diff --git a/conf/fail2ban/filter.d/miab-postfix-rdnsfail.conf b/conf/fail2ban/filter.d/miab-postfix-rdnsfail.conf new file mode 100644 index 00000000..c2eb3634 --- /dev/null +++ b/conf/fail2ban/filter.d/miab-postfix-rdnsfail.conf @@ -0,0 +1,12 @@ +[INCLUDES] + +before = common.conf + +[Definition] +miab-errors=postfix/(submission/)?smtpd.*warning: hostname .* does not resolve to address :.+ +miab-normal=postfix/(submission/)?smtpd.*warning: hostname .* does not resolve to address $ +ignoreregex = + +failregex = > + +mode = normal \ No newline at end of file diff --git a/conf/fail2ban/filter.d/miab-postfix-scanner.conf b/conf/fail2ban/filter.d/miab-postfix-scanner.conf new file mode 100644 index 00000000..191dacd6 --- /dev/null +++ b/conf/fail2ban/filter.d/miab-postfix-scanner.conf @@ -0,0 +1,7 @@ +[INCLUDES] + +before = common.conf + +[Definition] +failregex=postfix/submission/smtpd.*warning: non-SMTP command from.*\[\].*HTTP.*$ +ignoreregex = diff --git a/conf/fail2ban/filter.d/nginx-badrequests.conf b/conf/fail2ban/filter.d/nginx-badrequests.conf new file mode 100644 index 00000000..5ba83405 --- /dev/null +++ b/conf/fail2ban/filter.d/nginx-badrequests.conf @@ -0,0 +1,8 @@ +# Ban requests for non-existing or not-allowed resources +# Ban requests for 40x results + +[Definition] +# first regex for error.log, second for access.log +failregex = ^.* \[error\] .*2: No such file or directory.*client: .*$ + ^ - .*"(GET|POST|HEAD).*HTTP.*" (400|401|403|404) .*$ +ignoreregex = ^.*(robots.txt|favicon.ico).*$ \ No newline at end of file diff --git a/conf/fail2ban/filter.d/nginx-missingresource.conf b/conf/fail2ban/filter.d/nginx-missingresource.conf new file mode 100644 index 00000000..22a26e7b --- /dev/null +++ b/conf/fail2ban/filter.d/nginx-missingresource.conf @@ -0,0 +1,6 @@ +# Ban requests for non-existing or not-allowed resources + +[Definition] +failregex = ^.* \[error\] .*2: No such file or directory.*client: .*$ +ignoreregex = ^.*(robots.txt|favicon.ico).*$ + diff --git a/conf/fail2ban/filter.d/webexploits.conf b/conf/fail2ban/filter.d/webexploits.conf index ff5a101a..dbb297ae 100644 --- a/conf/fail2ban/filter.d/webexploits.conf +++ b/conf/fail2ban/filter.d/webexploits.conf @@ -97,7 +97,8 @@ failregex = ^ -.*(GET|POST|HEAD).*(/\.git/config) ^ -.*(GET|POST|HEAD).*(/examples/file-manager\.html) ^ -.*(GET|POST|HEAD).*(/getcfg\.php) ^ -.*(GET|POST|HEAD).*(/get_password\.php) - ^ -.*(GET|POST|HEAD).*(/\.git/info/) + ^ -.*(GET|POST|HEAD).*(/\.git/info) + ^ -.*(GET|POST|HEAD).*(/\.git/HEAD) ^ -.*(GET|POST|HEAD).*(/Hello\.World) ^ -.*(GET|POST|HEAD).*(/hndUnblock\.cgi) ^ -.*(GET|POST|HEAD).*(/images/login9/login_33\.jpg) @@ -231,7 +232,7 @@ failregex = ^ -.*(GET|POST|HEAD).*(/\.git/config) ^ -.*(GET|POST|HEAD).*(\x22sanitize) ^ -.*(GET|POST|HEAD).*(\x22SimplePie) ^ -.*(GET|POST|HEAD).*(\x5C0disconnectHandlers) - ^ -.*(GET).*(\.\./wp-config.php) + ^ -.*(GET|POST|HEAD).*(\.