Extension:Fail2Log

The Fail2Log extension creates a log file containing IP addresses of IP's that tried to login with an incorrect username and/or password

NOTES:
 * Only tested on Ubuntu 20.04 with Mediawiki 1.35
 * TODO: have PHP create log file with correct permissions
 * place holder for text editor of your choice.

Create Log file
Could not get PHP to create and set permissions for log file: So for now doing manually!

Failed login's with wrong user name and/or password should now be logged in:

Log Format:

Check installed on

Manually install Fail2Log
In extension Directory create directory for extension with an 'includes' sub directory:

Create extension.json file in Fail2Log extension directory

{       "name": "Fail2Log", "author": "Ozan Salih", "url": "https://github.com/greenhatmonkey/Fail2Log", "description": "Log IPs who failed username and/or password.", "version": "0.0.1", "license-name": "CC0", "requires": { "MediaWiki": ">= 1.25" },

"AutoloadClasses": { "Fail2LogClass": "includes/Fail2Log.php" },       "Hooks": { "AuthManagerLoginAuthenticateAudit": "Fail2LogClass::onAuthManagerLoginAuthenticateAudit" } }

Create extension php file in  directory

status === AuthenticationResponse::FAIL ) { error_log ( "Failed:$ip $time $username\n", 3, $wgFail2LogFile ); }   } }

Append to LocalSettings.php

wfLoadExtension ( 'Fail2Log' ); $wgFail2LogFile = '/var/log/Fail2Log.log';
 * 1) wgFail2LogFile = '/path/to/logfile'; need to manually create log file and change permissions

Create Log File manually

Failed login's with wrong user name and/or password should now be logged in:

Log Format:

Using With Fail2Ban
Fail2Ban works in a container. If using fail2ban on Host for container: Just include log path:


 * Fail2ban will use file.local over file.conf if file.local exists:
 * file.conf can be written over if file2ban gets updated.
 * Make a file.local of the file you are working on.

Default  file: Expand to view


 * 1) WARNING: heavily refactored in 0.9.0 release.  Please review and
 * 2)          customize settings for your setup.
 * 3) Changes:  in most of the cases you should not modify this
 * 4)           file, but provide customizations in jail.local file,
 * 5)           or separate .conf files under jail.d/ directory, e.g.:
 * 6) HOW TO ACTIVATE JAILS:
 * 7) YOU SHOULD NOT MODIFY THIS FILE.
 * 8) It will probably be overwritten or improved in a distribution update.
 * 9) Provide customizations in a jail.local file or a jail.d/customisation.local.
 * 10) For example to change the default bantime for all jails and to enable the
 * 11) ssh-iptables jail the following (uncommented) would appear in the .local file.
 * 12) See man 5 jail.conf for details.
 * 13) [DEFAULT]
 * 14) bantime = 1h
 * 15) [sshd]
 * 16) enabled = true
 * 17) See jail.conf(5) man page for more information
 * 1) See man 5 jail.conf for details.
 * 2) [DEFAULT]
 * 3) bantime = 1h
 * 4) [sshd]
 * 5) enabled = true
 * 6) See jail.conf(5) man page for more information
 * 1) enabled = true
 * 2) See jail.conf(5) man page for more information
 * 1) See jail.conf(5) man page for more information


 * 1) Comments: use '#' for comment lines and ';' (following a space) for inline comments

[INCLUDES]

before = paths-debian.conf
 * 1) before = paths-distro.conf


 * 1) The DEFAULT allows a global definition of the options. They can be overridden
 * 2) in each jail afterwards.

