Diffstat (limited to 'debian13/etc/fail2ban')
| -rw-r--r-- | debian13/etc/fail2ban/jail.local | 107 |
1 files changed, 107 insertions, 0 deletions
diff --git a/debian13/etc/fail2ban/jail.local b/debian13/etc/fail2ban/jail.local
new file mode 100644
index 0000000..2202c3e
--- /dev/null
+++ b/debian13/etc/fail2ban/jail.local
@@ -0,0 +1,107 @@
+# My personnal fail2ban jail config :)
+#
+# It's a really evil config, you should raise the value of
+# "maxretry" accross the file and lower bantime
+# to not block legitimate users (like you).
+#
+# For the "filters", see /etc/fail2ban/filters.d/
+# (these are files managed by Fail2Ban and your Package Manager)
+
+
+# Default values
+# They can be overriden by each subsections
+
+[DEFAULT]
+bantime = 24h
+findtime = 6h
+bantime.increment = true
+maxretry = 2
+action = iptables-allports
+backend = auto
+# ignoreip won't ban specified IP addresses
+# Put the local IPs of your network if desired
+# For example if they all start with 192.168.0
+ignoreip = 192.168.0.0/24
+
+# SSH
+# Enable it if you use SSH outside of your local network.
+
+[sshd]
+enabled = false
+port = ssh
+logpath = %(sshd_log)s
+maxretry = 3
+bantime = 3700
+findtime = 3600
+
+# Nginx configuration
+# On debian 13 (for now) the nginx filters don't work
+# if we don't define "backend = auto" (See [DEFAULT] section)
+# They also don't work without specifying the logpath
+
+[nginx-bad-request]
+enabled = true
+port = http,https
+logpath = /var/log/nginx/access.log
+filter = nginx-bad-request
+
+[nginx-botsearch]
+enabled = true
+port = http,https
+logpath = /var/log/nginx/access.log
+filter = nginx-botsearch
+
+# Only triggers if limit req is enabled in your nginx conf
+# See mine at etc/nginx/conf.d/antispam.conf
+# And the line in etc/nginx/sites-available/mielota.com
+[nginx-limit-req]
+enabled = true
+port = http,https
+log_path = /var/log/nginx/error.log
+filter = nginx-limit-req
+
+[nginx-forbidden]
+enabled = true
+port = http,https
+logpath = /var/log/nginx/access.log
+ /var/log/nginx/error.log
+filter = nginx-forbidden
+
+# [nginx-error-common]
+# enabled = true
+# port = http,https
+# logpath = /var/log/nginx/access.log
+# /var/log/nginx/error.log
+# filter = nginx-error-common
+
+# [nginx-http-auth]
+# enabled = true
+# port = http,https
+# logpath = /var/log/nginx/access.log
+# /var/log/nginx/error.log
+# filter = nginx-http-auth
+
+# EMAIL SERVER CONFIGURATION
+# HARDENED https://github.com/lukesmithxyz/emailwiz
+
+# If you used emailwiz.sh, the script created a file named
+# emailwiz.local in etc/fail2ban/jail.d/
+# Remove it if you are going to use the configuration below
+
+[postfix-sasl]
+enabled = true
+maxretry = 0
+
+[sieve]
+enabled = true
+maxretry = 0
+
+[postfix]
+enabled = true
+mode = aggressive
+maxretry = 0
+
+[dovecot]
+enabled = true
+mode = aggressive
+maxretry = 0
|
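Review bot: In `[nginx-limit-req]` the key is spelled `log_path`, while every other jail in the file uses `logpath`. As far as I know fail2ban has no `log_path` option, so the path given here is not applied; the jail either falls back to whatever jail.conf defines or, going by the comment above the nginx jails, does not work at all. The line should read `logpath = /var/log/nginx/error.log`. Separately, `maxretry = 0` on the four mail jails, together with `bantime = 24h`, `bantime.increment = true` and an `ignoreip` of only 192.168.0.0/24, means a single mistyped password from a remote mail client locks that address out for a day or longer. If ban-on-first-failure is really intended, `maxretry = 1` states it explicitly, and a comment above these jails should record the choice.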
