JAIL.CONF(5)             (November 2015)             JAIL.CONF(5)

          jail.conf - configuration for the fail2ban server

          fail2ban.conf fail2ban.d/*.conf fail2ban.local

          jail.conf jail.d/*.conf jail.local jail.d/*.local

          action.d/*.conf action.d/*.local action.d/*.py

          filter.d/*.conf filter.d/*.local

          Fail2ban has four configuration file types:

               Fail2Ban global configuration (such as logging)

               Filters specifying how to detect authentication fail-

               Actions defining the commands for banning and unbanning
               of IP address

               Jails defining combinations of Filters with Actions.

          *.conf files are distributed by Fail2Ban.  It is recommended
          that *.conf files should remain unchanged to ease upgrades.
          If needed, customizations should be provided in *.local
          files.  For example, if you would like to enable the [ssh-
          iptables-ipset] jail specified in jail.conf, create
          jail.local containing


               enabled = true

          In .local files specify only the settings you would like to

     Page 1                      Fail2Ban            (printed 5/26/22)

     JAIL.CONF(5)             (November 2015)             JAIL.CONF(5)

          change and the rest of the configuration will then come from
          the corresponding .conf file which is parsed first.

          jail.d/ and fail2ban.d/

               In addition to .local, for jail.conf or fail2ban.conf
               file there can be a corresponding .d/ directory con-
               taining additional .conf files. The order e.g. for jail
               configuration would be:

               jail.d/*.conf (in alphabetical order)
               jail.d/*.local (in alphabetical order).

               i.e. all .local files are parsed after .conf files in
               the original configuration file and files under .d
               directory.  Settings in the file parsed later take
               precedence over identical entries in previously parsed
               files.  Files are ordered alphabetically, e.g.

               fail2ban.d/01_custom_log.conf - to use a different log
               jail.d/01_enable.conf - to enable a specific jail
               jail.d/02_custom_port.conf - to change the port(s) of a

          Configuration files have sections, those specified with
          [section name], and name = value pairs. For those name items
          that can accept multiple values, specify the values sepa-
          rated by spaces, or in separate lines space indented at the
          beginning of the line before the second value.

          Configuration files can include other (defining common vari-
          ables) configuration files, which is often used in Filters
          and Actions. Such inclusions are defined in a section called

               indicates that the specified file is to be parsed
               before the current file.

               indicates that the specified file is to be parsed after
               the current file.

          Using Python "string interpolation" mechanisms, other defi-
          nitions are allowed and can later be used within other defi-
          nitions as %(name)s.

     Page 2                      Fail2Ban            (printed 5/26/22)

     JAIL.CONF(5)             (November 2015)             JAIL.CONF(5)

          Fail2ban has more advanced syntax (similar python extended
          interpolation). This extended interpolation is using
          %(section/parameter)s to denote a value from a foreign sec-
          Besides cross section interpolation the value of parameter
          in [DEFAULT] section can be retrieved with
          Fail2ban supports also another feature named
          %(known/parameter)s (means last known option with name
          parameter). This interpolation makes possible to extend a
          stock filter or jail regexp in .local file (opposite to sim-
          ply set failregex/ignoreregex that overwrites it), e.g.

          baduseragents = IE|wget|%(my-settings/baduseragents)s
          failregex = %(known/failregex)s

          Additionally to interpolation %(known/parameter)s, that does
          not works for filter/action init parameters, an interpola-
          tion tag <known/parameter> can be used (means last known
          init definition of filters or actions with name parameter).
          This interpolation makes possible to extend a parameters of
          stock filter or action directly in jail inside
          jail.conf/jail.local file without creating a separately
          filter.d/*.local file, e.g.

