Difference between revisions of "FEATURE Split config"

From Fail2ban
(Undo revision 4504 by Mary81 (talk))
Line 1: Line 1:
 
== Split configuration file ==
 
== Split configuration file ==
  
{{Fail2ban}} has a single (atomic) configuration file <tt>/etc/fail2ban.conf</tt> until 0.7.0. This file became quite lengthy since it keeps several kind of parameters: general settings, mail settings, section settings, etc. The proposal is to split this configuration file into several ones. fail2ban-client would process config files and provide respective commands to running fail2ban-server. So the server knows nothing about config files.
+
{{Fail2ban}} had a single (atomic) configuration file <tt>/etc/fail2ban.conf</tt> until 0.7.0. This file became quite lengthy since it held several kind of parameters: general settings, mail settings, section settings, etc. The proposal was to split this configuration file into several ones. Fail2ban-client now processes the config files and provides respective commands to running fail2ban-server. So the server daemon knows nothing about config files.
  
  
Every configuration files will be stored in the <tt>/etc/fail2ban</tt> directory.
+
Every configuration file will be stored in the <tt>/etc/fail2ban</tt> directory.
 
* <tt>/etc/fail2ban/fail2ban.conf</tt> (file) will contain the general settings.
 
* <tt>/etc/fail2ban/fail2ban.conf</tt> (file) will contain the general settings.
* <tt>/etc/fail2ban/jails.conf</tt> (file) will contain the jails definitions (one filter and one or more actions). Actions get triggered if filter matches maxfailures times within findtime
+
* <tt>/etc/fail2ban/jails.conf</tt> (file) will contain the jail definitions (one filter and one or more actions). Actions get triggered if filter matches maxfailures times within findtime.
* <tt>/etc/fail2ban/filter.d</tt> (dir) will contain the filter settings: primarily it is failregex option. No timeregex should be necessary - they are guessed from the set of known. If not recognized - please add it as before (pre 0.7)
+
* <tt>/etc/fail2ban/filter.d</tt> (dir) will contain the filter settings. This is primarily a failregex option. No timeregex should be necessary - they are guessed from the set of known. If not recognized - please add it as before (pre 0.7)
 
** <tt>/etc/fail2ban/filter.d/sshd.conf</tt> (file) will contain filter settings for OpenSSH server.
 
** <tt>/etc/fail2ban/filter.d/sshd.conf</tt> (file) will contain filter settings for OpenSSH server.
 
** <tt>/etc/fail2ban/filter.d/apache-auth.conf</tt> (file) will contain filter settings for Apache authentication.
 
** <tt>/etc/fail2ban/filter.d/apache-auth.conf</tt> (file) will contain filter settings for Apache authentication.
* <tt>/etc/fail2ban/action.d</tt> (dir) will contain the action settings, ie how to react if a specific filter was matched specified (look jails.conf above) number of times
+
* <tt>/etc/fail2ban/action.d</tt> (dir) will contain the action settings, i.e. how to react if a specific filter was matched specified (look jails.conf above) number of times
 
** <tt>/etc/fail2ban/action.d/iptables.conf</tt> (file) will contain the settings for banning an IP address using Netfilter/Iptables.
 
** <tt>/etc/fail2ban/action.d/iptables.conf</tt> (file) will contain the settings for banning an IP address using Netfilter/Iptables.
 
** <tt>/etc/fail2ban/action.d/hosts.conf</tt> (file) will contain the settings for banning an IP address using TCPWrapper.
 
** <tt>/etc/fail2ban/action.d/hosts.conf</tt> (file) will contain the settings for banning an IP address using TCPWrapper.
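Review bot: the reworded filter.d bullet still ends "they are guessed from the set of known" without saying known what, and the action.d bullet still reads "was matched specified (look jails.conf above) number of times"; suggest "how to react once a filter has matched the number of times specified in jails.conf (see above)". The first paragraph also keeps "several kind of parameters" where "kinds" is meant.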
Line 18: Line 18:
 
* <tt>/etc/fail2ban/filter.d</tt> (dir) : The files included in this directory can benefit from the templates in <tt>/etc/fail2ban/pattern.d</tt>.
 
* <tt>/etc/fail2ban/filter.d</tt> (dir) : The files included in this directory can benefit from the templates in <tt>/etc/fail2ban/pattern.d</tt>.
  
Any user change should be done in a <tt>''file''.local</tt> file instead of <tt>''file''.conf</tt>. First <tt>''file''.conf</tt> and then <tt>''file''.local</tt> are read. This way, settings in <tt>.local</tt> override <tt>.conf</tt>. This should avoid conflict between user and package settings when upgrading.
+
Any user change should be done in a <tt>''file''.local</tt> file instead of <tt>''file''.conf</tt>. .Conf files <tt>''file''.conf</tt> are ready first, and then <tt>''file''.local</tt> are read. This way, settings in <tt>.local</tt> override <tt>.conf</tt>. This should avoid conflicts between user and package settings when upgrading.
  
 
[[Category:Feature]]
 
[[Category:Feature]]
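Review bot: "are ready first" in the new last paragraph is a typo for "are read first", and ".Conf files <tt>''file''.conf</tt>" doubles up the subject; suggest "<tt>''file''.conf</tt> is read first, then <tt>''file''.local</tt>."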

Revision as of 04:17, 10 February 2017

Split configuration file

Fail2ban had a single (atomic) configuration file /etc/fail2ban.conf until 0.7.0. This file became quite lengthy since it held several kinds of parameters: general settings, mail settings, section settings, etc. The proposal was to split this configuration file into several ones. Fail2ban-client now processes the config files and sends the corresponding commands to the running fail2ban-server, so the server daemon knows nothing about config files.


Every configuration file will be stored in the /etc/fail2ban directory.

  • /etc/fail2ban/fail2ban.conf (file) will contain the general settings.
  • /etc/fail2ban/jails.conf (file) will contain the jail definitions (one filter and one or more actions). Actions get triggered if filter matches maxfailures times within findtime.
  • /etc/fail2ban/filter.d (dir) will contain the filter settings, primarily the failregex option. No timeregex should be necessary, since it is guessed from the set of known ones; if it is not recognized, add it as before (pre 0.7).
    • /etc/fail2ban/filter.d/sshd.conf (file) will contain filter settings for OpenSSH server.
    • /etc/fail2ban/filter.d/apache-auth.conf (file) will contain filter settings for Apache authentication.
  • /etc/fail2ban/action.d (dir) will contain the action settings, i.e. how to react once a specific filter has matched the number of times specified in jails.conf (see above).
    • /etc/fail2ban/action.d/iptables.conf (file) will contain the settings for banning an IP address using Netfilter/Iptables.
    • /etc/fail2ban/action.d/hosts.conf (file) will contain the settings for banning an IP address using TCPWrapper.

Parts of the idea not implemented

  • /etc/fail2ban/pattern.d (dir) will contain regular expression templates.
    • /etc/fail2ban/pattern.d/standard-date.conf (file) will contain a regular expression matching a standard date format.
  • /etc/fail2ban/filter.d (dir): the files in this directory can use the templates in /etc/fail2ban/pattern.d.

Any user change should be made in a file.local file instead of file.conf. file.conf is read first, then file.local, so settings in .local override those in .conf. This avoids conflicts between user and package settings when upgrading.
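As an added example (not part of the original wiki page or of fail2ban's own code), this Python sketch reproduces the two mechanisms described above: reading file.conf before file.local so that .local keys override, and triggering an action once a filter has matched maxfailures times within findtime. The jail section contents, key spellings and timestamps are constructed for illustration.

```python
import configparser
from typing import Dict, List

# Constructed sample of a packaged /etc/fail2ban/jails.conf (not a real shipped file).
JAILS_CONF = """[ssh]
enabled = false
filter = sshd
action = iptables
maxfailures = 5
findtime = 600
"""

# Constructed sample of the admin's /etc/fail2ban/jails.local overriding part of it.
JAILS_LOCAL = """[ssh]
enabled = true
maxfailures = 3
"""


def load_layered(conf_text: str, local_text: str = "") -> configparser.ConfigParser:
    """Read the .conf text first, then the .local text, so later values win
    (the order the page describes). Empty local_text means no .local file exists."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)        # package defaults
    if local_text.strip():
        parser.read_string(local_text)   # user overrides replace matching keys only
    return parser


def effective_jail(parser: configparser.ConfigParser, jail: str) -> Dict[str, str]:
    """Return the merged key/value view of one jail section."""
    return dict(parser.items(jail))


def exceeds_threshold(match_times: List[int], maxfailures: int, findtime: int) -> bool:
    """True if at least maxfailures filter matches fall within one findtime-second window."""
    times = sorted(match_times)
    for i, start in enumerate(times):
        window = [t for t in times[i:] if t - start <= findtime]
        if len(window) >= maxfailures:
            return True
    return False


if __name__ == "__main__":
    jail = effective_jail(load_layered(JAILS_CONF, JAILS_LOCAL), "ssh")
    print(jail)  # enabled/maxfailures come from .local, the rest from .conf
    # Constructed epoch timestamps of three failregex matches, at most 500 s apart.
    print(exceeds_threshold([1000, 1200, 1500], int(jail["maxfailures"]), int(jail["findtime"])))
```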