Results 1 to 10 of 10

Thread: UFW blocks port 25, with other instabilities

Threaded View

  1. #1
    Join Date
    Jan 2024
    Beans
    7

    UFW blocks port 25, with other instabilities

    I am using
    Code:
    Ubuntu 23.10
    I have 2 issues with my UFW firewall that may or not be related
    The only configuration I have done is
    Code:
    sudo ufw allow 25
    ...
    to the ports I needed, and then added a connection tracking line in my ufw before.rules
    Code:
    *filter
    -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    :ufw-before-input - [0:0]
    :ufw-before-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-not-local - [0:0]
    When I reboot and test it, my port test of 25 will fail / just hang.
    Upon clearing my firewall using
    Code:
        sudo iptables -P INPUT ACCEPT
        sudo iptables -P FORWARD ACCEPT
        sudo iptables -P OUTPUT ACCEPT
        sudo iptables -t nat -F
        sudo iptables -t mangle -F
        sudo iptables -F
        sudo iptables -X
    Then my port works

    ~$ telnet mail.domain.com 25
    Trying 149.28.24.41...
    Connected to mail.domain.com.
    Escape character is '^]'.
    220 mail.domain.com ESMTP Exim 4.96 Ubuntu Tue, 27 Feb 2024 00:13:33 +0000
    exit

    Why is my firewall blocking my port 25?

    Also, periodically my ssh port will lock up. The two issues seem to pop up at the same time. I have no clue if they are related.

    My iptables
    Code:
    yoda@mail:~$ sudo iptables -S
    -P INPUT DROP
    -P FORWARD DROP
    -P OUTPUT ACCEPT
    -N f2b-ufw
    -N ufw-after-forward
    -N ufw-after-input
    -N ufw-after-logging-forward
    -N ufw-after-logging-input
    -N ufw-after-logging-output
    -N ufw-after-output
    -N ufw-before-forward
    -N ufw-before-input
    -N ufw-before-logging-forward
    -N ufw-before-logging-input
    -N ufw-before-logging-output
    -N ufw-before-output
    -N ufw-logging-allow
    -N ufw-logging-deny
    -N ufw-not-local
    -N ufw-reject-forward
    -N ufw-reject-input
    -N ufw-reject-output
    -N ufw-skip-to-policy-forward
    -N ufw-skip-to-policy-input
    -N ufw-skip-to-policy-output
    -N ufw-track-forward
    -N ufw-track-input
    -N ufw-track-output
    -N ufw-user-forward
    -N ufw-user-input
    -N ufw-user-limit
    -N ufw-user-limit-accept
    -N ufw-user-logging-forward
    -N ufw-user-logging-input
    -N ufw-user-logging-output
    -N ufw-user-output
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p tcp -j f2b-ufw
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -j ufw-before-logging-input
    -A INPUT -j ufw-before-input
    -A INPUT -j ufw-after-input
    -A INPUT -j ufw-after-logging-input
    -A INPUT -j ufw-reject-input
    -A INPUT -j ufw-track-input
    -A INPUT -s 200.68.165.36/32 -p tcp -m tcp --dport 22 -j ACCEPT
    -A FORWARD -j ufw-before-logging-forward
    -A FORWARD -j ufw-before-forward
    -A FORWARD -j ufw-after-forward
    -A FORWARD -j ufw-after-logging-forward
    -A FORWARD -j ufw-reject-forward
    -A FORWARD -j ufw-track-forward
    -A OUTPUT -j ufw-before-logging-output
    -A OUTPUT -j ufw-before-output
    -A OUTPUT -j ufw-after-output
    -A OUTPUT -j ufw-after-logging-output
    -A OUTPUT -j ufw-reject-output
    -A OUTPUT -j ufw-track-output
    -A f2b-ufw -s 80.66.83.153/32 -j REJECT --reject-with icmp-port-unreachable
    -A f2b-ufw -s 77.90.185.72/32 -j REJECT --reject-with icmp-port-unreachable
    -A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
    -A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
    -A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
    -A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
    -A ufw-after-logging-forward -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-after-logging-input -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-forward -j ufw-user-forward
    -A ufw-before-input -i lo -j ACCEPT
    -A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
    -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
    -A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
    -A ufw-before-input -j ufw-not-local
    -A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
    -A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
    -A ufw-before-input -j ufw-user-input
    -A ufw-before-output -o lo -j ACCEPT
    -A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A ufw-before-output -j ufw-user-output
    -A ufw-logging-allow -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW ALLOW] "
    -A ufw-logging-deny -m conntrack --ctstate INVALID -m limit --limit 3/min --limit-burst 10 -j RETURN
    -A ufw-logging-deny -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "[UFW BLOCK] "
    -A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
    -A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
    -A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
    -A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
    -A ufw-not-local -j DROP
    -A ufw-skip-to-policy-forward -j DROP
    -A ufw-skip-to-policy-input -j DROP
    -A ufw-skip-to-policy-output -j ACCEPT
    -A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 465 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 25 -j ACCEPT
    -A ufw-user-input -s 218.92.0.52/32 -j DROP
    -A ufw-user-input -p tcp -m tcp --dport 143 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 993 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 110 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 995 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 80 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 443 -j ACCEPT
    -A ufw-user-input -p tcp -m tcp --dport 53 -j ACCEPT
    -A ufw-user-limit -m limit --limit 3/min -j LOG --log-prefix "[UFW LIMIT BLOCK] "
    -A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
    -A ufw-user-limit-accept -j ACCEPT
    I do have fail2ban and knockd installed and configured to service port 22 but they appear to be error free. but I cannot see how they would be the cause of this.

