├── .codespellrc ├── .coveragerc ├── .gitattributes ├── .github ├── FUNDING.yml ├── ISSUE_TEMPLATE │ ├── bug_report.md │ ├── feature_request.md │ └── filter_request.md ├── PULL_REQUEST_TEMPLATE.md └── workflows │ ├── codespell.yml │ └── main.yml ├── .gitignore ├── .mailmap ├── .pylintrc ├── .typos.toml ├── CONTRIBUTING.md ├── COPYING ├── ChangeLog ├── DEVELOP ├── FILTERS ├── MANIFEST ├── MANIFEST.in ├── README.Solaris ├── README.md ├── RELEASE ├── THANKS ├── TODO ├── Vagrantfile ├── bin ├── fail2ban-client ├── fail2ban-regex ├── fail2ban-server └── fail2ban-testcases ├── config ├── action.d │ ├── abuseipdb.conf │ ├── apf.conf │ ├── apprise.conf │ ├── blocklist_de.conf │ ├── bsd-ipfw.conf │ ├── cloudflare-token.conf │ ├── cloudflare.conf │ ├── complain.conf │ ├── csf.conf │ ├── dshield.conf │ ├── dummy.conf │ ├── firewallcmd-allports.conf │ ├── firewallcmd-common.conf │ ├── firewallcmd-ipset.conf │ ├── firewallcmd-multiport.conf │ ├── firewallcmd-new.conf │ ├── firewallcmd-rich-logging.conf │ ├── firewallcmd-rich-rules.conf │ ├── helpers-common.conf │ ├── hostsdeny.conf │ ├── ipfilter.conf │ ├── ipfw.conf │ ├── iptables-allports.conf │ ├── iptables-ipset-proto4.conf │ ├── iptables-ipset-proto6-allports.conf │ ├── iptables-ipset-proto6.conf │ ├── iptables-ipset.conf │ ├── iptables-multiport-log.conf │ ├── iptables-multiport.conf │ ├── iptables-new.conf │ ├── iptables-xt_recent-echo.conf │ ├── iptables.conf │ ├── ipthreat.conf │ ├── mail-buffered.conf │ ├── mail-whois-common.conf │ ├── mail-whois-lines.conf │ ├── mail-whois.conf │ ├── mail.conf │ ├── mikrotik.conf │ ├── mynetwatchman.conf │ ├── netscaler.conf │ ├── nftables-allports.conf │ ├── nftables-multiport.conf │ ├── nftables.conf │ ├── nginx-block-map.conf │ ├── npf.conf │ ├── nsupdate.conf │ ├── osx-afctl.conf │ ├── osx-ipfw.conf │ ├── pf.conf │ ├── route.conf │ ├── sendmail-buffered.conf │ ├── sendmail-common.conf │ ├── sendmail-geoip-lines.conf │ ├── sendmail-whois-ipjailmatches.conf │ ├── 
sendmail-whois-ipmatches.conf │ ├── sendmail-whois-lines.conf │ ├── sendmail-whois-matches.conf │ ├── sendmail-whois.conf │ ├── sendmail.conf │ ├── shorewall-ipset-proto6.conf │ ├── shorewall.conf │ ├── smtp.py │ ├── symbiosis-blacklist-allports.conf │ ├── ufw.conf │ └── xarf-login-attack.conf ├── fail2ban.conf ├── filter.d │ ├── 3proxy.conf │ ├── apache-auth.conf │ ├── apache-badbots.conf │ ├── apache-botsearch.conf │ ├── apache-common.conf │ ├── apache-fakegooglebot.conf │ ├── apache-modsecurity.conf │ ├── apache-nohome.conf │ ├── apache-noscript.conf │ ├── apache-overflows.conf │ ├── apache-pass.conf │ ├── apache-shellshock.conf │ ├── assp.conf │ ├── asterisk.conf │ ├── bitwarden.conf │ ├── botsearch-common.conf │ ├── centreon.conf │ ├── common.conf │ ├── counter-strike.conf │ ├── courier-auth.conf │ ├── courier-smtp.conf │ ├── cyrus-imap.conf │ ├── dante.conf │ ├── directadmin.conf │ ├── domino-smtp.conf │ ├── dovecot.conf │ ├── dropbear.conf │ ├── drupal-auth.conf │ ├── ejabberd-auth.conf │ ├── exim-common.conf │ ├── exim-spam.conf │ ├── exim.conf │ ├── freeswitch.conf │ ├── froxlor-auth.conf │ ├── gitlab.conf │ ├── grafana.conf │ ├── groupoffice.conf │ ├── gssftpd.conf │ ├── guacamole.conf │ ├── haproxy-http-auth.conf │ ├── horde.conf │ ├── ignorecommands │ │ └── apache-fakegooglebot │ ├── kerio.conf │ ├── lighttpd-auth.conf │ ├── mongodb-auth.conf │ ├── monit.conf │ ├── monitorix.conf │ ├── mssql-auth.conf │ ├── murmur.conf │ ├── mysqld-auth.conf │ ├── nagios.conf │ ├── named-refused.conf │ ├── nginx-bad-request.conf │ ├── nginx-botsearch.conf │ ├── nginx-error-common.conf │ ├── nginx-forbidden.conf │ ├── nginx-http-auth.conf │ ├── nginx-limit-req.conf │ ├── nsd.conf │ ├── openhab.conf │ ├── openvpn.conf │ ├── openwebmail.conf │ ├── oracleims.conf │ ├── pam-generic.conf │ ├── perdition.conf │ ├── php-url-fopen.conf │ ├── phpmyadmin-syslog.conf │ ├── portsentry.conf │ ├── postfix.conf │ ├── proftpd.conf │ ├── proxmox.conf │ ├── pure-ftpd.conf │ ├── qmail.conf 
│ ├── recidive.conf │ ├── roundcube-auth.conf │ ├── routeros-auth.conf │ ├── scanlogd.conf │ ├── screensharingd.conf │ ├── selinux-common.conf │ ├── selinux-ssh.conf │ ├── sendmail-auth.conf │ ├── sendmail-reject.conf │ ├── sieve.conf │ ├── slapd.conf │ ├── softethervpn.conf │ ├── sogo-auth.conf │ ├── solid-pop3d.conf │ ├── squid.conf │ ├── squirrelmail.conf │ ├── sshd.conf │ ├── stunnel.conf │ ├── suhosin.conf │ ├── tine20.conf │ ├── traefik-auth.conf │ ├── uwimap-auth.conf │ ├── vaultwarden.conf │ ├── vsftpd.conf │ ├── webmin-auth.conf │ ├── wuftpd.conf │ ├── xinetd-fail.conf │ ├── znc-adminlog.conf │ └── zoneminder.conf ├── jail.conf ├── paths-arch.conf ├── paths-common.conf ├── paths-debian.conf ├── paths-fedora.conf ├── paths-freebsd.conf ├── paths-opensuse.conf └── paths-osx.conf ├── doc ├── Doxyfile ├── Makefile ├── conf.py ├── develop.rst ├── fail2ban.client.actionreader.rst ├── fail2ban.client.beautifier.rst ├── fail2ban.client.configparserinc.rst ├── fail2ban.client.configreader.rst ├── fail2ban.client.configurator.rst ├── fail2ban.client.csocket.rst ├── fail2ban.client.fail2banreader.rst ├── fail2ban.client.filterreader.rst ├── fail2ban.client.jailreader.rst ├── fail2ban.client.jailsreader.rst ├── fail2ban.client.rst ├── fail2ban.exceptions.rst ├── fail2ban.helpers.rst ├── fail2ban.protocol.rst ├── fail2ban.rst ├── fail2ban.server.action.rst ├── fail2ban.server.actions.rst ├── fail2ban.server.asyncserver.rst ├── fail2ban.server.banmanager.rst ├── fail2ban.server.database.rst ├── fail2ban.server.datedetector.rst ├── fail2ban.server.datetemplate.rst ├── fail2ban.server.failmanager.rst ├── fail2ban.server.failregex.rst ├── fail2ban.server.filter.rst ├── fail2ban.server.filterpoll.rst ├── fail2ban.server.filterpyinotify.rst ├── fail2ban.server.filtersystemd.rst ├── fail2ban.server.jail.rst ├── fail2ban.server.jails.rst ├── fail2ban.server.jailthread.rst ├── fail2ban.server.mytime.rst ├── fail2ban.server.rst ├── fail2ban.server.server.rst ├── 
