = common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
_daemon = webmin |
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$ |
||||||
|
^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$ |
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
# DEV Notes: |
||||||
|
# |
||||||
|
# pattern : webmin[15673]: Non-existent login as toto from 86.0.6.217 |
||||||
|
# webmin[29544]: Invalid login as root from 86.0.6.217 |
||||||
|
# |
||||||
|
# Rule Author: Delvit Guillaume |
@ -0,0 +1,22 @@ |
|||||||
|
# Fail2Ban configuration file for wuftpd |
||||||
|
# |
||||||
|
# |
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
# Read common prefixes. If any customizations available -- read them from |
||||||
|
# common.local |
||||||
|
before = common.conf |
||||||
|
|
||||||
|
[Definition] |
||||||
|
|
||||||
|
_daemon = wu-ftpd |
||||||
|
__pam_re=\(?%(__pam_auth)s(?:\(wu-ftpd:auth\))?\)?:? |
||||||
|
|
||||||
|
failregex = ^%(__prefix_line)sfailed login from \S+ \[<HOST>\]\s*$ |
||||||
|
^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$ |
||||||
|
|
||||||
|
|
||||||
|
ignoreregex = |
||||||
|
|
||||||
|
# Author: Yaroslav Halchenko |
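--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_xinetd_fail_filter
@@ -0,0 +1,29 @@
+# Fail2Ban filter for xinetd failures
+#
+# Cfr.: /var/log/(daemon\.|sys)log
+#
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = xinetd
+
+prefregex = ^%(__prefix_line)sFAIL: <F-CONTENT>.+</F-CONTENT>$
+
+failregex = ^\S+ address from=<HOST>$
+            ^\S+ libwrap from=<HOST>$
+
+ignoreregex =
+
+# DEV Notes:
+#
+# libwrap => tcp wrappers: hosts.(allow|deny)
+# address => xinetd: deny_from|only_from
+#
+# Author: Guido Bozzetto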
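--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_znc_adminlog_filter
@@ -0,0 +1,34 @@
+# Fail2Ban filter for ZNC (requires adminlog module)
+#
+# to use this module, enable the adminlog module from within ZNC and point
+# logpath to its logfile (e.g. /var/lib/znc/moddata/adminlog/znc.log).
+
+[DEFAULT]
+
+logtype = file
+
+[Definition]
+
+_daemon = znc
+
+# Prefix for different logtype (file, journal):
+#
+__prefix_file = (?:\[\]\s+)?
+__prefix_short = (?:\S+\s+%(_daemon)s\[\d+\]:)\s+
+__prefix_journal = %(__prefix_short)s
+
+__prefix_line = <__prefix_<logtype>>
+
+failregex = ^%(__prefix_line)s\[[^]]+\] failed to login from <ADDR>
+
+ignoreregex =
+
+journalmatch = _SYSTEMD_UNIT=znc.service + _COMM=znc
+
+# DEV Notes:
+# Log format is: [<DATE+TIME>] [<USERNAME>] <ACTION> from <ADDR>
+# [2018-10-27 01:40:17] [girst] connected to ZNC from 1.2.3.4
+# [2018-10-27 01:40:21] [girst] disconnected from ZNC from 1.2.3.4
+# [2018-10-27 01:40:55] [girst] failed to login from 1.2.3.4
+#
+# Author: Tobias Girstmair (//gir.st/)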
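--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE_zoneminder_filter
@@ -0,0 +1,21 @@
+# Fail2Ban filter for Zoneminder login failures
+
+[INCLUDES]
+before = apache-common.conf
+
+[Definition]
+
+# pattern: [Wed Apr 27 23:12:07.736196 2016] [:error] [pid 2460] [client 10.1.1.1:47296] WAR [Login denied for user "test"], referer: https://zoneminderurl/index.php
+#
+#
+# Option: failregex
+# Notes.: regex to match the password failure messages in the logfile.
+
+failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\]
+
+ignoreregex =
+
+# Notes:
+# Tested on Zoneminder 1.29.0
+#
+# Author: John Marzella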
@ -0,0 +1,964 @@ |
|
# |
||||||
|
# WARNING: heavily refactored in 0.9.0 release. Please review and |
||||||
|
# customize settings for your setup. |
||||||
|
# |
||||||
|
# Changes: in most of the cases you should not modify this |
||||||
|
# file, but provide customizations in jail.local file, |
||||||
|
# or separate .conf files under jail.d/ directory, e.g.: |
||||||
|
# |
||||||
|
# HOW TO ACTIVATE JAILS: |
||||||
|
# |
||||||
|
# YOU SHOULD NOT MODIFY THIS FILE. |
||||||
|
# |
||||||
|
# It will probably be overwritten or improved in a distribution update. |
||||||
|
# |
||||||
|
# Provide customizations in a jail.local file or a jail.d/customisation.local. |
||||||
|
# For example to change the default bantime for all jails and to enable the |
||||||
|
# ssh-iptables jail the following (uncommented) would appear in the .local file. |
||||||
|
# See man 5 jail.conf for details. |
||||||
|
# |
||||||
|
# [DEFAULT] |
||||||
|
# bantime = 1h |
||||||
|
# |
||||||
|
# [sshd] |
||||||
|
# enabled = true |
||||||
|
# |
||||||
|
# See jail.conf(5) man page for more information |
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# Comments: use '#' for comment lines and ';' (following a space) for inline comments |
||||||
|
|
||||||
|
|
||||||
|
[INCLUDES] |
||||||
|
|
||||||
|
#before = paths-distro.conf |
||||||
|
before = paths-debian.conf |
||||||
|
|
||||||
|
# The DEFAULT allows a global definition of the options. They can be overridden |
||||||
|
# in each jail afterwards. |
||||||
|
|
||||||
|
[DEFAULT] |
||||||
|
|
||||||
|
# |
||||||
|
# MISCELLANEOUS OPTIONS |
||||||
|
# |
||||||
|
|
||||||
|
# "bantime.increment" allows to use database for searching of previously banned ip's to increase a |
||||||
|
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32... |
||||||
|
#bantime.increment = true |
||||||
|
|
||||||
|
# "bantime.rndtime" is the max number of seconds using for mixing with random time |
||||||
|
# to prevent "clever" botnets calculate exact time IP can be unbanned again: |
||||||
|
#bantime.rndtime = |
||||||
|
|
||||||
|
# "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further) |
||||||
|
#bantime.maxtime = |
||||||
|
|
||||||
|
# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier, |
||||||
|
# default value of factor is 1 and with default value of formula, the ban time |
||||||
|
# grows by 1, 2, 4, 8, 16 ... |
||||||
|
#bantime.factor = 1 |
||||||
|
|
||||||
|
# "bantime.formula" used by default to calculate next value of ban time, default value below, |
||||||
|
# the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32... |
||||||
|
#bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor |
||||||
|
# |
||||||
|
# more aggressive example of formula has the same values only for factor "2.0 / 2.885385" : |
||||||
|
#bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor) |
||||||
|
|
||||||
|
# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding |
||||||
|
# previously ban count and given "bantime.factor" (for multipliers default is 1); |
||||||
|
# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, |
||||||
|
# always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours |
||||||
|
#bantime.multipliers = 1 2 4 8 16 32 64 |
||||||
|
# following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin, |
||||||
|
# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day |
||||||
|
#bantime.multipliers = 1 5 30 60 300 720 1440 2880 |
||||||
|
|
||||||
|
# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed |
||||||
|
# cross over all jails, if false (dafault), only current jail of the ban IP will be searched |
||||||
|
#bantime.overalljails = false |
||||||
|
|
||||||
|
# -------------------- |
||||||
|
|
||||||
|
# "ignoreself" specifies whether the local resp. own IP addresses should be ignored |
||||||
|
# (default is true). Fail2ban will not ban a host which matches such addresses. |
||||||
|
#ignoreself = true |
||||||
|
|
||||||
|
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban |
||||||
|
# will not ban a host which matches an address in this list. Several addresses |
||||||
|
# can be defined using space (and/or comma) separator. |
||||||
|
#ignoreip = 127.0.0.1/8 ::1 |
||||||
|
|
||||||
|
# External command that will take an tagged arguments to ignore, e.g. <ip>, |
||||||
|
# and return true if the IP is to be ignored. False otherwise. |
||||||
|
# |
||||||
|
# ignorecommand = /path/to/command <ip> |
||||||
|
ignorecommand = |
||||||
|
|
||||||
|
# "bantime" is the number of seconds that a host is banned. |
||||||
|
bantime = 10m |
||||||
|
|
||||||
|
# A host is banned if it has generated "maxretry" during the last "findtime" |
||||||
|
# seconds. |
||||||
|
findtime = 10m |
||||||
|
|
||||||
|
# "maxretry" is the number of failures before a host get banned. |
||||||
|
maxretry = 5 |
||||||
|
|
||||||
|
# "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions). |
||||||
|
maxmatches = %(maxretry)s |
||||||
|
|
||||||
|
# "backend" specifies the backend used to get files modification. |
||||||
|
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". |
||||||
|
# This option can be overridden in each jail as well. |
||||||
|
# |
||||||
|
# pyinotify: requires pyinotify (a file alteration monitor) to be installed. |
||||||
|
# If pyinotify is not installed, Fail2ban will use auto. |
||||||
|
# gamin: requires Gamin (a file alteration monitor) to be installed. |
||||||
|
# If Gamin is not installed, Fail2ban will use auto. |
||||||
|
# polling: uses a polling algorithm which does not require external libraries. |
||||||
|
# systemd: uses systemd python library to access the systemd journal. |
||||||
|
# Specifying "logpath" is not valid for this backend. |
||||||
|
# See "journalmatch" in the jails associated filter config |
||||||
|
# auto: will try to use the following backends, in order: |
||||||
|
# pyinotify, gamin, polling. |
||||||
|
# |
||||||
|
# Note: if systemd backend is chosen as the default but you enable a jail |
||||||
|
# for which logs are present only in its own log files, specify some other |
||||||
|
# backend for that jail (e.g. polling) and provide empty value for |
||||||
|
# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 |
||||||
|
backend = auto |
||||||
|
|
||||||
|
# "usedns" specifies if jails should trust hostnames in logs, |
||||||
|
# warn when DNS lookups are performed, or ignore all hostnames in logs |
||||||
|
# |
||||||
|
# yes: if a hostname is encountered, a DNS lookup will be performed. |
||||||
|
# warn: if a hostname is encountered, a DNS lookup will be performed, |
||||||
|
# but it will be logged as a warning. |
||||||
|
# no: if a hostname is encountered, will not be used for banning, |
||||||
|
# but it will be logged as info. |
||||||
|
# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user) |
||||||
|
usedns = warn |
||||||
|
|
||||||
|
# "logencoding" specifies the encoding of the log files handled by the jail |
||||||
|
# This is used to decode the lines from the log file. |
||||||
|
# Typical examples: "ascii", "utf-8" |
||||||
|
# |
||||||
|
# auto: will use the system locale setting |
||||||
|
logencoding = auto |
||||||
|
|
||||||
|
# "enabled" enables the jails. |
||||||
|
# By default all jails are disabled, and it should stay this way. |
||||||
|
# Enable only relevant to your setup jails in your .local or jail.d/*.conf |
||||||
|
# |
||||||
|
# true: jail will be enabled and log files will get monitored for changes |
||||||
|
# false: jail is not enabled |
||||||
|
enabled = false |
||||||
|
|
||||||
|
|
||||||
|
# "mode" defines the mode of the filter (see corresponding filter implementation for more info). |
||||||
|
mode = normal |
||||||
|
|
||||||
|
# "filter" defines the filter to use by the jail. |
||||||
|
# By default jails have names matching their filter name |
||||||
|
# |
||||||
|
filter = %(__name__)s[mode=%(mode)s] |
||||||
|
|
||||||
|
|
||||||
|
# |
||||||
|
# ACTIONS |
||||||
|
# |
||||||
|
|
||||||
|
# Some options used for actions |
||||||
|
|
||||||
|
# Destination email address used solely for the interpolations in |
||||||
|
# jail.{conf,local,d/*} configuration files. |
||||||
|
destemail = root@localhost |
||||||
|
|
||||||
|
# Sender email address used solely for some actions |
||||||
|
sender = root@<fq-hostname> |
||||||
|
|
||||||
|
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the |
||||||
|
# mailing. Change mta configuration parameter to mail if you want to |
||||||
|
# revert to conventional 'mail'. |
||||||
|
mta = sendmail |
||||||
|
|
||||||
|
# Default protocol |
||||||
|
protocol = tcp |
||||||
|
|
||||||
|
# Specify chain where jumps would need to be added in ban-actions expecting parameter chain |
||||||
|
chain = <known/chain> |
||||||
|
|
||||||
|
# Ports to be banned |
||||||
|
# Usually should be overridden in a particular jail |
||||||
|
port = 0:65535 |
||||||
|
|
||||||
|
# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3 |
||||||
|
fail2ban_agent = Fail2Ban/%(fail2ban_version)s |
||||||
|
|
||||||
|
# |
||||||
|
# Action shortcuts. To be used to define action parameter |
||||||
|
|
||||||
|
# Default banning action (e.g. iptables, iptables-new, |
||||||
|
# iptables-multiport, shorewall, etc) It is used to define |
||||||
|
# action_* variables. Can be overridden globally or per |
||||||
|
# section within jail.local file |
||||||
|
banaction = iptables-multiport |
||||||
|
banaction_allports = iptables-allports |
||||||
|
|
||||||
|
# The simplest action to take: ban only |
||||||
|
action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] |
||||||
|
|
||||||
|
# ban & send an e-mail with whois report to the destemail. |
||||||
|
action_mw = %(action_)s |
||||||
|
%(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] |
||||||
|
|
||||||
|
# ban & send an e-mail with whois report and relevant log lines |
||||||
|
# to the destemail. |
||||||
|
action_mwl = %(action_)s |
||||||
|
%(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"] |
||||||
|
|
||||||
|
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action |
||||||
|
# |
||||||
|
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines |
||||||
|
# to the destemail. |
||||||
|
action_xarf = %(action_)s |
||||||
|
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"] |
||||||
|
|
||||||
|
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines |
||||||
|
# to the destemail. |
||||||
|
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] |
||||||
|
%(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"] |
||||||
|
|
||||||
|
# Report block via blocklist.de fail2ban reporting service API |
||||||
|
# |
||||||
|
# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action. |
||||||
|
# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation |
||||||
|
# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey` |
||||||
|
# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in |
||||||
|
# corresponding jail.d/my-jail.local file). |
||||||
|
# |
||||||
|
action_blocklist_de = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] |
||||||
|
|
||||||
|
# Report ban via badips.com, and use as blacklist |
||||||
|
# |
||||||
|
# See BadIPsAction docstring in config/action.d/badips.py for |
||||||
|
# documentation for this action. |
||||||
|
# |
||||||
|
# NOTE: This action relies on banaction being present on start and therefore |
||||||
|
# should be last action defined for a jail. |
||||||
|
# |
||||||
|
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"] |
||||||
|
# |
||||||
|
# Report ban via badips.com (uses action.d/badips.conf for reporting only) |
||||||
|
# |
||||||
|
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"] |
||||||
|
|
||||||
|
# Report ban via abuseipdb.com. |
||||||
|
# |
||||||
|
# See action.d/abuseipdb.conf for usage example and details. |
||||||
|
# |
||||||
|
action_abuseipdb = abuseipdb |
||||||
|
|
||||||
|
# Choose default action. To change, just override value of 'action' with the |
||||||
|
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local |
||||||
|
# globally (section [DEFAULT]) or per specific section |
||||||
|
action = %(action_)s |
||||||
|
|
||||||
|
|
||||||
|
# |
||||||
|
# JAILS |
||||||
|
# |
||||||
|
|
||||||
|
# |
||||||
|
# SSH servers |
||||||
|
# |
||||||
|
|
||||||
|
[sshd] |
||||||
|
|
||||||
|
# To use more aggressive sshd modes set filter parameter "mode" in jail.local: |
||||||
|
# normal (default), ddos, extra or aggressive (combines all). |
||||||
|
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. |
||||||
|
#mode = normal |
||||||
|
port = ssh |
||||||
|
logpath = %(sshd_log)s |
||||||
|
backend = %(sshd_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[dropbear] |
||||||
|
|
||||||
|
port = ssh |
||||||
|
logpath = %(dropbear_log)s |
||||||
|
backend = %(dropbear_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[selinux-ssh] |
||||||
|
|
||||||
|
port = ssh |
||||||
|
logpath = %(auditd_log)s |
||||||
|
|
||||||
|
|
||||||
|
# |
||||||
|
# HTTP servers |
||||||
|
# |
||||||
|
|
||||||
|
[apache-auth] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = %(apache_error_log)s |
||||||
|
|
||||||
|
|
||||||
|
[apache-badbots] |
||||||
|
# Ban hosts which agent identifies spammer robots crawling the web |
||||||
|
# for email addresses. The mail outputs are buffered. |
||||||
|
port = http,https |
||||||
|
logpath = %(apache_access_log)s |
||||||
|
bantime = 48h |
||||||
|
maxretry = 1 |
||||||
|
|
||||||
|
|
||||||
|
[apache-noscript] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = %(apache_error_log)s |
||||||
|
|
||||||
|
|
||||||
|
[apache-overflows] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = %(apache_error_log)s |
||||||
|
maxretry = 2 |
||||||
|
|
||||||
|
|
||||||
|
[apache-nohome] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = %(apache_error_log)s |
||||||
|
maxretry = 2 |
||||||
|
|
||||||
|
|
||||||
|
[apache-botsearch] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = %(apache_error_log)s |
||||||
|
maxretry = 2 |
||||||
|
|
||||||
|
|
||||||
|
[apache-fakegooglebot] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = %(apache_access_log)s |
||||||
|
maxretry = 1 |
||||||
|
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip> |
||||||
|
|
||||||
|
|
||||||
|
[apache-modsecurity] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = %(apache_error_log)s |
||||||
|
maxretry = 2 |
||||||
|
|
||||||
|
|
||||||
|
[apache-shellshock] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = %(apache_error_log)s |
||||||
|
maxretry = 1 |
||||||
|
|
||||||
|
|
||||||
|
[openhab-auth] |
||||||
|
|
||||||
|
filter = openhab |
||||||
|
banaction = %(banaction_allports)s |
||||||
|
logpath = /opt/openhab/logs/request.log |
||||||
|
|
||||||
|
|
||||||
|
[nginx-http-auth] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = %(nginx_error_log)s |
||||||
|
|
||||||
|
# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` |
||||||
|
# and define `limit_req` and `limit_req_zone` as described in nginx documentation |
||||||
|
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html |
||||||
|
# or for example see in 'config/filter.d/nginx-limit-req.conf' |
||||||
|
[nginx-limit-req] |
||||||
|
port = http,https |
||||||
|
logpath = %(nginx_error_log)s |
||||||
|
|
||||||
|
[nginx-botsearch] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = %(nginx_error_log)s |
||||||
|
maxretry = 2 |
||||||
|
|
||||||
|
|
||||||
|
# Ban attackers that try to use PHP's URL-fopen() functionality |
||||||
|
# through GET/POST variables. - Experimental, with more than a year |
||||||
|
# of usage in production environments. |
||||||
|
|
||||||
|
[php-url-fopen] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = %(nginx_access_log)s |
||||||
|
%(apache_access_log)s |
||||||
|
|
||||||
|
|
||||||
|
[suhosin] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = %(suhosin_log)s |
||||||
|
|
||||||
|
|
||||||
|
[lighttpd-auth] |
||||||
|
# Same as above for Apache's mod_auth |
||||||
|
# It catches wrong authentifications |
||||||
|
port = http,https |
||||||
|
logpath = %(lighttpd_error_log)s |
||||||
|
|
||||||
|
|
||||||
|
# |
||||||
|
# Webmail and groupware servers |
||||||
|
# |
||||||
|
|
||||||
|
[roundcube-auth] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = %(roundcube_errors_log)s |
||||||
|
# Use following line in your jail.local if roundcube logs to journal. |
||||||
|
#backend = %(syslog_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[openwebmail] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = /var/log/openwebmail.log |
||||||
|
|
||||||
|
|
||||||
|
[horde] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = /var/log/horde/horde.log |
||||||
|
|
||||||
|
|
||||||
|
[groupoffice] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = /home/groupoffice/log/info.log |
||||||
|
|
||||||
|
|
||||||
|
[sogo-auth] |
||||||
|
# Monitor SOGo groupware server |
||||||
|
# without proxy this would be: |
||||||
|
# port = 20000 |
||||||
|
port = http,https |
||||||
|
logpath = /var/log/sogo/sogo.log |
||||||
|
|
||||||
|
|
||||||
|
[tine20] |
||||||
|
|
||||||
|
logpath = /var/log/tine20/tine20.log |
||||||
|
port = http,https |
||||||
|
|
||||||
|
|
||||||
|
# |
||||||
|
# Web Applications |
||||||
|
# |
||||||
|
# |
||||||
|
|
||||||
|
[drupal-auth] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = %(syslog_daemon)s |
||||||
|
backend = %(syslog_backend)s |
||||||
|
|
||||||
|
[guacamole] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = /var/log/tomcat*/catalina.out |
||||||
|
#logpath = /var/log/guacamole.log |
||||||
|
|
||||||
|
[monit] |
||||||
|
#Ban clients brute-forcing the monit gui login |
||||||
|
port = 2812 |
||||||
|
logpath = /var/log/monit |
||||||
|
/var/log/monit.log |
||||||
|
|
||||||
|
|
||||||
|
[webmin-auth] |
||||||
|
|
||||||
|
port = 10000 |
||||||
|
logpath = %(syslog_authpriv)s |
||||||
|
backend = %(syslog_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[froxlor-auth] |
||||||
|
|
||||||
|
port = http,https |
||||||
|
logpath = %(syslog_authpriv)s |
||||||
|
backend = %(syslog_backend)s |
||||||
|
|
||||||
|
|
||||||
|
# |
||||||
|
# HTTP Proxy servers |
||||||
|
# |
||||||
|
# |
||||||
|
|
||||||
|
[squid] |
||||||
|
|
||||||
|
port = 80,443,3128,8080 |
||||||
|
logpath = /var/log/squid/access.log |
||||||
|
|
||||||
|
|
||||||
|
[3proxy] |
||||||
|
|
||||||
|
port = 3128 |
||||||
|
logpath = /var/log/3proxy.log |
||||||
|
|
||||||
|
|
||||||
|
# |
||||||
|
# FTP servers |
||||||
|
# |
||||||
|
|
||||||
|
|
||||||
|
[proftpd] |
||||||
|
|
||||||
|
port = ftp,ftp-data,ftps,ftps-data |
||||||
|
logpath = %(proftpd_log)s |
||||||
|
backend = %(proftpd_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[pure-ftpd] |
||||||
|
|
||||||
|
port = ftp,ftp-data,ftps,ftps-data |
||||||
|
logpath = %(pureftpd_log)s |
||||||
|
backend = %(pureftpd_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[gssftpd] |
||||||
|
|
||||||
|
port = ftp,ftp-data,ftps,ftps-data |
||||||
|
logpath = %(syslog_daemon)s |
||||||
|
backend = %(syslog_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[wuftpd] |
||||||
|
|
||||||
|
port = ftp,ftp-data,ftps,ftps-data |
||||||
|
logpath = %(wuftpd_log)s |
||||||
|
backend = %(wuftpd_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[vsftpd] |
||||||
|
# or overwrite it in jails.local to be |
||||||
|
# logpath = %(syslog_authpriv)s |
||||||
|
# if you want to rely on PAM failed login attempts |
||||||
|
# vsftpd's failregex should match both of those formats |
||||||
|
port = ftp,ftp-data,ftps,ftps-data |
||||||
|
logpath = %(vsftpd_log)s |
||||||
|
|
||||||
|
|
||||||
|
# |
||||||
|
# Mail servers |
||||||
|
# |
||||||
|
|
||||||
|
# ASSP SMTP Proxy Jail |
||||||
|
[assp] |
||||||
|
|
||||||
|
port = smtp,465,submission |
||||||
|
logpath = /root/path/to/assp/logs/maillog.txt |
||||||
|
|
||||||
|
|
||||||
|
[courier-smtp] |
||||||
|
|
||||||
|
port = smtp,465,submission |
||||||
|
logpath = %(syslog_mail)s |
||||||
|
backend = %(syslog_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[postfix] |
||||||
|
# To use another modes set filter parameter "mode" in jail.local: |
||||||
|
mode = more |
||||||
|
port = smtp,465,submission |
||||||
|
logpath = %(postfix_log)s |
||||||
|
backend = %(postfix_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[postfix-rbl] |
||||||
|
|
||||||
|
filter = postfix[mode=rbl] |
||||||
|
port = smtp,465,submission |
||||||
|
logpath = %(postfix_log)s |
||||||
|
backend = %(postfix_backend)s |
||||||
|
maxretry = 1 |
||||||
|
|
||||||
|
|
||||||
|
[sendmail-auth] |
||||||
|
|
||||||
|
port = submission,465,smtp |
||||||
|
logpath = %(syslog_mail)s |
||||||
|
backend = %(syslog_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[sendmail-reject] |
||||||
|
# To use more aggressive modes set filter parameter "mode" in jail.local: |
||||||
|
# normal (default), extra or aggressive |
||||||
|
# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details. |
||||||
|
#mode = normal |
||||||
|
port = smtp,465,submission |
||||||
|
logpath = %(syslog_mail)s |
||||||
|
backend = %(syslog_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[qmail-rbl] |
||||||
|
|
||||||
|
filter = qmail |
||||||
|
port = smtp,465,submission |
||||||
|
logpath = /service/qmail/log/main/current |
||||||
|
|
||||||
|
|
||||||
|
# dovecot defaults to logging to the mail syslog facility |
||||||
|
# but can be set by syslog_facility in the dovecot configuration. |
||||||
|
[dovecot] |
||||||
|
|
||||||
|
port = pop3,pop3s,imap,imaps,submission,465,sieve |
||||||
|
logpath = %(dovecot_log)s |
||||||
|
backend = %(dovecot_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[sieve] |
||||||
|
|
||||||
|
port = smtp,465,submission |
||||||
|
logpath = %(dovecot_log)s |
||||||
|
backend = %(dovecot_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[solid-pop3d] |
||||||
|
|
||||||
|
port = pop3,pop3s |
||||||
|
logpath = %(solidpop3d_log)s |
||||||
|
|
||||||
|
|
||||||
|
[exim] |
||||||
|
# see filter.d/exim.conf for further modes supported from filter: |
||||||
|
#mode = normal |
||||||
|
port = smtp,465,submission |
||||||
|
logpath = %(exim_main_log)s |
||||||
|
|
||||||
|
|
||||||
|
[exim-spam] |
||||||
|
|
||||||
|
port = smtp,465,submission |
||||||
|
logpath = %(exim_main_log)s |
||||||
|
|
||||||
|
|
||||||
|
[kerio] |
||||||
|
|
||||||
|
port = imap,smtp,imaps,465 |
||||||
|
logpath = /opt/kerio/mailserver/store/logs/security.log |
||||||
|
|
||||||
|
|
||||||
|
# |
||||||
|
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so |
||||||
|
# all relevant ports get banned |
||||||
|
# |
||||||
|
|
||||||
|
[courier-auth] |
||||||
|
|
||||||
|
port = smtp,465,submission,imap,imaps,pop3,pop3s |
||||||
|
logpath = %(syslog_mail)s |
||||||
|
backend = %(syslog_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[postfix-sasl] |
||||||
|
|
||||||
|
filter = postfix[mode=auth] |
||||||
|
port = smtp,465,submission,imap,imaps,pop3,pop3s |
||||||
|
# You might consider monitoring /var/log/mail.warn instead if you are |
||||||
|
# running postfix since it would provide the same log lines at the |
||||||
|
# "warn" level but overall at the smaller filesize. |
||||||
|
logpath = %(postfix_log)s |
||||||
|
backend = %(postfix_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[perdition] |
||||||
|
|
||||||
|
port = imap,imaps,pop3,pop3s |
||||||
|
logpath = %(syslog_mail)s |
||||||
|
backend = %(syslog_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[squirrelmail] |
||||||
|
|
||||||
|
port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks |
||||||
|
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log |
||||||
|
|
||||||
|
|
||||||
|
[cyrus-imap] |
||||||
|
|
||||||
|
port = imap,imaps |
||||||
|
logpath = %(syslog_mail)s |
||||||
|
backend = %(syslog_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[uwimap-auth] |
||||||
|
|
||||||
|
port = imap,imaps |
||||||
|
logpath = %(syslog_mail)s |
||||||
|
backend = %(syslog_backend)s |
||||||
|
|
||||||
|
|
||||||
|
# |
||||||
|
# |
||||||
|
# DNS servers |
||||||
|
# |
||||||
|
|
||||||
|
|
||||||
|
# !!! WARNING !!! |
||||||
|
# Since UDP is connection-less protocol, spoofing of IP and imitation |
||||||
|
# of illegal actions is way too simple. Thus enabling of this filter |
||||||
|
# might provide an easy way for implementing a DoS against a chosen |
||||||
|
# victim. See |
||||||
|
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html |
||||||
|
# Please DO NOT USE this jail unless you know what you are doing. |
||||||
|
# |
||||||
|
# IMPORTANT: see filter.d/named-refused for instructions to enable logging |
||||||
|
# This jail blocks UDP traffic for DNS requests. |
||||||
|
# [named-refused-udp] |
||||||
|
# |
||||||
|
# filter = named-refused |
||||||
|
# port = domain,953 |
||||||
|
# protocol = udp |
||||||
|
# logpath = /var/log/named/security.log |
||||||
|
|
||||||
|
# IMPORTANT: see filter.d/named-refused for instructions to enable logging |
||||||
|
# This jail blocks TCP traffic for DNS requests. |
||||||
|
|
||||||
|
[named-refused] |
||||||
|
|
||||||
|
port = domain,953 |
||||||
|
logpath = /var/log/named/security.log |
||||||
|
|
||||||
|
|
||||||
|
[nsd] |
||||||
|
|
||||||
|
port = 53 |
||||||
|
action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] |
||||||
|
%(default/action_)s[name=%(__name__)s-udp, protocol="udp"] |
||||||
|
logpath = /var/log/nsd.log |
||||||
|
|
||||||
|
|
||||||
|
# |
||||||
|
# Miscellaneous |
||||||
|
# |
||||||
|
|
||||||
|
[asterisk] |
||||||
|
|
||||||
|
port = 5060,5061 |
||||||
|
action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] |
||||||
|
%(default/action_)s[name=%(__name__)s-udp, protocol="udp"] |
||||||
|
logpath = /var/log/asterisk/messages |
||||||
|
maxretry = 10 |
||||||
|
|
||||||
|
|
||||||
|
[freeswitch] |
||||||
|
|
||||||
|
port = 5060,5061 |
||||||
|
action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] |
||||||
|
%(default/action_)s[name=%(__name__)s-udp, protocol="udp"] |
||||||
|
logpath = /var/log/freeswitch.log |
||||||
|
maxretry = 10 |
||||||
|
|
||||||
|
|
||||||
|
# enable adminlog; it will log to a file inside znc's directory by default. |
||||||
|
[znc-adminlog] |
||||||
|
|
||||||
|
port = 6667 |
||||||
|
logpath = /var/lib/znc/moddata/adminlog/znc.log |
||||||
|
|
||||||
|
|
||||||
|
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or |
||||||
|
# equivalent section: |
||||||
|
# log-warnings = 2 |
||||||
|
# |
||||||
|
# for syslog (daemon facility) |
||||||
|
# [mysqld_safe] |
||||||
|
# syslog |
||||||
|
# |
||||||
|
# for own logfile |
||||||
|
# [mysqld] |
||||||
|
# log-error=/var/log/mysqld.log |
||||||
|
[mysqld-auth] |
||||||
|
|
||||||
|
port = 3306 |
||||||
|
logpath = %(mysql_log)s |
||||||
|
backend = %(mysql_backend)s |
||||||
|
|
||||||
|
|
||||||
|
# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') |
||||||
|
[mongodb-auth] |
||||||
|
# change port when running with "--shardsvr" or "--configsvr" runtime operation |
||||||
|
port = 27017 |
||||||
|
logpath = /var/log/mongodb/mongodb.log |
||||||
|
|
||||||
|
|
||||||
|
# Jail for more extended banning of persistent abusers |
||||||
|
# !!! WARNINGS !!! |
||||||
|
# 1. Make sure that your loglevel specified in fail2ban.conf/.local |
||||||
|
# is not at DEBUG level -- which might then cause fail2ban to fall into |
||||||
|
# an infinite loop constantly feeding itself with non-informative lines |
||||||
|
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) |
||||||
|
# to maintain entries for failed logins for sufficient amount of time |
||||||
|
[recidive] |
||||||
|
|
||||||
|
logpath = /var/log/fail2ban.log |
||||||
|
banaction = %(banaction_allports)s |
||||||
|
bantime = 1w |
||||||
|
findtime = 1d |
||||||
|
|
||||||
|
|
||||||
|
# Generic filter for PAM. Has to be used with action which bans all |
||||||
|
# ports such as iptables-allports, shorewall |
||||||
|
|
||||||
|
[pam-generic] |
||||||
|
# pam-generic filter can be customized to monitor specific subset of 'tty's |
||||||
|
banaction = %(banaction_allports)s |
||||||
|
logpath = %(syslog_authpriv)s |
||||||
|
backend = %(syslog_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[xinetd-fail] |
||||||
|
|
||||||
|
banaction = iptables-multiport-log |
||||||
|
logpath = %(syslog_daemon)s |
||||||
|
backend = %(syslog_backend)s |
||||||
|
maxretry = 2 |
||||||
|
|
||||||
|
|
||||||
|
# stunnel - need to set port for this |
||||||
|
[stunnel] |
||||||
|
|
||||||
|
logpath = /var/log/stunnel4/stunnel.log |
||||||
|
|
||||||
|
|
||||||
|
[ejabberd-auth] |
||||||
|
|
||||||
|
port = 5222 |
||||||
|
logpath = /var/log/ejabberd/ejabberd.log |
||||||
|
|
||||||
|
|
||||||
|
[counter-strike] |
||||||
|
|
||||||
|
logpath = /opt/cstrike/logs/L[0-9]*.log |
||||||
|
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 |
||||||
|
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 |
||||||
|
action_ = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"] |
||||||
|
%(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"] |
||||||
|
|
||||||
|
[softethervpn] |
||||||
|
port = 500,4500 |
||||||
|
protocol = udp |
||||||
|
logpath = /usr/local/vpnserver/security_log/*/sec.log |
||||||
|
|
||||||
|
[gitlab] |
||||||
|
port = http,https |
||||||
|
logpath = /var/log/gitlab/gitlab-rails/application.log |
||||||
|
|
||||||
|
[grafana] |
||||||
|
port = http,https |
||||||
|
logpath = /var/log/grafana/grafana.log |
||||||
|
|
||||||
|
[bitwarden] |
||||||
|
port = http,https |
||||||
|
logpath = /home/*/bwdata/logs/identity/Identity/log.txt |
||||||
|
|
||||||
|
[centreon] |
||||||
|
port = http,https |
||||||
|
logpath = /var/log/centreon/login.log |
||||||
|
|
||||||
|
# consider low maxretry and a long bantime |
||||||
|
# nobody except your own Nagios server should ever probe nrpe |
||||||
|
[nagios] |
||||||
|
|
||||||
|
logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility |
||||||
|
backend = %(syslog_backend)s |
||||||
|
maxretry = 1 |
||||||
|
|
||||||
|
|
||||||
|
[oracleims] |
||||||
|
# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above |
||||||
|
logpath = /opt/sun/comms/messaging64/log/mail.log_current |
||||||
|
banaction = %(banaction_allports)s |
||||||
|
|
||||||
|
[directadmin] |
||||||
|
logpath = /var/log/directadmin/login.log |
||||||
|
port = 2222 |
||||||
|
|
||||||
|
[portsentry] |
||||||
|
logpath = /var/lib/portsentry/portsentry.history |
||||||
|
maxretry = 1 |
||||||
|
|
||||||
|
[pass2allow-ftp] |
||||||
|
# this pass2allow example allows FTP traffic after successful HTTP authentication |
||||||
|
port = ftp,ftp-data,ftps,ftps-data |
||||||
|
# knocking_url variable must be overridden to some secret value in jail.local |
||||||
|
knocking_url = /knocking/ |
||||||
|
filter = apache-pass[knocking_url="%(knocking_url)s"] |
||||||
|
# access log of the website with HTTP auth |
||||||
|
logpath = %(apache_access_log)s |
||||||
|
blocktype = RETURN |
||||||
|
returntype = DROP |
||||||
|
action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s, |
||||||
|
actionstart_on_demand=false, actionrepair_on_unban=true] |
||||||
|
bantime = 1h |
||||||
|
maxretry = 1 |
||||||
|
findtime = 1 |
||||||
|
|
||||||
|
|
||||||
|
[murmur] |
||||||
|
# AKA mumble-server |
||||||
|
port = 64738 |
||||||
|
action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] |
||||||
|
%(default/action_)s[name=%(__name__)s-udp, protocol="udp"] |
||||||
|
logpath = /var/log/mumble-server/mumble-server.log |
||||||
|
|
||||||
|
|
||||||
|
[screensharingd] |
||||||
|
# For Mac OS Screen Sharing Service (VNC) |
||||||
|
logpath = /var/log/system.log |
||||||
|
logencoding = utf-8 |
||||||
|
|
||||||
|
[haproxy-http-auth] |
||||||
|
# HAProxy by default doesn't log to file you'll need to set it up to forward |
||||||
|
# logs to a syslog server which would then write them to disk. |
||||||
|
# See "haproxy-http-auth" filter for a brief cautionary note when setting |
||||||
|
# maxretry and findtime. |
||||||
|
logpath = /var/log/haproxy.log |
||||||
|
|
||||||
|
[slapd] |
||||||
|
port = ldap,ldaps |
||||||
|
logpath = /var/log/slapd.log |
||||||
|
|
||||||
|
[domino-smtp] |
||||||
|
port = smtp,ssmtp |
||||||
|
logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log |
||||||
|
|
||||||
|
[phpmyadmin-syslog] |
||||||
|
port = http,https |
||||||
|
logpath = %(syslog_authpriv)s |
||||||
|
backend = %(syslog_backend)s |
||||||
|
|
||||||
|
|
||||||
|
[zoneminder] |
||||||
|
# Zoneminder HTTP/HTTPS web interface auth |
||||||
|
# Logs auth failures to apache2 error log |
||||||
|
port = http,https |
||||||
|
logpath = %(apache_error_log)s |
||||||
|
|
||||||
|
[traefik-auth] |
||||||
|
# to use 'traefik-auth' filter you have to configure your Traefik instance, |
||||||
|
# see `filter.d/traefik-auth.conf` for details and service example. |
||||||
|
port = http,https |
||||||
|
logpath = /var/log/traefik/access.log |
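--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (fail2ban jail.local section)
@@ -0,0 +1,84 @@
+[DEFAULT]
+
+ignoreip = 127.0.0.1/8 IP
+bantime = 3600
+findtime = 3600
+#mta = mail
+#destemail =
+#sendername = Fail2BanAlerts
+#action = %(action_mwl)s
+
+[nginx-http-auth]
+
+enabled = true
+filter = nginx-http-auth
+port = http,https
+logpath = /var/log/nginx/*error.log
+bantime = 259200
+
+#[nginx-badbots]
+
+#enabled = true
+#port = http,https
+#filter = nginx-badbots
+#logpath = /var/log/nginx/access.log
+#maxretry = 2
+
+[nginx-badbots]
+
+enabled = true
+port = http,https
+filter = nginx-badbots
+failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*" 437
+#ignoreregex =
+backend = auto
+logpath = /var/log/nginx/*access.log
+bantime = 259200
+maxretry= 1
+
+[nginx-nohome]
+
+enabled = true
+port = http,https
+filter = nginx-nohome
+logpath = /var/log/nginx/*access.log
+bantime = 259200
+maxretry = 2
+
+[nginx-noproxy]
+
+enabled = true
+port = http,https
+filter = nginx-noproxy
+logpath = /var/log/nginx/*access.log
+bantime = 259200
+maxretry = 2
+
+[nginx-req-limit]
+
+enabled = true
+filter = nginx-req-limit
+action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
+logpath = /var/log/nginx/*error.log
+findtime = 600
+bantime = 259200
+maxretry = 10
+
+[nginx-conn-limit]
+
+enabled = true
+filter = nginx-conn-limit
+action = iptables-multiport[name=ConnLimit, port="http,https", protocol=tcp]
+logpath = /var/log/nginx/*error.log
+findtime = 300
+bantime = 259200
+maxretry = 100
+
+[ssh]
+
+enabled = true
+port = SSH_PORT
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+bantime = -1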
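Review bot: `ignoreip = 127.0.0.1/8 IP` and `port = SSH_PORT` under `[ssh]` are literal placeholder tokens, and the playbook on this page installs this file with `copy:`, which performs no substitution, so the values reach fail2ban unchanged. As far as I recall fail2ban treats an unknown `ignoreip` entry as a hostname to resolve and an unknown `port` as a service name, so both most likely end up as logged errors rather than as the intended whitelist and port — and `[ssh]` is the jail with `bantime = -1` (permanent) and `maxretry = 3`, where a missing operator whitelist turns a few typed-wrong passwords into a lost management path. Render the file with `template:` and variables instead, e.g. `ignoreip = 127.0.0.1/8 {{ admin_ip }}` and `port = {{ ssh_port }}`, or substitute the values before the copy task runs. `maxretry= 1` in `[nginx-badbots]` is also missing the space the rest of the file uses around `=`.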
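--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (ansible inventory section)
@@ -0,0 +1,10 @@
+
+# New server
+[newserver]
+192.168.1.201
+
+# Variables that will be applied to server
+[newserver:vars]
+ansible_ssh_user=vagrant
+ansible_ssh_private_key_file=~/.vagrant.d/insecure_private_key
+ansible_ssh_common_args='-o StrictHostKeyChecking=no'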
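Review bot: `ansible_ssh_common_args='-o StrictHostKeyChecking=no'` disables host-key verification for `192.168.1.201`, and `ansible_ssh_private_key_file=~/.vagrant.d/insecure_private_key` authenticates with Vagrant's publicly distributed key; on a LAN address like this one, any machine answering there is accepted, and the play then ships the contents of `secrets.yaml` to it. Use `ansible_ssh_common_args='-o StrictHostKeyChecking=accept-new'` or pre-seed `known_hosts` with the server's key, and replace the shared Vagrant key with a dedicated one once the machine is provisioned. Note also that an inventory connection variable such as `ansible_ssh_user=vagrant` takes precedence over the play's `remote_user: admin` as far as I recall, so the play never logs in as the `admin` account it creates — fine for a first run, but worth a comment saying so. `ansible_ssh_user` is the legacy spelling; `ansible_user` is the current name.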
@ -0,0 +1,175 @@ |
|||||||
|
--- |
||||||
|
- hosts: newserver |
||||||
|
become: true |
||||||
|
remote_user: admin |
||||||
|
|
||||||
|
vars_files: |
||||||
|
- secrets.yaml |
||||||
|
|
||||||
|
tasks: |
||||||
|
######################################## CONFIG BASE ######################################## |
||||||
|
|
||||||
|
- name: Ensure group Docker exists |
||||||
|
group: |
||||||
|
name: docker |
||||||
|
state: present |
||||||
|
|
||||||
|
- name: Create user admin |
||||||
|
user: |
||||||
|
name: admin |
||||||
|
password: "{{ admin_password }}" |
||||||
|
groups: |
||||||
|
- docker |
||||||
|
- sudo |
||||||
|
state: present |
||||||
|
shell: /bin/bash |
||||||
|
system: no |
||||||
|
createhome: yes |
||||||
|
home: /home/admin |
||||||
|
|
||||||
|
- name: Create workspace folder |
||||||
|
file: |
||||||
|
path: "{{ item }}" |
||||||
|
state: directory |
||||||
|
owner: admin |
||||||
|
group: admin |
||||||
|
mode: 0751 |
||||||
|
with_items: |
||||||
|
- /workspace/jellyfin/ |
||||||
|
- /workspace/syncthing/ |
||||||
|
|
||||||
|
|
||||||
|
################# GIT ################# |
||||||
|
|
||||||
|
- name: Git install |
||||||
|
apt: |
||||||
|
pkg: git |
||||||
|
state: present |
||||||
|
update_cache: yes |
||||||
|
|
||||||
|
################# NGINX ################# |
||||||
|
|
||||||
|
- name: Ensure nginx is at the latest version |
||||||
|
apt: name=nginx state=latest |
||||||
|
- name: start nginx |
||||||
|
service: |
||||||
|
name: nginx |
||||||
|
state: started |
||||||
|
|
||||||
|
################# DOCKER ################# |
||||||
|
|
||||||
|
- name: Apt update |
||||||
|
apt: |
||||||
|
name: aptitude |
||||||
|
state: latest |
||||||
|
update_cache: true |
||||||
|
|
||||||
|
- name: Install required system packages for Docker |
||||||
|
apt: |
||||||
|
pkg: |
||||||
|
- apt-transport-https |
||||||
|
- ca-certificates |
||||||
|
- curl |
||||||
|
- software-properties-common |
||||||
|
- python3-pip |
||||||
|
- virtualenv |
||||||
|
- python3-setuptools |
||||||
|
state: latest |
||||||
|
update_cache: true |
||||||
|
|
||||||
|
- name: Add Docker GPG apt Key |
||||||
|
apt_key: |
||||||
|
url: https://download.docker.com/linux/ubuntu/gpg |
||||||
|
state: present |
||||||
|
|
||||||
|
- name: Add Docker Repository |
||||||
|
apt_repository: |
||||||
|
repo: deb https://download.docker.com/linux/ubuntu focal stable |
||||||
|
state: present |
||||||
|
|
||||||
|
- name: Install Docker-ce |
||||||
|
apt: |
||||||
|
name: docker-ce |
||||||
|
state: latest |
||||||
|
update_cache: true |
||||||
|
|
||||||
|
- name: Install Docker Module for Python |
||||||
|
pip: |
||||||
|
name: docker |
||||||
|
|
||||||
|
################# DOCKER COMPOSE ################# |
||||||
|
|
||||||
|
- name: Install Docker-compose |
||||||
|
remote_user: admin |
||||||
|
get_url: |
||||||
|
url : https://github.com/docker/compose/releases/download/1.29.2/docker-compose-Linux-x86_64 |
||||||
|
dest: /usr/local/bin/docker-compose |
||||||
|
mode: 'u+x,g+x' |
||||||
|
|
||||||
|
- name: Change Docker-compose folder file permission |
||||||
|
file: |
||||||
|
path: /usr/local/bin/docker-compose |
||||||
|
owner: admin |
||||||
|
group: admin |
||||||
|
|
||||||
|
################# CERTBOT ################# |
||||||
|
|
||||||
|
- name: Install Certbot |
||||||
|
apt: |
||||||
|
pkg: python3-certbot-nginx |
||||||
|
state: latest |
||||||
|
|
||||||
|
################# FAIL2BAN ################# |
||||||
|
|
||||||
|
- name: Install apt fail2ban packages |
||||||
|
apt: |
||||||
|
name: fail2ban |
||||||
|
state: latest |
||||||
|
update_cache: yes |
||||||
|
cache_valid_time: 3600 |
||||||
|
|
||||||
|
|
||||||
|
- name: Override the basic Fail2ban configuration |
||||||
|
copy: |
||||||
|
src: "{{ item.src }}" |
||||||
|
dest: "{{ item.dest }}" |
||||||
|
owner: root |
||||||
|
group: root |
||||||
|
mode: 0644 |
||||||
|
with_items: |
||||||
|
- { src: ./fail2ban-conf/jail.local, dest: /etc/fail2ban } |
||||||
|
- { src: ./fail2ban-conf/jail.conf, dest: /etc/fail2ban } |
||||||
|
- { src: ./fail2ban-conf/filter.d, dest: /etc/fail2ban } |
||||||
|
|
||||||
|
- name: Restart Fail2ban service |
||||||
|
service: |
||||||
|
name: fail2ban |
||||||
|
state: restarted |
||||||
|
|
||||||
|
|
||||||
|
######################################## INSTALL STACK ######################################## |
||||||
|
|
||||||
|
# - name: Copy Nginx configs |
||||||
|
|
||||||
|
|
||||||
|
# - name: Copy volumes of /data/ |
||||||
|
|
||||||
|
|
||||||
|
- name: Git pull stack |
||||||
|
become: yes |
||||||
|
git: |
||||||
|
repo: "{{ item.src }}" |
||||||
|
dest: "{{ item.dest }}" |
||||||
|
with_items: |
||||||
|
- { src: 'https://git.gregandev.fr/gregandev/jellyfin.git', dest: '/workspace/jellyfin/' } |
||||||
|
- { src: 'https://git.gregandev.fr/gregandev/syncthing.git', dest: '/workspace/syncthing' } |
||||||
|
|
||||||
|
# ERROR PULLING IMAGES ... |
||||||
|
- name: Run container |
||||||
|
become: True |
||||||
|
shell: |
||||||
|
cmd: "docker-compose -f docker-compose.yml up -d" |
||||||
|
chdir: "{{ item }}" |
||||||
|
with_items: |
||||||
|
- /workspace/jellyfin |
||||||
|
- /workspace/syncthing |
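Review bot: The `Install Docker-compose` task downloads a binary from a release URL with no `checksum:`, and the next task (`Change Docker-compose folder file permission`) then hands `/usr/local/bin/docker-compose` to `owner: admin`, so a binary that `Run container` later executes with `become: True` is unverified at download time and writable by a non-root account afterwards. `get_url` accepts `checksum: sha256:<digest>`, and the binary should stay root-owned with `mode: '0755'`, which also makes the separate ownership task unnecessary; the rewrite is below. The same trust-scoping concern applies to `Add Docker GPG apt Key`: an `apt_key` without `keyring:` trusts that key for every apt source, so prefer a dedicated keyring plus `signed-by=` in the `apt_repository` line. The key and repository lines also pin Ubuntu `focal`, which is only correct if the host at `192.168.1.201` really runs Ubuntu 20.04 — worth confirming. Both tasks are inside the `tasks:` list that runs to the end of this section.
```yaml
    - name: Install Docker-compose
      get_url:
        url: https://github.com/docker/compose/releases/download/1.29.2/docker-compose-Linux-x86_64
        dest: /usr/local/bin/docker-compose
        # placeholder: take the digest from the release's published checksum file, not from this note
        checksum: "sha256:<DOCKER_COMPOSE_SHA256>"
        owner: root
        group: root
        mode: '0755'
    # … the 'Change Docker-compose folder file permission' task is dropped: the binary stays root-owned …
```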
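--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE (secrets.yaml section)
@@ -0,0 +1,6 @@
+# password encoded with MKpaswwords for Ansible (mdp admin)
+admin_password: $6$zs1lCREIwXN8GY5m$h3RdrV8xXSvTl5qjrMWNGyoh97XtM92cP1twdakOy//QSIueMeqyeEs30MNbYRu9FpD28vMwYPE/SqDuRuml50
+destination: /workspace/
+new-server-ssh-key:
+gitlab-user:
+gitlab-token: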
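Review bot: This vars file is committed in the clear: `admin_password` is a crypt(3) SHA-512 hash that stays offline-crackable for as long as it sits in git history, and the empty `new-server-ssh-key`, `gitlab-user` and `gitlab-token` fields will presumably be filled with live credentials in a later commit. Encrypt it with `ansible-vault encrypt secrets.yaml` — the playbook's `vars_files:` reference keeps working with `--ask-vault-pass` or `--vault-password-file` — and rotate anything that has already been pushed. Separately, the hyphenated keys cannot be used as Ansible variables (`{{ gitlab-token }}` is parsed as a subtraction, and Ansible's variable names must be valid identifiers), so rename them to `new_server_ssh_key`, `gitlab_user`, `gitlab_token`. `destination: /workspace/` is defined here but not referenced by the playbook on this page; if it is unused, drop it or note where it is consumed.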