I can see all default enabled fail2ban rules pointed to action → hestia[name=XXXXX]. May I know where I can get the definition of these actions? It seems they're not inside action.d.
Because I would like to add an apache-auth rule and want to set up the action.
Thanks
The action is hestia and it's here: /etc/fail2ban/action.d/hestia.conf
❯ cat /etc/fail2ban/action.d/hestia.conf
# Fail2Ban configuration file for hestia
[Definition]
actionstart = /usr/local/hestia/bin/v-add-firewall-chain <name>
actionstop = /usr/local/hestia/bin/v-delete-firewall-chain <name>
actioncheck = iptables -n -L INPUT | grep -q 'fail2ban-<name>[ \t]'
actionban = /usr/local/hestia/bin/v-add-firewall-ban <ip> <name>
actionunban = /usr/local/hestia/bin/v-delete-firewall-ban <ip> <name>
Fail2Ban replaces <name> with the value of name=XXX.
Thanks
Got this working now
[apache-iptables]
enabled = true
filter = apache-auth
action = hestia[name=WEB]
logpath = /var/log/apache*/domains/*error.log
maxretry = 5
May I ask you more about fail2ban?
I can see some actions inside hestia.conf, like actionstart, actionstop, actioncheck, etc.
May I know how F2B works through these flows? Like when does it trigger actioncheck, and then actionstart?
Fail2Ban doesn't have good official docs.
actionstart: Runs when jail starts, creates firewall chain.
actionstop: Runs when jail stops, removes firewall chain.
actioncheck: Verifies firewall chain exists before banning.
actionban: Blocks IP when threshold exceeded.
actionunban: Unblocks IP when ban time expires.
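To make the lifecycle above concrete, here is an added shell simulation (not from the thread or from HestiaCP) that mirrors each hestia.conf entry against a temp-dir stand-in for the iptables chain, plus the check-before-ban step Fail2Ban performs: when actioncheck fails it runs actionstop and actionstart (or actionrepair where defined) and only then bans. The chain store, IPs and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed simulation of the Fail2Ban action lifecycle: no real iptables is
# touched, each "chain" is a file under $STATE holding the banned IPs.
STATE="${STATE:-$(mktemp -d)}"

# One function per hestia.conf entry; <name> is $1 and <ip> is $2.
actionstart() { : > "$STATE/fail2ban-$1"; }           # v-add-firewall-chain <name>
actionstop()  { rm -f "$STATE/fail2ban-$1"; }         # v-delete-firewall-chain <name>
actioncheck() { [ -f "$STATE/fail2ban-$1" ]; }        # iptables -n -L INPUT | grep -q ...
actionban()   { echo "$2" >> "$STATE/fail2ban-$1"; }  # v-add-firewall-ban <ip> <name>
actionunban() {                                       # v-delete-firewall-ban <ip> <name>
    grep -vx "$2" "$STATE/fail2ban-$1" > "$STATE/tmp" || true
    mv "$STATE/tmp" "$STATE/fail2ban-$1"
}

# What Fail2Ban does when a ban is due: run actioncheck first; on failure it
# restores the environment (stop + start) and re-checks before running actionban.
f2b_ban() {
    if ! actioncheck "$1"; then
        echo "invariant check failed for fail2ban-$1, restoring" >&2
        actionstop "$1"
        actionstart "$1"
        actioncheck "$1" || return 1
    fi
    actionban "$1" "$2"
}

# Helpers to inspect the simulated chain.
banned_count() { [ -f "$STATE/fail2ban-$1" ] && wc -l < "$STATE/fail2ban-$1" | tr -d ' ' || echo 0; }
is_banned()    { [ -f "$STATE/fail2ban-$1" ] && grep -qx "$2" "$STATE/fail2ban-$1"; }

demo() {
    actionstart WEB
    f2b_ban WEB 203.0.113.7
    echo "WEB bans: $(banned_count WEB)"
    actionstop WEB                 # chain vanishes, as in the name=APACHE test
    f2b_ban WEB 203.0.113.8        # check fails, chain is recreated, ban still lands
    echo "WEB bans after repair: $(banned_count WEB)"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run with `sh lifecycle.sh demo` to watch the repair path fire; the ban is not left stuck in Fail2Ban, it is applied to the recreated chain.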
For this
actioncheck: Verifies firewall chain exists before banning.
So if the CHAIN didn't exist, it won't add to iptables but the record is still stuck in F2B?
Because I've put in action = hestia[name=APACHE] to test before (fail2ban-APACHE obviously didn't exist as a CHAIN in iptables). I am afraid of messing up the iptables.
Thanks