inital fail2ban addition

config/fail2ban/Filters/nextcloud.filter

@@ -0,0 +1,4 @@
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

config/fail2ban/Filters/phpmyadmin-authlog.filter

@@ -0,0 +1,11 @@
+# Fail2Ban filter for the phpMyAdmin-Authlog
+#
+
+[INCLUDES]
+
+before = common.conf
+
+[Definition]
+
+failregex = ^%(__prefix_line)suser denied: (?:\S+|.*?) \(mysql-denied\) from <HOST>\s*$
+

config/fail2ban/Jails/nextcloud_unconfigured

@@ -0,0 +1,9 @@
+[nextcloud_SITEname]
+enabled = true
+port     = http,https
+protocol = tcp
+filter = nextcloud
+maxretry = 20
+bantime = 900
+findtime = 900
+logpath = /var/log/nextcloud/SITEname

config/fail2ban/Jails/nginx-Basic-auth_unconfigured

@@ -0,0 +1,5 @@
+[nginx-auth-SITEname]
+enabled  = true
+filter   = nginx-http-auth
+port     = http,https
+logpath  = /var/log/nginx/SITEname-error.log

config/fail2ban/Jails/phpmyadmin.jail

@@ -0,0 +1,5 @@
+[phpmyadmin]
+enabled  = true
+port    = http,https
+filter   = phpmyadmin-authlog
+logpath  = /var/log/PhpMyAdmin/PhpMyAdmin_auth.log

config/fail2ban/Jails/sshd-jail.jail

@@ -0,0 +1,2 @@
+[sshd]
+enabled = true

config/fail2ban/Jails/wordpress-syslog.jail

@@ -0,0 +1,11 @@
+[wordpress-hard]
+enabled = true
+filter = wordpress-hard
+logpath = /var/log/auth.log
+port = http,https
+
+[wordpress-soft]
+enabled = true
+filter = wordpress-soft
+logpath = /var/log/auth.log
+port = http,https

config/fail2ban/jail.local

@@ -0,0 +1,53 @@
+[DEFAULT]
+# External command that will take an tagged arguments to ignore, e.g. <ip>,
+# and return true if the IP is to be ignored. False otherwise.
+#
+# ignorecommand = /path/to/command <ip>
+ignorecommand =
+
+# "bantime" is the number of seconds that a host is banned.
+bantime  = 10m
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime  = 10m
+
+# "maxretry" is the number of failures before a host get banned.
+maxretry = 5
+
+backend = auto
+
+
+
+#
+# ACTIONS
+#
+
+# Some options used for actions
+
+# Destination email address used solely for the interpolations in
+# jail.{conf,local,d/*} configuration files.
+destemail = root@localhost
+
+# Sender email address used solely for some actions
+sender = root@<fq-hostname>
+
+# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
+# mailing. Change mta configuration parameter to mail if you want to
+# revert to conventional 'mail'.
+mta = sendmail
+
+# Default protocol
+protocol = tcp
+
+# Specify chain where jumps would need to be added in ban-actions expecting parameter chain
+chain = <known/chain>
+
+# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
+fail2ban_agent = Fail2Ban/%(fail2ban_version)s
+
+#
+# Action shortcuts. To be used to define action parameter
+
+banaction = ufw
+banaction_allports = ufw

config/fail2ban/nextcloud.conf

@@ -1,4 +0,0 @@
-[Definition]
-failregex=^{"reqId":".<em>","remoteAddr":".</em>","app":"core","message":"Login failed: '.<em>' &#40;Remote IP: '<HOST>'&#41;","level":2,"time":".</em>"}$
-        ^{"reqId":".<em>","level":2,"time":".</em>","remoteAddr":".<em>","app":"core".</em>","message":"Login failed: '.<em>' &#40;Remote IP: '<HOST>'&#41;".</em>}$
-        ^.<em>\"remoteAddr\":\"<HOST>\".</em>Trusted domain error.*$

config/fail2ban/nextcloud.local

@@ -1,11 +0,0 @@
-[nextcloud]
-ignoreip = 192.168.1.0/24
-backend = auto
-enabled = true
-port = 80,443
-protocol = tcp
-filter = nextcloud
-maxretry = 3
-bantime = 36000
-findtime = 36000
-logpath = /var/nextcloud/data/nextcloud.log

config/fail2ban/sshd.local

@@ -1,6 +0,0 @@
-[sshd]
-enabled = true
-port = 4242
-filter = sshd
-logpath = /var/log/auth.log
-maxretry = 5

config/fail2ban/wordpress.conf

@@ -1,2 +0,0 @@
-[Definition]
-failregex = <HOST>.*POST.*(wp-login\.php|xmlrpc\.php).* 200

config/fail2ban/wordpress.local

@@ -1,7 +0,0 @@
-[wordpress]
-enabled = true
-port = http,https
-filter = wordpress
-logpath = /var/log/nginx/access.log
-maxretry = 10
-bantime = 3600