Difference between revisions of "FEATURE Split config"

From Fail2ban

Latest revision as of 03:20, 10 February 2017

Split configuration file

Fail2ban had a single (monolithic) configuration file, /etc/fail2ban.conf, until 0.7.0. This file became quite lengthy because it held several kinds of parameters: general settings, mail settings, section settings, etc. The proposal was to split this one file into several. Since the split, fail2ban-client reads the configuration files and sends the corresponding commands to the running fail2ban-server, so the server daemon itself knows nothing about the configuration files.


Every configuration file will be stored in the /etc/fail2ban directory.

  • /etc/fail2ban/fail2ban.conf (file) will contain the general settings.
  • /etc/fail2ban/jails.conf (file) will contain the jail definitions; each jail pairs one filter with one or more actions. A jail's actions are triggered when its filter matches maxfailures times within findtime seconds for the same host.
  • /etc/fail2ban/filter.d (dir) will contain the filter settings. A filter is primarily a failregex option. No timeregex should be necessary, because the date format of a log line is guessed from a set of known formats; if a log's date format is not recognised, add a timeregex as before (pre 0.7).
    • /etc/fail2ban/filter.d/sshd.conf (file) will contain filter settings for OpenSSH server.
    • /etc/fail2ban/filter.d/apache-auth.conf (file) will contain filter settings for Apache authentication.
  • /etc/fail2ban/action.d (dir) will contain the action settings, i.e. how to react once a filter has matched the number of times specified in jails.conf (see above).
    • /etc/fail2ban/action.d/iptables.conf (file) will contain the settings for banning an IP address using Netfilter/iptables.
    • /etc/fail2ban/action.d/hosts.conf (file) will contain the settings for banning an IP address using TCP Wrappers (hosts.deny).

The following ideas are not yet implemented:

  • /etc/fail2ban/pattern.d (dir) will contain regular expression templates.
    • /etc/fail2ban/pattern.d/standard-date.conf (file) will contain a regular expression matching a standard date format.
  • /etc/fail2ban/filter.d (dir): the filter files in this directory could then reuse the templates in /etc/fail2ban/pattern.d.

Localization

Any configuration change should be made in a file.local file rather than in file.conf. The file.conf is read first, then the matching file.local, so settings in .local override those in .conf. This avoids conflicts between user and package settings when a package upgrade replaces file.conf. A .local file only needs to carry the section headers and the keys it overrides; every other key keeps the value from .conf.
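To make the layered read concrete, here is an added Python example (not fail2ban's own code; Python is used because fail2ban itself is written in it). It builds a scratch copy of the split layout, reads jails.conf and then jails.local the way the Localization section describes, pulls the filter's failregex from filter.d, and applies the jail's maxfailures/findtime rule from the directory list above to a few sshd-style log lines. The file contents, log lines and IP addresses are constructed for the example; the file name jails.conf follows this page (current fail2ban releases ship jail.conf and call maxfailures maxretry). The example serves both the directory-layout list and the .local override paragraph.

```python
import configparser
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Constructed stand-in for the split layout under /etc/fail2ban: a jails file
# (the page's name; shipped fail2ban uses jail.conf), its .local override and
# one filter in filter.d. Illustrative files, not fail2ban's own.
FILES = {
    "jails.conf": """[sshd]
enabled = false
filter = sshd
action = iptables
maxfailures = 5
findtime = 600
""",
    # Only the keys being overridden; everything else stays as in jails.conf.
    "jails.local": """[sshd]
enabled = true
maxfailures = 3
""",
    "filter.d/sshd.conf": r"""[Definition]
failregex = Failed password for (invalid user )?\S+ from <HOST> port \d+
""",
}

# Constructed sshd-style log lines with a fixed "YYYY-MM-DD HH:MM:SS" prefix.
LOG = """\
2017-02-10 03:20:01 sshd[4711]: Failed password for root from 203.0.113.5 port 51022 ssh2
2017-02-10 03:20:07 sshd[4711]: Failed password for invalid user admin from 203.0.113.5 port 51030 ssh2
2017-02-10 03:20:12 sshd[4712]: Accepted publickey for deploy from 192.0.2.10 port 40100 ssh2
2017-02-10 03:20:15 sshd[4713]: Failed password for root from 203.0.113.5 port 51041 ssh2
2017-02-10 03:21:00 sshd[4714]: Failed password for root from 198.51.100.7 port 60001 ssh2
2017-02-10 03:33:00 sshd[4715]: Failed password for root from 198.51.100.7 port 60002 ssh2
2017-02-10 03:45:00 sshd[4716]: Failed password for root from 198.51.100.7 port 60003 ssh2
"""

DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")


def write_tree(root: Path) -> None:
    """Materialise FILES under a scratch directory standing in for /etc/fail2ban."""
    for rel, body in FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)


def load_layered(directory: Path, name: str) -> configparser.ConfigParser:
    """Read name.conf, then name.local on top: a key set in both keeps the .local
    value, a key only in .conf keeps the packaged default, and a missing .local
    is skipped (ConfigParser.read ignores absent files)."""
    parser = configparser.ConfigParser(interpolation=None)  # fail2ban has its own %(..)s scheme
    parser.read([directory / f"{name}.conf", directory / f"{name}.local"])
    return parser


def find_bans(lines, failregex: str, maxfailures: int, findtime: int) -> list:
    """Apply a filter's failregex and return hosts that reached maxfailures
    matches inside a sliding findtime window, in the order they crossed it."""
    host_re = re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))
    window = timedelta(seconds=findtime)
    recent = {}   # host -> timestamps of failures still inside the window
    banned = []
    for line in lines:
        date_m, fail_m = DATE_RE.match(line), host_re.search(line)
        if not (date_m and fail_m):
            continue                      # not a failure line (or undated)
        ts = datetime.strptime(date_m.group(1), "%Y-%m-%d %H:%M:%S")
        host = fail_m.group("host")
        if host in banned:
            continue
        hits = [t for t in recent.get(host, []) if ts - t < window] + [ts]
        recent[host] = hits
        if len(hits) >= maxfailures:
            banned.append(host)
    return banned


def run_example() -> dict:
    """Load the layered jail + filter config and evaluate LOG against it, once
    with the packaged jails.conf values alone and once with .local applied."""
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        write_tree(root)
        packaged = configparser.ConfigParser(interpolation=None)
        packaged.read(root / "jails.conf")
        jail = load_layered(root, "jails")["sshd"]
        flt = load_layered(root / "filter.d", jail["filter"])["Definition"]
        lines = LOG.splitlines()
        return {
            "enabled": jail.getboolean("enabled"),       # from .local
            "maxfailures": jail.getint("maxfailures"),   # from .local
            "findtime": jail.getint("findtime"),         # untouched .conf default
            "action": jail["action"],                    # untouched .conf default
            "banned_conf_only": find_bans(lines, flt["failregex"],
                                          packaged.getint("sshd", "maxfailures"),
                                          packaged.getint("sshd", "findtime")),
            "banned_effective": find_bans(lines, flt["failregex"],
                                          jail.getint("maxfailures"),
                                          jail.getint("findtime")),
        }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key:18} {value}")
```

With the packaged threshold of 5 nothing is banned; after jails.local lowers maxfailures to 3, 203.0.113.5 (three failures in 14 seconds) is banned while 198.51.100.7 (three failures twelve minutes apart, outside the 600-second findtime) is not, and the "Accepted publickey" line never matches the failregex. The same layering applies to every file pair in the tree, which is why the example reads filter.d/sshd.conf through the same load_layered function.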