fail2ban/config/filter.d/recidive.conf

# Fail2Ban filter for repeat bans
#
# This filter monitors the fail2ban log file, and enables you to add long 
# time bans for ip addresses that get banned by fail2ban multiple times.
#
# Reasons to use this: block very persistent attackers for a longer time, 
# stop receiving email notifications about the same attacker over and 
# over again.
#
# This jail is only useful if you set the 'findtime' and 'bantime' parameters 
# in jail.conf to a higher value than the other jails. Also, this jail has its
# drawbacks, namely in that it works only with iptables, or if you use a 
# different blocking mechanism for this jail versus others (e.g. hostsdeny 
# for most jails, and shorewall for this one).

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[DEFAULT]

_daemon = (?:fail2ban(?:-server|\.actions)\s*)

# The name of the jail that this filter is used for. In jail.conf, name the jail using
# this filter 'recidive', or supply another name with `filter = recidive[_jailname="jail"]`,
# default all jails excepting recidive
_jailname = (?!recidive\])[^\]]*

failregex = ^%(__prefix_line)s(?:\s*fail2ban\.actions\s*%(__pid_re)s?:\s+)?NOTICE\s+\[<_jailname>\]\s+Ban\s+<HOST>

[lt_short]
_daemon = (?:fail2ban(?:-server|\.actions)?\s*)
failregex = ^%(__prefix_line)s(?:\s*fail2ban(?:\.actions)?\s*%(__pid_re)s?:\s+)?(?:NOTICE\s+)?\[<_jailname>\]\s+Ban\s+<HOST>

[lt_journal]
_daemon = <lt_short/_daemon>
failregex = <lt_short/failregex>

[Definition]

_daemon = <lt_<logtype>/_daemon>
failregex = <lt_<logtype>/failregex>

datepattern = ^{DATE}

ignoreregex = 

journalmatch = _SYSTEMD_UNIT=fail2ban.service

# Author: Tom Hendrikx, modifications by Amir Caspi
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Fail2Ban filter for repeat bans`
Fix for https://github.com/fail2ban/fail2ban/issues/19 Based on previous work as documented in the bug by Amir and myself, plus some enhancements and documentation added to the file itself rather than a URL (they rot). 2012-01-26 22:33:01 +00:00			`#`
			`# This filter monitors the fail2ban log file, and enables you to add long`
			`# time bans for ip addresses that get banned by fail2ban multiple times.`
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`#`
Fix for https://github.com/fail2ban/fail2ban/issues/19 Based on previous work as documented in the bug by Amir and myself, plus some enhancements and documentation added to the file itself rather than a URL (they rot). 2012-01-26 22:33:01 +00:00			`# Reasons to use this: block very persistent attackers for a longer time,`
			`# stop receiving email notifications about the same attacker over and`
			`# over again.`
			`#`
			`# This jail is only useful if you set the 'findtime' and 'bantime' parameters`
			`# in jail.conf to a higher value than the other jails. Also, this jail has its`
			`# drawbacks, namely in that it works only with iptables, or if you use a`
			`# different blocking mechanism for this jail versus others (e.g. hostsdeny`
			`# for most jails, and shorewall for this one).`
ENH: filter.d/recidive - anchor regex at start and support f2b SYSLOG target 2013-09-15 15:22:42 +00:00
			`[INCLUDES]`