[DEFAULT]


 * 1) MISCELLANEOUS OPTIONS
 * 1) MISCELLANEOUS OPTIONS


 * 1) "bantime.increment" allows to use database for searching of previously banned ip's to increase a
 * 2) default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
 * 3) bantime.increment = true


 * 1) "bantime.rndtime" is the max number of seconds using for mixing with random time
 * 2) to prevent "clever" botnets calculate exact time IP can be unbanned again:
 * 3) bantime.rndtime =


 * 1) "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further)
 * 2) bantime.maxtime =


 * 1) "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
 * 2) default value of factor is 1 and with default value of formula, the ban time
 * 3) grows by 1, 2, 4, 8, 16 ...
 * 4) bantime.factor = 1


 * 1) "bantime.formula" used by default to calculate next value of ban time, default value bellow,
 * 2) the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
 * 3) bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
 * 4) more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
 * 5) bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
 * 1) bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)


 * 1) "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding
 * 2) previously ban count and given "bantime.factor" (for multipliers default is 1);
 * 3) following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count,
 * 4) always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
 * 5) bantime.multipliers = 1 2 4 8 16 32 64
 * 6) following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
 * 7) for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
 * 8) bantime.multipliers = 1 5 30 60 300 720 1440 2880


 * 1) "bantime.overalljails" (if true) specifies the search of IP in the database will be executed
 * 2) cross over all jails, if false (dafault), only current jail of the ban IP will be searched
 * 3) bantime.overalljails = false




 * 1) "ignoreself" specifies whether the local resp. own IP addresses should be ignored
 * 2) (default is true). Fail2ban will not ban a host which matches such addresses.
 * 3) ignoreself = true


 * 1) "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 * 2) will not ban a host which matches an address in this list. Several addresses
 * 3) can be defined using space (and/or comma) separator.
 * 4) ignoreip = 127.0.0.1/8 ::1

ignorecommand =
 * 1) External command that will take an tagged arguments to ignore, e.g. ,
 * 2) and return true if the IP is to be ignored. False otherwise.
 * 3) ignorecommand = /path/to/command 
 * 1) ignorecommand = /path/to/command 

bantime = 10m
 * 1) "bantime" is the number of seconds that a host is banned.

findtime = 10m
 * 1) A host is banned if it has generated "maxretry" during the last "findtime"
 * 2) seconds.

maxretry = 5
 * 1) "maxretry" is the number of failures before a host get banned.

maxmatches = %(maxretry)s
 * 1) "maxmatches" is the number of matches stored in ticket (resolvable via tag in actions).

backend = auto
 * 1) "backend" specifies the backend used to get files modification.
 * 2) Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
 * 3) This option can be overridden in each jail as well.
 * 4) pyinotify: requires pyinotify (a file alteration monitor) to be installed.
 * 5)              If pyinotify is not installed, Fail2ban will use auto.
 * 6) gamin:     requires Gamin (a file alteration monitor) to be installed.
 * 7)              If Gamin is not installed, Fail2ban will use auto.
 * 8) polling:   uses a polling algorithm which does not require external libraries.
 * 9) systemd:   uses systemd python library to access the systemd journal.
 * 10)              Specifying "logpath" is not valid for this backend.
 * 11)              See "journalmatch" in the jails associated filter config
 * 12) auto:      will try to use the following backends, in order:
 * 13)              pyinotify, gamin, polling.
 * 14) Note: if systemd backend is chosen as the default but you enable a jail
 * 15)       for which logs are present only in its own log files, specify some other
 * 16)       backend for that jail (e.g. polling) and provide empty value for
 * 17)       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
 * 1)       backend for that jail (e.g. polling) and provide empty value for
 * 2)       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200

usedns = warn
 * 1) "usedns" specifies if jails should trust hostnames in logs,
 * 2)   warn when DNS lookups are performed, or ignore all hostnames in logs
 * 3) yes:   if a hostname is encountered, a DNS lookup will be performed.
 * 4) warn:  if a hostname is encountered, a DNS lookup will be performed,
 * 5)        but it will be logged as a warning.
 * no:   if a hostname is encountered, will not be used for banning,
 * 1)        but it will be logged as info.
 * 2) raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)
 * 1) raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)

logencoding = auto
 * 1) "logencoding" specifies the encoding of the log files handled by the jail
 * 2)   This is used to decode the lines from the log file.
 * 3)   Typical examples:  "ascii", "utf-8"
 * 4)   auto:   will use the system locale setting
 * 1)   auto:   will use the system locale setting

enabled = false
 * 1) "enabled" enables the jails.
 * 2)  By default all jails are disabled, and it should stay this way.
 * 3)  Enable only relevant to your setup jails in your .local or jail.d/*.conf
 * 4) true:  jail will be enabled and log files will get monitored for changes
 * 5) false: jail is not enabled
 * 1) false: jail is not enabled

mode = normal
 * 1) "mode" defines the mode of the filter (see corresponding filter implementation for more info).

