├── .editorconfig ├── .gitattributes ├── .github ├── ISSUE_TEMPLATE.md ├── PULL_REQUEST_TEMPLATE.md └── workflows │ └── check_confs.yml ├── .gitignore ├── LICENSE ├── README.md ├── action.d ├── abuseipdb.conf ├── apf.conf ├── apprise-api.conf ├── apprise.conf ├── blocklist_de.conf ├── bsd-ipfw.conf ├── cloudflare-token.conf ├── cloudflare.conf ├── complain.conf ├── discord-webhook.conf ├── dshield.conf ├── dummy.conf ├── firewallcmd-allports.conf ├── firewallcmd-common.conf ├── firewallcmd-ipset.conf ├── firewallcmd-multiport.conf ├── firewallcmd-new.conf ├── firewallcmd-rich-logging.conf ├── firewallcmd-rich-rules.conf ├── gotify.conf ├── helpers-common.conf ├── hostsdeny.conf ├── ipfilter.conf ├── ipfw.conf ├── iptables-allports.conf ├── iptables-ipset-proto4.conf ├── iptables-ipset-proto6-allports.conf ├── iptables-ipset-proto6.conf ├── iptables-ipset.conf ├── iptables-multiport-log.conf ├── iptables-multiport.conf ├── iptables-new.conf ├── iptables-xt_recent-echo.conf ├── iptables.conf ├── ipthreat.conf ├── mail-buffered.conf ├── mail-whois-common.conf ├── mail-whois-lines.conf ├── mail-whois.conf ├── mail.conf ├── mynetwatchman.conf ├── netscaler.conf ├── nftables-allports.conf ├── nftables-multiport.conf ├── nftables.conf ├── nginx-block-map.conf ├── npf.conf ├── nsupdate.conf ├── opnsense.conf ├── osx-afctl.conf ├── osx-ipfw.conf ├── pf.conf ├── pushover.conf ├── route.conf ├── sendmail-buffered.conf ├── sendmail-common.conf ├── sendmail-geoip-lines.conf ├── sendmail-whois-ipjailmatches.conf ├── sendmail-whois-ipmatches.conf ├── sendmail-whois-lines.conf ├── sendmail-whois-matches.conf ├── sendmail-whois.conf ├── sendmail.conf ├── shorewall-ipset-proto6.conf ├── shorewall.conf ├── symbiosis-blacklist-allports.conf ├── ufw.conf └── xarf-login-attack.conf ├── fail2ban.conf ├── filter.d ├── 3proxy.conf ├── airsonic-auth.conf ├── apache-auth.conf ├── apache-badbots.conf ├── apache-botsearch.conf ├── apache-common.conf ├── apache-fakegooglebot.conf ├── 
apache-modsecurity.conf ├── apache-nohome.conf ├── apache-noscript.conf ├── apache-overflows.conf ├── apache-pass.conf ├── apache-shellshock.conf ├── assp.conf ├── asterisk.conf ├── authelia-auth.conf ├── bitwarden.conf ├── botsearch-common.conf ├── centreon.conf ├── common.conf ├── counter-strike.conf ├── courier-auth.conf ├── courier-smtp.conf ├── cyrus-imap.conf ├── dante.conf ├── directadmin.conf ├── domino-smtp.conf ├── dovecot.conf ├── dropbear.conf ├── drupal-auth.conf ├── ejabberd-auth.conf ├── emby-auth.conf ├── exim-common.conf ├── exim-spam.conf ├── exim.conf ├── filebrowser-auth.conf ├── freeswitch.conf ├── froxlor-auth.conf ├── gitea-auth.conf ├── gitlab.conf ├── grafana.conf ├── groupoffice.conf ├── gssftpd.conf ├── guacamole.conf ├── haproxy-http-auth.conf ├── homeassistant-auth.conf ├── horde.conf ├── kerio.conf ├── lighttpd-auth.conf ├── mongodb-auth.conf ├── monit.conf ├── monitorix.conf ├── mssql-auth.conf ├── murmur.conf ├── mysqld-auth.conf ├── nagios.conf ├── named-refused.conf ├── nextcloud-auth.conf ├── nginx-418.conf ├── nginx-bad-request.conf ├── nginx-botsearch.conf ├── nginx-deny.conf ├── nginx-http-auth.conf ├── nginx-limit-req.conf ├── nginx-unauthorized.conf ├── nsd.conf ├── nzbget-auth.conf ├── openhab.conf ├── openwebmail.conf ├── oracleims.conf ├── overseerr-auth.conf ├── pam-generic.conf ├── perdition.conf ├── php-url-fopen.conf ├── phpmyadmin-syslog.conf ├── portsentry.conf ├── postfix.conf ├── proftpd.conf ├── pure-ftpd.conf ├── qmail.conf ├── recidive.conf ├── roundcube-auth.conf ├── sabnzbd-auth.conf ├── scanlogd.conf ├── screensharingd.conf ├── selinux-common.conf ├── selinux-ssh.conf ├── sendmail-auth.conf ├── sendmail-reject.conf ├── servarr-auth.conf ├── sieve.conf ├── slapd.conf ├── softethervpn.conf ├── sogo-auth.conf ├── solid-pop3d.conf ├── squid.conf ├── squirrelmail.conf ├── sshd.conf ├── stunnel.conf ├── suhosin.conf ├── tine20.conf ├── traefik-auth.conf ├── unifi-controller-auth.conf ├── unraid-webgui.conf ├── 
uwimap-auth.conf ├── vaultwarden-auth.conf ├── vsftpd.conf ├── webmin-auth.conf ├── wuftpd.conf ├── xinetd-fail.conf ├── znc-adminlog.conf └── zoneminder.conf ├── jail.conf ├── jail.d ├── airsonic-auth.conf ├── apache-auth.conf ├── apache-badbots.conf ├── apache-botsearch.conf ├── apache-fakegooglebot.conf ├── apache-modsecurity.conf ├── apache-nohome.conf ├── apache-noscript.conf ├── apache-overflows.conf ├── apache-shellshock.conf ├── authelia-auth.conf ├── bitwarden.conf ├── dropbear.conf ├── emby-auth.conf ├── filebrowser-auth.conf ├── gitea-auth.conf ├── gitlab.conf ├── grafana.conf ├── guacamole.conf ├── haproxy-http-auth.conf ├── homeassistant-auth.conf ├── lighttpd-auth.conf ├── nextcloud-auth.conf ├── nginx-418.conf ├── nginx-bad-request.conf ├── nginx-badbots.conf ├── nginx-botsearch.conf ├── nginx-deny.conf ├── nginx-http-auth.conf ├── nginx-limit-req.conf ├── nginx-unauthorized.conf ├── nzbget-auth.conf ├── openhab-auth.conf ├── overseerr-auth.conf ├── php-url-fopen.conf ├── phpmyadmin-syslog.conf ├── prowlarr-auth.conf ├── radarr-auth.conf ├── sabnzbd-auth.conf ├── selinux-ssh.conf ├── sonarr-auth.conf ├── sshd.conf ├── suhosin.conf ├── traefik-auth.conf ├── unifi-controller-auth.conf ├── unraid-sshd.conf ├── unraid-webgui.conf ├── vaultwarden-auth.conf ├── znc-adminlog.conf └── zoneminder.conf ├── paths-common.conf └── paths-lsio.conf /.editorconfig: -------------------------------------------------------------------------------- 1 | # top-most EditorConfig file 2 | root = true 3 | 4 | # Unix-style newlines with a newline ending every file 5 | [*] 6 | end_of_line = lf 7 | insert_final_newline = true 8 | # trim_trailing_whitespace may cause unintended issues and should not be globally set true 9 | trim_trailing_whitespace = false 10 | 11 | [{*.conf,*.local}] 12 | indent_style = space 13 | indent_size = 4 14 | -------------------------------------------------------------------------------- /.gitattributes: 
-------------------------------------------------------------------------------- 1 | # Auto detect text files and perform LF normalization 2 | * text=auto 3 | 4 | # Custom for Visual Studio 5 | *.cs diff=csharp 6 | 7 | # Standard to msysgit 8 | *.doc diff=astextplain 9 | *.DOC diff=astextplain 10 | *.docx diff=astextplain 11 | *.DOCX diff=astextplain 12 | *.dot diff=astextplain 13 | *.DOT diff=astextplain 14 | *.pdf diff=astextplain 15 | *.PDF diff=astextplain 16 | *.rtf diff=astextplain 17 | *.RTF diff=astextplain 18 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | [linuxserverurl]: https://linuxserver.io 4 | [![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)][linuxserverurl] 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | ## Thanks, team linuxserver.io 21 | 22 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | [linuxserverurl]: https://linuxserver.io 4 | [![linuxserver.io](https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver_medium.png)][linuxserverurl] 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | ## Thanks, team linuxserver.io 15 | 16 | -------------------------------------------------------------------------------- /.github/workflows/check_confs.yml: -------------------------------------------------------------------------------- 1 | name: Check Confs 2 | 3 | on: 4 | push: 5 | branches: [ master ] 6 | pull_request: 7 | branches: [ master ] 8 | 9 | jobs: 10 | check-allowed-file-names: 11 | runs-on: ubuntu-latest 12 | 13 | steps: 14 | - uses: actions/checkout@v2 15 | 16 | - name: Check Allowed File 
