fail2banUFW/etc/fail2ban/jail.local

[DEFAULT]

#######
### This file overrides the default settings found in /etc/fail2ban/jail.conf
### Customizations should be written here so that updates do NOT overwrite them!
#######


### List of IP addresses to ignore (aka NEVER ban).  This is usually just the
### localhost but could also be static IPs of admin machines that remotely
### connect, etc.
## You can use an IP address, CIDR mask or DNS host here.  Multiple addresses
## can be separated by a space or comma.
## Suggest: 127.0.0.1/8 (IP4 localhost subnet) and ::1 (IP6 localhost)
ignoreip = 127.0.0.1/8 ::1

### Amount of time (in seconds) than an offending system should be banned.
## Suggest 1800 (30 min).  This is long enough to discourage probe 'scripts'.
bantime = 1800

### Timeframes:  A system is banned if it generates 'maxretry' number of
### connection attempts within 'findtime' seconds.  This can be either, or
### a combination of, invalid login attempts, port-probes, connections to a
### closed port, etc.
## Suggest: 5 attempts within 5 minutes (agressive).  Some people like 20
## within 10 min (moderate).
maxretry = 5
findtime = 300


#
# ACTIONS
#

### The destination email address for actions that involve email notifications.
destemail = account@domain.tld

### The sender email for actions that are sending emails.
### Note: 'sendername' doesn't seem to work, it's usually overriden by the MTA.
sender = thismachine@domain.tld

### The MTA to use for sending email.  If you follow my standard setup as
### outlined at https://mytechiethoughts.com, then you are probably using msmtp
### which means you can use the default here: sendmail.  MOST setups can also
### just use the default too.
mta = sendmail


#
# Action shortcuts
#

### The action to be taken by default to ACTUALLY ban an offending system.
### The specific jail configuration file can override the default ban action.
### This references an action outlined in the configuration files or, more
### likely, a configuration file in /etc/fail2ban/action.d/
## Suggest: /etc/fail2ban/action.d/ufw.conf ('ufw', the .conf is implied)
## assuming you are using UFW and it's enabled, of course.
banaction = ufw

### This is the full command processed by Fail2Ban when banning a system.
### For example, executing 'banaction' and then sending an email notification.
### Thus, 'banaction' is part of the overall 'action'.
### Defaults can be referenced in jail.conf
### If using predefined actions, put it between the brackes like:
###    %(action_here)s
### leaving the '%' at the beginning and the 's' at the end.
## The most useful ones to start out with are:
## action_ = just execute 'banaction'
## action_mw = 'banaction' and email a whois report to destemail
## action_mwl = 'banaction' and email a whois report & log lines to destemail
action = %(action_mwl)s
Custom defaults for jails 2018-09-29 17:06:57 -06:00			`[DEFAULT]`

Added header note to config file 2018-09-29 17:08:01 -06:00			`#######`
			`### This file overrides the default settings found in /etc/fail2ban/jail.conf`
			`### Customizations should be written here so that updates do NOT overwrite them!`
			`#######`


Custom defaults for jails 2018-09-29 17:06:57 -06:00			`### List of IP addresses to ignore (aka NEVER ban). This is usually just the`
			`### localhost but could also be static IPs of admin machines that remotely`
			`### connect, etc.`
			`## You can use an IP address, CIDR mask or DNS host here. Multiple addresses`
			`## can be separated by a space or comma.`
			`## Suggest: 127.0.0.1/8 (IP4 localhost subnet) and ::1 (IP6 localhost)`
			`ignoreip = 127.0.0.1/8 ::1`

			`### Amount of time (in seconds) than an offending system should be banned.`
			`## Suggest 1800 (30 min). This is long enough to discourage probe 'scripts'.`
			`bantime = 1800`

			`### Timeframes: A system is banned if it generates 'maxretry' number of`
			`### connection attempts within 'findtime' seconds. This can be either, or`
			`### a combination of, invalid login attempts, port-probes, connections to a`
			`### closed port, etc.`
			`## Suggest: 5 attempts within 5 minutes (agressive). Some people like 20`
			`## within 10 min (moderate).`
			`maxretry = 5`
			`findtime = 300`


			`#`
			`# ACTIONS`
			`#`

			`### The destination email address for actions that involve email notifications.`
			`destemail = account@domain.tld`

			`### The sender email for actions that are sending emails.`
			`### Note: 'sendername' doesn't seem to work, it's usually overriden by the MTA.`
			`sender = thismachine@domain.tld`

			`### The MTA to use for sending email. If you follow my standard setup as`
			`### outlined at https://mytechiethoughts.com, then you are probably using msmtp`
			`### which means you can use the default here: sendmail. MOST setups can also`
			`### just use the default too.`
			`mta = sendmail`


			`#`
			`# Action shortcuts`
			`#`

			`### The action to be taken by default to ACTUALLY ban an offending system.`
			`### The specific jail configuration file can override the default ban action.`
			`### This references an action outlined in the configuration files or, more`
			`### likely, a configuration file in /etc/fail2ban/action.d/`
			`## Suggest: /etc/fail2ban/action.d/ufw.conf ('ufw', the .conf is implied)`
			`## assuming you are using UFW and it's enabled, of course.`
			`banaction = ufw`

			`### This is the full command processed by Fail2Ban when banning a system.`
			`### For example, executing 'banaction' and then sending an email notification.`
			`### Thus, 'banaction' is part of the overall 'action'.`
			`### Defaults can be referenced in jail.conf`
			`### If using predefined actions, put it between the brackes like:`
			`### %(action_here)s`
			`### leaving the '%' at the beginning and the 's' at the end.`
			`## The most useful ones to start out with are:`
			`## action_ = just execute 'banaction'`
			`## action_mw = 'banaction' and email a whois report to destemail`
			`## action_mwl = 'banaction' and email a whois report & log lines to destemail`
			`action = %(action_mwl)s`