Upload files to "f2bcfg"

f2bcfg/jail.local

@@ -0,0 +1,283 @@
+[DEFAULT]
+bantime.overalljails = true
+ignoreself = true
+ignoreip = localhost 127.0.0.1/8 192.168.0.0/16 10.42.0.0/16 ::1 servzero.net 72.167.35.184 2603:3:6103:80c0:: b.servzero.net 75.135.92.147 
+bantime  = 15m
+findtime  = 60m
+maxretry = 3
+backend = auto
+usedns = warn
+port = 0:65535
+banaction = iptables-multiport
+banaction_allports = iptables-allports
+allowipv6 = auto
+
+[recidive]
+filter = recidive
+bantime = 60m
+findtime = 60m
+maxretry = 3
+enabled = true
+
+[sshd]
+mode   = normal
+port    = ssh
+logpath = %(sshd_log)s
+backend = systemd
+enabled = true
+
+[portsentry]
+logpath  = /var/lib/portsentry/portsentry.history
+maxretry = 3
+backend = systemd
+#enabled = true
+
+[ufw]
+enabled = true
+filter = ufw.f2b
+backend = systemd
+action = iptables-allports
+logpath = /var/log/ufw.log
+maxretry = 3
+bantime = 15m
+
+[suricata]
+enabled = true
+filter = suricata.f2b
+logpath = /var/log/suricata/fast.log
+
+[murmur]
+# AKA mumble-server
+port     = 64738
+action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
+           %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
+logpath  = /var/log/mumble-server/mumble-server.log
+backend = systemd
+#enabled = true
+
+[ejabberd-auth]
+port    = 5222, 5280
+logpath = /var/log/ejabberd/ejabberd.log
+#enabled = true
+
+[apache-auth]
+port     = http,https
+logpath  = %(apache_error_log)s
+#enabled = true
+
+[apache-common]
+port     = http,https
+logpath  = %(apache_error_log)s
+#enabled = true
+
+[apache-pass]
+port     = http,https
+logpath  = %(apache_error_log)s
+#enabled = true
+
+[apache-badbots]
+# Ban hosts which agent identifies spammer robots crawling the web
+# for email addresses. The mail outputs are buffered.
+port     = http,https
+logpath  = %(apache_access_log)s
+bantime  = 48h
+maxretry = 1
+#backend = systemd
+#enabled = true
+
+[apache-noscript]
+port     = http,https
+logpath  = %(apache_error_log)s
+#enabled = true
+
+[apache-overflows]
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+#enabled = true
+
+[apache-nohome]
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+#enabled = true
+
+[apache-botsearch]
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+#enabled = true
+
+[apache-fakegooglebot]
+port     = http,https
+logpath  = %(apache_access_log)s
+maxretry = 1
+#ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
+#backend = systemd
+#enabled = true
+
+[apache-modsecurity]
+port     = http,https
+logpath  = %(apache_error_log)s
+maxretry = 2
+#enabled = true
+
+[apache-shellshock]
+port    = http,https
+logpath = %(apache_error_log)s
+maxretry = 1
+#enabled = true
+
+[nginx-http-auth]
+#enabled = true
+port = http,https,9443
+logpath = /var/log/nginx/error.log
+#maxretry = 3
+#findtime = 10m
+#bantime = 1h
+
+[nginx-badbots]
+#enabled = true
+port = http,https,9443
+logpath = /var/log/nginx/access.log
+
+[nginx-limit-req]
+#enabled = true
+port = http,https,9443
+logpath = /var/log/nginx/access.log
+
+# Ban attackers that try to use PHP's URL-fopen() functionality
+# through GET/POST variables. - Experimental, with more than a year
+# of usage in production environments.
+[php-url-fopen]
+port    = http,https
+logpath = %(nginx_access_log)s
+          %(apache_access_log)s
+#enabled = true
+
+[lighttpd-auth]
