March 28, 2014 03:04 · Mar 28, 2014
diff --git a/drupal-auth.conf b/drupal-auth.conf
@@ -0,0 +1,21 @@
+# Fail2Ban configuration file
+#
+# Author: Tipi Koivisto
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failure messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+
+failregex = \|\d*\|user\|<HOST>\|.*Login attempt failed for \s?
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
diff --git a/drupal-comment.conf b/drupal-comment.conf
@@ -0,0 +1,20 @@
+# Fail2Ban configuration file
+#
+# Author: Peter Lieverdink
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = Submitting address \[<HOST>\] to the firewall
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
diff --git a/drupal-dos.conf b/drupal-dos.conf
@@ -0,0 +1,24 @@
+# Fail2Ban configuration file
+#
+# Author: CK Ng
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failure messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+
+# targeting /user/login
+failregex = ^<HOST> -.*\"(GET|POST) /user/login.*
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+# if /user/login is not blocked from search engine bots, add here, e.g.
+# ignoreregex = ^<HOST> -.*\"(GET|POST).*Googlebot
+ignoreregex =
diff --git a/drupal-mollom-spam.conf b/drupal-mollom-spam.conf
@@ -0,0 +1,22 @@
+# Fail2Ban configuration file
+#
+# Author: Peter Lieverdink
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>\S+)
+# Values:  TEXT
+
+# Grab the dirty spammer by its IP address.
+#
+failregex = \|mollom\|<HOST>\|.*\|Spam:
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
diff --git a/jail.local b/jail.local
@@ -0,0 +1,43 @@
+[drupal-comment]
+
+enabled  = true
+port     = http,https
+protocol = tcp
+filter   = drupal-comment
+logpath  = /var/log/syslog
+maxretry = 0
+bantime  = 604800
+action = iptables-multiport[name=DrupalComment, port="http,https"]
+
+[drupal-mollom-spam]
+
+enabled  = true
+port     = http,https
+filter   = drupal-mollom-spam
+logpath  = /var/log/drupal/drupal.log
+ignoreip = 127.0.0.1
+bantime  = 86400
+maxretry = 1
+action = iptables-multiport[name=DrupalMollom, port="http,https"]
+
+[drupal-auth]
+
+enabled = true
+port    = http,https
+filter  = drupal-auth
+logpath = /var/log/syslog
+maxretry = 3
+bantime = 86400
+action = iptables-multiport[name=DrupalAuth, port="http,https"]
+
+[drupal-dos]
+
+enabled = true
+port    = http,https
+filter  = drupal-dos
+# webserver/site access log
+logpath = /var/log/apache2/access.log
+maxretry = 20
+findtime = 600
+bantime = 604800
+action = iptables-multiport[name=DrupalDoS, port="http,https"]