diff --git a/.etckeeper b/.etckeeper
index cd5837b..f128a5c 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -22,12 +22,6 @@ mkdir -p './dnf/aliases.d'
 mkdir -p './dnf/modules.defaults.d'
 mkdir -p './dnf/plugins/copr.d'
 mkdir -p './exports.d'
-mkdir -p './fail2ban/fail2ban.d'
-mkdir -p './firewalld/helpers'
-mkdir -p './firewalld/icmptypes'
-mkdir -p './firewalld/ipsets'
-mkdir -p './firewalld/policies'
-mkdir -p './firewalld/services'
 mkdir -p './glvnd'
 mkdir -p './gnupg'
 mkdir -p './groff/site-font'
@@ -679,181 +673,39 @@ maybe chmod 0644 'exports'
 maybe chmod 0755 'exports.d'
 maybe chmod 0755 'fail2ban'
 maybe chmod 0755 'fail2ban/action.d'
-maybe chmod 0644 'fail2ban/action.d/abuseipdb.conf'
-maybe chmod 0644 'fail2ban/action.d/apf.conf'
-maybe chmod 0644 'fail2ban/action.d/badips.conf'
-maybe chmod 0644 'fail2ban/action.d/badips.py'
 maybe chmod 0644 'fail2ban/action.d/badips.py.rpmnew'
-maybe chmod 0644 'fail2ban/action.d/blocklist_de.conf'
-maybe chmod 0644 'fail2ban/action.d/cloudflare.conf'
-maybe chmod 0644 'fail2ban/action.d/dshield.conf'
-maybe chmod 0644 'fail2ban/action.d/dummy.conf'
-maybe chmod 0644 'fail2ban/action.d/firewallcmd-allports.conf'
-maybe chmod 0644 'fail2ban/action.d/firewallcmd-common.conf'
-maybe chmod 0644 'fail2ban/action.d/firewallcmd-ipset.conf'
-maybe chmod 0644 'fail2ban/action.d/firewallcmd-multiport.conf'
-maybe chmod 0644 'fail2ban/action.d/firewallcmd-new.conf'
-maybe chmod 0644 'fail2ban/action.d/firewallcmd-rich-logging.conf'
-maybe chmod 0644 'fail2ban/action.d/firewallcmd-rich-rules.conf'
-maybe chmod 0644 'fail2ban/action.d/helpers-common.conf'
-maybe chmod 0644 'fail2ban/action.d/iptables-allports.conf'
-maybe chmod 0644 'fail2ban/action.d/iptables-common.conf'
-maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto4.conf'
-maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto6-allports.conf'
-maybe chmod 0644 'fail2ban/action.d/iptables-ipset-proto6.conf'
+maybe chmod 0644 'fail2ban/action.d/badips.py.rpmsave'
+maybe chmod 0644 'fail2ban/action.d/iptables-common.conf.rpmsave'
 maybe chmod 0640 'fail2ban/action.d/iptables-ipset.conf'
-maybe chmod 0644 'fail2ban/action.d/iptables-multiport-log.conf'
-maybe chmod 0644 'fail2ban/action.d/iptables-multiport.conf'
-maybe chmod 0644 'fail2ban/action.d/iptables-new.conf'
-maybe chmod 0644 'fail2ban/action.d/iptables-xt_recent-echo.conf'
-maybe chmod 0644 'fail2ban/action.d/iptables.conf'
-maybe chmod 0644 'fail2ban/action.d/mail-whois-common.conf'
 maybe chmod 0644 'fail2ban/action.d/mail.conf.rpmsave'
-maybe chmod 0644 'fail2ban/action.d/mynetwatchman.conf'
-maybe chmod 0644 'fail2ban/action.d/netscaler.conf'
-maybe chmod 0644 'fail2ban/action.d/nftables-allports.conf'
-maybe chmod 0644 'fail2ban/action.d/nftables-multiport.conf'
-maybe chmod 0644 'fail2ban/action.d/nftables.conf'
-maybe chmod 0644 'fail2ban/action.d/nginx-block-map.conf'
-maybe chmod 0644 'fail2ban/action.d/npf.conf'
-maybe chmod 0644 'fail2ban/action.d/nsupdate.conf'
-maybe chmod 0644 'fail2ban/action.d/route.conf'
-maybe chmod 0644 'fail2ban/action.d/sendmail-buffered.conf'
-maybe chmod 0644 'fail2ban/action.d/sendmail-common.conf'
-maybe chmod 0644 'fail2ban/action.d/sendmail-geoip-lines.conf'
-maybe chmod 0644 'fail2ban/action.d/sendmail-whois-ipjailmatches.conf'
-maybe chmod 0644 'fail2ban/action.d/sendmail-whois-ipmatches.conf'
-maybe chmod 0644 'fail2ban/action.d/sendmail-whois-lines.conf'
-maybe chmod 0644 'fail2ban/action.d/sendmail-whois-matches.conf'
-maybe chmod 0644 'fail2ban/action.d/sendmail-whois.conf'
-maybe chmod 0644 'fail2ban/action.d/sendmail.conf'
-maybe chmod 0644 'fail2ban/action.d/shorewall-ipset-proto6.conf'
-maybe chmod 0644 'fail2ban/action.d/smtp.py'
 maybe chmod 0644 'fail2ban/action.d/smtp.py.rpmnew'
-maybe chmod 0644 'fail2ban/action.d/symbiosis-blacklist-allports.conf'
-maybe chmod 0644 'fail2ban/action.d/xarf-login-attack.conf'
-maybe chmod 0644 'fail2ban/fail2ban.conf'
-maybe chmod 0755 'fail2ban/fail2ban.d'
+maybe chmod 0644 'fail2ban/action.d/smtp.py.rpmsave'
+maybe chmod 0644 'fail2ban/fail2ban.conf.rpmsave'
 maybe chmod 0755 'fail2ban/filter.d'
-maybe chmod 0644 'fail2ban/filter.d/3proxy.conf'
 maybe chmod 0640 'fail2ban/filter.d/a.txt'
-maybe chmod 0644 'fail2ban/filter.d/apache-auth.conf'
-maybe chmod 0644 'fail2ban/filter.d/apache-badbots.conf'
-maybe chmod 0644 'fail2ban/filter.d/apache-botsearch.conf'
-maybe chmod 0644 'fail2ban/filter.d/apache-common.conf'
-maybe chmod 0644 'fail2ban/filter.d/apache-fakegooglebot.conf'
-maybe chmod 0644 'fail2ban/filter.d/apache-modsecurity.conf'
-maybe chmod 0644 'fail2ban/filter.d/apache-nohome.conf'
-maybe chmod 0644 'fail2ban/filter.d/apache-noscript.conf'
-maybe chmod 0644 'fail2ban/filter.d/apache-overflows.conf'
-maybe chmod 0644 'fail2ban/filter.d/apache-pass.conf'
-maybe chmod 0644 'fail2ban/filter.d/apache-shellshock.conf'
-maybe chmod 0644 'fail2ban/filter.d/assp.conf'
-maybe chmod 0644 'fail2ban/filter.d/asterisk.conf'
-maybe chmod 0644 'fail2ban/filter.d/bitwarden.conf'
-maybe chmod 0644 'fail2ban/filter.d/botsearch-common.conf'
-maybe chmod 0644 'fail2ban/filter.d/centreon.conf'
-maybe chmod 0644 'fail2ban/filter.d/common.conf'
-maybe chmod 0644 'fail2ban/filter.d/counter-strike.conf'
-maybe chmod 0644 'fail2ban/filter.d/courier-auth.conf'
-maybe chmod 0644 'fail2ban/filter.d/courier-smtp.conf'
-maybe chmod 0644 'fail2ban/filter.d/cyrus-imap.conf'
-maybe chmod 0644 'fail2ban/filter.d/directadmin.conf'
-maybe chmod 0644 'fail2ban/filter.d/domino-smtp.conf'
-maybe chmod 0644 'fail2ban/filter.d/dovecot.conf'
 maybe chmod 0644 'fail2ban/filter.d/dovecot.conf.rpmnew'
-maybe chmod 0644 'fail2ban/filter.d/dropbear.conf'
-maybe chmod 0644 'fail2ban/filter.d/drupal-auth.conf'
-maybe chmod 0644 'fail2ban/filter.d/ejabberd-auth.conf'
-maybe chmod 0644 'fail2ban/filter.d/exim-common.conf'
-maybe chmod 0644 'fail2ban/filter.d/exim-spam.conf'
-maybe chmod 0644 'fail2ban/filter.d/exim.conf'
-maybe chmod 0644 'fail2ban/filter.d/freeswitch.conf'
-maybe chmod 0644 'fail2ban/filter.d/froxlor-auth.conf'
-maybe chmod 0644 'fail2ban/filter.d/gitlab.conf'
-maybe chmod 0644 'fail2ban/filter.d/grafana.conf'
-maybe chmod 0644 'fail2ban/filter.d/groupoffice.conf'
-maybe chmod 0644 'fail2ban/filter.d/gssftpd.conf'
-maybe chmod 0644 'fail2ban/filter.d/guacamole.conf'
-maybe chmod 0644 'fail2ban/filter.d/haproxy-http-auth.conf'
-maybe chmod 0644 'fail2ban/filter.d/horde.conf'
+maybe chmod 0644 'fail2ban/filter.d/dovecot.conf.rpmsave'
 maybe chmod 0755 'fail2ban/filter.d/ignorecommands'
-maybe chmod 0755 'fail2ban/filter.d/ignorecommands/apache-fakegooglebot'
-maybe chmod 0644 'fail2ban/filter.d/kerio.conf'
-maybe chmod 0644 'fail2ban/filter.d/lighttpd-auth.conf'
-maybe chmod 0644 'fail2ban/filter.d/mongodb-auth.conf'
-maybe chmod 0644 'fail2ban/filter.d/monit.conf'
-maybe chmod 0644 'fail2ban/filter.d/murmur.conf'
-maybe chmod 0644 'fail2ban/filter.d/mysqld-auth.conf'
-maybe chmod 0644 'fail2ban/filter.d/nagios.conf'
-maybe chmod 0644 'fail2ban/filter.d/named-refused.conf'
+maybe chmod 0755 'fail2ban/filter.d/ignorecommands/apache-fakegooglebot.rpmsave'
 maybe chmod 0644 'fail2ban/filter.d/named-refused.conf.rpmnew'
-maybe chmod 0644 'fail2ban/filter.d/nginx-botsearch.conf'
+maybe chmod 0644 'fail2ban/filter.d/named-refused.conf.rpmsave'
+maybe chmod 0644 'fail2ban/filter.d/nginx-botsearch.conf.rpmsave'
 maybe chmod 0640 'fail2ban/filter.d/nginx-forbidden.conf'
-maybe chmod 0644 'fail2ban/filter.d/nginx-http-auth.conf'
-maybe chmod 0644 'fail2ban/filter.d/nginx-limit-req.conf'
-maybe chmod 0644 'fail2ban/filter.d/nsd.conf'
-maybe chmod 0644 'fail2ban/filter.d/openhab.conf'
-maybe chmod 0644 'fail2ban/filter.d/openwebmail.conf'
-maybe chmod 0644 'fail2ban/filter.d/oracleims.conf'
-maybe chmod 0644 'fail2ban/filter.d/pam-generic.conf'
-maybe chmod 0644 'fail2ban/filter.d/perdition.conf'
-maybe chmod 0644 'fail2ban/filter.d/php-url-fopen.conf'
-maybe chmod 0644 'fail2ban/filter.d/phpmyadmin-syslog.conf'
-maybe chmod 0644 'fail2ban/filter.d/portsentry.conf'
 maybe chmod 0640 'fail2ban/filter.d/postfix-auth.conf'
 maybe chmod 0640 'fail2ban/filter.d/postfix-rbl.conf'
 maybe chmod 0644 'fail2ban/filter.d/postfix-sasl.conf'
 maybe chmod 0640 'fail2ban/filter.d/postfix-smtp-reject.conf'
 maybe chmod 0640 'fail2ban/filter.d/postfix-ssl-error.conf'
-maybe chmod 0644 'fail2ban/filter.d/postfix.conf'
-maybe chmod 0644 'fail2ban/filter.d/proftpd.conf'
-maybe chmod 0644 'fail2ban/filter.d/pure-ftpd.conf'
-maybe chmod 0644 'fail2ban/filter.d/qmail.conf'
-maybe chmod 0644 'fail2ban/filter.d/recidive.conf'
-maybe chmod 0644 'fail2ban/filter.d/roundcube-auth.conf'
-maybe chmod 0644 'fail2ban/filter.d/screensharingd.conf'
-maybe chmod 0644 'fail2ban/filter.d/selinux-common.conf'
-maybe chmod 0644 'fail2ban/filter.d/selinux-ssh.conf'
-maybe chmod 0644 'fail2ban/filter.d/sendmail-auth.conf'
-maybe chmod 0644 'fail2ban/filter.d/sendmail-reject.conf'
-maybe chmod 0644 'fail2ban/filter.d/sieve.conf'
-maybe chmod 0644 'fail2ban/filter.d/slapd.conf'
-maybe chmod 0644 'fail2ban/filter.d/softethervpn.conf'
-maybe chmod 0644 'fail2ban/filter.d/sogo-auth.conf'
-maybe chmod 0644 'fail2ban/filter.d/solid-pop3d.conf'
-maybe chmod 0644 'fail2ban/filter.d/squid.conf'
-maybe chmod 0644 'fail2ban/filter.d/squirrelmail.conf'
-maybe chmod 0644 'fail2ban/filter.d/sshd.conf'
+maybe chmod 0644 'fail2ban/filter.d/recidive.conf.rpmsave'
 maybe chmod 0644 'fail2ban/filter.d/sshd.conf.rpmnew'
-maybe chmod 0644 'fail2ban/filter.d/stunnel.conf'
-maybe chmod 0644 'fail2ban/filter.d/suhosin.conf'
-maybe chmod 0644 'fail2ban/filter.d/tine20.conf'
-maybe chmod 0644 'fail2ban/filter.d/traefik-auth.conf'
-maybe chmod 0644 'fail2ban/filter.d/uwimap-auth.conf'
-maybe chmod 0644 'fail2ban/filter.d/vsftpd.conf'
-maybe chmod 0644 'fail2ban/filter.d/webmin-auth.conf'
-maybe chmod 0644 'fail2ban/filter.d/wuftpd.conf'
-maybe chmod 0644 'fail2ban/filter.d/xinetd-fail.conf'
-maybe chmod 0644 'fail2ban/filter.d/znc-adminlog.conf'
-maybe chmod 0644 'fail2ban/filter.d/zoneminder.conf'
-maybe chmod 0644 'fail2ban/jail.conf'
+maybe chmod 0644 'fail2ban/filter.d/sshd.conf.rpmsave'
+maybe chmod 0644 'fail2ban/jail.conf.rpmsave'
 maybe chmod 0755 'fail2ban/jail.d'
-maybe chmod 0644 'fail2ban/jail.d/00-firewalld.conf'
 maybe chmod 0640 'fail2ban/jail.d/default.conf'
 maybe chmod 0644 'fail2ban/jail.d/recidive.conf'
 maybe chmod 0640 'fail2ban/jail.local'
-maybe chmod 0644 'fail2ban/paths-common.conf'
-maybe chmod 0644 'fail2ban/paths-fedora.conf'
 maybe chmod 0644 'filesystems'
 maybe chmod 0750 'firewalld'
-maybe chmod 0644 'firewalld/firewalld.conf'
-maybe chmod 0750 'firewalld/helpers'
-maybe chmod 0750 'firewalld/icmptypes'
-maybe chmod 0750 'firewalld/ipsets'
-maybe chmod 0644 'firewalld/lockdown-whitelist.xml'
-maybe chmod 0750 'firewalld/policies'
-maybe chmod 0750 'firewalld/services'
 maybe chmod 0750 'firewalld/zones'
 maybe chmod 0644 'firewalld/zones/public.xml'
 maybe chmod 0755 'fonts'
@@ -2689,8 +2541,7 @@ maybe chmod 0644 'logrotate.d/btmp'
 maybe chmod 0644 'logrotate.d/chrony'
 maybe chmod 0644 'logrotate.d/clamav-unofficial-sigs'
 maybe chmod 0644 'logrotate.d/dnf'
-maybe chmod 0644 'logrotate.d/fail2ban'
-maybe chmod 0644 'logrotate.d/firewalld'
+maybe chmod 0644 'logrotate.d/fail2ban.rpmsave'
 maybe chmod 0644 'logrotate.d/httpd'
 maybe chmod 0644 'logrotate.d/iptraf-ng'
 maybe chmod 0644 'logrotate.d/kvm_stat'
@@ -3465,7 +3316,6 @@ maybe chmod 0644 'mock/templates/rocky-8.tpl'
 maybe chmod 0755 'modprobe.d'
 maybe chmod 0644 'modprobe.d/blacklist-firewire.conf'
 maybe chmod 0640 'modprobe.d/cramfs.conf'
-maybe chmod 0644 'modprobe.d/firewalld-sysctls.conf'
 maybe chmod 0644 'modprobe.d/lockd.conf'
 maybe chmod 0644 'modprobe.d/mlx4.conf'
 maybe chmod 0644 'modprobe.d/nodccp.conf'
@@ -3512,12 +3362,6 @@ maybe chmod 0755 'newrelic-infra/logging.d'
 maybe chmod 0644 'newrelic-infra/logging.d/postfix.yml'
 maybe chmod 0644 'nfs.conf'
 maybe chmod 0644 'nfsmount.conf'
-maybe chmod 0700 'nftables'
-maybe chmod 0600 'nftables/main.nft'
-maybe chmod 0600 'nftables/nat.nft'
-maybe chmod 0700 'nftables/osf'
-maybe chmod 0600 'nftables/osf/pf.os'
-maybe chmod 0600 'nftables/router.nft'
 maybe chmod 0755 'nginx'
 maybe chown 'nginx' 'nginx/.anaf'
 maybe chgrp 'nginx' 'nginx/.anaf'
@@ -5119,8 +4963,6 @@ maybe chmod 0644 'sysconfig/chronyd'
 maybe chmod 0755 'sysconfig/console'
 maybe chmod 0644 'sysconfig/cpupower'
 maybe chmod 0644 'sysconfig/crond'
-maybe chmod 0600 'sysconfig/ebtables-config'
-maybe chmod 0644 'sysconfig/firewalld'
 maybe chmod 0644 'sysconfig/firstboot'
 maybe chmod 0644 'sysconfig/garb'
 maybe chmod 0644 'sysconfig/htcacheclean'
@@ -5169,7 +5011,6 @@ maybe chmod 0755 'sysconfig/network-scripts/init.ipv6-global'
 maybe chmod 0644 'sysconfig/network-scripts/network-functions'
 maybe chmod 0644 'sysconfig/network-scripts/network-functions-ipv6'
 maybe chmod 0644 'sysconfig/network-scripts/route-eth0'
-maybe chmod 0600 'sysconfig/nftables.conf'
 maybe chmod 0644 'sysconfig/node_exporter'
 maybe chmod 0644 'sysconfig/nrpe'
 maybe chmod 0644 'sysconfig/opendkim'
diff --git a/fail2ban/action.d/abuseipdb.conf b/fail2ban/action.d/abuseipdb.conf
deleted file mode 100644
index ed958c8..0000000
--- a/fail2ban/action.d/abuseipdb.conf
+++ /dev/null
@@ -1,104 +0,0 @@
-# Fail2ban configuration file
-#
-# Action to report IP address to abuseipdb.com
-# You must sign up to obtain an API key from abuseipdb.com.
