diff --git a/config/filter.d/recidive.conf b/config/filter.d/recidive.conf
new file mode 100644
index 00000000..bbb48008
--- /dev/null
+++ b/config/filter.d/recidive.conf
@@ -0,0 +1,38 @@
+# Fail2Ban configuration file
+#
+# Author: Tom Hendrikx, modifications by Amir Caspi
+#
+# This filter monitors the fail2ban log file, and enables you to add long
+# time bans for ip addresses that get banned by fail2ban multiple times.
+# Reasons to use this: block very persistent attackers for a longer time,
+# stop receiving email notifications about the same attacker over and
+# over again.
+#
+# This jail is only useful if you set the 'findtime' and 'bantime' parameters
+# in jail.conf to a higher value than the other jails. Also, this jail has its
+# drawbacks, namely in that it works only with iptables, or if you use a
+# different blocking mechanism for this jail versus others (e.g. hostsdeny
+# for most jails, and shorewall for this one).
+#
+
+[Definition]
+
+# The name of the jail that this filter is used for. In jail.conf, name the
+# jail using this filter 'recidive', or change this line!
+_jailname = recidive
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P\S+)
+# Values: TEXT
+#
+failregex = fail2ban.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+# Ignore our own bans, to keep our counts exact.
+ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]\s+Ban\s+
diff --git a/config/jail.conf b/config/jail.conf
index 3560464d..435b12f0 100644
--- a/config/jail.conf
+++ b/config/jail.conf
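Review bot: The `Notes.:` text under `# Option: failregex` is carried over from the filter template and describes password-failure matching, which is not what this filter does; it matches the `Ban` lines fail2ban itself writes for other jails. Suggest replacing it with `# Notes.: regex to match the "Ban" lines fail2ban logs for any jail; the banned` / `#         address is captured by the host group.` The `(?:.*)` wrapper inside the brackets of `failregex` is a non-capturing group around a plain `.*` and can simply be written `\[.*\]`. It would also help to state in the header that `_jailname` must equal the `[recidive]` section name used in jail.conf, because a mismatch leaves `ignoreregex` inert and the jail then counts its own `Ban` lines toward `maxretry`; the comment above `_jailname` says to change it but not what breaks otherwise. The `<HOST>` tag and `(?P<host>...)` group appear stripped in this rendering of the hunk, which I take to be extraction loss rather than part of the patch.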
@@ -264,3 +264,14 @@ action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
 logpath = /var/log/named/security.log
 ignoreip = 168.192.0.1
+# Jail for more extended banning of persistent abusers
+[recidive]
+
+enabled = false
+filter = recidive
+logpath = /var/log/fail2ban.log
+action = iptables-allports[name=recidive]
+ sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
+bantime = 604800 # 1 week
+findtime = 86400 # 1 day
+maxretry = 5
diff --git a/files/gentoo-initd b/files/gentoo-initd
index f652d86c..163b4f2e 100755
--- a/files/gentoo-initd
+++ b/files/gentoo-initd
@@ -19,7 +19,8 @@
 #
 # $Revision$
-opts="reload showlog"
+extra_commands="showlog"
+extra_started_commands="reload"
 FAIL2BAN="/usr/bin/fail2ban-client ${FAIL2BAN_OPTIONS}"
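Review bot: The inline `# 1 week` and `# 1 day` comments on the new `bantime` and `findtime` lines will most likely end up inside the values: as far as I can tell fail2ban reads jail.conf through a ConfigParser subclass, and stock Python 2 ConfigParser strips only `;` inline comments that follow whitespace, so `bantime` would be read as the string `604800 # 1 week` and the integer conversion would fail once the jail is enabled. Either use the `;` form, `bantime = 604800 ; 1 week` and `findtime = 86400 ; 1 day`, or put the units on their own comment lines above the keys. Because the jail ships with `enabled = false`, the breakage only shows up after an operator turns it on, which makes it easy to miss in testing.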