filter = %(__name__)s[mode=%(mode)s]
 * 1) "filter" defines the filter to use by the jail.
 * 2)  By default jails have names matching their filter name


 * 1) ACTIONS
 * 1) ACTIONS


 * 1) Some options used for actions

destemail = root@localhost
 * 1) Destination email address used solely for the interpolations in
 * 2) jail.{conf,local,d/*} configuration files.

sender = root@
 * 1) Sender email address used solely for some actions

mta = sendmail
 * 1) E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
 * 2) mailing. Change mta configuration parameter to mail if you want to
 * 3) revert to conventional 'mail'.

protocol = tcp
 * 1) Default protocol

chain = 
 * 1) Specify chain where jumps would need to be added in ban-actions expecting parameter chain

port = 0:65535
 * 1) Ports to be banned
 * 2) Usually should be overridden in a particular jail

fail2ban_agent = Fail2Ban/%(fail2ban_version)s
 * 1) Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3


 * 1) Action shortcuts. To be used to define action parameter
 * 1) Action shortcuts. To be used to define action parameter

banaction = iptables-multiport banaction_allports = iptables-allports
 * 1) Default banning action (e.g. iptables, iptables-new,
 * 2) iptables-multiport, shorewall, etc) It is used to define
 * 3) action_* variables. Can be overridden globally or per
 * 4) section within jail.local file

action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
 * 1) The simplest action to take: ban only

action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
 * 1) ban & send an e-mail with whois report to the destemail.

action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
 * 1) ban & send an e-mail with whois report and relevant log lines
 * 2) to the destemail.

action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
 * 1) See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
 * 2) ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
 * 3) to the destemail.
 * 1) to the destemail.

action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
 * 1) ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
 * 2) to the destemail.

action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
 * 1) Report block via blocklist.de fail2ban reporting service API
 * 2) See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
 * 3) Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
 * 4) `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
 * 5) in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in
 * 6) corresponding jail.d/my-jail.local file).
 * 1) corresponding jail.d/my-jail.local file).

action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"] action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
 * 1) Report ban via badips.com, and use as blacklist
 * 2) See BadIPsAction docstring in config/action.d/badips.py for
 * 3) documentation for this action.
 * 4) NOTE: This action relies on banaction being present on start and therefore
 * 5) should be last action defined for a jail.
 * 1) NOTE: This action relies on banaction being present on start and therefore
 * 2) should be last action defined for a jail.
 * 1) Report ban via badips.com (uses action.d/badips.conf for reporting only)
 * 1) Report ban via badips.com (uses action.d/badips.conf for reporting only)

action_abuseipdb = abuseipdb
 * 1) Report ban via abuseipdb.com.
 * 2) See action.d/abuseipdb.conf for usage example and details.
 * 1) See action.d/abuseipdb.conf for usage example and details.

action = %(action_)s
 * 1) Choose default action.  To change, just override value of 'action' with the
 * 2) interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
 * 3) globally (section [DEFAULT]) or per specific section


 * 1) JAILS
 * 1) JAILS


 * 1) SSH servers
 * 1) SSH servers

[sshd]

port   = ssh logpath = %(sshd_log)s backend = %(sshd_backend)s
 * 1) To use more aggressive sshd modes set filter parameter "mode" in jail.local:
 * 2) normal (default), ddos, extra or aggressive (combines all).
 * 3) See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
 * 4) mode  = normal

[dropbear]

port    = ssh logpath = %(dropbear_log)s backend = %(dropbear_backend)s

[selinux-ssh]

port    = ssh logpath = %(auditd_log)s


 * 1) HTTP servers
 * 1) HTTP servers

[apache-auth]

port    = http,https logpath = %(apache_error_log)s

[apache-badbots] port    = http,https logpath = %(apache_access_log)s bantime = 48h maxretry = 1
 * 1) Ban hosts which agent identifies spammer robots crawling the web
 * 2) for email addresses. The mail outputs are buffered.

