1# Fail2Ban configuration file
2#
3# Author: Daniel Black
4#
5# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
6# Use ipset -V to see the protocol and version. Version 4 should use
7# iptables-ipset-proto4.conf.
8#
9# This requires the program ipset which is normally in package called ipset.
10#
11# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
12#
13# If you are running on an older kernel you make need to patch in external
14# modules which probably won't be protocol version 6.
15#
16# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
17#       made config file IPv6 capable (see new section Init?family=inet6)
18
19[INCLUDES]
20
21before = iptables-common.conf
22
23[Definition]
24
25# Option:  actionstart
26# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
27# Values:  CMD
28#
29actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
30              <iptables> -I <chain> -m set --match-set <ipmset> src -j <blocktype>
31
32# Option:  actionflush
33# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
34# Values:  CMD
35#
36actionflush = ipset flush <ipmset>
37
38# Option:  actionstop
39# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
40# Values:  CMD
41#
42actionstop = <iptables> -D <chain> -m set --match-set <ipmset> src -j <blocktype>
43             <actionflush>
44             ipset destroy <ipmset>
45
46# Option:  actionban
47# Notes.:  command executed when banning an IP. Take care that the
48#          command is executed with Fail2Ban user rights.
49# Tags:    See jail.conf(5) man page
50# Values:  CMD
51#
52actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist
53
54# actionprolong = %(actionban)s
55
56# Option:  actionunban
57# Notes.:  command executed when unbanning an IP. Take care that the
58#          command is executed with Fail2Ban user rights.
59# Tags:    See jail.conf(5) man page
60# Values:  CMD
61#
62actionunban = ipset del <ipmset> <ip> -exist
63
64[Init]
65
66# Option: default-ipsettime
67# Notes:  specifies default timeout in seconds (handled default ipset timeout only)
68# Values:  [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
69default-ipsettime = 0
70
71# Option: ipsettime
72# Notes:  specifies ticket timeout (handled ipset timeout only)
73# Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
74ipsettime = 0
75
76# expresion to caclulate timeout from bantime, example:
77# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
78timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
79
80ipmset = f2b-<name>
81familyopt =
82
83
84[Init?family=inet6]
85
86ipmset = f2b-<name>6
87familyopt = family inet6
88