Names 17 | run: | 18 | NOT_CONFS=$(find . -not -path '*/\.*' -type f ! \( -name '*.conf' -o -name 'README.md' -o -name 'LICENSE' \)) 19 | NOT_CONFS_COUNT=$(echo "${NOT_CONFS}" | wc -w) 20 | if (( NOT_CONFS_COUNT > 0 )); then 21 | echo "The following files have extensions that are not allowed:" 22 | echo "${NOT_CONFS}" 23 | exit 1 24 | fi 25 | 26 | - name: Check Executable Bit 27 | run: | 28 | EXECUTABLE_BIT=$(find . -not -path '*/\.*' -type f -executable) 29 | EXECUTABLE_BIT_COUNT=$(echo "${EXECUTABLE_BIT}" | wc -w) 30 | if (( EXECUTABLE_BIT_COUNT > 0 )); then 31 | echo "The following files have executable permissions (not allowed):" 32 | echo "${EXECUTABLE_BIT}" 33 | exit 1 34 | fi 35 | 36 | - name: Check Line Endings 37 | run: | 38 | CRLF_ENDINGS=$(find . -not -path '*/\.*' -type f -exec file "{}" ";" | grep CRLF || true) 39 | CRLF_ENDINGS_COUNT=$(echo "${CRLF_ENDINGS}" | wc -w) 40 | if (( CRLF_ENDINGS_COUNT > 0 )); then 41 | echo "The following files have CRLF line endings (not allowed):" 42 | echo "${CRLF_ENDINGS}" 43 | exit 1 44 | fi 45 | 46 | - name: Check Version Date Line Exists 47 | run: | 48 | # Date regex based on https://www.html5pattern.com/Dates 49 | VERSION_LINE_MISSING=$(find . 
-not -path '*/\.*' -type f -name '*.conf' -exec grep -H -c -P '^## Version (?:19|20|21)[0-9]{2}/(?:(?:0[1-9]|1[0-2])/(?:0[1-9]|1[0-9]|2[0-9])|(?:(?!02)(?:0[1-9]|1[0-2])/(?:30))|(?:(?:0[13578]|1[02])/31))$' {} \; | grep 0$ | cut -d':' -f1) 50 | VERSION_LINE_MISSING_COUNT=$(echo "${VERSION_LINE_MISSING}" | wc -w) 51 | if (( VERSION_LINE_MISSING_COUNT > 0 )); then 52 | echo "The following files are missing the version date line or it is not formatted correctly (YYYY/MM/DD):" 53 | echo "${VERSION_LINE_MISSING}" 54 | exit 1 55 | fi 56 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Ignore everything 2 | * 3 | 4 | # Do NOT ignore repo files 5 | !.editorconfig 6 | !.gitattributes 7 | !.github/* 8 | !.github/workflows/* 9 | !.gitignore 10 | !LICENSE 11 | !README.md 12 | 13 | # Do NOT ignore allowed files 14 | !*.conf 15 | 16 | # Do NOT ignore allowed subfolders 17 | !action.d/ 18 | !filter.d/ 19 | !jail.d/ 20 | 21 | # Ignore all files in allowed subfolders 22 | action.d/* 23 | filter.d/* 24 | jail.d/* 25 | 26 | # Do NOT ignore allowed files in allowed subfolders 27 | !action.d/*.conf 28 | !filter.d/*.conf 29 | !jail.d/*.conf 30 | -------------------------------------------------------------------------------- /action.d/apf.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # https://www.rfxn.com/projects/advanced-policy-firewall/ 4 | # 5 | # Note: APF doesn't play nicely with other actions. It has been observed to 6 | # remove bans created by other iptables based actions. If you are going to use 7 | # this action, use it for all of your jails. 
8 | # 9 | # DON'T MIX APF and other IPTABLES based actions 10 | [Definition] 11 | 12 | actionstart = 13 | actionstop = 14 | actioncheck = 15 | actionban = apf --deny "banned by Fail2Ban " 16 | actionunban = apf --remove 17 | 18 | [Init] 19 | 20 | # Name used in APF configuration 21 | # 22 | name = default 23 | 24 | # DEV NOTES: 25 | # 26 | # Author: Mark McKinstry 27 | -------------------------------------------------------------------------------- /action.d/apprise-api.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban action configuration for apprise-api 3 | # Author: Roxedus https://github.com/Roxedus 4 | # Modified by: nemchik https://github.com/nemchik 5 | 6 | [Definition] 7 | 8 | # Option: actionstart 9 | # Notes.: command executed once at the start of Fail2Ban. 10 | # Values: CMD 11 | # 12 | actionstart = curl -X POST -d '{"tag": "", "type": "info", "body": "The jail as been started successfully."}' \ 13 | -H "Content-Type: application/json" \ 14 | 15 | 16 | # Option: actionstop 17 | # Notes.: command executed once at the end of Fail2Ban 18 | # Values: CMD 19 | # 20 | actionstop = curl -X POST -d '{"tag": "", "type": "info", "body": "The jail has been stopped."}' \ 21 | -H "Content-Type: application/json" \ 22 | 23 | 24 | # Option: actioncheck 25 | # Notes.: command executed once before each actionban command 26 | # Values: CMD 27 | # 28 | actioncheck = 29 | 30 | # Option: actionban 31 | # Notes.: command executed when banning an IP. Take care that the 32 | # command is executed with Fail2Ban user rights. 33 | # Tags: See jail.conf(5) man page 34 | # Values: CMD 35 | # 36 | 37 | actionban = curl -X POST -d '{"tag": "", "type": "warning", "body": "The IP has just been banned from after attempts."}' \ 38 | -H "Content-Type: application/json" \ 39 | 40 | 41 | # Option: actionunban 42 | # Notes.: command executed when unbanning an IP. 
Take care that the 43 | # command is executed with Fail2Ban user rights. 44 | # Tags: See jail.conf(5) man page 45 | # Values: CMD 46 | # 47 | 48 | actionunban = curl -X POST -d '{"tag": "", "type": "success", "body": "The IP has just been unbanned from ."}' \ 49 | -H "Content-Type: application/json" \ 50 | 51 | 52 | [Init] 53 | 54 | proto = http 55 | host = apprise 56 | port = 8000 57 | key = apprise 58 | url = ://:/notify/ 59 | #tag = fail2ban 60 | tag = all 61 | -------------------------------------------------------------------------------- /action.d/apprise.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Chris Caron 5 | # 6 | # 7 | 8 | [Definition] 9 | 10 | # Option: actionstart 11 | # Notes.: command executed once at the start of Fail2Ban. 12 | # Values: CMD 13 | # 14 | actionstart = printf %%b "The jail as been started successfully." | -t "[Fail2Ban] : started on `uname -n`" 15 | 16 | # Option: actionstop 17 | # Notes.: command executed once at the end of Fail2Ban 18 | # Values: CMD 19 | # 20 | actionstop = printf %%b "The jail has been stopped." | -t "[Fail2Ban] : stopped on `uname -n`" 21 | 22 | # Option: actioncheck 23 | # Notes.: command executed once before each actionban command 24 | # Values: CMD 25 | # 26 | actioncheck = 27 | 28 | # Option: actionban 29 | # Notes.: command executed when banning an IP. Take care that the 30 | # command is executed with Fail2Ban user rights. 31 | # Tags: See jail.conf(5) man page 32 | # Values: CMD 33 | # 34 | actionban = printf %%b "The IP has just been banned by Fail2Ban after attempts against " | -n "warning" -t "[Fail2Ban] : banned from `uname -n`" 35 | 36 | # Option: actionunban 37 | # Notes.: command executed when unbanning an IP. Take care that the 38 | # command is executed with Fail2Ban user rights. 
