Commit Graph

40 Commits

Author SHA1 Message Date
KiekerJan a0937290b7 correct reference in fail2ban jail to nextcloud log 2022-09-16 23:29:30 +02:00
KiekerJan a8aa3675bc add postfix aggressive jail 2022-09-04 20:57:50 +02:00
KiekerJan be899f2b9e avoid a runaway /64 in jail.conf 2021-10-25 16:44:25 +02:00
github@kiekerjan.isdronken.nl 52a5100265 align recidive search time to a week 2021-09-09 22:52:30 +02:00
KiekerJan c4fa84b966 tuning fail2ban 2021-08-29 22:47:29 +02:00
KiekerJan 63255d321a tuning fail2ban 2021-08-28 13:34:37 +02:00
KiekerJan 3592b6463d add ipv6 localhost to ignore ip list 2021-07-04 20:09:07 +02:00
github@kiekerjan.isdronken.nl 212b9a31df add definition of admin ipv6 address 2021-06-27 22:12:15 +02:00
github@kiekerjan.isdronken.nl ca5fb3c2e0 Merge changes from upstream v0.54 2021-06-20 23:36:54 +02:00
Joshua Tauberer d510c8ae2a Enable and recommend port 465 for mail submission instead of port 587 (fixes #1849)
Port 465 with "implicit" (i.e. always-on) TLS is a more secure approach than port 587 with explicit (i.e. optional and only on with STARTTLS). Although we reject credentials on port 587 without STARTTLS, by that point credentials have already been sent.
2021-05-15 16:42:14 -04:00
github@kiekerjan.isdronken.nl 7368b4caea simplify fail2ban configuration 2021-04-28 15:57:52 +02:00
github@kiekerjan.isdronken.nl 3bf241c3e0 add postfix spamhaus jail 2021-04-23 22:03:22 +02:00
github@kiekerjan.isdronken.nl 1292dce11e merge from 1804 version 2021-04-21 22:42:10 +02:00
github@kiekerjan.isdronken.nl daf5a62e83 Merge changes from kiekerjan special 2021-04-11 20:45:24 +02:00
github@kiekerjan.isdronken.nl 12d0aee27a Add own changes 2021-04-11 12:14:41 +02:00
yeuna92 c87b62b8c2
Fix path to Roundcube error log in fail2ban jails.conf (#1761) 2020-05-11 08:59:42 -04:00
Joshua Tauberer 46f64e0e0a fail2ban should watch for managesieve logins too, fixes #1622 2019-08-31 09:04:17 -04:00
jvolkenant c60e3dc842 fail2ban ssh/ssh-ddos and sasl are now sshd and postfix-sasl (fixes #1453, merges #1454)
* fail2ban ssh/ssh-ddos and sasl are now sshd and postfix-sasl

* specified custom datepattern for miab-owncloud.conf
2019-01-18 09:40:51 -05:00
Jan Schulz-Hofen bb641cdfba Move from ownCloud to Nextcloud 2017-03-28 11:16:04 +07:00
NatCC f88c907a29 Update jails.conf - SSH fail2ban jail (#1105)
SSH fail2ban jail is not enabled by default and so the jail does not load.
2017-02-21 09:32:28 -05:00
Michael Kroes d9ac321f25 Owncloud needs more time to detect blocks. It doesn't respond as fast as the other services. Also owncloud logs UTC (since latest update) even though the timezone is not UTC. Also to detect a block, we get a timeout instead of a refused) 2016-06-27 06:03:19 -04:00
Michael Kroes 01fa8cf72c add fail2ban jails for ownCloud, postfix submission, roundcube, and the Mail-in-a-Box management daemon
(tests squashed into this commit by josh)
2016-06-06 09:13:10 -04:00
Chris Blankenship fac8477ba1 Configured Dovecot to log into its own logfile 2016-06-06 08:21:44 -04:00
Michael Kroes 4d7229ccb0 Add documentation on why the notification was removed from the recidive jail 2016-03-26 13:37:33 +01:00
Michael Kroes 454a2b167b Stop fail2ban recidive from sending emails, like all other jails 2016-03-26 09:04:51 +01:00
Joshua Tauberer bc79319864 Merge pull request #494 from anoma/fail2ban-recidive
Activate FAIL2BAN recidive jail
2015-12-22 08:11:19 -05:00
Joshua Tauberer 20e11bbab3 fail2ban: whitelist our machine's public ip address so status checks dont cause bans of the machine itself 2015-12-07 08:45:59 -05:00
anoma ae3ae0b5ba Revert to default FAIL2BAN findtime for SSH jail
I propose that the default 600s/10minute find time is a better test duration for this ban. The altered 120s findtime sounds reasonable until you consider that attackers can simply throttle to 3 attempts per minute and never be banned.

