maybe chmod 0644 'colordiffrc-gitdiff'
maybe chmod 0644 'colordiffrc-lightbg'
maybe chmod 0755 'conf.d'
+maybe chmod 0644 'conf.d/._cfg0000_fail2ban'
maybe chmod 0644 'conf.d/acpid'
maybe chmod 0644 'conf.d/apache2'
maybe chmod 0644 'conf.d/atd'
maybe chmod 0755 'etckeeper/vcs.d'
maybe chmod 0755 'etckeeper/vcs.d/50vcs-cmd'
maybe chmod 0755 'fail2ban'
+maybe chmod 0644 'fail2ban/._cfg0000_jail.conf'
+maybe chmod 0644 'fail2ban/._cfg0000_paths-debian.conf'
maybe chmod 0755 'fail2ban/action.d'
maybe chmod 0644 'fail2ban/action.d/apf.conf'
maybe chmod 0644 'fail2ban/action.d/badips.conf'
maybe chmod 0644 'fail2ban/action.d/iptables-xt_recent-echo.conf'
maybe chmod 0644 'fail2ban/action.d/iptables.conf'
maybe chmod 0644 'fail2ban/action.d/mail-buffered.conf'
+maybe chmod 0644 'fail2ban/action.d/mail-whois-common.conf'
maybe chmod 0644 'fail2ban/action.d/mail-whois-lines.conf'
maybe chmod 0644 'fail2ban/action.d/mail-whois.conf'
maybe chmod 0644 'fail2ban/action.d/mail.conf'
maybe chmod 0644 'fail2ban/action.d/sendmail-whois-matches.conf'
maybe chmod 0644 'fail2ban/action.d/sendmail-whois.conf'
maybe chmod 0644 'fail2ban/action.d/sendmail.conf'
+maybe chmod 0644 'fail2ban/action.d/shorewall-ipset-proto6.conf'
maybe chmod 0644 'fail2ban/action.d/shorewall.conf'
maybe chmod 0644 'fail2ban/action.d/smtp.py'
maybe chmod 0644 'fail2ban/action.d/symbiosis-blacklist-allports.conf'
maybe chmod 0644 'fail2ban/filter.d/apache-nohome.conf'
maybe chmod 0644 'fail2ban/filter.d/apache-noscript.conf'
maybe chmod 0644 'fail2ban/filter.d/apache-overflows.conf'
+maybe chmod 0644 'fail2ban/filter.d/apache-pass.conf'
maybe chmod 0644 'fail2ban/filter.d/apache-shellshock.conf'
maybe chmod 0644 'fail2ban/filter.d/assp.conf'
maybe chmod 0644 'fail2ban/filter.d/asterisk.conf'
maybe chmod 0644 'fail2ban/filter.d/exim-spam.conf'
maybe chmod 0644 'fail2ban/filter.d/exim.conf'
maybe chmod 0644 'fail2ban/filter.d/freeswitch.conf'
+maybe chmod 0644 'fail2ban/filter.d/froxlor-auth.conf'
maybe chmod 0644 'fail2ban/filter.d/groupoffice.conf'
maybe chmod 0644 'fail2ban/filter.d/gssftpd.conf'
maybe chmod 0644 'fail2ban/filter.d/guacamole.conf'
maybe chmod 0644 'logrotate.conf'
maybe chmod 0644 'logrotate.conf.orig'
maybe chmod 0755 'logrotate.d'
+maybe chmod 0644 'logrotate.d/._cfg0000_fail2ban'
maybe chmod 0644 'logrotate.d/.keep_app-admin_logrotate-0'
maybe chmod 0644 'logrotate.d/apache2'
maybe chmod 0644 'logrotate.d/clamav'
--- /dev/null
+# Config file for /etc/init.d/fail2ban
+#
+# For information on options, see "/usr/bin/fail2ban-client -h".
+
+FAIL2BAN_OPTIONS=""
+
+# Force execution of the server even if the socket already exists:
+#FAIL2BAN_OPTIONS="-x"
--- /dev/null
+#
+# WARNING: heavily refactored in 0.9.0 release. Please review and
+# customize settings for your setup.
+#
+# Changes: in most of the cases you should not modify this
+# file, but provide customizations in jail.local file,
+# or separate .conf files under jail.d/ directory, e.g.:
+#
+# HOW TO ACTIVATE JAILS:
+#
+# YOU SHOULD NOT MODIFY THIS FILE.
+#
+# It will probably be overwritten or improved in a distribution update.
+#
+# Provide customizations in a jail.local file or a jail.d/customisation.local.
+# For example to change the default bantime for all jails and to enable the
+# ssh-iptables jail the following (uncommented) would appear in the .local file.
+# See man 5 jail.conf for details.
+#
+# [DEFAULT]
+# bantime = 3600
+#
+# [sshd]
+# enabled = true
+#
+# See jail.conf(5) man page for more information
+
+
+
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+
+
+[INCLUDES]
+
+#before = paths-distro.conf
+before = paths-debian.conf
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+#
+# MISCELLANEOUS OPTIONS
+#
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
+# ban a host which matches an address in this list. Several addresses can be
+# defined using space separator.
+ignoreip = 127.0.0.1/8
+
+# External command that will take an tagged arguments to ignore, e.g. <ip>,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command <ip>
+ignorecommand =
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = 600
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = 600
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5
+
+# "backend" specifies the backend used to get files modification.
+# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
+# This option can be overridden in each jail as well.
+#
+# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
+# If pyinotify is not installed, Fail2ban will use auto.
+# gamin: requires Gamin (a file alteration monitor) to be installed.
