diff --git a/config/filter.d/recidive.conf b/config/filter.d/recidive.conf new file mode 100644 index 00000000..ce8a83ff --- /dev/null +++ b/config/filter.d/recidive.conf @@ -0,0 +1,52 @@ +# Fail2Ban configuration file +# +# Author: Tom Hendrikx, modifications by Amir Caspi +# +# This filter monitors the fail2ban log file, and enables you to add long +# time bans for ip addresses that get banned by fail2ban multiple times. +# Reasons to use this: block very persistent attackers for a longer time, +# stop receiving email notifications about the same attacker over and +# over again. +# +# This jail is only useful if you set the 'findtime' and 'bantime' parameters +# in jail.conf to a higher value than the other jails. Also, this jail has its +# drawbacks, namely in that it works only with iptables, or if you use a +# different blocking mechanism for this jail versus others (e.g. hostsdeny +# for most jails, and shorewall for this one). +# +# Configuration example for jail.conf: +# +# [recidive] +# enabled = true +# filter = recidive +# logpath = /var/log/fail2ban.log +# action = iptables-allports[name=recidive] +# sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log] +# findtime = 604800 +# bantime = 86400 +# maxretry = 5 +# +# $Revision: $ +# + +[Definition] + +# The name of the jail that this filter is used for. In jail.conf, name the +# jail using this filter 'recidive', or change this line! +_jailname = recidive + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P\S+) +# Values: TEXT +# +failregex = fail2ban.actions:\s+WARNING\s+\[(.*)\]\s+Ban\s+ + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +# Ignore our own bans, to keep our counts exact. +ignoreregex = fail2ban.actions:\s+WARNING\s+\[%(_jailname)s\]\s+Ban\s+