├── .github └── workflows │ └── main.yml ├── Dockerfile ├── README.md ├── defaults-debian.conf ├── jail.conf ├── rportd-client-connect.conf └── supervisord.conf /.github/workflows/main.yml: -------------------------------------------------------------------------------- 1 | name: Docker Image CI 2 | 3 | on: 4 | push: 5 | schedule: 6 | # Runs every day at 12:00 AM UTC 7 | - cron: '0 0 * * 0' 8 | workflow_dispatch: # Allows manual trigger 9 | 10 | jobs: 11 | build: 12 | runs-on: ubuntu-latest 13 | environment: dockerhub 14 | 15 | steps: 16 | - uses: actions/checkout@v4 17 | 18 | - name: Build the Docker image 19 | run: docker build . --file Dockerfile --tag openrport-docker:latest 20 | 21 | - name: Log in to DockerHub 22 | uses: docker/login-action@v3 23 | with: 24 | username: ${{ secrets.DOCKERHUB_USERNAME }} 25 | password: ${{ secrets.DOCKERHUB_TOKEN }} 26 | 27 | - name: Tag the Docker image 28 | run: docker tag openrport-docker:latest ${{ secrets.DOCKERHUB_USERNAME }}/openrport-docker:latest 29 | 30 | - name: Push the Docker image to DockerHub 31 | run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/openrport-docker:latest 32 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:3.17 as downloader 2 | 3 | ARG rport_version=0.9.14 4 | ARG frontend_build=0.9.12-17-build-1145 5 | ARG NOVNC_VERSION=1.3.0 6 | 7 | RUN apk add unzip 8 | 9 | WORKDIR /app/ 10 | 11 | RUN wget -q https://github.com/openrport/openrport/releases/download/${rport_version}/rportd_${rport_version}_Linux_x86_64.tar.gz -O rportd.tar.gz \ 12 | && tar xzf rportd.tar.gz rportd 13 | RUN wget -q https://downloads.openrport.io/frontend/stable/rport-frontend-${frontend_build}.zip -O frontend.zip \ 14 | && unzip frontend.zip -d ./frontend 15 | RUN wget https://github.com/novnc/noVNC/archive/refs/tags/v${NOVNC_VERSION}.zip -O novnc.zip \ 16 | && unzip novnc.zip && mv noVNC-${NOVNC_VERSION} ./novnc 17 | 18 | FROM guacamole/guacd:latest 19 | 20 | USER root 21 | 22 | ARG TZ="UTC" 23 | RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && \ 24 | echo $TZ > /etc/timezone 25 | 26 | RUN apk add gcompat wget supervisor 27 | 28 | RUN apk --purge del apk-tools && rm -rf /tmp/* /var/tmp/* 29 | 30 | 31 | COPY --from=downloader /app/rportd /usr/local/bin/rportd 32 | COPY --from=downloader /app/frontend/ /var/www/html/ 33 | COPY --from=downloader /app/novnc/ /var/lib/rport-novnc 34 | COPY supervisord.conf /etc/supervisord.conf 35 | 36 | RUN useradd -d /var/lib/rport -m -U -r -s /bin/false rport 37 | 38 | RUN touch /var/lib/rport/rport.log && chown rport /var/lib/rport/rport.log && touch /var/lib/rport/supervisord.log && chown rport /var/lib/rport/supervisord.log 39 | 40 | USER rport 41 | 42 | RUN chmod 755 -R /var/lib/rport/ 43 | 44 | EXPOSE 8080 45 | EXPOSE 3000 46 | EXPOSE 30000-35000 47 | EXPOSE 4822 48 | 49 | CMD ["/usr/bin/supervisord"] 50 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # openrport-docker 2 | repository to build a docker container for rport using alpine as the base image, this version contains guacd to use RDP via web browser (remember to disable nla authentication for RDP). 3 | Fail2ban and iptables are also running to further protect rport from scanner and password guessing attacks. 4 | You will need to add a config file (preferably as a mounted read-only volume pointing to your local file) 5 | 6 | If you want to use a database to store the data please follow this guide : https://oss.openrport.io 7 | 8 | docker-compose 9 | ``` 10 | version: '3.9' 11 | services: 12 | rport-server: 13 | container_name: rport 14 | image: iotech17/openrport-docker:latest 15 | restart: always 16 | privileged: true 17 | ports: 18 | - 3000:3000 19 | - 4822:4822 20 | - 20000:8080 21 | - 30000-30100:30000-30100 22 | volumes: 23 | - /home/user/rport/rportd.conf:/etc/rport/rportd.conf:ro 24 | - /home/user/rport/rport.key:/var/lib/rport/rport.key:ro 25 | - /home/user/rport/rport.crt:/var/lib/rport/rport.crt:ro 26 | - data:/var/lib/rport/ 27 | healthcheck: 28 | test: ["CMD-SHELL", "wget --no-check-certificate --spider -S http://localhost:3000 || exit 1"] 29 | interval: 30s 30 | timeout: 10s 31 | retries: 3 32 | 33 | volumes: 34 | data: 35 | -------------------------------------------------------------------------------- /defaults-debian.conf: -------------------------------------------------------------------------------- 1 | [rportd-client-connect] 2 | enabled = true 3 | -------------------------------------------------------------------------------- /jail.conf: -------------------------------------------------------------------------------- 1 | # 2 | # WARNING: heavily refactored in 0.9.0 release. Please review and 3 | # customize settings for your setup. 