[apache-noscript]

port    = http,https logpath = %(apache_error_log)s

[apache-overflows]

port    = http,https logpath = %(apache_error_log)s maxretry = 2

[apache-nohome]

port    = http,https logpath = %(apache_error_log)s maxretry = 2

[apache-botsearch]

port    = http,https logpath = %(apache_error_log)s maxretry = 2

[apache-fakegooglebot]

port    = http,https logpath = %(apache_access_log)s maxretry = 1 ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot 

[apache-modsecurity]

port    = http,https logpath = %(apache_error_log)s maxretry = 2

[apache-shellshock]

port   = http,https logpath = %(apache_error_log)s maxretry = 1

[openhab-auth]

filter = openhab action = iptables-allports[name=NoAuthFailures] logpath = /opt/openhab/logs/request.log

[nginx-http-auth]

port   = http,https logpath = %(nginx_error_log)s

[nginx-limit-req] port   = http,https logpath = %(nginx_error_log)s
 * 1) To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
 * 2) and define `limit_req` and `limit_req_zone` as described in nginx documentation
 * 3) http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
 * 4) or for example see in 'config/filter.d/nginx-limit-req.conf'

[nginx-botsearch]

port    = http,https logpath = %(nginx_error_log)s maxretry = 2


 * 1) Ban attackers that try to use PHP's URL-fopen functionality
 * 2) through GET/POST variables. - Experimental, with more than a year
 * 3) of usage in production environments.

[php-url-fopen]

port   = http,https logpath = %(nginx_access_log)s %(apache_access_log)s

[suhosin]

port   = http,https logpath = %(suhosin_log)s

[lighttpd-auth] port   = http,https logpath = %(lighttpd_error_log)s
 * 1) Same as above for Apache's mod_auth
 * 2) It catches wrong authentifications


 * 1) Webmail and groupware servers
 * 1) Webmail and groupware servers

[roundcube-auth]

port    = http,https logpath = %(roundcube_errors_log)s
 * 1) Use following line in your jail.local if roundcube logs to journal.
 * 2) backend = %(syslog_backend)s

[openwebmail]

port    = http,https logpath = /var/log/openwebmail.log

[horde]

port    = http,https logpath = /var/log/horde/horde.log

[groupoffice]

port    = http,https logpath = /home/groupoffice/log/info.log

[sogo-auth] port    = http,https logpath = /var/log/sogo/sogo.log
 * 1) Monitor SOGo groupware server
 * 2) without proxy this would be:
 * 3) port    = 20000

[tine20]

logpath = /var/log/tine20/tine20.log port    = http,https


 * 1) Web Applications
 * 1) Web Applications

[drupal-auth]

port    = http,https logpath = %(syslog_daemon)s backend = %(syslog_backend)s

[guacamole]

port    = http,https logpath = /var/log/tomcat*/catalina.out

[monit] port = 2812 logpath = /var/log/monit /var/log/monit.log
 * 1) Ban clients brute-forcing the monit gui login

[webmin-auth]

port   = 10000 logpath = %(syslog_authpriv)s backend = %(syslog_backend)s

[froxlor-auth]

port   = http,https logpath = %(syslog_authpriv)s backend = %(syslog_backend)s


 * 1) HTTP Proxy servers
 * 1) HTTP Proxy servers

[squid]

port    =  80,443,3128,8080 logpath = /var/log/squid/access.log

[3proxy]

port   = 3128 logpath = /var/log/3proxy.log


 * 1) FTP servers
 * 1) FTP servers

[proftpd]

port    = ftp,ftp-data,ftps,ftps-data logpath = %(proftpd_log)s backend = %(proftpd_backend)s

[pure-ftpd]

port    = ftp,ftp-data,ftps,ftps-data logpath = %(pureftpd_log)s backend = %(pureftpd_backend)s

