On 7/8/20 9:24 AM, Tom Hendrikx wrote:
> Hi Yassine,
>
> The shorewall action does not ban on a per-jail basis, but puts all
> ip-addresses on a single blacklist, as that is how shorewall works.
>
> In the original recidive implementation (which I wrote) it was
> especially mentioned that you shouldn't use the same jail action for
> the recidive jail as for the other jails just because of this: I used
> the shorewall jail too.
>
> In short: don't use the 'shorewall' action, or use the 'iptables'
> action for the recidive jail (and 'shorewall' for the regular jails).
>
> Kind regards,
> Tom

Dear Tom,

That's a reasonable tradeoff :) thanks for the idea.

As for your comment about using different jails, here's what the debian
package ships:

# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
# Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
[recidive]

But to be honest, I have not read the release notes or readme. I have
just done that now, but the debian maintainers forgot to mention this, it
seems. At least for this version of f2b I'm using (0.8.13).

Now here is my new recidive jail:

[recidive]
enabled = true
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
         sendmail-whois-lines[name=recidive,
         logpath=/var/log/fail2ban.log, [email protected],
         [email protected]]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5
Yassine.
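
The failure mode discussed in this thread, as an added example that is not part of the original messages or of fail2ban's code: a small Python model of a regular jail and the recidive jail sharing one blacklist, compared with recidive keeping its own per-jail list. The class names, the 600-second sshd bantime and the address 203.0.113.7 are constructed for illustration, and the model assumes an unban simply removes the address from whatever list the action maintains.

```python
# Assumption: a shared-blacklist action (as the thread describes 'shorewall')
# keeps ONE set of addresses for all jails; a per-jail action (like
# iptables-allports[name=...]) keeps one set per jail name.

class SharedBlacklist:
    def __init__(self):
        self.banned = set()
    def ban(self, jail, ip):
        self.banned.add(ip)
    def unban(self, jail, ip):
        self.banned.discard(ip)      # removes the ip no matter which jail added it
    def is_blocked(self, ip):
        return ip in self.banned

class PerJailChains:
    def __init__(self):
        self.chains = {}
    def ban(self, jail, ip):
        self.chains.setdefault(jail, set()).add(ip)
    def unban(self, jail, ip):
        self.chains.get(jail, set()).discard(ip)
    def is_blocked(self, ip):
        return any(ip in chain for chain in self.chains.values())

def blocked_at(backend_for, bans, ip, checkpoints):
    """bans: (start, jail, ip, bantime) tuples. Returns one bool per checkpoint."""
    events = []
    for start, jail, addr, bantime in bans:
        events.append((start, 1, "ban", jail, addr))
        events.append((start + bantime, 0, "unban", jail, addr))
    events += [(t, 2, "check", None, None) for t in checkpoints]
    result = []
    for _, _, op, jail, addr in sorted(events, key=lambda e: e[:2]):
        if op == "check":
            result.append(any(b.is_blocked(ip) for b in backend_for.values()))
        else:
            getattr(backend_for[jail], op)(jail, addr)
    return result

IP = "203.0.113.7"                   # constructed sample address
BANS = [(0, "sshd", IP, 600),        # constructed timeline: a short sshd ban,
        (3000, "sshd", IP, 600),     # a repeat ban that trips recidive,
        (3000, "recidive", IP, 604800)]  # and the one-week recidive ban
CHECKS = [3100, 3700, 700000]

def same_action_everywhere():
    shared = SharedBlacklist()
    return blocked_at({"sshd": shared, "recidive": shared}, BANS, IP, CHECKS)

def separate_action_for_recidive():
    return blocked_at({"sshd": SharedBlacklist(), "recidive": PerJailChains()},
                      BANS, IP, CHECKS)
```

With the shared list, the sshd unban at t=3600 also lifts the recidive ban; with a separate action for recidive, the address stays blocked for the full week.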
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users