39 | # Tags: See jail.conf(5) man page 40 | # Values: CMD 41 | # 42 | actionunban = 43 | 44 | [Init] 45 | 46 | # Define location of the default apprise configuration file to use 47 | # 48 | config = /etc/fail2ban/apprise.conf 49 | # 50 | apprise = apprise -c "" 51 | -------------------------------------------------------------------------------- /action.d/discord-webhook.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Author: Gilbn from https://technicalramblings.com 3 | # Adapted Source: https://gist.github.com/sander1/075736a42db2c66bc6ce0fab159ca683 4 | # Create the Discord Webhook in: Server settings -> Webhooks -> Create Webhooks 5 | 6 | [Definition] 7 | 8 | # Notify on Startup 9 | actionstart = curl -X POST "" \ 10 | -H "Content-Type: application/json" \ 11 | -d '{"username":"", "content":":white_check_mark: The **[]** jail has started"}' 12 | 13 | # Notify on Shutdown 14 | actionstop = curl -X POST "" \ 15 | -H "Content-Type: application/json" \ 16 | -d '{"username":"", "content":":no_entry: The **[]** jail has been stopped"}' 17 | 18 | # 19 | actioncheck = 20 | 21 | # Notify on Banned 22 | actionban = curl -X POST "" \ 23 | -H "Content-Type: application/json" \ 24 | -d '{"username":"", "content":" :bell: **[]** :hammer:**BANNED**:hammer: IP: []() for **** seconds after **** failure(s). 
If you want to unban the IP run: `fail2ban-client unban `"}' 25 | 26 | # Notify on Unbanned 27 | actionunban = curl -X POST "" \ 28 | -H "Content-Type: application/json" \ 29 | -d '{"username":"", "content":":bell: **[]** **UNBANNED** IP: []()"}' 30 | [Init] 31 | 32 | # Discord Webhook URL 33 | webhook = https://discordapp.com/api/webhooks/XXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 34 | 35 | # Discord Bot Username 36 | botname = Fail2Ban 37 | 38 | # User ID to ping 39 | # ex: discord_userid = "<@!1234567890>" 40 | discord_userid = 41 | 42 | # URL prefix for an IP checking website 43 | # abuseipdb is used by default since there is also an action to report an IP to their API 44 | url_check_ip = https://www.abuseipdb.com/check/ 45 | -------------------------------------------------------------------------------- /action.d/dummy.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # 6 | # 7 | 8 | [Definition] 9 | 10 | # Option: actionstart 11 | # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). 12 | # Values: CMD 13 | # 14 | actionstart = if [ ! -z '' ]; then touch ; fi; 15 | printf %%b "\n" 16 | echo "%(debug)s started" 17 | 18 | # Option: actionflush 19 | # Notes.: command executed once to flush (clear) all IPS, by shutdown (resp. by stop of the jail or this action) 20 | # Values: CMD 21 | # 22 | actionflush = printf %%b "-*\n" 23 | echo "%(debug)s clear all" 24 | 25 | # Option: actionstop 26 | # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) 27 | # Values: CMD 28 | # 29 | actionstop = if [ ! 
-z '' ]; then rm -f ; fi; 30 | echo "%(debug)s stopped" 31 | 32 | # Option: actioncheck 33 | # Notes.: command executed once before each actionban command 34 | # Values: CMD 35 | # 36 | actioncheck = 37 | 38 | # Option: actionban 39 | # Notes.: command executed when banning an IP. Take care that the 40 | # command is executed with Fail2Ban user rights. 41 | # Tags: See jail.conf(5) man page 42 | # Values: CMD 43 | # 44 | actionban = printf %%b "+\n" 45 | echo "%(debug)s banned (family: )" 46 | 47 | # Option: actionunban 48 | # Notes.: command executed when unbanning an IP. Take care that the 49 | # command is executed with Fail2Ban user rights. 50 | # Tags: See jail.conf(5) man page 51 | # Values: CMD 52 | # 53 | actionunban = printf %%b "-\n" 54 | echo "%(debug)s unbanned (family: )" 55 | 56 | 57 | debug = [] -- 58 | 59 | [Init] 60 | 61 | init = 123 62 | 63 | target = /var/run/fail2ban/fail2ban.dummy 64 | to_target = >> 65 | -------------------------------------------------------------------------------- /action.d/firewallcmd-allports.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Donald Yandt 5 | # Because of the --remove-rules in stop this action requires firewalld-0.3.8+ 6 | 7 | 8 | [INCLUDES] 9 | 10 | before = firewallcmd-common.conf 11 | 12 | [Definition] 13 | 14 | actionstart = firewall-cmd --direct --add-chain filter f2b- 15 | firewall-cmd --direct --add-rule filter f2b- 1000 -j RETURN 16 | firewall-cmd --direct --add-rule filter 0 -j f2b- 17 | 18 | actionstop = firewall-cmd --direct --remove-rule filter 0 -j f2b- 19 | firewall-cmd --direct --remove-rules filter f2b- 20 | firewall-cmd --direct --remove-chain filter f2b- 21 | 22 | 23 | # Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-recidive$' 24 | 25 | actioncheck = firewall-cmd --direct --get-chains filter | sed -e 's, ,\n,g' | 
grep -q '^f2b-$' 26 | 27 | actionban = firewall-cmd --direct --add-rule filter f2b- 0 -s -j 28 | 29 | actionunban = firewall-cmd --direct --remove-rule filter f2b- 0 -s -j 30 | 31 | # DEV NOTES: 32 | # 33 | # Author: Donald Yandt 34 | # Uses "FirewallD" instead of the "iptables daemon". 35 | # 36 | # 37 | # Output: 38 | 39 | # actionstart: 40 | # $ firewall-cmd --direct --add-chain ipv4 filter f2b-recidive 41 | # success 42 | # $ firewall-cmd --direct --add-rule ipv4 filter f2b-recidive 1000 -j RETURN 43 | # success 44 | # $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-recidive 45 | # success 46 | 47 | -------------------------------------------------------------------------------- /action.d/firewallcmd-common.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Donald Yandt 5 | # 6 | 7 | [Init] 8 | 9 | # Option: name 10 | # Notes Default name of the chain 11 | # Values: STRING 12 | name = default 13 | 14 | # Option port 15 | # Notes Can also use port numbers separated by a comma and in rich-rules comma and/or space. 16 | # Value STRING Default: 1:65535 17 | port = 1:65535 18 | 19 | # Option: protocol 20 | # Notes [ tcp | udp | icmp | all ] 21 | # Values: STRING Default: tcp 22 | protocol = tcp 23 | 24 | # Option: family(ipv4) 25 | # Notes specifies the socket address family type 26 | # Values: STRING 27 | family = ipv4 28 | 29 | # Option: chain 30 | # Notes specifies the firewalld chain to which the Fail2Ban rules should be 31 | # added 32 | # Values: STRING Default: INPUT_direct 33 | chain = INPUT_direct 34 | 35 | # Option: zone 36 | # Notes use command firewall-cmd --get-active-zones to see a list of all active zones. 
