Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

Select Badges

Select Supported Platforms

Select Status


fail2ban (51) Versions 6.0.0

Installs and configures fail2ban

cookbook 'fail2ban', '= 6.0.0', :supermarket
cookbook 'fail2ban', '= 6.0.0'
knife supermarket install fail2ban
knife supermarket download fail2ban
Quality 100%

fail2ban Cookbook

Build Status Cookbook Version

Installs and configures fail2ban, a utility that watches logs for failed login attempts and blocks repeat offenders with firewall rules. On Redhat systems this cookbook will enable the EPEL repository in order to retrieve the fail2ban package.



  • Debian/Ubuntu
  • RHEL/CentOS/Scientific/Amazon/Oracle
  • Fedora
  • OpenSUSE


  • Chef 13.0+


  • yum-epel



Installs the fail2ban package, manages 2 templates: /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf, and manages the fail2ban service.


This cookbook has a set of configuration options for fail2ban

  • default['fail2ban']['loglevel'] = 'INFO'
  • default['fail2ban']['logtarget'] = '/var/log/fail2ban.log'
  • default['fail2ban']['syslogsocket'] = 'auto'
  • default['fail2ban']['socket'] = '/var/run/fail2ban/fail2ban.sock'
  • default['fail2ban']['pidfile'] = '/var/run/fail2ban/'
  • default['fail2ban']['dbfile'] = '/var/lib/fail2ban/fail2ban.sqlite3'
  • default['fail2ban']['dbpurgeage'] = 86_400

The CRITICAL and NOTICE log levels are only available on fail2ban >= 0.9.x. If they are used on a system with an older version of fail2ban, they will be mapped to ERROR and INFO respectively.

The syslogsocket, dbfile, and dbpurgeage options are only applicable to fail2ban >= 0.9.x

This cookbook has a set of configuration options for jail.conf

  • default['fail2ban']['ignoreip'] = ''
  • default['fail2ban']['findtime'] = 600
  • default['fail2ban']['bantime'] = 300
  • default['fail2ban']['maxretry'] = 5
  • default['fail2ban']['backend'] = 'polling'
  • default['fail2ban']['email'] = 'root@localhost'
  • default['fail2ban']['sendername'] = 'Fail2Ban'
  • default['fail2ban']['action'] = 'action_'
  • default['fail2ban']['banaction'] = 'iptables-multiport'
  • default['fail2ban']['mta'] = 'sendmail'
  • default['fail2ban']['protocol'] = 'tcp'
  • default['fail2ban']['chain'] = 'INPUT'

This cookbook makes use of a hash to compile the jail.local-file and filter config files:

default['fail2ban']['services'] = {
  'ssh' => {
        "enabled" => "true",
        "port" => "ssh",
        "filter" => "sshd",
        "logpath" => node['fail2ban']['auth_log'],
        "maxretry" => "6"
  'smtp' => {
        "enabled" => "true",
        "port" => "smtp",
        "filter" => "smtp",
        "logpath" => node['fail2ban']['auth_log'],
        "maxretry" => "6"

The following attributes can be used per service:

  • enabled
  • port
  • filter
  • logpath
  • maxretry
  • protocol
  • banaction
  • bantime

Creating custom fail2ban filters:

default['fail2ban']['filters'] = {
  'nginx-proxy' => {
        "failregex" => ["^ -.*GET http.*"],
        "ignoreregex" => []

Issues related to rsyslog

If you are using rsyslog parameter "$RepeatedMsgReduction on" in rsyslog.conf file
then you can get "Last message repeated N times" in system log file (for example auth.log).
Fail2ban will not work because the internal counter maxretry will not expand the repeated messages.
Change parameter "$RepeatedMsgReduction off" in rsyslog.conf file for maximum accuracy of failed login attempts.

This rsyslog parameter is default ON for ubuntu 12.04 LTS for example.

License and Author

Author:: Joshua Timberman ()

Copyright:: 2009-2016, Chef Software, Inc

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.

fail2ban Cookbook CHANGELOG

This file is used to list changes made in each version of the fail2ban cookbook.

6.0.0 (2019-05-08)

  • Require Chef 13 or later
  • Add support for Amazon Linux on Chef 13+
  • Add support for Ubuntu 18.04
  • Add new fail2ban_jail and fain2ban_filter resources that allow you to define individual filters and jails within your own recipes instead of using the monolithic attribute config. With the introduction of these resources the existing attribute driven workflow has been deprecated and will eventually be removed. Thank you OpenStreetMap for these great new resources.