4 | # 5 | # Changes: in most of the cases you should not modify this 6 | # file, but provide customizations in jail.local file, 7 | # or separate .conf files under jail.d/ directory, e.g.: 8 | # 9 | # HOW TO ACTIVATE JAILS: 10 | # 11 | # YOU SHOULD NOT MODIFY THIS FILE. 12 | # 13 | # It will probably be overwritten or improved in a distribution update. 14 | # 15 | # Provide customizations in a jail.local file or a jail.d/customisation.local. 16 | # For example to change the default bantime for all jails and to enable the 17 | # ssh-iptables jail the following (uncommented) would appear in the .local file. 18 | # See man 5 jail.conf for details. 19 | # 20 | # [DEFAULT] 21 | # bantime = 1h 22 | # 23 | # [sshd] 24 | # enabled = true 25 | # 26 | # See jail.conf(5) man page for more information 27 | 28 | 29 | 30 | # Comments: use '#' for comment lines and ';' (following a space) for inline comments 31 | 32 | 33 | [INCLUDES] 34 | 35 | #before = paths-distro.conf 36 | before = paths-debian.conf 37 | 38 | # The DEFAULT allows a global definition of the options. They can be overridden 39 | # in each jail afterwards. 40 | 41 | [DEFAULT] 42 | 43 | # 44 | # MISCELLANEOUS OPTIONS 45 | # 46 | 47 | # "bantime.increment" allows to use database for searching of previously banned ip's to increase a 48 | # default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32... 49 | #bantime.increment = true 50 | 51 | # "bantime.rndtime" is the max number of seconds using for mixing with random time 52 | # to prevent "clever" botnets calculate exact time IP can be unbanned again: 53 | #bantime.rndtime = 54 | 55 | # "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further) 56 | #bantime.maxtime = 57 | 58 | # "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier, 59 | # default value of factor is 1 and with default value of formula, the ban time 60 | # grows by 1, 2, 4, 8, 16 ... 61 | #bantime.factor = 1 62 | 63 | # "bantime.formula" used by default to calculate next value of ban time, default value below, 64 | # the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32... 65 | #bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor 66 | # 67 | # more aggressive example of formula has the same values only for factor "2.0 / 2.885385" : 68 | #bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor) 69 | 70 | # "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding 71 | # previously ban count and given "bantime.factor" (for multipliers default is 1); 72 | # following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, 73 | # always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours 74 | #bantime.multipliers = 1 2 4 8 16 32 64 75 | # following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin, 76 | # for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day 77 | #bantime.multipliers = 1 5 30 60 300 720 1440 2880 78 | 79 | # "bantime.overalljails" (if true) specifies the search of IP in the database will be executed 80 | # cross over all jails, if false (default), only current jail of the ban IP will be searched 81 | #bantime.overalljails = false 82 | 83 | # -------------------- 84 | 85 | # "ignoreself" specifies whether the local resp. own IP addresses should be ignored 86 | # (default is true). Fail2ban will not ban a host which matches such addresses. 87 | #ignoreself = true 88 | 89 | # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban 90 | # will not ban a host which matches an address in this list. Several addresses 91 | # can be defined using space (and/or comma) separator. 92 | #ignoreip = 127.0.0.1/8 ::1 93 | 94 | # External command that will take an tagged arguments to ignore, e.g. , 95 | # and return true if the IP is to be ignored. False otherwise. 96 | # 97 | # ignorecommand = /path/to/command 98 | ignorecommand = 99 | 100 | # "bantime" is the number of seconds that a host is banned. 101 | bantime = 10m 102 | 103 | # A host is banned if it has generated "maxretry" during the last "findtime" 104 | # seconds. 105 | findtime = 10m 106 | 107 | # "maxretry" is the number of failures before a host get banned. 