Difference between revisions of "FEATURE Split config"

From Fail2ban
Jump to: navigation, search
(v10F9G <a href="http://jsjlitnenfva.com/">jsjlitnenfva</a>, [url=http://kmavaupbbsqu.com/]kmavaupbbsqu[/url], [link=http://qgdclqimaudi.com/]qgdclqimaudi[/link], http://ziatrnhibqwq.com/)
(Undo revision 2695 by 200.31.106.242 (Talk))
Line 1: Line 1:
v10F9G  <a href="http://jsjlitnenfva.com/">jsjlitnenfva</a>, [url=http://kmavaupbbsqu.com/]kmavaupbbsqu[/url], [link=http://qgdclqimaudi.com/]qgdclqimaudi[/link], http://ziatrnhibqwq.com/
+
== Split configuration file ==
 +
 
 +
{{Fail2ban}} has a single (atomic) configuration file <tt>/etc/fail2ban.conf</tt> until 0.7.0. This file became quite lengthy since it keeps several kind of parameters: general settings, mail settings, section settings, etc. The proposal is to split this configuration file into several ones. fail2ban-client would process config files and provide respective commands to running fail2ban-server. So the server knows nothing about config files.
 +
 
 +
 
 +
Every configuration files will be stored in the <tt>/etc/fail2ban</tt> directory.
 +
* <tt>/etc/fail2ban/fail2ban.conf</tt> (file) will contain the general settings.
 +
* <tt>/etc/fail2ban/jails.conf</tt> (file) will contain the jails definitions (one filter and one or more actions). Actions get triggered if filter matches maxfailures times within findtime
 +
* <tt>/etc/fail2ban/filter.d</tt> (dir) will contain the filter settings: primarily it is failregex option. No timeregex should be necessary - they are guessed from the set of known. If not recognized - please add it as before (pre 0.7)
 +
** <tt>/etc/fail2ban/filter.d/sshd.conf</tt> (file) will contain filter settings for OpenSSH server.
 +
** <tt>/etc/fail2ban/filter.d/apache-auth.conf</tt> (file) will contain filter settings for Apache authentication.
 +
* <tt>/etc/fail2ban/action.d</tt> (dir) will contain the action settings, ie how to react if a specific filter was matched specified (look jails.conf above) number of times
 +
** <tt>/etc/fail2ban/action.d/iptables.conf</tt> (file) will contain the settings for banning an IP address using Netfilter/Iptables.
 +
** <tt>/etc/fail2ban/action.d/hosts.conf</tt> (file) will contain the settings for banning an IP address using TCPWrapper.
 +
Not implemented part of ideas
 +
* <tt>/etc/fail2ban/pattern.d</tt> (dir) will contain regular expression templates.
 +
** <tt>/etc/fail2ban/pattern.d/standard-date.conf</tt> (file) will contain a regular expression matching a standard date format.
 +
* <tt>/etc/fail2ban/filter.d</tt> (dir) : The files included in this directory can benefit from the templates in <tt>/etc/fail2ban/pattern.d</tt>.
 +
 
 +
Any user change should be done in a <tt>''file''.local</tt> file instead of <tt>''file''.conf</tt>. First <tt>''file''.conf</tt> and then <tt>''file''.local</tt>  are read. This way, settings in <tt>.local</tt> override <tt>.conf</tt>. This should avoid conflict between user and package settings when upgrading.
 +
 
 +
[[Category:Feature]]

Revision as of 13:18, 4 October 2010

Split configuration file

Fail2ban has a single (atomic) configuration file /etc/fail2ban.conf until 0.7.0. This file became quite lengthy since it keeps several kind of parameters: general settings, mail settings, section settings, etc. The proposal is to split this configuration file into several ones. fail2ban-client would process config files and provide respective commands to running fail2ban-server. So the server knows nothing about config files.


Every configuration files will be stored in the /etc/fail2ban directory.

  • /etc/fail2ban/fail2ban.conf (file) will contain the general settings.
  • /etc/fail2ban/jails.conf (file) will contain the jails definitions (one filter and one or more actions). Actions get triggered if filter matches maxfailures times within findtime
  • /etc/fail2ban/filter.d (dir) will contain the filter settings: primarily it is failregex option. No timeregex should be necessary - they are guessed from the set of known. If not recognized - please add it as before (pre 0.7)
    • /etc/fail2ban/filter.d/sshd.conf (file) will contain filter settings for OpenSSH server.
    • /etc/fail2ban/filter.d/apache-auth.conf (file) will contain filter settings for Apache authentication.
  • /etc/fail2ban/action.d (dir) will contain the action settings, ie how to react if a specific filter was matched specified (look jails.conf above) number of times
    • /etc/fail2ban/action.d/iptables.conf (file) will contain the settings for banning an IP address using Netfilter/Iptables.
    • /etc/fail2ban/action.d/hosts.conf (file) will contain the settings for banning an IP address using TCPWrapper.

Not implemented part of ideas

  • /etc/fail2ban/pattern.d (dir) will contain regular expression templates.
    • /etc/fail2ban/pattern.d/standard-date.conf (file) will contain a regular expression matching a standard date format.
  • /etc/fail2ban/filter.d (dir) : The files included in this directory can benefit from the templates in /etc/fail2ban/pattern.d.

Any user change should be done in a file.local file instead of file.conf. First file.conf and then file.local are read. This way, settings in .local override .conf. This should avoid conflict between user and package settings when upgrading.