-#
-# NOTE: These reports may include sensitive Info.
-# If you want cleaner reports that ensure no user data see the helper script at the below website.
-#
-# IMPORTANT:
-#
-# Reporting an IP of abuse is a serious complaint. Make sure that it is
-# serious. Fail2ban developers and network owners recommend you only use this
-# action for:
-#   * The recidive where the IP has been banned multiple times
-#   * Where maxretry has been set quite high, beyond the normal user typing
-#     password incorrectly.
-#   * For filters that have a low likelihood of receiving human errors
-#
-# This action relies on a api_key being added to the above action conf,
-# and the appropriate categories set.
-#
-# Example, for ssh bruteforce (in section [sshd] of `jail.local`): 
-#   action = %(known/action)s
-#            abuseipdb[abuseipdb_apikey="my-api-key", abuseipdb_category="18,22"]
-#
-# See below for categories.
-#
-# Added to fail2ban by Andrew James Collett (ajcollett)
-
-## abuseIPDB Categories, `the abuseipdb_category` MUST be set in the jail.conf action call.
-# Example, for ssh bruteforce: action = %(action_abuseipdb)s[abuseipdb_category="18,22"]
-# ID	Title	Description
-# 3	  Fraud Orders
-# 4	  DDoS Attack
-# 9	  Open Proxy
-# 10	Web Spam
-# 11	Email Spam
-# 14	Port Scan
-# 18	Brute-Force
-# 19	Bad Web Bot
-# 20	Exploited Host
-# 21	Web App Attack
-# 22	SSH	Secure Shell (SSH) abuse. Use this category in combination with more specific categories.
-# 23	IoT Targeted
-# See https://abuseipdb.com/categories for more descriptions
-
-[Definition]
-
-# bypass action for restored tickets
-norestored = 1
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart =
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop =
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck =
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-#
-#          ** IMPORTANT! **
-#
-#          By default, this posts directly to AbuseIPDB's API, unfortunately
-#          this results in a lot of backslashes/escapes appearing in the
-#          reports. This also may include info like your hostname.
-#          If you have your own web server with PHP available, you can
-#          use my (Shaun's) helper PHP script by commenting out the first #actionban
-#          line below, uncommenting the second one, and pointing the URL at
-#          wherever you install the helper script. For the PHP helper script, see
-#          <https://wiki.shaunc.com/wikka.php?wakka=ReportingToAbuseIPDBWithFail2Ban>
-#
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = lgm=$(printf '%%.1000s\n...' "<matches>"); curl -sSf "https://api.abuseipdb.com/api/v2/report" -H "Accept: application/json" -H "Key: <abuseipdb_apikey>" --data-urlencode "comment=$lgm" --data-urlencode "ip=<ip>" --data "categories=<abuseipdb_category>"
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban =
-
-[Init]
-# Option:  abuseipdb_apikey
-# Notes    Your API key from abuseipdb.com
-# Values:  STRING  Default: None
-# Register for abuseipdb [https://www.abuseipdb.com], get api key and set below.
-# You will need to set the category in the action call.
-abuseipdb_apikey =
diff --git a/fail2ban/action.d/apf.conf b/fail2ban/action.d/apf.conf
deleted file mode 100644
index 5c4a261..0000000
--- a/fail2ban/action.d/apf.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# Fail2Ban configuration file
-# https://www.rfxn.com/projects/advanced-policy-firewall/
-#
-# Note: APF doesn't play nicely with other actions. It has been observed to
-# remove bans created by other iptables based actions. If you are going to use
-# this action, use it for all of your jails.
-#
-# DON'T MIX APF and other IPTABLES based actions
-[Definition]
-
-actionstart = 
-actionstop = 
-actioncheck = 
-actionban = apf --deny <ip> "banned by Fail2Ban <name>"
-actionunban = apf --remove <ip>
-
-[Init]
-
-# Name used in APF configuration
-#
-name = default
-
-# DEV NOTES:
-#
-# Author: Mark McKinstry
diff --git a/fail2ban/action.d/badips.conf b/fail2ban/action.d/badips.conf
deleted file mode 100644
index 6f9513f..0000000
--- a/fail2ban/action.d/badips.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# Fail2ban reporting to badips.com
-#
-# Note: This reports an IP only and does not actually ban traffic. Use
-# another action in the same jail if you want bans to occur.
-#
-# Set the category to the appropriate value before use.
-#
-# To get see register and optional key to get personalised graphs see:
-# http://www.badips.com/blog/personalized-statistics-track-the-attackers-of-all-your-servers-with-one-key
-
-[Definition]
-
-actionban = curl --fail  --user-agent "<agent>" http://www.badips.com/add/<category>/<ip>
-
-[Init]
-
-# Option: category
-# Notes.: Values are from the list here: http://www.badips.com/get/categories
-category = 
diff --git a/fail2ban/action.d/badips.py b/fail2ban/action.d/badips.py.rpmsave
similarity index 100%
rename from fail2ban/action.d/badips.py
rename to fail2ban/action.d/badips.py.rpmsave
diff --git a/fail2ban/action.d/blocklist_de.conf b/fail2ban/action.d/blocklist_de.conf
deleted file mode 100644
index ba6d427..0000000
--- a/fail2ban/action.d/blocklist_de.conf
+++ /dev/null
@@ -1,84 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Steven Hiscocks
-#
-#
-
-# Action to report IP address to blocklist.de
-# Blocklist.de must be signed up to at www.blocklist.de
-# Once registered, one or more servers can be added.
-# This action requires the server 'email address' and the associated apikey.
-#
-# From blocklist.de:
-#   www.blocklist.de is a free and voluntary service provided by a
-#   Fraud/Abuse-specialist, whose servers are often attacked on SSH-,
-#   Mail-Login-, FTP-, Webserver- and other services.
-#   The mission is to report all attacks to the abuse departments of the
-#   infected PCs/servers to ensure that the responsible provider can inform
-#   the customer about the infection and disable them
-#
-# IMPORTANT: 
-# 
-# Reporting an IP of abuse is a serious complaint. Make sure that it is
-# serious. Fail2ban developers and network owners recommend you only use this
-# action for:
-#   * The recidive where the IP has been banned multiple times
-#   * Where maxretry has been set quite high, beyond the normal user typing
-#     password incorrectly.
-#   * For filters that have a low likelihood of receiving human errors
-#
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = 
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop =
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck =
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = curl --fail --data-urlencode "server=<email>" --data "apikey=<apikey>" --data "service=<service>" --data "ip=<ip>" --data-urlencode "logs=<matches><br>" --data 'format=text' --user-agent "<agent>" "https://www.blocklist.de/en/httpreports.html"
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban =
-
-# Option:  email
-# Notes    server email address, as per blocklist.de account
-# Values:  STRING  Default: None
-#
-#email =
-
-# Option:  apikey
-# Notes    your user blocklist.de user account apikey
-# Values:  STRING  Default: None
-#
-#apikey =
-
-# Option:  service
-# Notes    service name you are reporting on, typically aligns with filter name
-#          see http://www.blocklist.de/en/httpreports.html for full list
-# Values:  STRING  Default: None
-#
-#service =
diff --git a/fail2ban/action.d/cloudflare.conf b/fail2ban/action.d/cloudflare.conf
deleted file mode 100644
index 361cb17..0000000
--- a/fail2ban/action.d/cloudflare.conf
+++ /dev/null
@@ -1,83 +0,0 @@
-#
-# Author: Mike Rushton
-#
-# IMPORTANT
-#
-# Please set jail.local's permission to 640 because it contains your CF API key.
-#
-# This action depends on curl (and optionally jq).
-# Referenced from http://www.normyee.net/blog/2012/02/02/adding-cloudflare-support-to-fail2ban by NORM YEE
-#
-# To get your CloudFlare API Key: https://www.cloudflare.com/a/account/my-account
-#
-# CloudFlare API error codes: https://www.cloudflare.com/docs/host-api.html#s4.2
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart =
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop =
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck =
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
-#          <failures>  number of failures
-#          <time>  unix timestamp of the ban time
-# Values:  CMD
-#
-# API v1
-#actionban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=ban' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
-# API v4
-actionban = curl -s -o /dev/null -X POST <_cf_api_prms> \
-            -d '{"mode":"block","configuration":{"target":"ip","value":"<ip>"},"notes":"Fail2Ban <name>"}' \
-            <_cf_api_url>
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
-#          <failures>  number of failures
-#          <time>  unix timestamp of the ban time
-# Values:  CMD
-#
-# API v1
-#actionunban = curl -s -o /dev/null https://www.cloudflare.com/api_json.html -d 'a=nul' -d 'tkn=<cftoken>' -d 'email=<cfuser>' -d 'key=<ip>'
-# API v4
-actionunban = id=$(curl -s -X GET <_cf_api_prms> \
-                   "<_cf_api_url>?mode=block&configuration_target=ip&configuration_value=<ip>&page=1&per_page=1&notes=Fail2Ban%%20<name>" \
-                   | { jq -r '.result[0].id' 2>/dev/null || tr -d '\n' | sed -nE 's/^.*"result"\s*:\s*\[\s*\{\s*"id"\s*:\s*"([^"]+)".*$/\1/p'; })
-              if [ -z "$id" ]; then echo "<name>: id for <ip> cannot be found"; exit 0; fi;
-              curl -s -o /dev/null -X DELETE <_cf_api_prms> "<_cf_api_url>/$id"
-
-_cf_api_url = https://api.cloudflare.com/client/v4/user/firewall/access_rules/rules
-_cf_api_prms = -H 'X-Auth-Email: <cfuser>' -H 'X-Auth-Key: <cftoken>' -H 'Content-Type: application/json'
-
-[Init]
-
-# If you like to use this action with mailing whois lines, you could use the composite action
-# action_cf_mwl predefined in jail.conf, just define in your jail:
-#
-# action = %(action_cf_mwl)s
-# # Your CF account e-mail
-# cfemail  = 
-# # Your CF API Key
-# cfapikey = 
-
-cftoken =
-
-cfuser =
diff --git a/fail2ban/action.d/dshield.conf b/fail2ban/action.d/dshield.conf
deleted file mode 100644
index c128bef..0000000
--- a/fail2ban/action.d/dshield.conf
+++ /dev/null
@@ -1,207 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Russell Odom <russ@gloomytrousers.co.uk>
-# Submits attack reports to DShield (http://www.dshield.org/)
-#
-# You MUST configure at least:
-# <port> (the port that's being attacked - use number not name).
-#
-# You SHOULD also provide:
-# <myip> (your public IP address, if it's not the address of eth0)
-# <userid> (your DShield userID, if you have one - recommended, but reports will
-# be used anonymously if not)
-# <protocol> (the protocol in use - defaults to tcp)
-#
-# Best practice is to provide <port> and <protocol> in jail.conf like this:
-# action = dshield[port=1234,protocol=tcp]
-#
-# ...and create "dshield.local" with contents something like this:
-# [Init]
-# myip = 10.0.0.1
-# userid = 12345
-#
-# Other useful configuration values are <mailargs> (you can use for specifying
-# a different sender address for the report e-mails, which should match what is
-# configured at DShield), and <lines>/<minreportinterval>/<maxbufferage> (to
-# configure how often the buffer is flushed).
-#
-
-[Definition]
-
-# bypass ban/unban for restored tickets
-norestored = 1
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart =
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = if [ -f <tmpfile>.buffer ]; then
-                 cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
-                 date +%%s > <tmpfile>.lastsent
-             fi
-             rm -f <tmpfile>.buffer <tmpfile>.first
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck =
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-# See http://www.dshield.org/specs.html for more on report format/notes
-#
-# Note: We are currently using <time> for the timestamp because no tag is
-# available to indicate the timestamp of the log message(s) which triggered the
-# ban. Therefore the timestamps we are using in the report, whilst often only a
-# few seconds out, are incorrect. See
-# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047
-#
-actionban = TZONE=`date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'`
-            DATETIME="`perl -e '@t=localtime(<time>);printf "%%4d-%%02d-%%02d %%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'` $TZONE"
-	    PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
-	    if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
-            printf %%b "$DATETIME\t<userid>\t<failures>\t<ip>\t<srcport>\t<myip>\t<port>\t$PROTOCOL\t<tcpflags>\n" >> <tmpfile>.buffer
-            NOW=`date +%%s`
-            if [ ! -f <tmpfile>.first ]; then
-                echo <time> | cut -d. -f1 > <tmpfile>.first
-            fi
-            if [ ! -f <tmpfile>.lastsent ]; then
-                echo 0 > <tmpfile>.lastsent
-            fi
-            LOGAGE=$(($NOW - `cat <tmpfile>.first`))
-            LASTREPORT=$(($NOW - `cat <tmpfile>.lastsent`))
-            LINES=$( wc -l <tmpfile>.buffer | awk '{ print $1 }' )
-            if [ $LINES -ge <lines> && $LASTREPORT -gt <minreportinterval> ] || [ $LOGAGE -gt <maxbufferage> ]; then
-                cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ $TZONE Fail2Ban" <mailargs> <dest>
-                rm -f <tmpfile>.buffer <tmpfile>.first
-                echo $NOW > <tmpfile>.lastsent
-            fi
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = if [ -f <tmpfile>.first ]; then
-                  NOW=`date +%%s`
-                  LOGAGE=$(($NOW - `cat <tmpfile>.first`))
-                  if [ $LOGAGE -gt <maxbufferage> ]; then
-                      cat <tmpfile>.buffer | <mailcmd> "FORMAT DSHIELD USERID <userid> TZ `date +%%z | sed 's/\([+-]..\)\(..\)/\1:\2/'` Fail2Ban" <mailargs> <dest>
-                      rm -f <tmpfile>.buffer <tmpfile>.first
-                      echo $NOW > <tmpfile>.lastsent
-                  fi
-              fi
-
-
-[Init]
-# Option:  port
-# Notes.:  The target port for the attack (numerical). MUST be provided in the
-#          jail config, as it cannot be detected here.