See firewalld man pages for more information on zones 37 | # Values: STRING Default: public 38 | zone = public 39 | 40 | # Option: service 41 | # Notes use command firewall-cmd --get-services to see a list of services available 42 | # Examples services: amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps 43 | # freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos 44 | # kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s 45 | # postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy 46 | # telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server 47 | # Values: STRING Default: ssh 48 | service = ssh 49 | 50 | # Option: rejecttype (ipv4) 51 | # Notes See iptables/firewalld man pages for ipv4 reject types. 52 | # Values: STRING 53 | rejecttype = icmp-port-unreachable 54 | 55 | # Option: blocktype (ipv4/ipv6) 56 | # Notes See iptables/firewalld man pages for jump targets. Common values are REJECT, 57 | # REJECT --reject-with icmp-port-unreachable, DROP 58 | # Values: STRING 59 | blocktype = REJECT --reject-with 60 | 61 | # Option: rich-blocktype (ipv4/ipv6) 62 | # Notes See firewalld man pages for jump targets. Common values are reject, 63 | # reject type="icmp-port-unreachable", drop 64 | # Values: STRING 65 | rich-blocktype = reject type='' 66 | 67 | [Init?family=inet6] 68 | 69 | # Option: family(ipv6) 70 | # Notes specifies the socket address family type 71 | # Values: STRING 72 | family = ipv6 73 | 74 | # Option: rejecttype (ipv6) 75 | # Note: See iptables/firewalld man pages for ipv6 reject types. 
76 | # Values: STRING 77 | rejecttype = icmp6-port-unreachable 78 | -------------------------------------------------------------------------------- /action.d/firewallcmd-multiport.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Donald Yandt 5 | # Because of the --remove-rules in stop this action requires firewalld-0.3.8+ 6 | 7 | [INCLUDES] 8 | 9 | before = firewallcmd-common.conf 10 | 11 | [Definition] 12 | 13 | actionstart = firewall-cmd --direct --add-chain filter f2b- 14 | firewall-cmd --direct --add-rule filter f2b- 1000 -j RETURN 15 | firewall-cmd --direct --add-rule filter 0 -m conntrack --ctstate NEW -p -m multiport --dports -j f2b- 16 | 17 | actionstop = firewall-cmd --direct --remove-rule filter 0 -m conntrack --ctstate NEW -p -m multiport --dports -j f2b- 18 | firewall-cmd --direct --remove-rules filter f2b- 19 | firewall-cmd --direct --remove-chain filter f2b- 20 | 21 | # Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-apache-modsecurity$' 22 | 23 | actioncheck = firewall-cmd --direct --get-chains filter | sed -e 's, ,\n,g' | grep -q '^f2b-$' 24 | 25 | actionban = firewall-cmd --direct --add-rule filter f2b- 0 -s -j 26 | 27 | actionunban = firewall-cmd --direct --remove-rule filter f2b- 0 -s -j 28 | -------------------------------------------------------------------------------- /action.d/firewallcmd-new.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Because of the --remove-rules in stop this action requires firewalld-0.3.8+ 5 | 6 | [INCLUDES] 7 | 8 | before = firewallcmd-common.conf 9 | 10 | [Definition] 11 | 12 | actionstart = firewall-cmd --direct --add-chain filter f2b- 13 | firewall-cmd --direct --add-rule filter f2b- 1000 -j RETURN 14 | firewall-cmd --direct 
--add-rule filter 0 -m state --state NEW -p -m multiport --dports -j f2b- 15 | 16 | actionstop = firewall-cmd --direct --remove-rule filter 0 -m state --state NEW -p -m multiport --dports -j f2b- 17 | firewall-cmd --direct --remove-rules filter f2b- 18 | firewall-cmd --direct --remove-chain filter f2b- 19 | 20 | actioncheck = firewall-cmd --direct --get-chains filter | sed -e 's, ,\n,g' | grep -q 'f2b-$' 21 | 22 | actionban = firewall-cmd --direct --add-rule filter f2b- 0 -s -j 23 | 24 | actionunban = firewall-cmd --direct --remove-rule filter f2b- 0 -s -j 25 | 26 | # DEV NOTES: 27 | # 28 | # Author: Edgar Hoch 29 | # Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch. 30 | # It uses "firewall-cmd" instead of "iptables". 31 | # 32 | # Output: 33 | # 34 | # $ firewall-cmd --direct --add-chain ipv4 filter fail2ban-name 35 | # success 36 | # $ firewall-cmd --direct --add-rule ipv4 filter fail2ban-name 1000 -j RETURN 37 | # success 38 | # $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m state --state NEW -p tcp -m multiport --dports 22 -j fail2ban-name 39 | # success 40 | # $ firewall-cmd --direct --get-chains ipv4 filter 41 | # fail2ban-name 42 | # $ firewall-cmd --direct --get-chains ipv4 filter | od -h 43 | # 0000000 6166 6c69 6232 6e61 6e2d 6d61 0a65 44 | # $ firewall-cmd --direct --get-chains ipv4 filter | grep -Eq 'fail2ban-name( |$)' ; echo $? 45 | # 0 46 | # $ firewall-cmd -V 47 | # 0.3.8 48 | 49 | -------------------------------------------------------------------------------- /action.d/firewallcmd-rich-logging.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Authors: Donald Yandt, Sergey G. 
Brester 5 | # 6 | # Because of the rich rule commands, this action requires firewalld-0.3.1+ 7 | # This action uses firewalld rich-rules which gives you a cleaner iptables since it stores rules according to zones and not 8 | # by chain. For example, all deny rules will be listed under _deny and all log rules under _log. 9 | # 10 | # Also this action logs banned access attempts so you can filter that and increase ban time for offenders. 11 | # 12 | # If you use the --permanent rule you get an XML file in /etc/firewalld/zones/.xml that can be shared and parsed easily 13 | # 14 | # This is a derivative of firewallcmd-rich-rules.conf, see there for details and other parameters. 15 | 16 | [INCLUDES] 17 | 18 | before = firewallcmd-rich-rules.conf 19 | 20 | [Definition] 21 | 22 | rich-suffix = log prefix='f2b-' level='' limit value='/m' 23 | 24 | [Init] 25 | 26 | # log levels are "emerg", "alert", "crit", "error", "warning", "notice", "info" or "debug" 27 | level = info 28 | 29 | # log rate per minute 30 | rate = 1 31 | -------------------------------------------------------------------------------- /action.d/firewallcmd-rich-rules.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Donald Yandt 5 | # 6 | # Because of the rich rule commands, this action requires firewalld-0.3.1+ 7 | # This action uses firewalld rich-rules which gives you a cleaner iptables since it stores rules according to zones and not 8 | # by chain. For example, all deny rules will be listed under _deny. 
