From 95c812346d6f2abf0cdd9155efa2b3ac65a3b169 Mon Sep 17 00:00:00 2001
From: Andreas Perhab
Date: Sun, 16 Apr 2023 22:17:58 +0200
Subject: [PATCH] config-examples: update fail2ban config examples with current DMS default values (#3258)
Co-authored-by: Casper
---
 config-examples/fail2ban-fail2ban.cf | 49 ++++++++++++++++++++--------
 config-examples/fail2ban-jail.cf | 12 +++++--
 2 files changed, 45 insertions(+), 16 deletions(-)
diff --git a/config-examples/fail2ban-fail2ban.cf b/config-examples/fail2ban-fail2ban.cf
index 8ed2833c..00e9a25f 100644
--- a/config-examples/fail2ban-fail2ban.cf
+++ b/config-examples/fail2ban-fail2ban.cf
@@ -5,11 +5,11 @@
 # Changes: in most of the cases you should not modify this
 # file, but provide customizations in fail2ban.local file, e.g.:
 #
-# [Definition]
+# [DEFAULT]
 # loglevel = DEBUG
 #
-[Definition]
+[DEFAULT]
 # Option: loglevel
 # Notes.: Set the log level output.
@@ -19,26 +19,26 @@
 # NOTICE
 # INFO
 # DEBUG
-# Values: [ LEVEL ] Default: ERROR
+# Values: [ LEVEL ] Default: INFO
 #
-#loglevel = INFO
+loglevel = INFO
 # Option: logtarget
-# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
+# Notes.: Set the log target. This could be a file, SYSTEMD-JOURNAL, SYSLOG, STDERR or STDOUT.
 # Only one log target can be specified.
 # If you change logtarget from the default value and you are
 # using logrotate -- also adjust or disable rotation in the
 # corresponding configuration file
 # (e.g. /etc/logrotate.d/fail2ban on Debian systems)
-# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ] Default: STDERR
+# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | SYSTEMD-JOURNAL | FILE ] Default: STDERR
 #
-#logtarget = /var/log/fail2ban.log
+logtarget = /var/log/fail2ban.log
 # Option: syslogsocket
 # Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
 # auto uses platform.system() to determine predefined paths
 # Values: [ auto | FILE ] Default: auto
-#syslogsocket = auto
+syslogsocket = auto
 # Option: socket
 # Notes.: Set the socket file. This is used to communicate with the daemon. Do
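Review bot: The `Default:` annotations no longer say whose default they describe: `logtarget = /var/log/fail2ban.log` is now an active setting directly beneath a comment that still reads `Default: STDERR`. Since the commit subject says the example mirrors the DMS defaults, a line above the key such as `# Value shipped by DMS; fail2ban's own default is STDERR` would stop a reader from assuming the two agree. The existing logrotate note then matters more, because whatever rotates or collects the ban log has to follow any change to this path. The `[DEFAULT]` header these keys belong to is in the previous hunk, and the `socket` option's notes continue past the end of this one.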
@@ -46,24 +46,47 @@
 # communicate with the server afterwards.
 # Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.sock
 #
-#socket = /var/run/fail2ban/fail2ban.sock
+socket = /var/run/fail2ban/fail2ban.sock
 # Option: pidfile
 # Notes.: Set the PID file. This is used to store the process ID of the
 # fail2ban server.
 # Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid
 #
-#pidfile = /var/run/fail2ban/fail2ban.pid
+pidfile = /var/run/fail2ban/fail2ban.pid
+
+# Option: allowipv6
+# Notes.: Allows IPv6 interface:
+# Default: auto
+# Values: [ auto yes (on, true, 1) no (off, false, 0) ] Default: auto
+#allowipv6 = auto
 # Options: dbfile
 # Notes.: Set the file for the fail2ban persistent data to be stored.
-# A value of ":memory:" means database is only stored in memory
+# A value of ":memory:" means database is only stored in memory
 # and data is lost when fail2ban is stopped.
 # A value of "None" disables the database.
 # Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
-#dbfile = /var/lib/fail2ban/fail2ban.sqlite3
+dbfile = /var/lib/fail2ban/fail2ban.sqlite3
 # Options: dbpurgeage
 # Notes.: Sets age at which bans should be purged from the database
 # Values: [ SECONDS ] Default: 86400 (24hours)
-#dbpurgeage = 1d
+dbpurgeage = 1d
+
+# Options: dbmaxmatches
+# Notes.: Number of matches stored in database per ticket (resolvable via
+# tags / in actions)
+# Values: [ INT ] Default: 10
+dbmaxmatches = 10
+
+[Definition]
+
+
+[Thread]
+
+# Options: stacksize
+# Notes.: Specifies the stack size (in KiB) to be used for subsequently created threads,
+# and must be 0 or a positive integer value of at least 32.
+# Values: [ SIZE ] Default: 0 (use platform or configured default)
+#stacksize = 0
diff --git a/config-examples/fail2ban-jail.cf b/config-examples/fail2ban-jail.cf
index 9611e7e0..73b5bd47 100644
--- a/config-examples/fail2ban-jail.cf
+++ b/config-examples/fail2ban-jail.cf
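Review bot: `dbpurgeage = 1d` becomes an active setting here while the same commit raises `bantime` and `findtime` to `1w` in `fail2ban-jail.cf`, so ban records are purged from the database well before the bans they describe expire. If fail2ban reloads bans from `dbfile` at startup, as the persistence notes above suggest, a restart more than a day into a ban would presumably lift it early; that should be confirmed against the fail2ban version DMS ships. Either size the value to the ban window or document the coupling with a comment above the key, for example `# keep this >= the longest bantime in jail.cf, or bans may not survive a restart`. The `Default: 86400 (24hours)` line also still describes the value in seconds while the active value uses the `1d` suffix form.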
@@ -1,14 +1,14 @@
 [DEFAULT]
 # "bantime" is the number of seconds that a host is banned.
-bantime = 3h
+bantime = 1w
 # A host is banned if it has generated "maxretry" during the last "findtime"
 # seconds.
-findtime = 10m
+findtime = 1w
 # "maxretry" is the number of failures before a host get banned.
-maxretry = 3
+maxretry = 2
 # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
 # will not ban a host which matches an address in this list. Several addresses
@@ -25,9 +25,15 @@ enabled = true
 [postfix]
 enabled = true
+# See https://github.com/fail2ban/fail2ban/blob/27294c4b9ee5d5568a1d5f83af744ea39d5a1acb/config/filter.d/postfix.conf#L58
+# `mode=aggressive` basically combines more filters to match more lines, and hence, apply rules
+# more aggressively. The same goes for the `postfix-sasl` jail.
+mode = aggressive
+
 [postfix-sasl]
 enabled = true
+mode = aggressive
 # This jail is used for manual bans.
 # To ban an IP address use: setup.sh fail2ban ban
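Review bot: With `maxretry = 2`, `findtime = 1w` and `bantime = 1w`, two failures anywhere in a week now earn a week-long ban, and nothing in the example warns that this also catches legitimate users, such as a mail client retrying a stale password. The `ignoreip` guidance sits just below but is not tied to the stricter values. A comment above `maxretry` would help, for instance `# strict: two failures within findtime ban for a full bantime; list trusted networks in ignoreip`. The surrounding comments still describe `bantime` and `findtime` as "seconds" while the values use suffix forms like `1w`, so a note that time suffixes are accepted would remove the mismatch. The `[DEFAULT]` section continues past this hunk, so the `ignoreip` value itself is not visible here.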
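Review bot: `[postfix-sasl]` receives a bare `mode = aggressive`, while the only explanation lives in the `[postfix]` block above it, so anyone who edits or removes that block loses the rationale for both jails. Whether `mode` has any effect in `[postfix-sasl]` depends on that jail's `filter` definition consuming the `mode` variable, which this patch does not show. It is worth confirming, then recording with a line such as `# mode is read by the postfix filter; see the note under [postfix]`. Because aggressive mode matches more log lines and the `[DEFAULT]` thresholds in this commit are strict, the comment should also say that false-positive bans become more likely and last for the full `bantime`.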