108 | maxretry = 5 109 | 110 | # "maxmatches" is the number of matches stored in ticket (resolvable via tag in actions). 111 | maxmatches = %(maxretry)s 112 | 113 | # "backend" specifies the backend used to get files modification. 114 | # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". 115 | # This option can be overridden in each jail as well. 116 | # 117 | # pyinotify: requires pyinotify (a file alteration monitor) to be installed. 118 | # If pyinotify is not installed, Fail2ban will use auto. 119 | # gamin: requires Gamin (a file alteration monitor) to be installed. 120 | # If Gamin is not installed, Fail2ban will use auto. 121 | # polling: uses a polling algorithm which does not require external libraries. 122 | # systemd: uses systemd python library to access the systemd journal. 123 | # Specifying "logpath" is not valid for this backend. 124 | # See "journalmatch" in the jails associated filter config 125 | # auto: will try to use the following backends, in order: 126 | # pyinotify, gamin, polling. 127 | # 128 | # Note: if systemd backend is chosen as the default but you enable a jail 129 | # for which logs are present only in its own log files, specify some other 130 | # backend for that jail (e.g. polling) and provide empty value for 131 | # journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 132 | backend = auto 133 | 134 | # "usedns" specifies if jails should trust hostnames in logs, 135 | # warn when DNS lookups are performed, or ignore all hostnames in logs 136 | # 137 | # yes: if a hostname is encountered, a DNS lookup will be performed. 138 | # warn: if a hostname is encountered, a DNS lookup will be performed, 139 | # but it will be logged as a warning. 140 | # no: if a hostname is encountered, will not be used for banning, 141 | # but it will be logged as info. 142 | # raw: use raw value (no hostname), allow use it for no-host filters/actions (example user) 143 | usedns = warn 144 | 145 | # "logencoding" specifies the encoding of the log files handled by the jail 146 | # This is used to decode the lines from the log file. 147 | # Typical examples: "ascii", "utf-8" 148 | # 149 | # auto: will use the system locale setting 150 | logencoding = auto 151 | 152 | # "enabled" enables the jails. 153 | # By default all jails are disabled, and it should stay this way. 154 | # Enable only relevant to your setup jails in your .local or jail.d/*.conf 155 | # 156 | # true: jail will be enabled and log files will get monitored for changes 157 | # false: jail is not enabled 158 | enabled = false 159 | 160 | 161 | # "mode" defines the mode of the filter (see corresponding filter implementation for more info). 162 | mode = normal 163 | 164 | # "filter" defines the filter to use by the jail. 165 | # By default jails have names matching their filter name 166 | # 167 | filter = %(__name__)s[mode=%(mode)s] 168 | 169 | 170 | # 171 | # ACTIONS 172 | # 173 | 174 | # Some options used for actions 175 | 176 | # Destination email address used solely for the interpolations in 177 | # jail.{conf,local,d/*} configuration files. 178 | destemail = root@localhost 179 | 180 | # Sender email address used solely for some actions 181 | sender = root@ 182 | 183 | # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the 184 | # mailing. Change mta configuration parameter to mail if you want to 185 | # revert to conventional 'mail'. 186 | mta = sendmail 187 | 188 | # Default protocol 189 | protocol = tcp 190 | 191 | # Specify chain where jumps would need to be added in ban-actions expecting parameter chain 192 | chain = 193 | 194 | # Ports to be banned 195 | # Usually should be overridden in a particular jail 196 | port = 0:65535 197 | 198 | # Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3 199 | fail2ban_agent = Fail2Ban/%(fail2ban_version)s 200 | 201 | # 202 | # Action shortcuts. To be used to define action parameter 203 | 204 | # Default banning action (e.g. iptables, iptables-new, 205 | # iptables-multiport, shorewall, etc) It is used to define 206 | # action_* variables. Can be overridden globally or per 207 | # section within jail.local file 208 | banaction = iptables-multiport 209 | banaction_allports = iptables-allports 210 | 211 | # The simplest action to take: ban only 212 | action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] 213 | 214 | # ban & send an e-mail with whois report to the destemail. 