9 | # 10 | # If you use the --permanent rule you get an XML file in /etc/firewalld/zones/.xml that can be shared and parsed easily 11 | # 12 | # Example commands to view rules: 13 | # firewall-cmd [--zone=] --list-rich-rules 14 | # firewall-cmd [--zone=] --list-all 15 | # firewall-cmd [--zone=zone] --query-rich-rule='rule' 16 | 17 | [INCLUDES] 18 | 19 | before = firewallcmd-common.conf 20 | 21 | [Definition] 22 | 23 | actionstart = 24 | 25 | actionstop = 26 | 27 | actioncheck = 28 | 29 | # You can also use zones and/or service names. 30 | # 31 | # zone example: 32 | # firewall-cmd --zone= --add-rich-rule="rule family='ipv4' source address='' port port='' protocol='' " 33 | # 34 | # service name example: 35 | # firewall-cmd --zone= --add-rich-rule="rule family='ipv4' source address='' service name='' " 36 | # 37 | # Because a rich rule can only handle a single port or a range of ports, we must split the ports and execute the command for each port. Ports can be single ports and ranges separated by a comma or space, for example: http, https, 22-60, 18 smtp 38 | 39 | fwcmd_rich_rule = rule family='' source address='' port port='$p' protocol='' %(rich-suffix)s 40 | 41 | actionban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done 42 | 43 | actionunban = ports=""; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done 44 | 45 | rich-suffix = 46 | -------------------------------------------------------------------------------- /action.d/gotify.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/12/18 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Quietsy 5 | # 6 | # Add the following to jail.local (uncommented) to apply the gotify action to all bans with all jails 7 | # Change the url to have a valid gotify address and a valid token 8 | # 9 | # [DEFAULT] 10 | # action = %(action_)s 11 | # 
gotify[url="https://gotify.domain.com/message?token=lkghlkhjo8y9"] 12 | 13 | [Definition] 14 | 15 | # Option: actionstart 16 | # Notes.: command executed once at the start of Fail2Ban. 17 | # Values: CMD 18 | # 19 | actionstart = curl --data '{"message": "Started "}' -X POST -H Content-Type:application/json 20 | 21 | # Option: actionstop 22 | # Notes.: command executed once at the end of Fail2Ban 23 | # Values: CMD 24 | # 25 | actionstop = curl --data '{"message": "Stopped "}' -X POST -H Content-Type:application/json 26 | 27 | # Option: actioncheck 28 | # Notes.: command executed once before each actionban command 29 | # Values: CMD 30 | # 31 | actioncheck = 32 | 33 | # Option: actionban 34 | # Notes.: command executed when banning an IP. Take care that the 35 | # command is executed with Fail2Ban user rights. 36 | # Tags: See jail.conf(5) man page 37 | # Values: CMD 38 | # 39 | actionban = curl -X POST -H Content-Type:application/json \ 40 | --data '{"message": "⛔ ⛔\n\n got banned for seconds after tries.\n\nUnban command:\nfail2ban-client unban "}' 41 | 42 | # Option: actionunban 43 | # Notes.: command executed when unbanning an IP. Take care that the 44 | # command is executed with Fail2Ban user rights. 45 | # Tags: See jail.conf(5) man page 46 | # Values: CMD 47 | # 48 | actionunban = curl -X POST -H Content-Type:application/json --data '{"message": "✅ ✅\n\n is now unbanned"}' 49 | 50 | [Init] 51 | 52 | url = 53 | -------------------------------------------------------------------------------- /action.d/helpers-common.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | [DEFAULT] 3 | 4 | # Usage: 5 | # _grep_logs_args = 'test' 6 | # (printf %%b "Log-excerpt contains 'test':\n"; %(_grep_logs)s; printf %%b "Log-excerpt contains 'test':\n") | mail ... 
7 | # 8 | _grep_logs = logpath=""; grep %(_grep_logs_args)s $logpath | 9 | # options `-wF` are used to match only whole words and to treat the search string as a fixed string (not as a pattern), so characters such as dots are matched literally 10 | _grep_logs_args = -wF "" 11 | 12 | # Used for actions that should not be executed if the ticket was restored: 13 | _bypass_if_restored = if [ '' = '1' ]; then exit 0; fi; 14 | 15 | [Init] 16 | greplimit = tail -n 17 | grepmax = 1000 18 | grepopts = -m 19 | -------------------------------------------------------------------------------- /action.d/hostsdeny.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # Edited for cross platform by: James Stout, Yaroslav Halchenko and Daniel Black 6 | # 7 | # 8 | 9 | [Definition] 10 | 11 | # Option: actionstart 12 | # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). 13 | # Values: CMD 14 | # 15 | actionstart = 16 | 17 | # Option: actionstop 18 | # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) 19 | # Values: CMD 20 | # 21 | actionstop = 22 | 23 | # Option: actioncheck 24 | # Notes.: command executed once before each actionban command 25 | # Values: CMD 26 | # 27 | actioncheck = 28 | 29 | # Option: actionban 30 | # Notes.: command executed when banning an IP. Take care that the 31 | # command is executed with Fail2Ban user rights. 32 | # Tags: See jail.conf(5) man page 33 | # Values: CMD 34 | # 35 | actionban = printf %%b ": \n" >> 36 | 37 | # Option: actionunban 38 | # Notes.: command executed when unbanning an IP. Take care that the 39 | # command is executed with Fail2Ban user rights. 40 | # Tags: See jail.conf(5) man page 41 | # Values: CMD 42 | # 43 | actionunban = IP=$(echo "" | sed 's/[][\.]/\\\0/g') && sed -i "/^: $IP$/d" 44 | 45 | [Init] 46 | 47 | # Option: file 48 | # Notes.: hosts.deny file path.
49 | # Values: STR Default: /etc/hosts.deny 50 | # 51 | file = /etc/hosts.deny 52 | 53 | # Option: daemon_list 54 | # Notes: The list of services that this action will deny. See the man page 55 | # for hosts.deny/hosts_access. Default is all services. 56 | # Values: STR Default: ALL 57 | daemon_list = ALL 58 | 59 | # internal variable IP (to differentiate the IPv4 and IPv6 syntax, where it is enclosed in brackets): 60 | ip_value = 61 | 62 | [Init?family=inet6] 63 | ip_value = [] 64 | -------------------------------------------------------------------------------- /action.d/ipfilter.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # NetBSD ipfilter (ipf command) ban/unban 5 | # 6 | # Author: Ed Ravin 7 | # 8 | # 9 | 10 | [Definition] 11 | 12 | # Option: actionstart 13 | # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). 14 | # Values: CMD 15 | # 16 | # enable IPF if not already enabled 17 | actionstart = /sbin/ipf -E 18 | 19 | 20 | # Option: actionstop 21 | # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) 22 | # Values: CMD 23 | # 24 | # don't disable IPF with "/sbin/ipf -D", there may be other filters in use 25 | actionstop = 26 | 27 | 28 | # Option: actioncheck 29 | # Notes.: command executed once before each actionban command 30 | # Values: CMD 31 | # 32 | actioncheck = 33 | 34 | 35 | # Option: actionban 36 | # Notes.: command executed when banning an IP. Take care that the 37 | # command is executed with Fail2Ban user rights. 38 | # Tags: See jail.conf(5) man page 39 | # Values: CMD 40 | # 41 | actionban = echo block in quick from /32 | /sbin/ipf -f - 42 | 43 | 44 | # Option: actionunban 45 | # Notes.: command executed when unbanning an IP. Take care that the 46 | # command is executed with Fail2Ban user rights. 
47 | # Tags: See jail.conf(5) man page 48 | # Values: CMD 49 | # 50 | # note -r option used to remove matching rule 51 | actionunban = echo block in quick from /32 | /sbin/ipf -r -f - 52 | 53 | [Init] 54 | 55 | # Option: Blocktype 56 | # Notes : This is the return-icmp[return-code] mentioned in the ipf man page section 5. Keep this quoted to prevent 57 | # Shell expansion. This should be blank (unquoted) to drop the packet. 58 | # Values: STRING 59 | blocktype = "return-icmp(port-unr)" 60 | -------------------------------------------------------------------------------- /action.d/ipfw.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Nick Munger 5 | # Modified by: Cyril Jaquier 6 | # 7 | # 8 | 9 | [Definition] 10 | 11 | # Option: actionstart 12 | # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). 13 | # Values: CMD 14 | # 15 | actionstart = 16 | 17 | 18 | # Option: actionstop 19 | # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) 20 | # Values: CMD 21 | # 22 | actionstop = 23 | 24 | 25 | # Option: actioncheck 26 | # Notes.: command executed once before each actionban command 27 | # Values: CMD 28 | # 29 | actioncheck = 30 | 31 | 32 | # Option: actionban 33 | # Notes.: command executed when banning an IP. Take care that the 34 | # command is executed with Fail2Ban user rights. 35 | # Tags: See jail.conf(5) man page 36 | # Values: CMD 37 | # 38 | actionban = ipfw add tcp from to 39 | 40 | 41 | # Option: actionunban 42 | # Notes.: command executed when unbanning an IP. Take care that the 43 | # command is executed with Fail2Ban user rights. 
