- config/fail2ban/jail.local: Main jail configuration with SSH, web, and service protection - config/fail2ban/filter.d/sshd-ddos.conf: SSH connection flooding protection - config/fail2ban/filter.d/nginx-badbots.conf: Web scanner and bot detection - config/fail2ban/filter.d/gitea-auth.conf: Gitea authentication failure detection - Includes deployment instructions for automated IP banning
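# Fail2ban Jail Configuration for Homelab
# Deploy to: /etc/fail2ban/jail.local
#
# Setup commands:
# sudo cp config/fail2ban/jail.local /etc/fail2ban/
# sudo systemctl restart fail2ban
# sudo systemctl enable fail2ban
#
# Note: the jails below reference custom filters (config/fail2ban/filter.d/*.conf).
# Install them under /etc/fail2ban/filter.d/ as well, and check the result with
# "sudo fail2ban-client -t" before restarting the service.
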
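[DEFAULT]
# Ban settings. bantime and findtime are in seconds: an address that produces
# maxretry matches within findtime is banned for bantime. The jails below
# override these values where they need stricter or looser limits.
bantime = 3600
findtime = 600
maxretry = 5
# Bans are applied through the ufw action.
banaction = ufw
# Default log source is the systemd journal. With this backend fail2ban does
# not read a jail's logpath, so a jail that has to follow a log file must set
# a file-based backend of its own.
backend = systemd

# Ignore local networks and your management IPs
# NOTE(review): these ranges exempt every 10.x and 192.168.x address from
# banning. A compromised internal host is never blocked, and neither is any
# client whose traffic arrives through a proxy or NAT with a private address.
# Narrow this to the specific management addresses where possible.
ignoreip = 127.0.0.1/8 ::1 192.168.0.0/16 10.0.0.0/8

# Email notifications (configure if needed)
# destemail = your-email@domain.com
# sender = fail2ban@homelab
# action = %(action_mwl)s
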
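#
# SSH Protection (Critical - Primary attack vector)
#
[sshd]
enabled = true
port = 2222
filter = sshd
# NOTE(review): this jail inherits backend = systemd from [DEFAULT], so matches
# come from the journal and this logpath is not read.
logpath = /var/log/auth.log
# 3 failures within 300 seconds ban the address for 7200 seconds.
maxretry = 3
bantime = 7200
findtime = 300
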
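[sshd-ddos]
enabled = true
port = 2222
# Custom filter shipped with this repository (filter.d/sshd-ddos.conf).
filter = sshd-ddos
# NOTE(review): this jail inherits backend = systemd from [DEFAULT], so this
# logpath is not read. Confirm the custom filter matches journal entries
# (for example via a journalmatch setting); otherwise the jail never triggers.
logpath = /var/log/auth.log
# 6 matches within 60 seconds ban the address for 3600 seconds.
maxretry = 6
bantime = 3600
findtime = 60
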
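#
# Web Service Protection
#
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
# nginx writes this log as a plain file. Under the systemd backend inherited
# from [DEFAULT] the logpath would be ignored and the jail would never match,
# so a file-based backend is selected here.
backend = auto
logpath = /var/log/nginx/error.log
maxretry = 3
bantime = 3600
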
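[nginx-badbots]
enabled = true
# Custom filter shipped with this repository (filter.d/nginx-badbots.conf).
filter = nginx-badbots
# The access log is a plain file. Under the systemd backend inherited from
# [DEFAULT] the logpath would be ignored and the jail would never match, so a
# file-based backend is selected here.
backend = auto
logpath = /var/log/nginx/access.log
# 2 matches within 600 seconds ban the address for 86400 seconds (24 hours).
maxretry = 2
bantime = 86400
findtime = 600
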
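[nginx-noscript]
enabled = true
# NOTE(review): nginx-noscript is not among the filters described as shipped
# with this configuration. Confirm filter.d/nginx-noscript.conf is installed;
# an enabled jail whose filter cannot be read is a configuration error that
# can keep fail2ban from starting.
filter = nginx-noscript
# The access log is a plain file. Under the systemd backend inherited from
# [DEFAULT] the logpath would be ignored and the jail would never match, so a
# file-based backend is selected here.
backend = auto
logpath = /var/log/nginx/access.log
maxretry = 6
# 86400 seconds = 24 hours.
bantime = 86400
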
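[nginx-noproxy]
enabled = true
# NOTE(review): nginx-noproxy is not among the filters described as shipped
# with this configuration. Confirm filter.d/nginx-noproxy.conf is installed;
# an enabled jail whose filter cannot be read is a configuration error that
# can keep fail2ban from starting.
filter = nginx-noproxy
# The access log is a plain file. Under the systemd backend inherited from
# [DEFAULT] the logpath would be ignored and the jail would never match, so a
# file-based backend is selected here.
backend = auto
logpath = /var/log/nginx/access.log
maxretry = 2
# 86400 seconds = 24 hours.
bantime = 86400
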
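#
# Docker/Container Protection
#
[gitea-auth]
enabled = true
# Custom filter shipped with this repository (filter.d/gitea-auth.conf).
filter = gitea-auth
# Gitea writes this log as a plain file. Under the systemd backend inherited
# from [DEFAULT] the logpath would be ignored and the jail would never match,
# so a file-based backend is selected here.
backend = auto
logpath = /opt/docker/gitea/data/log/gitea.log
# NOTE(review): traffic to ports that Docker publishes is handled in Docker's
# own firewall chains, so a ufw ban may not cut off access to the container.
# After deployment, verify that a banned address really loses access, and that
# the log records the real client address rather than a proxy or bridge IP.
# 5 failures within 300 seconds ban the address for 1800 seconds.
maxretry = 5
bantime = 1800
findtime = 300
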
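#
# System Protection
#
[systemd-auth]
enabled = true
# NOTE(review): systemd-auth is not among the filters described as shipped
# with this configuration. Confirm filter.d/systemd-auth.conf is installed;
# an enabled jail whose filter cannot be read is a configuration error that
# can keep fail2ban from starting.
filter = systemd-auth
# NOTE(review): this jail inherits backend = systemd from [DEFAULT], so matches
# come from the journal and this logpath is not read.
logpath = /var/log/auth.log
# 5 failures within 300 seconds ban the address for 3600 seconds.
maxretry = 5
bantime = 3600
findtime = 300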