DOC: when to use blocklist.de reporting

Taken from commit 1846056606
2013-12-05 18:06:53 +00:00 · 2013-12-05 18:06:53 +00:00 · f742ed0e4b
parent e810ec009d
commit f742ed0e4b
2 changed files with 14 additions and 1 deletions
--- a/config/action.d/blocklist_de.conf
+++ b/config/action.d/blocklist_de.conf
@ -17,6 +17,16 @@
 #   infected PCs/servers to ensure that the responsible provider can inform
 #   the customer about the infection and disable them
 #
+# IMPORTANT: 
+# 
+# Reporting an IP of abuse is a serious complaint. Make sure that it is
+# serious. Fail2ban developers and network owners recommend you only use this
+# action for:
+#   * The recidive where the IP has been banned multiple times
+#   * Where maxretry has been set quite high, beyond the normal user typing
+#     password incorrectly.
+#   * For filters that have a low likelyhood of receiving human errors
+#

 [Definition]

--- a/config/jail.conf
+++ b/config/jail.conf
@ -533,6 +533,9 @@ action  = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp]
 logpath  = /var/log/audit/audit.log
 maxretry = 5

+# See the IMPORTANT note in action.d/blocklist_de.conf for when to
+# use this action
+#
 # Report block via blocklist.de fail2ban reporting service API
 # See action.d/blocklist_de.conf for more information
 [ssh-blocklist]
@ -543,4 +546,4 @@ action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=you@example.com, sender=fail2ban@example.com, sendername="Fail2Ban"]
           blocklist_de[email="fail2ban@example.com", apikey="xxxxxx", service=%(filter)s]
 logpath  = /var/log/sshd.log
-maxretry = 5
+maxretry = 20