Sync all fail2ban config files with upstream (2025)

action.d/abuseipdb.conf

@@ -1,4 +1,4 @@
-## Version 2022/08/06
+## Version 2024/05/20
 # Fail2ban configuration file
 #
 # Action to report IP address to abuseipdb.com
@@ -81,7 +81,7 @@ actioncheck =
 #          use my (Shaun's) helper PHP script by commenting out the first #actionban
 #          line below, uncommenting the second one, and pointing the URL at
 #          wherever you install the helper script. For the PHP helper script, see
-#          <https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban>
+#          <https://github.com/parseword/fail2ban-abuseipdb/>
 #
 # Tags:    See jail.conf(5) man page
 # Values:  CMD

action.d/apprise.conf

@@ -1,4 +1,4 @@
-## Version 2022/08/06
+## Version 2024/09/02
 # Fail2Ban configuration file
 #
 # Author: Chris Caron <lead2gold@gmail.com>
@@ -11,7 +11,7 @@
 # Notes.:  command executed once at the start of Fail2Ban.
 # Values:  CMD
 #
-actionstart = printf %%b "The jail <name> as been started successfully." | <apprise> -t "[Fail2Ban] <name>: started on `uname -n`"
+actionstart = printf %%b "The jail <name> has been started successfully." | <apprise> -t "[Fail2Ban] <name>: started on `uname -n`"
 
 # Option:  actionstop
 # Notes.:  command executed once at the end of Fail2Ban

action.d/blocklist_de.conf

@@ -1,4 +1,4 @@
-## Version 2022/08/06
+## Version 2019/06/29
 # Fail2Ban configuration file
 #
 # Author: Steven Hiscocks
@@ -31,6 +31,9 @@
 
 [Definition]
 
+# bypass reporting of restored (already reported) tickets:
+norestored = 1
+
 # Option:  actionstart
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD

action.d/bsd-ipfw.conf

@@ -1,4 +1,4 @@
-## Version 2022/08/06
+## Version 2023/11/18
 # Fail2Ban configuration file
 #
 # Author: Nick Munger
@@ -81,7 +81,7 @@ block = ip
 # Option:  blocktype
 # Notes.:  How to block the traffic. Use a action from man 5 ipfw
 #          Common values: deny, unreach port, reset
-#          ACTION defination at the top of man ipfw for allowed values.
+#          ACTION definition at the top of man ipfw for allowed values.
 # Values:  STRING
 #
 blocktype = unreach port

action.d/cloudflare-token.conf

@@ -1,4 +1,4 @@
-## Version 2022/12/15
+## Version 2025/03/01
 #
 # Author: Logic-32
 #
@@ -51,11 +51,12 @@ actionban = curl -s -X POST "<_cf_api_url>" \
 #          <time>  unix timestamp of the ban time
 # Values:  CMD
 #
-actionunban = id=$(curl -s -X GET "<_cf_api_url>?mode=<cfmode>&notes=<notes>&configuration.target=<cftarget>&configuration.value=<ip>" \
-                       <_cf_api_prms> \
-                       | awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'id'\042/){print $(i+1)}}}' \
-                       | tr -d ' "' \
-                       | head -n 1)
+actionunban = id=$(curl -s -G -X GET "<_cf_api_url>" \
+              --data-urlencode "mode=<cfmode>" --data-urlencode "notes=<notes>" --data-urlencode "configuration.target=<cftarget>" --data-urlencode "configuration.value=<ip>" \
+              <_cf_api_prms> \
+                  | awk -F"[,:}]" '{for(i=1;i<=NF;i++){if($i~/'id'\042/){print $(i+1)}}}' \
+                  | tr -d ' "' \
+                  | head -n 1)
               if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found using target <cftarget>"; exit 0; fi; \
               curl -s -X DELETE "<_cf_api_url>/$id" \
                   <_cf_api_prms> \

action.d/complain.conf

@@ -1,4 +1,4 @@
-## Version 2022/08/06
+## Version 2023/11/22
 # Fail2Ban configuration file
 #
 # Author: Russell Odom <russ@gloomytrousers.co.uk>, Daniel Black
@@ -17,7 +17,7 @@
 #
 # Please do not use this action unless you are certain that fail2ban
 # does not result in "false positives" for your deployment.  False
-# positive reports could serve a mis-favor to the original cause by
+# positive reports could serve a misfavor to the original cause by
 # flooding corresponding contact addresses, and complicating the work
 # of administration personnel responsible for handling (verified) legit
 # complains.

