Fail2Ban jails are configured in INI-style files under /etc/fail2ban/. The packaged defaults live in jail.conf, which is overwritten on upgrade, so site-specific settings belong in jail.local (or in drop-in files under jail.d/). Each jail has its own [section] whose values override those inherited from [DEFAULT], and the parameters below tailor the banning policy for a specific service or application.
Basic jail configuration
The minimum a jail needs is a section named after the jail, enabled = true (jails are off unless switched on), the filter to use and the logpath of the log file being monitored. filter names a file in /etc/fail2ban/filter.d/ (here my-custom-service.conf) and defaults to the jail name, so the line below is redundant but makes the dependency explicit; logpath accepts shell wildcards and may list several files, one per line.
[my-custom-service]
enabled = true
filter = my-custom-service
logpath = /var/log/my-custom-service.log
Banning configuration
Options related to banning: the duration of the ban (bantime), the number of failures that trigger a ban (maxretry) and the window in which those failures are counted (findtime). A host is banned once it produces maxretry matches within the last findtime seconds; failures older than findtime are forgotten. The stock defaults are bantime = 10m, findtime = 10m and maxretry = 5. Values are seconds; Fail2Ban 0.10 and later also accept suffixes such as 10m or 1h, and a negative bantime bans permanently. Keep comments on their own lines: a trailing # after a value is not guaranteed to be stripped and can end up as part of the value.
[my-custom-service]
# ban duration in seconds (stock default is 10 minutes)
bantime = 3600
# window in which retries are counted, in seconds
findtime = 600
# failures within findtime that trigger a ban
maxretry = 3
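To make the interaction of the three values concrete, here is an added example (not code from the Fail2Ban project) that replays constructed log lines through the same logic a jail applies: the timestamp is located and stripped, failregex is matched against the remainder with the <HOST> tag expanded to a named group, and failures per address are counted inside a sliding findtime window. The filter, the log format and the sample lines are assumptions invented for the illustration; the IPv4-only <HOST> expansion is a simplification of the real one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail settings from the fragment above (seconds).
BANTIME = 3600
FINDTIME = 600
MAXRETRY = 3

# Fail2Ban first locates the timestamp, strips it, then matches failregex
# against the rest of the line.  The date layout is an assumption about the
# hypothetical my-custom-service log.
DATE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Hypothetical failregex as it would appear in filter.d/my-custom-service.conf.
# Fail2Ban replaces the <HOST> tag with a named group; the expansion here
# accepts IPv4 only (the real one also takes IPv6 addresses and hostnames).
FAILREGEX = r"^my-custom-service\[\d+\]: Authentication failed for user \S+ from <HOST>$"
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_GROUP))

# Constructed sample log; no real service produced these lines.
SAMPLE_LOG = [
    "2024-05-01 10:00:01 my-custom-service[123]: Authentication failed for user bob from 203.0.113.7",
    "2024-05-01 10:02:30 my-custom-service[123]: Authentication failed for user bob from 203.0.113.7",
    "2024-05-01 10:03:05 my-custom-service[123]: Authentication failed for user alice from 198.51.100.9",
    "2024-05-01 10:03:40 my-custom-service[123]: Session opened for user carol from 192.0.2.10",
    "2024-05-01 10:04:10 my-custom-service[123]: Authentication failed for user root from 203.0.113.7",
    "2024-05-01 10:30:00 my-custom-service[123]: Authentication failed for user alice from 198.51.100.9",
    "2024-05-01 11:00:00 my-custom-service[123]: Authentication failed for user alice from 198.51.100.9",
]


def parse_line(line):
    """Return (timestamp, host) if the line is a failure, else None."""
    d = DATE_RE.match(line)
    if d is None:
        return None
    ts = datetime.strptime(d.group("ts"), TS_FORMAT)
    f = FAIL_RE.search(line[d.end():])
    if f is None:
        return None
    return ts, f.group("host")


def simulate(lines, bantime=BANTIME, findtime=FINDTIME, maxretry=MAXRETRY):
    """Replay lines through the jail logic; return {ip: (ban_start, ban_end)}."""
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    bans = {}                    # ip -> (start, end) of its ban
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in bans and ts < bans[ip][1]:
            continue  # still firewalled; a real log would not show this line
        window = recent[ip]
        window.append(ts)
        # failures older than findtime no longer count towards maxretry
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
            window.clear()
    return bans


def is_banned(bans, ip, at):
    """True if ip is banned at datetime at (bans are half-open intervals)."""
    return ip in bans and bans[ip][0] <= at < bans[ip][1]


if __name__ == "__main__":
    for ip, (start, end) in simulate(SAMPLE_LOG).items():
        print(f"{ip}: banned at {start}, lifted at {end}")
```

With the page's values, 203.0.113.7 fails three times inside four minutes and is banned at 10:04:10 until 11:04:10, while 198.51.100.9 also fails three times but spread over an hour, so its window never holds more than one entry and it is never banned. Rerunning simulate with findtime=7200 bans the second address too, which is the trade-off the parameter controls: a long window catches slow brute forcing but makes lockouts of legitimate users more likely.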
IP address whitelisting
ignoreip lists addresses that are never banned, for example a monitoring host, a bastion or an office range. It takes a space-separated list of single IPs, CIDR ranges or DNS hostnames. Setting it in a jail replaces the inherited value rather than extending it, so repeat the loopback entries; Fail2Ban 0.10 and later also skip the host's own addresses by default (ignoreself = true). Treat the list as a bypass of the control: anything on it can brute-force the service without consequence.
[my-custom-service]
# loopback first, then trusted hosts; single IPs or CIDR ranges
ignoreip = 127.0.0.1/8 ::1 192.168.1.1
Actions configuration
action determines what happens once maxretry is reached. The [DEFAULT] section of jail.conf defines several ready-made combinations: action_ (ban only, the default), action_mw (ban and send an e-mail with a whois report on the offender) and action_mwl (the same plus the matching log lines). The e-mail variants need a working MTA and sensible destemail and sender values. Custom scripts are wired in as additional actions defined in /etc/fail2ban/action.d/.
[my-custom-service]
# "mw" = ban plus mail with whois report (action_ is ban only, the default)
action = %(action_mw)s
Notification configuration
Notifications are simply additional actions. action_mw already appends the MTA's -whois action, so listing sendmail-whois after it would send two mails per ban; to configure the mail action explicitly, combine the ban-only action_ with sendmail-whois and pass its parameters in brackets. Continuation lines of a multi-line value must be indented. dest and sender are taken here from the destemail and sender variables, which you set in [DEFAULT].
[my-custom-service]
action = %(action_)s
         sendmail-whois[name=my-custom-service, dest=%(destemail)s, sender=%(sender)s]
Log rotation configuration
Log rotation needs no jail option. The monitored path is logpath (there is no logfile option); Fail2Ban notices when the file it follows is renamed or truncated by logrotate and reopens it, and logpath accepts wildcards if rotated names must be matched as well. What can be tuned is backend, the mechanism used to detect changes: auto (the default) uses pyinotify when available and falls back to polling, and systemd reads the journal instead of a file. Fail2Ban's own log (/var/log/fail2ban.log) is rotated by the packaged logrotate rule, whose postrotate step runs fail2ban-client flushlogs so the daemon reopens it.
[my-custom-service]
logpath = /var/log/my-custom-service.log
# how file changes are detected: auto, pyinotify, polling or systemd
backend = auto
Filter configuration override
A jail can tune the filter it uses without editing the file in filter.d. Filters that declare parameters accept them in brackets after the name (the stock sshd filter, for instance, takes mode=aggressive); a custom filter only accepts parameters its own definition declares. Independently of that, a failregex or ignoreregex given in the jail is added to the filter's own list, and maxlines or datepattern set in the jail override the filter's value. A literal % in any of these files must be written %%.
[my-custom-service]
enabled = true
filter = my-custom-service
logpath = /var/log/my-custom-service.log
bantime = 3600
# extra ignore pattern for this jail only, added to the filter's ignoreregex
ignoreregex = from 192\.168\.1\.1$
[sshd]
enabled = true
# parameter passed to the stock sshd filter
filter = sshd[mode=aggressive]
Dynamic configuration
Fail2Ban does not watch its configuration for changes: after editing jail.local, run fail2ban-client reload (or fail2ban-client reload my-custom-service for one jail) to apply it. ignorecommand is a different mechanism: a program Fail2Ban runs for every matched failure, with tags such as <ip> substituted, whose exit status decides whether the address is ignored (0) or counted (anything else). It is the hook for allowlist logic that a static ignoreip cannot express, such as a lookup against a list that changes at runtime. Because it runs once per match it must be fast; Fail2Ban 0.10 and later can cache its results with ignorecache. The path below is a placeholder.
[DEFAULT]
# exit status 0 from this program means "ignore this address"
ignorecommand = /path/to/custom-ignore-command <ip>
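An added example of such a program (not part of Fail2Ban, and the path /usr/local/bin/f2b-ignore.py and the allowlist contents are assumptions): it receives the substituted <ip> as its only argument, checks it against a CIDR allowlist, and exits 0 only for addresses that should be ignored. It also covers the failure modes a practitioner cares about: a malformed address or a missing argument is never treated as trusted, so the failure still counts.

```python
#!/usr/bin/env python3
"""Hypothetical ignorecommand for Fail2Ban (added example, not project code).

Wire it into jail.local as:
    ignorecommand = /usr/local/bin/f2b-ignore.py <ip>
Fail2Ban runs it once per matched failure; exit status 0 means "ignore this
address", any other status means "count the failure".
"""
import ipaddress
import sys

# Constructed allowlist.  In a real deployment this would be read from a
# file (for example /etc/fail2ban/allow.cidr, an assumed path) so it can be
# updated without touching the script.
ALLOWLIST = """
# monitoring and VPN ranges (constructed sample, RFC 5737 / RFC 3849 space)
192.0.2.0/24
198.51.100.42
2001:db8::/32
"""


def load_networks(text):
    """Parse one IP or CIDR per line, ignoring blanks and # comments."""
    networks = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            # strict=False accepts host bits set, e.g. 10.1.2.3/8
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def should_ignore(ip, networks):
    """True if ip (v4 or v6) falls inside any allowlisted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable input is never trusted
    # membership across address families is simply False, so mixed lists work
    return any(addr in net for net in networks)


def main(argv):
    """Map the decision to the exit status Fail2Ban expects."""
    if len(argv) != 2:
        return 2  # misuse: let the failure count rather than silently ignore it
    return 0 if should_ignore(argv[1], load_networks(ALLOWLIST)) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script is deliberately fail-closed: anything it cannot parse, and any invocation without exactly one argument, results in a non-zero status so the address is still counted. Remember that Fail2Ban executes the command as root for every match, so keep it minimal and make sure only root can write to it and to any list it reads.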
Database configuration
dbfile is not a jail option. The persistent database is configured in /etc/fail2ban/fail2ban.conf (site overrides in fail2ban.local) under [Definition], not per jail; it is what lets active bans survive a restart of the daemon. dbpurgeage sets how long old entries are kept, and dbfile = None disables the database entirely.
# in /etc/fail2ban/fail2ban.local, not in jail.local
[Definition]
dbfile = /var/lib/fail2ban/fail2ban.sqlite3
dbpurgeage = 1d
Stored matches
maxmatches is not a rate limit. It caps how many matched log lines Fail2Ban keeps per banned address and hands to actions through the <matches> tag, which is what lets action_mwl mail the offending lines. The default is the jail's maxretry; lowering it keeps notifications and the database small, raising it gives more context per ban. Fail2Ban has no per-second limit on actions.
[my-custom-service]
maxmatches = 5 ; matched lines kept per ticket and exposed as <matches>
Customize notification content
The text of a notification is defined by the action, not by the jail: actionban and its siblings belong in the [Definition] section of a file under /etc/fail2ban/action.d/ and have no effect in jail.local. To change the wording, create a new action file (the stock mail.conf is a good template), edit its actionban, and reference the new action from the jail. Tags available in the template include <name>, <ip>, <failures>, <time> and <matches>; <dest> comes from the action's [Init] section and is overridden per jail in the brackets. A literal % is written %%, and the mail command needs a body on standard input or it will wait for one.
# /etc/fail2ban/action.d/my-mail.conf
[Definition]
actionban = printf %%b "Fail2Ban banned <ip> after <failures> failures against <name>\n" | mail -s "[Fail2Ban] <name>: banned <ip>" <dest>
actionunban =
[Init]
dest = root
# in jail.local: ban first, then run the custom mail action
[my-custom-service]
action = %(action_)s
         my-mail[name=my-custom-service, dest=%(destemail)s]
These are the most common jail options; the full list is in jail.conf(5), and which ones are available depends on the Fail2Ban version and on the service being monitored. After changing jail.local, dump the parsed configuration with fail2ban-client -d (or check it with fail2ban-client -t on 0.10 and later) before reloading, and confirm the jail is running and matching with fail2ban-client status my-custom-service.