f2bcfg/jail.local

[DEFAULT]
bantime.overalljails = true
ignoreself = true
ignoreip = localhost 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 10.42.0.0/16 ::1 servzero.net 72.167.35.184 2603:3:6103:80c0:: b.servzero.net 75.135.92.147 
bantime  = 15m
findtime  = 60m
maxretry = 3
backend = auto
usedns = warn
port = 0:65535
banaction = iptables-multiport
banaction_allports = iptables-allports
allowipv6 = auto

[recidive]
filter = recidive
bantime = 60m
findtime = 60m
maxretry = 3
enabled = true

[sshd]
mode   = normal
port    = ssh
logpath = %(sshd_log)s
backend = systemd
enabled = true

[ufw]
enabled = true
filter = ufw.f2b
backend = systemd
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 3
bantime = 15m

[portsentry]
logpath  = /var/lib/portsentry/portsentry.history
maxretry = 3
backend = systemd
#enabled = true

[suricata]
enabled = true
filter = suricata.f2b
logpath = /var/log/suricata/fast.log

[gitea]
#enabled = true
filter = gitea.f2b
logpath = /var/snap/gitea/common/log/gitea.log
maxretry = 3
#findtime = 3600
#bantime = 900
action = iptables-allports

[murmur]
# AKA mumble-server
port     = 64738
action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
logpath  = /var/log/mumble-server/mumble-server.log
backend = systemd
#enabled = true

[ejabberd-auth]
port    = 5222, 5280
logpath = /var/log/ejabberd/ejabberd.log
#enabled = true

[apache-auth]
port     = http,https
logpath  = %(apache_error_log)s
#enabled = true

[apache-common]
port     = http,https
logpath  = %(apache_error_log)s
#enabled = true

[apache-pass]
port     = http,https
logpath  = %(apache_error_log)s
#enabled = true

[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1
#backend = systemd
#enabled = true

[apache-noscript]
port     = http,https
logpath  = %(apache_error_log)s
#enabled = true

[apache-overflows]
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2
#enabled = true

[apache-nohome]
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2
#enabled = true

[apache-botsearch]
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2
#enabled = true

[apache-fakegooglebot]
port     = http,https
logpath  = %(apache_access_log)s
maxretry = 1
#ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
#backend = systemd
#enabled = true

[apache-modsecurity]
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2
#enabled = true

[apache-shellshock]
port    = http,https
logpath = %(apache_error_log)s
maxretry = 1
#enabled = true

[nginx-http-auth]
#enabled = true
port = http,https,9443
logpath = /var/log/nginx/error.log
#maxretry = 3
#findtime = 10m
#bantime = 1h

[nginx-badbots]
#enabled = true
port = http,https,9443
logpath = /var/log/nginx/access.log

[nginx-limit-req]
#enabled = true
port = http,https,9443
logpath = /var/log/nginx/access.log

# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
port    = http,https
logpath = %(nginx_access_log)s
          %(apache_access_log)s
#enabled = true

[lighttpd-auth]
# Same as above for Apache's mod_auth
# It catches wrong authentifications
port    = http,https
logpath = %(lighttpd_error_log)s
#enabled = true

[cockpit]
#enabled = true
port = cockpit
filter = cockpit.f2b
logpath = /var/log/cockpit/cockpit.log
maxretry = 3
bantime = 600

[webmin-auth]
port    = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
#enabled = true

# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
# equivalent section:
# log-warnings = 2
#
# for syslog (daemon facility)
# [mysqld_safe]
# syslog
#
# for own logfile
# [mysqld]
# log-error=/var/log/mysqld.log
[mysqld-auth]
port     = 3306
logpath  = %(mysql_log)s
backend  = %(mysql_backend)s
#enabled = true

[phpmyadmin-syslog]
port    = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
#enabled = true

[sendmail-auth]
port    = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
#enabled = true

[sendmail-reject]
# To use more aggressive modes set filter parameter "mode" in jail.local:
# normal (default), extra or aggressive
# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
#mode    = normal
port     = smtp,465,submission
logpath  = %(syslog_mail)s
backend  = %(syslog_backend)s
#enabled = true

[postfix]
# To use another modes set filter parameter "mode" in jail.local:
mode    = more
port    = smtp,465,submission
logpath = %(postfix_log)s
backend = systemd
#enabled = true

[postfix-rbl]
filter   = postfix[mode=rbl]
port     = smtp,465,submission
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
maxretry = 1
#enabled = true

[postfix-sasl]
filter   = postfix[mode=auth]
port     = smtp,465,submission,imap,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath  = %(postfix_log)s
backend  = %(postfix_backend)s
#enabled = true

[squirrelmail]
port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
#enabled = true

#[nmap-scan]
#enabled = true
#filter = nmap-scan
#backend = systemd
#logpath = /var/log/syslog
#bantime = 60       
#findtime = 60         
#maxretry = 3           
#maxmatches = 3
#banaction = iptables-allports
#port = all

#[scanlogd]
#logpath = %(syslog_local0)s
#banaction = %(banaction_allports)s
#backend = systemd
#enabled = true