fail2ban.server.strptime.rst ├── fail2ban.server.ticket.rst ├── fail2ban.server.transmitter.rst ├── fail2ban.server.utils.rst ├── fail2ban.version.rst ├── filters.rst ├── index.rst ├── release.rst ├── requirements.txt └── run-rootless.txt ├── fail2ban-testcases-all ├── fail2ban-testcases-all-python3 ├── fail2ban ├── __init__.py ├── client │ ├── __init__.py │ ├── actionreader.py │ ├── beautifier.py │ ├── configparserinc.py │ ├── configreader.py │ ├── configurator.py │ ├── csocket.py │ ├── fail2banclient.py │ ├── fail2bancmdline.py │ ├── fail2banreader.py │ ├── fail2banregex.py │ ├── fail2banserver.py │ ├── filterreader.py │ ├── jailreader.py │ └── jailsreader.py ├── compat │ ├── asynchat.py │ └── asyncore.py ├── exceptions.py ├── helpers.py ├── protocol.py ├── server │ ├── __init__.py │ ├── action.py │ ├── actions.py │ ├── asyncserver.py │ ├── banmanager.py │ ├── database.py │ ├── datedetector.py │ ├── datetemplate.py │ ├── failmanager.py │ ├── failregex.py │ ├── filter.py │ ├── filterpoll.py │ ├── filterpyinotify.py │ ├── filtersystemd.py │ ├── ipdns.py │ ├── jail.py │ ├── jails.py │ ├── jailthread.py │ ├── mytime.py │ ├── observer.py │ ├── server.py │ ├── strptime.py │ ├── ticket.py │ ├── transmitter.py │ └── utils.py ├── setup.py ├── tests │ ├── __init__.py │ ├── action_d │ │ ├── __init__.py │ │ └── test_smtp.py │ ├── actionstestcase.py │ ├── actiontestcase.py │ ├── banmanagertestcase.py │ ├── clientbeautifiertestcase.py │ ├── clientreadertestcase.py │ ├── config │ │ ├── action.d │ │ │ ├── action.conf │ │ │ └── brokenaction.conf │ │ ├── fail2ban.conf │ │ ├── filter.d │ │ │ ├── checklogtype.conf │ │ │ ├── checklogtype_test.conf │ │ │ ├── simple.conf │ │ │ ├── test.conf │ │ │ ├── test.local │ │ │ ├── zzz-generic-example.conf │ │ │ └── zzz-sshd-obsolete-multiline.conf │ │ └── jail.conf │ ├── databasetestcase.py │ ├── datedetectortestcase.py │ ├── dummyjail.py │ ├── fail2banclienttestcase.py │ ├── fail2banregextestcase.py │ ├── failmanagertestcase.py │ ├── files │ │ 
├── action.d │ │ │ ├── action.py │ │ │ ├── action_checkainfo.py │ │ │ ├── action_errors.py │ │ │ ├── action_modifyainfo.py │ │ │ ├── action_noAction.py │ │ │ └── action_nomethod.py │ │ ├── config │ │ │ └── apache-auth │ │ │ │ ├── README │ │ │ │ ├── basic │ │ │ │ ├── authz_owner │ │ │ │ │ ├── .htaccess │ │ │ │ │ ├── .htpasswd │ │ │ │ │ └── cant_get_me.html │ │ │ │ └── file │ │ │ │ │ ├── .htaccess │ │ │ │ │ └── .htpasswd │ │ │ │ ├── digest.py │ │ │ │ ├── digest │ │ │ │ ├── .htaccess │ │ │ │ └── .htpasswd │ │ │ │ ├── digest_anon │ │ │ │ ├── .htaccess │ │ │ │ └── .htpasswd │ │ │ │ ├── digest_time │ │ │ │ ├── .htaccess │ │ │ │ └── .htpasswd │ │ │ │ ├── digest_wrongrelm │ │ │ │ ├── .htaccess │ │ │ │ └── .htpasswd │ │ │ │ └── noentry │ │ │ │ └── .htaccess │ │ ├── database_v1.db │ │ ├── database_v2.db │ │ ├── filter.d │ │ │ ├── substitution.conf │ │ │ ├── testcase-common.conf │ │ │ ├── testcase01.conf │ │ │ ├── testcase02.conf │ │ │ └── testcase02.local │ │ ├── ignorecommand.py │ │ ├── logs │ │ │ ├── 3proxy │ │ │ ├── apache-auth │ │ │ ├── apache-badbots │ │ │ ├── apache-botsearch │ │ │ ├── apache-fakegooglebot │ │ │ ├── apache-modsecurity │ │ │ ├── apache-nohome │ │ │ ├── apache-noscript │ │ │ ├── apache-overflows │ │ │ ├── apache-pass │ │ │ ├── apache-shellshock │ │ │ ├── assp │ │ │ ├── asterisk │ │ │ ├── bitwarden │ │ │ ├── bsd │ │ │ │ ├── syslog-plain.txt │ │ │ │ ├── syslog-v.txt │ │ │ │ └── syslog-vv.txt │ │ │ ├── centreon │ │ │ ├── counter-strike │ │ │ ├── courier-auth │ │ │ ├── courier-smtp │ │ │ ├── cyrus-imap │ │ │ ├── dante │ │ │ ├── directadmin │ │ │ ├── domino-smtp │ │ │ ├── dovecot │ │ │ ├── dropbear │ │ │ ├── drupal-auth │ │ │ ├── ejabberd-auth │ │ │ ├── exim │ │ │ ├── exim-spam │ │ │ ├── freeswitch │ │ │ ├── froxlor-auth │ │ │ ├── gitlab │ │ │ ├── grafana │ │ │ ├── groupoffice │ │ │ ├── gssftpd │ │ │ ├── guacamole │ │ │ ├── haproxy-http-auth │ │ │ ├── horde │ │ │ ├── kerio │ │ │ ├── lighttpd-auth │ │ │ ├── mongodb-auth │ │ │ ├── monit │ │ │ ├── monitorix │ │ 
│ ├── mssql-auth │ │ │ ├── murmur │ │ │ ├── mysqld-auth │ │ │ ├── nagios │ │ │ ├── named-refused │ │ │ ├── nginx-bad-request │ │ │ ├── nginx-botsearch │ │ │ ├── nginx-forbidden │ │ │ ├── nginx-http-auth │ │ │ ├── nginx-limit-req │ │ │ ├── nsd │ │ │ ├── openhab │ │ │ ├── openvpn │ │ │ ├── openwebmail │ │ │ ├── oracleims │ │ │ ├── pam-generic │ │ │ ├── perdition │ │ │ ├── php-url-fopen │ │ │ ├── phpmyadmin-syslog │ │ │ ├── portsentry │ │ │ ├── postfix │ │ │ ├── proftpd │ │ │ ├── proxmox │ │ │ ├── pure-ftpd │ │ │ ├── qmail │ │ │ ├── recidive │ │ │ ├── roundcube-auth │ │ │ ├── routeros-auth │ │ │ ├── scanlogd │ │ │ ├── screensharingd │ │ │ ├── selinux-ssh │ │ │ ├── sendmail-auth │ │ │ ├── sendmail-reject │ │ │ ├── sieve │ │ │ ├── slapd │ │ │ ├── softethervpn │ │ │ ├── sogo-auth │ │ │ ├── solid-pop3d │ │ │ ├── squid │ │ │ ├── squirrelmail │ │ │ ├── sshd │ │ │ ├── sshd-journal │ │ │ ├── stunnel │ │ │ ├── suhosin │ │ │ ├── tine20 │ │ │ ├── traefik-auth │ │ │ ├── uwimap-auth │ │ │ ├── vaultwarden │ │ │ ├── vsftpd │ │ │ ├── webmin-auth │ │ │ ├── wuftpd │ │ │ ├── xinetd-fail │ │ │ ├── znc-adminlog │ │ │ ├── zoneminder │ │ │ ├── zzz-generic-example │ │ │ └── zzz-sshd-obsolete-multiline │ │ ├── test-ign-ips-file │ │ ├── testcase-journal.log │ │ ├── testcase-multiline.log │ │ ├── testcase-usedns.log │ │ ├── testcase-wrong-char.log │ │ ├── testcase01.log │ │ ├── testcase01a.log │ │ ├── testcase02.log │ │ ├── testcase03.log │ │ ├── testcase04.log │ │ └── zzz-sshd-obsolete-multiline.log │ ├── filtertestcase.py │ ├── misctestcase.py │ ├── observertestcase.py │ ├── samplestestcase.py │ ├── servertestcase.py │ ├── sockettestcase.py │ ├── tickettestcase.py │ └── utils.py └── version.py ├── files ├── bash-completion ├── cacti │ ├── README │ ├── cacti_host_template_fail2ban.xml │ └── fail2ban_stats.sh ├── debian-initd ├── fail2ban-logrotate ├── fail2ban-openrc.conf ├── fail2ban-openrc.init.in ├── fail2ban-tmpfiles.conf ├── fail2ban.service.in ├── fail2ban.upstart ├── gen_badbots ├── 