+# If Gamin is not installed, Fail2ban will use auto.
+# polling: uses a polling algorithm which does not require external libraries.
+# systemd: uses systemd python library to access the systemd journal.
+# Specifying "logpath" is not valid for this backend.
+# See "journalmatch" in the jails associated filter config
+# auto: will try to use the following backends, in order:
+# pyinotify, gamin, polling.
+#
+# Note: if systemd backend is choses as the default but you enable a jail
+# for which logs are present only in its own log files, specify some other
+# backend for that jail (e.g. polling) and provide empty value for
+# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
+backend = auto
+
+# "usedns" specifies if jails should trust hostnames in logs,
+# warn when DNS lookups are performed, or ignore all hostnames in logs
+#
+# yes: if a hostname is encountered, a DNS lookup will be performed.
+# warn: if a hostname is encountered, a DNS lookup will be performed,
+# but it will be logged as a warning.
+# no: if a hostname is encountered, will not be used for banning,
+# but it will be logged as info.
+usedns = warn
+
+# "logencoding" specifies the encoding of the log files handled by the jail
+# This is used to decode the lines from the log file.
+# Typical examples: "ascii", "utf-8"
+#
+# auto: will use the system locale setting
+logencoding = auto
+
+# "enabled" enables the jails.
+# By default all jails are disabled, and it should stay this way.
+# Enable only relevant to your setup jails in your .local or jail.d/*.conf
+#
+# true: jail will be enabled and log files will get monitored for changes
+# false: jail is not enabled
+enabled = false
+
+
+# "filter" defines the filter to use by the jail.
+# By default jails have names matching their filter name
+#
+filter = %(__name__)s
+
+
+#
+# ACTIONS
+#
+
+# Some options used for actions
+
+# Destination email address used solely for the interpolations in
+# jail.{conf,local,d/*} configuration files.
+destemail = root@localhost
+
+# Sender email address used solely for some actions
+sender = root@localhost
+
+# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
+# mailing. Change mta configuration parameter to mail if you want to
+# revert to conventional 'mail'.
+mta = sendmail
+
+# Default protocol
+protocol = tcp
+
+# Specify chain where jumps would need to be added in iptables-* actions
+chain = INPUT
+
+# Ports to be banned
+# Usually should be overridden in a particular jail
+port = 0:65535
+
+#
+# Action shortcuts. To be used to define action parameter
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overridden globally or per
+# section within jail.local file
+banaction = iptables-multiport
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+
+# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
+#
+# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
+# to the destemail.
+action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+ xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
+
+# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
+ %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
+
+# Report block via blocklist.de fail2ban reporting service API
+#
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to
+# use this action. Create a file jail.d/blocklist_de.local containing
+# [Init]
+# blocklist_de_apikey = {api key from registration]
+#
+action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
+
+# Report ban via badips.com, and use as blacklist
+#
+# See BadIPsAction docstring in config/action.d/badips.py for
+# documentation for this action.
+#
+# NOTE: This action relies on banaction being present on start and therefore
+# should be last action defined for a jail.
+#
+action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
+
+# Choose default action. To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(action_)s
+
+
+#
+# JAILS
+#
+
+#
+# SSH servers
+#
+
+[sshd]
+
+port = ssh
+logpath = %(sshd_log)s
+
+
+[sshd-ddos]
+# This jail corresponds to the standard configuration in Fail2ban.
+# The mail-whois action send a notification e-mail with a whois request
+# in the body.
+port = ssh
+logpath = %(sshd_log)s
+
+
+[dropbear]
+
+port = ssh
+logpath = %(dropbear_log)s
+
+
+[selinux-ssh]
+
+port = ssh
+logpath = %(auditd_log)s
+maxretry = 5
+
+
+#
+# HTTP servers
+#
+
+[apache-auth]
+
+port = http,https
+logpath = %(apache_error_log)s
+
+
+[apache-badbots]
+# Ban hosts which agent identifies spammer robots crawling the web
+# for email addresses. The mail outputs are buffered.
