From 095afdd613e1ba3670f73cda0a1abb3f037ad0fd Mon Sep 17 00:00:00 2001
From: hhf <hhf@noreply.localhost>
Date: Fri, 6 Dec 2024 16:05:56 +0530
Subject: [PATCH] Update install-mailcow-ubuntu.sh

---
 install-mailcow-ubuntu.sh | 49 ++++++++++++++++++++++++++++++++-------
 1 file changed, 40 insertions(+), 9 deletions(-)

diff --git a/install-mailcow-ubuntu.sh b/install-mailcow-ubuntu.sh
index db5c51a..f9d0965 100644
--- a/install-mailcow-ubuntu.sh
+++ b/install-mailcow-ubuntu.sh
@@ -74,32 +74,63 @@ cat > /etc/fail2ban/jail.local << EOL
 bantime = 1h
 findtime = 10m
 maxretry = 3
+banaction = ufw
+backend = systemd
+
+ignoreip = 127.0.0.1/8 ::1
+findtime = 10m
+bantime = 1h
+maxretry = 3
 
 [sshd]
 enabled = true
 port = ssh
 filter = sshd
-logpath = /var/log/auth.log
+logpath = %(sshd_log)s
 maxretry = 3
-EOL
+bantime = 1d
 
-# Create SSH honeypot configuration
-cat > /etc/fail2ban/jail.d/ssh-honeypot.conf << EOL
 [ssh-honeypot]
 enabled = true
-filter = ssh-honeypot
-logpath = /var/log/auth.log
+filter = sshd
+logpath = %(sshd_log)s
 maxretry = 1
 bantime = 1d
 findtime = 1d
 EOL
 
-cat > /etc/fail2ban/filter.d/ssh-honeypot.conf << EOL
+# Configure fail2ban filter
+cat > /etc/fail2ban/filter.d/sshd.local << EOL
 [Definition]
-failregex = ^%(__prefix_line)s(?:error: PAM: )?Authentication failure for .* from <HOST>
-ignoreregex =
+failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
+            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
+            ^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s))?\s*$
+            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
+            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
+            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
+            ^%(__prefix_line)sReceived disconnect from <HOST>: 3: .*: Auth fail$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
+            ^%(__prefix_line)s[aA]uthentication (?:failure|error) for .* from <HOST>(?:\s+\[preauth\])?\s*$
+ignoreregex = 
 EOL
 
+# Create fail2ban systemd override directory
+mkdir -p /etc/systemd/system/fail2ban.service.d/
+
+# Create override file
+cat > /etc/systemd/system/fail2ban.service.d/override.conf << EOL
+[Service]
+ExecStart=
+ExecStart=/usr/bin/fail2ban-server -xf start
+EOL
+
+# Reload systemd daemon
+systemctl daemon-reload
+
 # Restart fail2ban
 systemctl restart fail2ban