How to *add* rules in local fail2ban filter definition?

Michael Kjörling asked:

I have installed fail2ban as packaged by Debian on a server under my control. Since I have some failregexes from before, I’m putting those into the local filter definition file so they will be considered as well. Hence, I end up with e.g. /etc/fail2ban/filter.d/sshd.conf and /etc/fail2ban/filter.d/sshd.local. This is the way it is recommended to be set up and it appears to be working just fine for what it is.

However, in the .local file, I’m actually replacing the whole list of failregexes from the .conf file. The documentation doesn’t seem to indicate there is any other way of doing it, and to get it to work, I’ve simply copied the distribution-supplied .conf file to a .local file and made some additions.

It would be really nice if I can simply amend the list, benefiting from the work of the upstream and Debian maintainers in staying abreast of changes to the distribution-maintained log entry filter regexes.

The only real workaround I can think of is to actually create two jails, one using the distribution-provided configuration and one using my own. This would appear to have the (fairly significant) downside that they are treated as independent jails (which you’d expect with such a setup).

Surely I can’t be the only one wanting to just add a few failregexes of my own to an already existing collection, with a minimum of maintenance hassle.

Is it possible to amend the lists of failregex and ignoreregex within a fail2ban filter definition through a site-local or host-local file, without making any changes to the corresponding global or distribution-supplied file? If it is, then how to do it?

My answer:


Let us take a look at part of the /etc/fail2ban/filter.d/sshd.conf file.

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf

So you might think you could add here: after = sshd.local and cause it to read such a file; any settings in it would then override those in this file.

And it works. Except you can’t simply amend entries to failregex or any other directive; you can only replace them.

Your feeling is correct. This is definitely a shortcoming of the fail2ban configuration file formats. I’d complain to the developer.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.