    Code:
    /etc/fail2ban/jail.conf
    Code:
     yoda@mail:~$ sudo cat /etc/fail2ban/jail.conf
    [sudo] password for yoda: 
    #
    # WARNING: heavily refactored in 0.9.0 release.  Please review and
    #          customize settings for your setup.
    #
    # Changes:  in most of the cases you should not modify this
    #           file, but provide customizations in jail.local file,
    #           or separate .conf files under jail.d/ directory, e.g.:
    #
    # HOW TO ACTIVATE JAILS:
    #
    # YOU SHOULD NOT MODIFY THIS FILE.
    #
    # It will probably be overwritten or improved in a distribution update.
    #
    # Provide customizations in a jail.local file or a jail.d/customisation.local.
    # For example to change the default bantime for all jails and to enable the
    # ssh-iptables jail the following (uncommented) would appear in the .local file.
    # See man 5 jail.conf for details.
    #
    # [DEFAULT]
    # bantime = 1h
    #
    # [sshd]
    # enabled = true
    #
    # See jail.conf(5) man page for more information
    
    
    
    # Comments: use '#' for comment lines and ';' (following a space) for inline comments
    
    
    [INCLUDES]
    
    #before = paths-distro.conf
    before = paths-debian.conf
    
    # The DEFAULT allows a global definition of the options. They can be overridden
    # in each jail afterwards.
    
    [DEFAULT]
    
    #
    # MISCELLANEOUS OPTIONS
    #
    
    # "bantime.increment" allows to use database for searching of previously banned ip's to increase a 
    # default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
    #bantime.increment = true
    
    # "bantime.rndtime" is the max number of seconds using for mixing with random time 
    # to prevent "clever" botnets calculate exact time IP can be unbanned again:
    #bantime.rndtime = 
    
    # "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
    #bantime.maxtime = 
    
    # "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
    # default value of factor is 1 and with default value of formula, the ban time 
    # grows by 1, 2, 4, 8, 16 ...
    #bantime.factor = 1
    
    # "bantime.formula" used by default to calculate next value of ban time, default value below,
    # the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
    #bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
    #
    # more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
    #bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
    
    # "bantime.multipliers" used to calculate next value of ban time instead of formula, corresponding
    # previously ban count and given "bantime.factor" (for multipliers default is 1);
    # following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, 
    # always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
    #bantime.multipliers = 1 2 4 8 16 32 64
    # following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
    # for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
    #bantime.multipliers = 1 5 30 60 300 720 1440 2880
    
