How to use so called action variables in fail2ban?

fail2ban

I've seen a few mentions of these in the docs and misc scripts, but nothing concrete on exactly how they are used. Could anyone give me some examples?

Is it just a case of 

myvar=7
.
.
.
[ssh]
bantime=%(myvar)s

If so what is the point?

Secondly, how do I use the "Action shortcuts" in the jail.conf? e.g. action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"], any docs on this?


If you take a look at the rules that are included with fail2ban you'll notice that they use these variables to make things neater and more parameterized. For example in the included jail.conf they've used them to make general action rules that they can then use when defining the various jails.

Example

Here are some basic variables at the top.

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost

# Sender email address used solely for some actions
sender = root@localhost

# Default protocol
protocol = tcp

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

These variables are then used in other variables to construct some basic actions.

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

Notice here that they're constructing a general purpose action called, action_ which is made using other variables, such as, %(banaction)s, %(port)s, `%(protocol)s, etc.

From the man jail.conf man page:

Using Python "string interpolation" mechanisms, other definitions are allowed and can later be used within other definitions as %(name)s. For example.

         baduseragents = IE|wget
         failregex = useragent=%(baduseragents)s

So the %(...)s are part of the Python language. If you search for them you'll eventually find this page from the Python language's specification, specifically this section titled: 5.6.2. String Formatting Operations. There is an example on this page:

>>> print '%(language)s has %(number)03d quote types.' % \
...       {"language": "Python", "number": 2}
Python has 002 quote types.

The %(...string...)s is called a string formatting or interpolation operator in Python. The s at the end of the %(...string...) is a flag, specifying that any Python objects that may be passed to it, get converted to strings. From the link I referenced, there's a table with all the flags allowed:

  ss#1

The % specifies where you want the specifier to begin, and the (...string...) is what Python variable we want to have expanded here.

Related

Ubuntu 14.04 getting ping: sendmsg: Operation not permitted
Can PXE boot of Hyper-V VMs be disabled?
How can I change Qemu KVM machine architecture from 440fx to q35 with virsh edit or virt-manager
Why do some host volumes in Docker containers give the error "too many levels of symbolic links"?
Unable to open WireShark in CentOS 6.5
The impact of Apache graceful restarts and user experience
Forwarding Ports on Centos 7
OpenVPN don't start: --cert fails with 'client.crt': No such file or directory
su: /bin/bash: Resource temporarily unavailable
Map IP to another IP
Installed new version of php but Apache still using the old version
htop res & virt colors