Update page '6. jail.local'
parent 9826867c7f, commit 86db4e9e66
# Customizations: jail.local

As with all F2B settings, you should always work in the `.local` files so that package updates do not overwrite your custom settings: `jail.conf` is replaced on upgrade, whereas `jail.local` is read after it and overrides any value it sets. This repo sets the following, and these are the minimum options I suggest you review on any new set-up.

This file customizes the defaults applied to every jail used by F2B: things like how long a host stays banned by default, which actions are used to ban it, whether you get email notifications, and so on.
## ignoreip

This setting tells F2B which IP addresses, CIDR ranges or hostnames should **never** be banned. In general, this should be localhost only. However, if you administer the box remotely from a particular machine with a fixed address, you might also want to exempt it so that a mistyped password cannot lock you out. You can specify more than one entry by separating them with a space or a comma. In this case, I've added the IPv4 and IPv6 definitions for localhost.

```ini
ignoreip = 127.0.0.1/8 ::1
```
### A note about the local subnet

It's often suggested that the local subnet should be included in the ignore list so that, if your system provides something like file sharing or media serving, your LAN machines are never banned. I do *NOT* do this, and you'll see later that I've set up the filter to remove the need for it in most home/SOHO cases. I suggest you think about whether exempting your LAN is a good idea. Certainly there are cases where it's necessary, but remember that your LAN can be a very common attack vector against server systems: workstations are often used by non-technical users and get compromised far more often than a server. If they are exempt from banning, malicious software on a workstation can hammer your server from inside the LAN indefinitely and end up doing more damage than external systems, which are subject to firewalls and IP banning. Food for thought...
## Timeframes

You should customize the relevant timeframes to your requirements, and this will likely take a little experimentation. F2B checks for a host making *maxretry* failed attempts to connect or log in within *findtime* seconds and, if that happens, bans the host for *bantime* seconds. Note that an attacker who spaces attempts more than *findtime* apart never accumulates *maxretry* failures, so *findtime* effectively sets the slowest brute-force rate the jail will catch.

I like the settings below, which say "ban any host for 30 minutes that makes 5 invalid connection attempts within a 5-minute period":

```ini
bantime = 1800
maxretry = 5
findtime = 300
```

Some people find this too aggressive and prefer settings such as 10 attempts in 20 minutes, for example, which would look like:

```ini
bantime = 1800
maxretry = 10
findtime = 1200
```

Again, it will be up to you to determine what is appropriate for your environment and users. Remember that individual jails can override these defaults.
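To make the interaction between `ignoreip` and the three timeframe settings concrete, here is an added illustration (not code from this wiki or from Fail2Ban itself). It parses an `ignoreip` value the way the option is written in `jail.local`, then replays a constructed list of failed-login events through both profiles above. `JailModel`, `replay`, the sample timestamps and the TEST-NET addresses are assumptions for the example, and the sliding-window count is a simplification of Fail2Ban's internal failure bookkeeping, which can differ from it in edge cases.

```python
"""Model of how ignoreip, maxretry, findtime and bantime interact.

Added illustration only: not Fail2Ban's code. The sliding-window count is a
simplification of Fail2Ban's own failure bookkeeping and may differ from it in
edge cases; the names below and the sample addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


def parse_ignoreip(value: str) -> list:
    """Split an `ignoreip` value (space and/or comma separated, as in
    jail.local) into ip_network objects. A bare address becomes a /32 or /128.
    Only literal addresses/CIDRs are handled here; Fail2Ban also accepts DNS
    hostnames, which this model rejects so that a typo is noticed."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in value.replace(",", " ").split()]


def is_ignored(ip: str, ignore_nets) -> bool:
    """True if `ip` falls inside any ignoreip network (version-aware: an IPv6
    address never matches an IPv4 range and vice versa)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ignore_nets)


@dataclass
class JailModel:
    """Counters for one jail profile (all times are in seconds)."""
    maxretry: int
    findtime: int
    bantime: int
    ignoreip: str = ""
    failures: dict = field(default_factory=dict)  # ip -> timestamps in window
    bans: dict = field(default_factory=dict)      # ip -> ban expiry timestamp

    def __post_init__(self):
        self.ignore_nets = parse_ignoreip(self.ignoreip)

    def is_banned(self, ip: str, now: int) -> bool:
        expiry = self.bans.get(ip)
        return expiry is not None and now < expiry

    def record_failure(self, ip: str, now: int) -> bool:
        """Feed one failed attempt from `ip` at time `now`.
        Returns True when this attempt trips the ban threshold."""
        if is_ignored(ip, self.ignore_nets):
            return False                      # never counted, never banned
        if self.is_banned(ip, now):
            return False                      # firewall already drops this host
        # keep only failures inside the findtime window, then add this one
        window = [t for t in self.failures.get(ip, []) if now - t <= self.findtime]
        window.append(now)
        self.failures[ip] = window
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            self.failures[ip] = []            # counter restarts after the ban
            return True
        return False


# Constructed sample of (timestamp, source_ip) failed-login events.
SAMPLE_FAILURES = [
    # fast brute force: 5 failures in 4 minutes
    (0, "203.0.113.7"), (60, "203.0.113.7"), (120, "203.0.113.7"),
    (180, "203.0.113.7"), (240, "203.0.113.7"),
    # slow brute force: one failure every 90 s, so never 5 within 300 s
    (0, "198.51.100.9"), (90, "198.51.100.9"), (180, "198.51.100.9"),
    (270, "198.51.100.9"), (360, "198.51.100.9"), (450, "198.51.100.9"),
    # localhost noise, e.g. a misconfigured local job: covered by ignoreip
    (10, "127.0.0.1"), (11, "127.0.0.1"), (12, "127.0.0.1"),
    (13, "127.0.0.1"), (14, "127.0.0.1"), (15, "127.0.0.1"),
]


def replay(jail: JailModel, failures) -> list:
    """Replay events in time order; return (ip, banned_at, ban_expires) tuples."""
    bans = []
    for now, ip in sorted(failures):
        if jail.record_failure(ip, now):
            bans.append((ip, now, jail.bans[ip]))
    return bans


if __name__ == "__main__":
    IGNORE = "127.0.0.1/8 ::1"
    strict = JailModel(maxretry=5, findtime=300, bantime=1800, ignoreip=IGNORE)
    lenient = JailModel(maxretry=10, findtime=1200, bantime=1800, ignoreip=IGNORE)
    print("strict :", replay(strict, SAMPLE_FAILURES))    # bans 203.0.113.7 at t=240
    print("lenient:", replay(lenient, SAMPLE_FAILURES))   # no bans
```

The strict profile bans the fast attacker on its fifth failure at t=240 and releases it at t=2040, while the host that spaces attempts 90 seconds apart never has five failures inside a 300-second window and is never banned; the lenient profile bans neither. The localhost failures are discarded before counting, which is exactly what adding a LAN range to `ignoreip` would do for every machine on that subnet.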