    # "bantime.overalljails" (if true) specifies the search of IP in the database will be executed 
    # cross over all jails, if false (default), only current jail of the ban IP will be searched
    #bantime.overalljails = false
    
    # --------------------
    
    # "ignoreself" specifies whether the local resp. own IP addresses should be ignored
    # (default is true). Fail2ban will not ban a host which matches such addresses.
    #ignoreself = true
    
    # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
    # will not ban a host which matches an address in this list. Several addresses
    # can be defined using space (and/or comma) separator.
    #ignoreip = 127.0.0.1/8 ::1
    
    # External command that will take an tagged arguments to ignore, e.g. <ip>,
    # and return true if the IP is to be ignored. False otherwise.
    #
    # ignorecommand = /path/to/command <ip>
    ignorecommand =
    
    # "bantime" is the number of seconds that a host is banned.
    bantime  = 20000m
    
    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime  = 10m
    
    # "maxretry" is the number of failures before a host get banned.
    maxretry = 5
    
    # "maxmatches" is the number of matches stored in ticket (resolvable via tag <matches> in actions).
    maxmatches = %(maxretry)s
    
    # "backend" specifies the backend used to get files modification.
    # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
    # This option can be overridden in each jail as well.
    #
    # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
    #              If pyinotify is not installed, Fail2ban will use auto.
    # gamin:     requires Gamin (a file alteration monitor) to be installed.
    #              If Gamin is not installed, Fail2ban will use auto.
    # polling:   uses a polling algorithm which does not require external libraries.
    # systemd:   uses systemd python library to access the systemd journal.
    #              Specifying "logpath" is not valid for this backend.
    #              See "journalmatch" in the jails associated filter config
    # auto:      will try to use the following backends, in order:
    #              pyinotify, gamin, polling.
    #
    # Note: if systemd backend is chosen as the default but you enable a jail
    #       for which logs are present only in its own log files, specify some other
    #       backend for that jail (e.g. polling) and provide empty value for
    #       journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
    backend = auto
    
    # "usedns" specifies if jails should trust hostnames in logs,
    #   warn when DNS lookups are performed, or ignore all hostnames in logs
    #
    # yes:   if a hostname is encountered, a DNS lookup will be performed.
    # warn:  if a hostname is encountered, a DNS lookup will be performed,
    #        but it will be logged as a warning.
    # no:    if a hostname is encountered, will not be used for banning,
    #        but it will be logged as info.
    # raw:   use raw value (no hostname), allow use it for no-host filters/actions (example user)
    usedns = warn
    
    # "logencoding" specifies the encoding of the log files handled by the jail
    #   This is used to decode the lines from the log file.
    #   Typical examples:  "ascii", "utf-8"
    #
    #   auto:   will use the system locale setting
    logencoding = auto
    
    # "enabled" enables the jails.
    #  By default all jails are disabled, and it should stay this way.
    #  Enable only relevant to your setup jails in your .local or jail.d/*.conf
    #
    # true:  jail will be enabled and log files will get monitored for changes
    # false: jail is not enabled
    enabled = false
    
    
    # "mode" defines the mode of the filter (see corresponding filter implementation for more info).
    mode = normal
    
    # "filter" defines the filter to use by the jail.
    #  By default jails have names matching their filter name
    #
    filter = %(__name__)s[mode=%(mode)s]
    
    
    #
    # ACTIONS
    #
    
    # Some options used for actions
    
    # Destination email address used solely for the interpolations in
    # jail.{conf,local,d/*} configuration files.
    destemail = root@localhost
    
    # Sender email address used solely for some actions
    sender = root@<fq-hostname>
    
    # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
    # mailing. Change mta configuration parameter to mail if you want to
    # revert to conventional 'mail'.
    mta = sendmail
    
    # Default protocol
    protocol = tcp
    
    # Specify chain where jumps would need to be added in ban-actions expecting parameter chain
    chain = <known/chain>
    
    # Ports to be banned
    # Usually should be overridden in a particular jail
    port = 0:65535
    
    # Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
    fail2ban_agent = Fail2Ban/%(fail2ban_version)s
    