ipmasq-ZZZzzz_fail2ban.rul ├── logwatch │ ├── fail2ban │ ├── fail2ban-0.8.log │ └── fail2ban-0.9.log ├── macosx-initd ├── monit │ └── fail2ban ├── nagios │ ├── README │ └── check_fail2ban ├── redhat-initd ├── solaris-fail2ban.xml ├── solaris-svc-fail2ban └── suse-initd ├── kill-server ├── man ├── fail2ban-client.1 ├── fail2ban-client.h2m ├── fail2ban-python.1 ├── fail2ban-python.h2m ├── fail2ban-regex.1 ├── fail2ban-regex.h2m ├── fail2ban-server.1 ├── fail2ban-server.h2m ├── fail2ban-testcases.1 ├── fail2ban-testcases.h2m ├── fail2ban.1 ├── generate-man └── jail.conf.5 ├── setup.cfg └── setup.py /.codespellrc: -------------------------------------------------------------------------------- 1 | [codespell] 2 | # THANKS - names 3 | skip = .git,*.pdf,*.svg,venv,.codespellrc,.typos.toml,THANKS,*test*.log,logs 4 | check-hidden = true 5 | # Ignore all acronyms etc as plenty e.g. in fail2ban/server/strptime.py 6 | # Try to identify incomplete words which are part of a regex, hence having [] at the beginning 7 | # Ignore all urls as something with :// in it 8 | # Ignore all lines with codespell-ignore in them for pragma annotation 9 | ignore-regex = (\b([A-Z][A-Z][A-Z]+|gir\.st)\b)|\[[a-zA-Z]+\][a-z]+\b|[a-z]+://\S+|.*codespell-ignore.* 10 | # some oddly named variables, some names, etc 11 | # wee -- comes in regex etc for weeks 12 | ignore-words-list = assertIn,theis,timere,alls,wee,wight,ans,re-use,pre-emptive 13 | -------------------------------------------------------------------------------- /.coveragerc: -------------------------------------------------------------------------------- 1 | 2 | [run] 3 | branch = True 4 | source = 5 | config 6 | fail2ban 7 | 8 | [report] 9 | exclude_lines = 10 | pragma: ?no ?cover 11 | pragma: ?${F2B_PY}.x no ?cover 12 | pragma: ?systemd no ?cover 13 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | 
ChangeLog linguist-language=Markdown 2 | -------------------------------------------------------------------------------- /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | # These are supported funding model platforms 2 | 3 | github: [sebres] 4 | custom: [https://paypal.me/sebres] 5 | liberapay: sebres 6 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea or an enhancement for this project 4 | title: '[RFE]: ' 5 | labels: enhancement 6 | assignees: '' 7 | 8 | --- 9 | 10 | 16 | 17 | #### Feature request type 18 | 21 | 22 | #### Description 23 | 26 | 27 | #### Considered alternatives 28 | 31 | 32 | #### Any additional information 33 | 36 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | Before submitting your PR, please review the following checklist: 2 | 3 | - [ ] **CONSIDER adding a unit test** if your PR resolves an issue 4 | - [ ] **LIST ISSUES** this PR resolves or describe the approach in detail 5 | - [ ] **MAKE SURE** this PR doesn't break existing tests 6 | - [ ] **KEEP PR small** so it could be easily reviewed 7 | - [ ] **AVOID** making unnecessary stylistic changes in unrelated code 8 | - [ ] **ACCOMPANY** each new `failregex` for filter `X` with sample log lines 9 | (and `# failJSON`) within `fail2ban/tests/files/logs/X` file 10 | - [ ] **PROVIDE ChangeLog** entry describing the pull request 11 | -------------------------------------------------------------------------------- /.github/workflows/codespell.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Codespell 3 | 4 | on: 5 | push: 
6 | branches: [master] 7 | pull_request: 8 | branches: [master] 9 | 10 | permissions: 11 | contents: read 12 | 13 | jobs: 14 | codespell: 15 | name: Check for spelling errors 16 | runs-on: ubuntu-latest 17 | 18 | steps: 19 | - name: Checkout 20 | uses: actions/checkout@v3 21 | - name: Codespell 22 | uses: codespell-project/actions-codespell@v2 23 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *~ 2 | build 3 | dist 4 | *.pyc 5 | htmlcov 6 | .coverage 7 | *.orig 8 | *.rej 9 | *.bak 10 | __pycache__ 11 | .vagrant/ 12 | .idea/ 13 | .venv/ 14 | -------------------------------------------------------------------------------- /.mailmap: -------------------------------------------------------------------------------- 1 | Lee Clemens 2 | Serg G. Brester 3 | Serg G. Brester 4 | Serg G. Brester 5 | Viktor Szépe 6 | -------------------------------------------------------------------------------- /.pylintrc: -------------------------------------------------------------------------------- 1 | # Custom pylint configuration for the Fail2Ban project 2 | # 3 | # Set your PYLINTRC environment variable to point to this file 4 | # e.g. 5 | # export PYLINTRC=$PWD/.pylintrc 6 | 7 | [FORMAT] 8 | indent-string='\t' 9 | 10 | [BASIC] 11 | # Fail2Ban uses non-conventional to Python world camel-casing 12 | # These regexps were originally borrowed from 0.4.x series of 13 | # PyMVPA which had similar conventions. 
