diff --git a/roles/bootstrap/files/fail2ban/filter.d/custom_proftpd.conf b/roles/bootstrap/files/fail2ban/filter.d/custom_proftpd.conf
new file mode 100644
index 0000000..9a77adf
--- /dev/null
+++ b/roles/bootstrap/files/fail2ban/filter.d/custom_proftpd.conf
@@ -0,0 +1,16 @@
+# fail2ban filter for the ProFTPD FTP daemon
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+_daemon = proftpd
+
+failregex = \(\S+\[\]\)[: -]+ USER \S+: no such user found from \S+ \[[0-9.]+\] to \S+:\S+\s*$ \(\S+\[\]\)[: -]+ USER \S+ \(Login failed\):.*\s+$ \(\S+\[\]\)[: -]+ Maximum login attempts \([0-9]+\) exceeded, connection refused.*\s+$ \(\S+\[\]\)[: -]+ SECURITY VIOLATION: \S+ login attempted\.\s+$ \(\S+\[\]\)[: -]+ Maximum login attempts \(\d+\) exceeded\s+$
+
+ignoreregex = 
\ No newline at end of file
diff --git a/roles/bootstrap/files/fail2ban/jail.d/proftpd.local b/roles/bootstrap/files/fail2ban/jail.d/proftpd.local
new file mode 100644
index 0000000..cc4d45a
--- /dev/null
+++ b/roles/bootstrap/files/fail2ban/jail.d/proftpd.local
@@ -0,0 +1,7 @@
+[proftpd]
+
+enabled = true
+port = 990
+filter = custom_proftpd
+logpath = /var/log/proftpd.log
+maxretry = 6
\ No newline at end of file
diff --git a/roles/bootstrap/files/fail2ban/jail.d/sshd.local b/roles/bootstrap/files/fail2ban/jail.d/sshd.local
new file mode 100644
index 0000000..3ee0dee
--- /dev/null
+++ b/roles/bootstrap/files/fail2ban/jail.d/sshd.local
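Review bot: None of the five failregex patterns carries a `<HOST>` (or `<ADDR>`) tag — each has `\(\S+\[\]\)` where fail2ban's stock proftpd filter has `\(\S+\[<HOST>\]\)` — so fail2ban has no address to extract and nothing to ban; if the angle-bracketed tag was merely stripped when this page was rendered, disregard this, otherwise each `\[\]` needs to become `\[<HOST>\]`. The patterns are also unanchored: `common.conf` is included and `_daemon` is set, yet no pattern starts with `^%(__prefix_line)s`, so the prefix is never used and a pattern can match text anywhere in the line, including client-supplied fields such as the username; anchoring, e.g. `failregex = ^%(__prefix_line)s\S+ \(\S+\[<HOST>\]\)[: -]+ USER \S+: no such user found ...`, confines the match to the daemon's own message. The last four patterns end in `\s+$`, which needs at least one whitespace character before end-of-line; if the line reaches the regex with its newline already stripped, a line ending right after `exceeded` or `attempted.` will not match, so `\s*$` (as the first pattern already uses) is the safer form. The four continuation lines appear joined onto the `failregex` line in this view; in the file they must stay indented under `failregex` for the parser to read them as one value.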
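Review bot: `port = 990` means the ban action blocks only the implicit-FTPS port, so unless ProFTPD listens solely on 990 a banned address can still reach the plain control port; fail2ban's stock proftpd jail uses `port = ftp,ftp-data,ftps,ftps-data`, and this override should list whatever the daemon actually binds. The jail inherits `bantime` and `findtime` from jail.conf without saying so; a comment above `maxretry = 6` such as `# bantime and findtime: jail.conf defaults` would make the effective policy visible from this file alone. The file also ends without a trailing newline.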
@@ -0,0 +1,35 @@
+[sshd]
+
+# ==========================
+# SSH Jail Configuration
+# ==========================
+
+# Enable the SSH jail to monitor and protect against brute-force attacks.
+enabled = true
+
+# Port Fail2Ban should monitor for SSH connections.
+# If you run SSH on a custom port, replace 'ssh' with the actual port number (e.g., 2222).
+port = ssh
+
+# Filter definition to use.
+# 'sshd' refers to the default filter that matches common SSH authentication failures.
+filter = sshd
+
+# Log file location.
+# '%(sshd_log)s' uses the default value set by the system, typically /var/log/auth.log or journalctl.
+logpath = %(sshd_log)s
+
+# Backend for reading logs.
+# 'systemd' is recommended if your system uses journalctl for logging.
+backend = systemd
+
+# ==========================
+# SSH-Specific Overrides
+# ==========================
+
+# Time window to evaluate failed login attempts.
+# If 'maxretry' failures occur within this time, the IP will be banned.
+findtime = 5m
+
+# Number of failed attempts allowed before triggering a ban.
+maxretry = 4
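Review bot: The comment above `port = ssh` describes `port` as what Fail2Ban monitors, but fail2ban watches the log, and `port` names the port(s) the ban action blocks in the firewall; a more accurate comment is `# Port(s) the ban action blocks for this jail; must match the port sshd actually listens on (e.g. 2222).` With `backend = systemd` set a few lines later, I believe fail2ban reads the journal and does not consult `logpath`, so the `logpath` comment should say the value applies only to a file backend rather than suggesting it may point at journalctl. `bantime` is left to the jail.conf default, which is worth stating in the "SSH-Specific Overrides" block so the effective policy is visible from this file alone.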