linux:apps:fail2ban

Differences

This shows you the differences between two versions of the page.

linux:apps:fail2ban [2023/09/07 18:06] – [/etc/fail2ban/filter.d/nextcloud.conf] oscar
linux:apps:fail2ban [2024/12/28 08:18] (current) – [/etc/fail2ban/filter.d/nginx-x00.conf] oscar
Line 505: Line 505:
 [Definition] [Definition]
  
-failregex = ^{"log":"<HOST> .* .*\\x.*$+# Blocking repeated 404|444|403|400 
 +# This will also match requests that are entirely empty 
 +failregex = ^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400) .*$
  
-ignoreregex =+datepattern {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)? 
 +              ^[^\[]*\[({DATE}) 
 +              {^LN-BEG} 
 + 
 +journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx
  
 </code> </code>
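Review bot: the added comment says this filter "will also match requests that are entirely empty", but the new failregex `^<HOST>.*"(GET|POST|HEAD).*" (404|444|403|400) .*$` requires a GET, POST or HEAD method inside the quoted request line, while nginx logs an empty or unparsable request with `"-"` (or with escaped bytes such as `\x16\x03\x01` when a TLS handshake hits a plain-HTTP port) in that position, so exactly those lines will not match. Either drop that sentence or widen the method group, e.g. `"(GET|POST|HEAD|-)`. The removed line `failregex = ^{"log":"<HOST> .* .*\\x.*$` was the one that caught the escaped binary bytes this filter is named after (nginx-x00); after this change that case is no longer covered and the file name no longer describes what the filter matches, so either keep the `\\x` regex as a second failregex line or rename the filter. The switch from the Docker JSON `{"log":"` prefix to a bare `^<HOST>` anchor together with the added `journalmatch` is consistent with reading nginx from the systemd journal instead of a container log, but since the regex now fires on every 404, the jail's `maxretry` and `findtime` (not in this hunk) are the only thing keeping a legitimate client with a stale bookmark or missing favicon from being banned; a note on the intended values would help.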
Line 554: Line 560:
  
 ===== MAIL ===== ===== MAIL =====
 +==== /lib/systemd/system/fail2ban.service ====
 +Fail2ban depends on the log files of postfix, dovecot and rspamd. It should only be started after these services. To achieve this add these services into:
 +<code>
 +# nano /lib/systemd/system/fail2ban.service
 +-------------------------------------------
 +[Unit]
 +...
 +After=network.target iptables.service firewalld.service ip6tables.service ipset.service nftables.service dovecot.service postfix.service rspamd.service
 +</code>
 +
 +==== Config ====
 We enables the following 3 default Debian fail2ban installation jails for our mail server: We enables the following 3 default Debian fail2ban installation jails for our mail server:
   * **dovecot.conf**: ilter Dovecot authentication and pop3/imap server   * **dovecot.conf**: ilter Dovecot authentication and pop3/imap server
   * **postfix.conf**: filter for selected Postfix SMTP rejections    * **postfix.conf**: filter for selected Postfix SMTP rejections 
   * **postfix-sasl.conf**: filter for selected Postfix Authentication failures   * **postfix-sasl.conf**: filter for selected Postfix Authentication failures
 +==== /etc/fail2ban/jail.local ====
 +<code>
 +[sshd]
  
 +# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
 +# normal (default), ddos, extra or aggressive (combines all).
 +# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
 +enabled = true
 +#mode   = normal
 +port    = ssh
 +logpath = %(sshd_log)s
 +#backend = %(sshd_backend)s
 +backend = systemd
 +
 +#
 +# Mail servers
 +#
 +[postfix]
 +# To use another modes set filter parameter "mode" in jail.local:
 +enabled = true
 +mode    = more
 +port    = smtp,465,submission
 +bantime  = 28800
 +findtime = 14400
 +maxretry = 3
 +#logpath = %(postfix_log)s
 +logpath = /var/log/postfix.log
 +backend = %(postfix_backend)s
 +
 +[postfix-rbl]
 +filter   = postfix[mode=rbl]
 +port     = smtp,465,submission
 +logpath  = %(postfix_log)s
 +backend  = %(postfix_backend)s
 +maxretry = 1
 +
 +[postfix-sasl]
 +enabled  = true
 +filter   = postfix[mode=auth]
 +port     = smtp,465,submission,imap,imaps,pop3,pop3s
 +bantime  = 604800
 +findtime = 43200
 +maxretry = 2
 +banaction = nftables-subnet[type=multiport]
 +# You might consider monitoring /var/log/mail.warn instead if you are
 +# running postfix since it would provide the same log lines at the
 +# "warn" level but overall at the smaller filesize.
 +#logpath  = %(postfix_log)s
 +logpath  = /var/log/postfix.log
 +backend  = %(postfix_backend)s
 +
 +[sendmail-auth]
 +port    = submission,465,smtp
 +logpath = %(syslog_mail)s
 +backend = %(syslog_backend)s
 +
 +[sendmail-reject]
 +# To use more aggressive modes set filter parameter "mode" in jail.local:
 +# normal (default), extra or aggressive
 +# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
 +#mode    = normal
 +port     = smtp,465,submission
 +logpath  = %(syslog_mail)s
 +backend  = %(syslog_backend)s
 +
 +
 +# dovecot defaults to logging to the mail syslog facility
 +# but can be set by syslog_facility in the dovecot configuration.
 +[dovecot]
 +enabled  = true
 +port    = pop3,pop3s,imap,imaps,submission,465,sieve
 +bantime  = 14400
 +findtime = 43200
 +maxretry = 2
 +#logpath = %(dovecot_log)s
 +logpath = /var/log/dovecot.log
 +backend = %(dovecot_backend)s
 +
 +
 +[sieve]
 +port   = smtp,465,submission
 +logpath = %(dovecot_log)s
 +backend = %(dovecot_backend)s
 +
 +[mysqld-auth]
 +port     = 3306
 +logpath  = %(mysql_log)s
 +backend  = %(mysql_backend)s
 +
 +# Generic filter for PAM. Has to be used with action which bans all
 +# ports such as iptables-allports, shorewall
 +[pam-generic]
 +# pam-generic filter can be customized to monitor specific subset of 'tty's
 +banaction = %(banaction_allports)s
 +logpath  = %(syslog_authpriv)s
 +backend  = %(syslog_backend)s
 +
 +
 +</code>
  
 ===== Links ===== ===== Links =====
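Review bot: the `After=` ordering is added by editing `/lib/systemd/system/fail2ban.service` in place, and the next fail2ban package upgrade will overwrite that file and silently drop `dovecot.service postfix.service rspamd.service` from the list. Use a drop-in instead: `systemctl edit fail2ban` creates `/etc/systemd/system/fail2ban.service.d/override.conf`, where a `[Unit]` section with only `After=dovecot.service postfix.service rspamd.service` is enough because `After=` is additive across drop-ins; follow it with `systemctl daemon-reload`. In the `jail.local` block, the stanzas `[postfix-rbl]`, `[sendmail-auth]`, `[sendmail-reject]`, `[sieve]`, `[mysqld-auth]` and `[pam-generic]` carry no `enabled = true` and are copied verbatim from the distribution `jail.conf`; since `jail.local` only overrides `jail.conf`, they do nothing here and removing them would leave only the four jails that are actually enabled (`sshd`, `postfix`, `postfix-sasl`, `dovecot`), which also makes the file agree with the text above that lists three mail jails. `banaction = nftables-subnet[type=multiport]` in `[postfix-sasl]` is not one of the stock fail2ban nftables actions (`nftables`, `nftables-multiport`, `nftables-allports`), so that jail will fail to start unless a matching `/etc/fail2ban/action.d/nftables-subnet.conf` exists; a sentence saying where that action comes from belongs here.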
linux/apps/fail2ban.1694109983.txt.gz · Last modified: by oscar