[gssftpd]

port    = ftp,ftp-data,ftps,ftps-data logpath = %(syslog_daemon)s backend = %(syslog_backend)s

[wuftpd]

port    = ftp,ftp-data,ftps,ftps-data logpath = %(wuftpd_log)s backend = %(wuftpd_backend)s

[vsftpd] port    = ftp,ftp-data,ftps,ftps-data logpath = %(vsftpd_log)s
 * 1) or overwrite it in jails.local to be
 * 2) logpath = %(syslog_authpriv)s
 * 3) if you want to rely on PAM failed login attempts
 * 4) vsftpd's failregex should match both of those formats


 * 1) Mail servers
 * 1) Mail servers

[assp]
 * 1) ASSP SMTP Proxy Jail

port    = smtp,465,submission logpath = /root/path/to/assp/logs/maillog.txt

[courier-smtp]

port    = smtp,465,submission logpath = %(syslog_mail)s backend = %(syslog_backend)s

[postfix] mode   = more port   = smtp,465,submission logpath = %(postfix_log)s backend = %(postfix_backend)s
 * 1) To use another modes set filter parameter "mode" in jail.local:

[postfix-rbl]

filter  = postfix[mode=rbl] port    = smtp,465,submission logpath = %(postfix_log)s backend = %(postfix_backend)s maxretry = 1

[sendmail-auth]

port   = submission,465,smtp logpath = %(syslog_mail)s backend = %(syslog_backend)s

[sendmail-reject] port    = smtp,465,submission logpath = %(syslog_mail)s backend = %(syslog_backend)s
 * 1) To use more aggressive modes set filter parameter "mode" in jail.local:
 * 2) normal (default), extra or aggressive
 * 3) See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
 * 4) mode   = normal

[qmail-rbl]

filter = qmail port   = smtp,465,submission logpath = /service/qmail/log/main/current

[dovecot]
 * 1) dovecot defaults to logging to the mail syslog facility
 * 2) but can be set by syslog_facility in the dovecot configuration.

port   = pop3,pop3s,imap,imaps,submission,465,sieve logpath = %(dovecot_log)s backend = %(dovecot_backend)s

[sieve]

port  = smtp,465,submission logpath = %(dovecot_log)s backend = %(dovecot_backend)s

[solid-pop3d]

port   = pop3,pop3s logpath = %(solidpop3d_log)s

[exim] port  = smtp,465,submission logpath = %(exim_main_log)s
 * 1) see filter.d/exim.conf for further modes supported from filter:
 * 2) mode = normal

[exim-spam]

port  = smtp,465,submission logpath = %(exim_main_log)s

[kerio]

port   = imap,smtp,imaps,465 logpath = /opt/kerio/mailserver/store/logs/security.log


 * 1) Mail servers authenticators: might be used for smtp,ftp,imap servers, so
 * 2) all relevant ports get banned
 * 1) all relevant ports get banned

[courier-auth]

port    = smtp,465,submission,imap,imaps,pop3,pop3s logpath = %(syslog_mail)s backend = %(syslog_backend)s

[postfix-sasl]

filter  = postfix[mode=auth] port    = smtp,465,submission,imap,imaps,pop3,pop3s logpath = %(postfix_log)s backend = %(postfix_backend)s
 * 1) You might consider monitoring /var/log/mail.warn instead if you are
 * 2) running postfix since it would provide the same log lines at the
 * 3) "warn" level but overall at the smaller filesize.

[perdition]

port  = imap,imaps,pop3,pop3s logpath = %(syslog_mail)s backend = %(syslog_backend)s

