====== Fail2Ban ======
===== Test jail =====
# Paths file for the test jail (presumably /etc/fail2ban/paths-test.conf,
# since the jail definition further down includes it with "before = paths-test.conf").
# Fail2Ban reads its files with a configparser-style reader: [INCLUDES] pulls
# other files in before/after this one, and every [DEFAULT] key is visible to
# all sections that reference it with %(key)s.
[INCLUDES]
# distribution-independent defaults first, site overrides last
before = paths-common.conf
after = paths-overrides.local
[DEFAULT]
# log(s) watched by the test jail; a glob, so every /var/log/test*.log is read
# (the test commands below append to /var/log/test.log and /var/log/test2.log)
test_logs = /var/log/test*.log
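# Filter for the test jail (presumably /etc/fail2ban/filter.d/testjail.conf,
# which is what "filter = testjail" in the jail definition resolves to).
[INCLUDES]
# common.conf provides __prefix_line (timestamp / host / daemon prefix)
before = common.conf
[Definition]
# daemon name that common.conf places in __prefix_line; matches the
# "test:" token written by the test commands below
_daemon = test
# A failregex MUST contain a <HOST> capture: fail2ban rejects a failregex
# without a host/IP group ("No failure-id group"), so the jail never loads
# and nothing is ever banned. The test line ends in "test IP: 192.168.1.15",
# so the capture goes right after "test IP: ".
failregex = ^%(__prefix_line)s.*fail2ban([ \d]*)?test IP: <HOST>.*$
# nothing is exempted; an explicit empty value keeps the filter self-describing
ignoreregex =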
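# Jail definition for the test jail (presumably /etc/fail2ban/jail.local or a
# jail.d/*.local drop-in). NOTE: keys under [DEFAULT] here apply to EVERY jail
# on the host, not only to [testjail].
[INCLUDES]
# paths-test.conf defines test_logs (and itself includes paths-common.conf)
before = paths-test.conf
[DEFAULT]
# seconds: a ban lasts one day, and maxretry is counted over a one-day window
bantime = 86400
findtime = 86400
# ban, then e-mail whois output plus the matching log lines ("mwl").
# The second line is a continuation and MUST stay indented; without the
# indent configparser treats it as a malformed key and the file fails to load.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action = %(action_mwl)s
[testjail]
enabled = true
# "dummy" only writes to /var/run/fail2ban/fail2ban.dummy and never blocks
# anything. It is scoped to this jail on purpose: placed under [DEFAULT] it
# would silently turn off real banning for every other jail in this file.
banaction = dummy
port = ssh
logpath = %(test_logs)s
filter = testjail
# two matching lines within findtime trigger the action
maxretry = 2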
Testing:
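# Dry-run the filter against a sample line before touching the daemon:
# fail2ban-regex reports whether failregex matches and which host it extracted.
# (filter = testjail presumably resolves to filter.d/testjail.conf)
line="$(date +'%b %d %T') $(hostname) test: fail2ban 1 test IP: 192.168.1.15"
fail2ban-regex "$line" /etc/fail2ban/filter.d/testjail.conf
# Load the new jail/filter. `fail2ban-client reload` re-reads the configuration
# without a full service restart and is the gentler option once the jail exists
# (see the "Reload action without full service restart?" link below).
systemctl restart fail2ban
# maxretry = 2: two matching lines within findtime are needed to trigger the
# action; both files are covered by the /var/log/test*.log glob.
echo "$line" >> /var/log/test2.log
echo "$line" >> /var/log/test.log
# confirm the hit: "Currently banned" should list 192.168.1.15
fail2ban-client status testjail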
===== Save custom config =====
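# Copy every *.local override below /etc/fail2ban into $destination, keeping
# the /etc/fail2ban/... path (rsync --files-from implies --relative).
destination=/root/temp/fail2ban.local
mkdir -p "$destination"
# -print0 / --from0: NUL-delimited list, so unusual file names cannot break it.
# Only *.local is collected: a custom filter saved as filter.d/<name>.conf
# (e.g. the testjail filter above, if stored under that name) is NOT included.
find /etc/fail2ban -type f -name "*.local" -print0 \
    | rsync -av --from0 --files-from=- / "$destination"/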
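# Same thing against a remote host: list the overrides over ssh, then pull
# them with rsync, keeping the path relative to /etc/fail2ban (-R).
host=host.example.com; port=22; id=~/.ssh/identity; dest=./
# Use one account for both the listing and the transfer: the original logged
# in as root@ for ssh but gave no user to rsync, which then uses the local
# user name. Root is only needed if the files are not readable otherwise.
user=root
ssh -p "$port" -i "$id" "$user@$host" 'cd /etc/fail2ban && find . -type f -name "*.local" -print0' \
    | rsync -e "ssh -p $port -i $id" -avi -R --from0 --files-from=- "$user@$host:/etc/fail2ban/" "$dest/fail2ban/$host/"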
===== Unban =====
## Root-shell transcript ("# " is the prompt): unban one address from one jail
## and verify against the kernel ipset. The set is named "f2b" rather than the
## usual f2b-<jail>, so the banaction in use presumably shares one set across
## jails; check your own banaction before copying these set names.
# ip=194.230.155.162
# jail=dovecot # from "Subject: [Fail2Ban] dovecot: banned 194.230.155.162 ..."
## set names only, to find the one fail2ban populates
# ipset -n list
...
f2b
...
## confirm the entry ("timeout" = seconds of ban remaining). A bare grep treats
## "." as any character; grep -Fw "$ip" would not match a longer address.
# ipset list f2b | grep $ip
194.230.155.162 timeout 77556
## unban through the daemon, not with "ipset del": that runs the action's
## unban hook and keeps fail2ban's own ban list in agreement with the kernel.
## -v -v only makes the client print its config loading, as seen below.
# fail2ban-client -v -v set $jail unbanip $ip
INFO Loading configs for fail2ban under /etc/fail2ban
DEBUG Reading configs for fail2ban under /etc/fail2ban
DEBUG Reading config files: /etc/fail2ban/fail2ban.conf
INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
INFO Loading files: ['/etc/fail2ban/fail2ban.conf']
INFO Using socket file /var/run/fail2ban/fail2ban.sock
DEBUG OK : '194.230.155.162'
DEBUG Beautify '194.230.155.162' with ['set', 'dovecot', 'unbanip', '194.230.155.162']
194.230.155.162
## no output: the entry is gone from the set
# ipset list f2b | grep $ip
===== Miscellaneous =====
* [[https://sourceforge.net/p/fail2ban/mailman/message/36707260/ | Fail2ban-users: Reload action without full service restart?]]
* [[https://github.com/fail2ban/fail2ban/issues/976 | Multiple Logpaths prevent starting when action_mwl is used · Issue #976]]
* [[https://github.com/fail2ban/fail2ban/issues/727 | action_mwl and multi logs breaks start up · Issue #727]]
{{tag>public linux}}