+port = http,https
+logpath = %(apache_access_log)s
+bantime = 172800
+maxretry = 1
+
+
+[apache-noscript]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 6
+
+
+[apache-overflows]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-nohome]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-botsearch]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 2
+
+
+[apache-fakegooglebot]
+
+port = http,https
+logpath = %(apache_access_log)s
+maxretry = 1
+ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
+
+
+[apache-modsecurity]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 2
+
+[apache-shellshock]
+
+port = http,https
+logpath = %(apache_error_log)s
+maxretry = 1
+
+[nginx-http-auth]
+
+port = http,https
+logpath = %(nginx_error_log)s
+
+[nginx-botsearch]
+
+port = http,https
+logpath = %(nginx_error_log)s
+maxretry = 2
+
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+
+[php-url-fopen]
+
+port = http,https
+logpath = %(nginx_access_log)s
+ %(apache_access_log)s
+
+
+[suhosin]
+
+port = http,https
+logpath = %(suhosin_log)s
+
+
+[lighttpd-auth]
+# Same as above for Apache's mod_auth
+# It catches wrong authentifications
+port = http,https
+logpath = %(lighttpd_error_log)s
+
+
+#
+# Webmail and groupware servers
+#
+
+[roundcube-auth]
+
+port = http,https
+logpath = logpath = %(roundcube_errors_log)s
+
+
+[openwebmail]
+
+port = http,https
+logpath = /var/log/openwebmail.log
+
+
+[horde]
+
+port = http,https
+logpath = /var/log/horde/horde.log
+
+
+[groupoffice]
+
+port = http,https
+logpath = /home/groupoffice/log/info.log
+
+
+[sogo-auth]
+# Monitor SOGo groupware server
+# without proxy this would be:
+# port = 20000
+port = http,https
+logpath = /var/log/sogo/sogo.log
+
+
+[tine20]
+
+logpath = /var/log/tine20/tine20.log
+port = http,https
+maxretry = 5
+
+
+#
+# Web Applications
+#
+#
+
+[drupal-auth]
+
+port = http,https
+logpath = %(syslog_daemon)s
+
+[guacamole]
+
+port = http,https
+logpath = /var/log/tomcat*/catalina.out
+
+[monit]
+#Ban clients brute-forcing the monit gui login
+filter = monit
+port = 2812
+logpath = /var/log/monit
+
+
+[webmin-auth]
+
+port = 10000
+logpath = %(syslog_authpriv)s
+
+
+[froxlor-auth]
+
+port = http,https
+logpath = %(syslog_authpriv)s
+
+
+#
+# HTTP Proxy servers
+#
+#
+
+[squid]
+
+port = 80,443,3128,8080
+logpath = /var/log/squid/access.log
+
+
+[3proxy]
+
+port = 3128
+logpath = /var/log/3proxy.log
+
+
+#
+# FTP servers
+#
+
+
+[proftpd]
+
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(proftpd_log)s
+
+
+[pure-ftpd]
+
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(pureftpd_log)s
+maxretry = 6
+
+
+[gssftpd]
+
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(syslog_daemon)s
+maxretry = 6
+
+
+[wuftpd]
+
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(wuftpd_log)s
+maxretry = 6
+
+
+[vsftpd]
+# or overwrite it in jails.local to be
+# logpath = %(syslog_authpriv)s
+# if you want to rely on PAM failed login attempts
+# vsftpd's failregex should match both of those formats
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(vsftpd_log)s
+
+
+#
+# Mail servers
+#
+
+# ASSP SMTP Proxy Jail
+[assp]
+
+port = smtp,465,submission
+logpath = /root/path/to/assp/logs/maillog.txt
+
+
+[courier-smtp]
+
+port = smtp,465,submission
+logpath = %(syslog_mail)s
+
+
+[postfix]
+
+port = smtp,465,submission
+logpath = %(postfix_log)s
+
+
+[postfix-rbl]
+
+port = smtp,465,submission
+logpath = %(syslog_mail)s
+maxretry = 1
+
+
+[sendmail-auth]
+
+port = submission,465,smtp
+logpath = %(syslog_mail)s
+
+
+[sendmail-reject]
+
+port = smtp,465,submission
+logpath = %(syslog_mail)s
+
+
+[qmail-rbl]
+
+filter = qmail
+port = smtp,465,submission
+logpath = /service/qmail/log/main/current
+
+
+# dovecot defaults to logging to the mail syslog facility
+# but can be set by syslog_facility in the dovecot configuration.
+[dovecot]
+
+port = pop3,pop3s,imap,imaps,submission,465,sieve
+logpath = %(dovecot_log)s
+
+
+[sieve]
+
+port = smtp,465,submission
+logpath = %(dovecot_log)s
+
+
+[solid-pop3d]
+
+port = pop3,pop3s
+logpath = %(solidpop3d_log)s
+
+
+[exim]
+
+port = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[exim-spam]
+
+port = smtp,465,submission
+logpath = %(exim_main_log)s
+
+
+[kerio]
+
+port = imap,smtp,imaps,465
+logpath = /opt/kerio/mailserver/store/logs/security.log
+
+
+#
+# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
+# all relevant ports get banned
+#
+
+[courier-auth]
+
+port = smtp,465,submission,imap3,imaps,pop3,pop3s
+logpath = %(syslog_mail)s
+
+
+[postfix-sasl]
+
+port = smtp,465,submission,imap3,imaps,pop3,pop3s
+# You might consider monitoring /var/log/mail.warn instead if you are
+# running postfix since it would provide the same log lines at the
+# "warn" level but overall at the smaller filesize.
+logpath = %(postfix_log)s
+
+
+[perdition]
+
+port = imap3,imaps,pop3,pop3s
+logpath = %(syslog_mail)s
+
+
+[squirrelmail]
+
+port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
+logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
+
+
+[cyrus-imap]
+
+port = imap3,imaps
+logpath = %(syslog_mail)s
+
+
+[uwimap-auth]
+
+port = imap3,imaps
+logpath = %(syslog_mail)s
+
+
+#
+#
+# DNS servers
+#
+
+
+# !!! WARNING !!!
+# Since UDP is connection-less protocol, spoofing of IP and imitation
+# of illegal actions is way too simple. Thus enabling of this filter
+# might provide an easy way for implementing a DoS against a chosen
+# victim. See
+# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
+# Please DO NOT USE this jail unless you know what you are doing.
+#
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks UDP traffic for DNS requests.
+# [named-refused-udp]
+#
+# filter = named-refused
+# port = domain,953
+# protocol = udp
+# logpath = /var/log/named/security.log
+
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks TCP traffic for DNS requests.
+
+[named-refused]
+
+port = domain,953
+logpath = /var/log/named/security.log
+
+
+[nsd]
+
+port = 53
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+logpath = /var/log/nsd.log
+
+
+#
+# Miscellaneous
+#
+
+[asterisk]
+
+port = 5060,5061
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+ %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
+logpath = /var/log/asterisk/messages
+maxretry = 10
+
+
+[freeswitch]
+
+port = 5060,5061
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+ %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
+logpath = /var/log/freeswitch.log
+maxretry = 10
+
+
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
+# equivalent section:
+# log-warning = 2
+#
+# for syslog (daemon facility)
+# [mysqld_safe]
+# syslog
+#
+# for own logfile
+# [mysqld]
+# log-error=/var/log/mysqld.log
+[mysqld-auth]
+
+port = 3306
+logpath = %(mysql_log)s
+maxretry = 5
+
+
+# Jail for more extended banning of persistent abusers
+# !!! WARNINGS !!!
