We already know that fail2ban allows the administrator of a system to create jails for suspicious IP addresses that could be attacking our server and services; this configuration allows creating multiport jails for those potential threats. Let's go!
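# ACTIONS
# Global defaults inherited by every jail below. fail2ban reads jail.local
# with a configparser-style parser, which rejects keys that appear before
# any section header, so these must live under [DEFAULT].
[DEFAULT]
# ban action used by any jail that does not name its own
banaction = iptables-multiport
# mail transport behind the *-whois notification actions
mta = sendmail
# protocol the iptables rules match on
protocol = tcp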
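# SSH brute force: 5 failed logins -> 5 minute ban
[ssh-iptables]
enabled = true
port = ssh
filter = sshd
# Multi-line action: the continuation line must be indented, otherwise the
# parser reads it as a separate key. Ports are passed through the `port`
# parameter of iptables-multiport; use plain ASCII quotes (curly quotes end
# up inside the iptables rule). The domain.com addresses are placeholders.
action = iptables-multiport[name=SSH, port="%(port)s", protocol=tcp]
         sendmail-whois[name=SSH, dest=mail@domain.com, sender=fail2ban@domain.com]
logpath = /var/log/auth.log
maxretry = 5
# seconds
bantime = 300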
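# Apache basic-auth failures: 4 attempts within 10 minutes -> long ban
[apache]
enabled = true
port = http,https
filter = apache-auth
# Continuation line indented; ports go through the `port` parameter so the
# jail's port list above is the single source of truth; ASCII quotes only.
# The domain.com addresses are placeholders.
action = iptables-multiport[name=HTTP, port="%(port)s", protocol=tcp]
         sendmail-whois[name=HTTP, dest=mail@domain.com, sender=fail2ban@domain.com]
logpath = /var/log/apache2/error.log
maxretry = 4
# seconds
bantime = 60000
# seconds
findtime = 600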
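# qmail/vpopmail POP3 logins against unknown user names
[qmail-vpopmail-pop3-user-notfound]
enabled = true
port = pop3,pop3s
filter = qmail-vpopmail-pop3-username
# `name` becomes the iptables chain (fail2ban-<name>), so it must be unique
# per jail and short (iptables caps chain names at 28 characters).
# No space is allowed between the action name and its [...] parameters.
# Continuation line indented; ASCII quotes only; domain.com is a placeholder.
action = iptables-multiport[name=POP3-USR-NOT-FOUND, port="%(port)s", protocol=tcp]
         sendmail-whois[name=POP3-USR-NOT-FOUND, dest=mail@domain.com, sender=fail2ban@domain.com]
logpath = /var/log/mail.log
maxretry = 5
# seconds
bantime = 60000
# seconds
findtime = 600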
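# qmail/vpopmail SMTP logins against unknown user names
[qmail-vpopmail-smtp-user-notfound]
enabled = true
# NOTE(review): the jail name says SMTP but the filter and ports below are
# the POP3 ones (identical to the pop3-user-notfound jail) — confirm whether
# an SMTP-specific filter and `port = smtp` were intended.
port = pop3,pop3s
filter = qmail-vpopmail-pop3-username
# `name` must differ from the pop3-user-notfound jail: both jails sharing
# one iptables chain means stopping one tears down the other's rules.
# Continuation line indented; ASCII quotes only; domain.com is a placeholder.
action = iptables-multiport[name=SMTP-USR-NOT-FOUND, port="%(port)s", protocol=tcp]
         sendmail-whois[name=SMTP-USR-NOT-FOUND, dest=email@domain.com, sender=fail2ban@domain.com]
logpath = /var/log/mail.log
maxretry = 5
# seconds
bantime = 60000
# seconds
findtime = 600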
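# qmail/vpopmail POP3 password failures
[qmail-vpopmail-pop3-pw-fail]
enabled = true
port = pop3,pop3s
filter = qmail-vpopmail-pop3-pw-fail
# Same `name` for both actions so the chain and the mail subject agree.
# Continuation line indented; ASCII quotes only; domain.com is a placeholder.
action = iptables-multiport[name=POP3-PW-FAIL, port="%(port)s", protocol=tcp]
         sendmail-whois[name=POP3-PW-FAIL, dest=email@domain.com, sender=fail2ban@domain.com]
logpath = /var/log/mail.log
maxretry = 5
# seconds
bantime = 60000
# seconds
findtime = 600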
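# Dovecot IMAP authentication failures
[dovecot]
enabled = true
port = imap,imaps
filter = dovecot
# Continuation line indented; ports via the `port` parameter; ASCII quotes
# only; domain.com is a placeholder.
action = iptables-multiport[name=DOVECOT, port="%(port)s", protocol=tcp]
         sendmail-whois[name=DOVECOT, dest=email@domain.com, sender=fail2ban@domain.com]
logpath = /var/log/mail.log
maxretry = 5
# seconds
bantime = 60000
# seconds
findtime = 600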
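# Webmail phishing probes: 2 hits within 10 minutes -> long ban
[apache-webmail-phish]
enabled = true
port = http,https
filter = apache-webmail-phish
# `name` was "HTPP" (typo) on the ban action and "HTTP" on the mail action;
# "HTTP" is already the chain of the [apache] jail, so this jail needs its
# own unique name. Continuation line indented; ASCII quotes only; domain.com
# is a placeholder.
action = iptables-multiport[name=WEBMAIL-PHISH, port="%(port)s", protocol=tcp]
         sendmail-whois[name=WEBMAIL-PHISH, dest=email@domain.com, sender=fail2ban@domain.com]
logpath = /var/log/apache2/error.log
maxretry = 2
# seconds
bantime = 60000
# seconds
findtime = 600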
Don't forget to create the regex (filter) rules for every jail, and you are good to go. Good luck, see you in the next post.