14 | 15 | # Regular expression which should only match correct module names 16 | module-rgx=(([a-z][a-z0-9_]*)|([A-Z][a-zA-Z0-9_]+))$ 17 | 18 | attr-rgx=[a-z_][a-zA-Z0-9_]{2,30} 19 | 20 | # Regular expression which should only match correct class names 21 | class-rgx=[A-Z_]+[a-zA-Z0-9]+$ 22 | 23 | # Regular expression which should only match correct function names 24 | function-rgx=[a-z_]+[a-z_][a-zA-Z0-9]*$ 25 | 26 | # Regular expression which should only match correct method names 27 | method-rgx=([a-z_]|__)[a-zA-Z0-9]*(__)?$ 28 | 29 | # Regular expression which should only match correct argument names 30 | argument-rgx=[a-z][a-zA-Z0-9]*_*[a-zA-Z0-9]*_*[a-zA-Z0-9]*_?$ 31 | 32 | # Regular expression which should only match correct variable names 33 | variable-rgx=([a-z_]+[a-zA-Z0-9]*_*[a-zA-Z0-9]*_*[a-zA-Z0-9]*_?||(__.*__))$||[A-Z] 34 | 35 | # Regular expression which should only match correct module level names 36 | # Default: (([A-Z_][A-Z1-9_]*)|(__.*__))$ 37 | const-rgx=([a-z_]+[a-zA-Z0-9]*_*[a-zA-Z0-9]*_*[a-zA-Z0-9]*_?|__.*__)$||[A-Z] 38 | -------------------------------------------------------------------------------- /.typos.toml: -------------------------------------------------------------------------------- 1 | [files] 2 | extend-exclude = [ 3 | ".git/", 4 | ".codespellrc", 5 | "fail2ban/tests/files/logs/", 6 | ] 7 | ignore-hidden = false 8 | 9 | [default] 10 | extend-ignore-re = [ 11 | "Christoph Theis", 12 | "\\[[0-9a-f]{7,8}\\]", 13 | "hash_[0-9a-f]{38}", 14 | "\t[0-9.-]+[ A-Z]+", 15 | "Erreur d'authentification", 16 | "WebEMailExtrac", 17 | "ssh2: RSA 14:ba:xx", 18 | "\\[Cc\\]lient", 19 | "\\[Gg\\]ot", 20 | "\\[nN\\]ot", 21 | "\\[Uu\\]nknown", 22 | "\\[uU\\]ser", 23 | "\\[Uu\\]\\(\\?:ser", 24 | ] 25 | 26 | [default.extend-words] 27 | "alls" = "alls" 28 | "helo" = "helo" 29 | 30 | [default.extend-identifiers] 31 | "failManager2nd" = "failManager2nd" 32 | "log2nd" = "log2nd" 33 | "routeros" = "routeros" 34 | "REFERERS" = "REFERERS" 35 | "tre_search" = 
"tre_search" 36 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | Guidelines on Fail2Ban contributions 2 | ==================================== 3 | 4 | ### You found a severe security vulnerability in Fail2Ban? 5 | email details to fail2ban-vulnerabilities at lists dot sourceforge dot net . 6 | 7 | ### You need some new features, you found bugs? 8 | visit [Issues](https://github.com/fail2ban/fail2ban/issues) 9 | and if your issue is not yet known -- file a bug report. See 10 | [Fail2Ban wiki](http://www.fail2ban.org/wiki/index.php/HOWTO_Seek_Help) 11 | on further instructions. 12 | 13 | ### You would like to troubleshoot or discuss? 14 | join the [mailing list](https://lists.sourceforge.net/lists/listinfo/fail2ban-users) 15 | 16 | ### You would like to contribute (new filters/actions/code/documentation)? 17 | send a [pull request](https://github.com/fail2ban/fail2ban/pulls) 18 | 19 | Pull requests guidelines 20 | ======================== 21 | 22 | - If there is an issue on github to be closed by the pull request, include 23 | ```Closes #ISSUE``` (where ISSUE is issue's number) 24 | 25 | - Add a brief summary of the change to the ChangeLog file into a corresponding 26 | section out of Fixes, New Features or Enhancements (improvements to existing 27 | features) 28 | -------------------------------------------------------------------------------- /MANIFEST.in: -------------------------------------------------------------------------------- 1 | include ChangeLog COPYING DEVELOP FILTERS README.* THANKS TODO CONTRIBUTING* Vagrantfile 2 | graft doc 3 | graft files 4 | recursive-include config *.conf *.py 5 | recursive-include config/filter.d/ignorecommands * 6 | -------------------------------------------------------------------------------- /TODO: -------------------------------------------------------------------------------- 1 | __ _ _ 
___ _ 2 | / _|__ _(_) |_ ) |__ __ _ _ _ 3 | | _/ _` | | |/ /| '_ \/ _` | ' \ 4 | |_| \__,_|_|_/___|_.__/\__,_|_||_| 5 | 6 | ================================================================================ 7 | ToDo 8 | ================================================================================ 9 | 10 | Legend: 11 | - not yet done 12 | ? maybe 13 | # partially done 14 | * done 15 | 16 | - Added tag for failregex. Add features using this information. Maybe add 17 | more tags 18 | 19 | - Look at the memory consumption. Decrease memory usage 20 | 21 | - More detailed statistics 22 | 23 | - Auto-enable function (search for log files), check modification date to see if 24 | service is still in use 25 | 26 | - Better handling of the protocol in transmitter.py 27 | 28 | - Add gettext support (I18N) 29 | 30 | # improve documentation and website for user 31 | 32 | # better return values in function 33 | -------------------------------------------------------------------------------- /Vagrantfile: -------------------------------------------------------------------------------- 1 | Vagrant.configure("2") do |config| 2 | 3 | config.vm.define "secure" do |secure| 4 | secure.vm.box = "ubuntu/trusty64" 5 | secure.vm.hostname = "secure.dev.fail2ban.org" 6 | secure.vm.network "private_network", ip: "192.168.200.100" 7 | 8 | # secure.vm.synced_folder 'salt/roots', '/srv/salt' 9 | 10 | # secure.vm.provision :salt do |salt| 11 | # salt.minion_config = 'salt/minion' 12 | # salt.run_highstate = true 13 | # salt.verbose = true 14 | # end 15 | end 16 | 17 | config.vm.define "attacker" do |attacker| 18 | attacker.vm.box = "ubuntu/trusty64" 19 | attacker.vm.hostname = "attacker.dev.fail2ban.org" 20 | attacker.vm.network "private_network", ip: "192.168.200.150" 21 | 22 | # attacker.vm.synced_folder 'salt/roots', '/srv/salt' 23 | 24 | # attacker.vm.provision :salt do |salt| 25 | # salt.minion_config = 'salt/minion' 26 | # salt.run_highstate = true 27 | # salt.verbose = true 28 | # end 29 | 
end 30 | end 31 | -------------------------------------------------------------------------------- /bin/fail2ban-client: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*- 3 | # vi: set ft=python sts=4 ts=4 sw=4 noet : 4 | 5 | # This file is part of Fail2Ban. 6 | # 7 | # Fail2Ban is free software; you can redistribute it and/or modify 8 | # it under the terms of the GNU General Public License as published by 9 | # the Free Software Foundation; either version 2 of the License, or 10 | # (at your option) any later version. 11 | # 12 | # Fail2Ban is distributed in the hope that it will be useful, 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | # GNU General Public License for more details. 16 | # 17 | # You should have received a copy of the GNU General Public License 18 | # along with Fail2Ban; if not, write to the Free Software 19 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 20 | 21 | """ 22 | Fail2Ban reads log file that contains password failure report 23 | and bans the corresponding IP addresses using firewall rules. 24 | 25 | This tools starts/stops fail2ban server or does client/server communication, 26 | to change/read parameters of the server or jails. 27 | 28 | """ 29 | 30 | __author__ = "Fail2Ban Developers" 31 | __copyright__ = "Copyright (c) 2004-2008 Cyril Jaquier, 2012-2014 Yaroslav Halchenko, 2014-2016 Serg G. 