#[snort-tcp]
#enabled  = true
#filter   = snort
#action   = iptables-multiport[name=SnortTCP, port="0:65535", protocol=tcp]
#logpath  = /var/log/snort/snort.alert.fast
#maxretry = 3
#bantime  = 3600
#datepattern = %%m/%%d-%%H:%%M:%%S.%%f

#[snort-udp]
#enabled  = true
#filter   = snort
#action   = iptables-multiport[name=SnortUDP, port="0:65535", protocol=udp]
#logpath  = /var/log/snort/snort.alert.fast
#maxretry = 3
#bantime  = 3600
#datepattern = %%m/%%d-%%H:%%M:%%S.%%f
Upload files to "f2bcfg" 2026-05-11 20:48:09 +00:00			`[DEFAULT]`
			`bantime.overalljails = true`
			`ignoreself = true`
Update f2bcfg/jail.local 2026-05-18 12:12:50 +00:00			`ignoreip = localhost 127.0.0.1/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 10.42.0.0/16 ::1 servzero.net 72.167.35.184 2603:3:6103:80c0:: b.servzero.net 75.135.92.147`
Upload files to "f2bcfg" 2026-05-11 20:48:09 +00:00			`bantime = 15m`
			`findtime = 60m`
			`maxretry = 3`
			`backend = auto`
			`usedns = warn`
			`port = 0:65535`
			`banaction = iptables-multiport`
			`banaction_allports = iptables-allports`
			`allowipv6 = auto`

			`[recidive]`
			`filter = recidive`
			`bantime = 60m`
			`findtime = 60m`
			`maxretry = 3`
			`enabled = true`

			`[sshd]`
			`mode = normal`
			`port = ssh`
			`logpath = %(sshd_log)s`
			`backend = systemd`
			`enabled = true`

			`[ufw]`
			`enabled = true`
			`filter = ufw.f2b`
			`backend = systemd`
			`action = iptables-allports`
			`logpath = /var/log/ufw.log`
			`maxretry = 3`
			`bantime = 15m`

Update f2bcfg/jail.local 2026-05-16 00:19:00 +00:00			`[portsentry]`
			`logpath = /var/lib/portsentry/portsentry.history`
			`maxretry = 3`
			`backend = systemd`
			`#enabled = true`

Upload files to "f2bcfg" 2026-05-11 20:48:09 +00:00			`[suricata]`
			`enabled = true`
			`filter = suricata.f2b`
			`logpath = /var/log/suricata/fast.log`

Update f2bcfg/jail.local 2026-05-16 00:19:00 +00:00			`[gitea]`
Update f2bcfg/jail.local 2026-05-16 00:22:43 +00:00			`#enabled = true`
Update f2bcfg/jail.local 2026-05-16 00:19:00 +00:00			`filter = gitea.f2b`
			`logpath = /var/snap/gitea/common/log/gitea.log`
			`maxretry = 3`
			`#findtime = 3600`
			`#bantime = 900`
			`action = iptables-allports`

Upload files to "f2bcfg" 2026-05-11 20:48:09 +00:00			`[murmur]`
			`# AKA mumble-server`
			`port = 64738`
			`action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]`
			`%(default/action_)s[name=%(__name__)s-udp, protocol="udp"]`
			`logpath = /var/log/mumble-server/mumble-server.log`
			`backend = systemd`
			`#enabled = true`

			`[ejabberd-auth]`
			`port = 5222, 5280`
			`logpath = /var/log/ejabberd/ejabberd.log`
			`#enabled = true`

			`[apache-auth]`
			`port = http,https`
			`logpath = %(apache_error_log)s`
			`#enabled = true`

			`[apache-common]`
			`port = http,https`
			`logpath = %(apache_error_log)s`
			`#enabled = true`

			`[apache-pass]`
			`port = http,https`
			`logpath = %(apache_error_log)s`
			`#enabled = true`

			`[apache-badbots]`
			`# Ban hosts which agent identifies spammer robots crawling the web`
			`# for email addresses. The mail outputs are buffered.`
			`port = http,https`
			`logpath = %(apache_access_log)s`
			`bantime = 48h`
			`maxretry = 1`
			`#backend = systemd`
			`#enabled = true`

			`[apache-noscript]`
			`port = http,https`
			`logpath = %(apache_error_log)s`
			`#enabled = true`

			`[apache-overflows]`
			`port = http,https`
			`logpath = %(apache_error_log)s`
			`maxretry = 2`
			`#enabled = true`

			`[apache-nohome]`
			`port = http,https`
			`logpath = %(apache_error_log)s`
			`maxretry = 2`
			`#enabled = true`

			`[apache-botsearch]`
			`port = http,https`
			`logpath = %(apache_error_log)s`
			`maxretry = 2`
			`#enabled = true`

			`[apache-fakegooglebot]`
			`port = http,https`
			`logpath = %(apache_access_log)s`
			`maxretry = 1`
			`#ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>`
			`#backend = systemd`
			`#enabled = true`

			`[apache-modsecurity]`
			`port = http,https`
			`logpath = %(apache_error_log)s`
			`maxretry = 2`
			`#enabled = true`