215 | action_mw = %(action_)s 216 | %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] 217 | 218 | # ban & send an e-mail with whois report and relevant log lines 219 | # to the destemail. 220 | action_mwl = %(action_)s 221 | %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"] 222 | 223 | # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action 224 | # 225 | # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines 226 | # to the destemail. 227 | action_xarf = %(action_)s 228 | xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"] 229 | 230 | # ban & send a notification to one or more of the 50+ services supported by Apprise. 231 | # See https://github.com/caronc/apprise/wiki for details on what is supported. 232 | # 233 | # You may optionally over-ride the default configuration line (containing the Apprise URLs) 234 | # by using 'apprise[config="/alternate/path/to/apprise.cfg"]' otherwise 235 | # /etc/fail2ban/apprise.conf is sourced for your supported notification configuration. 236 | # action = %(action_)s 237 | # apprise 238 | 239 | # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines 240 | # to the destemail. 241 | action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] 242 | %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"] 243 | 244 | # Report block via blocklist.de fail2ban reporting service API 245 | # 246 | # See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action. 247 | # Specify expected parameters in file action.d/blocklist_de.local or if the interpolation 248 | # `action_blocklist_de` used for the action, set value of `blocklist_de_apikey` 249 | # in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in 250 | # corresponding jail.d/my-jail.local file). 251 | # 252 | action_blocklist_de = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] 253 | 254 | # Report ban via abuseipdb.com. 255 | # 256 | # See action.d/abuseipdb.conf for usage example and details. 257 | # 258 | action_abuseipdb = abuseipdb 259 | 260 | # Choose default action. To change, just override value of 'action' with the 261 | # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local 262 | # globally (section [DEFAULT]) or per specific section 263 | action = %(action_)s 264 | 265 | 266 | # 267 | # JAILS 268 | # 269 | 270 | # 271 | # SSH servers 272 | # 273 | 274 | [sshd] 275 | 276 | # To use more aggressive sshd modes set filter parameter "mode" in jail.local: 277 | # normal (default), ddos, extra or aggressive (combines all). 278 | # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. 279 | #mode = normal 280 | port = ssh 281 | logpath = %(sshd_log)s 282 | backend = %(sshd_backend)s 283 | 284 | 285 | [dropbear] 286 | 287 | port = ssh 288 | logpath = %(dropbear_log)s 289 | backend = %(dropbear_backend)s 290 | 291 | 292 | [selinux-ssh] 293 | 294 | port = ssh 295 | logpath = %(auditd_log)s 296 | 297 | 298 | # 299 | # HTTP servers 300 | # 301 | 302 | [apache-auth] 303 | 304 | port = http,https 305 | logpath = %(apache_error_log)s 306 | 307 | 308 | [apache-badbots] 309 | # Ban hosts which agent identifies spammer robots crawling the web 310 | # for email addresses. The mail outputs are buffered. 311 | port = http,https 312 | logpath = %(apache_access_log)s 313 | bantime = 48h 314 | maxretry = 1 315 | 316 | 317 | [apache-noscript] 318 | 319 | port = http,https 320 | logpath = %(apache_error_log)s 321 | 322 | 323 | [apache-overflows] 324 | 325 | port = http,https 326 | logpath = %(apache_error_log)s 327 | maxretry = 2 328 | 329 | 330 | [apache-nohome] 331 | 332 | port = http,https 333 | logpath = %(apache_error_log)s 334 | maxretry = 2 335 | 336 | 337 | [apache-botsearch] 338 | 339 | port = http,https 340 | logpath = %(apache_error_log)s 341 | maxretry = 2 342 | 343 | 344 | [apache-fakegooglebot] 345 | 346 | port = http,https 347 | logpath = %(apache_access_log)s 348 | maxretry = 1 349 | ignorecommand = %(fail2ban_confpath)s/filter.d/ignorecommands/apache-fakegooglebot 350 | 351 | 352 | [apache-modsecurity] 353 | 354 | port = http,https 355 | logpath = %(apache_error_log)s 356 | maxretry = 2 357 | 358 | 359 | [apache-shellshock] 360 | 361 | port = http,https 362 | logpath = %(apache_error_log)s 363 | maxretry = 1 364 | 365 | 366 | [openhab-auth] 367 | 368 | filter = openhab 369 | banaction = %(banaction_allports)s 370 | logpath = /opt/openhab/logs/request.log 371 | 372 | 373 | # To use more aggressive http-auth modes set filter parameter "mode" in jail.local: 374 | # normal (default), aggressive (combines all), auth or fallback 375 | # See "tests/files/logs/nginx-http-auth" or "filter.d/nginx-http-auth.conf" for usage example and details. 