The remaining non default jail settings of maxretry = 7 and bantime = 3600 I believe are good.
2015-09-07 08:36:59 +01:00
anoma 42d657eb54 Unnecessary config item, inherited from default jail.conf 2015-09-07 08:28:54 +01:00
Joshua Tauberer 2c29d59895 Merge pull request #478 from kri3v/patch-1
Added more bantime and lowered max retry attempts
2015-09-05 11:42:36 -04:00
anoma 593fd242bf Activate FAIL2BAN recidive jail
Recidive can be thought of as FAIL2BAN checking itself. This setup will monitor the FAIL2BAN log and if 10 bans are seen within one day activate a week long ban and email the mail in a box admin that it has been applied . These bans survive FAIL2BAN service restarts so are much stronger which obviously means we need to be careful with them.

Our current settings are relatively safe and definitely not easy to trigger by mistake e.g to activate a recidive IP jail by failed SSH logins a user would have to fail logging into SSH  6 times in 10 minutes, get banned, wait for the ban to expire and then repeat this process 9 further times within a 24 hour period.

The default maxretry of 5 is much saner but that can be applied once users are happy with this jail. I have been running a stronger version of this for months and it does a very good job of ejecting persistent abusers.
2015-07-07 12:37:42 +01:00
anoma e591d9082f Ultra safe dovecot findtime and maxretry settings
Explicitly set the timings and counts for the dovecot jail rather than change the global [DEFAULT] and inherit it for this one jail. These settings are far too safe so a future PR should increase security here.
2015-07-06 13:44:53 +01:00
anoma b6f26c0f1e Revert to defaults FAIL2BAN findtime and maxretry
Reverts the remaining FAIL2BAN settings to default: findtime 600 and maxretry 3. As jail settings override default settings this was hardly being used anyway so it is better to explicitly set it per jail as and when required.
2015-07-06 13:42:41 +01:00
kri3v dd0bdef640 Added more bantime and lowered max retry attempts
Ban time was too low for preventing ssh brute force attacks, this change also allows to keep the auth.log more clean and avoid wasting cpu and i/o on this. 

Bots eventually will flag your IP as secure and move along.
2015-07-02 12:55:43 -03:00
anoma b2eaaeca4b Revert to default 6 ssh/ddos login attempts
No legitimate admin will require 20 login attempts. The default 6 is a sane middle ground especially since in 10 minutes they can try again  or immediately from another IP anyway.
2015-07-02 10:23:48 +01:00
anoma e2d9a523c3 Cleanup blank lines, comments and whitespace to make it easier to follow 2015-07-02 10:19:37 +01:00
anoma 11df1e4680 Unnecessary config item, inherited from default jail.conf 2015-07-02 10:10:50 +01:00
anoma 53d5542402 Revert to default 600 second ban time
A 60 second/1 minute ban time is not long enough to counter brute force attacks which is the main purpose of fail2ban for mail in a box. The default bantime of 10 minutes is still sane and I think we have proven fail2ban is reliable enough not to cause problems in general. It is not worth sacrificing security for the rare case where an admin locks themselves out for 10 minutes.
2015-07-02 10:08:50 +01:00
anoma bfda3f40b9 Unnecessary config item, inherited from default jail.conf 2015-07-02 09:55:59 +01:00
H8H c443524ee2 Configure fail2ban jails to prevent dumb brute-force attacks against postfix, dovecot and ssh. See #319 2015-03-08 01:13:55 +01:00