"Fossies" - the Fresh Open Source Software Archive

Member "fail2ban-0.11.1/config/action.d/shorewall-ipset-proto6.conf" (11 Jan 2020, 3111 Bytes) of package /linux/misc/fail2ban-0.11.1.tar.gz:



    # Fail2Ban configuration file
    #
    # Author: Eduardo Diaz
    #
    # This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
    # for shorewall
    #
    # Use this setting in jail.conf to use this action instead of a
    # default one
    #
    # banaction   = shorewall-ipset-proto6
    #
    # This requires the program ipset, which is normally in a package called ipset.
    #
    # IPset was a feature introduced in the Linux 2.6.39 and 3.0.0
    # kernels, and you need Shorewall >= 4.5.5 to use this action.
    #
    # The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see
    # file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a
    # new shorewall rule to ban an IP address, that rule will affect only new
    # connections. So if the attacker keeps trying over the same connection,
    # he could even log in. In order to get the same behavior as the iptables
    # action (so that the ban is immediate) the /etc/shorewall/shorewall.conf
    # file should be modified with "BLACKLISTNEWONLY=No".
    #
    #
    # Enable shorewall to use a blacklist using iptables by creating a file
    # /etc/shorewall/blrules and adding "DROP net:+f2b-ssh all" and
    # similar lines for every jail.  To enable restoring your ipsets you
    # must set SAVE_IPSETS=Yes in shorewall.conf.  You can read more
    # about ipsets handling in Shorewall at http://shorewall.net/ipsets.html
    #
    # To force creation of the ipset in case somebody deletes it,
    # create a file /etc/shorewall/initdone and add one line for
    # every ipset (these files are in Perl) and add 1 at the end of the file.
    # The example:
    # system("/usr/sbin/ipset -quiet -exist create f2b-ssh hash:ip timeout 600 ");
    # 1;
    #
    # To destroy the ipset in shorewall you must add to the file /etc/shorewall/stopped
    # # One line for every ipset
    # system("/usr/sbin/ipset -quiet destroy f2b-ssh ");
    # 1; # This must go at the end of the file, otherwise shorewall compilation fails
    #


    [Definition]

    # Option:  actionstart
    # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
    # Values:  CMD
    #
    actionstart = if ! ipset -quiet -name list f2b-<name> >/dev/null;
                  then ipset -quiet -exist create f2b-<name> hash:ip timeout <default-timeout>;
                  fi

    # Option:  actionstop
    # Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
    # Values:  CMD
    #
    actionstop = ipset flush f2b-<name>

    # Option:  actionban
    # Notes.:  command executed when banning an IP. Take care that the
    #          command is executed with Fail2Ban user rights.
    # Tags:    See jail.conf(5) man page
    # Values:  CMD
    #
    actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist

    actionprolong = %(actionban)s

    # Option:  actionunban
    # Notes.:  command executed when unbanning an IP. Take care that the
    #          command is executed with Fail2Ban user rights.
    # Tags:    See jail.conf(5) man page
    # Values:  CMD
    #
    actionunban = ipset del f2b-<name> <ip> -exist

    # Option: default-timeout
    # Notes:  specifies default timeout in seconds (handled default ipset timeout only)
    # Values:  [ NUM ]  Default: 600

    default-timeout = 600
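
A pre-flight check for the Shorewall settings the header comments above call for (BLACKLISTNEWONLY=No, SAVE_IPSETS=Yes, and a "DROP net:+f2b-<jail> all" line in blrules). This is an added example, not part of the fail2ban distribution; the function names are hypothetical, and it assumes Yes/No values may be written in any letter case.

```shell
#!/bin/sh
# Added example: verify the Shorewall prerequisites named in the action's comments.
# Usage: check_shorewall_f2b /etc/shorewall/shorewall.conf /etc/shorewall/blrules ssh

# Print the effective value of KEY in a shorewall.conf-style file.
# Commented-out lines are ignored, the last assignment wins, quotes are stripped.
conf_value() {  # conf_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Succeed if blrules has an active (uncommented) DROP rule sourced from net:+f2b-<jail>.
has_blrule() {  # has_blrule FILE JAIL
    awk -v src="net:+f2b-$2" '
        /^[[:space:]]*#/ { next }
        $1 == "DROP" && $2 == src { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Report every gap found; return 0 only when all three settings are in place.
check_shorewall_f2b() {  # check_shorewall_f2b SHOREWALL_CONF BLRULES JAIL
    rc=0
    v=$(conf_value "$1" BLACKLISTNEWONLY)
    case "$v" in
        [Nn][Oo]) ;;
        *) echo "BLACKLISTNEWONLY is '${v:-unset}', expected No (bans must hit established connections too)"
           rc=1 ;;
    esac
    v=$(conf_value "$1" SAVE_IPSETS)
    case "$v" in
        [Yy][Ee][Ss]) ;;
        *) echo "SAVE_IPSETS is '${v:-unset}', expected Yes (needed to restore the ipsets)"
           rc=1 ;;
    esac
    if ! has_blrule "$2" "$3"; then
        echo "no active 'DROP net:+f2b-$3 all' rule in $2"
        rc=1
    fi
    return $rc
}
```

A non-zero return means at least one setting is missing, so a ban added to the f2b-<jail> set may not be enforced the way the iptables action would enforce it.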