376 | [nginx-http-auth] 377 | # mode = normal 378 | port = http,https 379 | logpath = %(nginx_error_log)s 380 | 381 | # To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 382 | # and define `limit_req` and `limit_req_zone` as described in nginx documentation 383 | # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html 384 | # or for example see in 'config/filter.d/nginx-limit-req.conf' 385 | [nginx-limit-req] 386 | port = http,https 387 | logpath = %(nginx_error_log)s 388 | 389 | [nginx-botsearch] 390 | 391 | port = http,https 392 | logpath = %(nginx_error_log)s 393 | 394 | [nginx-bad-request] 395 | port = http,https 396 | logpath = %(nginx_access_log)s 397 | 398 | # Ban attackers that try to use PHP's URL-fopen() functionality 399 | # through GET/POST variables. - Experimental, with more than a year 400 | # of usage in production environments. 401 | 402 | [php-url-fopen] 403 | 404 | port = http,https 405 | logpath = %(nginx_access_log)s 406 | %(apache_access_log)s 407 | 408 | 409 | [suhosin] 410 | 411 | port = http,https 412 | logpath = %(suhosin_log)s 413 | 414 | 415 | [lighttpd-auth] 416 | # Same as above for Apache's mod_auth 417 | # It catches wrong authentifications 418 | port = http,https 419 | logpath = %(lighttpd_error_log)s 420 | 421 | 422 | # 423 | # Webmail and groupware servers 424 | # 425 | 426 | [roundcube-auth] 427 | 428 | port = http,https 429 | logpath = %(roundcube_errors_log)s 430 | # Use following line in your jail.local if roundcube logs to journal. 431 | #backend = %(syslog_backend)s 432 | 433 | 434 | [openwebmail] 435 | 436 | port = http,https 437 | logpath = /var/log/openwebmail.log 438 | 439 | 440 | [horde] 441 | 442 | port = http,https 443 | logpath = /var/log/horde/horde.log 444 | 445 | 446 | [groupoffice] 447 | 448 | port = http,https 449 | logpath = /home/groupoffice/log/info.log 450 | 451 | 452 | [sogo-auth] 453 | # Monitor SOGo groupware server 454 | # without proxy this would be: 455 | # port = 20000 456 | port = http,https 457 | logpath = /var/log/sogo/sogo.log 458 | 459 | 460 | [tine20] 461 | 462 | logpath = /var/log/tine20/tine20.log 463 | port = http,https 464 | 465 | 466 | # 467 | # Web Applications 468 | # 469 | # 470 | 471 | [drupal-auth] 472 | 473 | port = http,https 474 | logpath = %(syslog_daemon)s 475 | backend = %(syslog_backend)s 476 | 477 | [guacamole] 478 | 479 | port = http,https 480 | logpath = /var/log/tomcat*/catalina.out 481 | #logpath = /var/log/guacamole.log 482 | 483 | [monit] 484 | #Ban clients brute-forcing the monit gui login 485 | port = 2812 486 | logpath = /var/log/monit 487 | /var/log/monit.log 488 | 489 | 490 | [webmin-auth] 491 | 492 | port = 10000 493 | logpath = %(syslog_authpriv)s 494 | backend = %(syslog_backend)s 495 | 496 | 497 | [froxlor-auth] 498 | 499 | port = http,https 500 | logpath = %(syslog_authpriv)s 501 | backend = %(syslog_backend)s 502 | 503 | 504 | # 505 | # HTTP Proxy servers 506 | # 507 | # 508 | 509 | [squid] 510 | 511 | port = 80,443,3128,8080 512 | logpath = /var/log/squid/access.log 513 | 514 | 515 | [3proxy] 516 | 517 | port = 3128 518 | logpath = /var/log/3proxy.log 519 | 520 | 521 | # 522 | # FTP servers 523 | # 524 | 525 | 526 | [proftpd] 527 | 528 | port = ftp,ftp-data,ftps,ftps-data 529 | logpath = %(proftpd_log)s 530 | backend = %(proftpd_backend)s 531 | 532 | 533 | [pure-ftpd] 534 | 535 | port = ftp,ftp-data,ftps,ftps-data 536 | logpath = %(pureftpd_log)s 537 | backend = %(pureftpd_backend)s 538 | 539 | 540 | [gssftpd] 541 | 542 | port = ftp,ftp-data,ftps,ftps-data 543 | logpath = %(syslog_daemon)s 544 | backend = %(syslog_backend)s 545 | 546 | 547 | [wuftpd] 548 | 549 | port = ftp,ftp-data,ftps,ftps-data 550 | logpath = %(wuftpd_log)s 551 | backend = %(wuftpd_backend)s 552 | 553 | 554 | [vsftpd] 555 | # or overwrite it in jails.local to be 556 | # logpath = %(syslog_authpriv)s 557 | # if you want to rely on PAM failed login attempts 558 | # vsftpd's failregex should match both of those formats 559 | port = ftp,ftp-data,ftps,ftps-data 560 | logpath = %(vsftpd_log)s 561 | 562 | 563 | # 564 | # Mail servers 565 | # 566 | 567 | # ASSP SMTP Proxy Jail 568 | [assp] 569 | 570 | port = smtp,465,submission 571 | logpath = /root/path/to/assp/logs/maillog.txt 572 | 573 | 574 | [courier-smtp] 