tuning fail2ban
This commit is contained in:
parent
60adba79a1
commit
63255d321a
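--- /dev/null
+++ b/conf/fail2ban/filter.d/miab-postfix-rdnsfail.conf
@@ -0,0 +1,12 @@
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+miab-errors=postfix/(submission/)?smtpd.*warning: hostname .* does not resolve to address <HOST>:.+
+miab-normal=postfix/(submission/)?smtpd.*warning: hostname .* does not resolve to address <HOST>$
+ignoreregex =
+
+failregex = <miab-<mode>>
+
+mode = normal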
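Review bot: The `mode` parameter selected by `failregex = <miab-<mode>>` is undocumented, so a reader of the jail line `filter = miab-postfix-rdnsfail[mode=errors]` has to reverse-engineer the two `miab-*` keys to learn the allowed values; add above `mode = normal` a comment such as `# Parameter "mode": normal (default) matches the plain "does not resolve" warning, errors matches only lines that carry a trailing resolver error`. The `[INCLUDES]` / `before = common.conf` block looks unused, since nothing in the file references a common.conf definition such as `%(__prefix_line)s`; the same holds for miab-postfix-scanner.conf. Either drop the include or anchor the expressions with `%(__prefix_line)s` so the match is tied to the syslog line prefix instead of to any substring of the line.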
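--- /dev/null
+++ b/conf/fail2ban/filter.d/miab-postfix-scanner.conf
@@ -0,0 +1,7 @@
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+failregex=postfix/submission/smtpd.*warning: non-SMTP command from.*\[<HOST>\].*HTTP.*$
+ignoreregex =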
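Review bot: `failregex=postfix/submission/smtpd.*warning: non-SMTP command from...` only matches the submission service, so the same `non-SMTP command` warning written by `postfix/smtpd` for port 25 never counts, even though the jail that loads this filter bans `smtp,465,587`. If HTTP-style probes on port 25 are meant to be covered as well, reuse the alternation the sibling filter already has, `failregex = postfix/(submission/)?smtpd.*warning: non-SMTP command from.*\[<HOST>\].*HTTP.*$`; if the narrower scope is intentional, say so in a comment above the key. The key is also written `failregex=` while every other file in this commit uses `key = value`; match that spacing.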
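--- /dev/null
+++ b/conf/fail2ban/filter.d/nginx-badrequests.conf
@@ -0,0 +1,8 @@
+# Ban requests for non-existing or not-allowed resources
+# Ban requests for 40x results
+
+[Definition]
+# first regex for error.log, second for access.log
+failregex = ^.* \[error\] .*2: No such file or directory.*client: <HOST>.*$
+^<HOST> - .*"(GET|POST|HEAD).*HTTP.*" (400|401|403|404) .*$
+ignoreregex = ^.*(robots.txt|favicon.ico).*$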
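Review bot: In `failregex = ^.* \[error\] .*2: No such file or directory.*client: <HOST>.*$` the `.*` before `client:` is greedy, so `<HOST>` is taken from the last `client: ` occurrence on the line, and nginx writes the `request:` and `referrer:` fields, whose contents come from the remote side, after the real `client:` field; an address embedded in those fields can then be captured instead of the connecting client's. Anchor the capture to nginx's fixed field order as the stock nginx filters do, e.g. `failregex = ^.* \[error\] .*?\(2: No such file or directory\), client: <HOST>, server: `. `ignoreregex = ^.*(robots.txt|favicon.ico).*$` has the mirror problem: the unescaped literal is accepted anywhere in the line, including the user-agent and referrer fields, so a 404 line is excused whenever any field contains it; tie it to the request line that both logs carry, `ignoreregex = "(GET|POST|HEAD) /(robots\.txt|favicon\.ico) HTTP/`. Both points apply unchanged to nginx-missingresource.conf, which carries identical expressions.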
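--- /dev/null
+++ b/conf/fail2ban/filter.d/nginx-missingresource.conf
@@ -0,0 +1,6 @@
+# Ban requests for non-existing or not-allowed resources
+
+[Definition]
+failregex = ^.* \[error\] .*2: No such file or directory.*client: <HOST>.*$
+ignoreregex = ^.*(robots.txt|favicon.ico).*$
+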
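Review bot: No jail in this commit references the `nginx-missingresource` filter; the new badrequests jail uses `filter = nginx-badrequests`, whose file already contains this file's header comment, error.log expression and `ignoreregex` verbatim. Unless a jail outside this commit loads it, the file is unused duplicate configuration that will drift from nginx-badrequests.conf the next time one of the two expressions is tuned. Either drop it, or add a comment at the top naming the jail that is expected to use it, e.g. `# Used by <jail name> for error.log only; kept separate from nginx-badrequests to avoid access.log matching`.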
@ -97,7 +97,8 @@ failregex = ^<HOST> -.*(GET|POST|HEAD).*(/\.git/config)
|
|||||||
^<HOST> -.*(GET|POST|HEAD).*(/examples/file-manager\.html)
|
^<HOST> -.*(GET|POST|HEAD).*(/examples/file-manager\.html)
|
||||||
^<HOST> -.*(GET|POST|HEAD).*(/getcfg\.php)
|
^<HOST> -.*(GET|POST|HEAD).*(/getcfg\.php)
|
||||||
^<HOST> -.*(GET|POST|HEAD).*(/get_password\.php)
|
^<HOST> -.*(GET|POST|HEAD).*(/get_password\.php)
|
||||||
^<HOST> -.*(GET|POST|HEAD).*(/\.git/info/)
|
^<HOST> -.*(GET|POST|HEAD).*(/\.git/info)
|
||||||
|
^<HOST> -.*(GET|POST|HEAD).*(/\.git/HEAD)
|
||||||
^<HOST> -.*(GET|POST|HEAD).*(/Hello\.World)
|
^<HOST> -.*(GET|POST|HEAD).*(/Hello\.World)
|
||||||
^<HOST> -.*(GET|POST|HEAD).*(/hndUnblock\.cgi)
|
^<HOST> -.*(GET|POST|HEAD).*(/hndUnblock\.cgi)
|
||||||
^<HOST> -.*(GET|POST|HEAD).*(/images/login9/login_33\.jpg)
|
^<HOST> -.*(GET|POST|HEAD).*(/images/login9/login_33\.jpg)
|
||||||
@ -231,7 +232,7 @@ failregex = ^<HOST> -.*(GET|POST|HEAD).*(/\.git/config)
|
|||||||
^<HOST> -.*(GET|POST|HEAD).*(\x22sanitize)
|
^<HOST> -.*(GET|POST|HEAD).*(\x22sanitize)
|
||||||
^<HOST> -.*(GET|POST|HEAD).*(\x22SimplePie)
|
^<HOST> -.*(GET|POST|HEAD).*(\x22SimplePie)
|
||||||
^<HOST> -.*(GET|POST|HEAD).*(\x5C0disconnectHandlers)
|
^<HOST> -.*(GET|POST|HEAD).*(\x5C0disconnectHandlers)
|
||||||
^<HOST> -.*(GET).*(\.\./wp-config.php)
|
^<HOST> -.*(GET|POST|HEAD).*(\.\./wp-config.php)
|
||||||
|
|
||||||
|
|
||||||
ignoreregex =
|
ignoreregex =
|
||||||
|
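Review bot: The rewritten line `^<HOST> -.*(GET|POST|HEAD).*(\.\./wp-config.php)` leaves the dot in `.php` unescaped while the neighbouring patterns (`/getcfg\.php`, `/get_password\.php`) escape theirs, so it matches any character in that position; for consistency write `^<HOST> -.*(GET|POST|HEAD).*(\.\./wp-config\.php)`. The `failregex` list these lines belong to starts before the first hunk; only its tail and the `ignoreregex =` line are visible in the second.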
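--- /dev/null
+++ b/conf/fail2ban/jail.d/badrequests.conf
@@ -0,0 +1,14 @@
+# Block clients that generate too many non existing resources
+# Do not deploy of you host many websites on your box
+# any bad html link will trigger a false positive.
+# This jail is meant to catch scanners that try many
+# sites.
+[badrequests]
+enabled = true
+port = http,https
+filter = nginx-badrequests
+logpath = /var/log/nginx/error.log
+/var/log/nginx/access.log
+maxretry = 8
+findtime = 15m
+bantime = 15m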
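Review bot: The header comment `# Do not deploy of you host many websites on your box` reads `of` for `if`; as it is the only warning about this jail's false-positive risk it should read `# Do not deploy if you host many websites on your box`. That risk deserves a more precise statement here: the filter counts 401 and 403 as well as 404, so every resource behind HTTP authentication or an access rule yields a hit on each first unauthenticated request, and with `maxretry = 8` inside `findtime = 15m` a single page with a handful of missing assets reaches the threshold; if 401/403 are not needed for the scanner case, drop them from the filter, otherwise document the choice in this comment. The rendering shows the second `logpath` entry, `/var/log/nginx/access.log`, without indentation; if the committed file is unindented too, fail2ban's reader will not attach it to `logpath` as a continuation line, so confirm it is indented in the file.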
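--- /dev/null
+++ b/conf/fail2ban/jail.d/postfix-extra.conf
@@ -0,0 +1,31 @@
+# typically non smtp commands. Block fast for access to postfix
+[miab-postfix-scanner]
+enabled = true
+port = smtp,465,587
+filter = miab-postfix-scanner
+logpath = /var/log/mail.log
+maxretry = 2
+findtime = 1d
+bantime = 1h
+
+# ip lookup of hostname does not match. Go easy on block
+[miab-pf-rdnsfail]
+enabled = true
+port = smtp,465,587
+mode = normal
+filter = miab-postfix-rdnsfail
+logpath = /var/log/mail.log
+maxretry = 8
+findtime = 12h
+bantime = 30m
+
+# ip lookup of hostname does not match with failure. More strict block
+[miab-pf-rdnsfail-e]
+enabled = true
+port = smtp,465,587
+mode = errors
+filter = miab-postfix-rdnsfail[mode=errors]
+logpath = /var/log/mail.log
+maxretry = 4
+findtime = 1d
+bantime = 1h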
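Review bot: `mode = normal` in `[miab-pf-rdnsfail]` and `mode = errors` in `[miab-pf-rdnsfail-e]` are jail-level keys that, as far as I can tell, fail2ban never hands to the filter; the parameter only reaches the filter through the bracket syntax already used on `filter = miab-postfix-rdnsfail[mode=errors]`, so both bare `mode` lines are dead and the first jail gets `normal` only because that is the filter's default. Drop them, or replace them with a comment such as `# mode is selected via filter = miab-postfix-rdnsfail[mode=...]` so nobody tunes the wrong line. Banning on a reverse-DNS mismatch is also weak evidence of abuse: a legitimate sender with a stale PTR record that retries a deferred message can reach 8 hits in 12 h, and the 30 m ban then delays delivery further; record in the section comment why these thresholds were chosen, and whether the MTA-level client-hostname restriction, if enabled, already covers this case.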
@ -1,8 +1,12 @@
|
|||||||
|
# Block clients based on a list of specific requests
|
||||||
|
# The list contains applications that are not installed
|
||||||
|
# only scanners and bad parties will try too often
|
||||||
|
# so blocking can be fast and long
|
||||||
[webexploits]
|
[webexploits]
|
||||||
enabled = true
|
enabled = true
|
||||||
port = http,https
|
port = http,https
|
||||||
filter = webexploits
|
filter = webexploits
|
||||||
logpath = /var/log/nginx/access.log
|
logpath = /var/log/nginx/access.log
|
||||||
maxretry = 2
|
maxretry = 2
|
||||||
findtime = 240m
|
findtime = 4h
|
||||||
bantime = 60m
|
bantime = 4h
|
||||||
|
@ -5,7 +5,7 @@
|
|||||||
# Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks
|
# Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks
|
||||||
# ping services over the public interface so we should whitelist that address of
|
# ping services over the public interface so we should whitelist that address of
|
||||||
# ours too. The string is substituted during installation.
|
# ours too. The string is substituted during installation.
|
||||||
ignoreip = 127.0.0.1/8 ::1/128 PUBLIC_IP PUBLIC_IPV6 ADMIN_HOME_IP ADMIN_HOME_IPV6
|
ignoreip = 127.0.0.1/8 ::1/128 PUBLIC_IP PUBLIC_IPV6/64 ADMIN_HOME_IP ADMIN_HOME_IPV6/64
|
||||||
bantime = 15m
|
bantime = 15m
|
||||||
findtime = 120m
|
findtime = 120m
|
||||||
maxretry = 4
|
maxretry = 4
|
||||||
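Review bot: `PUBLIC_IPV6/64` whitelists the server's entire /64 rather than its own address; on hosting providers that allocate tenant addresses out of a shared /64, every neighbouring machine becomes exempt from every jail, a far wider exemption than the previous `PUBLIC_IPV6`. Keep the box's own address as a single host, `ignoreip = 127.0.0.1/8 ::1/128 PUBLIC_IP PUBLIC_IPV6 ADMIN_HOME_IP ADMIN_HOME_IPV6/64`; the prefix is justified for the admin's home network, where addresses rotate, but not for the server itself. Also check the installer's substitution for a host without IPv6 (I cannot see that code from here): if `PUBLIC_IPV6` is replaced by an empty string, the line previously just lost a token, whereas now it leaves a bare `/64` entry that fail2ban is likely to reject when parsing `ignoreip`.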
@ -69,7 +69,7 @@ findtime = 15m
|
|||||||
enabled = true
|
enabled = true
|
||||||
maxretry = 10
|
maxretry = 10
|
||||||
bantime = 2w
|
bantime = 2w
|
||||||
findtime = 3d
|
findtime = 6d
|
||||||
action = iptables-allports[name=recidive]
|
action = iptables-allports[name=recidive]
|
||||||
# In the recidive section of jail.conf the action contains:
|
# In the recidive section of jail.conf the action contains:
|
||||||
#
|
#
|
||||||
|