Advanced Usage of Action Variables and Shortcuts in Fail2ban Configuration



Action variables in fail2ban allow you to define reusable parameters that can be referenced throughout your configuration files. They work similarly to variables in programming languages, promoting DRY (Don't Repeat Yourself) principles in your jail configurations.

# Define custom variables in [DEFAULT] at the top of your jail.local
# ([INCLUDES] is reserved for the before/after file include directives)
[DEFAULT]
my_custom_bantime = 3600
my_ssh_ports = 22,2222

[sshd]
enabled = true
port = %(my_ssh_ports)s
bantime = %(my_custom_bantime)s

These variables become particularly useful when:

  • Maintaining consistency across multiple jails
  • Creating environment-specific configurations
  • Implementing complex ban rules with shared parameters

# Example of shared configuration
[DEFAULT]
high_security_bantime = 86400
common_ports = 22,80,443

[sshd]
port = %(common_ports)s
bantime = %(high_security_bantime)s

[nginx-badbots]
port = %(common_ports)s

Fail2ban provides several built-in action shortcuts that simplify common banning operations. These are essentially predefined action templates that use the same variable substitution mechanism.

# Default action shortcut in jail.conf
action = %(action_)s

# Which typically expands to:
action = %(banaction)s[name=%(__name__)s, port="%(port)s", 
       protocol="%(protocol)s", chain="%(chain)s"]

You can define your own action shortcuts for specialized scenarios:

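[DEFAULT]
# Custom action shortcut; action_mwl reads its addresses from the
# destemail and sender options, so set those rather than appending [...]
destemail = security@example.com
sender = fail2ban@example.com
action_custom_mail = %(action_mwl)s

[sshd]
# action_mwl already includes the ban action (action_), so it is not listed again
action = %(action_custom_mail)s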

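Fail2ban supports complex variable expressions, including multi-line values that chain several actions:

# Chaining the ban action and a mail action in one variable
# (values are substituted as-is; a trailing "if ..." is not evaluated)
action_ban_and_mail = %(action_)s
                      sendmail-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
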
  • Place common variables in the [DEFAULT] section
  • Use descriptive names for custom variables
  • Document variables with comments
  • Test configurations after variable changes

# Well-documented variable example
[DEFAULT]
# Global ban time in seconds (24 hours)
global_bantime = 86400

# Comma-separated list of SSH ports
ssh_ports = 22,2222,22222

Action variables in fail2ban allow you to define reusable values that can be referenced throughout your configuration files. They follow standard INI-style variable substitution syntax and are particularly useful for:

  • Maintaining consistent values across multiple jails
  • Creating configuration templates
  • Simplifying complex parameter expressions

Here's the correct syntax for defining and using action variables:

[DEFAULT]
# Define variables in DEFAULT section for global access
custom_bantime = 86400
logpath_pattern = /var/log/%(__name__)s.log

[sshd]
# Reference the variables using %()s syntax
bantime = %(custom_bantime)s
logpath = %(logpath_pattern)s

Let me show you some real-world scenarios where action variables shine:

[DEFAULT]
# Common ports configuration
ssh_port = 22
web_ports = 80,443
db_port = 3306

[sshd]
port = %(ssh_port)s

[apache]
port = %(web_ports)s

[mysqld]
port = %(db_port)s

Another powerful use case is with complex action commands:

[DEFAULT]
# Define common action components; the mail shortcuts read sender and destemail
sender = fail2ban@example.com
destemail = admin@example.com

[sshd]
# action_mw already includes the ban action (action_), so it is not listed again
action = %(action_mw)s

Action shortcuts are predefined variable placeholders that expand to common configurations. The most frequently used ones include:

  • %(banaction)s - Default ban action defined in jail.conf
  • %(__name__)s - Current jail name
  • %(chain)s - iptables chain name
  • %(port)s - Port specification from jail config

Here's how they're typically used in action definitions:

[DEFAULT]
banaction = iptables-multiport
chain = INPUT

[sshd]
action = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

Combining both action variables and shortcuts for a sophisticated setup:

[DEFAULT]
# Global variables
notification_email = security-team@example.com
ban_duration = 1h
findtime = 10m
maxretry = 5

# Action template
action_template = %(banaction)s[name=%(__name__)s, bantime="%(ban_duration)s", port="%(port)s"]
                 sendmail-whois[name=%(__name__)s, dest="%(notification_email)s"]

[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
logpath = /var/log/nginx/access.log
action = %(action_template)s

This approach allows you to maintain consistent actions across multiple jails while customizing specific parameters.

When troubleshooting variable issues, use fail2ban-client to inspect the final configuration:

fail2ban-client get sshd actions
fail2ban-client get sshd bantime

This will show you the fully resolved values after all variable substitutions have been applied.
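
A `%(name)s` reference resolves only against the jail's own section and [DEFAULT], so a variable placed in any other section is invisible to the jail. The following check is an added example, not part of fail2ban or the original page: it uses Python's standard configparser as a stand-in for fail2ban's reader, and the `resolve_jails` helper and the sample config are hypothetical.

```python
import configparser

# Constructed sample: my_ssh_ports is misplaced in [INCLUDES], the rest is in [DEFAULT].
SAMPLE = """\
[INCLUDES]
my_ssh_ports = 22,2222

[DEFAULT]
custom_bantime = 86400
logpath_pattern = /var/log/%(__name__)s.log

[sshd]
port = %(my_ssh_ports)s
bantime = %(custom_bantime)s
logpath = %(logpath_pattern)s
"""


def resolve_jails(text):
    """Return ({jail: {option: value}}, [(jail, option, missing_variable)])."""
    cp = configparser.ConfigParser()  # %(name)s interpolation is the default
    cp.read_string(text)
    resolved, problems = {}, []
    for jail in cp.sections():
        if jail == "INCLUDES":  # holds before/after file includes, not a jail
            continue
        resolved[jail] = {}
        for option in cp.options(jail):  # jail options plus inherited [DEFAULT] ones
            try:
                # Assumption: __name__ is passed in by hand because Python 3's
                # configparser does not define it; the page's configs expect
                # fail2ban to resolve it to the jail name.
                resolved[jail][option] = cp.get(jail, option, vars={"__name__": jail})
            except configparser.InterpolationMissingOptionError as err:
                problems.append((jail, option, err.reference))
    return resolved, problems


if __name__ == "__main__":
    values, missing = resolve_jails(SAMPLE)
    for jail, option, name in missing:
        print(f"[{jail}] {option}: %({name})s is not defined in [{jail}] or [DEFAULT]")
    for jail, options in values.items():
        for option, value in sorted(options.items()):
            print(f"[{jail}] {option} = {value}")
```

Running it against a copy of jail.local before reloading fail2ban surfaces misplaced or misspelled variables without touching the live jails.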