Brester" 32 | __license__ = "GPL" 33 | 34 | from fail2ban.client.fail2banclient import exec_command_line, sys 35 | 36 | if __name__ == "__main__": 37 | exec_command_line(sys.argv) 38 | -------------------------------------------------------------------------------- /bin/fail2ban-regex: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*- 3 | # vi: set ft=python sts=4 ts=4 sw=4 noet : 4 | # 5 | # This file is part of Fail2Ban. 6 | # 7 | # Fail2Ban is free software; you can redistribute it and/or modify 8 | # it under the terms of the GNU General Public License as published by 9 | # the Free Software Foundation; either version 2 of the License, or 10 | # (at your option) any later version. 11 | # 12 | # Fail2Ban is distributed in the hope that it will be useful, 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | # GNU General Public License for more details. 16 | # 17 | # You should have received a copy of the GNU General Public License 18 | # along with Fail2Ban; if not, write to the Free Software 19 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 20 | """ 21 | Fail2Ban reads log file that contains password failure report 22 | and bans the corresponding IP addresses using firewall rules. 23 | 24 | This tools can test regular expressions for "fail2ban". 
25 | 26 | """ 27 | 28 | __author__ = "Fail2Ban Developers" 29 | __copyright__ = "Copyright (c) 2004-2008 Cyril Jaquier, 2012-2014 Yaroslav Halchenko" 30 | __license__ = "GPL" 31 | 32 | from fail2ban.client.fail2banregex import exec_command_line 33 | 34 | exec_command_line() 35 | -------------------------------------------------------------------------------- /bin/fail2ban-server: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | # emacs: -*- mode: python; py-indent-offset: 4; indent-tabs-mode: t -*- 3 | # vi: set ft=python sts=4 ts=4 sw=4 noet : 4 | 5 | # This file is part of Fail2Ban. 6 | # 7 | # Fail2Ban is free software; you can redistribute it and/or modify 8 | # it under the terms of the GNU General Public License as published by 9 | # the Free Software Foundation; either version 2 of the License, or 10 | # (at your option) any later version. 11 | # 12 | # Fail2Ban is distributed in the hope that it will be useful, 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | # GNU General Public License for more details. 16 | # 17 | # You should have received a copy of the GNU General Public License 18 | # along with Fail2Ban; if not, write to the Free Software 19 | # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 20 | 21 | """ 22 | Fail2Ban reads log file that contains password failure report 23 | and bans the corresponding IP addresses using firewall rules. 24 | 25 | This tool starts/stops fail2ban server or does client/server communication 26 | to change/read parameters of the server or jails. 27 | 28 | """ 29 | 30 | __author__ = "Fail2Ban Developers" 31 | __copyright__ = "Copyright (c) 2004-2008 Cyril Jaquier, 2012-2014 Yaroslav Halchenko, 2014-2016 Serg G. 
Brester" 32 | __license__ = "GPL" 33 | 34 | from fail2ban.client.fail2banserver import exec_command_line, sys 35 | 36 | if __name__ == "__main__": 37 | exec_command_line(sys.argv) 38 | -------------------------------------------------------------------------------- /config/action.d/apf.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # https://www.rfxn.com/projects/advanced-policy-firewall/ 3 | # 4 | # Note: APF doesn't play nicely with other actions. It has been observed to 5 | # remove bans created by other iptables based actions. If you are going to use 6 | # this action, use it for all of your jails. 7 | # 8 | # DON'T MIX APF and other IPTABLES based actions 9 | [Definition] 10 | 11 | actionstart = 12 | actionstop = 13 | actioncheck = 14 | actionban = apf --deny "banned by Fail2Ban " 15 | actionunban = apf --remove 16 | 17 | [Init] 18 | 19 | # Name used in APF configuration 20 | # 21 | name = default 22 | 23 | # DEV NOTES: 24 | # 25 | # Author: Mark McKinstry 26 | -------------------------------------------------------------------------------- /config/action.d/apprise.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Chris Caron 4 | # 5 | # 6 | 7 | [Definition] 8 | 9 | # Option: actionstart 10 | # Notes.: command executed once at the start of Fail2Ban. 11 | # Values: CMD 12 | # 13 | actionstart = printf %%b "The jail has been started successfully." | -t "[Fail2Ban] : started on `uname -n`" 14 | 15 | # Option: actionstop 16 | # Notes.: command executed once at the end of Fail2Ban 17 | # Values: CMD 18 | # 19 | actionstop = printf %%b "The jail has been stopped." 
| -t "[Fail2Ban] : stopped on `uname -n`" 20 | 21 | # Option: actioncheck 22 | # Notes.: command executed once before each actionban command 23 | # Values: CMD 24 | # 25 | actioncheck = 26 | 27 | # Option: actionban 28 | # Notes.: command executed when banning an IP. Take care that the 29 | # command is executed with Fail2Ban user rights. 30 | # Tags: See jail.conf(5) man page 31 | # Values: CMD 32 | # 33 | actionban = printf %%b "The IP has just been banned by Fail2Ban after attempts against " | -n "warning" -t "[Fail2Ban] : banned from `uname -n`" 34 | 35 | # Option: actionunban 36 | # Notes.: command executed when unbanning an IP. Take care that the 37 | # command is executed with Fail2Ban user rights. 38 | # Tags: See jail.conf(5) man page 39 | # Values: CMD 40 | # 41 | actionunban = 42 | 43 | [Init] 44 | 45 | # Define location of the default apprise configuration file to use 46 | # 47 | config = /etc/fail2ban/apprise.conf 48 | # 49 | apprise = apprise -c "" 50 | -------------------------------------------------------------------------------- /config/action.d/csf.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # http://configserver.com/cp/csf.html 3 | # 4 | # Note: CSF doesn't play nicely with other actions. It has been observed to 5 | # remove bans created by other iptables based actions. If you are going to use 6 | # this action, use it for all of your jails. 
7 | # 8 | # DON'T MIX CSF and other IPTABLES based actions 9 | 10 | [Definition] 11 | 12 | actionstart = 13 | actionstop = 14 | actioncheck = 15 | actionban = csf --deny "banned by Fail2Ban " 16 | actionunban = csf --denyrm 17 | 18 | [Init] 19 | 20 | # Name used in CSF configuration 21 | # 22 | name = default 23 | 24 | # DEV NOTES: 25 | # 26 | # based on apf.conf by Mark McKinstry 27 | -------------------------------------------------------------------------------- /config/action.d/firewallcmd-multiport.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Donald Yandt 4 | # Because of the --remove-rules in stop this action requires firewalld-0.3.8+ 5 | 6 | [INCLUDES] 7 | 8 | before = firewallcmd-common.conf 9 | 10 | [Definition] 11 | 12 | actionstart = firewall-cmd --direct --add-chain filter f2b- 13 | firewall-cmd --direct --add-rule filter f2b- 1000 -j RETURN 14 | firewall-cmd --direct --add-rule filter 0 -m conntrack --ctstate NEW -p -m multiport --dports -j f2b- 15 | 16 | actionstop = firewall-cmd --direct --remove-rule filter 0 -m conntrack --ctstate NEW -p -m multiport --dports -j f2b- 17 | firewall-cmd --direct --remove-rules filter f2b- 18 | firewall-cmd --direct --remove-chain filter f2b- 19 | 20 | # Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-apache-modsecurity$' 21 | 22 | actioncheck = firewall-cmd --direct --get-chains filter | sed -e 's, ,\n,g' | grep -q '^f2b-$' 23 | 24 | actionban = firewall-cmd --direct --add-rule filter f2b- 0 -s -j 25 | 26 | actionunban = firewall-cmd --direct --remove-rule filter f2b- 0 -s -j 27 | -------------------------------------------------------------------------------- /config/action.d/firewallcmd-rich-logging.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Authors: Donald Yandt, Sergey G. 
