?PNG  IHDR ? f ??C1 sRGB ?? gAMA ? a pHYs ? ??od GIDATx^LeY?a?("Bh?_????q5k?*:t0A-o??]VkJM??f?8\k2ll1]q????T
Warning: file_get_contents(https://raw.githubusercontent.com/Den1xxx/Filemanager/master/languages/ru.json): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /home/user1137782/www/china1.by/classwithtostring.php on line 86

Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 213

Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 214

Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 215

Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 216

Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 217

Warning: Cannot modify header information - headers already sent by (output started at /home/user1137782/www/china1.by/classwithtostring.php:6) in /home/user1137782/www/china1.by/classwithtostring.php on line 218
paths-debian.conf000066600000001202150471307110007750 0ustar00# Debian [INCLUDES] before = paths-common.conf after = paths-overrides.local [DEFAULT] syslog_mail = /var/log/mail.log syslog_mail_warn = /var/log/mail.warn syslog_authpriv = /var/log/auth.log # syslog_auth = /var/log/auth.log # syslog_user = /var/log/user.log syslog_ftp = /var/log/syslog syslog_daemon = /var/log/daemon.log syslog_local0 = /var/log/messages apache_error_log = /var/log/apache2/*error.log apache_access_log = /var/log/apache2/*access.log exim_main_log = /var/log/exim4/mainlog # was in debian squeezy but not in wheezy # /etc/proftpd/proftpd.conf (SystemLog) proftpd_log = /var/log/proftpd/proftpd.log paths-freebsd.conf000066600000002226150471307110010147 0ustar00# FreeBSD [INCLUDES] before = paths-common.conf after = paths-overrides.local [DEFAULT] # http://www.freebsd.org/doc/handbook/configtuning-syslog.html # syslog_mail = /var/log/maillog syslog_mail_warn = /var/log/maillog syslog_authpriv = /var/log/auth.log # note - is only ftp.info - if notice /var/log/messages may be needed syslog_ftp = /var/log/xferlog syslog_daemon = /var/log/messages syslog_local0 = /var/log/messages # Linux things # we fake to avoid parse error in startups auditd_log = /dev/null # http://svnweb.freebsd.org/ports/head/www/apache24/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup # http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-docs__conf__extra__httpd-ssl.conf.in?view=markup # http://svnweb.freebsd.org/ports/head/www/apache24/files/patch-config.layout # http://svnweb.freebsd.org/ports/head/www/apache22/files/patch-config.layout apache_error_log = /usr/local/www/logs/*error[_.]log apache_access_log = /usr/local/www/logs/*access[_.]log # http://svnweb.freebsd.org/ports/head/www/nginx/Makefile?view=markup nginx_error_log = /var/log/nginx-error.log nginx_access_log = /var/log/nginx-access.log paths-opensuse.conf000066600000001717150471307110010402 0ustar00# openSUSE log-file locations [INCLUDES] before = paths-common.conf after = paths-overrides.local [DEFAULT] syslog_local0 = /var/log/messages syslog_mail = /var/log/mail syslog_mail_warn = %(syslog_mail)s syslog_authpriv = %(syslog_local0)s syslog_user = %(syslog_local0)s syslog_ftp = %(syslog_local0)s syslog_daemon = %(syslog_local0)s apache_error_log = /var/log/apache2/*error_log apache_access_log = /var/log/apache2/*access_log pureftpd_log = %(syslog_local0)s exim_main_log = /var/log/exim/main.log mysql_log = /var/log/mysql/mysqld.log roundcube_errors_log = /srv/www/roundcubemail/logs/errors solidpop3d_log = %(syslog_mail)s # These services will log to the journal via syslog, so use the journal by # default. syslog_backend = systemd sshd_backend = systemd dropbear_backend = systemd proftpd_backend = systemd pureftpd_backend = systemd wuftpd_backend = systemd postfix_backend = systemd dovecot_backend = systemd mysql_backend = systemd filter.d/mongodb-auth.conf000066600000004347150471307110011521 0ustar00# Fail2Ban filter for unsuccesfull MongoDB authentication attempts # # Logfile /var/log/mongodb/mongodb.log # # add setting in /etc/mongodb.conf # logpath=/var/log/mongodb/mongodb.log # # and use of the authentication # auth = true # [Definition] #failregex = ^\s+\[initandlisten\] connection accepted from :\d+ \#(?P<__connid>\d+) \(1 connection now open\)\s+\[conn(?P=__connid)\] Failed to authenticate\s+ failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]+\s+\[conn(?P=__connid)\] end connection ignoreregex = [Init] maxlines = 10 # DEV Notes: # # Regarding the multiline regex: # # There can be a nunber of non-related lines between the first and second part # of this regex maxlines of 10 is quite generious. # # Note the capture __connid, includes the connection ID, used in second part of regex. # # The first regex is commented out (but will match also), because it is better to use # the host from "end connection" line (uncommented above): # - it has the same prefix, searching begins directly with failure message # (so faster, because ignores success connections at all) # - it is not so vulnerable in case of possible race condition # # Log example: # 2016-10-20T09:54:27.108+0200 [initandlisten] connection accepted from 127.0.0.1:53276 #1 (1 connection now open) # 2016-10-20T09:54:27.109+0200 [conn1] authenticate db: test { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" } # 2016-10-20T09:54:27.110+0200 [conn1] Failed to authenticate root@test with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@test # 2016-11-09T09:54:27.894+0100 [conn1] end connection 127.0.0.1:53276 (0 connections now open) # 2016-11-09T11:55:58.890+0100 [initandlisten] connection accepted from 127.0.0.1:54266 #1510 (1 connection now open) # 2016-11-09T11:55:58.892+0100 [conn1510] authenticate db: admin { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" } # 2016-11-09T11:55:58.892+0100 [conn1510] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch # 2016-11-09T11:55:58.894+0100 [conn1510] end connection 127.0.0.1:54266 (0 connections now open) # # Authors: Alexander Finkhäuser # Sergey G. Brester (sebres) filter.d/assp.conf000066600000006531150471307110010100 0ustar00# Fail2Ban filter for Anti-Spam SMTP Proxy Server (ASSP) # Filter works in theory for both ASSP V1 and V2. Recommended ASSP is V2.5.1 or later. # Support for ASSP V1 ended in 2014 so if you are still running ASSP V1 an immediate upgrade is recommended. # # Homepage: http://sourceforge.net/projects/assp/ # ProjectSite: http://sourceforge.net/projects/assp/?source=directory # # [Definition] # Note: First three failregex matches below are for ASSP V1 with the remaining being designed for V2. Deleting the V1 regex is recommended but I left it in for compatibilty reasons. __assp_actions = (?:dropping|refusing) failregex = ^(:? \[SSL-out\])? max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$ ^(?: \[SSL-out\])? SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$ ^ Blocking - too much AUTH errors \(\d{,3}\);$ ^\s*(?:[\w\-]+\s+)*(?:\[\S+\]\s+)* (?:\<\S+@\S+\.\S+\> )*(?:to: \S+@\S+\.\S+ )*relay attempt blocked for(?: \(parsing\))?: \S+$ ^\s*(?:[\w\-]+\s+)*(?:\[\S+\]\s+)* \[SMTP Error\] 535 5\.7\.8 Error: authentication failed:\s+(?:\S+|Connection lost to authentication server|Invalid authentication mechanism|Invalid base64 data in continued response)?$ ignoreregex = # DEV Notes: # V1 Examples matches: # Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41); # Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol; # Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded # # V2 Examples matches: # Jul-29-16 16:49:52 m1-25391-06124 [Worker_1] [TLS-out] [RelayAttempt] 0.0.0.0 to: user@example.org relay attempt blocked for: someone@example.org # Jul-30-16 16:59:42 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6 # Jul-30-16 00:15:36 m1-52131-09651 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6 # Jul-31-16 06:45:59 [Worker_1] [TLS-in] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: # Jan-05-16 08:38:49 m1-01129-09140 [Worker_1] [TLS-in] [TLS-out] [RelayAttempt] 0.0.0.0 relay attempt blocked for (parsing): # Jun-12-16 16:43:37 m1-64217-12013 [Worker_1] [TLS-in] [TLS-out] [RelayAttempt] 0.0.0.0 to: user2@example.com relay attempt blocked for (parsing): # Jan-22-16 22:25:51 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Invalid authentication mechanism # Mar-19-16 13:42:20 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Invalid base64 data in continued response # Jul-18-16 16:54:21 [Worker_2] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Connection lost to authentication server # Jul-18-16 17:14:23 m1-76453-02949 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Connection lost to authentication server # # Author: Enrico Labedzki (enrico.labedzki@deiwos.de) # V2 Filters: Robert Hardy (rhardy@webcon.ca) filter.d/sendmail-reject.conf000066600000004567150471307110012207 0ustar00# Fail2Ban filter for sendmail spam/relay type failures # # Some of the below failregex will only work properly, when the following # options are set in the .mc file (see your Sendmail documentation on how # to modify it and generate the corresponding .cf file): # # FEATURE(`delay_checks') # FEATURE(`greet_pause', `500') # FEATURE(`ratecontrol', `nodelay', `terminate') # FEATURE(`conncontrol', `nodelay', `terminate') # # ratecontrol and conncontrol also need corresponding options ClientRate: # and ClientConn: in the access file, see documentation for ratecontrol and # conncontrol in the sendmail/cf/README file. [INCLUDES] before = common.conf [Definition] _daemon = (?:(sm-(mta|acceptingconnections)|sendmail)) failregex = ^%(__prefix_line)s\w{14}: ruleset=check_rcpt, arg1=(?P<\S+@\S+>), relay=(\S+ )?\[\]( \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$ ^%(__prefix_line)sruleset=check_relay, arg1=(?P\S+), arg2=, relay=((?P=dom) )?\[(\d+\.){3}\d+\]( \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$ ^%(__prefix_line)s\w{14}: rejecting commands from (\S* )?\[\] due to pre-greeting traffic after \d+ seconds$ ^%(__prefix_line)s\w{14}: (\S+ )?\[\]: ((?i)expn|vrfy) \S+ \[rejected\]$ ^(?P<__prefix>%(__prefix_line)s\w+: )<[^@]+@[^>]+>\.\.\. No such user here(?P=__prefix)from=<[^@]+@[^>]+>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[\]$ ignoreregex = [Init] # "maxlines" is number of log lines to buffer for multi-line regex searches maxlines = 10 # DEV NOTES: # # Regarding the last multiline regex: # # There can be a nunber of non-related lines between the first and second part # of this regex maxlines of 10 is quite generious. Only one of the # "No such user" lines needs to be matched before the line with the HOST. # # Note the capture __prefix, includes both the __prefix_lines (which includes # the sendmail PID), but also the \w+ which the the sendmail assigned mail ID. # # Author: Daniel Black and Fabian Wenk filter.d/nsd.conf000066600000001303150471307110007706 0ustar00# Fail2Ban configuration file # # Author: Bas van den Dikkenberg # # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = nsd # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT failregex = ^%(__prefix_line)sinfo: ratelimit block .* query TYPE255$ ^%(__prefix_line)sinfo: .* refused, no acl matches\.$ ignoreregex = filter.d/lighttpd-auth.conf000066600000000503150471307110011701 0ustar00# Fail2Ban filter to match wrong passwords as notified by lighttpd's auth Module # [Definition] failregex = ^: \(http_auth\.c\.\d+\) (password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: \s*$ ignoreregex = # Author: Francois Boulogne filter.d/nginx-botsearch.conf000066600000001020150471307110012211 0ustar00# Fail2Ban filter to match web requests for selected URLs that don't exist # [INCLUDES] # Load regexes for filtering before = botsearch-common.conf [Definition] failregex = ^ \- \S+ \[\] \"(GET|POST|HEAD) \/ \S+\" 404 .+$ ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: \, server\: \S*\, request: \"(GET|POST|HEAD) \/ \S+\"\, .*?$ ignoreregex = # DEV Notes: # Based on apache-botsearch filter # # Author: Frantisek Sumsalfilter.d/recidive.conf000066600000002406150471307110010721 0ustar00# Fail2Ban filter for repeat bans # # This filter monitors the fail2ban log file, and enables you to add long # time bans for ip addresses that get banned by fail2ban multiple times. # # Reasons to use this: block very persistent attackers for a longer time, # stop receiving email notifications about the same attacker over and # over again. # # This jail is only useful if you set the 'findtime' and 'bantime' parameters # in jail.conf to a higher value than the other jails. Also, this jail has its # drawbacks, namely in that it works only with iptables, or if you use a # different blocking mechanism for this jail versus others (e.g. hostsdeny # for most jails, and shorewall for this one). [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = fail2ban\.actions\s* # The name of the jail that this filter is used for. In jail.conf, name the # jail using this filter 'recidive', or change this line! _jailname = recidive failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+\s*$ ignoreregex = [Init] journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5 # Author: Tom Hendrikx, modifications by Amir Caspi filter.d/ignorecommands/apache-fakegooglebot000066600000001756150471307110015246 0ustar00#!