From 919fe92512d60093c8eaabe13f3a8359ae7372c2 Mon Sep 17 00:00:00 2001 From: Tomas Barton Date: Wed, 29 Apr 2020 16:31:52 +0200 Subject: [PATCH 1/3] Support overriding ssh port in default config - `fail2ban::port` function to simplify syntax - Include param tags --- REFERENCE.md | 290 ++++++++ functions/port.pp | 19 + manifests/define.pp | 11 + manifests/init.pp | 40 ++ manifests/jail.pp | 24 + spec/acceptance/class_spec.rb | 676 +++++++++++++++++- spec/functions/port_spec.rb | 12 + templates/CentOS/6/etc/fail2ban/jail.conf.epp | 270 +++---- templates/CentOS/7/etc/fail2ban/jail.conf.epp | 274 +++---- .../Debian/10/etc/fail2ban/jail.conf.epp | 293 ++++---- .../Debian/11/etc/fail2ban/jail.conf.epp | 288 ++++---- .../Debian/12/etc/fail2ban/jail.conf.epp | 372 +++++----- templates/Debian/8/etc/fail2ban/jail.conf.epp | 92 +-- templates/Debian/9/etc/fail2ban/jail.conf.epp | 296 ++++---- .../OpenSuSE/15/etc/fail2ban/jail.conf.epp | 198 ++--- templates/RedHat/6/etc/fail2ban/jail.conf.epp | 264 +++---- templates/RedHat/7/etc/fail2ban/jail.conf.epp | 268 +++---- templates/RedHat/8/etc/fail2ban/jail.conf.epp | 282 ++++---- templates/RedHat/9/etc/fail2ban/jail.conf.epp | 274 +++---- .../Ubuntu/16.04/etc/fail2ban/jail.conf.epp | 268 +++---- .../Ubuntu/18.04/etc/fail2ban/jail.conf.epp | 287 ++++---- .../Ubuntu/20.04/etc/fail2ban/jail.conf.epp | 305 ++++---- .../Ubuntu/22.04/etc/fail2ban/jail.conf.epp | 269 +++---- types/port.pp | 6 + 24 files changed, 3218 insertions(+), 2160 deletions(-) create mode 100644 functions/port.pp create mode 100644 spec/functions/port_spec.rb create mode 100644 types/port.pp diff --git a/REFERENCE.md b/REFERENCE.md index d7ce80e2..f0dbb36f 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -21,9 +21,14 @@ * [`fail2ban::define`](#fail2ban--define): == Define: fail2ban::define * [`fail2ban::jail`](#fail2ban--jail): Handles the jails. +### Functions + +* [`fail2ban::port`](#fail2ban--port): See https://puppet.com/docs/puppet/latest/lang_write_functions_in_puppet.html for more information on native puppet functions. Looks up fail + ### Data types * [`Fail2ban::Logpath`](#Fail2ban--Logpath): Describes logpath format allowed +* [`Fail2ban::Port`](#Fail2ban--Port): Port type * [`Fail2ban::Time`](#Fail2ban--Time): Describes time format allowed for bantime and findtime The time entries in fail2ban configuration (like findtime or bantime) can be provided ### Tasks 
@@ -77,8 +82,42 @@ The following parameters are available in the `fail2ban` class: * [`custom_jails`](#-fail2ban--custom_jails) * [`banaction`](#-fail2ban--banaction) * [`config_file_before`](#-fail2ban--config_file_before) +* [`package_name`](#-fail2ban--package_name) +* [`package_list`](#-fail2ban--package_list) +* [`package_ensure`](#-fail2ban--package_ensure) +* [`config_dir_path`](#-fail2ban--config_dir_path) * [`config_dir_filter_path`](#-fail2ban--config_dir_filter_path) +* [`config_dir_purge`](#-fail2ban--config_dir_purge) +* [`config_dir_recurse`](#-fail2ban--config_dir_recurse) +* [`config_dir_source`](#-fail2ban--config_dir_source) +* [`config_file_path`](#-fail2ban--config_file_path) +* [`config_file_owner`](#-fail2ban--config_file_owner) +* [`config_file_group`](#-fail2ban--config_file_group) +* [`config_file_mode`](#-fail2ban--config_file_mode) +* [`config_file_source`](#-fail2ban--config_file_source) +* [`config_file_string`](#-fail2ban--config_file_string) +* [`config_file_template`](#-fail2ban--config_file_template) +* [`config_file_notify`](#-fail2ban--config_file_notify) +* [`config_file_require`](#-fail2ban--config_file_require) +* [`config_file_hash`](#-fail2ban--config_file_hash) +* [`config_file_options_hash`](#-fail2ban--config_file_options_hash) +* [`manage_defaults`](#-fail2ban--manage_defaults) +* [`manage_firewalld`](#-fail2ban--manage_firewalld) +* [`service_ensure`](#-fail2ban--service_ensure) +* [`service_name`](#-fail2ban--service_name) +* [`service_enable`](#-fail2ban--service_enable) +* [`action`](#-fail2ban--action) +* [`bantime`](#-fail2ban--bantime) +* [`email`](#-fail2ban--email) +* [`sender`](#-fail2ban--sender) +* [`iptables_chain`](#-fail2ban--iptables_chain) +* [`jails`](#-fail2ban--jails) +* [`jails_config`](#-fail2ban--jails_config) +* [`maxretry`](#-fail2ban--maxretry) * [`default_backend`](#-fail2ban--default_backend) +* [`whitelist`](#-fail2ban--whitelist) +* [`custom_jails`](#-fail2ban--custom_jails) +* 
[`banaction`](#-fail2ban--banaction) * [`sendmail_config`](#-fail2ban--sendmail_config) * [`sendmail_actions`](#-fail2ban--sendmail_actions) @@ -352,6 +391,30 @@ Data type: `String[1]` +##### `package_name` + + + +Default value: `'fail2ban'` + +##### `package_list` + + + +Default value: `undef` + +##### `package_ensure` + + + +Default value: `'present'` + +##### `config_dir_path` + + + +Default value: `'/etc/fail2ban'` + ##### `config_dir_filter_path` Data type: `Stdlib::Absolutepath` 
@@ -360,6 +423,170 @@ Data type: `Stdlib::Absolutepath` Default value: `'/etc/fail2ban/filter.d'` +##### `config_dir_purge` + + + +Default value: `false` + +##### `config_dir_recurse` + + + +Default value: `true` + +##### `config_dir_source` + + + +Default value: `undef` + +##### `config_file_path` + + + +Default value: `'/etc/fail2ban/jail.conf'` + +##### `config_file_owner` + + + +Default value: `'root'` + +##### `config_file_group` + + + +Default value: `'root'` + +##### `config_file_mode` + + + +Default value: `'0644'` + +##### `config_file_source` + + + +Default value: `undef` + +##### `config_file_string` + + + +Default value: `undef` + +##### `config_file_template` + + + +Default value: `undef` + +##### `config_file_notify` + + + +Default value: `'Service[fail2ban]'` + +##### `config_file_require` + + + +Default value: `'Package[fail2ban]'` + +##### `config_file_hash` + + + +Default value: `{}` + +##### `config_file_options_hash` + + + +Default value: `{}` + +##### `manage_defaults` + + + +Default value: `'absent'` + +##### `manage_firewalld` + + + +Default value: `'absent'` + +##### `service_ensure` + + + +Default value: `'running'` + +##### `service_name` + + + +Default value: `'fail2ban'` + +##### `service_enable` + + + +Default value: `true` + +##### `action` + + + +Default value: `'action_mb'` + +##### `bantime` + + + +Default value: `432000` + +##### `email` + + + +Default value: `"fail2ban@${facts['networking']['domain']}"` + +##### `sender` + + + +Default value: `"fail2ban@${facts['networking']['fqdn']}"` + +##### `iptables_chain` + + + +Default value: `'INPUT'` + +##### `jails` + + + +Default value: `['ssh', 'ssh-ddos']` + +##### `jails_config` + +Data type: `Hash` + + + +Default value: `{}` + +##### `maxretry` + + + +Default value: `3` + ##### `default_backend` Data type: `Enum['pyinotify', 'gamin', 'polling', 'systemd', 'auto']` 
@@ -368,6 +595,24 @@ Data type: `Enum['pyinotify', 'gamin', 'polling', 'systemd', 'auto']` Default value: `'auto'` +##### `whitelist` + + + +Default value: `['127.0.0.1/8', '192.168.56.0/24']` + +##### `custom_jails` + + + +Default value: `{}` + +##### `banaction` + + + +Default value: `'iptables-multiport'` + ##### `sendmail_config` Data type: `Hash` @@ -507,6 +752,7 @@ The following parameters are available in the `fail2ban::jail` defined type: * [`enabled`](#-fail2ban--jail--enabled) * [`action`](#-fail2ban--jail--action) * [`filter`](#-fail2ban--jail--filter) +* [`logpath`](#-fail2ban--jail--logpath) * [`maxretry`](#-fail2ban--jail--maxretry) * [`findtime`](#-fail2ban--jail--findtime) * [`bantime`](#-fail2ban--jail--bantime) @@ -602,6 +848,12 @@ Data type: `String` Default value: `$title` +##### `logpath` + + + +Default value: `undef` + ##### `maxretry` Data type: `Integer` @@ -714,6 +966,38 @@ Data type: `Optional[String]` Default value: `$fail2ban::config_file_require` +## Functions + +### `fail2ban::port` + +Type: Puppet Language + +See https://puppet.com/docs/puppet/latest/lang_write_functions_in_puppet.html +for more information on native puppet functions. + +Looks up fail2ban::jails_config.{namespace} for port configuration + +#### `fail2ban::port(String $config_key, Fail2ban::Port $default_port)` + +See https://puppet.com/docs/puppet/latest/lang_write_functions_in_puppet.html +for more information on native puppet functions. + +Looks up fail2ban::jails_config.{namespace} for port configuration + +Returns: `String` actual config + +##### `config_key` + +Data type: `String` + + + +##### `default_port` + +Data type: `Fail2ban::Port` + + + ## Data types ### `Fail2ban::Logpath` 
@@ -722,6 +1006,12 @@ Describes logpath format allowed Alias of `Variant[String[1], Array[String[1]]]` +### `Fail2ban::Port` + +Port type + +Alias of `Variant[Integer, String, Tuple[Variant[Integer, String], 1, default]]` + ### `Fail2ban::Time` Describes time format allowed for bantime and findtime diff --git a/functions/port.pp b/functions/port.pp new file mode 100644 index 00000000..8b479f7a --- /dev/null +++ b/functions/port.pp @@ -0,0 +1,19 @@ +# See https://puppet.com/docs/puppet/latest/lang_write_functions_in_puppet.html +# for more information on native puppet functions. +# +# Looks up fail2ban::jails_config.{namespace} for port configuration +# +# @param config_key +# @param default_port +# @return actual config +function fail2ban::port(String $config_key, Fail2ban::Port $default_port) >> String { + $needle = "fail2ban::jails_config.${config_key}.port" + $result = lookup($needle, undef, undef, $default_port) + + case $result { + String : { $result } + Integer : { String($result) } + Array,Tuple : { join($result, ',') } + default : { raise(Puppet::ParseError, "Unsupported type in lookup result: ${result}.class") } + } +} diff --git a/manifests/define.pp b/manifests/define.pp index 424c0dc4..77c169dd 100644 --- a/manifests/define.pp +++ b/manifests/define.pp @@ -1,5 +1,16 @@ # == Define: fail2ban::define # +# @param config_file_path +# @param config_file_owner +# @param config_file_group +# @param config_file_mode +# @param config_file_source +# @param config_file_string +# @param config_file_template +# @param config_file_notify +# @param config_file_require +# @param config_file_options_hash +# define fail2ban::define ( Stdlib::Absolutepath $config_file_path = "${fail2ban::config_dir_path}/${title}", String $config_file_owner = $fail2ban::config_file_owner, diff --git a/manifests/init.pp b/manifests/init.pp index bff8dd75..5bcd009a 100644 --- a/manifests/init.pp +++ b/manifests/init.pp 
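Review bot: The `default` branch of the `case` in `fail2ban::port` cannot raise the error it intends: `raise` is not a Puppet language function (`fail()` is the built-in), `Puppet::ParseError` would be evaluated as a type reference rather than an exception class, and `"${result}.class"` interpolates the value and then appends the literal text `.class`. The branch is reachable because the `lookup` call is untyped — a `port: true` or a nested hash in Hiera ends up there — so the cleaner fix is to let `lookup` enforce the declared alias and keep only a real guard: `$result = lookup($needle, Fail2ban::Port, undef, $default_port)` and `default : { fail("Unsupported type in lookup result: ${type($result)}") }`. That also gives the user a message naming the offending Hiera key instead of an unknown-function error. The `String`/`Integer`/`Array` arms themselves look correct and are what the new `port_spec.rb` covers.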
@@ -37,6 +37,45 @@ # @param custom_jails Determines which custom jails should be included # @param banaction Determines which action to perform when performing a global ban (not overridden in a specific jail). # +# @param config_file_before +# @param package_name +# @param package_list +# @param package_ensure +# @param config_dir_path +# @param config_dir_filter_path +# @param config_dir_purge +# @param config_dir_recurse +# @param config_dir_source +# @param config_file_path +# @param config_file_owner +# @param config_file_group +# @param config_file_mode +# @param config_file_source +# @param config_file_string +# @param config_file_template +# @param config_file_notify +# @param config_file_require +# @param config_file_hash +# @param config_file_options_hash +# @param manage_defaults +# @param manage_firewalld +# @param service_ensure +# @param service_name +# @param service_enable +# @param action +# @param bantime +# @param email +# @param sender +# @param iptables_chain +# @param jails +# @param jails_config +# @param maxretry +# @param default_backend +# @param whitelist +# @param custom_jails +# @param banaction +# @param sendmail_config +# @param sendmail_actions class fail2ban ( String[1] $config_file_before, @@ -77,6 +116,7 @@ String[1] $sender = "fail2ban@${facts['networking']['fqdn']}", String[1] $iptables_chain = 'INPUT', Array[String[1]] $jails = ['ssh', 'ssh-ddos'], + Hash $jails_config = {}, Integer[0] $maxretry = 3, Enum['pyinotify', 'gamin', 'polling', 'systemd', 'auto'] $default_backend = 'auto', Array $whitelist = ['127.0.0.1/8', '192.168.56.0/24'], diff --git a/manifests/jail.pp b/manifests/jail.pp index 7b14eafe..986edc4e 100644 --- a/manifests/jail.pp +++ b/manifests/jail.pp 
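Review bot: `Hash $jails_config = {}` is declared here but, in the hunks shown, nothing reads `$fail2ban::jails_config`; the templates go through `fail2ban::port`, which calls `lookup('fail2ban::jails_config.<jail>.port')` against Hiera directly, so a hash supplied as a class parameter (`class { 'fail2ban': jails_config => {...} }`) or from an ENC is silently ignored and only Hiera data takes effect. Either state that restriction on the parameter or have the function read the parameter, e.g. `$fail2ban::jails_config.dig($config_key, 'port')`. A bare `Hash` also admits anything; `Hash[String[1], Hash[String[1], Fail2ban::Port]]` would reject malformed data at compile time with a clear message. The new `# @param jails_config` tag is empty — suggest `# @param jails_config Per-jail overrides keyed by jail name; currently only the `port` key is honoured, via Hiera.`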
@@ -2,6 +2,30 @@ # # @param logpath Filename(s) of the log files to be monitored # +# @param filter_includes +# @param filter_failregex +# @param filter_ignoreregex +# @param filter_maxlines +# @param filter_datepattern +# @param filter_additional_config +# @param enabled +# @param action +# @param filter +# @param logpath +# @param maxretry +# @param findtime +# @param bantime +# @param port +# @param backend +# @param journalmatch +# @param ignoreip +# @param config_dir_filter_path +# @param config_file_owner +# @param config_file_group +# @param config_file_mode +# @param config_file_source +# @param config_file_notify +# @param config_file_require define fail2ban::jail ( Optional[String] $filter_includes = undef, Optional[String] $filter_failregex = undef, diff --git a/spec/acceptance/class_spec.rb b/spec/acceptance/class_spec.rb index c5797dc3..dd4d6916 100644 --- a/spec/acceptance/class_spec.rb +++ b/spec/acceptance/class_spec.rb @@ -17,6 +17,11 @@ ssh_jail = 'ssh' end +def fail2ban_is_at_least(version) + res = shell('fail2ban-server --version | awk \'/Fail2Ban v/ {print substr($2,2); EXIT}\'') + Gem::Version.new(res.stdout) >= Gem::Version.new(version) +end + # Ensure the ssh log file is created, otherwise the service doesn't start completely shell("touch #{ssh_log_file}") @@ -278,9 +283,9 @@ class { 'fail2ban': } EOS apply_manifest(pp, catch_failures: true) + # fail2ban-client supports fetching config since version 0.9 - fail2ban_version = shell('fail2ban-server --version | head -n1 | awk \'{print $2}\' | cut -c 2- | tail -n1') - if Gem::Version.new(fail2ban_version.stdout) >= Gem::Version.new('0.9.0') + if fail2ban_is_at_least('0.9.0') fail2ban_status = shell('fail2ban-client get sshd action sendmail-buffered actionstart') expect(fail2ban_status.output).to contain %r{^\n$} else 
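Review bot: The added tag block in `manifests/jail.pp` repeats `# @param logpath` with no text directly under the existing `# @param logpath Filename(s) of the log files to be monitored` shown as hunk context, so puppet-strings sees two tags for one parameter and the empty one may be the one that wins in REFERENCE.md. Drop the second `# @param logpath` line. The remaining new tags are all empty; at minimum `# @param port Port(s) the jail bans traffic on, as a fail2ban port list` and `# @param ignoreip Addresses/CIDRs never banned by this jail` would make the generated reference useful.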
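Review bot: In `fail2ban_is_at_least`, `EXIT` inside the awk action is not the `exit` statement — awk keywords are lowercase, so `EXIT` is an uninitialized variable reference and a no-op. Today `fail2ban-server --version` happens to print one matching line, but if a second line ever matches, `res.stdout` becomes multi-line and `Gem::Version.new` raises `ArgumentError: Malformed version number string`, failing every gated example. Use `shell('fail2ban-server --version | awk \'/Fail2Ban v/ {print substr($2,2); exit}\'')` and compare `Gem::Version.new(res.stdout.strip)`.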
@@ -289,5 +294,672 @@ class { 'fail2ban': end end end + + context 'when overriding default port configuration' do + before(:all) do + pp = <<-EOS + class { 'fail2ban': } + EOS + yaml = <<~EOS + fail2ban::jails_config: + ssh: + port: ssh,2200 + dropbear: + port: + - ssh + - 2201 + selinux-ssh: + port: + - 'ssh' + - '2202' + apache-auth: + port: 81 + apache-badbots: + port: 82 + apache-noscript: + port: + - 81 + - 443 + apache-overflows: + port: '80,443' + apache-nohome: + port: '80,443' + apache-botsearch: + port: '80,443' + apache-fakegooglebot: + port: '80,443' + apache-modsecurity: + port: '80,443' + apache-shellshock: + port: '80,443' + nginx-http-auth: + port: '80,443' + nginx-limit-req: + port: '80,443' + nginx-botsearch: + port: '80,443' + php-url-fopen: + port: '80,443' + suhosin: + port: '80,443' + lighttpd-auth: + port: '80,443' + roundcube-auth: + port: '80,443' + openwebmail: + port: '80,443' + horde: + port: '80,443' + groupoffice: + port: '80,443' + sogo-auth: + port: '80,443' + tine20: + port: '80,443' + drupal-auth: + port: '80,443' + guacamole: + port: '80,443' + monit: + port: '2811' + webmin-auth: + port: '10001' + froxlor-auth: + port: '80,443' + squid: + port: '3128' + 3proxy: + port: '3129' + proftpd: + port: '21' + pure-ftpd: + port: '21' + gssftpd: + port: '21' + wuftpd: + port: '21' + vsftpd: + port: '24' + assp: + port: '25,465' + courier-smtp: + port: '26' + postfix: + port: '27' + postfix-rbl: + port: '28' + sendmail-auth: + port: '29' + sendmail-reject: + port: '30' + qmail-rbl: + port: 31 + dovecot: + port: 32 + sieve: + port: 33 + solid-pop3d: + port: 34 + exim: + port: 35 + exim-spam: + port: 36 + kerio: + port: 37 + courier-auth: + port: 38 + courierauth: + port: 39 + postfix-sasl: + port: 40 + perdition: + port: 41 + squirrelmail: + port: 42 + cyrus-imap: + port: 43 + uwimap-auth: + port: 44 + named-refused-tcp: + port: 45 + named-refused: + port: 46 + nsd: + port: 47 + asterisk: + port: 48 + asterisk-tcp: + port: 49 + asterisk-udp: 
+ port: 50 + freeswitch: + port: 51 + mysqld-auth: + port: 52 + mongodb-auth: + port: 54 + ejabberd-auth: + port: 55 + EOS + shell "echo \"#{yaml}\" > /etc/puppetlabs/code/environments/production/data/common.yaml" + + apply_manifest(pp, catch_failures: true) + end + + # fail2ban version check must be inside "it" block, + # so that the variable will be evaluated + # after package installation + it 'is expected to modify sshd port' do + r = if fact('os.family') == 'Debian' && fact('os.release.major') == '8' + # Debian 8 is calling jail `ssh` instead of `sshd` + shell("grep \"\\[ssh\\]\" -A 10 #{config_file_path}") + else + shell("grep \"\\[sshd\\]\" -A 10 #{config_file_path}") + end + expect(r.stdout).to match %r{^port\s+=\s+ssh,2200$} + end + + it 'is expected to modify lighttpd-auth port' do + if fail2ban_is_at_least('0.8.7') + shell("grep \"\\[lighttpd-auth\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + end + + it 'is expected to modify roundcube-auth port' do + if fail2ban_is_at_least('0.8.9') + shell("grep \"\\[roundcube-auth\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + end + + it 'is expected to modify apache-nohome port' do + if fail2ban_is_at_least('0.8.10') + shell("grep \"\\[apache-nohome\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + end + + it 'is expected to modify suhosin port' do + if fail2ban_is_at_least('0.9.0') + shell("grep \"\\[suhosin\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + end + + it 'is expected to modify selinux-ssh port' do + # since 0.8.11 + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[selinux-ssh\\]\" -A 5 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+ssh,2202$} + end + end + end + + it 'is expected to modify apache-auth port' do + # 
since 0.8.11 + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[apache-auth\\]\" -A 5 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+81$} + end + end + end + + it 'is expected to modify horde port' do + # since 0.8.11 + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[horde\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + end + + it 'is expected to modify groupoffice port' do + # since 0.8.11 + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[groupoffice\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + end + + it 'is expected to modify openwebmail port' do + # since 0.8.11 + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[openwebmail\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + end + + it 'is expected to modify apache-botsearch port' do + if fail2ban_is_at_least('0.9.0') + shell("grep \"\\[apache-botsearch\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + end + + it 'is expected to modify apache-shellshock port' do + if fail2ban_is_at_least('0.9.0') + shell("grep \"\\[apache-shellshock\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + end + + it 'is expected to modify tine20 port' do + if fail2ban_is_at_least('0.9.0') + shell("grep \"\\[tine20\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + end + + it 'is expected to modify nginx-botsearch port' do + if fail2ban_is_at_least('0.9.2') + shell("grep \"\\[nginx-botsearch\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + end + + it 'is 
expected to modify nginx-limit-req port' do + case fact('os.family') + when 'Debian' + if fail2ban_is_at_least('0.9.4') + shell("grep \"\\[nginx-limit-req\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + when 'RedHat' + if fact('os.release.major').to_i >= 8 + shell("grep \"\\[nginx-limit-req\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + end + end + + it 'is expected to modify apache-badbots port' do + if fail2ban_is_at_least('0.9.4') + shell("grep \"\\[apache-badbots\\]\" -A 7 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+82$} + end + end + end + + it 'is expected to modify apache-fakegooglebot port' do + if fail2ban_is_at_least('0.9.6') + shell("grep \"\\[apache-fakegooglebot\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + end + + it 'is expected to modify dropbear port' do + shell("grep \"\\[dropbear\\]\" -A 5 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+ssh,2201$} + end + end + + it 'is expected to modify apache-modsecurity port' do + shell("grep \"\\[apache-modsecurity\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + + it 'is expected to modify nginx-http-auth port' do + shell("grep \"\\[nginx-http-auth\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + + it 'is expected to modify apache-noscript port' do + shell("grep \"\\[apache-noscript\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+81,443$} + end + end + + it 'is expected to modify apache-overflows port' do + shell("grep \"\\[apache-overflows\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + + it 'is expected to modify sogo-auth port' do + shell("grep \"\\[sogo-auth\\]\" -A 6 
#{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + + it 'is expected to modify php-url-fopen port' do + shell("grep \"\\[php-url-fopen\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + + it 'is expected to modify drupal-auth port' do + if fail2ban_is_at_least('0.9.0') + shell("grep \"\\[drupal-auth\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + end + + it 'is expected to modify guacamole port' do + if fail2ban_is_at_least('0.9.0') + shell("grep \"\\[guacamole\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + end + + it 'is expected to modify monit port' do + if fail2ban_is_at_least('0.9.1') + shell("grep \"\\[monit\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+2811$} + end + end + end + + it 'is expected to modify webmin-auth port' do + # since 0.8.9 + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[webmin-auth\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+10001$} + end + end + end + + it 'is expected to modify froxlor-auth port' do + # since 0.8.11 + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[froxlor-auth\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+80,443$} + end + end + end + + it 'is expected to modify squid port' do + # since 0.8.12 + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[squid\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+3128$} + end + end + end + + it 'is expected to modify 3proxy port' do + # since 0.8.11 + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[3proxy\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to 
match %r{^port\s+=\s+3129$} + end + end + end + + it 'is expected to modify proftpd port' do + shell("grep \"\\[proftpd\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+21$} + end + end + + it 'is expected to modify pure-ftpd port' do + shell("grep \"\\[pure-ftpd\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+21$} + end + end + + it 'is expected to modify gssftpd port' do + # since 0.8.11 + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[gssftpd\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+21$} + end + end + end + + it 'is expected to modify wuftpd port' do + shell("grep \"\\[wuftpd\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+21$} + end + end + + it 'is expected to modify vsftpd port' do + # since 0.8.1 + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[vsftpd\\]\" -A 10 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+24$} + end + end + end + + it 'is expected to modify assp port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[assp\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+25,465$} + end + end + end + + it 'is expected to modify courier-smtp port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[courier-smtp\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+26$} + end + end + end + + it 'is expected to modify postfix port' do + shell("grep \"\\[postfix\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+27$} + end + end + + it 'is expected to modify postfix-rbl port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[postfix-rbl\\]\" -A 6 #{config_file_path}") do |r| + 
expect(r.stdout).to match %r{^port\s+=\s+28$} + end + end + end + + it 'is expected to modify sendmail-auth port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[sendmail-auth\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+29$} + end + end + end + + it 'is expected to modify sendmail-reject port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[sendmail-reject\\]\" -A 10 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+30$} + end + end + end + + it 'is expected to modify qmail-rbl port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[qmail-rbl\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+31$} + end + end + end + + it 'is expected to modify dovecot port' do + shell("grep \"\\[dovecot\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+32$} + end + end + + it 'is expected to modify sieve port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[sieve\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+33$} + end + end + end + + it 'is expected to modify solid-pop3d port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[solid-pop3d\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+34$} + end + end + end + + it 'is expected to modify exim port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[exim\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+35$} + end + end + end + + it 'is expected to modify exim-spam port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[exim-spam\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to 
match %r{^port\s+=\s+36$} + end + end + end + + it 'is expected to modify kerio port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[kerio\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+37$} + end + end + end + + it 'is expected to modify courier-auth port' do + if fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[courierauth\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+39$} + end + else + shell("grep \"\\[courier-auth\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+38$} + end + end + end + + it 'is expected to modify postfix-sasl port' do + if fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[sasl\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+40$} + end + else + shell("grep \"\\[postfix-sasl\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+40$} + end + end + end + + it 'is expected to modify perdition port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[perdition\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+41$} + end + end + end + + it 'is expected to modify squirrelmail port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[squirrelmail\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+42$} + end + end + end + + it 'is expected to modify cyrus-imap port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[cyrus-imap\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+43$} + end + end + end + + it 'is expected to modify uwimap-auth port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep 
\"\\[uwimap-auth\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+44$} + end + end + end + + it 'is expected to modify named-refused port' do + if fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[named-refused-tcp\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+45$} + end + else + shell("grep \"\\[named-refused\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+46$} + end + end + end + + it 'is expected to modify nsd port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[nsd\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+47$} + end + end + end + + it 'is expected to modify asterisk port' do + if fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[asterisk-tcp\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+49$} + end + + shell("grep \"\\[asterisk-udp\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+50$} + end + else + shell("grep \"\\[asterisk\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+48$} + end + end + end + + it 'is expected to modify freeswitch port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[freeswitch\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+51$} + end + end + end + + it 'is expected to modify mysqld-auth port' do + unless fact('os.family') == 'Debian' && fact('os.release.major') == '8' + shell("grep \"\\[mysqld-auth\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+52$} + end + end + end + + it 'is expected to modify mongodb-auth port' do + if fail2ban_is_at_least('0.9.6') && fact('os.name') != 'CentOS' + shell("grep \"\\[mongodb-auth\\]\" -A 6 #{config_file_path}") do |r| + 
expect(r.stdout).to match %r{^port\s+=\s+54$} + end + end + end + + it 'is expected to modify ejabberd-auth port' do + shell("grep \"\\[ejabberd-auth\\]\" -A 6 #{config_file_path}") do |r| + expect(r.stdout).to match %r{^port\s+=\s+55$} + end + end + end end end diff --git a/spec/functions/port_spec.rb b/spec/functions/port_spec.rb new file mode 100644 index 00000000..d5750734 --- /dev/null +++ b/spec/functions/port_spec.rb @@ -0,0 +1,12 @@ +# frozen_string_literal: true + +require 'spec_helper' + +describe 'fail2ban::port' do + it { is_expected.to run.with_params('ssh', '22').and_return('22') } + it { is_expected.to run.with_params('ssh', 22).and_return('22') } + it { is_expected.to run.with_params('ssh', '22,22000').and_return('22,22000') } + it { is_expected.to run.with_params('ssh', %w[22 22001]).and_return('22,22001') } + it { is_expected.to run.with_params(nil).and_raise_error(ArgumentError) } + it { is_expected.to run.with_params('ssh', {}).and_raise_error(ArgumentError) } +end diff --git a/templates/CentOS/6/etc/fail2ban/jail.conf.epp b/templates/CentOS/6/etc/fail2ban/jail.conf.epp index e4db45d7..f08e5e08 100644 --- a/templates/CentOS/6/etc/fail2ban/jail.conf.epp +++ b/templates/CentOS/6/etc/fail2ban/jail.conf.epp @@ -185,8 +185,8 @@ action = %(<%= $fail2ban::action %>)s # [sshd] -enabled = <%= "ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('ssh', 'ssh') %> logpath = %(sshd_log)s 
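Review bot: The `before(:all)` block writes the fixture with `shell "echo \"#{yaml}\" > /etc/puppetlabs/code/environments/production/data/common.yaml"`, which both replaces the environment's `common.yaml` wholesale for every example that runs after this context and pushes ~200 lines of YAML through double-quoted shell interpolation, where any `$`, backtick or backslash in future test data would be expanded by the shell before it reaches the file. Writing the content with the beaker `create_remote_file` helper (if this harness provides it) or at least a quoted heredoc avoids the expansion, and an `after(:all)` that restores the previous file keeps the contexts independent. Separately, the version- and OS-gated examples (`if fail2ban_is_at_least('0.8.7')`, `unless fact('os.family') == 'Debian' && ...`) pass vacuously when the gate is false; `skip 'jail not shipped by this fail2ban version' unless fail2ban_is_at_least('0.8.7')` as the first line of each would make the report show what was actually verified.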
@@ -195,19 +195,19 @@ logpath = %(sshd_log)s # The mail-whois action send a notification e-mail with a whois request # in the body. enabled = <%= "ssh-ddos" in $fail2ban::jails %> -port = ssh +port = <%= lookup('fail2ban::jails_config.ssh-ddos.port', String, undef, 'ssh') %> logpath = %(sshd_log)s [dropbear] -enabled = <%= "dropbear" in $fail2ban::jails %> -port = ssh +enabled = <%= 'dropbear' in $fail2ban::jails %> +port = <%= fail2ban::port('dropbear', 'ssh') %> logpath = %(dropbear_log)s [selinux-ssh] -enabled = <%= "selinux-ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'selinux-ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('selinux-ssh', 'ssh') %> logpath = %(auditd_log)s maxretry = 5 
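Review bot: The ssh-ddos stanza bypasses the new helper with `lookup('fail2ban::jails_config.ssh-ddos.port', String, undef, 'ssh')`, so unlike every other jail its override is typed as String rather than Fail2ban::Port — an Integer or Array value that the port spec accepts (`22`, `%w[22 22001]`) would fail the lookup here — and its enabled line keeps the old double-quoted form. Use `port = <%= fail2ban::port('ssh-ddos', 'ssh') %>` for consistency with the surrounding jails. The same lines recur in the CentOS/7 template's hunk at the same offset.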
@@ -217,77 +217,77 @@ maxretry = 5 # [apache-auth] -enabled = <%= "apache-auth" in $fail2ban::jails %> -port = http,https -logpath = %(apache_error_log)s +enabled = <%= 'apache-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-auth', 'http,https') %> +logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. -enabled = <%= "apache-badbots" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-badbots' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-badbots', 'http,https') %> logpath = %(apache_access_log)s bantime = 172800 maxretry = 1 [apache-noscript] -enabled = <%= "apache-noscript" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-noscript' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-noscript', 'http,https') %> logpath = %(apache_error_log)s maxretry = 6 [apache-overflows] -enabled = <%= "apache-overflows" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-overflows' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-overflows', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] -enabled = <%= "apache-nohome" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-nohome' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-nohome', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] -enabled = <%= "apache-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-botsearch', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] -enabled = <%= "apache-fakegooglebot" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-fakegooglebot' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-fakegooglebot', 'http,https') %> logpath = %(apache_access_log)s maxretry = 1 
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot [apache-modsecurity] -enabled = <%= "apache-modsecurity" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-modsecurity' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-modsecurity', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] -enabled = <%= "apache-shellshock" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-shellshock' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-shellshock', 'http,https') %> logpath = %(apache_error_log)s maxretry = 1 [nginx-http-auth] -enabled = <%= "nginx-http-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-http-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-http-auth', 'http,https') %> logpath = %(nginx_error_log)s [nginx-botsearch] -enabled = <%= "nginx-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-botsearch', 'http,https') %> logpath = %(nginx_error_log)s maxretry = 2 @@ -296,23 +296,23 @@ maxretry = 2 # of usage in production environments. [php-url-fopen] -enabled = <%= "php-url-fopen" in $fail2ban::jails %> -port = http,https +enabled = <%= 'php-url-fopen' in $fail2ban::jails %> +port = <%= fail2ban::port('php-url-fopen', 'http,https') %> logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] -enabled = <%= "suhosin" in $fail2ban::jails %> -port = http,https +enabled = <%= 'suhosin' in $fail2ban::jails %> +port = <%= fail2ban::port('suhosin', 'http,https') %> logpath = %(suhosin_log)s [lighttpd-auth] -enabled = <%= "lighttpd-auth" in $fail2ban::jails %> +enabled = <%= 'lighttpd-auth' in $fail2ban::jails %> # Same as above for Apache's mod_auth # It catches wrong authentifications -port = http,https +port = <%= fail2ban::port('lighttpd-auth', 'http,https') %> logpath = %(lighttpd_error_log)s 
@@ -321,42 +321,42 @@ logpath = %(lighttpd_error_log)s # [roundcube-auth] -enabled = <%= "roundcube-auth" in $fail2ban::jails %> -port = http,https -logpath = logpath = %(roundcube_errors_log)s +enabled = <%= 'roundcube-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('roundcube-auth', 'http,https') %> +logpath = %(roundcube_errors_log)s [openwebmail] -enabled = <%= "openwebmail" in $fail2ban::jails %> -port = http,https -logpath = /var/log/openwebmail.log +enabled = <%= 'openwebmail' in $fail2ban::jails %> +port = <%= fail2ban::port('openwebmail', 'http,https') %> +logpath = /var/log/openwebmail.log [horde] -enabled = <%= "horde" in $fail2ban::jails %> -port = http,https -logpath = /var/log/horde/horde.log +enabled = <%= 'horde' in $fail2ban::jails %> +port = <%= fail2ban::port('horde', 'http,https') %> +logpath = /var/log/horde/horde.log [groupoffice] -enabled = <%= "groupoffice" in $fail2ban::jails %> -port = http,https -logpath = /home/groupoffice/log/info.log +enabled = <%= 'groupoffice' in $fail2ban::jails %> +port = <%= fail2ban::port('groupoffice', 'http,https') %> +logpath = /home/groupoffice/log/info.log [sogo-auth] -enabled = <%= "sogo-auth" in $fail2ban::jails %> +enabled = <%= 'sogo-auth' in $fail2ban::jails %> # Monitor SOGo groupware server # without proxy this would be: # port = 20000 -port = http,https +port = <%= fail2ban::port('sogo-auth', 'http,https') %> logpath = /var/log/sogo/sogo.log [tine20] -enabled = <%= "tine20" in $fail2ban::jails %> +enabled = <%= 'tine20' in $fail2ban::jails %> logpath = /var/log/tine20/tine20.log -port = http,https +port = <%= fail2ban::port('tine20', 'http,https') %> maxretry = 5 
@@ -366,33 +366,33 @@ maxretry = 5 # [drupal-auth] -enabled = <%= "drupal-auth" in $fail2ban::jails %> -port = http,https -logpath = %(syslog_daemon)s +enabled = <%= 'drupal-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('drupal-auth', 'http,https') %> +logpath = %(syslog_daemon)s [guacamole] -enabled = <%= "guacamole" in $fail2ban::jails %> -port = http,https -logpath = /var/log/tomcat*/catalina.out +enabled = <%= 'guacamole' in $fail2ban::jails %> +port = <%= fail2ban::port('guacamole', 'http,https') %> +logpath = /var/log/tomcat*/catalina.out [monit] #Ban clients brute-forcing the monit gui login -enabled = <%= "monit" in $fail2ban::jails %> -filter = monit -port = 2812 -logpath = /var/log/monit +enabled = <%= 'monit' in $fail2ban::jails %> +filter = monit +port = <%= fail2ban::port('monit', 2812) %> +logpath = /var/log/monit [webmin-auth] -enabled = <%= "webmin-auth" in $fail2ban::jails %> -port = 10000 +enabled = <%= 'webmin-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('webmin-auth', 10000) %> logpath = %(syslog_authpriv)s [froxlor-auth] -enabled = <%= "froxlor-auth" in $fail2ban::jails %> -port = http,https -logpath = %(syslog_authpriv)s +enabled = <%= 'froxlor-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('froxlor-auth', 'http,https') %> +logpath = %(syslog_authpriv)s # @@ -401,14 +401,14 @@ logpath = %(syslog_authpriv)s # [squid] -enabled = <%= "squid" in $fail2ban::jails %> -port = 80,443,3128,8080 +enabled = <%= 'squid' in $fail2ban::jails %> +port = <%= fail2ban::port('squid', '80,443,3128,8080') %> logpath = /var/log/squid/access.log [3proxy] -enabled = <%= "3proxy" in $fail2ban::jails %> -port = 3128 +enabled = <%= '3proxy' in $fail2ban::jails %> +port = <%= fail2ban::port('3proxy', 3128) %> logpath = /var/log/3proxy.log 
@@ -418,28 +418,28 @@ logpath = /var/log/3proxy.log [proftpd] -enabled = <%= "proftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'proftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('proftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(proftpd_log)s [pure-ftpd] -enabled = <%= "pure-ftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'pure-ftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('pure-ftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(pureftpd_log)s maxretry = 6 [gssftpd] -enabled = <%= "gssftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'gssftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('gssftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(syslog_daemon)s maxretry = 6 [wuftpd] -enabled = <%= "wuftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'wuftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('wuftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(wuftpd_log)s maxretry = 6 @@ -449,8 +449,8 @@ maxretry = 6 # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats -enabled = <%= "vsftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'vsftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('vsftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(vsftpd_log)s 
@@ -460,84 +460,84 @@ logpath = %(vsftpd_log)s # ASSP SMTP Proxy Jail [assp] -enabled = <%= "assp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'assp' in $fail2ban::jails %> +port = <%= fail2ban::port('assp', 'smtp,465,submission') %> logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] -enabled = <%= "courier-smtp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'courier-smtp' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-smtp', 'smtp,465,submission') %> logpath = %(syslog_mail)s [postfix] -enabled = <%= "postfix" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'postfix' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix', 'smtp,465,submission') %> logpath = %(postfix_log)s [postfix-rbl] -enabled = <%= "postfix-rbl" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'postfix-rbl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-rbl', 'smtp,465,submission') %> logpath = %(syslog_mail)s maxretry = 1 [sendmail-auth] -enabled = <%= "sendmail-auth" in $fail2ban::jails %> -port = submission,465,smtp +enabled = <%= 'sendmail-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-auth', 'smtp,465,submission') %> logpath = %(syslog_mail)s [sendmail-reject] -enabled = <%= "sendmail-reject" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sendmail-reject' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-reject', 'smtp,465,submission') %> logpath = %(syslog_mail)s [qmail-rbl] -enabled = <%= "qmail-rbl" in $fail2ban::jails %> +enabled = <%= 'qmail-rbl' in $fail2ban::jails %> filter = qmail -port = smtp,465,submission +port = <%= fail2ban::port('qmail-rbl', 'smtp,465,submission') %> logpath = /service/qmail/log/main/current # dovecot defaults to logging to the mail syslog facility # but can be set by syslog_facility in the dovecot configuration. 
[dovecot] -enabled = <%= "dovecot" in $fail2ban::jails %> -port = pop3,pop3s,imap,imaps,submission,465,sieve +enabled = <%= 'dovecot' in $fail2ban::jails %> +port = <%= fail2ban::port('dovecot', 'pop3,pop3s,imap,imaps,submission,465,sieve') %> logpath = %(dovecot_log)s [sieve] -enabled = <%= "sieve" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sieve' in $fail2ban::jails %> +port = <%= fail2ban::port('sieve', 'smtp,465,submission') %> logpath = %(dovecot_log)s [solid-pop3d] -enabled = <%= "solid-pop3d" in $fail2ban::jails %> -port = pop3,pop3s +enabled = <%= 'solid-pop3d' in $fail2ban::jails %> +port = <%= fail2ban::port('solid-pop3d', 'pop3,pop3s') %> logpath = %(solidpop3d_log)s [exim] -enabled = <%= "exim" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim' in $fail2ban::jails %> +port = <%= fail2ban::port('exim', 'smtp,465,submission') %> logpath = %(exim_main_log)s [exim-spam] -enabled = <%= "exim-spam" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim-spam' in $fail2ban::jails %> +port = <%= fail2ban::port('exim-spam', 'smtp,465,submission') %> logpath = %(exim_main_log)s [kerio] -enabled = <%= "kerio" in $fail2ban::jails %> -port = imap,smtp,imaps,465 +enabled = <%= 'kerio' in $fail2ban::jails %> +port = <%= fail2ban::port('kerio', 'imap,smtp,imaps,465') %> logpath = /opt/kerio/mailserver/store/logs/security.log 
@@ -547,14 +547,14 @@ logpath = /opt/kerio/mailserver/store/logs/security.log # [courier-auth] -enabled = <%= "courier-auth" in $fail2ban::jails %> -port = smtp,465,submission,imap3,imaps,pop3,pop3s -logpath = %(syslog_mail)s +enabled = <%= 'courier-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-auth', 'smtp,465,submission,imap3,imaps,pop3,pop3s') %> +logpath = %(syslog_mail)s [postfix-sasl] -enabled = <%= "postfix-sasl" in $fail2ban::jails %> -port = smtp,465,submission,imap3,imaps,pop3,pop3s +enabled = <%= 'postfix-sasl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-sasl', 'smtp,465,submission,imap3,imaps,pop3,pop3s') %> # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. @@ -562,26 +562,26 @@ logpath = %(postfix_log)s [perdition] -enabled = <%= "perdition" in $fail2ban::jails %> -port = imap3,imaps,pop3,pop3s +enabled = <%= 'perdition' in $fail2ban::jails %> +port = <%= fail2ban::port('perdition', 'imap3,imaps,pop3,pop3s') %> logpath = %(syslog_mail)s [squirrelmail] -enabled = <%= "squierrelmail" in $fail2ban::jails %> -port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks +enabled = <%= 'squirrelmail' in $fail2ban::jails %> +port = <%= fail2ban::port('squierrelmail', 'smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks') %> logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] -enabled = <%= "cyrus-imap" in $fail2ban::jails %> -port = imap3,imaps +enabled = <%= 'cyrus-imap' in $fail2ban::jails %> +port = <%= fail2ban::port('cyrus-imap', 'imap3,imaps') %> logpath = %(syslog_mail)s [uwimap-auth] -enabled = <%= "uwimap-auth" in $fail2ban::jails %> -port = imap3,imaps +enabled = <%= 'uwimap-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('uwimap-auth', 'imap3,imaps') %> logpath = %(syslog_mail)s 
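Review bot: In the squirrelmail stanza the enabled key is corrected to `'squirrelmail'` but the port lookup still passes the misspelled `fail2ban::port('squierrelmail', …)`, so an override under fail2ban::jails_config.squirrelmail.port would silently leave the default in place while the jail is enabled. Change it to `port = <%= fail2ban::port('squirrelmail', 'smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks') %>`. The CentOS/7 template's corresponding hunk already uses the corrected key, so only this file is affected within the view.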
@@ -612,16 +612,16 @@ logpath = %(syslog_mail)s # This jail blocks TCP traffic for DNS requests. [named-refused] -enabled = <%= "named-refused" in $fail2ban::jails %> -port = domain,953 -logpath = /var/log/named/security.log +enabled = <%= 'named-refused' in $fail2ban::jails %> +port = <%= fail2ban::port('named-refused', 'domain,953') %> +logpath = /var/log/named/security.log [nsd] -enabled = <%= "nsd" in $fail2ban::jails %> -port = 53 -action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] - %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] +enabled = <%= 'nsd' in $fail2ban::jails %> +port = <%= fail2ban::port('nsd', 53) %> +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log @@ -630,8 +630,8 @@ logpath = /var/log/nsd.log # [asterisk] -enabled = <%= "asterisk" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'asterisk' in $fail2ban::jails %> +port = <%= fail2ban::port('asterisk', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] 
@@ -640,8 +640,8 @@ maxretry = 10 [freeswitch] -enabled = <%= "freeswitch" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'freeswitch' in $fail2ban::jails %> +port = <%= fail2ban::port('freeswitch', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] @@ -661,8 +661,8 @@ maxretry = 10 # [mysqld] # log-error=/var/log/mysqld.log [mysqld-auth] -enabled = <%= "mysqld-auth" in $fail2ban::jails %> -port = 3306 +enabled = <%= 'mysqld-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mysqld-auth', 3306) %> logpath = %(mysql_log)s maxretry = 5 @@ -707,8 +707,8 @@ logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] -enabled = <%= "ejabberd-auth" in $fail2ban::jails %> -port = 5222 +enabled = <%= 'ejabberd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('ejabberd-auth', 5222) %> logpath = /var/log/ejabberd/ejabberd.log diff --git a/templates/CentOS/7/etc/fail2ban/jail.conf.epp b/templates/CentOS/7/etc/fail2ban/jail.conf.epp index e4db45d7..cd78c724 100644 --- a/templates/CentOS/7/etc/fail2ban/jail.conf.epp +++ b/templates/CentOS/7/etc/fail2ban/jail.conf.epp @@ -185,8 +185,8 @@ action = %(<%= $fail2ban::action %>)s # [sshd] -enabled = <%= "ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('ssh', 'ssh') %> logpath = %(sshd_log)s 
@@ -195,19 +195,19 @@ logpath = %(sshd_log)s # The mail-whois action send a notification e-mail with a whois request # in the body. enabled = <%= "ssh-ddos" in $fail2ban::jails %> -port = ssh +port = <%= lookup('fail2ban::jails_config.ssh-ddos.port', String, undef, 'ssh') %> logpath = %(sshd_log)s [dropbear] -enabled = <%= "dropbear" in $fail2ban::jails %> -port = ssh +enabled = <%= 'dropbear' in $fail2ban::jails %> +port = <%= fail2ban::port('dropbear', 'ssh') %> logpath = %(dropbear_log)s [selinux-ssh] -enabled = <%= "selinux-ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'selinux-ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('selinux-ssh', 'ssh') %> logpath = %(auditd_log)s maxretry = 5 
@@ -217,77 +217,77 @@ maxretry = 5 # [apache-auth] -enabled = <%= "apache-auth" in $fail2ban::jails %> -port = http,https -logpath = %(apache_error_log)s +enabled = <%= 'apache-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-auth', 'http,https') %> +logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. -enabled = <%= "apache-badbots" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-badbots' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-badbots', 'http,https') %> logpath = %(apache_access_log)s bantime = 172800 maxretry = 1 [apache-noscript] -enabled = <%= "apache-noscript" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-noscript' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-noscript', 'http,https') %> logpath = %(apache_error_log)s maxretry = 6 [apache-overflows] -enabled = <%= "apache-overflows" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-overflows' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-overflows', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] -enabled = <%= "apache-nohome" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-nohome' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-nohome', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] -enabled = <%= "apache-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-botsearch', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] -enabled = <%= "apache-fakegooglebot" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-fakegooglebot' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-fakegooglebot', 'http,https') %> logpath = %(apache_access_log)s maxretry = 1 
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot [apache-modsecurity] -enabled = <%= "apache-modsecurity" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-modsecurity' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-modsecurity', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] -enabled = <%= "apache-shellshock" in $fail2ban::jails %> -port = http,https -logpath = %(apache_error_log)s +enabled = <%= 'apache-shellshock' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-shellshock', 'http,https') %> +logpath = %(apache_error_log)s maxretry = 1 [nginx-http-auth] -enabled = <%= "nginx-http-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-http-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-http-auth', 'http,https') %> logpath = %(nginx_error_log)s [nginx-botsearch] -enabled = <%= "nginx-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-botsearch', 'http,https') %> logpath = %(nginx_error_log)s maxretry = 2 @@ -296,23 +296,23 @@ maxretry = 2 # of usage in production environments. [php-url-fopen] -enabled = <%= "php-url-fopen" in $fail2ban::jails %> -port = http,https +enabled = <%= 'php-url-fopen' in $fail2ban::jails %> +port = <%= fail2ban::port('php-url-fopen', 'http,https') %> logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] -enabled = <%= "suhosin" in $fail2ban::jails %> -port = http,https +enabled = <%= 'suhosin' in $fail2ban::jails %> +port = <%= fail2ban::port('suhosin', 'http,https') %> logpath = %(suhosin_log)s [lighttpd-auth] -enabled = <%= "lighttpd-auth" in $fail2ban::jails %> +enabled = <%= 'lighttpd-auth' in $fail2ban::jails %> # Same as above for Apache's mod_auth # It catches wrong authentifications -port = http,https +port = <%= fail2ban::port('lighttpd-auth', 'http,https') %> logpath = %(lighttpd_error_log)s 
@@ -321,42 +321,42 @@ logpath = %(lighttpd_error_log)s # [roundcube-auth] -enabled = <%= "roundcube-auth" in $fail2ban::jails %> -port = http,https -logpath = logpath = %(roundcube_errors_log)s +enabled = <%= 'roundcube-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('roundcube-auth', 'http,https') %> +logpath = %(roundcube_errors_log)s [openwebmail] -enabled = <%= "openwebmail" in $fail2ban::jails %> -port = http,https -logpath = /var/log/openwebmail.log +enabled = <%= 'openwebmail' in $fail2ban::jails %> +port = <%= fail2ban::port('openwebmail', 'http,https') %> +logpath = /var/log/openwebmail.log [horde] -enabled = <%= "horde" in $fail2ban::jails %> -port = http,https -logpath = /var/log/horde/horde.log +enabled = <%= 'horde' in $fail2ban::jails %> +port = <%= fail2ban::port('horde', 'http,https') %> +logpath = /var/log/horde/horde.log [groupoffice] -enabled = <%= "groupoffice" in $fail2ban::jails %> -port = http,https -logpath = /home/groupoffice/log/info.log +enabled = <%= 'groupoffice' in $fail2ban::jails %> +port = <%= fail2ban::port('groupoffice', 'http,https') %> +logpath = /home/groupoffice/log/info.log [sogo-auth] -enabled = <%= "sogo-auth" in $fail2ban::jails %> +enabled = <%= 'sogo-auth' in $fail2ban::jails %> # Monitor SOGo groupware server # without proxy this would be: # port = 20000 -port = http,https +port = <%= fail2ban::port('sogo-auth', 'http,https') %> logpath = /var/log/sogo/sogo.log [tine20] -enabled = <%= "tine20" in $fail2ban::jails %> +enabled = <%= 'tine20' in $fail2ban::jails %> logpath = /var/log/tine20/tine20.log -port = http,https +port = <%= fail2ban::port('tine20', 'http,https') %> maxretry = 5 
@@ -366,33 +366,33 @@ maxretry = 5 # [drupal-auth] -enabled = <%= "drupal-auth" in $fail2ban::jails %> -port = http,https -logpath = %(syslog_daemon)s +enabled = <%= 'drupal-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('drupal-auth', 'http,https') %> +logpath = %(syslog_daemon)s [guacamole] -enabled = <%= "guacamole" in $fail2ban::jails %> -port = http,https -logpath = /var/log/tomcat*/catalina.out +enabled = <%= 'guacamole' in $fail2ban::jails %> +port = <%= fail2ban::port('guacamole', 'http,https') %> +logpath = /var/log/tomcat*/catalina.out [monit] #Ban clients brute-forcing the monit gui login -enabled = <%= "monit" in $fail2ban::jails %> -filter = monit -port = 2812 -logpath = /var/log/monit +enabled = <%= 'monit' in $fail2ban::jails %> +filter = monit +port = <%= fail2ban::port('monit', 2812) %> +logpath = /var/log/monit [webmin-auth] -enabled = <%= "webmin-auth" in $fail2ban::jails %> -port = 10000 +enabled = <%= 'webmin-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('webmin-auth', 10000) %> logpath = %(syslog_authpriv)s [froxlor-auth] -enabled = <%= "froxlor-auth" in $fail2ban::jails %> -port = http,https -logpath = %(syslog_authpriv)s +enabled = <%= 'froxlor-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('froxlor-auth', 'http,https') %> +logpath = %(syslog_authpriv)s # @@ -401,14 +401,14 @@ logpath = %(syslog_authpriv)s # [squid] -enabled = <%= "squid" in $fail2ban::jails %> -port = 80,443,3128,8080 +enabled = <%= 'squid' in $fail2ban::jails %> +port = <%= fail2ban::port('squid', '80,443,3128,8080') %> logpath = /var/log/squid/access.log [3proxy] -enabled = <%= "3proxy" in $fail2ban::jails %> -port = 3128 +enabled = <%= '3proxy' in $fail2ban::jails %> +port = <%= fail2ban::port('3proxy', 3128) %> logpath = /var/log/3proxy.log 
@@ -418,28 +418,28 @@ logpath = /var/log/3proxy.log [proftpd] -enabled = <%= "proftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'proftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('proftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(proftpd_log)s [pure-ftpd] -enabled = <%= "pure-ftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'pure-ftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('pure-ftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(pureftpd_log)s maxretry = 6 [gssftpd] -enabled = <%= "gssftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'gssftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('gssftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(syslog_daemon)s maxretry = 6 [wuftpd] -enabled = <%= "wuftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'wuftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('wuftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(wuftpd_log)s maxretry = 6 @@ -449,8 +449,8 @@ maxretry = 6 # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats -enabled = <%= "vsftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'vsftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('vsftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(vsftpd_log)s 
@@ -460,84 +460,84 @@ logpath = %(vsftpd_log)s # ASSP SMTP Proxy Jail [assp] -enabled = <%= "assp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'assp' in $fail2ban::jails %> +port = <%= fail2ban::port('assp', 'smtp,465,submission') %> logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] -enabled = <%= "courier-smtp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'courier-smtp' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-smtp', 'smtp,465,submission') %> logpath = %(syslog_mail)s [postfix] -enabled = <%= "postfix" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'postfix' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix', 'smtp,465,submission') %> logpath = %(postfix_log)s [postfix-rbl] -enabled = <%= "postfix-rbl" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'postfix-rbl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-rbl', 'smtp,465,submission') %> logpath = %(syslog_mail)s maxretry = 1 [sendmail-auth] -enabled = <%= "sendmail-auth" in $fail2ban::jails %> -port = submission,465,smtp +enabled = <%= 'sendmail-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-auth', 'smtp,465,submission') %> logpath = %(syslog_mail)s [sendmail-reject] -enabled = <%= "sendmail-reject" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sendmail-reject' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-reject', 'smtp,465,submission') %> logpath = %(syslog_mail)s [qmail-rbl] -enabled = <%= "qmail-rbl" in $fail2ban::jails %> +enabled = <%= 'qmail-rbl' in $fail2ban::jails %> filter = qmail -port = smtp,465,submission +port = <%= fail2ban::port('qmail-rbl', 'smtp,465,submission') %> logpath = /service/qmail/log/main/current # dovecot defaults to logging to the mail syslog facility # but can be set by syslog_facility in the dovecot configuration. 
[dovecot] -enabled = <%= "dovecot" in $fail2ban::jails %> -port = pop3,pop3s,imap,imaps,submission,465,sieve +enabled = <%= 'dovecot' in $fail2ban::jails %> +port = <%= fail2ban::port('dovecot', 'pop3,pop3s,imap,imaps,submission,465,sieve') %> logpath = %(dovecot_log)s [sieve] -enabled = <%= "sieve" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sieve' in $fail2ban::jails %> +port = <%= fail2ban::port('sieve', 'smtp,465,submission') %> logpath = %(dovecot_log)s [solid-pop3d] -enabled = <%= "solid-pop3d" in $fail2ban::jails %> -port = pop3,pop3s +enabled = <%= 'solid-pop3d' in $fail2ban::jails %> +port = <%= fail2ban::port('solid-pop3d', 'pop3,pop3s') %> logpath = %(solidpop3d_log)s [exim] -enabled = <%= "exim" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim' in $fail2ban::jails %> +port = <%= fail2ban::port('exim', 'smtp,465,submission') %> logpath = %(exim_main_log)s [exim-spam] -enabled = <%= "exim-spam" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim-spam' in $fail2ban::jails %> +port = <%= fail2ban::port('exim-spam', 'smtp,465,submission') %> logpath = %(exim_main_log)s [kerio] -enabled = <%= "kerio" in $fail2ban::jails %> -port = imap,smtp,imaps,465 +enabled = <%= 'kerio' in $fail2ban::jails %> +port = <%= fail2ban::port('kerio', 'imap,smtp,imaps,465') %> logpath = /opt/kerio/mailserver/store/logs/security.log 
@@ -547,41 +547,41 @@ logpath = /opt/kerio/mailserver/store/logs/security.log # [courier-auth] -enabled = <%= "courier-auth" in $fail2ban::jails %> -port = smtp,465,submission,imap3,imaps,pop3,pop3s -logpath = %(syslog_mail)s +enabled = <%= 'courier-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-auth', 'smtp,465,submission,imap3,imaps,pop3,pop3s') %> +logpath = %(syslog_mail)s [postfix-sasl] -enabled = <%= "postfix-sasl" in $fail2ban::jails %> -port = smtp,465,submission,imap3,imaps,pop3,pop3s +enabled = <%= 'postfix-sasl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-sasl', 'smtp,465,submission,imap3,imaps,pop3,pop3s') %> # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. -logpath = %(postfix_log)s +logpath = %(postfix_log)s [perdition] -enabled = <%= "perdition" in $fail2ban::jails %> -port = imap3,imaps,pop3,pop3s +enabled = <%= 'perdition' in $fail2ban::jails %> +port = <%= fail2ban::port('perdition', 'imap3,imaps,pop3,pop3s') %> logpath = %(syslog_mail)s [squirrelmail] -enabled = <%= "squierrelmail" in $fail2ban::jails %> -port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks +enabled = <%= 'squirrelmail' in $fail2ban::jails %> +port = <%= fail2ban::port('squirrelmail', 'smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks') %> logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] -enabled = <%= "cyrus-imap" in $fail2ban::jails %> -port = imap3,imaps +enabled = <%= 'cyrus-imap' in $fail2ban::jails %> +port = <%= fail2ban::port('cyrus-imap', 'imap3,imaps') %> logpath = %(syslog_mail)s [uwimap-auth] -enabled = <%= "uwimap-auth" in $fail2ban::jails %> -port = imap3,imaps +enabled = <%= 'uwimap-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('uwimap-auth', 'imap3,imaps') %> logpath = %(syslog_mail)s 
@@ -612,16 +612,16 @@ logpath = %(syslog_mail)s # This jail blocks TCP traffic for DNS requests. [named-refused] -enabled = <%= "named-refused" in $fail2ban::jails %> -port = domain,953 -logpath = /var/log/named/security.log +enabled = <%= 'named-refused' in $fail2ban::jails %> +port = <%= fail2ban::port('named-refused', 'domain,953') %> +logpath = /var/log/named/security.log [nsd] -enabled = <%= "nsd" in $fail2ban::jails %> -port = 53 -action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] - %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] +enabled = <%= 'nsd' in $fail2ban::jails %> +port = <%= fail2ban::port('nsd', 53) %> +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log @@ -630,8 +630,8 @@ logpath = /var/log/nsd.log # [asterisk] -enabled = <%= "asterisk" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'asterisk' in $fail2ban::jails %> +port = <%= fail2ban::port('asterisk', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] 
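Review bot: `port = <%= fail2ban::port('nsd', 53) %>` passes an Integer default where every other call in these templates passes a String (`'domain,953'`, `'5060,5061'`); whether both forms are accepted depends on `Fail2ban::Port` in types/port.pp, which is not in this chunk. Passing the default in one form everywhere — `port = <%= fail2ban::port('nsd', '53') %>` — keeps the type narrower and renders identically. The same Integer form recurs for mysqld-auth and ejabberd-auth in the next hunks and for monit, webmin-auth, 3proxy and mongodb-auth later in this patch.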
@@ -640,8 +640,8 @@ maxretry = 10 [freeswitch] -enabled = <%= "freeswitch" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'freeswitch' in $fail2ban::jails %> +port = <%= fail2ban::port('freeswitch', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] @@ -661,8 +661,8 @@ maxretry = 10 # [mysqld] # log-error=/var/log/mysqld.log [mysqld-auth] -enabled = <%= "mysqld-auth" in $fail2ban::jails %> -port = 3306 +enabled = <%= 'mysqld-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mysqld-auth', 3306) %> logpath = %(mysql_log)s maxretry = 5 @@ -707,8 +707,8 @@ logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] -enabled = <%= "ejabberd-auth" in $fail2ban::jails %> -port = 5222 +enabled = <%= 'ejabberd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('ejabberd-auth', 5222) %> logpath = /var/log/ejabberd/ejabberd.log diff --git a/templates/Debian/10/etc/fail2ban/jail.conf.epp b/templates/Debian/10/etc/fail2ban/jail.conf.epp index 0a502906..7157a261 100644 --- a/templates/Debian/10/etc/fail2ban/jail.conf.epp +++ b/templates/Debian/10/etc/fail2ban/jail.conf.epp 
@@ -198,11 +198,11 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # Report block via blocklist.de fail2ban reporting service API -# +# # See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action. # Specify expected parameters in file action.d/blocklist_de.local or if the interpolation # `action_blocklist_de` used for the action, set value of `blocklist_de_apikey` -# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in +# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in # corresponding jail.d/my-jail.local file). # action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] @@ -243,28 +243,28 @@ action = %(<%= $fail2ban::action %>)s [sshd] -enabled = <%= "ssh" in $fail2ban::jails %> +enabled = <%= 'ssh' in $fail2ban::jails %> # To use more aggressive sshd modes set filter parameter "mode" in jail.local: # normal (default), ddos, extra or aggressive (combines all). # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. #mode = normal -port = ssh +port = <%= fail2ban::port('ssh', 'ssh') %> logpath = %(sshd_log)s backend = %(sshd_backend)s [dropbear] -enabled = <%= "dropbear" in $fail2ban::jails %> -port = ssh +enabled = <%= 'dropbear' in $fail2ban::jails %> +port = <%= fail2ban::port('dropbear', 'ssh') %> logpath = %(dropbear_log)s backend = %(dropbear_backend)s [selinux-ssh] -enabled = <%= "selinux-ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'selinux-ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('selinux-ssh', 'ssh') %> logpath = %(auditd_log)s 
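Review bot: In the `[sshd]` jail the new line `port = <%= fail2ban::port('ssh', 'ssh') %>` looks up the override under the key `ssh`, while fail2ban's own jail name and the section header are `sshd`. If `fail2ban::port` keys on its first argument (functions/port.pp is not in this chunk), an operator who configures a port override for `sshd` silently gets the default and has to know to write `ssh` instead; the `enabled` line has the same mismatch, so the port function extends a pre-existing inconsistency. Either accept both keys in the function or document on the relevant `fail2ban::port` parameter that the ssh jail is keyed as `ssh`. The same applies to the `[sshd]` hunk of the Debian 11 template later in this patch.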
@@ -274,16 +274,16 @@ logpath = %(auditd_log)s [apache-auth] -enabled = <%= "apache-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-auth', 'http,https') %> logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. -enabled = <%= "apache-badbots" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-badbots' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-badbots', 'http,https') %> logpath = %(apache_access_log)s bantime = 172800 maxretry = 1 
@@ -291,39 +291,39 @@ maxretry = 1 [apache-noscript] -enabled = <%= "apache-noscript" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-noscript' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-noscript', 'http,https') %> logpath = %(apache_error_log)s [apache-overflows] -enabled = <%= "apache-overflows" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-overflows' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-overflows', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] -enabled = <%= "apache-nohome" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-nohome' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-nohome', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] -enabled = <%= "apache-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-botsearch', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] -enabled = <%= "apache-fakegooglebot" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-fakegooglebot' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-fakegooglebot', 'http,https') %> logpath = %(apache_access_log)s maxretry = 1 ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot 
@@ -331,23 +331,23 @@ ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot [apache-modsecurity] -enabled = <%= "apache-modsecurity" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-modsecurity' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-modsecurity', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] -enabled = <%= "apache-shellshock" in $fail2ban::jails %> -port = http,https -logpath = %(apache_error_log)s +enabled = <%= 'apache-shellshock' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-shellshock', 'http,https') %> +logpath = %(apache_error_log)s maxretry = 1 [openhab-auth] -enabled = <%= "openhab-auth" in $fail2ban::jails %> +enabled = <%= 'openhab-auth' in $fail2ban::jails %> filter = openhab action = iptables-allports[name=NoAuthFailures] logpath = /opt/openhab/logs/request.log 
@@ -355,24 +355,24 @@ logpath = /opt/openhab/logs/request.log [nginx-http-auth] -enabled = <%= "nginx-http-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-http-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-http-auth', 'http,https') %> logpath = %(nginx_error_log)s -# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` +# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` # and define `limit_req` and `limit_req_zone` as described in nginx documentation # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html # or for example see in 'config/filter.d/nginx-limit-req.conf' [nginx-limit-req] -enabled = <%= "nginx-limit-req" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-limit-req' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-limit-req', 'http,https') %> logpath = %(nginx_error_log)s [nginx-botsearch] -enabled = <%= "nginx-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-botsearch', 'http,https') %> logpath = %(nginx_error_log)s maxretry = 2 @@ -383,24 +383,24 @@ maxretry = 2 [php-url-fopen] -enabled = <%= "php-url-fopen" in $fail2ban::jails %> -port = http,https +enabled = <%= 'php-url-fopen' in $fail2ban::jails %> +port = <%= fail2ban::port('php-url-fopen', 'http,https') %> logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] -enabled = <%= "suhosin" in $fail2ban::jails %> -port = http,https +enabled = <%= 'suhosin' in $fail2ban::jails %> +port = <%= fail2ban::port('suhosin', 'http,https') %> logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications -enabled = <%= "lighttpd-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'lighttpd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('lighttpd-auth', 'http,https') %> logpath = %(lighttpd_error_log)s 
@@ -410,8 +410,8 @@ logpath = %(lighttpd_error_log)s [roundcube-auth] -enabled = <%= "roundcube-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'roundcube-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('roundcube-auth', 'http,https') %> logpath = %(roundcube_errors_log)s # Use following line in your jail.local if roundcube logs to journal. #backend = %(syslog_backend)s @@ -419,39 +419,39 @@ logpath = %(roundcube_errors_log)s [openwebmail] -enabled = <%= "openwebmail" in $fail2ban::jails %> -port = http,https +enabled = <%= 'openwebmail' in $fail2ban::jails %> +port = <%= fail2ban::port('openwebmail', 'http,https') %> logpath = /var/log/openwebmail.log [horde] -enabled = <%= "horde" in $fail2ban::jails %> -port = http,https -logpath = /var/log/horde/horde.log +enabled = <%= 'horde' in $fail2ban::jails %> +port = <%= fail2ban::port('horde', 'http,https') %> +logpath = /var/log/horde/horde.log [groupoffice] -enabled = <%= "groupoffice" in $fail2ban::jails %> -port = http,https -logpath = /home/groupoffice/log/info.log +enabled = <%= 'groupoffice' in $fail2ban::jails %> +port = <%= fail2ban::port('groupoffice', 'http,https') %> +logpath = /home/groupoffice/log/info.log [sogo-auth] # Monitor SOGo groupware server # without proxy this would be: # port = 20000 -enabled = <%= "sogo-auth" in $fail2ban::jails %> -port = http,https -logpath = /var/log/sogo/sogo.log +enabled = <%= 'sogo-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sogo-auth', 'http,https') %> +logpath = /var/log/sogo/sogo.log [tine20] -enabled = <%= "tine20" in $fail2ban::jails %> -logpath = /var/log/tine20/tine20.log -port = http,https +enabled = <%= 'tine20' in $fail2ban::jails %> +logpath = /var/log/tine20/tine20.log +port = <%= fail2ban::port('tine20', 'http,https') %> # 
@@ -461,38 +461,38 @@ port = http,https [drupal-auth] -enabled = <%= "drupal-auth" in $fail2ban::jails %> -port = http,https -logpath = %(syslog_daemon)s -backend = %(syslog_backend)s +enabled = <%= 'drupal-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('drupal-auth', 'http,https') %> +logpath = %(syslog_daemon)s +backend = %(syslog_backend)s [guacamole] -enabled = <%= "guacamole" in $fail2ban::jails %> -port = http,https -logpath = /var/log/tomcat*/catalina.out +enabled = <%= 'guacamole' in $fail2ban::jails %> +port = <%= fail2ban::port('guacamole', 'http,https') %> +logpath = /var/log/tomcat*/catalina.out [monit] #Ban clients brute-forcing the monit gui login -enabled = <%= "monit" in $fail2ban::jails %> -port = 2812 -logpath = /var/log/monit +enabled = <%= 'monit' in $fail2ban::jails %> +port = <%= fail2ban::port('monit', 2812) %> +logpath = /var/log/monit [webmin-auth] -enabled = <%= "webmin-auth" in $fail2ban::jails %> -port = 10000 +enabled = <%= 'webmin-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('webmin-auth', 10000) %> logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [froxlor-auth] -enabled = <%= "froxlor-auth" in $fail2ban::jails %> -port = http,https -logpath = %(syslog_authpriv)s -backend = %(syslog_backend)s +enabled = <%= 'froxlor-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('froxlor-auth', 'http,https') %> +logpath = %(syslog_authpriv)s +backend = %(syslog_backend)s # @@ -502,15 +502,15 @@ backend = %(syslog_backend)s [squid] -enabled = <%= "squid" in $fail2ban::jails %> -port = 80,443,3128,8080 +enabled = <%= 'squid' in $fail2ban::jails %> +port = <%= fail2ban::port('squid', '80,443,3128,8080') %> logpath = /var/log/squid/access.log [3proxy] -enabled = <%= "3proxy" in $fail2ban::jails %> -port = 3128 +enabled = <%= '3proxy' in $fail2ban::jails %> +port = <%= fail2ban::port('3proxy', 3128) %> logpath = /var/log/3proxy.log 
@@ -521,44 +521,44 @@ logpath = /var/log/3proxy.log [proftpd] -enabled = <%= "proftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'proftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('proftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(proftpd_log)s backend = %(proftpd_backend)s [pure-ftpd] -enabled = <%= "pure-ftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'pure-ftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('pure-ftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(pureftpd_log)s backend = %(pureftpd_backend)s [gssftpd] -enabled = <%= "gssftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'gssftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('gssftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(syslog_daemon)s backend = %(syslog_backend)s [wuftpd] -enabled = <%= "wuftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'wuftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('wuftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(wuftpd_log)s backend = %(wuftpd_backend)s [vsftpd] -enabled = <%= "vsftpd" in $fail2ban::jails %> +enabled = <%= 'vsftpd' in $fail2ban::jails %> # or overwrite it in jails.local to be # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats -port = ftp,ftp-data,ftps,ftps-data +port = <%= fail2ban::port('vsftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(vsftpd_log)s 
@@ -569,15 +569,15 @@ logpath = %(vsftpd_log)s # ASSP SMTP Proxy Jail [assp] -enabled = <%= "assp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'assp' in $fail2ban::jails %> +port = <%= fail2ban::port('assp', 'smtp,465,submission') %> logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] -enabled = <%= "courier-smtp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'courier-smtp' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-smtp', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s @@ -585,16 +585,16 @@ backend = %(syslog_backend)s [postfix] # To use another modes set filter parameter "mode" in jail.local: mode = more -enabled = <%= "postfix" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'postfix' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix', 'smtp,465,submission') %> logpath = %(postfix_log)s backend = %(postfix_backend)s [postfix-rbl] -enabled = <%= "postfix-rbl" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'postfix-rbl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-rbl', 'smtp,465,submission') %> logpath = %(postfix_log)s backend = %(postfix_backend)s maxretry = 1 @@ -602,8 +602,8 @@ maxretry = 1 [sendmail-auth] -enabled = <%= "sendmail-auth" in $fail2ban::jails %> -port = submission,465,smtp +enabled = <%= 'sendmail-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-auth', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s 
@@ -613,17 +613,17 @@ backend = %(syslog_backend)s # normal (default), extra or aggressive # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details. #mode = normal -enabled = <%= "sendmail-reject" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sendmail-reject' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-reject', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [qmail-rbl] -enabled = <%= "qmail-rbl" in $fail2ban::jails %> +enabled = <%= 'qmail-rbl' in $fail2ban::jails %> filter = qmail -port = smtp,465,submission +port = <%= fail2ban::port('qmail-rbl', 'smtp,465,submission') %> logpath = /service/qmail/log/main/current 
@@ -631,46 +631,46 @@ logpath = /service/qmail/log/main/current # but can be set by syslog_facility in the dovecot configuration. [dovecot] -enabled = <%= "dovecot" in $fail2ban::jails %> -port = pop3,pop3s,imap,imaps,submission,465,sieve +enabled = <%= 'dovecot' in $fail2ban::jails %> +port = <%= fail2ban::port('dovecot', 'pop3,pop3s,imap,imaps,submission,465,sieve') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [sieve] -enabled = <%= "sieve" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sieve' in $fail2ban::jails %> +port = <%= fail2ban::port('sieve', 'smtp,465,submission') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [solid-pop3d] -enabled = <%= "solid-pop3d" in $fail2ban::jails %> -port = pop3,pop3s +enabled = <%= 'solid-pop3d' in $fail2ban::jails %> +port = <%= fail2ban::port('solid-pop3d', 'pop3,pop3s') %> logpath = %(solidpop3d_log)s [exim] # see filter.d/exim.conf for further modes supported from filter: #mode = normal -enabled = <%= "exim" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim' in $fail2ban::jails %> +port = <%= fail2ban::port('exim', 'smtp,465,submission') %> logpath = %(exim_main_log)s [exim-spam] -enabled = <%= "exim-spam" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim-spam' in $fail2ban::jails %> +port = <%= fail2ban::port('exim-spam', 'smtp,465,submission') %> logpath = %(exim_main_log)s [kerio] -enabled = <%= "kerio" in $fail2ban::jails %> -port = imap,smtp,imaps,465 +enabled = <%= 'kerio' in $fail2ban::jails %> +port = <%= fail2ban::port('kerio', 'imap,smtp,imaps,465') %> logpath = /opt/kerio/mailserver/store/logs/security.log 
@@ -681,51 +681,50 @@ logpath = /opt/kerio/mailserver/store/logs/security.log [courier-auth] -enabled = <%= "courier-auth" in $fail2ban::jails %> -port = smtp,465,submission,imap,imaps,pop3,pop3s -logpath = %(syslog_mail)s -backend = %(syslog_backend)s +enabled = <%= 'courier-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-auth', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> +logpath = %(syslog_mail)s +backend = %(syslog_backend)s [postfix-sasl] -filter = postfix[mode=auth] -enabled = <%= "postfix-sasl" in $fail2ban::jails %> -port = smtp,465,submission,imap,imaps,pop3,pop3s +enabled = <%= 'postfix-sasl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-sasl', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. -logpath = %(postfix_log)s -backend = %(postfix_backend)s +logpath = %(postfix_log)s +backend = %(postfix_backend)s [perdition] -enabled = <%= "perdition" in $fail2ban::jails %> -port = imap,imaps,pop3,pop3s +enabled = <%= 'perdition' in $fail2ban::jails %> +port = <%= fail2ban::port('perdition', 'imap,imaps,pop3,pop3s') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [squirrelmail] -enabled = <%= "squirrelmail" in $fail2ban::jails %> -port = smtp,465,submission,imap2,imap,imaps,pop3,pop3s,http,https,socks +enabled = <%= 'squirrelmail' in $fail2ban::jails %> +port = <%= fail2ban::port('squirrelmail', 'smtp,465,submission,imap2,imap,imaps,pop3,pop3s,http,https,socks') %> logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] -enabled = <%= "cyrus-imap" in $fail2ban::jails %> -port = imap,imaps +enabled = <%= 'cyrus-imap' in $fail2ban::jails %> +port = <%= fail2ban::port('cyrus-imap', 'imap3,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [uwimap-auth] -enabled = <%= "uwimap-auth" in $fail2ban::jails %> 
-port = imap,imaps +enabled = <%= 'uwimap-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('uwimap-auth', 'imap,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s @@ -758,17 +757,17 @@ backend = %(syslog_backend)s [named-refused] -enabled = <%= "named-refused" in $fail2ban::jails %> -port = domain,953 -logpath = /var/log/named/security.log +enabled = <%= 'named-refused' in $fail2ban::jails %> +port = <%= fail2ban::port('named-refused', 'domain,953') %> +logpath = /var/log/named/security.log [nsd] -enabled = <%= "nsd" in $fail2ban::jails %> -port = 53 -action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] - %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] +enabled = <%= 'nsd' in $fail2ban::jails %> +port = <%= fail2ban::port('nsd', 53) %> +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log @@ -778,8 +777,8 @@ logpath = /var/log/nsd.log [asterisk] -enabled = <%= "asterisk" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'asterisk' in $fail2ban::jails %> +port = <%= fail2ban::port('asterisk', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] 
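Review bot: In `[cyrus-imap]` the default changed from the old `port = imap,imaps` to `fail2ban::port('cyrus-imap', 'imap3,imaps')`, so port 143 (imap) is no longer in the rendered default and bans would cover imap3 (220) instead; the neighbouring courier-auth and perdition entries in this hunk keep `imap`, so this looks copied from an older template. It should read `port = <%= fail2ban::port('cyrus-imap', 'imap,imaps') %>`. Separately, `[postfix-sasl]` loses `filter = postfix[mode=auth]` with no replacement; if the target release does not ship a standalone `filter.d/postfix-sasl.conf` the jail will fail to load, and in any case the removal is unrelated to the port refactor and should be restored or justified in the description.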
@@ -789,8 +788,8 @@ maxretry = 10 [freeswitch] -enabled = <%= "freeswitch" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'freeswitch' in $fail2ban::jails %> +port = <%= fail2ban::port('freeswitch', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] @@ -811,8 +810,8 @@ maxretry = 10 # log-error=/var/log/mysqld.log [mysqld-auth] -enabled = <%= "mysqld-auth" in $fail2ban::jails %> -port = 3306 +enabled = <%= 'mysqld-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mysqld-auth', 3306) %> logpath = %(mysql_log)s backend = %(mysql_backend)s @@ -820,8 +819,8 @@ backend = %(mysql_backend)s # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') [mongodb-auth] # change port when running with "--shardsvr" or "--configsvr" runtime operation -enabled = <%= "mongodb-auth" in $fail2ban::jails %> -port = 27017 +enabled = <%= 'mongodb-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mongodb-auth', 27017) %> logpath = /var/log/mongodb/mongodb.log @@ -871,8 +870,8 @@ logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] -enabled = <%= "ejabberd-auth" in $fail2ban::jails %> -port = 5222 +enabled = <%= 'ejabberd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('ejabberd-auth', 5222) %> logpath = /var/log/ejabberd/ejabberd.log diff --git a/templates/Debian/11/etc/fail2ban/jail.conf.epp b/templates/Debian/11/etc/fail2ban/jail.conf.epp index fc3b0d6d..2f230b2a 100644 --- a/templates/Debian/11/etc/fail2ban/jail.conf.epp +++ b/templates/Debian/11/etc/fail2ban/jail.conf.epp 
@@ -109,9 +109,6 @@ findtime = 10m # "maxretry" is the number of failures before a host get banned. maxretry = <%= $fail2ban::maxretry %> -# "maxmatches" is the number of matches stored in ticket (resolvable via tag in actions). -maxmatches = %(maxretry)s - # "backend" specifies the backend used to get files modification. # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". # This option can be overridden in each jail as well. @@ -284,28 +281,28 @@ action = %(<%= $fail2ban::action %>)s [sshd] -enabled = <%= "ssh" in $fail2ban::jails %> +enabled = <%= 'ssh' in $fail2ban::jails %> # To use more aggressive sshd modes set filter parameter "mode" in jail.local: # normal (default), ddos, extra or aggressive (combines all). # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. #mode = normal -port = ssh +port = <%= fail2ban::port('ssh', 'ssh') %> logpath = %(sshd_log)s backend = %(sshd_backend)s [dropbear] -enabled = <%= "dropbear" in $fail2ban::jails %> -port = ssh +enabled = <%= 'dropbear' in $fail2ban::jails %> +port = <%= fail2ban::port('dropbear', 'ssh') %> logpath = %(dropbear_log)s backend = %(dropbear_backend)s [selinux-ssh] -enabled = <%= "selinux-ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'selinux-ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('selinux-ssh', 'ssh') %> logpath = %(auditd_log)s 
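Review bot: The first hunk drops `maxmatches = %(maxretry)s` from `[DEFAULT]`, which has nothing to do with port overrides and changes the number of matches stored per ticket to fail2ban's internal default, which may differ from `%(maxretry)s`; keep the two lines unless the change is intended and described. Together with the other removals further down in this file (`bantime = 48h`, `banaction = %(banaction_allports)s`, the second monit logpath) it looks as though the Debian 11 template was regenerated from the Debian 10 one rather than edited in place — worth confirming before merge.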
@@ -315,56 +312,56 @@ logpath = %(auditd_log)s [apache-auth] -enabled = <%= "apache-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-auth', 'http,https') %> logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. -enabled = <%= "apache-badbots" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-badbots' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-badbots', 'http,https') %> logpath = %(apache_access_log)s -bantime = 48h +bantime = 172800 maxretry = 1 [apache-noscript] -enabled = <%= "apache-noscript" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-noscript' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-noscript', 'http,https') %> logpath = %(apache_error_log)s [apache-overflows] -enabled = <%= "apache-overflows" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-overflows' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-overflows', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] -enabled = <%= "apache-nohome" in $fail2ban::jails %> -port = http,https -logpath = %(apache_error_log)s +enabled = <%= 'apache-nohome' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-nohome', 'http,https') %> +logpath = %(apache_er<%= fail2ban::port('apache-botsearch', 'http,https') %>ror_log)s maxretry = 2 [apache-botsearch] -enabled = <%= "apache-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-botsearch', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] -enabled = <%= "apache-fakegooglebot" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-fakegooglebot' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-fakegooglebot', 
'http,https') %> logpath = %(apache_access_log)s maxretry = 1 ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot 
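Review bot: The `[apache-nohome]` jail now renders `logpath = %(apache_er<%= fail2ban::port('apache-botsearch', 'http,https') %>ror_log)s` — a search-and-replace has spliced the apache-botsearch port expression into the middle of the logpath interpolation, so the rendered value is no longer a valid `%(apache_error_log)s` reference and fail2ban would reject the jail. Restore `logpath = %(apache_error_log)s`. The `bantime = 48h` → `bantime = 172800` change in the same hunk is value-equivalent but unrelated to the port refactor and undoes the human-readable duration form the file previously used.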
@@ -372,48 +369,48 @@ ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot [apache-modsecurity] -enabled = <%= "apache-modsecurity" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-modsecurity' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-modsecurity', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] -enabled = <%= "apache-shellshock" in $fail2ban::jails %> -port = http,https -logpath = %(apache_error_log)s +enabled = <%= 'apache-shellshock' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-shellshock', 'http,https') %> +logpath = %(apache_error_log)s maxretry = 1 [openhab-auth] -enabled = <%= "openhab-auth" in $fail2ban::jails %> +enabled = <%= 'openhab-auth' in $fail2ban::jails %> filter = openhab -banaction = %(banaction_allports)s +action = iptables-allports[name=NoAuthFailures] logpath = /opt/openhab/logs/request.log [nginx-http-auth] -enabled = <%= "nginx-http-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-http-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-http-auth', 'http,https') %> logpath = %(nginx_error_log)s -# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` +# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` # and define `limit_req` and `limit_req_zone` as described in nginx documentation # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html # or for example see in 'config/filter.d/nginx-limit-req.conf' [nginx-limit-req] -enabled = <%= "nginx-limit-req" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-limit-req' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-limit-req', 'http,https') %> logpath = %(nginx_error_log)s [nginx-botsearch] -enabled = <%= "nginx-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-botsearch', 'http,https') %> logpath = %(nginx_error_log)s 
maxretry = 2 @@ -424,24 +421,24 @@ maxretry = 2 [php-url-fopen] -enabled = <%= "php-url-fopen" in $fail2ban::jails %> -port = http,https +enabled = <%= 'php-url-fopen' in $fail2ban::jails %> +port = <%= fail2ban::port('php-url-fopen', 'http,https') %> logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] -enabled = <%= "suhosin" in $fail2ban::jails %> -port = http,https +enabled = <%= 'suhosin' in $fail2ban::jails %> +port = <%= fail2ban::port('suhosin', 'http,https') %> logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications -enabled = <%= "lighttpd-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'lighttpd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('lighttpd-auth', 'http,https') %> logpath = %(lighttpd_error_log)s @@ -451,8 +448,8 @@ logpath = %(lighttpd_error_log)s [roundcube-auth] -enabled = <%= "roundcube-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'roundcube-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('roundcube-auth', 'http,https') %> logpath = %(roundcube_errors_log)s # Use following line in your jail.local if roundcube logs to journal. #backend = %(syslog_backend)s @@ -460,22 +457,22 @@ logpath = %(roundcube_errors_log)s [openwebmail] -enabled = <%= "openwebmail" in $fail2ban::jails %> -port = http,https +enabled = <%= 'openwebmail' in $fail2ban::jails %> +port = <%= fail2ban::port('openwebmail', 'http,https') %> logpath = /var/log/openwebmail.log [horde] -enabled = <%= "horde" in $fail2ban::jails %> -port = http,https +enabled = <%= 'horde' in $fail2ban::jails %> +port = <%= fail2ban::port('horde', 'http,https') %> logpath = /var/log/horde/horde.log [groupoffice] -enabled = <%= "groupoffice" in $fail2ban::jails %> -port = http,https +enabled = <%= 'groupoffice' in $fail2ban::jails %> +port = <%= fail2ban::port('groupoffice', 'http,https') %> logpath = /home/groupoffice/log/info.log 
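Review bot: In `[openhab-auth]` the line `banaction = %(banaction_allports)s` is replaced by `action = iptables-allports[name=NoAuthFailures]`, which hardcodes iptables and bypasses whatever `banaction`/`action` the module renders into `[DEFAULT]` (for example a firewalld or nftables backend), so this one jail would silently diverge from the rest of the host's ban configuration. The change is unrelated to port overrides; keep `banaction = %(banaction_allports)s`. This hunk starts on the previous physical line.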
@@ -483,16 +480,16 @@ logpath = /home/groupoffice/log/info.log # Monitor SOGo groupware server # without proxy this would be: # port = 20000 -enabled = <%= "sogo-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'sogo-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sogo-auth', 'http,https') %> logpath = /var/log/sogo/sogo.log [tine20] -enabled = <%= "tine20" in $fail2ban::jails %> +enabled = <%= 'tine20' in $fail2ban::jails %> logpath = /var/log/tine20/tine20.log -port = http,https +port = <%= fail2ban::port('tine20', 'http,https') %> # @@ -502,38 +499,36 @@ port = http,https [drupal-auth] -enabled = <%= "drupal-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'drupal-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('drupal-auth', 'http,https') %> logpath = %(syslog_daemon)s backend = %(syslog_backend)s [guacamole] -enabled = <%= "guacamole" in $fail2ban::jails %> -port = http,https +enabled = <%= 'guacamole' in $fail2ban::jails %> +port = <%= fail2ban::port('guacamole', 'http,https') %> logpath = /var/log/tomcat*/catalina.out -#logpath = /var/log/guacamole.log [monit] #Ban clients brute-forcing the monit gui login -enabled = <%= "monit" in $fail2ban::jails %> -port = 2812 +enabled = <%= 'monit' in $fail2ban::jails %> +port = <%= fail2ban::port('monit', 2812) %> logpath = /var/log/monit - /var/log/monit.log [webmin-auth] -enabled = <%= "webmin-auth" in $fail2ban::jails %> -port = 10000 +enabled = <%= 'webmin-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('webmin-auth', 10000) %> logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [froxlor-auth] -enabled = <%= "froxlor-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'froxlor-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('froxlor-auth', 'http,https') %> logpath = %(syslog_authpriv)s backend = %(syslog_backend)s 
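Review bot: In `[monit]` the continuation line `/var/log/monit.log` is removed from `logpath`, leaving only `/var/log/monit`; on hosts where monit writes to `/var/log/monit.log` the jail would then reference no existing file, and fail2ban typically refuses to start a jail none of whose logpath entries exist. This removal, and the dropped `#logpath = /var/log/guacamole.log` comment in `[guacamole]`, are unrelated to port overrides; restore `logpath = /var/log/monit` followed by the indented continuation line ` /var/log/monit.log`.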
@@ -545,15 +540,15 @@ backend = %(syslog_backend)s [squid] -enabled = <%= "squid" in $fail2ban::jails %> -port = 80,443,3128,8080 +enabled = <%= 'squid' in $fail2ban::jails %> +port = <%= fail2ban::port('squid', '80,443,3128,8080') %> logpath = /var/log/squid/access.log [3proxy] -enabled = <%= "3proxy" in $fail2ban::jails %> -port = 3128 +enabled = <%= '3proxy' in $fail2ban::jails %> +port = <%= fail2ban::port('3proxy', 3128) %> logpath = /var/log/3proxy.log 
@@ -564,44 +559,44 @@ logpath = /var/log/3proxy.log [proftpd] -enabled = <%= "proftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'proftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('proftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(proftpd_log)s backend = %(proftpd_backend)s [pure-ftpd] -enabled = <%= "pure-ftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'pure-ftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('pure-ftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(pureftpd_log)s backend = %(pureftpd_backend)s [gssftpd] -enabled = <%= "gssftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'gssftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('gssftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(syslog_daemon)s backend = %(syslog_backend)s [wuftpd] -enabled = <%= "wuftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'wuftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('wuftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(wuftpd_log)s backend = %(wuftpd_backend)s [vsftpd] -enabled = <%= "vsftpd" in $fail2ban::jails %> +enabled = <%= 'vsftpd' in $fail2ban::jails %> # or overwrite it in jails.local to be # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats -port = ftp,ftp-data,ftps,ftps-data +port = <%= fail2ban::port('vsftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(vsftpd_log)s 
@@ -612,15 +607,15 @@ logpath = %(vsftpd_log)s # ASSP SMTP Proxy Jail [assp] -enabled = <%= "assp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'assp' in $fail2ban::jails %> +port = <%= fail2ban::port('assp', 'smtp,465,submission') %> logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] -enabled = <%= "courier-smtp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'courier-smtp' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-smtp', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s @@ -628,17 +623,16 @@ backend = %(syslog_backend)s [postfix] # To use another modes set filter parameter "mode" in jail.local: mode = more -enabled = <%= "postfix" in $fail2ban::jails %> -port = smtp,465,submission -logpath = %(postfix_log)s -backend = %(postfix_backend)s +enabled = <%= 'postfix' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix', 'smtp,465,submission') %> +logpath = %(postfix_log)s +backend = %(postfix_backend)s [postfix-rbl] -enabled = <%= "postfix-rbl" in $fail2ban::jails %> -filter = postfix[mode=rbl] -port = smtp,465,submission +enabled = <%= 'postfix-rbl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-rbl', 'smtp,465,submission') %> logpath = %(postfix_log)s backend = %(postfix_backend)s maxretry = 1 @@ -646,8 +640,8 @@ maxretry = 1 [sendmail-auth] -enabled = <%= "sendmail-auth" in $fail2ban::jails %> -port = submission,465,smtp +enabled = <%= 'sendmail-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-auth', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s 
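Review bot: `filter = postfix[mode=rbl]` is removed from `[postfix-rbl]` with nothing in its place, so fail2ban falls back to a filter named after the section (`postfix-rbl`); unless the target release still ships `filter.d/postfix-rbl.conf`, the jail will fail to load instead of banning. Only the port line needed to change here, so keep `filter = postfix[mode=rbl]` in the new block. The same line is dropped in the Debian 12 hunk `@@ -636,17 +633,16 @@`, and the `[postfix-sasl]` hunks (`@@ -725,51 +719,50 @@` and `@@ -733,51 +729,50 @@`) drop `filter = postfix[mode=auth]` in the same way.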
@@ -657,17 +651,17 @@ backend = %(syslog_backend)s # normal (default), extra or aggressive # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details. #mode = normal -enabled = <%= "sendmail-reject" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sendmail-reject' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-reject', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [qmail-rbl] -enabled = <%= "qmail-rbl" in $fail2ban::jails %> +enabled = <%= 'qmail-rbl' in $fail2ban::jails %> filter = qmail -port = smtp,465,submission +port = <%= fail2ban::port('qmail-rbl', 'smtp,465,submission') %> logpath = /service/qmail/log/main/current 
@@ -675,46 +669,46 @@ logpath = /service/qmail/log/main/current # but can be set by syslog_facility in the dovecot configuration. [dovecot] -enabled = <%= "dovecot" in $fail2ban::jails %> -port = pop3,pop3s,imap,imaps,submission,465,sieve +enabled = <%= 'dovecot' in $fail2ban::jails %> +port = <%= fail2ban::port('dovecot', 'pop3,pop3s,imap,imaps,submission,465,sieve') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [sieve] -enabled = <%= "sieve" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sieve' in $fail2ban::jails %> +port = <%= fail2ban::port('sieve', 'smtp,465,submission') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [solid-pop3d] -enabled = <%= "solid-pop3d" in $fail2ban::jails %> -port = pop3,pop3s +enabled = <%= 'solid-pop3d' in $fail2ban::jails %> +port = <%= fail2ban::port('solid-pop3d', 'pop3,pop3s') %> logpath = %(solidpop3d_log)s [exim] # see filter.d/exim.conf for further modes supported from filter: #mode = normal -enabled = <%= "exim" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim' in $fail2ban::jails %> +port = <%= fail2ban::port('exim', 'smtp,465,submission') %> logpath = %(exim_main_log)s [exim-spam] -enabled = <%= "exim-spam" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim-spam' in $fail2ban::jails %> +port = <%= fail2ban::port('exim-spam', 'smtp,465,submission') %> logpath = %(exim_main_log)s [kerio] -enabled = <%= "kerio" in $fail2ban::jails %> -port = imap,smtp,imaps,465 +enabled = <%= 'kerio' in $fail2ban::jails %> +port = <%= fail2ban::port('kerio', 'imap,smtp,imaps,465') %> logpath = /opt/kerio/mailserver/store/logs/security.log 
@@ -725,51 +719,50 @@ logpath = /opt/kerio/mailserver/store/logs/security.log [courier-auth] -enabled = <%= "courier-auth" in $fail2ban::jails %> -port = smtp,465,submission,imap,imaps,pop3,pop3s -logpath = %(syslog_mail)s -backend = %(syslog_backend)s +enabled = <%= 'courier-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-auth', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> +logpath = %(syslog_mail)s +backend = %(syslog_backend)s [postfix-sasl] -filter = postfix[mode=auth] -enabled = <%= "postfix-sasl" in $fail2ban::jails %> -port = smtp,465,submission,imap,imaps,pop3,pop3s +enabled = <%= 'postfix-sasl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-sasl', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. -logpath = %(postfix_log)s -backend = %(postfix_backend)s +logpath = %(postfix_log)s +backend = %(postfix_backend)s [perdition] -enabled = <%= "perdition" in $fail2ban::jails %> -port = imap,imaps,pop3,pop3s +enabled = <%= 'perdition' in $fail2ban::jails %> +port = <%= fail2ban::port('perdition', 'imap,imaps,pop3,pop3s') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [squirrelmail] -enabled = <%= "squirrelmail" in $fail2ban::jails %> -port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks +enabled = <%= 'squirrelmail' in $fail2ban::jails %> +port = <%= fail2ban::port('squirrelmail', 'smtp,465,submission,imap2,imap,imaps,pop3,pop3s,http,https,socks') %> logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] -enabled = <%= "cyrus-imap" in $fail2ban::jails %> -port = imap,imaps +enabled = <%= 'cyrus-imap' in $fail2ban::jails %> +port = <%= fail2ban::port('cyrus-imap', 'imap3,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [uwimap-auth] -enabled = <%= "uwimap-auth" in $fail2ban::jails %> 
-port = imap,imaps +enabled = <%= 'uwimap-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('uwimap-auth', 'imap,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s @@ -802,15 +795,15 @@ backend = %(syslog_backend)s [named-refused] -enabled = <%= "named-refused" in $fail2ban::jails %> -port = domain,953 -logpath = /var/log/named/security.log +enabled = <%= 'named-refused' in $fail2ban::jails %> +port = <%= fail2ban::port('named-refused', 'domain,953') %> +logpath = /var/log/named/security.log [nsd] -enabled = <%= "nsd" in $fail2ban::jails %> -port = 53 +enabled = <%= 'nsd' in $fail2ban::jails %> +port = <%= fail2ban::port('nsd', 53) %> action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] logpath = /var/log/nsd.log @@ -822,8 +815,8 @@ logpath = /var/log/nsd.log [asterisk] -enabled = <%= "asterisk" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'asterisk' in $fail2ban::jails %> +port = <%= fail2ban::port('asterisk', '5060,5061') %> action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] logpath = /var/log/asterisk/messages @@ -832,8 +825,8 @@ maxretry = 10 [freeswitch] -enabled = <%= "freeswitch" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'freeswitch' in $fail2ban::jails %> +port = <%= fail2ban::port('freeswitch', '5060,5061') %> action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] logpath = /var/log/freeswitch.log @@ -861,8 +854,8 @@ logpath = /var/lib/znc/moddata/adminlog/znc.log # log-error=/var/log/mysqld.log [mysqld-auth] -enabled = <%= "mysqld-auth" in $fail2ban::jails %> -port = 3306 +enabled = <%= 'mysqld-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mysqld-auth', 3306) %> logpath = %(mysql_log)s backend = %(mysql_backend)s 
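Review bot: The `[cyrus-imap]` default changes from `imap,imaps` to `imap3,imaps`, which is a behavioural change hidden inside the `fail2ban::port` refactor: `imap3` resolves to 220/tcp in /etc/services, not 143, so a ban on this jail would no longer cover the port Cyrus actually serves IMAP on. The override default should stay as it was, `port = <%= fail2ban::port('cyrus-imap', 'imap,imaps') %>`. The Debian 12 hunk `@@ -733,51 +729,50 @@` makes the same change; the `[squirrelmail]` line in both hunks only reorders `imap2,imap` and is harmless.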
@@ -870,8 +863,8 @@ backend = %(mysql_backend)s # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') [mongodb-auth] # change port when running with "--shardsvr" or "--configsvr" runtime operation -enabled = <%= "mongodb-auth" in $fail2ban::jails %> -port = 27017 +enabled = <%= 'mongodb-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mongodb-auth', 27017) %> logpath = /var/log/mongodb/mongodb.log @@ -921,8 +914,8 @@ logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] -enabled = <%= "ejabberd-auth" in $fail2ban::jails %> -port = 5222 +enabled = <%= 'ejabberd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('ejabberd-auth', 5222) %> logpath = /var/log/ejabberd/ejabberd.log @@ -930,6 +923,7 @@ logpath = /var/log/ejabberd/ejabberd.log enabled = <%= "counter-strike" in $fail2ban::jails %> logpath = /opt/cstrike/logs/L[0-9]*.log +# Firewall: http://www.cstrike-planet.com/faq/6 tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 action_ = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"] @@ -1054,9 +1048,3 @@ enabled = <%= "zoneminder" in $fail2ban::jails %> port = http,https logpath = %(apache_error_log)s -[traefik-auth] -enabled = <%= "traefik-auth" in $fail2ban::jails %> -# to use 'traefik-auth' filter you have to configure your Traefik instance, -# see `filter.d/traefik-auth.conf` for details and service example. -port = http,https -logpath = /var/log/traefik/access.log diff --git a/templates/Debian/12/etc/fail2ban/jail.conf.epp b/templates/Debian/12/etc/fail2ban/jail.conf.epp index 5acfeb7f..5a76d535 100644 --- a/templates/Debian/12/etc/fail2ban/jail.conf.epp +++ b/templates/Debian/12/etc/fail2ban/jail.conf.epp 
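Review bot: The `[counter-strike]` hunk leaves `enabled = <%= "counter-strike" in $fail2ban::jails %>` double-quoted and `tcpport`/`udpport` hard-coded, while the Debian 12 template in this same commit converts them to `fail2ban::port('counter-strike_tcp', …)` / `fail2ban::port('counter-strike_udp', …)`; the two templates should expose the same override keys, otherwise a port override that works on one release is silently ignored on the other. The `[zoneminder]` context line `port = http,https` in the following hunk is likewise left without a `fail2ban::port` call. If these are deliberately out of scope, a short note in the commit message would help.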
@@ -46,19 +46,19 @@ before = paths-debian.conf # MISCELLANEOUS OPTIONS # -# "bantime.increment" allows to use database for searching of previously banned ip's to increase a +# "bantime.increment" allows to use database for searching of previously banned ip's to increase a # default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32... #bantime.increment = true -# "bantime.rndtime" is the max number of seconds using for mixing with random time +# "bantime.rndtime" is the max number of seconds using for mixing with random time # to prevent "clever" botnets calculate exact time IP can be unbanned again: -#bantime.rndtime = +#bantime.rndtime = # "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further) -#bantime.maxtime = +#bantime.maxtime = # "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier, -# default value of factor is 1 and with default value of formula, the ban time +# default value of factor is 1 and with default value of formula, the ban time # grows by 1, 2, 4, 8, 16 ... #bantime.factor = 1 
@@ -69,17 +69,17 @@ before = paths-debian.conf # more aggressive example of formula has the same values only for factor "2.0 / 2.885385" : #bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor) -# "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding +# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding # previously ban count and given "bantime.factor" (for multipliers default is 1); -# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, +# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, # always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours #bantime.multipliers = 1 2 4 8 16 32 64 # following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin, # for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day #bantime.multipliers = 1 5 30 60 300 720 1440 2880 -# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed -# cross over all jails, if false (default), only current jail of the ban IP will be searched +# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed +# cross over all jails, if false (dafault), only current jail of the ban IP will be searched #bantime.overalljails = false # -------------------- 
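Review bot: The new comment text re-introduces two spelling errors, `coresponding` and `dafault`, in place of the corrected `corresponding` and `default`, and re-adds trailing whitespace on the `bantime.multipliers` lines. If the intent is to resync this header verbatim with the distribution's jail.conf, say so in the commit message; otherwise keep the corrected spellings and drop the trailing spaces.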
@@ -284,28 +284,28 @@ action = %(<%= $fail2ban::action %>)s [sshd] -enabled = <%= "ssh" in $fail2ban::jails %> +enabled = <%= 'ssh' in $fail2ban::jails %> # To use more aggressive sshd modes set filter parameter "mode" in jail.local: # normal (default), ddos, extra or aggressive (combines all). # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. #mode = normal -port = ssh +port = <%= fail2ban::port('ssh', 'ssh') %> logpath = %(sshd_log)s backend = %(sshd_backend)s [dropbear] -enabled = <%= "dropbear" in $fail2ban::jails %> -port = ssh +enabled = <%= 'dropbear' in $fail2ban::jails %> +port = <%= fail2ban::port('dropbear', 'ssh') %> logpath = %(dropbear_log)s backend = %(dropbear_backend)s [selinux-ssh] -enabled = <%= "selinux-ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'selinux-ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('selinux-ssh', 'ssh') %> logpath = %(auditd_log)s @@ -315,16 +315,16 @@ logpath = %(auditd_log)s [apache-auth] -enabled = <%= "apache-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-auth', 'http,https') %> logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. -enabled = <%= "apache-badbots" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-badbots' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-badbots', 'http,https') %> logpath = %(apache_access_log)s bantime = 48h maxretry = 1 
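Review bot: The override key for the `[sshd]` jail is `'ssh'` rather than the section name, mirroring the existing `enabled` check, while every other jail converted here uses its section name as the key. Since this key is what an operator has to use to change the ssh port (the stated purpose of the commit), the asymmetry should be documented in the template; a one-line comment above the port line would do: `# override key is 'ssh' (same key as in $fail2ban::jails), not 'sshd'`. Presumably `fail2ban::port` looks the key up in a module parameter not visible in this hunk, so the same note belongs in that parameter's documentation.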
@@ -332,39 +332,39 @@ maxretry = 1 [apache-noscript] -enabled = <%= "apache-noscript" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-noscript' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-noscript', 'http,https') %> logpath = %(apache_error_log)s [apache-overflows] -enabled = <%= "apache-overflows" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-overflows' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-overflows', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] -enabled = <%= "apache-nohome" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-nohome' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-nohome', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] -enabled = <%= "apache-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-botsearch', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] -enabled = <%= "apache-fakegooglebot" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-fakegooglebot' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-fakegooglebot', 'http,https') %> logpath = %(apache_access_log)s maxretry = 1 ignorecommand = %(fail2ban_confpath)s/filter.d/ignorecommands/apache-fakegooglebot 
@@ -372,58 +372,57 @@ ignorecommand = %(fail2ban_confpath)s/filter.d/ignorecommands/apache-fakegoogleb [apache-modsecurity] -enabled = <%= "apache-modsecurity" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-modsecurity' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-modsecurity', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] -enabled = <%= "apache-shellshock" in $fail2ban::jails %> -port = http,https -logpath = %(apache_error_log)s +enabled = <%= 'apache-shellshock' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-shellshock', 'http,https') %> +logpath = %(apache_error_log)s maxretry = 1 [openhab-auth] -enabled = <%= "openhab-auth" in $fail2ban::jails %> +enabled = <%= 'openhab-auth' in $fail2ban::jails %> filter = openhab banaction = %(banaction_allports)s logpath = /opt/openhab/logs/request.log - # To use more aggressive http-auth modes set filter parameter "mode" in jail.local: # normal (default), aggressive (combines all), auth or fallback # See "tests/files/logs/nginx-http-auth" or "filter.d/nginx-http-auth.conf" for usage example and details. 
[nginx-http-auth] -enabled = <%= "nginx-http-auth" in $fail2ban::jails %> +enabled = <%= 'nginx-http-auth' in $fail2ban::jails %> # mode = normal -port = http,https +port = <%= fail2ban::port('nginx-http-auth', 'http,https') %> logpath = %(nginx_error_log)s -# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` +# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` # and define `limit_req` and `limit_req_zone` as described in nginx documentation # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html # or for example see in 'config/filter.d/nginx-limit-req.conf' [nginx-limit-req] -enabled = <%= "nginx-limit-req" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-limit-req' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-limit-req', 'http,https') %> logpath = %(nginx_error_log)s [nginx-botsearch] -enabled = <%= "nginx-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-botsearch', 'http,https') %> logpath = %(nginx_error_log)s [nginx-bad-request] -enabled = <%= "nginx-bad-request" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-bad-request' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-bad-request', 'http,https') %> logpath = %(nginx_access_log)s # Ban attackers that try to use PHP's URL-fopen() functionality 
@@ -432,24 +431,24 @@ logpath = %(nginx_access_log)s [php-url-fopen] -enabled = <%= "php-url-fopen" in $fail2ban::jails %> -port = http,https +enabled = <%= 'php-url-fopen' in $fail2ban::jails %> +port = <%= fail2ban::port('php-url-fopen', 'http,https') %> logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] -enabled = <%= "suhosin" in $fail2ban::jails %> -port = http,https +enabled = <%= 'suhosin' in $fail2ban::jails %> +port = <%= fail2ban::port('suhosin', 'http,https') %> logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications -enabled = <%= "lighttpd-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'lighttpd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('lighttpd-auth', 'http,https') %> logpath = %(lighttpd_error_log)s @@ -459,8 +458,8 @@ logpath = %(lighttpd_error_log)s [roundcube-auth] -enabled = <%= "roundcube-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'roundcube-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('roundcube-auth', 'http,https') %> logpath = %(roundcube_errors_log)s # Use following line in your jail.local if roundcube logs to journal. #backend = %(syslog_backend)s @@ -468,22 +467,22 @@ logpath = %(roundcube_errors_log)s [openwebmail] -enabled = <%= "openwebmail" in $fail2ban::jails %> -port = http,https +enabled = <%= 'openwebmail' in $fail2ban::jails %> +port = <%= fail2ban::port('openwebmail', 'http,https') %> logpath = /var/log/openwebmail.log [horde] -enabled = <%= "horde" in $fail2ban::jails %> -port = http,https +enabled = <%= 'horde' in $fail2ban::jails %> +port = <%= fail2ban::port('horde', 'http,https') %> logpath = /var/log/horde/horde.log [groupoffice] -enabled = <%= "groupoffice" in $fail2ban::jails %> -port = http,https +enabled = <%= 'groupoffice' in $fail2ban::jails %> +port = <%= fail2ban::port('groupoffice', 'http,https') %> logpath = /home/groupoffice/log/info.log 
@@ -491,16 +490,16 @@ logpath = /home/groupoffice/log/info.log # Monitor SOGo groupware server # without proxy this would be: # port = 20000 -enabled = <%= "sogo-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'sogo-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sogo-auth', 'http,https') %> logpath = /var/log/sogo/sogo.log [tine20] -enabled = <%= "tine20" in $fail2ban::jails %> +enabled = <%= 'tine20' in $fail2ban::jails %> logpath = /var/log/tine20/tine20.log -port = http,https +port = <%= fail2ban::port('tine20', 'http,https') %> # @@ -510,38 +509,36 @@ port = http,https [drupal-auth] -enabled = <%= "drupal-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'drupal-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('drupal-auth', 'http,https') %> logpath = %(syslog_daemon)s backend = %(syslog_backend)s [guacamole] -enabled = <%= "guacamole" in $fail2ban::jails %> -port = http,https +enabled = <%= 'guacamole' in $fail2ban::jails %> +port = <%= fail2ban::port('guacamole', 'http,https') %> logpath = /var/log/tomcat*/catalina.out -#logpath = /var/log/guacamole.log [monit] #Ban clients brute-forcing the monit gui login -enabled = <%= "monit" in $fail2ban::jails %> -port = 2812 +enabled = <%= 'monit' in $fail2ban::jails %> +port = <%= fail2ban::port('monit', 2812) %> logpath = /var/log/monit - /var/log/monit.log [webmin-auth] -enabled = <%= "webmin-auth" in $fail2ban::jails %> -port = 10000 +enabled = <%= 'webmin-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('webmin-auth', 10000) %> logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [froxlor-auth] -enabled = <%= "froxlor-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'froxlor-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('froxlor-auth', 'http,https') %> logpath = %(syslog_authpriv)s backend = %(syslog_backend)s 
@@ -553,15 +550,15 @@ backend = %(syslog_backend)s [squid] -enabled = <%= "squid" in $fail2ban::jails %> -port = 80,443,3128,8080 +enabled = <%= 'squid' in $fail2ban::jails %> +port = <%= fail2ban::port('squid', '80,443,3128,8080') %> logpath = /var/log/squid/access.log [3proxy] -enabled = <%= "3proxy" in $fail2ban::jails %> -port = 3128 +enabled = <%= '3proxy' in $fail2ban::jails %> +port = <%= fail2ban::port('3proxy', 3128) %> logpath = /var/log/3proxy.log 
@@ -572,44 +569,44 @@ logpath = /var/log/3proxy.log [proftpd] -enabled = <%= "proftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'proftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('proftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(proftpd_log)s backend = %(proftpd_backend)s [pure-ftpd] -enabled = <%= "pure-ftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'pure-ftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('pure-ftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(pureftpd_log)s backend = %(pureftpd_backend)s [gssftpd] -enabled = <%= "gssftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'gssftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('gssftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(syslog_daemon)s backend = %(syslog_backend)s [wuftpd] -enabled = <%= "wuftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'wuftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('wuftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(wuftpd_log)s backend = %(wuftpd_backend)s [vsftpd] -enabled = <%= "vsftpd" in $fail2ban::jails %> +enabled = <%= 'vsftpd' in $fail2ban::jails %> # or overwrite it in jails.local to be # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats -port = ftp,ftp-data,ftps,ftps-data +port = <%= fail2ban::port('vsftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(vsftpd_log)s 
@@ -620,15 +617,15 @@ logpath = %(vsftpd_log)s # ASSP SMTP Proxy Jail [assp] -enabled = <%= "assp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'assp' in $fail2ban::jails %> +port = <%= fail2ban::port('assp', 'smtp,465,submission') %> logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] -enabled = <%= "courier-smtp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'courier-smtp' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-smtp', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s @@ -636,17 +633,16 @@ backend = %(syslog_backend)s [postfix] # To use another modes set filter parameter "mode" in jail.local: mode = more -enabled = <%= "postfix" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'postfix' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix', 'smtp,465,submission') %> logpath = %(postfix_log)s backend = %(postfix_backend)s [postfix-rbl] -enabled = <%= "postfix-rbl" in $fail2ban::jails %> -filter = postfix[mode=rbl] -port = smtp,465,submission +enabled = <%= 'postfix-rbl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-rbl', 'smtp,465,submission') %> logpath = %(postfix_log)s backend = %(postfix_backend)s maxretry = 1 @@ -654,8 +650,8 @@ maxretry = 1 [sendmail-auth] -enabled = <%= "sendmail-auth" in $fail2ban::jails %> -port = submission,465,smtp +enabled = <%= 'sendmail-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-auth', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s 
@@ -665,17 +661,17 @@ backend = %(syslog_backend)s # normal (default), extra or aggressive # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details. #mode = normal -enabled = <%= "sendmail-reject" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sendmail-reject' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-reject', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [qmail-rbl] -enabled = <%= "qmail-rbl" in $fail2ban::jails %> +enabled = <%= 'qmail-rbl' in $fail2ban::jails %> filter = qmail -port = smtp,465,submission +port = <%= fail2ban::port('qmail-rbl', 'smtp,465,submission') %> logpath = /service/qmail/log/main/current 
@@ -683,46 +679,46 @@ logpath = /service/qmail/log/main/current # but can be set by syslog_facility in the dovecot configuration. [dovecot] -enabled = <%= "dovecot" in $fail2ban::jails %> -port = pop3,pop3s,imap,imaps,submission,465,sieve +enabled = <%= 'dovecot' in $fail2ban::jails %> +port = <%= fail2ban::port('dovecot', 'pop3,pop3s,imap,imaps,submission,465,sieve') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [sieve] -enabled = <%= "sieve" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sieve' in $fail2ban::jails %> +port = <%= fail2ban::port('sieve', 'smtp,465,submission') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [solid-pop3d] -enabled = <%= "solid-pop3d" in $fail2ban::jails %> -port = pop3,pop3s +enabled = <%= 'solid-pop3d' in $fail2ban::jails %> +port = <%= fail2ban::port('solid-pop3d', 'pop3,pop3s') %> logpath = %(solidpop3d_log)s [exim] # see filter.d/exim.conf for further modes supported from filter: #mode = normal -enabled = <%= "exim" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim' in $fail2ban::jails %> +port = <%= fail2ban::port('exim', 'smtp,465,submission') %> logpath = %(exim_main_log)s [exim-spam] -enabled = <%= "exim-spam" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim-spam' in $fail2ban::jails %> +port = <%= fail2ban::port('exim-spam', 'smtp,465,submission') %> logpath = %(exim_main_log)s [kerio] -enabled = <%= "kerio" in $fail2ban::jails %> -port = imap,smtp,imaps,465 +enabled = <%= 'kerio' in $fail2ban::jails %> +port = <%= fail2ban::port('kerio', 'imap,smtp,imaps,465') %> logpath = /opt/kerio/mailserver/store/logs/security.log 
@@ -733,51 +729,50 @@ logpath = /opt/kerio/mailserver/store/logs/security.log [courier-auth] -enabled = <%= "courier-auth" in $fail2ban::jails %> -port = smtp,465,submission,imap,imaps,pop3,pop3s -logpath = %(syslog_mail)s -backend = %(syslog_backend)s +enabled = <%= 'courier-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-auth', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> +logpath = %(syslog_mail)s +backend = %(syslog_backend)s [postfix-sasl] -filter = postfix[mode=auth] -enabled = <%= "postfix-sasl" in $fail2ban::jails %> -port = smtp,465,submission,imap,imaps,pop3,pop3s +enabled = <%= 'postfix-sasl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-sasl', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. -logpath = %(postfix_log)s -backend = %(postfix_backend)s +logpath = %(postfix_log)s +backend = %(postfix_backend)s [perdition] -enabled = <%= "perdition" in $fail2ban::jails %> -port = imap,imaps,pop3,pop3s +enabled = <%= 'perdition' in $fail2ban::jails %> +port = <%= fail2ban::port('perdition', 'imap,imaps,pop3,pop3s') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [squirrelmail] -enabled = <%= "squirrelmail" in $fail2ban::jails %> -port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks +enabled = <%= 'squirrelmail' in $fail2ban::jails %> +port = <%= fail2ban::port('squirrelmail', 'smtp,465,submission,imap2,imap,imaps,pop3,pop3s,http,https,socks') %> logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] -enabled = <%= "cyrus-imap" in $fail2ban::jails %> -port = imap,imaps +enabled = <%= 'cyrus-imap' in $fail2ban::jails %> +port = <%= fail2ban::port('cyrus-imap', 'imap3,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [uwimap-auth] -enabled = <%= "uwimap-auth" in $fail2ban::jails %> 
-port = imap,imaps +enabled = <%= 'uwimap-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('uwimap-auth', 'imap,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s @@ -810,14 +805,15 @@ backend = %(syslog_backend)s [named-refused] -enabled = <%= "named-refused" in $fail2ban::jails %> -port = domain,953 -logpath = /var/log/named/security.log +enabled = <%= 'named-refused' in $fail2ban::jails %> +port = <%= fail2ban::port('named-refused', 'domain,953') %> +logpath = /var/log/named/security.log [nsd] -port = 53 +enabled = <%= 'nsd' in $fail2ban::jails %> +port = <%= fail2ban::port('nsd', 53) %> action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] logpath = /var/log/nsd.log @@ -829,8 +825,8 @@ logpath = /var/log/nsd.log [asterisk] -enabled = <%= "asterisk" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'asterisk' in $fail2ban::jails %> +port = <%= fail2ban::port('asterisk', '5060,5061') %> action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] logpath = /var/log/asterisk/messages @@ -839,8 +835,8 @@ maxretry = 10 [freeswitch] -enabled = <%= "freeswitch" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'freeswitch' in $fail2ban::jails %> +port = <%= fail2ban::port('freeswitch', '5060,5061') %> action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] logpath = /var/log/freeswitch.log 
@@ -868,26 +864,24 @@ logpath = /var/lib/znc/moddata/adminlog/znc.log # log-error=/var/log/mysqld.log [mysqld-auth] -enabled = <%= "mysqld-auth" in $fail2ban::jails %> -port = 3306 +enabled = <%= 'mysqld-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mysqld-auth', 3306) %> logpath = %(mysql_log)s backend = %(mysql_backend)s - [mssql-auth] # Default configuration for Microsoft SQL Server for Linux # See the 'mssql-conf' manpage how to change logpath or port -enabled = <%= "mssql-auth" in $fail2ban::jails %> +enabled = <%= 'mssql-auth' in $fail2ban::jails %> logpath = /var/opt/mssql/log/errorlog -port = 1433 +port = <%= fail2ban::port('mssql-auth', 1433) %> filter = mssql-auth - # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') [mongodb-auth] # change port when running with "--shardsvr" or "--configsvr" runtime operation -enabled = <%= "mongodb-auth" in $fail2ban::jails %> -port = 27017 +enabled = <%= 'mongodb-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mongodb-auth', 27017) %> logpath = /var/log/mongodb/mongodb.log @@ -912,11 +906,11 @@ findtime = 1d [pam-generic] -enabled = <%= "pam-generic" in $fail2ban::jails %> +enabled = <%= "pam-generic" in $fail2ban::jails %> # pam-generic filter can be customized to monitor specific subset of 'tty's banaction = %(banaction_allports)s -logpath = %(syslog_authpriv)s -backend = %(syslog_backend)s +logpath = %(syslog_authpriv)s +backend = %(syslog_backend)s [xinetd-fail] 
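Review bot: `[pam-generic]` in the `@@ -912` hunk is rewritten (only trailing whitespace differs on its `enabled`, `logpath` and `backend` lines) yet keeps the `"pam-generic"` double-quoted form, while every other jail touched by this commit switches to single quotes; `[oracleims]` and `[pass2allow-ftp]` later in the file are left the same way. Since the lines are already part of the diff, make them consistent: `enabled = <%= 'pam-generic' in $fail2ban::jails %>`. A whitespace-only rewrite that is also inconsistent in style is the worst of both: it shows up in blame without completing the change.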
@@ -931,58 +925,58 @@ maxretry = 2 # stunnel - need to set port for this [stunnel] -enabled = <%= "stunnel" in $fail2ban::jails %> +enabled = <%= 'stunnel' in $fail2ban::jails %> logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] -enabled = <%= "ejabberd-auth" in $fail2ban::jails %> -port = 5222 +enabled = <%= 'ejabberd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('ejabberd-auth', 5222) %> logpath = /var/log/ejabberd/ejabberd.log [counter-strike] - -enabled = <%= "counter-strike" in $fail2ban::jails %> +enabled = <%= 'counter-strike' in $fail2ban::jails %> logpath = /opt/cstrike/logs/L[0-9]*.log -tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 -udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 -action_ = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"] +# Firewall: http://www.cstrike-planet.com/faq/6 +tcpport = <%= fail2ban::port('counter-strike_tcp', '27030,27031,27032,27033,27034,27035,27036,27037,27038,27039') %> +udpport = <%= fail2ban::port('counter-strike_udp', '1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015') %> +action_ = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"] %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"] [softethervpn] -enabled = <%= "softethervpn" in $fail2ban::jails %> -port = 500,4500 +enabled = <%= 'softethervpn' in $fail2ban::jails %> +port = <%= fail2ban::port('softethervpn', '500,4500') %> protocol = udp logpath = /usr/local/vpnserver/security_log/*/sec.log [gitlab] -enabled = <%= "gitlab" in $fail2ban::jails %> -port = http,https +enabled = <%= 'gitlab' in $fail2ban::jails %> +port = <%= fail2ban::port('gitlab', 'http,https') %> logpath = /var/log/gitlab/gitlab-rails/application.log [grafana] -enabled = <%= "grafana" in $fail2ban::jails %> -port = http,https +enabled = <%= 'grafana' in 
$fail2ban::jails %> +port = <%= fail2ban::port('grafana', 'http,https') %> logpath = /var/log/grafana/grafana.log [bitwarden] -enabled = <%= "bitwarden" in $fail2ban::jails %> -port = http,https +enabled = <%= 'bitwarden' in $fail2ban::jails %> +port = <%= fail2ban::port('bitwarden', 'http,https') %> logpath = /home/*/bwdata/logs/identity/Identity/log.txt [centreon] -enabled = <%= "centreon" in $fail2ban::jails %> -port = http,https +enabled = <%= 'centreon' in $fail2ban::jails %> +port = <%= fail2ban::port('centreon', 'http,https') %> logpath = /var/log/centreon/login.log # consider low maxretry and a long bantime # nobody except your own Nagios server should ever probe nrpe [nagios] -enabled = <%= "nagios" in $fail2ban::jails %> +enabled = <%= 'nagios' in $fail2ban::jails %> logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility backend = %(syslog_backend)s maxretry = 1 @@ -990,15 +984,15 @@ maxretry = 1 [oracleims] # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above -enabled = <%= "oracleims" in $fail2ban::jails %> -logpath = /opt/sun/comms/messaging64/log/mail.log_current +enabled = <%= "oracleims" in $fail2ban::jails %> +logpath = /opt/sun/comms/messaging64/log/mail.log_current banaction = %(banaction_allports)s [directadmin] -enabled = <%= "directadmin" in $fail2ban::jails %> +enabled = <%= 'directadmin' in $fail2ban::jails %> logpath = /var/log/directadmin/login.log -port = 2222 +port = <%= fail2ban::port('directadmin', 2222) %> [portsentry] @@ -1008,7 +1002,7 @@ maxretry = 1 [pass2allow-ftp] # this pass2allow example allows FTP traffic after successful HTTP authentication -enabled = <%= "pass2allow-ftp" in $fail2ban::jails %> +enabled = <%= "pass2allow-ftp" in $fail2ban::jails %> port = ftp,ftp-data,ftps,ftps-data # knocking_url variable must be overridden to some secret value in jail.local knocking_url = /knocking/ 
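Review bot: `[counter-strike]` looks its ports up under `counter-strike_tcp` and `counter-strike_udp`, which are not jail names, so an operator following the convention the rest of the commit establishes (one key per jail, presumably `fail2ban::jails_config.<jail>.port` as the `ssh-ddos` lookup in the Debian/9 template suggests) will find that a `counter-strike` entry has no effect here. If the two-key scheme is deliberate because the jail needs separate TCP and UDP lists, document it beside the section, e.g. `# override via jails_config.counter-strike_tcp.port and counter-strike_udp.port`, and mention it in REFERENCE.md; otherwise derive both values from a single `counter-strike` key. The added `# Firewall:` URL comment is unrelated to the port change and reads as an accidental sync from upstream.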
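Review bot: `[pass2allow-ftp]` in the `@@ -1008` hunk is touched but keeps the literal context line `port = ftp,ftp-data,ftps,ftps-data`, making it the one jail with a `port` in this file that the new override mechanism cannot reach. Wrap it like the others: `port = <%= fail2ban::port('pass2allow-ftp', 'ftp,ftp-data,ftps,ftps-data') %>`. If it is intentionally excluded because this jail's port drives the pass2allow action rather than a ban, a one-line comment saying so would stop the next reader from "fixing" it.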
@@ -1044,38 +1038,38 @@ logencoding = utf-8 # logs to a syslog server which would then write them to disk. # See "haproxy-http-auth" filter for a brief cautionary note when setting # maxretry and findtime. -enabled = <%= "haproxy-http-auth" in $fail2ban::jails %> +enabled = <%= 'haproxy-http-auth' in $fail2ban::jails %> logpath = /var/log/haproxy.log [slapd] -enabled = <%= "slapd" in $fail2ban::jails %> -port = ldap,ldaps +enabled = <%= 'slapd' in $fail2ban::jails %> +port = <%= fail2ban::port('slapd', 'ldap,ldaps') %> logpath = /var/log/slapd.log [domino-smtp] -enabled = <%= "domino-smtp" in $fail2ban::jails %> -port = smtp,ssmtp +enabled = <%= 'domino-smtp' in $fail2ban::jails %> +port = <%= fail2ban::port('domino-smtp', 'smtp,ssmtp') %> logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log [phpmyadmin-syslog] -enabled = <%= "phpmyadmin-syslog" in $fail2ban::jails %> -port = http,https +enabled = <%= 'phpmyadmin-syslog' in $fail2ban::jails %> +port = <%= fail2ban::port('phpmyadmin-syslog', 'http,https') %> logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [zoneminder] -enabled = <%= "zoneminder" in $fail2ban::jails %> +enabled = <%= 'zoneminder' in $fail2ban::jails %> # Zoneminder HTTP/HTTPS web interface auth # Logs auth failures to apache2 error log -port = http,https +port = <%= fail2ban::port('zoneminder', 'http,https') %> logpath = %(apache_error_log)s [traefik-auth] -enabled = <%= "traefik-auth" in $fail2ban::jails %> +enabled = <%= 'traefik-auth' in $fail2ban::jails %> # to use 'traefik-auth' filter you have to configure your Traefik instance, # see `filter.d/traefik-auth.conf` for details and service example. -port = http,https +port = <%= fail2ban::port('traefik-auth', 'http,https') %> logpath = /var/log/traefik/access.log [scanlogd] 
@@ -1084,6 +1078,6 @@ logpath = %(syslog_local0)s banaction = %(banaction_allports)s [monitorix] -enabled = <%= "monitorix" in $fail2ban::jails %> -port = 8080 +enabled = <%= 'monitorix' in $fail2ban::jails %> +port = <%= fail2ban::port('monitorix', 8080) %> logpath = /var/log/monitorix-httpd diff --git a/templates/Debian/8/etc/fail2ban/jail.conf.epp b/templates/Debian/8/etc/fail2ban/jail.conf.epp index 6fec28ca..983ba634 100644 --- a/templates/Debian/8/etc/fail2ban/jail.conf.epp +++ b/templates/Debian/8/etc/fail2ban/jail.conf.epp @@ -136,16 +136,16 @@ action = %(<%= $fail2ban::action %>)s [ssh] -enabled = <%= "ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('ssh', 'ssh') %> filter = sshd logpath = /var/log/auth.log maxretry = 6 [dropbear] -enabled = <%= "dropbear" in $fail2ban::jails %> -port = ssh +enabled = <%= 'dropbear' in $fail2ban::jails %> +port = <%= fail2ban::port('dropbear', 'ssh') %> filter = dropbear logpath = /var/log/auth.log maxretry = 6 
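Review bot: The value returned by `fail2ban::port('ssh', 'ssh')` is rendered verbatim into `jail.conf`, and fail2ban hands a jail's port on to the ban action (the `port="%(tcpport)s"` argument in the counter-strike hunk above shows that path), so whatever `Fail2ban::Port` in `types/port.pp` admits ends up in the firewall command line. That type is not in this chunk; it should constrain overrides to what fail2ban accepts for `port` — service names, numbers, ranges and commas — rather than a bare `String`, so a typo or stray whitespace in Hiera fails at catalog compile time instead of producing a jail that does not ban. A short comment at the top of the section, `# port can be overridden via fail2ban::jails_config.ssh.port (Fail2ban::Port)`, would also make the new mechanism discoverable to anyone editing the template.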
@@ -242,33 +242,33 @@ maxretry = 6 [apache-noscript] -enabled = <%= "apache-noscript" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-noscript' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-noscript', 'http,https') %> filter = apache-noscript logpath = /var/log/apache*/*error.log maxretry = 6 [apache-overflows] -enabled = <%= "apache-overflows" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-overflows' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-overflows', 'http,https') %> filter = apache-overflows logpath = /var/log/apache*/*error.log maxretry = 2 [apache-modsecurity] -enabled = <%= "apache-modsecurity" in $fail2ban::jails %> +enabled = <%= 'apache-modsecurity' in $fail2ban::jails %> filter = apache-modsecurity -port = http,https +port = <%= fail2ban::port('apache-modsecurity', 'http,https') %> logpath = /var/log/apache*/*error.log maxretry = 2 [apache-nohome] -enabled = <%= "apache-nohome" in $fail2ban::jails %> +enabled = <%= 'apache-nohome' in $fail2ban::jails %> filter = apache-nohome -port = http,https +port = <%= fail2ban::port('apache-nohome', 'http,https') %> logpath = /var/log/apache*/*error.log maxretry = 2 @@ -278,8 +278,8 @@ maxretry = 2 [php-url-fopen] -enabled = <%= "php-url-fopen" in $fail2ban::jails %> -port = http,https +enabled = <%= 'php-url-fopen' in $fail2ban::jails %> +port = <%= fail2ban::port('php-url-fopen', 'http,https') %> filter = php-url-fopen logpath = /var/www/*/logs/access_log 
@@ -301,32 +301,32 @@ logpath = /var/log/lighttpd/error.log [lighttpd-auth] -enabled = <%= "lighttpd-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'lighttpd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('lighttpd-auth', 'http,https') %> filter = suhosin logpath = /var/log/lighttpd/error.log [nginx-http-auth] -enabled = <%= "nginx-http-auth" in $fail2ban::jails %> +enabled = <%= 'nginx-http-auth' in $fail2ban::jails %> filter = nginx-http-auth -port = http,https +port = <%= fail2ban::port('nginx-http-auth', 'http,https') %> logpath = /var/log/nginx/*error*.log # Monitor roundcube server [roundcube-auth] -enabled = <%= "roundcube-auth" in $fail2ban::jails %> +enabled = <%= 'roundcube-auth' in $fail2ban::jails %> filter = roundcube-auth -port = http,https +port = <%= fail2ban::port('roundcube-auth', 'http,https') %> logpath = /var/log/roundcube/userlogins [sogo-auth] -enabled = <%= "sogo-auth" in $fail2ban::jails %> +enabled = <%= 'sogo-auth' in $fail2ban::jails %> filter = sogo-auth -port = http, https +port = <%= fail2ban::port('sogo-auth', 'http,https') %> # without proxy this would be: # port = 20000 logpath = /var/log/sogo/sogo.log @@ -338,8 +338,8 @@ logpath = /var/log/sogo/sogo.log [vsftpd] -enabled = <%= "vsftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'vsftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('vsftpd', 'ftp,ftp-data,ftps,ftps-data') %> filter = vsftpd logpath = /var/log/vsftpd.log # or overwrite it in jails.local to be @@ -351,8 +351,8 @@ maxretry = 6 [proftpd] -enabled = <%= "proftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'proftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('proftpd', 'ftp,ftp-data,ftps,ftps-data') %> filter = proftpd logpath = /var/log/proftpd/proftpd.log maxretry = 6 
@@ -360,8 +360,8 @@ maxretry = 6 [pure-ftpd] -enabled = <%= "pure-ftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'pure-ftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('pure-ftpd', 'ftp,ftp-data,ftps,ftps-data') %> filter = pure-ftpd logpath = /var/log/syslog maxretry = 6 @@ -369,8 +369,8 @@ maxretry = 6 [wuftpd] -enabled = <%= "wuftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'wuftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('wuftpd', 'ftp,ftp-data,ftps,ftps-data') %> filter = wuftpd logpath = /var/log/syslog maxretry = 6 @@ -382,8 +382,8 @@ maxretry = 6 [postfix] -enabled = <%= "postfix" in $fail2ban::jails %> -port = smtp,ssmtp,submission +enabled = <%= 'postfix' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix', 'smtp,465,submission') %> filter = postfix logpath = /var/log/mail.log @@ -403,16 +403,16 @@ logpath = /var/log/mail.log [courierauth] -enabled = <%= "courierauth" in $fail2ban::jails %> -port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s +enabled = <%= 'courierauth' in $fail2ban::jails %> +port = <%= fail2ban::port('courierauth', 'smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s') %> filter = courierlogin logpath = /var/log/mail.log [sasl] -enabled = <%= "sasl" in $fail2ban::jails %> -port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s +enabled = <%= 'sasl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-sasl', 'smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s') %> filter = postfix-sasl # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the 
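Review bot: In the `@@ -403` hunk the `[sasl]` jail is enabled by `'sasl' in $fail2ban::jails` but its port is looked up as `fail2ban::port('postfix-sasl', ...)`, so an override placed under the jail's own name never applies, and one placed under `postfix-sasl` changes this jail although no `postfix-sasl` section exists in the Debian/8 template. Every other jail in the commit uses the section's own key on both lines; use `port = <%= fail2ban::port('sasl', 'smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s') %>` and leave `postfix-sasl` to the `filter =` line where it belongs.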
@@ -421,8 +421,8 @@ logpath = /var/log/mail.log [dovecot] -enabled = <%= "dovecot" in $fail2ban::jails %> -port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s +enabled = <%= 'dovecot' in $fail2ban::jails %> +port = <%= fail2ban::port('dovecot', 'smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s') %> filter = dovecot logpath = /var/log/mail.log @@ -473,8 +473,8 @@ logpath = /var/log/mysqld.log [named-refused-tcp] -enabled = <%= "named-refused-tcp" in $fail2ban::jails %> -port = domain,953 +enabled = <%= 'named-refused-tcp' in $fail2ban::jails %> +port = <%= fail2ban::port('named-refused-tcp', 'domain,953') %> protocol = tcp filter = named-refused logpath = /var/log/named/security.log @@ -490,9 +490,9 @@ action = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", p [ejabberd-auth] -enabled = <%= "ejabberd-auth" in $fail2ban::jails %> +enabled = <%= 'ejabberd-auth' in $fail2ban::jails %> filter = ejabberd-auth -port = xmpp-client +port = <%= fail2ban::port('ejabberd-auth', 'xmpp-client') %> protocol = tcp logpath = /var/log/ejabberd/ejabberd.log @@ -501,17 +501,17 @@ logpath = /var/log/ejabberd/ejabberd.log # see https://github.com/fail2ban/fail2ban/issues/37 [asterisk-tcp] -enabled = <%= "asterisk-tcp" in $fail2ban::jails %> +enabled = <%= 'asterisk-tcp' in $fail2ban::jails %> filter = asterisk -port = 5060,5061 +port = <%= fail2ban::port('asterisk-tcp', '5060,5061') %> protocol = tcp logpath = /var/log/asterisk/messages [asterisk-udp] -enabled = <%= "asterisk-udp" in $fail2ban::jails %> +enabled = <%= 'asterisk-udp' in $fail2ban::jails %> filter = asterisk -port = 5060,5061 +port = <%= fail2ban::port('asterisk-udp', '5060,5061') %> protocol = udp logpath = /var/log/asterisk/messages diff --git a/templates/Debian/9/etc/fail2ban/jail.conf.epp b/templates/Debian/9/etc/fail2ban/jail.conf.epp index 0e697077..d95299e9 100644 --- a/templates/Debian/9/etc/fail2ban/jail.conf.epp +++ b/templates/Debian/9/etc/fail2ban/jail.conf.epp 
@@ -191,7 +191,7 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # Report block via blocklist.de fail2ban reporting service API -# +# # See the IMPORTANT note in action.d/blocklist_de.conf for when to # use this action. Create a file jail.d/blocklist_de.local containing # [Init] @@ -229,8 +229,8 @@ action = %(<%= $fail2ban::action %>)s [sshd] -enabled = <%= "ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('ssh', 'ssh') %> logpath = %(sshd_log)s backend = %(sshd_backend)s @@ -240,23 +240,23 @@ backend = %(sshd_backend)s # The mail-whois action send a notification e-mail with a whois request # in the body. enabled = <%= "ssh-ddos" in $fail2ban::jails %> -port = ssh +port = <%= lookup('fail2ban::jails_config.ssh-ddos.port', String, undef, 'ssh') %> logpath = %(sshd_log)s backend = %(sshd_backend)s [dropbear] -enabled = <%= "dropbear" in $fail2ban::jails %> -port = ssh +enabled = <%= 'dropbear' in $fail2ban::jails %> +port = <%= fail2ban::port('dropbear', 'ssh') %> logpath = %(dropbear_log)s backend = %(dropbear_backend)s [selinux-ssh] -enabled = <%= "selinux-ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'selinux-ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('selinux-ssh', 'ssh') %> logpath = %(auditd_log)s 
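Review bot: `[ssh-ddos]` in the `@@ -240` hunk bypasses the new helper and calls `lookup('fail2ban::jails_config.ssh-ddos.port', String, undef, 'ssh')` directly. That duplicates the lookup the function presumably encapsulates, and the explicit `String` type rejects an integer override such as `2222`, which calls like `fail2ban::port('nsd', 53)` and `fail2ban::port('mysqld-auth', 3306)` elsewhere in this commit show is meant to be valid. Replace it with `port = <%= fail2ban::port('ssh-ddos', 'ssh') %>`. The `[sshd]` section just above looks up the key `'ssh'` (matching its pre-existing `enabled` line) rather than its section name; a one-line comment there would save operators from setting `jails_config.sshd.port` and wondering why nothing changes.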
@@ -266,16 +266,16 @@ logpath = %(auditd_log)s [apache-auth] -enabled = <%= "apache-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-auth', 'http,https') %> logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. -enabled = <%= "apache-badbots" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-badbots' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-badbots', 'http,https') %> logpath = %(apache_access_log)s bantime = 172800 maxretry = 1 
@@ -283,39 +283,39 @@ maxretry = 1 [apache-noscript] -enabled = <%= "apache-noscript" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-noscript' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-noscript', 'http,https') %> logpath = %(apache_error_log)s [apache-overflows] -enabled = <%= "apache-overflows" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-overflows' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-overflows', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] -enabled = <%= "apache-nohome" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-nohome' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-nohome', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] -enabled = <%= "apache-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-botsearch', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] -enabled = <%= "apache-fakegooglebot" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-fakegooglebot' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-fakegooglebot', 'http,https') %> logpath = %(apache_access_log)s maxretry = 1 ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot 
@@ -323,23 +323,23 @@ ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot [apache-modsecurity] -enabled = <%= "apache-modsecurity" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-modsecurity' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-modsecurity', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] -enabled = <%= "apache-shellshock" in $fail2ban::jails %> -port = http,https -logpath = %(apache_error_log)s +enabled = <%= 'apache-shellshock' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-shellshock', 'http,https') %> +logpath = %(apache_error_log)s maxretry = 1 [openhab-auth] -enabled = <%= "openhab-auth" in $fail2ban::jails %> +enabled = <%= 'openhab-auth' in $fail2ban::jails %> filter = openhab action = iptables-allports[name=NoAuthFailures] logpath = /opt/openhab/logs/request.log 
@@ -347,24 +347,24 @@ logpath = /opt/openhab/logs/request.log [nginx-http-auth] -enabled = <%= "nginx-http-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-http-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-http-auth', 'http,https') %> logpath = %(nginx_error_log)s -# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` +# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` # and define `limit_req` and `limit_req_zone` as described in nginx documentation # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html # or for example see in 'config/filter.d/nginx-limit-req.conf' [nginx-limit-req] -enabled = <%= "nginx-limit-req" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-limit-req' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-limit-req', 'http,https') %> logpath = %(nginx_error_log)s [nginx-botsearch] -enabled = <%= "nginx-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-botsearch', 'http,https') %> logpath = %(nginx_error_log)s maxretry = 2 @@ -375,24 +375,24 @@ maxretry = 2 [php-url-fopen] -enabled = <%= "php-url-fopen" in $fail2ban::jails %> -port = http,https +enabled = <%= 'php-url-fopen' in $fail2ban::jails %> +port = <%= fail2ban::port('php-url-fopen', 'http,https') %> logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] -enabled = <%= "suhosin" in $fail2ban::jails %> -port = http,https +enabled = <%= 'suhosin' in $fail2ban::jails %> +port = <%= fail2ban::port('suhosin', 'http,https') %> logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications -enabled = <%= "lighttpd-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'lighttpd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('lighttpd-auth', 'http,https') %> logpath = %(lighttpd_error_log)s 
@@ -402,46 +402,46 @@ logpath = %(lighttpd_error_log)s [roundcube-auth] -enabled = <%= "roundcube-auth" in $fail2ban::jails %> -port = http,https -logpath = %(roundcube_errors_log)s +enabled = <%= 'roundcube-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('roundcube-auth', 'http,https') %> +logpath = %(roundcube_errors_log)s [openwebmail] -enabled = <%= "openwebmail" in $fail2ban::jails %> -port = http,https -logpath = /var/log/openwebmail.log +enabled = <%= 'openwebmail' in $fail2ban::jails %> +port = <%= fail2ban::port('openwebmail', 'http,https') %> +logpath = /var/log/openwebmail.log [horde] -enabled = <%= "horde" in $fail2ban::jails %> -port = http,https -logpath = /var/log/horde/horde.log +enabled = <%= 'horde' in $fail2ban::jails %> +port = <%= fail2ban::port('horde', 'http,https') %> +logpath = /var/log/horde/horde.log [groupoffice] -enabled = <%= "groupoffice" in $fail2ban::jails %> -port = http,https -logpath = /home/groupoffice/log/info.log +enabled = <%= 'groupoffice' in $fail2ban::jails %> +port = <%= fail2ban::port('groupoffice', 'http,https') %> +logpath = /home/groupoffice/log/info.log [sogo-auth] # Monitor SOGo groupware server # without proxy this would be: # port = 20000 -enabled = <%= "sogo-auth" in $fail2ban::jails %> -port = http,https -logpath = /var/log/sogo/sogo.log +enabled = <%= 'sogo-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sogo-auth', 'http,https') %> +logpath = /var/log/sogo/sogo.log [tine20] -enabled = <%= "tine20" in $fail2ban::jails %> -logpath = /var/log/tine20/tine20.log -port = http,https +enabled = <%= 'tine20' in $fail2ban::jails %> +logpath = /var/log/tine20/tine20.log +port = <%= fail2ban::port('tine20', 'http,https') %> # 
@@ -451,38 +451,38 @@ port = http,https [drupal-auth] -enabled = <%= "drupal-auth" in $fail2ban::jails %> -port = http,https -logpath = %(syslog_daemon)s -backend = %(syslog_backend)s +enabled = <%= 'drupal-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('drupal-auth', 'http,https') %> +logpath = %(syslog_daemon)s +backend = %(syslog_backend)s [guacamole] -enabled = <%= "guacamole" in $fail2ban::jails %> -port = http,https -logpath = /var/log/tomcat*/catalina.out +enabled = <%= 'guacamole' in $fail2ban::jails %> +port = <%= fail2ban::port('guacamole', 'http,https') %> +logpath = /var/log/tomcat*/catalina.out [monit] #Ban clients brute-forcing the monit gui login -enabled = <%= "monit" in $fail2ban::jails %> -port = 2812 -logpath = /var/log/monit +enabled = <%= 'monit' in $fail2ban::jails %> +port = <%= fail2ban::port('monit', 2812) %> +logpath = /var/log/monit [webmin-auth] -enabled = <%= "webmin-auth" in $fail2ban::jails %> -port = 10000 +enabled = <%= 'webmin-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('webmin-auth', 10000) %> logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [froxlor-auth] -enabled = <%= "froxlor-auth" in $fail2ban::jails %> -port = http,https -logpath = %(syslog_authpriv)s -backend = %(syslog_backend)s +enabled = <%= 'froxlor-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('froxlor-auth', 'http,https') %> +logpath = %(syslog_authpriv)s +backend = %(syslog_backend)s # @@ -492,15 +492,15 @@ backend = %(syslog_backend)s [squid] -enabled = <%= "squid" in $fail2ban::jails %> -port = 80,443,3128,8080 +enabled = <%= 'squid' in $fail2ban::jails %> +port = <%= fail2ban::port('squid', '80,443,3128,8080') %> logpath = /var/log/squid/access.log [3proxy] -enabled = <%= "3proxy" in $fail2ban::jails %> -port = 3128 +enabled = <%= '3proxy' in $fail2ban::jails %> +port = <%= fail2ban::port('3proxy', 3128) %> logpath = /var/log/3proxy.log 
@@ -511,44 +511,44 @@ logpath = /var/log/3proxy.log [proftpd] -enabled = <%= "proftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'proftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('proftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(proftpd_log)s backend = %(proftpd_backend)s [pure-ftpd] -enabled = <%= "pure-ftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'pure-ftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('pure-ftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(pureftpd_log)s backend = %(pureftpd_backend)s [gssftpd] -enabled = <%= "gssftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'gssftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('gssftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(syslog_daemon)s backend = %(syslog_backend)s [wuftpd] -enabled = <%= "wuftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'wuftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('wuftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(wuftpd_log)s backend = %(wuftpd_backend)s [vsftpd] -enabled = <%= "vsftpd" in $fail2ban::jails %> +enabled = <%= 'vsftpd' in $fail2ban::jails %> # or overwrite it in jails.local to be # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats -port = ftp,ftp-data,ftps,ftps-data +port = <%= fail2ban::port('vsftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(vsftpd_log)s 
@@ -559,31 +559,31 @@ logpath = %(vsftpd_log)s # ASSP SMTP Proxy Jail [assp] -enabled = <%= "assp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'assp' in $fail2ban::jails %> +port = <%= fail2ban::port('assp', 'smtp,465,submission') %> logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] -enabled = <%= "courier-smtp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'courier-smtp' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-smtp', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [postfix] -enabled = <%= "postfix" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'postfix' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix', 'smtp,465,submission') %> logpath = %(postfix_log)s backend = %(postfix_backend)s [postfix-rbl] -enabled = <%= "postfix-rbl" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'postfix-rbl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-rbl', 'smtp,465,submission') %> logpath = %(postfix_log)s backend = %(postfix_backend)s maxretry = 1 @@ -591,25 +591,25 @@ maxretry = 1 [sendmail-auth] -enabled = <%= "sendmail-auth" in $fail2ban::jails %> -port = submission,465,smtp +enabled = <%= 'sendmail-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-auth', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [sendmail-reject] -enabled = <%= "sendmail-reject" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sendmail-reject' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-reject', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [qmail-rbl] -enabled = <%= "qmail-rbl" in $fail2ban::jails %> +enabled = <%= 'qmail-rbl' in $fail2ban::jails %> filter = qmail -port = smtp,465,submission +port = <%= fail2ban::port('qmail-rbl', 'smtp,465,submission') %> logpath = /service/qmail/log/main/current 
@@ -617,45 +617,45 @@ logpath = /service/qmail/log/main/current # but can be set by syslog_facility in the dovecot configuration. [dovecot] -enabled = <%= "dovecot" in $fail2ban::jails %> -port = pop3,pop3s,imap,imaps,submission,465,sieve +enabled = <%= 'dovecot' in $fail2ban::jails %> +port = <%= fail2ban::port('dovecot', 'pop3,pop3s,imap,imaps,submission,465,sieve') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [sieve] -enabled = <%= "sieve" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sieve' in $fail2ban::jails %> +port = <%= fail2ban::port('sieve', 'smtp,465,submission') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [solid-pop3d] -enabled = <%= "solid-pop3d" in $fail2ban::jails %> -port = pop3,pop3s +enabled = <%= 'solid-pop3d' in $fail2ban::jails %> +port = <%= fail2ban::port('solid-pop3d', 'pop3,pop3s') %> logpath = %(solidpop3d_log)s [exim] -enabled = <%= "exim" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim' in $fail2ban::jails %> +port = <%= fail2ban::port('exim', 'smtp,465,submission') %> logpath = %(exim_main_log)s [exim-spam] -enabled = <%= "exim-spam" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim-spam' in $fail2ban::jails %> +port = <%= fail2ban::port('exim-spam', 'smtp,465,submission') %> logpath = %(exim_main_log)s [kerio] -enabled = <%= "kerio" in $fail2ban::jails %> -port = imap,smtp,imaps,465 +enabled = <%= 'kerio' in $fail2ban::jails %> +port = <%= fail2ban::port('kerio', 'imap,smtp,imaps,465') %> logpath = /opt/kerio/mailserver/store/logs/security.log 
@@ -666,50 +666,50 @@ logpath = /opt/kerio/mailserver/store/logs/security.log [courier-auth] -enabled = <%= "courier-auth" in $fail2ban::jails %> -port = smtp,465,submission,imap,imaps,pop3,pop3s -logpath = %(syslog_mail)s -backend = %(syslog_backend)s +enabled = <%= 'courier-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-auth', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> +logpath = %(syslog_mail)s +backend = %(syslog_backend)s [postfix-sasl] -enabled = <%= "postfix-sasl" in $fail2ban::jails %> -port = smtp,465,submission,imap,imaps,pop3,pop3s +enabled = <%= 'postfix-sasl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-sasl', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. -logpath = %(postfix_log)s -backend = %(postfix_backend)s +logpath = %(postfix_log)s +backend = %(postfix_backend)s [perdition] -enabled = <%= "perdition" in $fail2ban::jails %> -port = imap,imaps,pop3,pop3s +enabled = <%= 'perdition' in $fail2ban::jails %> +port = <%= fail2ban::port('perdition', 'imap,imaps,pop3,pop3s') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [squirrelmail] -enabled = <%= "squirrelmail" in $fail2ban::jails %> -port = smtp,465,submission,imap2,imap,imaps,pop3,pop3s,http,https,socks +enabled = <%= 'squirrelmail' in $fail2ban::jails %> +port = <%= fail2ban::port('squirrelmail', 'smtp,465,submission,imap2,imap,imaps,pop3,pop3s,http,https,socks') %> logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] -enabled = <%= "cyrus-imap" in $fail2ban::jails %> -port = imap,imaps +enabled = <%= 'cyrus-imap' in $fail2ban::jails %> +port = <%= fail2ban::port('cyrus-imap', 'imap3,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [uwimap-auth] -enabled = <%= "uwimap-auth" in $fail2ban::jails %> -port = imap,imaps +enabled = 
<%= 'uwimap-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('uwimap-auth', 'imap,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s @@ -742,17 +742,17 @@ backend = %(syslog_backend)s [named-refused] -enabled = <%= "named-refused" in $fail2ban::jails %> -port = domain,953 -logpath = /var/log/named/security.log +enabled = <%= 'named-refused' in $fail2ban::jails %> +port = <%= fail2ban::port('named-refused', 'domain,953') %> +logpath = /var/log/named/security.log [nsd] -enabled = <%= "nsd" in $fail2ban::jails %> -port = 53 -action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] - %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] +enabled = <%= 'nsd' in $fail2ban::jails %> +port = <%= fail2ban::port('nsd', 53) %> +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log @@ -762,8 +762,8 @@ logpath = /var/log/nsd.log [asterisk] -enabled = <%= "asterisk" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'asterisk' in $fail2ban::jails %> +port = <%= fail2ban::port('asterisk', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] 
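Review bot: The `[cyrus-imap]` default silently changes from `imap,imaps` to `imap3,imaps`. imap3 is a different service (TCP 220) from imap (TCP 143), so with this default a ban issued by the cyrus-imap jail no longer covers the port Cyrus normally serves IMAP on; the OpenSuSE hunk later in this same commit keeps `imap,imaps`, and the commit message gives no reason for the change. Unless it is deliberate, the line should read `port = <%= fail2ban::port('cyrus-imap', 'imap,imaps') %>`.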
@@ -773,8 +773,8 @@ maxretry = 10 [freeswitch] -enabled = <%= "freeswitch" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'freeswitch' in $fail2ban::jails %> +port = <%= fail2ban::port('freeswitch', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] @@ -795,8 +795,8 @@ maxretry = 10 # log-error=/var/log/mysqld.log [mysqld-auth] -enabled = <%= "mysqld-auth" in $fail2ban::jails %> -port = 3306 +enabled = <%= 'mysqld-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mysqld-auth', 3306) %> logpath = %(mysql_log)s backend = %(mysql_backend)s @@ -804,8 +804,8 @@ backend = %(mysql_backend)s # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') [mongodb-auth] # change port when running with "--shardsvr" or "--configsvr" runtime operation -enabled = <%= "mongodb-auth" in $fail2ban::jails %> -port = 27017 +enabled = <%= 'mongodb-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mongodb-auth', 27017) %> logpath = /var/log/mongodb/mongodb.log @@ -855,8 +855,8 @@ logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] -enabled = <%= "ejabberd-auth" in $fail2ban::jails %> -port = 5222 +enabled = <%= 'ejabberd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('ejabberd-auth', 5222) %> logpath = /var/log/ejabberd/ejabberd.log diff --git a/templates/OpenSuSE/15/etc/fail2ban/jail.conf.epp b/templates/OpenSuSE/15/etc/fail2ban/jail.conf.epp index f586de1f..655e9926 100644 --- a/templates/OpenSuSE/15/etc/fail2ban/jail.conf.epp +++ b/templates/OpenSuSE/15/etc/fail2ban/jail.conf.epp 
@@ -255,21 +255,21 @@ action = %(<%= $fail2ban::action %>)s # normal (default), ddos, extra or aggressive (combines all). # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. #mode = normal -enabled = <%= "ssh" in $fail2ban::jails %> +enabled = <%= 'ssh' in $fail2ban::jails %> port = ssh logpath = %(sshd_log)s backend = %(sshd_backend)s [dropbear] -enabled = <%= "dropbear" in $fail2ban::jails %> +enabled = <%= 'dropbear' in $fail2ban::jails %> port = ssh logpath = %(dropbear_log)s backend = %(dropbear_backend)s [selinux-ssh] -enabled = <%= "selinux-ssh" in $fail2ban::jails %> +enabled = <%= 'selinux-ssh' in $fail2ban::jails %> port = ssh logpath = %(auditd_log)s @@ -279,7 +279,7 @@ logpath = %(auditd_log)s # [apache-auth] -enabled = <%= "apache-auth" in $fail2ban::jails %> +enabled = <%= 'apache-auth' in $fail2ban::jails %> port = http,https logpath = %(apache_error_log)s @@ -287,7 +287,7 @@ logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. -enabled = <%= "apache-badbots" in $fail2ban::jails %> +enabled = <%= 'apache-badbots' in $fail2ban::jails %> port = http,https logpath = %(apache_access_log)s bantime = 48h 
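Review bot: The `[sshd]`, `[dropbear]` and `[selinux-ssh]` entries in this hunk keep the literal `port = ssh`, so the OpenSuSE template does not get the ssh-port override that is the stated purpose of this commit, while the RedHat/6 template in the same series wraps the same three jails with `fail2ban::port('ssh', 'ssh')`, `fail2ban::port('dropbear', 'ssh')` and `fail2ban::port('selinux-ssh', 'ssh')`. The same omission applies to every http/https jail in the OpenSuSE hunks that follow (apache-*, nginx-*, php-url-fopen through froxlor-auth, squid and 3proxy), where only the quote style was touched. The `[sshd]` section header sits above the start of this hunk.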
@@ -295,34 +295,34 @@ maxretry = 1 [apache-noscript] -enabled = <%= "apache-noscript" in $fail2ban::jails %> +enabled = <%= 'apache-noscript' in $fail2ban::jails %> port = http,https logpath = %(apache_error_log)s [apache-overflows] -enabled = <%= "apache-overflows" in $fail2ban::jails %> +enabled = <%= 'apache-overflows' in $fail2ban::jails %> port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] -enabled = <%= "apache-nohome" in $fail2ban::jails %> +enabled = <%= 'apache-nohome' in $fail2ban::jails %> port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] -enabled = <%= "apache-botsearch" in $fail2ban::jails %> +enabled = <%= 'apache-botsearch' in $fail2ban::jails %> port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] -enabled = <%= "apache-fakegooglebot" in $fail2ban::jails %> +enabled = <%= 'apache-fakegooglebot' in $fail2ban::jails %> port = http,https logpath = %(apache_access_log)s maxretry = 1 @@ -330,28 +330,28 @@ ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot [apache-modsecurity] -enabled = <%= "apache-modsecurity" in $fail2ban::jails %> +enabled = <%= 'apache-modsecurity' in $fail2ban::jails %> port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] -enabled = <%= "apache-shellshock" in $fail2ban::jails %> +enabled = <%= 'apache-shellshock' in $fail2ban::jails %> port = http,https logpath = %(apache_error_log)s maxretry = 1 [openhab-auth] -enabled = <%= "openhab-auth" in $fail2ban::jails %> +enabled = <%= 'openhab-auth' in $fail2ban::jails %> filter = openhab action = iptables-allports[name=NoAuthFailures] logpath = /opt/openhab/logs/request.log [nginx-http-auth] -enabled = <%= "nginx-http-auth" in $fail2ban::jails %> +enabled = <%= 'nginx-http-auth' in $fail2ban::jails %> port = http,https logpath = %(nginx_error_log)s 
@@ -360,12 +360,12 @@ logpath = %(nginx_error_log)s # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html # or for example see in 'config/filter.d/nginx-limit-req.conf' [nginx-limit-req] -enabled = <%= "nginx-limit-req" in $fail2ban::jails %> +enabled = <%= 'nginx-limit-req' in $fail2ban::jails %> port = http,https logpath = %(nginx_error_log)s [nginx-botsearch] -enabled = <%= "nginx-botsearch" in $fail2ban::jails %> +enabled = <%= 'nginx-botsearch' in $fail2ban::jails %> port = http,https logpath = %(nginx_error_log)s maxretry = 2 @@ -376,14 +376,14 @@ maxretry = 2 # of usage in production environments. [php-url-fopen] -enabled = <%= "php-url-fopen" in $fail2ban::jails %> +enabled = <%= 'php-url-fopen' in $fail2ban::jails %> port = http,https logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] -enabled = <%= "suhosin" in $fail2ban::jails %> +enabled = <%= 'suhosin' in $fail2ban::jails %> port = http,https logpath = %(suhosin_log)s @@ -391,7 +391,7 @@ logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications -enabled = <%= "lighttpd-auth" in $fail2ban::jails %> +enabled = <%= 'lighttpd-auth' in $fail2ban::jails %> port = http,https logpath = %(lighttpd_error_log)s @@ -401,7 +401,7 @@ logpath = %(lighttpd_error_log)s # [roundcube-auth] -enabled = <%= "roundcube-auth" in $fail2ban::jails %> +enabled = <%= 'roundcube-auth' in $fail2ban::jails %> port = http,https logpath = %(roundcube_errors_log)s # Use following line in your jail.local if roundcube logs to journal. 
@@ -409,19 +409,19 @@ logpath = %(roundcube_errors_log)s [openwebmail] -enabled = <%= "openwebmail" in $fail2ban::jails %> +enabled = <%= 'openwebmail' in $fail2ban::jails %> port = http,https logpath = /var/log/openwebmail.log [horde] -enabled = <%= "horde" in $fail2ban::jails %> +enabled = <%= 'horde' in $fail2ban::jails %> port = http,https logpath = /var/log/horde/horde.log [groupoffice] -enabled = <%= "groupoffice" in $fail2ban::jails %> +enabled = <%= 'groupoffice' in $fail2ban::jails %> port = http,https logpath = /home/groupoffice/log/info.log @@ -430,13 +430,13 @@ logpath = /home/groupoffice/log/info.log # Monitor SOGo groupware server # without proxy this would be: # port = 20000 -enabled = <%= "sogo-auth" in $fail2ban::jails %> +enabled = <%= 'sogo-auth' in $fail2ban::jails %> port = http,https logpath = /var/log/sogo/sogo.log [tine20] -enabled = <%= "tine20" in $fail2ban::jails %> +enabled = <%= 'tine20' in $fail2ban::jails %> logpath = /var/log/tine20/tine20.log port = http,https @@ -447,32 +447,32 @@ port = http,https # [drupal-auth] -enabled = <%= "drupal-auth" in $fail2ban::jails %> +enabled = <%= 'drupal-auth' in $fail2ban::jails %> port = http,https logpath = %(syslog_daemon)s backend = %(syslog_backend)s [guacamole] -enabled = <%= "guacamole" in $fail2ban::jails %> +enabled = <%= 'guacamole' in $fail2ban::jails %> port = http,https logpath = /var/log/tomcat*/catalina.out [monit] #Ban clients brute-forcing the monit gui login -enabled = <%= "monit" in $fail2ban::jails %> +enabled = <%= 'monit' in $fail2ban::jails %> port = 2812 logpath = /var/log/monit [webmin-auth] -enabled = <%= "webmin-auth" in $fail2ban::jails %> +enabled = <%= 'webmin-auth' in $fail2ban::jails %> port = 10000 logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [froxlor-auth] -enabled = <%= "froxlor-auth" in $fail2ban::jails %> +enabled = <%= 'froxlor-auth' in $fail2ban::jails %> port = http,https logpath = %(syslog_authpriv)s backend = %(syslog_backend)s 
@@ -484,13 +484,13 @@ backend = %(syslog_backend)s # [squid] -enabled = <%= "squid" in $fail2ban::jails %> +enabled = <%= 'squid' in $fail2ban::jails %> port = 80,443,3128,8080 logpath = /var/log/squid/access.log [3proxy] -enabled = <%= "3proxy" in $fail2ban::jails %> +enabled = <%= '3proxy' in $fail2ban::jails %> port = 3128 logpath = /var/log/3proxy.log @@ -501,29 +501,29 @@ logpath = /var/log/3proxy.log [proftpd] -enabled = <%= "proftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'proftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('proftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(proftpd_log)s backend = %(proftpd_backend)s [pure-ftpd] -enabled = <%= "pure-ftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'pure-ftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('pure-ftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(pureftpd_log)s backend = %(pureftpd_backend)s [gssftpd] -enabled = <%= "gssftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'gssftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('gssftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(syslog_daemon)s backend = %(syslog_backend)s [wuftpd] -enabled = <%= "wuftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'wuftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('wuftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(wuftpd_log)s backend = %(wuftpd_backend)s @@ -533,8 +533,8 @@ backend = %(wuftpd_backend)s # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats -enabled = <%= "vsftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'vsftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('vsftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(vsftpd_log)s 
@@ -544,39 +544,39 @@ logpath = %(vsftpd_log)s # ASSP SMTP Proxy Jail [assp] -enabled = <%= "assp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'assp' in $fail2ban::jails %> +port = <%= fail2ban::port('assp', 'smtp,465,submission') %> logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] -enabled = <%= "courier-smtp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'courier-smtp' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-smtp', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [postfix] # To use another modes set filter parameter "mode" in jail.local: -enabled = <%= "postfix" in $fail2ban::jails %> +enabled = <%= 'postfix' in $fail2ban::jails %> mode = more -port = smtp,465,submission +port = <%= fail2ban::port('postfix', 'smtp,465,submission') %> logpath = %(postfix_log)s backend = %(postfix_backend)s [postfix-rbl] -enabled = <%= "postfix-rbl" in $fail2ban::jails %> +enabled = <%= 'postfix-rbl' in $fail2ban::jails %> filter = postfix[mode=rbl] -port = smtp,465,submission +port = <%= fail2ban::port('postfix-rbl', 'smtp,465,submission') %> logpath = %(postfix_log)s backend = %(postfix_backend)s maxretry = 1 [sendmail-auth] -enabled = <%= "sendmail-auth" in $fail2ban::jails %> -port = submission,465,smtp +enabled = <%= 'sendmail-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-auth', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s 
@@ -586,58 +586,58 @@ backend = %(syslog_backend)s # normal (default), extra or aggressive # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details. #mode = normal -enabled = <%= "sendmail-reject" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sendmail-reject' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-reject', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [qmail-rbl] -enabled = <%= "qmail-rbl" in $fail2ban::jails %> +enabled = <%= 'qmail-rbl' in $fail2ban::jails %> filter = qmail -port = smtp,465,submission +port = <%= fail2ban::port('qmail-rbl', 'smtp,465,submission') %> logpath = /service/qmail/log/main/current # dovecot defaults to logging to the mail syslog facility # but can be set by syslog_facility in the dovecot configuration. [dovecot] -enabled = <%= "dovecot" in $fail2ban::jails %> -port = pop3,pop3s,imap,imaps,submission,465,sieve +enabled = <%= 'dovecot' in $fail2ban::jails %> +port = <%= fail2ban::port('dovecot', 'pop3,pop3s,imap,imaps,submission,465,sieve') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [sieve] -enabled = <%= "sieve" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sieve' in $fail2ban::jails %> +port = <%= fail2ban::port('sieve', 'smtp,465,submission') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [solid-pop3d] -enabled = <%= "solid-pop3d" in $fail2ban::jails %> -port = pop3,pop3s +enabled = <%= 'solid-pop3d' in $fail2ban::jails %> +port = <%= fail2ban::port('solid-pop3d', 'pop3,pop3s') %> logpath = %(solidpop3d_log)s [exim] # see filter.d/exim.conf for further modes supported from filter: #mode = normal -enabled = <%= "exim" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim' in $fail2ban::jails %> +port = <%= fail2ban::port('exim', 'smtp,465,submission') %> logpath = %(exim_main_log)s [exim-spam] -enabled = <%= "exim-spam" in $fail2ban::jails %> 
-port = smtp,465,submission +enabled = <%= 'exim-spam' in $fail2ban::jails %> +port = <%= fail2ban::port('exim-spam', 'smtp,465,submission') %> logpath = %(exim_main_log)s [kerio] -enabled = <%= "kerio" in $fail2ban::jails %> -port = imap,smtp,imaps,465 +enabled = <%= 'kerio' in $fail2ban::jails %> +port = <%= fail2ban::port('kerio', 'imap,smtp,imaps,465') %> logpath = /opt/kerio/mailserver/store/logs/security.log @@ -647,16 +647,16 @@ logpath = /opt/kerio/mailserver/store/logs/security.log # [courier-auth] -enabled = <%= "courier-auth" in $fail2ban::jails %> -port = smtp,465,submission,imap,imaps,pop3,pop3s -logpath = %(syslog_mail)s -backend = %(syslog_backend)s +enabled = <%= 'courier-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-auth', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> +logpath = %(syslog_mail)s +backend = %(syslog_backend)s [postfix-sasl] -enabled = <%= "postfix-sasl" in $fail2ban::jails %> +enabled = <%= 'postfix-sasl' in $fail2ban::jails %> filter = postfix[mode=auth] -port = smtp,465,submission,imap,imaps,pop3,pop3s +port = <%= fail2ban::port('postfix-sasl', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. 
@@ -665,28 +665,28 @@ backend = %(postfix_backend)s [perdition] -enabled = <%= "perdition" in $fail2ban::jails %> -port = imap,imaps,pop3,pop3s +enabled = <%= 'perdition' in $fail2ban::jails %> +port = <%= fail2ban::port('perdition', 'imap,imaps,pop3,pop3s') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [squirrelmail] -enabled = <%= "squierrelmail" in $fail2ban::jails %> -port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks +enabled = <%= 'squirrelmail' in $fail2ban::jails %> +port = <%= fail2ban::port('squirrelmail', 'smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks') %> logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] -enabled = <%= "cyrus-imap" in $fail2ban::jails %> -port = imap,imaps +enabled = <%= 'cyrus-imap' in $fail2ban::jails %> +port = <%= fail2ban::port('cyrus-imap', 'imap,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [uwimap-auth] -enabled = <%= "uwimap-auth" in $fail2ban::jails %> -port = imap,imaps +enabled = <%= 'uwimap-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('uwimap-auth', 'imap,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s 
@@ -718,16 +718,16 @@ backend = %(syslog_backend)s # This jail blocks TCP traffic for DNS requests. [named-refused] -enabled = <%= "named-refused" in $fail2ban::jails %> -port = domain,953 -logpath = /var/lib/named/log/security.log +enabled = <%= 'named-refused' in $fail2ban::jails %> +port = <%= fail2ban::port('named-refused', 'domain,953') %> +logpath = /var/lib/named/log/security.log [nsd] -enabled = <%= "nsd" in $fail2ban::jails %> -port = 53 -action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] - %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] +enabled = <%= 'nsd' in $fail2ban::jails %> +port = <%= fail2ban::port('nsd', 53) %> +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log @@ -736,8 +736,8 @@ logpath = /var/log/nsd.log # [asterisk] -enabled = <%= "asterisk" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'asterisk' in $fail2ban::jails %> +port = <%= fail2ban::port('asterisk', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] 
@@ -746,8 +746,8 @@ maxretry = 10 [freeswitch] -enabled = <%= "freeswitch" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'freeswitch' in $fail2ban::jails %> +port = <%= fail2ban::port('freeswitch', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] @@ -767,8 +767,8 @@ maxretry = 10 # [mysqld] # log-error=/var/log/mysqld.log [mysqld-auth] -enabled = <%= "mysqld-auth" in $fail2ban::jails %> -port = 3306 +enabled = <%= 'mysqld-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mysqld-auth', 3306) %> logpath = %(mysql_log)s backend = %(mysql_backend)s @@ -776,8 +776,8 @@ backend = %(mysql_backend)s # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') [mongodb-auth] # change port when running with "--shardsvr" or "--configsvr" runtime operation -enabled = <%= "mongodb-auth" in $fail2ban::jails %> -port = 27017 +enabled = <%= 'mongodb-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mongodb-auth', 27017) %> logpath = /var/log/mongodb/mongodb.log @@ -822,8 +822,8 @@ logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] -enabled = <%= "ejabberd-auth" in $fail2ban::jails %> -port = 5222 +enabled = <%= 'ejabberd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('ejabberd-auth', 5222) %> logpath = /var/log/ejabberd/ejabberd.log diff --git a/templates/RedHat/6/etc/fail2ban/jail.conf.epp b/templates/RedHat/6/etc/fail2ban/jail.conf.epp index 9c8c2637..3727f11b 100644 --- a/templates/RedHat/6/etc/fail2ban/jail.conf.epp +++ b/templates/RedHat/6/etc/fail2ban/jail.conf.epp 
@@ -215,8 +215,8 @@ action = %(<%= $fail2ban::action %>)s # [sshd] -enabled = <%= "ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('ssh', 'ssh') %> filter = sshd logpath = %(sshd_log)s @@ -226,21 +226,21 @@ logpath = %(sshd_log)s # The mail-whois action send a notification e-mail with a whois request # in the boidy. enabled = <%= "ssh-ddos" in $fail2ban::jails %> -port = ssh +port = <%= lookup('fail2ban::jails_config.ssh-ddos.port', String, undef, 'ssh') %> filter = sshd logpath = %(sshd_log)s [dropbear] -enabled = <%= "dropbear" in $fail2ban::jails %> -port = ssh +enabled = <%= 'dropbear' in $fail2ban::jails %> +port = <%= fail2ban::port('dropbear', 'ssh') %> filter = sshd logpath = %(dropbear_log)s [selinux-ssh] -enabled = <%= "selinux-ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'selinux-ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('selinux-ssh', 'ssh') %> filter = sshd logpath = %(auditd_log)s maxretry = 5 
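Review bot: In the `[ssh-ddos]` section of the second hunk, the port line is a raw `lookup('fail2ban::jails_config.ssh-ddos.port', String, undef, 'ssh')` and the unchanged enabled line still uses the double-quoted `"ssh-ddos"`, while every other jail in this file goes through the new `fail2ban::port()` helper. The `String` type here would fail the lookup for an integer override such as 2222 supplied from Hiera, and it accepts any string, so this one jail bypasses whatever validation `Fail2ban::Port` provides. Both lines should follow the rest of the file: `enabled = <%= 'ssh-ddos' in $fail2ban::jails %>` and `port = <%= fail2ban::port('ssh-ddos', 'ssh') %>`. The `[ssh-ddos]` section header is above the start of that hunk.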
@@ -251,77 +251,77 @@ maxretry = 5 # [apache-auth] -enabled = <%= "apache-auth" in $fail2ban::jails %> -port = http,https -logpath = %(apache_error_log)s +enabled = <%= 'apache-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-auth', 'http,https') %> +logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. -enabled = <%= "apache-badbots" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-badbots' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-badbots', 'http,https') %> logpath = %(apache_access_log)s bantime = 172800 maxretry = 1 [apache-noscript] -enabled = <%= "apache-noscript" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-noscript' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-noscript', 'http,https') %> logpath = %(apache_error_log)s maxretry = 6 [apache-overflows] -enabled = <%= "apache-overflows" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-overflows' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-overflows', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] -enabled = <%= "apache-nohome" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-nohome' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-nohome', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] -enabled = <%= "apache-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-botsearch', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] -enabled = <%= "apache-fakegooglebot" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-fakegooglebot' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-fakegooglebot', 'http,https') %> logpath = %(apache_access_log)s maxretry = 1 
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot [apache-modsecurity] -enabled = <%= "apache-modsecurity" in $fail2ban::jails %> +enabled = <%= 'apache-modsecurity' in $fail2ban::jails %> port = http,https logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] -enabled = <%= "apache-shellshock" in $fail2ban::jails %> -port = http,https -logpath = %(apache_error_log)s +enabled = <%= 'apache-shellshock' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-shellshock', 'http,https') %> +logpath = %(apache_error_log)s maxretry = 1 [nginx-http-auth] -enabled = <%= "nginx-http-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-http-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-http-auth', 'http,https') %> logpath = %(nginx_error_log)s [nginx-botsearch] -enabled = <%= "nginx-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-botsearch', 'http,https') %> logpath = %(nginx_error_log)s maxretry = 2 @@ -330,23 +330,23 @@ maxretry = 2 # of usage in production environments. [php-url-fopen] -enabled = <%= "php-url-fopen" in $fail2ban::jails %> -port = http,https +enabled = <%= 'php-url-fopen' in $fail2ban::jails %> +port = <%= fail2ban::port('php-url-fopen', 'http,https') %> logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] -enabled = <%= "suhosin" in $fail2ban::jails %> -port = http,https +enabled = <%= 'suhosin' in $fail2ban::jails %> +port = <%= fail2ban::port('suhosin', 'http,https') %> logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications -enabled = <%= "lighttpd-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'lighttpd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('lighttpd-auth', 'http,https') %> logpath = %(lighttpd_error_log)s 
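Review bot: `[apache-modsecurity]` keeps the literal `port = http,https` while every neighbouring jail in this hunk (the apache-* jails above it, apache-shellshock, nginx-http-auth and nginx-botsearch) is switched to the helper, so it is the one http jail in this file whose port cannot be overridden. It should read `port = <%= fail2ban::port('apache-modsecurity', 'http,https') %>`.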
@@ -355,42 +355,42 @@ logpath = %(lighttpd_error_log)s # [roundcube-auth] -enabled = <%= "roundcube-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'roundcube-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('roundcube-auth', 'http,https') %> logpath = /var/log/roundcube/userlogins [openwebmail] -enabled = <%= "openwebmail" in $fail2ban::jails %> -port = http,https -logpath = /var/log/openwebmail.log +enabled = <%= 'openwebmail' in $fail2ban::jails %> +port = <%= fail2ban::port('openwebmail', 'http,https') %> +logpath = /var/log/openwebmail.log [horde] -enabled = <%= "horde" in $fail2ban::jails %> -port = http,https -logpath = /var/log/horde/horde.log +enabled = <%= 'horde' in $fail2ban::jails %> +port = <%= fail2ban::port('horde', 'http,https') %> +logpath = /var/log/horde/horde.log [groupoffice] -enabled = <%= "groupoffice" in $fail2ban::jails %> -port = http,https -logpath = /home/groupoffice/log/info.log +enabled = <%= 'groupoffice' in $fail2ban::jails %> +port = <%= fail2ban::port('groupoffice', 'http,https') %> +logpath = /home/groupoffice/log/info.log [sogo-auth] # Monitor SOGo groupware server # without proxy this would be: # port = 20000 -enabled = <%= "sogo-auth" in $fail2ban::jails %> -port = http,https -logpath = /var/log/sogo/sogo.log +enabled = <%= 'sogo-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sogo-auth', 'http,https') %> +logpath = /var/log/sogo/sogo.log [tine20] -enabled = <%= "tine20" in $fail2ban::jails %> +enabled = <%= 'tine20' in $fail2ban::jails %> logpath = /var/log/tine20/tine20.log -port = http,https +port = <%= fail2ban::port('tine20', 'http,https') %> maxretry = 5 
@@ -400,26 +400,26 @@ maxretry = 5 # [drupal-auth] -enabled = <%= "drupal-auth" in $fail2ban::jails %> -port = http,https -logpath = %(syslog_daemon)s +enabled = <%= 'drupal-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('drupal-auth', 'http,https') %> +logpath = %(syslog_daemon)s [guacamole] -enabled = <%= "guacamole" in $fail2ban::jails %> -port = http,https -logpath = /var/log/tomcat*/catalina.out +enabled = <%= 'guacamole' in $fail2ban::jails %> +port = <%= fail2ban::port('guacamole', 'http,https') %> +logpath = /var/log/tomcat*/catalina.out [monit] #Ban clients brute-forcing the monit gui login -enabled = <%= "monit" in $fail2ban::jails %> -filter = monit -port = 2812 -logpath = /var/log/monit +enabled = <%= 'monit' in $fail2ban::jails %> +filter = monit +port = <%= fail2ban::port('monit', 2812) %> +logpath = /var/log/monit [webmin-auth] -enabled = <%= "webmin-auth" in $fail2ban::jails %> -port = 10000 +enabled = <%= 'webmin-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('webmin-auth', 10000) %> logpath = %(syslog_authpriv)s @@ -429,14 +429,14 @@ logpath = %(syslog_authpriv)s # [squid] -enabled = <%= "squid" in $fail2ban::jails %> -port = 80,443,3128,8080 +enabled = <%= 'squid' in $fail2ban::jails %> +port = <%= fail2ban::port('squid', '80,443,3128,8080') %> logpath = /var/log/squid/access.log [3proxy] -enabled = <%= "3proxy" in $fail2ban::jails %> -port = 3128 +enabled = <%= '3proxy' in $fail2ban::jails %> +port = <%= fail2ban::port('3proxy', 3128) %> logpath = /var/log/3proxy.log # 
@@ -445,28 +445,28 @@ logpath = /var/log/3proxy.log [proftpd] -enabled = <%= "proftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'proftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('proftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(proftpd_log)s [pure-ftpd] -enabled = <%= "pure-ftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'pure-ftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('pure-ftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(pureftpd_log)s maxretry = 6 [gssftpd] -enabled = <%= "gssftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'gssftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('gssftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(syslog_daemon)s maxretry = 6 [wuftpd] -enabled = <%= "wuftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'wuftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('wuftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(wuftpd_log)s maxretry = 6 @@ -476,8 +476,8 @@ maxretry = 6 # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats -enabled = <%= "vsftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'vsftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('vsftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(vsftpd_log)s 
@@ -487,84 +487,84 @@ logpath = %(vsftpd_log)s # ASSP SMTP Proxy Jail [assp] -enabled = <%= "assp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'assp' in $fail2ban::jails %> +port = <%= fail2ban::port('assp', 'smtp,465,submission') %> logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] -enabled = <%= "courier-smtp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'courier-smtp' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-smtp', 'smtp,465,submission') %> logpath = %(syslog_mail)s [postfix] -enabled = <%= "postfix" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'postfix' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix', 'smtp,465,submission') %> logpath = %(postfix_log)s [postfix-rbl] -enabled = <%= "postfix-rbl" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'postfix-rbl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-rbl', 'smtp,465,submission') %> logpath = %(syslog_mail)s maxretry = 1 [sendmail-auth] -enabled = <%= "sendmail-auth" in $fail2ban::jails %> -port = submission,465,smtp +enabled = <%= 'sendmail-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-auth', 'smtp,465,submission') %> logpath = %(syslog_mail)s [sendmail-reject] -enabled = <%= "sendmail-reject" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sendmail-reject' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-reject', 'smtp,465,submission') %> logpath = %(syslog_mail)s [qmail-rbl] -enabled = <%= "qmail-rbl" in $fail2ban::jails %> +enabled = <%= 'qmail-rbl' in $fail2ban::jails %> filter = qmail -port = smtp,465,submission +port = <%= fail2ban::port('qmail-rbl', 'smtp,465,submission') %> logpath = /service/qmail/log/main/current # dovecot defaults to logging to the mail syslog facility # but can be set by syslog_facility in the dovecot configuration. 
[dovecot] -enabled = <%= "dovecot" in $fail2ban::jails %> -port = pop3,pop3s,imap,imaps,submission,465,sieve +enabled = <%= 'dovecot' in $fail2ban::jails %> +port = <%= fail2ban::port('dovecot', 'pop3,pop3s,imap,imaps,submission,465,sieve') %> logpath = %(dovecot_log)s [sieve] -enabled = <%= "sieve" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sieve' in $fail2ban::jails %> +port = <%= fail2ban::port('sieve', 'smtp,465,submission') %> logpath = %(dovecot_log)s [solid-pop3d] -enabled = <%= "solid-pop3d" in $fail2ban::jails %> -port = pop3,pop3s +enabled = <%= 'solid-pop3d' in $fail2ban::jails %> +port = <%= fail2ban::port('solid-pop3d', 'pop3,pop3s') %> logpath = %(solidpop3d_log)s [exim] -enabled = <%= "exim" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim' in $fail2ban::jails %> +port = <%= fail2ban::port('exim', 'smtp,465,submission') %> logpath = %(exim_main_log)s [exim-spam] -enabled = <%= "exim-spam" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim-spam' in $fail2ban::jails %> +port = <%= fail2ban::port('exim-spam', 'smtp,465,submission') %> logpath = %(exim_main_log)s [kerio] -enabled = <%= "kerio" in $fail2ban::jails %> -port = imap,smtp,imaps,465 +enabled = <%= 'kerio' in $fail2ban::jails %> +port = <%= fail2ban::port('kerio', 'imap,smtp,imaps,465') %> logpath = /opt/kerio/mailserver/store/logs/security.log 
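Review bot: The `[sendmail-auth]` default port list is silently changed from `submission,465,smtp` to `smtp,465,submission` while being moved into the helper, here and in the corresponding hunk of the RedHat/7 template (the next file in this diff). fail2ban treats the comma-separated list as a set, so I would expect no functional difference, but a change to the rendered default does not belong in a refactor whose stated purpose is adding an override mechanism; either keep the original order with `port = <%= fail2ban::port('sendmail-auth', 'submission,465,smtp') %>` or mention the normalisation in the commit message so the acceptance spec change can be matched to it.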
@@ -574,14 +574,14 @@ logpath = /opt/kerio/mailserver/store/logs/security.log # [courier-auth] -enabled = <%= "courier-auth" in $fail2ban::jails %> -port = smtp,465,submission,imap3,imaps,pop3,pop3s -logpath = %(syslog_mail)s +enabled = <%= 'courier-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-auth', 'smtp,465,submission,imap3,imaps,pop3,pop3s') %> +logpath = %(syslog_mail)s [postfix-sasl] -enabled = <%= "postfix-sasl" in $fail2ban::jails %> -port = smtp,465,submission,imap3,imaps,pop3,pop3s +enabled = <%= 'postfix-sasl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-sasl', 'smtp,465,submission,imap3,imaps,pop3,pop3s') %> # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. @@ -589,26 +589,26 @@ logpath = %(postfix_log)s [perdition] -enabled = <%= "perdition" in $fail2ban::jails %> -port = imap3,imaps,pop3,pop3s +enabled = <%= 'perdition' in $fail2ban::jails %> +port = <%= fail2ban::port('perdition', 'imap3,imaps,pop3,pop3s') %> logpath = %(syslog_mail)s [squirrelmail] -enabled = <%= "squirrelmail" in $fail2ban::jails %> -port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks +enabled = <%= 'squirrelmail' in $fail2ban::jails %> +port = <%= fail2ban::port('squirrelmail', 'smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks') %> logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] -enabled = <%= "cyrus-imap" in $fail2ban::jails %> -port = imap3,imaps +enabled = <%= 'cyrus-imap' in $fail2ban::jails %> +port = <%= fail2ban::port('cyrus-imap', 'imap3,imaps') %> logpath = %(syslog_mail)s [uwimap-auth] -enabled = <%= "uwimap-auth" in $fail2ban::jails %> -port = imap3,imaps +enabled = <%= 'uwimap-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('uwimap-auth', 'imap3,imaps') %> logpath = %(syslog_mail)s 
@@ -639,16 +639,16 @@ logpath = %(syslog_mail)s # This jail blocks TCP traffic for DNS requests. [named-refused] -enabled = <%= "named-refused" in $fail2ban::jails %> -port = domain,953 -logpath = /var/log/named/security.log +enabled = <%= 'named-refused' in $fail2ban::jails %> +port = <%= fail2ban::port('named-refused', 'domain,953') %> +logpath = /var/log/named/security.log [nsd] -enabled = <%= "nsd" in $fail2ban::jails %> -port = 53 -action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] - %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] +enabled = <%= 'nsd' in $fail2ban::jails %> +port = <%= fail2ban::port('nsd', 53) %> +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log @@ -657,8 +657,8 @@ logpath = /var/log/nsd.log # [asterisk] -enabled = <%= "asterisk" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'asterisk' in $fail2ban::jails %> +port = <%= fail2ban::port('asterisk', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] 
@@ -667,8 +667,8 @@ maxretry = 10 [freeswitch] -enabled = <%= "freeswitch" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'freeswitch' in $fail2ban::jails %> +port = <%= fail2ban::port('freeswitch', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] @@ -688,8 +688,8 @@ maxretry = 10 # [mysqld] # log-error=/var/log/mysqld.log [mysqld-auth] -enabled = <%= "mysqld-auth" in $fail2ban::jails %> -port = 3306 +enabled = <%= 'mysqld-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mysqld-auth', 3306) %> logpath = %(mysql_log)s maxretry = 5 @@ -734,8 +734,8 @@ logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] -enabled = <%= "ejabberd-auth" in $fail2ban::jails %> -port = 5222 +enabled = <%= 'ejabberd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('ejabberd-auth', 5222) %> logpath = /var/log/ejabberd/ejabberd.log diff --git a/templates/RedHat/7/etc/fail2ban/jail.conf.epp b/templates/RedHat/7/etc/fail2ban/jail.conf.epp index 9c8c2637..57f3e12a 100644 --- a/templates/RedHat/7/etc/fail2ban/jail.conf.epp +++ b/templates/RedHat/7/etc/fail2ban/jail.conf.epp @@ -215,8 +215,8 @@ action = %(<%= $fail2ban::action %>)s # [sshd] -enabled = <%= "ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('ssh', 'ssh') %> filter = sshd logpath = %(sshd_log)s 
@@ -226,21 +226,21 @@ logpath = %(sshd_log)s # The mail-whois action send a notification e-mail with a whois request # in the boidy. enabled = <%= "ssh-ddos" in $fail2ban::jails %> -port = ssh +port = <%= lookup('fail2ban::jails_config.ssh-ddos.port', String, undef, 'ssh') %> filter = sshd logpath = %(sshd_log)s [dropbear] -enabled = <%= "dropbear" in $fail2ban::jails %> -port = ssh +enabled = <%= 'dropbear' in $fail2ban::jails %> +port = <%= fail2ban::port('dropbear', 'ssh') %> filter = sshd logpath = %(dropbear_log)s [selinux-ssh] -enabled = <%= "selinux-ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'selinux-ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('selinux-ssh', 'ssh') %> filter = sshd logpath = %(auditd_log)s maxretry = 5 
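Review bot: The `[ssh-ddos]` port line is the one place in this template that bypasses the new helper: `port = <%= lookup('fail2ban::jails_config.ssh-ddos.port', String, undef, 'ssh') %>` hard-codes the hiera key layout and constrains the value to `String`, while every other jail goes through `fail2ban::port`, whose defaults elsewhere in this diff include bare integers such as `2812` and `53`. A numeric override for this jail would therefore appear to be rejected by the lookup type check here but accepted for every other jail, and any later change to the key layout has to be made in two places. Suggest `port = <%= fail2ban::port('ssh-ddos', 'ssh') %>`; the `enabled` line of this jail also still uses double quotes, unlike the rest of the file after this commit. The `[ssh-ddos]` section header itself is outside the hunk.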
@@ -251,77 +251,77 @@ maxretry = 5 # [apache-auth] -enabled = <%= "apache-auth" in $fail2ban::jails %> -port = http,https -logpath = %(apache_error_log)s +enabled = <%= 'apache-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-auth', 'http,https') %> +logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. -enabled = <%= "apache-badbots" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-badbots' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-badbots', 'http,https') %> logpath = %(apache_access_log)s bantime = 172800 maxretry = 1 [apache-noscript] -enabled = <%= "apache-noscript" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-noscript' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-noscript', 'http,https') %> logpath = %(apache_error_log)s maxretry = 6 [apache-overflows] -enabled = <%= "apache-overflows" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-overflows' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-overflows', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] -enabled = <%= "apache-nohome" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-nohome' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-nohome', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] -enabled = <%= "apache-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-botsearch', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] -enabled = <%= "apache-fakegooglebot" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-fakegooglebot' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-fakegooglebot', 'http,https') %> logpath = %(apache_access_log)s maxretry = 1 
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot [apache-modsecurity] -enabled = <%= "apache-modsecurity" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-modsecurity' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-modsecurity', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] -enabled = <%= "apache-shellshock" in $fail2ban::jails %> -port = http,https -logpath = %(apache_error_log)s +enabled = <%= 'apache-shellshock' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-shellshock', 'http,https') %> +logpath = %(apache_error_log)s maxretry = 1 [nginx-http-auth] -enabled = <%= "nginx-http-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-http-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-http-auth', 'http,https') %> logpath = %(nginx_error_log)s [nginx-botsearch] -enabled = <%= "nginx-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-botsearch', 'http,https') %> logpath = %(nginx_error_log)s maxretry = 2 @@ -330,23 +330,23 @@ maxretry = 2 # of usage in production environments. [php-url-fopen] -enabled = <%= "php-url-fopen" in $fail2ban::jails %> -port = http,https +enabled = <%= 'php-url-fopen' in $fail2ban::jails %> +port = <%= fail2ban::port('php-url-fopen', 'http,https') %> logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] -enabled = <%= "suhosin" in $fail2ban::jails %> -port = http,https +enabled = <%= 'suhosin' in $fail2ban::jails %> +port = <%= fail2ban::port('suhosin', 'http,https') %> logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications -enabled = <%= "lighttpd-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'lighttpd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('lighttpd-auth', 'http,https') %> logpath = %(lighttpd_error_log)s 
@@ -355,42 +355,42 @@ logpath = %(lighttpd_error_log)s # [roundcube-auth] -enabled = <%= "roundcube-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'roundcube-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('roundcube-auth', 'http,https') %> logpath = /var/log/roundcube/userlogins [openwebmail] -enabled = <%= "openwebmail" in $fail2ban::jails %> -port = http,https -logpath = /var/log/openwebmail.log +enabled = <%= 'openwebmail' in $fail2ban::jails %> +port = <%= fail2ban::port('openwebmail', 'http,https') %> +logpath = /var/log/openwebmail.log [horde] -enabled = <%= "horde" in $fail2ban::jails %> -port = http,https -logpath = /var/log/horde/horde.log +enabled = <%= 'horde' in $fail2ban::jails %> +port = <%= fail2ban::port('horde', 'http,https') %> +logpath = /var/log/horde/horde.log [groupoffice] -enabled = <%= "groupoffice" in $fail2ban::jails %> -port = http,https -logpath = /home/groupoffice/log/info.log +enabled = <%= 'groupoffice' in $fail2ban::jails %> +port = <%= fail2ban::port('groupoffice', 'http,https') %> +logpath = /home/groupoffice/log/info.log [sogo-auth] # Monitor SOGo groupware server # without proxy this would be: # port = 20000 -enabled = <%= "sogo-auth" in $fail2ban::jails %> -port = http,https -logpath = /var/log/sogo/sogo.log +enabled = <%= 'sogo-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sogo-auth', 'http,https') %> +logpath = /var/log/sogo/sogo.log [tine20] -enabled = <%= "tine20" in $fail2ban::jails %> +enabled = <%= 'tine20' in $fail2ban::jails %> logpath = /var/log/tine20/tine20.log -port = http,https +port = <%= fail2ban::port('tine20', 'http,https') %> maxretry = 5 
@@ -400,26 +400,26 @@ maxretry = 5 # [drupal-auth] -enabled = <%= "drupal-auth" in $fail2ban::jails %> -port = http,https -logpath = %(syslog_daemon)s +enabled = <%= 'drupal-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('drupal-auth', 'http,https') %> +logpath = %(syslog_daemon)s [guacamole] -enabled = <%= "guacamole" in $fail2ban::jails %> -port = http,https -logpath = /var/log/tomcat*/catalina.out +enabled = <%= 'guacamole' in $fail2ban::jails %> +port = <%= fail2ban::port('guacamole', 'http,https') %> +logpath = /var/log/tomcat*/catalina.out [monit] #Ban clients brute-forcing the monit gui login -enabled = <%= "monit" in $fail2ban::jails %> -filter = monit -port = 2812 -logpath = /var/log/monit +enabled = <%= 'monit' in $fail2ban::jails %> +filter = monit +port = <%= fail2ban::port('monit', 2812) %> +logpath = /var/log/monit [webmin-auth] -enabled = <%= "webmin-auth" in $fail2ban::jails %> -port = 10000 +enabled = <%= 'webmin-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('webmin-auth', 10000) %> logpath = %(syslog_authpriv)s @@ -429,14 +429,14 @@ logpath = %(syslog_authpriv)s # [squid] -enabled = <%= "squid" in $fail2ban::jails %> -port = 80,443,3128,8080 +enabled = <%= 'squid' in $fail2ban::jails %> +port = <%= fail2ban::port('squid', '80,443,3128,8080') %> logpath = /var/log/squid/access.log [3proxy] -enabled = <%= "3proxy" in $fail2ban::jails %> -port = 3128 +enabled = <%= '3proxy' in $fail2ban::jails %> +port = <%= fail2ban::port('3proxy', 3128) %> logpath = /var/log/3proxy.log # 
@@ -445,28 +445,28 @@ logpath = /var/log/3proxy.log [proftpd] -enabled = <%= "proftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'proftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('proftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(proftpd_log)s [pure-ftpd] -enabled = <%= "pure-ftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'pure-ftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('pure-ftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(pureftpd_log)s maxretry = 6 [gssftpd] -enabled = <%= "gssftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'gssftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('gssftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(syslog_daemon)s maxretry = 6 [wuftpd] -enabled = <%= "wuftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'wuftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('wuftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(wuftpd_log)s maxretry = 6 @@ -476,8 +476,8 @@ maxretry = 6 # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats -enabled = <%= "vsftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'vsftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('vsftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(vsftpd_log)s 
@@ -487,84 +487,84 @@ logpath = %(vsftpd_log)s # ASSP SMTP Proxy Jail [assp] -enabled = <%= "assp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'assp' in $fail2ban::jails %> +port = <%= fail2ban::port('assp', 'smtp,465,submission') %> logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] -enabled = <%= "courier-smtp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'courier-smtp' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-smtp', 'smtp,465,submission') %> logpath = %(syslog_mail)s [postfix] -enabled = <%= "postfix" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'postfix' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix', 'smtp,465,submission') %> logpath = %(postfix_log)s [postfix-rbl] -enabled = <%= "postfix-rbl" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'postfix-rbl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-rbl', 'smtp,465,submission') %> logpath = %(syslog_mail)s maxretry = 1 [sendmail-auth] -enabled = <%= "sendmail-auth" in $fail2ban::jails %> -port = submission,465,smtp +enabled = <%= 'sendmail-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-auth', 'smtp,465,submission') %> logpath = %(syslog_mail)s [sendmail-reject] -enabled = <%= "sendmail-reject" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sendmail-reject' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-reject', 'smtp,465,submission') %> logpath = %(syslog_mail)s [qmail-rbl] -enabled = <%= "qmail-rbl" in $fail2ban::jails %> +enabled = <%= 'qmail-rbl' in $fail2ban::jails %> filter = qmail -port = smtp,465,submission +port = <%= fail2ban::port('qmail-rbl', 'smtp,465,submission') %> logpath = /service/qmail/log/main/current # dovecot defaults to logging to the mail syslog facility # but can be set by syslog_facility in the dovecot configuration. 
[dovecot] -enabled = <%= "dovecot" in $fail2ban::jails %> -port = pop3,pop3s,imap,imaps,submission,465,sieve +enabled = <%= 'dovecot' in $fail2ban::jails %> +port = <%= fail2ban::port('dovecot', 'pop3,pop3s,imap,imaps,submission,465,sieve') %> logpath = %(dovecot_log)s [sieve] -enabled = <%= "sieve" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sieve' in $fail2ban::jails %> +port = <%= fail2ban::port('sieve', 'smtp,465,submission') %> logpath = %(dovecot_log)s [solid-pop3d] -enabled = <%= "solid-pop3d" in $fail2ban::jails %> -port = pop3,pop3s +enabled = <%= 'solid-pop3d' in $fail2ban::jails %> +port = <%= fail2ban::port('solid-pop3d', 'pop3,pop3s') %> logpath = %(solidpop3d_log)s [exim] -enabled = <%= "exim" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim' in $fail2ban::jails %> +port = <%= fail2ban::port('exim', 'smtp,465,submission') %> logpath = %(exim_main_log)s [exim-spam] -enabled = <%= "exim-spam" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim-spam' in $fail2ban::jails %> +port = <%= fail2ban::port('exim-spam', 'smtp,465,submission') %> logpath = %(exim_main_log)s [kerio] -enabled = <%= "kerio" in $fail2ban::jails %> -port = imap,smtp,imaps,465 +enabled = <%= 'kerio' in $fail2ban::jails %> +port = <%= fail2ban::port('kerio', 'imap,smtp,imaps,465') %> logpath = /opt/kerio/mailserver/store/logs/security.log 
@@ -574,41 +574,41 @@ logpath = /opt/kerio/mailserver/store/logs/security.log # [courier-auth] -enabled = <%= "courier-auth" in $fail2ban::jails %> -port = smtp,465,submission,imap3,imaps,pop3,pop3s -logpath = %(syslog_mail)s +enabled = <%= 'courier-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-auth', 'smtp,465,submission,imap3,imaps,pop3,pop3s') %> +logpath = %(syslog_mail)s [postfix-sasl] -enabled = <%= "postfix-sasl" in $fail2ban::jails %> -port = smtp,465,submission,imap3,imaps,pop3,pop3s +enabled = <%= 'postfix-sasl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-sasl', 'smtp,465,submission,imap3,imaps,pop3,pop3s') %> # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. -logpath = %(postfix_log)s +logpath = %(postfix_log)s [perdition] -enabled = <%= "perdition" in $fail2ban::jails %> -port = imap3,imaps,pop3,pop3s +enabled = <%= 'perdition' in $fail2ban::jails %> +port = <%= fail2ban::port('perdition', 'imap3,imaps,pop3,pop3s') %> logpath = %(syslog_mail)s [squirrelmail] -enabled = <%= "squirrelmail" in $fail2ban::jails %> -port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks +enabled = <%= 'squirrelmail' in $fail2ban::jails %> +port = <%= fail2ban::port('squirrelmail', 'smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks') %> logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] -enabled = <%= "cyrus-imap" in $fail2ban::jails %> -port = imap3,imaps +enabled = <%= 'cyrus-imap' in $fail2ban::jails %> +port = <%= fail2ban::port('cyrus-imap', 'imap3,imaps') %> logpath = %(syslog_mail)s [uwimap-auth] -enabled = <%= "uwimap-auth" in $fail2ban::jails %> -port = imap3,imaps +enabled = <%= 'uwimap-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('uwimap-auth', 'imap3,imaps') %> logpath = %(syslog_mail)s 
@@ -639,16 +639,16 @@ logpath = %(syslog_mail)s # This jail blocks TCP traffic for DNS requests. [named-refused] -enabled = <%= "named-refused" in $fail2ban::jails %> -port = domain,953 -logpath = /var/log/named/security.log +enabled = <%= 'named-refused' in $fail2ban::jails %> +port = <%= fail2ban::port('named-refused', 'domain,953') %> +logpath = /var/log/named/security.log [nsd] -enabled = <%= "nsd" in $fail2ban::jails %> -port = 53 -action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] - %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] +enabled = <%= 'nsd' in $fail2ban::jails %> +port = <%= fail2ban::port('nsd', 53) %> +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log @@ -657,8 +657,8 @@ logpath = /var/log/nsd.log # [asterisk] -enabled = <%= "asterisk" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'asterisk' in $fail2ban::jails %> +port = <%= fail2ban::port('asterisk', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] 
@@ -667,8 +667,8 @@ maxretry = 10 [freeswitch] -enabled = <%= "freeswitch" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'freeswitch' in $fail2ban::jails %> +port = <%= fail2ban::port('freeswitch', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] @@ -688,8 +688,8 @@ maxretry = 10 # [mysqld] # log-error=/var/log/mysqld.log [mysqld-auth] -enabled = <%= "mysqld-auth" in $fail2ban::jails %> -port = 3306 +enabled = <%= 'mysqld-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mysqld-auth', 3306) %> logpath = %(mysql_log)s maxretry = 5 @@ -734,8 +734,8 @@ logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] -enabled = <%= "ejabberd-auth" in $fail2ban::jails %> -port = 5222 +enabled = <%= 'ejabberd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('ejabberd-auth', 5222) %> logpath = /var/log/ejabberd/ejabberd.log diff --git a/templates/RedHat/8/etc/fail2ban/jail.conf.epp b/templates/RedHat/8/etc/fail2ban/jail.conf.epp index b84da181..9ac2e07e 100644 --- a/templates/RedHat/8/etc/fail2ban/jail.conf.epp +++ b/templates/RedHat/8/etc/fail2ban/jail.conf.epp 
@@ -255,22 +255,22 @@ action = %(<%= $fail2ban::action %>)s # normal (default), ddos, extra or aggressive (combines all). # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. #mode = normal -enabled = <%= "ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('ssh', 'ssh') %> logpath = %(sshd_log)s backend = %(sshd_backend)s [dropbear] -enabled = <%= "dropbear" in $fail2ban::jails %> -port = ssh +enabled = <%= 'dropbear' in $fail2ban::jails %> +port = <%= fail2ban::port('dropbear', 'ssh') %> logpath = %(dropbear_log)s backend = %(dropbear_backend)s [selinux-ssh] -enabled = <%= "selinux-ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'selinux-ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('selinux-ssh', 'ssh') %> logpath = %(auditd_log)s 
@@ -279,80 +279,80 @@ logpath = %(auditd_log)s # [apache-auth] -enabled = <%= "apache-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-auth', 'http,https') %> logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. -enabled = <%= "apache-badbots" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-badbots' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-badbots', 'http,https') %> logpath = %(apache_access_log)s bantime = 48h maxretry = 1 [apache-noscript] -enabled = <%= "apache-noscript" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-noscript' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-noscript', 'http,https') %> logpath = %(apache_error_log)s [apache-overflows] -enabled = <%= "apache-overflows" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-overflows' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-overflows', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] -enabled = <%= "apache-nohome" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-nohome' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-nohome', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] -enabled = <%= "apache-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-botsearch', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] -enabled = <%= "apache-fakegooglebot" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-fakegooglebot' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-fakegooglebot', 'http,https') %> logpath = %(apache_access_log)s maxretry = 1 ignorecommand = 
%(ignorecommands_dir)s/apache-fakegooglebot [apache-modsecurity] -enabled = <%= "apache-modsecurity" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-modsecurity' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-modsecurity', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] -enabled = <%= "apache-shellshock" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-shellshock' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-modsecurity', 'http,https') %> logpath = %(apache_error_log)s maxretry = 1 [openhab-auth] -enabled = <%= "openhab-auth" in $fail2ban::jails %> +enabled = <%= 'openhab-auth' in $fail2ban::jails %> filter = openhab action = iptables-allports[name=NoAuthFailures] logpath = /opt/openhab/logs/request.log [nginx-http-auth] -enabled = <%= "nginx-http-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-http-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-http-auth', 'http,https') %> logpath = %(nginx_error_log)s # To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` @@ -360,13 +360,13 @@ logpath = %(nginx_error_log)s # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html # or for example see in 'config/filter.d/nginx-limit-req.conf' [nginx-limit-req] -enabled = <%= "nginx-limit-req" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-limit-req' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-limit-req', 'http,https') %> logpath = %(nginx_error_log)s [nginx-botsearch] -enabled = <%= "nginx-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-botsearch', 'http,https') %> logpath = %(nginx_error_log)s maxretry = 2 
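Review bot: In the `[apache-shellshock]` jail of the RedHat/8 template the new port line looks up the wrong jail name: `port = <%= fail2ban::port('apache-modsecurity', 'http,https') %>`. With this, a port override configured for apache-shellshock is silently ignored and an override intended for apache-modsecurity is applied to the shellshock jail instead, so bans for that jail would be installed on a port the operator did not configure for it. It should read `port = <%= fail2ban::port('apache-shellshock', 'http,https') %>`, matching the `enabled` line directly above it; the RedHat/7 template in this same series uses the correct name, so this looks like a copy-paste slip specific to this file. A spec assertion that the first argument of every `fail2ban::port` call equals the enclosing section name would catch this class of error across all the templates touched here.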
@@ -376,23 +376,23 @@ maxretry = 2 # of usage in production environments. [php-url-fopen] -enabled = <%= "php-url-fopen" in $fail2ban::jails %> -port = http,https +enabled = <%= 'php-url-fopen' in $fail2ban::jails %> +port = <%= fail2ban::port('php-url-fopen', 'http,https') %> logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] -enabled = <%= "suhosin" in $fail2ban::jails %> -port = http,https +enabled = <%= 'suhosin' in $fail2ban::jails %> +port = <%= fail2ban::port('suhosin', 'http,https') %> logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications -enabled = <%= "lighttpd-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'lighttpd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('lighttpd-auth', 'http,https') %> logpath = %(lighttpd_error_log)s 
@@ -401,44 +401,44 @@ logpath = %(lighttpd_error_log)s # [roundcube-auth] -enabled = <%= "roundcube-auth" in $fail2ban::jails %> -port = http,https -logpath = %(roundcube_errors_log)s +enabled = <%= 'roundcube-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('roundcube-auth', 'http,https') %> +logpath = %(roundcube_errors_log)s # Use following line in your jail.local if roundcube logs to journal. #backend = %(syslog_backend)s [openwebmail] -enabled = <%= "openwebmail" in $fail2ban::jails %> -port = http,https -logpath = /var/log/openwebmail.log +enabled = <%= 'openwebmail' in $fail2ban::jails %> +port = <%= fail2ban::port('openwebmail', 'http,https') %> +logpath = /var/log/openwebmail.log [horde] -enabled = <%= "horde" in $fail2ban::jails %> -port = http,https -logpath = /var/log/horde/horde.log +enabled = <%= 'horde' in $fail2ban::jails %> +port = <%= fail2ban::port('horde', 'http,https') %> +logpath = /var/log/horde/horde.log [groupoffice] -enabled = <%= "groupoffice" in $fail2ban::jails %> -port = http,https -logpath = /home/groupoffice/log/info.log +enabled = <%= 'groupoffice' in $fail2ban::jails %> +port = <%= fail2ban::port('groupoffice', 'http,https') %> +logpath = /home/groupoffice/log/info.log [sogo-auth] # Monitor SOGo groupware server # without proxy this would be: # port = 20000 -enabled = <%= "sogo-auth" in $fail2ban::jails %> -port = http,https -logpath = /var/log/sogo/sogo.log +enabled = <%= 'sogo-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sogo-auth', 'http,https') %> +logpath = /var/log/sogo/sogo.log [tine20] -enabled = <%= "tine20" in $fail2ban::jails %> -logpath = /var/log/tine20/tine20.log -port = http,https +enabled = <%= 'tine20' in $fail2ban::jails %> +logpath = /var/log/tine20/tine20.log +port = <%= fail2ban::port('tine20', 'http,https') %> # 
@@ -447,34 +447,34 @@ port = http,https
 #
 [drupal-auth]
-enabled = <%= "drupal-auth" in $fail2ban::jails %>
-port = http,https
-logpath = %(syslog_daemon)s
-backend = %(syslog_backend)s
+enabled = <%= 'drupal-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('drupal-auth', 'http,https') %>
+logpath = %(syslog_daemon)s
+backend = %(syslog_backend)s
 [guacamole]
-enabled = <%= "guacamole" in $fail2ban::jails %>
-port = http,https
-logpath = /var/log/tomcat*/catalina.out
+enabled = <%= 'guacamole' in $fail2ban::jails %>
+port = <%= fail2ban::port('guacamole', 'http,https') %>
+logpath = /var/log/tomcat*/catalina.out
 [monit]
 #Ban clients brute-forcing the monit gui login
-enabled = <%= "monit" in $fail2ban::jails %>
-port = 2812
+enabled = <%= 'monit' in $fail2ban::jails %>
+port = <%= fail2ban::port('monit', 2812) %>
 logpath = /var/log/monit /var/log/monit.log
 [webmin-auth]
-enabled = <%= "webmin-auth" in $fail2ban::jails %>
-port = 10000
+enabled = <%= 'webmin-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('webmin-auth', 10000) %>
 logpath = %(syslog_authpriv)s
 backend = %(syslog_backend)s
 [froxlor-auth]
-enabled = <%= "froxlor-auth" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'froxlor-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('froxlor-auth', 'http,https') %>
 logpath = %(syslog_authpriv)s
 backend = %(syslog_backend)s
@@ -485,14 +485,14 @@ backend = %(syslog_backend)s
 #
 [squid]
-enabled = <%= "squid" in $fail2ban::jails %>
-port = 80,443,3128,8080
-logpath = /var/log/squid/access.log
+enabled = <%= 'squid' in $fail2ban::jails %>
+port = <%= fail2ban::port('squid', '80,443,3128,8080') %>
+logpath = /var/log/squid/access.log
 [3proxy]
-enabled = <%= "3proxy" in $fail2ban::jails %>
-port = 3128
+enabled = <%= '3proxy' in $fail2ban::jails %>
+port = <%= fail2ban::port('3proxy', 3128) %>
 logpath = /var/log/3proxy.log
@@ -502,29 +502,29 @@ logpath = /var/log/3proxy.log
 [proftpd]
-enabled = <%= "proftpd" in $fail2ban::jails %>
-port = ftp,ftp-data,ftps,ftps-data
+enabled = <%= 'proftpd' in $fail2ban::jails %>
+port = <%= fail2ban::port('proftpd', 'ftp,ftp-data,ftps,ftps-data') %>
 logpath = %(proftpd_log)s
 backend = %(proftpd_backend)s
 [pure-ftpd]
-enabled = <%= "pure-ftpd" in $fail2ban::jails %>
-port = ftp,ftp-data,ftps,ftps-data
+enabled = <%= 'pure-ftpd' in $fail2ban::jails %>
+port = <%= fail2ban::port('pure-ftpd', 'ftp,ftp-data,ftps,ftps-data') %>
 logpath = %(pureftpd_log)s
 backend = %(pureftpd_backend)s
 [gssftpd]
-enabled = <%= "gssftpd" in $fail2ban::jails %>
-port = ftp,ftp-data,ftps,ftps-data
+enabled = <%= 'gssftpd' in $fail2ban::jails %>
+port = <%= fail2ban::port('gssftpd', 'ftp,ftp-data,ftps,ftps-data') %>
 logpath = %(syslog_daemon)s
 backend = %(syslog_backend)s
 [wuftpd]
-enabled = <%= "wuftpd" in $fail2ban::jails %>
-port = ftp,ftp-data,ftps,ftps-data
+enabled = <%= 'wuftpd' in $fail2ban::jails %>
+port = <%= fail2ban::port('wuftpd', 'ftp,ftp-data,ftps,ftps-data') %>
 logpath = %(wuftpd_log)s
 backend = %(wuftpd_backend)s
@@ -534,8 +534,8 @@ backend = %(wuftpd_backend)s
 # logpath = %(syslog_authpriv)s
 # if you want to rely on PAM failed login attempts
 # vsftpd's failregex should match both of those formats
-enabled = <%= "vsftpd" in $fail2ban::jails %>
-port = ftp,ftp-data,ftps,ftps-data
+enabled = <%= 'vsftpd' in $fail2ban::jails %>
+port = <%= fail2ban::port('vsftpd', 'ftp,ftp-data,ftps,ftps-data') %>
 logpath = %(vsftpd_log)s
@@ -545,39 +545,39 @@ logpath = %(vsftpd_log)s
 # ASSP SMTP Proxy Jail
 [assp]
-enabled = <%= "assp" in $fail2ban::jails %>
-port = smtp,465,submission
+enabled = <%= 'assp' in $fail2ban::jails %>
+port = <%= fail2ban::port('assp', 'smtp,465,submission') %>
 logpath = /root/path/to/assp/logs/maillog.txt
 [courier-smtp]
-enabled = <%= "courier-smtp" in $fail2ban::jails %>
-port = smtp,465,submission
+enabled = <%= 'courier-smtp' in $fail2ban::jails %>
+port = <%= fail2ban::port('courier-smtp', 'smtp,465,submission') %>
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 [postfix]
 # To use another modes set filter parameter "mode" in jail.local:
-enabled = <%= "postfix" in $fail2ban::jails %>
+enabled = <%= 'postfix' in $fail2ban::jails %>
 mode = more
-port = smtp,465,submission
+port = <%= fail2ban::port('postfix', 'smtp,465,submission') %>
 logpath = %(postfix_log)s
 backend = %(postfix_backend)s
 [postfix-rbl]
-enabled = <%= "postfix-rbl" in $fail2ban::jails %>
+enabled = <%= 'postfix-rbl' in $fail2ban::jails %>
 filter = postfix[mode=rbl]
-port = smtp,465,submission
+port = <%= fail2ban::port('postfix-rbl', 'smtp,465,submission') %>
 logpath = %(postfix_log)s
 backend = %(postfix_backend)s
 maxretry = 1
 [sendmail-auth]
-enabled = <%= "sendmail-auth" in $fail2ban::jails %>
-port = submission,465,smtp
+enabled = <%= 'sendmail-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('sendmail-auth', 'smtp,465,submission') %>
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
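Review bot: `[sendmail-auth]` quietly changes its default from `submission,465,smtp` to `smtp,465,submission` in the `port = <%= fail2ban::port('sendmail-auth', 'smtp,465,submission') %>` line; the set of ports is the same, so fail2ban's behaviour does not change, but the rendered jail.conf differs on every node running this jail and will show up as a file change and service refresh on the first run after the upgrade. If the reorder is intentional (aligning with the other SMTP jails), a word in the commit message would save reviewers from checking; otherwise keep the original order in the default. The RedHat/9 copy of this hunk carries the same reorder.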
@@ -587,58 +587,58 @@ backend = %(syslog_backend)s
 # normal (default), extra or aggressive
 # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
 #mode = normal
-enabled = <%= "sendmail-reject" in $fail2ban::jails %>
-port = smtp,465,submission
+enabled = <%= 'sendmail-reject' in $fail2ban::jails %>
+port = <%= fail2ban::port('sendmail-reject', 'smtp,465,submission') %>
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 [qmail-rbl]
-enabled = <%= "qmail-rbl" in $fail2ban::jails %>
+enabled = <%= 'qmail-rbl' in $fail2ban::jails %>
 filter = qmail
-port = smtp,465,submission
+port = <%= fail2ban::port('qmail-rbl', 'smtp,465,submission') %>
 logpath = /service/qmail/log/main/current
 # dovecot defaults to logging to the mail syslog facility
 # but can be set by syslog_facility in the dovecot configuration.
 [dovecot]
-enabled = <%= "dovecot" in $fail2ban::jails %>
-port = pop3,pop3s,imap,imaps,submission,465,sieve
+enabled = <%= 'dovecot' in $fail2ban::jails %>
+port = <%= fail2ban::port('dovecot', 'pop3,pop3s,imap,imaps,submission,465,sieve') %>
 logpath = %(dovecot_log)s
 backend = %(dovecot_backend)s
 [sieve]
-enabled = <%= "sieve" in $fail2ban::jails %>
-port = smtp,465,submission
+enabled = <%= 'sieve' in $fail2ban::jails %>
+port = <%= fail2ban::port('sieve', 'smtp,465,submission') %>
 logpath = %(dovecot_log)s
 backend = %(dovecot_backend)s
 [solid-pop3d]
-enabled = <%= "solid-pop3d" in $fail2ban::jails %>
-port = pop3,pop3s
+enabled = <%= 'solid-pop3d' in $fail2ban::jails %>
+port = <%= fail2ban::port('solid-pop3d', 'pop3,pop3s') %>
 logpath = %(solidpop3d_log)s
 [exim]
 # see filter.d/exim.conf for further modes supported from filter:
 #mode = normal
-enabled = <%= "exim" in $fail2ban::jails %>
-port = smtp,465,submission
+enabled = <%= 'exim' in $fail2ban::jails %>
+port = <%= fail2ban::port('exim', 'smtp,465,submission') %>
 logpath = %(exim_main_log)s
 [exim-spam]
-enabled = <%= "exim-spam" in $fail2ban::jails %>
-port = smtp,465,submission
+enabled = <%= 'exim-spam' in $fail2ban::jails %>
+port = <%= fail2ban::port('exim-spam', 'smtp,465,submission') %>
 logpath = %(exim_main_log)s
 [kerio]
-enabled = <%= "kerio" in $fail2ban::jails %>
-port = imap,smtp,imaps,465
+enabled = <%= 'kerio' in $fail2ban::jails %>
+port = <%= fail2ban::port('kerio', 'imap,smtp,imaps,465') %>
 logpath = /opt/kerio/mailserver/store/logs/security.log
@@ -648,16 +648,16 @@ logpath = /opt/kerio/mailserver/store/logs/security.log
 #
 [courier-auth]
-enabled = <%= "courier-auth" in $fail2ban::jails %>
-port = smtp,465,submission,imap,imaps,pop3,pop3s
-logpath = %(syslog_mail)s
-backend = %(syslog_backend)s
+enabled = <%= 'courier-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('courier-auth', 'smtp,465,submission,imap,imaps,pop3,pop3s') %>
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
 [postfix-sasl]
-enabled = <%= "postfix-sasl" in $fail2ban::jails %>
+enabled = <%= 'postfix-sasl' in $fail2ban::jails %>
 filter = postfix[mode=auth]
-port = smtp,465,submission,imap,imaps,pop3,pop3s
+port = <%= fail2ban::port('postfix-sasl', 'smtp,465,submission,imap,imaps,pop3,pop3s') %>
 # You might consider monitoring /var/log/mail.warn instead if you are
 # running postfix since it would provide the same log lines at the
 # "warn" level but overall at the smaller filesize.
@@ -666,28 +666,28 @@ backend = %(postfix_backend)s
 [perdition]
-enabled = <%= "perdition" in $fail2ban::jails %>
-port = imap,imaps,pop3,pop3s
+enabled = <%= 'perdition' in $fail2ban::jails %>
+port = <%= fail2ban::port('perdition', 'imap,imaps,pop3,pop3s') %>
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 [squirrelmail]
-enabled = <%= "squierrelmail" in $fail2ban::jails %>
-port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
+enabled = <%= 'squirrelmail' in $fail2ban::jails %>
+port = <%= fail2ban::port('squirrelmail', 'smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks') %>
 logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
 [cyrus-imap]
-enabled = <%= "cyrus-imap" in $fail2ban::jails %>
-port = imap,imaps
+enabled = <%= 'cyrus-imap' in $fail2ban::jails %>
+port = <%= fail2ban::port('cyrus-imap', 'imap,imaps') %>
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 [uwimap-auth]
-enabled = <%= "uwimap-auth" in $fail2ban::jails %>
-port = imap,imaps
+enabled = <%= 'uwimap-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('uwimap-auth', 'imap,imaps') %>
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
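Review bot: The `enabled` line of `[squirrelmail]` is a behaviour change hidden inside a quoting cleanup: the old key `"squierrelmail"` becomes `'squirrelmail'`, so a node that listed the misspelt name in `$fail2ban::jails` to work around the typo stops enabling this jail after the upgrade, while the new `fail2ban::port('squirrelmail', …)` lookup key never matched the old spelling at all. It is the right fix, but the commit message does not mention it; a changelog line naming the old and new key would let operators grep their Hiera data before rolling out. The RedHat/9 copy of this hunk carries the same rename.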
@@ -719,17 +719,17 @@ backend = %(syslog_backend)s
 # This jail blocks TCP traffic for DNS requests.
 [named-refused]
-enabled = <%= "named-refused" in $fail2ban::jails %>
-port = domain,953
-logpath = /var/log/named/security.log
+enabled = <%= 'named-refused' in $fail2ban::jails %>
+port = <%= fail2ban::port('named-refused', 'domain,953') %>
+logpath = /var/log/named/security.log
 [nsd]
-enabled = <%= "nsd" in $fail2ban::jails %>
-port = 53
-action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
- %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
-logpath = /var/log/nsd.log
+enabled = <%= 'nsd' in $fail2ban::jails %>
+port = <%= fail2ban::port('nsd', 53) %>
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+logpath = /var/log/nsd.log
 #
@@ -737,8 +737,8 @@ logpath = /var/log/nsd.log
 #
 [asterisk]
-enabled = <%= "asterisk" in $fail2ban::jails %>
-port = 5060,5061
+enabled = <%= 'asterisk' in $fail2ban::jails %>
+port = <%= fail2ban::port('asterisk', '5060,5061') %>
 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
@@ -747,8 +747,8 @@ maxretry = 10
 [freeswitch]
-enabled = <%= "freeswitch" in $fail2ban::jails %>
-port = 5060,5061
+enabled = <%= 'freeswitch' in $fail2ban::jails %>
+port = <%= fail2ban::port('freeswitch', '5060,5061') %>
 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
@@ -775,8 +775,8 @@ logpath = /var/lib/znc/moddata/adminlog/znc.log
 # [mysqld]
 # log-error=/var/log/mysqld.log
 [mysqld-auth]
-enabled = <%= "mysqld-auth" in $fail2ban::jails %>
-port = 3306
+enabled = <%= 'mysqld-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('mysqld-auth', 3306) %>
 logpath = %(mysql_log)s
 backend = %(mysql_backend)s
@@ -784,8 +784,8 @@ backend = %(mysql_backend)s
 # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
 [mongodb-auth]
 # change port when running with "--shardsvr" or "--configsvr" runtime operation
-enabled = <%= "mongodb-auth" in $fail2ban::jails %>
-port = 27017
+enabled = <%= 'mongodb-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('mongodb-auth', 27017) %>
 logpath = /var/log/mongodb/mongodb.log
@@ -830,8 +830,8 @@ logpath = /var/log/stunnel4/stunnel.log
 [ejabberd-auth]
-enabled = <%= "ejabberd-auth" in $fail2ban::jails %>
-port = 5222
+enabled = <%= 'ejabberd-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('ejabberd-auth', 5222) %>
 logpath = /var/log/ejabberd/ejabberd.log
diff --git a/templates/RedHat/9/etc/fail2ban/jail.conf.epp b/templates/RedHat/9/etc/fail2ban/jail.conf.epp
index b84da181..5a7c8c36 100644
--- a/templates/RedHat/9/etc/fail2ban/jail.conf.epp
+++ b/templates/RedHat/9/etc/fail2ban/jail.conf.epp
@@ -255,22 +255,22 @@ action = %(<%= $fail2ban::action %>)s
 # normal (default), ddos, extra or aggressive (combines all).
 # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
 #mode = normal
-enabled = <%= "ssh" in $fail2ban::jails %>
-port = ssh
+enabled = <%= 'ssh' in $fail2ban::jails %>
+port = <%= fail2ban::port('ssh', 'ssh') %>
 logpath = %(sshd_log)s
 backend = %(sshd_backend)s
 [dropbear]
-enabled = <%= "dropbear" in $fail2ban::jails %>
-port = ssh
+enabled = <%= 'dropbear' in $fail2ban::jails %>
+port = <%= fail2ban::port('dropbear', 'ssh') %>
 logpath = %(dropbear_log)s
 backend = %(dropbear_backend)s
 [selinux-ssh]
-enabled = <%= "selinux-ssh" in $fail2ban::jails %>
-port = ssh
+enabled = <%= 'selinux-ssh' in $fail2ban::jails %>
+port = <%= fail2ban::port('selinux-ssh', 'ssh') %>
 logpath = %(auditd_log)s
@@ -279,80 +279,80 @@ logpath = %(auditd_log)s
 #
 [apache-auth]
-enabled = <%= "apache-auth" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'apache-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('apache-auth', 'http,https') %>
 logpath = %(apache_error_log)s
 [apache-badbots]
 # Ban hosts which agent identifies spammer robots crawling the web
 # for email addresses. The mail outputs are buffered.
-enabled = <%= "apache-badbots" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'apache-badbots' in $fail2ban::jails %>
+port = <%= fail2ban::port('apache-badbots', 'http,https') %>
 logpath = %(apache_access_log)s
 bantime = 48h
 maxretry = 1
 [apache-noscript]
-enabled = <%= "apache-noscript" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'apache-noscript' in $fail2ban::jails %>
+port = <%= fail2ban::port('apache-noscript', 'http,https') %>
 logpath = %(apache_error_log)s
 [apache-overflows]
-enabled = <%= "apache-overflows" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'apache-overflows' in $fail2ban::jails %>
+port = <%= fail2ban::port('apache-overflows', 'http,https') %>
 logpath = %(apache_error_log)s
 maxretry = 2
 [apache-nohome]
-enabled = <%= "apache-nohome" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'apache-nohome' in $fail2ban::jails %>
+port = <%= fail2ban::port('apache-nohome', 'http,https') %>
 logpath = %(apache_error_log)s
 maxretry = 2
 [apache-botsearch]
-enabled = <%= "apache-botsearch" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'apache-botsearch' in $fail2ban::jails %>
+port = <%= fail2ban::port('apache-botsearch', 'http,https') %>
 logpath = %(apache_error_log)s
 maxretry = 2
 [apache-fakegooglebot]
-enabled = <%= "apache-fakegooglebot" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'apache-fakegooglebot' in $fail2ban::jails %>
+port = <%= fail2ban::port('apache-fakegooglebot', 'http,https') %>
 logpath = %(apache_access_log)s
 maxretry = 1
 ignorecommand = 
%(ignorecommands_dir)s/apache-fakegooglebot
 [apache-modsecurity]
-enabled = <%= "apache-modsecurity" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'apache-modsecurity' in $fail2ban::jails %>
+port = <%= fail2ban::port('apache-modsecurity', 'http,https') %>
 logpath = %(apache_error_log)s
 maxretry = 2
 [apache-shellshock]
-enabled = <%= "apache-shellshock" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'apache-shellshock' in $fail2ban::jails %>
+port = <%= fail2ban::port('apache-shellshock', 'http,https') %>
 logpath = %(apache_error_log)s
 maxretry = 1
 [openhab-auth]
-enabled = <%= "openhab-auth" in $fail2ban::jails %>
+enabled = <%= 'openhab-auth' in $fail2ban::jails %>
 filter = openhab
 action = iptables-allports[name=NoAuthFailures]
 logpath = /opt/openhab/logs/request.log
 [nginx-http-auth]
-enabled = <%= "nginx-http-auth" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'nginx-http-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('nginx-http-auth', 'http,https') %>
 logpath = %(nginx_error_log)s
 # To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
@@ -360,13 +360,13 @@ logpath = %(nginx_error_log)s
 # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
 # or for example see in 'config/filter.d/nginx-limit-req.conf'
 [nginx-limit-req]
-enabled = <%= "nginx-limit-req" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'nginx-limit-req' in $fail2ban::jails %>
+port = <%= fail2ban::port('nginx-limit-req', 'http,https') %>
 logpath = %(nginx_error_log)s
 [nginx-botsearch]
-enabled = <%= "nginx-botsearch" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'nginx-botsearch' in $fail2ban::jails %>
+port = <%= fail2ban::port('nginx-botsearch', 'http,https') %>
 logpath = %(nginx_error_log)s
 maxretry = 2
@@ -376,23 +376,23 @@ maxretry = 2
 # of usage in production environments.
 [php-url-fopen]
-enabled = <%= "php-url-fopen" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'php-url-fopen' in $fail2ban::jails %>
+port = <%= fail2ban::port('php-url-fopen', 'http,https') %>
 logpath = %(nginx_access_log)s %(apache_access_log)s
 [suhosin]
-enabled = <%= "suhosin" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'suhosin' in $fail2ban::jails %>
+port = <%= fail2ban::port('suhosin', 'http,https') %>
 logpath = %(suhosin_log)s
 [lighttpd-auth]
 # Same as above for Apache's mod_auth
 # It catches wrong authentifications
-enabled = <%= "lighttpd-auth" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'lighttpd-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('lighttpd-auth', 'http,https') %>
 logpath = %(lighttpd_error_log)s
@@ -401,28 +401,28 @@ logpath = %(lighttpd_error_log)s
 #
 [roundcube-auth]
-enabled = <%= "roundcube-auth" in $fail2ban::jails %>
-port = http,https
-logpath = %(roundcube_errors_log)s
+enabled = <%= 'roundcube-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('roundcube-auth', 'http,https') %>
+logpath = %(roundcube_errors_log)s
 # Use following line in your jail.local if roundcube logs to journal.
 #backend = %(syslog_backend)s
 [openwebmail]
-enabled = <%= "openwebmail" in $fail2ban::jails %>
-port = http,https
-logpath = /var/log/openwebmail.log
+enabled = <%= 'openwebmail' in $fail2ban::jails %>
+port = <%= fail2ban::port('openwebmail', 'http,https') %>
+logpath = /var/log/openwebmail.log
 [horde]
-enabled = <%= "horde" in $fail2ban::jails %>
-port = http,https
-logpath = /var/log/horde/horde.log
+enabled = <%= 'horde' in $fail2ban::jails %>
+port = <%= fail2ban::port('horde', 'http,https') %>
+logpath = /var/log/horde/horde.log
 [groupoffice]
-enabled = <%= "groupoffice" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'groupoffice' in $fail2ban::jails %>
+port = <%= fail2ban::port('groupoffice', 'http,https') %>
 logpath = /home/groupoffice/log/info.log
@@ -430,15 +430,15 @@ logpath = /home/groupoffice/log/info.log
 # Monitor SOGo groupware server
 # without proxy this would be:
 # port = 20000
-enabled = <%= "sogo-auth" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'sogo-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('sogo-auth', 'http,https') %>
 logpath = /var/log/sogo/sogo.log
 [tine20]
-enabled = <%= "tine20" in $fail2ban::jails %>
+enabled = <%= 'tine20' in $fail2ban::jails %>
 logpath = /var/log/tine20/tine20.log
-port = http,https
+port = <%= fail2ban::port('tine20', 'http,https') %>
 #
@@ -447,34 +447,34 @@ port = http,https
 #
 [drupal-auth]
-enabled = <%= "drupal-auth" in $fail2ban::jails %>
-port = http,https
-logpath = %(syslog_daemon)s
-backend = %(syslog_backend)s
+enabled = <%= 'drupal-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('drupal-auth', 'http,https') %>
+logpath = %(syslog_daemon)s
+backend = %(syslog_backend)s
 [guacamole]
-enabled = <%= "guacamole" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'guacamole' in $fail2ban::jails %>
+port = <%= fail2ban::port('guacamole', 'http,https') %>
 logpath = /var/log/tomcat*/catalina.out
 [monit]
 #Ban clients brute-forcing the monit gui login
-enabled = <%= "monit" in $fail2ban::jails %>
-port = 2812
+enabled = <%= 'monit' in $fail2ban::jails %>
+port = <%= fail2ban::port('monit', 2812) %>
 logpath = /var/log/monit /var/log/monit.log
 [webmin-auth]
-enabled = <%= "webmin-auth" in $fail2ban::jails %>
-port = 10000
+enabled = <%= 'webmin-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('webmin-auth', 10000) %>
 logpath = %(syslog_authpriv)s
 backend = %(syslog_backend)s
 [froxlor-auth]
-enabled = <%= "froxlor-auth" in $fail2ban::jails %>
-port = http,https
+enabled = <%= 'froxlor-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('froxlor-auth', 'http,https') %>
 logpath = %(syslog_authpriv)s
 backend = %(syslog_backend)s
@@ -485,14 +485,14 @@ backend = %(syslog_backend)s
 #
 [squid]
-enabled = <%= "squid" in $fail2ban::jails %>
-port = 80,443,3128,8080
-logpath = /var/log/squid/access.log
+enabled = <%= 'squid' in $fail2ban::jails %>
+port = <%= fail2ban::port('squid', '80,443,3128,8080') %>
+logpath = /var/log/squid/access.log
 [3proxy]
-enabled = <%= "3proxy" in $fail2ban::jails %>
-port = 3128
+enabled = <%= '3proxy' in $fail2ban::jails %>
+port = <%= fail2ban::port('3proxy', 3128) %>
 logpath = /var/log/3proxy.log
@@ -502,29 +502,29 @@ logpath = /var/log/3proxy.log
 [proftpd]
-enabled = <%= "proftpd" in $fail2ban::jails %>
-port = ftp,ftp-data,ftps,ftps-data
+enabled = <%= 'proftpd' in $fail2ban::jails %>
+port = <%= fail2ban::port('proftpd', 'ftp,ftp-data,ftps,ftps-data') %>
 logpath = %(proftpd_log)s
 backend = %(proftpd_backend)s
 [pure-ftpd]
-enabled = <%= "pure-ftpd" in $fail2ban::jails %>
-port = ftp,ftp-data,ftps,ftps-data
+enabled = <%= 'pure-ftpd' in $fail2ban::jails %>
+port = <%= fail2ban::port('pure-ftpd', 'ftp,ftp-data,ftps,ftps-data') %>
 logpath = %(pureftpd_log)s
 backend = %(pureftpd_backend)s
 [gssftpd]
-enabled = <%= "gssftpd" in $fail2ban::jails %>
-port = ftp,ftp-data,ftps,ftps-data
+enabled = <%= 'gssftpd' in $fail2ban::jails %>
+port = <%= fail2ban::port('gssftpd', 'ftp,ftp-data,ftps,ftps-data') %>
 logpath = %(syslog_daemon)s
 backend = %(syslog_backend)s
 [wuftpd]
-enabled = <%= "wuftpd" in $fail2ban::jails %>
-port = ftp,ftp-data,ftps,ftps-data
+enabled = <%= 'wuftpd' in $fail2ban::jails %>
+port = <%= fail2ban::port('wuftpd', 'ftp,ftp-data,ftps,ftps-data') %>
 logpath = %(wuftpd_log)s
 backend = %(wuftpd_backend)s
@@ -534,8 +534,8 @@ backend = %(wuftpd_backend)s
 # logpath = %(syslog_authpriv)s
 # if you want to rely on PAM failed login attempts
 # vsftpd's failregex should match both of those formats
-enabled = <%= "vsftpd" in $fail2ban::jails %>
-port = ftp,ftp-data,ftps,ftps-data
+enabled = <%= 'vsftpd' in $fail2ban::jails %>
+port = <%= fail2ban::port('vsftpd', 'ftp,ftp-data,ftps,ftps-data') %>
 logpath = %(vsftpd_log)s
@@ -545,39 +545,39 @@ logpath = %(vsftpd_log)s
 # ASSP SMTP Proxy Jail
 [assp]
-enabled = <%= "assp" in $fail2ban::jails %>
-port = smtp,465,submission
+enabled = <%= 'assp' in $fail2ban::jails %>
+port = <%= fail2ban::port('assp', 'smtp,465,submission') %>
 logpath = /root/path/to/assp/logs/maillog.txt
 [courier-smtp]
-enabled = <%= "courier-smtp" in $fail2ban::jails %>
-port = smtp,465,submission
+enabled = <%= 'courier-smtp' in $fail2ban::jails %>
+port = <%= fail2ban::port('courier-smtp', 'smtp,465,submission') %>
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 [postfix]
 # To use another modes set filter parameter "mode" in jail.local:
-enabled = <%= "postfix" in $fail2ban::jails %>
+enabled = <%= 'postfix' in $fail2ban::jails %>
 mode = more
-port = smtp,465,submission
+port = <%= fail2ban::port('postfix', 'smtp,465,submission') %>
 logpath = %(postfix_log)s
 backend = %(postfix_backend)s
 [postfix-rbl]
-enabled = <%= "postfix-rbl" in $fail2ban::jails %>
+enabled = <%= 'postfix-rbl' in $fail2ban::jails %>
 filter = postfix[mode=rbl]
-port = smtp,465,submission
+port = <%= fail2ban::port('postfix-rbl', 'smtp,465,submission') %>
 logpath = %(postfix_log)s
 backend = %(postfix_backend)s
 maxretry = 1
 [sendmail-auth]
-enabled = <%= "sendmail-auth" in $fail2ban::jails %>
-port = submission,465,smtp
+enabled = <%= 'sendmail-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('sendmail-auth', 'smtp,465,submission') %>
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
@@ -587,58 +587,58 @@ backend = %(syslog_backend)s
 # normal (default), extra or aggressive
 # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
 #mode = normal
-enabled = <%= "sendmail-reject" in $fail2ban::jails %>
-port = smtp,465,submission
+enabled = <%= 'sendmail-reject' in $fail2ban::jails %>
+port = <%= fail2ban::port('sendmail-reject', 'smtp,465,submission') %>
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 [qmail-rbl]
-enabled = <%= "qmail-rbl" in $fail2ban::jails %>
+enabled = <%= 'qmail-rbl' in $fail2ban::jails %>
 filter = qmail
-port = smtp,465,submission
+port = <%= fail2ban::port('qmail-rbl', 'smtp,465,submission') %>
 logpath = /service/qmail/log/main/current
 # dovecot defaults to logging to the mail syslog facility
 # but can be set by syslog_facility in the dovecot configuration.
 [dovecot]
-enabled = <%= "dovecot" in $fail2ban::jails %>
-port = pop3,pop3s,imap,imaps,submission,465,sieve
+enabled = <%= 'dovecot' in $fail2ban::jails %>
+port = <%= fail2ban::port('dovecot', 'pop3,pop3s,imap,imaps,submission,465,sieve') %>
 logpath = %(dovecot_log)s
 backend = %(dovecot_backend)s
 [sieve]
-enabled = <%= "sieve" in $fail2ban::jails %>
-port = smtp,465,submission
+enabled = <%= 'sieve' in $fail2ban::jails %>
+port = <%= fail2ban::port('sieve', 'smtp,465,submission') %>
 logpath = %(dovecot_log)s
 backend = %(dovecot_backend)s
 [solid-pop3d]
-enabled = <%= "solid-pop3d" in $fail2ban::jails %>
-port = pop3,pop3s
+enabled = <%= 'solid-pop3d' in $fail2ban::jails %>
+port = <%= fail2ban::port('solid-pop3d', 'pop3,pop3s') %>
 logpath = %(solidpop3d_log)s
 [exim]
 # see filter.d/exim.conf for further modes supported from filter:
 #mode = normal
-enabled = <%= "exim" in $fail2ban::jails %>
-port = smtp,465,submission
+enabled = <%= 'exim' in $fail2ban::jails %>
+port = <%= fail2ban::port('exim', 'smtp,465,submission') %>
 logpath = %(exim_main_log)s
 [exim-spam]
-enabled = <%= "exim-spam" in $fail2ban::jails %>
-port = smtp,465,submission
+enabled = <%= 'exim-spam' in $fail2ban::jails %>
+port = <%= fail2ban::port('exim-spam', 'smtp,465,submission') %>
 logpath = %(exim_main_log)s
 [kerio]
-enabled = <%= "kerio" in $fail2ban::jails %>
-port = imap,smtp,imaps,465
+enabled = <%= 'kerio' in $fail2ban::jails %>
+port = <%= fail2ban::port('kerio', 'imap,smtp,imaps,465') %>
 logpath = /opt/kerio/mailserver/store/logs/security.log
@@ -648,16 +648,16 @@ logpath = /opt/kerio/mailserver/store/logs/security.log
 #
 [courier-auth]
-enabled = <%= "courier-auth" in $fail2ban::jails %>
-port = smtp,465,submission,imap,imaps,pop3,pop3s
-logpath = %(syslog_mail)s
-backend = %(syslog_backend)s
+enabled = <%= 'courier-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('courier-auth', 'smtp,465,submission,imap,imaps,pop3,pop3s') %>
+logpath = %(syslog_mail)s
+backend = %(syslog_backend)s
 [postfix-sasl]
-enabled = <%= "postfix-sasl" in $fail2ban::jails %>
+enabled = <%= 'postfix-sasl' in $fail2ban::jails %>
 filter = postfix[mode=auth]
-port = smtp,465,submission,imap,imaps,pop3,pop3s
+port = <%= fail2ban::port('postfix-sasl', 'smtp,465,submission,imap,imaps,pop3,pop3s') %>
 # You might consider monitoring /var/log/mail.warn instead if you are
 # running postfix since it would provide the same log lines at the
 # "warn" level but overall at the smaller filesize.
@@ -666,28 +666,28 @@ backend = %(postfix_backend)s
 [perdition]
-enabled = <%= "perdition" in $fail2ban::jails %>
-port = imap,imaps,pop3,pop3s
+enabled = <%= 'perdition' in $fail2ban::jails %>
+port = <%= fail2ban::port('perdition', 'imap,imaps,pop3,pop3s') %>
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 [squirrelmail]
-enabled = <%= "squierrelmail" in $fail2ban::jails %>
-port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
+enabled = <%= 'squirrelmail' in $fail2ban::jails %>
+port = <%= fail2ban::port('squirrelmail', 'smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks') %>
 logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
 [cyrus-imap]
-enabled = <%= "cyrus-imap" in $fail2ban::jails %>
-port = imap,imaps
+enabled = <%= 'cyrus-imap' in $fail2ban::jails %>
+port = <%= fail2ban::port('cyrus-imap', 'imap,imaps') %>
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
 [uwimap-auth]
-enabled = <%= "uwimap-auth" in $fail2ban::jails %>
-port = imap,imaps
+enabled = <%= 'uwimap-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('uwimap-auth', 'imap,imaps') %>
 logpath = %(syslog_mail)s
 backend = %(syslog_backend)s
@@ -719,17 +719,17 @@ backend = %(syslog_backend)s
 # This jail blocks TCP traffic for DNS requests.
 [named-refused]
-enabled = <%= "named-refused" in $fail2ban::jails %>
-port = domain,953
-logpath = /var/log/named/security.log
+enabled = <%= 'named-refused' in $fail2ban::jails %>
+port = <%= fail2ban::port('named-refused', 'domain,953') %>
+logpath = /var/log/named/security.log
 [nsd]
-enabled = <%= "nsd" in $fail2ban::jails %>
-port = 53
-action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
- %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
-logpath = /var/log/nsd.log
+enabled = <%= 'nsd' in $fail2ban::jails %>
+port = <%= fail2ban::port('nsd', 53) %>
+action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
+ %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
+logpath = /var/log/nsd.log
 #
@@ -737,8 +737,8 @@ logpath = /var/log/nsd.log
 #
 [asterisk]
-enabled = <%= "asterisk" in $fail2ban::jails %>
-port = 5060,5061
+enabled = <%= 'asterisk' in $fail2ban::jails %>
+port = <%= fail2ban::port('asterisk', '5060,5061') %>
 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
@@ -747,8 +747,8 @@ maxretry = 10
 [freeswitch]
-enabled = <%= "freeswitch" in $fail2ban::jails %>
-port = 5060,5061
+enabled = <%= 'freeswitch' in $fail2ban::jails %>
+port = <%= fail2ban::port('freeswitch', '5060,5061') %>
 action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
@@ -775,8 +775,8 @@ logpath = /var/lib/znc/moddata/adminlog/znc.log
 # [mysqld]
 # log-error=/var/log/mysqld.log
 [mysqld-auth]
-enabled = <%= "mysqld-auth" in $fail2ban::jails %>
-port = 3306
+enabled = <%= 'mysqld-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('mysqld-auth', 3306) %>
 logpath = %(mysql_log)s
 backend = %(mysql_backend)s
@@ -784,8 +784,8 @@ backend = %(mysql_backend)s
 # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
 [mongodb-auth]
 # change port when running with "--shardsvr" or "--configsvr" runtime operation
-enabled = <%= "mongodb-auth" in $fail2ban::jails %>
-port = 27017
+enabled = <%= 'mongodb-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('mongodb-auth', 27017) %>
 logpath = /var/log/mongodb/mongodb.log
@@ -830,8 +830,8 @@ logpath = /var/log/stunnel4/stunnel.log
 [ejabberd-auth]
-enabled = <%= "ejabberd-auth" in $fail2ban::jails %>
-port = 5222
+enabled = <%= 'ejabberd-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('ejabberd-auth', 5222) %>
 logpath = /var/log/ejabberd/ejabberd.log
diff --git a/templates/Ubuntu/16.04/etc/fail2ban/jail.conf.epp b/templates/Ubuntu/16.04/etc/fail2ban/jail.conf.epp
index 02b02ed9..7d4cb3b4 100644
--- a/templates/Ubuntu/16.04/etc/fail2ban/jail.conf.epp
+++ b/templates/Ubuntu/16.04/etc/fail2ban/jail.conf.epp
@@ -188,7 +188,7 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # Report block via blocklist.de fail2ban reporting service API -# +# # See the IMPORTANT note in action.d/blocklist_de.conf for when to # use this action. Create a file jail.d/blocklist_de.local containing # [Init] @@ -222,8 +222,8 @@ action = %(<%= $fail2ban::action %>)s [sshd] -enabled = <%= "ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('ssh', 'ssh') %> logpath = %(sshd_log)s maxretry = 6 @@ -233,23 +233,23 @@ maxretry = 6 # The mail-whois action send a notification e-mail with a whois request # in the body. enabled = <%= "ssh-ddos" in $fail2ban::jails %> -port = ssh +port = <%= lookup('fail2ban::jails_config.ssh-ddos.port', String, undef, 'ssh') %> logpath = %(sshd_log)s maxretry = 6 [dropbear] -enabled = <%= "dropbear" in $fail2ban::jails %> -port = ssh +enabled = <%= 'dropbear' in $fail2ban::jails %> +port = <%= fail2ban::port('dropbear', 'ssh') %> logpath = %(dropbear_log)s maxretry = 6 [selinux-ssh] -enabled = <%= "selinux-ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'selinux-ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('selinux-ssh', 'ssh') %> logpath = %(auditd_log)s maxretry = 5 @@ -260,8 +260,8 @@ maxretry = 5 [apache-auth] -enabled = <%= "apache-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-auth', 'http,https') %> logpath = %(apache_error_log)s maxretry = 6 
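Review bot: The `[ssh-ddos]` jail in the `@@ -233,23 +233,23 @@` hunk is the one place in this commit that bypasses the new helper: `+port = <%= lookup('fail2ban::jails_config.ssh-ddos.port', String, undef, 'ssh') %>` pins the lookup to `String`, so an integer override in Hiera (the form `fail2ban::port('nsd', 53)` accepts elsewhere in this file) would be rejected at catalog compile time, and its `enabled` line keeps the double-quoted `"ssh-ddos"` form the rest of the hunk converts. The two lines should read `enabled = <%= 'ssh-ddos' in $fail2ban::jails %>` and `port = <%= fail2ban::port('ssh-ddos', 'ssh') %>`. Whether `fail2ban::port` consults the same `fail2ban::jails_config.<jail>.port` key cannot be confirmed from this chunk (functions/port.pp is not in view), so the override key documented for this jail may also differ from every other jail's. A port string fail2ban cannot parse leaves that jail unstarted at service start rather than failing the Puppet run, which is worth a line in the parameter docs for the override.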
@@ -269,8 +269,8 @@ maxretry = 6 [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. -enabled = <%= "apache-badbots" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-badbots' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-badbots', 'http,https') %> logpath = %(apache_access_log)s bantime = 172800 maxretry = 1 @@ -278,40 +278,40 @@ maxretry = 1 [apache-noscript] -enabled = <%= "apache-noscript" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-noscript' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-noscript', 'http,https') %> logpath = %(apache_error_log)s maxretry = 6 [apache-overflows] -enabled = <%= "apache-overflows" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-overflows' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-overflows', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] -enabled = <%= "apache-nohome" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-nohome' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-nohome', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] -enabled = <%= "apache-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-botsearch', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] -enabled = <%= "apache-fakegooglebot" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-fakegooglebot' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-fakegooglebot', 'http,https') %> logpath = %(apache_access_log)s maxretry = 1 ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot 
@@ -319,28 +319,28 @@ ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot [apache-modsecurity] -enabled = <%= "apache-modsecurity" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-modsecurity' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-modsecurity', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] -enabled = <%= "apache-shellshock" in $fail2ban::jails %> -port = http,https -logpath = %(apache_error_log)s +enabled = <%= 'apache-shellshock' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-shellshock', 'http,https') %> +logpath = %(apache_error_log)s maxretry = 1 [nginx-http-auth] -enabled = <%= "nginx-http-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-http-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-http-auth', 'http,https') %> logpath = %(nginx_error_log)s [nginx-botsearch] -enabled = <%= "nginx-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-botsearch', 'http,https') %> logpath = %(nginx_error_log)s maxretry = 2 @@ -350,24 +350,24 @@ maxretry = 2 [php-url-fopen] -enabled = <%= "php-url-fopen" in $fail2ban::jails %> -port = http,https +enabled = <%= 'php-url-fopen' in $fail2ban::jails %> +port = <%= fail2ban::port('php-url-fopen', 'http,https') %> logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] -enabled = <%= "suhosin" in $fail2ban::jails %> -port = http,https +enabled = <%= 'suhosin' in $fail2ban::jails %> +port = <%= fail2ban::port('suhosin', 'http,https') %> logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications -enabled = <%= "lighttpd-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'lighttpd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('lighttpd-auth', 'http,https') %> logpath = %(lighttpd_error_log)s 
@@ -377,46 +377,46 @@ logpath = %(lighttpd_error_log)s [roundcube-auth] -enabled = <%= "roundcube-auth" in $fail2ban::jails %> -port = http,https -logpath = %(roundcube_errors_log)s +enabled = <%= 'roundcube-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('roundcube-auth', 'http,https') %> +logpath = %(roundcube_errors_log)s [openwebmail] -enabled = <%= "openwebmail" in $fail2ban::jails %> -port = http,https -logpath = /var/log/openwebmail.log +enabled = <%= 'openwebmail' in $fail2ban::jails %> +port = <%= fail2ban::port('openwebmail', 'http,https') %> +logpath = /var/log/openwebmail.log [horde] -enabled = <%= "horde" in $fail2ban::jails %> -port = http,https -logpath = /var/log/horde/horde.log +enabled = <%= 'horde' in $fail2ban::jails %> +port = <%= fail2ban::port('horde', 'http,https') %> +logpath = /var/log/horde/horde.log [groupoffice] -enabled = <%= "groupoffice" in $fail2ban::jails %> -port = http,https -logpath = /home/groupoffice/log/info.log +enabled = <%= 'groupoffice' in $fail2ban::jails %> +port = <%= fail2ban::port('groupoffice', 'http,https') %> +logpath = /home/groupoffice/log/info.log [sogo-auth] # Monitor SOGo groupware server -enabled = <%= "sogo-auth" in $fail2ban::jails %> +enabled = <%= 'sogo-auth' in $fail2ban::jails %> # without proxy this would be: # port = 20000 -port = http,https -logpath = /var/log/sogo/sogo.log +port = <%= fail2ban::port('sogo-auth', 'http,https') %> +logpath = /var/log/sogo/sogo.log [tine20] -enabled = <%= "tine20" in $fail2ban::jails %> +enabled = <%= 'tine20' in $fail2ban::jails %> logpath = /var/log/tine20/tine20.log -port = http,https +port = <%= fail2ban::port('tine20', 'http,https') %> maxretry = 5 
@@ -427,36 +427,36 @@ maxretry = 5 [drupal-auth] -enabled = <%= "drupal-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'drupal-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('drupal-auth', 'http,https') %> logpath = %(syslog_daemon)s [guacamole] -enabled = <%= "guacamole" in $fail2ban::jails %> -port = http,https -logpath = /var/log/tomcat*/catalina.out +enabled = <%= 'guacamole' in $fail2ban::jails %> +port = <%= fail2ban::port('guacamole', 'http,https') %> +logpath = /var/log/tomcat*/catalina.out [monit] #Ban clients brute-forcing the monit gui login -enabled = <%= "monit" in $fail2ban::jails %> -filter = monit -port = 2812 -logpath = /var/log/monit +enabled = <%= 'monit' in $fail2ban::jails %> +filter = monit +port = <%= fail2ban::port('monit', 2812) %> +logpath = /var/log/monit [webmin-auth] -enabled = <%= "webmin-auth" in $fail2ban::jails %> -port = 10000 +enabled = <%= 'webmin-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('webmin-auth', 10000) %> logpath = %(syslog_authpriv)s [froxlor-auth] -enabled = <%= "froxlor-auth" in $fail2ban::jails %> -port = http,https -logpath = %(syslog_authpriv)s +enabled = <%= 'froxlor-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('froxlor-auth', 'http,https') %> +logpath = %(syslog_authpriv)s # @@ -466,15 +466,15 @@ logpath = %(syslog_authpriv)s [squid] -enabled = <%= "squid" in $fail2ban::jails %> -port = 80,443,3128,8080 +enabled = <%= 'squid' in $fail2ban::jails %> +port = <%= fail2ban::port('squid', '80,443,3128,8080') %> logpath = /var/log/squid/access.log [3proxy] -enabled = <%= "3proxy" in $fail2ban::jails %> -port = 3128 +enabled = <%= '3proxy' in $fail2ban::jails %> +port = <%= fail2ban::port('3proxy', 3128) %> logpath = /var/log/3proxy.log 
@@ -485,32 +485,32 @@ logpath = /var/log/3proxy.log [proftpd] -enabled = <%= "proftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'proftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('proftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(proftpd_log)s maxretry = 6 [pure-ftpd] -enabled = <%= "pure-ftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'pure-ftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('pure-ftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(pureftpd_log)s maxretry = 6 [gssftpd] -enabled = <%= "gssftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'gssftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('gssftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(syslog_daemon)s maxretry = 6 [wuftpd] -enabled = <%= "wuftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'wuftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('wuftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(wuftpd_log)s maxretry = 6 @@ -520,8 +520,8 @@ maxretry = 6 # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats -enabled = <%= "vsftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'vsftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('vsftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(vsftpd_log)s maxretry = 6 @@ -533,8 +533,8 @@ maxretry = 6 # ASSP SMTP Proxy Jail [assp] -enabled = <%= "assp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'assp' in $fail2ban::jails %> +port = <%= fail2ban::port('assp', 'smtp,465,submission') %> logpath = /root/path/to/assp/logs/maillog.txt 
@@ -547,38 +547,38 @@ logpath = %(syslog_mail)s [postfix] -enabled = <%= "postfix" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'postfix' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix', 'smtp,465,submission') %> logpath = %(postfix_log)s [postfix-rbl] -enabled = <%= "postfix-rbl" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'postfix-rbl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-rbl', 'smtp,465,submission') %> logpath = %(syslog_mail)s maxretry = 1 [sendmail-auth] -enabled = <%= "sendmail-auth" in $fail2ban::jails %> -port = submission,465,smtp +enabled = <%= 'sendmail-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-auth', 'smtp,465,submission') %> logpath = %(syslog_mail)s [sendmail-reject] -enabled = <%= "sendmail-reject" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sendmail-reject' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-reject', 'smtp,465,submission') %> logpath = %(syslog_mail)s [qmail-rbl] -enabled = <%= "qmail-rbl" in $fail2ban::jails %> +enabled = <%= 'qmail-rbl' in $fail2ban::jails %> filter = qmail -port = smtp,465,submission +port = <%= fail2ban::port('qmail-rbl', 'smtp,465,submission') %> logpath = /service/qmail/log/main/current 
@@ -586,43 +586,43 @@ logpath = /service/qmail/log/main/current # but can be set by syslog_facility in the dovecot configuration. [dovecot] -enabled = <%= "dovecot" in $fail2ban::jails %> -port = pop3,pop3s,imap,imaps,submission,465,sieve +enabled = <%= 'dovecot' in $fail2ban::jails %> +port = <%= fail2ban::port('dovecot', 'pop3,pop3s,imap,imaps,submission,465,sieve') %> logpath = %(dovecot_log)s [sieve] -enabled = <%= "sieve" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sieve' in $fail2ban::jails %> +port = <%= fail2ban::port('sieve', 'smtp,465,submission') %> logpath = %(dovecot_log)s [solid-pop3d] -enabled = <%= "solid-pop3d" in $fail2ban::jails %> -port = pop3,pop3s +enabled = <%= 'solid-pop3d' in $fail2ban::jails %> +port = <%= fail2ban::port('solid-pop3d', 'pop3,pop3s') %> logpath = %(solidpop3d_log)s [exim] -enabled = <%= "exim" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim' in $fail2ban::jails %> +port = <%= fail2ban::port('exim', 'smtp,465,submission') %> logpath = %(exim_main_log)s [exim-spam] -enabled = <%= "exim-spam" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim-spam' in $fail2ban::jails %> +port = <%= fail2ban::port('exim-spam', 'smtp,465,submission') %> logpath = %(exim_main_log)s [kerio] -enabled = <%= "kerio" in $fail2ban::jails %> -port = imap,smtp,imaps,465 +enabled = <%= 'kerio' in $fail2ban::jails %> +port = <%= fail2ban::port('kerio', 'imap,smtp,imaps,465') %> logpath = /opt/kerio/mailserver/store/logs/security.log 
@@ -633,15 +633,15 @@ logpath = /opt/kerio/mailserver/store/logs/security.log [courier-auth] -enabled = <%= "courierauth" in $fail2ban::jails %> -port = smtp,465,submission,imap3,imaps,pop3,pop3s -logpath = %(syslog_mail)s +enabled = <%= "courier-auth" in $fail2ban::jails %> +port = <%= fail2ban::port('courier-auth', 'smtp,465,submission,imap3,imaps,pop3,pop3s') %> +logpath = %(syslog_mail)s [postfix-sasl] -enabled = <%= "sasl" in $fail2ban::jails %> -port = smtp,465,submission,imap3,imaps,pop3,pop3s +enabled = <%= 'sasl' in $fail2ban::jails %> +port = <%= fail2ban::port('postfix-sasl', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. @@ -650,29 +650,29 @@ logpath = %(postfix_log)s [perdition] -enabled = <%= "perdition" in $fail2ban::jails %> -port = imap3,imaps,pop3,pop3s +enabled = <%= 'perdition' in $fail2ban::jails %> +port = <%= fail2ban::port('perdition', 'imap3,imaps,pop3,pop3s') %> logpath = %(syslog_mail)s [squirrelmail] -enabled = <%= "squirrelmail" in $fail2ban::jails %> -port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks +enabled = <%= 'squirrelmail' in $fail2ban::jails %> +port = <%= fail2ban::port('squirrelmail', 'smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks') %> logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] -enabled = <%= "cyrus-imap" in $fail2ban::jails %> -port = imap3,imaps +enabled = <%= 'cyrus-imap' in $fail2ban::jails %> +port = <%= fail2ban::port('cyrus-imap', 'imap3,imaps') %> logpath = %(syslog_mail)s [uwimap-auth] -enabled = <%= "uwimap-auth" in $fail2ban::jails %> -port = imap3,imaps +enabled = <%= 'uwimap-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('uwimap-auth', 'imap3,imaps') %> logpath = %(syslog_mail)s 
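Review bot: The `[courier-auth]` change in the `@@ -633,15 +633,15 @@` hunk silently disables the jail for existing users: the enable key moves from `"courierauth"` to `"courier-auth"`, so anyone listing `courierauth` in `fail2ban::jails` gets `enabled = false` for Courier brute-force protection after upgrading, with no warning and no mention in the commit message. Because fail2ban keeps running with one fewer jail nothing fails loudly, so the rename needs a changelog entry or a transitional `enabled = <%= 'courier-auth' in $fail2ban::jails or 'courierauth' in $fail2ban::jails %>`, and the line also keeps the double quotes the rest of the diff replaces. In the same hunk `[postfix-sasl]` is enabled by the key `'sasl'` but its port is looked up as `fail2ban::port('postfix-sasl', …)`, so a user who configures the jail under one name will not find their port override under the other, and its default list changes from `imap3` to `imap` (port 220 to 143), which alters the ports the ban action applies to without being called out. If `fail2ban::port` keys the override by its first argument (functions/port.pp is not in this chunk), the enable key and the port key for a jail should be the same string.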
@@ -704,17 +704,17 @@ logpath = %(syslog_mail)s [named-refused] -enabled = <%= "named-refused" in $fail2ban::jails %> -port = domain,953 -logpath = /var/log/named/security.log +enabled = <%= 'named-refused' in $fail2ban::jails %> +port = <%= fail2ban::port('named-refused', 'domain,953') %> +logpath = /var/log/named/security.log [nsd] -enabled = <%= "nsd" in $fail2ban::jails %> -port = 53 -action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] - %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] +enabled = <%= 'nsd' in $fail2ban::jails %> +port = <%= fail2ban::port('nsd', 53) %> +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log @@ -724,8 +724,8 @@ logpath = /var/log/nsd.log [asterisk] -enabled = <%= "asterisk" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'asterisk' in $fail2ban::jails %> +port = <%= fail2ban::port('asterisk', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] 
@@ -735,8 +735,8 @@ maxretry = 10 [freeswitch] -enabled = <%= "freeswitch" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'freeswitch' in $fail2ban::jails %> +port = <%= fail2ban::port('freeswitch', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] @@ -757,8 +757,8 @@ maxretry = 10 # log-error=/var/log/mysqld.log [mysqld-auth] -enabled = <%= "mysqld-auth" in $fail2ban::jails %> -port = 3306 +enabled = <%= 'mysqld-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mysqld-auth', 3306) %> logpath = %(mysql_log)s maxretry = 5 @@ -807,8 +807,8 @@ logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] -enabled = <%= "ejabberd-auth" in $fail2ban::jails %> -port = 5222 +enabled = <%= 'ejabberd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('ejabberd-auth', 5222) %> logpath = /var/log/ejabberd/ejabberd.log diff --git a/templates/Ubuntu/18.04/etc/fail2ban/jail.conf.epp b/templates/Ubuntu/18.04/etc/fail2ban/jail.conf.epp index cd5c3947..fef82e30 100644 --- a/templates/Ubuntu/18.04/etc/fail2ban/jail.conf.epp +++ b/templates/Ubuntu/18.04/etc/fail2ban/jail.conf.epp 
@@ -200,11 +200,11 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] # Report block via blocklist.de fail2ban reporting service API -# +# # See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action. # Specify expected parameters in file action.d/blocklist_de.local or if the interpolation # `action_blocklist_de` used for the action, set value of `blocklist_de_apikey` -# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in +# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in # corresponding jail.d/my-jail.local file). # action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] @@ -249,24 +249,24 @@ action = %(<%= $fail2ban::action %>)s # normal (default), ddos, extra or aggressive (combines all). # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. #mode = normal -enabled = <%= "ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('ssh', 'ssh') %> logpath = %(sshd_log)s backend = %(sshd_backend)s [dropbear] -enabled = <%= "dropbear" in $fail2ban::jails %> -port = ssh +enabled = <%= 'dropbear' in $fail2ban::jails %> +port = <%= fail2ban::port('dropbear', 'ssh') %> logpath = %(dropbear_log)s backend = %(dropbear_backend)s [selinux-ssh] -enabled = <%= "selinux-ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'selinux-ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('selinux-ssh', 'ssh') %> logpath = %(auditd_log)s 
@@ -276,16 +276,16 @@ logpath = %(auditd_log)s [apache-auth] -enabled = <%= "apache-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-auth', 'http,https') %> logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. -enabled = <%= "apache-badbots" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-badbots' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-badbots', 'http,https') %> logpath = %(apache_access_log)s bantime = 48h maxretry = 1 
@@ -293,39 +293,39 @@ maxretry = 1 [apache-noscript] -enabled = <%= "apache-noscript" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-noscript' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-noscript', 'http,https') %> logpath = %(apache_error_log)s [apache-overflows] -enabled = <%= "apache-overflows" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-overflows' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-overflows', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] -enabled = <%= "apache-nohome" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-nohome' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-nohome', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] -enabled = <%= "apache-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-botsearch', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] -enabled = <%= "apache-fakegooglebot" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-fakegooglebot' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-fakegooglebot', 'http,https') %> logpath = %(apache_access_log)s maxretry = 1 ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot 
@@ -333,23 +333,23 @@ ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot [apache-modsecurity] -enabled = <%= "apache-modsecurity" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-modsecurity' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-modsecurity', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] -enabled = <%= "apache-shellshock" in $fail2ban::jails %> -port = http,https -logpath = %(apache_error_log)s +enabled = <%= 'apache-shellshock' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-shellshock', 'http,https') %> +logpath = %(apache_error_log)s maxretry = 1 [openhab-auth] -enabled = <%= "openhab-auth" in $fail2ban::jails %> +enabled = <%= 'openhab-auth' in $fail2ban::jails %> filter = openhab action = iptables-allports[name=NoAuthFailures] logpath = /opt/openhab/logs/request.log 
@@ -357,24 +357,24 @@ logpath = /opt/openhab/logs/request.log [nginx-http-auth] -enabled = <%= "nginx-http-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-http-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-http-auth', 'http,https') %> logpath = %(nginx_error_log)s -# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` +# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` # and define `limit_req` and `limit_req_zone` as described in nginx documentation # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html # or for example see in 'config/filter.d/nginx-limit-req.conf' [nginx-limit-req] -enabled = <%= "nginx-limit-req" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-limit-req' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-limit-req', 'http,https') %> logpath = %(nginx_error_log)s [nginx-botsearch] -enabled = <%= "nginx-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-botsearch', 'http,https') %> logpath = %(nginx_error_log)s maxretry = 2 @@ -385,24 +385,24 @@ maxretry = 2 [php-url-fopen] -enabled = <%= "php-url-fopen" in $fail2ban::jails %> -port = http,https +enabled = <%= 'php-url-fopen' in $fail2ban::jails %> +port = <%= fail2ban::port('php-url-fopen', 'http,https') %> logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] -enabled = <%= "suhosin" in $fail2ban::jails %> -port = http,https +enabled = <%= 'suhosin' in $fail2ban::jails %> +port = <%= fail2ban::port('suhosin', 'http,https') %> logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications -enabled = <%= "lighttpd-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'lighttpd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('lighttpd-auth', 'http,https') %> logpath = %(lighttpd_error_log)s 
@@ -412,8 +412,8 @@ logpath = %(lighttpd_error_log)s [roundcube-auth] -enabled = <%= "roundcube-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'roundcube-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('roundcube-auth', 'http,https') %> logpath = %(roundcube_errors_log)s # Use following line in your jail.local if roundcube logs to journal. #backend = %(syslog_backend)s @@ -421,39 +421,39 @@ logpath = %(roundcube_errors_log)s [openwebmail] -enabled = <%= "openwebmail" in $fail2ban::jails %> -port = http,https -logpath = /var/log/openwebmail.log +enabled = <%= 'openwebmail' in $fail2ban::jails %> +port = <%= fail2ban::port('openwebmail', 'http,https') %> +logpath = /var/log/openwebmail.log [horde] -enabled = <%= "horde" in $fail2ban::jails %> -port = http,https -logpath = /var/log/horde/horde.log +enabled = <%= 'horde' in $fail2ban::jails %> +port = <%= fail2ban::port('horde', 'http,https') %> +logpath = /var/log/horde/horde.log [groupoffice] -enabled = <%= "groupoffice" in $fail2ban::jails %> -port = http,https -logpath = /home/groupoffice/log/info.log +enabled = <%= 'groupoffice' in $fail2ban::jails %> +port = <%= fail2ban::port('groupoffice', 'http,https') %> +logpath = /home/groupoffice/log/info.log [sogo-auth] # Monitor SOGo groupware server # without proxy this would be: # port = 20000 -enabled = <%= "sogo-auth" in $fail2ban::jails %> -port = http,https -logpath = /var/log/sogo/sogo.log +enabled = <%= 'sogo-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sogo-auth', 'http,https') %> +logpath = /var/log/sogo/sogo.log [tine20] -enabled = <%= "tine20" in $fail2ban::jails %> -logpath = /var/log/tine20/tine20.log -port = http,https +enabled = <%= 'tine20' in $fail2ban::jails %> +logpath = /var/log/tine20/tine20.log +port = <%= fail2ban::port('tine20', 'http,https') %> # 
@@ -463,38 +463,38 @@ port = http,https [drupal-auth] -enabled = <%= "drupal-auth" in $fail2ban::jails %> -port = http,https -logpath = %(syslog_daemon)s -backend = %(syslog_backend)s +enabled = <%= 'drupal-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('drupal-auth', 'http,https') %> +logpath = %(syslog_daemon)s +backend = %(syslog_backend)s [guacamole] -enabled = <%= "guacamole" in $fail2ban::jails %> -port = http,https -logpath = /var/log/tomcat*/catalina.out +enabled = <%= 'guacamole' in $fail2ban::jails %> +port = <%= fail2ban::port('guacamole', 'http,https') %> +logpath = /var/log/tomcat*/catalina.out [monit] #Ban clients brute-forcing the monit gui login -enabled = <%= "monit" in $fail2ban::jails %> -port = 2812 -logpath = /var/log/monit +enabled = <%= 'monit' in $fail2ban::jails %> +port = <%= fail2ban::port('monit', 2812) %> +logpath = /var/log/monit [webmin-auth] -enabled = <%= "webmin-auth" in $fail2ban::jails %> -port = 10000 +enabled = <%= 'webmin-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('webmin-auth', 10000) %> logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [froxlor-auth] -enabled = <%= "froxlor-auth" in $fail2ban::jails %> -port = http,https -logpath = %(syslog_authpriv)s -backend = %(syslog_backend)s +enabled = <%= 'froxlor-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('froxlor-auth', 'http,https') %> +logpath = %(syslog_authpriv)s +backend = %(syslog_backend)s # @@ -504,15 +504,15 @@ backend = %(syslog_backend)s [squid] -enabled = <%= "squid" in $fail2ban::jails %> -port = 80,443,3128,8080 +enabled = <%= 'squid' in $fail2ban::jails %> +port = <%= fail2ban::port('squid', '80,443,3128,8080') %> logpath = /var/log/squid/access.log [3proxy] -enabled = <%= "3proxy" in $fail2ban::jails %> -port = 3128 +enabled = <%= '3proxy' in $fail2ban::jails %> +port = <%= fail2ban::port('3proxy', 3128) %> logpath = /var/log/3proxy.log 
@@ -523,44 +523,44 @@ logpath = /var/log/3proxy.log [proftpd] -enabled = <%= "proftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'proftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('proftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(proftpd_log)s backend = %(proftpd_backend)s [pure-ftpd] -enabled = <%= "pure-ftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'pure-ftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('pure-ftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(pureftpd_log)s backend = %(pureftpd_backend)s [gssftpd] -enabled = <%= "gssftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'gssftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('gssftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(syslog_daemon)s backend = %(syslog_backend)s [wuftpd] -enabled = <%= "wuftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'wuftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('wuftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(wuftpd_log)s backend = %(wuftpd_backend)s [vsftpd] -enabled = <%= "vsftpd" in $fail2ban::jails %> +enabled = <%= 'vsftpd' in $fail2ban::jails %> # or overwrite it in jails.local to be # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats -port = ftp,ftp-data,ftps,ftps-data +port = <%= fail2ban::port('vsftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(vsftpd_log)s 
@@ -571,34 +571,34 @@ logpath = %(vsftpd_log)s # ASSP SMTP Proxy Jail [assp] -enabled = <%= "assp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'assp' in $fail2ban::jails %> +port = <%= fail2ban::port('assp', 'smtp,465,submission') %> logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] -enabled = <%= "courier-smtp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'courier-smtp' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-smtp', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [postfix] -enabled = <%= "postfix" in $fail2ban::jails %> +enabled = <%= 'postfix' in $fail2ban::jails %> # To use another modes set filter parameter "mode" in jail.local: mode = more -port = smtp,465,submission +port = <%= fail2ban::port('postfix', 'smtp,465,submission') %> logpath = %(postfix_log)s backend = %(postfix_backend)s [postfix-rbl] -enabled = <%= "postfix-rbl" in $fail2ban::jails %> +enabled = <%= 'postfix-rbl' in $fail2ban::jails %> filter = postfix[mode=rbl] -port = smtp,465,submission +port = <%= fail2ban::port('postfix-rbl', 'smtp,465,submission') %> logpath = %(postfix_log)s backend = %(postfix_backend)s maxretry = 1 
@@ -606,29 +606,29 @@ maxretry = 1 [sendmail-auth] -enabled = <%= "sendmail-auth" in $fail2ban::jails %> -port = submission,465,smtp +enabled = <%= 'sendmail-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-auth', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [sendmail-reject] -enabled = <%= "sendmail-reject" in $fail2ban::jails %> +enabled = <%= 'sendmail-reject' in $fail2ban::jails %> # To use more aggressive modes set filter parameter "mode" in jail.local: # normal (default), extra or aggressive # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details. #mode = normal -port = smtp,465,submission +port = <%= fail2ban::port('sendmail-reject', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [qmail-rbl] -enabled = <%= "qmail-rbl" in $fail2ban::jails %> +enabled = <%= 'qmail-rbl' in $fail2ban::jails %> filter = qmail -port = smtp,465,submission +port = <%= fail2ban::port('qmail-rbl', 'smtp,465,submission') %> logpath = /service/qmail/log/main/current 
@@ -636,45 +636,46 @@ logpath = /service/qmail/log/main/current # but can be set by syslog_facility in the dovecot configuration. [dovecot] -enabled = <%= "dovecot" in $fail2ban::jails %> -port = pop3,pop3s,imap,imaps,submission,465,sieve +enabled = <%= 'dovecot' in $fail2ban::jails %> +port = <%= fail2ban::port('dovecot', 'pop3,pop3s,imap,imaps,submission,465,sieve') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [sieve] -enabled = <%= "sieve" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sieve' in $fail2ban::jails %> +port = <%= fail2ban::port('sieve', 'smtp,465,submission') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [solid-pop3d] -enabled = <%= "solid-pop3d" in $fail2ban::jails %> -port = pop3,pop3s +enabled = <%= 'solid-pop3d' in $fail2ban::jails %> +port = <%= fail2ban::port('solid-pop3d', 'pop3,pop3s') %> logpath = %(solidpop3d_log)s [exim] +enabled = <%= 'exim' in $fail2ban::jails %> # see filter.d/exim.conf for further modes supported from filter: #mode = normal -port = smtp,465,submission +port = <%= fail2ban::port('exim', 'smtp,465,submission') %> logpath = %(exim_main_log)s [exim-spam] -enabled = <%= "exim-spam" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim-spam' in $fail2ban::jails %> +port = <%= fail2ban::port('exim-spam', 'smtp,465,submission') %> logpath = %(exim_main_log)s [kerio] -enabled = <%= "kerio" in $fail2ban::jails %> -port = imap,smtp,imaps,465 +enabled = <%= 'kerio' in $fail2ban::jails %> +port = <%= fail2ban::port('kerio', 'imap,smtp,imaps,465') %> logpath = /opt/kerio/mailserver/store/logs/security.log 
@@ -685,17 +686,17 @@ logpath = /opt/kerio/mailserver/store/logs/security.log [courier-auth] -enabled = <%= "courier-auth" in $fail2ban::jails %> -port = smtp,465,submission,imap,imaps,pop3,pop3s -logpath = %(syslog_mail)s -backend = %(syslog_backend)s +enabled = <%= 'courier-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-auth', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> +logpath = %(syslog_mail)s +backend = %(syslog_backend)s [postfix-sasl] enabled = <%= "postfix-sasl" in $fail2ban::jails %> filter = postfix[mode=auth] -port = smtp,465,submission,imap,imaps,pop3,pop3s +port = <%= fail2ban::port('postfix-sasl', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. 
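Review bot: The `[postfix-sasl]` stanza in this hunk keeps the old double-quoted form, `enabled = <%= "postfix-sasl" in $fail2ban::jails %>`, while every other `enabled` line in the file is normalized to single quotes and the same stanza in the 20.04 template (the hunk at `@@ -729,17 +730,17 @@`) was converted. It renders identically, so this is a consistency point only, but it reads as an oversight in the bulk rewrite; change it to `enabled = <%= 'postfix-sasl' in $fail2ban::jails %>` so the four Ubuntu templates stay byte-comparable.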
@@ -705,31 +706,31 @@ backend = %(postfix_backend)s [perdition] -enabled = <%= "perdition" in $fail2ban::jails %> -port = imap,imaps,pop3,pop3s +enabled = <%= 'perdition' in $fail2ban::jails %> +port = <%= fail2ban::port('perdition', 'imap,imaps,pop3,pop3s') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [squirrelmail] -enabled = <%= "squirrelmail" in $fail2ban::jails %> -port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks +enabled = <%= 'squirrelmail' in $fail2ban::jails %> +port = <%= fail2ban::port('squirrelmail', 'smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks') %> logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] -enabled = <%= "cyrus-imap" in $fail2ban::jails %> -port = imap,imaps +enabled = <%= 'cyrus-imap' in $fail2ban::jails %> +port = <%= fail2ban::port('cyrus-imap', 'imap3,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [uwimap-auth] -enabled = <%= "uwimap-auth" in $fail2ban::jails %> -port = imap,imaps +enabled = <%= 'uwimap-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('uwimap-auth', 'imap,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s 
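Review bot: The `[cyrus-imap]` default in this hunk changes from `imap,imaps` to `imap3,imaps`, which is not a pure refactor to `fail2ban::port`: on the usual `/etc/services` assignments `imap3` resolves to 220/tcp, not 143/tcp, so a node that does not override the port would have its ban rules applied to a port the server is unlikely to be listening on and IMAP brute-force on 143 would go unblocked. If the intent was to match upstream fail2ban's `jail.conf` verbatim, say so in the commit message; otherwise keep the previous value, `port = <%= fail2ban::port('cyrus-imap', 'imap,imaps') %>`. The same change appears in the 20.04 template at `@@ -749,31 +750,31 @@`.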
@@ -762,17 +763,17 @@ backend = %(syslog_backend)s [named-refused] -enabled = <%= "named-refused" in $fail2ban::jails %> -port = domain,953 -logpath = /var/log/named/security.log +enabled = <%= 'named-refused' in $fail2ban::jails %> +port = <%= fail2ban::port('named-refused', 'domain,953') %> +logpath = /var/log/named/security.log [nsd] -enabled = <%= "nsd" in $fail2ban::jails %> -port = 53 -action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] - %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] +enabled = <%= 'nsd' in $fail2ban::jails %> +port = <%= fail2ban::port('nsd', 53) %> +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] + %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log @@ -782,8 +783,8 @@ logpath = /var/log/nsd.log [asterisk] -enabled = <%= "asterisk" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'asterisk' in $fail2ban::jails %> +port = <%= fail2ban::port('asterisk', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] 
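Review bot: The `[nsd]` and `[asterisk]` stanzas in these hunks show that the value returned by `fail2ban::port` is not only written to `port =` but also reaches the ban action through `port="%(port)s"` in the `action` lines, i.e. it ends up as an argument of the firewall commands fail2ban executes. Because the override now comes from module parameters rather than the template, `Fail2ban::Port` (added in this commit but not visible in this chunk) should constrain the value to port numbers and service-name tokens, for example `Variant[Integer[1, 65535], Pattern[/\A[A-Za-z0-9_:-]+(,[A-Za-z0-9_:-]+)*\z/]]`, rather than accepting any string; please confirm the type does that. Note the function is called with an Integer here (`fail2ban::port('nsd', 53)`) and with strings elsewhere, so the type must admit both forms. The 20.04 template has the same pattern at `@@ -806,16 +807,16 @@`.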
@@ -793,8 +794,8 @@ maxretry = 10 [freeswitch] -enabled = <%= "freeswitch" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'freeswitch' in $fail2ban::jails %> +port = <%= fail2ban::port('freeswitch', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] @@ -815,8 +816,8 @@ maxretry = 10 # log-error=/var/log/mysqld.log [mysqld-auth] -enabled = <%= "mysqld-auth" in $fail2ban::jails %> -port = 3306 +enabled = <%= 'mysqld-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mysqld-auth', 3306) %> logpath = %(mysql_log)s backend = %(mysql_backend)s @@ -824,8 +825,8 @@ backend = %(mysql_backend)s # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') [mongodb-auth] # change port when running with "--shardsvr" or "--configsvr" runtime operation -enabled = <%= "mongodb-auth" in $fail2ban::jails %> -port = 27017 +enabled = <%= 'mongodb-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mongodb-auth', 27017) %> logpath = /var/log/mongodb/mongodb.log @@ -875,8 +876,8 @@ logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] -enabled = <%= "ejabberd-auth" in $fail2ban::jails %> -port = 5222 +enabled = <%= 'ejabberd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('ejabberd-auth', 5222) %> logpath = /var/log/ejabberd/ejabberd.log diff --git a/templates/Ubuntu/20.04/etc/fail2ban/jail.conf.epp b/templates/Ubuntu/20.04/etc/fail2ban/jail.conf.epp index 73f0b6ac..937acd33 100644 --- a/templates/Ubuntu/20.04/etc/fail2ban/jail.conf.epp +++ b/templates/Ubuntu/20.04/etc/fail2ban/jail.conf.epp 
@@ -48,19 +48,19 @@ before = paths-debian.conf # MISCELLANEOUS OPTIONS # -# "bantime.increment" allows to use database for searching of previously banned ip's to increase a +# "bantime.increment" allows to use database for searching of previously banned ip's to increase a # default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32... #bantime.increment = true -# "bantime.rndtime" is the max number of seconds using for mixing with random time +# "bantime.rndtime" is the max number of seconds using for mixing with random time # to prevent "clever" botnets calculate exact time IP can be unbanned again: -#bantime.rndtime = +#bantime.rndtime = # "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further) -#bantime.maxtime = +#bantime.maxtime = # "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier, -# default value of factor is 1 and with default value of formula, the ban time +# default value of factor is 1 and with default value of formula, the ban time # grows by 1, 2, 4, 8, 16 ... #bantime.factor = 1 
@@ -71,16 +71,16 @@ before = paths-debian.conf # more aggressive example of formula has the same values only for factor "2.0 / 2.885385" : #bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor) -# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding +# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding # previously ban count and given "bantime.factor" (for multipliers default is 1); -# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, +# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, # always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours #bantime.multipliers = 1 2 4 8 16 32 64 # following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin, # for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day #bantime.multipliers = 1 5 30 60 300 720 1440 2880 -# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed +# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed # cross over all jails, if false (dafault), only current jail of the ban IP will be searched #bantime.overalljails = false 
@@ -241,11 +241,11 @@ action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"] # Report block via blocklist.de fail2ban reporting service API -# +# # See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action. # Specify expected parameters in file action.d/blocklist_de.local or if the interpolation # `action_blocklist_de` used for the action, set value of `blocklist_de_apikey` -# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in +# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in # corresponding jail.d/my-jail.local file). # action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] @@ -290,24 +290,24 @@ action = %(<%= $fail2ban::action %>)s # normal (default), ddos, extra or aggressive (combines all). # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. #mode = normal -enabled = <%= "ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('ssh', 'ssh') %> logpath = %(sshd_log)s backend = %(sshd_backend)s [dropbear] -enabled = <%= "dropbear" in $fail2ban::jails %> -port = ssh +enabled = <%= 'dropbear' in $fail2ban::jails %> +port = <%= fail2ban::port('dropbear', 'ssh') %> logpath = %(dropbear_log)s backend = %(dropbear_backend)s [selinux-ssh] -enabled = <%= "selinux-ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'selinux-ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('selinux-ssh', 'ssh') %> logpath = %(auditd_log)s 
@@ -317,16 +317,16 @@ logpath = %(auditd_log)s [apache-auth] -enabled = <%= "apache-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-auth', 'http,https') %> logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. -enabled = <%= "apache-badbots" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-badbots' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-badbots', 'http,https') %> logpath = %(apache_access_log)s bantime = 48h maxretry = 1 
@@ -334,39 +334,39 @@ maxretry = 1 [apache-noscript] -enabled = <%= "apache-noscript" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-noscript' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-noscript', 'http,https') %> logpath = %(apache_error_log)s [apache-overflows] -enabled = <%= "apache-overflows" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-overflows' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-overflows', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] -enabled = <%= "apache-nohome" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-nohome' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-nohome', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] -enabled = <%= "apache-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-botsearch', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] -enabled = <%= "apache-fakegooglebot" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-fakegooglebot' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-fakegooglebot', 'http,https') %> logpath = %(apache_access_log)s maxretry = 1 ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot 
@@ -374,23 +374,23 @@ ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot [apache-modsecurity] -enabled = <%= "apache-modsecurity" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-modsecurity' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-modsecurity', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] -enabled = <%= "apache-shellshock" in $fail2ban::jails %> -port = http,https -logpath = %(apache_error_log)s +enabled = <%= 'apache-shellshock' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-shellshock', 'http,https') %> +logpath = %(apache_error_log)s maxretry = 1 [openhab-auth] -enabled = <%= "openhab-auth" in $fail2ban::jails %> +enabled = <%= 'openhab-auth' in $fail2ban::jails %> filter = openhab action = iptables-allports[name=NoAuthFailures] logpath = /opt/openhab/logs/request.log 
@@ -398,24 +398,24 @@ logpath = /opt/openhab/logs/request.log [nginx-http-auth] -enabled = <%= "nginx-http-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-http-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-http-auth', 'http,https') %> logpath = %(nginx_error_log)s -# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` +# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` # and define `limit_req` and `limit_req_zone` as described in nginx documentation # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html # or for example see in 'config/filter.d/nginx-limit-req.conf' [nginx-limit-req] -enabled = <%= "nginx-limit-req" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-limit-req' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-limit-req', 'http,https') %> logpath = %(nginx_error_log)s [nginx-botsearch] -enabled = <%= "nginx-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-botsearch', 'http,https') %> logpath = %(nginx_error_log)s maxretry = 2 @@ -426,24 +426,24 @@ maxretry = 2 [php-url-fopen] -enabled = <%= "php-url-fopen" in $fail2ban::jails %> -port = http,https +enabled = <%= 'php-url-fopen' in $fail2ban::jails %> +port = <%= fail2ban::port('php-url-fopen', 'http,https') %> logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] -enabled = <%= "suhosin" in $fail2ban::jails %> -port = http,https +enabled = <%= 'suhosin' in $fail2ban::jails %> +port = <%= fail2ban::port('suhosin', 'http,https') %> logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications -enabled = <%= "lighttpd-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'lighttpd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('lighttpd-auth', 'http,https') %> logpath = %(lighttpd_error_log)s 
@@ -453,48 +453,48 @@ logpath = %(lighttpd_error_log)s [roundcube-auth] -enabled = <%= "roundcube-auth" in $fail2ban::jails %> -port = http,https -logpath = %(roundcube_errors_log)s +enabled = <%= 'roundcube-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('roundcube-auth', 'http,https') %> +logpath = %(roundcube_errors_log)s # Use following line in your jail.local if roundcube logs to journal. #backend = %(syslog_backend)s [openwebmail] -enabled = <%= "openwebmail" in $fail2ban::jails %> -port = http,https -logpath = /var/log/openwebmail.log +enabled = <%= 'openwebmail' in $fail2ban::jails %> +port = <%= fail2ban::port('openwebmail', 'http,https') %> +logpath = /var/log/openwebmail.log [horde] -enabled = <%= "horde" in $fail2ban::jails %> -port = http,https -logpath = /var/log/horde/horde.log +enabled = <%= 'horde' in $fail2ban::jails %> +port = <%= fail2ban::port('horde', 'http,https') %> +logpath = /var/log/horde/horde.log [groupoffice] -enabled = <%= "groupoffice" in $fail2ban::jails %> -port = http,https -logpath = /home/groupoffice/log/info.log +enabled = <%= 'groupoffice' in $fail2ban::jails %> +port = <%= fail2ban::port('groupoffice', 'http,https') %> +logpath = /home/groupoffice/log/info.log [sogo-auth] # Monitor SOGo groupware server # without proxy this would be: # port = 20000 -enabled = <%= "sogo-auth" in $fail2ban::jails %> -port = http,https -logpath = /var/log/sogo/sogo.log +enabled = <%= 'sogo-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sogo-auth', 'http,https') %> +logpath = /var/log/sogo/sogo.log [tine20] -enabled = <%= "tine20" in $fail2ban::jails %> -logpath = /var/log/tine20/tine20.log -port = http,https +enabled = <%= 'tine20' in $fail2ban::jails %> +logpath = /var/log/tine20/tine20.log +port = <%= fail2ban::port('tine20', 'http,https') %> # 
@@ -504,39 +504,39 @@ port = http,https [drupal-auth] -enabled = <%= "drupal-auth" in $fail2ban::jails %> -port = http,https -logpath = %(syslog_daemon)s -backend = %(syslog_backend)s +enabled = <%= 'drupal-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('drupal-auth', 'http,https') %> +logpath = %(syslog_daemon)s +backend = %(syslog_backend)s [guacamole] -enabled = <%= "guacamole" in $fail2ban::jails %> -port = http,https -logpath = /var/log/tomcat*/catalina.out +enabled = <%= 'guacamole' in $fail2ban::jails %> +port = <%= fail2ban::port('guacamole', 'http,https') %> +logpath = /var/log/tomcat*/catalina.out [monit] #Ban clients brute-forcing the monit gui login -enabled = <%= "monit" in $fail2ban::jails %> -port = 2812 -logpath = /var/log/monit +enabled = <%= 'monit' in $fail2ban::jails %> +port = <%= fail2ban::port('monit', 2812) %> +logpath = /var/log/monit /var/log/monit.log [webmin-auth] -enabled = <%= "webmin-auth" in $fail2ban::jails %> -port = 10000 +enabled = <%= 'webmin-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('webmin-auth', 10000) %> logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [froxlor-auth] -enabled = <%= "froxlor-auth" in $fail2ban::jails %> -port = http,https -logpath = %(syslog_authpriv)s -backend = %(syslog_backend)s +enabled = <%= 'froxlor-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('froxlor-auth', 'http,https') %> +logpath = %(syslog_authpriv)s +backend = %(syslog_backend)s # @@ -546,15 +546,15 @@ backend = %(syslog_backend)s [squid] -enabled = <%= "squid" in $fail2ban::jails %> -port = 80,443,3128,8080 +enabled = <%= 'squid' in $fail2ban::jails %> +port = <%= fail2ban::port('squid', '80,443,3128,8080') %> logpath = /var/log/squid/access.log [3proxy] -enabled = <%= "3proxy" in $fail2ban::jails %> -port = 3128 +enabled = <%= '3proxy' in $fail2ban::jails %> +port = <%= fail2ban::port('3proxy', 3128) %> logpath = /var/log/3proxy.log 
@@ -565,32 +565,32 @@ logpath = /var/log/3proxy.log [proftpd] -enabled = <%= "proftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'proftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('proftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(proftpd_log)s backend = %(proftpd_backend)s [pure-ftpd] -enabled = <%= "pure-ftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'pure-ftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('pure-ftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(pureftpd_log)s backend = %(pureftpd_backend)s [gssftpd] -enabled = <%= "gssftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'gssftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('gssftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(syslog_daemon)s backend = %(syslog_backend)s [wuftpd] -enabled = <%= "wuftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'wuftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('wuftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(wuftpd_log)s backend = %(wuftpd_backend)s @@ -598,12 +598,12 @@ backend = %(wuftpd_backend)s [vsftpd] -enabled = <%= "vsftpd" in $fail2ban::jails %> +enabled = <%= 'vsftpd' in $fail2ban::jails %> # or overwrite it in jails.local to be # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats -port = ftp,ftp-data,ftps,ftps-data +port = <%= fail2ban::port('vsftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(vsftpd_log)s 
@@ -614,34 +614,34 @@ logpath = %(vsftpd_log)s # ASSP SMTP Proxy Jail [assp] -enabled = <%= "assp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'assp' in $fail2ban::jails %> +port = <%= fail2ban::port('assp', 'smtp,465,submission') %> logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] -enabled = <%= "courier-smtp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'courier-smtp' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-smtp', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [postfix] -enabled = <%= "postfix" in $fail2ban::jails %> +enabled = <%= 'postfix' in $fail2ban::jails %> # To use another modes set filter parameter "mode" in jail.local: mode = more -port = smtp,465,submission +port = <%= fail2ban::port('postfix', 'smtp,465,submission') %> logpath = %(postfix_log)s backend = %(postfix_backend)s [postfix-rbl] -enabled = <%= "postfix-rbl" in $fail2ban::jails %> +enabled = <%= 'postfix-rbl' in $fail2ban::jails %> filter = postfix[mode=rbl] -port = smtp,465,submission +port = <%= fail2ban::port('postfix-rbl', 'smtp,465,submission') %> logpath = %(postfix_log)s backend = %(postfix_backend)s maxretry = 1 @@ -649,8 +649,8 @@ maxretry = 1 [sendmail-auth] -enabled = <%= "sendmail-auth" in $fail2ban::jails %> -port = submission,465,smtp +enabled = <%= 'sendmail-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-auth', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s 
@@ -658,21 +658,21 @@ backend = %(syslog_backend)s [sendmail-reject] -enabled = <%= "sendmail-reject" in $fail2ban::jails %> +enabled = <%= 'sendmail-reject' in $fail2ban::jails %> # To use more aggressive modes set filter parameter "mode" in jail.local: # normal (default), extra or aggressive # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details. #mode = normal -port = smtp,465,submission +port = <%= fail2ban::port('sendmail-reject', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [qmail-rbl] -enabled = <%= "qmail-rbl" in $fail2ban::jails %> +enabled = <%= 'qmail-rbl' in $fail2ban::jails %> filter = qmail -port = smtp,465,submission +port = <%= fail2ban::port('qmail-rbl', 'smtp,465,submission') %> logpath = /service/qmail/log/main/current 
@@ -680,45 +680,46 @@ logpath = /service/qmail/log/main/current # but can be set by syslog_facility in the dovecot configuration. [dovecot] -enabled = <%= "dovecot" in $fail2ban::jails %> -port = pop3,pop3s,imap,imaps,submission,465,sieve +enabled = <%= 'dovecot' in $fail2ban::jails %> +port = <%= fail2ban::port('dovecot', 'pop3,pop3s,imap,imaps,submission,465,sieve') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [sieve] -enabled = <%= "sieve" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sieve' in $fail2ban::jails %> +port = <%= fail2ban::port('sieve', 'smtp,465,submission') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [solid-pop3d] -enabled = <%= "solid-pop3d" in $fail2ban::jails %> -port = pop3,pop3s +enabled = <%= 'solid-pop3d' in $fail2ban::jails %> +port = <%= fail2ban::port('solid-pop3d', 'pop3,pop3s') %> logpath = %(solidpop3d_log)s [exim] +enabled = <%= 'exim' in $fail2ban::jails %> # see filter.d/exim.conf for further modes supported from filter: #mode = normal -port = smtp,465,submission +port = <%= fail2ban::port('exim', 'smtp,465,submission') %> logpath = %(exim_main_log)s [exim-spam] -enabled = <%= "exim-spam" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim-spam' in $fail2ban::jails %> +port = <%= fail2ban::port('exim-spam', 'smtp,465,submission') %> logpath = %(exim_main_log)s [kerio] -enabled = <%= "kerio" in $fail2ban::jails %> -port = imap,smtp,imaps,465 +enabled = <%= 'kerio' in $fail2ban::jails %> +port = <%= fail2ban::port('kerio', 'imap,smtp,imaps,465') %> logpath = /opt/kerio/mailserver/store/logs/security.log 
@@ -729,17 +730,17 @@ logpath = /opt/kerio/mailserver/store/logs/security.log [courier-auth] -enabled = <%= "courier-auth" in $fail2ban::jails %> -port = smtp,465,submission,imap,imaps,pop3,pop3s -logpath = %(syslog_mail)s -backend = %(syslog_backend)s +enabled = <%= 'courier-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-auth', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> +logpath = %(syslog_mail)s +backend = %(syslog_backend)s [postfix-sasl] -enabled = <%= "postfix-sasl" in $fail2ban::jails %> +enabled = <%= 'postfix-sasl' in $fail2ban::jails %> filter = postfix[mode=auth] -port = smtp,465,submission,imap,imaps,pop3,pop3s +port = <%= fail2ban::port('postfix-sasl', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. 
@@ -749,31 +750,31 @@ backend = %(postfix_backend)s [perdition] -enabled = <%= "perdition" in $fail2ban::jails %> -port = imap,imaps,pop3,pop3s +enabled = <%= 'perdition' in $fail2ban::jails %> +port = <%= fail2ban::port('perdition', 'imap,imaps,pop3,pop3s') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [squirrelmail] -enabled = <%= "squirrelmail" in $fail2ban::jails %> -port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks +enabled = <%= 'squirrelmail' in $fail2ban::jails %> +port = <%= fail2ban::port('squirrelmail', 'smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks') %> logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] -enabled = <%= "cyrus-imap" in $fail2ban::jails %> -port = imap,imaps +enabled = <%= 'cyrus-imap' in $fail2ban::jails %> +port = <%= fail2ban::port('cyrus-imap', 'imap3,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [uwimap-auth] -enabled = <%= "uwimap-auth" in $fail2ban::jails %> -port = imap,imaps +enabled = <%= 'uwimap-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('uwimap-auth', 'imap,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s 
@@ -806,16 +807,16 @@ backend = %(syslog_backend)s [named-refused] -enabled = <%= "named-refused" in $fail2ban::jails %> -port = domain,953 -logpath = /var/log/named/security.log +enabled = <%= 'named-refused' in $fail2ban::jails %> +port = <%= fail2ban::port('named-refused', 'domain,953') %> +logpath = /var/log/named/security.log [nsd] -enabled = <%= "nsd" in $fail2ban::jails %> -port = 53 -action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] +enabled = <%= 'nsd' in $fail2ban::jails %> +port = <%= fail2ban::port('nsd', 53) %> +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log @@ -826,8 +827,8 @@ logpath = /var/log/nsd.log [asterisk] -enabled = <%= "asterisk" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'asterisk' in $fail2ban::jails %> +port = <%= fail2ban::port('asterisk', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] @@ -837,8 +838,8 @@ maxretry = 10 [freeswitch] -enabled = <%= "freeswitch" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'freeswitch' in $fail2ban::jails %> +port = <%= fail2ban::port('freeswitch', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] 
@@ -867,8 +868,8 @@ logpath = /var/lib/znc/moddata/adminlog/znc.log # log-error=/var/log/mysqld.log [mysqld-auth] -enabled = <%= "mysqld-auth" in $fail2ban::jails %> -port = 3306 +enabled = <%= 'mysqld-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mysqld-auth', 3306) %> logpath = %(mysql_log)s backend = %(mysql_backend)s @@ -876,8 +877,8 @@ backend = %(mysql_backend)s # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') [mongodb-auth] # change port when running with "--shardsvr" or "--configsvr" runtime operation -enabled = <%= "mongodb-auth" in $fail2ban::jails %> -port = 27017 +enabled = <%= 'mongodb-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mongodb-auth', 27017) %> logpath = /var/log/mongodb/mongodb.log @@ -926,8 +927,8 @@ logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] -enabled = <%= "ejabberd-auth" in $fail2ban::jails %> -port = 5222 +enabled = <%= 'ejabberd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('ejabberd-auth', 5222) %> logpath = /var/log/ejabberd/ejabberd.log diff --git a/templates/Ubuntu/22.04/etc/fail2ban/jail.conf.epp b/templates/Ubuntu/22.04/etc/fail2ban/jail.conf.epp index 73f0b6ac..86631132 100644 --- a/templates/Ubuntu/22.04/etc/fail2ban/jail.conf.epp +++ b/templates/Ubuntu/22.04/etc/fail2ban/jail.conf.epp 
@@ -290,24 +290,24 @@ action = %(<%= $fail2ban::action %>)s # normal (default), ddos, extra or aggressive (combines all). # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. #mode = normal -enabled = <%= "ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('ssh', 'ssh') %> logpath = %(sshd_log)s backend = %(sshd_backend)s [dropbear] -enabled = <%= "dropbear" in $fail2ban::jails %> -port = ssh +enabled = <%= 'dropbear' in $fail2ban::jails %> +port = <%= fail2ban::port('dropbear', 'ssh') %> logpath = %(dropbear_log)s backend = %(dropbear_backend)s [selinux-ssh] -enabled = <%= "selinux-ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'selinux-ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('selinux-ssh', 'ssh') %> logpath = %(auditd_log)s @@ -317,16 +317,16 @@ logpath = %(auditd_log)s [apache-auth] -enabled = <%= "apache-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-auth', 'http,https') %> logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. -enabled = <%= "apache-badbots" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-badbots' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-badbots', 'http,https') %> logpath = %(apache_access_log)s bantime = 48h maxretry = 1 
@@ -334,39 +334,39 @@ maxretry = 1 [apache-noscript] -enabled = <%= "apache-noscript" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-noscript' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-noscript', 'http,https') %> logpath = %(apache_error_log)s [apache-overflows] -enabled = <%= "apache-overflows" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-overflows' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-overflows', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] -enabled = <%= "apache-nohome" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-nohome' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-nohome', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] -enabled = <%= "apache-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-botsearch', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] -enabled = <%= "apache-fakegooglebot" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-fakegooglebot' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-fakegooglebot', 'http,https') %> logpath = %(apache_access_log)s maxretry = 1 ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot 
@@ -374,23 +374,23 @@ ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot [apache-modsecurity] -enabled = <%= "apache-modsecurity" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-modsecurity' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-modsecurity', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] -enabled = <%= "apache-shellshock" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-shellshock' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-shellshock', 'http,https') %> logpath = %(apache_error_log)s maxretry = 1 [openhab-auth] -enabled = <%= "openhab-auth" in $fail2ban::jails %> +enabled = <%= 'openhab-auth' in $fail2ban::jails %> filter = openhab action = iptables-allports[name=NoAuthFailures] logpath = /opt/openhab/logs/request.log @@ -398,8 +398,8 @@ logpath = /opt/openhab/logs/request.log [nginx-http-auth] -enabled = <%= "nginx-http-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-http-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-http-auth', 'http,https') %> logpath = %(nginx_error_log)s # To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` @@ -408,14 +408,14 @@ logpath = %(nginx_error_log)s # or for example see in 'config/filter.d/nginx-limit-req.conf' [nginx-limit-req] -enabled = <%= "nginx-limit-req" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-limit-req' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-limit-req', 'http,https') %> logpath = %(nginx_error_log)s [nginx-botsearch] -enabled = <%= "nginx-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-botsearch', 'http,https') %> logpath = %(nginx_error_log)s maxretry = 2 
@@ -426,24 +426,24 @@ maxretry = 2 [php-url-fopen] -enabled = <%= "php-url-fopen" in $fail2ban::jails %> -port = http,https +enabled = <%= 'php-url-fopen' in $fail2ban::jails %> +port = <%= fail2ban::port('php-url-fopen', 'http,https') %> logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] -enabled = <%= "suhosin" in $fail2ban::jails %> -port = http,https +enabled = <%= 'suhosin' in $fail2ban::jails %> +port = <%= fail2ban::port('suhosin', 'http,https') %> logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications -enabled = <%= "lighttpd-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'lighttpd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('lighttpd-auth', 'http,https') %> logpath = %(lighttpd_error_log)s 
@@ -453,48 +453,48 @@ logpath = %(lighttpd_error_log)s [roundcube-auth] -enabled = <%= "roundcube-auth" in $fail2ban::jails %> -port = http,https -logpath = %(roundcube_errors_log)s +enabled = <%= 'roundcube-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('roundcube-auth', 'http,https') %> +logpath = %(roundcube_errors_log)s # Use following line in your jail.local if roundcube logs to journal. #backend = %(syslog_backend)s [openwebmail] -enabled = <%= "openwebmail" in $fail2ban::jails %> -port = http,https -logpath = /var/log/openwebmail.log +enabled = <%= 'openwebmail' in $fail2ban::jails %> +port = <%= fail2ban::port('openwebmail', 'http,https') %> +logpath = /var/log/openwebmail.log [horde] -enabled = <%= "horde" in $fail2ban::jails %> -port = http,https -logpath = /var/log/horde/horde.log +enabled = <%= 'horde' in $fail2ban::jails %> +port = <%= fail2ban::port('horde', 'http,https') %> +logpath = /var/log/horde/horde.log [groupoffice] -enabled = <%= "groupoffice" in $fail2ban::jails %> -port = http,https -logpath = /home/groupoffice/log/info.log +enabled = <%= 'groupoffice' in $fail2ban::jails %> +port = <%= fail2ban::port('groupoffice', 'http,https') %> +logpath = /home/groupoffice/log/info.log [sogo-auth] # Monitor SOGo groupware server # without proxy this would be: # port = 20000 -enabled = <%= "sogo-auth" in $fail2ban::jails %> -port = http,https -logpath = /var/log/sogo/sogo.log +enabled = <%= 'sogo-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sogo-auth', 'http,https') %> +logpath = /var/log/sogo/sogo.log [tine20] -enabled = <%= "tine20" in $fail2ban::jails %> -logpath = /var/log/tine20/tine20.log -port = http,https +enabled = <%= 'tine20' in $fail2ban::jails %> +logpath = /var/log/tine20/tine20.log +port = <%= fail2ban::port('tine20', 'http,https') %> # 
@@ -504,37 +504,37 @@ port = http,https [drupal-auth] -enabled = <%= "drupal-auth" in $fail2ban::jails %> -port = http,https -logpath = %(syslog_daemon)s -backend = %(syslog_backend)s +enabled = <%= 'drupal-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('drupal-auth', 'http,https') %> +logpath = %(syslog_daemon)s +backend = %(syslog_backend)s [guacamole] -enabled = <%= "guacamole" in $fail2ban::jails %> -port = http,https +enabled = <%= 'guacamole' in $fail2ban::jails %> +port = <%= fail2ban::port('guacamole', 'http,https') %> logpath = /var/log/tomcat*/catalina.out [monit] #Ban clients brute-forcing the monit gui login -enabled = <%= "monit" in $fail2ban::jails %> -port = 2812 +enabled = <%= 'monit' in $fail2ban::jails %> +port = <%= fail2ban::port('monit', 2812) %> logpath = /var/log/monit /var/log/monit.log [webmin-auth] -enabled = <%= "webmin-auth" in $fail2ban::jails %> -port = 10000 +enabled = <%= 'webmin-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('webmin-auth', 10000) %> logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [froxlor-auth] -enabled = <%= "froxlor-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'froxlor-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('froxlor-auth', 'http,https') %> logpath = %(syslog_authpriv)s backend = %(syslog_backend)s @@ -546,15 +546,15 @@ backend = %(syslog_backend)s [squid] -enabled = <%= "squid" in $fail2ban::jails %> -port = 80,443,3128,8080 +enabled = <%= 'squid' in $fail2ban::jails %> +port = <%= fail2ban::port('squid', '80,443,3128,8080') %> logpath = /var/log/squid/access.log [3proxy] -enabled = <%= "3proxy" in $fail2ban::jails %> -port = 3128 +enabled = <%= '3proxy' in $fail2ban::jails %> +port = <%= fail2ban::port('3proxy', 3128) %> logpath = /var/log/3proxy.log 
@@ -565,32 +565,32 @@ logpath = /var/log/3proxy.log [proftpd] -enabled = <%= "proftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'proftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('proftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(proftpd_log)s backend = %(proftpd_backend)s [pure-ftpd] -enabled = <%= "pure-ftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'pure-ftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('pure-ftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(pureftpd_log)s backend = %(pureftpd_backend)s [gssftpd] -enabled = <%= "gssftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'gssftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('gssftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(syslog_daemon)s backend = %(syslog_backend)s [wuftpd] -enabled = <%= "wuftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'wuftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('wuftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(wuftpd_log)s backend = %(wuftpd_backend)s @@ -598,12 +598,12 @@ backend = %(wuftpd_backend)s [vsftpd] -enabled = <%= "vsftpd" in $fail2ban::jails %> +enabled = <%= 'vsftpd' in $fail2ban::jails %> # or overwrite it in jails.local to be # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats -port = ftp,ftp-data,ftps,ftps-data +port = <%= fail2ban::port('vsftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(vsftpd_log)s 
@@ -614,34 +614,34 @@ logpath = %(vsftpd_log)s # ASSP SMTP Proxy Jail [assp] -enabled = <%= "assp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'assp' in $fail2ban::jails %> +port = <%= fail2ban::port('assp', 'smtp,465,submission') %> logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] -enabled = <%= "courier-smtp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'courier-smtp' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-smtp', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [postfix] -enabled = <%= "postfix" in $fail2ban::jails %> +enabled = <%= 'postfix' in $fail2ban::jails %> # To use another modes set filter parameter "mode" in jail.local: mode = more -port = smtp,465,submission +port = <%= fail2ban::port('postfix', 'smtp,465,submission') %> logpath = %(postfix_log)s backend = %(postfix_backend)s [postfix-rbl] -enabled = <%= "postfix-rbl" in $fail2ban::jails %> +enabled = <%= 'postfix-rbl' in $fail2ban::jails %> filter = postfix[mode=rbl] -port = smtp,465,submission +port = <%= fail2ban::port('postfix-rbl', 'smtp,465,submission') %> logpath = %(postfix_log)s backend = %(postfix_backend)s maxretry = 1 @@ -649,8 +649,8 @@ maxretry = 1 [sendmail-auth] -enabled = <%= "sendmail-auth" in $fail2ban::jails %> -port = submission,465,smtp +enabled = <%= 'sendmail-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-auth', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s 
@@ -658,21 +658,21 @@ backend = %(syslog_backend)s [sendmail-reject] -enabled = <%= "sendmail-reject" in $fail2ban::jails %> +enabled = <%= 'sendmail-reject' in $fail2ban::jails %> # To use more aggressive modes set filter parameter "mode" in jail.local: # normal (default), extra or aggressive # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details. #mode = normal -port = smtp,465,submission +port = <%= fail2ban::port('sendmail-reject', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [qmail-rbl] -enabled = <%= "qmail-rbl" in $fail2ban::jails %> +enabled = <%= 'qmail-rbl' in $fail2ban::jails %> filter = qmail -port = smtp,465,submission +port = <%= fail2ban::port('qmail-rbl', 'smtp,465,submission') %> logpath = /service/qmail/log/main/current 
@@ -680,45 +680,46 @@ logpath = /service/qmail/log/main/current # but can be set by syslog_facility in the dovecot configuration. [dovecot] -enabled = <%= "dovecot" in $fail2ban::jails %> -port = pop3,pop3s,imap,imaps,submission,465,sieve +enabled = <%= 'dovecot' in $fail2ban::jails %> +port = <%= fail2ban::port('dovecot', 'pop3,pop3s,imap,imaps,submission,465,sieve') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [sieve] -enabled = <%= "sieve" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sieve' in $fail2ban::jails %> +port = <%= fail2ban::port('sieve', 'smtp,465,submission') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [solid-pop3d] -enabled = <%= "solid-pop3d" in $fail2ban::jails %> -port = pop3,pop3s +enabled = <%= 'solid-pop3d' in $fail2ban::jails %> +port = <%= fail2ban::port('solid-pop3d', 'pop3,pop3s') %> logpath = %(solidpop3d_log)s [exim] # see filter.d/exim.conf for further modes supported from filter: #mode = normal -port = smtp,465,submission +enabled = <%= 'exim' in $fail2ban::jails %> +port = <%= fail2ban::port('exim', 'smtp,465,submission') %> logpath = %(exim_main_log)s [exim-spam] -enabled = <%= "exim-spam" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim-spam' in $fail2ban::jails %> +port = <%= fail2ban::port('exim-spam', 'smtp,465,submission') %> logpath = %(exim_main_log)s [kerio] -enabled = <%= "kerio" in $fail2ban::jails %> -port = imap,smtp,imaps,465 +enabled = <%= 'kerio' in $fail2ban::jails %> +port = <%= fail2ban::port('kerio', 'imap,smtp,imaps,465') %> logpath = /opt/kerio/mailserver/store/logs/security.log 
@@ -729,17 +730,17 @@ logpath = /opt/kerio/mailserver/store/logs/security.log [courier-auth] -enabled = <%= "courier-auth" in $fail2ban::jails %> -port = smtp,465,submission,imap,imaps,pop3,pop3s +enabled = <%= 'courier-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-auth', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [postfix-sasl] -enabled = <%= "postfix-sasl" in $fail2ban::jails %> +enabled = <%= 'postfix-sasl' in $fail2ban::jails %> filter = postfix[mode=auth] -port = smtp,465,submission,imap,imaps,pop3,pop3s +port = <%= fail2ban::port('postfix-sasl', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. 
@@ -749,31 +750,31 @@ backend = %(postfix_backend)s [perdition] -enabled = <%= "perdition" in $fail2ban::jails %> -port = imap,imaps,pop3,pop3s +enabled = <%= 'perdition' in $fail2ban::jails %> +port = <%= fail2ban::port('perdition', 'imap,imaps,pop3,pop3s') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [squirrelmail] -enabled = <%= "squirrelmail" in $fail2ban::jails %> -port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks +enabled = <%= 'squirrelmail' in $fail2ban::jails %> +port = <%= fail2ban::port('squirrelmail', 'smtp,465,submission,imap2,imap,imaps,pop3,pop3s,http,https,socks') %> logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] -enabled = <%= "cyrus-imap" in $fail2ban::jails %> -port = imap,imaps +enabled = <%= 'cyrus-imap' in $fail2ban::jails %> +port = <%= fail2ban::port('cyrus-imap', 'imap3,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [uwimap-auth] -enabled = <%= "uwimap-auth" in $fail2ban::jails %> -port = imap,imaps +enabled = <%= 'uwimap-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('uwimap-auth', 'imap,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s 
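Review bot: The `cyrus-imap` default changes from `imap,imaps` to `imap3,imaps` in this hunk, which is a silent change of the ports the jail bans on rather than the mechanical rewrite the rest of the patch performs; `imap3` is a distinct service name (220/tcp in the standard services table), so hosts failing Cyrus authentication would no longer be banned on the usual IMAP port. Unless that is intended, keep the previous default: `port = <%= fail2ban::port('cyrus-imap', 'imap,imaps') %>`. The `squirrelmail` line in the same hunk also reorders its list (`imap2,imap` where it was `imap,imap2`), harmless in itself but it makes the diff harder to audit for exactly this kind of change. The Ubuntu 24.04 file in patch 3 carries the same blob ids as this file (`73f0b6ac..86631132`), so it presumably inherits the change; its corresponding hunk is beyond this chunk.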
@@ -806,16 +807,16 @@ backend = %(syslog_backend)s [named-refused] -enabled = <%= "named-refused" in $fail2ban::jails %> -port = domain,953 -logpath = /var/log/named/security.log +enabled = <%= 'named-refused' in $fail2ban::jails %> +port = <%= fail2ban::port('named-refused', 'domain,953') %> +logpath = /var/log/named/security.log [nsd] -enabled = <%= "nsd" in $fail2ban::jails %> -port = 53 -action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] +enabled = <%= 'nsd' in $fail2ban::jails %> +port = <%= fail2ban::port('nsd', 53) %> +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log @@ -826,8 +827,8 @@ logpath = /var/log/nsd.log [asterisk] -enabled = <%= "asterisk" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'asterisk' in $fail2ban::jails %> +port = <%= fail2ban::port('asterisk', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] @@ -837,8 +838,8 @@ maxretry = 10 [freeswitch] -enabled = <%= "freeswitch" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'freeswitch' in $fail2ban::jails %> +port = <%= fail2ban::port('freeswitch', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] 
@@ -867,8 +868,8 @@ logpath = /var/lib/znc/moddata/adminlog/znc.log
# log-error=/var/log/mysqld.log
[mysqld-auth]
-enabled = <%= "mysqld-auth" in $fail2ban::jails %>
-port = 3306
+enabled = <%= 'mysqld-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('mysqld-auth', 3306) %>
logpath = %(mysql_log)s
backend = %(mysql_backend)s
@@ -876,8 +877,8 @@ backend = %(mysql_backend)s
# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
[mongodb-auth]
# change port when running with "--shardsvr" or "--configsvr" runtime operation
-enabled = <%= "mongodb-auth" in $fail2ban::jails %>
-port = 27017
+enabled = <%= 'mongodb-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('mongodb-auth', 27017) %>
logpath = /var/log/mongodb/mongodb.log
@@ -926,8 +927,8 @@ logpath = /var/log/stunnel4/stunnel.log
[ejabberd-auth]
-enabled = <%= "ejabberd-auth" in $fail2ban::jails %>
-port = 5222
+enabled = <%= 'ejabberd-auth' in $fail2ban::jails %>
+port = <%= fail2ban::port('ejabberd-auth', 5222) %>
logpath = /var/log/ejabberd/ejabberd.log
diff --git a/types/port.pp b/types/port.pp
new file mode 100644
index 00000000..d6b6fa4c
--- /dev/null
+++ b/types/port.pp
@@ -0,0 +1,6 @@
+# Port type
+type Fail2ban::Port = Variant[
+ Integer,
+ String,
+ Tuple[Variant[Integer, String], 1, default]
+ ]
From 79f90d9c44ea690f4a80ca66cb6fcd49c7a067b1 Mon Sep 17 00:00:00 2001
From: Tomas Barton
Date: Thu, 26 Sep 2024 14:19:07 +0200
Subject: [PATCH 2/3] Fix ssh-ddos
---
templates/CentOS/6/etc/fail2ban/jail.conf.epp | 2 +-
templates/CentOS/7/etc/fail2ban/jail.conf.epp | 2 +-
templates/Debian/9/etc/fail2ban/jail.conf.epp | 2 +-
templates/RedHat/6/etc/fail2ban/jail.conf.epp | 2 +-
templates/RedHat/7/etc/fail2ban/jail.conf.epp | 2 +-
templates/Ubuntu/16.04/etc/fail2ban/jail.conf.epp | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/templates/CentOS/6/etc/fail2ban/jail.conf.epp b/templates/CentOS/6/etc/fail2ban/jail.conf.epp
index f08e5e08..8a6a034f 100644
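Review bot: `Fail2ban::Port` in the new types/port.pp accepts any `String`, and the templates above write the looked-up value into jail.conf verbatim, so a malformed or multi-line override coming from Hiera is rendered unchecked and can break, or silently rewrite, the jail definition it lands in. A narrower element type would reject that at catalog compile time, e.g. `Pattern[/\A[A-Za-z0-9_:,-]+\z/]` in place of the bare `String` in both positions of the `Variant`, which still admits service names, numbers, `a,b` lists and `lo:hi` ranges. The function that consumes this type (functions/port.pp) is not in this chunk, so how the `Tuple` form is joined into one `port =` value cannot be checked here; a comment on the type stating that joining rule would help, since `# Port type` says nothing about it.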
--- a/templates/CentOS/6/etc/fail2ban/jail.conf.epp
+++ b/templates/CentOS/6/etc/fail2ban/jail.conf.epp
@@ -195,7 +195,7 @@ logpath = %(sshd_log)s
# The mail-whois action send a notification e-mail with a whois request
# in the body.
enabled = <%= "ssh-ddos" in $fail2ban::jails %>
-port = <%= lookup('fail2ban::jails_config.ssh-ddos.port', String, undef, 'ssh') %>
+port = <%= fail2ban::port('ssh-ddos', 'ssh') %>
logpath = %(sshd_log)s
diff --git a/templates/CentOS/7/etc/fail2ban/jail.conf.epp b/templates/CentOS/7/etc/fail2ban/jail.conf.epp
index cd78c724..9a99f91d 100644
--- a/templates/CentOS/7/etc/fail2ban/jail.conf.epp
+++ b/templates/CentOS/7/etc/fail2ban/jail.conf.epp
@@ -195,7 +195,7 @@ logpath = %(sshd_log)s
# The mail-whois action send a notification e-mail with a whois request
# in the body.
enabled = <%= "ssh-ddos" in $fail2ban::jails %>
-port = <%= lookup('fail2ban::jails_config.ssh-ddos.port', String, undef, 'ssh') %>
+port = <%= fail2ban::port('ssh-ddos', 'ssh') %>
logpath = %(sshd_log)s
diff --git a/templates/Debian/9/etc/fail2ban/jail.conf.epp b/templates/Debian/9/etc/fail2ban/jail.conf.epp
index d95299e9..8f4eaf99 100644
--- a/templates/Debian/9/etc/fail2ban/jail.conf.epp
+++ b/templates/Debian/9/etc/fail2ban/jail.conf.epp
@@ -240,7 +240,7 @@ backend = %(sshd_backend)s
# The mail-whois action send a notification e-mail with a whois request
# in the body.
enabled = <%= "ssh-ddos" in $fail2ban::jails %>
-port = <%= lookup('fail2ban::jails_config.ssh-ddos.port', String, undef, 'ssh') %>
+port = <%= fail2ban::port('ssh-ddos', 'ssh') %>
logpath = %(sshd_log)s
backend = %(sshd_backend)s
diff --git a/templates/RedHat/6/etc/fail2ban/jail.conf.epp b/templates/RedHat/6/etc/fail2ban/jail.conf.epp
index 3727f11b..a59c80cd 100644
--- a/templates/RedHat/6/etc/fail2ban/jail.conf.epp
+++ b/templates/RedHat/6/etc/fail2ban/jail.conf.epp
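Review bot: The `enabled = <%= "ssh-ddos" in $fail2ban::jails %>` context line kept in this hunk, and in the CentOS 7, Debian 9, RedHat 6/7 and Ubuntu 16.04 hunks that follow, still uses double quotes, while patch 1 switched every other jail in these templates to the single-quoted `'jail-name' in $fail2ban::jails` form; since this patch already rewrites the line directly below it in each file, it is the natural place to align them, e.g. `enabled = <%= 'ssh-ddos' in $fail2ban::jails %>`. The `[ssh-ddos]` section header and the rest of each jail lie outside these one-line hunks.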
@@ -226,7 +226,7 @@ logpath = %(sshd_log)s
# The mail-whois action send a notification e-mail with a whois request
# in the boidy.
enabled = <%= "ssh-ddos" in $fail2ban::jails %>
-port = <%= lookup('fail2ban::jails_config.ssh-ddos.port', String, undef, 'ssh') %>
+port = <%= fail2ban::port('ssh-ddos', 'ssh') %>
filter = sshd
logpath = %(sshd_log)s
diff --git a/templates/RedHat/7/etc/fail2ban/jail.conf.epp b/templates/RedHat/7/etc/fail2ban/jail.conf.epp
index 57f3e12a..1c479981 100644
--- a/templates/RedHat/7/etc/fail2ban/jail.conf.epp
+++ b/templates/RedHat/7/etc/fail2ban/jail.conf.epp
@@ -226,7 +226,7 @@ logpath = %(sshd_log)s
# The mail-whois action send a notification e-mail with a whois request
# in the boidy.
enabled = <%= "ssh-ddos" in $fail2ban::jails %>
-port = <%= lookup('fail2ban::jails_config.ssh-ddos.port', String, undef, 'ssh') %>
+port = <%= fail2ban::port('ssh-ddos', 'ssh') %>
filter = sshd
logpath = %(sshd_log)s
diff --git a/templates/Ubuntu/16.04/etc/fail2ban/jail.conf.epp b/templates/Ubuntu/16.04/etc/fail2ban/jail.conf.epp
index 7d4cb3b4..6d0e7001 100644
--- a/templates/Ubuntu/16.04/etc/fail2ban/jail.conf.epp
+++ b/templates/Ubuntu/16.04/etc/fail2ban/jail.conf.epp
@@ -233,7 +233,7 @@ maxretry = 6
# The mail-whois action send a notification e-mail with a whois request
# in the body.
enabled = <%= "ssh-ddos" in $fail2ban::jails %>
-port = <%= lookup('fail2ban::jails_config.ssh-ddos.port', String, undef, 'ssh') %>
+port = <%= fail2ban::port('ssh-ddos', 'ssh') %>
logpath = %(sshd_log)s
maxretry = 6
From 4a8baa4645003c5a8e10f7333f99d7fdb3c77620 Mon Sep 17 00:00:00 2001
From: Tomas Barton
Date: Thu, 26 Sep 2024 14:21:19 +0200
Subject: [PATCH 3/3] Update Ubuntu 24.04
---
.../Ubuntu/24.04/etc/fail2ban/jail.conf.epp | 269 +++++++++---------
1 file changed, 135 insertions(+), 134 deletions(-)
diff --git a/templates/Ubuntu/24.04/etc/fail2ban/jail.conf.epp b/templates/Ubuntu/24.04/etc/fail2ban/jail.conf.epp
index 73f0b6ac..86631132 100644
--- a/templates/Ubuntu/24.04/etc/fail2ban/jail.conf.epp +++ b/templates/Ubuntu/24.04/etc/fail2ban/jail.conf.epp @@ -290,24 +290,24 @@ action = %(<%= $fail2ban::action %>)s # normal (default), ddos, extra or aggressive (combines all). # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. #mode = normal -enabled = <%= "ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('ssh', 'ssh') %> logpath = %(sshd_log)s backend = %(sshd_backend)s [dropbear] -enabled = <%= "dropbear" in $fail2ban::jails %> -port = ssh +enabled = <%= 'dropbear' in $fail2ban::jails %> +port = <%= fail2ban::port('dropbear', 'ssh') %> logpath = %(dropbear_log)s backend = %(dropbear_backend)s [selinux-ssh] -enabled = <%= "selinux-ssh" in $fail2ban::jails %> -port = ssh +enabled = <%= 'selinux-ssh' in $fail2ban::jails %> +port = <%= fail2ban::port('selinux-ssh', 'ssh') %> logpath = %(auditd_log)s @@ -317,16 +317,16 @@ logpath = %(auditd_log)s [apache-auth] -enabled = <%= "apache-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-auth', 'http,https') %> logpath = %(apache_error_log)s [apache-badbots] # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. -enabled = <%= "apache-badbots" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-badbots' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-badbots', 'http,https') %> logpath = %(apache_access_log)s bantime = 48h maxretry = 1 
@@ -334,39 +334,39 @@ maxretry = 1 [apache-noscript] -enabled = <%= "apache-noscript" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-noscript' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-noscript', 'http,https') %> logpath = %(apache_error_log)s [apache-overflows] -enabled = <%= "apache-overflows" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-overflows' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-overflows', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-nohome] -enabled = <%= "apache-nohome" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-nohome' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-nohome', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-botsearch] -enabled = <%= "apache-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-botsearch', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-fakegooglebot] -enabled = <%= "apache-fakegooglebot" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-fakegooglebot' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-fakegooglebot', 'http,https') %> logpath = %(apache_access_log)s maxretry = 1 ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot 
@@ -374,23 +374,23 @@ ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot [apache-modsecurity] -enabled = <%= "apache-modsecurity" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-modsecurity' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-modsecurity', 'http,https') %> logpath = %(apache_error_log)s maxretry = 2 [apache-shellshock] -enabled = <%= "apache-shellshock" in $fail2ban::jails %> -port = http,https +enabled = <%= 'apache-shellshock' in $fail2ban::jails %> +port = <%= fail2ban::port('apache-shellshock', 'http,https') %> logpath = %(apache_error_log)s maxretry = 1 [openhab-auth] -enabled = <%= "openhab-auth" in $fail2ban::jails %> +enabled = <%= 'openhab-auth' in $fail2ban::jails %> filter = openhab action = iptables-allports[name=NoAuthFailures] logpath = /opt/openhab/logs/request.log @@ -398,8 +398,8 @@ logpath = /opt/openhab/logs/request.log [nginx-http-auth] -enabled = <%= "nginx-http-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-http-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-http-auth', 'http,https') %> logpath = %(nginx_error_log)s # To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` @@ -408,14 +408,14 @@ logpath = %(nginx_error_log)s # or for example see in 'config/filter.d/nginx-limit-req.conf' [nginx-limit-req] -enabled = <%= "nginx-limit-req" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-limit-req' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-limit-req', 'http,https') %> logpath = %(nginx_error_log)s [nginx-botsearch] -enabled = <%= "nginx-botsearch" in $fail2ban::jails %> -port = http,https +enabled = <%= 'nginx-botsearch' in $fail2ban::jails %> +port = <%= fail2ban::port('nginx-botsearch', 'http,https') %> logpath = %(nginx_error_log)s maxretry = 2 
@@ -426,24 +426,24 @@ maxretry = 2 [php-url-fopen] -enabled = <%= "php-url-fopen" in $fail2ban::jails %> -port = http,https +enabled = <%= 'php-url-fopen' in $fail2ban::jails %> +port = <%= fail2ban::port('php-url-fopen', 'http,https') %> logpath = %(nginx_access_log)s %(apache_access_log)s [suhosin] -enabled = <%= "suhosin" in $fail2ban::jails %> -port = http,https +enabled = <%= 'suhosin' in $fail2ban::jails %> +port = <%= fail2ban::port('suhosin', 'http,https') %> logpath = %(suhosin_log)s [lighttpd-auth] # Same as above for Apache's mod_auth # It catches wrong authentifications -enabled = <%= "lighttpd-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'lighttpd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('lighttpd-auth', 'http,https') %> logpath = %(lighttpd_error_log)s 
@@ -453,48 +453,48 @@ logpath = %(lighttpd_error_log)s [roundcube-auth] -enabled = <%= "roundcube-auth" in $fail2ban::jails %> -port = http,https -logpath = %(roundcube_errors_log)s +enabled = <%= 'roundcube-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('roundcube-auth', 'http,https') %> +logpath = %(roundcube_errors_log)s # Use following line in your jail.local if roundcube logs to journal. #backend = %(syslog_backend)s [openwebmail] -enabled = <%= "openwebmail" in $fail2ban::jails %> -port = http,https -logpath = /var/log/openwebmail.log +enabled = <%= 'openwebmail' in $fail2ban::jails %> +port = <%= fail2ban::port('openwebmail', 'http,https') %> +logpath = /var/log/openwebmail.log [horde] -enabled = <%= "horde" in $fail2ban::jails %> -port = http,https -logpath = /var/log/horde/horde.log +enabled = <%= 'horde' in $fail2ban::jails %> +port = <%= fail2ban::port('horde', 'http,https') %> +logpath = /var/log/horde/horde.log [groupoffice] -enabled = <%= "groupoffice" in $fail2ban::jails %> -port = http,https -logpath = /home/groupoffice/log/info.log +enabled = <%= 'groupoffice' in $fail2ban::jails %> +port = <%= fail2ban::port('groupoffice', 'http,https') %> +logpath = /home/groupoffice/log/info.log [sogo-auth] # Monitor SOGo groupware server # without proxy this would be: # port = 20000 -enabled = <%= "sogo-auth" in $fail2ban::jails %> -port = http,https -logpath = /var/log/sogo/sogo.log +enabled = <%= 'sogo-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sogo-auth', 'http,https') %> +logpath = /var/log/sogo/sogo.log [tine20] -enabled = <%= "tine20" in $fail2ban::jails %> -logpath = /var/log/tine20/tine20.log -port = http,https +enabled = <%= 'tine20' in $fail2ban::jails %> +logpath = /var/log/tine20/tine20.log +port = <%= fail2ban::port('tine20', 'http,https') %> # 
@@ -504,37 +504,37 @@ port = http,https [drupal-auth] -enabled = <%= "drupal-auth" in $fail2ban::jails %> -port = http,https -logpath = %(syslog_daemon)s -backend = %(syslog_backend)s +enabled = <%= 'drupal-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('drupal-auth', 'http,https') %> +logpath = %(syslog_daemon)s +backend = %(syslog_backend)s [guacamole] -enabled = <%= "guacamole" in $fail2ban::jails %> -port = http,https +enabled = <%= 'guacamole' in $fail2ban::jails %> +port = <%= fail2ban::port('guacamole', 'http,https') %> logpath = /var/log/tomcat*/catalina.out [monit] #Ban clients brute-forcing the monit gui login -enabled = <%= "monit" in $fail2ban::jails %> -port = 2812 +enabled = <%= 'monit' in $fail2ban::jails %> +port = <%= fail2ban::port('monit', 2812) %> logpath = /var/log/monit /var/log/monit.log [webmin-auth] -enabled = <%= "webmin-auth" in $fail2ban::jails %> -port = 10000 +enabled = <%= 'webmin-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('webmin-auth', 10000) %> logpath = %(syslog_authpriv)s backend = %(syslog_backend)s [froxlor-auth] -enabled = <%= "froxlor-auth" in $fail2ban::jails %> -port = http,https +enabled = <%= 'froxlor-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('froxlor-auth', 'http,https') %> logpath = %(syslog_authpriv)s backend = %(syslog_backend)s @@ -546,15 +546,15 @@ backend = %(syslog_backend)s [squid] -enabled = <%= "squid" in $fail2ban::jails %> -port = 80,443,3128,8080 +enabled = <%= 'squid' in $fail2ban::jails %> +port = <%= fail2ban::port('squid', '80,443,3128,8080') %> logpath = /var/log/squid/access.log [3proxy] -enabled = <%= "3proxy" in $fail2ban::jails %> -port = 3128 +enabled = <%= '3proxy' in $fail2ban::jails %> +port = <%= fail2ban::port('3proxy', 3128) %> logpath = /var/log/3proxy.log 
@@ -565,32 +565,32 @@ logpath = /var/log/3proxy.log [proftpd] -enabled = <%= "proftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'proftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('proftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(proftpd_log)s backend = %(proftpd_backend)s [pure-ftpd] -enabled = <%= "pure-ftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'pure-ftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('pure-ftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(pureftpd_log)s backend = %(pureftpd_backend)s [gssftpd] -enabled = <%= "gssftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'gssftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('gssftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(syslog_daemon)s backend = %(syslog_backend)s [wuftpd] -enabled = <%= "wuftpd" in $fail2ban::jails %> -port = ftp,ftp-data,ftps,ftps-data +enabled = <%= 'wuftpd' in $fail2ban::jails %> +port = <%= fail2ban::port('wuftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(wuftpd_log)s backend = %(wuftpd_backend)s @@ -598,12 +598,12 @@ backend = %(wuftpd_backend)s [vsftpd] -enabled = <%= "vsftpd" in $fail2ban::jails %> +enabled = <%= 'vsftpd' in $fail2ban::jails %> # or overwrite it in jails.local to be # logpath = %(syslog_authpriv)s # if you want to rely on PAM failed login attempts # vsftpd's failregex should match both of those formats -port = ftp,ftp-data,ftps,ftps-data +port = <%= fail2ban::port('vsftpd', 'ftp,ftp-data,ftps,ftps-data') %> logpath = %(vsftpd_log)s 
@@ -614,34 +614,34 @@ logpath = %(vsftpd_log)s # ASSP SMTP Proxy Jail [assp] -enabled = <%= "assp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'assp' in $fail2ban::jails %> +port = <%= fail2ban::port('assp', 'smtp,465,submission') %> logpath = /root/path/to/assp/logs/maillog.txt [courier-smtp] -enabled = <%= "courier-smtp" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'courier-smtp' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-smtp', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [postfix] -enabled = <%= "postfix" in $fail2ban::jails %> +enabled = <%= 'postfix' in $fail2ban::jails %> # To use another modes set filter parameter "mode" in jail.local: mode = more -port = smtp,465,submission +port = <%= fail2ban::port('postfix', 'smtp,465,submission') %> logpath = %(postfix_log)s backend = %(postfix_backend)s [postfix-rbl] -enabled = <%= "postfix-rbl" in $fail2ban::jails %> +enabled = <%= 'postfix-rbl' in $fail2ban::jails %> filter = postfix[mode=rbl] -port = smtp,465,submission +port = <%= fail2ban::port('postfix-rbl', 'smtp,465,submission') %> logpath = %(postfix_log)s backend = %(postfix_backend)s maxretry = 1 @@ -649,8 +649,8 @@ maxretry = 1 [sendmail-auth] -enabled = <%= "sendmail-auth" in $fail2ban::jails %> -port = submission,465,smtp +enabled = <%= 'sendmail-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('sendmail-auth', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s 
@@ -658,21 +658,21 @@ backend = %(syslog_backend)s [sendmail-reject] -enabled = <%= "sendmail-reject" in $fail2ban::jails %> +enabled = <%= 'sendmail-reject' in $fail2ban::jails %> # To use more aggressive modes set filter parameter "mode" in jail.local: # normal (default), extra or aggressive # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details. #mode = normal -port = smtp,465,submission +port = <%= fail2ban::port('sendmail-reject', 'smtp,465,submission') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [qmail-rbl] -enabled = <%= "qmail-rbl" in $fail2ban::jails %> +enabled = <%= 'qmail-rbl' in $fail2ban::jails %> filter = qmail -port = smtp,465,submission +port = <%= fail2ban::port('qmail-rbl', 'smtp,465,submission') %> logpath = /service/qmail/log/main/current 
@@ -680,45 +680,46 @@ logpath = /service/qmail/log/main/current # but can be set by syslog_facility in the dovecot configuration. [dovecot] -enabled = <%= "dovecot" in $fail2ban::jails %> -port = pop3,pop3s,imap,imaps,submission,465,sieve +enabled = <%= 'dovecot' in $fail2ban::jails %> +port = <%= fail2ban::port('dovecot', 'pop3,pop3s,imap,imaps,submission,465,sieve') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [sieve] -enabled = <%= "sieve" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'sieve' in $fail2ban::jails %> +port = <%= fail2ban::port('sieve', 'smtp,465,submission') %> logpath = %(dovecot_log)s backend = %(dovecot_backend)s [solid-pop3d] -enabled = <%= "solid-pop3d" in $fail2ban::jails %> -port = pop3,pop3s +enabled = <%= 'solid-pop3d' in $fail2ban::jails %> +port = <%= fail2ban::port('solid-pop3d', 'pop3,pop3s') %> logpath = %(solidpop3d_log)s [exim] # see filter.d/exim.conf for further modes supported from filter: #mode = normal -port = smtp,465,submission +enabled = <%= 'exim' in $fail2ban::jails %> +port = <%= fail2ban::port('exim', 'smtp,465,submission') %> logpath = %(exim_main_log)s [exim-spam] -enabled = <%= "exim-spam" in $fail2ban::jails %> -port = smtp,465,submission +enabled = <%= 'exim-spam' in $fail2ban::jails %> +port = <%= fail2ban::port('exim-spam', 'smtp,465,submission') %> logpath = %(exim_main_log)s [kerio] -enabled = <%= "kerio" in $fail2ban::jails %> -port = imap,smtp,imaps,465 +enabled = <%= 'kerio' in $fail2ban::jails %> +port = <%= fail2ban::port('kerio', 'imap,smtp,imaps,465') %> logpath = /opt/kerio/mailserver/store/logs/security.log 
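Review bot: The `[exim]` block gains `enabled = <%= 'exim' in $fail2ban::jails %>`, a line the old side never had: only `port` is removed there, so before this change listing `exim` in `$fail2ban::jails` presumably had no effect and the jail took whatever `enabled` the `[DEFAULT]` section supplies. That is a welcome fix, but it is a behaviour change unrelated to the port override the commit title describes, and nodes that already list `exim` will start banning once this template is applied. Mention it in the commit description so operators can anticipate the new bans.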
@@ -729,17 +730,17 @@ logpath = /opt/kerio/mailserver/store/logs/security.log [courier-auth] -enabled = <%= "courier-auth" in $fail2ban::jails %> -port = smtp,465,submission,imap,imaps,pop3,pop3s +enabled = <%= 'courier-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('courier-auth', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [postfix-sasl] -enabled = <%= "postfix-sasl" in $fail2ban::jails %> +enabled = <%= 'postfix-sasl' in $fail2ban::jails %> filter = postfix[mode=auth] -port = smtp,465,submission,imap,imaps,pop3,pop3s +port = <%= fail2ban::port('postfix-sasl', 'smtp,465,submission,imap,imaps,pop3,pop3s') %> # You might consider monitoring /var/log/mail.warn instead if you are # running postfix since it would provide the same log lines at the # "warn" level but overall at the smaller filesize. 
@@ -749,31 +750,31 @@ backend = %(postfix_backend)s [perdition] -enabled = <%= "perdition" in $fail2ban::jails %> -port = imap,imaps,pop3,pop3s +enabled = <%= 'perdition' in $fail2ban::jails %> +port = <%= fail2ban::port('perdition', 'imap,imaps,pop3,pop3s') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [squirrelmail] -enabled = <%= "squirrelmail" in $fail2ban::jails %> -port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks +enabled = <%= 'squirrelmail' in $fail2ban::jails %> +port = <%= fail2ban::port('squirrelmail', 'smtp,465,submission,imap2,imap,imaps,pop3,pop3s,http,https,socks') %> logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log [cyrus-imap] -enabled = <%= "cyrus-imap" in $fail2ban::jails %> -port = imap,imaps +enabled = <%= 'cyrus-imap' in $fail2ban::jails %> +port = <%= fail2ban::port('cyrus-imap', 'imap3,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s [uwimap-auth] -enabled = <%= "uwimap-auth" in $fail2ban::jails %> -port = imap,imaps +enabled = <%= 'uwimap-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('uwimap-auth', 'imap,imaps') %> logpath = %(syslog_mail)s backend = %(syslog_backend)s 
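Review bot: The cyrus-imap default changes from `imap,imaps` on the removed line to `'imap3,imaps'` in `fail2ban::port('cyrus-imap', 'imap3,imaps')`; `imap3` is a different service name (220/tcp in the IANA registry), not 143/tcp, so nodes relying on the default stop banning on the standard IMAP port. If this deliberately follows upstream fail2ban's jail.conf, say so in the description; otherwise keep `'imap,imaps'` or use `'imap,imap3,imaps'` so 143 stays covered. The other reorder in this hunk, `squirrelmail`'s `imap2,imap` swap, does not change the set of ports.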
@@ -806,16 +807,16 @@ backend = %(syslog_backend)s [named-refused] -enabled = <%= "named-refused" in $fail2ban::jails %> -port = domain,953 -logpath = /var/log/named/security.log +enabled = <%= 'named-refused' in $fail2ban::jails %> +port = <%= fail2ban::port('named-refused', 'domain,953') %> +logpath = /var/log/named/security.log [nsd] -enabled = <%= "nsd" in $fail2ban::jails %> -port = 53 -action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] +enabled = <%= 'nsd' in $fail2ban::jails %> +port = <%= fail2ban::port('nsd', 53) %> +action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log @@ -826,8 +827,8 @@ logpath = /var/log/nsd.log [asterisk] -enabled = <%= "asterisk" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'asterisk' in $fail2ban::jails %> +port = <%= fail2ban::port('asterisk', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] @@ -837,8 +838,8 @@ maxretry = 10 [freeswitch] -enabled = <%= "freeswitch" in $fail2ban::jails %> -port = 5060,5061 +enabled = <%= 'freeswitch' in $fail2ban::jails %> +port = <%= fail2ban::port('freeswitch', '5060,5061') %> action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] 
@@ -867,8 +868,8 @@ logpath = /var/lib/znc/moddata/adminlog/znc.log # log-error=/var/log/mysqld.log [mysqld-auth] -enabled = <%= "mysqld-auth" in $fail2ban::jails %> -port = 3306 +enabled = <%= 'mysqld-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mysqld-auth', 3306) %> logpath = %(mysql_log)s backend = %(mysql_backend)s @@ -876,8 +877,8 @@ backend = %(mysql_backend)s # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') [mongodb-auth] # change port when running with "--shardsvr" or "--configsvr" runtime operation -enabled = <%= "mongodb-auth" in $fail2ban::jails %> -port = 27017 +enabled = <%= 'mongodb-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('mongodb-auth', 27017) %> logpath = /var/log/mongodb/mongodb.log @@ -926,8 +927,8 @@ logpath = /var/log/stunnel4/stunnel.log [ejabberd-auth] -enabled = <%= "ejabberd-auth" in $fail2ban::jails %> -port = 5222 +enabled = <%= 'ejabberd-auth' in $fail2ban::jails %> +port = <%= fail2ban::port('ejabberd-auth', 5222) %> logpath = /var/log/ejabberd/ejabberd.log
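Review bot: In the mongodb-auth hunk the comment `# change port when running with "--shardsvr" or "--configsvr" runtime operation` still tells the reader to edit the file by hand, although `fail2ban::port('mongodb-auth', 27017)` now makes that port overridable from Puppet data. Extend it to point at the new mechanism, e.g. `# change port when running with "--shardsvr" or "--configsvr" (override it via the module's per-jail port data; see fail2ban::port)`. The ejabberd-auth hunk that follows on this line continues past the end of the visible diff.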