mirror of https://github.com/fail2ban/fail2ban
52 lines
1.7 KiB
Plaintext
52 lines
1.7 KiB
Plaintext
# Fail2Ban filter for repeat bans
|
|
#
|
|
# This filter monitors the fail2ban log file, and enables you to add long
|
|
# time bans for ip addresses that get banned by fail2ban multiple times.
|
|
#
|
|
# Reasons to use this: block very persistent attackers for a longer time,
|
|
# stop receiving email notifications about the same attacker over and
|
|
# over again.
|
|
#
|
|
# This jail is only useful if you set the 'findtime' and 'bantime' parameters
|
|
# in jail.conf to a higher value than the other jails. Also, this jail has its
|
|
# drawbacks, namely in that it works only with iptables, or if you use a
|
|
# different blocking mechanism for this jail versus others (e.g. hostsdeny
|
|
# for most jails, and shorewall for this one).
|
|
|
|
[INCLUDES]
|
|
|
|
# Read common prefixes. If any customizations available -- read them from
|
|
# common.local
|
|
before = common.conf
|
|
|
|
[DEFAULT]
|
|
|
|
_daemon = (?:fail2ban(?:-server|\.actions)\s*)
|
|
|
|
# The name of the jail that this filter is used for. In jail.conf, name the jail using
|
|
# this filter 'recidive', or supply another name with `filter = recidive[_jailname="jail"]`
|
|
_jailname = recidive
|
|
|
|
failregex = ^%(__prefix_line)s(?:\s*fail2ban\.actions\s*%(__pid_re)s?:\s+)?NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
|
|
|
|
[lt_short]
|
|
_daemon = (?:fail2ban(?:-server|\.actions)?\s*)
|
|
failregex = ^%(__prefix_line)s(?:\s*fail2ban(?:\.actions)?\s*%(__pid_re)s?:\s+)?(?:NOTICE\s+)?\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
|
|
|
|
[lt_journal]
|
|
_daemon = <lt_short/_daemon>
|
|
failregex = <lt_short/failregex>
|
|
|
|
[Definition]
|
|
|
|
_daemon = <lt_<logtype>/_daemon>
|
|
failregex = <lt_<logtype>/failregex>
|
|
|
|
datepattern = ^{DATE}
|
|
|
|
ignoreregex =
|
|
|
|
journalmatch = _SYSTEMD_UNIT=fail2ban.service
|
|
|
|
# Author: Tom Hendrikx, modifications by Amir Caspi
|