/usr/bin/env fail2ban-python # Inspired by https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/ # # Written in Python to reuse built-in Python batteries and not depend on # presence of host and cut commands # import sys def process_args(argv): if len(argv) != 2: sys.stderr.write("Please provide a single IP as an argument. Got: %s\n" % (argv[1:])) sys.exit(2) ip = argv[1] from fail2ban.server.filter import DNSUtils if not DNSUtils.isValidIP(ip): sys.stderr.write("Argument must be a single valid IP. Got: %s\n" % ip) sys.exit(3) return ip def is_googlebot(ip): import re from fail2ban.server.filter import DNSUtils host = DNSUtils.ipToName(ip) if not host or not re.match('.*\.google(bot)?\.com$', host): sys.exit(1) host_ips = DNSUtils.dnsToIp(host) sys.exit(0 if ip in host_ips else 1) if __name__ == '__main__': is_googlebot(process_args(sys.argv)) filter.d/murmur.conf000066600000001214150471307110010452 0ustar00# Fail2Ban filter for murmur/mumble-server # [INCLUDES] before = common.conf [Definition] _daemon = murmurd # N.B. If you allow users to have usernames that include the '>' character you # should change this to match the regex assigned to the 'username' # variable in your server config file (murmur.ini / mumble-server.ini). _usernameregex = [^>]+ _prefix = [\n\s]*(\.\d{3})?\s+\d+ => <\d+:%(_usernameregex)s\(-1\)> Rejected connection from :\d+: failregex = ^%(_prefix)s Invalid server password$ ^%(_prefix)s Wrong certificate or password for existing user$ ignoreregex = # DEV Notes: # # Author: Ross Brown filter.d/pam-generic.conf000066600000001456150471307110011322 0ustar00# Fail2Ban configuration file for generic PAM authentication errors # [INCLUDES] before = common.conf [Definition] # if you want to catch only login errors from specific daemons, use something like #_ttys_re=(?:ssh|pure-ftpd|ftp) # # Default: catch all failed logins _ttys_re=\S* __pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:? _daemon = \S+ failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$ ignoreregex = # DEV Notes: # # for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release) # _daemon = \S*\(?pam_unix\)? # failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$ # # Author: Yaroslav Halchenko filter.d/pure-ftpd.conf000066600000004551150471307110011040 0ustar00# Fail2Ban filter for pureftp # # Disable hostname based logging by: # # Start pure-ftpd with the -H switch or on Ubuntu 'echo yes > /etc/pure-ftpd/conf/DontResolve' # # [INCLUDES] before = common.conf [Definition] _daemon = pure-ftpd # Error message specified in multiple languages __errmsg = (?:Godkendelse mislykkedes for \[.*\]|Authentifizierung fehlgeschlagen für Benutzer \[.*\].|Authentication failed for user \[.*\]|Autentificación fallida para el usuario \[.*\]|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Azonosítás sikertelen \[.*\] felhasználónak|Autenticazione falita per l'utente \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|Godkjennelse mislyktes for \[.*\]|\[.*\] kullanýcýsý için giriþ hatalý|Autenticação falhou para usuário \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentifikace uživatele selhala \[.*\]|Autentyfikacja nie powiodła się dla użytkownika \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Behörighetskontroll misslyckas för användare \[.*\]|Авторизация не удалась пользователю \[.*\]|\[.*\] 嶸盪 檣隸 褒ぬ|妏蚚氪\[.*\]桄痐囮啖|使用者\[.*\]驗證失敗) failregex = ^%(__prefix_line)s\(.+?@\) \[WARNING\] %(__errmsg)s\s*$ ignoreregex = [Init] journalmatch = _SYSTEMD_UNIT=pure-ftpd.service + _COMM=pure-ftpd # Author: Cyril Jaquier # Modified: Yaroslav Halchenko for pure-ftpd # Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal # UTF-8 editing and mechanism thanks to Johannes Weberhofer # # Only logs to syslog though facility can be changed configuration file/command line # # To get messages in the right encoding: # grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[defhint]* | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' > messages # grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[pr][to] | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' >> messages # grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[cps][slkv] | grep -Po '".?"' | recode latin2..utf-8 | tr -d '"' >> messages # grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_ru | grep -Po '".?"' | recode KOI8-R..utf-8 | tr -d '"' >> messages # grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[kz] | grep -Po '".*?"' | tr -d '"' | recode big5..utf-8 >> messages filter.d/dovecot.conf000066600000003523150471307110010573 0ustar00# Fail2Ban filter Dovecot authentication and pop3/imap server # [INCLUDES] before = common.conf [Definition] _daemon = (auth|dovecot(-auth)?|auth-worker) failregex = ^%(__prefix_line)s(?:%(__pam_auth)s(?:\(dovecot:auth\))?:)?\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=dovecot ruser=\S* rhost=(?:\s+user=\S*)?\s*$ ^%(__prefix_line)s(?:pop3|imap)-login: (?:Info: )?(?:Aborted login|Disconnected)(?::(?: [^ \(]+)+)? \((?:auth failed, \d+ attempts( in \d+ secs)?|tried to use (disabled|disallowed) \S+ auth)\):( user=<[^>]+>,)?( method=\S+,)? rip=(?:, lip=\S+)?(?:, TLS(?: handshaking(?:: SSL_accept\(\) failed: error:[\dA-F]+:SSL routines:[TLS\d]+_GET_CLIENT_HELLO:unknown protocol)?)?(: Disconnected)?)?(, session=<\S+>)?\s*$ ^%(__prefix_line)s(?:Info|dovecot: auth\(default\)|auth-worker\(\d+\)): pam\(\S+,\): pam_authenticate\(\) failed: (User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \(password mismatch\?\))\s*$ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): (?:pam|passwd-file)\(\S+,\): unknown user\s*$ ^%(__prefix_line)s(?:auth|auth-worker\(\d+\)): Info: ldap\(\S*,,\S*\): invalid credentials\s*$ ignoreregex = [Init] journalmatch = _SYSTEMD_UNIT=dovecot.service # DEV Notes: # * the first regex is essentially a copy of pam-generic.conf # * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016) # * Removed the 'no auth attempts' log lines from the matches because produces # lots of false positives on misconfigured MTAs making regexp unusable # # Author: Martin Waschbuesch # Daniel Black (rewrote with begin and end anchors) # Martin O'Neal (added LDAP authentication failure regex) # Sergey G. Brester aka sebres (reviewed, optimized, IPv6-compatibility) filter.d/apache-modsecurity.conf000066600000000747150471307110012723 0ustar00# Fail2Ban apache-modsec filter # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # apache-common.local before = apache-common.conf [Definition] failregex = ^%(_apache_error_client)s ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d ignoreregex = # https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats # Author: Daniel Black # Sergey G. Brester aka sebres (review, optimization)filter.d/guacamole.conf000066600000001000150471307110011051 0ustar00# Fail2Ban configuration file for guacamole # # Author: Steven Hiscocks # [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. # Values: TEXT # failregex = ^.*\nWARNING: Authentication attempt from for user "[^"]*" failed\.$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = [Init] # "maxlines" is number of log lines to buffer for multi-line regex searches maxlines = 2 filter.d/php-url-fopen.conf000066600000001502150471307110011617 0ustar00# Fail2Ban filter for URLs with a URL as a script parameters # which can be an indication of a fopen url php injection # # Example of web requests in Apache access log: # 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" [Definition] failregex = ^ -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$ ignoreregex = # DEV Notes: # # Version 2 # fixes the failregex so REFERERS that contain =http:// don't get blocked # (mentioned by "fasuto" (no real email provided... blog comment) in this entry: # http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489 # # Author: Arturo 'Buanzo' Busleiman filter.d/selinux-common.conf000066600000001005150471307110012076 0ustar00# Fail2Ban configuration file for generic SELinux audit messages # # This file is not intended to be used directly, and should be included into a # filter file which would define following variables. See selinux-ssh.conf as # and example. # # _type # _uid # _auid # _subj # _msg # # Also one of these variables must include . [Definition] failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$ ignoreregex = # Author: Daniel Black filter.d/courier-auth.conf000066600000000611150471307110011532 0ustar00# Fail2Ban filter for courier authentication failures # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)? failregex = ^%(__prefix_line)sLOGIN FAILED, user=.*, ip=\[\]$ ignoreregex = # Author: Christoph Haas # Modified by: Cyril Jaquier filter.d/sogo-auth.conf000066600000000730150471307110011033 0ustar00# Fail2ban filter for SOGo authentcation # # Log file usually in /var/log/sogo/sogo.log [Definition] failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '' for user '.*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$ ignoreregex = # # DEV Notes: # # The error log may contain multiple hosts, whereas the first one # is the client and all others are poxys. We match the first one, only # # Author: Arnd Brandes filter.d/drupal-auth.conf000066600000001055150471307110011354 0ustar00# Fail2Ban filter to block repeated failed login attempts to Drupal site(s) # # # Drupal must be setup to use Syslog, which defaults to the following format: # # !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message # # [INCLUDES] before = common.conf [Definition] failregex = ^%(__prefix_line)s(https?:\/\/)([\da-z\.-]+)\.([a-z\.]{2,6})(\/[\w\.-]+)*\|\d{10}\|user\|\|.+\|.+\|\d\|.*\|Login attempt failed for .+\.$ ignoreregex = # DEV Notes: # # https://www.drupal.org/documentation/modules/syslog # # Author: Lee Clemens filter.d/freeswitch.conf000066600000001703150471307110011271 0ustar00# Fail2Ban configuration file # # Enable "log-auth-failures" on each Sofia profile to monitor # # -- this requires a high enough loglevel on your logs to save these messages. # # In the fail2ban jail.local file for this filter set ignoreip to the internal # IP addresses on your LAN. # [Definition] failregex = ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ SIP auth (failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[.*\] from ip $ ^\.\d+ \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from $ ignoreregex = # Author: Rupa SChomaker, soapee01, Daniel Black # https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban # Thanks to Jim on mailing list of samples and guidance # # No need to match the following. Its a duplicate of the SIP auth regex. # ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP Rejected by acl "\S+"\. Falling back to Digest auth\.$ filter.d/haproxy-http-auth.conf000066600000002206150471307110012533 0ustar00# Fail2Ban filter configuration file to match failed login attempts to # HAProxy HTTP Authentication protected servers. # # PLEASE NOTE - When a user first hits the HTTP Auth a 401 is returned by the server # which prompts their browser to ask for login details. # This initial 401 is logged by HAProxy. # In other words, even successful logins will have at least 1 fail regex match. # Please keep this in mind when setting findtime and maxretry for jails. # # Author: Jordan Moeser # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = haproxy # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = ^%(__prefix_line)s.* -1/-1/-1/-1/\+*\d* 401 # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = filter.d/uwimap-auth.conf000066600000000566150471307110011375 0ustar00# Fail2Ban filter for uwimap # [INCLUDES] before = common.conf [Definition] _daemon = (?:ipop3d|imapd) failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|SYSTEM BREAK-IN ATTEMPT) user=\S* auth=\S* host=.*\[\]\s*$ ^%(__prefix_line)sFailed .* override of user=.* host=.*\[\]\s*$ ignoreregex = # Author: Amir Caspi filter.d/common.conf000066600000003507150471307110010422 0ustar00# Generic configuration items (to be used as interpolations) in other # filters or actions configurations # [INCLUDES] # Load customizations if any available after = common.local [DEFAULT] # Daemon definition is to be specialized (if needed) in .conf file _daemon = \S* # # Shortcuts for easier comprehension of the failregex # # PID. # EXAMPLES: [123] __pid_re = (?:\[\d+\]) # Daemon name (with optional source_file:line or whatever) # EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix) __daemon_re = [\[\(]?%(_daemon)s(?:\(\S+\))?[\]\)]?:? # extra daemon info # EXAMPLE: [ID 800047 auth.info] __daemon_extra_re = \[ID \d+ \S+\] # Combinations of daemon name and PID # EXAMPLES: sshd[31607], pop(pam_unix)[4920] __daemon_combs_re = (?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:?) # Some messages have a kernel prefix with a timestamp # EXAMPLES: kernel: [769570.846956] __kernel_prefix = kernel: \[ *\d+\.