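# jail.local — site overrides for fail2ban jails. fail2ban reads this on top of
# jail.conf with its configparser-based reader; %(name)s references resolve to
# values from jail.conf / paths-*.conf (%(sshd_log)s, %(apache_error_log)s, ...).
# Conventions in this file:
#   - '#' full-line comments only (no trailing comments on value lines)
#   - durations use fail2ban suffixes (15m, 60m, 48h); a bare number is seconds
#   - a jail is active only if it has an uncommented 'enabled = true'

# Global defaults inherited by every jail below unless overridden.
[DEFAULT]
# Searches the ban database across all jails when computing an increased ban
# time. This only takes effect together with 'bantime.increment = true', which
# is not set here, so as written it has no effect on its own.
bantime.overalljails = true
# Never ban the host's own addresses.
ignoreself = true
# Space-separated allow list: IPs, CIDR ranges or DNS names. Entries here are
# never banned by any jail, so public addresses and hostnames listed here are
# a deliberate trust decision. DNS names are resolved when the jail starts;
# a later change of the record is not picked up until fail2ban is reloaded.
# Note that 2603:3:6103:80c0:: has no prefix length and therefore matches only
# that single address; add /64 if the whole network was intended.
ignoreip = localhost 127.0.0.1/8 192.168.0.0/16 10.42.0.0/16 ::1 servzero.net 72.167.35.184 2603:3:6103:80c0:: b.servzero.net 75.135.92.147
# Base ban length and the window in which 'maxretry' failures trigger a ban.
bantime = 15m
findtime = 60m
maxretry = 3
# Log source: 'auto' picks pyinotify/gamin/polling; jails below that set
# 'systemd' read the journal instead, and their 'logpath' is then not used
# for matching.
backend = auto
# Resolve hostnames found in log lines, but log a warning when it happens.
usedns = warn
# The full port range combined with iptables-multiport means the default
# action blocks the offender on every port, not just the service's.
port = 0:65535
banaction = iptables-multiport
banaction_allports = iptables-allports
allowipv6 = auto

# Re-ban hosts that were banned repeatedly by other jails. With a 15m base
# bantime and a 60m findtime this triggers after 3 bans within an hour and
# bans for 60m; the escalation over the base ban is modest, and much shorter
# than the value fail2ban ships for this jail.
[recidive]
filter = recidive
bantime = 60m
findtime = 60m
maxretry = 3
enabled = true

[sshd]
mode = normal
port = ssh
logpath = %(sshd_log)s
backend = systemd
enabled = true

# Bans sources of UFW block log lines; uses the site filter ufw.f2b and an
# all-ports action instead of the DEFAULT action.
[ufw]
enabled = true
filter = ufw.f2b
backend = systemd
action = iptables-allports
logpath = /var/log/ufw.log
maxretry = 3
bantime = 15m

[portsentry]
logpath = /var/lib/portsentry/portsentry.history
maxretry = 3
backend = systemd
#enabled = true

# Bans on Suricata fast.log alerts using the site filter suricata.f2b.
# Inherits maxretry = 3 from DEFAULT, so three alerts from one source within
# findtime are enough for a ban; tune if the ruleset is noisy.
[suricata]
enabled = true
filter = suricata.f2b
logpath = /var/log/suricata/fast.log

[gitea]
enabled = true
filter = gitea.f2b
logpath = /var/snap/gitea/common/log/gitea.log
maxretry = 3
#findtime = 3600
#bantime = 900
action = iptables-allports

[murmur]
# AKA mumble-server
port = 64738
# Two actions (TCP and UDP) — the second line is a configparser continuation
# and must stay indented.
action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
          %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
logpath = /var/log/mumble-server/mumble-server.log
backend = systemd
#enabled = true

[ejabberd-auth]
port = 5222, 5280
logpath = /var/log/ejabberd/ejabberd.log
#enabled = true

[apache-auth]
port = http,https
logpath = %(apache_error_log)s
#enabled = true

[apache-common]
port = http,https
logpath = %(apache_error_log)s
#enabled = true

[apache-pass]
port = http,https
logpath = %(apache_error_log)s
#enabled = true

[apache-badbots]
# Ban hosts whose user agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1
#backend = systemd
#enabled = true

[apache-noscript]
port = http,https
logpath = %(apache_error_log)s
#enabled = true

[apache-overflows]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
#enabled = true

[apache-nohome]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
#enabled = true

[apache-botsearch]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
#enabled = true

[apache-fakegooglebot]
port = http,https
logpath = %(apache_access_log)s
maxretry = 1
#ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot
#backend = systemd
#enabled = true

[apache-modsecurity]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
#enabled = true

[apache-shellshock]
port = http,https
logpath = %(apache_error_log)s
maxretry = 1
#enabled = true

[nginx-http-auth]
#enabled = true
port = http,https,9443
logpath = /var/log/nginx/error.log
#maxretry = 3
#findtime = 10m
#bantime = 1h

[nginx-badbots]
#enabled = true
port = http,https,9443
logpath = /var/log/nginx/access.log

[nginx-limit-req]
#enabled = true
port = http,https,9443
logpath = /var/log/nginx/access.log

# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
port = http,https
# Two log files — the second line is a configparser continuation and must
# stay indented.
logpath = %(nginx_access_log)s
          %(apache_access_log)s
#enabled = true

[lighttpd-auth]
# Same as above for Apache's mod_auth
# It catches failed authentications
port = http,https
logpath = %(lighttpd_error_log)s
#enabled = true

[cockpit]
#enabled = true
# 'cockpit' is a service name and relies on an /etc/services entry when the
# ban action builds its port list; use the numeric port if that entry is absent.
port = cockpit
filter = cockpit.f2b
logpath = /var/log/cockpit/cockpit.log
maxretry = 3
# 10 minutes (written with a suffix like the other jails; was 600 seconds).
bantime = 10m

[webmin-auth]
port = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
#enabled = true

# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
# equivalent section:
# log-warnings = 2
#
# for syslog (daemon facility)
# [mysqld_safe]
# syslog
#
# for own logfile
# [mysqld]
# log-error=/var/log/mysqld.log
[mysqld-auth]
port = 3306
logpath = %(mysql_log)s
backend = %(mysql_backend)s
#enabled = true

[phpmyadmin-syslog]
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
#enabled = true

[sendmail-auth]
port = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
#enabled = true

[sendmail-reject]
# To use more aggressive modes set filter parameter "mode" in jail.local:
# normal (default), extra or aggressive
# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
#mode = normal
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
#enabled = true

[postfix]
# To use other modes set filter parameter "mode" in jail.local:
mode = more
port = smtp,465,submission
logpath = %(postfix_log)s
backend = systemd
#enabled = true

[postfix-rbl]
filter = postfix[mode=rbl]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1
#enabled = true

[postfix-sasl]
filter = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
#enabled = true

[squirrelmail]
port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
#enabled = true

# The jails below are fully commented out and kept as ready-made templates;
# uncomment the whole section (header included) to activate one.
#[nmap-scan]
#enabled = true
#filter = nmap-scan
#backend = systemd
#logpath = /var/log/syslog
#bantime = 60
#findtime = 60
#maxretry = 3
#maxmatches = 3
#banaction = iptables-allports
#port = all

#[scanlogd]
#logpath = %(syslog_local0)s
#banaction = %(banaction_allports)s
#backend = systemd
#enabled = true

#[snort-tcp]
#enabled = true
#filter = snort
#action = iptables-multiport[name=SnortTCP, port="0:65535", protocol=tcp]
#logpath = /var/log/snort/snort.alert.fast
#maxretry = 3
#bantime = 3600
# %% is a literal percent for configparser.
#datepattern = %%m/%%d-%%H:%%M:%%S.%%f

#[snort-udp]
#enabled = true
#filter = snort
#action = iptables-multiport[name=SnortUDP, port="0:65535", protocol=udp]
#logpath = /var/log/snort/snort.alert.fast
#maxretry = 3
#bantime = 3600
# %% is a literal percent for configparser.
#datepattern = %%m/%%d-%%H:%%M:%%S.%%f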