cfailban.conf
# Default ban parameters. [rule/test0] and [rule/test1] in this file set their
# own rate/burst/duration; presumably a rule that sets none of them falls back
# to these values -- confirm against the parser.
[defaults]
# Reads as one event per minute; the exact rate semantics are not shown here.
rate = 1/min
burst = 10
# NOTE(review): unit is not stated in this file, presumably seconds -- confirm.
duration = 300
# Settings for the log-parsing process: a chroot directory plus a user and
# group (presumably the identity it drops privileges to -- confirm).
[parser]
# NOTE(review): the fifo configured in [source/syslogsink] lives below this
# tree, in /run/user/1000/. A chroot only confines a process if nothing less
# trusted can write inside it, and /run/user/<uid>/ directories are normally
# owned by that user. Check who can write here before relying on the chroot.
chroot = /run/user/
# NOTE(review): "nobody" is commonly shared with other services; a dedicated
# account would keep this process from sharing file and signal access with them.
user = nobody
group = nobody
# The meaning of "force" is not visible in this file -- TODO document.
force = false
# Packet-filter integration: paths of the iptables binaries and the names of
# the chain and target used for banned addresses.
[filter]
# Absolute paths, so the binaries are not looked up through PATH.
ip4tables_prog = /usr/sbin/iptables
ip6tables_prog = /usr/sbin/ip6tables
chain = chk-BANNED
target = BANNED
# NOTE(review): presumably false means the chain and target above must already
# exist and be hooked into the ruleset by the administrator; if they are
# missing, bans may silently have no effect -- confirm.
manage = false
# Networks listed here are presumably never banned -- confirm. The key names
# (local0, local1) look like free-form labels.
[whitelist]
# NOTE(review): 127.0.0.1/8 has host bits set; the canonical form of the
# loopback network is 127.0.0.0/8. Confirm the parser masks the address
# rather than rejecting or misreading it.
local0 = 127.0.0.1/8
# NOTE(review): this exempts the whole 192.168.0.0/16 private range, so a
# compromised or hostile host on that range would not be limited by this tool.
# Narrow it to the hosts that need the exemption if the LAN is not fully
# trusted. There is no IPv6 loopback (::1) entry, although [rule/ssh0]
# carries a test line for ::1.
local1 = 192.168.0.0/16
# Log source of type fifo; the section name suggests syslog is the intended
# writer.
[source/syslogsink]
type = fifo
# System-wide location, commented out in favour of the per-user path below.
#path = /run/failban
# NOTE(review): /run/user/1000/ is the runtime directory of UID 1000, which
# looks like a development setup. Whoever can write to this fifo can feed
# lines to the rules in this file and so cause addresses to be banned.
path = /run/user/1000/failban
# Presumably true means the daemon creates the fifo itself with the mode and
# ownership given here -- confirm.
manage = true
# rwx for owner and group, nothing for others. The execute bits serve no
# purpose on a fifo; 0660 would grant the same read/write access.
mode = 0770
#owner = root
# NOTE(review): every member of wheel gets write access to the fifo.
group = wheel
# Log source of type socket (TCP) on localhost port 2345; presumably a
# listening socket that receives log lines -- confirm.
[source/tcpsink]
type = socket
stype = tcp
# NOTE(review): nothing in this section authenticates the sender, so any
# local process that can reach the port can submit lines to the rules. Keep
# the socket on loopback. "localhost" may resolve to 127.0.0.1, ::1 or both
# depending on the resolver -- confirm which address is actually bound.
host = localhost
# Unprivileged port (above 1023); udpsink uses the same number over UDP.
port = 2345
# Log source of type socket (UDP) on localhost port 2345; presumably a
# listening socket that receives log lines -- confirm.
[source/udpsink]
type = socket
stype = udp
# NOTE(review): nothing in this section authenticates the sender, and UDP has
# no connection setup, so any local process can submit datagrams to the rules.
# Keep the socket on loopback and do not expose it on a routable address.
host = localhost
# Unprivileged port (above 1023); tcpsink uses the same number over TCP.
port = 2345
# Rule for sshd PAM "authentication failure" messages. @IP4@, @IP6@ and @IP@
# are placeholders, presumably expanded by the parser into address-matching
# expressions whose match is the address acted on -- confirm.
[rule/ssh0]
# NOTE(review): the patterns are not anchored and use ".*" across several
# fields. Log lines can carry text chosen by the remote client (the user name,
# for instance), so confirm that the captured address is always the one sshd
# wrote after "rhost=".
pattern4 = "sshd.*: authentication failure; logname= uid=.* euid=.* tty=.* ruser= rhost=@IP4@ user=.*"
# ban4 / ban6 / ban = 1: presumably enables banning for the matching pattern.
ban4 = 1
pattern6 = "sshd.*: authentication failure; logname= uid=.* euid=.* tty=.* ruser= rhost=@IP6@ user=.*"
ban6 = 1
pattern = "sshd.*: authentication failure; logname= uid=.* euid=.* tty=.* ruser= rhost=@IP@ user=.*"
ban = 1
# Self-test lines, apparently in the form "<expected address>|<log line>".
# test_1 has an empty expected address, presumably a line that must not match.
test_0 = "103.41.124.33|sshd[7773]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=103.41.124.33 user=root"
test_1 = "|xxxx"
test_2 = "::1|sshd[7773]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=root"
# Rule for sshd "Invalid user" messages. Only pattern4 is defined, so this
# rule has no IPv6 counterpart.
[rule/ssh1]
# NOTE(review): the text matched by ".*" is the user name sent by the remote
# client, i.e. untrusted input, and the pattern is not anchored. Confirm that
# the address taken is the peer address sshd appends, and consider anchoring
# the pattern on the text that follows the address.
pattern4 = "Invalid user .* from @IP4@"
ban4 = 1
# Self-test line, apparently "<expected address>|<log line>".
test_0 = "87.106.143.189|Invalid user PlcmSpIp from 87.106.143.189"
# Test rule: matches "ip=<address>" and sets its own rate, burst and duration
# instead of the [defaults] values.
[rule/test0]
# NOTE(review): this pattern is generic and presumably applies to lines from
# every configured source. Remove or disable the test rules before production
# use, so that an unrelated "ip=" field in a log line cannot trigger a ban.
pattern = "ip=@IP@"
ban = 1
rate = 20/min
burst = 3
# Much shorter than the [defaults] duration of 300.
duration = 5
# Test rule using the @HOST@ placeholder together with resolve4 = true,
# presumably resolving a host name found in the log line to IPv4 addresses
# -- confirm.
[rule/test1]
# NOTE(review): when the ban target comes from resolving a name taken from log
# content, whoever controls that name's DNS records influences which address
# is banned, and each match may cost a DNS lookup. Prefer rules that match a
# literal address, and remove the test rules before production use.
pattern4 = "ip=@HOST@"
resolve4 = true
ban4 = 1
rate = 20/min
burst = 3
# Much shorter than the [defaults] duration of 300.
duration = 10