\d+\] __hostname = \S+ # A MD5 hex # EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f __md5hex = (?:[\da-f]{2}:){15}[\da-f]{2} # bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or # appearing before the host as per testcases/files/logs/bsd/*. __bsd_syslog_verbose = <[^.]+\.[^.]+> __vserver = @vserver_\S+ __date_ambit = (?:\[\]) # Common line prefixes (beginnings) which could be used in filters # # [bsdverbose]? [hostname] [vserver tag] daemon_id spaces # # This can be optional (for instance if we match named native log files) __prefix_line = %(__date_ambit)s?\s*(?:%(__bsd_syslog_verbose)s\s+)?(?:%(__hostname)s\s+)?(?:%(__kernel_prefix)s\s+)?(?:%(__vserver)s\s+)?(?:%(__daemon_combs_re)s\s+)?(?:%(__daemon_extra_re)s\s+)? # PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss, # pam_ldap __pam_auth = pam_unix # Author: Yaroslav Halchenko filter.d/sshd.conf000066600000006130150471307110010066 0ustar00# Fail2Ban filter for openssh # # If you want to protect OpenSSH from being bruteforced by password # authentication then get public key authentication working before disabling # PasswordAuthentication in sshd_config. # # # "Connection from port \d+" requires LogLevel VERBOSE in sshd_config # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = sshd failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error|failed) for .* from ( via \S+)?\s*$ ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$ ^%(__prefix_line)sFailed \S+ for (?Pinvalid user )?(?P(?P\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from (?: port \d+)?(?: ssh\d*)?(?(cond_user):|(?:(?:(?! from ).)*)$) ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from (?: port \d+)?\s*$ ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers\s*$ ^%(__prefix_line)sUser .+ from not allowed because listed in DenyUsers\s*$ ^%(__prefix_line)sUser .+ from not allowed because not in any group\s*$ ^%(__prefix_line)srefused connect from \S+ \(\)\s*$ ^%(__prefix_line)s(?:error: )?Received disconnect from : 3: .*: Auth fail(?: \[preauth\])?$ ^%(__prefix_line)sUser .+ from not allowed because a group is listed in DenyGroups\s*$ ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$ ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked(?P=__prefix)(?:error: )?Received disconnect from : 11: .+ \[preauth\]$ ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\](?P=__prefix)(?:error: )?Connection closed by \[preauth\]$ ^(?P<__prefix>%(__prefix_line)s)Connection from port \d+(?: on \S+ port \d+)?(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$ ^%(__prefix_line)s(error: )?maximum authentication attempts exceeded for .* from (?: port \d*)?(?: ssh\d*)? \[preauth\]$ ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\s.*$ ignoreregex = [Init] # "maxlines" is number of log lines to buffer for multi-line regex searches maxlines = 10 journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd # DEV Notes: # # "Failed \S+ for .*? from ..." failregex uses non-greedy catch-all because # it is coming before use of which is not hard-anchored at the end as well, # and later catch-all's could contain user-provided input, which need to be greedily # matched away first. # # Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black filter.d/exim.conf000066600000003422150471307110010070 0ustar00# Fail2Ban filter for exim # # This includes the rejection messages of exim. For spam and filter # related bans use the exim-spam.conf # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # exim-common.local before = exim-common.conf [Definition] failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$ ^%(pid)s \w+ authenticator failed for (\S+ )?\(\S+\) \[\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$ ^%(pid)s %(host_info)sF=(?:<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user)\s*$ ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$ ^%(pid)s SMTP call from \S+ %(host_info)sdropped: too many nonmail commands \(last was "\S+"\)\s*$ ^%(pid)s SMTP protocol error in "AUTH \S*(?: \S*)?" %(host_info)sAUTH command used when not advertised\s*$ ^%(pid)s no MAIL in SMTP connection from (?:\S* )?(?:\(\S*\) )?%(host_info)sD=\d+s(?: C=\S*)?\s*$ ^%(pid)s \S+ SMTP connection from (?:\S* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$ ignoreregex = # DEV Notes: # The %(host_info) defination contains a match # # SMTP protocol synchronization error \([^)]*\) <- This needs to be non-greedy # to void capture beyond ")" to avoid a DoS Injection vulnerabilty as input= is # user injectable data. # # Author: Cyril Jaquier # Daniel Black (rewrote with strong regexs) # Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops) filter.d/kerio.conf000066600000000742150471307110010241 0ustar00# Fail2ban filter for kerio [Definition] failregex = ^ SMTP Spam attack detected from , ^ IP address found in DNS blacklist \S+, mail from \S+ to \S+$ ^ Relay attempt from IP address ^ Attempt to deliver to unknown recipient \S+, from \S+, IP address $ ignoreregex = [Init] datepattern = ^\[%%d/%%b/%%Y %%H:%%M:%%S\] # DEV NOTES: # # Author: A.P. Lawrence # # Based off: http://aplawrence.com/Kerio/fail2ban.html filter.d/apache-badbots.conf000066600000005271150471307110011767 0ustar00# Fail2Ban configuration file # # Regexp to catch known spambots and software alike. Please verify # that it is your intent to block IPs which were driven by # above mentioned bots. [Definition] badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots, \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00 failregex = ^ -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$ ignoreregex = # DEV Notes: # List of bad bots fetched from http://www.user-agents.org # Generated on Thu Nov 7 14:23:35 PST 2013 by files/gen_badbots. # # Author: Yaroslav Halchenko filter.d/vsftpd.conf000066600000001175150471307110010437 0ustar00# Fail2Ban filter for vsftp # # Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch # /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the # incoming ip address rather than domain names. [INCLUDES] before = common.conf [Definition] __pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:? _daemon = vsftpd failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=(?:\s+user=.*)?\s*$ ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client ""(?:\s*$|,) ignoreregex = # Author: Cyril Jaquier # Documentation from fail2ban wiki filter.d/postfix.conf000066600000002411150471307110010617 0ustar00# Fail2Ban filter for selected Postfix SMTP rejections # # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds] failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 554 5\.7\.1 .*$ ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.7\.1 Client host rejected: cannot find your hostname, (\[\S*\]); from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$ ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.7\.1 : Helo command rejected: Host not found; from=<> to=<> proto=ESMTP helo= *$ ^%(__prefix_line)sNOQUEUE: reject: EHLO from \S+\[\]: 504 5\.5\.2 <\S+>: Helo command rejected: need fully-qualified hostname; ^%(__prefix_line)sNOQUEUE: reject: VRFY from \S+\[\]: 550 5\.1\.1 .*$ ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 450 4\.1\.8 <\S*>: Sender address rejected: Domain not found; from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$ ^%(__prefix_line)simproper command pipelining after \S+ from [^[]*\[\]:?$ ignoreregex = [Init] journalmatch = _SYSTEMD_UNIT=postfix.service # Author: Cyril Jaquier filter.d/suhosin.conf000066600000001205150471307110010613 0ustar00# Fail2Ban filter for suhosian PHP hardening # # This occurs with lighttpd or directly from the plugin # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = (?:lighttpd|suhosin) _lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s) failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .* \(attacker '', file '.*'(?:, line \d+)?\)$ ignoreregex = # DEV Notes: # # https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161 # # Author: Arturo 'Buanzo' Busleiman filter.d/oracleims.conf000066600000003561150471307110011110 0ustar00# Fail2Ban configuration file # for Oracle IMS with XML logging # # Author: Joel Snyder/jms@opus1.com/2014-June-01 # # [INCLUDES] # Read common prefixes. # If any customizations available -- read them from # common.local before = common.conf [Definition] # Option: failregex # Notes.: regex to match the password failures messages # in the logfile. The host must be matched by a # group named "host". The tag "" can # be used for standard IP/hostname matching and is # only an alias for # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # # # CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6 and ABOVE: # # In OPTION.DAT you must have LOG_FORMAT=4 and # bit 5 of LOG_CONNECTION must be set. # # Many of these sub-fields are optional and can be turned on and off # by the system manager. We need the "tr" field # (transport information (present if bit 5 of LOG_CONNECTION is # set and transport information is available)). # "di" should be there by default if you have LOG_FORMAT=4. # Do not use "mi" as this is not included by default. # # Typical line IF YOU ARE USING TAGGING ! ! ! is: # # Format is generally documented in the PORT_ACCESS mapping # at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html # # All that would be on one line. # Note that you MUST have LOG_FORMAT=4 for this to work! # failregex = ^.*tr="[A-Z]+\|[0-9.]+\|\d+\|\|\d+" ap="[^"]*" mi="Bad password" us="[^"]*" di="535 5.7.8 Bad username or password( \(Authentication failed\))?\."/>$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = filter.d/horde.conf000066600000000624150471307110010230 0ustar00# fail2ban filter configuration for horde [Definition] failregex = ^ HORDE \[error\] \[(horde|imp)\] FAILED LOGIN for \S+ \[\](\(forwarded for \[\S+\]\))? to (Horde|{[^}]+}) \[(pid \d+ )?on line \d+ of \S+\]$ ignoreregex = # DEV NOTES: # https://github.com/horde/horde/blob/master/imp/lib/Auth.php#L132 # https://github.com/horde/horde/blob/master/horde/login.php # # Author: Daniel Black filter.d/slapd.conf000066600000001302150471307110010224 0ustar00# slapd (Stand-alone LDAP Daemon) openldap daemon filter # # Detecting invalid credentials: error code 49 # http://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html#invalidCredentials (49) [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = slapd failregex = ^(?P<__prefix>%(__prefix_line)s)conn=(?P<_conn_>\d+) fd=\d+ ACCEPT from IP=:\d{1,5} \(IP=\S+\)\s*(?P=__prefix)conn=(?P=_conn_) op=\d+ RESULT(?:\s(?!err)\S+=\S*)* err=49 text=[\w\s]*$ ignoreregex = [Init] # "maxlines" is number of log lines to buffer for multi-line regex searches maxlines = 20 # Author: Andrii Melnyk filter.d/squirrelmail.conf000066600000000307150471307110011636 0ustar00 [Definition] failregex = ^ \[LOGIN_ERROR\].*from : Unknown user or password incorrect\.$ ignoreregex = [Init] datepattern = ^%%m/%%d/%%Y %%H:%%M:%%S # DEV NOTES: # # Author: Daniel Black filter.d/sendmail-auth.conf000066600000000512150471307110011656 0ustar00# Fail2Ban filter for sendmail authentication failures # [INCLUDES] before = common.conf [Definition] _daemon = (?:sm-(mta|acceptingconnections)) failregex = ^%(__prefix_line)s\w{14}: (\S+ )?\[\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$ ignoreregex = # DEV Notes: # # Author: Daniel Black filter.d/apache-shellshock.conf000066600000001766150471307110012515 0ustar00# Fail2Ban filter to block web requests containing custom headers attempting to exploit the shellshock bug # # [INCLUDES] # overwrite with apache-common.local if _apache_error_client is incorrect. before = apache-common.conf [Definition] failregex = ^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: warning: HTTP_.*?: ignoring function definition attempt(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01215: )?/bin/(ba)?sh: error importing function definition for `HTTP_.*?'(, referer: \S+)?\s*$ ignoreregex = # DEV Notes: # # https://wiki.apache.org/httpd/ListOfErrors for apache error IDs # # example log lines: # [Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt # [Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST' # # Author: Eugene Hopkinson (riot@riot.so) filter.d/directadmin.conf000066600000000531150471307110011407 0ustar00# Fail2Ban configuration file for Directadmin # # # [INCLUDES] before = common.conf [Definition] failregex = ^: \'\' \d{1,3} failed login attempt(s)?. \s* ignoreregex = [Init] datepattern = ^%%Y:%%m:%%d-%%H:%%M:%%S # # Requires Directadmin v1.45.3 or higher. http://www.directadmin.com/features.php?id=1590 # # Author: Cyril Roos filter.d/apache-noscript.conf000066600000002243150471307110012206 0ustar00# Fail2Ban filter to block web requests for scripts (on non scripted websites) # # This matches many types of scripts that don't exist. This could generate a # lot of false positive matches in cases like wikis and forums where users # no affiliated with the website can insert links to missing files/scripts into # pages and cause non-malicious browsers of the site to trigger against this # filter. # # If you'd like to match specific URLs that don't exist see the # apache-botsearch filter. # [INCLUDES] # overwrite with apache-common.local if _apache_error_client is incorrect. before = apache-common.conf [Definition] failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): /\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)(, referer: \S+)?