575 | 576 | port = smtp,465,submission 577 | logpath = %(syslog_mail)s 578 | backend = %(syslog_backend)s 579 | 580 | 581 | [postfix] 582 | # To use another modes set filter parameter "mode" in jail.local: 583 | mode = more 584 | port = smtp,465,submission 585 | logpath = %(postfix_log)s 586 | backend = %(postfix_backend)s 587 | 588 | 589 | [postfix-rbl] 590 | 591 | filter = postfix[mode=rbl] 592 | port = smtp,465,submission 593 | logpath = %(postfix_log)s 594 | backend = %(postfix_backend)s 595 | maxretry = 1 596 | 597 | 598 | [sendmail-auth] 599 | 600 | port = submission,465,smtp 601 | logpath = %(syslog_mail)s 602 | backend = %(syslog_backend)s 603 | 604 | 605 | [sendmail-reject] 606 | # To use more aggressive modes set filter parameter "mode" in jail.local: 607 | # normal (default), extra or aggressive 608 | # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details. 609 | #mode = normal 610 | port = smtp,465,submission 611 | logpath = %(syslog_mail)s 612 | backend = %(syslog_backend)s 613 | 614 | 615 | [qmail-rbl] 616 | 617 | filter = qmail 618 | port = smtp,465,submission 619 | logpath = /service/qmail/log/main/current 620 | 621 | 622 | # dovecot defaults to logging to the mail syslog facility 623 | # but can be set by syslog_facility in the dovecot configuration. 624 | [dovecot] 625 | 626 | port = pop3,pop3s,imap,imaps,submission,465,sieve 627 | logpath = %(dovecot_log)s 628 | backend = %(dovecot_backend)s 629 | 630 | 631 | [sieve] 632 | 633 | port = smtp,465,submission 634 | logpath = %(dovecot_log)s 635 | backend = %(dovecot_backend)s 636 | 637 | 638 | [solid-pop3d] 639 | 640 | port = pop3,pop3s 641 | logpath = %(solidpop3d_log)s 642 | 643 | 644 | [exim] 645 | # see filter.d/exim.conf for further modes supported from filter: 646 | #mode = normal 647 | port = smtp,465,submission 648 | logpath = %(exim_main_log)s 649 | 650 | 651 | [exim-spam] 652 | 653 | port = smtp,465,submission 654 | logpath = %(exim_main_log)s 655 | 656 | 657 | [kerio] 658 | 659 | port = imap,smtp,imaps,465 660 | logpath = /opt/kerio/mailserver/store/logs/security.log 661 | 662 | 663 | # 664 | # Mail servers authenticators: might be used for smtp,ftp,imap servers, so 665 | # all relevant ports get banned 666 | # 667 | 668 | [courier-auth] 669 | 670 | port = smtp,465,submission,imap,imaps,pop3,pop3s 671 | logpath = %(syslog_mail)s 672 | backend = %(syslog_backend)s 673 | 674 | 675 | [postfix-sasl] 676 | 677 | filter = postfix[mode=auth] 678 | port = smtp,465,submission,imap,imaps,pop3,pop3s 679 | # You might consider monitoring /var/log/mail.warn instead if you are 680 | # running postfix since it would provide the same log lines at the 681 | # "warn" level but overall at the smaller filesize. 682 | logpath = %(postfix_log)s 683 | backend = %(postfix_backend)s 684 | 685 | 686 | [perdition] 687 | 688 | port = imap,imaps,pop3,pop3s 689 | logpath = %(syslog_mail)s 690 | backend = %(syslog_backend)s 691 | 692 | 693 | [squirrelmail] 694 | 695 | port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks 696 | logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log 697 | 698 | 699 | [cyrus-imap] 700 | 701 | port = imap,imaps 702 | logpath = %(syslog_mail)s 703 | backend = %(syslog_backend)s 704 | 705 | 706 | [uwimap-auth] 707 | 708 | port = imap,imaps 709 | logpath = %(syslog_mail)s 710 | backend = %(syslog_backend)s 711 | 712 | 713 | # 714 | # 715 | # DNS servers 716 | # 717 | 718 | 719 | # !!! WARNING !!! 720 | # Since UDP is connection-less protocol, spoofing of IP and imitation 721 | # of illegal actions is way too simple. Thus enabling of this filter 722 | # might provide an easy way for implementing a DoS against a chosen 723 | # victim. See 724 | # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html 725 | # Please DO NOT USE this jail unless you know what you are doing. 726 | # 727 | # IMPORTANT: see filter.d/named-refused for instructions to enable logging 728 | # This jail blocks UDP traffic for DNS requests. 729 | # [named-refused-udp] 730 | # 731 | # filter = named-refused 732 | # port = domain,953 733 | # protocol = udp 734 | # logpath = /var/log/named/security.log 735 | 736 | # IMPORTANT: see filter.d/named-refused for instructions to enable logging 737 | # This jail blocks TCP traffic for DNS requests. 