Fail2Ban jail.local directives reference
Complete reference for Fail2Ban configuration directives in jail.local including ban thresholds and actions.
Fail2Ban [DEFAULT] Section Directives
| Directive | Description | Default | Example |
|---|---|---|---|
| `bantime` | Duration an IP is banned. Accepts seconds or time suffixes (m, h, d). | `10m` | `bantime = 1h` |
| `findtime` | Time window during which `maxretry` failures must occur to trigger a ban. | `10m` | `findtime = 10m` |
| `maxretry` | Number of failures within `findtime` before Fail2Ban bans the IP. | `5` | `maxretry = 3` |
| `ignoreip` | Space-separated list of IPs, CIDR ranges, or hostnames to never ban. | `127.0.0.1/8 ::1` | `ignoreip = 127.0.0.1/8 203.0.113.10` |
| `backend` | How Fail2Ban reads log files. Values: `auto`, `systemd`, `pyinotify`, `polling`. | `auto` | `backend = systemd` |
| `banaction` | Action to execute when banning an IP. Refers to a file in `/etc/fail2ban/action.d/`. | `iptables-multiport` | `banaction = nftables-multiport` |
| `banaction_allports` | Action to execute for all-port bans. | `iptables-allports` | `banaction_allports = ufw` |
| `action` | Combined action template. `action_` (ban only), `action_mw` (ban + whois email), `action_mwl` (ban + whois + log lines). | `%(action_)s` | `action = %(action_mwl)s` |
Fail2Ban Jail Directives
| Directive | Description | Default | Example |
|---|---|---|---|
| `enabled` | Whether the jail is active. Must be `true` to function. | `false` | `enabled = true` |
| `port` | Port(s) to block in the ban action. Accepts names or numbers. | service-specific | `port = http,https` |
| `filter` | Filter file name (without `.conf`) from `/etc/fail2ban/filter.d/`. | jail name | `filter = sshd` |
| `logpath` | Path to the log file Fail2Ban monitors. Supports glob patterns. | service-specific | `logpath = /var/log/nginx/error.log` |
| `journalmatch` | systemd journal match expression (used with `backend = systemd`). | none | `journalmatch = _SYSTEMD_UNIT=sshd.service` |
Fail2Ban Filter Directives
| Directive | Description | Example |
|---|---|---|
| `failregex` | Python regex pattern(s) matching failed authentication log lines. `<HOST>` captures the offending IP. | `failregex = ^Failed password for .* from <HOST>` |
| `ignoreregex` | Regex pattern(s) to exclude from matching even if `failregex` matches. | `ignoreregex = ^.* from 127\.0\.0\.1$` |
| `datepattern` | Custom date/time format if Fail2Ban cannot auto-detect the timestamp. | `datepattern = %%Y-%%m-%%d %%H:%%M:%%S` |
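
How `failregex`, `ignoreregex`, `ignoreip`, `findtime` and `maxretry` combine into a ban decision, as an added Python sketch that is not Fail2Ban's own code. Assumptions: `simulate`, `parse_duration` and the `HOST` pattern are hypothetical names, `<HOST>` is replaced by a simplified IP-literal pattern, the timestamp format is fixed, `ignoreip` holds only IPs and CIDR ranges, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: simplified stand-in for <HOST>, matching IP literals only.
HOST = r"(?P<host>[0-9A-Fa-f:.]+)"

# Constructed sample log lines, oldest first (timestamp, then message).
SAMPLE = [
    "2024-05-01 10:00:00 Failed password for root from 198.51.100.7",
    "2024-05-01 10:00:30 Failed password for root from 192.0.2.44",
    "2024-05-01 10:02:00 Failed password for admin from 198.51.100.7",
    "2024-05-01 10:03:00 Failed password for root from 203.0.113.10",
    "2024-05-01 10:03:10 Failed password for root from 203.0.113.10",
    "2024-05-01 10:03:20 Failed password for root from 203.0.113.10",
    "2024-05-01 10:04:00 Failed password for root from 127.0.0.1",
    "2024-05-01 10:05:00 Failed password for git from 198.51.100.7",
    "2024-05-01 10:06:00 Failed password for root from 192.0.2.44",
    "2024-05-01 10:11:00 Failed password for root from 192.0.2.44",
]

def parse_duration(value):
    """Convert '600', '10m', '1h' or '1d' to a timedelta."""
    units = {"m": 60, "h": 3600, "d": 86400}
    scale = units.get(value[-1])
    return timedelta(seconds=int(value[:-1]) * scale if scale else int(value))

def simulate(lines, failregex, ignoreregex, ignoreip, findtime, maxretry):
    """Return {ip: time the ban would trigger} for the given log lines."""
    fail = re.compile(failregex.replace("<HOST>", HOST))
    ignore = re.compile(ignoreregex)
    allow = [ipaddress.ip_network(n, strict=False) for n in ignoreip.split()]
    window, recent, bans = parse_duration(findtime), defaultdict(deque), {}
    for line in lines:
        # The regexes are applied to the text after the timestamp.
        when, message = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), line[20:]
        m = fail.search(message)
        if not m or ignore.search(message):  # ignoreregex overrides failregex
            continue
        ip = m.group("host")
        if ip in bans or any(ipaddress.ip_address(ip) in n for n in allow):
            continue  # already banned, or listed in ignoreip
        recent[ip].append(when)
        while when - recent[ip][0] > window:  # drop failures older than findtime
            recent[ip].popleft()
        if len(recent[ip]) >= maxretry:
            bans[ip] = when
    return bans
```

With the table's example values (`findtime = 10m`, `maxretry = 3`, `ignoreip = 127.0.0.1/8 203.0.113.10`), only 198.51.100.7 is banned: 192.0.2.44 also fails three times, but its first failure falls outside the window by the time the third arrives.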