[squirrelmail]

port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log

[cyrus-imap]

port  = imap,imaps logpath = %(syslog_mail)s backend = %(syslog_backend)s

[uwimap-auth]

port  = imap,imaps logpath = %(syslog_mail)s backend = %(syslog_backend)s


 * 1) DNS servers
 * 1) DNS servers
 * 1) DNS servers


 * 1) !!! WARNING !!!
 * 2)   Since UDP is connection-less protocol, spoofing of IP and imitation
 * 3)   of illegal actions is way too simple.  Thus enabling of this filter
 * 4)   might provide an easy way for implementing a DoS against a chosen
 * 5)   victim. See
 * 6)    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
 * 7)   Please DO NOT USE this jail unless you know what you are doing.
 * 8) IMPORTANT: see filter.d/named-refused for instructions to enable logging
 * 9) This jail blocks UDP traffic for DNS requests.
 * 10) [named-refused-udp]
 * 11) filter   = named-refused
 * 12) port     = domain,953
 * 13) protocol = udp
 * 14) logpath  = /var/log/named/security.log
 * 1) protocol = udp
 * 2) logpath  = /var/log/named/security.log


 * 1) IMPORTANT: see filter.d/named-refused for instructions to enable logging
 * 2) This jail blocks TCP traffic for DNS requests.

[named-refused]

port    = domain,953 logpath = /var/log/named/security.log

[nsd]

port    = 53 action  = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/nsd.log


 * 1) Miscellaneous
 * 1) Miscellaneous

[asterisk]

port    = 5060,5061 action  = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] logpath = /var/log/asterisk/messages maxretry = 10

[freeswitch]

port    = 5060,5061 action  = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"] logpath = /var/log/freeswitch.log maxretry = 10

[znc-adminlog]
 * 1) enable adminlog; it will log to a file inside znc's directory by default.

port    = 6667 logpath = /var/lib/znc/moddata/adminlog/znc.log

[mysqld-auth]
 * 1) To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
 * 2) equivalent section:
 * 3) log-warnings = 2
 * 4) for syslog (daemon facility)
 * 5) [mysqld_safe]
 * 6) syslog
 * 7) for own logfile
 * 8) [mysqld]
 * 9) log-error=/var/log/mysqld.log
 * 1) [mysqld]
 * 2) log-error=/var/log/mysqld.log

port    = 3306 logpath = %(mysql_log)s backend = %(mysql_backend)s

[mongodb-auth] port    = 27017 logpath = /var/log/mongodb/mongodb.log
 * 1) Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
 * 1) change port when running with "--shardsvr" or "--configsvr" runtime operation

[recidive]
 * 1) Jail for more extended banning of persistent abusers
 * 2) !!! WARNINGS !!!
 * 3) 1. Make sure that your loglevel specified in fail2ban.conf/.local
 * 4)    is not at DEBUG level -- which might then cause fail2ban to fall into
 * 5)    an infinite loop constantly feeding itself with non-informative lines
 * 6) 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
 * 7)    to maintain entries for failed logins for sufficient amount of time

logpath = /var/log/fail2ban.log banaction = %(banaction_allports)s bantime = 1w findtime = 1d


 * 1) Generic filter for PAM. Has to be used with action which bans all
 * 2) ports such as iptables-allports, shorewall

[pam-generic] banaction = %(banaction_allports)s logpath = %(syslog_authpriv)s backend = %(syslog_backend)s
 * 1) pam-generic filter can be customized to monitor specific subset of 'tty's

[xinetd-fail]

banaction = iptables-multiport-log logpath  = %(syslog_daemon)s backend  = %(syslog_backend)s maxretry = 2

[stunnel]
 * 1) stunnel - need to set port for this

logpath = /var/log/stunnel4/stunnel.log

[ejabberd-auth]

port   = 5222 logpath = /var/log/ejabberd/ejabberd.log

[counter-strike]

logpath = /opt/cstrike/logs/L[0-9]*.log tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039 udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015 action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
 * 1) Firewall: http://www.cstrike-planet.com/faq/6

[bitwarden] port   = http,https logpath = /home/*/bwdata/logs/identity/Identity/log.txt

[centreon] port   = http,https logpath = /var/log/centreon/login.log

[nagios]
 * 1) consider low maxretry and a long bantime
 * 2) nobody except your own Nagios server should ever probe nrpe

logpath = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility backend = %(syslog_backend)s maxretry = 1

[oracleims] logpath = /opt/sun/comms/messaging64/log/mail.log_current banaction = %(banaction_allports)s
 * 1) see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above

