JAIL.CONF(5)                Fail2Ban Configuration                JAIL.CONF(5)

NAME

       jail.conf - configuration for the fail2ban server

SYNOPSIS

       fail2ban.conf fail2ban.d/*.conf fail2ban.local fail2ban.d/*.local

       jail.conf jail.d/*.conf jail.local jail.d/*.local

       action.d/*.conf action.d/*.local action.d/*.py

       filter.d/*.conf filter.d/*.local

DESCRIPTION

       Fail2ban has four configuration file types:

       fail2ban.conf
              Fail2Ban global configuration (such as logging)

       filter.d/*.conf
              Filters specifying how to detect authentication failures

       action.d/*.conf
              Actions defining the commands for banning and unbanning of IP
              addresses

       jail.conf
              Jails defining combinations of Filters with Actions.

CONFIGURATION FILES FORMAT

       *.conf files are distributed by Fail2Ban. It is recommended that
       *.conf files remain unchanged to ease upgrades. If needed,
       customizations should be provided in *.local files. For example, if you
       would like to enable the [ssh-iptables-ipset] jail specified in
       jail.conf, create jail.local containing

       jail.local
              [ssh-iptables-ipset]

              enabled = true

       In .local files specify only the settings you would like to change;
       the rest of the configuration will then come from the corresponding
       .conf file, which is parsed first.

       jail.d/ and fail2ban.d/

              In addition to .local, for the jail.conf or fail2ban.conf file
              there can be a corresponding .d/ directory containing additional
              .conf files. The order, e.g. for jail configuration, would be:

              jail.conf
              jail.d/*.conf (in alphabetical order)
              jail.local
              jail.d/*.local (in alphabetical order).

              i.e. all .local files are parsed after the .conf files in the
              original configuration file and the files under the .d
              directory. Settings in a file parsed later take precedence over
              identical entries in previously parsed files. Files are ordered
              alphabetically, e.g.

              fail2ban.d/01_custom_log.conf - to use a different log path
              jail.d/01_enable.conf - to enable a specific jail
              jail.d/02_custom_port.conf - to change the port(s) of a jail.

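       The parse order above, as an added example (not part of the original
       manual page and not fail2ban's own code): it merges a constructed
       configuration tree in that order and records which file supplied each
       effective value, which is how a jail disabled by a late-sorting .local
       file shows up in an audit. The file names under jail.d/, the [sshd]
       jail and all helper names are assumptions; [INCLUDES] and
       interpolation are not modelled.

```python
import configparser
import glob
import os
import tempfile

# Constructed sample tree (not from the man page): a late-sorting .local
# file under jail.d/ silently disables a jail that jail.local enables.
SAMPLE_FILES = {
    "jail.conf": "[DEFAULT]\nbantime = 10m\nmaxretry = 5\n\n"
                 "[sshd]\nenabled = false\nport = ssh\n",
    "jail.d/01_enable.conf": "[sshd]\nenabled = true\n",
    "jail.d/02_custom_port.conf": "[sshd]\nport = 2222\n",
    "jail.local": "[DEFAULT]\nbantime = 1h\n\n[sshd]\nenabled = true\n",
    "jail.d/zz_legacy.local": "[sshd]\nenabled = false\n",
}


def write_tree(root, files):
    """Create the sample files below root."""
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


def parse_order(confdir, base="jail"):
    """Existing files in documented order, as paths relative to confdir:
    base.conf, base.d/*.conf, base.local, base.d/*.local."""
    candidates = [os.path.join(confdir, base + ".conf")]
    candidates += sorted(glob.glob(os.path.join(confdir, base + ".d", "*.conf")))
    candidates.append(os.path.join(confdir, base + ".local"))
    candidates += sorted(glob.glob(os.path.join(confdir, base + ".d", "*.local")))
    return [os.path.relpath(p, confdir) for p in candidates if os.path.isfile(p)]


def effective_settings(confdir, base="jail"):
    """Merge files in parse order; a later file overrides an earlier one.
    Returns {section: {option: (value, source_file)}}."""
    merged = {}
    for rel in parse_order(confdir, base):
        # An unused default_section keeps [DEFAULT] as an ordinary section,
        # so its options are not copied into every jail while merging.
        cp = configparser.RawConfigParser(default_section="__unused__")
        cp.read(os.path.join(confdir, rel))
        for section in cp.sections():
            for option, value in cp.items(section):
                merged.setdefault(section, {})[option] = (value, rel)
    return merged


def jail_option(merged, jail, option):
    """Value for a jail: its own section first, then [DEFAULT]."""
    for section in (jail, "DEFAULT"):
        if option in merged.get(section, {}):
            return merged[section][option]
    return None


def demo():
    """Build the sample tree in a temp dir and resolve it."""
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, SAMPLE_FILES)
        return parse_order(root), effective_settings(root)


if __name__ == "__main__":
    order, merged = demo()
    print("parse order:", order)
    for opt in ("enabled", "port", "bantime", "maxretry"):
        value, source = jail_option(merged, "sshd", opt)
        print("sshd.%s = %s   (from %s)" % (opt, value, source))
```
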
       Configuration files have sections, those specified with [section name],
       and name = value pairs. For those name items that can accept multiple
       values, specify the values separated by spaces, or on separate lines,
       indented with space at the beginning of the line before the second
       value.

       Configuration files can include other configuration files (defining
       common variables), which is often used in Filters and Actions. Such
       inclusions are defined in a section called [INCLUDES]:

       before indicates that the specified file is to be parsed before the
              current file.

       after  indicates that the specified file is to be parsed after the
              current file.

       Using Python "string interpolation" mechanisms, other definitions are
       allowed and can later be used within other definitions as %(name)s.

       Fail2ban has a more advanced syntax (similar to Python extended
       interpolation). This extended interpolation uses %(section/parameter)s
       to denote a value from a foreign section.
       Besides cross-section interpolation, the value of a parameter in the
       [DEFAULT] section can be retrieved with %(default/parameter)s.
       Fail2ban also supports another feature named %(known/parameter)s
       (meaning the last known option with the name parameter). This
       interpolation makes it possible to extend a stock filter or jail regexp
       in a .local file (as opposed to simply setting failregex/ignoreregex,
       which overwrites it), e.g.

              baduseragents = IE|wget|%(my-settings/baduseragents)s
              failregex = %(known/failregex)s
                          useragent=%(baduseragents)s

       In addition to the interpolation %(known/parameter)s, which does not
       work for filter/action init parameters, an interpolation tag
       <known/parameter> can be used (meaning the last known init definition
       of filters or actions with the name parameter). This interpolation
       makes it possible to extend the parameters of a stock filter or action
       directly in the jail inside the jail.conf/jail.local file without
       creating a separate filter.d/*.local file, e.g.

              # filter.d/test.conf:
              [Init]
              test.method = GET
              baduseragents = IE|wget
              [Definition]
              failregex = ^%(__prefix_line)s\s+"<test.method>"\s+test\s+regexp\s+-\s+useragent=(?:<baduseragents>)

              # jail.local:
              [test]
              # use filter "test", overwrite method to "POST" and extend known bad agents with "badagent":
              filter = test[test.method=POST, baduseragents="badagent|<known/baduseragents>"]

       Comments: use '#' for comment lines and '; ' (space is important) for
       inline comments. When using Python2.X, '; ' can only be used on the
       first line due to a Python library bug.

FAIL2BAN CONFIGURATION FILE(S) (fail2ban.conf)

       The items that can be set in section [Definition] are:

       loglevel
              verbosity level of log output: CRITICAL, ERROR, WARNING, NOTICE,
              INFO, DEBUG, TRACEDEBUG, HEAVYDEBUG or corresponding numeric
              value (50-5). Default: INFO (equal 20)

       logtarget
              log target: filename, SYSLOG, STDERR or STDOUT. Default: STDOUT
              if not set in fail2ban.conf/fail2ban.local
              Note: if fail2ban is running as a systemd service, the
              logtarget could be set to STDOUT for logging to the
              systemd journal.
              Only a single log target can be specified. If you change
              logtarget from the default value and you are using logrotate,
              also adjust or disable rotation in the corresponding
              configuration file (e.g. /etc/logrotate.d/fail2ban on Debian
              systems).

       socket socket filename. Default: /var/run/fail2ban/fail2ban.sock
              This is used for communication with the fail2ban server daemon.
              Do not remove this file when Fail2ban is running. It will not be
              possible to communicate with the server afterwards.

       pidfile
              PID filename. Default: /var/run/fail2ban/fail2ban.pid
              This is used to store the process ID of the fail2ban server.

       allowipv6
              option to allow IPv6 interface - auto, yes (on, true, 1) or no
              (off, false, 0). Default: auto
              This value can be used to tell fail2ban whether IPv6 is allowed
              or not.

       dbfile Database filename. Default: /var/lib/fail2ban/fail2ban.sqlite3
              This defines where the persistent data for fail2ban is stored.
              This persistent data allows bans to be reinstated and reading
              of log files to continue from the last read position when
              fail2ban is restarted. A value of None disables this feature.

       dbmaxmatches
              Max number of matches stored in database per ticket. Default: 10
              This option sets the maximum number of matched log lines that
              can be stored per ticket in the database. This also affects
              values resolvable via the tags <ipmatches> and <ipjailmatches>
              in actions.

       dbpurgeage
              Database purge age in seconds. Default: 86400 (24 hours)
              This sets the age at which bans should be purged from the
              database.

       The config parameters of section [Thread] are:

       stacksize
              Stack size of each thread in fail2ban. Default: 0 (platform or
              configured default)
              This specifies the stack size (in KiB) to be used for
              subsequently created threads, and must be 0 or a positive
              integer value of at least 32.

JAIL CONFIGURATION FILE(S) (jail.conf)

       The following options are applicable to any jail. They appear in a
       section specifying the jail name or in the [DEFAULT] section, which
       defines default values to be used if not specified in the individual
       section.

       filter name of the filter -- filename of the filter in
              /etc/fail2ban/filter.d/ without the .conf/.local extension.
              Only one filter can be specified.

       logpath
              filename(s) of the log files to be monitored, separated by new
              lines.
              Globs -- paths containing * and ? or [0-9] -- can be used;
              however, only the files that exist at start up matching this
              glob pattern will be considered.

              The optional space-separated option 'tail' can be added to the
              end of the path to cause the log file to be read from the end;
              otherwise the default 'head' option reads the file from the
              beginning.

              Ensure syslog or the program that generates the log file isn't
              configured to compress repeated log messages to "last message
              repeated 5 times", otherwise fail2ban will fail to detect them.
              This is called RepeatedMsgReduction in rsyslog and should be
              Off.

       logencoding
              encoding of log files used for decoding. The default value of
              "auto" uses the current system locale.

       logtimezone
              Force the time zone for log lines that don't have one.

              If this option is not specified, log lines in which no explicit
              time zone has been found are interpreted by fail2ban in its own
              system time zone, and that may turn out to be inappropriate.
              While the best practice is to configure the monitored
              applications to include explicit offsets, this option is meant
              to handle cases where that is not possible.

              The supported time zones in this option are those with a fixed
              offset: Z, UTC[+-]hhmm (you can also use GMT as an alias for
              UTC).

              This option has no effect on log lines in which an explicit
              time zone has been found. Examples:

                      logtimezone = UTC
                      logtimezone = UTC+0200
                      logtimezone = GMT-0100

       banaction
              banning action (default iptables-multiport), typically
              specified in the [DEFAULT] section for all jails.
              This parameter will be used by the standard substitution of
              action and can be redefined centrally in the [DEFAULT] section
              inside jail.local (to apply it to all jails at once) or
              separately in each jail where this substitution will be used.

       banaction_allports
              the same as banaction but for some "allports" jails like
              "pam-generic" or "recidive" (default iptables-allports).

       action action(s) from /etc/fail2ban/action.d/ without the .conf/.local
              extension.
              Arguments can be passed to actions to override the default
              values from the [Init] section in the action file. Arguments
              are specified by:

                     [name=value,name2=value,name3="values,values"]

              Values can also be quoted (required when a value includes a
              ","). More than one action can be specified (on separate
              lines).

       ignoreself
              boolean value (default true) indicating that the banning of own
              IP addresses should be prevented

       ignoreip
              list of IPs not to ban. They can include a DNS name or a CIDR
              mask too. The option applies in addition to ignoreself (if
              true) and does not need to contain the own DNS names or IPs of
              the running host.

       ignorecommand
              command that is executed to determine if the current candidate
              IP for banning (or failure-ID for raw IDs) should not be banned.
              The option applies in addition to ignoreself and ignoreip and
              is executed only if neither of them matches.
              The IP will not be banned if the command returns successfully
              (exit code 0). As in ACTION FILES, tags like <ip> can be
              included in the ignorecommand value and will be substituted
              before execution.

       ignorecache
              provide cache parameters (default disabled) for the ignore
              failure check (caching of the result from `ignoreip`,
              `ignoreself` and `ignorecommand`), syntax:

                      ignorecache = key="<F-USER>@<ip-host>", max-count=100, max-time=5m
                      ignorecommand = if [ "<F-USER>" = "technical" ] && [ "<ip-host>" = "my-host.example.com" ]; then exit 0; fi;
                                      exit 1
              This will cache the result of ignorecommand (it is not called
              repeatedly) for 5 minutes (cache time) for a maximum of 100
              entries (cache size), using values substituted like "user@host"
              as cache keys. Setting the option ignorecache to an empty value
              disables the cache.

       bantime
              effective ban duration (in seconds or time abbreviation format).

       findtime
              time interval (in seconds or time abbreviation format) before
              the current time where failures will count towards a ban.

       maxretry
              number of failures that have to occur in the last findtime
              seconds to ban the IP.

       backend
              backend to be used to detect changes in the logpath.
              It defaults to "auto", which will try "pyinotify", "gamin" and
              "systemd" before "polling". Any of these can be specified.
              "pyinotify" is only valid on Linux systems with the "pyinotify"
              Python libraries. "gamin" requires the "gamin" libraries.

       usedns use DNS to resolve HOST names that appear in the logs. By
              default it is "warn", which will resolve hostnames to IPs but
              will also log a warning. If you are using DNS here you could be
              blocking the wrong IPs due to the asymmetric nature of reverse
              DNS (which the application used to write the domain name to the
              log) compared to forward DNS, which fail2ban uses to resolve
              this back to an IP (but not necessarily the same one). Ideally
              you should configure your applications to log a real IP. This
              can be set to "yes" to prevent warnings in the log or "no" to
              disable DNS resolution altogether (thus ignoring entries where
              a hostname, not an IP, is logged).

       prefregex
              regex (Python regular expression) to parse a common part
              contained in every message (see prefregex in section FILTER
              FILES for details).

       failregex
              regex (Python regular expression) to be added to the filter's
              failregexes (see failregex in section FILTER FILES for details).
              If this is useful for others using your application please share
              your regular expression with the fail2ban developers by
              reporting an issue (see REPORTING BUGS below).

       ignoreregex
              regex which, if the log line matches, would cause Fail2Ban not
              to consider that line. This line will be ignored even if it
              matches a failregex of the jail or any of its filters.

       maxmatches
              maximum number of matched log lines the jail would hold in
              memory per ticket. By default it is the same value as maxretry
              of the jail (or default). This option also affects values
              resolvable via the tag <matches> in actions.

   Backends
       Available options are listed below.

       pyinotify
              requires pyinotify (a file alteration monitor) to be installed.
              If pyinotify is not installed, Fail2ban will use auto.

       gamin  requires Gamin (a file alteration monitor) to be installed. If
              Gamin is not installed, Fail2ban will use auto.

       polling
              uses a polling algorithm which does not require external
              libraries.

       systemd
              uses the systemd python library to access the systemd journal.
              Specifying logpath is not valid for this backend; it instead
              utilises journalmatch from the jail's associated filter config.
              Multiple systemd-specific flags can be passed to the backend,
              including journalpath and journalfiles, to explicitly set the
              path to a directory or set of files. journalflags, which by
              default is 4 and excludes user session files, can be set to
              include them with journalflags=1; see the python-systemd
              documentation for other settings and further details. Examples:

              backend = systemd[journalpath=/run/log/journal/machine-1]
              backend = systemd[journalfiles="/path/to/system.journal, /path/to/user.journal"]
              backend = systemd[journalflags=1]

   Actions
       Each jail can be configured with only a single filter, but may have
       multiple actions. By default, the name of an action is the action
       filename, and in the case of Python actions, the ".py" file extension
       is stripped. Where multiple of the same action are to be used, the
       actname option can be assigned to the action to avoid duplication,
       e.g.:

       [ssh-iptables-ipset]
       enabled = true
       action = smtp.py[dest=chris@example.com, actname=smtp-chris]
                smtp.py[dest=sally@example.com, actname=smtp-sally]

TIME ABBREVIATION FORMAT

       The time entries in fail2ban configuration (like findtime or bantime)
       can be provided as an integer in seconds or as a string using a
       special abbreviation format (e.g. 600 is the same as 10m).

       Abbreviation tokens:

              years?, yea?, yy?
              months?, mon?
              weeks?, wee?, ww?
              days?, da, dd?
              hours?, hou?, hh?
              minutes?, min?, mm?
              seconds?, sec?, ss?

              The question mark (?) means the preceding character is
              optional, so day as well as days can be used.

       You can combine multiple tokens in the format (separated with a space
       or without a separator), e.g.: 1y 6mo or 1d12h30m.
       Note that the tokens m as well as mm mean minutes; for month use the
       abbreviation mo or mon.

       The time format can be tested using fail2ban-client:

              fail2ban-client --str2sec 1d12h

ACTION CONFIGURATION FILES (action.d/*.conf)

       Action files specify which commands are executed to ban and unban an IP
       address.

       As with jail.conf files, if you desire local changes create an
       [actionname].local file in the /etc/fail2ban/action.d directory and
       override the required settings.

       Action files have two sections, Definition and Init.

       The [Init] section enables action-specific settings. In
       jail.conf/jail.local these can be overridden for a particular jail as
       options of the action's specification in that jail.

       The following commands can be present in the [Definition] section.

       actionstart
              command(s) executed when the jail starts.

       actionstop
              command(s) executed when the jail stops.

       actioncheck
              command(s) run before any other action. It aims to verify that
              the environment is still ok.

       actionban
              command(s) that ban the IP address after maxretry log lines
              match within the last findtime seconds.

       actionunban
              command(s) that unban the IP address after bantime.

       The [Init] section allows for action-specific settings. In
       jail.conf/jail.local these can be overwritten for a particular jail as
       options to the jail. The following are special tags which can be set in
       the [Init] section:

       timeout
              The maximum period of time in seconds that a command can
              execute before being killed.

       Commands specified in the [Definition] section are executed through a
       system shell, so shell redirection and process control are allowed. The
       commands should return 0, otherwise an error is logged. Moreover, if
       actioncheck exits with a non-0 status, it is taken as an indication
       that the firewall status has changed and fail2ban needs to reinitialize
       itself (i.e. issue the actionstop and actionstart commands). Tags are
       enclosed in <>. All the elements of [Init] are tags that are replaced
       in all action commands. Tags can be added by the fail2ban-client using
       the "set <JAIL> action <ACT>" command. <br> is a tag that is always a
       new line (\n).

       More than a single command is allowed to be specified. Each command
       needs to be on a separate line and indented with whitespace(s) without
       blank lines. The following example defines two commands to be executed.

        actionban = iptables -I fail2ban-<name> --source <ip> -j DROP
                    echo ip=<ip>, match=<match>, time=<time> >> /var/log/fail2ban.log

   Action Tags
       The following tags are substituted in the actionban, actionunban and
       actioncheck (when called before actionban/actionunban) commands.

       ip     IPv4 IP address to be banned. e.g. 192.168.0.2

       failures
              number of times the failure occurred in the log file. e.g. 3

       ipfailures
              As per failures, but the total of all failures for that IP
              address across all jails from the fail2ban persistent database.
              Therefore the database must be set for this tag to function.

       ipjailfailures
              As per ipfailures, but the total based on the IP's failures for
              the current jail.

       time   UNIX (epoch) time of the ban. e.g. 1357508484

       matches
              concatenated string of the log file lines of the matches that
              generated the ban. Many characters interpreted by the shell get
              escaped to prevent injection; nevertheless use with caution.

       ipmatches
              As per matches, but includes all lines for the IP which are
              contained in the fail2ban persistent database. Therefore the
              database must be set for this tag to function.

       ipjailmatches
              As per ipmatches, but matches are limited to the IP and the
              current jail.

PYTHON ACTION FILES

       Python based actions can also be used, where the file name must be
       [actionname].py. The Python file must contain a variable Action which
       points to a Python class. This class must implement a minimum interface
       as described by fail2ban.server.action.ActionBase, which can be
       inherited from to ease implementation.

FILTER FILES (filter.d/*.conf)

       Filter definitions are those in /etc/fail2ban/filter.d/*.conf and
       filter.d/*.local.

       These are used to identify failed authentication attempts in log files
       and to extract the host IP address (or hostname if usedns is true).

       Like action files, filter files are ini files. The main section is the
       [Definition] section.

       There are several standard filter definitions used in the [Definition]
       section:

       prefregex
              is the regex (regular expression) to parse a common part
              contained in every message, which is applied after datepattern
              has found a match, before the search for any failregex or
              ignoreregex starts.
              If this regex doesn't match, processing continues immediately
              with the next message and the search for any failregex does not
              occur.
              If prefregex contains <F-CONTENT>...</F-CONTENT>, the part of
              the message enclosed between these tags will be extracted and
              thereafter used as the whole message for the search with
              failregex or ignoreregex.

              For example:
                      prefregex = ^%(__prefix_line)s (?:ERROR|FAILURE) <F-CONTENT>.+</F-CONTENT>$
                      failregex = ^user not found
                                  ^authentication failed
                                  ^unknown authentication method

              You can use prefregex in order to:

                     - specify 1 common regex to match some common part
                     present in every message (to avoid an unneeded match in
                     every failregex if you have more than one);

                     - cut out only some interesting part of the message (to
                     simplify failregex), enclosed between the tags
                     <F-CONTENT> and </F-CONTENT>;

                     - gather some failure identifier (e.g. some prefix
                     matched by the <F-MLFID>...</F-MLFID> tag) to identify
                     several messages belonging to the same session, where a
                     connect message containing the IP is followed by failure
                     message(s) that do not contain the IP; this provides a
                     new multi-line parsing method as a replacement for the
                     old (slow and ugly) multi-line parsing using a buffering
                     window (maxlines > 1 and <SKIPLINES>);

                     - ignore some wrong, too long or even unneeded messages
                     (a.k.a. parasite log traffic), which can also be present
                     in the journal, before the failregex search takes place.

       failregex
              is the regex (regular expression) that will match failed
              attempts. The standard replacement tags can be used as part of
              the regex:

                     <HOST> - common regex for IP addresses and hostnames (if
                     usedns is enabled). Fail2Ban will work out which one of
                     these it actually is.

                     <ADDR> - regex for IP addresses (both families).

                     <IP4> - regex for IPv4 addresses.

                     <IP6> - regex for IPv6 addresses.

                     <DNS> - regex to match hostnames.

                     <CIDR> - helper regex to match CIDR (simple integer form
                     of net-mask).

                     <SUBNET> - regex to match sub-net addresses (in the form
                     IP/CIDR; a single IP is also matched, so the /CIDR part
                     is optional).

                     <F-ID>...</F-ID> - free regex capturing group targeting
                     the identifier used for the ban (instead of IP address
                     or hostname).

                     <F-*>...</F-*> - free regex capturing named group stored
                     in the ticket, which can be used in an action.
                     For example <F-USER>[^@]+</F-USER> matches and stores a
                     user name that can be used in an action with the
                     interpolation tag <F-USER>.

                     <F-ALT_*n>...</F-ALT_*n> - free regex capturing
                     alternative named group stored in the ticket.
                     For example the first matched value defined in the regex
                     as <F-ALT_USER>, <F-ALT_USER1> or <F-ALT_USER2> would be
                     stored as <F-USER> (if a direct match is not found or is
                     empty).

              Each of the above-mentioned tags can be specified in prefregex
              and in failregex; if specified in both, the value matched in
              failregex overwrites the value matched in prefregex.
              All standard tags like IP4 or IP6 can also be specified with a
              custom regex using the <F-*>...</F-*> syntax, for example
              (?:ip4:<F-IP4>\S+</F-IP4>|ip6:<F-IP6>\S+</F-IP6>).
              The tags <ADDR>, <HOST> and <SUBNET> also match an IP address
              enclosed in square brackets.

              NOTE: the failregex will be applied to the remaining part of
              the message after prefregex processing (if specified), which in
              turn takes place after datepattern processing (whereby the
              timestamp string matching the best pattern is cut out from the
              message).

              For multiline regexes (parsing with maxlines greater than 1)
              the tag <SKIPLINES> can be used to separate lines. This allows
              lines between the matched lines to continue to be searched for
              other failures. The tag can be used multiple times.
              This is an obsolete handling; if the lines contain some common
              identifier, it is better to use the new handling (with the tags
              <F-MLFID>...</F-MLFID>).

       ignoreregex
              is the regex to identify log entries that should be ignored by
              Fail2Ban, even if they match failregex.

       maxlines
              specifies the maximum number of lines to buffer to match
              multi-line regexes. For some log formats this will not need to
              be changed. Other logs may require this value to be increased
              if a particular log file is frequently written to.

       datepattern
              specifies a custom date pattern/regex as an alternative to the
              default date detectors, e.g. %%Y-%%m-%%d %%H:%%M(?::%%S)?.
              For a list of valid format directives, see the Python library
              documentation for strptime behaviour.
              NOTE: due to config file string substitution, % characters must
              be escaped by a % in config files.
              Also, the special values Epoch (UNIX Timestamp), TAI64N and
              ISO8601 can be used as datepattern.
              Normally the regexp generated for datepattern additionally gets
              word-start and word-end boundaries to avoid an accidental match
              inside some word in a message.
              There are several prefixes and words with special meaning that
              can be specified with a custom datepattern to control the
              resulting regex:

                     {DEFAULT} - can be used to add the default date patterns
                     of fail2ban.

                     {DATE} - can be used as part of a regex that will be
                     replaced with the default date patterns.

                     {^LN-BEG} - prefix (similar to ^) changing the
                     word-start boundary to a line-start boundary (ignoring
                     up to 2 characters). If used as a value (not as a
                     prefix), it will also set all default date patterns
                     (similar to {DEFAULT}), but anchored at the beginning of
                     the message line.

                     {UNB} - prefix to disable automatic word boundaries in
                     the regex.

                     {NONE} - value that allows failures to be found entirely
                     without a date-time in the log message. The filter will
                     use now as the timestamp (or the last known timestamp
                     from a previous line with a timestamp).

       journalmatch
              specifies the systemd journal match used to filter the journal
              entries. See journalctl(1) and systemd.journal-fields(7) for
              the match syntax and more details on special journal fields.
              This option is only valid for the systemd backend.

       Similar to actions, filters may also have an [Init] section (optional
       since v.0.10). All parameters of both sections [Definition] and [Init]
       can be overridden (redefined or extended) in jail.conf or jail.local
       (or in the related filter.d/filter-name.local).
       Every option supplied in the jail to the filter overwrites the value
       specified in the [Init] section, which in turn would overwrite the
       value in the [Definition] section.
       Besides the standard settings of a filter, both sections can be used
       to initialize filter-specific options.

       Filters can also have a section called [INCLUDES]. This is used to read
       other configuration files.

       before indicates that this file is read before the [Definition] section.

       after  indicates that this file is read after the [Definition] section.
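
       The filter processing described in this section, together with the
       jail options ignoreip, maxretry and findtime, as an added example (a
       simplified model written for this page, not fail2ban's own code):
       prefregex gates each line and cuts out <F-CONTENT>, ignoreregex and
       failregex run on what remains, and a host is reported once maxretry
       failures fall within findtime. The class and function names, the
       IPv4-only stand-in for <HOST>, the "myapp" log format and the log
       lines are constructed assumptions; datepattern handling is replaced
       by ready-made epoch timestamps.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_tags(regex):
    """Expand <HOST> and <F-NAME>...</F-NAME> into named groups."""
    regex = regex.replace("<HOST>", HOST_RE)
    regex = re.sub(r"<F-([A-Z0-9_]+)>",
                   lambda m: "(?P<%s>" % m.group(1).lower(), regex)
    regex = re.sub(r"</F-[A-Z0-9_]+>", ")", regex)
    return re.compile(regex)


class Jail:
    def __init__(self, prefregex, failregex, ignoreregex=(), ignoreip=(),
                 maxretry=3, findtime=600):
        self.pref = compile_tags(prefregex)
        self.fail = [compile_tags(r) for r in failregex]
        self.ignore = [compile_tags(r) for r in ignoreregex]
        self.ignoreip = [ipaddress.ip_network(n) for n in ignoreip]
        self.maxretry = maxretry
        self.findtime = findtime
        self.failures = defaultdict(deque)   # host -> failure timestamps

    def match(self, message):
        """Return the captured fields of a failure line, or None."""
        pm = self.pref.search(message)
        if pm is None:
            return None                      # failregex search never starts
        fields = {k: v for k, v in pm.groupdict().items() if v}
        content = fields.pop("content", message)
        if any(r.search(content) for r in self.ignore):
            return None                      # ignoreregex beats failregex
        for r in self.fail:
            fm = r.search(content)
            if fm:
                # values matched in failregex overwrite those of prefregex
                fields.update({k: v for k, v in fm.groupdict().items() if v})
                return fields
        return None

    def feed(self, ts, message):
        """Process one line; return the host to ban, or None."""
        fields = self.match(message)
        if not fields or "host" not in fields:
            return None
        try:
            addr = ipaddress.ip_address(fields["host"])
        except ValueError:
            return None                      # e.g. 999.1.1.1 is not an IP
        if any(addr in net for net in self.ignoreip):
            return None
        window = self.failures[fields["host"]]
        window.append(ts)
        while window and window[0] <= ts - self.findtime:
            window.popleft()                 # older than findtime seconds
        if len(window) >= self.maxretry:
            window.clear()
            return fields["host"]
        return None


# Constructed log lines: (epoch seconds, message with the date cut out).
F = "myapp[311]: FAILURE authentication failed for "
SAMPLE_LOG = [
    (1000, F + "root from 203.0.113.7"),
    (1000, F + "guest from 198.51.100.99"),
    (1060, "myapp[311]: INFO session opened for alice from 198.51.100.20"),
    (1100, "myapp[311]: ERROR user not found: admin from 203.0.113.7"),
    (1150, F + "monitoring from 203.0.113.7"),   # hits ignoreregex
    (1200, F + "bob from 192.0.2.10"),            # inside ignoreip
    (1210, F + "bob from 192.0.2.10"),
    (1220, F + "bob from 192.0.2.10"),
    (1300, F + "guest from 198.51.100.99"),
    (1500, F + "root from 203.0.113.7"),          # third failure in window
    (1700, F + "guest from 198.51.100.99"),       # first one has expired
]


def sample_jail():
    return Jail(
        prefregex=r"^myapp\[\d+\]: (?:ERROR|FAILURE) <F-CONTENT>.+</F-CONTENT>$",
        failregex=[r"^user not found: <F-USER>\S+</F-USER> from <HOST>$",
                   r"^authentication failed for <F-USER>\S+</F-USER> from <HOST>$"],
        ignoreregex=[r"^authentication failed for monitoring from "],
        ignoreip=["192.0.2.0/24"], maxretry=3, findtime=600)


def run(jail, log):
    """Return [(timestamp, host)] for every ban decision."""
    return [(ts, host) for ts, msg in log
            for host in [jail.feed(ts, msg)] if host]


if __name__ == "__main__":
    print(run(sample_jail(), SAMPLE_LOG))
```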

AUTHOR

       Fail2ban was originally written by Cyril Jaquier
       <cyril.jaquier@fail2ban.org>. At the moment it is maintained and
       further developed by Yaroslav O. Halchenko <debian@onerussian.com>,
       Daniel Black <daniel.subs@internode.on.net> and Steven Hiscocks
       <steven-fail2ban@hiscocks.me.uk> along with a number of contributors.
       See THANKS file shipped with Fail2Ban for a full list. Manual page
       written by Daniel Black and Yaroslav Halchenko.

REPORTING BUGS

       Report bugs to https://github.com/fail2ban/fail2ban/issues

COPYRIGHT

       Copyright © 2013 the Fail2Ban Team
       Copyright of modifications held by their respective authors.
       Licensed under the GNU General Public License v2 (GPL) or (at your
       option) any later version.

SEE ALSO

       fail2ban-server(1)

Fail2Ban                         November 2015                    JAIL.CONF(5)