44 | # Tags: See jail.conf(5) man page 45 | # Values: CMD 46 | # 47 | actionunban = ipfw delete `ipfw list | grep -i "[^0-9][^0-9]" | awk '{print $1;}'` 48 | 49 | [Init] 50 | 51 | # Option: port 52 | # Notes.: specifies port to monitor 53 | # Values: [ NUM | STRING ] 54 | # 55 | port = ssh 56 | 57 | # Option: localhost 58 | # Notes.: the local IP address of the network interface 59 | # Values: IP 60 | # 61 | localhost = 127.0.0.1 62 | 63 | 64 | # Option: blocktype 65 | # Notes.: How to block the traffic. Use a action from man 5 ipfw 66 | # Common values: deny, unreach port, reset 67 | # Values: STRING 68 | # 69 | blocktype = unreach port 70 | -------------------------------------------------------------------------------- /action.d/iptables-allports.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # Modified: Yaroslav O. Halchenko 6 | # made active on all ports from original iptables.conf 7 | # 8 | # Obsolete: superseded by iptables[type=allports] 9 | 10 | [INCLUDES] 11 | 12 | before = iptables.conf 13 | 14 | [Definition] 15 | 16 | type = allports 17 | -------------------------------------------------------------------------------- /action.d/iptables-ipset-proto4.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Daniel Black 5 | # 6 | # This is for ipset protocol 4 (ipset v4.2). If you have a later version 7 | # of ipset try to use the iptables-ipset-proto6.conf as it does some things 8 | # nicer. 9 | # 10 | # This requires the program ipset which is normally in package called ipset. 11 | # 12 | # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels. 13 | # 14 | # If you are running on an older kernel you make need to patch in external 15 | # modules. 
Debian squeeze can do this with: 16 | # apt-get install xtables-addons-source 17 | # module-assistant auto-install xtables-addons 18 | # 19 | # Debian wheezy and above uses protocol 6 20 | 21 | [INCLUDES] 22 | 23 | before = iptables.conf 24 | 25 | [Definition] 26 | 27 | # Option: actionstart 28 | # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). 29 | # Values: CMD 30 | # 31 | actionstart = ipset --create f2b- iphash 32 | <_ipt_add_rules> 33 | 34 | 35 | # Option: actionflush 36 | # Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action) 37 | # Values: CMD 38 | # 39 | actionflush = ipset --flush f2b- 40 | 41 | # Option: actionstop 42 | # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) 43 | # Values: CMD 44 | # 45 | actionstop = <_ipt_del_rules> 46 | 47 | ipset --destroy f2b- 48 | 49 | # Option: actionban 50 | # Notes.: command executed when banning an IP. Take care that the 51 | # command is executed with Fail2Ban user rights. 52 | # Tags: See jail.conf(5) man page 53 | # Values: CMD 54 | # 55 | actionban = ipset --test f2b- || ipset --add f2b- 56 | 57 | # Option: actionunban 58 | # Notes.: command executed when unbanning an IP. Take care that the 59 | # command is executed with Fail2Ban user rights. 60 | # Tags: See jail.conf(5) man page 61 | # Values: CMD 62 | # 63 | actionunban = ipset --test f2b- && ipset --del f2b- 64 | 65 | # Several capabilities used internaly: 66 | 67 | rule-jump = -m set --match-set f2b- src -j 68 | -------------------------------------------------------------------------------- /action.d/iptables-ipset-proto6-allports.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Daniel Black 5 | # 6 | # This is for ipset protocol 6 (and hopefully later) (ipset v6.14). 
7 | # Use ipset -V to see the protocol and version. Version 4 should use 8 | # iptables-ipset-proto4.conf. 9 | # 10 | # This requires the program ipset which is normally in a package called ipset. 11 | # 12 | # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels. 13 | # 14 | # If you are running on an older kernel you may need to patch in external 15 | # modules which probably won't be protocol version 6. 16 | # 17 | # Modified: Alexander Koeppe , Serg G. Brester 18 | # made config file IPv6 capable (see new section Init?family=inet6) 19 | # 20 | # Obsolete: superseded by iptables-ipset[type=allports] 21 | 22 | [INCLUDES] 23 | 24 | before = iptables-ipset.conf 25 | 26 | [Definition] 27 | 28 | type = allports 29 | -------------------------------------------------------------------------------- /action.d/iptables-ipset-proto6.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Daniel Black 5 | # 6 | # This is for ipset protocol 6 (and hopefully later) (ipset v6.14). 7 | # Use ipset -V to see the protocol and version. Version 4 should use 8 | # iptables-ipset-proto4.conf. 9 | # 10 | # This requires the program ipset which is normally in a package called ipset. 11 | # 12 | # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels. 13 | # 14 | # If you are running on an older kernel you may need to patch in external 15 | # modules. 16 | # 17 | # Modified: Alexander Koeppe , Serg G.
Brester 18 | # made config file IPv6 capable (see new section Init?family=inet6) 19 | # 20 | # Obsolete: superseded by iptables-ipset[type=multiport] 21 | 22 | [INCLUDES] 23 | 24 | before = iptables-ipset.conf 25 | 26 | [Definition] 27 | 28 | type = multiport 29 | -------------------------------------------------------------------------------- /action.d/iptables-ipset.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Authors: Sergey G Brester (sebres), Daniel Black, Alexander Koeppe 5 | # 6 | # This is for ipset protocol 6 (and hopefully later) (ipset v6.14). 7 | # Use ipset -V to see the protocol and version. Version 4 should use 8 | # iptables-ipset-proto4.conf. 9 | # 10 | # This requires the program ipset which is normally in package called ipset. 11 | # 12 | # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels. 13 | # 14 | # If you are running on an older kernel you make need to patch in external 15 | # modules. 16 | # 17 | 18 | [INCLUDES] 19 | 20 | before = iptables.conf 21 | 22 | [Definition] 23 | 24 | # Option: actionstart 25 | # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). 26 | # Values: CMD 27 | # 28 | actionstart = ipset -exist create hash:ip timeout 29 | <_ipt_add_rules> 30 | 31 | # Option: actionflush 32 | # Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action) 33 | # Values: CMD 34 | # 35 | actionflush = ipset flush 36 | 37 | # Option: actionstop 38 | # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) 39 | # Values: CMD 40 | # 41 | actionstop = <_ipt_del_rules> 42 | 43 | ipset destroy 44 | 45 | # Option: actionban 46 | # Notes.: command executed when banning an IP. Take care that the 47 | # command is executed with Fail2Ban user rights. 
48 | # Tags: See jail.conf(5) man page 49 | # Values: CMD 50 | # 51 | actionban = ipset -exist add timeout 52 | 53 | # actionprolong = %(actionban)s 54 | 55 | # Option: actionunban 56 | # Notes.: command executed when unbanning an IP. Take care that the 57 | # command is executed with Fail2Ban user rights. 58 | # Tags: See jail.conf(5) man page 59 | # Values: CMD 60 | # 61 | actionunban = ipset -exist del 62 | 63 | # Several capabilities used internally: 64 | 65 | rule-jump = -m set --match-set src -j 66 | 67 | 68 | [Init] 69 | 70 | # Option: default-ipsettime 71 | # Notes: specifies default timeout in seconds (handled default ipset timeout only) 72 | # Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban) 73 | default-ipsettime = 0 74 | 75 | # Option: ipsettime 76 | # Notes: specifies ticket timeout (handled ipset timeout only) 77 | # Values: [ NUM ] Default: 0 (managed by fail2ban by unban) 78 | ipsettime = 0 79 | 80 | # expression to calculate timeout from bantime (a value above 2147483 yields 0), example: 81 | # banaction = %(known/banaction)s[ipsettime=''] 82 | timeout-bantime = $([ "" -le 2147483 ] && echo "" || echo 0) 83 | 84 | ipmset = f2b- 85 | familyopt = 86 | 87 | 88 | [Init?family=inet6] 89 | 90 | ipmset = f2b-6 91 | familyopt = family inet6 92 | -------------------------------------------------------------------------------- /action.d/iptables-multiport-log.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Guido Bozzetto 5 | # Modified: Cyril Jaquier 6 | # 7 | # make "f2b-" chain to match drop IP 8 | # make "f2b--log" chain to log and drop 9 | # insert a jump to f2b- from -I if proto/port match 10 | # 11 | # 12 | 13 | [INCLUDES] 14 | 15 | before = iptables.conf 16 | 17 | [Definition] 18 | 19 | # Option: actionstart 20 | # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
21 | # Values: CMD 22 | # 23 | actionstart = -N f2b- 24 | -A f2b- -j 25 | -I 1 -p -m multiport --dports -j f2b- 26 | -N f2b--log 27 | -I f2b--log -j LOG --log-prefix "$(expr f2b- : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2 28 | -A f2b--log -j 29 | 30 | # Option: actionflush 31 | # Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action) 32 | # Values: CMD 33 | # 34 | actionflush = -F f2b- 35 | -F f2b--log 36 | 37 | # Option: actionstop 38 | # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) 39 | # Values: CMD 40 | # 41 | actionstop = -D -p -m multiport --dports -j f2b- 42 | 43 | -X f2b- 44 | -X f2b--log 45 | 46 | # Option: actioncheck 47 | # Notes.: command executed once before each actionban command 48 | # Values: CMD 49 | # 50 | actioncheck = -n -L f2b--log >/dev/null 51 | 52 | # Option: actionban 53 | # Notes.: command executed when banning an IP. Take care that the 54 | # command is executed with Fail2Ban user rights. 55 | # Tags: See jail.conf(5) man page 56 | # Values: CMD 57 | # 58 | actionban = -I f2b- 1 -s -j f2b--log 59 | 60 | # Option: actionunban 61 | # Notes.: command executed when unbanning an IP. Take care that the 62 | # command is executed with Fail2Ban user rights. 