+# 1. Make sure that your loglevel specified in fail2ban.conf/.local
+# is not at DEBUG level -- which might then cause fail2ban to fall into
+# an infinite loop constantly feeding itself with non-informative lines
+# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
+# to maintain entries for failed logins for sufficient amount of time
+[recidive]
+
+logpath = /var/log/fail2ban.log
+banaction = iptables-allports
+bantime = 604800 ; 1 week
+findtime = 86400 ; 1 day
+maxretry = 5
+
+
+# Generic filter for PAM. Has to be used with action which bans all
+# ports such as iptables-allports, shorewall
+
+[pam-generic]
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+banaction = iptables-allports
+logpath = %(syslog_authpriv)s
+
+
+[xinetd-fail]
+
+banaction = iptables-multiport-log
+logpath = %(syslog_daemon)s
+maxretry = 2
+
+
+# stunnel - need to set port for this
+[stunnel]
+
+logpath = /var/log/stunnel4/stunnel.log
+
+
+[ejabberd-auth]
+
+port = 5222
+logpath = /var/log/ejabberd/ejabberd.log
+
+
+[counter-strike]
+
+logpath = /opt/cstrike/logs/L[0-9]*.log
+# Firewall: http://www.cstrike-planet.com/faq/6
+tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
+udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+
+# consider low maxretry and a long bantime
+# nobody except your own Nagios server should ever probe nrpe
+[nagios]
+
+enabled = false
+logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
+maxretry = 1
+
+
+[oracleims]
+# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
+enabled = false
+logpath = /opt/sun/comms/messaging64/log/mail.log_current
+maxretry = 6
+banaction = iptables-allports
+
+[directadmin]
+enabled = false
+logpath = /var/log/directadmin/login.log
+port = 2222
+
+[portsentry]
+enabled = false
+logpath = /var/lib/portsentry/portsentry.history
+maxretry = 1
+
+[pass2allow-ftp]
+# this pass2allow example allows FTP traffic after successful HTTP authentication
+port = ftp,ftp-data,ftps,ftps-data
+# knocking_url variable must be overridden to some secret value in filter.d/apache-pass.local
+filter = apache-pass
+# access log of the website with HTTP auth
+logpath = %(apache_access_log)s
+blocktype = RETURN
+returntype = DROP
+bantime = 3600
+maxretry = 1
+findtime = 1
--- /dev/null
+# Debian
+
+[INCLUDES]
+
+before = paths-common.conf
+
+after = paths-overrides.local
+
+
+[DEFAULT]
+
+syslog_mail = /var/log/mail.log
+
+syslog_mail_warn = /var/log/mail.warn
+
+syslog_authpriv = /var/log/auth.log
+
+# syslog_auth = /var/log/auth.log
+#
+syslog_user = /var/log/user.log
+
+syslog_ftp = /var/log/syslog
+
+syslog_daemon = /var/log/daemon.log
+
+syslog_local0 = /var/log/messages
+
+
+apache_error_log = /var/log/apache2/*error.log
+
+apache_access_log = /var/log/apache2/*access.log
+
+exim_main_log = /var/log/exim4/mainlog
+
+# was in debian squeezy but not in wheezy
+# /etc/proftpd/proftpd.conf (SystemLog)
+proftpd_log = /var/log/proftpd/proftpd.log
from fail2ban.server.actions import ActionBase
from fail2ban.version import version as f2bVersion
+
class BadIPsAction(ActionBase):
"""Fail2Ban action which reports bans to badips.com, and also
blacklist bad IPs listed on badips.com by using another action's
#
# Author: Mike Rushton
#
-# Referenced from from http://www.normyee.net/blog/2012/02/02/adding-cloudflare-support-to-fail2ban by NORM YEE
+# IMPORTANT
#
-# To get your Cloudflare API key: https://www.cloudflare.com/my-account
+# Please set jail.local's permission to 640 because it contains your CF API key.
#
+# This action depends on curl.
+# Referenced from http://www.normyee.net/blog/2012/02/02/adding-cloudflare-support-to-fail2ban by NORM YEE
+#
+# To get your CloudFlare API Key: https://www.cloudflare.com/a/account/my-account
[Definition]
# <time> unix timestamp of the ban time
# Values: CMD
#
-actionban = curl https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
+actionban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
+
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# <time> unix timestamp of the ban time
# Values: CMD
#
-actionunban = curl https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
-
+actionunban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
[Init]
-# Default Cloudflare API token
-cftoken =
+# If you like to use this action with mailing whois lines, you could use the composite action
+# action_cf_mwl predefined in jail.conf, just define in your jail:
+#
+# action = %(action_cf_mwl)s
+# # Your CF account e-mail
+# cfemail =
+# # Your CF API Key
+# cfapikey =
+
+cftoken =
-# Default Cloudflare username
-cfuser =
+cfuser =
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
-actionstart = iptables -N f2b-<name>
- iptables -A f2b-<name> -j RETURN
-
iptables -I <chain> -p <protocol> -j f2b-<name>
+actionstart = <iptables> -N f2b-<name>
+ <iptables> -A f2b-<name> -j <returntype>
+
<iptables> -I <chain> -p <protocol> -j f2b-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop =
iptables -D <chain> -p <protocol> -j f2b-<name>
- iptables -F f2b-<name>
- iptables -X f2b-<name>
+actionstop =
<iptables> -D <chain> -p <protocol> -j f2b-<name>
+ <iptables> -F f2b-<name>
+ <iptables> -X f2b-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype>
+actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
+actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
[Init]
# REJECT, REJECT --reject-with icmp-port-unreachable
# Values: STRING
blocktype = REJECT --reject-with icmp-port-unreachable
+
+# Option: returntype
+# Note: This is the default rule on "actionstart". This should be RETURN
+# in all (blocking) actions, except REJECT in allowing actions.
