├── jail.d ├── vaultwarden.conf ├── openvpn.conf ├── routeros-auth.conf ├── suhosin.conf ├── bitwarden.conf ├── selinux-ssh.conf ├── apache-auth.conf ├── grafana.conf ├── nginx-botsearch.conf ├── apache-noscript.conf ├── gitlab.conf ├── nginx-bad-request.conf ├── dropbear.conf ├── nginx-deny.conf ├── apache-nohome.conf ├── nzbget-auth.conf ├── emby-auth.conf ├── nginx-forbidden.conf ├── sabnzbd-auth.conf ├── airsonic-auth.conf ├── apache-botsearch.conf ├── apache-overflows.conf ├── apache-shellshock.conf ├── nginx-418.conf ├── phpmyadmin-syslog.conf ├── apache-modsecurity.conf ├── guacamole.conf ├── nginx-unauthorized.conf ├── openhab-auth.conf ├── authelia-auth.conf ├── znc-adminlog.conf ├── radarr-auth.conf ├── sonarr-auth.conf ├── apache-fakegooglebot.conf ├── prowlarr-auth.conf ├── unifi-controller-auth.conf ├── lighttpd-auth.conf ├── nginx-badbots.conf ├── zoneminder.conf ├── unraid-webgui.conf ├── mssql-auth.conf ├── mongodb-auth.conf ├── unraid-sshd.conf ├── traefik-auth.conf ├── apache-badbots.conf ├── filebrowser-auth.conf ├── php-url-fopen.conf ├── mysqld-auth.conf ├── haproxy-http-auth.conf ├── sshd.conf ├── overseerr-auth.conf ├── homeassistant-auth.conf ├── nginx-http-auth.conf ├── vaultwarden-auth.conf ├── nginx-limit-req.conf ├── nextcloud-auth.conf ├── gitea-auth.conf └── recidive.conf ├── filter.d ├── nginx-unauthorized.conf ├── emby-auth.conf ├── filebrowser-auth.conf ├── unraid-webgui.conf ├── overseerr-auth.conf ├── unifi-controller-auth.conf ├── gitlab.conf ├── servarr-auth.conf ├── squirrelmail.conf ├── vaultwarden-auth.conf ├── gitea-auth.conf ├── routeros-auth.conf ├── nzbget-auth.conf ├── airsonic-auth.conf ├── groupoffice.conf ├── portsentry.conf ├── counter-strike.conf ├── squid.conf ├── centreon.conf ├── homeassistant-auth.conf ├── phpmyadmin-syslog.conf ├── gssftpd.conf ├── nginx-418.conf ├── stunnel.conf ├── grafana.conf ├── scanlogd.conf ├── nginx-deny.conf ├── directadmin.conf ├── sieve.conf ├── apache-pass.conf ├── uwimap-auth.conf 
├── vaultwarden.conf ├── horde.conf ├── nagios.conf ├── proxmox.conf ├── nextcloud-auth.conf ├── bitwarden.conf ├── apache-fakegooglebot.conf ├── softethervpn.conf ├── mssql-auth.conf ├── openhab.conf ├── lighttpd-auth.conf ├── cyrus-imap.conf ├── dante.conf ├── openvpn.conf ├── webmin-auth.conf ├── nginx-bad-request.conf ├── 3proxy.conf ├── courier-auth.conf ├── openwebmail.conf ├── apache-modsecurity.conf ├── botsearch-common.conf ├── courier-smtp.conf ├── wuftpd.conf ├── perdition.conf ├── selinux-common.conf ├── xinetd-fail.conf ├── drupal-auth.conf ├── apache-nohome.conf ├── monitorix.conf ├── slapd.conf ├── suhosin.conf ├── selinux-ssh.conf ├── sogo-auth.conf ├── nginx-botsearch.conf ├── vsftpd.conf ├── monit.conf ├── sendmail-auth.conf ├── nsd.conf ├── nginx-error-common.conf ├── qmail.conf ├── screensharingd.conf ├── tine20.conf ├── php-url-fopen.conf ├── authelia-auth.conf ├── kerio.conf ├── nginx-forbidden.conf ├── znc-adminlog.conf ├── murmur.conf ├── pam-generic.conf ├── apache-shellshock.conf ├── sabnzbd-auth.conf ├── solid-pop3d.conf ├── zoneminder.conf ├── proftpd.conf ├── mysqld-auth.conf ├── haproxy-http-auth.conf ├── froxlor-auth.conf ├── nginx-http-auth.conf ├── apache-botsearch.conf ├── apache-noscript.conf ├── guacamole.conf ├── roundcube-auth.conf ├── exim-common.conf ├── ejabberd-auth.conf ├── apache-common.conf ├── named-refused.conf ├── nginx-limit-req.conf ├── recidive.conf ├── freeswitch.conf ├── oracleims.conf ├── dropbear.conf ├── domino-smtp.conf ├── exim-spam.conf ├── apache-overflows.conf ├── exim.conf ├── pure-ftpd.conf ├── mongodb-auth.conf ├── asterisk.conf └── traefik-auth.conf ├── action.d ├── iptables-multiport.conf ├── iptables-allports.conf ├── iptables-new.conf ├── nftables-allports.conf ├── nftables-multiport.conf ├── osx-afctl.conf ├── helpers-common.conf ├── apf.conf ├── iptables-ipset-proto6.conf ├── iptables-ipset-proto6-allports.conf ├── sendmail.conf ├── sendmail-whois.conf ├── route.conf ├── 
firewallcmd-rich-logging.conf ├── mail-whois-common.conf ├── sendmail-whois-matches.conf ├── sendmail-whois-ipmatches.conf ├── sendmail-whois-ipjailmatches.conf ├── firewallcmd-multiport.conf ├── sendmail-whois-lines.conf ├── apprise.conf ├── netscaler.conf ├── firewallcmd-allports.conf ├── symbiosis-blacklist-allports.conf ├── npf.conf ├── ipfw.conf ├── ipfilter.conf ├── gotify.conf ├── discord-webhook.conf ├── hostsdeny.conf ├── firewallcmd-rich-rules.conf ├── dummy.conf ├── sendmail-geoip-lines.conf ├── mail.conf ├── apprise-api.conf ├── firewallcmd-new.conf ├── mail-whois.conf ├── sendmail-common.conf ├── pushover.conf ├── iptables-multiport-log.conf ├── shorewall.conf ├── iptables-ipset-proto4.conf ├── osx-ipfw.conf ├── ufw.conf ├── mail-whois-lines.conf └── mail-buffered.conf ├── .editorconfig ├── .gitattributes ├── .gitignore ├── .github ├── PULL_REQUEST_TEMPLATE.md ├── ISSUE_TEMPLATE.md └── workflows │ └── check_confs.yml └── paths-lsio.conf /jail.d/vaultwarden.conf: -------------------------------------------------------------------------------- 1 | ## Version 2025/04/01 2 | 3 | [vaultwarden] 4 | 5 | enabled = false 6 | port = http,https 7 | logpath = %(remote_logs_path)s/vaultwarden.log 8 | -------------------------------------------------------------------------------- /jail.d/openvpn.conf: -------------------------------------------------------------------------------- 1 | ## Version 2025/01/29 2 | # Fail2Ban jail configuration for openvpn 3 | 4 | [openvpn] 5 | 6 | enabled = false 7 | port = 443 8 | logpath = %(logs_path)s/syslog 9 | -------------------------------------------------------------------------------- /jail.d/routeros-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2023/02/28 2 | 3 | [routeros-auth] 4 | 5 | enabled = false 6 | port = ssh,http,https 7 | logpath = %(remote_logs_path)s/MikroTik/router.log 8 | 
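--------------------------------------------------------------------------------
/jail.d/suhosin.conf:
--------------------------------------------------------------------------------
## Version 2022/08/06
# Fail2Ban jail configuration for suhosin

[suhosin]

enabled = false
port = http,https
logpath = %(suhosin_log)s
--------------------------------------------------------------------------------
/jail.d/bitwarden.conf:
--------------------------------------------------------------------------------
## Version 2022/08/06
# Fail2Ban jail configuration for bitwarden

[bitwarden]

enabled = false
port = http,https
logpath = %(bitwarden_log)s
--------------------------------------------------------------------------------
/jail.d/selinux-ssh.conf:
--------------------------------------------------------------------------------
## Version 2022/08/06
# Fail2Ban jail configuration for selinux-ssh

[selinux-ssh]

# The option fail2ban reads is 'enabled' (the spelling every other jail in
# this repo uses); a misspelled 'enable' key does not toggle the jail, so
# flipping it to true would leave the jail off without any warning.
enabled = false
port = ssh
logpath = %(auditd_log)s
--------------------------------------------------------------------------------
/jail.d/apache-auth.conf:
--------------------------------------------------------------------------------
## Version 2022/08/06
# Fail2Ban jail configuration for apache-auth

[apache-auth]

enabled = false
port = http,https
logpath = %(apache_error_log)s
--------------------------------------------------------------------------------
/jail.d/grafana.conf:
--------------------------------------------------------------------------------
## Version 2022/08/06
# Fail2Ban jail configuration for grafana

[grafana]

enabled = false
port = http,https
logpath = %(logs_path)s/grafana/grafana.log
--------------------------------------------------------------------------------
/jail.d/nginx-botsearch.conf: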
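--------------------------------------------------------------------------------
## Version 2022/08/06
# Fail2Ban jail configuration for nginx-botsearch

[nginx-botsearch]

enabled = false
port = http,https
logpath = %(nginx_error_log)s
--------------------------------------------------------------------------------
/jail.d/apache-noscript.conf:
--------------------------------------------------------------------------------
## Version 2022/08/06
# Fail2Ban jail configuration for apache-noscript

[apache-noscript]

enabled = false
port = http,https
logpath = %(apache_error_log)s
--------------------------------------------------------------------------------
/jail.d/gitlab.conf:
--------------------------------------------------------------------------------
## Version 2022/08/06
# Fail2Ban jail configuration for gitlab

[gitlab]

enabled = false
port = http,https
logpath = %(logs_path)s/gitlab/gitlab-rails/application.log
--------------------------------------------------------------------------------
/jail.d/nginx-bad-request.conf:
--------------------------------------------------------------------------------
## Version 2022/08/06
# Fail2Ban jail configuration for nginx-bad-request

[nginx-bad-request]

enabled = false
port = http,https
logpath = %(nginx_access_log)s
--------------------------------------------------------------------------------
/jail.d/dropbear.conf:
--------------------------------------------------------------------------------
## Version 2022/08/06
# Fail2Ban jail configuration for dropbear

[dropbear]

# The option fail2ban reads is 'enabled' (the spelling every other jail in
# this repo uses); a misspelled 'enable' key does not toggle the jail, so
# flipping it to true would leave the jail off without any warning.
enabled = false
port = ssh
logpath = %(dropbear_log)s
backend = %(dropbear_backend)s
--------------------------------------------------------------------------------
/jail.d/nginx-deny.conf: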
-------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for nginx deny 3 | # Works OOTB with defaults 4 | 5 | [nginx-deny] 6 | 7 | enabled = false 8 | port = http,https 9 | logpath = %(nginx_error_log)s 10 | -------------------------------------------------------------------------------- /filter.d/nginx-unauthorized.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter configuration for nginx unauthorized 3 | 4 | [INCLUDES] 5 | before = common.conf 6 | 7 | [Definition] 8 | 9 | failregex = ^.*"(GET|POST|HEAD).*" (401) .*$ 10 | -------------------------------------------------------------------------------- /jail.d/apache-nohome.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for apache-nohome 3 | 4 | [apache-nohome] 5 | 6 | enabled = false 7 | port = http,https 8 | logpath = %(apache_error_log)s 9 | maxretry = 2 10 | -------------------------------------------------------------------------------- /jail.d/nzbget-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for nzbget 3 | # Works OOTB with defaults 4 | 5 | [nzbget-auth] 6 | 7 | enabled = false 8 | port = 6789 9 | logpath = %(remote_logs_path)s/nzbget/nzbget.log 10 | -------------------------------------------------------------------------------- /jail.d/emby-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for emby 3 | # Works OOTB with defaults 4 | 5 | [emby-auth] 6 | 7 | enabled = false 8 | port = 8096,8920 9 | logpath = %(remote_logs_path)s/emby/embyserver.txt 10 | -------------------------------------------------------------------------------- 
/jail.d/nginx-forbidden.conf: -------------------------------------------------------------------------------- 1 | ## Version 2023/03/23 2 | # Fail2Ban jail configuration for nginx forbidden 3 | # Works OOTB with defaults 4 | 5 | [nginx-forbidden] 6 | 7 | enabled = false 8 | port = http,https 9 | logpath = %(nginx_error_log)s 10 | -------------------------------------------------------------------------------- /jail.d/sabnzbd-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for sabnzbd 3 | # Works OOTB with defaults 4 | 5 | [sabnzbd-auth] 6 | 7 | enabled = false 8 | port = 8080 9 | logpath = %(remote_logs_path)s/sabnzbd/sabnzbd.log 10 | -------------------------------------------------------------------------------- /filter.d/emby-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2023/03/11 2 | # Fail2Ban filter for emby 3 | 4 | [INCLUDES] 5 | before = common.conf 6 | 7 | [Definition] 8 | 9 | _daemon = emby-server 10 | 11 | failregex = Server: AUTH-ERROR:\ \ - 12 | 13 | ignoreregex = 14 | -------------------------------------------------------------------------------- /filter.d/filebrowser-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter configuration for filebrowser 3 | 4 | [INCLUDES] 5 | before = common.conf 6 | 7 | [Definition] 8 | 9 | failregex = ^.*/api/login: 403 \.*$ 10 | 11 | ignoreregex = 12 | -------------------------------------------------------------------------------- /jail.d/airsonic-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for airsonic 3 | # Works OOTB with defaults 4 | 5 | [airsonic-auth] 6 | 7 | enabled = false 8 | port = 4040 9 | logpath = %(remote_logs_path)s/airsonic/airsonic.log 10 | 
-------------------------------------------------------------------------------- /jail.d/apache-botsearch.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for apache-botsearch 3 | 4 | [apache-botsearch] 5 | 6 | enabled = false 7 | port = http,https 8 | logpath = %(apache_error_log)s 9 | maxretry = 2 10 | -------------------------------------------------------------------------------- /jail.d/apache-overflows.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for apache-overflows 3 | 4 | [apache-overflows] 5 | 6 | enabled = false 7 | port = http,https 8 | logpath = %(apache_error_log)s 9 | maxretry = 2 10 | -------------------------------------------------------------------------------- /jail.d/apache-shellshock.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for apache-shellshock 3 | 4 | [apache-shellshock] 5 | 6 | enabled = false 7 | port = http,https 8 | logpath = %(apache_error_log)s 9 | maxretry = 1 10 | -------------------------------------------------------------------------------- /jail.d/nginx-418.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for nginx 418 3 | # Works OOTB with defaults 4 | 5 | [nginx-418] 6 | 7 | enabled = false 8 | port = http,https 9 | logpath = %(nginx_access_log)s 10 | maxretry = 10 11 | -------------------------------------------------------------------------------- /jail.d/phpmyadmin-syslog.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for phpmyadmin-syslog 3 | 4 | [phpmyadmin-syslog] 5 | 6 | enabled = false 7 | port = http,https 8 | logpath = 
%(syslog_authpriv)s 9 | backend = %(syslog_backend)s 10 | -------------------------------------------------------------------------------- /jail.d/apache-modsecurity.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for apache-modsecurity 3 | 4 | [apache-modsecurity] 5 | 6 | enabled = false 7 | port = http,https 8 | logpath = %(apache_error_log)s 9 | maxretry = 2 10 | -------------------------------------------------------------------------------- /jail.d/guacamole.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for guacamole 3 | 4 | [guacamole] 5 | 6 | enabled = false 7 | port = http,https 8 | logpath = %(logs_path)s/tomcat*/catalina.out 9 | # logpath = %(logs_path)s/guacamole.log 10 | -------------------------------------------------------------------------------- /jail.d/nginx-unauthorized.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for nginx unauthorized 3 | # Works OOTB with defaults 4 | 5 | [nginx-unauthorized] 6 | 7 | enabled = false 8 | port = http,https 9 | logpath = %(nginx_access_log)s 10 | -------------------------------------------------------------------------------- /jail.d/openhab-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for openhab-auth 3 | 4 | [openhab-auth] 5 | 6 | enabled = false 7 | logpath = %(openhab_request_log)s 8 | filter = openhab 9 | banaction = %(banaction_allports)s 10 | -------------------------------------------------------------------------------- /filter.d/unraid-webgui.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter configuration for unRAID 
web GUI 3 | 4 | [INCLUDES] 5 | before = common.conf 6 | 7 | [Definition] 8 | 9 | failregex = ^.*webGUI: Unsuccessful login user .* from $ 10 | 11 | ignoreregex = 12 | -------------------------------------------------------------------------------- /jail.d/authelia-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for authelia 3 | # Works OOTB with defaults 4 | 5 | [authelia-auth] 6 | 7 | enabled = false 8 | port = http,https,9091 9 | logpath = %(remote_logs_path)s/authelia/authelia.log 10 | -------------------------------------------------------------------------------- /jail.d/znc-adminlog.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for znc-adminlog 3 | 4 | # enable adminlog; it will log to a file inside znc's directory by default. 5 | 6 | [znc-adminlog] 7 | 8 | enabled = false 9 | port = 6667 10 | logpath = %(znc_log)s 11 | -------------------------------------------------------------------------------- /filter.d/overseerr-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2023/07/19 2 | # Fail2Ban filter configuration for overseerr 3 | 4 | [INCLUDES] 5 | before = common.conf 6 | 7 | [Definition] 8 | 9 | failregex = .*\[warn\]\[API\]\: Failed sign-in attempt.*"ip":"" 10 | 11 | ignoreregex = 12 | -------------------------------------------------------------------------------- /filter.d/unifi-controller-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter configuration for unifi controller 3 | 4 | [INCLUDES] 5 | before = common.conf 6 | 7 | [Definition] 8 | 9 | failregex = ^(.*)Failed admin login for (.*) from $ 10 | 11 | ignoreregex = 12 | -------------------------------------------------------------------------------- 
/jail.d/radarr-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for radarr 3 | # Works OOTB with defaults 4 | 5 | [radarr-auth] 6 | 7 | enabled = false 8 | port = 7878 9 | logpath = %(remote_logs_path)s/radarr/radarr.txt 10 | filter = servarr-auth 11 | -------------------------------------------------------------------------------- /jail.d/sonarr-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for sonarr 3 | # Works OOTB with defaults 4 | 5 | [sonarr-auth] 6 | 7 | enabled = false 8 | port = 8989 9 | logpath = %(remote_logs_path)s/sonarr/sonarr.txt 10 | filter = servarr-auth 11 | -------------------------------------------------------------------------------- /jail.d/apache-fakegooglebot.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for apache-fakegooglebot 3 | 4 | [apache-fakegooglebot] 5 | 6 | enabled = false 7 | port = http,https 8 | logpath = %(apache_access_log)s 9 | maxretry = 1 10 | -------------------------------------------------------------------------------- /jail.d/prowlarr-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for prowlarr 3 | # Works OOTB with defaults 4 | 5 | [prowlarr-auth] 6 | 7 | enabled = false 8 | port = 9696 9 | logpath = %(remote_logs_path)s/prowlarr/prowlarr.txt 10 | filter = servarr-auth 11 | -------------------------------------------------------------------------------- /jail.d/unifi-controller-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for unifi controller 3 | # Works OOTB with defaults 4 | 5 | [unifi-controller-auth] 
6 | 7 | enabled = false 8 | port = 8080,8443 9 | logpath = %(remote_logs_path)s/unificontroller/server.log 10 | -------------------------------------------------------------------------------- /filter.d/gitlab.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for Gitlab 3 | # Detecting unauthorized access to the Gitlab Web portal 4 | # typically logged in /var/log/gitlab/gitlab-rails/application.log 5 | 6 | [Definition] 7 | failregex = ^: Failed Login: username=.+ ip=$ 8 | -------------------------------------------------------------------------------- /filter.d/servarr-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter configuration for servarr (sonarr/radarr & derivatives) 3 | 4 | [INCLUDES] 5 | before = common.conf 6 | 7 | [Definition] 8 | 9 | failregex = ^.*\|Warn\|Auth\|Auth-Failure ip username .*$ 10 | 11 | ignoreregex = 12 | -------------------------------------------------------------------------------- /filter.d/squirrelmail.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | 3 | [Definition] 4 | 5 | failregex = ^ \[LOGIN_ERROR\].*from : Unknown user or password incorrect\.$ 6 | 7 | ignoreregex = 8 | 9 | datepattern = ^%%m/%%d/%%Y %%H:%%M:%%S 10 | 11 | # DEV NOTES: 12 | # 13 | # Author: Daniel Black 14 | -------------------------------------------------------------------------------- /jail.d/lighttpd-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for lighttpd-auth 3 | 4 | # Same as Apache's mod_auth 5 | # It catches wrong authentications 6 | 7 | [lighttpd-auth] 8 | 9 | enabled = false 10 | port = http,https 11 | logpath = %(lighttpd_error_log)s 12 | 
-------------------------------------------------------------------------------- /jail.d/nginx-badbots.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for nginx badbots 3 | # Works OOTB with defaults 4 | 5 | [nginx-badbots] 6 | 7 | enabled = false 8 | port = http,https 9 | logpath = %(nginx_access_log)s 10 | filter = apache-badbots 11 | maxretry = 2 12 | -------------------------------------------------------------------------------- /filter.d/vaultwarden-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter configuration for vaultwarden 3 | 4 | [INCLUDES] 5 | before = common.conf 6 | 7 | [Definition] 8 | 9 | failregex = ^.*(Username or password is incorrect\. Try again|Invalid admin token)\. IP: .*$ 10 | 11 | ignoreregex = 12 | -------------------------------------------------------------------------------- /jail.d/zoneminder.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for zoneminder 3 | 4 | # Zoneminder HTTP/HTTPS web interface auth 5 | # Logs auth failures to apache2 error log 6 | 7 | [zoneminder] 8 | 9 | enabled = false 10 | port = http,https 11 | logpath = %(apache_error_log)s 12 | -------------------------------------------------------------------------------- /filter.d/gitea-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter configuration for gitea 3 | 4 | [INCLUDES] 5 | before = common.conf 6 | 7 | [Definition] 8 | 9 | failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from .*$ 10 | 11 | ignoreregex = 12 | -------------------------------------------------------------------------------- /jail.d/unraid-webgui.conf: 
-------------------------------------------------------------------------------- 1 | ## Version 2022/08/07 2 | # Fail2Ban jail configuration for unRAID web GUI 3 | # Works OOTB with defaults 4 | 5 | # chain set to INPUT to apply bans at the host level 6 | 7 | [unraid-webgui] 8 | 9 | enabled = false 10 | port = http,https 11 | logpath = %(var_log_path)s/syslog 12 | -------------------------------------------------------------------------------- /filter.d/routeros-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2023/03/02 2 | # Fail2Ban filter for failure attempts in MikroTik RouterOS 3 | # 4 | # 5 | 6 | [Definition] 7 | 8 | failregex = ^\s*\S+ system,error,critical login failure for user .*? from via \S+$ 9 | 10 | # Author: Vit Kabele 11 | 12 | -------------------------------------------------------------------------------- /jail.d/mssql-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2020/02/24 2 | # Default configuration for Microsoft SQL Server for Linux 3 | # See the 'mssql-conf' manpage how to change logpath or port 4 | 5 | [mssql-auth] 6 | 7 | enabled = false 8 | logpath = %(remote_logs_path)s/mssql/log/errorlog 9 | port = 1433 10 | filter = mssql-auth 11 | -------------------------------------------------------------------------------- /filter.d/nzbget-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter configuration for nzbget 3 | 4 | [INCLUDES] 5 | before = common.conf 6 | 7 | [Definition] 8 | 9 | failregex = ^.*WARNING Request received on port .* from .* \(forwarded for: .*\), but username .* or password invalid$ 10 | 11 | ignoreregex = 12 | -------------------------------------------------------------------------------- /filter.d/airsonic-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 
2022/08/06 2 | # Fail2Ban filter configuration for airsonic 3 | 4 | [INCLUDES] 5 | before = common.conf 6 | 7 | [Definition] 8 | 9 | failregex = ^.*: Login failed from \[\]$ 10 | 11 | ignoreregex = 12 | 13 | datepattern = {^LN-BEG} 14 | 15 | # DEV NOTES: 16 | # 17 | # Author: anoma 18 | -------------------------------------------------------------------------------- /jail.d/mongodb-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2016/11/10 2 | # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf') 3 | # change port when running with "--shardsvr" or "--configsvr" runtime operation 4 | 5 | [mongodb-auth] 6 | 7 | enabled = false 8 | port = 27017 9 | logpath = %(remote_logs_path)s/mongodb/mongodb.log 10 | -------------------------------------------------------------------------------- /jail.d/unraid-sshd.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/07 2 | # Fail2Ban jail configuration for unRAID sshd 3 | # Works OOTB with defaults 4 | 5 | # chain set to INPUT to apply bans at the host level 6 | 7 | [unraid-sshd] 8 | 9 | enabled = false 10 | port = ssh 11 | logpath = %(var_log_path)s/syslog 12 | filter = sshd[mode=aggressive] 13 | -------------------------------------------------------------------------------- /action.d/iptables-multiport.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # Modified by Yaroslav Halchenko for multiport banning 6 | # 7 | # Obsolete: superseded by iptables[type=multiport] 8 | 9 | [INCLUDES] 10 | 11 | before = iptables.conf 12 | 13 | [Definition] 14 | 15 | type = multiport 16 | -------------------------------------------------------------------------------- /filter.d/groupoffice.conf: -------------------------------------------------------------------------------- 
1 | ## Version 2022/08/06 2 | # Fail2Ban filter for Group-Office 3 | # 4 | # Enable logging with: 5 | # $config['info_log']='/home/groupoffice/log/info.log'; 6 | # 7 | 8 | [Definition] 9 | 10 | failregex = ^\[\]LOGIN FAILED for user: "\S+" from IP: $ 11 | 12 | ignoreregex = 13 | 14 | # Author: Daniel Black 15 | 16 | -------------------------------------------------------------------------------- /filter.d/portsentry.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for ports blocked by portsentry 3 | # 4 | # 5 | 6 | [Definition] 7 | 8 | failregex = \/ Port\: [0-9]+ (TCP|UDP) Blocked$ 9 | 10 | ignoreregex = 11 | 12 | datepattern = {^LN-BEG}Epoch 13 | {^LN-BEG} 14 | 15 | # Author: Pacop 16 | 17 | -------------------------------------------------------------------------------- /filter.d/counter-strike.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for failure attempts in Counter Strike-1.6 3 | # 4 | # 5 | 6 | [Definition] 7 | 8 | failregex = ^: Bad Rcon: "rcon \d+ "\S+" sv_contact ".*?"" from ":\d+"$ 9 | 10 | ignoreregex = 11 | 12 | datepattern = ^L %%d/%%m/%%Y - %%H:%%M:%%S 13 | 14 | 15 | # Author: Daniel Black 16 | 17 | -------------------------------------------------------------------------------- /filter.d/squid.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for Squid attempted proxy bypasses 3 | # 4 | # 5 | 6 | [Definition] 7 | 8 | failregex = ^\s+\d\s\s+[A-Z_]+_DENIED/403 .*$ 9 | ^\s+\d\s\s+NONE/405 .*$ 10 | 11 | ignoreregex = 12 | 13 | datepattern = {^LN-BEG}Epoch 14 | {^LN-BEG} 15 | 16 | # Author: Daniel Black 17 | 18 | -------------------------------------------------------------------------------- /jail.d/traefik-auth.conf: 
-------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for traefik-auth 3 | 4 | # to use 'traefik-auth' filter you have to configure your Traefik instance, 5 | # see `filter.d/traefik-auth.conf` for details and service example. 6 | 7 | [traefik-auth] 8 | 9 | enabled = false 10 | port = http,https 11 | logpath = %(logs_path)s/traefik/access.log 12 | -------------------------------------------------------------------------------- /filter.d/centreon.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for Centreon Web 3 | # Detecting unauthorized access to the Centreon Web portal 4 | # typically logged in /var/log/centreon/login.log 5 | 6 | [Init] 7 | datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S 8 | 9 | [Definition] 10 | failregex = ^(?:\|-?\d+){3}\|\[[^\]]*\] \[\] Authentication failed for '[^']+' 11 | -------------------------------------------------------------------------------- /.editorconfig: -------------------------------------------------------------------------------- 1 | # top-most EditorConfig file 2 | root = true 3 | 4 | # Unix-style newlines with a newline ending every file 5 | [*] 6 | end_of_line = lf 7 | insert_final_newline = true 8 | # trim_trailing_whitespace may cause unintended issues and should not be globally set true 9 | trim_trailing_whitespace = false 10 | 11 | [{*.conf,*.local}] 12 | indent_style = space 13 | indent_size = 4 14 | -------------------------------------------------------------------------------- /filter.d/homeassistant-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter configuration for homeassistant 3 | 4 | [INCLUDES] 5 | before = common.conf 6 | 7 | [Definition] 8 | 9 | failregex = ^%(__prefix_line)s.*\[homeassistant.components.http.ban\] Login attempt or request with invalid 
authentication from .*$ 10 | 11 | ignoreregex = 12 | 13 | [Init] 14 | datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S 15 | -------------------------------------------------------------------------------- /jail.d/apache-badbots.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for apache-badbots 3 | 4 | # Ban hosts which agent identifies spammer robots crawling the web 5 | # for email addresses. The mail outputs are buffered. 6 | 7 | [apache-badbots] 8 | 9 | enabled = false 10 | port = http,https 11 | logpath = %(apache_access_log)s 12 | bantime = 48h 13 | maxretry = 1 14 | -------------------------------------------------------------------------------- /action.d/iptables-allports.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # Modified: Yaroslav O. Halchenko 6 | # made active on all ports from original iptables.conf 7 | # 8 | # Obsolete: superseded by iptables[type=allports] 9 | 10 | [INCLUDES] 11 | 12 | before = iptables.conf 13 | 14 | [Definition] 15 | 16 | type = allports 17 | -------------------------------------------------------------------------------- /filter.d/phpmyadmin-syslog.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for the phpMyAdmin-syslog 3 | # 4 | 5 | [INCLUDES] 6 | 7 | before = common.conf 8 | 9 | [Definition] 10 | 11 | _daemon = phpMyAdmin 12 | 13 | failregex = ^%(__prefix_line)suser denied: (?:\S+|.*?) \(mysql-denied\) from \s*$ 14 | 15 | ignoreregex = 16 | 17 | 18 | # Author: Pavel Mihadyuk 19 | # Regex fixes: Serg G. 
Brester 20 | -------------------------------------------------------------------------------- /jail.d/filebrowser-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for filebrowser 3 | # Requires modification to Filebrowsers settings 4 | # https://filebrowser.org/cli/filebrowser#options 5 | 6 | # Enabling logs 7 | 8 | # -e 'FB_LOG'='/log/filebrowser.log' 9 | 10 | [filebrowser-auth] 11 | 12 | enabled = false 13 | port = http,https 14 | logpath = %(remote_logs_path)s/filebrowser/filebrowser.log 15 | -------------------------------------------------------------------------------- /jail.d/php-url-fopen.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/12/15 2 | # Fail2Ban jail configuration for php-url-fopen 3 | 4 | # Ban attackers that try to use PHP's URL-fopen() functionality 5 | # through GET/POST variables. - Experimental, with more than a year 6 | # of usage in production environments. 7 | 8 | [php-url-fopen] 9 | 10 | enabled = false 11 | port = http,https 12 | logpath = %(nginx_access_log)s 13 | %(apache_access_log)s 14 | -------------------------------------------------------------------------------- /action.d/iptables-new.conf: -------------------------------------------------------------------------------- 1 | ## Version 2020/02/14 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # Copied from iptables.conf and modified by Yaroslav Halchenko 6 | # to fulfill the needs of bugreporter dbts#350746. 
7 | # 8 | # Obsolete: superseded by iptables[pre-rule='-m state --state NEW'] 9 | 10 | [INCLUDES] 11 | 12 | before = iptables.conf 13 | 14 | [Definition] 15 | 16 | pre-rule = -m state --state NEW 17 | -------------------------------------------------------------------------------- /filter.d/gssftpd.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter file for gssftp 3 | # 4 | # Note: gssftp is part of the krb5-appl-servers in Fedora 5 | # 6 | [INCLUDES] 7 | 8 | before = common.conf 9 | 10 | [Definition] 11 | 12 | _daemon = ftpd 13 | 14 | failregex = ^%(__prefix_line)srepeated login failures from \(\S+\)$ 15 | 16 | ignoreregex = 17 | 18 | # Author: Kevin Zembower 19 | # Edited: Daniel Black - syslog based daemon 20 | -------------------------------------------------------------------------------- /filter.d/nginx-418.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter configuration for nginx 418 3 | # Track RFC2324 4 | # 418 I'm a teapot 5 | # Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". The resulting entity body MAY be short and stout. 6 | 7 | [INCLUDES] 8 | 9 | before = common.conf 10 | 11 | [Definition] 12 | 13 | failregex = ^.*"(GET|POST|HEAD).*" (418) .*$ 14 | 15 | ignoreregex = 16 | -------------------------------------------------------------------------------- /jail.d/mysqld-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2025/01/30 2 | # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or 3 | # equivalent section: 4 | # log_error_verbosity = 3 5 | # for older versions: 6 | # log-warnings = 2 7 | # Also check whether `log_error` (or `log-error`) system variable match the `logpath`. 
8 | 9 | [mysqld-auth] 10 | 11 | enabled = false 12 | port = 3306 13 | logpath = %(mysql_log)s 14 | backend = %(mysql_backend)s 15 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | 7 | # Standard to msysgit 8 | *.doc diff=astextplain 9 | *.DOC diff=astextplain 10 | *.docx diff=astextplain 11 | *.DOCX diff=astextplain 12 | *.dot diff=astextplain 13 | *.DOT diff=astextplain 14 | *.pdf diff=astextplain 15 | *.PDF diff=astextplain 16 | *.rtf diff=astextplain 17 | *.RTF diff=astextplain 18 | -------------------------------------------------------------------------------- /filter.d/stunnel.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2ban filter for stunnel 3 | 4 | [Definition] 5 | 6 | failregex = ^ LOG\d\[\d+:\d+\]:\ SSL_accept from <HOST>:\d+ : (?P<CODE>[\dA-F]+): error:(?P=CODE):SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate$ 7 | 8 | ignoreregex = 9 | 10 | # DEV NOTES: 11 | # 12 | # Author: Daniel Black 13 | # 14 | # Based off: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#stunnel4 15 | -------------------------------------------------------------------------------- /jail.d/haproxy-http-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for haproxy-http-auth 3 | 4 | # HAProxy by default doesn't log to a file; you'll need to set it up to forward 5 | # logs to a syslog server which would then write them to disk. 
6 | # See the "haproxy-http-auth" filter for a brief cautionary note when setting this up. 7 | 8 | [haproxy-http-auth] 9 | 10 | enabled = false 11 | port = http,https 12 | logpath = %(logs_path)s/haproxy.log 13 | -------------------------------------------------------------------------------- /jail.d/sshd.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for sshd 3 | 4 | [sshd] 5 | 6 | # To use more aggressive sshd modes set filter parameter "mode" in jail.local: 7 | # normal (default), ddos, extra or aggressive (combines all). 8 | # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. 9 | #mode = normal 10 | enabled = false 11 | port = ssh 12 | logpath = %(sshd_log)s 13 | backend = %(sshd_backend)s 14 | -------------------------------------------------------------------------------- /filter.d/grafana.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for Grafana 3 | # Detecting unauthorized access 4 | # Typically logged in /var/log/grafana/grafana.log 5 | 6 | [Init] 7 | datepattern = ^t=%%Y-%%m-%%dT%%H:%%M:%%S%%z 8 | 9 | [Definition] 10 | failregex = ^(?: lvl=err?or)? msg="Invalid username or password"(?: uname=(?:"[^"]+"|\S+)| error="[^"]+"| \S+=(?:\S*|"[^"]+"))* remote_addr=<HOST>$ 11 | -------------------------------------------------------------------------------- /jail.d/overseerr-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for overseerr 3 | # Requires modification to Overseerr's settings 4 | # https://docs.overseerr.dev/extending-overseerr/fail2ban 5 | 6 | # If you are running Overseerr behind a reverse proxy, make sure that the Enable Proxy Support setting is enabled. 
7 | 8 | [overseerr-auth] 9 | 10 | enabled = false 11 | port = 5055 12 | logpath = %(remote_logs_path)s/overseerr/overseerr.log 13 | -------------------------------------------------------------------------------- /filter.d/scanlogd.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for port scans detected by scanlogd 3 | 4 | [INCLUDES] 5 | 6 | # Read common prefixes. If any customizations available -- read them from 7 | # common.local 8 | before = common.conf 9 | 10 | [Definition] 11 | 12 | _daemon = scanlogd 13 | 14 | failregex = ^%(__prefix_line)s(?::)? to \S+ ports\b 15 | 16 | ignoreregex = 17 | 18 | # Author: Mike Gabriel 19 | -------------------------------------------------------------------------------- /filter.d/nginx-deny.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter configuration for nginx deny 3 | 4 | [INCLUDES] 5 | before = common.conf 6 | 7 | [Definition] 8 | 9 | 10 | failregex = ^ \[error\] \d+#\d+: \*\d+ (access forbidden by rule), client: , server: \S*, request: "\S+ \S+ HTTP\/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$ 11 | 12 | ignoreregex = 13 | 14 | datepattern = {^LN-BEG} 15 | 16 | # DEV NOTES: 17 | # 18 | # Author: Will L (driz@linuxserver.io) 19 | -------------------------------------------------------------------------------- /filter.d/directadmin.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file for Directadmin 3 | # 4 | # 5 | # 6 | 7 | [INCLUDES] 8 | 9 | before = common.conf 10 | 11 | [Definition] 12 | 13 | failregex = ^: \'\' \d{1,3} failed login attempt(s)?. \s* 14 | 15 | ignoreregex = 16 | 17 | datepattern = ^%%Y:%%m:%%d-%%H:%%M:%%S 18 | 19 | # 20 | # Requires Directadmin v1.45.3 or higher. 
http://www.directadmin.com/features.php?id=1590 21 | # 22 | # Author: Cyril Roos 23 | 24 | -------------------------------------------------------------------------------- /filter.d/sieve.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for sieve authentication failures 3 | # 4 | 5 | [INCLUDES] 6 | 7 | # Read common prefixes. If any customizations available -- read them from 8 | # common.local 9 | before = common.conf 10 | 11 | [Definition] 12 | 13 | _daemon = (?:cyrus/)?(?:tim)?sieved? 14 | 15 | failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[\] \S+ authentication failure$ 16 | 17 | ignoreregex = 18 | 19 | # Author: Jan Wagner 20 | -------------------------------------------------------------------------------- /filter.d/apache-pass.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban Apache pass filter 3 | # This filter is for access.log, NOT for error.log 4 | # 5 | # The knocking request must have a referer. 
6 | 7 | [Definition] 8 | 9 | failregex = ^ - \w+ \[\] "GET HTTP/1\.[01]" 200 \d+ ".*" "[^-].*"$ 10 | 11 | ignoreregex = 12 | 13 | datepattern = ^[^\[]*\[({DATE}) 14 | {^LN-BEG} 15 | 16 | [Init] 17 | 18 | knocking_url = /knocking/ 19 | 20 | # Author: Viktor Szépe 21 | -------------------------------------------------------------------------------- /filter.d/uwimap-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for uwimap 3 | # 4 | 5 | [INCLUDES] 6 | 7 | before = common.conf 8 | 9 | [Definition] 10 | 11 | _daemon = (?:ipop3d|imapd) 12 | 13 | failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|SYSTEM BREAK-IN ATTEMPT) user=\S* auth=\S* host=.*\[\]\s*$ 14 | ^%(__prefix_line)sFailed .* override of user=.* host=.*\[\]\s*$ 15 | 16 | ignoreregex = 17 | 18 | # Author: Amir Caspi 19 | -------------------------------------------------------------------------------- /filter.d/vaultwarden.conf: -------------------------------------------------------------------------------- 1 | ## Version 2025/07/31 2 | # Fail2Ban filter for unsuccessful Vaultwarden authentication attempts 3 | # Logged in /var/log/vaultwarden.log 4 | # Author: LearningSpot 5 | 6 | [Definition] 7 | 8 | failregex = ^\s*(?:\[\]\s*)?\[vaultwarden::api::(?:identity|admin|core::two_factor::authenticator)?\]\[ERROR\] (?:Invalid admin token|Invalid TOTP code|Username or password is incorrect)[\.!](?:\s+(?!IP:)\S+)* IP: (?:\. Username: \S+)? 
9 | ignoreregex = 10 | -------------------------------------------------------------------------------- /jail.d/homeassistant-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for homeassistant 3 | # Requires modification to Homeassitants settings 4 | # https://www.home-assistant.io/integrations/fail2ban/ 5 | 6 | # Enabling logging 7 | 8 | # logger: 9 | # logs: 10 | # homeassistant.components.http.ban: warning 11 | 12 | [homeassistant-auth] 13 | 14 | enabled = false 15 | port = 8123 16 | logpath = %(remote_logs_path)s/homeassistant/home-assistant.log 17 | maxretry = 2 18 | -------------------------------------------------------------------------------- /action.d/nftables-allports.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # Modified: Yaroslav O. Halchenko 6 | # made active on all ports from original iptables.conf 7 | # Modified: Alexander Belykh 8 | # adapted for nftables 9 | # 10 | # Obsolete: superseded by nftables[type=allports] 11 | 12 | [INCLUDES] 13 | 14 | before = nftables.conf 15 | 16 | [Definition] 17 | 18 | type = allports 19 | -------------------------------------------------------------------------------- /jail.d/nginx-http-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for nginx-http-auth 3 | 4 | # To use more aggressive http-auth modes set filter parameter "mode" in jail.local: 5 | # normal (default), aggressive (combines all), auth or fallback 6 | # See "tests/files/logs/nginx-http-auth" or "filter.d/nginx-http-auth.conf" for usage example and details. 
7 | 8 | [nginx-http-auth] 9 | 10 | enabled = false 11 | port = http,https 12 | logpath = %(nginx_error_log)s 13 | # mode = normal 14 | -------------------------------------------------------------------------------- /jail.d/vaultwarden-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for vaultwarden 3 | # Requires modification to Vaultwardens settings 4 | # https://github.com/dani-garcia/vaultwarden/wiki/Logging#logging-to-a-file 5 | 6 | # Specify the path to the log file with the LOG_FILE environment variable 7 | 8 | # -e LOG_FILE=/data/vaultwarden.log 9 | 10 | [vaultwarden-auth] 11 | 12 | enabled = false 13 | port = http,https 14 | logpath = %(remote_logs_path)s/vaultwarden/vaultwarden.log 15 | -------------------------------------------------------------------------------- /action.d/nftables-multiport.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # Modified: Yaroslav O. Halchenko 6 | # made active on all ports from original iptables.conf 7 | # Modified: Alexander Belykh 8 | # adapted for nftables 9 | # 10 | # Obsolete: superseded by nftables[type=multiport] 11 | 12 | [INCLUDES] 13 | 14 | before = nftables.conf 15 | 16 | [Definition] 17 | 18 | type = multiport 19 | -------------------------------------------------------------------------------- /filter.d/horde.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # fail2ban filter configuration for horde 3 | 4 | 5 | [Definition] 6 | 7 | 8 | failregex = ^ HORDE \[error\] \[(horde|imp)\] FAILED LOGIN for \S+ \[\](\(forwarded for \[\S+\]\))? 
to (Horde|{[^}]+}) \[(pid \d+ )?on line \d+ of \S+\]$ 9 | 10 | 11 | ignoreregex = 12 | 13 | # DEV NOTES: 14 | # https://github.com/horde/horde/blob/master/imp/lib/Auth.php#L132 15 | # https://github.com/horde/horde/blob/master/horde/login.php 16 | # 17 | # Author: Daniel Black 18 | -------------------------------------------------------------------------------- /filter.d/nagios.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2) 3 | # Detecting unauthorized access to the nrpe2 daemon 4 | # typically logged in /var/log/messages syslog 5 | # 6 | 7 | [INCLUDES] 8 | # Read syslog common prefixes 9 | before = common.conf 10 | 11 | [Definition] 12 | _daemon = nrpe 13 | failregex = ^%(__prefix_line)sHost is not allowed to talk to us!\s*$ 14 | ignoreregex = 15 | 16 | # DEV Notes: 17 | # 18 | # Author: Ivo Truxa - 2014/02/03 19 | -------------------------------------------------------------------------------- /filter.d/proxmox.conf: -------------------------------------------------------------------------------- 1 | ## Version 2024/07/30 2 | # Fail2Ban filter for Proxmox Web GUI 3 | # 4 | # Jail example: 5 | # [proxmox] 6 | # enabled = true 7 | # port = https,http,8006 8 | # filter = proxmox 9 | # logpath = /var/log/daemon.log 10 | # maxretry = 3 11 | # # 1 hour 12 | # bantime = 3600 13 | 14 | [Definition] 15 | 16 | _daemon = pvedaemon 17 | 18 | failregex = ^\s*\S+ %(_daemon)s\[\d+\]: authentication failure; rhost= user=\S+ 19 | 20 | ignoreregex = 21 | 22 | -------------------------------------------------------------------------------- /filter.d/nextcloud-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter configuration for nextcloud 3 | 4 | [INCLUDES] 5 | before = common.conf 6 | 7 | [Definition] 8 | 9 | _groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*) 10 | 11 | 
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed: 12 | ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error. 13 | 14 | datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?" 15 | -------------------------------------------------------------------------------- /jail.d/nginx-limit-req.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for nginx-limit-req 3 | 4 | # To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 5 | # and define `limit_req` and `limit_req_zone` as described in nginx documentation 6 | # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html 7 | # or for example see in 'config/filter.d/nginx-limit-req.conf' 8 | 9 | [nginx-limit-req] 10 | 11 | enabled = false 12 | port = http,https 13 | logpath = %(nginx_error_log)s 14 | -------------------------------------------------------------------------------- /filter.d/bitwarden.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for Bitwarden 3 | # Detecting failed login attempts 4 | # Logged in bwdata/logs/identity/Identity/log.txt 5 | 6 | [INCLUDES] 7 | before = common.conf 8 | 9 | [Definition] 10 | _daemon = Bitwarden-Identity 11 | failregex = ^%(__prefix_line)s\s*\[(?:W(?:RN|arning)|Bit\.Core\.[^\]]+)\]\s+Failed login attempt(?:, 2FA invalid)?\. <HOST>$ 12 | 13 | # DEV Notes: 14 | # __prefix_line can result in an empty string, so it can support syslog and non-syslog at once. 
15 | -------------------------------------------------------------------------------- /filter.d/apache-fakegooglebot.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for fake Googlebot User Agents 3 | 4 | [Definition] 5 | 6 | failregex = ^\s* \S+ \S+(?: \S+)?\s+\S+ "[A-Z]+ /\S* [^"]*" \d+ \d+ \"[^"]*\" "[^"]*\bGooglebot/[^"]*" 7 | 8 | ignoreregex = 9 | 10 | datepattern = ^[^\[]*(\[{DATE}\s*\]) 11 | {^LN-BEG} 12 | 13 | # DEV Notes: 14 | # 15 | # Author: Lee Clemens 16 | # Thanks: Johannes B. Ullrich, Ph.D. 17 | # Reference: https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/ 18 | -------------------------------------------------------------------------------- /filter.d/softethervpn.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for SoftEtherVPN 3 | # Detecting unauthorized access to SoftEtherVPN 4 | # typically logged in /usr/local/vpnserver/security_log/*/sec.log, or in syslog, depending on configuration 5 | 6 | [INCLUDES] 7 | before = common.conf 8 | 9 | [Definition] 10 | failregex = ^%(__prefix_line)s(?:(?:\([\d\-]+ [\d:.]+\) )?: )?Connection "[^"]+": User authentication failed. 
The user name that has been provided was "(?:[^"]+|.+)", from \.$ 11 | -------------------------------------------------------------------------------- /jail.d/nextcloud-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for nextcloud 3 | # Recommended modification to Nextcloud settings 4 | # https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/logging_configuration.html#file 5 | 6 | # Set the following in config.php 7 | 8 | # "log_type" => "file", 9 | # "logfile" => "/config/log/nextcloud/nextcloud.log", 10 | 11 | [nextcloud-auth] 12 | 13 | enabled = false 14 | port = http,https 15 | logpath = %(remote_logs_path)s/nextcloud/nextcloud.log 16 | -------------------------------------------------------------------------------- /filter.d/mssql-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for failed MSSQL Server authentication attempts 3 | 4 | [Definition] 5 | 6 | failregex = ^\s*Logon\s+Login failed for user '(?:[^']*|.*)'\. [^'\[]+\[CLIENT: \]$ 7 | 8 | 9 | # DEV Notes: 10 | # Tested with SQL Server 2019 on Ubuntu 18.04 11 | # 12 | # Example: 13 | # 2020-02-24 14:48:55.12 Logon Login failed for user 'root'. Reason: Could not find a login matching the name provided. [CLIENT: 127.0.0.1] 14 | # 15 | # Author: Rüdiger Olschewsky 16 | # 17 | -------------------------------------------------------------------------------- /filter.d/openhab.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Openhab brute force auth filter: /etc/fail2ban/filter.d/openhab.conf: 3 | # 4 | # Block IPs trying to auth openhab by web or rest api 5 | # 6 | # Matches e.g. 
7 | # 12.34.33.22 - - [26/sept./2015:18:04:43 +0200] "GET /openhab.app HTTP/1.1" 401 1382 8 | # 175.18.15.10 - - [02/sept./2015:00:11:31 +0200] "GET /rest/bindings HTTP/1.1" 401 1384 9 | 10 | [Definition] 11 | failregex = ^<HOST>\s+-\s+-\s+\[\]\s+"[A-Z]+ .*" 401 \d+\s*$ 12 | 13 | datepattern = %%d/%%b[^/]*/%%Y:%%H:%%M:%%S %%z 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore everything 2 | * 3 | 4 | # Do NOT ignore repo files 5 | !.editorconfig 6 | !.gitattributes 7 | !.github/* 8 | !.github/workflows/* 9 | !.gitignore 10 | !LICENSE 11 | !README.md 12 | 13 | # Do NOT ignore allowed files 14 | !*.conf 15 | 16 | # Do NOT ignore allowed subfolders 17 | !action.d/ 18 | !filter.d/ 19 | !jail.d/ 20 | 21 | # Ignore all files in allowed subfolders 22 | action.d/* 23 | filter.d/* 24 | jail.d/* 25 | 26 | # Do NOT ignore allowed files in allowed subfolders 27 | !action.d/*.conf 28 | !filter.d/*.conf 29 | !jail.d/*.conf 30 | -------------------------------------------------------------------------------- /filter.d/lighttpd-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2025/03/04 2 | # Fail2Ban filter to match wrong passwords as notified by lighttpd's auth Module 3 | # 4 | 5 | [Definition] 6 | 7 | failregex = ^[^\)]*\(?(?:http|mod)_auth\.c\.\d+\) (?:password doesn\'t match for (?:\S+|.*?) username:\s+(?:\S+|.*?)\s*|digest: auth failed(?: for\s+(?:\S+|.*?)\s*)?: (?:wrong password|uri mismatch \([^\)]*\))|get_password failed),? 
IP: \s*$ 8 | 9 | ignoreregex = 10 | 11 | # Authors: Francois Boulogne , Lucian Maly 12 | -------------------------------------------------------------------------------- /filter.d/cyrus-imap.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for authentication failures on Cyrus imap server 3 | # 4 | # 5 | # 6 | 7 | [INCLUDES] 8 | 9 | # Read common prefixes. If any customizations available -- read them from 10 | # common.local 11 | before = common.conf 12 | 13 | [Definition] 14 | 15 | _daemon = (?:cyrus/)?(?:imap(d|s)?|pop3(d|s)?) 16 | 17 | failregex = ^%(__prefix_line)sbadlogin: [^\[]*\[\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$ 18 | 19 | ignoreregex = 20 | 21 | # Author: Jan Wagner 22 | -------------------------------------------------------------------------------- /filter.d/dante.conf: -------------------------------------------------------------------------------- 1 | ## Version 2023/12/30 2 | # Fail2Ban filter for dante 3 | # 4 | # Make sure you have "log: error" set in your "client pass" directive 5 | # 6 | 7 | [INCLUDES] 8 | before = common.conf 9 | 10 | [Definition] 11 | _daemon = danted 12 | 13 | failregex = ^%(__prefix_line)sinfo: block\(\d\): tcp/accept \]: \.\d+ \S+: error after reading \d+ bytes? 
in \d+ seconds?: (?:could not access|system password authentication failed for|pam_authenticate\(\) for) user "[^"]+" 14 | 15 | [Init] 16 | journalmatch = _SYSTEMD_UNIT=danted.service 17 | 18 | -------------------------------------------------------------------------------- /filter.d/openvpn.conf: -------------------------------------------------------------------------------- 1 | ## Version 2025/01/30 2 | # Fail2Ban filter for openvpn server 3 | # Detecting wrong TLS handshakes 4 | # typically logged in /var/log/syslog 5 | # Author: Philipp Burndorfer 6 | 7 | [INCLUDES] 8 | before = common.conf 9 | 10 | [Definition] 11 | _daemon = ovpn-server\d* 12 | 13 | failregex = ^%(__prefix_line)s<HOST>:\d{4,5} (?:TLS Auth Error:|VERIFY ERROR:|TLS Error: TLS handshake failed\b|SIGUSR1\[soft,connection-reset\] received\b) 14 | ^%(__prefix_line)sTLS Error: cannot locate HMAC in incoming packet from \[AF_INET\]\s*<HOST>:\d{4,5} 15 | -------------------------------------------------------------------------------- /filter.d/webmin-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for webmin 3 | # 4 | 5 | [INCLUDES] 6 | 7 | before = common.conf 8 | 9 | [Definition] 10 | 11 | _daemon = webmin 12 | 13 | failregex = ^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$ 14 | ^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$ 15 | 16 | ignoreregex = 17 | 18 | # DEV Notes: 19 | # 20 | # pattern : webmin[15673]: Non-existent login as toto from 86.0.6.217 21 | # webmin[29544]: Invalid login as root from 86.0.6.217 22 | # 23 | # Rule Author: Delvit Guillaume 24 | -------------------------------------------------------------------------------- /filter.d/nginx-bad-request.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter to match bad requests to nginx 3 | # 4 | 5 | [Definition] 6 | 7 | # The request often doesn't contain a method, only 
some encoded garbage 8 | # This will also match requests that are entirely empty 9 | failregex = ^ - \S+ \[\] "[^"]*" 400 10 | 11 | datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)? 12 | ^[^\[]*\[({DATE}) 13 | {^LN-BEG} 14 | 15 | journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx 16 | 17 | # Author: Jan Przybylak 18 | -------------------------------------------------------------------------------- /filter.d/3proxy.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for 3proxy 3 | # 4 | # 5 | 6 | [Definition] 7 | 8 | 9 | failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ :\d+ [\d.]+:\d+ \d+ \d+ \d+\s 10 | 11 | ignoreregex = 12 | 13 | datepattern = {^LN-BEG} 14 | 15 | # DEV Notes: 16 | # http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are 17 | # all authentication problems (%E field) 18 | # Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T" 19 | # 20 | # Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246 21 | # Author: Daniel Black 22 | -------------------------------------------------------------------------------- /filter.d/courier-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for courier authentication failures 3 | # 4 | 5 | [INCLUDES] 6 | 7 | # Read common prefixes. If any customizations available -- read them from 8 | # common.local 9 | before = common.conf 10 | 11 | [Definition] 12 | 13 | _daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)? 
14 | 15 | failregex = ^%(__prefix_line)sLOGIN FAILED, (?:(?!ip=)(?:user=[^,]*|\w+=[^,]*), )*ip=\[<HOST>\] 16 | 17 | ignoreregex = 18 | 19 | datepattern = {^LN-BEG} 20 | 21 | # Author: Christoph Haas 22 | # Modified by: Cyril Jaquier 23 | -------------------------------------------------------------------------------- /filter.d/openwebmail.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for Openwebmail 3 | # banning hosts with authentication errors in /var/log/openwebmail.log 4 | # OpenWebMail http://openwebmail.org 5 | # 6 | 7 | [Definition] 8 | 9 | failregex = ^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - login error - (no such user - loginname=(?P=USER)|auth_unix.pl, ret -4, Password incorrect)$ 10 | ^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - userinfo error - auth_unix.pl, ret -4, User (?P=USER) doesn't exist$ 11 | 12 | ignoreregex = 13 | 14 | # DEV Notes: 15 | # 16 | # Author: Ivo Truxa (c) 2013 truXoft.com 17 | -------------------------------------------------------------------------------- /action.d/osx-afctl.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file for using afctl on Mac OS X Server 10.5 3 | # 4 | # Anonymous author 5 | # http://www.fail2ban.org/wiki/index.php?title=HOWTO_Mac_OS_X_Server_(10.5)&diff=prev&oldid=4081 6 | # 7 | # Ref: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/afctl.8.html 8 | 9 | [Definition] 10 | actionstart = 11 | actionstop = 12 | actioncheck = 13 | actionban = /usr/libexec/afctl -a <ip> -t <bantime> 14 | actionunban = /usr/libexec/afctl -r <ip> 15 | 16 | actionprolong = %(actionunban)s && %(actionban)s 17 | 18 | -------------------------------------------------------------------------------- /filter.d/apache-modsecurity.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban apache-modsec filter 3 | 
# 4 | 5 | [INCLUDES] 6 | 7 | # Read common prefixes. If any customizations available -- read them from 8 | # apache-common.local 9 | before = apache-common.conf 10 | 11 | [Definition] 12 | 13 | 14 | failregex = ^%(_apache_error_client)s(?: \[client [^\]]+\])? ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d 15 | 16 | ignoreregex = 17 | 18 | # https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats 19 | # Author: Daniel Black 20 | # Sergey G. Brester aka sebres (review, optimization) 21 | -------------------------------------------------------------------------------- /filter.d/botsearch-common.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Generic configuration file for -botsearch filters 3 | 4 | [Init] 5 | 6 | # Block is the actual non-found directories to block 7 | block = \/?(|||cgi-bin|mysqladmin)[^,]* 8 | 9 | # These are just convenient definitions that assist the blocking of stuff that 10 | # isn't installed 11 | webmail = roundcube|(ext)?mail|horde|(v-?)?webmail 12 | 13 | phpmyadmin = (typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin) 14 | 15 | wordpress = wp-(login|signup|admin)\.php 16 | 17 | # DEV Notes: 18 | # Taken from apache-botsearch filter 19 | # 20 | # Author: Frantisek Sumsal 21 | -------------------------------------------------------------------------------- /filter.d/courier-smtp.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter to block relay attempts though a Courier smtp server 3 | # 4 | # 5 | 6 | [INCLUDES] 7 | 8 | # Read common prefixes. 
If any customizations available -- read them from 9 | # common.local 10 | before = common.conf 11 | 12 | [Definition] 13 | 14 | _daemon = courieresmtpd 15 | 16 | prefregex = ^%(__prefix_line)serror,relay=,(?:port=\d+,)?.+$ 17 | 18 | failregex = ^[^:]*: 550 User (<.*> )?unknown\.?$ 19 | ^msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?(?: \S+)$ 20 | 21 | ignoreregex = 22 | 23 | # Author: Cyril Jaquier 24 | -------------------------------------------------------------------------------- /filter.d/wuftpd.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file for wuftpd 3 | # 4 | # 5 | 6 | [INCLUDES] 7 | 8 | # Read common prefixes. If any customizations available -- read them from 9 | # common.local 10 | before = common.conf 11 | 12 | [Definition] 13 | 14 | _daemon = wu-ftpd 15 | __pam_re=\(?%(__pam_auth)s(?:\(wu-ftpd:auth\))?\)?:? 16 | 17 | failregex = ^%(__prefix_line)sfailed login from \S+ \[\]\s*$ 18 | ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? 
ruser=\S* rhost=(?:\s+user=.*)?\s*$ 19 | 20 | 21 | ignoreregex = 22 | 23 | # Author: Yaroslav Halchenko 24 | -------------------------------------------------------------------------------- /filter.d/perdition.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for perdition 3 | # 4 | # 5 | 6 | [INCLUDES] 7 | 8 | before = common.conf 9 | 10 | [Definition] 11 | 12 | _daemon=perdition.\S+ 13 | 14 | failregex = ^%(__prefix_line)sAuth: :\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$ 15 | ^%(__prefix_line)sFatal Error reading authentication information from client :\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$ 16 | 17 | ignoreregex = 18 | 19 | # Author: Christophe Carles and Daniel Black 20 | -------------------------------------------------------------------------------- /filter.d/selinux-common.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/12/15 2 | # Fail2Ban configuration file for generic SELinux audit messages 3 | # 4 | # This file is not intended to be used directly, and should be included into a 5 | # filter file which would define following variables. See selinux-ssh.conf as 6 | # and example. 7 | # 8 | # _type 9 | # _uid 10 | # _auid 11 | # _subj 12 | # _msg 13 | # 14 | # Also one of these variables must include . 
15 | 16 | [Definition] 17 | 18 | failregex = ^type=%(_type)s msg=audit\(:\d+\): (?:user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'(?:\x1D|$) 19 | 20 | ignoreregex = 21 | 22 | datepattern = EPOCH 23 | 24 | # Author: Daniel Black 25 | -------------------------------------------------------------------------------- /filter.d/xinetd-fail.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for xinetd failures 3 | # 4 | # Cfr.: /var/log/(daemon\.|sys)log 5 | # 6 | # 7 | 8 | [INCLUDES] 9 | 10 | # Read common prefixes. If any customizations available -- read them from 11 | # common.local 12 | before = common.conf 13 | 14 | [Definition] 15 | 16 | _daemon = xinetd 17 | 18 | prefregex = ^%(__prefix_line)sFAIL: .+$ 19 | 20 | failregex = ^\S+ address from=$ 21 | ^\S+ libwrap from=$ 22 | 23 | ignoreregex = 24 | 25 | # DEV Notes: 26 | # 27 | # libwrap => tcp wrappers: hosts.(allow|deny) 28 | # address => xinetd: deny_from|only_from 29 | # 30 | # Author: Guido Bozzetto 31 | -------------------------------------------------------------------------------- /jail.d/gitea-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban jail configuration for emby 3 | # Requires modification to Giteas settings 4 | # https://docs.gitea.io/en-us/fail2ban-setup/ 5 | 6 | # Enabling, and depending on Giteas built in SSH server 7 | 8 | # [server] 9 | # [DISABLE_SSH = false 10 | # [SSH_PORT = 22 11 | # [SSH_LISTEN_PORT = 822 12 | # [START_SSH_SERVER = true 13 | 14 | # Enabling logs 15 | 16 | # [log] 17 | # ROOT_PATH = /data/gitea/log 18 | # ENABLE_SSH_LOG = true 19 | # LEVEL = Info 20 | # MODE = file 21 | 22 | [gitea-auth] 23 | 24 | enabled = false 25 | port = http,https,822 26 | logpath = %(remote_logs_path)s/gitea/gitea.log 27 | maxretry = 3 28 | 
-------------------------------------------------------------------------------- /jail.d/recidive.conf: -------------------------------------------------------------------------------- 1 | ## Version 2025/01/30 2 | # Jail for more extended banning of persistent abusers 3 | # !!! WARNINGS !!! 4 | # 1. Make sure that your loglevel specified in fail2ban.conf/.local 5 | # is not at DEBUG level -- which might then cause fail2ban to fall into 6 | # an infinite loop constantly feeding itself with non-informative lines 7 | # 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) 8 | # to maintain entries for failed logins for sufficient amount of time 9 | 10 | [recidive] 11 | 12 | enabled = false 13 | # lsio value 14 | logpath = /config/log/fail2ban/fail2ban.log 15 | banaction = %(banaction_allports)s 16 | bantime = 1w 17 | findtime = 1d 18 | -------------------------------------------------------------------------------- /action.d/helpers-common.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | [DEFAULT] 3 | 4 | # Usage: 5 | # _grep_logs_args = 'test' 6 | # (printf %%b "Log-excerpt contains 'test':\n"; %(_grep_logs)s; printf %%b "Log-excerpt contains 'test':\n") | mail ... 
7 | # 8 | _grep_logs = logpath=""; grep %(_grep_logs_args)s $logpath | 9 | # options `-wF` used to match only whole words and fixed string (not as pattern) 10 | _grep_logs_args = -wF "" 11 | 12 | # Used for actions, that should not by executed if ticket was restored: 13 | _bypass_if_restored = if [ '' = '1' ]; then exit 0; fi; 14 | 15 | [Init] 16 | greplimit = tail -n 17 | grepmax = 1000 18 | grepopts = -m 19 | -------------------------------------------------------------------------------- /filter.d/drupal-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter to block repeated failed login attempts to Drupal site(s) 3 | # 4 | # 5 | # Drupal must be setup to use Syslog, which defaults to the following format: 6 | # 7 | # !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message 8 | # 9 | # 10 | 11 | [INCLUDES] 12 | 13 | before = common.conf 14 | 15 | 16 | [Definition] 17 | 18 | failregex = ^%(__prefix_line)s(?:https?:\/\/)[^|]+\|[^|]+\|[^|]+\|\|(?:[^|]*\|)*Login attempt failed (?:for|from) [^|]+\.$ 19 | 20 | ignoreregex = 21 | 22 | 23 | # DEV Notes: 24 | # 25 | # https://www.drupal.org/documentation/modules/syslog 26 | # 27 | # Author: Lee Clemens 28 | -------------------------------------------------------------------------------- /filter.d/apache-nohome.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter to web requests for home directories on Apache servers 3 | # 4 | # Regex to match failures to find a home directory on a server, which 5 | # became popular last days. Most often attacker just uses IP instead of 6 | # domain name -- so expect to see them in generic error.log if you have 7 | # per-domain log files. 8 | 9 | [INCLUDES] 10 | 11 | # overwrite with apache-common.local if _apache_error_client is incorrect. 
12 | before = apache-common.conf 13 | 14 | [Definition] 15 | 16 | 17 | failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.* 18 | 19 | ignoreregex = 20 | 21 | # Author: Yaroslav O. Halchenko 22 | -------------------------------------------------------------------------------- /action.d/apf.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # https://www.rfxn.com/projects/advanced-policy-firewall/ 4 | # 5 | # Note: APF doesn't play nicely with other actions. It has been observed to 6 | # remove bans created by other iptables based actions. If you are going to use 7 | # this action, use it for all of your jails. 8 | # 9 | # DON'T MIX APF and other IPTABLES based actions 10 | [Definition] 11 | 12 | actionstart = 13 | actionstop = 14 | actioncheck = 15 | actionban = apf --deny "banned by Fail2Ban " 16 | actionunban = apf --remove 17 | 18 | [Init] 19 | 20 | # Name used in APF configuration 21 | # 22 | name = default 23 | 24 | # DEV NOTES: 25 | # 26 | # Author: Mark McKinstry 27 | -------------------------------------------------------------------------------- /filter.d/monitorix.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for Monitorix (HTTP built-in server) 3 | # 4 | 5 | [INCLUDES] 6 | 7 | before = common.conf 8 | 9 | [Definition] 10 | 11 | _daemon = monitorix-httpd 12 | 13 | # Option: failregex 14 | # Notes.: regex to match the password failures messages in the logfile. The 15 | # host must be matched by a group named "host". The tag "" can 16 | # be used for standard IP/hostname matching and is only an alias for 17 | # (?:::f{4,6}:)?(?P\S+) 18 | # Values: TEXT 19 | # 20 | failregex = ^(?:\s+-)?\s*(?:NOTEXIST|AUTHERR|NOTALLOWED) - \b 21 | 22 | # Option: ignoreregex 23 | # Notes.: regex to ignore. If this regex matches, the line is ignored. 
24 | # Values: TEXT 25 | # 26 | ignoreregex = 27 | -------------------------------------------------------------------------------- /filter.d/slapd.conf: -------------------------------------------------------------------------------- 1 | ## Version 2023/10/18 2 | # slapd (Stand-alone LDAP Daemon) openldap daemon filter 3 | # 4 | # Detecting invalid credentials: error code 49 5 | # http://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html#invalidCredentials (49) 6 | 7 | [INCLUDES] 8 | 9 | # Read common prefixes. If any customizations available -- read them from 10 | # common.local 11 | before = common.conf 12 | 13 | [Definition] 14 | 15 | _daemon = slapd 16 | 17 | prefregex = ^%(__prefix_line)sconn=\d+(?: (?:fd|op)=\d+){0,2} (?=ACCEPT|RESULT).+$ 18 | 19 | failregex = ^ACCEPT from IP=:\d{1,5}\s+ 20 | ^RESULT(?:\s(?!err)\S+=\S*)* err=49\b 21 | 22 | ignoreregex = 23 | 24 | # Author: Andrii Melnyk, Sergey G. Brester 25 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | [linuxserverurl]: https://linuxserver.io 4 | [![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)][linuxserverurl] 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | ## Thanks, team linuxserver.io 15 | 16 | -------------------------------------------------------------------------------- /filter.d/suhosin.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for suhosian PHP hardening 3 | # 4 | # This occurs with lighttpd or directly from the plugin 5 | # 6 | 7 | [INCLUDES] 8 | 9 | # Read common prefixes. 
If any customizations available -- read them from 10 | # common.local 11 | before = common.conf 12 | 13 | 14 | [Definition] 15 | 16 | _daemon = (?:lighttpd|suhosin) 17 | 18 | 19 | _lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s) 20 | 21 | failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .*? \(attacker '', file '[^']*'(?:, line \d+)?\)$ 22 | 23 | ignoreregex = 24 | 25 | # DEV Notes: 26 | # 27 | # https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161 28 | # 29 | # Author: Arturo 'Buanzo' Busleiman 30 | -------------------------------------------------------------------------------- /filter.d/selinux-ssh.conf: -------------------------------------------------------------------------------- 1 | ## Version 2023/11/18 2 | # Fail2Ban configuration file for SELinux ssh authentication errors 3 | # 4 | 5 | [INCLUDES] 6 | 7 | after = selinux-common.conf 8 | 9 | [Definition] 10 | 11 | _type = USER_(ERR|AUTH) 12 | _uid = 0 13 | _auid = \d+ 14 | _subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023 15 | 16 | _exe =/usr/sbin/sshd 17 | _terminal = ssh 18 | 19 | _anygrp = (?!acct=|exe=|addr=|terminal=|res=)\w+=(?:"[^"]+"|\S*) 20 | 21 | _msg = (?:%(_anygrp)s )*acct=(?:"[^"]+"|\S+) exe="%(_exe)s" (?:%(_anygrp)s )*addr= terminal=%(_terminal)s res=failed 22 | 23 | # DEV Notes: 24 | # 25 | # Note: USER_LOGIN is ignored as this is the duplicate message 26 | # ssh logs after 3 USER_AUTH failures. 27 | # 28 | # Author: Daniel Black 29 | -------------------------------------------------------------------------------- /filter.d/sogo-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2023/11/18 2 | # Fail2ban filter for SOGo authentication 3 | # 4 | # Log file usually in /var/log/sogo/sogo.log 5 | 6 | [Definition] 7 | 8 | failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '(?:,[^']*)?' 
for user '[^']*' might not have worked( - password policy: \d* grace: -?\d* expire: -?\d* bound: -?\d*)?\s*$ 9 | 10 | ignoreregex = "^" 11 | 12 | datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)? 13 | {^LN-BEG}(?:%%a )?%%b %%d %%H:%%M:%%S(?:\.%%f)?(?: %%ExY)? 14 | ^[^\[]*\[({DATE}) 15 | {^LN-BEG} 16 | 17 | # 18 | # DEV Notes: 19 | # 20 | # The error log may contain multiple hosts, whereas the first one 21 | # is the client and all others are poxys. We match the first one, only 22 | # 23 | # Author: Arnd Brandes 24 | -------------------------------------------------------------------------------- /filter.d/nginx-botsearch.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter to match web requests for selected URLs that don't exist 3 | # 4 | 5 | [INCLUDES] 6 | 7 | # Load regexes for filtering 8 | before = botsearch-common.conf 9 | 10 | [Definition] 11 | 12 | failregex = ^ \- \S+ \[\] \"(GET|POST|HEAD) \/ \S+\" 404 .+$ 13 | ^ \[error\] \d+#\d+: \*\d+ (\S+ )?\"\S+\" (failed|is not found) \(2\: No such file or directory\), client\: \, server\: \S*\, request: \"(GET|POST|HEAD) \/ \S+\"\, .*?$ 14 | 15 | ignoreregex = 16 | 17 | datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)? 18 | ^[^\[]*\[({DATE}) 19 | {^LN-BEG} 20 | 21 | journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx 22 | 23 | # DEV Notes: 24 | # Based on apache-botsearch filter 25 | # 26 | # Author: Frantisek Sumsal 27 | -------------------------------------------------------------------------------- /filter.d/vsftpd.conf: -------------------------------------------------------------------------------- 1 | ## Version 2025/03/04 2 | # Fail2Ban filter for vsftp 3 | # 4 | # Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch 5 | # /var/log/vsftpd.log instead of /var/log/secure. 
vsftpd.log file shows the 6 | # incoming ip address rather than domain names. 7 | 8 | [INCLUDES] 9 | 10 | before = common.conf 11 | 12 | [Definition] 13 | 14 | __pam_re=(?:\(?%(__pam_auth)s(?:\(\S+\))?\)?:?\s+)? 15 | _daemon = vsftpd 16 | 17 | failregex = ^%(__prefix_line)s%(__pam_re)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=(?:ftp)? ruser=\S* rhost=(?:\s+user=\S*)?\s*$ 18 | ^(?:\s*\[pid \d+\] |%(__prefix_line)s)\[[^\]]+\] FAIL LOGIN: Client ""(?:\s*$|,) 19 | 20 | ignoreregex = 21 | 22 | # Authors: Cyril Jaquier, Lucian Maly 23 | # Documentation from fail2ban wiki 24 | -------------------------------------------------------------------------------- /filter.d/monit.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for monit.conf, looks for failed access attempts 3 | # 4 | # 5 | 6 | [INCLUDES] 7 | 8 | # Read common prefixes. If any customizations available -- read them from 9 | # common.local 10 | before = common.conf 11 | 12 | # [DEFAULT] 13 | # logtype = short 14 | 15 | [Definition] 16 | 17 | _daemon = monit 18 | 19 | _prefix = Warning|HttpRequest 20 | 21 | # Regexp for previous (accessing monit httpd) and new (access denied) versions 22 | failregex = ^%(__prefix_line)s(?:error\s*:\s+)?(?:%(_prefix)s):\s+(?:access denied\s+--\s+)?[Cc]lient '?'?(?:\s+supplied|\s*:)\s+(?:unknown user '[^']+'|wrong password for user '[^']*'|empty password) 23 | 24 | # Ignore login with empty user (first connect, no user specified) 25 | # ignoreregex = %(__prefix_line)s\w+: access denied -- client : (?:unknown user '') 26 | ignoreregex = 27 | -------------------------------------------------------------------------------- /action.d/iptables-ipset-proto6.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Daniel Black 5 | # 6 | # This is for ipset protocol 6 (and hopefully 
later) (ipset v6.14). 7 | # Use ipset -V to see the protocol and version. Version 4 should use 8 | # iptables-ipset-proto4.conf. 9 | # 10 | # This requires the program ipset which is normally in package called ipset. 11 | # 12 | # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels. 13 | # 14 | # If you are running on an older kernel you make need to patch in external 15 | # modules. 16 | # 17 | # Modified: Alexander Koeppe , Serg G. Brester 18 | # made config file IPv6 capable (see new section Init?family=inet6) 19 | # 20 | # Obsolete: superseded by iptables-ipset[type=multiport] 21 | 22 | [INCLUDES] 23 | 24 | before = iptables-ipset.conf 25 | 26 | [Definition] 27 | 28 | type = multiport 29 | -------------------------------------------------------------------------------- /filter.d/sendmail-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/12/15 2 | # Fail2Ban filter for sendmail authentication failures 3 | # 4 | 5 | [INCLUDES] 6 | 7 | before = common.conf 8 | 9 | [Definition] 10 | 11 | _daemon = (?:sendmail|sm-(?:mta|acceptingconnections)) 12 | # "\w{14,20}" will give support for IDs from 14 up to 20 characters long 13 | __prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )? 14 | addr = (?:IPv6:|) 15 | 16 | prefregex = ^%(__prefix_line)s.+$ 17 | 18 | failregex = ^(\S+ )?\[%(addr)s\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$ 19 | ^AUTH failure \([^\)]+\):(?: [^:]+:)? 
(?:authentication failure|user not found): [^,]*, (?:user=(?:\S+|.*?), )?relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$ 20 | ignoreregex = 21 | 22 | journalmatch = _SYSTEMD_UNIT=sendmail.service 23 | 24 | # DEV Notes: 25 | # 26 | # Author: Daniel Black 27 | -------------------------------------------------------------------------------- /filter.d/nsd.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Bas van den Dikkenberg 5 | # 6 | # 7 | 8 | [INCLUDES] 9 | 10 | # Read common prefixes. If any customizations available -- read them from 11 | # common.local 12 | before = common.conf 13 | 14 | 15 | [Definition] 16 | 17 | _daemon = nsd 18 | 19 | # Option: failregex 20 | # Notes.: regex to match the password failures messages in the logfile. The 21 | # host must be matched by a group named "host". The tag "" can 22 | # be used for standard IP/hostname matching and is only an alias for 23 | # (?:::f{4,6}:)?(?P[\w\-.^_]+) 24 | # Values: TEXT 25 | 26 | failregex = ^%(__prefix_line)sinfo: ratelimit block .* query TYPE255$ 27 | ^%(__prefix_line)sinfo: .* from(?: client)? refused, no acl matches\.?$ 28 | 29 | ignoreregex = 30 | 31 | datepattern = {^LN-BEG}Epoch 32 | {^LN-BEG} 33 | -------------------------------------------------------------------------------- /filter.d/nginx-error-common.conf: -------------------------------------------------------------------------------- 1 | ## Version 2023/12/10 2 | # Generic nginx error_log configuration items (to be used as interpolations) in other 3 | # filters monitoring nginx error-logs 4 | # 5 | 6 | [DEFAULT] 7 | 8 | # Type of log-file resp. log-format (file, short, journal): 9 | logtype = file 10 | 11 | # Daemon definition is to be specialized (if needed) in .conf file 12 | _daemon = nginx 13 | 14 | # Common line prefixes (beginnings) which could be used in filters 15 | # 16 | # [bsdverbose]? 
[hostname] [vserver tag] daemon_id spaces 17 | # 18 | # This can be optional (for instance if we match named native log files) 19 | __prefix = /__prefix> 20 | 21 | __err_type = error 22 | 23 | __prefix_line = %(__prefix)s\[%(__err_type)s\] \d+#\d+: \*\d+\s+ 24 | 25 | 26 | [lt_file] 27 | __prefix = \s* 28 | 29 | [lt_short] 30 | __prefix = \s*(?:(?!\[)\S+ %(_daemon)s\[\d+\]: [^\[]*)? 31 | 32 | [lt_journal] 33 | __prefix = %(lt_short/__prefix)s 34 | -------------------------------------------------------------------------------- /filter.d/qmail.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filters for qmail RBL patches/fake proxies 3 | # 4 | # the default djb RBL implementation doesn't log any rejections 5 | # so is useless with this filter. 6 | # 7 | # One patch is here: 8 | # 9 | # http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd 10 | 11 | [INCLUDES] 12 | 13 | before = common.conf 14 | 15 | [Definition] 16 | 17 | _daemon = (?:qmail|rblsmtpd) 18 | 19 | failregex = ^%(__prefix_line)s\d+\.\d+ rblsmtpd: pid \d+ \S+ 4\d\d \S+\s*$ 20 | ^%(__prefix_line)s\d+\.\d+ qmail-smtpd: 4\d\d badiprbl: ip rbl: \S+\s*$ 21 | ^%(__prefix_line)s\S+ blocked \S+ -\s*$ 22 | 23 | ignoreregex = 24 | 25 | # DEV Notes: 26 | # 27 | # These seem to be for two or 3 different patches to qmail or rblsmtpd 28 | # so you'll probably only ever see one of these regex's that match. 29 | # 30 | # ref: https://github.com/fail2ban/fail2ban/pull/386 31 | # 32 | # Author: Daniel Black 33 | -------------------------------------------------------------------------------- /action.d/iptables-ipset-proto6-allports.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Daniel Black 5 | # 6 | # This is for ipset protocol 6 (and hopefully later) (ipset v6.14). 7 | # Use ipset -V to see the protocol and version. 
Version 4 should use 8 | # iptables-ipset-proto4.conf. 9 | # 10 | # This requires the program ipset which is normally in package called ipset. 11 | # 12 | # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels. 13 | # 14 | # If you are running on an older kernel you make need to patch in external 15 | # modules which probably won't be protocol version 6. 16 | # 17 | # Modified: Alexander Koeppe , Serg G. Brester 18 | # made config file IPv6 capable (see new section Init?family=inet6) 19 | # 20 | # Obsolete: superseded by iptables-ipset[type=allports] 21 | 22 | [INCLUDES] 23 | 24 | before = iptables-ipset.conf 25 | 26 | [Definition] 27 | 28 | type = allports 29 | -------------------------------------------------------------------------------- /filter.d/screensharingd.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Simon Brown 5 | # 6 | # Filter for Mac OS X Screen Sharing service 7 | 8 | [INCLUDES] 9 | 10 | # Read common prefixes. If any customizations available -- read them from 11 | # common.local 12 | before = common.conf 13 | 14 | 15 | [Definition] 16 | 17 | _daemon = screensharingd 18 | 19 | # Option: failregex 20 | # Notes.: regex to match the password failures messages in the logfile. The 21 | # host must be matched by a group named "host". The tag "" can 22 | # be used for standard IP/hostname matching and is only an alias for 23 | # (?:::f{4,6}:)?(?P[\w\-.^_]+) 24 | # Values: TEXT 25 | # 26 | failregex = ^%(__prefix_line)sAuthentication: FAILED :: User Name: .+ :: Viewer Address: :: Type: DH$ 27 | 28 | # Option: ignoreregex 29 | # Notes.: regex to ignore. If this regex matches, the line is ignored. 
30 | # Values: TEXT 31 | # 32 | ignoreregex = 33 | -------------------------------------------------------------------------------- /filter.d/tine20.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for Tine 2.0 authentication 3 | # 4 | # Enable logging with: 5 | # $config['info_log']='/var/log/tine20/tine20.log'; 6 | # 7 | 8 | [Definition] 9 | 10 | failregex = ^[\da-f]{5,} [\da-f]{5,} (-- none --|.*?)( \d+(\.\d+)?(h|m|s|ms)){0,2} - WARN \(\d+\): Tinebase_Controller::login::\d+ Login with username .*? from failed \(-[13]\)!$ 11 | 12 | ignoreregex = 13 | 14 | datepattern = ^[^-]+ -- [^-]+ -- - ({DATE}) 15 | {^LN-BEG} 16 | 17 | # Author: Mika (mkl) from Tine20.org forum: https://www.tine20.org/forum/viewtopic.php?f=2&t=15688&p=54766 18 | # Editor: Daniel Black 19 | # Advisor: Lars Kneschke 20 | # 21 | # Usernames can contain spaces. 22 | # 23 | # Authentication: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Controller.php#l105 24 | # Logger: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Log/Formatter.php 25 | # formatMicrotimeDiff: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Helper.php#l276 26 | -------------------------------------------------------------------------------- /filter.d/php-url-fopen.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for URLs with a URL as a script parameters 3 | # which can be an indication of a fopen url php injection 4 | # 5 | # Example of web requests in Apache access log: 6 | # 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? 
HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)" 7 | 8 | [Definition] 9 | 10 | failregex = ^ -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$ 11 | 12 | ignoreregex = 13 | 14 | # DEV Notes: 15 | # 16 | # Version 2 17 | # fixes the failregex so REFERERS that contain =http:// don't get blocked 18 | # (mentioned by "fasuto" (no real email provided... blog comment) in this entry: 19 | # http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489 20 | # 21 | # Author: Arturo 'Buanzo' Busleiman 22 | 23 | datepattern = ^[^\[]*\[({DATE}) 24 | {^LN-BEG} 25 | -------------------------------------------------------------------------------- /action.d/sendmail.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # 6 | # 7 | 8 | [INCLUDES] 9 | 10 | before = sendmail-common.conf 11 | 12 | [Definition] 13 | 14 | # bypass ban/unban for restored tickets 15 | norestored = 1 16 | 17 | # Option: actionban 18 | # Notes.: command executed when banning an IP. Take care that the 19 | # command is executed with Fail2Ban user rights. 
20 | # Tags: See jail.conf(5) man page 21 | # Values: CMD 22 | # 23 | actionban = printf %%b "Subject: [Fail2Ban] : banned from 24 | Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` 25 | From: <> 26 | To: \n 27 | Hi,\n 28 | The IP has just been banned by Fail2Ban after 29 | attempts against .\n 30 | Regards,\n 31 | Fail2Ban" | 32 | 33 | [Init] 34 | 35 | # Default name of the chain 36 | # 37 | name = default 38 | 39 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | [linuxserverurl]: https://linuxserver.io 4 | [![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)][linuxserverurl] 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | ## Thanks, team linuxserver.io 21 | 22 | -------------------------------------------------------------------------------- /filter.d/authelia-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2024/01/19 2 | # Fail2Ban filter configuration for authelia 3 | 4 | [INCLUDES] 5 | before = common.conf 6 | 7 | # Make sure that the HTTP header "X-Forwarded-For" received by Authelia's backend 8 | # only contains a single IP address (the one from the end-user), and not the proxy chain 9 | # (it is misleading: usually, this is the purpose of this header). 
10 | 11 | [Definition] 12 | 13 | # this counts every failed login (wrong username or password) and failed TOTP entry as a failure 14 | failregex = ^.*Unsuccessful (1FA|TOTP|Duo|U2F) authentication attempt by user .*remote_ip"?(:|=)"?"?.*$ 15 | (?i)^.*access to .*is not authorized.*remote_ip"?(:|=)"?"?.*$ 16 | ^.* is banned until .*remote_ip"?(:|=)"?"?.*$ 17 | 18 | # we can ignore debug, info and warning messages as all authentication failures are flagged as level=error by Authelia 19 | ignoreregex = ^.*level"?(:|=)"?info.* 20 | ^.*level"?(:|=)"?warning.* 21 | ^.*level"?(:|=)"?debug.* 22 | -------------------------------------------------------------------------------- /filter.d/kerio.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2ban filter for kerio 3 | 4 | [Definition] 5 | 6 | failregex = ^ SMTP Spam attack detected from , 7 | ^ IP address found in DNS blacklist 8 | ^ Relay attempt from IP address 9 | ^ Attempt to deliver to unknown recipient \S+, from \S+, IP address $ 10 | ^ Failed SMTP login from 11 | ^ SMTP: User \S+ doesn't exist. Attempt from IP address 12 | ^ Client with IP address has no reverse DNS entry, connection rejected before SMTP greeting$ 13 | ^ Administration login into Web Administration from failed: IP address not allowed$ 14 | ^ Message from IP address , sender \S+ rejected: sender domain does not exist$ 15 | 16 | ignoreregex = 17 | 18 | datepattern = ^\[%%d/%%b/%%Y %%H:%%M:%%S\] 19 | 20 | # DEV NOTES: 21 | # 22 | # Author: A.P. Lawrence 23 | # Updated by: M. 
Bischoff 24 | # 25 | # Based off: http://aplawrence.com/Kerio/fail2ban.html 26 | -------------------------------------------------------------------------------- /filter.d/nginx-forbidden.conf: -------------------------------------------------------------------------------- 1 | ## Version 2023/12/10 2 | # fail2ban filter configuration for nginx forbidden accesses 3 | # 4 | # If you have configured nginx to forbid some paths in your webserver, e.g.: 5 | # 6 | # location ~ /\. { 7 | # deny all; 8 | # } 9 | # 10 | # if a client tries to access https://yoursite/.user.ini then you will see 11 | # in nginx error log: 12 | # 13 | # 2018/09/14 19:03:05 [error] 2035#2035: *9134 access forbidden by rule, client: 10.20.30.40, server: www.example.net, request: "GET /.user.ini HTTP/1.1", host: "www.example.net", referrer: "https://www.example.net" 14 | # 15 | # By carefully setting this filter we ban every IP that tries too many times to 16 | # access forbidden resources. 17 | # 18 | # Author: Michele Bologna https://www.michelebologna.net/ 19 | 20 | [INCLUDES] 21 | 22 | before = nginx-error-common.conf 23 | 24 | [Definition] 25 | failregex = ^%(__prefix_line)saccess forbidden by rule, client: 26 | ignoreregex = 27 | 28 | datepattern = {^LN-BEG} 29 | 30 | journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx 31 | -------------------------------------------------------------------------------- /filter.d/znc-adminlog.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for ZNC (requires adminlog module) 3 | # 4 | # to use this module, enable the adminlog module from within ZNC and point 5 | # logpath to its logfile (e.g. /var/lib/znc/moddata/adminlog/znc.log). 6 | 7 | [DEFAULT] 8 | 9 | logtype = file 10 | 11 | [Definition] 12 | 13 | _daemon = znc 14 | 15 | # Prefix for different logtype (file, journal): 16 | # 17 | __prefix_file = (?:\[\]\s+)? 
18 | __prefix_short = (?:\S+\s+%(_daemon)s\[\d+\]:)\s+ 19 | __prefix_journal = %(__prefix_short)s 20 | 21 | __prefix_line = <__prefix_> 22 | 23 | failregex = ^%(__prefix_line)s\[[^]]+\] failed to login from 24 | 25 | ignoreregex = 26 | 27 | journalmatch = _SYSTEMD_UNIT=znc.service + _COMM=znc 28 | 29 | # DEV Notes: 30 | # Log format is: [] [] from 31 | # [2018-10-27 01:40:17] [girst] connected to ZNC from 1.2.3.4 32 | # [2018-10-27 01:40:21] [girst] disconnected from ZNC from 1.2.3.4 33 | # [2018-10-27 01:40:55] [girst] failed to login from 1.2.3.4 34 | # 35 | # Author: Tobias Girstmair (//gir.st/) 36 | -------------------------------------------------------------------------------- /filter.d/murmur.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for murmur/mumble-server 3 | # 4 | 5 | [Definition] 6 | 7 | _daemon = murmurd 8 | 9 | # N.B. If you allow users to have usernames that include the '>' character you 10 | # should change this to match the regex assigned to the 'username' 11 | # variable in your server config file (murmur.ini / mumble-server.ini). 12 | _usernameregex = [^>]+ 13 | 14 | # Prefix for systemd-journal (with second date-pattern as optional match): 15 | # 16 | __prefix_journal = (?:\S+\s+%(_daemon)s\[\d+\]:(?:\s+\[\d\-]+ [\d:]+.\d+)?) 17 | 18 | __prefix_line = %(__prefix_journal)s? 
19 | 20 | _prefix = %(__prefix_line)s\s+\d+ => <\d+:%(_usernameregex)s\(-1\)> Rejected connection from :\d+: 21 | 22 | prefregex = ^%(_prefix)s .+$ 23 | 24 | failregex = ^Invalid server password$ 25 | ^Wrong certificate or password for existing user$ 26 | 27 | ignoreregex = 28 | 29 | datepattern = ^{DATE} 30 | 31 | journalmatch = _SYSTEMD_UNIT=murmurd.service + _COMM=murmurd 32 | 33 | # DEV Notes: 34 | # 35 | # Author: Ross Brown 36 | -------------------------------------------------------------------------------- /filter.d/pam-generic.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file for generic PAM authentication errors 3 | # 4 | 5 | [INCLUDES] 6 | 7 | before = common.conf 8 | 9 | [Definition] 10 | 11 | # if you want to catch only login errors from specific daemons, use something like 12 | #_ttys_re=(?:ssh|pure-ftpd|ftp) 13 | # 14 | # Default: catch all failed logins 15 | _ttys_re=\S* 16 | 17 | __pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:? 18 | _daemon = \S+ 19 | 20 | prefregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure;(?:\s+(?:(?:logname|e?uid)=\S*)){0,3} tty=%(_ttys_re)s .+$ 21 | 22 | failregex = ^ruser=(?:\S*|.*?) rhost=(?:\s+user=(?:\S*|.*?))?\s*$ 23 | 24 | ignoreregex = 25 | 26 | datepattern = {^LN-BEG} 27 | 28 | # DEV Notes: 29 | # 30 | # for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release) 31 | # _daemon = \S*\(?pam_unix\)? 
32 | # failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=(?:\s+user=.*)?\s*$ 33 | # 34 | # Author: Yaroslav Halchenko 35 | -------------------------------------------------------------------------------- /action.d/sendmail-whois.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # 6 | # 7 | 8 | [INCLUDES] 9 | 10 | before = sendmail-common.conf 11 | mail-whois-common.conf 12 | 13 | [Definition] 14 | 15 | # bypass ban/unban for restored tickets 16 | norestored = 1 17 | 18 | # Option: actionban 19 | # Notes.: command executed when banning an IP. Take care that the 20 | # command is executed with Fail2Ban user rights. 21 | # Tags: See jail.conf(5) man page 22 | # Values: CMD 23 | # 24 | actionban = printf %%b "Subject: [Fail2Ban] : banned from 25 | Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` 26 | From: <> 27 | To: \n 28 | Hi,\n 29 | The IP has just been banned by Fail2Ban after 30 | attempts against .\n\n 31 | Here is more information about :\n 32 | `%(_whois_command)s`\n 33 | Regards,\n 34 | Fail2Ban" | 35 | 36 | [Init] 37 | 38 | # Default name of the chain 39 | # 40 | name = default 41 | 42 | -------------------------------------------------------------------------------- /action.d/route.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Michael Gebetsroither 5 | # 6 | # This is for blocking whole hosts through blackhole routes. 7 | # 8 | # PRO: 9 | # - Works on all kernel versions and has no compatibility problems (back to debian lenny and WAY further). 10 | # - It's FAST for very large numbers of blocked ips. 11 | # - It's FAST because it blocks traffic before it enters the common iptables chains used for filtering. 
12 | # - It's per host, ideal as action against ssh password bruteforcing to block further attack attempts. 13 | # - No additional software required beside iproute/iproute2 14 | # 15 | # CON: 16 | # - Blocking is per IP and NOT per service, but ideal as action against ssh password bruteforcing hosts. A route also cuts off every host behind a shared address (NAT, corporate proxy), and a route for your own address or your gateway cuts off the fail2ban host itself - exempt those addresses in the jail configuration. 17 | 18 | [Definition] 19 | actionban = ip route add 20 | actionunban = ip route del 21 | actioncheck = 22 | actionstart = 23 | actionstop = 24 | 25 | [Init] 26 | 27 | # Option: blocktype 28 | # Note: Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages, i.e. the banned host is told that it is being rejected; blackhole drops the traffic silently and gives a scanner no feedback. 29 | # Values: STRING 30 | blocktype = unreachable 31 | -------------------------------------------------------------------------------- /filter.d/apache-shellshock.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter to block web requests containing custom headers attempting to exploit the shellshock bug 3 | # The matched messages are written by bash itself when it refuses to import a function definition from an HTTP_* environment variable, so a match means the CGI's bash already rejected the attempt: this filter identifies scanners, it is not a substitute for a patched bash. 4 | # 5 | 6 | [INCLUDES] 7 | 8 | # overwrite with apache-common.local if _apache_error_client is incorrect. 
9 | before = apache-common.conf 10 | 11 | [Definition] 12 | 13 | prefregex = ^%(_apache_error_client)s (AH01215: )?/bin/([bd]a)?sh: .+$ 14 | 15 | failregex = ^warning: HTTP_[^:]+: ignoring function definition attempt(, referer: \S+)?\s*$ 16 | ^error importing function definition for `HTTP_[^']+'(, referer: \S+)?\s*$ 17 | 18 | ignoreregex = 19 | 20 | 21 | # DEV Notes: 22 | # 23 | # https://wiki.apache.org/httpd/ListOfErrors for apache error IDs 24 | # 25 | # example log lines: 26 | # [Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt 27 | # [Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST' 28 | # 29 | # Author: Eugene Hopkinson (e.hopkinson@gmail.com) 30 | -------------------------------------------------------------------------------- /action.d/firewallcmd-rich-logging.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Authors: Donald Yandt, Sergey G. Brester 5 | # 6 | # Because rich rule commands are used, this action requires firewalld-0.3.1+ 7 | # This action uses firewalld rich-rules, which gives you a cleaner iptables since it stores rules according to zones and not 8 | # by chain. So, for example, all deny rules will be listed under _deny and all log rules under _log. 9 | # 10 | # This action also logs banned access attempts, so you can filter on that log and increase the ban time for repeat offenders. 11 | # 12 | # If you use the --permanent rule you get an xml file in /etc/firewalld/zones/.xml that can be shared and parsed easily 13 | # 14 | # This is a derivative of firewallcmd-rich-rules.conf, see there for details and other parameters. 
15 | 16 | [INCLUDES] 17 | 18 | before = firewallcmd-rich-rules.conf 19 | 20 | [Definition] 21 | 22 | rich-suffix = log prefix='f2b-' level='' limit value='/m' 23 | 24 | [Init] 25 | 26 | # log levels are "emerg", "alert", "crit", "error", "warning", "notice", "info" or "debug" 27 | level = info 28 | 29 | # log rate per minute 30 | rate = 1 31 | -------------------------------------------------------------------------------- /action.d/mail-whois-common.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Common settings for mail actions 5 | # 6 | # Users can override the defaults in mail-whois-common.local 7 | 8 | [INCLUDES] 9 | 10 | # Load customizations if any available 11 | after = mail-whois-common.local 12 | 13 | [DEFAULT] 14 | # the original character set of the whois output will be sent to the mail program. Note that whois output is untrusted text (it is published by whoever registered the banned address range) and the charset-converting variant below passes it through printf %%b, which interprets backslash escapes; keep it as plain mail body and do not feed it to anything that interprets it further. 15 | _whois = whois || echo "missing whois program" 16 | 17 | # use heuristics to convert charset of whois output to a target 18 | # character set before sending it to a mail program 19 | # make sure you have 'file' and 'iconv' commands installed when opting for that 20 | _whois_target_charset = UTF-8 21 | _whois_convert_charset = (%(_whois)s) | 22 | { WHOIS_OUTPUT=$(cat) ; WHOIS_CHARSET=$(printf %%b "$WHOIS_OUTPUT" | file -b --mime-encoding -) ; printf %%b "$WHOIS_OUTPUT" | iconv -f $WHOIS_CHARSET -t %(_whois_target_charset)s//TRANSLIT - ; } 23 | 24 | # choose between _whois and _whois_convert_charset in mail-whois-common.local 25 | # or other *.local which include mail-whois-common.conf. 
26 | _whois_command = %(_whois)s 27 | #_whois_command = %(_whois_convert_charset)s 28 | 29 | [Init] 30 | -------------------------------------------------------------------------------- /action.d/sendmail-whois-matches.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # 6 | # 7 | 8 | [INCLUDES] 9 | 10 | before = sendmail-common.conf 11 | mail-whois-common.conf 12 | 13 | [Definition] 14 | 15 | # bypass ban/unban for restored tickets 16 | norestored = 1 17 | 18 | # Option: actionban 19 | # Notes.: command executed when banning an IP. Take care that the 20 | # command is executed with Fail2Ban user rights. 21 | # Tags: See jail.conf(5) man page 22 | # Values: CMD 23 | # 24 | actionban = printf %%b "Subject: [Fail2Ban] : banned from 25 | Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` 26 | From: <> 27 | To: \n 28 | Hi,\n 29 | The IP has just been banned by Fail2Ban after 30 | attempts against .\n\n 31 | Here is more information about :\n 32 | `%(_whois_command)s`\n\n 33 | Matches:\n 34 | \n\n 35 | Regards,\n 36 | Fail2Ban" | 37 | 38 | [Init] 39 | 40 | # Default name of the chain 41 | # 42 | name = default 43 | -------------------------------------------------------------------------------- /filter.d/sabnzbd-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/11 2 | # Fail2Ban filter configuration for sabnzbd 3 | 4 | [INCLUDES] 5 | before = common.conf 6 | 7 | [Definition] 8 | 9 | failregex = ^.*API Key incorrect, Use the api key from Config->General in your 3rd party program: .* \(X-Forwarded-For: \) \[[^\]*]\]$ 10 | ^.*API Key incorrect, Use the api key from Config->General in your 3rd party program: \[[^\]*]\]$ 11 | ^.*API Key missing, please enter the api key from Config->General into your 3rd party program: .* \(X-Forwarded-For: \) \[[^\]*]\]$ 12 | ^.*API Key missing, 
please enter the api key from Config->General into your 3rd party program: \[[^\]*]\]$ 13 | ^.*Refused connection from: .* \(X-Forwarded-For: \) \[[^\]*]\]$ 14 | ^.*Refused connection from: \[[^\]*]\]$ 15 | ^.*Refused connection with hostname "[^"]*" from: .* \(X-Forwarded-For: \) \[[^\]*]\]$ 16 | ^.*Refused connection with hostname "[^"]*" from: \[[^\]*]\]$ 17 | ^.*Unsuccessful login attempt from .* \(X-Forwarded-For: \) \[[^\]*]\]$ 18 | ^.*Unsuccessful login attempt from \[[^\]*]\]$ 19 | 20 | ignoreregex = 21 | -------------------------------------------------------------------------------- /action.d/sendmail-whois-ipmatches.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # 6 | # 7 | 8 | [INCLUDES] 9 | 10 | before = sendmail-common.conf 11 | mail-whois-common.conf 12 | 13 | [Definition] 14 | 15 | # bypass ban/unban for restored tickets 16 | norestored = 1 17 | 18 | # Option: actionban 19 | # Notes.: command executed when banning an IP. Take care that the 20 | # command is executed with Fail2Ban user rights. 
21 | # Tags: See jail.conf(5) man page 22 | # Values: CMD 23 | # 24 | actionban = printf %%b "Subject: [Fail2Ban] : banned from 25 | Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` 26 | From: <> 27 | To: \n 28 | Hi,\n 29 | The IP has just been banned by Fail2Ban after 30 | attempts against .\n\n 31 | Here is more information about :\n 32 | `%(_whois_command)s`\n\n 33 | Matches with failures IP:\n 34 | \n\n 35 | Regards,\n 36 | Fail2Ban" | 37 | 38 | [Init] 39 | 40 | # Default name of the chain 41 | # 42 | name = default 43 | -------------------------------------------------------------------------------- /filter.d/solid-pop3d.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for unsuccessful solid-pop3 authentication attempts 3 | # 4 | # Doesn't currently provide PAM support as PAM log messages don't include rhost as 5 | # remote IP. 6 | # 7 | [INCLUDES] 8 | 9 | before = common.conf 10 | 11 | [Definition] 12 | 13 | _daemon = solid-pop3d 14 | 15 | failregex = ^%(__prefix_line)sauthentication failed: (no such user|can't map user name): .*? - $ 16 | ^%(__prefix_line)s(APOP )?authentication failed for (mapped )?user .*? - $ 17 | ^%(__prefix_line)sroot login not allowed - $ 18 | ^%(__prefix_line)scan't find APOP secret for user .*? - $ 19 | 20 | ignoreregex = 21 | 22 | # DEV Notes: 23 | # 24 | # solid-pop3d needs to be compiled with --enable-logextend to support 25 | # IP addresses in log messages. 26 | # 27 | # solid-pop3d-0.15/src/main.c contains all authentication errors 28 | # except for PAM authentication messages ( src/authenticate.c ) 29 | # 30 | # A pam authentication failure message (note no IP for rhost). 
31 | # Nov 17 23:17:50 emf1pt2-2-35-70 solid-pop3d[17176]: pam_unix(solid-pop3d:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=jacques 32 | # 33 | # Authors: Daniel Black 34 | -------------------------------------------------------------------------------- /action.d/sendmail-whois-ipjailmatches.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # 6 | # 7 | 8 | [INCLUDES] 9 | 10 | before = sendmail-common.conf 11 | mail-whois-common.conf 12 | 13 | [Definition] 14 | 15 | # bypass ban/unban for restored tickets 16 | norestored = 1 17 | 18 | # Option: actionban 19 | # Notes.: command executed when banning an IP. Take care that the 20 | # command is executed with Fail2Ban user rights. 21 | # Tags: See jail.conf(5) man page 22 | # Values: CMD 23 | # 24 | actionban = printf %%b "Subject: [Fail2Ban] : banned from 25 | Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` 26 | From: <> 27 | To: \n 28 | Hi,\n 29 | The IP has just been banned by Fail2Ban after 30 | attempts against .\n\n 31 | Here is more information about :\n 32 | `%(_whois_command)s`\n\n 33 | Matches for with failures IP:\n 34 | \n\n 35 | Regards,\n 36 | Fail2Ban" | 37 | 38 | [Init] 39 | 40 | # Default name of the chain 41 | # 42 | name = default 43 | -------------------------------------------------------------------------------- /filter.d/zoneminder.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for Zoneminder login failures 3 | 4 | [INCLUDES] 5 | before = apache-common.conf 6 | 7 | [Definition] 8 | 9 | # patterns: [Mon Mar 28 16:50:49.522240 2016] [:error] [pid 1795] [client 10.1.1.1:50700] WAR [Login denied for user "username1"], referer: https://zoneminder/ 10 | # [Sun Mar 28 16:53:00.472693 2021] [php7:notice] [pid 11328] [client 10.1.1.1:39568] ERR [Could 
not retrieve user test details], referer: https://zm/ 11 | # [Sun Mar 28 16:59:14.150625 2021] [php7:notice] [pid 11336] [client 10.1.1.1:39654] ERR [Login denied for user "john"], referer: https://zm/ 12 | # 13 | # Option: failregex 14 | # Notes.: regex to match the login failure and non-existent user error messages in the logfile. 15 | 16 | prefregex = ^%(_apache_error_client)s (?:ERR|WAR) \[(?:Login denied|Could not retrieve).*$ 17 | 18 | failregex = ^\[Login denied for user "[^"]*"\] 19 | ^\[Could not retrieve user \S* 20 | 21 | ignoreregex = 22 | 23 | # Notes: 24 | # Tested on Zoneminder 1.29 and 1.35.21 25 | # 26 | # Zoneminder versions > 1.3x use "ERR" and < 1.3x use "WAR" level logs, so i've kept both for compatibility reasons 27 | # 28 | # Author: John Marzella 29 | -------------------------------------------------------------------------------- /filter.d/proftpd.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter for the Proftpd FTP daemon 3 | # 4 | # Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS. 5 | # See: http://www.proftpd.org/docs/howto/DNS.html 6 | # When the default locale for your system is not en_US.UTF-8 7 | # on Debian-based systems be sure to add this to /etc/default/proftpd 8 | # export LC_TIME="en_US.UTF-8" 9 | 10 | [INCLUDES] 11 | 12 | before = common.conf 13 | 14 | [Definition] 15 | 16 | _daemon = proftpd 17 | 18 | __suffix_failed_login = ([uU]ser not authorized for login|[nN]o such user found|[iI]ncorrect password|[pP]assword expired|[aA]ccount disabled|[iI]nvalid shell: '\S+'|[uU]ser in \S+|[lL]imit (access|configuration) denies login|[nN]ot a UserAlias|[mM]aximum login length exceeded) 19 | 20 | 21 | prefregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[\]\)[: -]+ (?:USER|SECURITY|Maximum) .+$ 22 | 23 | 24 | failregex = ^USER \S+|.*?(?: \(Login failed\))?: %(__suffix_failed_login)s 25 | ^SECURITY VIOLATION: \S+|.*? 
login attempted 26 | ^Maximum login attempts \(\d+\) exceeded 27 | 28 | ignoreregex = 29 | 30 | [Init] 31 | journalmatch = _SYSTEMD_UNIT=proftpd.service 32 | 33 | # Author: Yaroslav Halchenko 34 | # Daniel Black - hardening of regex 35 | -------------------------------------------------------------------------------- /filter.d/mysqld-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2025/01/30 2 | # Fail2Ban filter for unsuccessful MySQL authentication attempts 3 | # 4 | # 5 | # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld], 6 | # `log_error_verbosity` system variable set to 3 (`log-warnings = 2` for older versions), 7 | # and check whether `log_error` (or `log-error`) system variable would match the `logpath` of fail2ban 8 | # (see https://dev.mysql.com/doc/refman/en/communication-errors.html) 9 | # 10 | # If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf 11 | 12 | [INCLUDES] 13 | 14 | # Read common prefixes. If any customizations available -- read them from 15 | # common.local 16 | before = common.conf 17 | 18 | [Definition] 19 | 20 | _daemon = mysqld 21 | 22 | failregex = ^%(__prefix_line)s(?:(?:\d{6}|\d{4}-\d{2}-\d{2})[ T]\s?\d{1,2}:\d{2}:\d{2} )?(?:\d+ )?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '[^']+'@''(?:\s+(?:to database '[^']*'|\(using password: (?:YES|NO)\)){1,2})?\s*$ 23 | 24 | ignoreregex = 25 | 26 | # DEV Notes: 27 | # 28 | # Technically __prefix_line can equate to an empty string hence it can support 29 | # syslog and non-syslog at once. 30 | # Example: 31 | # 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES) 32 | # 33 | # Authors: Artur Penttinen 34 | # Yaroslav O. 
Halchenko 35 | -------------------------------------------------------------------------------- /filter.d/haproxy-http-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter configuration file to match failed login attempts to 3 | # HAProxy HTTP Authentication protected servers. 4 | # 5 | # PLEASE NOTE - When a user first hits the HTTP Auth a 401 is returned by the server 6 | # which prompts their browser to ask for login details. 7 | # This initial 401 is logged by HAProxy. 8 | # In other words, even successful logins will have at least 1 fail regex match. 9 | # Please keep this in mind when setting findtime and maxretry for jails. 10 | # 11 | # Author: Jordan Moeser 12 | # 13 | 14 | [INCLUDES] 15 | 16 | # Read common prefixes. If any customizations available -- read them from 17 | # common.local 18 | before = common.conf 19 | 20 | 21 | [Definition] 22 | 23 | _daemon = haproxy 24 | 25 | # Option: failregex 26 | # Notes.: regex to match the password failures messages in the logfile. The 27 | # host must be matched by a group named "host". The tag "" can 28 | # be used for standard IP/hostname matching and is only an alias for 29 | # (?:::f{4,6}:)?(?P[\w\-.^_]+) 30 | # Values: TEXT 31 | # 32 | failregex = ^%(__prefix_line)s(?::\d+)?\s+.* -1/-1/-1/-1/\+*\d* 401 33 | 34 | # Option: ignoreregex 35 | # Notes.: regex to ignore. If this regex matches, the line is ignored. 
36 | # Values: TEXT 37 | # 38 | ignoreregex = 39 | -------------------------------------------------------------------------------- /action.d/firewallcmd-multiport.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Donald Yandt 5 | # Because of the --remove-rules in stop this action requires firewalld-0.3.8+ 6 | # Note: the jump into the f2b- chain only matches NEW connections (--ctstate NEW), so a ban stops further connection attempts but does not tear down sessions the banned address already has open. 7 | [INCLUDES] 8 | 9 | before = firewallcmd-common.conf 10 | 11 | [Definition] 12 | 13 | actionstart = firewall-cmd --direct --add-chain filter f2b- 14 | firewall-cmd --direct --add-rule filter f2b- 1000 -j RETURN 15 | firewall-cmd --direct --add-rule filter 0 -m conntrack --ctstate NEW -p -m multiport --dports -j f2b- 16 | 17 | actionstop = firewall-cmd --direct --remove-rule filter 0 -m conntrack --ctstate NEW -p -m multiport --dports -j f2b- 18 | firewall-cmd --direct --remove-rules filter f2b- 19 | firewall-cmd --direct --remove-chain filter f2b- 20 | 21 | # Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-apache-modsecurity$' 22 | 23 | actioncheck = firewall-cmd --direct --get-chains filter | sed -e 's, ,\n,g' | grep -q '^f2b-$' 24 | 25 | actionban = firewall-cmd --direct --add-rule filter f2b- 0 -s -j 26 | 27 | actionunban = firewall-cmd --direct --remove-rule filter f2b- 0 -s -j 28 | -------------------------------------------------------------------------------- /filter.d/froxlor-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file to block repeated failed login attempts to Froxlor installation(s) 3 | # 4 | # Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages 5 | # Froxlor: [Login Action ] Unknown user '' tried to login. 6 | # Froxlor: [Login Action ] User '' tried to login with wrong password. 
7 | # 8 | # Author: Joern Muehlencord 9 | # 10 | 11 | [INCLUDES] 12 | 13 | # Read common prefixes. If any customizations available -- read them from 14 | # common.local 15 | before = common.conf 16 | 17 | 18 | [Definition] 19 | 20 | _daemon = Froxlor 21 | 22 | # Option: failregex 23 | # Notes.: regex to match the password failures messages in the logfile. The 24 | # host must be matched by a group named "host". The tag "" can 25 | # be used for standard IP/hostname matching and is only an alias for 26 | # (?:::f{4,6}:)?(?P[\w\-.^_]+) 27 | # Values: TEXT 28 | # 29 | 30 | prefregex = ^%(__prefix_line)s\[Login Action \] .+$ 31 | 32 | failregex = ^Unknown user \S* tried to login.$ 33 | ^User \S* tried to login with wrong password.$ 34 | 35 | 36 | # Option: ignoreregex 37 | # Notes.: regex to ignore. If this regex matches, the line is ignored. 38 | # Values: TEXT 39 | # 40 | ignoreregex = 41 | 42 | -------------------------------------------------------------------------------- /filter.d/nginx-http-auth.conf: -------------------------------------------------------------------------------- 1 | ## Version 2023/12/10 2 | # fail2ban filter configuration for nginx 3 | 4 | [INCLUDES] 5 | 6 | before = nginx-error-common.conf 7 | 8 | [Definition] 9 | 10 | mode = normal 11 | 12 | __err_type = <_ertp-> 13 | 14 | _ertp-auth = error 15 | mdre-auth = ^%(__prefix_line)suser "(?:[^"]+|.*?)":? 
 (?:password mismatch|was not found in "[^\"]*"), client: , server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$ 16 | _ertp-fallback = crit 17 | mdre-fallback = ^%(__prefix_line)sSSL_do_handshake\(\) failed \(SSL: error:\S+(?: \S+){1,3} too (?:long|short)\)[^,]*, client: 18 | 19 | _ertp-normal = %(_ertp-auth)s 20 | mdre-normal = %(mdre-auth)s 21 | _ertp-aggressive = (?:%(_ertp-auth)s|%(_ertp-fallback)s) 22 | mdre-aggressive = %(mdre-auth)s 23 | %(mdre-fallback)s 24 | 25 | failregex = > 26 | 27 | ignoreregex = 28 | 29 | datepattern = {^LN-BEG} 30 | 31 | journalmatch = _SYSTEMD_UNIT=nginx.service + _COMM=nginx 32 | 33 | # DEV NOTES: 34 | # mdre-auth: 35 | # Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files 36 | # Extensive search of all nginx auth failures not done yet. 37 | # 38 | # Author: Daniel Black 39 | 40 | # mdre-fallback: 41 | # Ban people checking for TLS_FALLBACK_SCSV repeatedly 42 | # https://stackoverflow.com/questions/28010492/nginx-critical-error-with-ssl-handshaking/28010608#28010608 43 | # Author: Stephan Orlowsky 44 | 45 | -------------------------------------------------------------------------------- /filter.d/apache-botsearch.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban filter to match web requests for selected URLs that don't exist 3 | # 4 | # This filter is aimed at blocking specific URLs that don't exist. This 5 | # could be a set of URLs placed in a Disallow: directive in robots.txt or 6 | # just some web services that don't exist but that bots search for because they 7 | # may hold exploitable content. Because only a known list of such URLs is matched, this filter is designed to have a low false positive 8 | # rate. 9 | # 10 | # An alternative to this is the apache-noscript filter which blocks all 11 | # types of scripts that don't exist. 
12 | # 13 | # 14 | # This is normally a predefined list of exploitable or valuable web services 15 | # that are hidden or aren't actually installed. 16 | # 17 | 18 | [INCLUDES] 19 | 20 | # overwrite with apache-common.local if _apache_error_client is incorrect. 21 | # Load regexes for filtering from botsearch-common.conf 22 | before = apache-common.conf 23 | botsearch-common.conf 24 | 25 | [Definition] 26 | 27 | prefregex = ^%(_apache_error_client)s (?:AH\d+: )?.+$ 28 | 29 | failregex = ^(?:File does not exist|script not found or unable to stat): (, referer: \S+)?\s*$ 30 | ^script '' not found or unable to stat(, referer: \S+)?\s*$ 31 | 32 | ignoreregex = 33 | 34 | # Webroot represents the webroot on which all other files are based 35 | webroot = /var/www/ 36 | 37 | 38 | # DEV Notes: 39 | # 40 | # Author: Daniel Black 41 | -------------------------------------------------------------------------------- /filter.d/apache-noscript.conf: -------------------------------------------------------------------------------- 1 | ## Version 2025/03/28 2 | # Fail2Ban filter to block web requests for scripts (on non scripted websites) 3 | # 4 | # This matches many types of scripts that don't exist. This could generate a 5 | # lot of false positive matches in cases like wikis and forums where users 6 | # not affiliated with the website can insert links to missing files/scripts into 7 | # pages and cause non-malicious visitors of the site to trigger this 8 | # filter - in effect letting an attacker get other people's addresses banned. 9 | # 10 | # If you'd like to match specific URLs that don't exist see the 11 | # apache-botsearch filter. 12 | # 13 | 14 | [INCLUDES] 15 | 16 | # overwrite with apache-common.local if _apache_error_client is incorrect. 
17 | before = apache-common.conf 18 | 19 | [Definition] 20 | 21 | script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/) 22 | 23 | prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?=(?:[Ff]ile|[Ss]cript|[Gg]ot error|stderr from) ).+$ 24 | 25 | failregex = ^(?:(?:[Ff]ile does not exist|[Ss]cript not found or unable to stat):