-# Values:  [ NUM ]
-#
-port = ???
-
-# Option:  userid
-# Notes.:  Your DShield user ID. Should be provided either in the jail config or
-#          in a .local file.
-#          Register at https://secure.dshield.org/register.html
-# Values:  [ NUM ]
-#
-userid = 0
-
-# Option:  myip
-# Notes.:  The target IP for the attack (your public IP). Should be provided
-#          either in the jail config or in a .local file unless your PUBLIC IP
-#          is the first IP assigned to eth0
-# Values:  [ an IP address ]  Default: Tries to find the IP address of eth0,
-#          which in most cases will be a private IP, and therefore incorrect
-#
-myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
-
-# Option:  protocol
-# Notes.:  The protocol over which the attack is happening
-# Values:  [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp
-#
-protocol = tcp
-
-# Option:  lines
-# Notes.:  How many lines to buffer before making a report. Regardless of this,
-#          reports are sent a minimum of <minreportinterval> apart, or if the
-#          buffer contains an event over <maxbufferage> old, or on shutdown
-# Values:  [ NUM ]
-#
-lines = 50
-
-# Option:  minreportinterval
-# Notes.:  Minimum period (in seconds) that must elapse before we submit another
-#          batch of reports. DShield request a minimum of 1 hour (3600 secs)
-#          between reports.
-# Values:  [ NUM ]
-#
-minreportinterval = 3600
-
-# Option:  maxbufferage
-# Notes.:  Maximum age (in seconds) of the oldest report in the buffer before we
-#          submit the batch, even if we haven't reached <lines> yet. Note that
-#          this is only checked on each ban/unban, and that we always send
-#          anything in the buffer on shutdown. Must be greater than
-# Values:  [ NUM ]
-#
-maxbufferage = 21600
-
-# Option:  srcport
-# Notes.:  The source port of the attack. You're unlikely to have this info, so
-#          you can leave the default
-# Values:  [ NUM ]
-#
-srcport = ???
-
-# Option:  tcpflags
-# Notes.:  TCP flags on attack. You're unlikely to have this info, so you can
-#          leave empty
-# Values:  [ STRING ]
-#
-tcpflags =
-
-# Option:  mailcmd
-# Notes.:  Your system mail command. Is passed 2 args: subject and recipient
-# Values:  CMD
-#
-mailcmd = mail -s
-
-# Option:  mailargs
-# Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
-#          CC reports to another address:
-#              -c me@example.com
-#          Appear to come from a different address (the From address must match
-#          the one configured at DShield - the '--' indicates arguments to be
-#          passed to Sendmail):
-#              -- -f me@example.com
-# Values:  [ STRING ]
-#
-mailargs =
-
-# Option:  dest
-# Notes.:  Destination e-mail address for reports
-# Values:  [ STRING ]
-#
-dest = reports@dshield.org
-
-# Option:  tmpfile
-# Notes.:  Base name of temporary files used for buffering
-# Values:  [ STRING ]
-#
-tmpfile = /var/run/fail2ban/tmp-dshield
-
diff --git a/fail2ban/action.d/dummy.conf b/fail2ban/action.d/dummy.conf
deleted file mode 100644
index eb07e32..0000000
--- a/fail2ban/action.d/dummy.conf
+++ /dev/null
@@ -1,63 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
-#
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = if [ ! -z '<target>' ]; then touch <target>; fi;
-              printf %%b "<init>\n" <to_target>
-              echo "%(debug)s started"
-
-# Option:  actionflush
-# Notes.:  command executed once to flush (clear) all IPS, by shutdown (resp. by stop of the jail or this action)
-# Values:  CMD
-#
-actionflush = printf %%b "-*\n" <to_target>
-              echo "%(debug)s clear all"
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = if [ ! -z '<target>' ]; then rm -f <target>; fi;
-             echo "%(debug)s stopped"
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck = 
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = printf %%b "+<ip>\n" <to_target>
-            echo "%(debug)s banned <ip> (family: <family>)"
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = printf %%b "-<ip>\n" <to_target>
-              echo "%(debug)s unbanned <ip> (family: <family>)"
-
-
-debug = [<name>] <actname> <target> --
-
-[Init]
-
-init = 123
-
-target = /var/run/fail2ban/fail2ban.dummy
-to_target = >> <target>
diff --git a/fail2ban/action.d/firewallcmd-allports.conf b/fail2ban/action.d/firewallcmd-allports.conf
deleted file mode 100644
index de0e7f9..0000000
--- a/fail2ban/action.d/firewallcmd-allports.conf
+++ /dev/null
@@ -1,45 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Donald Yandt 
-# Because of the --remove-rules in stop this action requires firewalld-0.3.8+
-
-
-[INCLUDES]
-
-before = firewallcmd-common.conf
-
-[Definition]
-
-actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
-              firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
-              firewall-cmd --direct --add-rule <family> filter <chain> 0 -j f2b-<name>
-
-actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -j f2b-<name>
-             firewall-cmd --direct --remove-rules <family> filter f2b-<name>
-             firewall-cmd --direct --remove-chain <family> filter f2b-<name>
-
-
-# Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-recidive$'
-
-actioncheck = firewall-cmd --direct --get-chains <family> filter | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'
-
-actionban = firewall-cmd --direct --add-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
-
-actionunban = firewall-cmd --direct --remove-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
-
-# DEV NOTES:
-#
-# Author: Donald Yandt 
-# Uses "FirewallD" instead of the "iptables daemon".
-#
-#
-# Output:
-
-# actionstart:
-# $ firewall-cmd --direct --add-chain ipv4 filter f2b-recidive
-# success
-# $ firewall-cmd --direct --add-rule ipv4 filter f2b-recidive 1000 -j RETURN
-# success
-# $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -j f2b-recidive
-# success
-
diff --git a/fail2ban/action.d/firewallcmd-common.conf b/fail2ban/action.d/firewallcmd-common.conf
deleted file mode 100644
index 4abe531..0000000
--- a/fail2ban/action.d/firewallcmd-common.conf
+++ /dev/null
@@ -1,76 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Donald Yandt
-#
-
-[Init]
-
-# Option:  name
-# Notes    Default name of the chain
-# Values:  STRING
-name = default
-
-# Option   port
-# Notes    Can also use port numbers separated by a comma and in rich-rules comma and/or space.
-# Value    STRING Default: 1:65535
-port = 1:65535
-
-# Option:  protocol
-# Notes    [ tcp | udp | icmp | all ]
-# Values:  STRING Default: tcp
-protocol = tcp
-
-# Option:  family(ipv4)
-# Notes    specifies the socket address family type
-# Values:  STRING  
-family = ipv4
-
-# Option:  chain
-# Notes    specifies the firewalld chain to which the Fail2Ban rules should be
-#          added
-# Values:  STRING  Default: INPUT_direct
-chain = INPUT_direct
-
-# Option:  zone
-# Notes    use command firewall-cmd --get-active-zones to see a list of all active zones. See firewalld man pages for more information on zones
-# Values:  STRING  Default: public
-zone = public
-
-# Option:  service
-# Notes    use command firewall-cmd --get-services to see a list of services available
-#          Examples services: amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps 
-#          freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kadmin kerberos 
-#          kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s 
-#          postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp squid ssh synergy 
-#          telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
-# Values:  STRING Default: ssh 
-service = ssh
-
-# Option:  rejecttype (ipv4)
-# Notes    See iptables/firewalld man pages for ipv4 reject types. 
-# Values:  STRING
-rejecttype = icmp-port-unreachable
-
-# Option:  blocktype (ipv4/ipv6)
-# Notes    See iptables/firewalld man pages for jump targets. Common values are REJECT, 
-#          REJECT --reject-with icmp-port-unreachable, DROP
-# Values:  STRING
-blocktype = REJECT --reject-with <rejecttype>
-
-# Option:  rich-blocktype (ipv4/ipv6)
-# Notes    See firewalld man pages for jump targets. Common values are reject, 
-#          reject type="icmp-port-unreachable", drop
-# Values:  STRING
-rich-blocktype = reject type='<rejecttype>'
-
-[Init?family=inet6]
-
-# Option:  family(ipv6)
-# Notes    specifies the socket address family type
-# Values:  STRING  
-family = ipv6
-
-# Option:  rejecttype (ipv6)
-# Note:    See iptables/firewalld man pages for ipv6 reject types. 
-# Values:  STRING
-rejecttype = icmp6-port-unreachable
diff --git a/fail2ban/action.d/firewallcmd-ipset.conf b/fail2ban/action.d/firewallcmd-ipset.conf
deleted file mode 100644
index c89a024..0000000
--- a/fail2ban/action.d/firewallcmd-ipset.conf
+++ /dev/null
@@ -1,88 +0,0 @@
-# Fail2Ban action file for firewall-cmd/ipset
-#
-# This requires:
-# ipset (package: ipset)
-# firewall-cmd (package: firewalld)
-#
-# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
-# Use ipset -V to see the protocol and version.
-#
-# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
-#
-# If you are running on an older kernel you make need to patch in external
-# modules.
-
-[INCLUDES]
-
-before = firewallcmd-common.conf
-
-[Definition]
-
-actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
-              firewall-cmd --direct --add-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
-
-actionflush = ipset flush <ipmset>
-
-actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 <actiontype> -m set --match-set <ipmset> src -j <blocktype>
-             <actionflush>
-             ipset destroy <ipmset>
-
-actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist
-
-# actionprolong = %(actionban)s
-
-actionunban = ipset del <ipmset> <ip> -exist
-
-[Init]
-
-# Option:  chain
-# Notes    specifies the iptables chain to which the fail2ban rules should be
-#          added
-# Values:  [ STRING ]
-#
-chain = INPUT_direct
-
-# Option: default-ipsettime
-# Notes:  specifies default timeout in seconds (handled default ipset timeout only)
-# Values:  [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
-default-ipsettime = 0
-
-# Option: ipsettime
-# Notes:  specifies ticket timeout (handled ipset timeout only)
-# Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
-ipsettime = 0
-
-# expresion to caclulate timeout from bantime, example:
-# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
-timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
-
-# Option: actiontype
-# Notes.: defines additions to the blocking rule
-# Values: leave empty to block all attempts from the host
-# Default: Value of the multiport
-actiontype = <multiport>
-
-# Option: allports
-# Notes.: default addition to block all ports
-# Usage.: use in jail config:  banaction = firewallcmd-ipset[actiontype=<allports>]
-#         for all protocols:   banaction = firewallcmd-ipset[actiontype=""]
-allports = -p <protocol>
-
-# Option: multiport
-# Notes.: addition to block access only to specific ports
-# Usage.: use in jail config:  banaction = firewallcmd-ipset[actiontype=<multiport>]
-multiport = -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)"
-
-ipmset = f2b-<name>
-familyopt =
-
-[Init?family=inet6]
-
-ipmset = f2b-<name>6
-familyopt = family inet6
-
-
-# DEV NOTES:
-#
-# Author: Edgar Hoch and Daniel Black
-# firewallcmd-new / iptables-ipset-proto6 combined for maximium goodness
diff --git a/fail2ban/action.d/firewallcmd-multiport.conf b/fail2ban/action.d/firewallcmd-multiport.conf
deleted file mode 100644
index 0c401f1..0000000
--- a/fail2ban/action.d/firewallcmd-multiport.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Donald Yandt 
-# Because of the --remove-rules in stop this action requires firewalld-0.3.8+
-
-[INCLUDES]
-
-before = firewallcmd-common.conf
-
-[Definition]
-
-actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
-              firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
-              firewall-cmd --direct --add-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
-
-actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m conntrack --ctstate NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
-             firewall-cmd --direct --remove-rules <family> filter f2b-<name>
-             firewall-cmd --direct --remove-chain <family> filter f2b-<name>
-
-# Example actioncheck: firewall-cmd --direct --get-chains ipv4 filter | sed -e 's, ,\n,g' | grep -q '^f2b-apache-modsecurity$'
-
-actioncheck = firewall-cmd --direct --get-chains <family> filter | sed -e 's, ,\n,g' | grep -q '^f2b-<name>$'
-
-actionban = firewall-cmd --direct --add-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
-
-actionunban = firewall-cmd --direct --remove-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
diff --git a/fail2ban/action.d/firewallcmd-new.conf b/fail2ban/action.d/firewallcmd-new.conf
deleted file mode 100644
index 7b08603..0000000
--- a/fail2ban/action.d/firewallcmd-new.conf
+++ /dev/null
@@ -1,47 +0,0 @@
-# Fail2Ban configuration file
-#
-# Because of the --remove-rules in stop this action requires firewalld-0.3.8+
-
-[INCLUDES]
-
-before = firewallcmd-common.conf
-
-[Definition]
-
-actionstart = firewall-cmd --direct --add-chain <family> filter f2b-<name>
-              firewall-cmd --direct --add-rule <family> filter f2b-<name> 1000 -j RETURN
-              firewall-cmd --direct --add-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
-
-actionstop = firewall-cmd --direct --remove-rule <family> filter <chain> 0 -m state --state NEW -p <protocol> -m multiport --dports "$(echo '<port>' | sed s/:/-/g)" -j f2b-<name>
-             firewall-cmd --direct --remove-rules <family> filter f2b-<name>
-             firewall-cmd --direct --remove-chain <family> filter f2b-<name>
-
-actioncheck = firewall-cmd --direct --get-chains <family> filter | sed -e 's, ,\n,g' | grep -q 'f2b-<name>$'
-
-actionban = firewall-cmd --direct --add-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
-
-actionunban = firewall-cmd --direct --remove-rule <family> filter f2b-<name> 0 -s <ip> -j <blocktype>
-
-# DEV NOTES:
-#
-# Author: Edgar Hoch
-# Copied from iptables-new.conf and modified for use with firewalld by Edgar Hoch.
-#  It uses "firewall-cmd" instead of "iptables".
-#
-# Output:
-# 
-# $ firewall-cmd --direct --add-chain ipv4 filter fail2ban-name
-# success
-# $ firewall-cmd --direct --add-rule ipv4 filter fail2ban-name 1000 -j RETURN
-# success
-# $ sudo firewall-cmd --direct --add-rule ipv4 filter INPUT_direct 0 -m state --state NEW -p tcp -m multiport --dports 22 -j fail2ban-name
-# success
-# $ firewall-cmd --direct --get-chains ipv4 filter
-# fail2ban-name
-# $ firewall-cmd --direct --get-chains ipv4 filter  | od -h
-# 0000000 6166 6c69 6232 6e61 6e2d 6d61 0a65
-# $ firewall-cmd --direct --get-chains ipv4 filter | grep -Eq 'fail2ban-name( |$)' ; echo $?
-# 0
-# $ firewall-cmd -V
-# 0.3.8
-
diff --git a/fail2ban/action.d/firewallcmd-rich-logging.conf b/fail2ban/action.d/firewallcmd-rich-logging.conf
deleted file mode 100644
index 21e4508..0000000
--- a/fail2ban/action.d/firewallcmd-rich-logging.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# Fail2Ban configuration file
-#
-# Authors: Donald Yandt, Sergey G. Brester
-# 
-# Because of the rich rule commands requires firewalld-0.3.1+
-# This action uses firewalld rich-rules which gives you a cleaner iptables since it stores rules according to zones and not
-# by chain. So for an example all deny rules will be listed under <zone>_deny and all log rules under <zone>_log. 