+# Same as above for Apache's mod_auth
+# It catches wrong authentifications
+port    = http,https
+logpath = %(lighttpd_error_log)s
+#enabled = true
+
+[cockpit]
+#enabled = true
+port = cockpit
+filter = cockpit.f2b
+logpath = /var/log/cockpit/cockpit.log
+maxretry = 3
+bantime = 600
+
+[webmin-auth]
+port    = 10000
+logpath = %(syslog_authpriv)s
+backend = %(syslog_backend)s
+#enabled = true
+
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
+# equivalent section:
+# log-warnings = 2
+#
+# for syslog (daemon facility)
+# [mysqld_safe]
+# syslog
+#
+# for own logfile
+# [mysqld]
+# log-error=/var/log/mysqld.log
+[mysqld-auth]
+port     = 3306
+logpath  = %(mysql_log)s
+backend  = %(mysql_backend)s
+#enabled = true
+
+[phpmyadmin-syslog]
+port    = http,https
+logpath = %(syslog_authpriv)s
+backend = %(syslog_backend)s
+#enabled = true
+
+[sendmail-auth]
+port    = submission,465,smtp
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
+#enabled = true
+
+[sendmail-reject]
+# To use more aggressive modes set filter parameter "mode" in jail.local:
+# normal (default), extra or aggressive
+# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
+#mode    = normal
+port     = smtp,465,submission
+logpath  = %(syslog_mail)s
+backend  = %(syslog_backend)s
+#enabled = true
+
+[postfix]
+# To use another modes set filter parameter "mode" in jail.local:
+mode    = more
+port    = smtp,465,submission
+logpath = %(postfix_log)s
+backend = systemd
+#enabled = true
+
+[postfix-rbl]
+filter   = postfix[mode=rbl]
+port     = smtp,465,submission
+logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
+maxretry = 1
+#enabled = true
+
+[postfix-sasl]
+filter   = postfix[mode=auth]
+port     = smtp,465,submission,imap,imaps,pop3,pop3s
+# You might consider monitoring /var/log/mail.warn instead if you are
+# running postfix since it would provide the same log lines at the
+# "warn" level but overall at the smaller filesize.
+logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
+#enabled = true
+
+[squirrelmail]
+port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
+logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
+#enabled = true
+
+#[nmap-scan]
+#enabled = true
+#filter = nmap-scan
+#backend = systemd
+#logpath = /var/log/syslog
+#bantime = 60       
+#findtime = 60         
+#maxretry = 3           
+#maxmatches = 3
+#banaction = iptables-allports
+#port = all
+
+#[scanlogd]
+#logpath = %(syslog_local0)s
+#banaction = %(banaction_allports)s
+#backend = systemd
+#enabled = true
+
+#[snort-tcp]
+#enabled  = true
+#filter   = snort
+#action   = iptables-multiport[name=SnortTCP, port="0:65535", protocol=tcp]
+#logpath  = /var/log/snort/snort.alert.fast
+#maxretry = 3
+#bantime  = 3600
+#datepattern = %%m/%%d-%%H:%%M:%%S.%%f
+
+#[snort-udp]
+#enabled  = true
+#filter   = snort
+#action   = iptables-multiport[name=SnortUDP, port="0:65535", protocol=udp]
+#logpath  = /var/log/snort/snort.alert.fast
+#maxretry = 3
+#bantime  = 3600
+#datepattern = %%m/%%d-%%H:%%M:%%S.%%f

f2bcfg/suricata.f2b.conf

@@ -0,0 +1,11 @@
+
+[INCLUDES]
+before = common.conf
+
+[DEFAULT]
+_daemon = suricata
+
+[Definition]
+datepattern = ^%%m/%%d/%%Y-%%H:%%M:%%S
+failregex = .*Priority: 1.* <HOST>:[0-9]* ->
+ignoreregex =

f2bcfg/ufw.f2b.conf

@@ -0,0 +1,3 @@
+[Definition]
+failregex = [UFW BLOCK].+SRC=<HOST> DST
+ignoreregex =