annotate modules/fail2ban/files/jail.local @ 292:3e04f35dd0af
Turn Fail2ban setup into a module
We now:
* Don't have a large class outside a module
* Build "bad SSH users" config from a list
(easier to understand/see diffs in than a long line)
* Use modern EPP files
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Sat, 18 Jan 2020 15:17:03 +0000 |
parents | common/fail2ban/jail.local@23c4f6a38b57 |
children | a79ad974a548 |
rev | line source |
---|---|
35 | 1 # Disable ssh-iptables because some versions auto-enable it |
35 | 2 # and we want to use our own version (which may use non-iptables) |
0 | 3 [ssh-iptables] |
0 | 4 enabled = false |
0 | 5 |
35 | 6 [ssh-firewall-ban] |
0 | 7 enabled = true |
0 | 8 filter = sshd |
171 | 9 action = firewall-ban[name=SSH,chain=Fail2Ban,port=222] |
0 | 10 logpath = /var/log/secure |
197 | 11 maxretry = 3 |
197 | 12 bantime = 604800 |
197 | 13 |
197 | 14 [ssh-user-instaban] |
197 | 15 enabled = true |
197 | 16 filter = ibb-sshd-bad-user |
197 | 17 action = firewall-ban[name=SSH-Instaban,chain=Fail2Ban,port=222] |
197 | 18 logpath = /var/log/secure |
197 | 19 maxretry = 1 |
0 | 20 bantime = 604800 |
0 | 21 |
171 | 22 [ssh-key-ban] |
171 | 23 enabled = true |
171 | 24 filter = ibb-sshd |
196 | 25 action = firewall-ban[name=SSH-Key,chain=Fail2Ban,port=222] |
171 | 26 logpath = /var/log/secure |
197 | 27 maxretry = 3 |
175 | 28 findtime = 604800 |
171 | 29 bantime = 604800 |
171 | 30 |
171 | 31 |
0 | 32 [apache-badbots] |
0 | 33 enabled = true |
0 | 34 filter = apache-badbots |
64 | 35 action = firewall-ban[name=ApacheBadBots,chain=Fail2Ban,port="80,443"] |
0 | 36 logpath = /var/log/apache/access_*.log |
0 | 37 findtime = 604800 |
0 | 38 bantime = 604800 |
0 | 39 |
0 | 40 [apache-instaban] |
0 | 41 enabled = true |
0 | 42 maxretry = 1 |
0 | 43 filter = ibb-apache-exploits-instaban |
64 | 44 action = firewall-ban[name=ApacheInstaban,chain=Fail2Ban,port="80,443"] |
0 | 45 logpath = /var/log/apache/access_*.log |
187 | 46 findtime = 86400 |
187 | 47 bantime = 86400 |
0 | 48 |
0 | 49 [apache-auth] |
0 | 50 enabled = true |
0 | 51 maxretry = 5 |
0 | 52 filter = apache-auth |
64 | 53 action = firewall-ban[name=ApacheAuth,chain=Fail2Ban,port="80,443"] |
0 | 54 logpath = /var/log/apache/error_*.log |
0 | 55 findtime = 86400 |
0 | 56 bantime = 604800 |
0 | 57 |
0 | 58 [repeat-offenders] |
0 | 59 enabled = true |
0 | 60 maxretry = 2 |
0 | 61 filter = ibb-repeat-offender |
195 | 62 action = firewall-ban[name=RepeatOffenders,chain=Fail2Ban,port="80,443,25,465"] |
195 | 63 logpath = /var/log/fail2ban.log |
195 | 64 findtime = 2592000 |
195 | 65 bantime = 2592000 |
195 | 66 |
195 | 67 [repeat-offenders-ssh] |
195 | 68 enabled = true |
195 | 69 maxretry = 2 |
195 | 70 filter = ibb-repeat-offender-ssh |
195 | 71 action = firewall-ban[name=RepeatOffendersSSH,chain=Fail2Ban,port="222"] |
0 | 72 logpath = /var/log/fail2ban.log |
0 | 73 findtime = 2592000 |
0 | 74 bantime = 2592000 |
0 | 75 |
0 | 76 [spam-email] |
0 | 77 enabled = true |
0 | 78 maxretry = 1 |
0 | 79 filter = ibb-postfix-spammers |
64 | 80 action = firewall-ban[name=SpamEmail,chain=Fail2Ban,port="465,25"] |
0 | 81 logpath = /var/log/maillog |
0 | 82 findtime = 604800 |
0 | 83 bantime = 604800 |
0 | 84 |
0 | 85 [mail-abuse] |
0 | 86 enabled = true |
0 | 87 maxretry = 1 |
0 | 88 filter = ibb-postfix-malicious |
64 | 89 action = firewall-ban[name=MailAbuse,chain=Fail2Ban,port="465,25"] |
0 | 90 logpath = /var/log/maillog |
0 | 91 findtime = 604800 |
0 | 92 bantime = 604800 |
0 | 93 |
0 | 94 [mail-rejected] |
0 | 95 enabled = true |
0 | 96 maxretry = 10 |
0 | 97 filter = ibb-postfix |
64 | 98 action = firewall-ban[name=MailRejected,chain=Fail2Ban,port="465,25"] |
0 | 99 logpath = /var/log/maillog |
0 | 100 findtime = 604800 |
0 | 101 bantime = 604800 |
0 | 102 |
0 | 103 [sasl] |
0 | 104 enabled = true |
0 | 105 maxretry = 10 |
189 | 106 filter = postfix[mode=auth] |
64 | 107 action = firewall-ban[name=SASLFailures,chain=Fail2Ban,port="465,25"] |
0 | 108 logpath = /var/log/maillog |
0 | 109 findtime = 604800 |
0 | 110 bantime = 604800 |
6 | 111 |
6 | 112 [shellshock] |
6 | 113 enabled = true |
6 | 114 maxretry = 1 |
6 | 115 filter = ibb-apache-shellshock |
64 | 116 action = firewall-ban[name=Shellshock,chain=Fail2Ban,port="80,443"] |
6 | 117 logpath = /var/log/apache/access_*.log |
6 | 118 findtime = 604800 |
6 | 119 bantime = 604800 |

Changesets referenced in the rev column (all by IBBoard <dev@ibboard.co.uk>):

rev | changeset | parents | description |
---|---|---|---|
0 | 956e484adc12 | | Initial public release of Puppet configs |
6 | b7c30595c97a | 0 | Add "Shellshock" exploit Fail2ban rule |
35 | 1bb941522ebf | 6 | Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables) |
64 | 3bb824dabaae | 63 | Make sure Fail2Ban rules are in right order (using separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons) |
171 | 103a3630e9b2 | 71 | Tighten up some Fail2Ban rules (including SSH probes with only insecure keys) |
175 | c76ba5e3685f | 171 | Add a find time to custom SSH rule as it is low and slow |
187 | 6c260427a94c | 175 | Reduce Apache Instaban ban duration to reduce reboot time |
189 | 3c03d3d03656 | 187 | Switch to new Postfix SASL filter (no longer a separate file) |
195 | f70831cc2864 | 189 | Separate out SSH repeats from web/email repeats |
196 | d3ef339b53a6 | 195 | Separate the two Fail2ban SSH rules in iptables |
197 | 23c4f6a38b57 | 196 | Make Fail2Ban SSH rules more aggressive |