-#
-# Also this action logs banned access attempts so you can filter that and increase ban time for offenders.
-#
-# If you use the --permanent rule you get a xml file in /etc/firewalld/zones/<zone>.xml that can be shared and parsed easliy
-#
-# This is an derivative of firewallcmd-rich-rules.conf, see there for details and other parameters.
-
-[INCLUDES]
-
-before = firewallcmd-rich-rules.conf
-
-[Definition]
-
-rich-suffix = log prefix='f2b-<name>' level='<level>' limit value='<rate>/m' <rich-blocktype>
-
-[Init]
-
-# log levels are "emerg", "alert", "crit", "error", "warning", "notice", "info" or "debug"
-level = info
-
-# log rate per minute
-rate = 1
diff --git a/fail2ban/action.d/firewallcmd-rich-rules.conf b/fail2ban/action.d/firewallcmd-rich-rules.conf
deleted file mode 100644
index 803d7d1..0000000
--- a/fail2ban/action.d/firewallcmd-rich-rules.conf
+++ /dev/null
@@ -1,44 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Donald Yandt 
-# 
-# Because of the rich rule commands requires firewalld-0.3.1+
-# This action uses firewalld rich-rules which gives you a cleaner iptables since it stores rules according to zones and not
-# by chain. So for an example all deny rules will be listed under <zone>_deny. 
-#
-# If you use the --permanent rule you get a xml file in /etc/firewalld/zones/<zone>.xml that can be shared and parsed easliy
-#
-# Example commands to view rules:
-# firewall-cmd [--zone=<zone>] --list-rich-rules
-# firewall-cmd [--zone=<zone>] --list-all
-# firewall-cmd [--zone=zone] --query-rich-rule='rule'
-
-[INCLUDES]
-
-before = firewallcmd-common.conf
-
-[Definition]
-
-actionstart = 
-
-actionstop = 
-
-actioncheck = 
-
-#you can also use zones and/or service names. 
-#
-# zone example: 
-# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' port port='<port>' protocol='<protocol>' <rich-blocktype>"
-#
-# service name example:
-# firewall-cmd --zone=<zone> --add-rich-rule="rule family='ipv4' source address='<ip>' service name='<service>' <rich-blocktype>"
-#
-# Because rich rules can only handle single or a range of ports we must split ports and execute the command for each port. Ports can be single and ranges separated by a comma or space for an example: http, https, 22-60, 18 smtp 
-
-fwcmd_rich_rule = rule family='<family>' source address='<ip>' port port='$p' protocol='<protocol>' %(rich-suffix)s
-
-actionban = ports="$(echo '<port>' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --add-rich-rule="%(fwcmd_rich_rule)s"; done
-	   
-actionunban = ports="$(echo '<port>' | sed s/:/-/g)"; for p in $(echo $ports | tr ", " " "); do firewall-cmd --remove-rich-rule="%(fwcmd_rich_rule)s"; done
-
-rich-suffix = <rich-blocktype>
\ No newline at end of file
diff --git a/fail2ban/action.d/helpers-common.conf b/fail2ban/action.d/helpers-common.conf
deleted file mode 100644
index 03422a8..0000000
--- a/fail2ban/action.d/helpers-common.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-[DEFAULT]
-
-# Usage:
-#   _grep_logs_args = 'test'
-#   (printf %%b "Log-excerpt contains 'test':\n"; %(_grep_logs)s; printf %%b "Log-excerpt contains 'test':\n") | mail ...
-#
-_grep_logs = logpath="<logpath>"; grep <grepopts> %(_grep_logs_args)s $logpath | <greplimit>
-# options `-wF` used to match only whole words and fixed string (not as pattern)
-_grep_logs_args = -wF "<ip>"
-
-# Used for actions, that should not by executed if ticket was restored:
-_bypass_if_restored = if [ '<restored>' = '1' ]; then exit 0; fi;
-
-[Init]
-greplimit = tail -n <grepmax>
-grepmax = 1000
-grepopts = -m <grepmax>
diff --git a/fail2ban/action.d/iptables-allports.conf b/fail2ban/action.d/iptables-allports.conf
deleted file mode 100644
index caf9ab8..0000000
--- a/fail2ban/action.d/iptables-allports.conf
+++ /dev/null
@@ -1,55 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
-# 			made active on all ports from original iptables.conf
-#
-#
-
-[INCLUDES]
-
-before = iptables-common.conf
-
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = <iptables> -N f2b-<name>
-              <iptables> -A f2b-<name> -j <returntype>
-              <iptables> -I <chain> -p <protocol> -j f2b-<name>
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
-             <actionflush>
-             <iptables> -X f2b-<name>
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
-
-[Init]
-
diff --git a/fail2ban/action.d/iptables-common.conf b/fail2ban/action.d/iptables-common.conf.rpmsave
similarity index 100%
rename from fail2ban/action.d/iptables-common.conf
rename to fail2ban/action.d/iptables-common.conf.rpmsave
diff --git a/fail2ban/action.d/iptables-ipset-proto4.conf b/fail2ban/action.d/iptables-ipset-proto4.conf
deleted file mode 100644
index 99ebbf8..0000000
--- a/fail2ban/action.d/iptables-ipset-proto4.conf
+++ /dev/null
@@ -1,65 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Daniel Black
-#
-# This is for ipset protocol 4 (ipset v4.2). If you have a later version
-# of ipset try to use the iptables-ipset-proto6.conf as it does some things
-# nicer.
-# 
-# This requires the program ipset which is normally in package called ipset.
-#
-# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
-#
-# If you are running on an older kernel you make need to patch in external
-# modules. Debian squeeze can do this with:
-#   apt-get install xtables-addons-source 
-#   module-assistant auto-install xtables-addons
-#
-# Debian wheezy and above uses protocol 6
-
-[INCLUDES]
-
-before = iptables-common.conf
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = ipset --create f2b-<name> iphash
-              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
-
-
-# Option:  actionflush
-# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
-# Values:  CMD
-#
-actionflush = ipset --flush f2b-<name>
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
-             <actionflush>
-             ipset --destroy f2b-<name>
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = ipset --test f2b-<name> <ip> ||  ipset --add f2b-<name> <ip>
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = ipset --test f2b-<name> <ip> && ipset --del f2b-<name> <ip>
-
-[Init]
-
diff --git a/fail2ban/action.d/iptables-ipset-proto6-allports.conf b/fail2ban/action.d/iptables-ipset-proto6-allports.conf
deleted file mode 100644
index 67d7947..0000000
--- a/fail2ban/action.d/iptables-ipset-proto6-allports.conf
+++ /dev/null
@@ -1,87 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Daniel Black
-#
-# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
-# Use ipset -V to see the protocol and version. Version 4 should use
-# iptables-ipset-proto4.conf.
-#
-# This requires the program ipset which is normally in package called ipset.
-#
-# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
-#
-# If you are running on an older kernel you make need to patch in external
-# modules which probably won't be protocol version 6.
-#
-# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
-#       made config file IPv6 capable (see new section Init?family=inet6)
-
-[INCLUDES]
-
-before = iptables-common.conf
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
-              <iptables> -I <chain> -m set --match-set <ipmset> src -j <blocktype>
-
-# Option:  actionflush
-# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
-# Values:  CMD
-#
-actionflush = ipset flush <ipmset>
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = <iptables> -D <chain> -m set --match-set <ipmset> src -j <blocktype>
-             <actionflush>
-             ipset destroy <ipmset>
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist
-
-# actionprolong = %(actionban)s
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = ipset del <ipmset> <ip> -exist
-
-[Init]
-
-# Option: default-ipsettime
-# Notes:  specifies default timeout in seconds (handled default ipset timeout only)
-# Values:  [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
-default-ipsettime = 0
-
-# Option: ipsettime
-# Notes:  specifies ticket timeout (handled ipset timeout only)
-# Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
-ipsettime = 0
-
-# expresion to caclulate timeout from bantime, example:
-# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
-timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
-
-ipmset = f2b-<name>
-familyopt =
-
-
-[Init?family=inet6]
-
-ipmset = f2b-<name>6
-familyopt = family inet6
diff --git a/fail2ban/action.d/iptables-ipset-proto6.conf b/fail2ban/action.d/iptables-ipset-proto6.conf
deleted file mode 100644
index 8760102..0000000
--- a/fail2ban/action.d/iptables-ipset-proto6.conf
+++ /dev/null
@@ -1,87 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Daniel Black
-#
-# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
-# Use ipset -V to see the protocol and version. Version 4 should use
-# iptables-ipset-proto4.conf.
-#
-# This requires the program ipset which is normally in package called ipset.
-#
-# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0 kernels.
-#
-# If you are running on an older kernel you make need to patch in external
-# modules.
-#
-# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
-#       made config file IPv6 capable (see new section Init?family=inet6)
-
-[INCLUDES]
-
-before = iptables-common.conf
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = ipset create <ipmset> hash:ip timeout <default-ipsettime> <familyopt>
-              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
-
-# Option:  actionflush
-# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
-# Values:  CMD
-#
-actionflush = ipset flush <ipmset>
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set <ipmset> src -j <blocktype>
-             <actionflush>
-             ipset destroy <ipmset>
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = ipset add <ipmset> <ip> timeout <ipsettime> -exist
-
-# actionprolong = %(actionban)s
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = ipset del <ipmset> <ip> -exist
-
-[Init]
-
-# Option: default-ipsettime
-# Notes:  specifies default timeout in seconds (handled default ipset timeout only)
-# Values:  [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
-default-ipsettime = 0
-
-# Option: ipsettime
-# Notes:  specifies ticket timeout (handled ipset timeout only)
-# Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
-ipsettime = 0
-
-# expresion to caclulate timeout from bantime, example:
-# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
-timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
-
-ipmset = f2b-<name>
-familyopt =
-
-
-[Init?family=inet6]
-
-ipmset = f2b-<name>6
-familyopt = family inet6
diff --git a/fail2ban/action.d/iptables-multiport-log.conf b/fail2ban/action.d/iptables-multiport-log.conf
deleted file mode 100644
index df126db..0000000
--- a/fail2ban/action.d/iptables-multiport-log.conf
+++ /dev/null
@@ -1,68 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Guido Bozzetto
-# Modified: Cyril Jaquier
-#
-# make "f2b-<name>" chain to match drop IP
-# make "f2b-<name>-log" chain to log and drop
-# insert a jump to f2b-<name> from -I <chain> if proto/port match
-#
-#
-
-[INCLUDES]
-
-before = iptables-common.conf
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = <iptables> -N f2b-<name>
-              <iptables> -A f2b-<name> -j <returntype>
-              <iptables> -I <chain> 1 -p <protocol> -m multiport --dports <port> -j f2b-<name>
-              <iptables> -N f2b-<name>-log
-              <iptables> -I f2b-<name>-log -j LOG --log-prefix "$(expr f2b-<name> : '\(.\{1,23\}\)'):DROP " --log-level warning -m limit --limit 6/m --limit-burst 2
-              <iptables> -A f2b-<name>-log -j <blocktype>
-
-# Option:  actionflush
-# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action)
-# Values:  CMD
-#
-actionflush = <iptables> -F f2b-<name>
-              <iptables> -F f2b-<name>-log
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
-             <actionflush>
-             <iptables> -X f2b-<name>
-             <iptables> -X f2b-<name>-log
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck = <iptables> -n -L f2b-<name>-log >/dev/null
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = <iptables> -I f2b-<name> 1 -s <ip> -j f2b-<name>-log
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = <iptables> -D f2b-<name> -s <ip> -j f2b-<name>-log
-
-[Init]
-
diff --git a/fail2ban/action.d/iptables-multiport.conf b/fail2ban/action.d/iptables-multiport.conf
deleted file mode 100644
index 41b00c5..0000000
--- a/fail2ban/action.d/iptables-multiport.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-# Modified by Yaroslav Halchenko for multiport banning
-#
-
-[INCLUDES]
-
-before = iptables-common.conf
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = <iptables> -N f2b-<name>
-              <iptables> -A f2b-<name> -j <returntype>
-              <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
-             <actionflush>
-             <iptables> -X f2b-<name>
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
-
-[Init]
-
diff --git a/fail2ban/action.d/iptables-new.conf b/fail2ban/action.d/iptables-new.conf
deleted file mode 100644
index 39a1709..0000000
--- a/fail2ban/action.d/iptables-new.conf
+++ /dev/null
@@ -1,54 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-# Copied from iptables.conf and modified by Yaroslav Halchenko 
-#  to fulfill the needs of bugreporter dbts#350746.
-#
-#
-
-[INCLUDES]
-
-before = iptables-common.conf
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = <iptables> -N f2b-<name>
-              <iptables> -A f2b-<name> -j <returntype>
-              <iptables> -I <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = <iptables> -D <chain> -m state --state NEW -p <protocol> --dport <port> -j f2b-<name>
-             <actionflush>
-             <iptables> -X f2b-<name>
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
-
-[Init]
-
diff --git a/fail2ban/action.d/iptables-xt_recent-echo.conf b/fail2ban/action.d/iptables-xt_recent-echo.conf
deleted file mode 100644
index 9744922..0000000
--- a/fail2ban/action.d/iptables-xt_recent-echo.conf
+++ /dev/null
@@ -1,79 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
-#
-# Modified: Alexander Koeppe <format_c@online.de>, Serg G. Brester <serg.brester@sebres.de>
-#       made config file IPv6 capable
-
-[INCLUDES]
-
-before = iptables-common.conf
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-# Changing iptables rules requires root privileges. If fail2ban is
-# configured to run as root, firewall setup can be performed by
-# fail2ban automatically. However, if fail2ban is configured to run as
-# a normal user, the configuration must be done by some other means
-# (e.g. using static firewall configuration with the
-# iptables-persistent package).
-# 
-# Explanation of the rule below:
-#    Check if any packets coming from an IP on the <iptname>
-#    list have been seen in the last 3600 seconds. If yes, update the
-#    timestamp for this IP and drop the packet. If not, let the packet
-#    through.
-#
-#    Fail2ban inserts blacklisted hosts into the <iptname> list
-#    and removes them from the list after some time, according to its
-#    own rules. The 3600 second timeout is independent and acts as a
-#    safeguard in case the fail2ban process dies unexpectedly. The
-#    shorter of the two timeouts actually matters.
-actionstart = if [ `id -u` -eq 0 ];then <iptables> -I <chain> -m recent --update --seconds 3600 --name <iptname> -j <blocktype>;fi
-
-# Option:  actionflush
-#
-# [TODO] Flushing is currently not implemented for xt_recent
-#
-actionflush = 
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = echo / > /proc/net/xt_recent/<iptname>
-             if [ `id -u` -eq 0 ];then <iptables> -D <chain> -m recent --update --seconds 3600 --name <iptname> -j <blocktype>;fi
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck = test -e /proc/net/xt_recent/<iptname>
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = echo +<ip> > /proc/net/xt_recent/<iptname>
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = echo -<ip> > /proc/net/xt_recent/<iptname>
-
-[Init]
-
-iptname              = f2b-<name>
-
-[Init?family=inet6]
-
-iptname = f2b-<name>6
diff --git a/fail2ban/action.d/iptables.conf b/fail2ban/action.d/iptables.conf
deleted file mode 100644
index 8ed5fda..0000000
--- a/fail2ban/action.d/iptables.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
-#
-
-[INCLUDES]
-
-before = iptables-common.conf
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = <iptables> -N f2b-<name>
-              <iptables> -A f2b-<name> -j <returntype>
-              <iptables> -I <chain> -p <protocol> --dport <port> -j f2b-<name>
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = <iptables> -D <chain> -p <protocol> --dport <port> -j f2b-<name>
-             <actionflush>
-             <iptables> -X f2b-<name>
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
-
-[Init]
-
diff --git a/fail2ban/action.d/mail-whois-common.conf b/fail2ban/action.d/mail-whois-common.conf
deleted file mode 100644
index ecf3a5d..0000000
--- a/fail2ban/action.d/mail-whois-common.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# Fail2Ban configuration file
-#
-# Common settings for mail actions
-#
-# Users can override the defaults in mail-whois-common.local
-
-[INCLUDES]
-
-# Load customizations if any available
-after = mail-whois-common.local
-
-[DEFAULT]
-#original character set of whois output will be sent to mail program
-_whois = whois <ip> || echo "missing whois program"
-
-# use heuristics to convert charset of whois output to a target
-# character set before sending it to a mail program
-# make sure you have 'file' and 'iconv' commands installed when opting for that
-_whois_target_charset = UTF-8
-_whois_convert_charset = (%(_whois)s) |
-                         { WHOIS_OUTPUT=$(cat) ; WHOIS_CHARSET=$(printf %%b "$WHOIS_OUTPUT" | file -b --mime-encoding -) ; printf %%b "$WHOIS_OUTPUT" | iconv -f $WHOIS_CHARSET -t %(_whois_target_charset)s//TRANSLIT - ; }
-
-# choose between _whois and _whois_convert_charset in mail-whois-common.local
-# or other *.local which include mail-whois-common.conf.