    #
    # Action shortcuts. To be used to define action parameter
    
    # Default banning action (e.g. iptables, iptables-new,
    # iptables-multiport, shorewall, etc) It is used to define
    # action_* variables. Can be overridden globally or per
    # section within jail.local file
    banaction = iptables-multiport
    banaction_allports = iptables-allports
    
    # The simplest action to take: ban only
    action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
    
    # ban & send an e-mail with whois report to the destemail.
    action_mw = %(action_)s
                %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
    
    # ban & send an e-mail with whois report and relevant log lines
    # to the destemail.
    action_mwl = %(action_)s
                 %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
    
    # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
    #
    # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
    # to the destemail.
    action_xarf = %(action_)s
                 xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
    
    # ban & send a notification to one or more of the 50+ services supported by Apprise.
    # See https://github.com/caronc/apprise/wiki for details on what is supported.
    #
    # You may optionally over-ride the default configuration line (containing the Apprise URLs)
    # by using 'apprise[config="/alternate/path/to/apprise.cfg"]' otherwise
    # /etc/fail2ban/apprise.conf is sourced for your supported notification configuration.
    # action = %(action_)s
    #          apprise
    
    # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
    # to the destemail.
    action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                    %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
    
    # Report block via blocklist.de fail2ban reporting service API
    # 
    # See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
    # Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
    # `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
    # in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in 
    # corresponding jail.d/my-jail.local file).
    #
    action_blocklist_de  = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
    
    # Report ban via abuseipdb.com.
    #
    # See action.d/abuseipdb.conf for usage example and details.
    #
    action_abuseipdb = abuseipdb
    
    # Choose default action.  To change, just override value of 'action' with the
    # interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
    # globally (section [DEFAULT]) or per specific section
    action = %(action_)s
    
    
    #
    # JAILS
    #
    
    #
    # SSH servers
    #
    
    #[sshd]
    
    # To use more aggressive sshd modes set filter parameter "mode" in jail.local:
    # normal (default), ddos, extra or aggressive (combines all).
    # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
    #mode   = normal
    #port    = ssh
    #logpath = %(sshd_log)s
    #backend = %(sshd_backend)s
    
    
    [dropbear]
    
    port     = ssh
    logpath  = %(dropbear_log)s
    backend  = %(dropbear_backend)s
    
    
    [selinux-ssh]
    
    port     = ssh
    logpath  = %(auditd_log)s
    
    
    #
    # HTTP servers
    #
    
    [apache-auth]
    
    port     = http,https
    logpath  = %(apache_error_log)s
    
    
    [apache-badbots]
    # Ban hosts which agent identifies spammer robots crawling the web
    # for email addresses. The mail outputs are buffered.
    port     = http,https
    logpath  = %(apache_access_log)s
    bantime  = 48h
    maxretry = 1
    
    
    [apache-noscript]
    
    port     = http,https
    logpath  = %(apache_error_log)s
    
    
    [apache-overflows]
    
    port     = http,https
    logpath  = %(apache_error_log)s
    maxretry = 2
    
    
    [apache-nohome]
    
    port     = http,https
    logpath  = %(apache_error_log)s
    maxretry = 2
    
    
    [apache-botsearch]
    
    port     = http,https
    logpath  = %(apache_error_log)s
    maxretry = 2
    
    
    [apache-fakegooglebot]
    
    port     = http,https
    logpath  = %(apache_access_log)s
    maxretry = 1
    ignorecommand = %(fail2ban_confpath)s/filter.d/ignorecommands/apache-fakegooglebot <ip>
    
    
    [apache-modsecurity]
    
    port     = http,https
    logpath  = %(apache_error_log)s
    maxretry = 2
    
    
    [apache-shellshock]
    
    port    = http,https
    logpath = %(apache_error_log)s
    maxretry = 1
    
    
    [openhab-auth]
    
    filter = openhab
    banaction = %(banaction_allports)s
    logpath = /opt/openhab/logs/request.log
    
    
    # To use more aggressive http-auth modes set filter parameter "mode" in jail.local:
    # normal (default), aggressive (combines all), auth or fallback
    # See "tests/files/logs/nginx-http-auth" or "filter.d/nginx-http-auth.conf" for usage example and details.
    [nginx-http-auth]
    # mode = normal
    port    = http,https
    logpath = %(nginx_error_log)s
    