          # filter.d/test.conf:
          test.method = GET
          baduseragents = IE|wget
          failregex = ^%(__prefix_line)\s+"<test.method>"\s+test\s+regexp\s+-\s+useragent=(?:<baduseragents>)

          # jail.local:
          # use filter "test", overwrite method to "POST" and extend known bad agents with "badagent":
          filter = test[test.method=POST, baduseragents="badagent|<known/baduseragents>"]

          Comments: use '#' for comment lines and '; ' (space is
          important) for inline comments. When using Python2.X, '; '
          can only be used on the first line due to an Python library

     FAIL2BAN CONFIGURATION FILE(S) (fail2ban.conf)
          The items that can be set in section [Definition] are:

               verbosity level of log output: CRITICAL, ERROR, WARN-
               corresponding numeric value (50-5). Default: INFO
               (equal 20)

     Page 3                      Fail2Ban            (printed 5/26/22)

     JAIL.CONF(5)             (November 2015)             JAIL.CONF(5)

               log target: filename, SYSLOG, STDERR or STDOUT.
               Default: STDOUT if not set in
               Note. If fail2ban running as systemd-service, for log-
               ging to the systemd-journal, the logtarget could be set
               to STDOUT
               Only a single log target can be specified.  If you
               change logtarget from the default value and you are
               using logrotate -- also adjust or disable rotation in
               the corresponding configuration file (e.g.
               /etc/logrotate.d/fail2ban on Debian systems).

               socket filename.  Default:
               This is used for communication with the fail2ban server
               daemon. Do not remove this file when Fail2ban is run-
               ning. It will not be possible to communicate with the
               server afterwards.

               PID filename.  Default: /var/run/fail2ban/fail2ban.pid
               This is used to store the process ID of the fail2ban

               Database filename. Default:
               This defines where the persistent data for fail2ban is
               stored. This persistent data allows bans to be rein-
               stated and continue reading log files from the last
               read position when fail2ban is restarted. A value of
               None disables this feature.

               Max number of matches stored in database per ticket.
               Default: 10
               This option sets the max number of matched log-lines
               could be stored per ticket in the database. This also
               affects values resolvable via tags <ipmatches> and
               <ipjailmatches> in actions.

               Database purge age in seconds. Default: 86400 (24hours)
               This sets the age at which bans should be purged from
               the database.

          The config parameters of section [Thread] are:


     Page 4                      Fail2Ban            (printed 5/26/22)

     JAIL.CONF(5)             (November 2015)             JAIL.CONF(5)

          Stack size of each thread in fail2ban. Default: 0 (platform
          or configured default)
          This specifies the stack size (in KiB) to be used for subse-
          quently created threads, and must be 0 or a positive integer
          value of at least 32.

          The following options are applicable to any jail. They
          appear in a section specifying the jail name or in the
          [DEFAULT] section which defines default values to be used if
          not specified in the individual section.

               name of the filter -- filename of the filter in
               /etc/fail2ban/filter.d/ without the .conf/.local exten-
               Only one filter can be specified.

               filename(s) of the log files to be monitored, separated
               by new lines.
               Globs -- paths containing * and ? or [0-9] -- can be
               used however only the files that exist at start up
               matching this glob pattern will be considered.

               Optional space separated option 'tail' can be added to
               the end of the path to cause the log file to be read
               from the end, else default 'head' option reads file
               from the beginning

               Ensure syslog or the program that generates the log
               file isn't configured to compress repeated log messages
               to "*last message repeated 5 time*s" otherwise it will
               fail to detect. This is called RepeatedMsgReduction in
               rsyslog and should be Off.

               encoding of log files used for decoding. Default value
               of "auto" uses current system locale.

               Force the time zone for log lines that don't have one.

               If this option is not specified, log lines from which
               no explicit time zone has been found are interpreted by
               fail2ban in its own system time zone, and that may turn
               to be inappropriate. While the best practice is to con-
               figure the monitored applications to include explicit
               offsets, this option is meant to handle cases where
               that is not possible.

     Page 5                      Fail2Ban            (printed 5/26/22)

     JAIL.CONF(5)             (November 2015)             JAIL.CONF(5)

               The supported time zones in this option are those with
               fixed offset: Z, UTC[+-]hhmm (you can also use GMT as
               an alias to UTC).