-_whois_command = %(_whois)s
-#_whois_command = %(_whois_convert_charset)s
-
-[Init]
diff --git a/fail2ban/action.d/mynetwatchman.conf b/fail2ban/action.d/mynetwatchman.conf
deleted file mode 100644
index b0ab2cc..0000000
--- a/fail2ban/action.d/mynetwatchman.conf
+++ /dev/null
@@ -1,143 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Russell Odom <russ@gloomytrousers.co.uk>
-# Submits attack reports to myNetWatchman (http://www.mynetwatchman.com/)
-#
-# You MUST configure at least:
-# <port> (the port that's being attacked - use number not name).
-# <mnwlogin> (your mNW login).
-# <mnwpass> (your mNW password).
-#
-# You SHOULD also provide:
-# <myip> (your public IP address, if it's not the address of eth0)
-# <protocol> (the protocol in use - defaults to tcp)
-#
-# Best practice is to provide <port> and <protocol> in jail.conf like this:
-# action = mynetwatchman[port=1234,protocol=udp]
-#
-# ...and create "mynetwatchman.local" with contents something like this:
-# [Init]
-# mnwlogin = me@example.com
-# mnwpass = SECRET
-# myip = 10.0.0.1
-#
-# Another useful configuration value is <getcmd>, if you don't have wget
-# installed (an example config for curl is given below)
-#
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart =
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop =
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck =
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-#
-# Note: We are currently using <time> for the timestamp because no tag is
-# available to indicate the timestamp of the log message(s) which triggered the
-# ban. Therefore the timestamps we are using in the report, whilst often only a
-# few seconds out, are incorrect. See
-# http://sourceforge.net/tracker/index.php?func=detail&aid=2017795&group_id=121032&atid=689047
-#
-actionban = MNWLOGIN=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwlogin>'`
-            MNWPASS=`perl -e '$s=shift;$s=~s/([\W])/"%%".uc(sprintf("%%2.2x",ord($1)))/eg;print $s' '<mnwpass>'`
-	    PROTOCOL=`awk '{IGNORECASE=1;if($1=="<protocol>"){print $2;exit}}' /etc/protocols`
-	    if [ -z "$PROTOCOL" ]; then PROTOCOL=<protocol>; fi
-	    DATETIME=`perl -e '@t=gmtime(<time>);printf "%%4d-%%02d-%%02d+%%02d:%%02d:%%02d",1900+$t[5],$t[4]+1,$t[3],$t[2],$t[1],$t[0]'`
-            <getcmd> "<mnwurl>?AT=2&AV=0&AgentEmail=$MNWLOGIN&AgentPassword=$MNWPASS&AttackerIP=<ip>&SrcPort=<srcport>&ProtocolID=$PROTOCOL&DestPort=<port>&AttackCount=<failures>&VictimIP=<myip>&AttackDateTime=$DATETIME" 2>&1 >> <tmpfile>.out && grep -q 'Attack Report Insert Successful' <tmpfile>.out && rm -f <tmpfile>.out
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban =
-
-[Init]
-# Option:  port
-# Notes.:  The target port for the attack (numerical). MUST be provided in
-#          the jail config, as it cannot be detected here.
-# Values:  [ NUM ]  Default: ???
-#
-port = 0
-
-# Option:  mnwlogin
-# Notes.:  Your mNW login e-mail address. MUST be provided either in the jail
-#          config or in a .local file.
-#          Register at http://www.mynetwatchman.com/reg.asp
-# Values:  [ STRING ]  Default: (empty)
-#
-mnwlogin =
-
-# Option:  mnwpass
-# Notes.:  The password corresponding to your mNW login e-mail address. MUST be
-#          provided either in the jail config or in a .local file.
-# Values:  [ STRING ]  Default: (empty)
-#
-mnwpass =
-
-# Option:  myip
-# Notes.:  The target IP for the attack (your public IP). Should be overridden
-#          either in the jail config or in a .local file unless your PUBLIC IP
-#          is the first IP assigned to eth0
-# Values:  [ an IP address ]  Default: Tries to find the IP address of eth0,
-#          which in most cases will be a private IP, and therefore incorrect
-#
-myip = `ip -4 addr show dev eth0 | grep inet | head -n 1 | sed -r 's/.*inet ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}).*/\1/'`
-
-# Option:  protocol
-# Notes.:  The protocol over which the attack is happening
-# Values:  [ tcp | udp | icmp | (any other protocol name from /etc/protocols) | NUM ] Default: tcp
-#
-protocol = tcp
-
-# Option:  agent
-# Default: Fail2ban
-agent = Fail2ban
-
-# Option:  getcmd
-# Notes.:  A command to fetch a URL. Should output page to STDOUT
-# Values:  CMD  Default: wget
-#
-getcmd = wget --no-verbose --tries=3 --waitretry=10 --connect-timeout=10 --read-timeout=60 --retry-connrefused --output-document=- --user-agent=<agent>
-# Alternative value:
-# getcmd = curl --silent --show-error --retry 3 --connect-timeout 10 --max-time 60 --user-agent <agent>
-
-# Option:  srcport
-# Notes.:  The source port of the attack. You're unlikely to have this info, so
-#          you can leave the default
-# Values:  [ NUM ]  Default: 0
-#
-srcport = 0
-
-# Option:  mnwurl
-# Notes.:  The report service URL on the mNW site
-# Values:  STRING  Default: http://mynetwatchman.com/insertwebreport.asp
-#
-mnwurl = http://mynetwatchman.com/insertwebreport.asp
-
-# Option:  tmpfile
-# Notes.:  Base name of temporary files
-# Values:  [ STRING ]  Default: /var/run/fail2ban/tmp-mynetwatchman
-#
-tmpfile = /var/run/fail2ban/tmp-mynetwatchman
diff --git a/fail2ban/action.d/netscaler.conf b/fail2ban/action.d/netscaler.conf
deleted file mode 100644
index 87f7e7b..0000000
--- a/fail2ban/action.d/netscaler.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# Fail2ban Citrix Netscaler Action
-# by Juliano Jeziorny
-# juliano@jeziorny.eu
-#
-# The script will add offender IPs to a dataset on netscaler, the dataset can then be used to block the IPs at a cs/vserver or global level
-# This dataset is then used to block IPs using responder policies on the netscaler.
-# 
-# The script assumes using HTTPS with unsecure certificate to access the netscaler, 
-# if you have a valid certificate installed remove the -k from the curl lines, or if you want http change it accordingly (and remove the -k)
-# 
-# This action depends on curl
-#
-# You need to populate the 3 options inside Init
-#
-# ns_host: IP or hostname of netslcaer appliance
-# ns_auth: username:password, suggest base64 encoded for a little added security (echo -n "username:password" | base64)
-# ns_dataset:  Name of the netscaler dataset holding the IPs to be blocked.
-# 
-# For further details on how to use it please check http://blog.ckzone.eu/2017/01/fail2ban-action-for-citrix-netscaler.html
-
-[Init]
-ns_host = 
-ns_auth = 
-ns_dataset = 
-
-[Definition]
-actionstart = curl -kH 'Authorization: Basic <ns_auth>' https://<ns_host>/nitro/v1/config
-
-actioncheck = 
-
-actionban = curl -k -H 'Authorization: Basic <ns_auth>' -X PUT -d '{"policydataset_value_binding":{"name":"<ns_dataset>","value":"<ip>"}}' https://<ns_host>/nitro/v1/config/
-
-actionunban = curl -H 'Authorization: Basic <ns_auth>' -X DELETE -k "https://<ns_host>/nitro/v1/config/policydataset_value_binding/<ns_dataset>?args=value:<ip>"
diff --git a/fail2ban/action.d/nftables-allports.conf b/fail2ban/action.d/nftables-allports.conf
deleted file mode 100644
index 908abe4..0000000
--- a/fail2ban/action.d/nftables-allports.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
-# 			made active on all ports from original iptables.conf
-# Modified: Alexander Belykh <albel727@ngs.ru>
-#                       adapted for nftables
-#
-# Obsolete: superseded by nftables[type=allports]
-
-[INCLUDES]
-
-before = nftables.conf
-
-[Definition]
-
-type = allports
diff --git a/fail2ban/action.d/nftables-multiport.conf b/fail2ban/action.d/nftables-multiport.conf
deleted file mode 100644
index ba3ec92..0000000
--- a/fail2ban/action.d/nftables-multiport.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
-# 			made active on all ports from original iptables.conf
-# Modified: Alexander Belykh <albel727@ngs.ru>
-#                       adapted for nftables
-#
-# Obsolete: superseded by nftables[type=multiport]
-
-[INCLUDES]
-
-before = nftables.conf
-
-[Definition]
-
-type = multiport
\ No newline at end of file
diff --git a/fail2ban/action.d/nftables.conf b/fail2ban/action.d/nftables.conf
deleted file mode 100644
index 77cf366..0000000
--- a/fail2ban/action.d/nftables.conf
+++ /dev/null
@@ -1,203 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Daniel Black
-# Author: Cyril Jaquier
-# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
-# 			made active on all ports from original iptables.conf
-# Modified: Alexander Belykh <albel727@ngs.ru>
-#                       adapted for nftables
-#
-# This is a included configuration file and includes the definitions for the nftables
-# used in all nftables based actions by default.
-#
-# The user can override the defaults in nftables-common.local
-# Example: redirect flow to honeypot
-#
-# [Init]
-# table_family = ip
-# chain_type = nat
-# chain_hook = prerouting
-# chain_priority = -50
-# blocktype = counter redirect to 2222
-
-[INCLUDES]
-
-after = nftables-common.local
-
-[Definition]
-
-# Option:  type
-# Notes.:  type of the action.
-# Values:  [ multiport | allports ]  Default: multiport
-#
-type = multiport
-
-rule_match-custom =
-rule_match-allports = meta l4proto \{ <protocol> \}
-rule_match-multiport = $proto dport \{ $(echo '<port>' | sed s/:/-/g) \}
-match = <rule_match-<type>>
-
-# Option:  rule_stat
-# Notes.:  statement for nftables filter rule.
-#          leaving it empty will block all (include udp and icmp)
-# Values:  nftables statement
-#
-rule_stat = %(match)s <addr_family> saddr @<addr_set> <blocktype>
-
-# optional interator over protocol's:
-_nft_for_proto-custom-iter =
-_nft_for_proto-custom-done =
-_nft_for_proto-allports-iter =
-_nft_for_proto-allports-done =
-_nft_for_proto-multiport-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
-_nft_for_proto-multiport-done = done
-
-_nft_list = <nftables> -a list chain <table_family> <table> <chain>
-_nft_get_handle_id = grep -oP '@<addr_set>\s+.*\s+\Khandle\s+(\d+)$'
-
-_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \{ type <addr_type>\; \}
-              <_nft_for_proto-<type>-iter>
-              <nftables> add rule <table_family> <table> <chain> %(rule_stat)s
-              <_nft_for_proto-<type>-done>
-_nft_del_set = { %(_nft_list)s | %(_nft_get_handle_id)s; } | while read -r hdl; do
-               <nftables> delete rule <table_family> <table> <chain> $hdl; done
-              <nftables> delete set <table_family> <table> <addr_set>
-
-# Option:  _nft_shutdown_table
-# Notes.:  command executed after the stop in order to delete table (it checks that no sets are available):
-# Values:  CMD
-#
-_nft_shutdown_table = { <nftables> list table <table_family> <table> | grep -qP '^\s+set\s+'; } || {
-                        <nftables> delete table <table_family> <table>
-                      }
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = <nftables> add table <table_family> <table>
-              <nftables> -- add chain <table_family> <table> <chain> \{ type <chain_type> hook <chain_hook> priority <chain_priority> \; \}
-              %(_nft_add_set)s
-
-# Option:  actionflush
-# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action);
-#          uses `nft flush set ...` and as fallback (e. g. unsupported) recreates the set (with references)
-# Values:  CMD
-#
-actionflush = { <nftables> flush set <table_family> <table> <addr_set> 2> /dev/null; } || {
-              %(_nft_del_set)s
-              %(_nft_add_set)s
-              }
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = %(_nft_del_set)s
-             <_nft_shutdown_table>
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck = <nftables> list chain <table_family> <table> <chain> | grep -q '@<addr_set>[ \t]'
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = <nftables> add element <table_family> <table> <addr_set> \{ <ip> \}
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = <nftables> delete element <table_family> <table> <addr_set> \{ <ip> \}
-
-[Init]
-
-# Option:  table
-# Notes.:  main table to store chain and sets (automatically created on demand)
-# Values:  STRING  Default: f2b-table
-table = f2b-table
-
-# Option:  table_family
-# Notes.:  address family to work in
-# Values:  [ip | ip6 | inet]  Default: inet
-table_family = inet
-
-# Option:  chain
-# Notes.:  main chain to store rules
-# Values:  STRING  Default: f2b-chain
-chain = f2b-chain
-
-# Option:  chain_type
-# Notes.:  refers to the kind of chain to be created
-# Values:  [filter | route | nat]  Default: filter
-#
-chain_type = filter
-
-# Option:  chain_hook
-# Notes.:  refers to the kind of chain to be created
-# Values:  [ prerouting | input | forward | output | postrouting ]  Default: input
-#
-chain_hook = input
-
-# Option:  chain_priority
-# Notes.:  priority in the chain.
-# Values:  NUMBER  Default: -1
-#
-chain_priority = -1
-
-# Option:  addr_type
-# Notes.:  address type to work with
-# Values:  [ipv4_addr | ipv6_addr]  Default: ipv4_addr
-#
-addr_type = ipv4_addr
-
-# Default name of the filtering set
-#
-name = default
-
-# Option:  port
-# Notes.:  specifies port to monitor
-# Values:  [ NUM | STRING ]  Default:
-#
-port = ssh
-
-# Option:  protocol
-# Notes.:  internally used by config reader for interpolations.
-# Values:  [ tcp | udp ] Default: tcp
-#
-protocol = tcp
-
-# Option:  blocktype
-# Note:    This is what the action does with rules. This can be any jump target
-#          as per the nftables man page (section 8). Common values are drop,
-#          reject, reject with icmpx type host-unreachable, redirect to 2222
-# Values:  STRING
-blocktype = reject
-
-# Option:  nftables
-# Notes.:  Actual command to be executed, including common to all calls options
-# Values:  STRING
-nftables = nft
-
-# Option: addr_set
-# Notes.: The name of the nft set used to store banned addresses
-# Values: STRING
-addr_set = addr-set-<name>
-
-# Option: addr_family
-# Notes.: The family of the banned addresses
-# Values: [ ip | ip6 ]
-addr_family = ip
-
-[Init?family=inet6]
-addr_family = ip6
-addr_type = ipv6_addr
-addr_set = addr6-set-<name>
diff --git a/fail2ban/action.d/nginx-block-map.conf b/fail2ban/action.d/nginx-block-map.conf
deleted file mode 100644
index ee70290..0000000
--- a/fail2ban/action.d/nginx-block-map.conf
+++ /dev/null
@@ -1,110 +0,0 @@
-# Fail2Ban configuration file for black-listing via nginx
-#
-# Author: Serg G. Brester (aka sebres)
-#
-# To use 'nginx-block-map' action you should define some special blocks in your nginx configuration,
-# and use it hereafter in your locations (to notify fail2ban by failure, resp. nginx by ban).
