A (mostly) Comprehensive Jail List

Comments: use '#' for comment lines and ';' (following a space) for inline comments
 The DEFAULT allows a global definition of the options. They can be overridden
 in each jail afterwards.
 [DEFAULT]
 "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
 ban a host which matches an address in this list. Several addresses can be
 defined using space separator.
 ignoreip = 127.0.0.1/8
 External command that will take an tagged arguments to ignore, e.g. ,
 and return true if the IP is to be ignored. False otherwise.
 #
 ignorecommand = /path/to/command 
 ignorecommand =
 "bantime" is the number of seconds that a host is banned.
 bantime  = 600
 A host is banned if it has generated "maxretry" during the last "findtime"
 seconds.
 findtime  = 600
 "maxretry" is the number of failures before a host get banned.
 maxretry = 3
 "backend" specifies the backend used to get files modification.
 Available options are "pyinotify", "gamin", "polling" and "auto".
 This option can be overridden in each jail as well.
 #
 pyinotify: requires pyinotify (a file alteration monitor) to be installed.
 If pyinotify is not installed, Fail2ban will use auto.
 gamin:     requires Gamin (a file alteration monitor) to be installed.
 If Gamin is not installed, Fail2ban will use auto.
 polling:   uses a polling algorithm which does not require external libraries.
 auto:      will try to use the following backends, in order:
 pyinotify, gamin, polling.
 backend = auto
 "usedns" specifies if jails should trust hostnames in logs,
 warn when DNS lookups are performed, or ignore all hostnames in logs
 #
 yes:   if a hostname is encountered, a DNS lookup will be performed.
 warn:  if a hostname is encountered, a DNS lookup will be performed,
 but it will be logged as a warning.
 no:    if a hostname is encountered, will not be used for banning,
 but it will be logged as info.
 usedns = warn
 This jail corresponds to the standard configuration in Fail2ban.
 The mail-whois action send a notification e-mail with a whois request
 in the body.
 [pam-generic]
 enabled = false
 filter  = pam-generic
 action  = iptables-allports[name=pam,protocol=all]
 logpath = /var/log/secure
 [xinetd-fail]
 enabled = false
 filter  = xinetd-fail
 action  = iptables-allports[name=xinetd,protocol=all]
 logpath = /var/log/daemon*log
 [ssh-iptables]
 enabled  = true
 filter   = sshd
 action   = iptables[name=SSH, port=ssh, protocol=tcp]
            sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
 logpath  = /var/log/secure
 maxretry = 5
 [ssh-ddos]
 enabled  = false
 filter   = sshd-ddos
 action   = iptables[name=SSHDDOS, port=ssh, protocol=tcp]
 logpath  = /var/log/sshd.log
 maxretry = 2
 [dropbear]
 enabled  = false
 filter   = dropbear
 action   = iptables[name=dropbear, port=ssh, protocol=tcp]
 logpath  = /var/log/messages
 maxretry = 5
 [proftpd-iptables]
 enabled  = false
 filter   = proftpd
 action   = iptables[name=ProFTPD, port=ftp, protocol=tcp]
            sendmail-whois[name=ProFTPD, dest=you@example.com]
 logpath  = /var/log/proftpd/proftpd.log
 maxretry = 6
 [gssftpd-iptables]
 enabled  = false
 filter   = gssftpd
 action   = iptables[name=GSSFTPd, port=ftp, protocol=tcp]
            sendmail-whois[name=GSSFTPd, dest=you@example.com]
 logpath  = /var/log/daemon.log
 maxretry = 6
 [pure-ftpd]
 enabled  = false
 filter   = pure-ftpd
 action   = iptables[name=pureftpd, port=ftp, protocol=tcp]
 logpath  = /var/log/pureftpd.log
 maxretry = 6
 [wuftpd]
 enabled  = false
 filter   = wuftpd
 action   = iptables[name=wuftpd, port=ftp, protocol=tcp]
 logpath  = /var/log/daemon.log
 maxretry = 6
 [sendmail-auth]
 enabled  = false
 filter   = sendmail-auth
 action   = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
 logpath  = /var/log/mail.log
 [sendmail-reject]
 enabled  = false
 filter   = sendmail-reject
 action   = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp]
 logpath  = /var/log/mail.log
 This jail forces the backend to "polling".