63 | # Tags: See jail.conf(5) man page 64 | # Values: CMD 65 | # 66 | actionunban = -D f2b- -s -j f2b--log 67 | 68 | [Init] 69 | 70 | -------------------------------------------------------------------------------- /action.d/iptables-multiport.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # Modified by Yaroslav Halchenko for multiport banning 6 | # 7 | # Obsolete: superseded by iptables[type=multiport] 8 | 9 | [INCLUDES] 10 | 11 | before = iptables.conf 12 | 13 | [Definition] 14 | 15 | type = multiport 16 | -------------------------------------------------------------------------------- /action.d/iptables-new.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # Copied from iptables.conf and modified by Yaroslav Halchenko 6 | # to fulfill the needs of bugreporter dbts#350746. 7 | # 8 | # Obsolete: superseded by iptables[pre-rule='-m state --state NEW'] 9 | 10 | [INCLUDES] 11 | 12 | before = iptables.conf 13 | 14 | [Definition] 15 | 16 | pre-rule = -m state --state NEW 17 | -------------------------------------------------------------------------------- /action.d/mail-buffered.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # 6 | # 7 | 8 | [Definition] 9 | 10 | # bypass ban/unban for restored tickets 11 | norestored = 1 12 | 13 | # Option: actionstart 14 | # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). 
15 | # Values: CMD 16 | # 17 | actionstart = printf %%b "Hi,\n 18 | The jail has been started successfully.\n 19 | Output will be buffered until lines are available.\n 20 | Regards,\n 21 | Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " 22 | 23 | # Option: actionstop 24 | # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) 25 | # Values: CMD 26 | # 27 | actionstop = if [ -f ]; then 28 | printf %%b "Hi,\n 29 | These hosts have been banned by Fail2Ban.\n 30 | `cat ` 31 | Regards,\n 32 | Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : Summary from " 33 | rm 34 | fi 35 | printf %%b "Hi,\n 36 | The jail has been stopped.\n 37 | Regards,\n 38 | Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " 39 | 40 | # Option: actioncheck 41 | # Notes.: command executed once before each actionban command 42 | # Values: CMD 43 | # 44 | actioncheck = 45 | 46 | # Option: actionban 47 | # Notes.: command executed when banning an IP. Take care that the 48 | # command is executed with Fail2Ban user rights. 49 | # Tags: See jail.conf(5) man page 50 | # Values: CMD 51 | # 52 | actionban = printf %%b "`date`: ( failures)\n" >> 53 | LINE=$( wc -l | awk '{ print $1 }' ) 54 | if [ $LINE -ge ]; then 55 | printf %%b "Hi,\n 56 | These hosts have been banned by Fail2Ban.\n 57 | `cat ` 58 | \nRegards,\n 59 | Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : Summary" 60 | rm 61 | fi 62 | 63 | # Option: actionunban 64 | # Notes.: command executed when unbanning an IP. Take care that the 65 | # command is executed with Fail2Ban user rights. 
66 | # Tags: See jail.conf(5) man page 67 | # Values: CMD 68 | # 69 | actionunban = 70 | 71 | [Init] 72 | 73 | # Default name of the chain 74 | # 75 | name = default 76 | 77 | # Default number of lines that are buffered 78 | # 79 | lines = 5 80 | 81 | # Default temporary file 82 | # 83 | tmpfile = /var/run/fail2ban/tmp-mail.txt 84 | 85 | # Destination/Addressee of the mail 86 | # 87 | dest = root 88 | -------------------------------------------------------------------------------- /action.d/mail-whois-common.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Common settings for mail actions 5 | # 6 | # Users can override the defaults in mail-whois-common.local 7 | 8 | [INCLUDES] 9 | 10 | # Load customizations if any available 11 | after = mail-whois-common.local 12 | 13 | [DEFAULT] 14 | #original character set of whois output will be sent to mail program 15 | _whois = whois || echo "missing whois program" 16 | 17 | # use heuristics to convert charset of whois output to a target 18 | # character set before sending it to a mail program 19 | # make sure you have 'file' and 'iconv' commands installed when opting for that 20 | _whois_target_charset = UTF-8 21 | _whois_convert_charset = (%(_whois)s) | 22 | { WHOIS_OUTPUT=$(cat) ; WHOIS_CHARSET=$(printf %%b "$WHOIS_OUTPUT" | file -b --mime-encoding -) ; printf %%b "$WHOIS_OUTPUT" | iconv -f $WHOIS_CHARSET -t %(_whois_target_charset)s//TRANSLIT - ; } 23 | 24 | # choose between _whois and _whois_convert_charset in mail-whois-common.local 25 | # or other *.local which include mail-whois-common.conf. 
26 | _whois_command = %(_whois)s 27 | #_whois_command = %(_whois_convert_charset)s 28 | 29 | [Init] 30 | -------------------------------------------------------------------------------- /action.d/mail-whois-lines.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # Modified-By: Yaroslav Halchenko to include grepping on IP over log files 6 | # 7 | 8 | [INCLUDES] 9 | 10 | before = mail-whois-common.conf 11 | helpers-common.conf 12 | 13 | [Definition] 14 | 15 | # bypass ban/unban for restored tickets 16 | norestored = 1 17 | 18 | # Option: actionstart 19 | # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). 20 | # Values: CMD 21 | # 22 | actionstart = printf %%b "Hi,\n 23 | The jail has been started successfully.\n 24 | Regards,\n 25 | Fail2Ban" | "[Fail2Ban] : started on " 26 | 27 | # Option: actionstop 28 | # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) 29 | # Values: CMD 30 | # 31 | actionstop = printf %%b "Hi,\n 32 | The jail has been stopped.\n 33 | Regards,\n 34 | Fail2Ban" | "[Fail2Ban] : stopped on " 35 | 36 | # Option: actioncheck 37 | # Notes.: command executed once before each actionban command 38 | # Values: CMD 39 | # 40 | actioncheck = 41 | 42 | # Option: actionban 43 | # Notes.: command executed when banning an IP. Take care that the 44 | # command is executed with Fail2Ban user rights. 
45 | # Tags: See jail.conf(5) man page 46 | # Values: CMD 47 | # 48 | 49 | _ban_mail_content = ( printf %%b "Hi,\n 50 | The IP has just been banned by Fail2Ban after 51 | attempts against .\n\n 52 | Here is more information about :\n" 53 | %(_whois_command)s; 54 | printf %%b "\nLines containing failures of (max )\n"; 55 | %(_grep_logs)s; 56 | printf %%b "\n 57 | Regards,\n 58 | Fail2Ban" ) 59 | 60 | actionban = %(_ban_mail_content)s | "[Fail2Ban] : banned from " 61 | 62 | # Option: actionunban 63 | # Notes.: command executed when unbanning an IP. Take care that the 64 | # command is executed with Fail2Ban user rights. 65 | # Tags: See jail.conf(5) man page 66 | # Values: CMD 67 | # 68 | actionunban = 69 | 70 | [Init] 71 | 72 | # Option: mailcmd 73 | # Notes.: Your system mail command. Is passed 2 args: subject and recipient 74 | # Values: CMD 75 | # 76 | mailcmd = mail -E 'set escape' -s 77 | 78 | # Default name of the chain 79 | # 80 | name = default 81 | 82 | # Destinataire of the mail 83 | # 84 | dest = root 85 | 86 | # Path to the log files which contain relevant lines for the abuser IP 87 | # 88 | logpath = /dev/null 89 | 90 | # Number of log lines to include in the email 91 | # 92 | #grepmax = 1000 93 | #grepopts = -m 94 | -------------------------------------------------------------------------------- /action.d/mail-whois.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # 6 | # 7 | 8 | [INCLUDES] 9 | 10 | before = mail-whois-common.conf 11 | 12 | [Definition] 13 | 14 | # bypass ban/unban for restored tickets 15 | norestored = 1 16 | 17 | # Option: actionstart 18 | # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). 