    # To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module` 
    # and define `limit_req` and `limit_req_zone` as described in nginx documentation
    # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
    # or for example see in 'config/filter.d/nginx-limit-req.conf'
    [nginx-limit-req]
    port    = http,https
    logpath = %(nginx_error_log)s
    
    [nginx-botsearch]
    
    port     = http,https
    logpath  = %(nginx_error_log)s
    
    [nginx-bad-request]
    port    = http,https
    logpath = %(nginx_access_log)s
    
    # Ban attackers that try to use PHP's URL-fopen() functionality
    # through GET/POST variables. - Experimental, with more than a year
    # of usage in production environments.
    
    [php-url-fopen]
    
    port    = http,https
    logpath = %(nginx_access_log)s
              %(apache_access_log)s
    
    
    [suhosin]
    
    port    = http,https
    logpath = %(suhosin_log)s
    
    
    [lighttpd-auth]
    # Same as above for Apache's mod_auth
    # It catches wrong authentifications
    port    = http,https
    logpath = %(lighttpd_error_log)s
    
    
    #
    # Webmail and groupware servers
    #
    
    [roundcube-auth]
    
    port     = http,https
    logpath  = %(roundcube_errors_log)s
    # Use following line in your jail.local if roundcube logs to journal.
    #backend = %(syslog_backend)s
    
    
    [openwebmail]
    
    port     = http,https
    logpath  = /var/log/openwebmail.log
    
    
    [horde]
    
    port     = http,https
    logpath  = /var/log/horde/horde.log
    
    
    [groupoffice]
    
    port     = http,https
    logpath  = /home/groupoffice/log/info.log
    
    
    [sogo-auth]
    # Monitor SOGo groupware server
    # without proxy this would be:
    # port    = 20000
    port     = http,https
    logpath  = /var/log/sogo/sogo.log
    
    
    [tine20]
    
    logpath  = /var/log/tine20/tine20.log
    port     = http,https
    
    
    #
    # Web Applications
    #
    #
    
    [drupal-auth]
    
    port     = http,https
    logpath  = %(syslog_daemon)s
    backend  = %(syslog_backend)s
    
    [guacamole]
    
    port     = http,https
    logpath  = /var/log/tomcat*/catalina.out
    #logpath  = /var/log/guacamole.log
    
    [monit]
    #Ban clients brute-forcing the monit gui login
    port = 2812
    logpath  = /var/log/monit
               /var/log/monit.log
    
    
    [webmin-auth]
    
    port    = 10000
    logpath = %(syslog_authpriv)s
    backend = %(syslog_backend)s
    
    
    [froxlor-auth]
    
    port    = http,https
    logpath  = %(syslog_authpriv)s
    backend  = %(syslog_backend)s
    
    
    #
    # HTTP Proxy servers
    #
    #
    
    [squid]
    
    port     =  80,443,3128,8080
    logpath = /var/log/squid/access.log
    
    
    [3proxy]
    
    port    = 3128
    logpath = /var/log/3proxy.log
    
    
    #
    # FTP servers
    #
    
    
    [proftpd]
    
    port     = ftp,ftp-data,ftps,ftps-data
    logpath  = %(proftpd_log)s
    backend  = %(proftpd_backend)s
    
    
    [pure-ftpd]
    
    port     = ftp,ftp-data,ftps,ftps-data
    logpath  = %(pureftpd_log)s
    backend  = %(pureftpd_backend)s
    
    
    [gssftpd]
    
    port     = ftp,ftp-data,ftps,ftps-data
    logpath  = %(syslog_daemon)s
    backend  = %(syslog_backend)s
    
    
    [wuftpd]
    
    port     = ftp,ftp-data,ftps,ftps-data
    logpath  = %(wuftpd_log)s
    backend  = %(wuftpd_backend)s
    