 [sasl-iptables]
 enabled  = false
 filter   = postfix-sasl
 backend  = polling
 action   = iptables[name=sasl, port=smtp, protocol=tcp]
            sendmail-whois[name=sasl, dest=you@example.com]
 logpath  = /var/log/mail.log
 ASSP SMTP Proxy Jail
 [assp]
 enabled = false
 filter  = assp
 action  = iptables-multiport[name=assp,port="25,465,587"]
 logpath = /root/path/to/assp/logs/maillog.txt
 Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is
 used to avoid banning the user "myuser".
 [ssh-tcpwrapper]
 enabled     = false
 filter      = sshd
 action      = hostsdeny[daemon_list=sshd]
               sendmail-whois[name=SSH, dest=you@example.com]
 ignoreregex = for myuser from
 logpath     = /var/log/sshd.log
 Here we use blackhole routes for not requiring any additional kernel support
 to store large volumes of banned IPs
 [ssh-route]
 enabled  = false
 filter   = sshd
 action   = route
 logpath  = /var/log/sshd.log
 maxretry = 5
 Here we use a combination of Netfilter/Iptables and IPsets
 for storing large volumes of banned IPs
 #
 IPset comes in two versions. See ipset -V for which one to use
 requires the ipset package and kernel support.
 [ssh-iptables-ipset4]
 enabled  = false
 filter   = sshd
 action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
 logpath  = /var/log/sshd.log
 maxretry = 5
 [ssh-iptables-ipset6]
 enabled  = false
 filter   = sshd
 action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
 logpath  = /var/log/sshd.log
 maxretry = 5
 bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
 table number must be unique.
  
 This will create a deny rule for that table ONLY if a rule
 for the table doesn't ready exist.
 #
 [ssh-bsd-ipfw]
 enabled  = false
 filter   = sshd
 action   = bsd-ipfw[port=ssh,table=1]
 logpath  = /var/log/auth.log
 maxretry = 5
 This jail demonstrates the use of wildcards in "logpath".
 Moreover, it is possible to give other files on a new line.
 [apache-tcpwrapper]
 enabled  = false
 filter     = apache-auth
 action   = hostsdeny
 logpath  = /var/log/apache/error.log
            /home/www/myhomepage/error.log
 maxretry = 6
 [apache-modsecurity]
 enabled  = false
 filter     = apache-modsecurity
 action   = iptables-multiport[name=apache-modsecurity,port="80,443"]
 logpath  = /var/log/apache/error.log
            /home/www/myhomepage/error.log
 maxretry = 2
 [apache-overflows]
 enabled  = false
 filter     = apache-overflows
 action   = iptables-multiport[name=apache-overflows,port="80,443"]
 logpath  = /var/log/apache/error.log
            /home/www/myhomepage/error.log
 maxretry = 2
 [apache-nohome]
 enabled  = false
 filter     = apache-nohome
 action   = iptables-multiport[name=apache-nohome,port="80,443"]
 logpath  = /var/log/apache/error.log
            /home/www/myhomepage/error.log
 maxretry = 2
 [nginx-http-auth]
 enabled = false
 filter  = nginx-http-auth
 action  = iptables-multiport[name=nginx-http-auth,port="80,443"]
 logpath = /var/log/nginx/error.log
 [squid]
 enabled = false
 filter  = squid
 action  = iptables-multiport[name=squid,port="80,443,8080"]
 logpath = /var/log/squid/access.log
 The hosts.deny path can be defined with the "file" argument if it is
 not in /etc.
