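# Fail2Ban configuration file
#
# Author: Daniel Black
#
# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
# Use ipset -V to see the protocol and version. Version 4 should use
# iptables-ipset-proto4.conf.
#
# This requires the program ipset which is normally in package called ipset.
#
# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
#
# If you are running on an older kernel you may need to patch in external
# modules which probably won't be protocol version 6.
#
# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
#       made config file IPv6 capable (see new section Init?family=inet6)
#
# Layout note: multi-command values below use indented continuation lines,
# one command per line. Tags in angle brackets (<ip>, <name>, <bantime>, ...)
# are substituted by Fail2Ban before the command is run.

[INCLUDES]

# <iptables>, <chain> and <blocktype> are not defined in this file; they are
# expected to come from the file included here (confirm against that file).
before = iptables-common.conf

[Definition]

# Option:  actionstart
# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
#          Creates the set, then inserts a rule at the top of <chain> that applies
#          <blocktype> to every packet whose source address is in the set. The rule
#          has no protocol or port match, so a banned address is blocked for all
#          traffic that traverses <chain>.
#          "ipset create" is called without -exist, so it fails if a set with this
#          name is still present (e.g. left behind when actionstop did not run).
#          No maxelem is given, so ipset's default set size applies; once the set
#          is full further "ipset add" calls fail and those bans are not enforced.
# Values:  CMD
#
actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
              <iptables> -I <chain> -m set --match-set <ipmset> src -j <blocktype>

# Option:  actionflush
# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
#          Empties the set in one call instead of deleting each address.
# Values:  CMD
#
actionflush = ipset flush <ipmset>

# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
#          Order matters: the rule referencing the set is deleted first, because
#          a set that is still referenced by a rule cannot be destroyed.
# Values:  CMD
#
actionstop = <iptables> -D <chain> -m set --match-set <ipmset> src -j <blocktype>
             <actionflush>
             ipset destroy <ipmset>

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          -exist makes the add succeed for an address that is already in the
#          set; re-adding with a timeout also refreshes that entry's timeout.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist

# Disabled by default. Uncommenting it re-runs the ban command when a ban is
# prolonged, which refreshes the ipset timeout of the existing entry.
# actionprolong = %(actionban)s

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          -exist makes the delete succeed even if the address is no longer in
#          the set (for example after it expired through an ipset timeout).
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = ipset del <ipmset> <ip> -exist

[Init]

# Option: default-ipsettime
# Notes:  specifies default timeout in seconds (handled default ipset timeout only)
# Values: [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
default-ipsettime = 0

# Option: ipsettime
# Notes:  specifies ticket timeout (handled ipset timeout only)
#         With 0 the kernel never expires an entry on its own: an address stays
#         blocked until actionunban or actionflush runs, so bans outlive their
#         bantime if Fail2Ban is not running to remove them.
# Values: [ NUM ]  Default: 0 (managed by fail2ban by unban)
ipsettime = 0

# expression to calculate timeout from bantime, example:
# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
# This is a shell command substitution evaluated when the ban command runs.
# 2147483 is the largest timeout (in seconds) ipset accepts; a longer bantime
# falls back to 0, i.e. no kernel-side expiry and removal by unban only.
# The test uses -le, so <bantime> must expand to a plain integer of seconds.
timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)

# Set name is derived from the jail name. ipset limits set names to 31
# characters, so a very long jail name makes "ipset create" fail.
ipmset = f2b-<name>
# Empty for IPv4: ipset creates an IPv4 set when no family is given.
familyopt =


[Init?family=inet6]

# IPv6 bans go into a separate set (note the trailing 6) created with
# "family inet6", because a hash:ip set holds addresses of one family only.
ipmset = f2b-<name>6
familyopt = family inet6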