[directadmin] logpath = /var/log/directadmin/login.log port = 2222

[portsentry] logpath = /var/lib/portsentry/portsentry.history maxretry = 1

[pass2allow-ftp] port        = ftp,ftp-data,ftps,ftps-data knocking_url = /knocking/ filter      = apache-pass[knocking_url="%(knocking_url)s"] logpath     = %(apache_access_log)s blocktype   = RETURN returntype  = DROP action      = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s, actionstart_on_demand=false, actionrepair_on_unban=true] bantime     = 1h maxretry    = 1 findtime    = 1
 * 1) this pass2allow example allows FTP traffic after successful HTTP authentication
 * 1) knocking_url variable must be overridden to some secret value in jail.local
 * 1) access log of the website with HTTP auth

[murmur] port    = 64738 action  = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp] logpath = /var/log/mumble-server/mumble-server.log
 * 1) AKA mumble-server

[screensharingd] logpath = /var/log/system.log logencoding = utf-8
 * 1) For Mac OS Screen Sharing Service (VNC)

[haproxy-http-auth] logpath = /var/log/haproxy.log
 * 1) HAProxy by default doesn't log to file you'll need to set it up to forward
 * 2) logs to a syslog server which would then write them to disk.
 * 3) See "haproxy-http-auth" filter for a brief cautionary note when setting
 * 4) maxretry and findtime.

[slapd] port   = ldap,ldaps logpath = /var/log/slapd.log

[domino-smtp] port   = smtp,ssmtp logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log

[phpmyadmin-syslog] port   = http,https logpath = %(syslog_authpriv)s backend = %(syslog_backend)s

[zoneminder] port   = http,https logpath = %(apache_error_log)s
 * 1) Zoneminder HTTP/HTTPS web interface auth
 * 2) Logs auth failures to apache2 error log

[traefik-auth] port   = http,https logpath = /var/log/traefik/access.log
 * 1) to use 'traefik-auth' filter you have to configure your Traefik instance,
 * 2) see `filter.d/traefik-auth.conf` for details and service example.

Default  file with (almost all) comments removed: Default  with (almost) comments removed: [INCLUDES]

before = paths-debian.conf

[DEFAULT]

ignorecommand =

bantime = 10m

findtime = 10m

maxretry = 5

maxmatches = %(maxretry)s

backend = auto

usedns = warn

logencoding = auto

enabled = false

mode = normal

filter = %(__name__)s[mode=%(mode)s]


 * 1) ACTIONS
 * 1) ACTIONS

destemail = root@localhost

sender = root@

mta = sendmail

protocol = tcp

chain = 

port = 0:65535

fail2ban_agent = Fail2Ban/%(fail2ban_version)s

banaction = iptables-multiport banaction_allports = iptables-allports

action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]

action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]

action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"] action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]

action_abuseipdb = abuseipdb

action = %(action_)s


 * 1) JAILS
 * 1) JAILS


 * 1) SSH servers
 * 1) SSH servers

[sshd]

port   = ssh logpath = %(sshd_log)s backend = %(sshd_backend)s

Fail2Ban Configuration
When an IP address enters the incorrect username and password more than the max retry's allowed the IP will be banned, but the connection to the server will not disconnect. The ban will only take affect if the IP tries to make a new connection. So as long as the person(or bot) does not refresh the page, they can try as many time's as they want at guessing the password. We are going to add a new action that will reject connection of banned ip's.

Note:  this will disconnect ip's that are banned

Insert at the bottom of the   section of

_action_tcp_udp = %(banaction)s[name=%(__name__)s-tcp, protocol="tcp", port="%(port)s", blocktype="REJECT --reject-with tcp-reset", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, protocol="udp", port="%(port)s", blocktype="REJECT --reject-with icmp-port-unreachable", chain="%(chain)s", actname=%(banaction)s-udp]
 * 1) Reject/Disconnect Connections that failed username password

actionx = %(_action_tcp_udp)s

After inserting new action to config file: [INCLUDES]

before = paths-debian.conf

[DEFAULT]

ignorecommand =

bantime = 10m

findtime = 10m

maxretry = 5

maxmatches = %(maxretry)s

backend = auto

usedns = warn

logencoding = auto

enabled = false

mode = normal

filter = %(__name__)s[mode=%(mode)s]