 [postfix-tcpwrapper]
 enabled  = false
 filter   = postfix
 action   = hostsdeny[file=/not/a/standard/path/hosts.deny]
            sendmail[name=Postfix, dest=you@example.com]
 logpath  = /var/log/postfix.log
 bantime  = 300
 [cyrus-imap]
 enabled = false
 filter  = cyrus-imap
 action  = iptables-multiport[name=cyrus-imap,port="143,993"]
 logpath = /var/log/mail*log
 [courierlogin]
 enabled = false
 filter  = courierlogin
 action  = iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"]
 logpath = /var/log/mail*log
 [couriersmtp]
 enabled = false
 filter  = couriersmtp
 action  = iptables-multiport[name=couriersmtp,port="25,465,587"]
 logpath = /var/log/mail*log
 [qmail-rbl]
 enabled = false
 filter  = qmail
 action  = iptables-multiport[name=qmail-rbl,port="25,465,587"]
 logpath = /service/qmail/log/main/current
 [sieve]
 enabled = false
 filter  = sieve
 action  = iptables-multiport[name=sieve,port="25,465,587"]
 logpath = /var/log/mail*log
 Do not ban anybody. Just report information about the remote host.
 A notification is sent at most every 600 seconds (bantime).
 [vsftpd-notification]
 enabled  = false
 filter   = vsftpd
 action   = sendmail-whois[name=VSFTPD, dest=you@example.com]
 logpath  = /var/log/vsftpd.log
 maxretry = 5
 bantime  = 1800
 Same as above but with banning the IP address.
 [vsftpd-iptables]
 enabled  = false
 filter   = vsftpd
 action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
            sendmail-whois[name=VSFTPD, dest=you@example.com]
 logpath  = /var/log/vsftpd.log
 maxretry = 5
 bantime  = 1800
 Ban hosts which agent identifies spammer robots crawling the web
 for email addresses. The mail outputs are buffered.
 [apache-badbots]
 enabled  = false
 filter   = apache-badbots
 action   = iptables-multiport[name=BadBots, port="http,https"]
            sendmail-buffered[name=BadBots, lines=5, dest=you@example.com]
 logpath  = /var/www/*/logs/access_log
 bantime  = 172800
 maxretry = 1
 Use shorewall instead of iptables.
 [apache-shorewall]
 enabled  = false
 filter   = apache-noscript
 action   = shorewall
            sendmail[name=Postfix, dest=you@example.com]
 logpath  = /var/log/apache2/error_log
 Monitor roundcube server
 [roundcube-iptables]
 enabled  = false
 filter   = roundcube-auth
 action   = iptables-multiport[name=RoundCube, port="http,https"]
 logpath  = /var/log/roundcube/userlogins
 Monitor SOGo groupware server
 [sogo-iptables]
 enabled  = false
 filter   = sogo-auth
 without proxy this would be:
 port    = 20000
 action   = iptables-multiport[name=SOGo, port="http,https"]
 logpath  = /var/log/sogo/sogo.log
 [groupoffice]
 enabled  = false
 filter   = groupoffice
 action   = iptables-multiport[name=groupoffice, port="http,https"]
 logpath  = /home/groupoffice/log/info.log 
 [openwebmail]
 enabled  = false
 filter   = openwebmail
 logpath  = /var/log/openwebmail.log
 action   = ipfw
            sendmail-whois[name=openwebmail, dest=you@example.com]
 maxretry = 5
 [horde]
 enabled  = false
 filter   = horde
 logpath  = /var/log/horde/horde.log
 action   = iptables-multiport[name=horde, port="http,https"]
 maxretry = 5
 Ban attackers that try to use PHP's URL-fopen() functionality
 through GET/POST variables. - Experimental, with more than a year
 of usage in production environments.
