LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-21-2021, 05:37 AM   #1
n00b_noob
Member
 
Registered: Sep 2020
Posts: 436

Is my Fail2Ban working properly?


Hello,
I installed Fail2Ban on CentOS and created the ".conf" files below in the "jail.d" directory with the following content:
Code:
# cat mariadb.conf 
[mysqld-auth]
enabled = true
filter   = mysqld-auth
port     = 3306
maxretry = 3
bantime = 600
logpath  = /var/log/mariadb/mariadb.log
And:
Code:
# cat sshd.conf 
[sshd]
enabled = true
port = ssh
action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400
And:
Code:
# cat apache.conf 
[apache-auth]
enabled = true
port    = http,https
logpath = %(apache_error_log)s


[apache-badbots]
enabled = true
port    = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1


[apache-noscript]
enabled = true
port    = http,https
logpath = %(apache_error_log)s
And:
Code:
# cat phpmyadmin.conf 
[apache-phpmyadmin]
enabled         = true
filter          = apache-phpmyadmin
port            = http,https
logpath         = %(apache_error_log)s
And:
Code:
# cat vsftpd.conf 
[vsftpd]
enabled = true
action = firewallcmd-ipset
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
maxretry = 5
bantime = 86400
And "fail2ban-client status" tells me:
Code:
# fail2ban-client status
Status
|- Number of jail:    7
`- Jail list:    apache-auth, apache-badbots, apache-noscript, apache-phpmyadmin, mysqld-auth, sshd, vsftpd
1- Is my configuration OK?
2- How can I be sure Fail2Ban is working correctly? The "fail2ban.log" shows me something like:
Code:
2021-01-17 03:21:01,701 fail2ban.server         [1946315]: INFO    rollover performed on /var/log/fail2ban.log
2021-01-18 15:57:58,443 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-18 15:57:56
2021-01-18 15:58:27,996 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-18 15:58:27
2021-01-18 16:33:27,754 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-18 16:33:26
2021-01-18 16:36:11,575 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-18 16:36:11
2021-01-18 16:38:34,093 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-18 16:38:34
2021-01-18 16:42:36,770 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-18 16:42:36
2021-01-18 16:43:25,860 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-18 16:43:25
2021-01-18 16:43:30,011 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-18 16:43:30
2021-01-18 16:43:30,048 fail2ban.actions        [1946315]: NOTICE  [apache-auth] Ban X.X.X.X
2021-01-18 16:46:47,191 fail2ban.filter         [1946315]: INFO    [apache-noscript] Found X.X.X.X - 2021-01-18 16:46:47
2021-01-18 16:53:30,230 fail2ban.actions        [1946315]: NOTICE  [apache-auth] Unban X.X.X.X
2021-01-20 17:05:52,030 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-20 17:05:49
2021-01-20 17:06:11,305 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-20 17:06:11
2021-01-20 17:26:12,969 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-20 17:26:11
2021-01-20 17:37:16,932 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-20 17:37:15
2021-01-20 17:42:30,524 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-20 17:42:28
2021-01-20 17:43:13,690 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-20 17:43:13
2021-01-20 17:47:55,469 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-20 17:47:55
2021-01-20 17:51:28,139 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-20 17:51:27
2021-01-20 17:58:29,335 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-20 17:58:27
2021-01-20 17:59:10,809 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-20 17:59:10
2021-01-20 18:02:53,134 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-20 18:02:53
2021-01-20 18:03:09,328 fail2ban.filter         [1946315]: INFO    [apache-auth] Found X.X.X.X - 2021-01-20 18:03:09
2021-01-20 18:03:09,440 fail2ban.actions        [1946315]: NOTICE  [apache-auth] Ban X.X.X.X
2021-01-20 18:13:09,467 fail2ban.actions        [1946315]: NOTICE  [apache-auth] Unban X.X.X.X
2021-01-20 18:26:37,156 fail2ban.filter         [1946315]: INFO    [apache-noscript] Found X.X.X.X - 2021-01-20 18:26:34
2021-01-20 21:05:15,632 fail2ban.filter         [1946315]: INFO    [apache-noscript] Found X.X.X.X - 2021-01-20 21:05:13
2021-01-21 14:15:06,038 fail2ban.filter         [1946315]: INFO    [sshd] Found X.X.X.X - 2021-01-21 14:15:01
Can it mean that Fail2Ban is working properly?

Thank you.
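Whether the Found / Ban / Unban lines above show the jails doing their job can be answered from the log itself once it is read against the jail parameters. The script below is an added example, not code from this post or from the Fail2Ban project: it parses lines in the format of the fail2ban.log excerpt, counts Found, Ban and Unban events per jail, lists hosts still banned, flags ERROR lines (failed action commands are logged at ERROR level, and a ban whose firewall command failed is not enforced) and compares each observed ban duration with the configured bantime. The values in JAIL_CONFIG are the ones the `fail2ban-client -d` output later in this thread reports for apache-auth and sshd; the log lines are constructed samples with RFC 5737 documentation addresses, since the post masks its addresses as X.X.X.X.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the fail2ban.log excerpt from the post.
# Addresses are from the RFC 5737 documentation ranges; the ERROR line is a
# constructed message standing in for a failed firewall action.
SAMPLE_LOG = """\
2021-01-17 03:21:01,701 fail2ban.server         [1946315]: INFO    rollover performed on /var/log/fail2ban.log
2021-01-18 16:36:11,575 fail2ban.filter         [1946315]: INFO    [apache-auth] Found 192.0.2.10 - 2021-01-18 16:36:11
2021-01-18 16:38:34,093 fail2ban.filter         [1946315]: INFO    [apache-auth] Found 192.0.2.10 - 2021-01-18 16:38:34
2021-01-18 16:42:36,770 fail2ban.filter         [1946315]: INFO    [apache-auth] Found 192.0.2.10 - 2021-01-18 16:42:36
2021-01-18 16:43:25,860 fail2ban.filter         [1946315]: INFO    [apache-auth] Found 192.0.2.10 - 2021-01-18 16:43:25
2021-01-18 16:43:30,011 fail2ban.filter         [1946315]: INFO    [apache-auth] Found 192.0.2.10 - 2021-01-18 16:43:30
2021-01-18 16:43:30,048 fail2ban.actions        [1946315]: NOTICE  [apache-auth] Ban 192.0.2.10
2021-01-18 16:46:47,191 fail2ban.filter         [1946315]: INFO    [apache-noscript] Found 198.51.100.7 - 2021-01-18 16:46:47
2021-01-18 16:53:30,230 fail2ban.actions        [1946315]: NOTICE  [apache-auth] Unban 192.0.2.10
2021-01-21 14:15:06,038 fail2ban.filter         [1946315]: INFO    [sshd] Found 203.0.113.5 - 2021-01-21 14:15:01
2021-01-21 14:15:40,000 fail2ban.actions        [1946315]: NOTICE  [sshd] Ban 203.0.113.5
2021-01-21 14:15:40,120 fail2ban.actions        [1946315]: ERROR   [sshd] firewallcmd-ipset ban command failed (constructed sample)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} "
    r"(?P<component>fail2ban\.\S+)\s+\[(?P<pid>\d+)\]: "
    r"(?P<level>[A-Z]+)\s+(?:\[(?P<jail>[\w.-]+)\] )?(?P<msg>.*)$"
)
EVENT_RE = re.compile(
    r"^(?P<kind>Found|Ban|Unban|Restore Ban) (?P<ip>\S+)"
    r"(?: - (?P<ftime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}))?"
)

# Jail parameters as reported by `fail2ban-client -d` in this thread.
JAIL_CONFIG = {
    "apache-auth": {"maxretry": 5, "findtime": timedelta(minutes=10), "bantime": timedelta(minutes=10)},
    "sshd": {"maxretry": 5, "findtime": timedelta(minutes=10), "bantime": timedelta(seconds=86400)},
}


def parse_log(text):
    """Turn fail2ban.log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ev = {"time": when, "level": m["level"], "jail": m["jail"],
              "kind": None, "ip": None, "fail_time": None, "msg": m["msg"]}
        e = EVENT_RE.match(m["msg"])
        if e:
            ev["kind"], ev["ip"] = e["kind"], e["ip"]
            # a Found line carries the timestamp of the matched log entry after the dash
            ev["fail_time"] = datetime.strptime(e["ftime"], "%Y-%m-%d %H:%M:%S") if e["ftime"] else when
        events.append(ev)
    return events


def audit(events, config=JAIL_CONFIG, tolerance=timedelta(seconds=5)):
    """Per-jail counts plus findings that would make 'it is working' doubtful."""
    report = defaultdict(lambda: {"found": 0, "ban": 0, "unban": 0, "errors": 0,
                                  "active_bans": [], "findings": []})
    open_bans = {}                   # (jail, ip) -> time of the Ban line
    found_times = defaultdict(list)  # (jail, ip) -> failure times seen by the filter
    for ev in events:
        jail = ev["jail"]
        if jail is None:             # server-level lines such as the log rollover
            continue
        r, cfg = report[jail], config.get(jail)
        if ev["level"] == "ERROR":   # a failed action command means the ban was not enforced
            r["errors"] += 1
            r["findings"].append(f"ERROR at {ev['time']}: {ev['msg']}")
        kind, ip = ev["kind"], ev["ip"]
        if kind == "Found":
            r["found"] += 1
            found_times[(jail, ip)].append(ev["fail_time"])
        elif kind in ("Ban", "Restore Ban"):
            r["ban"] += 1
            open_bans[(jail, ip)] = ev["time"]
            if cfg and kind == "Ban":
                recent = [t for t in found_times[(jail, ip)] if t >= ev["time"] - cfg["findtime"]]
                if len(recent) < cfg["maxretry"]:
                    r["findings"].append(
                        f"Ban of {ip} at {ev['time']} after only {len(recent)} Found lines inside findtime "
                        f"(maxretry={cfg['maxretry']}); earlier failures may sit in the database or a rotated log")
        elif kind == "Unban":
            r["unban"] += 1
            banned_at = open_bans.pop((jail, ip), None)
            if banned_at is None:
                r["findings"].append(f"Unban of {ip} at {ev['time']} without a preceding Ban")
            elif cfg:
                observed = ev["time"] - banned_at
                # bantime.increment = True lengthens repeat bans, so only a shorter ban is suspicious
                if observed + tolerance < cfg["bantime"]:
                    r["findings"].append(f"{ip} unbanned after {observed}, configured bantime is {cfg['bantime']}")
    for (jail, ip) in open_bans:
        report[jail]["active_bans"].append(ip)
    return dict(report)


if __name__ == "__main__":
    for jail, r in sorted(audit(parse_log(SAMPLE_LOG)).items()):
        print(jail, {k: v for k, v in r.items() if k != "findings"})
        for finding in r["findings"]:
            print("  !", finding)
```

On a live host, replace SAMPLE_LOG with the contents of /var/log/fail2ban.log and extend JAIL_CONFIG from the `fail2ban-client -d` output; a jail that only ever logs Found lines, or one whose Ban lines are followed by ERROR lines, is the case where the answer to "is it working" is no.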
 
Old 01-21-2021, 08:26 AM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,636

Quote:
Originally Posted by n00b_noob
[jail.d configuration files and "fail2ban-client status" output quoted from post #1]
1- Is my configuration OK?
You tell us; are you getting error(s)? Is it working?
Quote:
2- How can I be sure Fail2Ban is working correctly? The "fail2ban.log" shows me something like:
[fail2ban.log excerpt quoted from post #1]
Can it mean that Fail2Ban is working properly?
Again, did you read the documentation?? There is an entire section regarding testing:
http://www.fail2ban.org/wiki/index.p...AL_0_8#Testing
 
Old 01-21-2021, 03:03 PM   #3
n00b_noob
Member
 
Registered: Sep 2020
Posts: 436

Original Poster
Quote:
Originally Posted by TB0ne
You tell us; are you getting error(s)? Is it working?

Again, did you read the documentation?? There is an entire section regarding testing:
http://www.fail2ban.org/wiki/index.p...AL_0_8#Testing
Thank you so much.
It shows me:
Code:
# fail2ban-client -d
['set', 'syslogsocket', 'auto']
['set', 'loglevel', 'INFO']
['set', 'logtarget', '/var/log/fail2ban.log']
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['set', 'dbmaxmatches', 10]
['set', 'dbpurgeage', '1d']
['add', 'sshd', 'systemd']
['set', 'sshd', 'usedns', 'warn']
['set', 'sshd', 'prefregex', '^<F-MLFID>\\s*(?:\\S+\\s+)?(?:sshd(?:\\[\\d+\\])?:?\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?</F-MLFID>(?:(?:error|fatal): (?:PAM: )?)?<F-CONTENT>.+</F-CONTENT>$']
['set', 'sshd', 'maxlines', 1]
['multi-set', 'sshd', 'addfailregex', ['^[aA]uthentication (?:failure|error|failed) for <F-USER>.*</F-USER> from <HOST>( via \\S+)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User not known to the underlying authentication module for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^Failed publickey for invalid user <F-USER>(?P<cond_user>\\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)', '^Failed (?:<F-NOFAIL>publickey</F-NOFAIL>|\\S+) for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)', '^<F-USER>ROOT</F-USER> LOGIN REFUSED FROM <HOST>', '^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because not listed in AllowUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because listed in DenyUsers(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because not in any group(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^refused connect from \\S+ \\(<HOST>\\)', '^Received <F-MLFFORGET>disconnect</F-MLFFORGET> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*3: .*: Auth fail(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because a group is listed in DenyGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', "^User <F-USER>\\S+|.*?</F-USER> from <HOST> not allowed because none of user's groups are listed in AllowGroups(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$", '^<F-NOFAIL>pam_[a-z]+\\(sshd:auth\\):\\s+authentication failure;</F-NOFAIL>(?:\\s+(?:(?:logname|e?uid|tty)=\\S*)){0,4}\\s+ruser=<F-ALT_USER>\\S*</F-ALT_USER>\\s+rhost=<HOST>(?:\\s+user=<F-USER>\\S*</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^maximum authentication attempts exceeded for <F-USER>.*</F-USER> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}(?: ssh\\d*)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^User <F-USER>\\S+|.*?</F-USER> not allowed because account is locked(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*', '^<F-MLFFORGET>Disconnecting</F-MLFFORGET>(?: from)?(?: (?:invalid|authenticating)) user <F-USER>\\S+</F-USER> <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*Change of username or service not allowed:\\s*.*\\[preauth\\]\\s*$', '^Disconnecting: Too many authentication failures(?: for <F-USER>\\S+|.*?</F-USER>)?(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*$', '^<F-NOFAIL>Received <F-MLFFORGET>disconnect</F-MLFFORGET></F-NOFAIL> from <HOST>(?: (?:port \\d+|on \\S+)){0,2}:\\s*11:', '^<F-NOFAIL><F-MLFFORGET>(Connection closed|Disconnected)</F-MLFFORGET></F-NOFAIL> (?:by|from)(?: (?:invalid|authenticating) user <F-USER>\\S+|.*?</F-USER>)? <HOST>(?:(?: (?:port \\d+|on \\S+|\\[preauth\\])){0,3}\\s*|\\s*)$', '^<F-MLFFORGET><F-MLFGAINED>Accepted \\w+</F-MLFGAINED></F-MLFFORGET> for <F-USER>\\S+</F-USER> from <HOST>(?:\\s|$)', '^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>']]
['set', 'sshd', 'datepattern', '{^LN-BEG}']
['set', 'sshd', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd']
['set', 'sshd', 'maxretry', 5]
['set', 'sshd', 'maxmatches', 5]
['set', 'sshd', 'findtime', '10m']
['set', 'sshd', 'bantime', '86400']
['set', 'sshd', 'bantime.increment', True]
['set', 'sshd', 'ignorecommand', '']
['set', 'sshd', 'addignoreip', '127.0.0.1/8', '172.20.50.1/24']
['set', 'sshd', 'logencoding', 'auto']
['set', 'sshd', 'addaction', 'firewallcmd-ipset']
['multi-set', 'sshd', 'action', 'firewallcmd-ipset', [['actionstart', 'ipset create <ipmset> hash:ip timeout 0 <familyopt>\nfirewall-cmd --direct --add-rule <family> filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo \'1:65535\' | sed s/:/-/g)" -m set --match-set <ipmset> src -j REJECT --reject-with <rejecttype>'], ['actionstop', 'firewall-cmd --direct --remove-rule <family> filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo \'1:65535\' | sed s/:/-/g)" -m set --match-set <ipmset> src -j REJECT --reject-with <rejecttype>\nipset flush <ipmset>\nipset destroy <ipmset>'], ['actionflush', 'ipset flush <ipmset>'], ['actionban', 'ipset add <ipmset> <ip> timeout 0 -exist'], ['actionunban', 'ipset del <ipmset> <ip> -exist'], ['name', 'sshd'], ['actname', 'firewallcmd-ipset'], ['port', '1:65535'], ['protocol', 'tcp'], ['family', 'ipv4'], ['chain', 'INPUT_direct'], ['zone', 'public'], ['service', 'ssh'], ['rejecttype', 'icmp-port-unreachable'], ['blocktype', 'REJECT --reject-with <rejecttype>'], ['rich-blocktype', "reject type='<rejecttype>'"], ['family?family=inet6', 'ipv6'], ['rejecttype?family=inet6', 'icmp6-port-unreachable'], ['default-ipsettime', '0'], ['ipsettime', '0'], ['timeout-bantime', '$([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)'], ['actiontype', '<multiport>'], ['allports', '-p <protocol>'], ['multiport', '-p <protocol> -m multiport --dports "$(echo \'<port>\' | sed s/:/-/g)"'], ['ipmset', 'f2b-<name>'], ['familyopt', ''], ['ipmset?family=inet6', 'f2b-<name>6'], ['familyopt?family=inet6', 'family inet6']]]
['add', 'apache-auth', 'auto']
['set', 'apache-auth', 'usedns', 'warn']
['set', 'apache-auth', 'prefregex', '^\\[\\]\\s\\[(:?error|(?!evasive)\\S+:\\S+)\\]( \\[pid \\d+(:\\S+ \\d+)?\\])? \\[client <HOST>(:\\d{1,5})?\\] (?:AH\\d+: )?<F-CONTENT>.+</F-CONTENT>$']
['multi-set', 'apache-auth', 'addfailregex', ['^client (?:denied by server configuration|used wrong authentication scheme)\\b', '^user (?!`)<F-USER>(?:\\S*|.*?)</F-USER> (?:auth(?:oriz|entic)ation failure|not found|denied by provider)\\b', '^Authorization of user <F-USER>(?:\\S*|.*?)</F-USER> to access .*? failed\\b', '^([A-Z]\\w+: )?user <F-USER>(?:\\S*|.*?)</F-USER>: password mismatch\\b', "^([A-Z]\\w+: )?user `<F-USER>(?:[^']*|.*?)</F-USER>' in realm `.+' (auth(?:oriz|entic)ation failure|not found|denied by provider)\\b", '^([A-Z]\\w+: )?invalid nonce .* received - length is not\\b', "^([A-Z]\\w+: )?realm mismatch - got `(?:[^']*|.*?)' but expected\\b", "^([A-Z]\\w+: )?unknown algorithm `(?:[^']*|.*?)' received\\b", "^invalid qop `(?:[^']*|.*?)' received\\b", '^([A-Z]\\w+: )?invalid nonce .*? received - user attempted time travel\\b', '^(?:No h|H)ostname \\S+ provided via SNI(?:, but no hostname provided| and hostname \\S+ provided| for a name based virtual host)\\b']]
['set', 'apache-auth', 'datepattern', '{^LN-BEG}']
['set', 'apache-auth', 'maxretry', 5]
['set', 'apache-auth', 'maxmatches', 5]
['set', 'apache-auth', 'findtime', '10m']
['set', 'apache-auth', 'bantime', '10m']
['set', 'apache-auth', 'bantime.increment', True]
['set', 'apache-auth', 'ignorecommand', '']
['set', 'apache-auth', 'addignoreip', '127.0.0.1/8', '172.20.50.1/24']
['set', 'apache-auth', 'logencoding', 'auto']
['set', 'apache-auth', 'addlogpath', '/var/log/httpd/error_log', 'head']
['set', 'apache-auth', 'addlogpath', '/var/log/httpd/ssl_error_log', 'head']
['set', 'apache-auth', 'addaction', 'iptables-multiport']
['multi-set', 'apache-auth', 'action', 'iptables-multiport', [['actionstart', '<iptables> -N f2b-apache-auth\n<iptables> -A f2b-apache-auth -j RETURN\n<iptables> -I INPUT -p tcp -m multiport --dports http,https -j f2b-apache-auth'], ['actionstop', '<iptables> -D INPUT -p tcp -m multiport --dports http,https -j f2b-apache-auth\n<iptables> -F f2b-apache-auth\n<iptables> -X f2b-apache-auth'], ['actionflush', '<iptables> -F f2b-apache-auth'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-apache-auth[ \\t]'"], ['actionban', '<iptables> -I f2b-apache-auth 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-apache-auth -s <ip> -j <blocktype>'], ['name', 'apache-auth'], ['port', 'http,https'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-multiport'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]]
['add', 'apache-badbots', 'auto']
['set', 'apache-badbots', 'usedns', 'warn']
['set', 'apache-badbots', 'addfailregex', '^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:Atomic_Email_Hunter/4\\.0|atSpider/1\\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\\.6|ContactBot/0\\.2|ContentSmartz|DataCha0s/2\\.0|DBrowse 1\\.4b|DBrowse 1\\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\\.0\\.x|ISC Systems iRc Search 2\\.1|IUPUI Research Bot v 1\\.9a|LARBIN-EXPERIMENTAL \\(efp@gmx\\.net\\)|LetsCrawl\\.com/1\\.0 \\+http\\://letscrawl\\.com/|Lincoln State Web Browser|LMQueueBot/0\\.2|LWP\\:\\:Simple/5\\.803|Mac Finder 1\\.0\\.xx|MFC Foundation Class Library 4\\.0|Microsoft URL Control - 6\\.00\\.8xxx|Missauga Locate 1\\.0\\.0|Missigua Locator 1\\.9|Missouri College Browse|Mizzu Labs 2\\.2|Mo College 1\\.9|MVAClient|Mozilla/2\\.0 \\(compatible; NEWT ActiveX; Win32\\)|Mozilla/3\\.0 \\(compatible; Indy Library\\)|Mozilla/3\\.0 \\(compatible; scan4mail \\(advanced version\\) http\\://www\\.peterspages\\.net/?scan4mail\\)|Mozilla/4\\.0 \\(compatible; Advanced Email Extractor v2\\.xx\\)|Mozilla/4\\.0 \\(compatible; Iplexx Spider/1\\.0 http\\://www\\.iplexx\\.at\\)|Mozilla/4\\.0 \\(compatible; MSIE 5\\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\\.0 efp@gmx\\.net|Mozilla/5\\.0 \\(Version\\: xxxx Type\\:xx\\)|NameOfAgent \\(CMS Spider\\)|NASA Search 1\\.0|Nsauditor/1\\.x|PBrowse 1\\.4b|PEval 1\\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\\.0\\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\\.com|ShablastBot 1\\.0|snap\\.com beta crawler v0|Snapbot/1\\.0|Snapbot/1\\.0 \\(Snap Shots, \\+http\\://www\\.snap\\.com\\)|sogou develop spider|Sogou Orion spider/3\\.0\\(\\+http\\://www\\.sogou\\.com/docs/help/webmasters\\.htm#07\\)|sogou spider|Sogou web spider/3\\.0\\(\\+http\\://www\\.sogou\\.com/docs/help/webmasters\\.htm#07\\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\\.2|User-Agent\\: Mozilla/4\\.0 \\(compatible; MSIE 6\\.0; Windows NT 5\\.1\\)|VadixBot|WebVulnCrawl\\.unknown/1\\.0 libwww-perl/5\\.803|Wells Search II|WEP Search 00|EmailCollector|WebEMailExtrac|TrackBack/1\\.02|sogou music spider|(?:Mozilla/\\d+\\.\\d+ )?Jorgee)"$']
['set', 'apache-badbots', 'datepattern', '^[^\\[]*\\[({DATE})\n{^LN-BEG}']
['set', 'apache-badbots', 'maxretry', 1]
['set', 'apache-badbots', 'maxmatches', 1]
['set', 'apache-badbots', 'findtime', '10m']
['set', 'apache-badbots', 'bantime', '48h']
['set', 'apache-badbots', 'bantime.increment', True]
['set', 'apache-badbots', 'ignorecommand', '']
['set', 'apache-badbots', 'addignoreip', '127.0.0.1/8', '172.20.50.1/24']
['set', 'apache-badbots', 'logencoding', 'auto']
['set', 'apache-badbots', 'addlogpath', '/var/log/httpd/access_log', 'head']
['set', 'apache-badbots', 'addlogpath', '/var/log/httpd/ssl_access_log', 'head']
['set', 'apache-badbots', 'addaction', 'iptables-multiport']
['multi-set', 'apache-badbots', 'action', 'iptables-multiport', [['actionstart', '<iptables> -N f2b-apache-badbots\n<iptables> -A f2b-apache-badbots -j RETURN\n<iptables> -I INPUT -p tcp -m multiport --dports http,https -j f2b-apache-badbots'], ['actionstop', '<iptables> -D INPUT -p tcp -m multiport --dports http,https -j f2b-apache-badbots\n<iptables> -F f2b-apache-badbots\n<iptables> -X f2b-apache-badbots'], ['actionflush', '<iptables> -F f2b-apache-badbots'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-apache-badbots[ \\t]'"], ['actionban', '<iptables> -I f2b-apache-badbots 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-apache-badbots -s <ip> -j <blocktype>'], ['name', 'apache-badbots'], ['port', 'http,https'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-multiport'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]]
['add', 'apache-noscript', 'auto']
['set', 'apache-noscript', 'usedns', 'warn']
['set', 'apache-noscript', 'prefregex', '^\\[\\]\\s\\[(:?error|\\S+:\\S+)\\]( \\[pid \\d+(:\\S+ \\d+)?\\])? \\[client <HOST>(:\\d{1,5})?\\] (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?:(?:[Ff]ile|script|[Gg]ot) )<F-CONTENT>.+</F-CONTENT>$']
['multi-set', 'apache-noscript', 'addfailregex', ['^(?:does not exist|not found or unable to stat): /\\S*(?:php(?:[45]|[.-]cgi)?|\\.asp|\\.exe|\\.pl|\\bcgi-bin/)\\b', "^'/\\S*(?:php(?:[45]|[.-]cgi)?|\\.asp|\\.exe|\\.pl|\\bcgi-bin/)\\S*' not found or unable to stat", "^error '[Pp]rimary script unknown(?:\\\\n)?'"]]
['set', 'apache-noscript', 'datepattern', '{^LN-BEG}']
['set', 'apache-noscript', 'maxretry', 5]
['set', 'apache-noscript', 'maxmatches', 5]
['set', 'apache-noscript', 'findtime', '10m']
['set', 'apache-noscript', 'bantime', '10m']
['set', 'apache-noscript', 'bantime.increment', True]
['set', 'apache-noscript', 'ignorecommand', '']
['set', 'apache-noscript', 'addignoreip', '127.0.0.1/8', '172.20.50.1/24']
['set', 'apache-noscript', 'logencoding', 'auto']
['set', 'apache-noscript', 'addlogpath', '/var/log/httpd/error_log', 'head']
['set', 'apache-noscript', 'addlogpath', '/var/log/httpd/ssl_error_log', 'head']
['set', 'apache-noscript', 'addaction', 'iptables-multiport']
['multi-set', 'apache-noscript', 'action', 'iptables-multiport', [['actionstart', '<iptables> -N f2b-apache-noscript\n<iptables> -A f2b-apache-noscript -j RETURN\n<iptables> -I INPUT -p tcp -m multiport --dports http,https -j f2b-apache-noscript'], ['actionstop', '<iptables> -D INPUT -p tcp -m multiport --dports http,https -j f2b-apache-noscript\n<iptables> -F f2b-apache-noscript\n<iptables> -X f2b-apache-noscript'], ['actionflush', '<iptables> -F f2b-apache-noscript'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-apache-noscript[ \\t]'"], ['actionban', '<iptables> -I f2b-apache-noscript 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-apache-noscript -s <ip> -j <blocktype>'], ['name', 'apache-noscript'], ['port', 'http,https'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-multiport'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]]
['add', 'vsftpd', 'auto']
['set', 'vsftpd', 'usedns', 'warn']
['multi-set', 'vsftpd', 'addfailregex', ['^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?vsftpd(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?vsftpd(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?\\(?pam_unix(?:\\(\\S+\\))?\\)?:?\\s+authentication failure; logname=\\S* uid=\\S* euid=\\S* tty=(ftp)? ruser=\\S* rhost=<HOST>(?:\\s+user=.*)?\\s*$', '^ \\[pid \\d+\\] \\[[^\\]]+\\] FAIL LOGIN: Client "<HOST>"(?:\\s*$|,)']]
['set', 'vsftpd', 'datepattern', '{^LN-BEG}']
['set', 'vsftpd', 'maxretry', 5]
['set', 'vsftpd', 'maxmatches', 5]
['set', 'vsftpd', 'findtime', '10m']
['set', 'vsftpd', 'bantime', '86400']
['set', 'vsftpd', 'bantime.increment', True]
['set', 'vsftpd', 'ignorecommand', '']
['set', 'vsftpd', 'addignoreip', '127.0.0.1/8', '172.20.50.1/24']
['set', 'vsftpd', 'logencoding', 'auto']
['set', 'vsftpd', 'addlogpath', '/var/log/vsftpd.log', 'head']
['set', 'vsftpd', 'addaction', 'firewallcmd-ipset']
['multi-set', 'vsftpd', 'action', 'firewallcmd-ipset', [['actionstart', 'ipset create <ipmset> hash:ip timeout 0 <familyopt>\nfirewall-cmd --direct --add-rule <family> filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo \'1:65535\' | sed s/:/-/g)" -m set --match-set <ipmset> src -j REJECT --reject-with <rejecttype>'], ['actionstop', 'firewall-cmd --direct --remove-rule <family> filter INPUT_direct 0 -p tcp -m multiport --dports "$(echo \'1:65535\' | sed s/:/-/g)" -m set --match-set <ipmset> src -j REJECT --reject-with <rejecttype>\nipset flush <ipmset>\nipset destroy <ipmset>'], ['actionflush', 'ipset flush <ipmset>'], ['actionban', 'ipset add <ipmset> <ip> timeout 0 -exist'], ['actionunban', 'ipset del <ipmset> <ip> -exist'], ['name', 'vsftpd'], ['actname', 'firewallcmd-ipset'], ['port', '1:65535'], ['protocol', 'tcp'], ['family', 'ipv4'], ['chain', 'INPUT_direct'], ['zone', 'public'], ['service', 'ssh'], ['rejecttype', 'icmp-port-unreachable'], ['blocktype', 'REJECT --reject-with <rejecttype>'], ['rich-blocktype', "reject type='<rejecttype>'"], ['family?family=inet6', 'ipv6'], ['rejecttype?family=inet6', 'icmp6-port-unreachable'], ['default-ipsettime', '0'], ['ipsettime', '0'], ['timeout-bantime', '$([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)'], ['actiontype', '<multiport>'], ['allports', '-p <protocol>'], ['multiport', '-p <protocol> -m multiport --dports "$(echo \'<port>\' | sed s/:/-/g)"'], ['ipmset', 'f2b-<name>'], ['familyopt', ''], ['ipmset?family=inet6', 'f2b-<name>6'], ['familyopt?family=inet6', 'family inet6']]]
['add', 'mysqld-auth', 'auto']
['set', 'mysqld-auth', 'usedns', 'warn']
['set', 'mysqld-auth', 'addfailregex', "^(?:\\[\\])?\\s*(?:<[^.]+\\.[^.]+>\\s+)?(?:\\S+\\s+)?(?:kernel:\\s?\\[ *\\d+\\.\\d+\\]:?\\s+)?(?:@vserver_\\S+\\s+)?(?:(?:(?:\\[\\d+\\])?:\\s+[\\[\\(]?mysqld(?:\\(\\S+\\))?[\\]\\)]?:?|[\\[\\(]?mysqld(?:\\(\\S+\\))?[\\]\\)]?:?(?:\\[\\d+\\])?:?)\\s+)?(?:\\[ID \\d+ \\S+\\]\\s+)?(?:(?:\\d{6}|\\d{4}-\\d{2}-\\d{2})[ T]\\s?\\d{1,2}:\\d{2}:\\d{2} )?(?:\\d+ )?\\[\\w+\\] (?:\\[[^\\]]+\\] )*Access denied for user '<F-USER>[^']+</F-USER>'@'<HOST>' (to database '[^']*'|\\(using password: (YES|NO)\\))*\\s*$"]
['set', 'mysqld-auth', 'datepattern', '{^LN-BEG}']
['set', 'mysqld-auth', 'maxretry', 3]
['set', 'mysqld-auth', 'maxmatches', 3]
['set', 'mysqld-auth', 'findtime', '10m']
['set', 'mysqld-auth', 'bantime', '600']
['set', 'mysqld-auth', 'bantime.increment', True]
['set', 'mysqld-auth', 'ignorecommand', '']
['set', 'mysqld-auth', 'addignoreip', '127.0.0.1/8', '172.20.50.1/24']
['set', 'mysqld-auth', 'logencoding', 'auto']
['set', 'mysqld-auth', 'addlogpath', '/var/log/mariadb/mariadb.log', 'head']
['set', 'mysqld-auth', 'addaction', 'iptables-multiport']
['multi-set', 'mysqld-auth', 'action', 'iptables-multiport', [['actionstart', '<iptables> -N f2b-mysqld-auth\n<iptables> -A f2b-mysqld-auth -j RETURN\n<iptables> -I INPUT -p tcp -m multiport --dports 3306 -j f2b-mysqld-auth'], ['actionstop', '<iptables> -D INPUT -p tcp -m multiport --dports 3306 -j f2b-mysqld-auth\n<iptables> -F f2b-mysqld-auth\n<iptables> -X f2b-mysqld-auth'], ['actionflush', '<iptables> -F f2b-mysqld-auth'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-mysqld-auth[ \\t]'"], ['actionban', '<iptables> -I f2b-mysqld-auth 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-mysqld-auth -s <ip> -j <blocktype>'], ['name', 'mysqld-auth'], ['port', '3306'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-multiport'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]]
['add', 'apache-phpmyadmin', 'auto']
['set', 'apache-phpmyadmin', 'usedns', 'warn']
['set', 'apache-phpmyadmin', 'addfailregex', '.*\\[client <HOST>:[0-9]+\\] phpmyadmin: authentification failed.*']
['set', 'apache-phpmyadmin', 'maxretry', 5]
['set', 'apache-phpmyadmin', 'maxmatches', 5]
['set', 'apache-phpmyadmin', 'findtime', '10m']
['set', 'apache-phpmyadmin', 'bantime', '10m']
['set', 'apache-phpmyadmin', 'bantime.increment', True]
['set', 'apache-phpmyadmin', 'ignorecommand', '']
['set', 'apache-phpmyadmin', 'addignoreip', '127.0.0.1/8', '172.20.50.1/24']
['set', 'apache-phpmyadmin', 'logencoding', 'auto']
['set', 'apache-phpmyadmin', 'addlogpath', '/var/log/httpd/error_log', 'head']
['set', 'apache-phpmyadmin', 'addlogpath', '/var/log/httpd/ssl_error_log', 'head']
['set', 'apache-phpmyadmin', 'addaction', 'iptables-multiport']
['multi-set', 'apache-phpmyadmin', 'action', 'iptables-multiport', [['actionstart', '<iptables> -N f2b-apache-phpmyadmin\n<iptables> -A f2b-apache-phpmyadmin -j RETURN\n<iptables> -I INPUT -p tcp -m multiport --dports http,https -j f2b-apache-phpmyadmin'], ['actionstop', '<iptables> -D INPUT -p tcp -m multiport --dports http,https -j f2b-apache-phpmyadmin\n<iptables> -F f2b-apache-phpmyadmin\n<iptables> -X f2b-apache-phpmyadmin'], ['actionflush', '<iptables> -F f2b-apache-phpmyadmin'], ['actioncheck', "<iptables> -n -L INPUT | grep -q 'f2b-apache-phpmyadmin[ \\t]'"], ['actionban', '<iptables> -I f2b-apache-phpmyadmin 1 -s <ip> -j <blocktype>'], ['actionunban', '<iptables> -D f2b-apache-phpmyadmin -s <ip> -j <blocktype>'], ['name', 'apache-phpmyadmin'], ['port', 'http,https'], ['protocol', 'tcp'], ['chain', '<known/chain>'], ['actname', 'iptables-multiport'], ['blocktype', 'REJECT --reject-with icmp-port-unreachable'], ['returntype', 'RETURN'], ['lockingopt', '-w'], ['iptables', 'iptables <lockingopt>'], ['blocktype?family=inet6', 'REJECT --reject-with icmp6-port-unreachable'], ['iptables?family=inet6', 'ip6tables <lockingopt>']]]
['start', 'sshd']
['start', 'apache-auth']
['start', 'apache-badbots']
['start', 'apache-noscript']
['start', 'vsftpd']
['start', 'mysqld-auth']
['start', 'apache-phpmyadmin']
What is your opinion?
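The `fail2ban-client -d` dump above is the server's view of the configuration after jail.conf, jail.d and the action files have been merged, so it is the right place to check what each jail will actually do. The script below is an added example, not part of this post or of Fail2Ban: it reads that dump (each line is a Python list literal, so ast.literal_eval parses it), collects per jail the backend, retry and time settings, ignored networks, log sources and action parameters, and then raises two points that are visible in the dump itself: the sshd and vsftpd jails, which name `action = firewallcmd-ipset` without parameters, end up with `port 1:65535`, so a banned host is rejected on every TCP port rather than only on the service port, and the jails are split between firewallcmd and iptables mechanisms. DUMP is a constructed, shortened subset of the lines above with the regex entries left out and one unstarted jail without an action added to exercise the remaining checks.

```python
import ast
from collections import defaultdict

# Constructed, shortened subset of the `fail2ban-client -d` lines shown in the post
# (prefregex/failregex lines left out, action parameter lists trimmed, and a deliberately
# incomplete apache-phpmyadmin jail added so that every check below fires at least once).
DUMP = """\
['set', 'loglevel', 'INFO']
['set', 'dbfile', '/var/lib/fail2ban/fail2ban.sqlite3']
['add', 'sshd', 'systemd']
['set', 'sshd', 'addjournalmatch', '_SYSTEMD_UNIT=sshd.service', '+', '_COMM=sshd']
['set', 'sshd', 'maxretry', 5]
['set', 'sshd', 'findtime', '10m']
['set', 'sshd', 'bantime', '86400']
['set', 'sshd', 'bantime.increment', True]
['set', 'sshd', 'addignoreip', '127.0.0.1/8', '172.20.50.1/24']
['set', 'sshd', 'addaction', 'firewallcmd-ipset']
['multi-set', 'sshd', 'action', 'firewallcmd-ipset', [['actionban', 'ipset add <ipmset> <ip> timeout 0 -exist'], ['name', 'sshd'], ['port', '1:65535'], ['protocol', 'tcp'], ['chain', 'INPUT_direct']]]
['add', 'mysqld-auth', 'auto']
['set', 'mysqld-auth', 'maxretry', 3]
['set', 'mysqld-auth', 'findtime', '10m']
['set', 'mysqld-auth', 'bantime', '600']
['set', 'mysqld-auth', 'bantime.increment', True]
['set', 'mysqld-auth', 'addignoreip', '127.0.0.1/8', '172.20.50.1/24']
['set', 'mysqld-auth', 'addlogpath', '/var/log/mariadb/mariadb.log', 'head']
['set', 'mysqld-auth', 'addaction', 'iptables-multiport']
['multi-set', 'mysqld-auth', 'action', 'iptables-multiport', [['actionban', '<iptables> -I f2b-mysqld-auth 1 -s <ip> -j <blocktype>'], ['name', 'mysqld-auth'], ['port', '3306'], ['protocol', 'tcp'], ['chain', '<known/chain>']]]
['add', 'apache-phpmyadmin', 'auto']
['set', 'apache-phpmyadmin', 'maxretry', 5]
['set', 'apache-phpmyadmin', 'addlogpath', '/var/log/httpd/error_log', 'head']
['start', 'sshd']
['start', 'mysqld-auth']
"""


def parse_dump(text):
    """Parse `fail2ban-client -d` output: one Python list literal per line."""
    jails, server, started = {}, {}, set()
    for line in text.splitlines():
        if not line.strip():
            continue
        cmd = ast.literal_eval(line)
        op = cmd[0]
        if op == "add":
            jails[cmd[1]] = {"backend": cmd[2], "settings": {}, "ignoreip": [],
                             "logpaths": [], "journalmatch": [], "actions": {}}
        elif op == "start":
            started.add(cmd[1])
        elif op in ("set", "multi-set") and cmd[1] in jails:
            jail, key, args = jails[cmd[1]], cmd[2], cmd[3:]
            if key == "addignoreip":
                jail["ignoreip"].extend(args)
            elif key == "addlogpath":
                jail["logpaths"].append(args[0])
            elif key == "addjournalmatch":
                jail["journalmatch"].append(" ".join(args))
            elif key == "addaction":
                jail["actions"].setdefault(args[0], {})
            elif key == "action":                          # multi-set: [name, [[param, value], ...]]
                jail["actions"][args[0]] = dict(args[1])
            elif key in ("prefregex", "addfailregex", "addignoreregex"):
                pass                                       # regexes are better checked with fail2ban-regex
            else:
                jail["settings"][key] = args[0] if len(args) == 1 else list(args)
        elif op == "set":                                  # server-wide settings such as loglevel, dbfile
            server[cmd[1]] = cmd[2]
    return {"server": server, "jails": jails, "started": started}


def review(parsed):
    """Findings a reviewer would raise from the merged configuration."""
    findings, mechanisms = [], defaultdict(set)
    for name, jail in parsed["jails"].items():
        if name not in parsed["started"]:
            findings.append(f"{name}: defined but never started")
        if not jail["logpaths"] and not jail["journalmatch"]:
            findings.append(f"{name}: no log file or journal match, the filter has nothing to read")
        if not jail["actions"]:
            findings.append(f"{name}: no ban action, matches will be logged but nothing is blocked")
        for aname, params in jail["actions"].items():
            mechanisms[aname.split("-")[0]].add(name)      # firewallcmd-ipset -> firewallcmd, iptables-multiport -> iptables
            if params.get("port") == "1:65535":
                findings.append(f"{name}: {aname} bans on all TCP ports (port=1:65535), not only the jail's service port")
    if len(mechanisms) > 1:
        findings.append("jails use more than one firewall mechanism: " +
                        ", ".join(f"{m} ({', '.join(sorted(js))})" for m, js in sorted(mechanisms.items())))
    return findings


def summarize(parsed):
    """One compact row per jail for a quick eyeball check."""
    rows = {}
    for name, jail in parsed["jails"].items():
        s = jail["settings"]
        rows[name] = {"backend": jail["backend"], "maxretry": s.get("maxretry"),
                      "findtime": s.get("findtime"), "bantime": s.get("bantime"),
                      "increment": s.get("bantime.increment", False),
                      "sources": jail["logpaths"] + jail["journalmatch"],
                      "actions": {a: p.get("port") for a, p in jail["actions"].items()},
                      "started": name in parsed["started"]}
    return rows


if __name__ == "__main__":
    parsed = parse_dump(DUMP)
    for name, row in summarize(parsed).items():
        print(name, row)
    for finding in review(parsed):
        print("!", finding)
```

To run it against a live server, pipe the real output into the script (`fail2ban-client -d | python3 review_dump.py` with DUMP replaced by sys.stdin.read()); the regex lines are skipped deliberately, because the filter side is what `fail2ban-regex` is for.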
 
Old 01-21-2021, 03:33 PM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,636

Quote:
Originally Posted by n00b_noob
Thank you so much.
It shows me:
Code:
# fail2ban-client -d
**junk removed**
What is your opinion?
My opinion is you didn't bother reading the answer you got, the link you got handed, or do any research of your own (including the very basic step of reading the documentation...WHICH WAS LOOKED UP FOR YOU).
 
  

