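# Fail2Ban configuration file
#
# Author: Tom Hendrikx, modifications by Amir Caspi
#
# This filter monitors the fail2ban log file, and enables you to add long
# time bans for ip addresses that get banned by fail2ban multiple times.
# Reasons to use this: block very persistent attackers for a longer time,
# stop receiving email notifications about the same attacker over and
# over again.
#
# This jail is only useful if you set the 'findtime' and 'bantime' parameters
# in jail.conf to a higher value than the other jails. Also, this jail has its
# drawbacks, namely in that it works only with iptables, or if you use a
# different blocking mechanism for this jail versus others (e.g. hostsdeny
# for most jails, and shorewall for this one).
#
# NOTE(review): a long ban magnifies the cost of a false positive in any
# other jail, so confirm that the 'ignoreip' list in jail.conf covers your
# own management addresses before enabling this jail.
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

# Daemon name; presumably consumed by the __prefix_line pattern, which is
# not defined in this file and is expected to come from common.conf.
_daemon = fail2ban.actions

# The name of the jail that this filter is used for. In jail.conf, name the
# jail using this filter 'recidive', or change this line!
# If the two names differ, ignoreregex below no longer matches this jail's
# own Ban lines and they are counted as new failures.
_jailname = recidive

# Option:  failregex
# Notes.:  regex to match the "Ban" lines that fail2ban writes to its own
#          log for any jail. The host must be matched by a group named
#          "host". The tag "<HOST>" can be used for standard IP/hostname
#          matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
# %(name)s is interpolation: the literal % signs are required, not typos.
# The second alternative (,\d{3} fail2ban.actions:) appears to cover lines
# written directly to the log file, after the millisecond part of the
# timestamp, as opposed to syslog-prefixed lines.
# NOTE(review): this only matches Ban lines logged at level WARNING. Check a
# real Ban line from your fail2ban version; if it is logged at another level
# the filter never matches and this jail silently does nothing.
failregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[(?:.*)\]\s+Ban\s+<HOST>\s*$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
# Ignore our own bans, to keep our counts exact.
ignoreregex = ^(%(__prefix_line)s|,\d{3} fail2ban.actions:\s+)WARNING\s+\[%(_jailname)s\]\s+Ban\s+<HOST>\s*$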