ENH: add example jail for ipset

2012-12-31 14:38:51 +11:00 · 2012-12-31 14:38:51 +11:00 · da0ba8ab4c
parent 9221886df6
commit da0ba8ab4c
1 changed files with 20 additions and 0 deletions
--- a/config/jail.conf
+++ b/config/jail.conf
@ -101,6 +101,26 @@ action      = hostsdeny
 ignoreregex = for myuser from
 logpath     = /var/log/sshd.log

+# Here we use a combination of Netfilter/Iptables and IPsets
+# for storing large volumes of banned IPs
+#
+# IPset comes in two versions. See ipset -V for which one to use
+# requires the ipset package and kernel support.
+[ssh-iptables-ipset4]
+
+enabled  = false
+filter   = sshd
+action   = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
+logpath  = /var/log/sshd.log
+maxretry = 5
+
+[ssh-iptables-ipset6]
+enabled  = false
+filter   = sshd
+action   = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
+logpath  = /var/log/sshd.log
+maxretry = 5
+
 # This jail demonstrates the use of wildcards in "logpath".
 # Moreover, it is possible to give other files on a new line.