# ======================================== # Fail2Ban: /etc/fail2ban/jail.local # Complete configuration for Debian (XFCE) # Revision: 251213 # ======================================== [INCLUDES] before = paths-debian.conf [DEFAULT] ignorecommand = # Reseaux a ignorer (ne seront jamais bannis) ignoreip = 127.0.0.1/8 ::1 192.168.0.0/24 # IPv6 allowipv6 = auto # Parametres de base bantime = 86400 # 1 day (en secondes) findtime = 1800 # 30 min maxretry = 3 maxmatches = %(maxretry)s banaction = iptables-multiport # Bannissement progressif (recidive) bantime.increment = true bantime.factor = 1 # formule personnalisee : adapte la duree en fonction du nombre de bans bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor bantime.multipliers = 1 2 4 8 16 32 64 128 256 512 1024 # Actions et notifications # action_mwl envoie un e-mail avec whois + log excerpt (si dispo) action = %(action_mwl)s destemail = root@localhost sender = fail2ban@localhost mta = sendmail # Backend et logs # systemd est recommande sur Debian moderne backend = systemd logtarget = /var/log/fail2ban.log # Base de donnees interne dbfile = /var/lib/fail2ban/fail2ban.sqlite3 dbpurgeage = 86400 # DNS lookups (warn, no, or yes). warn evite d'augmenter trop la latence usedns = warn # ---------------------------------------------- # Main jails (enabled/disabled by default) # Enable only what you need (set enabled = true) # ---------------------------------------------- [sshd] # SSH service enabled = true port = ssh filter = sshd # Sur Debian classique, le log SSH est /var/log/auth.log # Si vous utilisez Raspberry Pi OS, commenter la ligne ci-dessous : logpath = /var/log/auth.log backend = systemd maxretry = 3 [recidive] enabled = true filter = recidive logpath = /var/log/fail2ban.log bantime = 604800 # 1 week findtime = 86400 # 1 day action = %(action_mwl)s # -------------------------------------------------------------- # Examples of useful jails # Disabled by default (change enabled = false -> true to enable) # -------------------------------------------------------------- [dropbear] port = ssh logpath = %(dropbear_log)s backend = %(dropbear_backend)s [selinux-ssh] port = ssh logpath = %(auditd_log)s [apache-auth] # Tentatives d'auth sur les sites Apache enabled = false filter = apache-auth logpath = /var/log/apache2/*error.log maxretry = 3 [apache-badbots] # Bots malicieux connus (liste dans filtres) enabled = false filter = apache-badbots logpath = /var/log/apache2/*access.log maxretry = 1 [apache-noscript] port = http,https logpath = %(apache_error_log)s [apache-overflows] port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] # Detecte robots / scanners cherchant des vulnerabilites (WordPress, etc.) enabled = false filter = apache-botsearch # Adapt to your environment: Debian apache2 access logs logpath = /var/log/apache2/*access.log maxretry = 2 bantime = 86400 [apache-fakegooglebot] port = http,https logpath = %(apache_access_log)s maxretry = 1 ignorecommand = %(fail2ban_confpath)s/filter.d/ignorecommands/apache-fakegooglebot [apache-modsecurity] port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] port = http,https logpath = %(apache_error_log)s maxretry = 1 [openhab-auth] filter = openhab banaction = %(banaction_allports)s logpath = /opt/openhab/logs/request.log [nginx-http-auth] enabled = false filter = nginx-http-auth logpath = /var/log/nginx/error.log maxretry = 3 [nginx-limit-req] port = http,https logpath = %(nginx_error_log)s [nginx-botsearch] port = http,https logpath = %(nginx_error_log)s [nginx-bad-request] port = http,https logpath = %(nginx_access_log)s [nginx-forbidden] port = http,https logpath = %(nginx_error_log)s [php-url-fopen] port = http,https logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] port = http,https logpath = %(suhosin_log)s [lighttpd-auth] port = http,https logpath = %(lighttpd_error_log)s [roundcube-auth] port = http,https logpath = %(roundcube_errors_log)s [openwebmail] port = http,https logpath = /var/log/openwebmail.log [horde] port = http,https logpath = /var/log/horde/horde.log [groupoffice] port = http,https logpath = /home/groupoffice/log/info.log [sogo-auth] port = http,https logpath = /var/log/sogo/sogo.log [tine20] logpath = /var/log/tine20/tine20.log port = http,https [drupal-auth] port = http,https logpath = %(syslog_daemon)s backend = %(syslog_backend)s [guacamole] port = http,https logpath = /var/log/tomcat*/catalina.out [monit] port = 2812 logpath = /var/log/monit /var/log/monit.log [webmin-auth] port = 10000 logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [froxlor-auth] port = http,https logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [squid] port = 80,443,3128,8080 logpath = /var/log/squid/access.log [3proxy] port = 3128 logpath = /var/log/3proxy.log [proftpd] enabled = false filter = proftpd logpath = /var/log/proftpd/proftpd.log maxretry = 3 [pure-ftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(pureftpd_log)s backend = %(pureftpd_backend)s [gssftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(syslog_daemon)s backend = %(syslog_backend)s [wuftpd] port = ftp,ftp-data,ftps,ftps-data logpath = %(wuftpd_log)s backend = %(wuftpd_backend)s [vsftpd] enabled = false filter = vsftpd logpath = /var/log/vsftpd.log maxretry = 3 [assp] port = smtp,465,submission logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] port = smtp,465,submission logpath = %(syslog_mail)s backend = %(syslog_backend)s [postfix] # Pour serveurs mail Postfix enabled = false filter = postfix logpath = /var/log/mail.log maxretry = 3 [postfix-rbl] filter = postfix[mode=rbl] port = smtp,465,submission logpath = %(postfix_log)s backend = %(postfix_backend)s maxretry = 1 [sendmail-auth] port = submission,465,smtp logpath = %(syslog_mail)s backend = %(syslog_backend)s [sendmail-reject] port = smtp,465,submission logpath = %(syslog_mail)s backend = %(syslog_backend)s [qmail-rbl] filter = qmail port = smtp,465,submission logpath = /service/qmail/log/main/current [dovecot] enabled = false filter = dovecot logpath = /var/log/mail.log maxretry = 3 [sieve] port = smtp,465,submission logpath = %(dovecot_log)s backend = %(dovecot_backend)s [solid-pop3d] port = pop3,pop3s logpath = %(solidpop3d_log)s [exim] port = smtp,465,submission logpath = %(exim_main_log)s [exim-spam] port = smtp,465,submission logpath = %(exim_main_log)s [kerio] port = imap,smtp,imaps,465 logpath = /opt/kerio/mailserver/store/logs/security.log [courier-auth] port = smtp,465,submission,imap,imaps,pop3,pop3s logpath = %(syslog_mail)s backend = %(syslog_backend)s [postfix-sasl] filter = postfix[mode=auth] port = smtp,465,submission,imap,imaps,pop3,pop3s logpath = %(postfix_log)s backend = %(postfix_backend)s [perdition] port = imap,imaps,pop3,pop3s logpath = %(syslog_mail)s backend = %(syslog_backend)s [squirrelmail] port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] port = imap,imaps logpath = %(syslog_mail)s backend = %(syslog_backend)s [uwimap-auth] port = imap,imaps logpath = %(syslog_mail)s backend = %(syslog_backend)s [named-refused] port = domain,953 logpath = /var/log/named/security.log [nsd] port = 53 action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] logpath = /var/log/nsd.log [asterisk] port = 5060,5061 action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] logpath = /var/log/asterisk/messages maxretry = 10 [freeswitch] port = 5060,5061 action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] logpath = /var/log/freeswitch.log maxretry = 10 [znc-adminlog] port = 6667 logpath = /var/lib/znc/moddata/adminlog/znc.log [mysqld-auth] port = 3306 logpath = %(mysql_log)s backend = %(mysql_backend)s [mssql-auth] logpath = /var/opt/mssql/log/errorlog port = 1433 filter = mssql-auth [mongodb-auth] port = 27017 logpath = /var/log/mongodb/mongodb.log [pam-generic] # Utilise le filtre pam-generic pour tentatives d'auth PAM enabled = false filter = pam-generic logpath = /var/log/auth.log bantime = 3600 maxretry = 3 [xinetd-fail] banaction = iptables-multiport-log logpath = %(syslog_daemon)s backend = %(syslog_backend)s maxretry = 2 [samba] enabled = false filter = samba logpath = /var/log/samba/log.