284 lines
6.0 KiB
Plaintext
284 lines
6.0 KiB
Plaintext
[DEFAULT]
|
|
bantime.overalljails = true
|
|
ignoreself = true
|
|
ignoreip = localhost 127.0.0.1/8 192.168.0.0/16 10.42.0.0/16 ::1 servzero.net 72.167.35.184 2603:3:6103:80c0:: b.servzero.net 75.135.92.147
|
|
bantime = 15m
|
|
findtime = 60m
|
|
maxretry = 3
|
|
backend = auto
|
|
usedns = warn
|
|
port = 0:65535
|
|
banaction = iptables-multiport
|
|
banaction_allports = iptables-allports
|
|
allowipv6 = auto
|
|
|
|
[recidive]
|
|
filter = recidive
|
|
bantime = 60m
|
|
findtime = 60m
|
|
maxretry = 3
|
|
enabled = true
|
|
|
|
[sshd]
|
|
mode = normal
|
|
port = ssh
|
|
logpath = %(sshd_log)s
|
|
backend = systemd
|
|
enabled = true
|
|
|
|
[portsentry]
|
|
logpath = /var/lib/portsentry/portsentry.history
|
|
maxretry = 3
|
|
backend = systemd
|
|
#enabled = true
|
|
|
|
[ufw]
|
|
enabled = true
|
|
filter = ufw.f2b
|
|
backend = systemd
|
|
action = iptables-allports
|
|
logpath = /var/log/ufw.log
|
|
maxretry = 3
|
|
bantime = 15m
|
|
|
|
[suricata]
|
|
enabled = true
|
|
filter = suricata.f2b
|
|
logpath = /var/log/suricata/fast.log
|
|
|
|
[murmur]
|
|
# AKA mumble-server
|
|
port = 64738
|
|
action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
|
|
%(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
|
|
logpath = /var/log/mumble-server/mumble-server.log
|
|
backend = systemd
|
|
#enabled = true
|
|
|
|
[ejabberd-auth]
|
|
port = 5222, 5280
|
|
logpath = /var/log/ejabberd/ejabberd.log
|
|
#enabled = true
|
|
|
|
[apache-auth]
|
|
port = http,https
|
|
logpath = %(apache_error_log)s
|
|
#enabled = true
|
|
|
|
[apache-common]
|
|
port = http,https
|
|
logpath = %(apache_error_log)s
|
|
#enabled = true
|
|
|
|
[apache-pass]
|
|
port = http,https
|
|
logpath = %(apache_error_log)s
|
|
#enabled = true
|
|
|
|
[apache-badbots]
|
|
# Ban hosts which agent identifies spammer robots crawling the web
|
|
# for email addresses. The mail outputs are buffered.
|
|
port = http,https
|
|
logpath = %(apache_access_log)s
|
|
bantime = 48h
|
|
maxretry = 1
|
|
#backend = systemd
|
|
#enabled = true
|
|
|
|
[apache-noscript]
|
|
port = http,https
|
|
logpath = %(apache_error_log)s
|
|
#enabled = true
|
|
|
|
[apache-overflows]
|
|
port = http,https
|
|
logpath = %(apache_error_log)s
|
|
maxretry = 2
|
|
#enabled = true
|
|
|
|
[apache-nohome]
|
|
port = http,https
|
|
logpath = %(apache_error_log)s
|
|
maxretry = 2
|
|
#enabled = true
|
|
|
|
[apache-botsearch]
|
|
port = http,https
|
|
logpath = %(apache_error_log)s
|
|
maxretry = 2
|
|
#enabled = true
|
|
|
|
[apache-fakegooglebot]
|
|
port = http,https
|
|
logpath = %(apache_access_log)s
|
|
maxretry = 1
|
|
#ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
|
|
#backend = systemd
|
|
#enabled = true
|
|
|
|
[apache-modsecurity]
|
|
port = http,https
|
|
logpath = %(apache_error_log)s
|
|
maxretry = 2
|
|
#enabled = true
|
|
|
|
[apache-shellshock]
|
|
port = http,https
|
|
logpath = %(apache_error_log)s
|
|
maxretry = 1
|
|
#enabled = true
|
|
|
|
[nginx-http-auth]
|
|
#enabled = true
|
|
port = http,https,9443
|
|
logpath = /var/log/nginx/error.log
|
|
#maxretry = 3
|
|
#findtime = 10m
|
|
#bantime = 1h
|
|
|
|
[nginx-badbots]
|
|
#enabled = true
|
|
port = http,https,9443
|
|
logpath = /var/log/nginx/access.log
|
|
|
|
[nginx-limit-req]