Brester 4 | # 5 | # Because of the rich rule commands, this action requires firewalld-0.3.1+ 6 | # This action uses firewalld rich-rules which gives you a cleaner iptables since it stores rules according to zones and not 7 | # by chain. So, for example, all deny rules will be listed under _deny and all log rules under _log. 8 | # 9 | # Also, this action logs banned access attempts so you can filter them and increase the ban time for offenders. 10 | # 11 | # If you use the --permanent rule you get an xml file in /etc/firewalld/zones/.xml that can be shared and parsed easily 12 | # 13 | # This is a derivative of firewallcmd-rich-rules.conf, see there for details and other parameters. 14 | 15 | [INCLUDES] 16 | 17 | before = firewallcmd-rich-rules.conf 18 | 19 | [Definition] 20 | 21 | rich-suffix = log prefix='f2b-' level='' limit value='/m' 22 | 23 | [Init] 24 | 25 | # log levels are "emerg", "alert", "crit", "error", "warning", "notice", "info" or "debug" 26 | level = info 27 | 28 | # log rate per minute 29 | rate = 1 30 | -------------------------------------------------------------------------------- /config/action.d/helpers-common.conf: -------------------------------------------------------------------------------- 1 | [DEFAULT] 2 | 3 | # Usage: 4 | # _grep_logs_args = 'test' 5 | # (printf %%b "Log-excerpt contains 'test':\n"; %(_grep_logs)s; printf %%b "Log-excerpt contains 'test':\n") | mail ... 
6 | # 7 | _grep_logs = logpath=""; grep %(_grep_logs_args)s $logpath | 8 | # options `-wF` are used to match only whole words and to treat the search term as a fixed string (not as a pattern) 9 | _grep_logs_args = -wF "" 10 | 11 | # Used for actions that should not be executed if the ticket was restored: 12 | _bypass_if_restored = if [ '' = '1' ]; then exit 0; fi; 13 | 14 | [Init] 15 | greplimit = tail -n 16 | grepmax = 1000 17 | grepopts = -m 18 | -------------------------------------------------------------------------------- /config/action.d/iptables-allports.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # Modified: Yaroslav O. Halchenko 5 | # made active on all ports from original iptables.conf 6 | # 7 | # Obsolete: superseded by iptables[type=allports] 8 | 9 | [INCLUDES] 10 | 11 | before = iptables.conf 12 | 13 | [Definition] 14 | 15 | type = allports 16 | -------------------------------------------------------------------------------- /config/action.d/iptables-ipset-proto6-allports.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Daniel Black 4 | # 5 | # This is for ipset protocol 6 (and hopefully later) (ipset v6.14). 6 | # Use ipset -V to see the protocol and version. Version 4 should use 7 | # iptables-ipset-proto4.conf. 8 | # 9 | # This requires the program ipset which is normally in a package called ipset. 10 | # 11 | # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels. 12 | # 13 | # If you are running on an older kernel you may need to patch in external 14 | # modules which probably won't be protocol version 6. 15 | # 16 | # Modified: Alexander Koeppe , Serg G. 
Brester 17 | # made config file IPv6 capable (see new section Init?family=inet6) 18 | # 19 | # Obsolete: superseded by iptables-ipset[type=allports] 20 | 21 | [INCLUDES] 22 | 23 | before = iptables-ipset.conf 24 | 25 | [Definition] 26 | 27 | type = allports 28 | -------------------------------------------------------------------------------- /config/action.d/iptables-ipset-proto6.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Daniel Black 4 | # 5 | # This is for ipset protocol 6 (and hopefully later) (ipset v6.14). 6 | # Use ipset -V to see the protocol and version. Version 4 should use 7 | # iptables-ipset-proto4.conf. 8 | # 9 | # This requires the program ipset which is normally in package called ipset. 10 | # 11 | # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels. 12 | # 13 | # If you are running on an older kernel you make need to patch in external 14 | # modules. 15 | # 16 | # Modified: Alexander Koeppe , Serg G. 
Brester 17 | # made config file IPv6 capable (see new section Init?family=inet6) 18 | # 19 | # Obsolete: superseded by iptables-ipset[type=multiport] 20 | 21 | [INCLUDES] 22 | 23 | before = iptables-ipset.conf 24 | 25 | [Definition] 26 | 27 | type = multiport 28 | -------------------------------------------------------------------------------- /config/action.d/iptables-multiport.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # Modified by Yaroslav Halchenko for multiport banning 5 | # 6 | # Obsolete: superseded by iptables[type=multiport] 7 | 8 | [INCLUDES] 9 | 10 | before = iptables.conf 11 | 12 | [Definition] 13 | 14 | type = multiport 15 | -------------------------------------------------------------------------------- /config/action.d/iptables-new.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # Copied from iptables.conf and modified by Yaroslav Halchenko 5 | # to fulfill the needs of bugreporter dbts#350746. 
6 | # 7 | # Obsolete: superseded by iptables[pre-rule='-m state --state NEW'] 8 | 9 | [INCLUDES] 10 | 11 | before = iptables.conf 12 | 13 | [Definition] 14 | 15 | pre-rule = -m state --state NEW -------------------------------------------------------------------------------- /config/action.d/mail-whois-common.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Common settings for mail actions 4 | # 5 | # Users can override the defaults in mail-whois-common.local 6 | 7 | [INCLUDES] 8 | 9 | # Load customizations if any available 10 | after = mail-whois-common.local 11 | 12 | [DEFAULT] 13 | #original character set of whois output will be sent to mail program 14 | _whois = whois || echo "missing whois program" 15 | 16 | # use heuristics to convert charset of whois output to a target 17 | # character set before sending it to a mail program 18 | # make sure you have 'file' and 'iconv' commands installed when opting for that 19 | _whois_target_charset = UTF-8 20 | _whois_convert_charset = (%(_whois)s) | 21 | { WHOIS_OUTPUT=$(cat) ; WHOIS_CHARSET=$(printf %%b "$WHOIS_OUTPUT" | file -b --mime-encoding -) ; printf %%b "$WHOIS_OUTPUT" | iconv -f $WHOIS_CHARSET -t %(_whois_target_charset)s//TRANSLIT - ; } 22 | 23 | # choose between _whois and _whois_convert_charset in mail-whois-common.local 24 | # or other *.local which include mail-whois-common.conf. 
25 | _whois_command = %(_whois)s 26 | #_whois_command = %(_whois_convert_charset)s 27 | 28 | [Init] 29 | -------------------------------------------------------------------------------- /config/action.d/netscaler.conf: -------------------------------------------------------------------------------- 1 | # Fail2ban Citrix Netscaler Action 2 | # by Juliano Jeziorny 3 | # juliano@jeziorny.eu 4 | # 5 | # The script will add offender IPs to a dataset on netscaler, the dataset can then be used to block the IPs at a cs/vserver or global level 6 | # This dataset is then used to block IPs using responder policies on the netscaler. 7 | # 8 | # The script assumes using HTTPS with an insecure certificate to access the netscaler, so the curl lines pass -k, which disables certificate verification; 9 | # if you have a valid certificate installed remove the -k from the curl lines, or if you want http change it accordingly (and remove the -k); note that plain http sends ns_auth unencrypted 10 | # 11 | # This action depends on curl 12 | # 13 | # You need to populate the 3 options inside Init 14 | # 15 | # ns_host: IP or hostname of netscaler appliance 16 | # ns_auth: username:password, base64 encoded as the Basic Authorization header expects (echo -n "username:password" | base64); base64 is an encoding, not encryption, so treat this value as a plaintext credential 17 | # ns_dataset: Name of the netscaler dataset holding the IPs to be blocked. 