-#
-# Example (argument "token_id" resp. cookie "session_id" used here as unique identifier for user):
-#
-#   http {
-#     ...
-#     # maps to check user is blacklisted (banned in f2b):
-#     #map $arg_token_id      $blck_lst_tok { include blacklisted-tokens.map; }
-#     map  $cookie_session_id $blck_lst_ses { include blacklisted-sessions.map; }
-#     ...
-#     # special log-format to notify fail2ban about failures:
-#     log_format f2b_session_errors '$msec failure "$cookie_session_id" - $remote_addr - $remote_user '
-#      ;#                  '"$request" $status $bytes_sent '
-#       #                  '"$http_referer" "$http_user_agent"';
-#
-#     # location checking blacklisted values:
-#     location ... {
-#       # check banned sessionid:
-#       if ($blck_lst_ses != "") {
-#         try_files "" @f2b-banned;
-#       }
-#       ...
-#       # notify fail2ban about a failure inside nginx:
-#       error_page 401 = @notify-f2b;
-#       ...
-#     }
-#     ...
-#     # location for return with "403 Forbidden" if banned:
-#     location @f2b-banned {
-#       default_type text/html;
-#       return 403 "<br/><center>
-#         <b style=\"color:red; font-size:18pt; border:2pt solid black; padding:5pt;\">
-#         You are banned!</b></center>";
-#     }
-#     ...
-#     # location to notify fail2ban about a failure inside nginx:
-#     location @notify-f2b {
-#       access_log /var/log/nginx/f2b-auth-errors.log f2b_session_errors;
-#     }
-#   }
-#   ...
-#
-# Note that quote-character (and possibly other special characters) are not allowed currently as session-id.
-# Thus please add any session-id validation rule in your locations (or in the corresponding backend-service), 
-# like in example below:
-#
-#   location ... {
-#     if ($cookie_session_id !~ "^[\w\-]+$") {
-#       return  403 "Wrong session-id"
-#     }
-#     ...
-#   }
-#
-# The parameters for jail corresponding log-format (f2b_session_errors):
-#
-#   [nginx-blck-lst]
-#   filter =
-#   datepattern = ^Epoch
-#   failregex = ^ failure "<F-ID>[^"]+</F-ID>" - <ADDR>
-#   usedns = no
-#
-# The same log-file can be used for IP-related jail (additionally to session-related, to ban very bad IPs):
-#
-#   [nginx-blck-ip]
-#   maxretry = 100
-#   filter =
-#   datepattern = ^Epoch
-#   failregex = ^ failure "[^"]+" - <ADDR>
-#   usedns = no
-#
-
-[Definition]
-
-# path to configuration of nginx (used to target nginx-instance in multi-instance system,
-# and as path for the blacklisted map):
-srv_cfg_path = /etc/nginx/
-
-# cmd-line arguments to supply to test/reload nginx:
-#srv_cmd = nginx -c %(srv_cfg_path)s/nginx.conf
-srv_cmd = nginx
-
-# first test configuration is correct, hereafter send reload signal:
-blck_lst_reload = %(srv_cmd)s -qt; if [ $? -eq 0 ]; then
-                    %(srv_cmd)s -s reload; if [ $? -ne 0 ]; then echo 'reload failed.'; fi;
-                  fi;
-
-# map-file for nginx, can be redefined using `action = nginx-block-map[blck_lst_file="/path/file.map"]`:
-blck_lst_file = %(srv_cfg_path)s/blacklisted-sessions.map
-
-# Action definition:
-
-actionstart_on_demand = false
-actionstart = touch '%(blck_lst_file)s'
-
-actionflush = truncate -s 0 '%(blck_lst_file)s'; %(blck_lst_reload)s
-
-actionstop = %(actionflush)s
-
-actioncheck = 
-
-_echo_blck_row = printf '\%%s 1;\n' "<fid>"
-
-actionban = %(_echo_blck_row)s >> '%(blck_lst_file)s'; %(blck_lst_reload)s
-
-actionunban = id=$(%(_echo_blck_row)s | sed -e 's/[]\/$*.^|[]/\\&/g'); sed -i "/^$id$/d" %(blck_lst_file)s; %(blck_lst_reload)s
diff --git a/fail2ban/action.d/npf.conf b/fail2ban/action.d/npf.conf
deleted file mode 100644
index 3bbb2f5..0000000
--- a/fail2ban/action.d/npf.conf
+++ /dev/null
@@ -1,61 +0,0 @@
-# Fail2Ban configuration file
-#
-# NetBSD npf ban/unban
-#
-# Author: Nils Ratusznik <nils@NetBSD.org>
-# Based on pf.conf action file
-#
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-# we don't enable NPF automatically, as it will be enabled elsewhere
-actionstart = 
-
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-# we don't disable NPF automatically either
-actionstop = 
-
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck = 
-
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
-#          <failures>  number of failures
-#          <time>  unix timestamp of the ban time
-# Values:  CMD
-#
-actionban = /sbin/npfctl table <tablename> add <ip>
-
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    <ip>  IP address
-#          <failures>  number of failures
-#          <time>  unix timestamp of the ban time
-# Values:  CMD
-#
-# note -r option used to remove matching rule
-actionunban = /sbin/npfctl table <tablename> rem <ip>
-
-[Init]
-# Option:  tablename
-# Notes.:  The pf table name.
-# Values:  [ STRING ]
-#
-tablename = fail2ban
diff --git a/fail2ban/action.d/nsupdate.conf b/fail2ban/action.d/nsupdate.conf
deleted file mode 100644
index ef56c6b..0000000
--- a/fail2ban/action.d/nsupdate.conf
+++ /dev/null
@@ -1,114 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Andrew St. Jean
-#
-# Use nsupdate to perform dynamic DNS updates on a BIND zone file.
-# One may want to do this to update a local RBL with banned IP addresses.
-#
-# Options
-#
-# domain	DNS domain that will appear in nsupdate add and delete
-#		commands.
-#
-# ttl		The time to live (TTL) in seconds of the TXT resource
-#		record.
-#
-# rdata		Data portion of the TXT resource record.
-#
-# nsupdatecmd	Full path to the nsupdate command.
-#
-# keyfile	Full path to TSIG key file used for authentication between
-#		nsupdate and BIND.
-#
-# Create an nsupdate.local to set at least the <domain> and <keyfile>
-# options as they don't have default values.
-#
-# The ban and unban commands assume nsupdate will authenticate to the BIND
-# server using a TSIG key. The full path to the key file must be specified
-# in the <keyfile> parameter. Use this command to generate your TSIG key.
-#
-# dnssec-keygen -a HMAC-MD5 -b 256 -n HOST <key_name>
-#
-# Replace <key_name> with some meaningful name.
-#
-# This command will generate two files. Specify the .private file in the
-# <keyfile> option. Note that the .key file must also be present in the same
-# directory for nsupdate to use the key.
-#
-# Don't forget to add the key and appropriate allow-update or update-policy
-# option to your named.conf file.
-#
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart =
-
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop =
-
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck =
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = echo <ip> | awk -F. '{print "prereq nxrrset "$4"."$3"."$2"."$1".<domain> TXT"; print "update add "$4"."$3"."$2"."$1".<domain> <ttl> IN TXT \"<rdata>\""; print "send"}' | <nsupdatecmd> -k <keyfile>
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = echo <ip> | awk -F. '{print "update delete "$4"."$3"."$2"."$1".<domain>"; print "send"}' | <nsupdatecmd> -k <keyfile>
-
-[Init]
-
-# Option:  domain
-# Notes.:  DNS domain that nsupdate will update.
-# Values:  STRING
-#
-domain = 
-
-# Option:  ttl
-# Notes.:  time to live (TTL) in seconds of TXT resource record
-#          added by nsupdate.
-# Values:  NUM
-#
-ttl = 60
-
-# Option:  rdata
-# Notes.:  data portion of the TXT resource record added by nsupdate.
-# Values:  STRING
-#
-rdata = Your IP has been banned
-
-# Option:  nsupdatecmd
-# Notes.:  specifies the full path to the nsupdate program that dynamically
-#          updates BIND zone files.
-# Values:  CMD
-#
-nsupdatecmd = /usr/bin/nsupdate
-
-# Option:  keyfile
-# Notes.:  specifies the full path to the file containing the
-#	   TSIG key for communicating with BIND.
-# Values:  STRING
-#
-keyfile = 
-
diff --git a/fail2ban/action.d/route.conf b/fail2ban/action.d/route.conf
deleted file mode 100644
index 9b96a7b..0000000
--- a/fail2ban/action.d/route.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Michael Gebetsroither
-#
-# This is for blocking whole hosts through blackhole routes.
-#
-# PRO:
-#   - Works on all kernel versions and as no compatibility problems (back to debian lenny and WAY further).
-#   - It's FAST for very large numbers of blocked ips.
-#   - It's FAST because it Blocks traffic before it enters common iptables chains used for filtering.
-#   - It's per host, ideal as action against ssh password bruteforcing to block further attack attempts.
-#   - No additional software required beside iproute/iproute2
-#
-# CON:
-#   - Blocking is per IP and NOT per service, but ideal as action against ssh password bruteforcing hosts
-
-[Definition]
-actionban   = ip route add <blocktype> <ip>
-actionunban = ip route del <blocktype> <ip>
-actioncheck =
-actionstart =
-actionstop =
-
-[Init]
-
-# Option:  blocktype
-# Note:    Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
-# Values:  STRING
-blocktype = unreachable
diff --git a/fail2ban/action.d/sendmail-buffered.conf b/fail2ban/action.d/sendmail-buffered.conf
deleted file mode 100644
index 13803f8..0000000
--- a/fail2ban/action.d/sendmail-buffered.conf
+++ /dev/null
@@ -1,99 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
-#
-
-[INCLUDES]
-
-before = sendmail-common.conf
-
-[Definition]
-
-# bypass ban/unban for restored tickets
-norestored = 1
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on <fq-hostname>
-              From: <sendername> <<sender>>
-              To: <dest>\n
-              Hi,\n
-              The jail <name> has been started successfully.\n
-              Output will be buffered until <lines> lines are available.\n
-              Regards,\n
-              Fail2Ban" | <mailcmd>
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = if [ -f <tmpfile> ]; then
-                 printf %%b "Subject: [Fail2Ban] <name>: summary from <fq-hostname>
-                 From: <sendername> <<sender>>
-                 To: <dest>\n
-                 Hi,\n
-                 These hosts have been banned by Fail2Ban.\n
-                 `cat <tmpfile>`
-                 Regards,\n
-                 Fail2Ban" | <mailcmd>
-                 rm <tmpfile>
-             fi
-             printf %%b "Subject: [Fail2Ban] <name>: stopped  on <fq-hostname>
-             From: Fail2Ban <<sender>>
-             To: <dest>\n
-             Hi,\n
-             The jail <name> has been stopped.\n
-             Regards,\n
-             Fail2Ban" | <mailcmd>
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck = 
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = printf %%b "`date`: <ip> (<failures> failures)\n" >> <tmpfile>
-            LINE=$( wc -l <tmpfile> | awk '{ print $1 }' )
-            if [ $LINE -ge <lines> ]; then
-                printf %%b "Subject: [Fail2Ban] <name>: summary from <fq-hostname>
-                From: <sendername> <<sender>>
-                To: <dest>\n
-                Hi,\n
-                These hosts have been banned by Fail2Ban.\n
-                `cat <tmpfile>`
-                Regards,\n
-                Fail2Ban" | <mailcmd>
-                rm <tmpfile>
-            fi
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = 
-
-[Init]
-
-# Default name of the chain
-#
-name = default
-
-# Default number of lines that are buffered
-#
-lines = 5
-
-# Default temporary file
-#
-tmpfile = /var/run/fail2ban/tmp-mail.txt
-
diff --git a/fail2ban/action.d/sendmail-common.conf b/fail2ban/action.d/sendmail-common.conf
deleted file mode 100644
index 1e31fad..0000000
--- a/fail2ban/action.d/sendmail-common.conf
+++ /dev/null
@@ -1,77 +0,0 @@
-# Fail2Ban configuration file
-#
-# Common settings for sendmail actions
-#
-# Users can override the defaults in sendmail-common.local
-
-[INCLUDES]
-
-after = sendmail-common.local
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = printf %%b "Subject: [Fail2Ban] <name>: started on <fq-hostname>
-              Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
-              From: <sendername> <<sender>>
-              To: <dest>\n
-              Hi,\n
-              The jail <name> has been started successfully.\n
-              Regards,\n
-              Fail2Ban" | <mailcmd>
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = printf %%b "Subject: [Fail2Ban] <name>: stopped on <fq-hostname>
-             Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
-             From: <sendername> <<sender>>
-             To: <dest>\n
-             Hi,\n
-             The jail <name> has been stopped.\n
-             Regards,\n
-             Fail2Ban" | <mailcmd>
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck =
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban =
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban =
-
-[Init]
-
-# Your system mail command
-#
-mailcmd = /usr/sbin/sendmail -f "<sender>" "<dest>"
-
-# Recipient mail address
-#
-dest = root
-
-# Sender mail address
-#
-sender = fail2ban
-
-# Sender display name
-#
-sendername = Fail2Ban
diff --git a/fail2ban/action.d/sendmail-geoip-lines.conf b/fail2ban/action.d/sendmail-geoip-lines.conf
deleted file mode 100644
index b36e49a..0000000
--- a/fail2ban/action.d/sendmail-geoip-lines.conf
+++ /dev/null
@@ -1,59 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Viktor Szépe
-#
-#
-
-[INCLUDES]
-
-before = sendmail-common.conf
-         helpers-common.conf
-
-[Definition]
-
-# bypass ban/unban for restored tickets
-norestored = 1
-
-# Option:  actionban
-# Notes.:  Command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-#          You need to install geoiplookup and the GeoLite or GeoIP databases.
