From 3ef1e08a32b0795004f3efc1019e76605c6b516c Mon Sep 17 00:00:00 2001
From: Darren 'Tadgy' Austin
Date: Sat, 20 Aug 2022 18:08:46 +0100
Subject: [PATCH] Various updates to the fail2ban configuration.

* Update paths.
* Update safe IPs.
* Update ban time and detection thresholds.
* Update email addresses.
* Add more jails.
---
 base-files/fail2ban/fail2ban.local | 4 +-
 base-files/fail2ban/jail.local | 54 ++++++++++++++++-------
 base-files/fail2ban/paths-overrides.local | 4 +-
 3 files changed, 41 insertions(+), 21 deletions(-)

diff --git a/base-files/fail2ban/fail2ban.local b/base-files/fail2ban/fail2ban.local
index a92c9e5..4163111 100644
--- a/base-files/fail2ban/fail2ban.local
+++ b/base-files/fail2ban/fail2ban.local
@@ -35,14 +35,14 @@ logtarget = syslog[facility=LOCAL0]
 # communicate with the server afterwards.
 # Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.sock
 #
-socket = /var/run/fail2ban.sock
+socket = /run/fail2ban.sock
 
 # Option: pidfile
 # Notes.: Set the PID file. This is used to store the process ID of the
 # fail2ban server.
 # Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid
 #
-pidfile = /var/run/fail2ban.pid
+pidfile = /run/fail2ban.pid
 
 # Options: dbfile
 # Notes.: Set the file for the fail2ban persistent data to be stored.
diff --git a/base-files/fail2ban/jail.local b/base-files/fail2ban/jail.local
index c07fde4..1957b72 100644
--- a/base-files/fail2ban/jail.local
+++ b/base-files/fail2ban/jail.local
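Review bot: The new `socket` and `pidfile` values put both files directly in `/run`, dropping the fail2ban-specific subdirectory that the surrounding comments still name as the default (`/var/run/fail2ban/...`). That is fine while the server runs as root, but the init script or service unit that starts and stops fail2ban usually carries its own copy of the pidfile path, so check that it was updated to `/run/fail2ban.pid` as well; a stale path there would leave stop/status unable to find the running daemon. A short comment such as `# Kept in sync with the pidfile path used by the rc script.` above `pidfile` would make that coupling visible.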
@@ -7,14 +7,14 @@
 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses
 # can be defined using space (and/or comma) separator.
-ignoreip = 127.0.0.1/8 212.78.94.73 216.119.155.57 216.119.155.58 216.119.155.59 216.119.155.60 216.119.155.61 216.119.155.62 91.109.244.7 91.109.244.8 91.109.244.9 91.109.244.10 91.109.244.11 185.176.90.169 82.163.78.10 ::1 2a02:2498:e004:2a::/64 2a02:2498:1:227::/64 2a07:4580:b0d:57f::169 2a02:2498:e004:1:216:3eff:fe69:98ba afterdark.org.uk
+ignoreip = 127.0.0.1/8,::1 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 5.101.171.210/28,2a01:a500:2981:1::/64 91.109.244.7,91.109.244.8,91.109.244.9,91.109.244.10,91.109.244.11,2a02:2498:1:227::/64 88.80.191.137,2a01:7e00::f03c:93ff:fe86:afae 185.176.90.169,2a07:4580:b0d:57f::169 afterdark.org.uk
 
 # "bantime" is the number of seconds that a host is banned.
-bantime = 12h
+bantime = 2d
 
 # A host is banned if it has generated "maxretry" during the last "findtime"
 # seconds.
-findtime = 2h
+findtime = 8h
 
 # "maxretry" is the number of failures before a host get banned.
 maxretry = 3
@@ -28,7 +28,7 @@ maxretry = 3
 # no: if a hostname is encountered, will not be used for banning,
 # but it will be logged as info.
 # raw: use raw value (no hostname), allow use it for no-host filters/actions (example user)
-usedns = warn
+usedns = yes
 
 #
 # ACTIONS
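Review bot: `ignoreip` now exempts the whole of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, so repeated failures arriving from any private address — an internal host, a VPN client, or anything that reaches this machine through NAT or a proxy that presents a private source — are never banned, which is a much wider exemption than the handful of named hosts the old value carried. A comment above the line naming the internal networks these ranges are meant to cover would let a later reader judge whether the blanket exemption is still justified. Separately, `5.101.171.210/28` has host bits set; the /28 that contains it is `5.101.171.208/28`, and writing it that way states the intended range explicitly instead of relying on the parser to mask the address. Mixing comma and space separators is permitted by the comment above, though one separator used consistently would read more easily.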
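Review bot: `usedns = yes` silences the warning that `warn` produced but keeps the behaviour the upstream comments caution about: when a log line records a hostname instead of an address, the ban target becomes whatever that name resolves to at match time, so a misleading or stale reverse name can result in banning an address unrelated to the failures, and every such match adds a DNS lookup to the ban path. Unless a filter on this host genuinely needs hostname matching, `usedns = no` (hostnames are logged but never banned) or `usedns = raw` is the safer choice. If `yes` is deliberate because some log only records hostnames, a comment above the line should say which one, e.g. `# DNS resolution needed: <log> records hostnames rather than addresses.`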
@@ -38,24 +38,46 @@ usedns = warn
 # Destination email address used solely for the interpolations in
 # jail.{conf,local,d/*} configuration files.
-destemail = root@localhost
+destemail = sysadmin@slackware.network
 
 # Sender email address used solely for some actions
-sender = root@
+sender = noreply@slackware.network
 
 #
 # JAILS
 #
 
+# FIXME: Enable the correct jails for host.
+[dovecot]
+enabled = no
+filter = dovecot
+port = imap2,imaps,pop3,pop3s
+logpath = /var/log/imapd
+mode = normal
+
+[exim]
+enabled = no
+filter = exim
+port = smtp,smtps,submission
+logpath = /var/log/smtp
+mode = normal
+
+[proftpd]
+enabled = no
+filter = proftpd
+port = ftp,ftps
+logfile = /var/log/ftpd
+
+[roundcube]
+enabled = no
+filter = roundcube-auth
+port = http,https
+logfile = /data/sites/webmail.slackware.network/logs/roundcube/userlogins.log
+maxretry = 10
+
 [sshd]
-
-# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
-# normal (default), ddos, extra or aggressive (combines all).
-# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
-#mode = normal
+# Modes are: normal (default), ddos, extra or aggressive (combines all).
 enabled = yes
-port = 9922
-
-#[apache-auth]
-#enabled = yes
-#
+filter = sshd
+port = ssh,9922
+mode = aggressive
 
diff --git a/base-files/fail2ban/paths-overrides.local b/base-files/fail2ban/paths-overrides.local
index b03f63e..20ef917 100644
--- a/base-files/fail2ban/paths-overrides.local
+++ b/base-files/fail2ban/paths-overrides.local
@@ -18,8 +18,6 @@ syslog_local0 = /var/log/messages
 apache_error_log = /var/log/httpd
 
-# apache_access_log = /var/log/httpd/*access.log
+apache_access_log =
 
-# Default for Slackware provided below,
-# please change according to your proftpd config file.
 proftpd_log = /var/log/ftpd
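Review bot: The new `[proftpd]` and `[roundcube]` jails set `logfile =`, but the jail option fail2ban reads is `logpath` — the key `[dovecot]` and `[exim]` use a few lines above — so these two values are silently ignored. `[proftpd]` would then presumably fall back to the `proftpd_log` path variable, while `[roundcube]`, whose section name differs from the stock `roundcube-auth` jail and so inherits none of its defaults, would have no log to watch and fail when enabled. Change the two lines to `logpath = /var/log/ftpd` and `logpath = /data/sites/webmail.slackware.network/logs/roundcube/userlogins.log`. Because all four new jails are `enabled = no`, the mistake stays invisible until someone flips one on behind the FIXME, which is why it is worth fixing in this commit.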