action.d/firewallcmd-ipset.conf

@@ -1,4 +1,4 @@
-## Version 2022/08/06
+## Version 2024/11/07
 # Fail2Ban action file for firewall-cmd/ipset
 #
 # This requires:
@@ -19,36 +19,36 @@ before = firewallcmd-common.conf
 
 [Definition]
 
-actionstart = <ipstype_<ipsettype>/actionstart>
+actionstart = <ipsbackend_<ipsetbackend>/actionstart>
               firewall-cmd --direct --add-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
 
-actionflush = <ipstype_<ipsettype>/actionflush>
+actionflush = <ipsbackend_<ipsetbackend>/actionflush>
 
 actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
              <actionflush>
-             <ipstype_<ipsettype>/actionstop>
+             <ipsbackend_<ipsetbackend>/actionstop>
 
-actionban = <ipstype_<ipsettype>/actionban>
+actionban = <ipsbackend_<ipsetbackend>/actionban>
 
 # actionprolong = %(actionban)s
 
-actionunban = <ipstype_<ipsettype>/actionunban>
+actionunban = <ipsbackend_<ipsetbackend>/actionunban>
 
-[ipstype_ipset]
+[ipsbackend_ipset]
 
-actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
+actionstart = ipset -exist create <ipmset> <ipsettype> timeout <default-ipsettime> maxelem <maxelem> <familyopt>
 
 actionflush = ipset flush <ipmset>
 
-actionstop = ipset destroy <ipmset>
+actionstop = ipset destroy <ipmset> 2>/dev/null || { sleep 1; ipset destroy <ipmset>; }
 
 actionban = ipset -exist add <ipmset> <ip> timeout <ipsettime>
 
 actionunban = ipset -exist del <ipmset> <ip>
 
-[ipstype_firewalld]
+[ipsbackend_firewalld]
 
-actionstart = firewall-cmd --direct --new-ipset=<ipmset> --type=hash:ip --option=timeout=<default-ipsettime> <firewalld_familyopt>
+actionstart = firewall-cmd --direct --new-ipset=<ipmset> --type=<ipsettype> --option=timeout=<default-ipsettime> --option=maxelem=<maxelem> <firewalld_familyopt>
 
 # TODO: there doesn't seem to be an explicit way to invoke the ipset flush function using firewall-cmd
 actionflush = 
@@ -61,6 +61,11 @@ actionunban = firewall-cmd --ipset=<ipmset> --remove-entry=<ip>
 
 [Init]
 
+# Option: ipsettype
+# Notes:  specifies type of set, see `man --pager='less -p "^SET TYPES"' ipset` for details
+# Values: hash:ip, hash:net, etc... Default: hash:ip
+ipsettype = hash:ip
+
 # Option:  chain
 # Notes    specifies the iptables chain to which the fail2ban rules should be
 #          added
@@ -78,15 +83,21 @@ default-ipsettime = 0
 # Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
 ipsettime = 0
 
-# expresion to caclulate timeout from bantime, example:
+# Option: maxelem
+# Notes:  maximal number of elements which can be stored in the ipset
+#         You may want to increase this for long-duration/high-volume jails
+# Values: [ NUM ] Default: 65536
+maxelem = 65536
+
+# expression to calculate timeout from bantime, example:
 # banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
 timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
 
-# Option: ipsettype
-# Notes.: defines type of ipset used for match-set (firewalld or ipset)
+# Option: ipsetbackend
+# Notes.: defines the backend of ipset used for match-set (firewalld or ipset)
 # Values: firewalld or ipset
 # Default: ipset
-ipsettype = ipset
+ipsetbackend = ipset
 
