[Git][qa/jenkins.debian.net][master] 2 commits: fail2ban.conf as shipped in bookworm

Holger Levsen (@holger) gitlab at salsa.debian.org
Sat Oct 21 23:57:15 BST 2023



Holger Levsen pushed to branch master at Debian QA / jenkins.debian.net


Commits:
aaa68e7b by Holger Levsen at 2023-10-22T00:53:45+02:00
fail2ban.conf as shipped in bookworm

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -
b02d22f0 by Holger Levsen at 2023-10-22T00:56:51+02:00
jenkins nodes: configure fail2ban to ban failed ssh attempts

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -


2 changed files:

- + hosts/common/etc/fail2ban/fail2ban.conf
- + hosts/common/etc/fail2ban/jail.d/local.conf


Changes:

=====================================
hosts/common/etc/fail2ban/fail2ban.conf
=====================================
@@ -0,0 +1,93 @@
+# Fail2Ban main configuration file
+#
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+#
+# Changes:  in most of the cases you should not modify this
+#           file, but provide customizations in fail2ban.local file, e.g.:
+#
+# [DEFAULT]
+# loglevel = DEBUG
+#
+
+[DEFAULT]
+
+# Option: loglevel
+# Notes.: Set the log level output.
+#         CRITICAL
+#         ERROR
+#         WARNING
+#         NOTICE
+#         INFO
+#         DEBUG
+# Values: [ LEVEL ]  Default: INFO
+#
+loglevel = INFO
+
+# Option: logtarget
+# Notes.: Set the log target. This could be a file, SYSTEMD-JOURNAL, SYSLOG, STDERR or STDOUT.
+#         Only one log target can be specified.
+#         If you change logtarget from the default value and you are
+#         using logrotate -- also adjust or disable rotation in the
+#         corresponding configuration file
+#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
+# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | SYSTEMD-JOURNAL | FILE ]  Default: STDERR
+#
+#logtarget = /var/log/fail2ban.log
+logtarget = SYSTEMD-JOURNAL
+
+# Option: syslogsocket
+# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
+#        auto uses platform.system() to determine predefined paths
+# Values: [ auto | FILE ]  Default: auto
+syslogsocket = auto
+
+# Option: socket
+# Notes.: Set the socket file. This is used to communicate with the daemon. Do
+#         not remove this file when Fail2ban runs. It will not be possible to
+#         communicate with the server afterwards.
+# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.sock
+#
+socket = /var/run/fail2ban/fail2ban.sock
+
+# Option: pidfile
+# Notes.: Set the PID file. This is used to store the process ID of the
+#         fail2ban server.
+# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
+#
+pidfile = /var/run/fail2ban/fail2ban.pid
+
+# Option: allowipv6
+# Notes.: Allows IPv6 interface:
+#         Default: auto
+# Values: [ auto yes (on, true, 1) no (off, false, 0) ] Default: auto
+#allowipv6 = auto
+
+# Options: dbfile
+# Notes.: Set the file for the fail2ban persistent data to be stored.
+#         A value of ":memory:" means database is only stored in memory 
+#         and data is lost when fail2ban is stopped.
+#         A value of "None" disables the database.
+# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
+dbfile = /var/lib/fail2ban/fail2ban.sqlite3
+
+# Options: dbpurgeage
+# Notes.: Sets age at which bans should be purged from the database
+# Values: [ SECONDS ] Default: 86400 (24hours)
+dbpurgeage = 1d
+
+# Options: dbmaxmatches
+# Notes.: Number of matches stored in database per ticket (resolvable via 
+#         tags <ipmatches>/<ipjailmatches> in actions)
+# Values: [ INT ] Default: 10
+dbmaxmatches = 10
+
+[Definition]
+
+
+[Thread]
+
+# Options: stacksize
+# Notes.: Specifies the stack size (in KiB) to be used for subsequently created threads,
+#         and must be 0 or a positive integer value of at least 32.
+# Values: [ SIZE ] Default: 0 (use platform or configured default)
+#stacksize = 0


=====================================
hosts/common/etc/fail2ban/jail.d/local.conf
=====================================
@@ -0,0 +1,9 @@
+[DEFAULT]
+backend = systemd
+maxretry = 3
+bantime = 1d
+
+[sshd]
+enabled = true
+port = ssh
+action   = iptables-multiport[name=sshd, port="ssh", protocol=tcp]
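Review bot: The `action` line in `[sshd]` repeats the jail's port and protocol inside `iptables-multiport[...]`, so a later change to `port = ssh` (for instance a node running sshd on another port) would leave the ban rule covering only the old port. Setting `banaction = iptables-multiport` and dropping the explicit `action` would let the stock `action = %(action_)s` take `port` and `protocol` from the jail itself. Separately, `[DEFAULT]` sets `maxretry = 3` and `bantime = 1d` for every jail but no `ignoreip`. If the Jenkins controller or admin hosts reach these nodes over ssh (not visible in this hunk), three failed logins from one of them would cut the node off for a day. An `ignoreip = <controller/admin addresses>` line, with a comment saying why each address is listed, looks worth adding.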



View it on GitLab: https://salsa.debian.org/qa/jenkins.debian.net/-/compare/5e911744524cd2f2d968fd2185749ad92ac9caa9...b02d22f00f81064eaeba24e35c434683012b1418