|
|
#enabled = true
|
|
port = http,https,9443
|
|
logpath = /var/log/nginx/access.log
|
|
|
|
# Ban attackers that try to use PHP's URL-fopen() functionality
|
|
# through GET/POST variables. - Experimental, with more than a year
|
|
# of usage in production environments.
|
|
[php-url-fopen]
|
|
port = http,https
|
|
logpath = %(nginx_access_log)s
|
|
%(apache_access_log)s
|
|
#enabled = true
|
|
|
|
[lighttpd-auth]
|
|
# Same as above for Apache's mod_auth
|
|
# It catches wrong authentifications
|
|
port = http,https
|
|
logpath = %(lighttpd_error_log)s
|
|
#enabled = true
|
|
|
|
[cockpit]
|
|
#enabled = true
|
|
port = cockpit
|
|
filter = cockpit.f2b
|
|
logpath = /var/log/cockpit/cockpit.log
|
|
maxretry = 3
|
|
bantime = 600
|
|
|
|
[webmin-auth]
|
|
port = 10000
|
|
logpath = %(syslog_authpriv)s
|
|
backend = %(syslog_backend)s
|
|
#enabled = true
|
|
|
|
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
|
|
# equivalent section:
|
|
# log-warnings = 2
|
|
#
|
|
# for syslog (daemon facility)
|
|
# [mysqld_safe]
|
|
# syslog
|
|
#
|
|
# for own logfile
|
|
# [mysqld]
|
|
# log-error=/var/log/mysqld.log
|
|
[mysqld-auth]
|
|
port = 3306
|
|
logpath = %(mysql_log)s
|
|
backend = %(mysql_backend)s
|
|
#enabled = true
|
|
|
|
[phpmyadmin-syslog]
|
|
port = http,https
|
|
logpath = %(syslog_authpriv)s
|
|
backend = %(syslog_backend)s
|
|
#enabled = true
|
|
|
|
[sendmail-auth]
|
|
port = submission,465,smtp
|
|
logpath = %(syslog_mail)s
|
|
backend = %(syslog_backend)s
|
|
#enabled = true
|
|
|
|
[sendmail-reject]
|
|
# To use more aggressive modes set filter parameter "mode" in jail.local:
|
|
# normal (default), extra or aggressive
|
|
# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
|
|
#mode = normal
|
|
port = smtp,465,submission
|
|
logpath = %(syslog_mail)s
|
|
backend = %(syslog_backend)s
|
|
#enabled = true
|
|
|
|
[postfix]
|
|
# To use another modes set filter parameter "mode" in jail.local:
|
|
mode = more
|
|
port = smtp,465,submission
|
|
logpath = %(postfix_log)s
|
|
backend = systemd
|
|
#enabled = true
|
|
|
|
[postfix-rbl]
|
|
filter = postfix[mode=rbl]
|
|
port = smtp,465,submission
|
|
logpath = %(postfix_log)s
|
|
backend = %(postfix_backend)s
|
|
maxretry = 1
|
|
#enabled = true
|
|
|
|
[postfix-sasl]
|
|
filter = postfix[mode=auth]
|
|
port = smtp,465,submission,imap,imaps,pop3,pop3s
|
|
# You might consider monitoring /var/log/mail.warn instead if you are
|
|
# running postfix since it would provide the same log lines at the
|
|
# "warn" level but overall at the smaller filesize.
|
|
logpath = %(postfix_log)s
|
|
backend = %(postfix_backend)s
|
|
#enabled = true
|
|
|
|
[squirrelmail]
|
|
port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
|
|
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
|
|
#enabled = true
|
|
|
|
#[nmap-scan]
|
|
#enabled = true
|
|
#filter = nmap-scan
|
|
#backend = systemd
|
|
#logpath = /var/log/syslog
|
|
#bantime = 60
|
|
#findtime = 60
|
|
#maxretry = 3
|
|
#maxmatches = 3
|
|
#banaction = iptables-allports
|
|
#port = all
|
|
|
|
#[scanlogd]
|
|
#logpath = %(syslog_local0)s
|
|
#banaction = %(banaction_allports)s
|
|
#backend = systemd
|
|
#enabled = true
|
|
|
|
#[snort-tcp]
|
|
#enabled = true
|
|
#filter = snort
|
|
#action = iptables-multiport[name=SnortTCP, port="0:65535", protocol=tcp]
|
|
#logpath = /var/log/snort/snort.alert.fast
|
|
#maxretry = 3
|
|
#bantime = 3600
|
|
#datepattern = %%m/%%d-%%H:%%M:%%S.%%f
|
|
|
|
#[snort-udp]
|
|
#enabled = true
|
|
#filter = snort
|
|
#action = iptables-multiport[name=SnortUDP, port="0:65535", protocol=udp]
|
|
#logpath = /var/log/snort/snort.alert.fast
|
|
#maxretry = 3
|
|
#bantime = 3600
|
|
#datepattern = %%m/%%d-%%H:%%M:%%S.%%f
|