path: root/debian13/etc/fail2ban/jail.local
# My personal fail2ban jail config :)
#
# It's a really evil config: you should raise the value of
# "maxretry" across the file and lower bantime
# so you don't block legitimate users (like you).
#
# For the "filters", see /etc/fail2ban/filter.d/
# (these are files managed by Fail2Ban and your package manager)


# Default values
# They can be overridden in each jail section below

[DEFAULT]
# Length of a ban, and the window in which failures are counted.
# Jails below that set no value of their own inherit these.
bantime = 24h
findtime = 6h
# Addresses that were banned before get progressively longer bans.
bantime.increment = true
# A ban is issued once two matching log lines are seen within findtime.
maxretry = 2
# Banned addresses are blocked on every port, not only the jail's "port".
# NOTE(review): setting "action" here replaces the stock action chain, so a
# banaction chosen by the distribution's defaults is bypassed and the
# iptables command must be present on the host - confirm on Debian 13.
action = iptables-allports
# NOTE(review): with a file-watching backend, an enabled jail whose logpath
# does not exist as a file (e.g. a service that logs only to the journal)
# presumably cannot start - check each jail with
# "fail2ban-client status <jail>" after a restart.
backend = auto
# Addresses and networks listed in ignoreip are never banned, by any jail.
# Put the local range of your network here if desired (this example covers
# 192.168.0.x) and keep it as narrow as possible: every host inside it is
# exempt from all the rules in this file.
ignoreip = 192.168.0.0/24

# SSH
# Enable it if you use SSH outside of your local network.

[sshd]
# While this is false, failed SSH logins are not acted on by fail2ban.
enabled = false
port = ssh
# sshd_log is interpolated from a variable defined outside this file.
# NOTE(review): this jail inherits "backend = auto" from [DEFAULT]; before
# enabling it, confirm the path sshd_log resolves to exists on this host,
# or give this jail its own backend.
logpath = %(sshd_log)s
# Per-jail overrides of [DEFAULT]: three failures within 3600 s lead to a
# ban of 3700 s (bare numbers are seconds).
maxretry = 3
bantime = 3700
findtime = 3600

# Nginx configuration
# On debian 13 (for now) the nginx filters don't work
# if we don't define "backend = auto" (See [DEFAULT] section)
# They also don't work without specifying the logpath

[nginx-bad-request]
# No maxretry/bantime here, so the [DEFAULT] values apply: two matching
# lines within 6h ban the client on all ports for 24h (growing on repeats).
enabled = true
port = http,https
# Matches are searched for in the nginx access log.
logpath = /var/log/nginx/access.log
# The match patterns live in the filter of the same name, not in this file.
filter = nginx-bad-request

[nginx-botsearch]
# Inherits maxretry = 2, findtime = 6h and bantime = 24h from [DEFAULT], so
# two matching requests in the access log are enough for an all-ports ban.
enabled = true
port = http,https
logpath = /var/log/nginx/access.log
# What counts as a bot probe is decided by this filter's patterns, which
# are not shown here; review them if legitimate clients get banned.
filter = nginx-botsearch

# Only triggers if limit req is enabled in your nginx conf
# See mine at etc/nginx/conf.d/antispam.conf
# And the line in etc/nginx/sites-available/mielota.com
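[nginx-limit-req]
# Inherits maxretry, findtime, bantime and the ban action from [DEFAULT].
enabled = true
port = http,https
# The option name is "logpath" (no underscore); fail2ban does not read a
# "log_path" key, so a path given under that name is silently ignored.
# nginx records limit_req rejections in its error log.
logpath = /var/log/nginx/error.log
filter = nginx-limit-req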

[nginx-forbidden]
# Inherits maxretry, findtime, bantime and the ban action from [DEFAULT].
enabled = true
port = http,https
# Two files are watched: the indented second line continues the logpath
# value, so it must stay indented.
logpath = /var/log/nginx/access.log
          /var/log/nginx/error.log
filter = nginx-forbidden

# [nginx-error-common]
# enabled = true
# port = http,https
# logpath = /var/log/nginx/access.log
#           /var/log/nginx/error.log
# filter = nginx-error-common

# [nginx-http-auth]
# enabled = true
# port = http,https
# logpath = /var/log/nginx/access.log
#           /var/log/nginx/error.log
# filter = nginx-http-auth

# EMAIL SERVER CONFIGURATION
# HARDENED https://github.com/lukesmithxyz/emailwiz

# If you used emailwiz.sh, the script created a file named
# emailwiz.local in etc/fail2ban/jail.d/
# Remove it if you are going to use the configuration below

[postfix-sasl]
enabled = true
# Intended as "ban on the first failed SASL login". A single mistyped
# password from a legitimate mail client then blocks that address on every
# port for the [DEFAULT] bantime (24h, growing on repeats).
# NOTE(review): 0 presumably behaves like 1 - confirm with
# "fail2ban-client get postfix-sasl maxretry" and a test login.
maxretry = 0

[sieve]
enabled = true
# Ban on the first matching log line; bantime, findtime and the all-ports
# action come from [DEFAULT]. No logpath is set here, so it comes from
# configuration outside this file.
maxretry = 0

[postfix]
enabled = true
# "aggressive" selects a wider set of match patterns in the postfix filter
# (defined in the filter file, not shown here).
# NOTE(review): combined with first-match banning below, check the ban list
# for other mail servers that deliver to you; a remote MTA that trips one
# pattern once would be blocked on all ports for 24h.
mode = aggressive
# Ban on the first matching log line.
maxretry = 0

[dovecot]
enabled = true
# Wider pattern set of the dovecot filter (defined outside this file).
mode = aggressive
# Ban on the first matching log line: one failed IMAP/POP3 login from a
# legitimate user is enough for a 24h all-ports ban ([DEFAULT] bantime).
# Keep a way in that does not depend on the banned address.
maxretry = 0