			`# Read common prefixes. If any customizations available -- read them from`
			`# common.local`
			`before = common.conf`
Fix for https://github.com/fail2ban/fail2ban/issues/19 Based on previous work as documented in the bug by Amir and myself, plus some enhancements and documentation added to the file itself rather than a URL (they rot). 2012-01-26 22:33:01 +00:00
filter.d/recidive.conf: conditional RE depending on logtype (for file or journal) 2024-03-11 16:49:06 +00:00			`[DEFAULT]`
Fix for https://github.com/fail2ban/fail2ban/issues/19 Based on previous work as documented in the bug by Amir and myself, plus some enhancements and documentation added to the file itself rather than a URL (they rot). 2012-01-26 22:33:01 +00:00
filter.d/recidive.conf: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069 2018-03-09 12:56:38 +00:00			`_daemon = (?:fail2ban(?:-server\|\.actions)\s*)`
ENH: filter.d/recidive - anchor regex at start and support f2b SYSLOG target 2013-09-15 15:22:42 +00:00
filter.d/recidive.conf: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069 2018-03-09 12:56:38 +00:00			`# The name of the jail that this filter is used for. In jail.conf, name the jail using`
`filter.d/recidive.conf` - restore possibility to set jail name in the filter, _jailname is positive now (but by default it uses now negative lookahead to exclude recidive jail); closes gh-3769 2024-06-21 11:24:46 +00:00			# this filter 'recidive', or supply another name with `filter = recidive[_jailname="jail"]`,
			`# default all jails excepting recidive`
			`_jailname = (?!recidive\])[^\]]*`
Fix for https://github.com/fail2ban/fail2ban/issues/19 Based on previous work as documented in the bug by Amir and myself, plus some enhancements and documentation added to the file itself rather than a URL (they rot). 2012-01-26 22:33:01 +00:00
`filter.d/recidive.conf` - restore possibility to set jail name in the filter, _jailname is positive now (but by default it uses now negative lookahead to exclude recidive jail); closes gh-3769 2024-06-21 11:24:46 +00:00			`failregex = ^%(__prefix_line)s(?:\sfail2ban\.actions\s%(__pid_re)s?:\s+)?NOTICE\s+\[<_jailname>\]\s+Ban\s+<HOST>`
filter.d/recidive.conf: conditional RE depending on logtype (for file or journal) 2024-03-11 16:49:06 +00:00
			`[lt_short]`
			`_daemon = (?:fail2ban(?:-server\|\.actions)?\s*)`
`filter.d/recidive.conf` - restore possibility to set jail name in the filter, _jailname is positive now (but by default it uses now negative lookahead to exclude recidive jail); closes gh-3769 2024-06-21 11:24:46 +00:00			`failregex = ^%(__prefix_line)s(?:\sfail2ban(?:\.actions)?\s%(__pid_re)s?:\s+)?(?:NOTICE\s+)?\[<_jailname>\]\s+Ban\s+<HOST>`
NF: Add systemd journal backend 2013-05-09 23:15:07 +00:00
filter.d/recidive.conf: conditional RE depending on logtype (for file or journal) 2024-03-11 16:49:06 +00:00			`[lt_journal]`
			`_daemon = <lt_short/_daemon>`
			`failregex = <lt_short/failregex>`

			`[Definition]`

			`_daemon = <lt_<logtype>/_daemon>`
			`failregex = <lt_<logtype>/failregex>`

filter.d/recidive.conf: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069 2018-03-09 12:56:38 +00:00			`datepattern = ^{DATE}`
Add ignoreregex to avoid warning on start 2014-11-12 10:05:56 +00:00
filter.d/recidive.conf: fixed if logging into systemd-journal (SYSLOG) with daemon name in prefix, gh-2069 2018-03-09 12:56:38 +00:00			`ignoreregex =`
NF: Add systemd journal backend 2013-05-09 23:15:07 +00:00
Change Regex Recidive and journalmatch For Systemd Match 2024-03-10 09:56:35 +00:00			`journalmatch = _SYSTEMD_UNIT=fail2ban.service`
MRG: 0.8.11 to 0.9 Epnoc of selinux is now true UTC Merge multiline support and date detection in filter 2013-11-02 04:59:05 +00:00
DOC: in filters, put user relevant doc at top, and developer info at bottom, and remove all the repetative blindly copied stuff that appears in the jail man page 2013-10-30 13:02:59 +00:00			`# Author: Tom Hendrikx, modifications by Amir Caspi`