
Comments (2)

sebres avatar sebres commented on June 11, 2024

Yes, they can be combined, but only if your banning action is intended to ban by <fid> too (meaning intruders with the same <fid> will be blocked, so further attempts are not allowed for them, regardless of which IP they arrive from). Otherwise (you still ban by IP in the action), fail2ban would internally think the <fid> is banned, and so doesn't execute the action, even if a new failure has a different <ip>. Tag <fid> is the unique identifier for the ban.
If it must be banned by a combination, either <F-ID> must include both data (the IP is also part of it), for instance <F-ID>[^@]*@<ADDR></F-ID> instead of <F-ID>[^@]*</F-ID>@<ADDR>.
Or you have to use tuples as ID (see #2755 (comment) for details).

If the IP belongs to the ban (and other tags are just informative), use <ADDR> for the IP and, instead of <F-ID>, some other <F-*> (but not ID), for instance <F-USER> for the user name (and you can use it as <F-USER> in the action too). So in this case the identifier of the ban remains the IP (and it is also banned by IP regardless of the user name).

As for your actual result, it is unexpected... I don't know why it uses IP as fid... Which fail2ban version is it? Did you restart the jail after changes in the config?

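The following is an added illustration, not code from the thread or from fail2ban itself: a deliberately simplified model of the <F-ID> behaviour described above, using constructed log lines, an IPv4-only stand-in for <ADDR>, and a ban table keyed on fid alone (as if maxretry were 1). It shows why a user-only <F-ID> never fires the action for the second source address, while nesting <ADDR> inside <F-ID> does.

```python
import re

# Constructed sample log lines (not from the original thread): the same user
# failing from two different source addresses, then a second user.
SAMPLE_LOG = [
    "auth failure for alice@192.0.2.10",
    "auth failure for alice@198.51.100.7",
    "auth failure for bob@192.0.2.10",
]

# Assumption: a simplified <ADDR>; real fail2ban expands it to a much richer
# IPv4/IPv6/hostname pattern with its own group names.
ADDR_RE = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"

def compile_failregex(failregex: str) -> re.Pattern:
    """Translate <ADDR> and <F-ID>...</F-ID> into named groups 'addr' and 'fid'."""
    pattern = failregex.replace("<ADDR>", ADDR_RE)
    pattern = pattern.replace("<F-ID>", "(?P<fid>").replace("</F-ID>", ")")
    return re.compile(pattern)

def ban_identifiers(failregex: str, lines=SAMPLE_LOG) -> list:
    """Return (fid, addr) for each matching line; fid falls back to addr
    when the failregex defines no <F-ID> group."""
    rx = compile_failregex(failregex)
    out = []
    for line in lines:
        m = rx.search(line)
        if m is None:
            continue
        addr = m.group("addr")
        fid = m.groupdict().get("fid") or addr
        out.append((fid, addr))
    return out

def simulate_bans(failregex: str, lines=SAMPLE_LOG) -> list:
    """Model the behaviour described in the comment: the ban is keyed on fid
    only, so a failure whose fid is already banned triggers no action even
    if its address differs. Returns the addresses the action would fire for."""
    banned = set()
    actions = []
    for fid, addr in ban_identifiers(failregex, lines):
        if fid in banned:
            continue  # fail2ban already considers this fid banned
        banned.add(fid)
        actions.append(addr)
    return actions

USER_ONLY_ID = r"auth failure for <F-ID>[^@]*</F-ID>@<ADDR>"
USER_AND_IP_ID = r"auth failure for <F-ID>[^@]*@<ADDR></F-ID>"

if __name__ == "__main__":
    for name, rx in (("user-only fid", USER_ONLY_ID), ("user@ip fid", USER_AND_IP_ID)):
        print(name, ban_identifiers(rx), "-> action fires for", simulate_bans(rx))
```

With the user-only <F-ID>, alice's second address 198.51.100.7 never reaches the action; with <ADDR> nested inside <F-ID>, all three failures are distinct bans.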

wixaw avatar wixaw commented on June 11, 2024

Thank you so much for the great explanations!

I tried what you suggested and it worked. Out of curiosity, I tried my old code again and it worked too! So it might have been the fact that I fixed my SELinux issue that resolved the problem.

Here's the policy I added, in case it might be useful to the community:

module sh_policy 1.0;

require {
        type kmod_exec_t;
        type ssh_exec_t;
        type rpcd_t;
        type autofs_t;
        type ssh_home_t;
        type ssh_port_t;
        type fail2ban_t;
        type default_t;
        type krb5_keytab_t;
        class dir search;
        class file { execute execute_no_trans getattr map open read };
        class tcp_socket name_connect;
}

#============= fail2ban_t ==============
allow fail2ban_t autofs_t:dir search;
allow fail2ban_t default_t:file { execute getattr };
allow fail2ban_t krb5_keytab_t:dir search;
allow fail2ban_t ssh_exec_t:file { execute execute_no_trans getattr open read };

#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
allow fail2ban_t ssh_exec_t:file map;
allow fail2ban_t ssh_home_t:dir search;
allow fail2ban_t ssh_home_t:file { getattr open read };

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow fail2ban_t ssh_port_t:tcp_socket name_connect;

#============= rpcd_t ==============
allow rpcd_t kmod_exec_t:file getattr;

Sorry for the inconvenience