			`[apache-shellshock]`
			`port = http,https`
			`logpath = %(apache_error_log)s`
			`maxretry = 1`
			`#enabled = true`

			`[nginx-http-auth]`
			`#enabled = true`
			`port = http,https,9443`
			`logpath = /var/log/nginx/error.log`
			`#maxretry = 3`
			`#findtime = 10m`
			`#bantime = 1h`

			`[nginx-badbots]`
			`#enabled = true`
			`port = http,https,9443`
			`logpath = /var/log/nginx/access.log`

			`[nginx-limit-req]`
			`#enabled = true`
			`port = http,https,9443`
			`logpath = /var/log/nginx/access.log`

			`# Ban attackers that try to use PHP's URL-fopen() functionality`
			`# through GET/POST variables. - Experimental, with more than a year`
			`# of usage in production environments.`
			`[php-url-fopen]`
			`port = http,https`
			`logpath = %(nginx_access_log)s`
			`%(apache_access_log)s`
			`#enabled = true`

			`[lighttpd-auth]`
			`# Same as above for Apache's mod_auth`
			`# It catches wrong authentifications`
			`port = http,https`
			`logpath = %(lighttpd_error_log)s`
			`#enabled = true`

			`[cockpit]`
			`#enabled = true`
			`port = cockpit`
			`filter = cockpit.f2b`
			`logpath = /var/log/cockpit/cockpit.log`
			`maxretry = 3`
			`bantime = 600`

			`[webmin-auth]`
			`port = 10000`
			`logpath = %(syslog_authpriv)s`
			`backend = %(syslog_backend)s`
			`#enabled = true`

			`# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or`
			`# equivalent section:`
			`# log-warnings = 2`
			`#`
			`# for syslog (daemon facility)`
			`# [mysqld_safe]`
			`# syslog`
			`#`
			`# for own logfile`
			`# [mysqld]`
			`# log-error=/var/log/mysqld.log`
			`[mysqld-auth]`
			`port = 3306`
			`logpath = %(mysql_log)s`
			`backend = %(mysql_backend)s`
			`#enabled = true`

			`[phpmyadmin-syslog]`
			`port = http,https`
			`logpath = %(syslog_authpriv)s`
			`backend = %(syslog_backend)s`
			`#enabled = true`

			`[sendmail-auth]`
			`port = submission,465,smtp`
			`logpath = %(syslog_mail)s`
			`backend = %(syslog_backend)s`
			`#enabled = true`

			`[sendmail-reject]`
			`# To use more aggressive modes set filter parameter "mode" in jail.local:`
			`# normal (default), extra or aggressive`
			`# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.`
			`#mode = normal`
			`port = smtp,465,submission`
			`logpath = %(syslog_mail)s`
			`backend = %(syslog_backend)s`
			`#enabled = true`

			`[postfix]`
			`# To use another modes set filter parameter "mode" in jail.local:`
			`mode = more`
			`port = smtp,465,submission`
			`logpath = %(postfix_log)s`
			`backend = systemd`
			`#enabled = true`

			`[postfix-rbl]`
			`filter = postfix[mode=rbl]`
			`port = smtp,465,submission`
			`logpath = %(postfix_log)s`
			`backend = %(postfix_backend)s`
			`maxretry = 1`
			`#enabled = true`

			`[postfix-sasl]`
			`filter = postfix[mode=auth]`
			`port = smtp,465,submission,imap,imaps,pop3,pop3s`
			`# You might consider monitoring /var/log/mail.warn instead if you are`
			`# running postfix since it would provide the same log lines at the`
			`# "warn" level but overall at the smaller filesize.`
			`logpath = %(postfix_log)s`
			`backend = %(postfix_backend)s`
			`#enabled = true`

			`[squirrelmail]`
			`port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks`
			`logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log`
			`#enabled = true`

			`#[nmap-scan]`
			`#enabled = true`
			`#filter = nmap-scan`
			`#backend = systemd`
			`#logpath = /var/log/syslog`
			`#bantime = 60`
			`#findtime = 60`
			`#maxretry = 3`
			`#maxmatches = 3`
			`#banaction = iptables-allports`
			`#port = all`

			`#[scanlogd]`
			`#logpath = %(syslog_local0)s`
			`#banaction = %(banaction_allports)s`
			`#backend = systemd`
			`#enabled = true`

			`#[snort-tcp]`
			`#enabled = true`
			`#filter = snort`
			`#action = iptables-multiport[name=SnortTCP, port="0:65535", protocol=tcp]`
			`#logpath = /var/log/snort/snort.alert.fast`
			`#maxretry = 3`
			`#bantime = 3600`
			`#datepattern = %%m/%%d-%%H:%%M:%%S.%%f`

			`#[snort-udp]`
			`#enabled = true`
			`#filter = snort`
			`#action = iptables-multiport[name=SnortUDP, port="0:65535", protocol=udp]`
			`#logpath = /var/log/snort/snort.alert.fast`
			`#maxretry = 3`
			`#bantime = 3600`
			`#datepattern = %%m/%%d-%%H:%%M:%%S.%%f`