chore(confs): sync jails with upstream Fail2Ban

naXa777 · naXa777 · commit 0a1f92c9b701 · 2025-09-07T21:21:32.000+02:00
diff --git a/jail.conf b/jail.conf
@@ -1,4 +1,4 @@
-## Version 2022/08/06
+## Version 2025/04/01
 #
 # WARNING: heavily refactored in 0.9.0 release.  Please review and
 #          customize settings for your setup.
@@ -99,7 +99,9 @@ before = paths-lsio.conf
 # ignorecommand = /path/to/command <ip>
 ignorecommand =
 
-# "bantime" is the number of seconds that a host is banned.
+# "bantime" is the amount of time that a host is banned, integer in seconds or
+# time abbreviation format (m - minutes, h - hours, d - days, w - weeks, mo - months, y - years).
+# This is to consider as an initial time if bantime.increment gets enabled.
 bantime  = 10m
 
 # A host is banned if it has generated "maxretry" during the last "findtime"
@@ -113,19 +115,17 @@ maxretry = 5
 maxmatches = %(maxretry)s
 
 # "backend" specifies the backend used to get files modification.
-# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
+# Available options are "pyinotify", "polling", "systemd" and "auto".
 # This option can be overridden in each jail as well.
 #
 # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
 #              If pyinotify is not installed, Fail2ban will use auto.
-# gamin:     requires Gamin (a file alteration monitor) to be installed.
-#              If Gamin is not installed, Fail2ban will use auto.
 # polling:   uses a polling algorithm which does not require external libraries.
 # systemd:   uses systemd python library to access the systemd journal.
 #              Specifying "logpath" is not valid for this backend.
 #              See "journalmatch" in the jails associated filter config
 # auto:      will try to use the following backends, in order:
-#              pyinotify, gamin, polling.
+#              pyinotify, polling.
 #
 # Note: if systemd backend is chosen as the default but you enable a jail
 #       for which logs are present only in its own log files, specify some other
@@ -207,8 +207,8 @@ fail2ban_agent = Fail2Ban/%(fail2ban_version)s
 # iptables-multiport, shorewall, etc) It is used to define
 # action_* variables. Can be overridden globally or per
 # section within jail.local file
-banaction = iptables-multiport
-banaction_allports = iptables-allports
+#banaction = iptables-multiport
+#banaction_allports = iptables-allports
 
 # The simplest action to take: ban only
 action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
diff --git a/jail.d/mongodb-auth.conf b/jail.d/mongodb-auth.conf
@@ -0,0 +1,9 @@
+## Version 2016/11/10
+# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
+# change port when running with "--shardsvr" or "--configsvr" runtime operation
+
+[mongodb-auth]
+
+enabled = false
+port    = 27017
+logpath = %(remote_logs_path)s/mongodb/mongodb.log
diff --git a/jail.d/mssql-auth.conf b/jail.d/mssql-auth.conf
@@ -0,0 +1,10 @@
+## Version 2020/02/24
+# Default configuration for Microsoft SQL Server for Linux
+# See the 'mssql-conf' manpage how to change logpath or port
+
+[mssql-auth]
+
+enabled = false
+logpath = %(remote_logs_path)s/mssql/log/errorlog
+port    = 1433
+filter  = mssql-auth
diff --git a/jail.d/mysqld-auth.conf b/jail.d/mysqld-auth.conf
@@ -0,0 +1,14 @@
+## Version 2025/01/30
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
+# equivalent section:
+#   log_error_verbosity = 3
+# for older versions:
+#   log-warnings = 2
+# Also check whether `log_error` (or `log-error`) system variable match the `logpath`.
+
+[mysqld-auth]
+
+enabled = false
+port    = 3306
+logpath = %(mysql_log)s
+backend = %(mysql_backend)s
diff --git a/jail.d/nginx-forbidden.conf b/jail.d/nginx-forbidden.conf
@@ -0,0 +1,9 @@
+## Version 2023/03/23
+# Fail2Ban jail configuration for nginx forbidden
+# Works OOTB with defaults
+
+[nginx-forbidden]
+
+enabled = false
+port    = http,https
+logpath = %(nginx_error_log)s
diff --git a/jail.d/openvpn.conf b/jail.d/openvpn.conf
@@ -0,0 +1,8 @@
+## Version 2025/01/29
+# Fail2Ban jail configuration for openvpn
+
+[openvpn]
+
+enabled = false
+port    = 443
+logpath = %(logs_path)s/syslog
diff --git a/jail.d/recidive.conf b/jail.d/recidive.conf
@@ -0,0 +1,17 @@
+## Version 2025/01/30
+# Jail for more extended banning of persistent abusers
+# !!! WARNINGS !!!
+# 1. Make sure that your loglevel specified in fail2ban.conf/.local
+#    is not at DEBUG level -- which might then cause fail2ban to fall into
+#    an infinite loop constantly feeding itself with non-informative lines
+# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
+#    to maintain entries for failed logins for sufficient amount of time
+
+[recidive]
+
+enabled   = false
+# lsio value
+logpath = /config/log/fail2ban/fail2ban.log
+banaction = %(banaction_allports)s
+bantime   = 1w
+findtime  = 1d
diff --git a/jail.d/routeros-auth.conf b/jail.d/routeros-auth.conf
@@ -0,0 +1,7 @@
+## Version 2023/02/28
+
+[routeros-auth]
+
+enabled = false
+port    = ssh,http,https
+logpath = %(remote_logs_path)s/MikroTik/router.log
diff --git a/jail.d/vaultwarden.conf b/jail.d/vaultwarden.conf
@@ -0,0 +1,7 @@
+## Version 2025/04/01
+
+[vaultwarden]
+
+enabled = false
+port    = http,https
+logpath = %(remote_logs_path)s/vaultwarden.log
