mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2024-12-24 07:37:04 +00:00
tuning fail2ban
This commit is contained in:
parent
60adba79a1
commit
63255d321a
12
conf/fail2ban/filter.d/miab-postfix-rdnsfail.conf
Normal file
12
conf/fail2ban/filter.d/miab-postfix-rdnsfail.conf
Normal file
@ -0,0 +1,12 @@
|
||||
[INCLUDES]
|
||||
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
miab-errors=postfix/(submission/)?smtpd.*warning: hostname .* does not resolve to address <HOST>:.+
|
||||
miab-normal=postfix/(submission/)?smtpd.*warning: hostname .* does not resolve to address <HOST>$
|
||||
ignoreregex =
|
||||
|
||||
failregex = <miab-<mode>>
|
||||
|
||||
mode = normal
|
7
conf/fail2ban/filter.d/miab-postfix-scanner.conf
Normal file
7
conf/fail2ban/filter.d/miab-postfix-scanner.conf
Normal file
@ -0,0 +1,7 @@
|
||||
[INCLUDES]
|
||||
|
||||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
failregex=postfix/submission/smtpd.*warning: non-SMTP command from.*\[<HOST>\].*HTTP.*$
|
||||
ignoreregex =
|
8
conf/fail2ban/filter.d/nginx-badrequests.conf
Normal file
8
conf/fail2ban/filter.d/nginx-badrequests.conf
Normal file
@ -0,0 +1,8 @@
|
||||
# Ban requests for non-existing or not-allowed resources
|
||||
# Ban requests for 40x results
|
||||
|
||||
[Definition]
|
||||
# first regex for error.log, second for access.log
|
||||
failregex = ^.* \[error\] .*2: No such file or directory.*client: <HOST>.*$
|
||||
^<HOST> - .*"(GET|POST|HEAD).*HTTP.*" (400|401|403|404) .*$
|
||||
ignoreregex = ^.*(robots.txt|favicon.ico).*$
|
6
conf/fail2ban/filter.d/nginx-missingresource.conf
Normal file
6
conf/fail2ban/filter.d/nginx-missingresource.conf
Normal file
@ -0,0 +1,6 @@
|
||||
# Ban requests for non-existing or not-allowed resources
|
||||
|
||||
[Definition]
|
||||
failregex = ^.* \[error\] .*2: No such file or directory.*client: <HOST>.*$
|
||||
ignoreregex = ^.*(robots.txt|favicon.ico).*$
|
||||
|
@ -97,7 +97,8 @@ failregex = ^<HOST> -.*(GET|POST|HEAD).*(/\.git/config)
|
||||
^<HOST> -.*(GET|POST|HEAD).*(/examples/file-manager\.html)
|
||||
^<HOST> -.*(GET|POST|HEAD).*(/getcfg\.php)
|
||||
^<HOST> -.*(GET|POST|HEAD).*(/get_password\.php)
|
||||
^<HOST> -.*(GET|POST|HEAD).*(/\.git/info/)
|
||||
^<HOST> -.*(GET|POST|HEAD).*(/\.git/info)
|
||||
^<HOST> -.*(GET|POST|HEAD).*(/\.git/HEAD)
|
||||
^<HOST> -.*(GET|POST|HEAD).*(/Hello\.World)
|
||||
^<HOST> -.*(GET|POST|HEAD).*(/hndUnblock\.cgi)
|
||||
^<HOST> -.*(GET|POST|HEAD).*(/images/login9/login_33\.jpg)
|
||||
@ -231,7 +232,7 @@ failregex = ^<HOST> -.*(GET|POST|HEAD).*(/\.git/config)
|
||||
^<HOST> -.*(GET|POST|HEAD).*(\x22sanitize)
|
||||
^<HOST> -.*(GET|POST|HEAD).*(\x22SimplePie)
|
||||
^<HOST> -.*(GET|POST|HEAD).*(\x5C0disconnectHandlers)
|
||||
^<HOST> -.*(GET).*(\.\./wp-config.php)
|
||||
^<HOST> -.*(GET|POST|HEAD).*(\.\./wp-config.php)