5.0.2 (2018-07-18)

  • Update specs to the latest platform versions
  • Testing updates
  • Delete jail.d/00-firewalld.conf on CentOS like we delete jail.d/defaults-debian.conf on Ubuntu)
  • Move templates out of the default directory

5.0.1 (2018-02-15)

  • Update the minimum supported Chef release to 12.9 since we're using the Ohai package plugin now. We highly recommend you run at least the very latest Chef 12 reelase which includes additional packabe plugin fixes.

5.0.0 (2018-02-14)

  • Add new logic to detect the fail2ban version and apply appropriate config for 0.8 vs > 0.8. This makes sure we're using the current on newer systems while still supporting Ubuntu 14.04
  • Remove defunct syslog config statements from very old fail2ban releases

4.0.1 (2017-04-26)

  • Update apache2 license string

4.0.0 (2017-03-14)

NOTE The next version of this cookbook will be a rewrite to use custom resources and eliminate attributes. This should be backwards compatible to previous versions of the cookbook, but there are some changes that might break current assumptions so doing a major bump.

  • [#33] Fix ubuntu platforms
  • Add ubuntu platform guards to default recipe
  • Update README to be more clear with regards to rsyslog
  • Remove defaults-debian.conf on ubuntu platforms, that assumes ssh enabled on nodes.
  • Modify metadata dependency to Chef 12.5+
  • Modify chef spec to remove service start, enable on resources as on debian platforms the service is started by install of package
  • Make test kitchen show deprecation errors
  • Remove EOL debian and ubuntu logic from default recipe

3.1.0 (2016-11-14)

  • Add support for jail ignorecommand

3.0.0 (2016-09-16)

  • Testing updates
  • Require Chef 12.1+
  • Add opensuse and opensuseleap to the metadata

v2.3.1 (2016-07-20)

  • Added fixture cookbook
  • Cleanup of kitchen configurations
  • [#38] Default config values to avoid warning from pbanderas
  • [#37] Add support for 'sendername' setting on config from Restless-ET
  • [#35] Add support for configuring service backend from ares
  • many updates to testing
  • [#25] Allow jail actions of either format from rchekaluk
  • Add OpenSUSE platform

v2.3.0 (2015-08-22)

  • Updated Berksfile to 3.0 format
  • Added "generated by chef" comment headers to all templates
  • Added missing bantime service attribute to the readme
  • Resolved all rubocop warnings
  • Added yum-epel to the readme as a dependency
  • Removed the dependency on the yum cookbook. This cookbook only requires yum-epel, which handles the yum dependency
  • Added a chefignore file to prevent unnecessary files from being uploaded to the chef-server
  • Changed fail2ban package to install only vs. upgrading. Administrators should be able to choose when packages are upgraded
  • Change file mode definitions to be strings to preserve the leading zeros
  • Added testing / cookbook version badges to the readme
  • Added source_url and issues_url metadata for Chef 12
  • Add basic cookbook convergence chefspec tests
  • Updated the testing and contributing docs to more recent versions
  • Bumped all development and testing gems to the latest versions
  • Expanded Travis testing to ruby 2/2.1/2.2
  • Changed Opscode to Chef Software in all locations

v2.2.1 (2014-10-15)

  • [#24] Add default value for pidfile


  • 15 - Fix small typo in for smtp

  • 16 - Support custom fail2ban filters

  • 21 - Service and defaults improvements, Fedora support



  • COOK-3899 - Allow action override in service block


Updating for cookbook yum ~> 3.0 Fixing style or rubocop Updating test bits


fixing metadata version error. locking to 3.0


Locking yum dependency to '< 3'


[COOK-2530] Allow customisation of jail.local


New Feature

  • COOK-3383 - Add clarifying caveat about rsyslog in README


  • COOK-3249 - Fix default jail.conf on CentOS


  • COOK-2748 - Handle /etc.init.d/fail2ban status for older versions



  • [COOK-2588]: Fail2ban needs to store the socket in the correct location
  • [COOK-2592]: fail2ban: Update jail file template to match current config file


  • [COOK-2292] - Add fail2ban support for RHEL using EPEL
  • [COOK-2426] - Fail2ban cookbook needs syslog tunables in config file
  • Development repository only: test kitchen 1.0.alpha support


  • [COOK-2291] - Add additional tunables to the fail2ban cookbook


  • [COOK-2217] - Users should be able to configure the email address fail2ban uses to send messages


  • Current public release.

Collaborator Number Metric

6.0.0 passed this metric

Contributing File Metric

6.0.0 passed this metric

Foodcritic Metric

6.0.0 passed this metric

No Binaries Metric

6.0.0 passed this metric

Testing File Metric

6.0.0 passed this metric

Version Tag Metric

6.0.0 passed this metric