# Fail2Ban configuration file # # Author: Eduardo Diaz # # This is for ipset protocol 6 (and hopefully later) (ipset v6.14). # for shorewall # # Use this setting in jail.conf to modify use this action instead of a # default one # # banaction = shorewall-ipset-proto6 # # This requires the program ipset which is normally in package called ipset. # # IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 # kernels, and you need Shorewall >= 4.5.5 to use this action. # # The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see # file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a # new shorewall rule to ban an IP address, that rule will affect only new # connections. So if the attacker goes on trying using the same connection # he could even log in. In order to get the same behavior of the iptable # action (so that the ban is immediate) the /etc/shorewall/shorewall.conf # file should me modified with "BLACKLISTNEWONLY=No". # # # Enable shorewall to use a blacklist using iptables creating a file # /etc/shorewall/blrules and adding "DROP net:+f2b-ssh all" and # similar lines for every jail. To enable restoring you ipset you # must set SAVE_IPSETS=Yes in shorewall.conf . You can read more # about ipsets handling in Shorewall at http://shorewall.net/ipsets.html # # To force creation of the ipset in the case that somebody deletes the # ipset create a file /etc/shorewall/initdone and add one line for # every ipset (this files are in Perl) and add 1 at the end of the file. # The example: # system("/usr/sbin/ipset -quiet -exist create f2b-ssh hash:ip timeout 600 "); # 1; # # To destroy the ipset in shorewall you must add to the file /etc/shorewall/stopped # # One line of every ipset # system("/usr/sbin/ipset -quiet destroy f2b-ssh "); # 1; # This must go to the end of the file if not shorewall compilation fails # [Definition] # Option: actionstart # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = if ! ipset -quiet -name list f2b- >/dev/null; then ipset -quiet -exist create f2b- hash:ip timeout ; fi # Option: actionstop # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = ipset flush f2b- # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = ipset add f2b- timeout -exist # actionprolong = %(actionban)s # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = ipset del f2b- -exist # Option: default-ipsettime # Notes: specifies default timeout in seconds (handled default ipset timeout only) # Values: [ NUM ] Default: 0 (no timeout, managed by fail2ban by unban) default-ipsettime = 0 # Option: ipsettime # Notes: specifies ticket timeout (handled ipset timeout only) # Values: [ NUM ] Default: 0 (managed by fail2ban by unban) ipsettime = 0 # expresion to caclulate timeout from bantime, example: # banaction = %(known/banaction)s[ipsettime=''] timeout-bantime = $([ "" -le 2147483 ] && echo "" || echo 0)