+# Values: STRING
+returntype = RETURN
+
+# Option: lockingopt
+# Notes.: Option was introduced to iptables to prevent multiple instances from
+# running concurrently and causing irratic behavior. -w was introduced
+# in iptables 1.4.20, so might be absent on older systems
+# See https://github.com/fail2ban/fail2ban/issues/1122
+# Values: STRING
+lockingopt = -w
+
+# Option: iptables
+# Notes.: Actual command to be executed, including common to all calls options
+# Values: STRING
+iptables = iptables <lockingopt>
# Values: CMD
#
actionstart = ipset --create f2b-<name> iphash
-
iptables -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+
<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop =
iptables -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+actionstop =
<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
ipset --flush f2b-<name>
ipset --destroy f2b-<name>
# Values: CMD
#
actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
- iptables -I <chain> -m set --match-set f2b-<name> src -j <blocktype>
+ <iptables> -I <chain> -m set --match-set f2b-<name> src -j <blocktype>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop = iptables -D <chain> -m set --match-set f2b-<name> src -j <blocktype>
+actionstop = <iptables> -D <chain> -m set --match-set f2b-<name> src -j <blocktype>
ipset flush f2b-<name>
ipset destroy f2b-<name>
# Values: CMD
#
actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
-
iptables -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+
<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop =
iptables -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
+actionstop =
<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
ipset flush f2b-<name>
ipset destroy f2b-<name>
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
-actionstart = iptables -N f2b-<name>
- iptables -A f2b-<name> -j RETURN
-
iptables -I <chain> 1 -p <protocol> -m multiport --dports <port> -j f2b-<name>
- iptables -N f2b-<name>-log
- iptables -I f2b-<name>-log -j LOG --log-prefix "$(expr f2b-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
- iptables -A f2b-<name>-log -j <blocktype>
+actionstart = <iptables> -N f2b-<name>
+ <iptables> -A f2b-<name> -j <returntype>
+
<iptables> -I <chain> 1 -p <protocol> -m multiport --dports <port> -j f2b-<name>
+ <iptables> -N f2b-<name>-log
+ <iptables> -I f2b-<name>-log -j LOG --log-prefix "$(expr f2b-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
+ <iptables> -A f2b-<name>-log -j <blocktype>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop =
iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
- iptables -F f2b-<name>
- iptables -F f2b-<name>-log
- iptables -X f2b-<name>
- iptables -X f2b-<name>-log
+actionstop =
<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
+ <iptables> -F f2b-<name>
+ <iptables> -F f2b-<name>-log
+ <iptables> -X f2b-<name>
+ <iptables> -X f2b-<name>-log
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = iptables -n -L f2b-<name>-log >/dev/null
+actioncheck = <iptables> -n -L f2b-<name>-log >/dev/null
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionban = iptables -I f2b-<name> 1 -s <ip> -j f2b-<name>-log
+actionban = <iptables> -I f2b-<name> 1 -s <ip> -j f2b-<name>-log
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionunban = iptables -D f2b-<name> -s <ip> -j f2b-<name>-log
+actionunban = <iptables> -D f2b-<name> -s <ip> -j f2b-<name>-log
[Init]
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
-actionstart = iptables -N f2b-<name>
- iptables -A f2b-<name> -j RETURN
-
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
+actionstart = <iptables> -N f2b-<name>
+ <iptables> -A f2b-<name> -j <returntype>
+
<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop =
iptables -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
- iptables -F f2b-<name>
- iptables -X f2b-<name>
+actionstop =
<iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
+ <iptables> -F f2b-<name>
+ <iptables> -X f2b-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype>
+actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
+actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
[Init]
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
-actionstart = iptables -N f2b-<name>
- iptables -A f2b-<name> -j RETURN
-
iptables -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
+actionstart = <iptables> -N f2b-<name>
+ <iptables> -A f2b-<name> -j <returntype>
+
<iptables> -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop =
iptables -D <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
- iptables -F f2b-<name>
- iptables -X f2b-<name>
+actionstop =
<iptables> -D <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
+ <iptables> -F f2b-<name>
+ <iptables> -X f2b-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype>
+actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
+actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
[Init]