    
    [vsftpd]
    # or overwrite it in jails.local to be
    # logpath = %(syslog_authpriv)s
    # if you want to rely on PAM failed login attempts
    # vsftpd's failregex should match both of those formats
    port     = ftp,ftp-data,ftps,ftps-data
    logpath  = %(vsftpd_log)s
    
    
    #
    # Mail servers
    #
    
    # ASSP SMTP Proxy Jail
    [assp]
    
    port     = smtp,465,submission
    logpath  = /root/path/to/assp/logs/maillog.txt
    
    
    [courier-smtp]
    
    port     = smtp,465,submission
    logpath  = %(syslog_mail)s
    backend  = %(syslog_backend)s
    
    
    [postfix]
    # To use another modes set filter parameter "mode" in jail.local:
    mode    = more
    port    = smtp,465,submission
    logpath = %(postfix_log)s
    backend = %(postfix_backend)s
    
    
    [postfix-rbl]
    
    filter   = postfix[mode=rbl]
    port     = smtp,465,submission
    logpath  = %(postfix_log)s
    backend  = %(postfix_backend)s
    maxretry = 1
    
    
    [sendmail-auth]
    
    port    = submission,465,smtp
    logpath = %(syslog_mail)s
    backend = %(syslog_backend)s
    
    
    [sendmail-reject]
    # To use more aggressive modes set filter parameter "mode" in jail.local:
    # normal (default), extra or aggressive
    # See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.
    #mode    = normal
    port     = smtp,465,submission
    logpath  = %(syslog_mail)s
    backend  = %(syslog_backend)s
    
    
    [qmail-rbl]
    
    filter  = qmail
    port    = smtp,465,submission
    logpath = /service/qmail/log/main/current
    
    
    # dovecot defaults to logging to the mail syslog facility
    # but can be set by syslog_facility in the dovecot configuration.
    [dovecot]
    
    port    = pop3,pop3s,imap,imaps,submission,465,sieve
    logpath = %(dovecot_log)s
    backend = %(dovecot_backend)s
    
    
    [sieve]
    
    port   = smtp,465,submission
    logpath = %(dovecot_log)s
    backend = %(dovecot_backend)s
    
    
    [solid-pop3d]
    
    port    = pop3,pop3s
    logpath = %(solidpop3d_log)s
    
    
    [exim]
    # see filter.d/exim.conf for further modes supported from filter:
    #mode = normal
    port   = smtp,465,submission
    logpath = %(exim_main_log)s
    
    
    [exim-spam]
    
    port   = smtp,465,submission
    logpath = %(exim_main_log)s
    
    
    [kerio]
    
    port    = imap,smtp,imaps,465
    logpath = /opt/kerio/mailserver/store/logs/security.log
    
    
    #
    # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
    # all relevant ports get banned
    #
    
    [courier-auth]
    
    port     = smtp,465,submission,imap,imaps,pop3,pop3s
    logpath  = %(syslog_mail)s
    backend  = %(syslog_backend)s
    
    
    [postfix-sasl]
    
    filter   = postfix[mode=auth]
    port     = smtp,465,submission,imap,imaps,pop3,pop3s
    # You might consider monitoring /var/log/mail.warn instead if you are
    # running postfix since it would provide the same log lines at the
    # "warn" level but overall at the smaller filesize.
    logpath  = %(postfix_log)s
    backend  = %(postfix_backend)s
    
    
    [perdition]
    
    port   = imap,imaps,pop3,pop3s
    logpath = %(syslog_mail)s
    backend = %(syslog_backend)s
    
    
    [squirrelmail]
    
    port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks
    logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
    
    
    [cyrus-imap]
    
    port   = imap,imaps
    logpath = %(syslog_mail)s
    backend = %(syslog_backend)s
    
    
    [uwimap-auth]
    
    port   = imap,imaps
    logpath = %(syslog_mail)s
    backend = %(syslog_backend)s
    
    
    #
    #
    # DNS servers
    #
    
    
    # !!! WARNING !!!
    #   Since UDP is connection-less protocol, spoofing of IP and imitation
    #   of illegal actions is way too simple.  Thus enabling of this filter
    #   might provide an easy way for implementing a DoS against a chosen
    #   victim. See
    #    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
    #   Please DO NOT USE this jail unless you know what you are doing.
    #
    # IMPORTANT: see filter.d/named-refused for instructions to enable logging
    # This jail blocks UDP traffic for DNS requests.
    # [named-refused-udp]
    #
    # filter   = named-refused
    # port     = domain,953
    # protocol = udp
    # logpath  = /var/log/named/security.log
    
    # IMPORTANT: see filter.d/named-refused for instructions to enable logging
    # This jail blocks TCP traffic for DNS requests.
    
