mailinabox/conf/fail2ban/jail.local

# Fail2Ban configuration file for Mail-in-a-Box

[DEFAULT]
# Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks
# ping services over the public interface so we should whitelist that address of
# ours too. The string is substituted during installation.
ignoreip = 127.0.0.1/8 PUBLIC_IP

action = %(action_mwl)s

# JAILS
# Uncomment actions out with proper addresses once blocklist.de is configured, I like to send it to two email addresses

[ssh]
maxretry = 7
bantime = 3600
# action = sendmail-whois-lines[name=ssh, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]
	
[ssh-ddos]
enabled  = true
# action = sendmail-whois-lines[name=ssh-ddos, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]

[sasl]
enabled  = true
# action   = sendmail-whois-lines[name=sasl, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]


[nginx]

enabled  = true
filter   = nginx-http-auth
port     = http,https
# action   = sendmail-whois-lines[name=nginx-http-auth, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]

[nginx-badbots]

enabled  = true
port     = http,https
filter   = nginx-badbots
# action   = sendmail-whois-lines[name=nginx-badbots, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]
logpath  = /var/log/nginx/access.log
maxretry = 2

[dovecot]
enabled  = true
filter   = dovecotimap
findtime = 30
maxretry = 20
# action   = sendmail-whois-lines[name=dovecot, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]

[recidive]
enabled  = true
maxretry = 10
action   = iptables-allports[name=recidive]
#		sendmail-whois-lines[name=recidive, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]

# In the recidive section of jail.conf the action contains:
#
# action   = iptables-allports[name=recidive]
#            sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
#
# The last line on the action will sent an email to the configured address. This mail will
# notify the administrator that someone has been repeatedly triggering one of the other jails.
# By default we don't configure this address and no action is required from the admin anyway.
# So the notification is ommited. This will prevent message appearing in the mail.log that mail
# can't be delivered to fail2ban@$HOSTNAME.

# Copied from ChiefGyk's OwnCloud
# [owncloud]
# enabled = true
# filter = owncloud
# action = sendmail-whois-lines[name=owncloud, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]
# logpath = /home/user-data/owncloud/owncloud.log
# maxretry = 20
# findtime = 300
# bantime = 300

[miab-management]
enabled = true
filter = miab-management-daemon
# action = sendmail-whois-lines[name=miab-management, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]
port = http,https
logpath = /var/log/syslog
maxretry = 20
findtime = 30

[miab-munin]
enabled  = true
port     = http,https
filter   = miab-munin
# action = sendmail-whois-lines[name=miab-munin, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]
logpath  = /var/log/nginx/access.log
maxretry = 20
findtime = 30

[miab-owncloud]
enabled  = true
port     = http,https
filter   = miab-owncloud
# action = sendmail-whois-lines[name=miab-owncloud, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]
logpath  = /home/user-data/owncloud/owncloud.log
maxretry = 20
findtime = 30

[miab-postfix587]
enabled  = true
port     = 587
filter   = miab-postfix-submission
# action = sendmail-whois-lines[name=miab-postfix-submission, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]
logpath  = /var/log/mail.log
maxretry = 20
findtime = 30

[miab-roundcube]
enabled  = true
port     = http,https
filter   = miab-roundcube
action = sendmail-whois-lines[name=miab-roundcube, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]
logpath  = /var/log/roundcubemail/errors
maxretry = 20
findtime = 30
Cleanup blank lines, comments and whitespace to make it easier to follow 2015-07-02 09:19:37 +00:00			`# Fail2Ban configuration file for Mail-in-a-Box`

fail2ban: whitelist our machine's public ip address so status checks dont cause bans of the machine itself 2015-12-07 13:45:59 +00:00			`[DEFAULT]`
			`# Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks`
			`# ping services over the public interface so we should whitelist that address of`
			`# ours too. The string is substituted during installation.`
			`ignoreip = 127.0.0.1/8 PUBLIC_IP`

added Fail2ban filters from #866, #767, and #798 on main branch 2016-06-26 14:57:59 +00:00			`action = %(action_mwl)s`

Configure fail2ban jails to prevent dumb brute-force attacks against postfix, dovecot and ssh. See #319 2015-03-08 00:13:55 +00:00			`# JAILS`
added Fail2ban filters from #866, #767, and #798 on main branch 2016-06-26 14:57:59 +00:00			`# Uncomment actions out with proper addresses once blocklist.de is configured, I like to send it to two email addresses`
Configure fail2ban jails to prevent dumb brute-force attacks against postfix, dovecot and ssh. See #319 2015-03-08 00:13:55 +00:00
Added more bantime and lowered max retry attempts Ban time was too low for preventing ssh brute force attacks, this change also allows to keep the auth.log more clean and avoid wasting cpu and i/o on this. Bots eventually will flag your IP as secure and move along. 2015-07-02 15:55:43 +00:00			`[ssh]`
			`maxretry = 7`
			`bantime = 3600`
added Fail2ban filters from #866, #767, and #798 on main branch 2016-06-26 14:57:59 +00:00			`# action = sendmail-whois-lines[name=ssh, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]`

Configure fail2ban jails to prevent dumb brute-force attacks against postfix, dovecot and ssh. See #319 2015-03-08 00:13:55 +00:00			`[ssh-ddos]`
			`enabled = true`
added Fail2ban filters from #866, #767, and #798 on main branch 2016-06-26 14:57:59 +00:00			`# action = sendmail-whois-lines[name=ssh-ddos, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]`
Configure fail2ban jails to prevent dumb brute-force attacks against postfix, dovecot and ssh. See #319 2015-03-08 00:13:55 +00:00
			`[sasl]`
			`enabled = true`
added Fail2ban filters from #866, #767, and #798 on main branch 2016-06-26 14:57:59 +00:00			`# action = sendmail-whois-lines[name=sasl, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]`


