mirror of
https://github.com/NginxProxyManager/nginx-proxy-manager.git
synced 2025-10-31 15:53:33 +00:00
164 lines
4.7 KiB
Plaintext
164 lines
4.7 KiB
Plaintext
## Version 2022/08/06
|
|
# Fail2Ban configuration file
|
|
#
|
|
# Authors: Sergey G. Brester (sebres), Cyril Jaquier, Daniel Black,
|
|
# Yaroslav O. Halchenko, Alexander Koeppe et al.
|
|
#
|
|
|
|
[Definition]
|
|
|
|
# Option: type
|
|
# Notes.: type of the action.
|
|
# Values: [ oneport | multiport | allports ] Default: oneport
|
|
#
|
|
type = oneport
|
|
|
|
# Option: actionflush
|
|
# Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
|
|
# Values: CMD
|
|
#
|
|
actionflush = <iptables> -F f2b-<name>
|
|
|
|
# Option: actionstart
|
|
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
|
|
# Values: CMD
|
|
#
|
|
actionstart = { <iptables> -C f2b-<name> -j <returntype> >/dev/null 2>&1; } || { <iptables> -N f2b-<name> || true; <iptables> -A f2b-<name> -j <returntype>; }
|
|
<_ipt_add_rules>
|
|
|
|
# Option: actionstop
|
|
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
|
|
# Values: CMD
|
|
#
|
|
actionstop = <_ipt_del_rules>
|
|
<actionflush>
|
|
<iptables> -X f2b-<name>
|
|
|
|
# Option: actioncheck
|
|
# Notes.: command executed once before each actionban command
|
|
# Values: CMD
|
|
#
|
|
actioncheck = <_ipt_check_rules>
|
|
|
|
# Option: actionban
|
|
# Notes.: command executed when banning an IP. Take care that the
|
|
# command is executed with Fail2Ban user rights.
|
|
# Tags: See jail.conf(5) man page
|
|
# Values: CMD
|
|
#
|
|
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
|
|
|
|
# Option: actionunban
|
|
# Notes.: command executed when unbanning an IP. Take care that the
|
|
# command is executed with Fail2Ban user rights.
|
|
# Tags: See jail.conf(5) man page
|
|
# Values: CMD
|
|
#
|
|
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
|
|
|
|
# Option: pre-rule
|
|
# Notes.: prefix parameter(s) inserted to the begin of rule. No default (empty)
|
|
#
|
|
pre-rule =
|
|
|
|
rule-jump = -j <_ipt_rule_target>
|
|
|
|
# Several capabilities used internaly:
|
|
|
|
_ipt_for_proto-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
|
|
_ipt_for_proto-done = done
|
|
|
|
_ipt_add_rules = <_ipt_for_proto-iter>
|
|
{ %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I <chain> %(_ipt_chain_rule)s; }
|
|
<_ipt_for_proto-done>
|
|
|
|
_ipt_del_rules = <_ipt_for_proto-iter>
|
|
<iptables> -D <chain> %(_ipt_chain_rule)s
|
|
<_ipt_for_proto-done>
|
|
|
|
_ipt_check_rules = <_ipt_for_proto-iter>
|
|
%(_ipt_check_rule)s
|
|
<_ipt_for_proto-done>
|
|
|
|
_ipt_chain_rule = <pre-rule><ipt_<type>/_chain_rule>
|
|
_ipt_check_rule = <iptables> -C <chain> %(_ipt_chain_rule)s
|
|
_ipt_rule_target = f2b-<name>
|
|
|
|
[ipt_oneport]
|
|
|
|
_chain_rule = -p $proto --dport <port> <rule-jump>
|
|
|
|
[ipt_multiport]
|
|
|
|
_chain_rule = -p $proto -m multiport --dports <port> <rule-jump>
|
|
|
|
[ipt_allports]
|
|
|
|
_chain_rule = -p $proto <rule-jump>
|
|
|
|
|
|
[Init]
|
|
|
|
# Option: chain
|
|
# Notes specifies the iptables chain to which the Fail2Ban rules should be
|
|
# added
|
|
# Values: STRING Default: INPUT
|
|
chain = INPUT
|
|
|
|
# Default name of the chain
|
|
#
|
|
name = default
|
|
|
|
# Option: port
|
|
# Notes.: specifies port to monitor
|
|
# Values: [ NUM | STRING ] Default:
|
|
#
|
|
port = ssh
|
|
|
|
# Option: protocol
|
|
# Notes.: internally used by config reader for interpolations.
|
|
# Values: [ tcp | udp | icmp | all ] Default: tcp
|
|
#
|
|
protocol = tcp
|
|
|
|
# Option: blocktype
|
|
# Note: This is what the action does with rules. This can be any jump target
|
|
# as per the iptables man page (section 8). Common values are DROP
|
|
# REJECT, REJECT --reject-with icmp-port-unreachable
|
|
# Values: STRING
|
|
blocktype = REJECT --reject-with icmp-port-unreachable
|
|
|
|
# Option: returntype
|
|
# Note: This is the default rule on "actionstart". This should be RETURN
|
|
# in all (blocking) actions, except REJECT in allowing actions.
|
|
# Values: STRING
|
|
returntype = RETURN
|
|
|
|
# Option: lockingopt
|
|
# Notes.: Option was introduced to iptables to prevent multiple instances from
|
|
# running concurrently and causing irratic behavior. -w was introduced
|
|
# in iptables 1.4.20, so might be absent on older systems
|
|
# See https://github.com/fail2ban/fail2ban/issues/1122
|
|
# Values: STRING
|
|
lockingopt = -w
|
|
|
|
# Option: iptables
|
|
# Notes.: Actual command to be executed, including common to all calls options
|
|
# Values: STRING
|
|
iptables = iptables <lockingopt>
|
|
|
|
|
|
[Init?family=inet6]
|
|
|
|
# Option: blocktype (ipv6)
|
|
# Note: This is what the action does with rules. This can be any jump target
|
|
# as per the iptables man page (section 8). Common values are DROP
|
|
# REJECT, REJECT --reject-with icmp6-port-unreachable
|
|
# Values: STRING
|
|
blocktype = REJECT --reject-with icmp6-port-unreachable
|
|
|
|
# Option: iptables (ipv6)
|
|
# Notes.: Actual command to be executed, including common to all calls options
|
|
# Values: STRING
|
|
iptables = ip6tables <lockingopt>
|