    [named-refused]
    
    port     = domain,953
    logpath  = /var/log/named/security.log
    
    
    [nsd]
    
    port     = 53
    action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
               %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
    logpath = /var/log/nsd.log
    
    
    #
    # Miscellaneous
    #
    
    [asterisk]
    
    port     = 5060,5061
    action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
               %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
    logpath  = /var/log/asterisk/messages
    maxretry = 10
    
    
    [freeswitch]
    
    port     = 5060,5061
    action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
               %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
    logpath  = /var/log/freeswitch.log
    maxretry = 10
    
    
    # enable adminlog; it will log to a file inside znc's directory by default.
    [znc-adminlog]
    
    port     = 6667
    logpath  = /var/lib/znc/moddata/adminlog/znc.log
    
    
    # To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
    # equivalent section:
    # log-warnings = 2
    #
    # for syslog (daemon facility)
    # [mysqld_safe]
    # syslog
    #
    # for own logfile
    # [mysqld]
    # log-error=/var/log/mysqld.log
    [mysqld-auth]
    
    port     = 3306
    logpath  = %(mysql_log)s
    backend  = %(mysql_backend)s
    
    
    [mssql-auth]
    # Default configuration for Microsoft SQL Server for Linux
    # See the 'mssql-conf' manpage how to change logpath or port
    logpath = /var/opt/mssql/log/errorlog
    port = 1433
    filter = mssql-auth
    
    
    # Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
    [mongodb-auth]
    # change port when running with "--shardsvr" or "--configsvr" runtime operation
    port     = 27017
    logpath  = /var/log/mongodb/mongodb.log
    
    
    # Jail for more extended banning of persistent abusers
    # !!! WARNINGS !!!
    # 1. Make sure that your loglevel specified in fail2ban.conf/.local
    #    is not at DEBUG level -- which might then cause fail2ban to fall into
    #    an infinite loop constantly feeding itself with non-informative lines
    # 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
    #    to maintain entries for failed logins for sufficient amount of time
    [recidive]
    
    logpath  = /var/log/fail2ban.log
    banaction = %(banaction_allports)s
    bantime  = 1w
    findtime = 1d
    
    
    # Generic filter for PAM. Has to be used with action which bans all
    # ports such as iptables-allports, shorewall
    
    [pam-generic]
    # pam-generic filter can be customized to monitor specific subset of 'tty's
    banaction = %(banaction_allports)s
    logpath  = %(syslog_authpriv)s
    backend  = %(syslog_backend)s
    
    
    [xinetd-fail]
    
    banaction = iptables-multiport-log
    logpath   = %(syslog_daemon)s
    backend   = %(syslog_backend)s
    maxretry  = 2
    
    
    # stunnel - need to set port for this
    [stunnel]
    
    logpath = /var/log/stunnel4/stunnel.log
    
    
    [ejabberd-auth]
    
    port    = 5222
    logpath = /var/log/ejabberd/ejabberd.log
    
    
    [counter-strike]
    
    logpath = /opt/cstrike/logs/L[0-9]*.log
    tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
    udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
    action_  = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"]
               %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"]
    
    [softethervpn]
    port     = 500,4500
    protocol = udp
    logpath  = /usr/local/vpnserver/security_log/*/sec.log
    
    [gitlab]
    port    = http,https
    logpath = /var/log/gitlab/gitlab-rails/application.log
    
    [grafana]
    port    = http,https
    logpath = /var/log/grafana/grafana.log
    
    [bitwarden]
    port    = http,https
    logpath = /home/*/bwdata/logs/identity/Identity/log.txt
    