 # Option: actiontype
 # Notes.: defines additions to the blocking rule
@@ -119,4 +130,4 @@ firewalld_familyopt = --option=family=inet6
 # DEV NOTES:
 #
 # Author: Edgar Hoch, Daniel Black, Sergey Brester and Mihail Politaev
-# firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness
+# firewallcmd-new / iptables-ipset-proto6 combined for maximum goodness

action.d/firewallcmd-rich-rules.conf

@@ -1,4 +1,4 @@
-## Version 2022/08/06
+## Version 2024/08/07
 # Fail2Ban configuration file
 #
 # Author: Donald Yandt 
@@ -36,7 +36,7 @@ actioncheck =
 #
 # Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges separated by a comma or space for an example: http, https, 22-60, 18 smtp 
 
-fwcmd_rich_rule = rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' %(rich-suffix)s
+fwcmd_rich_rule = rule family=\"<family>\" source address=\"<ip>\" port port=\"$p\" protocol=\"<protocol>\" %(rich-suffix)s
 
 actionban = ports="<port>"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
 

action.d/iptables-ipset-proto4.conf

@@ -1,4 +1,4 @@
-## Version 2022/08/06
+## Version 2023/11/18
 # Fail2Ban configuration file
 #
 # Author: Daniel Black
@@ -28,7 +28,7 @@ before = iptables.conf
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
 #
-actionstart = ipset --create f2b-<name> iphash
+actionstart = ipset --create f2b-<name> maxelem <maxelem> iphash
               <_ipt_add_rules>
 
 
@@ -62,6 +62,14 @@ actionban = ipset --test f2b-<name> <ip> ||  ipset --add f2b-<name> <ip>
 #
 actionunban = ipset --test f2b-<name> <ip> && ipset --del f2b-<name> <ip>
 
-# Several capabilities used internaly:
+# Several capabilities used internally:
 
 rule-jump = -m set --match-set f2b-<name> src -j <blocktype>
+
+[Init]
+
+# Option: maxelem
+# Notes:  maximal number of elements which can be stored in the ipset
+#         You may want to increase this for long-duration/high-volume jails
+# Values: [ NUM ] Default: 65536
+maxelem = 65536

action.d/iptables-ipset.conf

@@ -1,4 +1,4 @@
-## Version 2022/08/06
+## Version 2024/11/07
 # Fail2Ban configuration file
 #
 # Authors: Sergey G Brester (sebres), Daniel Black, Alexander Koeppe
@@ -25,7 +25,7 @@ before = iptables.conf
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
 # Values:  CMD
 #
-actionstart = ipset -exist create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
+actionstart = ipset -exist create <ipmset> <ipsettype> timeout <default-ipsettime> maxelem <maxelem> <familyopt>
               <_ipt_add_rules>
 
 # Option:  actionflush
@@ -40,7 +40,7 @@ actionflush = ipset flush <ipmset>
 #
 actionstop = <_ipt_del_rules>
              <actionflush>
-             ipset destroy <ipmset>
+             ipset destroy <ipmset> 2>/dev/null || { sleep 1; ipset destroy <ipmset>; }
 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the
@@ -60,13 +60,18 @@ actionban = ipset -exist add <ipmset> <ip> timeout <ipsettime>
 #
 actionunban = ipset -exist del <ipmset> <ip>
 
-# Several capabilities used internaly:
+# Several capabilities used internally:
 
 rule-jump = -m set --match-set <ipmset> src -j <blocktype>
 
 
 [Init]
 
+# Option: ipsettype
+# Notes:  specifies type of set, see `man --pager='less -p "^SET TYPES"' ipset` for details
+# Values: hash:ip, hash:net, etc... Default: hash:ip
+ipsettype = hash:ip
+
 # Option: default-ipsettime
 # Notes:  specifies default timeout in seconds (handled default ipset timeout only)
 # Values:  [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
@@ -77,7 +82,13 @@ default-ipsettime = 0
 # Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
 ipsettime = 0
 
-# expresion to caclulate timeout from bantime, example:
+# Option: maxelem
+# Notes:  maximal number of elements which can be stored in the ipset
+#         You may want to increase this for long-duration/high-volume jails
+# Values: [ NUM ] Default: 65536
+maxelem = 65536
+
+# expression to calculate timeout from bantime, example:
 # banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
 timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
 

action.d/iptables-new.conf

@@ -1,4 +1,4 @@
-## Version 2022/08/06
+## Version 2020/02/14
 # Fail2Ban configuration file
 #
 # Author: Cyril Jaquier

action.d/iptables-xt_recent-echo.conf

@@ -1,4 +1,4 @@
-## Version 2022/08/06
+## Version 2025/04/16
 # Fail2Ban configuration file
 #
 # Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
@@ -13,8 +13,9 @@ before = iptables.conf
 [Definition]
 