 [php-url-fopen]
 enabled  = false
 action   = iptables-multiport[name=php-url-open, port="http,https"]
 filter   = php-url-fopen
 logpath  = /var/www/*/logs/access_log
 maxretry = 1
 [suhosin]
 enabled  = false
 filter   = suhosin
 action   = iptables-multiport[name=suhosin, port="http,https"]
 adapt the following two items as needed
 logpath  = /var/log/lighttpd/error.log
 maxretry = 2
 [lighttpd-auth]
 enabled  = false
 filter   = lighttpd-auth
 action   = iptables-multiport[name=lighttpd-auth, port="http,https"]
 adapt the following two items as needed
 logpath  = /var/log/lighttpd/error.log
 maxretry = 2
 This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
 option is overridden in this jail. Moreover, the action "mail-whois" defines
 the variable "name" which contains a comma using "". The characters '' are
 valid too.
 [ssh-ipfw]
 enabled  = false
 filter   = sshd
 action   = ipfw[localhost=192.168.0.1]
            sendmail-whois[name="SSH,IPFW", dest=you@example.com]
 logpath  = /var/log/auth.log
 ignoreip = 168.192.0.1
 !!! WARNING !!!
 Since UDP is connection-less protocol, spoofing of IP and imitation
 of illegal actions is way too simple.  Thus enabling of this filter
 might provide an easy way for implementing a DoS against a chosen
 victim. See
 http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
 Please DO NOT USE this jail unless you know what you are doing.
 #
 IMPORTANT: see filter.d/named-refused for instructions to enable logging
 This jail blocks UDP traffic for DNS requests.
 [named-refused-udp]
 #
 enabled  = false
 filter   = named-refused
 action   = iptables-multiport[name=Named, port="domain,953", protocol=udp]
 sendmail-whois[name=Named, dest=you@example.com]
 logpath  = /var/log/named/security.log
 ignoreip = 168.192.0.1
 IMPORTANT: see filter.d/named-refused for instructions to enable logging
 This jail blocks TCP traffic for DNS requests.
 [named-refused-tcp]
 enabled  = false
 filter   = named-refused
 action   = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
            sendmail-whois[name=Named, dest=you@example.com]
 logpath  = /var/log/named/security.log
 ignoreip = 168.192.0.1
 [nsd]
 enabled = false
 filter  = nsd
 action  = iptables-multiport[name=nsd-tcp, port="domain", protocol=tcp]
           iptables-multiport[name=nsd-udp, port="domain", protocol=udp]
 logpath = /var/log/nsd.log
 [asterisk]
 enabled  = false
 filter   = asterisk
 action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
            iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
            sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
 logpath  = /var/log/asterisk/messages
 maxretry = 10
 [freeswitch]
 enabled  = false
 filter   = freeswitch
 logpath  = /var/log/freeswitch.log
 maxretry = 10
 action   = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp]
            iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp]
 [ejabberd-auth]
 enabled = false
 filter = ejabberd-auth
 logpath = /var/log/ejabberd/ejabberd.log
 action   = iptables[name=ejabberd, port=xmpp-client, protocol=tcp]
 Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )
 use [asterisk] for new jails
 [asterisk-tcp]
 enabled  = false
 filter   = asterisk
 action   = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
            sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
 logpath  = /var/log/asterisk/messages
 maxretry = 10
 Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed )
 use [asterisk] for new jails
 [asterisk-udp]
 enabled  = false
 filter     = asterisk
 action   = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp]
            sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
 logpath  = /var/log/asterisk/messages
 maxretry = 10
 [mysqld-iptables]
 enabled  = false
 filter   = mysqld-auth
 action   = iptables[name=mysql, port=3306, protocol=tcp]
            sendmail-whois[name=MySQL, dest=root, sender=fail2ban@example.com]
 logpath  = /var/log/mysqld.log
 maxretry = 5
 [mysqld-syslog]
 enabled  = false
 filter   = mysqld-auth
 action   = iptables[name=mysql, port=3306, protocol=tcp]
 logpath  = /var/log/daemon.log
 maxretry = 5
 Jail for more extended banning of persistent abusers
 !!! WARNING !!!