-#          (geoip-bin and geoip-database in Debian)
-#          The host command comes from bind9-host package.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = ( printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
-            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
-            From: <sendername> <<sender>>
-            To: <dest>\n
-            Hi,\n
-            The IP <ip> has just been banned by Fail2Ban after
-            <failures> attempts against <name>.\n\n
-            Here is more information about <ip> :\n
-            http://bgp.he.net/ip/<ip>
-            http://www.projecthoneypot.org/ip_<ip>
-            http://whois.domaintools.com/<ip>\n\n
-            Country:`geoiplookup -f /usr/share/GeoIP/GeoIP.dat "<ip>" | cut -d':' -f2-`
-            AS:`geoiplookup -f /usr/share/GeoIP/GeoIPASNum.dat "<ip>" | cut -d':' -f2-`
-            hostname: <ip-host>\n\n
-            Lines containing failures of <ip> (max <grepmax>)\n";
-            %(_grep_logs)s;
-            printf %%b "\n
-            Regards,\n
-            Fail2Ban" ) | <mailcmd>
-
-[Init]
-
-# Default name of the chain
-#
-name = default
-
-# Path to the log files which contain relevant lines for the abuser IP
-#
-logpath = /dev/null
-
-# Number of log lines to include in the email
-#
-#grepmax = 1000
-#grepopts = -m <grepmax>
diff --git a/fail2ban/action.d/sendmail-whois-ipjailmatches.conf b/fail2ban/action.d/sendmail-whois-ipjailmatches.conf
deleted file mode 100644
index 7790ec5..0000000
--- a/fail2ban/action.d/sendmail-whois-ipjailmatches.conf
+++ /dev/null
@@ -1,41 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
-#
-
-[INCLUDES]
-
-before = sendmail-common.conf
-         mail-whois-common.conf
-
-[Definition]
-
-# bypass ban/unban for restored tickets
-norestored = 1
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
-            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
-            From: <sendername> <<sender>>
-            To: <dest>\n
-            Hi,\n
-            The IP <ip> has just been banned by Fail2Ban after
-            <failures> attempts against <name>.\n\n
-            Here is more information about <ip> :\n
-            `%(_whois_command)s`\n\n
-            Matches for <name> with <ipjailfailures> failures IP:<ip>\n
-            <ipjailmatches>\n\n
-            Regards,\n
-            Fail2Ban" | <mailcmd>
-
-[Init]
-
-# Default name of the chain
-#
-name = default
diff --git a/fail2ban/action.d/sendmail-whois-ipmatches.conf b/fail2ban/action.d/sendmail-whois-ipmatches.conf
deleted file mode 100644
index e4717ca..0000000
--- a/fail2ban/action.d/sendmail-whois-ipmatches.conf
+++ /dev/null
@@ -1,41 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
-#
-
-[INCLUDES]
-
-before = sendmail-common.conf
-         mail-whois-common.conf
-
-[Definition]
-
-# bypass ban/unban for restored tickets
-norestored = 1
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
-            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
-            From: <sendername> <<sender>>
-            To: <dest>\n
-            Hi,\n
-            The IP <ip> has just been banned by Fail2Ban after
-            <failures> attempts against <name>.\n\n
-            Here is more information about <ip> :\n
-            `%(_whois_command)s`\n\n
-            Matches with <ipfailures> failures IP:<ip>\n
-            <ipmatches>\n\n
-            Regards,\n
-            Fail2Ban" | <mailcmd>
-
-[Init]
-
-# Default name of the chain
-#
-name = default
diff --git a/fail2ban/action.d/sendmail-whois-lines.conf b/fail2ban/action.d/sendmail-whois-lines.conf
deleted file mode 100644
index 47ec6ed..0000000
--- a/fail2ban/action.d/sendmail-whois-lines.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
-#
-
-[INCLUDES]
-
-before = sendmail-common.conf
-         mail-whois-common.conf
-         helpers-common.conf
-
-[Definition]
-
-# bypass ban/unban for restored tickets
-norestored = 1
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = ( printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
-            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
-            From: <sendername> <<sender>>
-            To: <dest>\n
-            Hi,\n
-            The IP <ip> has just been banned by Fail2Ban after
-            <failures> attempts against <name>.\n\n
-            Here is more information about <ip> :\n"
-            %(_whois_command)s;
-            printf %%b "\nLines containing failures of <ip> (max <grepmax>)\n";
-            %(_grep_logs)s;
-            printf %%b "\n
-            Regards,\n
-            Fail2Ban" ) | <mailcmd>
-
-[Init]
-
-# Default name of the chain
-#
-name = default
-
-# Path to the log files which contain relevant lines for the abuser IP
-#
-logpath = /dev/null
-
-# Number of log lines to include in the email
-#
-#grepmax = 1000
-#grepopts = -m <grepmax>
diff --git a/fail2ban/action.d/sendmail-whois-matches.conf b/fail2ban/action.d/sendmail-whois-matches.conf
deleted file mode 100644
index 08215ea..0000000
--- a/fail2ban/action.d/sendmail-whois-matches.conf
+++ /dev/null
@@ -1,41 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
-#
-
-[INCLUDES]
-
-before = sendmail-common.conf
-         mail-whois-common.conf
-
-[Definition]
-
-# bypass ban/unban for restored tickets
-norestored = 1
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
-            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
-            From: <sendername> <<sender>>
-            To: <dest>\n
-            Hi,\n
-            The IP <ip> has just been banned by Fail2Ban after
-            <failures> attempts against <name>.\n\n
-            Here is more information about <ip> :\n
-            `%(_whois_command)s`\n\n
-            Matches:\n
-            <matches>\n\n
-            Regards,\n
-            Fail2Ban" | <mailcmd>
-
-[Init]
-
-# Default name of the chain
-#
-name = default
diff --git a/fail2ban/action.d/sendmail-whois.conf b/fail2ban/action.d/sendmail-whois.conf
deleted file mode 100644
index 9e93cd3..0000000
--- a/fail2ban/action.d/sendmail-whois.conf
+++ /dev/null
@@ -1,40 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
-#
-
-[INCLUDES]
-
-before = sendmail-common.conf
-         mail-whois-common.conf
-
-[Definition]
-
-# bypass ban/unban for restored tickets
-norestored = 1
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
-            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
-            From: <sendername> <<sender>>
-            To: <dest>\n
-            Hi,\n
-            The IP <ip> has just been banned by Fail2Ban after
-            <failures> attempts against <name>.\n\n
-            Here is more information about <ip> :\n
-            `%(_whois_command)s`\n
-            Regards,\n
-            Fail2Ban" | <mailcmd>
-
-[Init]
-
-# Default name of the chain
-#
-name = default
-
diff --git a/fail2ban/action.d/sendmail.conf b/fail2ban/action.d/sendmail.conf
deleted file mode 100644
index ad9e8d7..0000000
--- a/fail2ban/action.d/sendmail.conf
+++ /dev/null
@@ -1,37 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
-#
-
-[INCLUDES]
-
-before = sendmail-common.conf
-
-[Definition]
-
-# bypass ban/unban for restored tickets
-norestored = 1
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from <fq-hostname>
-            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
-            From: <sendername> <<sender>>
-            To: <dest>\n
-            Hi,\n
-            The IP <ip> has just been banned by Fail2Ban after
-            <failures> attempts against <name>.\n
-            Regards,\n
-            Fail2Ban" | <mailcmd>
-
-[Init]
-
-# Default name of the chain
-#
-name = default
-
diff --git a/fail2ban/action.d/shorewall-ipset-proto6.conf b/fail2ban/action.d/shorewall-ipset-proto6.conf
deleted file mode 100644
index eacb53d..0000000
--- a/fail2ban/action.d/shorewall-ipset-proto6.conf
+++ /dev/null
@@ -1,93 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Eduardo Diaz
-#
-# This is for ipset protocol 6 (and hopefully later) (ipset v6.14).
-# for shorewall
-#
-# Use this setting in jail.conf to modify use this action instead of a
-# default one
-#
-# banaction   = shorewall-ipset-proto6
-#
-# This requires the program ipset which is normally in package called ipset.
-#
-# IPset was a feature introduced in the linux kernel 2.6.39 and 3.0.0
-# kernels, and you need Shorewall >= 4.5.5 to use this action.
-#
-# The default Shorewall configuration is with "BLACKLISTNEWONLY=Yes" (see
-# file /etc/shorewall/shorewall.conf). This means that when Fail2ban adds a
-# new shorewall rule to ban an IP address, that rule will affect only new
-# connections. So if the attacker goes on trying using the same connection
-# he could even log in. In order to get the same behavior of the iptable
-# action (so that the ban is immediate) the /etc/shorewall/shorewall.conf
-# file should me modified with "BLACKLISTNEWONLY=No".
-#
-#
-# Enable shorewall to use a blacklist using iptables creating a file
-# /etc/shorewall/blrules and adding "DROP net:+f2b-ssh all" and
-# similar lines for every jail.  To enable restoring you ipset you
-# must set SAVE_IPSETS=Yes in shorewall.conf .  You can read more
-# about ipsets handling in Shorewall at http://shorewall.net/ipsets.html
-#
-# To force creation of the ipset in the case that somebody deletes the
-# ipset create a file /etc/shorewall/initdone and add one line for
-# every ipset (this files are in Perl) and add 1 at the end of the file.
-# The example:
-# system("/usr/sbin/ipset -quiet -exist create f2b-ssh hash:ip timeout 600 ");
-# 1;
-#
-# To destroy the ipset in shorewall you must add to the file /etc/shorewall/stopped
-# # One line of every ipset
-# system("/usr/sbin/ipset -quiet destroy f2b-ssh ");
-# 1; # This must go to the end of the file if not shorewall compilation fails
-#
-
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart = if ! ipset -quiet -name list f2b-<name> >/dev/null;
-              then ipset -quiet -exist create f2b-<name> hash:ip timeout <default-ipsettime>;
-              fi
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop = ipset flush f2b-<name>
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionban = ipset add f2b-<name> <ip> timeout <ipsettime> -exist
-
-# actionprolong = %(actionban)s
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP. Take care that the
-#          command is executed with Fail2Ban user rights.
-# Tags:    See jail.conf(5) man page
-# Values:  CMD
-#
-actionunban = ipset del f2b-<name> <ip> -exist
-
-# Option: default-ipsettime
-# Notes:  specifies default timeout in seconds (handled default ipset timeout only)
-# Values:  [ NUM ]  Default: 0 (no timeout, managed by fail2ban by unban)
-default-ipsettime = 0
-
-# Option: ipsettime
-# Notes:  specifies ticket timeout (handled ipset timeout only)
-# Values:  [ NUM ]  Default: 0 (managed by fail2ban by unban)
-ipsettime = 0
-
-# expresion to caclulate timeout from bantime, example:
-# banaction = %(known/banaction)s[ipsettime='<timeout-bantime>']
-timeout-bantime = $([ "<bantime>" -le 2147483 ] && echo "<bantime>" || echo 0)
diff --git a/fail2ban/action.d/smtp.py b/fail2ban/action.d/smtp.py.rpmsave
similarity index 100%
rename from fail2ban/action.d/smtp.py
rename to fail2ban/action.d/smtp.py.rpmsave
diff --git a/fail2ban/action.d/symbiosis-blacklist-allports.conf b/fail2ban/action.d/symbiosis-blacklist-allports.conf
deleted file mode 100644
index 6fb7d0a..0000000
--- a/fail2ban/action.d/symbiosis-blacklist-allports.conf
+++ /dev/null
@@ -1,55 +0,0 @@
-# Fail2Ban configuration file for Bytemark Symbiosis firewall
-#
-# Author: Yaroslav Halchenko
-#
-
-[INCLUDES]
-
-before = iptables-common.conf
-
-[Definition]
-
-# Option:  actionstart
-# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
-# Values:  CMD
-#
-actionstart =
-
-# Option:  actionstop
-# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
-# Values:  CMD
-#
-actionstop =
-
-# Option:  actioncheck
-# Notes.:  command executed once before each actionban command
-# Values:  CMD
-#
-actioncheck = <iptables> -n -L <chain>
-
-# Option:  actionban
-# Notes.:  command executed when banning an IP.
-# Values:  CMD
-#
-actionban = echo 'all' >| /etc/symbiosis/firewall/blacklist.d/<ip>.auto
-            <iptables> -I <chain> 1 -s <ip> -j <blocktype>
-
-# Option:  actionunban
-# Notes.:  command executed when unbanning an IP.
-# Values:  CMD
-#
-actionunban = rm -f /etc/symbiosis/firewall/blacklist.d/<ip>.auto
-              <iptables> -D <chain> -s <ip> -j <blocktype> || :
-
-[Init]
-
-# Option:  chain
-# Notes    specifies the iptables chain to which the fail2ban rules should be
-#          added to.  blacklist is a chain initiated by symbiosis firewall.
-# Values:  STRING  Default: blacklist
-chain = blacklist
-
-# Option:  blocktype
-# Note:    This is to match default symbiosis firewall type for blacklisted IPs
-# Values:  STRING
-blocktype = DROP
diff --git a/fail2ban/action.d/xarf-login-attack.conf b/fail2ban/action.d/xarf-login-attack.conf
deleted file mode 100644
index f348b2c..0000000
--- a/fail2ban/action.d/xarf-login-attack.conf
+++ /dev/null
@@ -1,143 +0,0 @@
-# Fail2Ban action for sending xarf Login-Attack messages to IP owner
-#
-# IMPORTANT:
-#
-# Emailing a IP owner of abuse is a serious complain. Make sure that it is
-# serious. Fail2ban developers and network owners recommend you only use this
-# action for:
-#   * The recidive where the IP has been banned multiple times
-#   * Where maxretry has been set quite high, beyond the normal user typing
-#     password incorrectly.
-#   * For filters that have a low likelihood of receiving human errors
-#
-# DEPENDENCIES:
-#
-# This requires the dig command from bind-utils
-#
-# This uses the https://abusix.com/contactdb.html to lookup abuse contacts.
-#
-# XARF is a specification for sending a formatted response
-# for non-messaging based abuse including:
-#
-# Login-Attack, Malware-Attack, Fraud (Phishing, etc.), Info DNSBL
-#
-# For details see:
-# https://github.com/xarf/xarf-specification
-# http://www.x-arf.org/schemata.html
-#
-# Author: Daniel Black
-# Based on complain written by Russell Odom <russ@gloomytrousers.co.uk>
-#
-#
-
-[Definition]
-
-# bypass ban/unban for restored tickets
-norestored = 1
-
-actionstart =
-
-actionstop =
-
-actioncheck =
-
-actionban = oifs=${IFS};
-            RESOLVER_ADDR="%(addr_resolver)s"
-            if [ "<debug>" -gt 0 ]; then echo "try to resolve $RESOLVER_ADDR"; fi
-            ADDRESSES=$(dig +short -t txt -q $RESOLVER_ADDR | tr -d '"')
-            IFS=,; ADDRESSES=$(echo $ADDRESSES)
-            IFS=${oifs}
-            IP=<ip>
-            FROM=<sender>
-            SERVICE=<service>
-            FAILURES=<failures>
-            REPORTID=<time>@<fq-hostname>
-            TLP=<tlp>
-            PORT=<port>
-            DATE=`LC_ALL=C date --date=@<time> +"%%a, %%d %%h %%Y %%T %%z"`
-            if [ ! -z "$ADDRESSES" ]; then
-                oifs=${IFS}; IFS=,; ADDRESSES=$(echo $ADDRESSES)
-                IFS=${oifs}
-                (printf -- %%b "<header>\n<message>\n<report>\n\n";
-                 date '+Note: Local timezone is %%z (%%Z)';
-                 printf -- %%b "\n<ipmatches>\n\n<footer>") | <mailcmd> <mailargs> $ADDRESSES
-            fi
-
-actionunban =
-
-# Server as resolver used in dig command
-#
-addr_resolver = <ip-rev>abuse-contacts.abusix.org
-
-# Option: boundary
-# Notes:  This can be overwritten to be safe for possible predictions
-boundary = bfbb0f920793ac03cb8634bde14d8a1e
-
-_boundary = Abuse<time>-<boundary>
-
-# Option: header
-# Notes:  This is really a fixed value
-header  = Subject: abuse report about $IP - $DATE\nAuto-Submitted: auto-generated\nX-XARF: PLAIN\nContent-Transfer-Encoding: 7bit\nContent-Type: multipart/mixed; charset=utf8;\n  boundary=%(_boundary)s;\n\n--%(_boundary)s\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8;\n
-
-# Option: footer
-# Notes:  This is really a fixed value and needs to match the report and header
-#         mime delimiters
-footer = \n\n--%(_boundary)s--
-
-# Option: report
-# Notes:  Intended to be fixed
-report =  --%(_boundary)s\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf-8; name=\"report.txt\";\n\n---\nReported-From: $FROM\nCategory: abuse\nReport-ID: $REPORTID\nReport-Type: login-attack\nService: $SERVICE\nVersion: 0.2\nUser-Agent: Fail2ban v0.9\nDate: $DATE\nSource-Type: ip-address\nSource: $IP\nPort: $PORT\nSchema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json\nAttachment: text/plain\nOccurances: $FAILURES\nTLP: $TLP\n\n\n--%(_boundary)s\nMIME-Version: 1.0\nContent-Transfer-Encoding: 7bit\nContent-Type: text/plain; charset=utf8; name=\"logfile.log\";
-
-# Option: Message
-# Notes:  This can be modified by the users
-message = Dear Sir/Madam,\n\nWe have detected abuse from the IP address $IP, which according to abusix.com is on your network. We would appreciate if you would investigate and take action as appropriate.\n\nLog lines are given below, but please ask if you require any further information.\n\n(If you are not the correct person to contact about this please accept our apologies - your e-mail address was extracted from the whois record by an automated process.)\n\n This mail was generated by Fail2Ban in a X-ARF format! You can find more information about x-arf at http://www.x-arf.org/specification.html.\n\nThe recipient address of this report was provided by the Abuse Contact DB by abusix.com. abusix.com does not maintain the content of the database. All information which we pass out, derives from the RIR databases and is processed for ease of use. If you want to change or report non working abuse contacts please contact the appropriate RIR. If you have any further question, contact abusix.com directly via email (info@abusix.com). Information about the Abuse Contact Database can be found here: https://abusix.com/global-reporting/abuse-contact-db\nabusix.com is neither responsible nor liable for the content or accuracy of this message.\n
-
-# Option:  loglines
-# Notes.:  The number of log lines to search for the IP for the report
-loglines = 9000
-
-# Option:  mailcmd
-# Notes.:  Your system mail command. It is passed the recipient
-# Values:  CMD
-#
-mailcmd =  /usr/sbin/sendmail
-
-# Option:  mailargs
-# Notes.:  Additional arguments to mail command. e.g. for standard Unix mail:
-#          CC reports to another address:
-#              -c me@example.com
-#          Appear to come from a different address - the '--' indicates
-#          arguments to be passed to Sendmail:
-#              -- -f me@example.com
-# Values:  [ STRING ]
-#
-mailargs = -f <sender>
-
-# Option:  tlp
-# Notes.:  Traffic light protocol defining the sharing of this information.