\./wp-config.php) ignoreregex = diff --git a/conf/fail2ban/jail.d/badrequests.conf b/conf/fail2ban/jail.d/badrequests.conf new file mode 100644 index 00000000..d80e527c --- /dev/null +++ b/conf/fail2ban/jail.d/badrequests.conf @@ -0,0 +1,14 @@ +# Block clients that generate too many non existing resources +# Do not deploy of you host many websites on your box +# any bad html link will trigger a false positive. +# This jail is meant to catch scanners that try many +# sites. +[badrequests] +enabled = true +port = http,https +filter = nginx-badrequests +logpath = /var/log/nginx/error.log + /var/log/nginx/access.log +maxretry = 8 +findtime = 15m +bantime = 15m diff --git a/conf/fail2ban/jail.d/postfix-extra.conf b/conf/fail2ban/jail.d/postfix-extra.conf new file mode 100644 index 00000000..2e62e70d --- /dev/null +++ b/conf/fail2ban/jail.d/postfix-extra.conf @@ -0,0 +1,31 @@ +# typically non smtp commands. Block fast for access to postfix +[miab-postfix-scanner] +enabled = true +port = smtp,465,587 +filter = miab-postfix-scanner +logpath = /var/log/mail.log +maxretry = 2 +findtime = 1d +bantime = 1h + +# ip lookup of hostname does not match. Go easy on block +[miab-pf-rdnsfail] +enabled = true +port = smtp,465,587 +mode = normal +filter = miab-postfix-rdnsfail +logpath = /var/log/mail.log +maxretry = 8 +findtime = 12h +bantime = 30m + +# ip lookup of hostname does not match with failure. More strict block +[miab-pf-rdnsfail-e] +enabled = true +port = smtp,465,587 +mode = errors +filter = miab-postfix-rdnsfail[mode=errors] +logpath = /var/log/mail.log +maxretry = 4 +findtime = 1d +bantime = 1h diff --git a/conf/fail2ban/jail.d/webexploits.conf b/conf/fail2ban/jail.d/webexploits.conf index 30baaceb..f5edda95 100644 --- a/conf/fail2ban/jail.d/webexploits.conf +++ b/conf/fail2ban/jail.d/webexploits.conf @@ -1,8 +1,12 @@ +# Block clients based on a list of specific requests +# The list contains applications that are not installed +# only scanners and bad parties will try too often +# so blocking can be fast and long [webexploits] enabled = true port = http,https filter = webexploits logpath = /var/log/nginx/access.log maxretry = 2 -findtime = 240m -bantime = 60m +findtime = 4h +bantime = 4h diff --git a/conf/fail2ban/jails.conf b/conf/fail2ban/jails.conf index b360aa77..006a5c7e 100644 --- a/conf/fail2ban/jails.conf +++ b/conf/fail2ban/jails.conf @@ -5,7 +5,7 @@ # Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks # ping services over the public interface so we should whitelist that address of # ours too. The string is substituted during installation. -ignoreip = 127.0.0.1/8 ::1/128 PUBLIC_IP PUBLIC_IPV6 ADMIN_HOME_IP ADMIN_HOME_IPV6 +ignoreip = 127.0.0.1/8 ::1/128 PUBLIC_IP PUBLIC_IPV6/64 ADMIN_HOME_IP ADMIN_HOME_IPV6/64 bantime = 15m findtime = 120m maxretry = 4 @@ -69,7 +69,7 @@ findtime = 15m enabled = true maxretry = 10 bantime = 2w -findtime = 3d +findtime = 6d action = iptables-allports[name=recidive] # In the recidive section of jail.conf the action contains: #