               This option has no effect on log lines on which an
               explicit time zone has been found.  Examples:

                       logtimezone = UTC
                       logtimezone = UTC+0200
                       logtimezone = GMT-0100

               banning action (default iptables-multiport) typically
               specified in the [DEFAULT] section for all jails.
               This parameter will be used by the standard substitu-
               tion of action and can be redefined central in the
               [DEFAULT] section inside jail.local (to apply it to all
               jails at once) or separately in each jail, where this
               substitution will be used.

               the same as banaction but for some "allports" jails
               like "pam-generic" or "recidive" (default iptables-

               action(s) from /etc/fail2ban/action.d/ without the
               .conf/.local extension.
               Arguments can be passed to actions to override the
               default values from the [Init] section in the action
               file. Arguments are specified by:


               Values can also be quoted (required when value includes
               a ","). More that one action can be specified (in sepa-
               rate lines).

               boolean value (default true) indicates the banning of
               own IP addresses should be prevented

               list of IPs not to ban. They can include a DNS resp.
               CIDR mask too. The option affects additionally to
               ignoreself (if true) and don't need to contain own DNS
               resp. IPs of the running host.

               command that is executed to determine if the current
               candidate IP for banning (or failure-ID for raw IDs)

     Page 6                      Fail2Ban            (printed 5/26/22)

     JAIL.CONF(5)             (November 2015)             JAIL.CONF(5)

               should not be banned. The option affects additionally
               to ignoreself and ignoreip and will be first executed
               if both don't hit.
               IP will not be banned if command returns successfully
               (exit code 0).  Like ACTION FILES, tags like <ip> are
               can be included in the ignorecommand value and will be
               substituted before execution.

               provide cache parameters (default disabled) for ignore
               failure check (caching of the result from `ignoreip`,
               `ignoreself` and `ignorecommand`), syntax:

                       ignorecache = key="<F-USER>@<ip-host>", max-count=100, max-time=5m
                       ignorecommand = if [ "<F-USER>" = "technical" ] && [ "<ip-host>" = "my-host.example.com" ]; then exit 0; fi;
                                       exit 1
               This will cache the result of ignorecommand (does not
               call it repeatedly) for 5 minutes (cache time) for max-
               imal 100 entries (cache size), using values substituted
               like "user@host" as cache-keys.  Set option ignorecache
               to empty value disables the cache.

               effective ban duration (in seconds or time abbreviation

               time interval (in seconds or time abbreviation format)
               before the current time where failures will count
               towards a ban.

               number of failures that have to occur in the last find-
               time seconds to ban then IP.

               backend to be used to detect changes in the logpath.
               It defaults to "auto" which will try "pyinotify",
               "gamin", "systemd" before "polling". Any of these can
               be specified. "pyinotify" is only valid on Linux sys-
               tems with the "pyinotify" Python libraries. "gamin"
               requires the "gamin" libraries.

               use DNS to resolve HOST names that appear in the logs.
               By default it is "warn" which will resolve hostnames to
               IPs however it will also log a warning. If you are
               using DNS here you could be blocking the wrong IPs due
               to the asymmetric nature of reverse DNS (that the
               application used to write the domain name to log) com-
               pared to forward DNS that fail2ban uses to resolve this
               back to an IP (but not necessarily the same one).

     Page 7                      Fail2Ban            (printed 5/26/22)

     JAIL.CONF(5)             (November 2015)             JAIL.CONF(5)

               Ideally you should configure your applications to log a
               real IP. This can be set to "yes" to prevent warnings
               in the log or "no" to disable DNS resolution altogether
               (thus ignoring entries where hostname, not an IP is

               regex (Python regular expression) to parse a common
               part containing in every message (see prefregex in sec-
               tion FILTER FILES for details).

               regex (Python regular expression) to be added to the
               filter's failregexes (see failregex in section FILTER
               FILES for details). If this is useful for others using
               your application please share you regular expression
               with the fail2ban developers by reporting an issue (see
               REPORTING BUGS below).

               regex which, if the log line matches, would cause
               Fail2Ban not consider that line.  This line will be
               ignored even if it matches a failregex of the jail or
               any of its filters.

               max number of matched log-lines the jail would hold in
               memory per ticket. By default it is the same value as
               maxretry of jail (or default).  This option also
               affects values resolvable via tag <matches> in actions.