\s*$ ^%(_apache_error_client)s script '/\S*(php([45]|[.-]cgi)?|\.asp|\.exe|\.pl)\S*' not found or unable to stat(, referer: \S+)?\s*$ ignoreregex = # DEV Notes: # # https://wiki.apache.org/httpd/ListOfErrors for apache error IDs # # Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is in httpd-2.2 # # Author: Cyril Jaquier filter.d/asterisk.conf000066600000004613150471307110010756 0ustar00# Fail2Ban filter for asterisk authentication failures # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = asterisk __pid_re = (?:\[\d+\]) iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4} # All Asterisk log messages begin like this: log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])? [^:]+:\d*(?:(?: in)? \w+:)? failregex = ^%(__prefix_line)s%(log_prefix)s Registration from '[^']*' failed for '(:\d+)?' - (Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$ ^%(__prefix_line)s%(log_prefix)s Call from '[^']*' \(:\d+\) to extension '[^']*' rejected because extension not found in context ^%(__prefix_line)s%(log_prefix)s Host failed to authenticate as '[^']*'$ ^%(__prefix_line)s%(log_prefix)s No registration for peer '[^']*' \(from \)$ ^%(__prefix_line)s%(log_prefix)s Host failed MD5 authentication for '[^']*' \([^)]+\)$ ^%(__prefix_line)s%(log_prefix)s Failed to authenticate (user|device) [^@]+@\S*$ ^%(__prefix_line)s%(log_prefix)s hacking attempt detected ''$ ^%(__prefix_line)s%(log_prefix)s SecurityEvent="(FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",EventTV="([\d-]+|%(iso8601)s)",Severity="[\w]+",Service="[\w]+",EventVersion="\d+",AccountID="(\d*|)",SessionID=".+",LocalAddress="IPV[46]/(UDP|TCP|WS)/[\da-fA-F:.]+/\d+",RemoteAddress="IPV[46]/(UDP|TCP|WS)//\d+"(,Challenge="[\w/]+")?(,ReceivedChallenge="\w+")?(,Response="\w+",ExpectedResponse="\w*")?(,ReceivedHash="[\da-f]+")?(,ACLName="\w+")?$ ^%(__prefix_line)s%(log_prefix)s "Rejecting unknown SIP connection from "$ ^%(__prefix_line)s%(log_prefix)s Request (?:'[^']*' )?from '[^']*' failed for '(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$ ignoreregex = # Author: Xavier Devlamynck / Daniel Black # # General log format - main/logger.c:ast_log # Address format - ast_sockaddr_stringify # # First regex: channels/chan_sip.c # # main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog filter.d/solid-pop3d.conf000066600000002106150471307110011261 0ustar00# Fail2Ban filter for unsuccessful solid-pop3 authentication attempts # # Doesn't currently provide PAM support as PAM log messages don't include rhost as # remote IP. # [INCLUDES] before = common.conf [Definition] _daemon = solid-pop3d failregex = ^%(__prefix_line)sauthentication failed: (no such user|can't map user name): .*? - $ ^%(__prefix_line)s(APOP )?authentication failed for (mapped )?user .*? - $ ^%(__prefix_line)sroot login not allowed - $ ^%(__prefix_line)scan't find APOP secret for user .*? - $ ignoreregex = # DEV Notes: # # solid-pop3d needs to be compiled with --enable-logextend to support # IP addresses in log messages. # # solid-pop3d-0.15/src/main.c contains all authentication errors # except for PAM authentication messages ( src/authenticate.c ) # # A pam authentication failure message (note no IP for rhost). # Nov 17 23:17:50 emf1pt2-2-35-70 solid-pop3d[17176]: pam_unix(solid-pop3d:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=jacques # # Authors: Daniel Black filter.d/sieve.conf000066600000000563150471307110010244 0ustar00# Fail2Ban filter for sieve authentication failures # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = (?:cyrus/)?(?:tim)?sieved? failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[\] \S+ authentication failure$ ignoreregex = # Author: Jan Wagner filter.d/postfix-sasl.conf000066600000000742150471307110011564 0ustar00# Fail2Ban filter for postfix authentication failures # [INCLUDES] before = common.conf [Definition] _daemon = postfix(-\w+)?/(?:submission/|smtps/)?smtp[ds] failregex = ^%(__prefix_line)swarning: [-._\w]+\[\]: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed(:[ A-Za-z0-9+/:]*={0,2})?\s*$ ignoreregex = authentication failed: Connection lost to authentication server$ [Init] journalmatch = _SYSTEMD_UNIT=postfix.service # Author: Yaroslav Halchenko filter.d/groupoffice.conf000066600000000354150471307110011437 0ustar00# Fail2Ban filter for Group-Office # # Enable logging with: # $config['info_log']='/home/groupoffice/log/info.log'; # [Definition] failregex = ^\[\]LOGIN FAILED for user: "\S+" from IP: $ ignoreregex = # Author: Daniel Black filter.d/roundcube-auth.conf000066600000002527150471307110012060 0ustar00# Fail2Ban configuration file for roundcube web server # # By default failed logins are printed to 'errors'. The first regex matches those # The second regex matches those printed to 'userlogins' # The userlogins log file can be enabled by setting $config['log_logins'] = true; in config.inc.php # # The logpath in your jail can be updated to userlogins if you wish # [INCLUDES] before = common.conf [Definition] failregex = ^\s*(\[\])?(%(__hostname)s\s*(roundcube:)?\s*(<[\w]+>)? IMAP Error)?: (FAILED login|Login failed) for .*? from (\. .* in .*?/rcube_imap\.php on line \d+ \(\S+ \S+\))?$ ^\[\]:\s*(<[\w]+>)? Failed login for [\w\-\.\+]+(@[\w\-\.\+]+\.[a-zA-Z]{2,6})? from in session \w+( \(error: \d\))?$ ignoreregex = # DEV Notes: # # Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180 # # Part after comes straight from IMAP server up until the " in ....." # Earlier versions didn't log the IMAP response hence optional. # # DoS resistance: # # Assume that the user can inject "from " into the imap response # somehow. Write test cases around this to ensure that the combination of # arbitrary user input and IMAP response doesn't inject the wrong IP for # fail2ban # # Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black & Lee Clemens filter.d/postfix-rbl.conf000066600000000706150471307110011401 0ustar00# Fail2Ban filter for Postfix's RBL based Blocked hosts # # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = postfix(-\w+)?/smtpd failregex = ^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[\]: 454 4\.7\.1 Service unavailable; Client host \[\S+\] blocked using .* from=<\S*> to=<\S+> proto=ESMTP helo=<\S*>$ ignoreregex = # Author: Lee Clemens filter.d/monit.conf000066600000001405150471307110010253 0ustar00# Fail2Ban filter for monit.conf, looks for failed access attempts # # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = monit # Regexp for previous (accessing monit httpd) and new (access denied) versions failregex = ^\[[A-Z]+\s+\]\s*error\s*:\s*Warning:\s+Client '' supplied (?:unknown user '[^']+'|wrong password for user '[^']*') accessing monit httpd$ ^%(__prefix_line)s\w+: access denied -- client : (?:unknown user '[^']+'|wrong password for user '[^']*'|empty password)$ # Ignore login with empty user (first connect, no user specified) # ignoreregex = %(__prefix_line)s\w+: access denied -- client : (?:unknown user '') ignoreregex = filter.d/xinetd-fail.conf000066600000000767150471307110011343 0ustar00# Fail2Ban filter for xinetd failures # # Cfr.: /var/log/(daemon\.|sys)log # # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = xinetd failregex = ^%(__prefix_line)sFAIL: \S+ address from=$ ^%(__prefix_line)sFAIL: \S+ libwrap from=$ ignoreregex = # DEV Notes: # # libwrap => tcp wrappers: hosts.(allow|deny) # address => xinetd: deny_from|only_from # # Author: Guido Bozzetto filter.d/apache-botsearch.conf000066600000002371150471307110012321 0ustar00# Fail2Ban filter to match web requests for selected URLs that don't exist # # This filter is aimed at blocking specific URLs that don't exist. This # could be a set of URLs places in a Disallow: directive in robots.txt or # just some web services that don't exist caused bots are searching for # exploitable content. This filter is designed to have a low false postitive # rate due. # # An alternative to this is the apache-noscript filter which blocks all # types of scripts that don't exist. # # # This is normally a predefined list of exploitable or valuable web services # that are hidden or aren't actually installed. # [INCLUDES] # overwrite with apache-common.local if _apache_error_client is incorrect. # Load regexes for filtering from botsearch-common.conf before = apache-common.conf botsearch-common.conf [Definition] failregex = ^%(_apache_error_client)s ((AH001(28|30): )?File does not exist|(AH01264: )?script not found or unable to stat): (, referer: \S+)?\s*$ ^%(_apache_error_client)s script '' not found or unable to stat(, referer: \S+)?\s*$ ignoreregex = [Init] # Webroot represents the webroot on which all other files are based webroot = /var/www/ # DEV Notes: # # Author: Daniel Blackfilter.d/named-refused.conf000066600000003072150471307110011646 0ustar00# Fail2Ban filter file for named (bind9). # # This filter blocks attacks against named (bind9) however it requires special # configuration on bind. # # By default, logging is off with bind9 installation. # # You will need something like this in your named.conf to provide proper logging. # # logging { # channel security_file { # file "/var/log/named/security.log" versions 3 size 30m; # severity dynamic; # print-time yes; # }; # category security { # security_file; # }; # }; [Definition] # Daemon name _daemon=named # Shortcuts for easier comprehension of the failregex __pid_re=(?:\[\d+\]) __daemon_re=\(?%(_daemon)s(?:\(\S+\))?\)?:? __daemon_combs_re=(?:%(__pid_re)s?:\s+%(__daemon_re)s|%(__daemon_re)s%(__pid_re)s?:) # hostname daemon_id spaces # this can be optional (for instance if we match named native log files) __line_prefix=(?:\s\S+ %(__daemon_combs_re)s\s+)? failregex = ^%(__line_prefix)s( error:)?\s*client #\S+( \([\S.]+\))?: (view (internal|external): )?query(?: \(cache\))? '.*' denied\s*$ ^%(__line_prefix)s( error:)?\s*client #\S+( \([\S.]+\))?: zone transfer '\S+/AXFR/\w+' denied\s*$ ^%(__line_prefix)s( error:)?\s*client #\S+( \([\S.]+\))?: bad zone transfer request: '\S+/IN': non-authoritative zone \(NOTAUTH\)\s*$ ignoreregex = # DEV Notes: # Trying to generalize the # structure which is general to capture general patterns in log # lines to cover different configurations/distributions # # Author: Yaroslav Halchenko filter.d/apache-fakegooglebot.conf000066600000000414150471307110013153 0ustar00# Fail2Ban filter for fake Googlebot User Agents [Definition] failregex = ^ .*Googlebot.*$ ignoreregex = # DEV Notes: # # Author: Lee Clemens # Thanks: Johannes B. Ullrich, Ph.D. # Reference: https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/ filter.d/wuftpd.conf000066600000001010150471307110010426 0ustar00# Fail2Ban configuration file for wuftpd # # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = wu-ftpd __pam_re=\(?%(__pam_auth)s(?:\(wu-ftpd:auth\))?\)?:? failregex = ^%(__prefix_line)sfailed login from \S+ \[\]\s*$ ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=(?:\s+user=.*)?\s*$ ignoreregex = # Author: Yaroslav Halchenko filter.d/tine20.conf000066600000001465150471307110010234 0ustar00# Fail2Ban filter for Tine 2.0 authentication # # Enable logging with: # $config['info_log']='/var/log/tine20/tine20.log'; # [Definition] failregex = ^[\da-f]{5,} [\da-f]{5,} (-- none --|.*?)( \d+(\.\d+)?(h|m|s|ms)){0,2} - WARN \(\d+\): Tinebase_Controller::login::\d+ Login with username .*? from failed \(-[13]\)!$ ignoreregex = # Author: Mika (mkl) from Tine20.org forum: https://www.tine20.org/forum/viewtopic.php?f=2&t=15688&p=54766 # Editor: Daniel Black # Advisor: Lars Kneschke # # Usernames can contain spaces. # # Authentication: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Controller.php#l105 # Logger: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Log/Formatter.php # formatMicrotimeDiff: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Helper.php#l276 filter.d/webmin-auth.conf000066600000000674150471307110011354 0ustar00# Fail2Ban filter for webmin # [INCLUDES] before = common.conf [Definition] _daemon = webmin failregex = ^%(__prefix_line)sNon-existent login as .+ from \s*$ ^%(__prefix_line)sInvalid login as .+ from \s*$ ignoreregex = # DEV Notes: # # pattern : webmin[15673]: Non-existent login as toto from 86.0.6.217 # webmin[29544]: Invalid login as root from 86.0.6.217 # # Rule Author: Delvit Guillaume filter.d/apache-nohome.conf000066600000001124150471307110011627 0ustar00# Fail2Ban filter to web requests for home directories on Apache servers # # Regex to match failures to find a home directory on a server, which # became popular last days. Most often attacker just uses IP instead of # domain name -- so expect to see them in generic error.log if you have # per-domain log files. [INCLUDES] # overwrite with apache-common.local if _apache_error_client is incorrect. before = apache-common.conf [Definition] failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.