From 5b9510a54090f76935ae268e0f400dbcd15a01b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?R=C3=A9mi=20-=20Le=20Filament?= <remi@le-filament.com> Date: Mon, 23 Dec 2024 22:01:18 +0100 Subject: [PATCH] [ADD] jail and actions for Ubuntu 24 --- templates/action.d/sendmail-common.j2 | 6 +- templates/action.d/sendmail-whois-lines.j2 | 1 + templates/jail.Ubuntu16.j2 | 162 +------------ templates/jail.Ubuntu18.j2 | 192 +-------------- templates/jail.Ubuntu20.j2 | 268 +-------------------- templates/jail.Ubuntu22.j2 | 1 + templates/jail.Ubuntu24.j2 | 91 +++++++ 7 files changed, 104 insertions(+), 617 deletions(-) create mode 100644 templates/jail.Ubuntu24.j2 diff --git a/templates/action.d/sendmail-common.j2 b/templates/action.d/sendmail-common.j2 index 184691b..74ece27 100644 --- a/templates/action.d/sendmail-common.j2 +++ b/templates/action.d/sendmail-common.j2 @@ -16,6 +16,7 @@ after = sendmail-common.local # actionstart = printf %%b "Subject: [Fail2Ban] <name>: demarre sur {{ inventory_hostname | lower }} Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` + From: <sendername> <<sender>> To: <dest>\n Bonjour,\n La cage <name> a été démarree.\n @@ -23,11 +24,12 @@ actionstart = printf %%b "Subject: [Fail2Ban] <name>: demarre sur {{ inventory_h Fail2Ban" | <mailcmd> # Option: actionstop -# Notes.: command executed once at the end of Fail2Ban +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = printf %%b "Subject: [Fail2Ban] <name>: arrete sur {{ inventory_hostname | lower }} Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` + From: <sendername> <<sender>> To: <dest>\n Bonjour,\n La cage <name> a été stoppee.\n @@ -60,7 +62,7 @@ actionunban = # Your system mail command # -mailcmd = /usr/sbin/sendmail "<dest>" +mailcmd = /usr/sbin/sendmail -f "<sender>" "<dest>" # Recipient mail address # diff --git a/templates/action.d/sendmail-whois-lines.j2 b/templates/action.d/sendmail-whois-lines.j2 index dd75cf6..60d9609 100644 
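Review bot: `mailcmd = /usr/sbin/sendmail -f "<sender>" "<dest>"` now sets the envelope sender to `<sender>`, and the jail templates in this same patch define it as `<host>_server@<host>.server`, a domain that does not resolve; relays that perform sender-address or sender-domain verification will reject the notification outright, and a bounce has nowhere to go, so the change can silently turn off ban mails instead of fixing them. Either make `sender` a deliverable address on the host's real mail domain, or record the constraint next to the key, e.g. `# -f sets the envelope sender; the local MTA/relay must accept this address`. `<sender>` and `<dest>` come from role configuration rather than from log data, so their use on a shell command line is not an injection concern as far as this patch shows.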
--- a/templates/action.d/sendmail-whois-lines.j2 +++ b/templates/action.d/sendmail-whois-lines.j2 @@ -23,6 +23,7 @@ norestored = 1 # actionban = ( printf %%b "Subject: [Fail2Ban] <name>: <ip> bannie sur {{ inventory_hostname | lower }} Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"` + From: <sendername> <<sender>> To: <dest>\n Bonjour,\n L'adresse IP <ip> vient d'etre bannie par Fail2Ban apres diff --git a/templates/jail.Ubuntu16.j2 b/templates/jail.Ubuntu16.j2 index 97089ff..2d9792d 100644 --- a/templates/jail.Ubuntu16.j2 +++ b/templates/jail.Ubuntu16.j2 
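Review bot: the added `From: <sendername> <<sender>>` header in `actionban` uses a `sendername` tag that nothing in this patch defines; the jail templates only set `sender` and `destemail`. If this action file's [Init] section (outside the hunk) does not declare `sendername`, the header is emitted with the tag unresolved, so confirm it and add `sendername = Fail2Ban` there if it is missing. `actionban` continues past the end of the hunk.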
@@ -1,208 +1,50 @@ -# Comments: use '#' for comment lines and ';' (following a space) for inline comments - - [INCLUDES] - -#before = paths-distro.conf before = paths-debian.conf -# The DEFAULT allows a global definition of the options. They can be overridden -# in each jail afterwards. - [DEFAULT] - -# -# MISCELLANEOUS OPTIONS -# - -# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not -# ban a host which matches an address in this list. Several addresses can be -# defined using space separator. +# MISC ignoreip = 127.0.0.1/8 -# External command that will take an tagged arguments to ignore, e.g. <ip>, -# and return true if the IP is to be ignored. False otherwise. -# -# ignorecommand = /path/to/command <ip> ignorecommand = - -# "bantime" is the number of seconds that a host is banned. bantime = 86400 ; ban for 1 day - -# A host is banned if it has generated "maxretry" during the last "findtime" -# seconds. findtime = 3600 ; search for 1 hour - -# "maxretry" is the number of failures before a host get banned. maxretry = 3 -# "backend" specifies the backend used to get files modification. -# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". -# This option can be overridden in each jail as well. -# -# pyinotify: requires pyinotify (a file alteration monitor) to be installed. -# If pyinotify is not installed, Fail2ban will use auto. -# gamin: requires Gamin (a file alteration monitor) to be installed. -# If Gamin is not installed, Fail2ban will use auto. -# polling: uses a polling algorithm which does not require external libraries. -# systemd: uses systemd python library to access the systemd journal. -# Specifying "logpath" is not valid for this backend. -# See "journalmatch" in the jails associated filter config -# auto: will try to use the following backends, in order: -# pyinotify, gamin, polling. 
-# -# Note: if systemd backend is choses as the default but you enable a jail -# for which logs are present only in its own log files, specify some other -# backend for that jail (e.g. polling) and provide empty value for -# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 backend = auto - -# "usedns" specifies if jails should trust hostnames in logs, -# warn when DNS lookups are performed, or ignore all hostnames in logs -# -# yes: if a hostname is encountered, a DNS lookup will be performed. -# warn: if a hostname is encountered, a DNS lookup will be performed, -# but it will be logged as a warning. -# no: if a hostname is encountered, will not be used for banning, -# but it will be logged as info. usedns = warn - -# "logencoding" specifies the encoding of the log files handled by the jail -# This is used to decode the lines from the log file. -# Typical examples: "ascii", "utf-8" -# -# auto: will use the system locale setting logencoding = auto - -# "enabled" enables the jails. -# By default all jails are disabled, and it should stay this way. -# Enable only relevant to your setup jails in your .local or jail.d/*.conf -# -# true: jail will be enabled and log files will get monitored for changes -# false: jail is not enabled enabled = false - -# "filter" defines the filter to use by the jail. -# By default jails have names matching their filter name -# filter = %(__name__)s -# # ACTIONS -# - -# Some options used for actions - -# Destination email address used solely for the interpolations in -# jail.{conf,local,d/*} configuration files. destemail = {{ default_maintenance_email }} - -# Sender email address used solely for some actions sender = {{ inventory_hostname|lower }}_server@{{ inventory_hostname|lower }}.server - -# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the -# mailing. Change mta configuration parameter to mail if you want to -# revert to conventional 'mail'. 
mta = sendmail - -# Default protocol protocol = tcp - -# Specify chain where jumps would need to be added in iptables-* actions chain = INPUT - -# Ports to be banned -# Usually should be overridden in a particular jail port = 0:65535 -# -# Action shortcuts. To be used to define action parameter - -# Default banning action (e.g. iptables, iptables-new, -# iptables-multiport, shorewall, etc) It is used to define -# action_* variables. Can be overridden globally or per -# section within jail.local file banaction = iptables-multiport -# The simplest action to take: ban only action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - -# ban & send an e-mail with whois report to the destemail. -action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] - -# ban & send an e-mail with whois report and relevant log lines -# to the destemail. -action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] - -# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action -# -# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines -# to the destemail. -action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] - -# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines -# to the destemail. 
-action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] - %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] - -# Report block via blocklist.de fail2ban reporting service API -# -# See the IMPORTANT note in action.d/blocklist_de.conf for when to -# use this action. Create a file jail.d/blocklist_de.local containing -# [Init] -# blocklist_de_apikey = {api key from registration] -# -action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"] - -# Report ban via badips.com, and use as blacklist -# -# See BadIPsAction docstring in config/action.d/badips.py for -# documentation for this action. -# -# NOTE: This action relies on banaction being present on start and therefore -# should be last action defined for a jail. -# -action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"] - -# Choose default action. To change, just override value of 'action' with the -# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local -# globally (section [DEFAULT]) or per specific section action = %(action_)s - -# # JAILS -# - -# -# SSH servers -# - [sshd] enabled = true -port = {{ default_sshd_port }} logpath = %(sshd_log)s +port = {{ default_sshd_port }} [sshd-ddos] -# This jail corresponds to the standard configuration in Fail2ban. -# The mail-whois action send a notification e-mail with a whois request -# in the body. enabled = true port = {{ default_sshd_port }} logpath = %(sshd_log)s {% if inventory_hostname in groups.odoo_server or inventory_hostname in groups.owncloud_server %} -# -# HTTP servers -# - [nginx-http-auth] enabled = true logpath = %(nginx_error_log)s diff --git a/templates/jail.Ubuntu18.j2 b/templates/jail.Ubuntu18.j2 index 1034894..0ccfd5e 100644 --- a/templates/jail.Ubuntu18.j2 +++ b/templates/jail.Ubuntu18.j2 
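Review bot: the hunk removes the `action_mw`, `action_mwl` and `action_xarf` shortcut definitions from [DEFAULT] while keeping `destemail`, `sender` and `mta`, so after this patch nothing in the Ubuntu 16 template references the sendmail actions that the same commit edits, and the three mail keys are left without a consumer. If a jail.local or jail.d override on one of these hosts still sets `action = %(action_mwl)s`, fail2ban will refuse to (re)load with an interpolation error rather than merely stop mailing; that is not verifiable from the diff, so either keep the one shortcut that is actually used, e.g. `action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]` followed by its `%(mta)s-whois-lines[...]` line, or drop the orphaned mail keys and say so in a comment. The same observation applies to the Ubuntu 18 and 20 templates later in this patch.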
@@ -1,210 +1,37 @@ -# Comments: use '#' for comment lines and ';' (following a space) for inline comments - - [INCLUDES] - before = paths-debian.conf -# The DEFAULT allows a global definition of the options. They can be overridden -# in each jail afterwards. - [DEFAULT] - -# -# MISCELLANEOUS OPTIONS -# - -# "ignorself" specifies whether the local resp. own IP addresses should be ignored -# (default is true). Fail2ban will not ban a host which matches such addresses. -#ignorself = true - -# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban -# will not ban a host which matches an address in this list. Several addresses -# can be defined using space (and/or comma) separator. +# MISC ignoreip = 127.0.0.1/8{% if inventory_hostname in groups.docker %} 172.16.0.0/12 192.168.0.0/16{% endif %} -# External command that will take an tagged arguments to ignore, e.g. <ip>, -# and return true if the IP is to be ignored. False otherwise. -# -# ignorecommand = /path/to/command <ip> ignorecommand = - -# "bantime" is the number of seconds that a host is banned. bantime = 86400 ; ban for 1 day - -# A host is banned if it has generated "maxretry" during the last "findtime" -# seconds. findtime = 3600 ; search for 1 hour - -# "maxretry" is the number of failures before a host get banned. maxretry = 3 -# "backend" specifies the backend used to get files modification. -# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". -# This option can be overridden in each jail as well. -# -# pyinotify: requires pyinotify (a file alteration monitor) to be installed. -# If pyinotify is not installed, Fail2ban will use auto. -# gamin: requires Gamin (a file alteration monitor) to be installed. -# If Gamin is not installed, Fail2ban will use auto. -# polling: uses a polling algorithm which does not require external libraries. -# systemd: uses systemd python library to access the systemd journal. -# Specifying "logpath" is not valid for this backend. 
-# See "journalmatch" in the jails associated filter config -# auto: will try to use the following backends, in order: -# pyinotify, gamin, polling. -# -# Note: if systemd backend is chosen as the default but you enable a jail -# for which logs are present only in its own log files, specify some other -# backend for that jail (e.g. polling) and provide empty value for -# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 backend = polling - -# "usedns" specifies if jails should trust hostnames in logs, -# warn when DNS lookups are performed, or ignore all hostnames in logs -# -# yes: if a hostname is encountered, a DNS lookup will be performed. -# warn: if a hostname is encountered, a DNS lookup will be performed, -# but it will be logged as a warning. -# no: if a hostname is encountered, will not be used for banning, -# but it will be logged as info. -# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user) usedns = warn - -# "logencoding" specifies the encoding of the log files handled by the jail -# This is used to decode the lines from the log file. -# Typical examples: "ascii", "utf-8" -# -# auto: will use the system locale setting logencoding = auto - -# "enabled" enables the jails. -# By default all jails are disabled, and it should stay this way. -# Enable only relevant to your setup jails in your .local or jail.d/*.conf -# -# true: jail will be enabled and log files will get monitored for changes -# false: jail is not enabled enabled = false - - -# "mode" defines the mode of the filter (see corresponding filter implementation for more info). mode = normal - -# "filter" defines the filter to use by the jail. -# By default jails have names matching their filter name -# filter = %(__name__)s[mode=%(mode)s] -# # ACTIONS -# - -# Some options used for actions - -# Destination email address used solely for the interpolations in -# jail.{conf,local,d/*} configuration files. 
destemail = {{ default_maintenance_email }} - -# Sender email address used solely for some actions sender = {{ inventory_hostname|lower }}_server@{{ inventory_hostname|lower }}.server - -# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the -# mailing. Change mta configuration parameter to mail if you want to -# revert to conventional 'mail'. mta = sendmail - -# Default protocol protocol = tcp - -# Specify chain where jumps would need to be added in ban-actions expecting parameter chain chain = INPUT - -# Ports to be banned -# Usually should be overridden in a particular jail port = 0:65535 - -# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3 fail2ban_agent = Fail2Ban/%(fail2ban_version)s - -# -# Action shortcuts. To be used to define action parameter - -# Default banning action (e.g. iptables, iptables-new, -# iptables-multiport, shorewall, etc) It is used to define -# action_* variables. Can be overridden globally or per -# section within jail.local file banaction = iptables-multiport banaction_allports = iptables-allports - -# The simplest action to take: ban only action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - -# ban & send an e-mail with whois report to the destemail. -action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] - -# ban & send an e-mail with whois report and relevant log lines -# to the destemail. 
-action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] - -# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action -# -# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines -# to the destemail. -action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"] - -# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines -# to the destemail. -action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] - %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] - -# Report block via blocklist.de fail2ban reporting service API -# -# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action. -# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation -# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey` -# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in -# corresponding jail.d/my-jail.local file). -# -action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] - -# Report ban via badips.com, and use as blacklist -# -# See BadIPsAction docstring in config/action.d/badips.py for -# documentation for this action. -# -# NOTE: This action relies on banaction being present on start and therefore -# should be last action defined for a jail. 
-# -action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"] -# -# Report ban via badips.com (uses action.d/badips.conf for reporting only) -# -action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"] - -# Report ban via abuseipdb.com. -# -# See action.d/abuseipdb.conf for usage example and details. -# -action_abuseipdb = abuseipdb - -# Choose default action. To change, just override value of 'action' with the -# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local -# globally (section [DEFAULT]) or per specific section action = %(action_)s - -# # JAILS -# - -# -# SSH servers -# - [sshd] backend = systemd enabled = true @@ -213,13 +40,6 @@ mode = aggressive port = {{ default_sshd_port }} -# Jail for more extended banning of persistent abusers -# !!! WARNINGS !!! -# 1. Make sure that your loglevel specified in fail2ban.conf/.local -# is not at DEBUG level -- which might then cause fail2ban to fall into -# an infinite loop constantly feeding itself with non-informative lines -# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) -# to maintain entries for failed logins for sufficient amount of time [recidive] banaction = %(banaction_allports)s bantime = 1w @@ -229,14 +49,10 @@ logpath = /var/log/fail2ban.log {% if inventory_hostname in groups.odoo_server or inventory_hostname in groups.owncloud_server %} -# -# HTTP servers -# - [nginx-http-auth] enabled = true -port = http,https logpath = /var/log/nginx/*error.log +port = http,https [nginx-botsearch] enabled = true @@ -247,10 +63,6 @@ maxretry = 2 {% endif %} {% if inventory_hostname in groups.docker %} -# -# Docker containers -# - [docker-traefik-auth] chain = DOCKER-USER enabled = true diff --git a/templates/jail.Ubuntu20.j2 b/templates/jail.Ubuntu20.j2 index b0d0770..ddd1b12 100644 --- a/templates/jail.Ubuntu20.j2 +++ b/templates/jail.Ubuntu20.j2 
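Review bot: the `[recidive]` jail (`banaction = %(banaction_allports)s`, `bantime = 1w`, `logpath = /var/log/fail2ban.log`) is left with no mention of its two operating prerequisites, which the text removed here used to state: fail2ban's own `loglevel` must not be DEBUG (the jail would then feed on its own log lines), and `dbpurgeage` in fail2ban.conf must cover the jail's `findtime` so failed-login entries survive long enough. Nothing in the diff shows fail2ban.conf, so whether the role sets those is not verifiable here; a compact comment above the jail, e.g. `# requires loglevel != DEBUG and dbpurgeage >= findtime (see fail2ban.conf)`, keeps the constraint next to the configuration it protects. The identical blocks in jail.Ubuntu20.j2 and the new jail.Ubuntu24.j2 would benefit from the same line.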
@@ -1,280 +1,37 @@ -# -# WARNING: heavily refactored in 0.9.0 release. Please review and -# customize settings for your setup. -# -# Changes: in most of the cases you should not modify this -# file, but provide customizations in jail.local file, -# or separate .conf files under jail.d/ directory, e.g.: -# -# HOW TO ACTIVATE JAILS: -# -# YOU SHOULD NOT MODIFY THIS FILE. -# -# It will probably be overwritten or improved in a distribution update. -# -# Provide customizations in a jail.local file or a jail.d/customisation.local. -# For example to change the default bantime for all jails and to enable the -# ssh-iptables jail the following (uncommented) would appear in the .local file. -# See man 5 jail.conf for details. -# -# [DEFAULT] -# bantime = 1h -# -# [sshd] -# enabled = true -# -# See jail.conf(5) man page for more information - - - -# Comments: use '#' for comment lines and ';' (following a space) for inline comments - - [INCLUDES] - before = paths-debian.conf -# The DEFAULT allows a global definition of the options. They can be overridden -# in each jail afterwards. - [DEFAULT] - -# -# MISCELLANEOUS OPTIONS -# - -# "bantime.increment" allows to use database for searching of previously banned ip's to increase a -# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32... -#bantime.increment = true - -# "bantime.rndtime" is the max number of seconds using for mixing with random time -# to prevent "clever" botnets calculate exact time IP can be unbanned again: -#bantime.rndtime = - -# "bantime.maxtime" is the max number of seconds using the ban time can reach (don't grows further) -#bantime.maxtime = - -# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier, -# default value of factor is 1 and with default value of formula, the ban time -# grows by 1, 2, 4, 8, 16 ... 
-#bantime.factor = 1 - -# "bantime.formula" used by default to calculate next value of ban time, default value bellow, -# the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32... -#bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor -# -# more aggressive example of formula has the same values only for factor "2.0 / 2.885385" : -#bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor) - -# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding -# previously ban count and given "bantime.factor" (for multipliers default is 1); -# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, -# always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours -#bantime.multipliers = 1 2 4 8 16 32 64 -# following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin, -# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day -#bantime.multipliers = 1 5 30 60 300 720 1440 2880 - -# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed -# cross over all jails, if false (dafault), only current jail of the ban IP will be searched -#bantime.overalljails = false - -# -------------------- - -# "ignoreself" specifies whether the local resp. own IP addresses should be ignored -# (default is true). Fail2ban will not ban a host which matches such addresses. -#ignoreself = true - -# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban -# will not ban a host which matches an address in this list. Several addresses -# can be defined using space (and/or comma) separator. 
+# MISC ignoreip = 127.0.0.1/8{% if inventory_hostname in groups.docker %} 172.16.0.0/12 192.168.0.0/16{% endif %}{% for host in groups.docker_nagios %} {{ hostvars[host].ansible_host }}/32{% endfor %} -# External command that will take an tagged arguments to ignore, e.g. <ip>, -# and return true if the IP is to be ignored. False otherwise. -# -# ignorecommand = /path/to/command <ip> ignorecommand = - -# "bantime" is the number of seconds that a host is banned. bantime = 86400 ; ban for 1 day - -# A host is banned if it has generated "maxretry" during the last "findtime" -# seconds. findtime = 3600 ; search for 1 hour - -# "maxretry" is the number of failures before a host get banned. maxretry = 3 - -# "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions). maxmatches = %(maxretry)s - -# "backend" specifies the backend used to get files modification. -# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto". -# This option can be overridden in each jail as well. -# -# pyinotify: requires pyinotify (a file alteration monitor) to be installed. -# If pyinotify is not installed, Fail2ban will use auto. -# gamin: requires Gamin (a file alteration monitor) to be installed. -# If Gamin is not installed, Fail2ban will use auto. -# polling: uses a polling algorithm which does not require external libraries. -# systemd: uses systemd python library to access the systemd journal. -# Specifying "logpath" is not valid for this backend. -# See "journalmatch" in the jails associated filter config -# auto: will try to use the following backends, in order: -# pyinotify, gamin, polling. -# -# Note: if systemd backend is chosen as the default but you enable a jail -# for which logs are present only in its own log files, specify some other -# backend for that jail (e.g. polling) and provide empty value for -# journalmatch. 
See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200 backend = polling - -# "usedns" specifies if jails should trust hostnames in logs, -# warn when DNS lookups are performed, or ignore all hostnames in logs -# -# yes: if a hostname is encountered, a DNS lookup will be performed. -# warn: if a hostname is encountered, a DNS lookup will be performed, -# but it will be logged as a warning. -# no: if a hostname is encountered, will not be used for banning, -# but it will be logged as info. -# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user) usedns = warn - -# "logencoding" specifies the encoding of the log files handled by the jail -# This is used to decode the lines from the log file. -# Typical examples: "ascii", "utf-8" -# -# auto: will use the system locale setting logencoding = auto - -# "enabled" enables the jails. -# By default all jails are disabled, and it should stay this way. -# Enable only relevant to your setup jails in your .local or jail.d/*.conf -# -# true: jail will be enabled and log files will get monitored for changes -# false: jail is not enabled enabled = false - - -# "mode" defines the mode of the filter (see corresponding filter implementation for more info). mode = normal - -# "filter" defines the filter to use by the jail. -# By default jails have names matching their filter name -# filter = %(__name__)s[mode=%(mode)s] -# # ACTIONS -# - -# Some options used for actions - -# Destination email address used solely for the interpolations in -# jail.{conf,local,d/*} configuration files. destemail = {{ default_maintenance_email }} - -# Sender email address used solely for some actions sender = {{ inventory_hostname|lower }}_server@{{ inventory_hostname|lower }}.server - -# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the -# mailing. Change mta configuration parameter to mail if you want to -# revert to conventional 'mail'. 
mta = sendmail - -# Default protocol protocol = tcp - -# Specify chain where jumps would need to be added in ban-actions expecting parameter chain chain = INPUT - -# Ports to be banned -# Usually should be overridden in a particular jail port = 0:65535 - -# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3 fail2ban_agent = Fail2Ban/%(fail2ban_version)s - -# -# Action shortcuts. To be used to define action parameter - -# Default banning action (e.g. iptables, iptables-new, -# iptables-multiport, shorewall, etc) It is used to define -# action_* variables. Can be overridden globally or per -# section within jail.local file banaction = iptables-multiport banaction_allports = iptables-allports - -# The simplest action to take: ban only action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - -# ban & send an e-mail with whois report to the destemail. -action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] - -# ban & send an e-mail with whois report and relevant log lines -# to the destemail. -action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"] - -# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action -# -# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines -# to the destemail. 
-action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"] - -# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines -# to the destemail. -action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] - %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"] - -# Report block via blocklist.de fail2ban reporting service API -# -# See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action. -# Specify expected parameters in file action.d/blocklist_de.local or if the interpolation -# `action_blocklist_de` used for the action, set value of `blocklist_de_apikey` -# in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in -# corresponding jail.d/my-jail.local file). -# -action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"] - -# Report ban via badips.com, and use as blacklist -# -# See BadIPsAction docstring in config/action.d/badips.py for -# documentation for this action. -# -# NOTE: This action relies on banaction being present on start and therefore -# should be last action defined for a jail. -# -action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"] -# -# Report ban via badips.com (uses action.d/badips.conf for reporting only) -# -action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"] - -# Report ban via abuseipdb.com. -# -# See action.d/abuseipdb.conf for usage example and details. -# -action_abuseipdb = abuseipdb - -# Choose default action. To change, just override value of 'action' with the -# interpolation to the chosen action shortcut (e.g. 
action_mw, action_mwl, etc) in jail.local -# globally (section [DEFAULT]) or per specific section action = %(action_)s - -# # JAILS -# - -# -# SSH servers -# - [sshd] backend = systemd enabled = true @@ -283,13 +40,6 @@ mode = aggressive port = {{ default_sshd_port }} -# Jail for more extended banning of persistent abusers -# !!! WARNINGS !!! -# 1. Make sure that your loglevel specified in fail2ban.conf/.local -# is not at DEBUG level -- which might then cause fail2ban to fall into -# an infinite loop constantly feeding itself with non-informative lines -# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days) -# to maintain entries for failed logins for sufficient amount of time [recidive] banaction = %(banaction_allports)s bantime = 1w @@ -299,14 +49,10 @@ logpath = /var/log/fail2ban.log {% if inventory_hostname in groups.gitlab %} -# -# HTTP servers -# - [nginx-http-auth] enabled = true -port = http,https logpath = /var/log/gitlab/nginx/*error.log +port = http,https [nginx-botsearch] enabled = true @@ -317,14 +63,10 @@ maxretry = 3 {% endif %} {% if inventory_hostname in groups.odoo_server or inventory_hostname in groups.owncloud_server %} -# -# HTTP servers -# - [nginx-http-auth] enabled = true -port = http,https logpath = /var/log/nginx/*error.log +port = http,https [nginx-botsearch] enabled = true @@ -335,10 +77,6 @@ maxretry = 2 {% endif %} {% if inventory_hostname in groups.docker and inventory_hostname not in groups.docker_nextcloud %} -# -# Docker containers -# - [docker-traefik-auth] chain = DOCKER-USER enabled = true diff --git a/templates/jail.Ubuntu22.j2 b/templates/jail.Ubuntu22.j2 index a0ede6e..23342d4 100644 --- a/templates/jail.Ubuntu22.j2 +++ b/templates/jail.Ubuntu22.j2 @@ -51,6 +51,7 @@ port = http,https [nginx-botsearch] enabled = true + logpath = /var/log/gitlab/nginx/*error.log maxretry = 2 port = http,https diff --git a/templates/jail.Ubuntu24.j2 b/templates/jail.Ubuntu24.j2 new file mode 100644 index 0000000..23342d4 
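Review bot: with the upstream documentation replaced by the bare `# MISC`, `# ACTIONS` and `# JAILS` headers, the [DEFAULT] values that deviate from fail2ban's own defaults (`backend = polling`, `usedns = warn`, `maxmatches = %(maxretry)s`, a one-day `bantime`) no longer carry any rationale, which is the one thing a reader of a trimmed file needs; one why-comment per deliberate deviation, e.g. `# polling: file-change notification backends not relied on; see sshd jail for systemd`, would cost three lines. The `ignoreip` line, unchanged by this hunk, iterates `groups.docker_nagios` without the `| default([])` guard that the new jail.Ubuntu24.j2 applies to the same expression, so rendering this template on an inventory without that group fails at templating time; aligning it with the 24 version avoids a host-specific surprise.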
--- /dev/null
+++ b/templates/jail.Ubuntu24.j2
@@ -0,0 +1,91 @@
+[INCLUDES]
+before = paths-debian.conf
+
+[DEFAULT]
+# MISC
+ignoreip = 127.0.0.1/8{% if inventory_hostname in groups.docker | default([]) %} 172.16.0.0/12 192.168.0.0/16{% endif %}{% for host in groups.docker_nagios | default([]) %} {{ hostvars[host].ansible_host }}/32{% endfor %}
+
+ignorecommand =
+bantime = 86400 ; ban for 1 day
+findtime = 3600 ; search for 1 hour
+maxretry = 3
+maxmatches = %(maxretry)s
+backend = polling
+usedns = warn
+logencoding = auto
+enabled = false
+mode = normal
+filter = %(__name__)s[mode=%(mode)s]
+
+# ACTIONS
+destemail = {{ default_maintenance_email }}
+sender = {{ inventory_hostname|lower }}_server@{{ inventory_hostname|lower }}.server
+mta = sendmail
+protocol = tcp
+chain = INPUT
+port = 0:65535
+fail2ban_agent = Fail2Ban/%(fail2ban_version)s
+banaction = iptables-multiport
+banaction_allports = iptables-allports
+action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action = %(action_)s
+
+# JAILS
+[sshd]
+backend = systemd
+enabled = true
+logpath = /var/log/auth.log
+mode = aggressive
+port = {{ default_sshd_port }}
+
+{% if inventory_hostname in groups.gitlab | default([]) %}
+[gitlab]
+enabled = true
+logpath = /var/log/gitlab/gitlab-rails/application.log
+port = http,https
+
+[nginx-http-auth]
+enabled = true
+logpath = /var/log/gitlab/nginx/*error.log
+port = http,https
+
+[nginx-botsearch]
+enabled = true
+
+logpath = /var/log/gitlab/nginx/*error.log
+maxretry = 2
+port = http,https
+
+{% endif %}
+{% if inventory_hostname in groups.odoo_server | default([]) or inventory_hostname in groups.owncloud_server | default([]) %}
+[nginx-http-auth]
+enabled = true
+logpath = /var/log/nginx/*error.log
+port = http,https
+
+[nginx-botsearch]
+enabled = true
+logpath = /var/log/nginx/*error.log
+maxretry = 2
+port = http,https
+
+{% endif %}
+[recidive]
+banaction = %(banaction_allports)s
+bantime = 1w
+enabled = true
+findtime = 1d
+logpath = /var/log/fail2ban.log
+{% if 
inventory_hostname in groups.docker | default([]) and inventory_hostname not in groups.docker_nextcloud | default([]) %}
+
+[traefik-auth]
+chain = FORWARD
+enabled = true
+{% if docker_userns_remap %}
+logpath = /var/lib/docker/{{ dockremap_subuid | default("*") }}.{{ dockremap_subgid | default("*") }}/volumes/inverseproxy_logs/_data/access.log
+{% else %}
+logpath = /var/lib/docker/volumes/inverseproxy_logs/_data/access.log
+{% endif %}
+mode = aggressive
+port = http,https
+{% endif %}
-- GitLab
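Review bot: `chain = FORWARD` in the new `[traefik-auth]` jail puts the ban rules into the FORWARD chain, whereas the Ubuntu 18 and 20 templates in this same patch use `chain = DOCKER-USER` for the equivalent `[docker-traefik-auth]` jail, the chain Docker documents as the place for user rules that must be evaluated ahead of its own FORWARD rules; unless the switch is deliberate (a non-Docker ingress, for instance), `chain = DOCKER-USER` is the safer choice, and a one-line comment should record the reason either way. `{% if docker_userns_remap %}` is the only variable in this file without a `| default(...)` guard, so a host that does not define it fails templating while every other optional input degrades gracefully; `{% if docker_userns_remap | default(false) %}` would match the rest of the file. The `ignoreip` loop renders `{{ hostvars[host].ansible_host }}/32`, which is only a valid entry when `ansible_host` is an IPv4 literal; a hostname or IPv6 address would produce a value fail2ban rejects, so that assumption deserves a comment. The index line shows this new file carrying the same blob (23342d4) as the updated jail.Ubuntu22.j2, so despite the commit title there is nothing Ubuntu-24-specific in it yet, and the stray blank line inside the GitLab `[nginx-botsearch]` block was copied along.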