# /etc/fail2ban/filter.d/blacklist.conf # Fail2Ban Blacklist for Repeat Offenders (filter.d) # # Author: Mitchell Krog # Version: 1.1 # GitHub: https://github.com/mitchellkrogza/Fail2Ban-Blacklist-JAIL-for-Repeat-Offenders-with-Perma-Extended-Banning # Tested On: Fail2Ban 0.91 # Server: Ubuntu 16.04 # Firewall: IPTables # # Dependancies: requires blacklist.conf in /etc/fail2ban/action.d folder # requires jail settings called [blacklist] # requires ip.blacklist file in /etc/fail2ban # create with sudo touch /etc/fail2ban/ip.blacklist # # Drawbacks: Only works with IPTables # # Based on: the Recidive Jail from Fail2Ban # # This filter based on the recidive filter, monitors the fail2ban log file, # and enables you to add long time bans for ip addresses that get banned # by fail2ban multiple times. # # Reasons to use this: Block persistent attackers for very long periods of time. # Controlled through a simple ip.blocklist text file # # Only works with IPTables # Your settings for this custom jail [blacklist] in jail.conf should have higher # 'findtime' and 'bantime' parameters set to a higher value than all the other jails. # # This custom action requires a custom jail in your # jail.local file for Fail2Ban # # Your jail file would be configured as follows # # [blacklist] # enabled = true # logpath = /var/log/fail2ban.* # filter = blacklist # banaction = blacklist # bantime = 31536000 ; 1 year # findtime = 31536000 ; 1 year # maxretry = 10 # [INCLUDES] # Read common prefixes. If any customizations available -- read them from # common.local before = common.conf [Definition] _daemon = fail2ban\.actions\s* # The name of the jail that this filter is used for. In jail.conf, name the # jail using this filter 'blacklist', or change this line! _jailname = blacklist failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+\s*$ ignoreregex = [Init] journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5 # Author: Mitchell Krog