# own rules. The 3600 second timeout is independent and acts as a
# safeguard in case the fail2ban process dies unexpectedly. The
# shorter of the two timeouts actually matters.
-actionstart = if [ `id -u` -eq 0 ];then iptables -I <chain> -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi
+actionstart = if [ `id -u` -eq 0 ];then <iptables> -I <chain> -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = echo / > /proc/net/xt_recent/f2b-<name>
- if [ `id -u` -eq 0 ];then iptables -D <chain> -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi
+ if [ `id -u` -eq 0 ];then <iptables> -D <chain> -m recent --update --seconds 3600 --name f2b-<name> -j <blocktype>;fi
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
-actionstart = iptables -N f2b-<name>
- iptables -A f2b-<name> -j RETURN
-
iptables -I <chain> -p <protocol> --dport <port> -j f2b-<name>
+actionstart = <iptables> -N f2b-<name>
+ <iptables> -A f2b-<name> -j <returntype>
+
<iptables> -I <chain> -p <protocol> --dport <port> -j f2b-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
-actionstop =
iptables -D <chain> -p <protocol> --dport <port> -j f2b-<name>
- iptables -F f2b-<name>
- iptables -X f2b-<name>
+actionstop =
<iptables> -D <chain> -p <protocol> --dport <port> -j f2b-<name>
+ <iptables> -F f2b-<name>
+ <iptables> -X f2b-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = iptables -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionban = iptables -I f2b-<name> 1 -s <ip> -j <blocktype>
+actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionunban = iptables -D f2b-<name> -s <ip> -j <blocktype>
+actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
[Init]
--- /dev/null
+# Fail2Ban configuration file
+#
+# Common settings for mail actions
+#
+# Users can override the defaults in mail-whois-common.local
+
+[INCLUDES]
+
+# Load customizations if any available
+after = mail-whois-common.local
+
+[DEFAULT]
+#original character set of whois output will be sent to mail program
+_whois = whois <ip> || echo "missing whois program"
+
+# use heuristics to convert charset of whois output to a target
+# character set before sending it to a mail program
+# make sure you have 'file' and 'iconv' commands installed when opting for that
+_whois_target_charset = UTF-8
+_whois_convert_charset = whois <ip> |
+ { WHOIS_OUTPUT=$(cat) ; WHOIS_CHARSET=$(printf %%b "$WHOIS_OUTPUT" | file -b --mime-encoding -) ; printf %%b "$WHOIS_OUTPUT" | iconv -f $WHOIS_CHARSET -t %(_whois_target_charset)s//TRANSLIT - ; }
+
+# choose between _whois and _whois_convert_charset in mail-whois-common.local
+# or other *.local which include mail-whois-common.conf.
+_whois_command = %(_whois)s
+#_whois_command = %(_whois_convert_charset)s
+
+[Init]
# Modified-By: Yaroslav Halchenko to include grepping on IP over log files
#
+[INCLUDES]
+
+before = mail-whois-common.conf
+
[Definition]
# Option: actionstart
actionban = printf %%b "Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
- Here is more information about <ip>:\n
- `whois <ip> || echo missing whois program`\n\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n\n
Lines containing IP:<ip> in <logpath>\n
- `grep -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>`\n\n
+ `grep -E <grepopts> '(^|[^0-9])<ip>([^0-9]|$)' <logpath>`\n\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
# Path to the log files which contain relevant lines for the abuser IP
#
logpath = /dev/null
+
+# Number of log lines to include in the email
+#
+grepopts = -m 1000
#
#
+[INCLUDES]
+
+before = mail-whois-common.conf
+
[Definition]
# Option: actionstart
actionban = printf %%b "Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
- Here is more information about <ip>:\n
- `whois <ip> || echo missing whois program`\n
+ Here is more information about <ip> :\n
+ `%(_whois_command)s`\n
Regards,\n
Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from `uname -n`" <dest>
# Values: CMD
#
actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on `uname -n`
- Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
+ Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
# Values: CMD
#
actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on `uname -n`
- Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
+ Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck =
+actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionban =
+actionban =
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# Tags: See jail.conf(5) man page
# Values: CMD
#
-actionunban =
+actionunban =
[Init]
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
- Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
+ Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
- Here is more information about <ip>:\n
+ Here is more information about <ip> :\n
http://bgp.he.net/ip/<ip>
http://www.projecthoneypot.org/ip_<ip>
http://whois.domaintools.com/<ip>\n\n
AS:`geoiplookup -f /usr/share/GeoIP/GeoIPASNum.dat "<ip>" | cut -d':' -f2-`
hostname: `host -t A <ip> 2>&1`\n\n
Lines containing IP:<ip> in <logpath>\n
- `grep -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>`\n\n
+ `grep -E <grepopts> '(^|[^0-9])<ip>([^0-9]|$)' <logpath>`\n\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
# Path to the log files which contain relevant lines for the abuser IP
#
logpath = /dev/null
+
+# Number of log lines to include in the email
+#
+grepopts = -m 1000
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
- Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
+ Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
- Here is more information about <ip>:\n
+ Here is more information about <ip> :\n
`/usr/bin/whois <ip>`\n\n
Matches for <name> with <ipjailfailures> failures IP:<ip>\n
<ipjailmatches>\n\n
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
- Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
+ Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
- Here is more information about <ip>:\n
+ Here is more information about <ip> :\n
`/usr/bin/whois <ip>`\n\n
Matches with <ipfailures> failures IP:<ip>\n
<ipmatches>\n\n
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
- Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
+ Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
- Here is more information about <ip>:\n
+ Here is more information about <ip> :\n
`/usr/bin/whois <ip> || echo missing whois program`\n\n
Lines containing IP:<ip> in <logpath>\n
- `grep -E '(^|[^0-9])<ip>([^0-9]|$)' <logpath>`\n\n
+ `grep -E <grepopts> '(^|[^0-9])<ip>([^0-9]|$)' <logpath>`\n\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
#
logpath = /dev/null
+# Number of log lines to include in the email
+#
+grepopts = -m 1000
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
- Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
+ Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
- Here is more information about <ip>:\n
+ Here is more information about <ip> :\n
`/usr/bin/whois <ip>`\n\n
Matches:\n
<matches>\n\n
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
- Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
+ Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
The IP <ip> has just been banned by Fail2Ban after
<failures> attempts against <name>.\n\n
- Here is more information about <ip>:\n
+ Here is more information about <ip> :\n
`/usr/bin/whois <ip> || echo missing whois program`\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f <sender> <dest>
# Values: CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
- Date: `LC_TIME=C date +"%%a, %%d %%h %%Y %%T %%z"`
+ Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
From: <sendername> <<sender>>
To: <dest>\n
Hi,\n
--- /dev/null
+# Fail2Ban configuration file
+#
+# Author: Eduardo Diaz
+#
+# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
+# for shorewall
+#
+# Use this setting in jail.conf to modify use this action instead of a
+# default one
+#
+# banaction = shorewall-ipset-proto6
+#
+# This requires the program ipset which is normally in package called ipset.
