├── .github
│   └── FUNDING.yml
├── README.md
└── auto_script
    └── peer_auto_script.sh

/.github/FUNDING.yml:
--------------------------------------------------------------------------------
# These are supported funding model platforms

github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
patreon: # Replace with a single Patreon username
open_collective: # Replace with a single Open Collective username
ko_fi: # Replace with a single Ko-fi username
tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
liberapay: # Replace with a single Liberapay username
issuehunt: # Replace with a single IssueHunt username
otechie: # Replace with a single Otechie username
lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
custom: https://www.paypal.com/donate/?hosted_button_id=HV5ETC3R5VM4E

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# PeerTube Deployment Script

This script automates the initial deployment of PeerTube and its supporting services (PostgreSQL, Redis, Nginx) using Docker and Bash.

It is a free-to-use Bash script that installs PeerTube and applies baseline server hardening with a single command. You can run it on a blank server or on an existing one, so it suits both new and experienced PeerTube server owners. Be aware that it removes every existing Docker container and volume on the host and recreates the `/peertube` directory (the script prints a warning to this effect when it starts).

The script handles the whole PeerTube installation, including bootstrapping the admin user. It then hardens the host: it moves SSH to a port you choose, installs and enables the ufw firewall with rules that admit only that SSH port, HTTP and HTTPS, and installs Fail2Ban with progressive blocking rules. Moving the SSH port mainly cuts scanner noise; it is not a substitute for key-based authentication and a non-root admin account (see the recommendations below).
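The deployment steps below fetch the installer with `curl` and execute it on the same command line. As an added example, not part of this repository, the following Bash helper downloads a script over HTTPS only, checks its SHA-256 against a digest you obtained out of band (a release note, a signed announcement), and marks it executable only when the digest matches. The URL, output path and digest are parameters you supply; there is no pinned digest here, and the test exercises the helper with a constructed local file rather than the real installer.

```bash
#!/bin/bash
# Added example: download-verify-then-run wrapper for a remote installer script.
# Not part of the Honeytree repository. The expected digest is an assumption you
# must obtain out of band; nothing in this file pins a real value.

# fetch_and_verify URL EXPECTED_SHA256 OUTFILE
# Downloads URL to OUTFILE, verifies its SHA-256, then makes it executable.
# Returns 0 on success, 1 if the download fails, 2 if the digest does not match
# (the file is left in place, non-executable, so you can inspect it).
fetch_and_verify() {
  local url=$1 expected=$2 out=$3
  # -f: fail on HTTP errors instead of saving an error page as the script
  # -L: follow redirects; --proto '=https': refuse any non-HTTPS URL, even after a redirect
  if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$out" "$url"; then
    echo "download failed: $url" >&2
    return 1
  fi
  verify_digest "$out" "$expected" || return 2
  chmod 0755 "$out"
}

# verify_digest FILE EXPECTED_SHA256
# Compares the file's SHA-256 (lowercase hex) with the expected digest.
verify_digest() {
  local file=$1 expected=$2 actual
  actual=$(sha256sum "$file" | awk '{print $1}')
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# Typical use (URL and digest are placeholders you replace):
#   fetch_and_verify "https://example.invalid/auto_script.sh" "<sha256 from the release notes>" ./auto_script.sh \
#     && less ./auto_script.sh \
#     && sudo ./auto_script.sh
```

A digest mismatch leaves the downloaded file on disk but not executable, so you can diff it against what you expected instead of running it; a plain `curl ... && ./script` gives you no such checkpoint.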

The Bash file is unencrypted, freely usable, and redistributable (credit to Honeytree Technologies is required).

## About the Script

- **Language**: Bash
- **Deployment**: Uses the official Docker images for the PeerTube, PostgreSQL and Redis containers.
- **Configuration**:
  - Nginx reverse proxy in front of the PeerTube container, with a Let's Encrypt TLS certificate for the designated domain.

## Pre-requisites

- Server or VPS with a minimum of 4 GB RAM, 2 vCPU and 65 GB storage.
- Ubuntu 20.04 LTS pre-installed.
- Inbound ports reachable: 80, 443 and the SSH port you will choose in the script. The compose file also publishes 1935 (RTMP), which only matters if you use PeerTube live streaming.
- Internet access from the machine for fetching packages and Docker images.
- A DNS A (and/or AAAA) record for the domain pointing at the machine's IP, so Let's Encrypt can validate it.
- An SMTP server or email delivery service (PeerTube needs it for account and admin emails).

## Deployment Steps

1. SSH into the machine and assume root privileges.
2. Create and enter a working directory: `mkdir auto_script && cd auto_script`.
   You can also use your own directory.
3. Download the script and run it (`-L` follows redirects, `-O` keeps the remote file name):
   ```bash
   curl -LO https://code.honeytreetech.com/fediverse/peertube/auto-installer/auto_script.sh && sudo chmod +x auto_script.sh && ./auto_script.sh
   ```
   This fetches and executes code from the network in one step. If you want to review `auto_script.sh` first, drop the trailing `&& ./auto_script.sh` and start it yourself afterwards.
4. Input the requested details as per the following table.

   | Name | Description | Mandatory | Optional | Default Value |
   |------|-------------|-----------|----------|---------------|
   | `admin_email` | Admin email (also the PeerTube admin contact) | ✓ | ✖ | ✖ |
   | `domain_name` | Domain name the instance is served from | ✓ | ✖ | ✖ |
   | `smtp_host` | SMTP host | ✓ | ✖ | ✖ |
   | `smtp_port` | SMTP port | ✓ | ✖ | ✖ |
   | `smtp_user` | SMTP user | ✓ | ✖ | ✖ |
   | `smtp_password` | SMTP password | ✓ | ✖ | ✖ |
   | `smtp_from` | SMTP From address | ✓ | ✖ | ✖ |
   | `db_user` | Database user | ✖ | ✓ | `peertube` |
   | `db_password` | Database password | ✖ | ✓ | `pass_` followed by 16 random alphanumeric characters |
   | `db_name` | Database name | ✖ | ✓ | `peer_` followed by 8 random alphanumeric characters |
   | `port` | New SSH port (1-65535, excluding 80, 443, 9000 and 1935) | ✓ | ✖ | ✖ |

5. Accept the Let's Encrypt terms of service when certbot prompts.
6. Follow further on-screen instructions to complete the setup.

## Post Deployment

- Access PeerTube at `https://<domain_name>`. The admin username is `root`; PeerTube generates its password on first start and writes it to the container log, so if the script did not show it, run `docker logs peertube-peertube-1 | grep password`.
- SSH now listens on the port you entered, so connect with `ssh -p <port> user@host`. Keep your current session open until you have confirmed that a new login works.
- fail2ban is active with progressive blocking on the SSH jail.

## Post-Installation Security Recommendations

Once you have deployed PeerTube with this script, take additional steps to secure and harden your environment.

Consider the following actions:

- **Regular Updates**: Keep system packages, Docker images and PeerTube itself updated to patch known vulnerabilities.
- **Firewall Configuration**: Fine-tune the ufw rules to allow only necessary traffic. Remember that ports published by Docker (`ports:` in the compose file) bypass ufw unless they are bound to `127.0.0.1`.
- **User Access**: Limit or disable root SSH login. Create a user with sudo rights and an SSH key, then set `PermitRootLogin prohibit-password` or `no`; the script leaves `PermitRootLogin yes` so you are not locked out of a root-only server.
- **Secure Passwords**: Enforce strong password policies and use a password manager.
- **Two-Factor Authentication**: Where possible, enable 2FA for critical services and accounts.
- **Backup**: Back up critical data regularly (`/peertube/docker-volume` holds the database, Redis data and uploaded media) and store backups securely.
- **Monitoring & Logging**: Set up monitoring and logging to detect and alert on suspicious activity.
- **Application-Specific Security**: Follow security best practices specific to PeerTube (for example, keep open registration off until moderation is in place) and to any other applications you run.
- **Review and Audit**: Periodically review and audit your security settings and practices against current threats and vulnerabilities.

The security landscape is dynamic. Stay informed, and be proactive in securing your digital assets.

## Disclaimer

Using the installer is solely at your own risk, and you are responsible for any issues regarding quality, performance, accuracy, and effort. Additionally, support is only available to managed services clients of [Honeytree Technologies, LLC](https://honeytreetech.com); no free support is provided.

## CREDITS

This script and deployment guide have been made possible by [Honeytree Technologies, LLC](https://honeytreetech.com).

Please follow [@jeff@honeytree.social](https://honeytree.social/@jeff).

--------------------------------------------------------------------------------
/auto_script/peer_auto_script.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Display the script header, providing basic information about the script.
echo "######################################################################"
echo "#                                                                    #"
echo "#             Peertube Installation and Hardening Script             #"
echo "#                                                                    #"
echo "#               Created by Honeytree Technologies, LLC               #"
echo "#                       www.honeytreetech.com                        #"
echo "#                                                                    #"
echo "#                     Mastodon: honeytree.social                     #"
echo "#                   Email: info@honeytreetech.com                    #"
echo "#                                                                    #"
echo "######################################################################"

# Pause the script for 3 seconds to allow the user to read the header
sleep 3

# Display more detailed information about what each option does
echo "########################################################################"
echo "#####  THIS IS IMPORTANT, PLEASE READ CAREFULLY BEFORE SELECTING   #####"
echo "#####                                                              #####"
echo "#####  This will install Peertube on a fresh server.               #####"
echo "#####                                                              #####"
echo "#####  Installing on an operating Peertube server will wipe data.  #####"
echo "#####  It also removes ALL existing Docker containers and volumes. #####"
echo "#####                                                              #####"
echo "########################################################################"

# Pause the script for 3 seconds to allow the user to read the warning
sleep 3

# Generate one random alphanumeric character.
# Reads /dev/urandom rather than bash's $RANDOM: $RANDOM is a small, seedable
# PRNG and must not be used to generate passwords.
function random_char() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 1
}

# Generate a random alphanumeric string of the given length (used for the
# default database password and database name).
function random_string() {
  local length=$1
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$length"
}

# Validate that the SSH port is a number in 1-65535 and not one of the ports
# already used by nginx (80, 443) or the PeerTube container (9000, 1935).
validate_port() {
  local port=$1
  local excluded_ports=("80" "443" "9000" "1935")

  if [[ $port =~ ^[0-9]+$ && $port -ge 1 && $port -le 65535 ]]; then
    for excluded_port in "${excluded_ports[@]}"; do
      if [ "$port" -eq "$excluded_port" ]; then
        return 2 # Excluded port
      fi
    done
    return 0 # Valid port number
  else
    return 1 # Invalid port number
  fi
}

while true; do
  read -r -p "Enter admin email: " admin_email
  if [ -n "$admin_email" ]; then
    break
  else
    echo "Admin email cannot be empty. Please enter admin email."
  fi
done

while true; do
  read -r -p "Enter valid domain name: " domain_name
  if [ -n "$domain_name" ]; then
    break
  else
    echo "Domain cannot be empty. Please enter domain."
  fi
done

read -r -p "Enter the DB USER NAME (Default: peertube): " db_user
if [ -z "${db_user}" ]; then
  db_user=peertube
fi

temp_password="pass_$(random_string 16)"
read -r -p "Enter the DB PASSWORD (Default: ${temp_password}): " db_password
if [ -z "${db_password}" ]; then
  db_password=${temp_password}
fi
# The password is also written to /peertube/.env (root-only); record it now if you need it.
echo "your db password is ${db_password}"

temp_db="peer_$(random_string 8)"
read -r -p "Enter the DB NAME (Default: ${temp_db}): " db_name
if [ -z "${db_name}" ]; then
  db_name=${temp_db}
fi

while true; do
  read -r -p "Enter SMTP_HOST name: " smtp_host
  if [ -n "$smtp_host" ]; then
    break
  else
    echo "SMTP hostname cannot be empty. Please enter SMTP hostname."
  fi
done

while true; do
  read -r -p "Enter SMTP PORT: " smtp_port
  if [ -n "$smtp_port" ]; then
    break
  else
    echo "SMTP port cannot be empty. Please enter SMTP port."
  fi
done

while true; do
  read -r -p "Enter SMTP user name: " smtp_user
  if [ -n "$smtp_user" ]; then
    break
  else
    echo "SMTP username cannot be empty. Please enter SMTP username."
  fi
done

while true; do
  # -s: do not echo the password to the terminal (it is still stored in /peertube/.env)
  read -r -s -p "Enter SMTP_PASSWORD: " smtp_password
  echo
  if [ -n "$smtp_password" ]; then
    break
  else
    echo "SMTP_PASSWORD cannot be empty. Please enter smtp password."
  fi
done

while true; do
  read -r -p "Enter SMTP_FROM: " smtp_from
  if [ -n "$smtp_from" ]; then
    break
  else
    echo "SMTP_FROM cannot be empty. Please enter smtp from."
  fi
done


# Prompt the user until a valid port is entered
while true; do
  read -r -p "Enter the new SSH port (1-65535, excluding 80, 443, 9000 and 1935): " port
  # Validate the input
  validate_port "$port"
  case $? in
    0)
      echo "SSH port will be: $port"
      ssh_port=$port
      break # Exit the loop as a valid port has been entered
      ;;
    1)
      echo "Invalid port number. Please enter a valid port number between 1 and 65535."
      ;;
    2)
      echo "Invalid port number. Port $port is excluded. Please choose a different port."
      ;;
  esac
done


# Random secret for PEERTUBE_SECRET (used to sign tokens): 32 bytes from the OpenSSL CSPRNG.
secret_key=$(openssl rand -hex 32)


# Remove old Docker containers and volumes if Docker is already present.
# WARNING: this removes EVERY container and volume on the host, not only PeerTube's.
if command -v docker &>/dev/null; then
  old_containers=$(docker ps -a -q)
  if [ -n "$old_containers" ]; then
    sudo docker rm -f $old_containers
  fi
  old_volumes=$(docker volume ls -q)
  if [ -n "$old_volumes" ]; then
    sudo docker volume rm -f $old_volumes
  fi
fi

# Install the current Docker release from Docker's own apt repository,
# with packages verified against Docker's signing key.
sudo apt-get update -y
sudo apt-get install -y ca-certificates curl gnupg lsb-release
if test -f /usr/share/keyrings/docker-archive-keyring.gpg; then
  sudo rm /usr/share/keyrings/docker-archive-keyring.gpg
fi
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update -y
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
# Legacy v1 docker-compose; the script itself uses the "docker compose" plugin installed above.
sudo apt install docker-compose -y


# Assign the work directory
work_dir=/peertube
# Remove the old work directory if present (this deletes any previous PeerTube data under it)
sudo rm -rf ${work_dir}
# Make a new work directory
mkdir ${work_dir}

# Create empty compose and environment files for PeerTube.
# .env will hold the database and SMTP passwords and PEERTUBE_SECRET, so make it root-only.
touch ${work_dir}/docker-compose.yml
touch ${work_dir}/.env
chmod 600 ${work_dir}/.env

cat <<docker_content >>${work_dir}/docker-compose.yml
version: "3.3"
services:
  peertube:
    image: chocobozzz/peertube:production-bullseye
    env_file:
      - .env
    ports:
      # Ports published here are reachable from outside regardless of ufw,
      # because Docker manages its own iptables rules. 9000 (the HTTP API) is
      # only needed by the local nginx, so it is bound to loopback. 1935 (RTMP
      # for live streaming) must stay reachable by streamers, so it stays public.
      - "1935:1935"
      - "127.0.0.1:9000:9000"
    volumes:
      - assets:/app/client/dist
      - ./docker-volume/data:/data
      - ./docker-volume/config:/config
    depends_on:
      - postgres
      - redis
    restart: "always"
  postgres:
    image: postgres:13-alpine
    env_file:
      - .env
    volumes:
      - ./docker-volume/db:/var/lib/postgresql/data
    restart: "always"
  redis:
    image: redis:6-alpine
    volumes:
      - ./docker-volume/redis:/data
    restart: "always"
volumes:
  assets:
docker_content


# Add content to the .env file read by the containers
cat <<peertube_env >> ${work_dir}/.env
POSTGRES_USER=${db_user}
POSTGRES_PASSWORD=${db_password}
POSTGRES_DB=${db_name}
PEERTUBE_DB_NAME=${db_name}
#PEERTUBE_DB_SUFFIX=_prod
PEERTUBE_DB_USERNAME=${db_user}
PEERTUBE_DB_PASSWORD=${db_password}
PEERTUBE_DB_SSL=false
PEERTUBE_DB_HOSTNAME=postgres
PEERTUBE_WEBSERVER_HOSTNAME=${domain_name}
PEERTUBE_WEBSERVER_HTTPS=true
# Trust X-Forwarded-* headers only from the local nginx and the compose network
PEERTUBE_TRUST_PROXY=["127.0.0.1", "loopback", "172.18.0.0/16"]
PEERTUBE_SECRET=${secret_key}
PEERTUBE_SMTP_USERNAME=${smtp_user}
PEERTUBE_SMTP_PASSWORD=${smtp_password}
PEERTUBE_SMTP_HOSTNAME=${smtp_host}
PEERTUBE_SMTP_PORT=${smtp_port}
PEERTUBE_SMTP_FROM=${smtp_from}
PEERTUBE_SMTP_TLS=false
PEERTUBE_SMTP_DISABLE_STARTTLS=false
PEERTUBE_ADMIN_EMAIL=${admin_email}
# The POSTFIX_/OPENDKIM_ variables are only read by the optional postfix
# container, which this compose file does not include.
POSTFIX_myhostname=${domain_name}
OPENDKIM_DOMAINS=${domain_name}=peertube
OPENDKIM_RequireSafeKeys=no
PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PUBLIC="public-read"
PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PRIVATE="private"

# Open registration on a fresh, unmoderated instance attracts spam accounts;
# set this to false until moderation is in place.
PEERTUBE_SIGNUP_ENABLED=true
PEERTUBE_TRANSCODING_ENABLED=true
PEERTUBE_CONTACT_FORM_ENABLED=true

peertube_env

docker compose -f ${work_dir}/docker-compose.yml up -d


# Setting up nginx

if nginx -v &>/dev/null; then
  echo "Nginx is already installed"
  rm -f /etc/nginx/sites-available/peertube
  rm -f /etc/nginx/sites-enabled/peertube
else
  sudo apt-get update
  sudo apt-get install -y nginx
fi

# Create the nginx site file for the application
touch /etc/nginx/sites-available/peertube

cat <<nginx_content >>/etc/nginx/sites-available/peertube
server {

    server_name ${domain_name};

    # nginx's default client_max_body_size is 1M, which rejects every video
    # upload with HTTP 413. Set it to the largest upload you want to accept.
    client_max_body_size 12G;

    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_set_header Proxy "";
    proxy_http_version 1.1;
    proxy_set_header Upgrade \$http_upgrade;
    proxy_set_header Connection "upgrade";

    location / {
        proxy_pass http://localhost:9000;
        proxy_pass_header Server;
        proxy_buffering on;
        proxy_redirect off;
    }

    # PeerTube's live-streaming port (1935) speaks RTMP, not HTTP, so it cannot
    # be reverse-proxied here; streamers connect to the published Docker port directly.
}
nginx_content

# Link to sites-enabled to enable the virtual host.
sudo ln -sf /etc/nginx/sites-available/peertube /etc/nginx/sites-enabled/

# Reload the nginx service.
sudo systemctl restart nginx

# Config ufw firewall to allow Nginx ports. Skip if your server doesn't have ufw.
sudo ufw allow 'Nginx Full'

# Secure PeerTube with a Let's Encrypt TLS certificate
sudo apt-get install -y certbot python3-certbot-nginx

# Generate the TLS certificate for the domain (interactive: certbot asks you to
# accept the Let's Encrypt terms and whether to redirect HTTP to HTTPS)
sudo certbot --nginx -d ${domain_name}

systemctl restart nginx

# PeerTube creates the admin user "root" on first start and logs its generated
# password. Wait for that log line, then show it once.
admin_password=""
for _ in $(seq 1 30); do
  admin_password=$(docker logs peertube-peertube-1 2>&1 | grep password | awk -F 'password: ' '{print $2}')
  [ -n "$admin_password" ] && break
  sleep 5
done
if [ -n "$admin_password" ]; then
  echo "PeerTube admin user: root  password: ${admin_password}"
else
  echo "Admin password not logged yet; run: docker logs peertube-peertube-1 | grep password"
fi


# Change the SSH port
# /etc/ssh/ssh_config is the ssh CLIENT configuration. It is backed up and
# rewritten with the Ubuntu defaults; the server port is set in sshd_config
# below. Do NOT put "Port ${ssh_port}" under "Host *" here: that would make
# every outgoing ssh from this machine use the custom port.
sudo cp /etc/ssh/ssh_config /etc/ssh/ssh_config_copy
sudo rm /etc/ssh/ssh_config

cat <<ssh_content >> /etc/ssh/ssh_config
Host *
#   ForwardAgent no
#   ForwardX11 no
#   ForwardX11Trusted yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   GSSAPIKeyExchange no
#   GSSAPITrustDNS no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h
#   UserKnownHostsFile ~/.ssh/known_hosts.d/%k
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes
ssh_content

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config_copy
sudo rm /etc/ssh/sshd_config

cat <<sshd_content >> /etc/ssh/sshd_config
# WARNING: "yes" permits root login with a password over SSH, which the README's
# own recommendations advise against. It is kept so you are not locked out of a
# root-only server; once a sudo user with an SSH key exists, change it to
# prohibit-password (the OpenSSH default) or no.
PermitRootLogin yes


# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# Drop-ins are read here, BEFORE the Port line below. sshd keeps the first
# value it sees for each keyword, so a file in sshd_config.d that sets Port or
# PasswordAuthentication silently overrides what this script writes. Check the
# effective values with:
#   sshd -T | grep -Ei '^(port|permitrootlogin|passwordauthentication) '
Include /etc/ssh/sshd_config.d/*.conf

Port ${ssh_port}
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile	.ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
sshd_content

# Validate the new configuration before restarting sshd; a typo here would lock
# you out. On Ubuntu the service is "ssh" ("sshd" is an alias for it).
if sudo sshd -t; then
  systemctl restart ssh
else
  echo "ERROR: new sshd_config failed validation; restoring the backup and stopping." >&2
  sudo cp /etc/ssh/sshd_config_copy /etc/ssh/sshd_config
  exit 1
fi
echo "sshd now listens on port ${ssh_port}. Keep this session open and test a new login with: ssh -p ${ssh_port} <user>@${domain_name}"

# Turn on automatic security updates.
sudo dpkg-reconfigure -plow unattended-upgrades --unseen-only

# Set up a firewall with ufw: deny inbound by default, allow only the new SSH port, HTTP and HTTPS.
# Note: ports published by Docker bypass these rules (Docker writes its own iptables chains).
sudo apt-get install -y ufw
sudo ufw default allow outgoing
sudo ufw default deny incoming
sudo ufw allow ${ssh_port}/tcp comment 'SSH'
sudo ufw allow http comment 'HTTP'
sudo ufw allow https comment 'HTTPS'
yes | sudo ufw enable

# Install Fail2Ban
sudo apt-get install -y fail2ban
rm -f /etc/fail2ban/jail.local
touch /etc/fail2ban/jail.local

# Write the fail2ban configuration. This is a copy of the distribution jail.conf
# with local overrides applied in place (for example ufw as the ban action).
# The heredoc is unquoted so that ${ssh_port} expands; the %(...)s
# interpolations are fail2ban's own and pass through untouched.
cat <<fail2ban_content >> /etc/fail2ban/jail.local
#
# WARNING: heavily refactored in 0.9.0 release.  Please review and
#          customize settings for your setup.
#
# Changes:  in most of the cases you should not modify this
#           file, but provide customizations in jail.local file,
#           or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# ignoreip = 127.0.0.1
# bantime = 3600
# findtime = 600
# maxretry = 3
#
# [sshd]
# port = ssh
# logpath = %(sshd_log)s
# backend = %(sshd_backend)s
#
# The block above is commentary only. Options must sit under a section header:
# a bare "ignoreip = ..." before [INCLUDES] is rejected by the INI parser
# (MissingSectionHeaderError) and fail2ban then fails to load this file. The
# live settings are in the [DEFAULT] and [sshd] sections below.
#
# See jail.conf(5) man page for more information



# Comments: use '#' for comment lines and ';' (following a space) for inline comments


[INCLUDES]

#before = paths-distro.conf
before = paths-debian.conf

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
# Enabled here: after each unban, the next ban of the same IP lasts longer
# (bantime x 1, 2, 4, 8, ... per the formula below). This is the "progressive
# blocking" the README describes; fail2ban's own default is off.
bantime.increment = true

# "bantime.rndtime" is the max number of seconds using for mixing with random time
# to prevent "clever" botnets calculate exact time IP can be unbanned again:
#bantime.rndtime =

# "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
# Cap chosen here so a repeat offender is banned for at most one week per hit;
# without a cap the doubling continues up to 2^20 x bantime.
bantime.maxtime = 1w

# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
# default value of factor is 1 and with default value of formula, the ban time
# grows by 1, 2, 4, 8, 16 ...
#bantime.factor = 1

# "bantime.formula" used by default to calculate next value of ban time, default value below,
# the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
#bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
#
# more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
#bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)

# "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding
# previously ban count and given "bantime.factor" (for multipliers default is 1);
# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count,
# always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
#bantime.multipliers = 1 2 4 8 16 32 64
# following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
#bantime.multipliers = 1 5 30 60 300 720 1440 2880

# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed
# cross over all jails, if false (default), only current jail of the ban IP will be searched
#bantime.overalljails = false

# --------------------

# "ignoreself" specifies whether the local resp. own IP addresses should be ignored
# (default is true). Fail2ban will not ban a host which matches such addresses.
#ignoreself = true

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
#ignoreip = 127.0.0.1/8 ::1

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime = 10m

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m

# "maxretry" is the number of failures before a host get banned.
maxretry = 5

# "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
maxmatches = %(maxretry)s

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# systemd:   uses systemd python library to access the systemd journal.
#              Specifying "logpath" is not valid for this backend.
#              See "journalmatch" in the jails associated filter config
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
#       for which logs are present only in its own log files, specify some other
#       backend for that jail (e.g. polling) and provide empty value for
#       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
# raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)
usedns = warn

# "logencoding" specifies the encoding of the log files handled by the jail
#   This is used to decode the lines from the log file.
#   Typical examples:  "ascii", "utf-8"
#
#   auto:   will use the system locale setting
logencoding = auto

# "enabled" enables the jails.
#  By default all jails are disabled, and it should stay this way.
#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true:  jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false


# "mode" defines the mode of the filter (see corresponding filter implementation for more info).
mode = normal

# "filter" defines the filter to use by the jail.
#  By default jails have names matching their filter name
#
filter = %(__name__)s[mode=%(mode)s]


#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost

# Sender email address used solely for some actions
sender = root@<fq-hostname>

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
chain = <known/chain>

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
fail2ban_agent = Fail2Ban/%(fail2ban_version)s

#
# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
# ufw is used here so bans appear in "ufw status" next to the script's own rules.
banaction = ufw
banaction_allports = ufw

# The simplest action to take: ban only
action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(action_)s
            %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(action_)s
             %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(action_)s
             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]

# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
798 | action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] 799 | %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"] 800 | 801 | # Report block via blocklist.de fail2ban reporting service API 802 | # 803 | # See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action. 804 | # Specify expected parameters in file action.d/blocklist_de.local or if the interpolation 805 | # action_blocklist_de used for the action, set value of blocklist_de_apikey 806 | # in your jail.local globally (section [DEFAULT]) or per specific jail section (resp. in 807 | # corresponding jail.d/my-jail.local file). 808 | # 809 | action_blocklist_de = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] 810 | 811 | # Report ban via badips.com, and use as blacklist 812 | # 813 | # See BadIPsAction docstring in config/action.d/badips.py for 814 | # documentation for this action. 815 | # 816 | # NOTE: This action relies on banaction being present on start and therefore 817 | # should be last action defined for a jail. 818 | # 819 | action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"] 820 | # 821 | # Report ban via badips.com (uses action.d/badips.conf for reporting only) 822 | # 823 | action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"] 824 | 825 | # Report ban via abuseipdb.com. 826 | # 827 | # See action.d/abuseipdb.conf for usage example and details. 828 | # 829 | action_abuseipdb = abuseipdb 830 | 831 | # Choose default action. To change, just override value of 'action' with the 832 | # interpolation to the chosen action shortcut (e.g. 
action_mw, action_mwl, etc) in jail.local 833 | # globally (section [DEFAULT]) or per specific section 834 | action = %(action_)s 835 | 836 | 837 | # 838 | # JAILS 839 | # 840 | 841 | # 842 | # SSH servers 843 | # 844 | 845 | [sshd] 846 | 847 | # To use more aggressive sshd modes set filter parameter "mode" in jail.local: 848 | # normal (default), ddos, extra or aggressive (combines all). 849 | # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. 850 | #mode = normal 851 | port = ssh 852 | logpath = %(sshd_log)s 853 | backend = %(sshd_backend)s 854 | 855 | 856 | [dropbear] 857 | 858 | port = ssh 859 | logpath = %(dropbear_log)s 860 | backend = %(dropbear_backend)s 861 | 862 | 863 | [selinux-ssh] 864 | 865 | port = ssh 866 | logpath = %(auditd_log)s 867 | 868 | 869 | # 870 | # HTTP servers 871 | # 872 | 873 | [apache-auth] 874 | 875 | port = http,https 876 | logpath = %(apache_error_log)s 877 | 878 | 879 | [apache-badbots] 880 | # Ban hosts which agent identifies spammer robots crawling the web 881 | # for email addresses. The mail outputs are buffered. 
882 | port = http,https 883 | logpath = %(apache_access_log)s 884 | bantime = 48h 885 | maxretry = 1 886 | 887 | 888 | [apache-noscript] 889 | 890 | port = http,https 891 | logpath = %(apache_error_log)s 892 | 893 | 894 | [apache-overflows] 895 | 896 | port = http,https 897 | logpath = %(apache_error_log)s 898 | maxretry = 2 899 | 900 | 901 | [apache-nohome] 902 | 903 | port = http,https 904 | logpath = %(apache_error_log)s 905 | maxretry = 2 906 | 907 | 908 | [apache-botsearch] 909 | 910 | port = http,https 911 | logpath = %(apache_error_log)s 912 | maxretry = 2 913 | 914 | 915 | [apache-fakegooglebot] 916 | 917 | port = http,https 918 | logpath = %(apache_access_log)s 919 | maxretry = 1 920 | ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot 921 | 922 | 923 | [apache-modsecurity] 924 | 925 | port = http,https 926 | logpath = %(apache_error_log)s 927 | maxretry = 2 928 | 929 | 930 | [apache-shellshock] 931 | 932 | port = http,https 933 | logpath = %(apache_error_log)s 934 | maxretry = 1 935 | 936 | 937 | [openhab-auth] 938 | 939 | filter = openhab 940 | banaction = %(banaction_allports)s 941 | logpath = /opt/openhab/logs/request.log 942 | 943 | 944 | [nginx-http-auth] 945 | 946 | port = http,https 947 | logpath = %(nginx_error_log)s 948 | 949 | # To use 'nginx-limit-req' jail you should have ngx_http_limit_req_module 950 | # and define limit_req and limit_req_zone as described in nginx documentation 951 | # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html 952 | # or for example see in 'config/filter.d/nginx-limit-req.conf' 953 | [nginx-limit-req] 954 | port = http,https 955 | logpath = %(nginx_error_log)s 956 | 957 | [nginx-botsearch] 958 | 959 | port = http,https 960 | logpath = %(nginx_error_log)s 961 | maxretry = 2 962 | 963 | 964 | # Ban attackers that try to use PHP's URL-fopen() functionality 965 | # through GET/POST variables. - Experimental, with more than a year 966 | # of usage in production environments. 
967 | 968 | [php-url-fopen] 969 | 970 | port = http,https 971 | logpath = %(nginx_access_log)s 972 | %(apache_access_log)s 973 | 974 | 975 | [suhosin] 976 | 977 | port = http,https 978 | logpath = %(suhosin_log)s 979 | 980 | 981 | [lighttpd-auth] 982 | # Same as above for Apache's mod_auth 983 | # It catches wrong authentifications 984 | port = http,https 985 | logpath = %(lighttpd_error_log)s 986 | 987 | 988 | # 989 | # Webmail and groupware servers 990 | # 991 | 992 | [roundcube-auth] 993 | 994 | port = http,https 995 | logpath = %(roundcube_errors_log)s 996 | # Use following line in your jail.local if roundcube logs to journal. 997 | #backend = %(syslog_backend)s 998 | 999 | 1000 | [openwebmail] 1001 | 1002 | port = http,https 1003 | logpath = /var/log/openwebmail.log 1004 | 1005 | 1006 | [horde] 1007 | 1008 | port = http,https 1009 | logpath = /var/log/horde/horde.log 1010 | 1011 | 1012 | [groupoffice] 1013 | 1014 | port = http,https 1015 | logpath = /home/groupoffice/log/info.log 1016 | 1017 | 1018 | [sogo-auth] 1019 | # Monitor SOGo groupware server 1020 | # without proxy this would be: 1021 | # port = 20000 1022 | port = http,https 1023 | logpath = /var/log/sogo/sogo.log 1024 | 1025 | 1026 | [tine20] 1027 | 1028 | logpath = /var/log/tine20/tine20.log 1029 | port = http,https 1030 | 1031 | 1032 | # 1033 | # Web Applications 1034 | # 1035 | # 1036 | 1037 | [drupal-auth] 1038 | 1039 | port = http,https 1040 | logpath = %(syslog_daemon)s 1041 | backend = %(syslog_backend)s 1042 | 1043 | [guacamole] 1044 | 1045 | port = http,https 1046 | logpath = /var/log/tomcat*/catalina.out 1047 | #logpath = /var/log/guacamole.log 1048 | 1049 | [monit] 1050 | #Ban clients brute-forcing the monit gui login 1051 | port = 2812 1052 | logpath = /var/log/monit 1053 | /var/log/monit.log 1054 | 1055 | 1056 | [webmin-auth] 1057 | 1058 | port = 10000 1059 | logpath = %(syslog_authpriv)s 1060 | backend = %(syslog_backend)s 1061 | 1062 | 1063 | [froxlor-auth] 1064 | 1065 | port = 
http,https 1066 | logpath = %(syslog_authpriv)s 1067 | backend = %(syslog_backend)s 1068 | 1069 | 1070 | # 1071 | # HTTP Proxy servers 1072 | # 1073 | # 1074 | 1075 | [squid] 1076 | 1077 | port = 80,443,3128,8080 1078 | logpath = /var/log/squid/access.log 1079 | 1080 | 1081 | [3proxy] 1082 | 1083 | port = 3128 1084 | logpath = /var/log/3proxy.log 1085 | 1086 | 1087 | # 1088 | # FTP servers 1089 | # 1090 | 1091 | 1092 | [proftpd] 1093 | 1094 | port = ftp,ftp-data,ftps,ftps-data 1095 | logpath = %(proftpd_log)s 1096 | backend = %(proftpd_backend)s 1097 | 1098 | 1099 | [pure-ftpd] 1100 | 1101 | port = ftp,ftp-data,ftps,ftps-data 1102 | logpath = %(pureftpd_log)s 1103 | backend = %(pureftpd_backend)s 1104 | 1105 | 1106 | [gssftpd] 1107 | 1108 | port = ftp,ftp-data,ftps,ftps-data 1109 | logpath = %(syslog_daemon)s 1110 | backend = %(syslog_backend)s 1111 | 1112 | 1113 | [wuftpd] 1114 | 1115 | port = ftp,ftp-data,ftps,ftps-data 1116 | logpath = %(wuftpd_log)s 1117 | backend = %(wuftpd_backend)s 1118 | 1119 | 1120 | [vsftpd] 1121 | # or overwrite it in jails.local to be 1122 | # logpath = %(syslog_authpriv)s 1123 | # if you want to rely on PAM failed login attempts 1124 | # vsftpd's failregex should match both of those formats 1125 | port = ftp,ftp-data,ftps,ftps-data 1126 | logpath = %(vsftpd_log)s 1127 | 1128 | 1129 | # 1130 | # Mail servers 1131 | # 1132 | 1133 | # ASSP SMTP Proxy Jail 1134 | [assp] 1135 | 1136 | port = smtp,465,submission 1137 | logpath = /root/path/to/assp/logs/maillog.txt 1138 | 1139 | 1140 | [courier-smtp] 1141 | 1142 | port = smtp,465,submission 1143 | logpath = %(syslog_mail)s 1144 | backend = %(syslog_backend)s 1145 | 1146 | 1147 | [postfix] 1148 | # To use another modes set filter parameter "mode" in jail.local: 1149 | mode = more 1150 | port = smtp,465,submission 1151 | logpath = %(postfix_log)s 1152 | backend = %(postfix_backend)s 1153 | 1154 | 1155 | [postfix-rbl] 1156 | 1157 | filter = postfix[mode=rbl] 1158 | port = smtp,465,submission 
1159 | logpath = %(postfix_log)s 1160 | backend = %(postfix_backend)s 1161 | maxretry = 1 1162 | 1163 | 1164 | [sendmail-auth] 1165 | 1166 | port = submission,465,smtp 1167 | logpath = %(syslog_mail)s 1168 | backend = %(syslog_backend)s 1169 | 1170 | 1171 | [sendmail-reject] 1172 | # To use more aggressive modes set filter parameter "mode" in jail.local: 1173 | # normal (default), extra or aggressive 1174 | # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details. 1175 | #mode = normal 1176 | port = smtp,465,submission 1177 | logpath = %(syslog_mail)s 1178 | backend = %(syslog_backend)s 1179 | 1180 | 1181 | [qmail-rbl] 1182 | 1183 | filter = qmail 1184 | port = smtp,465,submission 1185 | logpath = /service/qmail/log/main/current 1186 | 1187 | 1188 | # dovecot defaults to logging to the mail syslog facility 1189 | # but can be set by syslog_facility in the dovecot configuration. 1190 | [dovecot] 1191 | 1192 | port = pop3,pop3s,imap,imaps,submission,465,sieve 1193 | logpath = %(dovecot_log)s 1194 | backend = %(dovecot_backend)s 1195 | 1196 | 1197 | [sieve] 1198 | 1199 | port = smtp,465,submission 1200 | logpath = %(dovecot_log)s 1201 | backend = %(dovecot_backend)s 1202 | 1203 | 1204 | [solid-pop3d] 1205 | 1206 | port = pop3,pop3s 1207 | logpath = %(solidpop3d_log)s 1208 | 1209 | 1210 | [exim] 1211 | # see filter.d/exim.conf for further modes supported from filter: 1212 | #mode = normal 1213 | port = smtp,465,submission 1214 | logpath = %(exim_main_log)s 1215 | 1216 | 1217 | [exim-spam] 1218 | 1219 | port = smtp,465,submission 1220 | logpath = %(exim_main_log)s 1221 | 1222 | 1223 | [kerio] 1224 | 1225 | port = imap,smtp,imaps,465 1226 | logpath = /opt/kerio/mailserver/store/logs/security.log 1227 | 1228 | 1229 | # 1230 | # Mail servers authenticators: might be used for smtp,ftp,imap servers, so 1231 | # all relevant ports get banned 1232 | # 1233 | 1234 | [courier-auth] 1235 | 1236 | port = 
smtp,465,submission,imap,imaps,pop3,pop3s 1237 | logpath = %(syslog_mail)s 1238 | backend = %(syslog_backend)s 1239 | 1240 | 1241 | [postfix-sasl] 1242 | 1243 | filter = postfix[mode=auth] 1244 | port = smtp,465,submission,imap,imaps,pop3,pop3s 1245 | # You might consider monitoring /var/log/mail.warn instead if you are 1246 | # running postfix since it would provide the same log lines at the 1247 | # "warn" level but overall at the smaller filesize. 1248 | logpath = %(postfix_log)s 1249 | backend = %(postfix_backend)s 1250 | 1251 | 1252 | [perdition] 1253 | 1254 | port = imap,imaps,pop3,pop3s 1255 | logpath = %(syslog_mail)s 1256 | backend = %(syslog_backend)s 1257 | 1258 | 1259 | [squirrelmail] 1260 | 1261 | port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks 1262 | logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log 1263 | 1264 | 1265 | [cyrus-imap] 1266 | 1267 | port = imap,imaps 1268 | logpath = %(syslog_mail)s 1269 | backend = %(syslog_backend)s 1270 | 1271 | 1272 | [uwimap-auth] 1273 | 1274 | port = imap,imaps 1275 | logpath = %(syslog_mail)s 1276 | backend = %(syslog_backend)s 1277 | 1278 | 1279 | # 1280 | # 1281 | # DNS servers 1282 | # 1283 | 1284 | 1285 | # !!! WARNING !!! 1286 | # Since UDP is connection-less protocol, spoofing of IP and imitation 1287 | # of illegal actions is way too simple. Thus enabling of this filter 1288 | # might provide an easy way for implementing a DoS against a chosen 1289 | # victim. See 1290 | # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html 1291 | # Please DO NOT USE this jail unless you know what you are doing. 1292 | # 1293 | # IMPORTANT: see filter.d/named-refused for instructions to enable logging 1294 | # This jail blocks UDP traffic for DNS requests. 
1295 | # [named-refused-udp] 1296 | # 1297 | # filter = named-refused 1298 | # port = domain,953 1299 | # protocol = udp 1300 | # logpath = /var/log/named/security.log 1301 | 1302 | # IMPORTANT: see filter.d/named-refused for instructions to enable logging 1303 | # This jail blocks TCP traffic for DNS requests. 1304 | 1305 | [named-refused] 1306 | 1307 | port = domain,953 1308 | logpath = /var/log/named/security.log 1309 | 1310 | 1311 | [nsd] 1312 | 1313 | port = 53 1314 | action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] 1315 | %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] 1316 | logpath = /var/log/nsd.log 1317 | 1318 | 1319 | # 1320 | # Miscellaneous 1321 | # 1322 | 1323 | [asterisk] 1324 | 1325 | port = 5060,5061 1326 | action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] 1327 | %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] 1328 | logpath = /var/log/asterisk/messages 1329 | maxretry = 10 1330 | 1331 | 1332 | [freeswitch] 1333 | 1334 | port = 5060,5061 1335 | action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] 1336 | %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] 1337 | logpath = /var/log/freeswitch.log 1338 | maxretry = 10 1339 | 1340 | 1341 | # enable adminlog; it will log to a file inside znc's directory by default. 
1342 | [znc-adminlog] 1343 | 1344 | port = 6667 1345 | logpath = /var/lib/znc/moddata/adminlog/znc.log 1346 | 1347 | 1348 | # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or 1349 | # equivalent section: 1350 | # log-warnings = 2 1351 | # 1352 | # for syslog (daemon facility) 1353 | # [mysqld_safe] 1354 | # syslog 1355 | # 1356 | # for own logfile 1357 | # [mysqld] 1358 | # log-error=/var/log/mysqld.log 1359 | [mysqld-auth] 1360 | 1361 | port = 3306 1362 | logpath = %(mysql_log)s 1363 | backend = %(mysql_backend)s 1364 | 1365 | 1366 | # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') 1367 | [mongodb-auth] 1368 | # change port when running with "--shardsvr" or "--configsvr" runtime operation 1369 | port = 27017 1370 | logpath = /var/log/mongodb/mongodb.log 1371 | 1372 | 1373 | # Jail for more extended banning of persistent abusers 1374 | # !!! WARNINGS !!! 1375 | # 1. Make sure that your loglevel specified in fail2ban.conf/.local 1376 | # is not at DEBUG level -- which might then cause fail2ban to fall into 1377 | # an infinite loop constantly feeding itself with non-informative lines 1378 | # 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) 1379 | # to maintain entries for failed logins for sufficient amount of time 1380 | [recidive] 1381 | 1382 | logpath = /var/log/fail2ban.log 1383 | banaction = %(banaction_allports)s 1384 | bantime = 1w 1385 | findtime = 1d 1386 | 1387 | 1388 | # Generic filter for PAM. 
Has to be used with action which bans all 1389 | # ports such as iptables-allports, shorewall 1390 | 1391 | [pam-generic] 1392 | # pam-generic filter can be customized to monitor specific subset of 'tty's 1393 | banaction = %(banaction_allports)s 1394 | logpath = %(syslog_authpriv)s 1395 | backend = %(syslog_backend)s 1396 | 1397 | 1398 | [xinetd-fail] 1399 | 1400 | banaction = iptables-multiport-log 1401 | logpath = %(syslog_daemon)s 1402 | backend = %(syslog_backend)s 1403 | maxretry = 2 1404 | 1405 | 1406 | # stunnel - need to set port for this 1407 | [stunnel] 1408 | 1409 | logpath = /var/log/stunnel4/stunnel.log 1410 | 1411 | 1412 | [ejabberd-auth] 1413 | 1414 | port = 5222 1415 | logpath = /var/log/ejabberd/ejabberd.log 1416 | 1417 | 1418 | [counter-strike] 1419 | 1420 | logpath = /opt/cstrike/logs/L[0-9]*.log 1421 | tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 1422 | udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 1423 | action_ = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"] 1424 | %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"] 1425 | 1426 | [softethervpn] 1427 | port = 500,4500 1428 | protocol = udp 1429 | logpath = /usr/local/vpnserver/security_log/*/sec.log 1430 | 1431 | [gitlab] 1432 | port = http,https 1433 | logpath = /var/log/gitlab/gitlab-rails/application.log 1434 | 1435 | [grafana] 1436 | port = http,https 1437 | logpath = /var/log/grafana/grafana.log 1438 | 1439 | [bitwarden] 1440 | port = http,https 1441 | logpath = /home/*/bwdata/logs/identity/Identity/log.txt 1442 | 1443 | [centreon] 1444 | port = http,https 1445 | logpath = /var/log/centreon/login.log 1446 | 1447 | # consider low maxretry and a long bantime 1448 | # nobody except your own Nagios server should ever probe nrpe 1449 | [nagios] 1450 | 1451 | logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility 1452 | backend 
= %(syslog_backend)s 1453 | maxretry = 1 1454 | 1455 | 1456 | [oracleims] 1457 | # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above 1458 | logpath = /opt/sun/comms/messaging64/log/mail.log_current 1459 | banaction = %(banaction_allports)s 1460 | 1461 | [directadmin] 1462 | logpath = /var/log/directadmin/login.log 1463 | port = 2222 1464 | 1465 | [portsentry] 1466 | logpath = /var/lib/portsentry/portsentry.history 1467 | maxretry = 1 1468 | 1469 | [pass2allow-ftp] 1470 | # this pass2allow example allows FTP traffic after successful HTTP authentication 1471 | port = ftp,ftp-data,ftps,ftps-data 1472 | # knocking_url variable must be overridden to some secret value in jail.local 1473 | knocking_url = /knocking/ 1474 | filter = apache-pass[knocking_url="%(knocking_url)s"] 1475 | # access log of the website with HTTP auth 1476 | logpath = %(apache_access_log)s 1477 | blocktype = RETURN 1478 | returntype = DROP 1479 | action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s, 1480 | actionstart_on_demand=false, actionrepair_on_unban=true] 1481 | bantime = 1h 1482 | maxretry = 1 1483 | findtime = 1 1484 | 1485 | 1486 | [murmur] 1487 | # AKA mumble-server 1488 | port = 64738 1489 | action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] 1490 | %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] 1491 | logpath = /var/log/mumble-server/mumble-server.log 1492 | 1493 | 1494 | [screensharingd] 1495 | # For Mac OS Screen Sharing Service (VNC) 1496 | logpath = /var/log/system.log 1497 | logencoding = utf-8 1498 | 1499 | [haproxy-http-auth] 1500 | # HAProxy by default doesn't log to file you'll need to set it up to forward 1501 | # logs to a syslog server which would then write them to disk. 1502 | # See "haproxy-http-auth" filter for a brief cautionary note when setting 1503 | # maxretry and findtime. 
1504 | logpath = /var/log/haproxy.log 1505 | 1506 | [slapd] 1507 | port = ldap,ldaps 1508 | logpath = /var/log/slapd.log 1509 | 1510 | [domino-smtp] 1511 | port = smtp,ssmtp 1512 | logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log 1513 | 1514 | [phpmyadmin-syslog] 1515 | port = http,https 1516 | logpath = %(syslog_authpriv)s 1517 | backend = %(syslog_backend)s 1518 | 1519 | 1520 | [zoneminder] 1521 | # Zoneminder HTTP/HTTPS web interface auth 1522 | # Logs auth failures to apache2 error log 1523 | port = http,https 1524 | logpath = %(apache_error_log)s 1525 | 1526 | [traefik-auth] 1527 | # to use 'traefik-auth' filter you have to configure your Traefik instance, 1528 | # see filter.d/traefik-auth.conf for details and service example. 1529 | port = http,https 1530 | logpath = /var/log/traefik/access.log 1531 | 1532 | [scanlogd] 1533 | logpath = %(syslog_local0)s 1534 | banaction = %(banaction_allports)s 1535 | fail2ban_ban 1536 | 1537 | 1538 | # Restart the fail2ban service. 1539 | sudo systemctl restart fail2ban 1540 | 1541 | 1542 | echo "Congratulations your setup is complete, now can login on https://${domain_name}" 1543 | echo "Use this credentials Email :- ${admin_email} and password:- ${admin_password}" 1544 | echo "Database user: ${db_user} , password: ${db_password} and name ${db_name}" 1545 | echo "Now SSH port is ${ssh_port}" 1546 | --------------------------------------------------------------------------------
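The jail.local the heredoc writes is the stock fail2ban jail.conf with `banaction` switched to `ufw`, and the service is restarted right after the file lands. Whether the result actually protects the relocated SSH port depends on how `[sshd]` resolves against `[DEFAULT]`, which is worth checking on the deployed host rather than assuming. The checker below is an added example and not part of the Honeytree auto_script: it resolves a key for a jail with fall-back to `[DEFAULT]` (the precedence fail2ban applies), lists the jails whose effective `enabled` is `true`, and verifies that `[sshd]` is enabled, on the expected port and backed by the `ufw` action. The cut-down sample configuration, the port 2222 and the function names are constructed for the demo; `%(...)s` interpolations and indented continuation lines are returned as written rather than expanded.

```shell
#!/usr/bin/env bash
# Added example (not from the auto_script): dependency-free checks over a
# fail2ban jail.local. Only awk, sed and grep are used, so it runs before
# fail2ban itself is installed.

# Constructed sample in the shape of the generated jail.local. The jail set
# and the SSH port 2222 are assumptions for this demo.
SAMPLE_JAIL_LOCAL="$(mktemp)"
trap 'rm -f "$SAMPLE_JAIL_LOCAL"' EXIT
cat > "$SAMPLE_JAIL_LOCAL" <<'EOF'
[DEFAULT]
bantime  = 10m
findtime = 10m
maxretry = 5
banaction = ufw
banaction_allports = ufw
enabled = false

[sshd]
enabled = true
port = 2222
logpath = %(sshd_log)s

[nginx-http-auth]
port = http,https
logpath = %(nginx_error_log)s

[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 1w
findtime = 1d
EOF

# jail_get FILE SECTION KEY
# Prints the effective value of KEY for SECTION: the jail's own setting if
# present, otherwise the [DEFAULT] value. Comment lines are skipped and only
# keys starting at column 0 count, so indented continuation lines are ignored.
# Values are printed verbatim; %(...)s interpolations are not expanded.
jail_get() {
  awk -v want_sec="$2" -v want_key="$3" '
    /^[[:space:]]*[#;]/ { next }
    /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
    /^[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ {
      eq  = index($0, "=")
      key = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", key)
      val = substr($0, eq + 1);   gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
      if (sec == want_sec && key == want_key) found = val
      if (sec == "DEFAULT"  && key == want_key) dflt  = val
    }
    END { if (found != "") print found; else if (dflt != "") print dflt }
  ' "$1"
}

# jails_enabled FILE
# Lists every jail (excluding [DEFAULT]) whose effective "enabled" is true.
jails_enabled() {
  sed -n 's/^\[\(.*\)\]$/\1/p' "$1" | grep -vx DEFAULT | while read -r jail; do
    if [ "$(jail_get "$1" "$jail" enabled)" = "true" ]; then
      echo "$jail"
    fi
  done
}

# check_sshd_jail FILE PORT
# Succeeds only if [sshd] is enabled, watches PORT and bans through ufw.
check_sshd_jail() {
  [ "$(jail_get "$1" sshd enabled)" = "true" ] &&
  [ "$(jail_get "$1" sshd port)" = "$2" ] &&
  [ "$(jail_get "$1" sshd banaction)" = "ufw" ]
}

if check_sshd_jail "$SAMPLE_JAIL_LOCAL" 2222; then
  echo "sshd jail: enabled on port 2222 with the ufw ban action"
else
  echo "sshd jail check FAILED" >&2
fi
echo "enabled jails: $(jails_enabled "$SAMPLE_JAIL_LOCAL" | tr '\n' ' ')"
```

Against a live host, point the functions at /etc/fail2ban/jail.local and compare with what the daemon actually loaded (`fail2ban-client -d` dumps the parsed configuration, `fail2ban-client status sshd` shows the running jail). Note that the stock `ufw` action in fail2ban's action.d/ufw.conf inserts a rule rejecting all traffic from the banned address and does not use the jail's `port` unless an `application` profile is passed, so with `banaction = ufw` the `port = ssh` left in `[sshd]` does not narrow the ban; the port only matters for port-scoped actions such as iptables-multiport.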