 Make sure that your loglevel specified in fail2ban.conf/.local
 is not at DEBUG level -- which might then cause fail2ban to fall into
 an infinite loop constantly feeding itself with non-informative lines
 [recidive]
 enabled  = false
 filter   = recidive
 logpath  = /var/log/fail2ban.log
 action   = iptables-allports[name=recidive,protocol=all]
            sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
 bantime  = 604800  ; 1 week
 findtime = 86400   ; 1 day
 maxretry = 5
 PF is a BSD based firewall
 [ssh-pf]
 enabled  = false
 filter   = sshd
 action   = pf
 logpath  = /var/log/sshd.log
 maxretry = 5
 [3proxy]
 enabled = false
 filter  = 3proxy
 action  = iptables[name=3proxy, port=3128, protocol=tcp]
 logpath = /var/log/3proxy.log
 [exim]
 enabled = false
 filter  = exim
 action  = iptables-multiport[name=exim,port="25,465,587"]
 logpath = /var/log/exim/mainlog
 [exim-spam]
 enabled = false
 filter  = exim-spam
 action  = iptables-multiport[name=exim-spam,port="25,465,587"]
 logpath = /var/log/exim/mainlog
 [perdition]
 enabled = false
 filter  = perdition
 action  = iptables-multiport[name=perdition,port="110,143,993,995"]
 logpath = /var/log/maillog
 [uwimap-auth]
 enabled = false
 filter  = uwimap-auth
 action  = iptables-multiport[name=uwimap-auth,port="110,143,993,995"]
 logpath = /var/log/maillog
 [osx-ssh-ipfw]
 enabled  = false
 filter   = sshd
 action   = osx-ipfw
 logpath  = /var/log/secure.log
 maxretry = 5
 [ssh-apf]
 enabled = false
 filter  = sshd
 action  = apf[name=SSH]
 logpath = /var/log/secure
 maxretry = 5
 [osx-ssh-afctl]
 enabled  = false
 filter   = sshd
 action   = osx-afctl[bantime=600]
 logpath  = /var/log/secure.log
 maxretry = 5
 [webmin-auth]
 enabled = false
 filter  = webmin-auth
 action  = iptables-multiport[name=webmin,port="10000"]
 logpath = /var/log/auth.log
 dovecot defaults to logging to the mail syslog facility
 but can be set by syslog_facility in the dovecot configuration.
 [dovecot]
 enabled = false
 filter  = dovecot
 action  = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
 logpath = /var/log/mail.log
 [dovecot-auth]
 enabled = false
 filter  = dovecot
 action  = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp]
 logpath = /var/log/secure
 [solid-pop3d]
 enabled = false
 filter  = solid-pop3d
 action  = iptables-multiport[name=solid-pop3, port="pop3,pop3s", protocol=tcp]
 logpath = /var/log/mail.log
 [selinux-ssh]
 enabled  = false
 filter   = selinux-ssh
 action   = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
 logpath  = /var/log/audit/audit.log
 maxretry = 5
 See the IMPORTANT note in action.d/blocklist_de.conf for when to
 use this action
 #
 Report block via blocklist.de fail2ban reporting service API
 See action.d/blocklist_de.conf for more information
 [ssh-blocklist]
 enabled  = false
 filter   = sshd
 action   = iptables[name=SSH, port=ssh, protocol=tcp]
            sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
            blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s]
 logpath  = /var/log/sshd.log
 maxretry = 20
 consider low maxretry and a long bantime
 nobody except your own Nagios server should ever probe nrpe
 [nagios]
 enabled  = false
 filter   = nagios
 action   = iptables[name=Nagios, port=5666, protocol=tcp]
            sendmail-whois[name=Nagios, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
 logpath  = /var/log/messages     ; nrpe.cfg may define a different log_facility
 maxretry = 1