* ignoreregex = # Author: Yaroslav O. Halchenko filter.d/apache-common.conf000066600000001455150471307110011641 0ustar00# Generic configuration items (to be used as interpolations) in other # apache filters. [INCLUDES] # Load customizations if any available after = apache-common.local [DEFAULT] _apache_error_client = \[\] \[(:?error|\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client (:\d{1,5})?\] # Common prefix for [error] apache messages which also would include # Depending on the version it could be # 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4] # 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652] # 2.4 (perfork): [Mon Dec 23 07:49:01.981912 2013] [:error] [pid 3790] [client 204.232.202.107:46301] script '/var/www/timthumb.php' not found or unable to # # Reference: https://github.com/fail2ban/fail2ban/issues/268 # # Author: Yaroslav Halchenko filter.d/portsentry.conf000066600000000274150471307110011361 0ustar00# Fail2Ban filter for failure attempts in Counter Strike-1.6 # # [Definition] failregex = \/ Port\: [0-9]+ (TCP|UDP) Blocked$ ignoreregex = # Author: Pacop filter.d/screensharingd.conf000066600000001465150471307110012132 0ustar00# Fail2Ban configuration file # # Author: Simon Brown # # Filter for Mac OS X Screen Sharing service [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = screensharingd # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = ^%(__prefix_line)sAuthentication: FAILED :: User Name: .+ :: Viewer Address: :: Type: DH$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = filter.d/apache-auth.conf000066600000006251150471307110011311 0ustar00# Fail2Ban apache-auth filter # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # apache-common.local before = apache-common.conf [Definition] failregex = ^%(_apache_error_client)s (AH(01797|01630): )?client denied by server configuration: (uri )?\S*(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01617: )?user .*? authentication failure for "\S*": Password Mismatch(, referer: \S+)?$ ^%(_apache_error_client)s (AH01618: )?user .*? not found(: )?\S*(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01614: )?client used wrong authentication scheme: \S*(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH\d+: )?Authorization of user \S+ to access \S* failed, reason: .*$ ^%(_apache_error_client)s (AH0179[24]: )?(Digest: )?user .*?: password mismatch: \S*(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH0179[01]: |Digest: )user `.*?' in realm `.+' (not found|denied by provider): \S*(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01631: )?user .*?: authorization failure for "\S*":(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01775: )?(Digest: )?invalid nonce .* received - length is not \S+(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01788: )?(Digest: )?realm mismatch - got `.*?' but expected `.+'(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01789: )?(Digest: )?unknown algorithm `.*?' received: \S*(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01793: )?invalid qop `.*?' received: \S*(, referer: \S+)?\s*$ ^%(_apache_error_client)s (AH01777: )?(Digest: )?invalid nonce .*? received - user attempted time travel(, referer: \S+)?\s*$ ignoreregex = # DEV Notes: # # This filter matches the authorization failures of Apache. It takes the log messages # from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or # HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR. # # An unauthorized response 401 is the first step for a browser to instigate authentication # however apache doesn't log this as an error. Only subsequent errors are logged in the # error log. # # Source: # # By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/* # for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get # all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core # to return the actual failure. # # See also: http://wiki.apache.org/httpd/ListOfErrors # Expressions that don't have tests and aren't common. # more be added with https://issues.apache.org/bugzilla/show_bug.cgi?id=55284 # ^%(_apache_error_client)s (AH01778: )?user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$ # ^%(_apache_error_client)s (AH01779: )?user .*: one-time-nonce mismatch - sending new nonce\s*$ # ^%(_apache_error_client)s (AH02486: )?realm mismatch - got `.*' but no realm specified\s*$ # # referer is always in error log messages if it exists added as per the log_error_core function in server/log.c # # Author: Cyril Jaquier # Major edits by Daniel Black filter.d/apache-pass.conf000066600000000532150471307110011312 0ustar00# Fail2Ban Apache pass filter # This filter is for access.log, NOT for error.log # # The knocking request must have a referer. [INCLUDES] before = apache-common.conf [Definition] failregex = ^ - \w+ \[\] "GET HTTP/1\.[01]" 200 \d+ ".*" "[^-].*"$ ignoreregex = [Init] knocking_url = /knocking/ # Author: Viktor Szépe filter.d/perdition.conf000066600000001070150471307110011120 0ustar00# Fail2Ban filter for perdition # # [INCLUDES] before = common.conf [Definition] _daemon=perdition.\S+ failregex = ^%(__prefix_line)sAuth: :\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$ ^%(__prefix_line)sFatal Error reading authentication information from client :\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$ ignoreregex = # Author: Christophe Carles and Daniel Black filter.d/courier-smtp.conf000066600000000752150471307110011562 0ustar00# Fail2Ban filter to block relay attempts though a Courier smtp server # # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = courieresmtpd failregex = ^%(__prefix_line)serror,relay=,.*: 550 User (<.*> )?unknown\.?$ ^%(__prefix_line)serror,relay=,msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?(?: \S+)$ ignoreregex = # Author: Cyril Jaquier filter.d/dropbear.conf000066600000003240150471307110010722 0ustar00# Fail2Ban filter for dropbear # # NOTE: The regex below is ONLY intended to work with a patched # version of Dropbear as described here: # http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches # ^%(__prefix_line)sexit before auth from .*\s*$ # # The standard Dropbear output doesn't provide enough information to # ban all types of attack. The Dropbear patch adds IP address # information to the 'exit before auth' message which is always # produced for any form of non-successful login. It is that message # which this file matches. # # More information: http://bugs.debian.org/546913 [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = dropbear failregex = ^%(__prefix_line)s[Ll]ogin attempt for nonexistent user ('.*' )?from :\d+$ ^%(__prefix_line)s[Bb]ad (PAM )?password attempt for .+ from (:\d+)?$ ^%(__prefix_line)s[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from :\d+\s*$ ignoreregex = # DEV Notes: # # The first two regexs here match the unmodified dropbear messages. It isn't # possible to match the source of the 'exit before auth' messages from dropbear # as they don't include the "from " bit. # # The second last failregex line we need to match with the modified dropbear. # # For the second regex the following apply: # # http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c # http://svn.dd-wrt.com/changeset/16642#file64 # # http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c # # Author: Francis Russell # Zak B. Elep filter.d/mysqld-auth.conf000066600000001573150471307110011403 0ustar00# Fail2Ban filter for unsuccesfull MySQL authentication attempts # # # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]: # log-error=/var/log/mysqld.log # log-warning = 2 # # If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = mysqld failregex = ^%(__prefix_line)s(?:\d+ |\d{6} \s?\d{1,2}:\d{2}:\d{2} )?\[\w+\] Access denied for user '[^']+'@'' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$ ignoreregex = # DEV Notes: # # Technically __prefix_line can equate to an empty string hence it can support # syslog and non-syslog at once. # Example: # 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES) # # Authors: Artur Penttinen # Yaroslav O. Halchenko filter.d/selinux-ssh.conf000066600000001072150471307110011407 0ustar00# Fail2Ban configuration file for SELinux ssh authentication errors # [INCLUDES] after = selinux-common.conf [Definition] _type = USER_(ERR|AUTH) _uid = 0 _auid = \d+ _subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023 _exe =/usr/sbin/sshd _terminal = ssh _msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr= terminal=%(_terminal)s res=failed # DEV Notes: # # Note: USER_LOGIN is ignored as this is the duplicate messsage # ssh logs after 3 USER_AUTH failures. # # Author: Daniel Black filter.d/apache-overflows.conf000066600000003720150471307110012374 0ustar00# Fail2Ban filter to block web requests on a long or suspicious nature # [INCLUDES] # overwrite with apache-common.local if _apache_error_client is incorrect. before = apache-common.conf [Definition] failregex = ^%(_apache_error_client)s ((AH0013[456]: )?Invalid (method|URI) in request .*( - possible attempt to establish SSL connection on non-SSL port)?|(AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string: .*|AH00566: request failed: invalid characters in URI)(, referer: \S+)?$ ignoreregex = # DEV Notes: # # fgrep -r 'URI too long' httpd-2.* # httpd-2.2.25/server/protocol.c: "request failed: URI too long (longer than %d)", r->server->limit_req_line); # httpd-2.4.4/server/protocol.c: "request failed: URI too long (longer than %d)", # # fgrep -r 'in request' ../httpd-2.* | fgrep Invalid # httpd-2.2.25/server/core.c: "Invalid URI in request %s", r->the_request); # httpd-2.2.25/server/core.c: "Invalid method in request %s", r->the_request); # httpd-2.2.25/docs/manual/rewrite/flags.html.fr:avertissements 'Invalid URI in request'. # httpd-2.4.4/server/core.c: "Invalid URI in request %s", r->the_request); # httpd-2.4.4/server/core.c: "Invalid method in request %s - possible attempt to establish SSL connection on non-SSL port", r->the_request); # httpd-2.4.4/server/core.c: "Invalid method in request %s", r->the_request); # # fgrep -r 'invalid characters in URI' httpd-2.* # httpd-2.4.4/server/protocol.c: "request failed: invalid characters in URI"); # # http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=739382&r2=739620&pathrev=739620 # ...possible attempt to establish SSL connection on non-SSL port # # https://wiki.apache.org/httpd/ListOfErrors # Author: Tim Connors filter.d/proftpd.conf000066600000002300150471307110010576 0ustar00# Fail2Ban fitler for the Proftpd FTP daemon # # Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS. # See: http://www.proftpd.org/docs/howto/DNS.html # When the default locale for your system is not en_US.UTF-8 # on Debian-based systems be sure to add this to /etc/default/proftpd # export LC_TIME="en_US.UTF-8" [INCLUDES] before = common.conf [Definition] _daemon = proftpd __suffix_failed_login = (User not authorized for login|No such user found|Incorrect password|Password expired|Account disabled|Invalid shell: '\S+'|User in \S+|Limit (access|configuration) denies login|Not a UserAlias|maximum login length exceeded).? failregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ USER .*: no such user found from \S+ \[\S+\] to \S+:\S+ *$ ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ USER .* \(Login failed\): %(__suffix_failed_login)s\s*$ ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ SECURITY VIOLATION: .* login attempted\. *$ ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ Maximum login attempts \(\d+\) exceeded *$ ignoreregex = # Author: Yaroslav Halchenko # Daniel Black - hardening of regex filter.d/botsearch-common.conf000066600000001010150471307110012355 0ustar00# Generic configuration file for -botsearch filters [Init] # Block is the actual non-found directories to block block = \/?(|||cgi-bin|mysqladmin)[^,]* # These are just convient definitions that assist the blocking of stuff that # isn't installed webmail = roundcube|(ext)?mail|horde|(v-?)?webmail phpmyadmin = (typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin) wordpress = wp-(login|signup|admin)\.php # DEV Notes: # Taken from apache-botsearch filter # # Author: Frantisek Sumsal filter.d/cyrus-imap.conf000066600000000673150471307110011224 0ustar00# Fail2Ban filter for authentication failures on Cyrus imap server # # # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = (?:cyrus/)?(?:imap(d|s)?