File: //etc/fail2ban/jail.conf
# Fail2Ban configuration file.
#
# Managed by Puppet, do not change manually
#
# This file was composed for RHEL systems from the
# original file provided by the RPM
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.
#
#
#
[INCLUDES]
before = paths-fedora.conf
[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1 10.30.110.0/26 10.102.182.0/23 10.220.148.0/23 10.230.148.0/23 10.220.136.0/23 10.230.136.0/23 10.220.128.0/23 10.230.128.0/23 186.202.9.198 163.116.233.77 186.202.153.0/24 186.202.154.0/24 186.202.155.0/24 186.202.96.64/26 186.202.96.192/26 186.202.96.0/26 186.202.96.128/26 186.202.98.0/23 186.202.97.0/24 186.202.100.192/26 186.202.102.0/23 186.202.110.119/32 186.202.125.144/32 186.202.168.0/22 186.202.173.144/28 187.45.236.2 187.45.236.3 187.45.251.0/24 187.45.252.0/25 187.45.253.0/24 187.45.253.0/23 187.45.254.0/24 187.45.255.0/24 179.188.11.0/24 179.188.12.0/24 179.188.41.24 179.188.48.0/24 179.188.54.0/23 191.252.51.0/24 191.252.83.0/24 191.252.158.0/28 191.252.158.224/28 200.234.206.0/24 177.153.48.0/23 177.153.54.0/23 177.153.56.0/23 179.188.23.0/24 179.188.46.0/23 179.188.50.0/23 179.188.52.0/23 186.202.13.0/24 187.45.238.0/23 189.126.122.0/24 189.126.126.0/23 200.234.217.0/24 64.233.160.0/19 66.102.0.0/20 66.249.64.0/19 72.14.192.0/18 74.125.0.0/16 173.194.0.0/16 207.126.144.0/20 209.85.128.0/17 216.58.192.0/19 216.239.32.0/19 10.32.32.0/24 192.178.0.0/15 54.88.218.97/32 18.215.140.160/32 18.213.114.129/32 18.206.34.84/32 91.108.5.0/24 8.8.4.0/24 8.8.8.0/24 8.34.208.0/20 8.35.192.0/20 23.236.48.0/20 23.251.128.0/19 34.0.0.0/15 34.2.0.0/16 34.3.0.0/23 34.3.3.0/24 34.3.4.0/24 34.3.8.0/21 34.3.16.0/20 34.3.32.0/19 34.3.64.0/18 34.4.0.0/14 34.8.0.0/13 34.16.0.0/12 34.32.0.0/11 34.64.0.0/10 34.128.0.0/10 35.184.0.0/13 35.192.0.0/14 35.196.0.0/15 35.198.0.0/16 35.199.0.0/17 35.199.128.0/18 35.200.0.0/13 35.208.0.0/12 35.224.0.0/12 35.240.0.0/13 57.140.192.0/18 64.15.112.0/20 66.22.228.0/23 70.32.128.0/19 104.154.0.0/15 104.196.0.0/14 104.237.160.0/19 107.167.160.0/19 107.178.192.0/18 108.59.80.0/20 108.170.192.0/18 108.177.0.0/17 130.211.0.0/16 136.22.160.0/20 136.22.176.0/21 136.22.184.0/23 136.22.186.0/24 136.124.0.0/15 142.250.0.0/15 146.148.0.0/17 152.65.208.0/22 152.65.214.0/23 152.65.218.0/23 152.65.222.0/23 152.65.224.0/19 162.120.128.0/17 162.216.148.0/22 162.222.176.0/21 172.110.32.0/21 172.217.0.0/16 172.253.0.0/16 173.255.112.0/20 192.178.0.0/15 192.158.28.0/22 193.186.4.0/24 199.36.154.0/23 199.36.156.0/24 199.192.112.0/22 199.223.232.0/21 207.223.160.0/20 208.65.152.0/22 208.68.108.0/22 208.81.188.0/22 208.117.224.0/19 216.73.80.0/20 34.100.182.96/28 34.101.50.144/28 34.118.254.0/28 34.118.66.0/28 34.126.178.96/28 34.146.150.144/28 34.147.110.144/28 34.151.74.144/28 34.152.50.64/28 34.154.114.144/28 34.155.98.32/28 34.165.18.176/28 34.175.160.64/28 34.176.130.16/28 34.22.85.0/27 34.65.242.112/28 34.80.50.80/28 34.88.194.0/28 34.89.10.80/28 34.96.162.48/28 35.247.243.240/28 34.116.16.0/27 34.127.128.0/27 34.98.136.0/27 35.187.128.0/27 35.243.16.0/27 10.0.7.34/32 186.202.36.40/32 10.30.173.230/32 10.30.173.229/32 10.30.173.228/32 10.30.173.227/32 10.30.173.226/32 179.188.13.114/32 179.188.13.115/32 179.188.13.116/32 179.188.13.117/32 179.188.13.118/32
# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 3
#"backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
#
# Note: if systemd backend is choses as the default but you enable a jail
# for which logs are present only in its own log files, specify some other
# backend for that jail (e.g. polling) and provide empty value for
# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto
# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = warn
# "logencoding" specifies the encoding of the log files handled by the jail
# This is used to decode the lines from the log file.
# Typical examples: "ascii", "utf-8"
#
# auto: will use the system locale setting
logencoding = auto
# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false
# "filter" defines the filter to use by the jail.
# By default jails have names matching their filter name
#
filter = %(__name__)s
# ACTIONS
#
# Some options used for actions
# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost
# Sender email address used solely for some actions
sender = root@localhost
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535
# Action shortcuts. To be used to define action parameter
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = firewallcmd-rich-rules[actiontype=]
banaction_allports = firewallcmd-rich-rules[actiontype=allports]
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Report block via blocklist.de fail2ban reporting service API
#
# See the IMPORTANT note in action.d/blocklist_de.conf for when to
# use this action. Create a file jail.d/blocklist_de.local containing
# [Init]
# blocklist_de_apikey = {api key from registration]
#
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]
# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s