From 009702bd12220dc3843547883e1cd7a65f4c26aa Mon Sep 17 00:00:00 2001
From: danry25
Date: Thu, 11 Oct 2018 11:22:35 -0700
Subject: [PATCH] Changed Fail2ban settings, updated Readme (#191)

* Made fail2ban settings more consistent across OSes, disabled HTTP ratelimit permaban on Debian as auto-refresh behaviour in FusionPBX can trigger it.
* Increase nginx-404 ban back to 1 hour
---
 README.md                             | 11 +++++++----
 centos/resources/fail2ban/jail.local  |  6 +++---
 debian/resources/fail2ban/jail.local  |  6 +++---
 devuan/resources/fail2ban/jail.local  |  6 +++---
 freebsd/resources/fail2ban/jail.local |  4 ++--
 5 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index ffc6129..21ab55f 100755
--- a/README.md
+++ b/README.md
@@ -1,9 +1,9 @@
 FusionPBX Install
 --------------------------------------
-A quick install guide for a FusionPBX install. It is recommended to start the install on a minimal install of the operating system.
-
+A quick install guide for a FusionPBX install. It is recommended to start the install on a minimal install of the operating system. Notes on further tweaking your configuration are at end of the file.
+## Operating Systems
 ### Debian
 Debian 8 is the preferred operating system by the FreeSWITCH developers.
 It supports the latest video dependencies.
 If you want to do video mixing use Debian.
 Download Debian 8 Jessie from here https://cdimage.debian.org/cdimage/archive/
@@ -13,7 +13,7 @@ cd /usr/src/fusionpbx-install.sh/debian && ./install.sh
 ```
 ### Devuan
 If you like Debian but rather not bother with systemd, Devuan is a "drop in" replacement.
-Version 1 is bassed on Jessie. So you will find the same packages available.
+Version 1 is bassed on Jessie, so you will find the same packages available.
 Please note that the source installation and installation on ARM is not fully tested.
 ```sh
@@ -45,10 +45,13 @@ cd /usr/src/fusionpbx-install.sh/centos && ./install.sh
 * Click to download the zip file and extract it.
 * Extract the zip file
 * Navigate to install.ps1
-* Click on install.ps1 then right click on install.ps1 then choose Run with Powershell
+* Click on install.ps1 then right click on install.ps1 then choose Run with Powershell
 * If you are not already Administrator you will have to choose run as Administrator
 ```sh
 Master https://github.com/fusionpbx/fusionpbx-install.sh/archive/master.zip
 ```
+
+## Security Considerations
+Fail2ban is installed and pre-configured for all operating systems this repository works on besides Windows, but the default settings may not be ideal depending on your needs. Please take a look at the jail file (/etc/fail2ban/jail.local on Debian/Devuan) to configure it to suit your application and security model!
diff --git a/centos/resources/fail2ban/jail.local b/centos/resources/fail2ban/jail.local
index b37612f..5c2cbc2 100755
--- a/centos/resources/fail2ban/jail.local
+++ b/centos/resources/fail2ban/jail.local
@@ -95,7 +95,7 @@ port = 80,443
 protocol = tcp
 filter = nginx-404
 logpath = /var/log/nginx/access*.log
-bantime = 600
+bantime = 3600
 findtime = 60
 maxretry = 120
 
@@ -103,11 +103,11 @@ maxretry = 120
 # Based on apache-badbots but a simple IP check (any IP requesting more than
 # 240 pages in 60 seconds, or 4p/s average, is suspicious)
 # Block for two full days.
-enabled = true
+enabled = false
 port = 80,443
 protocol = tcp
 filter = nginx-dos
 logpath = /var/log/nginx/access*.log
 findtime = 60
-bantime = 172800
+bantime = 86400
 maxretry = 240
diff --git a/debian/resources/fail2ban/jail.local b/debian/resources/fail2ban/jail.local
index 068436e..dfe42b0 100755
--- a/debian/resources/fail2ban/jail.local
+++ b/debian/resources/fail2ban/jail.local
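Review bot: The context comment `# Block for two full days.` above the new `enabled = false` is now wrong twice over: `bantime = 86400` is one day, and with the jail disabled no block happens at all, so the nginx-dos rate limit is gone on every platform in this patch even though the commit message only mentions Debian. The same stale comment and disabled jail appear in the devuan hunk at @@ -103 and the freebsd hunk at @@ -86, the debian hunk at @@ -120 disables the jail too, and the freebsd hunk at @@ -94 changes `bantime` on that same disabled jail. If FusionPBX's own page auto-refresh is what trips the 240-requests-per-60s threshold, raising `maxretry`/`findtime` or listing the trusted admin addresses in `ignoreip` keeps flood protection for everyone else instead of removing it. Whichever is chosen, the reason should be recorded in the file, e.g. replace the stale line with `# Disabled by default: FusionPBX's page auto-refresh can exceed 240 requests/60s and ban legitimate admins; raise maxretry or add trusted addresses to ignoreip before re-enabling. Ban lasts one day (86400s).`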
@@ -104,7 +104,7 @@ action = iptables-allports[name=fusionpbx-mac, protocol=all]
 # sendmail-whois[name=fusionpbx-mac, dest=root, sender=fail2ban@example.org] #no smtp server installed
 maxretry = 5
 findtime = 300
-bantime = -1
+bantime = 86400
 
 [nginx-404]
 enabled = true
@@ -120,12 +120,12 @@ maxretry = 120
 [nginx-dos]
 # Based on apache-badbots but a simple IP check (any IP requesting more than
 # 240 pages in 60 seconds, or 4p/s average, is suspicious)
-enabled = true
+enabled = false
 port = 80,443
 protocol = tcp
 filter = nginx-dos
 logpath = /var/log/nginx/access*.log
 action = iptables-allports[name=nginx-dos, protocol=all]
 findtime = 60
-bantime = -1
+bantime = 86400
 maxretry = 240
diff --git a/devuan/resources/fail2ban/jail.local b/devuan/resources/fail2ban/jail.local
index fc3b4d2..f0c1963 100755
--- a/devuan/resources/fail2ban/jail.local
+++ b/devuan/resources/fail2ban/jail.local
@@ -95,7 +95,7 @@ port = 80,443
 protocol = tcp
 filter = nginx-404
 logpath = /var/log/nginx/access*.log
-bantime = 600
+bantime = 3600
 findtime = 60
 maxretry = 120
 
@@ -103,11 +103,11 @@ maxretry = 120
 # Based on apache-badbots but a simple IP check (any IP requesting more than
 # 240 pages in 60 seconds, or 4p/s average, is suspicious)
 # Block for two full days.
-enabled = true
+enabled = false
 port = 80,443
 protocol = tcp
 filter = nginx-dos
 logpath = /var/log/nginx/access*.log
 findtime = 60
-bantime = 172800
+bantime = 86400
 maxretry = 240
diff --git a/freebsd/resources/fail2ban/jail.local b/freebsd/resources/fail2ban/jail.local
index 994f8ae..3597910 100755
--- a/freebsd/resources/fail2ban/jail.local
+++ b/freebsd/resources/fail2ban/jail.local
@@ -86,7 +86,7 @@ bantime = 3600
 # Based on apache-badbots but a simple IP check (any IP requesting more than
 # 240 pages in 60 seconds, or 4p/s average, is suspicious)
 # Block for two full days.
-enabled = true
+enabled = false
 port = 80,443
 protocol = tcp
 filter = nginx-dos
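Review bot: Changing `bantime = -1` to `bantime = 86400` turns the fusionpbx-mac permanent ban into a 24-hour one, but neither the jail nor the commit message says why (the message only mentions the HTTP ratelimit), so a later reader cannot tell whether the fusionpbx-mac relaxation was deliberate; the jail's header and most of its settings start outside the hunk. Because a source that keeps hitting `maxretry = 5` within `findtime = 300` is now released every day, enabling fail2ban's `[recidive]` jail would let repeat offenders escalate to a longer ban, and the intent belongs next to the value, e.g. a comment line above it: `# One-day ban (was permanent); enable the recidive jail to escalate repeat offenders`. The same -1 to 86400 change is made to nginx-dos at @@ -120 below, where it has no effect while that jail is `enabled = false`.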
@@ -94,4 +94,4 @@ logpath = /var/log/nginx/access*.log
 findtime = 60
 maxretry = 240
 banaction = pf
-bantime = 172800
+bantime = 86400