# Fail2Ban filter for repeat bans # # This filter monitors the fail2ban log file, and enables you to add long # time bans for ip addresses that get banned by fail2ban multiple times. # # Reasons to use this: block very persistent attackers for a longer time, # stop receiving email notifications about the same attacker over and # over again. # # This jail is only useful if you set the 'findtime' and 'bantime' parameters # in jail.conf to a higher value than the other jails. Also, this jail has its # drawbacks, namely in that it works only with iptables, or if you use a # different blocking mechanism for this jail versus others (e.g. hostsdeny # for most jails, and shorewall for this one). [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [DEFAULT] _daemon = (?:fail2ban(?:-server|\.actions)\s*) # The name of the jail that this filter is used for. In jail.conf, name the jail using # this filter 'recidive', or supply another name with `filter = recidive[_jailname="jail"]`, # default all jails excepting recidive _jailname = (?!recidive\])[^\]]* failregex = ^%(__prefix_line)s(?:\s*fail2ban\.actions\s*%(__pid_re)s?:\s+)?NOTICE\s+\[<_jailname>\]\s+Ban\s+ [lt_short] _daemon = (?:fail2ban(?:-server|\.actions)?\s*) failregex = ^%(__prefix_line)s(?:\s*fail2ban(?:\.actions)?\s*%(__pid_re)s?:\s+)?(?:NOTICE\s+)?\[<_jailname>\]\s+Ban\s+ [lt_journal] _daemon = failregex = [Definition] _daemon = /_daemon> failregex = /failregex> datepattern = ^{DATE} ignoreregex = journalmatch = _SYSTEMD_UNIT=fail2ban.service # Author: Tom Hendrikx, modifications by Amir Caspi