+#
+# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0
+# kernels, and you need Shorewall >= 4.5.5 to use this action.
+#
+# The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see
+# file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a
+# new shorewall rule to ban an IP address, that rule will affect only new
+# connections. So if the attacker goes on trying using the same connection
+# he could even log in. In order to get the same behavior of the iptable
+# action (so that the ban is immediate) the /etc/shorewall/shorewall.conf
+# file should me modified with "BLACKLISTNEWONLY=No".
+#
+#
+# Enable shorewall to use a blacklist using iptables creating a file
+# /etc/shorewall/blrules and adding "DROP net:+f2b-ssh all" and
+# similar lines for every jail. To enable restoring you ipset you
+# must set SAVE_IPSETS=Yes in shorewall.conf . You can read more
+# about ipsets handling in Shorewall at http://shorewall.net/ipsets.html
+#
+# To force creation of the ipset in the case that somebody deletes the
+# ipset create a file /etc/shorewall/initdone and add one line for
+# every ipset (this files are in Perl) and add 1 at the end of the file.
+# The example:
+# system("/usr/sbin/ipset -quiet -exist create f2b-ssh hash:ip timeout 600 ");
+# 1;
+#
+# To destroy the ipset in shorewall you must add to the file /etc/shorewall/stopped
+# # One line of every ipset
+# system("/usr/sbin/ipset -quiet destroy f2b-ssh ");
+# 1; # This must go to the end of the file if not shorewall compilation fails
+#
+
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = if ! ipset -quiet -name list f2b-<name> >/dev/null;
+ then ipset -quiet -exist create f2b-<name> hash:ip timeout <bantime>;
+ fi
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = ipset flush f2b-<name>
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = ipset del f2b-<name> <ip> -exist
+
+[Init]
+
+# Option: bantime
+# Notes: specifies the bantime in seconds (handled internally rather than by fail2ban)
+# Values: [ NUM ] Default: 600
+#
+bantime = 600
%(ipjailmatches)s
"""
+
class SMTPAction(ActionBase):
"""Fail2Ban action which sends emails to inform on jail starting,
stopping and bans.
# Author: Yaroslav Halchenko
#
+[INCLUDES]
+
+before = iptables-common.conf
[Definition]
# Notes.: command executed once before each actionban command
# Values: CMD
#
-actioncheck = iptables -n -L <chain>
+actioncheck = <iptables> -n -L <chain>
# Option: actionban
# Notes.: command executed when banning an IP.
# Values: CMD
#
actionban = echo 'all' >| /etc/symbiosis/firewall/blacklist.d/<ip>.auto
- iptables -I <chain> 1 -s <ip> -j <blocktype>
+ <iptables> -I <chain> 1 -s <ip> -j <blocktype>
# Option: actionunban
# Notes.: command executed when unbanning an IP.
# Values: CMD
#
actionunban = rm -f /etc/symbiosis/firewall/blacklist.d/<ip>.auto
- iptables -D <chain> -s <ip> -j <blocktype> || :
+ <iptables> -D <chain> -s <ip> -j <blocktype> || :
[Init]
# Fail2Ban action for sending xarf Login-Attack messages to IP owner
#
-# IMPORTANT:
-#
+# IMPORTANT:
+#
# Emailing a IP owner of abuse is a serious complain. Make sure that it is
# serious. Fail2ban developers and network owners recommend you only use this
# action for:
REPORTID=<time>@`uname -n`
TLP=<tlp>
PORT=<port>
- DATE=`LC_TIME=C date --date=@<time> +"%%a, %%d %%h %%Y %%T %%z"`
+ DATE=`LC_ALL=C date --date=@<time> +"%%a, %%d %%h %%Y %%T %%z"`
if [ ! -z "$ADDRESSES" ]; then
(printf -- %%b "<header>\n<message>\n<report>\n";
date '+Note: Local timezone is %%z (%%Z)';
report = --Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--Abuse-bfbb0f920793ac03cb8634bde14d8a1e\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\";
# Option: Message
-# Notes: This can be modified by the users
+# Notes: This can be modified by the users
message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban in a X-ARF format! You can find more information about x-arf at http://www.x-arf.org/specification.html.\n\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n
# Option: loglines
# Option: tlp
# Notes.: Traffic light protocol defining the sharing of this information.
# http://www.trusted-introducer.org/ISTLPv11.pdf
-# green is share to those involved in network security but it is not
+# green is share to those involved in network security but it is not
# to be released to the public.
tlp = green
badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider
badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 +http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, +http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
-failregex = ^<HOST> -.*"(GET|POST).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
+failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
ignoreregex =
--- /dev/null
+# Fail2Ban Apache pass filter
+# This filter is for access.log, NOT for error.log
+#
+# The knocking request must have a referer.