			`[nginx]`

			`enabled = true`
			`filter = nginx-http-auth`
			`port = http,https`
			`# action = sendmail-whois-lines[name=nginx-http-auth, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]`

			`[nginx-badbots]`

			`enabled = true`
			`port = http,https`
			`filter = nginx-badbots`
			`# action = sendmail-whois-lines[name=nginx-badbots, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]`
			`logpath = /var/log/nginx/access.log`
			`maxretry = 2`
Configure fail2ban jails to prevent dumb brute-force attacks against postfix, dovecot and ssh. See #319 2015-03-08 00:13:55 +00:00
			`[dovecot]`
added Fail2ban filters from #866, #767, and #798 on main branch 2016-06-26 14:57:59 +00:00			`enabled = true`
			`filter = dovecotimap`
Ultra safe dovecot findtime and maxretry settings Explicitly set the timings and counts for the dovecot jail rather than change the global [DEFAULT] and inherit it for this one jail. These settings are far too safe so a future PR should increase security here. 2015-07-06 12:44:53 +00:00			`findtime = 30`
			`maxretry = 20`
added Fail2ban filters from #866, #767, and #798 on main branch 2016-06-26 14:57:59 +00:00			`# action = sendmail-whois-lines[name=dovecot, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]`
Activate FAIL2BAN recidive jail Recidive can be thought of as FAIL2BAN checking itself. This setup will monitor the FAIL2BAN log and if 10 bans are seen within one day activate a week long ban and email the mail in a box admin that it has been applied . These bans survive FAIL2BAN service restarts so are much stronger which obviously means we need to be careful with them. Our current settings are relatively safe and definitely not easy to trigger by mistake e.g to activate a recidive IP jail by failed SSH logins a user would have to fail logging into SSH 6 times in 10 minutes, get banned, wait for the ban to expire and then repeat this process 9 further times within a 24 hour period. The default maxretry of 5 is much saner but that can be applied once users are happy with this jail. I have been running a stronger version of this for months and it does a very good job of ejecting persistent abusers. 2015-07-07 11:37:42 +00:00
			`[recidive]`
			`enabled = true`
			`maxretry = 10`
Stop fail2ban recidive from sending emails, like all other jails 2016-03-26 08:04:51 +00:00			`action = iptables-allports[name=recidive]`
added Fail2ban filters from #866, #767, and #798 on main branch 2016-06-26 14:57:59 +00:00			`# sendmail-whois-lines[name=recidive, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]`

Add documentation on why the notification was removed from the recidive jail 2016-03-26 12:37:33 +00:00			`# In the recidive section of jail.conf the action contains:`
			`#`
			`# action = iptables-allports[name=recidive]`
			`# sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]`
			`#`
			`# The last line on the action will sent an email to the configured address. This mail will`
			`# notify the administrator that someone has been repeatedly triggering one of the other jails.`
			`# By default we don't configure this address and no action is required from the admin anyway.`
			`# So the notification is ommited. This will prevent message appearing in the mail.log that mail`
			`# can't be delivered to fail2ban@$HOSTNAME.`
added Fail2ban filters from #866, #767, and #798 on main branch 2016-06-26 14:57:59 +00:00
			`# Copied from ChiefGyk's OwnCloud`
			`# [owncloud]`
			`# enabled = true`
			`# filter = owncloud`
			`# action = sendmail-whois-lines[name=owncloud, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]`
			`# logpath = /home/user-data/owncloud/owncloud.log`
			`# maxretry = 20`
			`# findtime = 300`
			`# bantime = 300`

			`[miab-management]`
			`enabled = true`
			`filter = miab-management-daemon`
			`# action = sendmail-whois-lines[name=miab-management, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]`
			`port = http,https`
			`logpath = /var/log/syslog`
			`maxretry = 20`
			`findtime = 30`

			`[miab-munin]`
			`enabled = true`
			`port = http,https`
			`filter = miab-munin`
			`# action = sendmail-whois-lines[name=miab-munin, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]`
			`logpath = /var/log/nginx/access.log`
			`maxretry = 20`
			`findtime = 30`

			`[miab-owncloud]`
			`enabled = true`
			`port = http,https`
			`filter = miab-owncloud`
			`# action = sendmail-whois-lines[name=miab-owncloud, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]`
			`logpath = /home/user-data/owncloud/owncloud.log`
			`maxretry = 20`
			`findtime = 30`

			`[miab-postfix587]`
			`enabled = true`
			`port = 587`
			`filter = miab-postfix-submission`
			`# action = sendmail-whois-lines[name=miab-postfix-submission, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]`
			`logpath = /var/log/mail.log`
			`maxretry = 20`
			`findtime = 30`

			`[miab-roundcube]`
			`enabled = true`
			`port = http,https`
			`filter = miab-roundcube`
			`action = sendmail-whois-lines[name=miab-roundcube, dest="<USER>@<DOMAIN>.<TLD>,<USER2>@<DOMAIN2>.<TLD2>,fail2ban@blocklist.de", sender=fail2ban@box.<SERVER>.<TLD>, sendername="Fail2Ban"]`
			`logpath = /var/log/roundcubemail/errors`
			`maxretry = 20`
			`findtime = 30`