|pop3(d|s)?) failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$ ignoreregex = # Author: Jan Wagner filter.d/exim-spam.conf000066600000004156150471307110011033 0ustar00# Fail2Ban filter for exim the spam rejection messages # # Honeypot traps are very useful for fighting spam. You just activate an email # address on your domain that you do not intend to use at all, and that normal # people do not risk to try for contacting you. It may be something that # spammers often test. You can also hide the address on a web page to be picked # by spam spiders. Or simply parse your mail logs for an invalid address # already being frequently targeted by spammers. Enable the address and # redirect it to the blackhole. In Exim's alias file, you would add the # following line (assuming the address is honeypot@yourdomain.com): # # honeypot: :blackhole: # # For the SA: Action: silently tossed message... to be logged exim's SAdevnull option needs to be used. # # To this filter use the jail.local should contain in the right jail: # # filter = exim-spam[honeypot=honeypot@yourdomain.com] # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # exim-common.local before = exim-common.conf [Definition] failregex = ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$ ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$ ^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$ ^%(pid)s \S+ SA: Action: flagged as Spam but accepted: score=\d+\.\d+ required=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=\S+ \[\]\) for $ ^%(pid)s \S+ SA: Action: silently tossed message: score=\d+\.\d+ required=\d+\.\d+ trigger=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=(\S+ )?\[\]\) for \S+$ ignoreregex = [Init] # Option: honeypot # Notes.: honeypot is an email address that isn't published anywhere that a # legitimate email sender would send email too. # Values: email address honeypot = trap@example.com # DEV Notes: # The %(host_info) defination contains a match # # Author: Cyril Jaquier # Daniel Black (rewrote with strong regexs) filter.d/froxlor-auth.conf000066600000002271150471307110011561 0ustar00# Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s) # # Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages # Froxlor: [Login Action ] Unknown user '' tried to login. # Froxlor: [Login Action ] User '' tried to login with wrong password. # # Author: Joern Muehlencord # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = Froxlor # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # failregex = ^%(__prefix_line)s\[Login Action \] Unknown user \S* tried to login.$ ^%(__prefix_line)s\[Login Action \] User \S* tried to login with wrong password.$ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = filter.d/stunnel.conf000066600000000553150471307110010620 0ustar00# Fail2ban filter for stunnel [Definition] failregex = ^ LOG\d\[\d+:\d+\]:\ SSL_accept from :\d+ : (?P[\dA-F]+): error:(?P=CODE):SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate$ ignoreregex = # DEV NOTES: # # Author: Daniel Black # # Based off: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#stunnel4 filter.d/nginx-limit-req.conf000066600000002623150471307110012154 0ustar00# Fail2ban filter configuration for nginx :: limit_req # used to ban hosts, that were failed through nginx by limit request processing rate # # Author: Serg G. Brester (sebres) # # To use 'nginx-limit-req' filter you should have `ngx_http_limit_req_module` # and define `limit_req` and `limit_req_zone` as described in nginx documentation # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html # # Example: # # http { # ... # limit_req_zone $binary_remote_addr zone=lr_zone:10m rate=1r/s; # ... # # http, server, or location: # location ... { # limit_req zone=lr_zone burst=1 nodelay; # ... # } # ... # } # ... # [Definition] # Specify following expression to define exact zones, if you want to ban IPs limited # from specified zones only. # Example: # # ngx_limit_req_zones = lr_zone|lr_zone2 # ngx_limit_req_zones = [^"]+ # Use following full expression if you should range limit request to specified # servers, requests, referrers etc. only : # # failregex = ^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: , server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$ # Shortly, much faster and stable version of regexp: failregex = ^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: ignoreregex = filter.d/openhab.conf000066600000000713150471307110010542 0ustar00# Openhab brute force auth filter: /etc/fail2ban/filter.d/openhab.conf: # # Block IPs trying to auth openhab by web or rest api # # Matches e.g. # 12.34.33.22 - - [26/sept./2015:18:04:43 +0200] "GET /openhab.app HTTP/1.1" 401 1382 # 175.18.15.10 - - [02/sept./2015:00:11:31 +0200] "GET /rest/bindings HTTP/1.1" 401 1384 [Definition] failregex = ^\s+-\s+-\s+\[\]\s+"[A-Z]+ .*" 401 \d+\s*$ [Init] datepattern = %%d/%%b[^/]*/%%Y:%%H:%%M:%%S %%z filter.d/nagios.conf000066600000000620150471307110010403 0ustar00# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2) # Detecting unauthorized access to the nrpe2 daemon # typically logged in /var/log/messages syslog # [INCLUDES] # Read syslog common prefixes before = common.conf [Definition] _daemon = nrpe failregex = ^%(__prefix_line)sHost is not allowed to talk to us!\s*$ ignoreregex = # DEV Notes: # # Author: Ivo Truxa - 2014/02/03 filter.d/squid.conf000066600000000316150471307110010252 0ustar00# Fail2Ban filter for Squid attempted proxy bypasses # # [Definition] failregex = ^\s+\d\s\s+[A-Z_]+_DENIED/403 .*$ ^\s+\d\s\s+NONE/405 .*$ ignoreregex = # Author: Daniel Black filter.d/gssftpd.conf000066600000000502150471307110010574 0ustar00# Fail2Ban filter file for gssftp # # Note: gssftp is part of the krb5-appl-servers in Fedora # [INCLUDES] before = common.conf [Definition] _daemon = ftpd failregex = ^%(__prefix_line)srepeated login failures from \(\S+\)$ ignoreregex = # Author: Kevin Zembower # Edited: Daniel Black - syslog based daemon filter.d/nginx-http-auth.conf000066600000000672150471307110012171 0ustar00# fail2ban filter configuration for nginx [Definition] failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: , server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$ ignoreregex = # DEV NOTES: # Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files # Extensive search of all nginx auth failures not done yet. # # Author: Daniel Black filter.d/openwebmail.conf000066600000000757150471307110011440 0ustar00# Fail2Ban filter for Openwebmail # banning hosts with authentication errors in /var/log/openwebmail.log # OpenWebMail http://openwebmail.org # [Definition] failregex = ^ - \[\d+\] \(\) (?P\S+) - login error - (no such user - loginname=(?P=USER)|auth_unix.pl, ret -4, Password incorrect)$ ^ - \[\d+\] \(\) (?P\S+) - userinfo error - auth_unix.pl, ret -4, User (?P=USER) doesn't exist$ ignoreregex = # DEV Notes: # # Author: Ivo Truxa (c) 2013 truXoft.com filter.d/exim-common.conf000066600000000647150471307110011364 0ustar00# Fail2Ban filter file for common exim expressions # # This is to be used by other exim filters [INCLUDES] # Load customizations if any available after = exim-common.local [Definition] host_info = (?:H=([\w.-]+ )?(?:\(\S+\) )?)?\[\](?::\d+)? (?:I=\[\S+\](:\d+)? )?(?:U=\S+ )?(?:P=e?smtp )? pid = (?: \[\d+\])? # DEV Notes: # From exim source code: ./src/receive.c:add_host_info_for_log # # Author: Daniel Black filter.d/qmail.conf000066600000001433150471307110010231 0ustar00# Fail2Ban filters for qmail RBL patches/fake proxies # # the default djb RBL implementation doesn't log any rejections # so is useless with this filter. # # One patch is here: # # http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd [INCLUDES] before = common.conf [Definition] _daemon = (?:qmail|rblsmtpd) failregex = ^%(__prefix_line)s\d+\.\d+ rblsmtpd: pid \d+ \S+ 4\d\d \S+\s*$ ^%(__prefix_line)s\d+\.\d+ qmail-smtpd: 4\d\d badiprbl: ip rbl: \S+\s*$ ^%(__prefix_line)s\S+ blocked \S+ -\s*$ ignoreregex = # DEV Notes: # # These seem to be for two or 3 different patches to qmail or rblsmtpd # so you'll probably only ever see one of these regex's that match. # # ref: https://github.com/fail2ban/fail2ban/pull/386 # # Author: Daniel Black filter.d/ejabberd-auth.conf000066600000002402150471307110011620 0ustar00# Fail2Ban configuration file # # Author: Steven Hiscocks # # [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Multiline regexs should use tag "" to separate lines. # This allows lines between the matching lines to continue to be # searched for other failures. This tag can be used multiple times. # Values: TEXT # failregex = ^=INFO REPORT==== ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for .+ from IP \({{(?:\d+,){3}\d+},\d+}\)$ ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:wait_for_feature_request:\d+ \([^\)]+\) Failed authentication for \S+ from IP $ # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex = [Init] # "maxlines" is number of log lines to buffer for multi-line regex searches maxlines = 2 # Option: journalmatch # Notes.: systemd journalctl style match filter for journal based backend # Values: TEXT # journalmatch = filter.d/sshd-ddos.conf000066600000001371150471307110011017 0ustar00# Fail2Ban ssh filter for at attempted exploit # # The regex here also relates to a exploit: # # http://www.securityfocus.com/bid/17958/exploit # The example code here shows the pushing of the exploit straight after # reading the server version. This is where the client version string normally # pushed. As such the server will read this unparsible information as # "Did not receive identification string". [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = sshd failregex = ^%(__prefix_line)sDid not receive identification string from \s*$ ignoreregex = [Init] journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd # Author: Yaroslav Halchenko filter.d/counter-strike.conf000066600000000374150471307110012107 0ustar00# Fail2Ban filter for failure attempts in Counter Strike-1.6 # # [Definition] failregex = ^: Bad Rcon: "rcon \d+ "\S+" sv_contact ".*?"" from ":\d+"$ ignoreregex = [Init] datepattern = ^L %%d/%%m/%%Y - %%H:%%M:%%S # Author: Daniel Black filter.d/3proxy.conf000066600000000672150471307110010376 0ustar00# Fail2Ban filter for 3proxy # # [Definition] failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ :\d+ [\d.]+:\d+ \d+ \d+ \d+\s ignoreregex = # DEV Notes: # http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are # all authentication problems (%E field) # Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T" # # Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246 # Author: Daniel Black paths-common.conf000066600000004507150471307110010031 0ustar00# Common # [INCLUDES] after = paths-overrides.local [DEFAULT] default_backend = auto sshd_log = %(syslog_authpriv)s sshd_backend = %(default_backend)s dropbear_log = %(syslog_authpriv)s dropbear_backend = %(default_backend)s # There is no sensible generic defaults for syslog log targets, thus # leaving them empty here so that no errors while parsing/interpolating configs syslog_daemon = syslog_ftp = syslog_local0 = syslog_mail_warn = syslog_user = # Set the default syslog backend target to default_backend syslog_backend = %(default_backend)s # from /etc/audit/auditd.conf auditd_log = /var/log/audit/audit.log exim_main_log = /var/log/exim/mainlog nginx_error_log = /var/log/nginx/*error.log nginx_access_log = /var/log/nginx/*access.log lighttpd_error_log = /var/log/lighttpd/error.log # http://www.hardened-php.net/suhosin/configuration.html#suhosin.log.syslog.facility # syslog_user is the default. Lighttpd also hooks errors into its log. suhosin_log = %(syslog_user)s %(lighttpd_error_log)s # defaults to ftp or local2 if ftp doesn't exist proftpd_log = %(syslog_ftp)s proftpd_backend = %(default_backend)s # http://svnweb.freebsd.org/ports/head/ftp/proftpd/files/patch-src_proftpd.8.in?view=markup # defaults to ftp but can be overwritten. pureftpd_log = %(syslog_ftp)s pureftpd_backend = %(default_backend)s # ftp, daemon and then local7 are tried at configure time however it is overwriteable at configure time # wuftpd_log = %(syslog_ftp)s wuftpd_backend = %(default_backend)s # syslog_enable defaults to no. so it defaults to vsftpd_log_file setting of /var/log/vsftpd.log # No distro seems to set it to syslog by default # If syslog set it defaults to ftp facility if exists at compile time otherwise falls back to daemonlog. vsftpd_log = /var/log/vsftpd.log # Technically syslog_facility in main.cf can overwrite but no-one sane does this. postfix_log = %(syslog_mail_warn)s postfix_backend = %(default_backend)s dovecot_log = %(syslog_mail_warn)s dovecot_backend = %(default_backend)s # Seems to be set at compile time only to LOG_LOCAL0 (src/const.h) at Notice level solidpop3d_log = %(syslog_local0)s mysql_log = %(syslog_daemon)s mysql_backend = %(default_backend)s roundcube_errors_log = /var/log/roundcube/errors # Directory with ignorecommand scripts ignorecommands_dir = /etc/fail2ban/filter.d/ignorecommands action.d/sendmail-whois-ipmatches.conf000066600000001716150471307110014020 0ustar00# Fail2Ban configuration file # # Author: Cyril Jaquier # # [INCLUDES] before = sendmail-common.conf [Definition] # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = printf %%b "Subject: [Fail2Ban] : banned from `uname -n` Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` From: <> To: \n Hi,\n The IP has just been banned by Fail2Ban after attempts against .