# Fail2Ban configuration file # # Authors: Sergey G. Brester (sebres), Cyril Jaquier, Daniel Black, # Yaroslav O. Halchenko, Alexander Koeppe et al. # [Definition] # Option: type # Notes.: type of the action. # Values: [ oneport | multiport | allports ] Default: oneport # type = oneport # Option: actionflush # Notes.: command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action) # Values: CMD # actionflush = -F f2b- # Option: actionstart # Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). # Values: CMD # actionstart = { -C f2b- -j >/dev/null 2>&1; } || { -N f2b- || true; -A f2b- -j ; } <_ipt_add_rules> # Option: actionstop # Notes.: command executed at the stop of jail (or at the end of Fail2Ban) # Values: CMD # actionstop = <_ipt_del_rules> -X f2b- # Option: actioncheck # Notes.: command executed once before each actionban command # Values: CMD # actioncheck = <_ipt_check_rules> # Option: actionban # Notes.: command executed when banning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionban = -I f2b- 1 -s -j # Option: actionunban # Notes.: command executed when unbanning an IP. Take care that the # command is executed with Fail2Ban user rights. # Tags: See jail.conf(5) man page # Values: CMD # actionunban = -D f2b- -s -j # Option: pre-rule # Notes.: prefix parameter(s) inserted to the begin of rule. No default (empty) # pre-rule = rule-jump = -j <_ipt_rule_target> # Several capabilities used internaly: _ipt_for_proto-iter = for proto in $(echo '' | sed 's/,/ /g'); do _ipt_for_proto-done = done _ipt_add_rules = <_ipt_for_proto-iter> { %(_ipt_check_rule)s >/dev/null 2>&1; } || { -I %(_ipt_chain_rule)s; } <_ipt_for_proto-done> _ipt_del_rules = <_ipt_for_proto-iter> -D %(_ipt_chain_rule)s <_ipt_for_proto-done> _ipt_check_rules = <_ipt_for_proto-iter> %(_ipt_check_rule)s <_ipt_for_proto-done> _ipt_chain_rule = /_chain_rule> _ipt_check_rule = -C %(_ipt_chain_rule)s _ipt_rule_target = f2b- [ipt_oneport] _chain_rule = -p $proto --dport

[ipt_multiport] _chain_rule = -p $proto -m multiport --dports

[ipt_allports] _chain_rule = -p $proto [Init] # Option: chain # Notes specifies the iptables chain to which the Fail2Ban rules should be # added # Values: STRING Default: INPUT chain = INPUT # Default name of the chain # name = default # Option: port # Notes.: specifies port to monitor # Values: [ NUM | STRING ] Default: # port = ssh # Option: protocol # Notes.: internally used by config reader for interpolations. # Values: [ tcp | udp | icmp | all ] Default: tcp # protocol = tcp # Option: blocktype # Note: This is what the action does with rules. This can be any jump target # as per the iptables man page (section 8). Common values are DROP # REJECT, REJECT --reject-with icmp-port-unreachable # Values: STRING blocktype = REJECT --reject-with icmp-port-unreachable # Option: returntype # Note: This is the default rule on "actionstart". This should be RETURN # in all (blocking) actions, except REJECT in allowing actions. # Values: STRING returntype = RETURN # Option: lockingopt # Notes.: Option was introduced to iptables to prevent multiple instances from # running concurrently and causing irratic behavior. -w was introduced # in iptables 1.4.20, so might be absent on older systems # See https://github.com/fail2ban/fail2ban/issues/1122 # Values: STRING lockingopt = -w # Option: iptables # Notes.: Actual command to be executed, including common to all calls options # Values: STRING iptables = iptables [Init?family=inet6] # Option: blocktype (ipv6) # Note: This is what the action does with rules. This can be any jump target # as per the iptables man page (section 8). Common values are DROP # REJECT, REJECT --reject-with icmp6-port-unreachable # Values: STRING blocktype = REJECT --reject-with icmp6-port-unreachable # Option: iptables (ipv6) # Notes.: Actual command to be executed, including common to all calls options # Values: STRING iptables = ip6tables