738 | 739 | [named-refused] 740 | 741 | port = domain,953 742 | logpath = /var/log/named/security.log 743 | 744 | 745 | [nsd] 746 | 747 | port = 53 748 | action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] 749 | %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] 750 | logpath = /var/log/nsd.log 751 | 752 | 753 | # 754 | # Miscellaneous 755 | # 756 | 757 | [asterisk] 758 | 759 | port = 5060,5061 760 | action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] 761 | %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] 762 | logpath = /var/log/asterisk/messages 763 | maxretry = 10 764 | 765 | 766 | [freeswitch] 767 | 768 | port = 5060,5061 769 | action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] 770 | %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] 771 | logpath = /var/log/freeswitch.log 772 | maxretry = 10 773 | 774 | 775 | # enable adminlog; it will log to a file inside znc's directory by default. 776 | [znc-adminlog] 777 | 778 | port = 6667 779 | logpath = /var/lib/znc/moddata/adminlog/znc.log 780 | 781 | 782 | # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or 783 | # equivalent section: 784 | # log-warnings = 2 785 | # 786 | # for syslog (daemon facility) 787 | # [mysqld_safe] 788 | # syslog 789 | # 790 | # for own logfile 791 | # [mysqld] 792 | # log-error=/var/log/mysqld.log 793 | [mysqld-auth] 794 | 795 | port = 3306 796 | logpath = %(mysql_log)s 797 | backend = %(mysql_backend)s 798 | 799 | 800 | [mssql-auth] 801 | # Default configuration for Microsoft SQL Server for Linux 802 | # See the 'mssql-conf' manpage how to change logpath or port 803 | logpath = /var/opt/mssql/log/errorlog 804 | port = 1433 805 | filter = mssql-auth 806 | 807 | 808 | # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') 809 | [mongodb-auth] 810 | # change port when running with "--shardsvr" or "--configsvr" runtime operation 811 | port = 27017 812 | logpath = /var/log/mongodb/mongodb.log 813 | 814 | 815 | # Jail for more extended banning of persistent abusers 816 | # !!! WARNINGS !!! 817 | # 1. Make sure that your loglevel specified in fail2ban.conf/.local 818 | # is not at DEBUG level -- which might then cause fail2ban to fall into 819 | # an infinite loop constantly feeding itself with non-informative lines 820 | # 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) 821 | # to maintain entries for failed logins for sufficient amount of time 822 | [recidive] 823 | 824 | logpath = /var/log/fail2ban.log 825 | banaction = %(banaction_allports)s 826 | bantime = 1w 827 | findtime = 1d 828 | 829 | 830 | # Generic filter for PAM. Has to be used with action which bans all 831 | # ports such as iptables-allports, shorewall 832 | 833 | [pam-generic] 834 | # pam-generic filter can be customized to monitor specific subset of 'tty's 835 | banaction = %(banaction_allports)s 836 | logpath = %(syslog_authpriv)s 837 | backend = %(syslog_backend)s 838 | 839 | 840 | [xinetd-fail] 841 | 842 | banaction = iptables-multiport-log 843 | logpath = %(syslog_daemon)s 844 | backend = %(syslog_backend)s 845 | maxretry = 2 846 | 847 | 848 | # stunnel - need to set port for this 849 | [stunnel] 850 | 851 | logpath = /var/log/stunnel4/stunnel.log 852 | 853 | 854 | [ejabberd-auth] 855 | 856 | port = 5222 857 | logpath = /var/log/ejabberd/ejabberd.log 858 | 859 | 860 | [counter-strike] 861 | 862 | logpath = /opt/cstrike/logs/L[0-9]*.log 863 | tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 864 | udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 865 | action_ = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"] 866 | %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"] 867 | 868 | [softethervpn] 869 | port = 500,4500 870 | protocol = udp 871 | logpath = /usr/local/vpnserver/security_log/*/sec.log 872 | 873 | [gitlab] 874 | port = http,https 875 | logpath = /var/log/gitlab/gitlab-rails/application.log 876 | 877 | [grafana] 878 | port = http,https 879 | logpath = /var/log/grafana/grafana.log 880 | 881 | [bitwarden] 882 | port = http,https 883 | logpath = /home/*/bwdata/logs/identity/Identity/log.txt 884 | 885 | [centreon] 886 | port = http,https 887 | logpath = /var/log/centreon/login.log 888 | 889 | # consider low maxretry and a long bantime 890 | # nobody except your own Nagios server should ever probe nrpe 891 | [nagios] 892 | 893 | logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility 894 | backend = %(syslog_backend)s 895 | maxretry = 1 896 | 897 | 898 | [oracleims] 899 | # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above 900 | logpath = /opt/sun/comms/messaging64/log/mail.log_current 901 | banaction = %(banaction_allports)s 902 | 903 | [directadmin] 904 | logpath = /var/log/directadmin/login.log 905 | port = 2222 906 | 907 | [portsentry] 908 | logpath = /var/lib/portsentry/portsentry.history 909 | maxretry = 1 910 | 911 | [pass2allow-ftp] 912 | # this pass2allow example allows FTP traffic after successful HTTP authentication 913 | port = ftp,ftp-data,ftps,ftps-data 914 | # knocking_url variable must be overridden to some secret value in jail.local 915 | knocking_url = /knocking/ 916 | filter = apache-pass[knocking_url="%(knocking_url)s"] 917 | # access log of the website with HTTP auth 918 | logpath = %(apache_access_log)s 919 | blocktype = RETURN 920 | returntype = DROP 921 | action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s, 922 | actionstart_on_demand=false, actionrepair_on_unban=true] 923 | bantime = 1h 924 | maxretry = 1 925 | findtime = 1 926 | 927 | 928 | [murmur] 929 | # AKA mumble-server 930 | port = 64738 931 | action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"] 932 | %(default/action_)s[name=%(__name__)s-udp, protocol="udp"] 933 | logpath = /var/log/mumble-server/mumble-server.log 934 | 935 | 936 | [screensharingd] 937 | # For Mac OS Screen Sharing Service (VNC) 938 | logpath = /var/log/system.log 939 | logencoding = utf-8 940 | 941 | [haproxy-http-auth] 942 | # HAProxy by default doesn't log to file you'll need to set it up to forward 943 | # logs to a syslog server which would then write them to disk. 944 | # See "haproxy-http-auth" filter for a brief cautionary note when setting 945 | # maxretry and findtime. 946 | logpath = /var/log/haproxy.log 947 | 948 | [slapd] 949 | port = ldap,ldaps 950 | logpath = /var/log/slapd.log 951 | 952 | [domino-smtp] 953 | port = smtp,ssmtp 954 | logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log 955 | 956 | [phpmyadmin-syslog] 957 | port = http,https 958 | logpath = %(syslog_authpriv)s 959 | backend = %(syslog_backend)s 960 | 961 | 962 | [zoneminder] 963 | # Zoneminder HTTP/HTTPS web interface auth 964 | # Logs auth failures to apache2 error log 965 | port = http,https 966 | logpath = %(apache_error_log)s 967 | 968 | [traefik-auth] 969 | # to use 'traefik-auth' filter you have to configure your Traefik instance, 970 | # see `filter.d/traefik-auth.conf` for details and service example. 971 | port = http,https 972 | logpath = /var/log/traefik/access.log 973 | 974 | [scanlogd] 975 | logpath = %(syslog_local0)s 976 | banaction = %(banaction_allports)s 977 | 978 | [monitorix] 979 | port = 8080 980 | logpath = /var/log/monitorix-httpd 981 | 982 | [rportd-client-connect] 983 | port = 8080 984 | filter = rportd-client-connect 985 | logpath = /var/lib/rport/rport.log 986 | maxretry = 2 987 | findtime = 20 988 | bantime = 3600 989 | -------------------------------------------------------------------------------- /rportd-client-connect.conf: -------------------------------------------------------------------------------- 1 | [Definition] 2 | # Identify scanners 3 | failregex = 404 [0-9]+\w+ \(\) 4 | # Identify password guesser 5 | -------------------------------------------------------------------------------- /supervisord.conf: -------------------------------------------------------------------------------- 1 | [supervisord] 2 | logfile=/var/lib/rport/supervisord.log ; supervisord log file 3 | logfile_maxbytes=50MB ; maximum size of logfile before rotation 4 | logfile_backups=10 ; number of backed up logfiles 5 | loglevel=debug ; info, debug, warn, trace 6 | pidfile=/var/lib/rport/supervisord.pid ; pidfile location 7 | nodaemon=true ; run supervisord as a daemon 8 | minfds=1024 ; number of startup file descriptors 9 | minprocs=200 ; number of process descriptors 10 | childlogdir=/var/lib/rport/ ; where child log files will live 11 | 12 | [program:rport] 13 | command=/usr/local/bin/rportd --data-dir /var/lib/rport -c /etc/rport/rportd.conf 14 | autostart=true 15 | autorestart=true 16 | startsecs=10 17 | 18 | ## same setting for 2nd service 19 | [program:guacamole-daemon] 20 | command=/opt/guacamole/sbin/guacd -f -b 0.0.0.0 -l 4822 21 | autostart=true 22 | autorestart=true 23 | startsecs=10 24 | stderr_logfile=/dev/stdout 25 | stderr_logfile_maxbytes = 0 26 | stdout_logfile=/dev/stdout 27 | stdout_logfile_maxbytes = 0 28 | --------------------------------------------------------------------------------