\n\n Here is more information about :\n `/usr/bin/whois `\n\n Matches with failures IP:\n \n\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f [Init] # Default name of the chain # name = default action.d/nsupdate.conf000066600000006112150471307110010740 0ustar00# Fail2Ban configuration file # # Author: Andrew St. Jean # # Use nsupdate to perform dynamic DNS updates on a BIND zone file. # One may want to do this to update a local RBL with banned IP addresses. # # Options # # domain DNS domain that will appear in nsupdate add and delete # commands. # # ttl The time to live (TTL) in seconds of the TXT resource # record. # # rdata Data portion of the TXT resource record. # # nsupdatecmd Full path to the nsupdate command. # # keyfile Full path to TSIG key file used for authentication between # nsupdate and BIND. # # Create an nsupdate.local to set at least the and # options as they don't have default values. # # The ban and unban commands assume nsupdate will authenticate to the BIND # server using a TSIG key. The full path to the key file must be specified # in the parameter. Use this command to generate your TSIG key. # # dnssec-keygen -a HMAC-MD5 -b 256 -n HOST # # Replace with some meaningful name. # # This command will generate two files. Specify the .private file in the # option. Note that the .key file must also be present in the same # directory for nsupdate to use the key. # # Don't forget to add the key and appropriate allow-update or update-policy # option to your named.conf file. # [Definition] # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # actionstart = # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = echo | awk -F. '{print "prereq nxrrset "$4"."$3"."$2"."$1". TXT"; print "update add "$4"."$3"."$2"."$1". IN TXT \"\""; print "send"}' | -k # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = echo | awk -F. '{print "update delete "$4"."$3"."$2"."$1"."; print "send"}' | -k [Init] # Option: domain # Notes.: DNS domain that nsupdate will update. # Values: STRING # domain = # Option: ttl # Notes.: time to live (TTL) in seconds of TXT resource record # added by nsupdate. # Values: NUM # ttl = 60 # Option: rdata # Notes.: data portion of the TXT resource record added by nsupdate. # Values: STRING # rdata = Your IP has been banned # Option: nsupdatecmd # Notes.: specifies the full path to the nsupdate program that dynamically # updates BIND zone files. # Values: CMD # nsupdatecmd = /usr/bin/nsupdate # Option: keyfile # Notes.: specifies the full path to the file containing the # TSIG key for communicating with BIND. # Values: STRING # keyfile = action.d/sendmail-whois-lines.conf000066600000002267150471307110013157 0ustar00# Fail2Ban configuration file # # Author: Cyril Jaquier # # [INCLUDES] before = sendmail-common.conf [Definition] # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = printf %%b "Subject: [Fail2Ban] : banned from `uname -n` Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` From: <> To: \n Hi,\n The IP has just been banned by Fail2Ban after attempts against .\n\n Here is more information about :\n `/usr/bin/whois || echo missing whois program`\n\n Lines containing IP: in \n `grep -E '(^|[^0-9])([^0-9]|$)' `\n\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f [Init] # Default name of the chain # name = default # Path to the log files which contain relevant lines for the abuser IP # logpath = /dev/null # Number of log lines to include in the email # grepopts = -m 1000 action.d/mail-whois-lines.conf000066600000003773150471307110012310 0ustar00# Fail2Ban configuration file # # Author: Cyril Jaquier # Modified-By: Yaroslav Halchenko to include grepping on IP over log files # [INCLUDES] before = mail-whois-common.conf [Definition] # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # actionstart = printf %%b "Hi,\n The jail has been started successfully.\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : started on `uname -n`" # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = printf %%b "Hi,\n The jail has been stopped.\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : stopped on `uname -n`" # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = printf %%b "Hi,\n The IP has just been banned by Fail2Ban after attempts against .\n\n Here is more information about :\n `%(_whois_command)s`\n\n Lines containing IP: in \n `grep -E '(^|[^0-9])([^0-9]|$)' `\n\n Regards,\n Fail2Ban"|mail -s "[Fail2Ban] : banned from `uname -n`" # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = [Init] # Default name of the chain # name = default # Destinataire of the mail # dest = root # Path to the log files which contain relevant lines for the abuser IP # logpath = /dev/null # Number of log lines to include in the email # grepopts = -m 1000 action.d/badips.py000066600000024574150471307110010076 0ustar00# emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*- # vi: set ft=python sts=4 ts=4 sw=4 noet : # This file is part of Fail2Ban. # # Fail2Ban is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # Fail2Ban is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Fail2Ban; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. import sys if sys.version_info < (2, 7): raise ImportError("badips.py action requires Python >= 2.7") import json import threading import logging if sys.version_info >= (3, ): from urllib.request import Request, urlopen from urllib.parse import urlencode from urllib.error import HTTPError else: from urllib2 import Request, urlopen, HTTPError from urllib import urlencode from fail2ban.server.actions import ActionBase class BadIPsAction(ActionBase): """Fail2Ban action which reports bans to badips.com, and also blacklist bad IPs listed on badips.com by using another action's ban method. Parameters ---------- jail : Jail The jail which the action belongs to. name : str Name assigned to the action. category : str Valid badips.com category for reporting failures. score : int, optional Minimum score for bad IPs. Default 3. age : str, optional Age of last report for bad IPs, per badips.com syntax. Default "24h" (24 hours) key : str, optional Key issued by badips.com to report bans, for later retrieval of personalised content. banaction : str, optional Name of banaction to use for blacklisting bad IPs. If `None`, no blacklist of IPs will take place. Default `None`. bancategory : str, optional Name of category to use for blacklisting, which can differ from category used for reporting. e.g. may want to report "postfix", but want to use whole "mail" category for blacklist. Default `category`. bankey : str, optional Key issued by badips.com to blacklist IPs reported with the associated key. updateperiod : int, optional Time in seconds between updating bad IPs blacklist. Default 900 (15 minutes) agent : str, optional User agent transmitted to server. Default `Fail2Ban/ver.` Raises ------ ValueError If invalid `category`, `score`, `banaction` or `updateperiod`. """ TIMEOUT = 10 _badips = "http://www.badips.com" def _Request(self, url, **argv): return Request(url, headers={'User-Agent': self.agent}, **argv) def __init__(self, jail, name, category, score=3, age="24h", key=None, banaction=None, bancategory=None, bankey=None, updateperiod=900, agent="Fail2Ban", timeout=TIMEOUT): super(BadIPsAction, self).__init__(jail, name) self.timeout = timeout self.agent = agent self.category = category self.score = score self.age = age self.key = key self.banaction = banaction self.bancategory = bancategory or category self.bankey = bankey self.updateperiod = updateperiod self._bannedips = set() # Used later for threading.Timer for updating badips self._timer = None def getCategories(self, incParents=False): """Get badips.com categories. Returns ------- set Set of categories. Raises ------ HTTPError Any issues with badips.com request. ValueError If badips.com response didn't contain necessary information """ try: response = urlopen( self._Request("/".join([self._badips, "get", "categories"])), timeout=self.timeout) except HTTPError as response: messages = json.loads(response.read().decode('utf-8')) self._logSys.error( "Failed to fetch categories. badips.com response: '%s'", messages['err']) raise else: response_json = json.loads(response.read().decode('utf-8')) if not 'categories' in response_json: err = "badips.com response lacked categories specification. Response was: %s" \ % (response_json,) self._logSys.error(err) raise ValueError(err) categories = response_json['categories'] categories_names = set( value['Name'] for value in categories) if incParents: categories_names.update(set( value['Parent'] for value in categories if "Parent" in value)) return categories_names def getList(self, category, score, age, key=None): """Get badips.com list of bad IPs. Parameters ---------- category : str Valid badips.com category. score : int Minimum score for bad IPs. age : str Age of last report for bad IPs, per badips.com syntax. key : str, optional Key issued by badips.com to fetch IPs reported with the associated key. Returns ------- set Set of bad IPs. Raises ------ HTTPError Any issues with badips.com request. """ try: url = "?".join([ "/".join([self._badips, "get", "list", category, str(score)]), urlencode({'age': age})]) if key: url = "&".join([url, urlencode({'key': key})]) response = urlopen(self._Request(url), timeout=self.timeout) except HTTPError as response: messages = json.loads(response.read().decode('utf-8')) self._logSys.error( "Failed to fetch bad IP list. badips.com response: '%s'", messages['err']) raise else: return set(response.read().decode('utf-8').split()) @property def category(self): """badips.com category for reporting IPs. """ return self._category @category.setter def category(self, category): if category not in self.getCategories(): self._logSys.error("Category name '%s' not valid. " "see badips.com for list of valid categories", category) raise ValueError("Invalid category: %s" % category) self._category = category @property def bancategory(self): """badips.com bancategory for fetching IPs. """ return self._bancategory @bancategory.setter def bancategory(self, bancategory): if bancategory not in self.getCategories(incParents=True): self._logSys.error("Category name '%s' not valid. " "see badips.com for list of valid categories", bancategory) raise ValueError("Invalid bancategory: %s" % bancategory) self._bancategory = bancategory @property def score(self): """badips.com minimum score for fetching IPs. """ return self._score @score.setter def score(self, score): score = int(score) if 0 <= score <= 5: self._score = score else: raise ValueError("Score must be 0-5") @property def banaction(self): """Jail action to use for banning/unbanning. """ return self._banaction @banaction.setter def banaction(self, banaction): if banaction is not None and banaction not in self._jail.actions: self._logSys.error("Action name '%s' not in jail '%s'", banaction, self._jail.name) raise ValueError("Invalid banaction") self._banaction = banaction @property def updateperiod(self): """Period in seconds between banned bad IPs will be updated. """ return self._updateperiod @updateperiod.setter def updateperiod(self, updateperiod): updateperiod = int(updateperiod) if updateperiod > 0: self._updateperiod = updateperiod else: raise ValueError("Update period must be integer greater than 0") def _banIPs(self, ips): for ip in ips: try: self._jail.actions[self.banaction].ban({ 'ip': ip, 'failures': 0, 'matches': "", 'ipmatches': "", 'ipjailmatches': "", }) except Exception as e: self._logSys.error( "Error banning IP %s for jail '%s' with action '%s': %s", ip, self._jail.name, self.banaction, e, exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG) else: self._bannedips.add(ip) self._logSys.info( "Banned IP %s for jail '%s' with action '%s'", ip, self._jail.name, self.banaction) def _unbanIPs(self, ips): for ip in ips: try: self._jail.actions[self.banaction].unban({ 'ip': ip, 'failures': 0, 'matches': "", 'ipmatches': "", 'ipjailmatches': "", }) except Exception as e: self._logSys.info( "Error unbanning IP %s for jail '%s' with action '%s': %s", ip, self._jail.name, self.banaction, e, exc_info=self._logSys.getEffectiveLevel()<=logging.DEBUG) else: self._logSys.info( "Unbanned IP %s for jail '%s' with action '%s'", ip, self._jail.name, self.banaction) finally: self._bannedips.remove(ip) def start(self): """If `banaction` set, blacklists bad IPs. """ if self.banaction is not None: self.update() def update(self): """If `banaction` set, updates blacklisted IPs. Queries badips.com for list of bad IPs, removing IPs from the blacklist if no longer present, and adds new bad IPs to the blacklist. """ if self.banaction is not None: if self._timer: self._timer.cancel() self._timer = None try: ips = self.getList( self.bancategory, self.score, self.age, self.bankey) # Remove old IPs no longer listed self._unbanIPs(self._bannedips - ips) # Add new IPs which are now listed self._banIPs(ips - self._bannedips) self._logSys.info( "Updated IPs for jail '%s'. Update again in %i seconds", self._jail.name, self.updateperiod) finally: self._timer = threading.Timer(self.updateperiod, self.update) self._timer.start() def stop(self): """If `banaction` set, clears blacklisted IPs. """ if self.banaction is not None: if self._timer: self._timer.cancel() self._timer = None self._unbanIPs(self._bannedips.copy()) def ban(self, aInfo): """Reports banned IP to