18 | # 19 | # For further details on how to use it please check http://blog.ckzone.eu/2017/01/fail2ban-action-for-citrix-netscaler.html 20 | 21 | [Init] 22 | ns_host = 23 | ns_auth = 24 | ns_dataset = 25 | 26 | [Definition] 27 | actionstart = curl -kH 'Authorization: Basic ' https:///nitro/v1/config 28 | 29 | actioncheck = 30 | 31 | actionban = curl -k -H 'Authorization: Basic ' -X PUT -d '{"policydataset_value_binding":{"name":"","value":""}}' https:///nitro/v1/config/ 32 | 33 | actionunban = curl -H 'Authorization: Basic ' -X DELETE -k "https:///nitro/v1/config/policydataset_value_binding/?args=value:" 34 | -------------------------------------------------------------------------------- /config/action.d/nftables-allports.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # Modified: Yaroslav O. Halchenko 5 | # made active on all ports from original iptables.conf 6 | # Modified: Alexander Belykh 7 | # adapted for nftables 8 | # 9 | # Obsolete: superseded by nftables[type=allports] 10 | 11 | [INCLUDES] 12 | 13 | before = nftables.conf 14 | 15 | [Definition] 16 | 17 | type = allports 18 | -------------------------------------------------------------------------------- /config/action.d/nftables-multiport.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # Modified: Yaroslav O. 
Halchenko 5 | # made active on all ports from original iptables.conf 6 | # Modified: Alexander Belykh 7 | # adapted for nftables 8 | # 9 | # Obsolete: superseded by nftables[type=multiport] 10 | 11 | [INCLUDES] 12 | 13 | before = nftables.conf 14 | 15 | [Definition] 16 | 17 | type = multiport -------------------------------------------------------------------------------- /config/action.d/osx-afctl.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file for using afctl on Mac OS X Server 10.5 2 | # 3 | # Anonymous author 4 | # http://www.fail2ban.org/wiki/index.php?title=HOWTO_Mac_OS_X_Server_(10.5)&diff=prev&oldid=4081 5 | # 6 | # Ref: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/afctl.8.html 7 | 8 | [Definition] 9 | actionstart = 10 | actionstop = 11 | actioncheck = 12 | actionban = /usr/libexec/afctl -a -t 13 | actionunban = /usr/libexec/afctl -r 14 | 15 | actionprolong = %(actionunban)s && %(actionban)s 16 | 17 | -------------------------------------------------------------------------------- /config/action.d/route.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Michael Gebetsroither 4 | # 5 | # This is for blocking whole hosts through blackhole routes. 6 | # 7 | # PRO: 8 | # - Works on all kernel versions and as no compatibility problems (back to debian lenny and WAY further). 9 | # - It's FAST for very large numbers of blocked ips. 10 | # - It's FAST because it Blocks traffic before it enters common iptables chains used for filtering. 11 | # - It's per host, ideal as action against ssh password bruteforcing to block further attack attempts. 
12 | # - No additional software required beside iproute/iproute2 13 | # 14 | # CON: 15 | # - Blocking is per IP and NOT per service, but ideal as action against ssh password bruteforcing hosts 16 | 17 | [Definition] 18 | actionban = ip route add 19 | actionunban = ip route del 20 | actioncheck = 21 | actionstart = 22 | actionstop = 23 | 24 | [Init] 25 | 26 | # Option: blocktype 27 | # Note: Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages. 28 | # Values: STRING 29 | blocktype = unreachable 30 | -------------------------------------------------------------------------------- /config/action.d/sendmail-whois-ipjailmatches.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # 5 | # 6 | 7 | [INCLUDES] 8 | 9 | before = sendmail-common.conf 10 | mail-whois-common.conf 11 | 12 | [Definition] 13 | 14 | # bypass ban/unban for restored tickets 15 | norestored = 1 16 | 17 | # Option: actionban 18 | # Notes.: command executed when banning an IP. Take care that the 19 | # command is executed with Fail2Ban user rights. 
20 | # Tags: See jail.conf(5) man page 21 | # Values: CMD 22 | # 23 | actionban = printf %%b "Subject: [Fail2Ban] : banned from 24 | Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` 25 | From: <> 26 | To: \n 27 | Hi,\n 28 | The IP has just been banned by Fail2Ban after 29 | attempts against .\n\n 30 | Here is more information about :\n 31 | `%(_whois_command)s`\n\n 32 | Matches for with failures IP:\n 33 | \n\n 34 | Regards,\n 35 | Fail2Ban" | 36 | 37 | [Init] 38 | 39 | # Default name of the chain 40 | # 41 | name = default 42 | -------------------------------------------------------------------------------- /config/action.d/sendmail-whois-ipmatches.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # 5 | # 6 | 7 | [INCLUDES] 8 | 9 | before = sendmail-common.conf 10 | mail-whois-common.conf 11 | 12 | [Definition] 13 | 14 | # bypass ban/unban for restored tickets 15 | norestored = 1 16 | 17 | # Option: actionban 18 | # Notes.: command executed when banning an IP. Take care that the 19 | # command is executed with Fail2Ban user rights. 
20 | # Tags: See jail.conf(5) man page 21 | # Values: CMD 22 | # 23 | actionban = printf %%b "Subject: [Fail2Ban] : banned from 24 | Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` 25 | From: <> 26 | To: \n 27 | Hi,\n 28 | The IP has just been banned by Fail2Ban after 29 | attempts against .\n\n 30 | Here is more information about :\n 31 | `%(_whois_command)s`\n\n 32 | Matches with failures IP:\n 33 | \n\n 34 | Regards,\n 35 | Fail2Ban" | 36 | 37 | [Init] 38 | 39 | # Default name of the chain 40 | # 41 | name = default 42 | -------------------------------------------------------------------------------- /config/action.d/sendmail-whois-lines.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # 5 | # 6 | 7 | [INCLUDES] 8 | 9 | before = sendmail-common.conf 10 | mail-whois-common.conf 11 | helpers-common.conf 12 | 13 | [Definition] 14 | 15 | # bypass ban/unban for restored tickets 16 | norestored = 1 17 | 18 | # Option: actionban 19 | # Notes.: command executed when banning an IP. Take care that the 20 | # command is executed with Fail2Ban user rights. 
21 | # Tags: See jail.conf(5) man page 22 | # Values: CMD 23 | # 24 | actionban = ( printf %%b "Subject: [Fail2Ban] : banned from 25 | Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` 26 | From: <> 27 | To: \n 28 | Hi,\n 29 | The IP has just been banned by Fail2Ban after 30 | attempts against .\n\n 31 | Here is more information about :\n" 32 | %(_whois_command)s; 33 | printf %%b "\nLines containing failures of (max )\n"; 34 | %(_grep_logs)s; 35 | printf %%b "\n 36 | Regards,\n 37 | Fail2Ban" ) | 38 | 39 | [Init] 40 | 41 | # Default name of the chain 42 | # 43 | name = default 44 | 45 | # Path to the log files which contain relevant lines for the abuser IP 46 | # 47 | logpath = /dev/null 48 | 49 | # Number of log lines to include in the email 50 | # 51 | #grepmax = 1000 52 | #grepopts = -m 53 | -------------------------------------------------------------------------------- /config/action.d/sendmail-whois-matches.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # 5 | # 6 | 7 | [INCLUDES] 8 | 9 | before = sendmail-common.conf 10 | mail-whois-common.conf 11 | 12 | [Definition] 13 | 14 | # bypass ban/unban for restored tickets 15 | norestored = 1 16 | 17 | # Option: actionban 18 | # Notes.: command executed when banning an IP. Take care that the 19 | # command is executed with Fail2Ban user rights. 
