From Fail2ban

Currently, some nice new features like removing the date before matching, multi-line matching, "log decompression", new tags in failregex, etc., would be rather difficult to add. A plugin-based chain would probably be a good solution for these new features. It would be easier for people to hack on fail2ban too.


As of version 0.8.1, filter.py contains most of the matching code (read a line, find the timestamp, try to match the failregex, etc.). Filter is a kind of "abstract" class (sorry, I'm a Java developer). There are currently two "concrete" classes, FilterPoll and FilterGamin. Thus, those classes could be the start of the chain, reading lines from log files and feeding the plugin chain.

Plugin chain

There are two kinds of plugins: system plugins and user plugins. System plugins are hard-wired in the chain and cannot be disabled or moved. User plugins can be configured, enabled or disabled by the user.

System plugins

Log decompresser
Date parser/remover

This plugin parses the date in the log line using the existing DateDetector. It removes the date from the log line too.

Prefix remover

This plugin removes syslog daemon specific information (process identifier and name). A PrefixDetector will probably be needed.

Regex matcher

This plugin runs the failregex on the log line.

Key selector

This plugin selects the regex group that has to be taken as the primary key.

Database storage

This plugin stores information about a break-in attempt.

Ban ticket generator

This plugin generates a ban ticket when needed.

User plugins

Multi-line buffer
/etc/passwd checker


The last plugin in the chain is "Ban ticket generator" which will generate a ban request as needed. It should be possible to use the existing Action and Actions classes.
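The following sketch is an added example of what the system part of such a chain could look like; it is not fail2ban's code and none of these class names exist in the project. The chain runs the system plugins described above in order (date parser/remover, prefix remover, regex matcher, key selector, ban ticket generator). The existing DateDetector and the proposed PrefixDetector are stood in for by simple syslog-style regexes, the <HOST> tag is expanded the way fail2ban's failregex does, and the sample log lines are constructed for the example (with a constructed year, since syslog timestamps carry none).

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional


@dataclass
class LogEvent:
    """State carried down the chain; each plugin mutates it or drops it."""
    line: str
    timestamp: Optional[datetime] = None
    groups: dict = field(default_factory=dict)
    key: Optional[str] = None


class Plugin:
    """Base class: process() returns the event to pass on, or None to stop the chain."""
    system = False    # True: hard-wired, cannot be disabled or moved
    enabled = True    # only honoured for user plugins

    def process(self, event: LogEvent) -> Optional[LogEvent]:
        return event


class DateParser(Plugin):
    """Stands in for DateDetector: parses a syslog timestamp and strips it from the line."""
    system = True
    _re = re.compile(r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")

    def __init__(self, year: int):
        self.year = year  # syslog lines have no year; assumed here

    def process(self, event):
        m = self._re.match(event.line)
        if not m:
            return None   # no timestamp: the line is not worth matching
        event.timestamp = datetime.strptime(
            f"{self.year} {m.group('date')}", "%Y %b %d %H:%M:%S")
        event.line = event.line[m.end():]
        return event


class PrefixRemover(Plugin):
    """Stands in for PrefixDetector: strips 'host program[pid]: ' so failregexes need not know it."""
    system = True
    _re = re.compile(r"^(?P<syslog_host>\S+) (?P<program>[\w./-]+)(\[(?P<pid>\d+)\])?: ")

    def process(self, event):
        m = self._re.match(event.line)
        if m:
            event.groups.update({k: v for k, v in m.groupdict().items() if v})
            event.line = event.line[m.end():]
        return event


class RegexMatcher(Plugin):
    """Runs the failregex; <HOST> is expanded into a named group like fail2ban does."""
    system = True

    def __init__(self, failregex: str):
        self._re = re.compile(failregex.replace("<HOST>", r"(?P<host>\S+)"))

    def process(self, event):
        m = self._re.search(event.line)
        if not m:
            return None   # not a failure line: drop it here
        event.groups.update(m.groupdict())
        return event


class KeySelector(Plugin):
    """Chooses which regex group identifies the offender (the primary key)."""
    system = True

    def __init__(self, group: str = "host"):
        self.group = group

    def process(self, event):
        event.key = event.groups.get(self.group)
        return event if event.key else None


class BanTicketGenerator(Plugin):
    """Counts failures per key and emits a ban ticket when maxretry is reached."""
    system = True

    def __init__(self, maxretry: int = 3):
        self.maxretry = maxretry
        self.failures = defaultdict(int)
        self.tickets = []   # (key, timestamp of the failure that triggered the ban)

    def process(self, event):
        self.failures[event.key] += 1
        if self.failures[event.key] == self.maxretry:
            self.tickets.append((event.key, event.timestamp))
        return event


class Chain:
    """Feeds one raw log line through the plugins; system plugins always run."""
    def __init__(self, plugins):
        self.plugins = list(plugins)

    def feed(self, line: str) -> Optional[LogEvent]:
        event = LogEvent(line)
        for plugin in self.plugins:
            if plugin.system or plugin.enabled:
                event = plugin.process(event)
                if event is None:
                    return None
        return event


# Constructed sample lines (not from any real host) and a fail2ban-style failregex.
SAMPLE_LINES = [
    "Mar 15 10:00:01 srv sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4444 ssh2",
    "Mar 15 10:00:02 srv sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4445 ssh2",
    "Mar 15 10:00:03 srv sshd[2202]: Accepted publickey for alice from 198.51.100.4 port 5000 ssh2",
    "Mar 15 10:00:04 srv sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4446 ssh2",
]
FAILREGEX = r"Failed password for .* from <HOST> port \d+"


def run(lines=SAMPLE_LINES, maxretry=3, year=2024):
    """Returns the events that survived the chain and the ban tickets generated."""
    generator = BanTicketGenerator(maxretry)
    chain = Chain([DateParser(year), PrefixRemover(), RegexMatcher(FAILREGEX),
                   KeySelector("host"), generator])
    matched = [e for e in (chain.feed(line) for line in lines) if e is not None]
    return matched, generator.tickets


if __name__ == "__main__":
    events, tickets = run()
    for e in events:
        print(e.timestamp, e.key, e.groups.get("program"), e.line)
    print("tickets:", tickets)
```

Because the date and prefix are stripped before the failregex runs, the failregex only has to describe the daemon's message, and a user plugin (say, the multi-line buffer) can be slotted in with `enabled = False` to switch it off without touching the hard-wired ones.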