From f94a121663b631752dcb671114b4975f24886c5e Mon Sep 17 00:00:00 2001
From: Tom Hendrikx
Date: Thu, 26 Jan 2012 23:33:01 +0100
Subject: [PATCH 1/3] Fix for https://github.com/fail2ban/fail2ban/issues/19

Based on previous work as documented in the bug by Amir and myself, plus some enhancements and documentation added to the file itself rather than a URL (they rot).
---
 config/filter.d/recidive.conf | 52 +++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
 create mode 100644 config/filter.d/recidive.conf

diff --git a/config/filter.d/recidive.conf b/config/filter.d/recidive.conf
new file mode 100644
index 00000000..ce8a83ff
--- /dev/null
+++ b/config/filter.d/recidive.conf
@@ -0,0 +1,52 @@
+# Fail2Ban configuration file
+#
+# Author: Tom Hendrikx, modifications by Amir Caspi
+#
+# This filter monitors the fail2ban log file, and enables you to add long
+# time bans for ip addresses that get banned by fail2ban multiple times.
+# Reasons to use this: block very persistent attackers for a longer time,
+# stop receiving email notifications about the same attacker over and
+# over again.
+#
+# This jail is only useful if you set the 'findtime' and 'bantime' parameters
+# in jail.conf to a higher value than the other jails. Also, this jail has its
+# drawbacks, namely in that it works only with iptables, or if you use a
+# different blocking mechanism for this jail versus others (e.g. hostsdeny
+# for most jails, and shorewall for this one).
+#
+# Configuration example for jail.conf:
+#
+# [recidive]
+# enabled = true
+# filter = recidive
+# logpath = /var/log/fail2ban.log
+# action = iptables-allports[name=recidive]
+# sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
+# findtime = 604800
+# bantime = 86400
+# maxretry = 5
+#
+# $Revision: $
+#
+
+[Definition]
+
+# The name of the jail that this filter is used for. In jail.conf, name the
+# jail using this filter 'recidive', or change this line!
+_jailname = recidive
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P\S+)
+# Values: TEXT
+#
+failregex = fail2ban.actions:\s+WARNING\s+\[(.*)\]\s+Ban\s+
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+# Ignore our own bans, to keep our counts exact.
+ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]\s+Ban\s+

From 0eaa4c2750467029bdfddd81f2889480a85c3eae Mon Sep 17 00:00:00 2001
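Review bot: As rendered here, `failregex = fail2ban.actions:\s+WARNING\s+\[(.*)\]\s+Ban\s+` ends without a `<HOST>` tag, and the alias quoted in the comment reads `(?P\S+)` rather than a named `host` group, even though the comment two lines above says the host must be matched by a group named "host" — without it the filter cannot tell fail2ban what to ban, so this is presumably the angle-bracket tags being stripped by rendering; worth confirming against the committed file. The Notes line `regex to match the password failures messages in the logfile` was copied from the password filters and misdescribes this one, which matches fail2ban's own `WARNING [jail] Ban ip` log lines; I would reword it to `# Notes.: regex to match fail2ban's own "Ban <ip>" lines in its log file. The`. I would also state the two preconditions the regex silently depends on, e.g. `# Only effective if fail2ban logs at WARNING level or above and logtarget is the file named in logpath.`, since with a lower loglevel or a syslog logtarget this jail does nothing and nobody is told.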
From: Tom Hendrikx
Date: Thu, 26 Jan 2012 23:41:55 +0100
Subject: [PATCH 2/3] gentoo init scipt: $opts variable is deprecated

See http://forums.gentoo.org/viewtopic-t-899018.html
---
 files/gentoo-initd | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/files/gentoo-initd b/files/gentoo-initd
index f652d86c..163b4f2e 100755
--- a/files/gentoo-initd
+++ b/files/gentoo-initd
@@ -19,7 +19,8 @@
 #
 # $Revision$
-opts="reload showlog"
+extra_commands="showlog"
+extra_started_commands="reload"
 FAIL2BAN="/usr/bin/fail2ban-client ${FAIL2BAN_OPTIONS}"

From 1807be5a8cd6af237fcd231067ee169486d6ac10 Mon Sep 17 00:00:00 2001
From: Yaroslav Halchenko
Date: Thu, 26 Jan 2012 23:28:44 -0500
Subject: [PATCH 3/3] ENH: moved jail definition for recidive into jail.conf + swapped/commented durations + non-groupping ?:

thanks @cepheid666 for the useful comments
---
 config/filter.d/recidive.conf | 16 +---------------
 config/jail.conf | 11 +++++++++++
 2 files changed, 12 insertions(+), 15 deletions(-)

diff --git a/config/filter.d/recidive.conf b/config/filter.d/recidive.conf
index ce8a83ff..bbb48008 100644
--- a/config/filter.d/recidive.conf
+++ b/config/filter.d/recidive.conf
@@ -14,20 +14,6 @@
 # different blocking mechanism for this jail versus others (e.g. hostsdeny
 # for most jails, and shorewall for this one).
 #
-# Configuration example for jail.conf:
-#
-# [recidive]
-# enabled = true
-# filter = recidive
-# logpath = /var/log/fail2ban.log
-# action = iptables-allports[name=recidive]
-# sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
-# findtime = 604800
-# bantime = 86400
-# maxretry = 5
-#
-# $Revision: $
-#
 [Definition]
@@ -42,7 +28,7 @@ _jailname = recidive
 # (?:::f{4,6}:)?(?P\S+)
 # Values: TEXT
 #
-failregex = fail2ban.actions:\s+WARNING\s+\[(.*)\]\s+Ban\s+
+failregex = fail2ban.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
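Review bot: In the new `failregex = fail2ban.actions:\s+WARNING\s+\[(?:.*)\]\s+Ban\s+` the group is now non-capturing, but `.*` is still an unbounded greedy match that has to run to the end of every log line and backtrack to find `]`, and it will happily span several `]` characters. A jail name cannot contain `]`, so `\[[^\]]+\]` in place of `\[(?:.*)\]` says exactly what is meant and avoids the backtracking; the sibling ignoreregex below the hunk, which interpolates `%(_jailname)s` into the same position, is unaffected. Note also that the regex as rendered here ends at `Ban\s+` with no `<HOST>` tag, which the comment's "group named host" requirement implies must be there — presumably stripped by rendering, worth a check.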
diff --git a/config/jail.conf b/config/jail.conf
index 3560464d..435b12f0 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -264,3 +264,14 @@ action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
 logpath = /var/log/named/security.log
 ignoreip = 168.192.0.1
+# Jail for more extended banning of persistent abusers
+[recidive]
+
+enabled = false
+filter = recidive
+logpath = /var/log/fail2ban.log
+action = iptables-allports[name=recidive]
+ sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
+bantime = 604800 # 1 week
+findtime = 86400 # 1 day
+maxretry = 5
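Review bot: The trailing comments on `bantime = 604800 # 1 week` and `findtime = 86400 # 1 day` will most likely become part of the values: jail.conf is read, as far as I know, by Python's ConfigParser, which keeps `#` text after a value as the value (only `;` starts an inline comment on Python 2, and Python 3 accepts neither by default), so bantime would be the string `604800 # 1 week` and the jail fails to load as soon as someone flips `enabled = true`. Put the units on their own lines — `# 1 week` above `bantime = 604800` and `# 1 day` above `findtime = 86400` — which also matches the rest of jail.conf visible in the context, where no value line carries a trailing comment. Since this jail bans with `iptables-allports` for a week, I would also add one line to the header comment telling operators to list their own management addresses in `ignoreip` before enabling it; a false positive here locks them out of every port, not just the one the original jail watched.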