20 | # Tags: See jail.conf(5) man page 21 | # Values: CMD 22 | # 23 | actionban = printf %%b "Subject: [Fail2Ban] : banned from 24 | Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` 25 | From: <> 26 | To: \n 27 | Hi,\n 28 | The IP has just been banned by Fail2Ban after 29 | attempts against .\n\n 30 | Here is more information about :\n 31 | `%(_whois_command)s`\n\n 32 | Matches:\n 33 | \n\n 34 | Regards,\n 35 | Fail2Ban" | 36 | 37 | [Init] 38 | 39 | # Default name of the chain 40 | # 41 | name = default 42 | -------------------------------------------------------------------------------- /config/action.d/sendmail-whois.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # 5 | # 6 | 7 | [INCLUDES] 8 | 9 | before = sendmail-common.conf 10 | mail-whois-common.conf 11 | 12 | [Definition] 13 | 14 | # bypass ban/unban for restored tickets 15 | norestored = 1 16 | 17 | # Option: actionban 18 | # Notes.: command executed when banning an IP. Take care that the 19 | # command is executed with Fail2Ban user rights. 
20 | # Tags: See jail.conf(5) man page 21 | # Values: CMD 22 | # 23 | actionban = printf %%b "Subject: [Fail2Ban] : banned from 24 | Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` 25 | From: <> 26 | To: \n 27 | Hi,\n 28 | The IP has just been banned by Fail2Ban after 29 | attempts against .\n\n 30 | Here is more information about :\n 31 | `%(_whois_command)s`\n 32 | Regards,\n 33 | Fail2Ban" | 34 | 35 | [Init] 36 | 37 | # Default name of the chain 38 | # 39 | name = default 40 | 41 | -------------------------------------------------------------------------------- /config/action.d/sendmail.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban configuration file 2 | # 3 | # Author: Cyril Jaquier 4 | # 5 | # 6 | 7 | [INCLUDES] 8 | 9 | before = sendmail-common.conf 10 | 11 | [Definition] 12 | 13 | # bypass ban/unban for restored tickets 14 | norestored = 1 15 | 16 | # Option: actionban 17 | # Notes.: command executed when banning an IP. Take care that the 18 | # command is executed with Fail2Ban user rights. 
19 | # Tags: See jail.conf(5) man page 20 | # Values: CMD 21 | # 22 | actionban = printf %%b "Subject: [Fail2Ban] : banned from 23 | Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` 24 | From: <> 25 | To: \n 26 | Hi,\n 27 | The IP has just been banned by Fail2Ban after 28 | attempts against .\n 29 | Regards,\n 30 | Fail2Ban" | 31 | 32 | [Init] 33 | 34 | # Default name of the chain 35 | # 36 | name = default 37 | 38 | -------------------------------------------------------------------------------- /config/filter.d/3proxy.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban filter for 3proxy 2 | # 3 | # 4 | 5 | [Definition] 6 | 7 | 8 | failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ :\d+ [\d.]+:\d+ \d+ \d+ \d+\s 9 | 10 | ignoreregex = 11 | 12 | datepattern = {^LN-BEG} 13 | 14 | # DEV Notes: 15 | # http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are 16 | # all authentication problems (%E field) 17 | # Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T" 18 | # 19 | # Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246 20 | # Author: Daniel Black 21 | -------------------------------------------------------------------------------- /config/filter.d/apache-botsearch.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban filter to match web requests for selected URLs that don't exist 2 | # 3 | # This filter is aimed at blocking specific URLs that don't exist. This 4 | # could be a set of URLs placed in a Disallow: directive in robots.txt or 5 | # just some web services that don't exist, because bots are searching for 6 | # exploitable content. This filter is designed to have a low false positive 7 | # rate. 8 | # 9 | # An alternative to this is the apache-noscript filter which blocks all 10 | # types of scripts that don't exist. 
11 | # 12 | # 13 | # This is normally a predefined list of exploitable or valuable web services 14 | # that are hidden or aren't actually installed. 15 | # 16 | 17 | [INCLUDES] 18 | 19 | # overwrite with apache-common.local if _apache_error_client is incorrect. 20 | # Load regexes for filtering from botsearch-common.conf 21 | before = apache-common.conf 22 | botsearch-common.conf 23 | 24 | [Definition] 25 | 26 | prefregex = ^%(_apache_error_client)s (?:AH\d+: )?.+$ 27 | 28 | failregex = ^(?:File does not exist|script not found or unable to stat): (, referer: \S+)?\s*$ 29 | ^script '' not found or unable to stat(, referer: \S+)?\s*$ 30 | 31 | ignoreregex = 32 | 33 | # Webroot represents the webroot on which all other files are based 34 | webroot = /var/www/ 35 | 36 | 37 | # DEV Notes: 38 | # 39 | # Author: Daniel Black 40 | -------------------------------------------------------------------------------- /config/filter.d/apache-fakegooglebot.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban filter for fake Googlebot User Agents 2 | 3 | [Definition] 4 | 5 | failregex = ^\s* \S+ \S+(?: \S+)?\s+\S+ "[A-Z]+ /\S* [^"]*" \d+ \d+ \"[^"]*\" "[^"]*\bGooglebot/[^"]*" 6 | 7 | ignoreregex = 8 | 9 | datepattern = ^[^\[]*(\[{DATE}\s*\]) 10 | {^LN-BEG} 11 | 12 | # DEV Notes: 13 | # 14 | # Author: Lee Clemens 15 | # Thanks: Johannes B. Ullrich, Ph.D. 16 | # Reference: https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/ 17 | -------------------------------------------------------------------------------- /config/filter.d/apache-modsecurity.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban apache-modsec filter 2 | # 3 | 4 | [INCLUDES] 5 | 6 | # Read common prefixes. If any customizations available -- read them from 7 | # apache-common.local 8 | before = apache-common.conf 9 | 10 | [Definition] 11 | 12 | 13 | failregex = ^%(_apache_error_client)s(?: \[client [^\]]+\])? 
ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d 14 | 15 | ignoreregex = 16 | 17 | # https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats 18 | # Author: Daniel Black 19 | # Sergey G. Brester aka sebres (review, optimization) 20 | -------------------------------------------------------------------------------- /config/filter.d/apache-nohome.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban filter to match web requests for home directories on Apache servers 2 | # 3 | # Regex to match failures to find a home directory on a server, which 4 | # became popular recently. Most often the attacker just uses the IP instead of a 5 | # domain name -- so expect to see them in the generic error.log if you have 6 | # per-domain log files. 7 | 8 | [INCLUDES] 9 | 10 | # overwrite with apache-common.local if _apache_error_client is incorrect. 11 | before = apache-common.conf 12 | 13 | [Definition] 14 | 15 | 16 | failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.* 17 | 18 | ignoreregex = 19 | 20 | # Author: Yaroslav O. Halchenko 21 | -------------------------------------------------------------------------------- /config/filter.d/apache-noscript.conf: -------------------------------------------------------------------------------- 1 | # Fail2Ban filter to block web requests for scripts (on non scripted websites) 2 | # 3 | # This matches many types of scripts that don't exist. This could generate a 4 | # lot of false positive matches in cases like wikis and forums where users 5 | # not affiliated with the website can insert links to missing files/scripts into 6 | # pages and cause non-malicious browsers of the site to trigger against this 7 | # filter. 8 | # 9 | # If you'd like to match specific URLs that don't exist see the 10 | # apache-botsearch filter. 11 | # 12 | 13 | [INCLUDES] 14 | 15 | # overwrite with apache-common.local if _apache_error_client is incorrect. 
16 | before = apache-common.conf 17 | 18 | [Definition] 19 | 20 | script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/) 21 | 22 | prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?=(?:[Ff]ile|[Ss]cript|[Gg]ot error|stderr from) ).+$ 23 | 24 | failregex = ^(?:(?:[Ff]ile does not exist|[Ss]cript not found or unable to stat):