# Fail2Ban filter for repeat bans
#
# This filter monitors the fail2ban log file, and enables you to add long
# time bans for ip addresses that get banned by fail2ban multiple times.
#
# Reasons to use this: block very persistent attackers for a longer time,
# stop receiving email notifications about the same attacker over and
# over again.
#
# This jail is only useful if you set the 'findtime' and 'bantime' parameters
# in jail.conf to a higher value than the other jails. Also, this jail has its
# drawbacks, namely in that it works only with iptables, or if you use a
# different blocking mechanism for this jail versus others (e.g. hostsdeny
# for most jails, and shorewall for this one).

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

[Definition]

_daemon = (?:fail2ban(?:-server|\.actions)\s*)

# The name of the jail that this filter is used for. In jail.conf, name the jail using
# this filter 'recidive', or supply another name with `filter = recidive[_jailname="jail"]`
_jailname = recidive

failregex = ^%(__prefix_line)s(?:\s*fail2ban\.actions\s*%(__pid_re)s?:\s+)?NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$

datepattern = ^{DATE}

ignoreregex =

journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5

# Author: Tom Hendrikx, modifications by Amir Caspi
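The matching and counting that this filter feeds, sketched in Python as an added example (not part of the fail2ban project's files): it shows the negative lookahead keeping the jail's own `[recidive] Ban` lines out of the count, and which hosts would qualify for the long ban. Assumptions: the regex is a simplified stand-in for the expanded `failregex` (the `common.conf` prefix is reduced to `\s*` and `<HOST>` to an IPv4 pattern), the `maxretry` and `findtime` values are illustrative, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

JAILNAME = "recidive"
# Simplified stand-in for the filter's failregex (assumption): the common.conf
# prefix becomes \s*, __pid_re becomes \[\d+\], and <HOST> an IPv4 pattern.
BAN_RE = re.compile(
    r"^\s*(?:fail2ban\.actions\s*(?:\[\d+\])?:\s+)?NOTICE\s+"
    r"\[(?!" + re.escape(JAILNAME) + r"\])(?:.*)\]\s+Ban\s+"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)

# Constructed sample lines in fail2ban.log layout (documentation IP ranges).
SAMPLE_LOG = [
    "2024-05-01 10:00:01,123 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.10",
    "2024-05-01 10:05:00,000 fail2ban.filter         [1234]: INFO    [sshd] Found 192.0.2.10",
    "2024-05-01 11:00:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7",
    "2024-05-01 14:30:12,456 fail2ban.actions        [1234]: NOTICE  [postfix] Ban 192.0.2.10",
    "2024-05-01 15:00:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 192.0.2.10",
    "2024-05-01 22:10:45,789 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.10",
    "2024-05-01 22:10:46,001 fail2ban.actions        [1234]: NOTICE  [recidive] Ban 192.0.2.10",
    "2024-05-03 11:00:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7",
]

def repeat_offenders(lines, maxretry=3, findtime=timedelta(days=1)):
    """Map each host to its ban count when other jails banned it at least
    maxretry times inside one findtime window (illustrative thresholds)."""
    bans = defaultdict(list)
    for line in lines:
        stamp, rest = line[:23], line[23:]  # timestamp is stripped before matching
        match = BAN_RE.match(rest)
        if match:
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S,%f")
            bans[match.group("host")].append(when)
    flagged = {}
    for host, times in bans.items():
        for start in times:
            # Count bans falling in the window that opens at this ban.
            count = sum(1 for t in times if timedelta(0) <= t - start <= findtime)
            if count >= maxretry:
                flagged[host] = max(flagged.get(host, 0), count)
    return flagged

if __name__ == "__main__":
    for host, count in repeat_offenders(SAMPLE_LOG).items():
        print(f"{host}: {count} bans within findtime -> long ban candidate")
```

Without the `(?!recidive\])` lookahead, every long ban would itself be logged as a new `Ban` line and counted again, so the jail would keep re-triggering on its own output.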