 _ipt_chain_rule = -m recent --update --seconds 3600 --name <iptname> -j <blocktype>
-_ipt_for_proto-iter =
-_ipt_for_proto-done =
+_ipt_check_rule = <iptables> -C <chain> %(_ipt_chain_rule)s
+_ipt-iter =
+_ipt-done =
 
 # Option:  actionstart
 # Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
@@ -61,7 +62,7 @@ actionstop = echo / > /proc/net/xt_recent/<iptname>
 # Notes.:  command executed as invariant check (error by ban)
 # Values:  CMD
 #
-actioncheck = { <iptables> -C <chain> %(_ipt_chain_rule)s; } && test -e /proc/net/xt_recent/<iptname>
+actioncheck = { %(_ipt_check_rule)s >/dev/null 2>&1; } && test -e /proc/net/xt_recent/<iptname>
 
 # Option:  actionban
 # Notes.:  command executed when banning an IP. Take care that the

action.d/iptables.conf

@@ -1,4 +1,4 @@
-## Version 2022/08/06
+## Version 2025/04/16
 # Fail2Ban configuration file
 #
 # Authors: Sergey G. Brester (sebres), Cyril Jaquier, Daniel Black, 
@@ -63,25 +63,25 @@ pre-rule =
 
 rule-jump = -j <_ipt_rule_target>
 
-# Several capabilities used internaly:
+# Several capabilities used internally:
 
-_ipt_for_proto-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
-_ipt_for_proto-done = done
+_ipt-iter = for chain in $(echo '<chain>' | sed 's/,/ /g'); do for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
+_ipt-done = done; done
 
-_ipt_add_rules = <_ipt_for_proto-iter>
-              { %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I <chain> %(_ipt_chain_rule)s; }
-              <_ipt_for_proto-done>
+_ipt_add_rules = <_ipt-iter>
+              { %(_ipt_check_rule)s >/dev/null 2>&1; } || { <iptables> -I $chain %(_ipt_chain_rule)s; }
+              <_ipt-done>
 
-_ipt_del_rules = <_ipt_for_proto-iter>
-              <iptables> -D <chain> %(_ipt_chain_rule)s
-              <_ipt_for_proto-done>
+_ipt_del_rules = <_ipt-iter>
+              <iptables> -D $chain %(_ipt_chain_rule)s
+              <_ipt-done>
 
-_ipt_check_rules = <_ipt_for_proto-iter>
+_ipt_check_rules = <_ipt-iter>
               %(_ipt_check_rule)s
-              <_ipt_for_proto-done>
+              <_ipt-done>
 
 _ipt_chain_rule = <pre-rule><ipt_<type>/_chain_rule>
-_ipt_check_rule = <iptables> -C <chain> %(_ipt_chain_rule)s
+_ipt_check_rule = <iptables> -C $chain %(_ipt_chain_rule)s
 _ipt_rule_target = f2b-<name>
 
 [ipt_oneport]
@@ -100,8 +100,9 @@ _chain_rule = -p $proto <rule-jump>
 [Init]
 
 # Option:  chain
-# Notes    specifies the iptables chain to which the Fail2Ban rules should be
-#          added
+# Notes    specifies the iptables chains to which the Fail2Ban rules should be
+#          added. May be a single chain (e.g. INPUT) or a comma separated list
+#          (e.g. INPUT, FORWARD)
 # Values:  STRING  Default: INPUT
 chain = INPUT
 
@@ -136,7 +137,7 @@ returntype = RETURN
 
 # Option:  lockingopt
 # Notes.:  Option was introduced to iptables to prevent multiple instances from
-#          running concurrently and causing irratic behavior.  -w was introduced
+#          running concurrently and causing erratic behavior.  -w was introduced
 #          in iptables 1.4.20, so might be absent on older systems
 #          See https://github.com/fail2ban/fail2ban/issues/1122
 # Values:  STRING