          Available options are listed below.

               requires pyinotify (a file alteration monitor) to be
               installed. If pyinotify is not installed, Fail2ban will
               use auto.

               requires Gamin (a file alteration monitor) to be
               installed. If Gamin is not installed, Fail2ban will use

               uses a polling algorithm which does not require exter-
               nal libraries.

               uses systemd python library to access the systemd jour-
               nal. Specifying logpath is not valid for this backend

     Page 8                      Fail2Ban            (printed 5/26/22)

     JAIL.CONF(5)             (November 2015)             JAIL.CONF(5)

               and instead utilises journalmatch from the jails asso-
               ciated filter config. Multiple systemd-specific flags
               can be passed to the backend, including journalpath and
               journalfiles, to explicitly set the path to a directory
               or set of files. journalflags, which by default is 4
               and excludes user session files, can be set to include
               them with journalflags=1, see the python-systemd docu-
               mentation for other settings and further details. Exam-

               backend = systemd[journalpath=/run/log/journal/machine-1]
               backend = systemd[journalfiles="/path/to/system.journal, /path/to/user.journal"]
               backend = systemd[journalflags=1]

          Each jail can be configured with only a single filter, but
          may have multiple actions. By default, the name of a action
          is the action filename, and in the case of Python actions,
          the ".py" file extension is stripped. Where multiple of the
          same action are to be used, the actname option can be
          assigned to the action to avoid duplication e.g.:

          enabled = true
          action = smtp.py[dest=chris@example.com, actname=smtp-chris]
                   smtp.py[dest=sally@example.com, actname=smtp-sally]

          The time entries in fail2ban configuration (like findtime or
          bantime) can be provided as integer in seconds or as string
          using special abbreviation format (e. g. 600 is the same as

          Abbreviation tokens:

               years?, yea?, yy?
               months?, mon?
               weeks?, wee?, ww?
               days?, da, dd?
               hours?, hou?, hh?
               minutes?, min?, mm?
               seconds?, sec?, ss?

               The question mark (?) means the optional character, so day as well as days can be used.

          You can combine multiple tokens in format (separated with
          space resp. without separator), e. g.: 1y 6mo or 1d12h30m.
          Note that tokens m as well as mm means minutes, for month
          use abbreviation mo or mon.

     Page 9                      Fail2Ban            (printed 5/26/22)

     JAIL.CONF(5)             (November 2015)             JAIL.CONF(5)

          The time format can be tested using fail2ban-client:

               fail2ban-client --str2sec 1d12h

     ACTION CONFIGURATION FILES (action.d/*.conf)
          Action files specify which commands are executed to ban and
          unban an IP address.

          Like with jail.conf files, if you desire local changes cre-
          ate an [actionname].local file in the /etc/fail2ban/action.d
          directory and override the required settings.

          Action files have two sections, Definition and Init .

          The [Init] section enables action-specific settings. In
          jail.conf/jail.local these can be overridden for a particu-
          lar jail as options of the action's specification in that

          The following commands can be present in the [Definition]

               command(s) executed when the jail starts.

               command(s) executed when the jail stops.

               command(s) ran before any other action. It aims to ver-
               ify if the environment is still ok.

               command(s) that bans the IP address after maxretry log
               lines matches within last findtime seconds.

               command(s) that unbans the IP address after bantime.

          The [Init] section allows for action-specific settings. In
          jail.conf/jail.local these can be overwritten for a particu-
          lar jail as options to the jail. The following are special
          tags which can be set in the [Init] section:

               The maximum period of time in seconds that a command
               can executed, before being killed.

          Commands specified in the [Definition] section are executed
          through a system shell so shell redirection and process con-
          trol is allowed. The commands should return 0, otherwise

     Page 10                     Fail2Ban            (printed 5/26/22)

     JAIL.CONF(5)             (November 2015)             JAIL.CONF(5)

          error would be logged.  Moreover if actioncheck exits with
          non-0 status, it is taken as indication that firewall status
          has changed and fail2ban needs to reinitialize itself (i.e.
          issue actionstop and actionstart commands).  Tags are
          enclosed in <>.  All the elements of [Init] are tags that
          are replaced in all action commands.  Tags can be added by
          the fail2ban-client using the "set <JAIL> action <ACT>" com-
          mand. <br> is a tag that is always a new line (\n).

          More than a single command is allowed to be specified. Each
          command needs to be on a separate line and indented with
          whitespace(s) without blank lines. The following example
          defines two commands to be executed.

           actionban = iptables -I fail2ban-<name> --source <ip> -j
                       echo ip=<ip>, match=<match>, time=<time> >>

        Action Tags
          The following tags are substituted in the actionban, actio-
          nunban and actioncheck (when called before
          actionban/actionunban) commands.

          ip   IPv4 IP address to be banned. e.g.

               number of times the failure occurred in the log file.
               e.g. 3

               As per failures, but total of all failures for that ip
               address across all jails from the fail2ban persistent
               database. Therefore the database must be set for this
               tag to function.