|
||||
|
||||
|
||||
ignoreregex =
|
||||
|
14
conf/fail2ban/jail.d/badrequests.conf
Normal file
14
conf/fail2ban/jail.d/badrequests.conf
Normal file
@ -0,0 +1,14 @@
|
||||
# Block clients that generate too many non existing resources
|
||||
# Do not deploy of you host many websites on your box
|
||||
# any bad html link will trigger a false positive.
|
||||
# This jail is meant to catch scanners that try many
|
||||
# sites.
|
||||
[badrequests]
|
||||
enabled = true
|
||||
port = http,https
|
||||
filter = nginx-badrequests
|
||||
logpath = /var/log/nginx/error.log
|
||||
/var/log/nginx/access.log
|
||||
maxretry = 8
|
||||
findtime = 15m
|
||||
bantime = 15m
|
31
conf/fail2ban/jail.d/postfix-extra.conf
Normal file
31
conf/fail2ban/jail.d/postfix-extra.conf
Normal file
@ -0,0 +1,31 @@
|
||||
# typically non smtp commands. Block fast for access to postfix
|
||||
[miab-postfix-scanner]
|
||||
enabled = true
|
||||
port = smtp,465,587
|
||||
filter = miab-postfix-scanner
|
||||
logpath = /var/log/mail.log
|
||||
maxretry = 2
|
||||
findtime = 1d
|
||||
bantime = 1h
|
||||
|
||||
# ip lookup of hostname does not match. Go easy on block
|
||||
[miab-pf-rdnsfail]
|
||||
enabled = true
|
||||
port = smtp,465,587
|
||||
mode = normal
|
||||
filter = miab-postfix-rdnsfail
|
||||
logpath = /var/log/mail.log
|
||||
maxretry = 8
|
||||
findtime = 12h
|
||||
bantime = 30m
|
||||
|
||||
# ip lookup of hostname does not match with failure. More strict block
|
||||
[miab-pf-rdnsfail-e]
|
||||
enabled = true
|
||||
port = smtp,465,587
|
||||
mode = errors
|
||||
filter = miab-postfix-rdnsfail[mode=errors]
|
||||
logpath = /var/log/mail.log
|
||||
maxretry = 4
|
||||
findtime = 1d
|
||||
bantime = 1h
|
@ -1,8 +1,12 @@
|
||||
# Block clients based on a list of specific requests
|
||||
# The list contains applications that are not installed
|
||||
# only scanners and bad parties will try too often
|
||||
# so blocking can be fast and long
|
||||
[webexploits]
|
||||
enabled = true
|
||||
port = http,https
|
||||
filter = webexploits
|
||||
logpath = /var/log/nginx/access.log
|
||||
maxretry = 2
|
||||
findtime = 240m
|
||||
bantime = 60m
|
||||
findtime = 4h
|
||||
bantime = 4h
|
||||
|
@ -5,7 +5,7 @@
|
||||
# Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks
|
||||
# ping services over the public interface so we should whitelist that address of
|
||||
# ours too. The string is substituted during installation.
|
||||
ignoreip = 127.0.0.1/8 ::1/128 PUBLIC_IP PUBLIC_IPV6 ADMIN_HOME_IP ADMIN_HOME_IPV6
|
||||
ignoreip = 127.0.0.1/8 ::1/128 PUBLIC_IP PUBLIC_IPV6/64 ADMIN_HOME_IP ADMIN_HOME_IPV6/64
|
||||
bantime = 15m
|
||||
findtime = 120m
|
||||
maxretry = 4
|
||||
@ -69,7 +69,7 @@ findtime = 15m
|
||||
enabled = true
|
||||
maxretry = 10
|
||||
bantime = 2w
|
||||
findtime = 3d
|
||||
findtime = 6d
|
||||
action = iptables-allports[name=recidive]
|
||||
# In the recidive section of jail.conf the action contains:
|
||||
#
|
||||
|
Loading…
Reference in New Issue
Block a user