* maxretry = 3 [stunnel] # Jail pour stunnel : adapter le logpath selon l'installation enabled = false filter = stunnel # chemin commun : /var/log/stunnel4/*.log ; sinon surveillez auth/daemon logpath = /var/log/stunnel4/*.log maxretry = 3 [ejabberd-auth] port = 5222 logpath = /var/log/ejabberd/ejabberd.log [counter-strike] logpath = /opt/cstrike/logs/L[0-9]*.log tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 action_ = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"] %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"] [softethervpn] port = 500,4500 protocol = udp logpath = /usr/local/vpnserver/security_log/*/sec.log [gitlab] port = http,https logpath = /var/log/gitlab/gitlab-rails/application.log [grafana] port = http,https logpath = /var/log/grafana/grafana.log [bitwarden] port = http,https logpath = /home/*/bwdata/logs/identity/Identity/log.txt [centreon] port = http,https logpath = /var/log/centreon/login.log [nagios] logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility backend = %(syslog_backend)s maxretry = 1 [oracleims] logpath = /opt/sun/comms/messaging64/log/mail.log_current banaction = %(banaction_allports)s [directadmin] logpath = /var/log/directadmin/login.log port = 2222 [portsentry] logpath = /var/lib/portsentry/portsentry.history maxretry = 1 [pass2allow-ftp] port = ftp,ftp-data,ftps,ftps-data knocking_url = /knocking/ filter = apache-pass[knocking_url="%(knocking_url)s"] logpath = %(apache_access_log)s blocktype = RETURN returntype = DROP action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s, actionstart_on_demand=false, actionrepair_on_unban=true] bantime = 1h maxretry = 1 findtime = 1 [murmur] port = 64738 action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] logpath = /var/log/mumble-server/mumble-server.log [screensharingd] logpath = /var/log/system.log logencoding = utf-8 [haproxy-http-auth] logpath = /var/log/haproxy.log [slapd] port = ldap,ldaps logpath = /var/log/slapd.log [domino-smtp] port = smtp,ssmtp logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log [phpmyadmin-syslog] port = http,https logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [routeros-auth] port = ssh,http,https logpath = /var/log/MikroTik/router.log [zoneminder] port = http,https logpath = %(apache_error_log)s [traefik-auth] port = http,https logpath = /var/log/traefik/access.log [scanlogd] logpath = %(syslog_local0)s banaction = %(banaction_allports)s [monitorix] port = 8080 logpath = /var/log/monitorix-httpd [dante] port = 1080 logpath = %(syslog_daemon)s # -------------------------------------------------------------------------------------------------------------------------- # USEFUL COMMANDS: # sudo cp /etc/fail2ban/jail.local /etc/fail2ban/jail.local.bak # sudo mv /tmp/jail.local.new /etc/fail2ban/jail.local # sudo fail2ban-client -d # debug / check configuration # sudo systemctl restart fail2ban # sudo fail2ban-client status # sudo fail2ban-client status sshd # NOTES: # - Only activate the jails you use to avoid false positives and unnecessary overhead. # - On systems that exclusively use systemd/journal, it is often preferable to use `backend = systemd` # and let fail2ban read the log (so no explicit logpath is needed). # - To test a jail without waiting, you can create a test rule (e.g., `block 127.0.0.2` via fail2ban-client) # or set a `maxretry/bantime` timeout. # - Filters (the `.conf` files in `/etc/fail2ban/filter.d/`) must exist for each activated jail; check them before enabling. # --------------------------------------------------------------------------------------------------------------------------