               As per ipfailures, but total based on the IPs failures
               for the current jail.

          time UNIX (epoch) time of the ban. e.g. 1357508484

               concatenated string of the log file lines of the
               matches that generated the ban. Many characters inter-
               preted by shell get escaped to prevent injection, nev-
               ertheless use with caution.

               As per matches, but includes all lines for the IP which
               are contained with the fail2ban persistent database.

     Page 11                     Fail2Ban            (printed 5/26/22)

     JAIL.CONF(5)             (November 2015)             JAIL.CONF(5)

               Therefore the database must be set for this tag to

               As per ipmatches, but matches are limited for the IP
               and for the current jail.

          Python based actions can also be used, where the file name
          must be [actionname].py. The Python file must contain a
          variable Action which points to Python class. This class
          must implement a minimum interface as described by
          fail2ban.server.action.ActionBase, which can be inherited
          from to ease implementation.

     FILTER FILES (filter.d/*.conf)
          Filter definitions are those in
          /etc/fail2ban/filter.d/*.conf and filter.d/*.local.

          These are used to identify failed authentication attempts in
          log files and to extract the host IP address (or hostname if
          usedns is true).

          Like action files, filter files are ini files. The main sec-
          tion is the [Definition] section.

          There are several standard filter definitions used in the
          [Definition] section:

               is the regex (regular expression) to parse a common
               part containing in every message, which is applied
               after datepattern found a match, before the search for
               any failregex or ignoreregex would start.
               If this regex doesn't match the process is starting
               immediately with next message and search for any fail-
               regex does not occur.
               If prefregex contains <F-CONTENT>...</F-CONTENT>, the
               part of message enclosed between this tags will be
               extracted and herafter used as whole message for search
               with failregex or ignoreregex.

               For example:
                       prefregex = ^%(__prefix_line)s (?:ERROR|FAILURE) <F-CONTENT>.+</F-CONTENT>$
                       failregex = ^user not found
                                   ^authentication failed
                                   ^unknown authentication method

               You can use prefregex in order to:

     Page 12                     Fail2Ban            (printed 5/26/22)

     JAIL.CONF(5)             (November 2015)             JAIL.CONF(5)

                    - specify 1 common regex to match some common part
                    present in every messages (do avoid unneeded match
                    in every failregex if you have more as one);

                    - to cut some interesting part of message only (to
                    simplify failregex) enclosed between tags <F-
                    CONTENT> and </F-CONTENT>;

                    - to gather some failure identifier (e. g. some
                    prefix matched by <F-MLFID>...<F-MLFID/> tag) to
                    identify several messages belonging to same ses-
                    sion, where a connect message containing IP fol-
                    lowed by failure message(s) that are not contain
                    IP; this provides a new multi-line parsing method
                    as replacement for old (slow an ugly) multi-line
                    parsing using buffering window (maxlines > 1 and

                    - to ignore some wrong, too long or even unneeded
                    messages (a.k.a. parasite log traffic) which can
                    be also present in journal, before failregex
                    search would take place.

               is the regex (regular expression) that will match
               failed attempts. The standard replacement tags can be
               used as part of the regex:

                    <HOST> - common regex for IP addresses and host-
                    names (if usedns is enabled). Fail2Ban will work
                    out which one of these it actually is.

                    <ADDR> - regex for IP addresses (both families).

                    <IP4> - regex for IPv4 addresses.

                    <IP6> - regex for IPv6 addresses (also IP enclosed
                    in brackets).

                    <DNS> - regex to match hostnames.

                    <CIDR> - helper regex to match CIDR (simple inte-
                    ger form of net-mask).

                    <SUBNET> - regex to match sub-net adresses (in
                    form of IP/CIDR, also single IP is matched, so
                    part /CIDR is optional).

