Subversion Repositories configs

Rev

Rev 192 | Details | Compare with Previous | Last modification | View Log | RSS feed

Rev Author Line No. Line
192 - 1 
# Fail2Ban configuration file
2 
#
3 
# Author: Eduardo Diaz
4 
#
5 
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
6 
# for shorewall
7 
#
8 
# Use this setting in jail.conf to modify use this action instead of a
9 
# default one
10 
#
11 
# banaction   = shorewall-ipset-proto6
12 
#
13 
# This requires the program ipset which is normally in package called ipset.
14 
#
15 
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0
16 
# kernels, and you need Shorewall >= 4.5.5 to use this action.
17 
#
18 
# The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see
19 
# file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a
20 
# new shorewall rule to ban an IP address, that rule will affect only new
21 
# connections. So if the attacker goes on trying using the same connection
22 
# he could even log in. In order to get the same behavior of the iptable
23 
# action (so that the ban is immediate) the /etc/shorewall/shorewall.conf
24 
# file should me modified with "BLACKLISTNEWONLY=No".
25 
#
26 
#
27 
# Enable shorewall to use a blacklist using iptables creating a file
28 
# /etc/shorewall/blrules and adding "DROP net:+f2b-ssh all" and
29 
# similar lines for every jail.  To enable restoring you ipset you
30 
# must set SAVE_IPSETS=Yes in shorewall.conf .  You can read more
31 
# about ipsets handling in Shorewall at http://shorewall.net/ipsets.html
32 
#
33 
# To force creation of the ipset in the case that somebody deletes the
34 
# ipset create a file /etc/shorewall/initdone and add one line for
35 
# every ipset (this files are in Perl) and add 1 at the end of the file.
36 
# The example:
37 
# system("/usr/sbin/ipset -quiet -exist create f2b-ssh hash:ip timeout 600 ");
38 
# 1;
39 
#
40 
# To destroy the ipset in shorewall you must add to the file /etc/shorewall/stopped
41 
# # One line of every ipset
42 
# system("/usr/sbin/ipset -quiet destroy f2b-ssh ");
43 
# 1; # This must go to the end of the file if not shorewall compilation fails
44 
#
45 
 
46 
 
47 
[Definition]
48 
 
49 
# Option:  actionstart
50 
# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
51 
# Values:  CMD
52 
#
53 
actionstart = if ! ipset -quiet -name list f2b-<name> >/dev/null;
193 - 54 
              then ipset -quiet -exist create f2b-<name> hash:ip timeout <default-ipsettime>;
192 - 55 
              fi
56 
 
57 
# Option:  actionstop
58 
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
59 
# Values:  CMD
60 
#
61 
actionstop = ipset flush f2b-<name>
62 
 
63 
# Option:  actionban
64 
# Notes.:  command executed when banning an IP. Take care that the
65 
#          command is executed with Fail2Ban user rights.
66 
# Tags:    See jail.conf(5) man page
67 
# Values:  CMD
68 
#
193 - 69 
actionban = ipset add f2b-<name> <ip> timeout <ipsettime> -exist
192 - 70 
 
193 - 71 
# actionprolong = %(actionban)s
192 - 72 
 
73 
# Option:  actionunban
74 
# Notes.:  command executed when unbanning an IP. Take care that the
75 
#          command is executed with Fail2Ban user rights.
76 
# Tags:    See jail.conf(5) man page
77 
# Values:  CMD
78 
#
79 
actionunban = ipset del f2b-<name> <ip> -exist
80 
 
193 - 81 
# Option: default-ipsettime
192 - 82 
# Notes:  specifies default timeout in seconds (handled default ipset timeout only)
193 - 83 
# Values:  [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
84 
default-ipsettime = 0
192 - 85 
 
193 - 86 
# Option: ipsettime
87 
# Notes:  specifies ticket timeout (handled ipset timeout only)
88 
# Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
89 
ipsettime = 0
90 
 
91 
# expresion to caclulate timeout from bantime, example:
92 
# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
93 
timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)