+
+[INCLUDES]
+
+before = apache-common.conf
+
+[Definition]
+
+failregex = ^<HOST> - \w+ \[\] "GET <knocking_url> HTTP/1\.[01]" 200 \d+ ".*" "[^-].*"$
+
+ignoreregex =
+
+[Init]
+
+knocking_url = /knocking/
+
+# Author: Viktor Szépe
__pid_re = (?:\[\d+\])
+iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
+
# All Asterisk log messages begin like this:
log_prefix= (?:NOTICE|SECURITY)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Host <HOST> failed MD5 authentication for '[^']*' \([^)]+\)$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s hacking attempt detected '<HOST>'$
- ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="[\d-]+",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="\d*",SessionID="0x[\da-f]+",LocalAddress="IPV[46]/(UD|TC)P/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UD|TC)P/<HOST>/\d+"(,Challenge="\w+",ReceivedChallenge="\w+")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
+ ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|<unknown>)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)/<HOST>/\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$
^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )Ext\. s: "Rejecting unknown SIP connection from <HOST>"$
ignoreregex =
failregex = ^%(__prefix_line)s(%(__pam_auth)s(\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=<HOST>(\s+user=\S*)?\s*$
^%(__prefix_line)s(pop3|imap)-login: (Info: )?(Aborted login|Disconnected)(: Inactivity)? \(((auth failed, \d+ attempts)( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<\S*>,)?( method=\S+,)? rip=<HOST>(, lip=(\d{1,3}\.){3}\d{1,3})?(, TLS( handshaking(: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$
^%(__prefix_line)s(Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,<HOST>\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$
- ^%(__prefix_line)sauth-worker\(\d+\): pam\(\S+,<HOST>\): unknown user\s*$
+ ^%(__prefix_line)s(auth|auth-worker\(\d+\)): (pam|passwd-file)\(\S+,<HOST>\): unknown user\s*$
ignoreregex =
--- /dev/null
+# Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s)
+#
+# Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages
+# <syslog prefix> Froxlor: [Login Action <HOST>] Unknown user '<USER>' tried to login.
+# <syslog prefix> Froxlor: [Login Action <HOST>] User '<USER>' tried to login with wrong password.
+#
+# Author: Joern Muehlencord
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = Froxlor
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = ^%(__prefix_line)s\[Login Action <HOST>\] Unknown user \S* tried to login.$
+ ^%(__prefix_line)s\[Login Action <HOST>\] User \S* tried to login with wrong password.$
+
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
+
[Definition]
-failregex = ^<HOST> \- \S+ \[\] \"(GET|POST) \/<block> \S+\" 404 .+$
- ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request: \"(GET|POST) \/<block> \S+\"\, .*?$
+failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) \/<block> \S+\" 404 .+$
+ ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: <HOST>\, server\: \S*\, request: \"(GET|POST|HEAD) \/<block> \S+\"\, .*?$
ignoreregex =
#
# Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS.
# See: http://www.proftpd.org/docs/howto/DNS.html
+# When the default locale for your system is not en_US.UTF-8
+# on Debian-based systems be sure to add this to /etc/default/proftpd
+# export LC_TIME="en_US.UTF-8"
[INCLUDES]
# Fail2Ban configuration file for roundcube web server
#
+# By default failed logins are printed to 'errors'. The first regex matches those
+# The second regex matches those printed to 'userlogins'
+# The userlogins log file can be enabled by setting $config['log_logins'] = true; in config.inc.php
#
+# The logpath in your jail can be updated to userlogins if you wish
#
[INCLUDES]
[Definition]
-failregex = ^\s*(\[\])?(%(__hostname)s roundcube: IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$
+failregex = ^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from <HOST>(\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$
+ ^\[\]:\s*(<[\w]+>)? Failed login for [\w\-\.\+]+(@[\w\-\.\+]+\.[a-zA-Z]{2,6})? from <HOST> in session \w+( \(error: \d\))?$
ignoreregex =
# DEV Notes:
# arbitrary user input and IMAP response doesn't inject the wrong IP for
# fail2ban
#
-# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black
+# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black & Lee Clemens
mysql_log = %(syslog_daemon)s
+roundcube_errors_log = /var/log/roundcube/errors
+
# Directory with ignorecommand scripts
ignorecommands_dir = /etc/fail2ban/filter.d/ignorecommands
exim_main_log = /var/log/exim/main.log
mysql_log = /var/lib/mysql/mysqld.log
+
+roundcube_errors_log = /var/log/roundcubemail/errors
# bug 347477
rm -rf /run/fail2ban/fail2ban.sock || return 1
fi
- ${FAIL2BAN} start &> /dev/null
+ ${FAIL2BAN} start
eend $? "Failed to start fail2ban"
}
stop() {
ebegin "Stopping fail2ban"
- ${FAIL2BAN} stop &> /dev/null
+ ${FAIL2BAN} stop
eend $? "Failed to stop fail2ban"
}
reload() {
ebegin "Reloading fail2ban"
- ${FAIL2BAN} reload > /dev/null
+ ${FAIL2BAN} reload
eend $? "Failed to reload fail2ban"
}
--- /dev/null
+#
+# Gentoo:
+# http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/net-analyzer/fail2ban/files/fail2ban-logrotate?view=markup
+#
+# Debian:
+# https://github.com/fail2ban/fail2ban/blob/debian/debian/fail2ban.logrotate
+#
+# Fedora view:
+# http://pkgs.fedoraproject.org/cgit/fail2ban.git/tree/fail2ban-logrotate
+
+/var/log/fail2ban.log {
+ missingok
+ postrotate
+ /usr/bin/fail2ban-client flushlogs 1>/dev/null || true
+ endscript
+}
projects / config / uhu1 / etc.git / commitdiff