Fail2ban local config added.

This commit is contained in:
Kolan Sh 2014-08-12 11:03:55 +04:00
parent af2b6b6077
commit 1bcc957a32
6 changed files with 251 additions and 0 deletions


@ -0,0 +1,18 @@
# Fail2Ban configuration file
#
# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
#
[Definition]
# Option: failregex
# Notes.: regex to match ALERTS as notified by lighttpd's FastCGI Module
# Values: TEXT
#
failregex = .*ALERT\ -\ .*attacker\ \'<HOST>\'
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =


@ -0,0 +1,12 @@
#
# Auth filter /etc/fail2ban/filter.d/nginx-auth.conf:
#
# Blocks IPs that fail to authenticate using basic authentication
#
[Definition]
failregex = no user/password was provided for basic authentication.*client: <HOST>
user .* was not found in.*client: <HOST>
user .* password mismatch.*client: <HOST>
ignoreregex =
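Review bot: The second and third failregex alternatives (the `user .* was not found` and `user .* password mismatch` lines) are shown at column 0, and fail2ban's configparser-based reader only treats a line as a continuation of the previous value when it is indented; read flush-left these lines are bare keys without `=`, so the filter either fails to load or silently keeps only the first pattern. The rendered page may have stripped the leading whitespace, so confirm the on-disk file indents them, e.g. `            user .* was not found in.*client: <HOST>`. The same applies to every second `sendmail-whois[...]` line under `action =` in jail.local. All three patterns are unanchored, which is acceptable for the nginx error log but worth a comment noting that `<HOST>` is taken from the `client:` field rather than the line start.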


@ -0,0 +1,9 @@
#
# Login filter /etc/fail2ban/filter.d/nginx-login.conf:
#
# Blocks IPs that fail to authenticate using web application's log in page
#
# Scan access log for HTTP 200 + POST /sessions => failed log in
[Definition]
failregex = ^<HOST> -.*POST /sessions HTTP/1\.." 200
ignoreregex =
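Review bot: The failregex bans on every `POST /sessions` that returns 200, which only means "failed login" if the application redirects (3xx) on success; if it answers a successful login with 200 as well, legitimate users are locked out after maxretry attempts. The header comment should state that dependency explicitly, e.g. `# Assumes the app redirects on successful login; a 200 from POST /sessions is treated as a failure`, and the assumption should be checked against the application's actual responses before enabling the jail. The `HTTP/1\.."` fragment also matches any character after the dot; `HTTP/1\.\d"` expresses the intent.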


@ -0,0 +1,10 @@
# Noscript filter /etc/fail2ban/filter.d/nginx-noscript.conf:
#
# Block IPs trying to execute scripts such as .php, .pl, .exe and other funny scripts.
#
# Matches e.g.
# 192.168.1.1 - - "GET /something.php
#
[Definition]
failregex = ^<HOST> -.*GET.*(\.php|\.asp|\.exe|\.pl|\.cgi|\scgi)
ignoreregex =
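Review bot: The `.*` between `GET` and the extension group spans the rest of the access-log line, including the referer and user-agent fields, so a legitimate visitor whose referer contains `.php` (or a bot-like user agent string mentioning `.pl`) is counted as a failure. Restricting the match to the request target avoids that, e.g. `failregex = ^<HOST> -.*"GET [^"]*\.(php|asp|exe|pl|cgi)`. The `\scgi` alternative matches whitespace followed by `cgi`, which does not look intended and is worth a comment or removal. Independently, on any host that actually serves PHP this filter bans ordinary traffic, so the header comment should say it is only for sites that serve no such scripts.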


@ -0,0 +1,10 @@
# Proxy filter /etc/fail2ban/filter.d/proxy.conf:
#
# Block IPs trying to use server as proxy.
#
# Matches e.g.
# 192.168.1.1 - - "GET http://www.something.com/
#
[Definition]
failregex = ^<HOST> -.*GET http.*
ignoreregex =
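Review bot: The header comment names this file `/etc/fail2ban/filter.d/proxy.conf`, but jail.local in the same commit references `filter = nginx-proxy`, which fail2ban resolves to `filter.d/nginx-proxy.conf`; the file name is not visible on this page, so confirm the on-disk name matches the jail or update the comment, e.g. `# Proxy filter /etc/fail2ban/filter.d/nginx-proxy.conf:`. The pattern `GET http.*` is not tied to the request field, so it would also match the string in a referer or user-agent; anchoring it as `"GET http` keeps it to absolute-form requests.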

192
fail2ban/jail.local Normal file

@ -0,0 +1,192 @@
[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.1.0/24
bantime = 20
findtime = 20
maxretry = 3
backend = auto
destemail = backbone@backbone.ws
banaction = iptables-multiport
mta = sendmail
protocol = tcp
[ssh-iptables]
enabled = true
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, dest=backbone@backbone.ws]
logpath = /var/log/messages
[ssh-ddos]
enabled = true
action = iptables[name=SSHDDOS, port=ssh, protocol=tcp]
sendmail-whois[name=SSH-DDOS, dest=backbone@backbone.ws]
logpath = /var/log/messages
[pure-ftpd]
enabled = true
action = iptables[name=pureftpd, port=ftp, protocol=tcp]
sendmail-whois[name=Pure-FTPd, dest=backbone@backbone.ws]
# logpath = /var/log/pureftpd.log
logpath = /var/log/messages
[sendmail-auth]
enabled = true
action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
sendmail-whois[name=Sendmail-Auth, dest=backbone@backbone.ws]
logpath = /var/log/mail.log
[sendmail-reject]
enabled = true
action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
sendmail-whois[name=Sendmail-Reject, dest=backbone@backbone.ws]
logpath = /var/log/mail.log
[nginx-http-auth]
enabled = true
action = iptables-multiport[name=nginx-http-auth,port="80,443"]
sendmail-whois[name=Nginx-Http-Auth, dest=backbone@backbone.ws]
logpath = /var/log/nginx/error_log
[squid]
enabled = true
action = iptables-multiport[name=squid,port="80,443,8080"]
sendmail-whois[name=Squid, dest=backbone@backbone.ws]
logpath = /var/log/squid/access.log
[postfix-tcpwrapper]
enabled = true
action = hostsdeny[file=/not/a/standard/path/hosts.deny]
sendmail-whois[name=Postfix-TCPWrapper, dest=backbone@backbone.ws]
logpath = /var/log/mail.log
[php-url-fopen]
enabled = true
action = iptables-multiport[name=php-url-open, port="http,https"]
sendmail-whois[name=PHP-URL-Fopen, dest=backbone@backbone.ws]
logpath = /var/log/lighttpd/access.log
[lighttpd-auth]
enabled = true
action = iptables-multiport[name=lighttpd-auth, port="http,https"]
sendmail-whois[name=Lighttpd-Auth, dest=backbone@backbone.ws]
logpath = /var/log/lighttpd/error.log
[named-refused-tcp]
enabled = true
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
sendmail-whois[name=Named, dest=backbone@backbone.ws]
logpath = /var/log/messages
[nsd]
enabled = true
action = iptables-multiport[name=nsd-tcp, port="domain", protocol=tcp]
iptables-multiport[name=nsd-udp, port="domain", protocol=udp]
sendmail-whois[name=Nsd, dest=backbone@backbone.ws]
logpath = /var/log/messages
[ejabberd-auth]
enabled = true
action = iptables[name=ejabberd, port=xmpp-client, protocol=tcp]
sendmail-whois[name=Ejabberd-Auth, dest=backbone@backbone.ws]
logpath = /var/log/jabber/ejabberd.log
[recidive]
enabled = true
action = iptables-allports[name=recidive,protocol=all]
sendmail-whois[name=Recidive, dest=backbone@backbone.ws]
[exim]
enabled = true
action = iptables-multiport[name=exim,port="25,465,587"]
sendmail-whois[name=Exim, dest=backbone@backbone.ws]
logpath = /var/log/exim/exim_main.log
[exim-spam]
enabled = true
action = iptables-multiport[name=exim-spam,port="25,465,587"]
sendmail-whois[name=Exim-Spam, dest=backbone@backbone.ws]
logpath = /var/log/exim/exim_main.log
[perdition]
enabled = true
action = iptables-multiport[name=perdition,port="110,143,993,995"]
sendmail-whois[name=Perdition, dest=backbone@backbone.ws]
logpath = /var/log/mail.log
[dovecot]
enabled = true
action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
sendmail-whois[name=Dovecot, dest=backbone@backbone.ws]
logpath = /var/log/mail.log
[dovecot-auth]
enabled = true
action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
sendmail-whois[name=Dovecot-Auth, dest=backbone@backbone.ws]
logpath = /var/log/dovecot.log
[solid-pop3d]
enabled = true
action = iptables-multiport[name=solid-pop3, port="pop3,pop3s", protocol=tcp]
sendmail-whois[name=Solid-POP3d, dest=backbone@backbone.ws]
logpath = /var/log/mail.log
[ssh-blocklist]
enabled = true
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH-Blocklist, dest=backbone@backbone.ws]
logpath = /var/log/messages
# Kolan: Additional filters/rules
[nginx-auth]
enabled = true
filter = nginx-auth
action = iptables-multiport[name=nginx-auth, port="http,https", protocol=tcp]
sendmail-whois[name=Nginx-Auth, dest=backbone@backbone.ws]
logpath = /var/log/nginx/localhost.error_log
bantime = 3600
maxretry = 3
[nginx-login]
enabled = true
filter = nginx-login
action = iptables-multiport[name=nginx-login, port="http,https", protocol=tcp]
sendmail-whois[name=Nginx-Login, dest=backbone@backbone.ws]
logpath = /var/log/nginx*/*access*log
bantime = 600
maxretry = 6
[nginx-badbots]
enabled = true
filter = apache-badbots
action = iptables-multiport[name=nginx-badbots, port="http,https", protocol=tcp]
sendmail-whois[name=Nginx-BadBots, dest=backbone@backbone.ws]
logpath = /var/log/nginx*/*access*log
bantime = 86400
maxretry = 1
[nginx-noscript]
enabled = true
filter = nginx-noscript
action = iptables-multiport[name=nginx-noscript, port="http,https", protocol=tcp]
sendmail-whois[name=Nginx-Noscript, dest=backbone@backbone.ws]
logpath = /var/log/nginx*/*access*log
maxretry = 6
bantime = 86400
[nginx-proxy]
enabled = true
filter = nginx-proxy
action = iptables-multiport[name=nginx-proxy, port="http,https", protocol=tcp]
sendmail-whois[name=Nginx-Proxy, dest=backbone@backbone.ws]
logpath = /var/log/nginx*/*access*log
maxretry = 0
bantime = 86400
[lighttpd-fastcgi]
enabled = true
port = http,https
filter = lighttpd-fastcgi
action = iptables-multiport[name=lighttpd-fastcgi, port="http,https", protocol=tcp]
sendmail-whois[name=Lighttpd-FastCGI, dest=backbone@backbone.ws]
logpath = /var/log/lighttpd/error.log
maxretry = 2
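Review bot: `[sendmail-reject]` reuses `name=sendmail-auth` in its iptables-multiport action, the same chain name `[sendmail-auth]` uses, so both jails manage one `fail2ban-sendmail-auth` chain and stopping or unbanning in one jail affects the other's bans; it should be `action = iptables-multiport[name=sendmail-reject, port="submission,465,smtp", protocol=tcp]`. The `[DEFAULT]` values `bantime = 20` and `findtime = 20` are seconds, so every jail that does not override them (ssh-iptables, ssh-ddos, dovecot and most others here) bans for only 20 seconds and only counts three failures within a 20-second window, which is far below what a brute-force attempt needs to be slowed; a comment explaining why such short values were chosen, or a value like `bantime = 600`, would help. `[nginx-proxy]` sets `maxretry = 0`, which in fail2ban likely bans on the first matching line rather than disabling the threshold — if "ban immediately" is the intent, `maxretry = 1` says so unambiguously. The commented-out `# logpath = /var/log/pureftpd.log` under `[pure-ftpd]` and the unused `port = http,https` key under `[lighttpd-fastcgi]` should either get a one-line reason or be dropped.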