From a982613a11a5318351afe763d42eaa1c66636ff2 Mon Sep 17 00:00:00 2001
From: Bram Prieshof
Date: Wed, 1 Jul 2020 12:10:28 +0200
Subject: [PATCH] Added fail2ban Config files
---
 config/fail2ban/filter-vsftpd.local | 19 +++++++++++
 config/fail2ban/jail-vsftp.local | 6 ++++
 config/fail2ban/jail.local | 52 +++++++++++++++++++++++++++++
 3 files changed, 77 insertions(+)
 create mode 100644 config/fail2ban/filter-vsftpd.local
 create mode 100644 config/fail2ban/jail-vsftp.local
 create mode 100644 config/fail2ban/jail.local
diff --git a/config/fail2ban/filter-vsftpd.local b/config/fail2ban/filter-vsftpd.local
new file mode 100644
index 0000000..958921d
--- /dev/null
+++ b/config/fail2ban/filter-vsftpd.local
@@ -0,0 +1,19 @@
+# Fail2Ban filter for vsftp
+#
+# Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch
+# /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the
+# incoming ip address rather than domain names.
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
+_daemon = vsftpd
+
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+Permission denied; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=(?:\s+user=.*)?\s*$
+ ^ \[pid \d+\] \[.+\]\s+FTP response: Client "::ffff:",\s*"530 Permission denied\."\s*$
+ignoreregex =
+
diff --git a/config/fail2ban/jail-vsftp.local b/config/fail2ban/jail-vsftp.local
new file mode 100644
index 0000000..a5942e4
--- /dev/null
+++ b/config/fail2ban/jail-vsftp.local
@@ -0,0 +1,6 @@
+[vsftpd]
+enabled = true
+port = ftp,ftp-data,ftps,ftps-data
+logpath = %(vsftpd_log)s
+maxretry = 5
+bantime = 60m
diff --git a/config/fail2ban/jail.local b/config/fail2ban/jail.local
new file mode 100644
index 0000000..0909fb2
--- /dev/null
+++ b/config/fail2ban/jail.local
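Review bot: This `.local` restates the entire stock vsftpd filter (`[INCLUDES]`, `__pam_re`, `_daemon`, both `failregex` lines, `ignoreregex`) rather than only the keys it changes; fail2ban layers a `.local` over the packaged `filter.d/vsftpd.conf`, so a full copy pins the regexes to this snapshot and upstream fixes to them stop applying until someone re-copies the file. If nothing here differs from the packaged filter the file can be dropped; otherwise trim it to the overridden keys and say why, e.g. `# overrides filter.d/vsftpd.conf: <REASON>`. Separately, both `failregex` lines as rendered here contain no `<HOST>` capture (`rhost=(?:\s+user=.*)?` and `Client "::ffff:",`), and fail2ban rejects a failregex with no host group; this is most likely the angle-bracket tag being stripped in the rendering of this patch, but it is worth confirming against the committed file.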
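Review bot: The file name `jail-vsftp.local` is not one fail2ban reads — it loads `jail.conf`, `jail.local` and `jail.d/*.conf` / `jail.d/*.local` — so unless a deploy step outside this diff installs it as `jail.d/vsftpd.local`, the `[vsftpd]` jail never takes effect despite `enabled = true`. The same applies to `filter-vsftpd.local` in the first hunk, which has to land as `filter.d/vsftpd.local` for the jail's default filter-by-jail-name lookup to find it. A header comment stating the intended install path, e.g. `# install as /etc/fail2ban/jail.d/vsftpd.local`, would make that deployment contract explicit and let a reviewer check it.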
@@ -0,0 +1,52 @@
+ # External command that will take an tagged arguments to ignore, e.g. ,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command
+ignorecommand =
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = 10m
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = 10m
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5
+
+backend = auto
+
+
+
+#
+# ACTIONS
+#
+
+# Some options used for actions
+
+# Destination email address used solely for the interpolations in
+# jail.{conf,local,d/*} configuration files.
+destemail = root@localhost
+
+# Sender email address used solely for some actions
+sender = root@
+
+# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
+# mailing. Change mta configuration parameter to mail if you want to
+# revert to conventional 'mail'.
+mta = sendmail
+
+# Default protocol
+protocol = tcp
+
+# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
+chain =
+
+# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
+fail2ban_agent = Fail2Ban/%(fail2ban_version)s
+
+#
+# Action shortcuts. To be used to define action parameter
+
+banaction = ufw
+banaction_allports = ufw
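Review bot: The file opens with the `ignorecommand`, `bantime`, `findtime`, `maxretry` and action keys but no `[DEFAULT]` section header, and the hunk covers the whole 52-line file (`+1,52`), so the header is not merely outside the view; fail2ban's configparser-based reader refuses a file whose first key precedes any section header, which would make this local override fail to load rather than apply. Add `[DEFAULT]` as the first line, unless the header was lost when this patch was rendered — the `<ip>` placeholder in the `ignorecommand` comment and the hostname in `sender = root@` appear to have been stripped the same way, so `sender` should be checked in the committed file as well. No `ignoreip` is set, so management hosts are subject to the same ban after `maxretry = 5`; an entry such as `ignoreip = 127.0.0.1/8 ::1 <ADMIN-NETWORK>` next to `ignorecommand` avoids the operator locking themselves out. As I understand it, `banaction = ufw` only enforces anything when ufw is enabled on the host; a comment such as `# requires ufw to be active, otherwise bans are recorded but not enforced` would capture that dependency.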