fail2ban/config/filter.d/recidive.conf

# Fail2Ban configuration file
#
# Author: Tom Hendrikx, modifications by Amir Caspi 
# 
# This filter monitors the fail2ban log file, and enables you to add long 
# time bans for ip addresses that get banned by fail2ban multiple times.
# Reasons to use this: block very persistent attackers for a longer time, 
# stop receiving email notifications about the same attacker over and 
# over again.
#
# This jail is only useful if you set the 'findtime' and 'bantime' parameters 
# in jail.conf to a higher value than the other jails. Also, this jail has its
# drawbacks, namely in that it works only with iptables, or if you use a 
# different blocking mechanism for this jail versus others (e.g. hostsdeny 
# for most jails, and shorewall for this one).
#
# Configuration example for jail.conf:
#
# [recidive]
# enabled  = true
# filter   = recidive
# logpath  = /var/log/fail2ban.log
# action   = iptables-allports[name=recidive]
#            sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
# findtime = 604800
# bantime  = 86400
# maxretry = 5
#
# $Revision: $
#

[Definition]

# The name of the jail that this filter is used for. In jail.conf, name the 
# jail using this filter 'recidive', or change this line!
_jailname = recidive

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = fail2ban.actions:\s+WARNING\s+\[(.*)\]\s+Ban\s+<HOST>

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
# Ignore our own bans, to keep our counts exact.
ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]\s+Ban\s+<HOST>
Fix for https://github.com/fail2ban/fail2ban/issues/19 Based on previous work as documented in the bug by Amir and myself, plus some enhancements and documentation added to the file itself rather than a URL (they rot). 13 years ago			`# Fail2Ban configuration file`
			`#`
			`# Author: Tom Hendrikx, modifications by Amir Caspi`
			`#`
			`# This filter monitors the fail2ban log file, and enables you to add long`
			`# time bans for ip addresses that get banned by fail2ban multiple times.`
			`# Reasons to use this: block very persistent attackers for a longer time,`
			`# stop receiving email notifications about the same attacker over and`
			`# over again.`
			`#`
			`# This jail is only useful if you set the 'findtime' and 'bantime' parameters`
			`# in jail.conf to a higher value than the other jails. Also, this jail has its`
			`# drawbacks, namely in that it works only with iptables, or if you use a`
			`# different blocking mechanism for this jail versus others (e.g. hostsdeny`
			`# for most jails, and shorewall for this one).`
			`#`
			`# Configuration example for jail.conf:`
			`#`
			`# [recidive]`
			`# enabled = true`
			`# filter = recidive`
			`# logpath = /var/log/fail2ban.log`
			`# action = iptables-allports[name=recidive]`
			`# sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]`
			`# findtime = 604800`
			`# bantime = 86400`
			`# maxretry = 5`
			`#`
			`# $Revision: $`
			`#`

			`[Definition]`

			`# The name of the jail that this filter is used for. In jail.conf, name the`
			`# jail using this filter 'recidive', or change this line!`
			`_jailname = recidive`

			`# Option: failregex`
			`# Notes.: regex to match the password failures messages in the logfile. The`
			`# host must be matched by a group named "host". The tag "<HOST>" can`
			`# be used for standard IP/hostname matching and is only an alias for`
			`# (?:::f{4,6}:)?(?P<host>\S+)`
			`# Values: TEXT`
			`#`
			`failregex = fail2ban.actions:\s+WARNING\s+\[(.*)\]\s+Ban\s+<HOST>`

			`# Option: ignoreregex`
			`# Notes.: regex to ignore. If this regex matches, the line is ignored.`
			`# Values: TEXT`
			`#`
			`# Ignore our own bans, to keep our counts exact.`
			`ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]\s+Ban\s+<HOST>`