               NOTE: the failregex will be applied to the remaining
               part of message after prefregex processing (if speci-
               fied), which in turn takes place after datepattern

     Page 13                     Fail2Ban            (printed 5/26/22)

     JAIL.CONF(5)             (November 2015)             JAIL.CONF(5)

               processing (whereby the string of timestamp matching
               the best pattern, cut out from the message).

               For multiline regexs (parsing with maxlines greater
               that 1) the tag <SKIPLINES> can be used to separate
               lines. This allows lines between the matched lines to
               continue to be searched for other failures. The tag can
               be used multiple times.
               This is an obsolete handling and if the lines contain
               some common identifier, better would be to use new han-
               dling (with tags <F-MLFID>...<F-MLFID/>).

               is the regex to identify log entries that should be
               ignored by Fail2Ban, even if they match failregex.

               specifies the maximum number of lines to buffer to
               match multi-line regexs. For some log formats this will
               not required to be changed. Other logs may require to
               increase this value if a particular log file is fre-
               quently written to.

               specifies a custom date pattern/regex as an alternative
               to the default date detectors e.g. %%Y-%%m-%%d
               %%H:%%M(?::%%S)?.  For a list of valid format direc-
               tives, see Python library documentation for strptime
               NOTE: due to config file string substitution, that %'s
               must be escaped by an % in config files.
               Also, special values of Epoch (UNIX Timestamp), TAI64N
               and ISO8601 can be used as datepattern.
               Normally the regexp generated for datepattern addition-
               ally gets word-start and word-end boundaries to avoid
               accidental match inside of some word in a message.
               There are several prefixes and words with special mean-
               ing that could be specified with custom datepattern to
               control resulting regex:

                    {DEFAULT} - can be used to add default date pat-
                    terns of fail2ban.

                    {DATE} - can be used as part of regex that will be
                    replaced with default date patterns.

                    {^LN-BEG} - prefix (similar to ^) changing word-
                    start boundary to line-start boundary (ignoring up
                    to 2 characters). If used as value (not as a pre-
                    fix), it will also set all default date patterns

     Page 14                     Fail2Ban            (printed 5/26/22)

     JAIL.CONF(5)             (November 2015)             JAIL.CONF(5)

                    (similar to {DEFAULT}), but anchored at begin of
                    message line.

                    {UNB} - prefix to disable automatic word bound-
                    aries in regex.

                    {NONE} - value would allow to find failures
                    totally without date-time in log message. Filter
                    will use now as a timestamp (or last known times-
                    tamp from previous line with timestamp).

               specifies the systemd journal match used to filter the
               journal entries. See journalctl(1) and
               systemd.journal-fields(7) for matches syntax and more
               details on special journal fields. This option is only
               valid for the systemd backend.

          Similar to actions, filters may have an [Init] section also
          (optional since v.0.10). All parameters of both sections
          [Definition] and [Init] can be overridden (redefined or
          extended) in jail.conf or jail.local (or in related
          filter.d/filter-name.local).  Every option supplied in the
          jail to the filter overwrites the value specified in [Init]
          section, which in turm would overwrite the value in [Defini-
          tion] section.  Besides the standard settings of filter both
          sections can be used to initialize filter-specific options.

          Filters can also have a section called [INCLUDES]. This is
          used to read other configuration files.

               indicates that this file is read before the [Defini-
               tion] section.

               indicates that this file is read after the [Definition]

          Fail2ban was originally written by Cyril Jaquier
          <cyril.jaquier@fail2ban.org>.  At the moment it is main-
          tained and further developed by Yaroslav O. Halchenko
          <debian@onerussian.com>, Daniel Black
          <daniel.subs@internode.on.net> and Steven Hiscocks <steven-
          fail2ban@hiscocks.me.uk> along with a number of contribu-
          tors.  See THANKS file shipped with Fail2Ban for a full
          list.  Manual page written by Daniel Black and Yaroslav Hal-

     Page 15                     Fail2Ban            (printed 5/26/22)

     JAIL.CONF(5)             (November 2015)             JAIL.CONF(5)

          Report bugs to https://github.com/fail2ban/fail2ban/issues

          Copyright c 2013 the Fail2Ban Team
          Copyright of modifications held by their respective authors.
          Licensed under the GNU General Public License v2 (GPL) or
          (at your option) any later version.


     Page 16                     Fail2Ban            (printed 5/26/22)