19 | # Values: CMD 20 | # 21 | actionstart = printf %%b "Hi,\n 22 | The jail has been started successfully.\n 23 | Regards,\n 24 | Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " 25 | 26 | # Option: actionstop 27 | # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) 28 | # Values: CMD 29 | # 30 | actionstop = printf %%b "Hi,\n 31 | The jail has been stopped.\n 32 | Regards,\n 33 | Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " 34 | 35 | # Option: actioncheck 36 | # Notes.: command executed once before each actionban command 37 | # Values: CMD 38 | # 39 | actioncheck = 40 | 41 | # Option: actionban 42 | # Notes.: command executed when banning an IP. Take care that the 43 | # command is executed with Fail2Ban user rights. 44 | # Tags: See jail.conf(5) man page 45 | # Values: CMD 46 | # 47 | actionban = printf %%b "Hi,\n 48 | The IP has just been banned by Fail2Ban after 49 | attempts against .\n\n 50 | Here is more information about :\n 51 | `%(_whois_command)s`\n 52 | Regards,\n 53 | Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : banned from " 54 | 55 | # Option: actionunban 56 | # Notes.: command executed when unbanning an IP. Take care that the 57 | # command is executed with Fail2Ban user rights. 
58 | # Tags: See jail.conf(5) man page 59 | # Values: CMD 60 | # 61 | actionunban = 62 | 63 | [Init] 64 | 65 | # Default name of the chain 66 | # 67 | name = default 68 | 69 | # Destination/Addressee of the mail 70 | # 71 | dest = root 72 | 73 | -------------------------------------------------------------------------------- /action.d/mail.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # 6 | # 7 | 8 | [Definition] 9 | 10 | # bypass ban/unban for restored tickets 11 | norestored = 1 12 | 13 | # Option: actionstart 14 | # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). 15 | # Values: CMD 16 | # 17 | actionstart = printf %%b "Hi,\n 18 | The jail has been started successfully.\n 19 | Regards,\n 20 | Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : started on " 21 | 22 | # Option: actionstop 23 | # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) 24 | # Values: CMD 25 | # 26 | actionstop = printf %%b "Hi,\n 27 | The jail has been stopped.\n 28 | Regards,\n 29 | Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : stopped on " 30 | 31 | # Option: actioncheck 32 | # Notes.: command executed once before each actionban command 33 | # Values: CMD 34 | # 35 | actioncheck = 36 | 37 | # Option: actionban 38 | # Notes.: command executed when banning an IP. Take care that the 39 | # command is executed with Fail2Ban user rights. 40 | # Tags: See jail.conf(5) man page 41 | # Values: CMD 42 | # 43 | actionban = printf %%b "Hi,\n 44 | The IP has just been banned by Fail2Ban after 45 | attempts against .\n 46 | Regards,\n 47 | Fail2Ban"|mail -E 'set escape' -s "[Fail2Ban] : banned from " 48 | 49 | # Option: actionunban 50 | # Notes.: command executed when unbanning an IP. Take care that the 51 | # command is executed with Fail2Ban user rights. 
52 | # Tags: See jail.conf(5) man page 53 | # Values: CMD 54 | # 55 | actionunban = 56 | 57 | [Init] 58 | 59 | # Default name of the chain 60 | # 61 | name = default 62 | 63 | # Destination/Addressee of the mail 64 | # 65 | dest = root 66 | 67 | -------------------------------------------------------------------------------- /action.d/netscaler.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2ban Citrix Netscaler Action 3 | # by Juliano Jeziorny 4 | # juliano@jeziorny.eu 5 | # 6 | # The script will add offender IPs to a dataset on netscaler, the dataset can then be used to block the IPs at a cs/vserver or global level 7 | # This dataset is then used to block IPs using responder policies on the netscaler. 8 | # 9 | # The script assumes HTTPS with a certificate that curl cannot verify is used to access the netscaler, which is why the curl lines pass -k; -k turns off certificate verification, so the Authorization header can be read by anyone able to intercept the connection. 10 | # If you have a valid certificate installed remove the -k from the curl lines, or if you want http change it accordingly (and remove the -k); plain http sends the credentials unencrypted. 11 | # 12 | # This action depends on curl 13 | # 14 | # You need to populate the 3 options inside Init 15 | # 16 | # ns_host: IP or hostname of netscaler appliance 17 | # ns_auth: username:password, base64 encoded (echo -n "username:password" | base64), the form an 'Authorization: Basic' header carries; base64 is a reversible encoding, not encryption, so treat the value as a plaintext password and restrict read access to this file 18 | # ns_dataset: Name of the netscaler dataset holding the IPs to be blocked.
19 | # 20 | # For further details on how to use it please check http://blog.ckzone.eu/2017/01/fail2ban-action-for-citrix-netscaler.html 21 | 22 | [Init] 23 | ns_host = 24 | ns_auth = 25 | ns_dataset = 26 | 27 | [Definition] 28 | actionstart = curl -kH 'Authorization: Basic ' https:///nitro/v1/config 29 | 30 | actioncheck = 31 | 32 | actionban = curl -k -H 'Authorization: Basic ' -X PUT -d '{"policydataset_value_binding":{"name":"","value":""}}' https:///nitro/v1/config/ 33 | 34 | actionunban = curl -H 'Authorization: Basic ' -X DELETE -k "https:///nitro/v1/config/policydataset_value_binding/?args=value:" 35 | -------------------------------------------------------------------------------- /action.d/nftables-allports.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # Modified: Yaroslav O. Halchenko 6 | # made active on all ports from original iptables.conf 7 | # Modified: Alexander Belykh 8 | # adapted for nftables 9 | # 10 | # Obsolete: superseded by nftables[type=allports] 11 | 12 | [INCLUDES] 13 | 14 | before = nftables.conf 15 | 16 | [Definition] 17 | 18 | type = allports 19 | -------------------------------------------------------------------------------- /action.d/nftables-multiport.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # Author: Cyril Jaquier 5 | # Modified: Yaroslav O. 
Halchenko 6 | # made active on all ports from original iptables.conf 7 | # Modified: Alexander Belykh 8 | # adapted for nftables 9 | # 10 | # Obsolete: superseded by nftables[type=multiport] 11 | 12 | [INCLUDES] 13 | 14 | before = nftables.conf 15 | 16 | [Definition] 17 | 18 | type = multiport 19 | -------------------------------------------------------------------------------- /action.d/npf.conf: -------------------------------------------------------------------------------- 1 | ## Version 2022/08/06 2 | # Fail2Ban configuration file 3 | # 4 | # NetBSD npf ban/unban 5 | # 6 | # Author: Nils Ratusznik 7 | # Based on pf.conf action file 8 | # 9 | 10 | [Definition] 11 | 12 | # Option: actionstart 13 | # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). 14 | # Values: CMD 15 | # 16 | # we don't enable NPF automatically, as it will be enabled elsewhere 17 | actionstart = 18 | 19 | 20 | # Option: actionstop 21 | # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) 22 | # Values: CMD 23 | # 24 | # we don't disable NPF automatically either 25 | actionstop = 26 | 27 | 28 | # Option: actioncheck 29 | # Notes.: command executed once before each actionban command 30 | # Values: CMD 31 | # 32 | actioncheck = 33 | 34 | 35 | # Option: actionban 36 | # Notes.: command executed when banning an IP. Take care that the 37 | # command is executed with Fail2Ban user rights. 38 | # Tags: IP address 39 | # number of failures 40 | #