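# My personal fail2ban jail config :)
#
# It's a really evil config, you should raise the value of
# "maxretry" across the file and lower bantime
# to not block legitimate users (like you).
#
# For the "filters", see /etc/fail2ban/filter.d/
# (these are files managed by Fail2Ban and your Package Manager)

# Default values
# They can be overridden by each subsection
[DEFAULT]
# Ban length, and the window in which failures are counted.
bantime = 24h
findtime = 6h
# Repeat offenders get progressively longer bans.
bantime.increment = true
# Number of failures inside findtime that triggers a ban.
maxretry = 2
# Blocks the offending address on every port, not only the jail's port.
# NOTE(review): this action shells out to iptables; on a host that only
# ships nftables, confirm the iptables compatibility package is installed,
# otherwise bans are logged but never enforced.
action = iptables-allports
backend = auto

# ignoreip won't ban specified IP addresses
# Put the local IPs of your network if desired
# For example if they all start with 192.168.0
# Every address listed here is exempt from ALL jails, so keep the range as
# narrow as you can: a compromised machine inside it is never banned.
ignoreip = 192.168.0.0/24

# SSH
# Enable it if you use SSH outside of your local network.
[sshd]
enabled = false
port = ssh
logpath = %(sshd_log)s
maxretry = 3
# Plain integers are seconds; these override the [DEFAULT] 24h / 6h values.
bantime = 3700
findtime = 3600

# Nginx configuration
# On debian 13 (for now) the nginx filters don't work
# if we don't define "backend = auto" (See [DEFAULT] section)
# They also don't work without specifying the logpath
[nginx-bad-request]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
filter = nginx-bad-request

[nginx-botsearch]
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
filter = nginx-botsearch

# Only triggers if limit req is enabled in your nginx conf
# See mine at etc/nginx/conf.d/antispam.conf
# And the line in etc/nginx/sites-available/mielota.com
[nginx-limit-req]
enabled = true
port = http,https
# The option name is "logpath" (no underscore). A misspelled key is not read
# as the log path, so this jail would not be watching the file named here.
logpath = /var/log/nginx/error.log
filter = nginx-limit-req

[nginx-forbidden]
enabled = true
port = http,https
# One path per line; continuation lines must stay indented.
logpath = /var/log/nginx/access.log
          /var/log/nginx/error.log
filter = nginx-forbidden

# [nginx-error-common]
# enabled = true
# port = http,https
# logpath = /var/log/nginx/access.log
#           /var/log/nginx/error.log
# filter = nginx-error-common

# [nginx-http-auth]
# enabled = true
# port = http,https
# logpath = /var/log/nginx/access.log
#           /var/log/nginx/error.log
# filter = nginx-http-auth

# EMAIL SERVER CONFIGURATION
# HARDENED
# https://github.com/lukesmithxyz/emailwiz
# If you used emailwiz.sh, the script created a file named
# emailwiz.local in etc/fail2ban/jail.d/
# Remove it if you are going to use the configuration below
#
# NOTE(review): "maxretry = 0" is presumably meant as "ban on the very first
# failure". Confirm your fail2ban version treats 0 that way; "maxretry = 1"
# is the explicit form. After any change, check that each jail is loaded and
# reading the expected log with "fail2ban-client status <jail>".
[postfix-sasl]
enabled = true
maxretry = 0

[sieve]
enabled = true
maxretry = 0

[postfix]
enabled = true
mode = aggressive
maxretry = 0

[dovecot]
enabled = true
mode = aggressive
maxretry = 0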