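# Fail2ban Jail Configuration for Homelab
# Deploy to: /etc/fail2ban/jail.local
#
# Setup commands:
#   sudo cp config/fail2ban/jail.local /etc/fail2ban/
#   sudo systemctl restart fail2ban
#   sudo systemctl enable fail2ban
#
# After every restart, confirm that each jail below is listed as loaded:
#   sudo fail2ban-client status
# A jail that references a filter missing from /etc/fail2ban/filter.d/ can
# keep the service from starting, which leaves every jail inactive.
#
# All time values (bantime, findtime) are in seconds.

[DEFAULT]
# Ban settings: 5 failures within 10 minutes -> 1 hour ban, unless a jail
# overrides these values.
bantime = 3600
findtime = 600
maxretry = 5
banaction = ufw
# The systemd backend reads the journal and does not consult logpath.
# Jails that must tail a log file (nginx, gitea) set backend = auto themselves.
backend = systemd

# Ignore local networks and your management IPs
# NOTE(review): hosts in these ranges are never banned. If the LAN holds
# untrusted devices, or a proxy/container NAT makes client addresses appear
# from these ranges in the logs, narrow this to the specific management IPs.
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/16 10.0.0.0/8

# Email notifications (configure if needed)
# destemail = your-email@domain.com
# sender = fail2ban@homelab
# action = %(action_mwl)s

#
# SSH Protection (Critical - Primary attack vector)
#

[sshd]
enabled = true
# Keep in sync with the Port directive in sshd_config.
port = 2222
filter = sshd
# Not consulted while this jail inherits backend = systemd (journal is read).
logpath = /var/log/auth.log
maxretry = 3
bantime = 7200
findtime = 300

[sshd-ddos]
enabled = true
port = 2222
# NOTE(review): fail2ban 0.10 and later folded the sshd-ddos filter into the
# sshd filter (selected with its mode parameter). Confirm that
# filter.d/sshd-ddos.conf exists on the target host before enabling this jail.
filter = sshd-ddos
# Not consulted while this jail inherits backend = systemd (journal is read).
logpath = /var/log/auth.log
maxretry = 6
bantime = 3600
findtime = 60

#
# Web Service Protection
#
# nginx writes to plain log files, so these jails override the journal
# backend; without the override their logpath would not be monitored.

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
backend = auto
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 3600

# NOTE(review): nginx-badbots, nginx-noscript and nginx-noproxy do not appear
# to be filters shipped with fail2ban; verify that matching files exist in
# /etc/fail2ban/filter.d/ on the target host.

[nginx-badbots]
enabled = true
filter = nginx-badbots
backend = auto
logpath = /var/log/nginx/access.log
maxretry = 2
bantime = 86400
findtime = 600

[nginx-noscript]
enabled = true
filter = nginx-noscript
backend = auto
logpath = /var/log/nginx/access.log
maxretry = 6
bantime = 86400

[nginx-noproxy]
enabled = true
filter = nginx-noproxy
backend = auto
logpath = /var/log/nginx/access.log
maxretry = 2
bantime = 86400

#
# Docker/Container Protection
#

[gitea-auth]
enabled = true
# NOTE(review): gitea-auth looks like a custom filter; verify that
# filter.d/gitea-auth.conf is deployed alongside this file.
filter = gitea-auth
# Log file written by the container, so the journal backend is overridden.
backend = auto
logpath = /opt/docker/gitea/data/log/gitea.log
maxretry = 5
bantime = 1800
findtime = 300
# NOTE(review): ports published directly by Docker are commonly not filtered
# by ufw rules. If Gitea is exposed that way rather than through the host's
# nginx, confirm that a ban from this jail actually blocks the client.

#
# System Protection
#

[systemd-auth]
enabled = true
# NOTE(review): systemd-auth looks like a custom filter; verify that it is
# deployed and that it defines what to match in the journal.
filter = systemd-auth
# Not consulted while this jail inherits backend = systemd (journal is read).
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
findtime = 300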