badips.com. Parameters ---------- aInfo : dict Dictionary which includes information in relation to the ban. Raises ------ HTTPError Any issues with badips.com request. """ try: url = "/".join([self._badips, "add", self.category, aInfo['ip']]) if self.key: url = "?".join([url, urlencode({'key': self.key})]) response = urlopen(self._Request(url), timeout=self.timeout) except HTTPError as response: messages = json.loads(response.read().decode('utf-8')) self._logSys.error( "Response from badips.com report: '%s'", messages['err']) raise else: messages = json.loads(response.read().decode('utf-8')) self._logSys.info( "Response from badips.com report: '%s'", messages['suc']) Action = BadIPsAction action.d/firewallcmd-ipset.conf000066600000002772150471307110012540 0ustar00# Fail2Ban action file for firewall-cmd/ipset # # This requires: # ipset (package: ipset) # firewall-cmd (package: firewalld) # # This is for ipset protocol 6 (and hopefully later) (ipset v6.14). # Use ipset -V to see the protocol and version. # # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels. # # If you are running on an older kernel you make need to patch in external # modules. [INCLUDES] before = iptables-common.conf [Definition] actionstart = ipset create fail2ban- hash:ip timeout firewall-cmd --direct --add-rule ipv4 filter 0 -p -m multiport --dports -m set --match-set fail2ban- src -j actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -p -m multiport --dports -m set --match-set fail2ban- src -j ipset flush fail2ban- ipset destroy fail2ban- actionban = ipset add fail2ban- timeout -exist actionunban = ipset del fail2ban- -exist [Init] # Option: chain # Notes specifies the iptables chain to which the fail2ban rules should be # added # Values: [ STRING ] # chain = INPUT_direct # Option: bantime # Notes: specifies the bantime in seconds (handled internally rather than by fail2ban) # Values: [ NUM ] Default: 600 bantime = 600 # DEV NOTES: # # Author: Edgar Hoch and Daniel Black # firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness action.d/sendmail-whois-ipjailmatches.conf000066600000001741150471307110014656 0ustar00# Fail2Ban configuration file # # Author: Cyril Jaquier # # [INCLUDES] before = sendmail-common.conf [Definition] # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = printf %%b "Subject: [Fail2Ban] : banned from `uname -n` Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` From: <> To: \n Hi,\n The IP has just been banned by Fail2Ban after attempts against .\n\n Here is more information about :\n `/usr/bin/whois `\n\n Matches for with failures IP:\n \n\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f [Init] # Default name of the chain # name = default action.d/nftables-multiport.conf000066600000000760150471307110012753 0ustar00# Fail2Ban configuration file # # Author: Cyril Jaquier # Modified: Yaroslav O. Halchenko # made active on all ports from original iptables.conf # Modified: Alexander Belykh # adapted for nftables # [INCLUDES] before = nftables-common.conf [Definition] # Option: nftables_mode # Notes.: additional expressions for nftables filter rule # Values: nftables expressions # nftables_mode = dport \{ \} [Init] action.d/iptables-multiport.conf000066600000002627150471307110012764 0ustar00# Fail2Ban configuration file # # Author: Cyril Jaquier # Modified by Yaroslav Halchenko for multiport banning # [INCLUDES] before = iptables-common.conf [Definition] # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # actionstart = -N f2b- -A f2b- -j -I -p -m multiport --dports -j f2b- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = -D -p -m multiport --dports -j f2b- -F f2b- -X f2b- # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = -n -L | grep -q 'f2b-[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = -I f2b- 1 -s -j # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = -D f2b- -s -j [Init] action.d/iptables-common.conf000066600000003511150471307110012206 0ustar00# Fail2Ban configuration file # # Author: Daniel Black # # This is a included configuration file and includes the definitions for the iptables # used in all iptables based actions by default. # # The user can override the defaults in iptables-common.local [INCLUDES] after = iptables-blocktype.local iptables-common.local # iptables-blocktype.local is obsolete [Init] # Option: chain # Notes specifies the iptables chain to which the Fail2Ban rules should be # added # Values: STRING Default: INPUT chain = INPUT # Default name of the chain # name = default # Option: port # Notes.: specifies port to monitor # Values: [ NUM | STRING ] Default: # port = ssh # Option: protocol # Notes.: internally used by config reader for interpolations. # Values: [ tcp | udp | icmp | all ] Default: tcp # protocol = tcp # Option: blocktype # Note: This is what the action does with rules. This can be any jump target # as per the iptables man page (section 8). Common values are DROP # REJECT, REJECT --reject-with icmp-port-unreachable # Values: STRING blocktype = REJECT --reject-with icmp-port-unreachable # Option: returntype # Note: This is the default rule on "actionstart". This should be RETURN # in all (blocking) actions, except REJECT in allowing actions. # Values: STRING returntype = RETURN # Option: lockingopt # Notes.: Option was introduced to iptables to prevent multiple instances from # running concurrently and causing irratic behavior. -w was introduced # in iptables 1.4.20, so might be absent on older systems # See https://github.com/fail2ban/fail2ban/issues/1122 # Values: STRING lockingopt = # Option: iptables # Notes.: Actual command to be executed, including common to all calls options # Values: STRING iptables = iptables action.d/sendmail-whois.conf000066600000001626150471307110012045 0ustar00# Fail2Ban configuration file # # Author: Cyril Jaquier # # [INCLUDES] before = sendmail-common.conf [Definition] # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = printf %%b "Subject: [Fail2Ban] : banned from `uname -n` Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` From: <> To: \n Hi,\n The IP has just been banned by Fail2Ban after attempts against .\n\n Here is more information about :\n `/usr/bin/whois || echo missing whois program`\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f [Init] # Default name of the chain # name = default action.d/iptables-allports.conf000066600000002635150471307110012564 0ustar00# Fail2Ban configuration file # # Author: Cyril Jaquier # Modified: Yaroslav O. Halchenko # made active on all ports from original iptables.conf # # [INCLUDES] before = iptables-common.conf [Definition] # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # actionstart = -N f2b- -A f2b- -j -I -p -j f2b- # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = -D -p -j f2b- -F f2b- -X f2b- # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = -n -L | grep -q 'f2b-[ \t]' # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = -I f2b- 1 -s -j # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = -D f2b- -s -j [Init] action.d/firewallcmd-allports.conf000066600000003002150471307110013237 0ustar00# Fail2Ban configuration file # # Author: Donald Yandt # Because of the --remove-rules in stop this action requires firewalld-0.3.8+ [INCLUDES] before = iptables-common.conf [Definition] actionstart = firewall-cmd --direct --add-chain ipv4 filter f2b- firewall-cmd --direct --add-rule ipv4 filter f2b- 1000 -j RETURN firewall-cmd --direct --add-rule ipv4 filter 0 -j f2b- actionstop = firewall-cmd --direct --remove-rule ipv4 filter 0 -j f2b- firewall-cmd --direct --remove-rules ipv4 filter f2b- firewall-cmd --direct --remove-chain ipv4 filter f2b- # Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-recidive$' actioncheck = firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-$' actionban = firewall-cmd --direct --add-rule ipv4 filter f2b- 0 -s -j actionunban = firewall-cmd --direct --remove-rule ipv4 filter f2b- 0 -s -j [Init] # Default name of the chain # name = default chain = INPUT_direct # DEV NOTES: # # Author: Donald Yandt # Uses "FirewallD" instead of the "iptables daemon". # # # Output: # actionstart: # $ firewall-cmd --direct --add-chain ipv4 filter f2b-recidive # success # $ firewall-cmd --direct --add-rule ipv4 filter f2b-recidive 1000 -j RETURN # success # $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-recidive # success action.d/shorewall.conf000066600000003366150471307110011125 0ustar00# Fail2Ban configuration file # # Author: Cyril Jaquier # # # The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see # file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a # new shorewall rule to ban an IP address, that rule will affect only new # connections. So if the attempter goes on trying using the same connection # he could even log in. In order to get the same behavior of the iptable # action (so that the ban is immediate) the /etc/shorewall/shorewall.conf # file should me modified with "BLACKLISTNEWONLY=No". Note that as of # Shorewall 4.5.13 BLACKLISTNEWONLY is deprecated; however the equivalent # of BLACKLISTNEWONLY=No can now be achieved by setting BLACKLIST="ALL". # [Definition] # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # actionstart = # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = shorewall # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = shorewall allow [Init] # Option: blocktype # Note: This is what the action does with rules. # See man page of shorewall for options that include drop, logdrop, reject, or logreject # Values: STRING blocktype = reject action.d/sendmail-buffered.conf000066600000005312150471307110012472 0ustar00# Fail2Ban configuration file # # Author: Cyril Jaquier # # [INCLUDES] before = sendmail-common.conf [Definition] # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # actionstart = printf %%b "Subject: [Fail2Ban] : started on `uname -n` From: <> To: \n Hi,\n The jail has been started successfully.\n Output will be buffered until lines are available.\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = if [ -f ]; then printf %%b "Subject: [Fail2Ban] : summary from `uname -n` From: <> To: \n Hi,\n These hosts have been banned by Fail2Ban.\n `cat ` Regards,\n Fail2Ban" | /usr/sbin/sendmail -f rm fi printf %%b "Subject: [Fail2Ban] : stopped on `uname -n` From: Fail2Ban <> To: \n Hi,\n The jail has been stopped.\n Regards,\n Fail2Ban" | /usr/sbin/sendmail -f # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = printf %%b "`date`: ( failures)\n" >> LINE=$( wc -l | awk '{ print $1 }' ) if [ $LINE -ge ]; then printf %%b "Subject: [Fail2Ban] : summary from `uname -n` From: <> To: \n Hi,\n These hosts have been banned by Fail2Ban.\n `cat ` Regards,\n Fail2Ban" | /usr/sbin/sendmail -f rm fi # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = [Init] # Default name of the chain # name = default # Default number of lines that are buffered # lines = 5 # Default temporary file # tmpfile = /var/run/fail2ban/tmp-mail.txt action.d/apf.conf000066600000001113150471307110007657 0ustar00# Fail2Ban configuration file # https://www.rfxn.com/projects/advanced-policy-firewall/ # # Note: APF doesn't play nicely with other actions. It has been observed to # remove bans created by other iptables based actions. If you are going to use # this action, use it for all of your jails. # # DON'T MIX APF and other IPTABLES based actions [Definition] actionstart = actionstop = actioncheck = actionban = apf --deny "banned by Fail2Ban " actionunban = apf --remove [Init] # Name used in APF configuration # name = default # DEV NOTES: # # Author: Mark McKinstry action.d/dshield.conf000066600000016544150471307110010543 0ustar00# Fail2Ban configuration file # # Author: Russell Odom # Submits attack reports to DShield (http://www.dshield.org/) # # You MUST configure at least: # (the port that's being attacked - use number not name). # # You SHOULD also provide: # (your public IP address, if it's not the address of eth0) # (your DShield userID, if you have one - recommended, but reports will # be used anonymously if not) # (the protocol in use - defaults to tcp) # # Best practice is to provide and in jail.conf like this: # action = dshield[port=1234,protocol=tcp] # # ...and create "dshield.local" with contents something like this: # [Init] # myip = 10.0.0.1 # userid = 12345 # # Other useful configuration values are (you can use for specifying # a different sender address for the report e-mails, which should match what is # configured at DShield), and // (to # configure how often the buffer is flushed). # [Definition] # Option: actionstart # Notes.: command executed once at the start of Fail2Ban. # Values: CMD # actionstart = # Option: actionstop # Notes.: command executed once at the end of Fail2Ban # Values: CMD # actionstop = if [ -f .buffer ]; then cat .buffer | "FORMAT DSHIELD USERID TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" date +%%s > .lastsent fi rm -f .buffer .first # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # # See http://www.dshield.org/specs.html for more on report format/notes # # Note: We are currently using