    [centreon]
    port    = http,https
    logpath = /var/log/centreon/login.log
    
    # consider low maxretry and a long bantime
    # nobody except your own Nagios server should ever probe nrpe
    [nagios]
    
    logpath  = %(syslog_daemon)s     ; nrpe.cfg may define a different log_facility
    backend  = %(syslog_backend)s
    maxretry = 1
    
    
    [oracleims]
    # see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
    logpath = /opt/sun/comms/messaging64/log/mail.log_current
    banaction = %(banaction_allports)s
    
    [directadmin]
    logpath = /var/log/directadmin/login.log
    port = 2222
    
    [portsentry]
    logpath  = /var/lib/portsentry/portsentry.history
    maxretry = 1
    
    [pass2allow-ftp]
    # this pass2allow example allows FTP traffic after successful HTTP authentication
    port         = ftp,ftp-data,ftps,ftps-data
    # knocking_url variable must be overridden to some secret value in jail.local
    knocking_url = /knocking/
    filter       = apache-pass[knocking_url="%(knocking_url)s"]
    # access log of the website with HTTP auth
    logpath      = %(apache_access_log)s
    blocktype    = RETURN
    returntype   = DROP
    action       = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s,
                            actionstart_on_demand=false, actionrepair_on_unban=true]
    bantime      = 1h
    maxretry     = 1
    findtime     = 1
    
    
    [murmur]
    # AKA mumble-server
    port     = 64738
    action_  = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]
               %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]
    logpath  = /var/log/mumble-server/mumble-server.log
    
    
    [screensharingd]
    # For Mac OS Screen Sharing Service (VNC)
    logpath  = /var/log/system.log
    logencoding = utf-8
    
    [haproxy-http-auth]
    # HAProxy by default doesn't log to file you'll need to set it up to forward
    # logs to a syslog server which would then write them to disk.
    # See "haproxy-http-auth" filter for a brief cautionary note when setting
    # maxretry and findtime.
    logpath  = /var/log/haproxy.log
    
    [slapd]
    port    = ldap,ldaps
    logpath = /var/log/slapd.log
    
    [domino-smtp]
    port    = smtp,ssmtp
    logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
    
    [phpmyadmin-syslog]
    port    = http,https
    logpath = %(syslog_authpriv)s
    backend = %(syslog_backend)s
    
    
    [zoneminder]
    # Zoneminder HTTP/HTTPS web interface auth
    # Logs auth failures to apache2 error log
    port    = http,https
    logpath = %(apache_error_log)s
    
    [traefik-auth]
    # to use 'traefik-auth' filter you have to configure your Traefik instance,
    # see `filter.d/traefik-auth.conf` for details and service example.
    port    = http,https
    logpath = /var/log/traefik/access.log
    
    [scanlogd]
    logpath = %(syslog_local0)s
    banaction = %(banaction_allports)s
    
    [monitorix]
    port    = 8080
    logpath = /var/log/monitorix-httpd
    
    [ufw]
    enabled=true
    filter=ufw.aggressive
    action=iptables-allports
    logpath=/var/log/ufw.log
    maxretry=1
    bantime=-1
    Code:
    yoda@mail:~$ sudo cat /etc/fail2ban/jail.d/sshd.conf
    Code:
    #[sshd]
    #enabled = true
    #port = ssh
    #filter = sshd
    #logpath = /var/log/auth.log
    #maxretry = 4
    #bantime = 1200m
    #ignoreip = whitelist-IP
    #mode = aggressive
    
    [recidive]
    
    #enabled = true
    #port = ssh
    #logpath  = /var/log/fail2ban.log
    #banaction = %(banaction_allports)s
    #bantime  = 1y
    #findtime = 1d
    #maxretry = 3
    Code:
    yoda@mail:~$ sudo cat /etc/fail2ban/filter.d/ufw.aggressive.conf
    Code:
     [Definition]
    failregex = [UFW BLOCK].+SRC=<HOST> DST
    ignoreregex =
    What keeps blocking my smtp port 25? Bonus question. What keeps blocking my port 22?
    Last edited by brads-u; February 27th, 2024 at 02:42 AM.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •