# By default no offenses are tolerated: the first match on any TARGET below
# bans the address.  The MAX_OFFENSES blocks raise that limit for specific
# addresses; -1 is used here as "never ban" (see the next comment), i.e. a
# whitelist.
# Whitelist ourself.  Keep this to loopback plus the host's own addresses:
# every address here is exempt from every TARGET in this file, so do not
# add networks you do not control.
MAX_OFFENSES -1 {
# Put your server's IP addresses here
# IP= 1.2.3.4
IP= 127.0.0.1
# IPv6 example (a real address contains at most one "::")
# IP= dead:beef:20::32a
IP= ::1
}
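# Allegedly legit servers: well-known mail relays that occasionally trip the
# targets below.  They are still banned, but only after 50 offenses.
# NOTE(review): these are individual relay addresses copied from log lines;
# providers rotate them, so check them against the provider's published
# ranges (e.g. their SPF records) rather than trusting this list as-is.
MAX_OFFENSES 50 {
# Google Ireland
IP= 2a00:1450:4864:20::32a
IP= 2a00:1450:4864:20::336
# Google EU
# Attempted to break in
# IP= 35.205.240.168
# Google US
# A line "IP= 09.85.216.42" used to be here: a typo for 209.85.216.42, which
# is already listed below.  Depending on how the address is parsed, a
# leading zero may be read as octal (i.e. 9.85.216.42, an unrelated
# network), so the malformed entry has been dropped rather than granting
# some unknown host 50 tolerated offenses.
# Attempted to break in
# IP= 130.211.246.128
IP= 209.85.166.194
IP= 209.85.166.195
IP= 209.85.208.67
IP= 209.85.214.194
IP= 209.85.215.173
IP= 209.85.215.175
IP= 209.85.215.193
IP= 209.85.216.42
IP= 2607:f8b0:4864:20::1034
IP= 2607:f8b0:4864:20::a46
# Yahoo
IP= 106.10.244.139
# Outlook
IP= 40.92.4.30
IP= 40.107.73.61
IP= 40.107.74.48
IP= 40.107.74.72
IP= 40.107.76.74
IP= 40.107.79.52
IP= 40.107.79.59
IP= 40.107.80.40
IP= 40.107.80.53
IP= 40.107.80.78
IP= 40.107.82.75
IP= 52.101.129.30
IP= 52.101.132.108
IP= 52.101.136.79
IP= 52.101.140.230
}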
# "trusted" addresses: still banned eventually, but only after 200 offenses
# NOTE(review): the commented examples use CIDR notation; a /20 covers 4096
# addresses and extends the 200-offense tolerance to every host in it,
# including ones that may later be compromised.  Keep ranges as narrow as
# possible.
MAX_OFFENSES 200 {
# me from home
# IP= 1.2.3.4/20
# Customer
# IP= 5.6.7.8/24
}
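LOGTYPE auth {
# Where to find the log files
DIR= /var/log
PREFIX= auth.log
# How to read the timestamp
TIMESTAMP auth_ts {
# Isolates the timestamp from a line matched by a TARGET.  Syslog lines look
# like "Dec  3 10:52:22 host sshd[123]: ...".  The pattern used to be
# "^(.*) srv", i.e. it keyed on the author's hostname "srv": on any other
# host it never matched, and the greedy ".*" would have swallowed more than
# the stamp if " srv" occurred later in the line.  Match the
# "Mon dd hh:mm:ss" prefix itself instead, independent of hostname.
REGEX= ^([A-Za-z]+ +[0-9]+ [0-9:]+) [^ ]+
# Passed to strptime() to interpret the timestamp string
STRPTIME= %b %d %T
# These stamps do not include the year, so it is implied.
# NOTE(review): if syslog is configured for ISO-8601 stamps
# ("2019-12-03T10:52:22.123+01:00 host ..."), REGEX and STRPTIME must both
# change (e.g. STRPTIME= %FT%T) and GUESS_YEAR is no longer needed.
FLAGS= GUESS_YEAR
}
# Failed IMAP logins.
TARGET imap {
# Pattern to search for, isolates the IP address.  Anchored at end of line,
# so the bracketed address is the one the server appended, whatever the
# client put in the username.
REGEX= imapd.*Login failed.*\[([0-9.a-f:]+)\]$
# Assign this as the severity of the offense.
SEVERITY= 3
}
# sshd password failures and attempts against non-existent users.
# Both patterns use a greedy ".*", so the LAST "from <ip> port" on the line
# is captured -- the one sshd itself writes after the client-chosen username.
# NOTE(review): with password authentication disabled, brute-force attempts
# tend to appear as "Connection closed by invalid user X <ip> port N
# [preauth]" / "Connection closed by authenticating user ...", which neither
# pattern matches; add a REGEX for those if that is your setup.
TARGET ssh {
SEVERITY= 4
REGEX= sshd.*Failed password.*from ([0-9.a-f:]+) port [0-9]+ ssh2$
REGEX= sshd.*Invalid user.*from ([0-9.a-f:]+) port
}
# Clients whose key-exchange/cipher offer has nothing in common with ours
# (scanners, very old clients).  Low severity: a misconfigured legit client
# produces the same line.
TARGET negotiate_fail {
SEVERITY= 2
REGEX= Unable to negotiate with ([0-9.a-f:]+) port
}
# Dovecot authentication failures ("... authentication failure ... rhost=<ip>").
# Greedy ".*" again picks the last "rhost=" on the line.
TARGET dovecot {
SEVERITY= 3
REGEX= dovecot.*authentication failure.*rhost=([0-9.a-f:]+)
}
}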
LOGTYPE exim4 {
# Exim's main log.  Stamps are "YYYY-MM-DD hh:mm:ss", so no year guessing
# is needed.
# NOTE(review): if exim is configured to log a timezone offset, the stamp is
# followed by " +0100"; the REGEX below still captures only the date and
# time, which %F %T parses -- verify on your log.
DIR= /var/log/exim4
PREFIX= mainlog
TIMESTAMP exim4_ts {
REGEX= ^([-0-9]+ [0-9:]+)
STRPTIME= %F %T
}
# Failed SMTP AUTH attempts (credential guessing).
TARGET smtp_auth {
SEVERITY= 3
REGEX= [[:alnum:]_]+ authenticator failed for .*\[([0-9.a-f:]+)\]
REGEX= \[([0-9.a-f:]+)\] [[:alnum:]_]+ authentication mechanism not supported
} # smtp_auth
# Any message accepted from a client that authenticated (A=<name>_server).
# Severity 9 on a *successful* authenticated send looks deliberate:
# presumably only hosts listed in a MAX_OFFENSES block above are expected
# to submit mail, so an unknown host using a valid login (stolen
# credentials) is banned at once -- TODO confirm this is the intent before
# enabling on a server with roaming users.
TARGET smtp_send {
SEVERITY= 9
REGEX= \[([0-9.a-f:]+)\] P=.*A=[[:alnum:]_]+_server:
} # smtp_send
# Classic spam / relay-probe rejections.  No SEVERITY is given, so
# ban2fail's default applies (not visible in this file).
TARGET spam {
REGEX= H=.* \[([0-9.a-f:]+)\].*rejected RCPT.*Unrouteable address
REGEX= : ([0-9.a-f:]+) is listed at zen.spamhaus.org
REGEX= H=.* \[([0-9.a-f:]+)\].*rejected RCPT.*SPF check failed
REGEX= \[([0-9.a-f:]+)\]: SMTP error.*: 451 relay
REGEX= \[([0-9.a-f:]+)\] F=.*rejected RCPT.*Sender verify failed
} # spam
# Clients that violate the SMTP protocol itself.
# NOTE(review): on synchronization-error lines exim appends the offending
# client input (input="...") after the H=[ip] field.  Because ".*" is
# greedy, a client that sends text containing " H=[x.x.x.x]" could in
# principle steer the capture to an address of its choosing; confirm
# against real log lines and tighten the pattern (e.g. anchor on
# "rejected connection from H=") if so.
TARGET brain_damage {
REGEX= H=.* \[([0-9.a-f:]+)\].*rejected after DATA: maximum allowed line length
REGEX= SMTP protocol synchronization error.* rejected.* H=\[([0-9.a-f:]+)\]
} # brain_damage
}
LOGTYPE apache2 {
# Apache access log in the common/combined layout: client address first,
# then "- -", then "[dd/Mon/yyyy:hh:mm:ss +zzzz] ...".
DIR= /var/log/apache2
PREFIX= access.log
TIMESTAMP apache2_ts {
# Captures from "[" up to the first space, i.e. the stamp without the
# timezone offset, which is what %d/%b/%Y:%T expects.
REGEX= ^[0-9.a-f:]+ - - \[([^ ]+)
STRPTIME= %d/%b/%Y:%T
}
# Requests for well-known webshell / scanner paths.  No SEVERITY is given,
# so the default applies.  The alternation is matched anywhere after the
# address (request line, referer or user-agent alike) and is case-sensitive,
# so e.g. "phpMyAdmin" is not caught by "phpmyadmin".
# NOTE(review): if this server sits behind a reverse proxy or CDN, the first
# field is the proxy's address, not the client's -- banning it would cut
# off the proxy for everyone.  Log the real client address before enabling
# this on such a host.
TARGET worm {
REGEX= ^([0-9.a-f:]+) .*(thinkphp|elrekt\.php|download\.php|ysyqq\.php|Login\.php|phpmyadmin|cfgss\.php|wallet\.dat|y000000000000\.cfg)
}
}
LOGTYPE openvpn {
# OpenVPN's own log; stamps look like "Tue Dec 3 10:52:22 2019" and include
# the year, so no GUESS_YEAR here.
DIR= /var/log
PREFIX= openvpn.log
TIMESTAMP openvpn_ts {
# Everything before " client/" is the stamp.
REGEX= ^(.*) client/
STRPTIME= %a %b %d %T %Y
}
# Currently a no-op: the only REGEX is commented out, so this TARGET
# matches nothing.  Enabled as written, SEVERITY 9 would ban every client
# that completes a control-channel TLS handshake -- i.e. every client not
# covered by a MAX_OFFENSES block above.  Presumably the intent is "only
# listed addresses may connect"; enable it only once those are listed.
TARGET client {
SEVERITY= 9
#Tue Dec 3 10:52:22 2019 client/184.185.212.118:38752 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
# REGEX= client/([0-9.a-f:]+):[0-9]+ Control Channel:
}
}