 * 1) ACTIONS
 * 1) ACTIONS

destemail = root@localhost

sender = root@

mta = sendmail

protocol = tcp

chain = 

port = 0:65535

fail2ban_agent = Fail2Ban/%(fail2ban_version)s

banaction = iptables-multiport banaction_allports = iptables-allports

action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]

action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]

action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"] action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]

action_abuseipdb = abuseipdb

action = %(action_)s

_action_tcp_udp = %(banaction)s[name=%(__name__)s-tcp, protocol="tcp", port="%(port)s", blocktype="REJECT --reject-with tcp-reset", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, protocol="udp", port="%(port)s", blocktype="REJECT --reject-with icmp-port-unreachable", chain="%(chain)s", actname=%(banaction)s-udp]
 * 1) Reject/Disconnect Connections that failed username password

actionx = %(_action_tcp_udp)s


 * 1) JAILS
 * 1) JAILS


 * 1) SSH servers
 * 1) SSH servers

[sshd]

port   = ssh logpath = %(sshd_log)s backend = %(sshd_backend)s

Fail2Ban Rules for mediawiki

To be placed in

[mediawiki]

enabled = true filter = mediawiki action = iptables-allports bantime = 1h maxretry = 20 logpath = /var/log/Fail2Log.log

After inserting mediawiki jail to config file: [INCLUDES]

before = paths-debian.conf

[DEFAULT]

ignorecommand =

bantime = 10m

findtime = 10m

maxretry = 5

maxmatches = %(maxretry)s

backend = auto

usedns = warn

logencoding = auto

enabled = false

mode = normal

filter = %(__name__)s[mode=%(mode)s]


 * 1) ACTIONS
 * 1) ACTIONS

destemail = root@localhost

sender = root@

mta = sendmail

protocol = tcp

chain = 

port = 0:65535

fail2ban_agent = Fail2Ban/%(fail2ban_version)s

banaction = iptables-multiport banaction_allports = iptables-allports

action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

action_xarf = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]

action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]

action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"] action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]

action_abuseipdb = abuseipdb

action = %(action_)s

_action_tcp_udp = %(banaction)s[name=%(__name__)s-tcp, protocol="tcp", port="%(port)s", blocktype="REJECT --reject-with tcp-reset", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, protocol="udp", port="%(port)s", blocktype="REJECT --reject-with icmp-port-unreachable", chain="%(chain)s", actname=%(banaction)s-udp]
 * 1) Reject/Disconnect Connections that failed username password

actionx = %(_action_tcp_udp)s


 * 1) JAILS
 * 1) JAILS


 * 1) SSH servers
 * 1) SSH servers

[sshd]

port   = ssh logpath = %(sshd_log)s backend = %(sshd_backend)s

[mediawiki]

enabled = true filter = mediawiki action = iptables-allports bantime = 4h maxretry = 20 logpath = /var/log/Fail2Log.log
 * 1) mediawiki jail can over ride defaults for bantime, maxretry by including in the jail.

Filter for mediawiki

Create file and append /etc/fail2ban/filter.d/mediawiki.conf

[Definition]

failregex = ^Failed:

ignoreregex =

Now restart Fail2ban:

Check running with mediawiki jail:

unban ip
Find banned ip's in mediawiki jail: Unban ip address: Syntax:

fail2ban regex and error checking
Check regex:


 * Syntax:
 * Example:
 * If you want to test  enter filter file twice:
 * Example:
 * Read  for some more opitions:
 * Examples:
 * Be verbose in output
 * Print all missed lines
 * Print all ignored lines
 * Print all matched lines
 * Print all ignored lines
 * Print all matched lines
 * Print all matched lines
 * Print all matched lines

Debug Fail2Ban


 * dump configuration. For debugging.
 * ,  dump the configuration using more human readable representation.
 * will print the systemd log for Fail2Ban.