-#          http://www.trusted-introducer.org/ISTLPv11.pdf
-#          green is share to those involved in network security but it is not
-#          to be released to the public.
-tlp = green
-
-# ALL of the following parameters should be set so the report contains
-# meaningful information
-
-# Option: service
-# Notes.: This is the service type that was attacked. e.g. ssh, pop3
-service = unspecified
-
-# Option:  logpath
-# Notes:   Path to the log files which contain relevant lines for the abuser IP
-# Values:  Filename(s) space separated and can contain wildcards (these are
-#          greped for the IP so make sure these aren't too long
-logpath = /dev/null
-
-# Option:  sender
-# Notes.:  This is the sender that is included in the XARF report
-sender = fail2ban@<fq-hostname>
-
-# Option:  port
-# Notes.:  This is the port number that received the login-attack
-port = 0
-
diff --git a/fail2ban/fail2ban.conf b/fail2ban/fail2ban.conf.rpmsave
similarity index 100%
rename from fail2ban/fail2ban.conf
rename to fail2ban/fail2ban.conf.rpmsave
diff --git a/fail2ban/filter.d/3proxy.conf b/fail2ban/filter.d/3proxy.conf
deleted file mode 100644
index 76c7573..0000000
--- a/fail2ban/filter.d/3proxy.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# Fail2Ban filter for 3proxy
-#
-#
-
-[Definition]
-
-
-failregex = ^\s[+-]\d{4} \S+ \d{3}0[1-9] \S+ <HOST>:\d+ [\d.]+:\d+ \d+ \d+ \d+\s
-
-ignoreregex = 
-
-datepattern = {^LN-BEG}
-
-# DEV Notes:
-# http://www.3proxy.ru/howtoe.asp#ERRORS indicates that 01-09 are
-# all authentication problems (%E field)
-# Log format is: "L%d-%m-%Y %H:%M:%S %z %N.%p %E %U %C:%c %R:%r %O %I %h %T"
-#
-# Requested by ykimon in https://github.com/fail2ban/fail2ban/issues/246
-# Author: Daniel Black
diff --git a/fail2ban/filter.d/apache-auth.conf b/fail2ban/filter.d/apache-auth.conf
deleted file mode 100644
index 40f6d6e..0000000
--- a/fail2ban/filter.d/apache-auth.conf
+++ /dev/null
@@ -1,71 +0,0 @@
-# Fail2Ban apache-auth filter
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# apache-common.local
-before = apache-common.conf
-
-[Definition]
-
-# Mode for filter: normal (default) and aggressive (allows DDoS & brute force detection of mod_evasive)
-mode = normal
-
-# ignore messages of mod_evasive module:
-apache-pref-ign-normal = (?!evasive)
-# allow "denied by server configuration" from all modules:
-apache-pref-ign-aggressive =
-# mode related ignore prefix for common _apache_error_client substitution:
-apache-pref-ignore = <apache-pref-ign-<mode>>
-
-prefregex = ^%(_apache_error_client)s (?:AH\d+: )?<F-CONTENT>.+</F-CONTENT>$
-
-# auth_type = ((?:Digest|Basic): )?
-auth_type = ([A-Z]\w+: )?
-
-failregex = ^client (?:denied by server configuration|used wrong authentication scheme)\b
-            ^user (?!`)<F-USER>(?:\S*|.*?)</F-USER> (?:auth(?:oriz|entic)ation failure|not found|denied by provider)\b
-            ^Authorization of user <F-USER>(?:\S*|.*?)</F-USER> to access .*? failed\b
-            ^%(auth_type)suser <F-USER>(?:\S*|.*?)</F-USER>: password mismatch\b
-            ^%(auth_type)suser `<F-USER>(?:[^']*|.*?)</F-USER>' in realm `.+' (auth(?:oriz|entic)ation failure|not found|denied by provider)\b
-            ^%(auth_type)sinvalid nonce .* received - length is not\b
-            ^%(auth_type)srealm mismatch - got `(?:[^']*|.*?)' but expected\b
-            ^%(auth_type)sunknown algorithm `(?:[^']*|.*?)' received\b
-            ^invalid qop `(?:[^']*|.*?)' received\b
-            ^%(auth_type)sinvalid nonce .*? received - user attempted time travel\b
-            ^(?:No h|H)ostname \S+ provided via SNI(?:, but no hostname provided| and hostname \S+ provided| for a name based virtual host)\b
-
-ignoreregex = 
-
-# DEV Notes:
-#
-# This filter matches the authorization failures of Apache. It takes the log messages
-# from the modules in aaa that return HTTP_UNAUTHORIZED, HTTP_METHOD_NOT_ALLOWED or
-# HTTP_FORBIDDEN and not AUTH_GENERAL_ERROR or HTTP_INTERNAL_SERVER_ERROR.
-#
-# An unauthorized response 401 is the first step for a browser to instigate authentication
-# however apache doesn't log this as an error. Only subsequent errors are logged in the 
-# error log.
-#
-# Source:
-#
-# By searching the code in http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/aaa/*
-# for ap_log_rerror(APLOG_MARK, APLOG_ERR and examining resulting return code should get
-# all of these expressions. Lots of submodules like mod_authz_* return back to mod_authz_core
-# to return the actual failure.
-#
-# Note that URI can contain spaces.
-#
-# See also: http://wiki.apache.org/httpd/ListOfErrors
-# Expressions that don't have tests and aren't common.
-# more be added with  https://issues.apache.org/bugzilla/show_bug.cgi?id=55284 
-#     ^user .*: nonce expired \([\d.]+ seconds old - max lifetime [\d.]+\) - sending new nonce\s*$
-#     ^user .*: one-time-nonce mismatch - sending new nonce\s*$
-#     ^realm mismatch - got `(?:[^']*|.*?)' but no realm specified\s*$
-#
-# Because url/referer are foreign input, short form of regex used if long enough to idetify failure.
-# 
-# Author: Cyril Jaquier
-# Major edits by Daniel Black and Ben Rubson.
-# Rewritten for v.0.10 by Sergey Brester (sebres).
diff --git a/fail2ban/filter.d/apache-badbots.conf b/fail2ban/filter.d/apache-badbots.conf
deleted file mode 100644
index 12d4105..0000000
--- a/fail2ban/filter.d/apache-badbots.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# Fail2Ban configuration file
-#
-# Regexp to catch known spambots and software alike. Please verify
-# that it is your intent to block IPs which were driven by
-# above mentioned bots.
-
-
-[Definition]
-
-badbotscustom = EmailCollector|WebEMailExtrac|TrackBack/1\.02|sogou music spider|(?:Mozilla/\d+\.\d+ )?Jorgee
-badbots = Atomic_Email_Hunter/4\.0|atSpider/1\.0|autoemailspider|bwh3_user_agent|China Local Browse 2\.6|ContactBot/0\.2|ContentSmartz|DataCha0s/2\.0|DBrowse 1\.4b|DBrowse 1\.4d|Demo Bot DOT 16b|Demo Bot Z 16b|DSurf15a 01|DSurf15a 71|DSurf15a 81|DSurf15a VA|EBrowse 1\.4b|Educate Search VxB|EmailSiphon|EmailSpider|EmailWolf 1\.00|ESurf15a 15|ExtractorPro|Franklin Locator 1\.8|FSurf15a 01|Full Web Bot 0416B|Full Web Bot 0516B|Full Web Bot 2816B|Guestbook Auto Submitter|Industry Program 1\.0\.x|ISC Systems iRc Search 2\.1|IUPUI Research Bot v 1\.9a|LARBIN-EXPERIMENTAL \(efp@gmx\.net\)|LetsCrawl\.com/1\.0 \+http\://letscrawl\.com/|Lincoln State Web Browser|LMQueueBot/0\.2|LWP\:\:Simple/5\.803|Mac Finder 1\.0\.xx|MFC Foundation Class Library 4\.0|Microsoft URL Control - 6\.00\.8xxx|Missauga Locate 1\.0\.0|Missigua Locator 1\.9|Missouri College Browse|Mizzu Labs 2\.2|Mo College 1\.9|MVAClient|Mozilla/2\.0 \(compatible; NEWT ActiveX; Win32\)|Mozilla/3\.0 \(compatible; Indy Library\)|Mozilla/3\.0 \(compatible; scan4mail \(advanced version\) http\://www\.peterspages\.net/?scan4mail\)|Mozilla/4\.0 \(compatible; Advanced Email Extractor v2\.xx\)|Mozilla/4\.0 \(compatible; Iplexx Spider/1\.0 http\://www\.iplexx\.at\)|Mozilla/4\.0 \(compatible; MSIE 5\.0; Windows NT; DigExt; DTS Agent|Mozilla/4\.0 efp@gmx\.net|Mozilla/5\.0 \(Version\: xxxx Type\:xx\)|NameOfAgent \(CMS Spider\)|NASA Search 1\.0|Nsauditor/1\.x|PBrowse 1\.4b|PEval 1\.4b|Poirot|Port Huron Labs|Production Bot 0116B|Production Bot 2016B|Production Bot DOT 3016B|Program Shareware 1\.0\.2|PSurf15a 11|PSurf15a 51|PSurf15a VA|psycheclone|RSurf15a 41|RSurf15a 51|RSurf15a 81|searchbot admin@google\.com|ShablastBot 1\.0|snap\.com beta crawler v0|Snapbot/1\.0|Snapbot/1\.0 \(Snap Shots&#44; \+http\://www\.snap\.com\)|sogou develop spider|Sogou Orion spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sogou spider|Sogou web spider/3\.0\(\+http\://www\.sogou\.com/docs/help/webmasters\.htm#07\)|sohu agent|SSurf15a 11 |TSurf15a 11|Under the Rainbow 2\.2|User-Agent\: Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)|VadixBot|WebVulnCrawl\.unknown/1\.0 libwww-perl/5\.803|Wells Search II|WEP Search 00
-
-failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP.*"(?:%(badbots)s|%(badbotscustom)s)"$
-
-ignoreregex =
-
-datepattern = ^[^\[]*\[({DATE})
-              {^LN-BEG}
-
-# DEV Notes:
-# List of bad bots fetched from http://www.user-agents.org
-# Generated on Thu Nov  7 14:23:35 PST 2013 by files/gen_badbots.
-#
-# Author: Yaroslav Halchenko
diff --git a/fail2ban/filter.d/apache-botsearch.conf b/fail2ban/filter.d/apache-botsearch.conf
deleted file mode 100644
index 872f199..0000000
--- a/fail2ban/filter.d/apache-botsearch.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-# Fail2Ban filter to match web requests for selected URLs that don't exist
-#
-# This filter is aimed at blocking specific URLs that don't exist. This
-# could be a set of URLs places in a Disallow: directive in robots.txt or
-# just some web services that don't exist caused bots are searching for
-# exploitable content. This filter is designed to have a low false positive
-# rate due.
-#
-# An alternative to this is the apache-noscript filter which blocks all
-# types of scripts that don't exist.
-#
-#
-# This is normally a predefined list of exploitable or valuable web services
-# that are hidden or aren't actually installed.
-#
-
-[INCLUDES]
-
-# overwrite with apache-common.local if _apache_error_client is incorrect.
-# Load regexes for filtering from botsearch-common.conf
-before = apache-common.conf
-         botsearch-common.conf
-
-[Definition]
-
-prefregex = ^%(_apache_error_client)s (?:AH\d+: )?<F-CONTENT>.+</F-CONTENT>$
-
-failregex = ^(?:File does not exist|script not found or unable to stat): <webroot><block>(, referer: \S+)?\s*$
-            ^script '<webroot><block>' not found or unable to stat(, referer: \S+)?\s*$
-
-ignoreregex = 
-
-# Webroot represents the webroot on which all other files are based
-webroot = /var/www/
-
-
-# DEV Notes:
-#
-# Author: Daniel Black
diff --git a/fail2ban/filter.d/apache-common.conf b/fail2ban/filter.d/apache-common.conf
deleted file mode 100644
index 6577fe7..0000000
--- a/fail2ban/filter.d/apache-common.conf
+++ /dev/null
@@ -1,44 +0,0 @@
-# Generic configuration items (to be used as interpolations) in other
-# apache filters.
-
-[INCLUDES]
-
-before = common.conf
-# Load customizations if any available
-after = apache-common.local
-
-[DEFAULT]
-
-# Apache logging mode:
-#   all - universal prefix (logfile, syslog)
-#   logfile - logfile only
-#   syslog - syslog only
-# Use `filter = apache-auth[logging=syslog]` to get more precise regex if apache logs into syslog (ErrorLog syslog).
-# Use `filter = apache-auth[logging=all]` to get universal regex matches both logging variants.
-logging = logfile
-
-# Apache logging prefixes (date-pattern prefix, server, process etc.):
-apache-prefix-syslog = %(__prefix_line)s
-apache-prefix-logfile = \[\]\s
-apache-prefix-all = (?:%(apache-prefix-logfile)s|%(apache-prefix-syslog)s)?
-
-# Setting for __prefix_line (only `logging=syslog`):
-_daemon = (?:apache\d*|httpd(?:/\w+)?)
-
-apache-prefix = <apache-prefix-<logging>>
-
-apache-pref-ignore =
-
-_apache_error_client = <apache-prefix>\[(:?error|<apache-pref-ignore>\S+:\S+)\]( \[pid \d+(:\S+ \d+)?\])? \[client <HOST>(:\d{1,5})?\]
-
-datepattern = {^LN-BEG}
-
-# Common prefix for [error] apache messages which also would include <HOST>
-# Depending on the version it could be
-# 2.2: [Sat Jun 01 11:23:08 2013] [error] [client 1.2.3.4]
-# 2.4: [Thu Jun 27 11:55:44.569531 2013] [core:info] [pid 4101:tid 2992634688] [client 1.2.3.4:46652]
-# 2.4 (perfork): [Mon Dec 23 07:49:01.981912 2013] [:error] [pid 3790] [client 204.232.202.107:46301] script '/var/www/timthumb.php' not found or unable to 
-#
-# Reference: https://github.com/fail2ban/fail2ban/issues/268
-#
-# Author: Yaroslav Halchenko
diff --git a/fail2ban/filter.d/apache-fakegooglebot.conf b/fail2ban/filter.d/apache-fakegooglebot.conf
deleted file mode 100644
index 729410a..0000000
--- a/fail2ban/filter.d/apache-fakegooglebot.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# Fail2Ban filter for fake Googlebot User Agents
-
-[Definition]
-
-failregex = ^<HOST> .*Googlebot.*$
-
-ignoreregex =
-
-datepattern = ^[^\[]*\[({DATE})
-              {^LN-BEG}
-
-# DEV Notes:
-#
-# Author: Lee Clemens
-# Thanks: Johannes B. Ullrich, Ph.D.
-# Reference: https://isc.sans.edu/forums/diary/When+Google+isnt+Google/15968/
diff --git a/fail2ban/filter.d/apache-modsecurity.conf b/fail2ban/filter.d/apache-modsecurity.conf
deleted file mode 100644
index f7600ac..0000000
--- a/fail2ban/filter.d/apache-modsecurity.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# Fail2Ban apache-modsec filter
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# apache-common.local
-before = apache-common.conf
-
-[Definition]
-
-
-failregex = ^%(_apache_error_client)s(?: \[client [^\]]+\])? ModSecurity:\s+(?:\[(?:\w+ \"[^\"]*\"|[^\]]*)\]\s*)*Access denied with code [45]\d\d
-
-ignoreregex = 
-
-# https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-2-Data-Formats
-# Author: Daniel Black
-#         Sergey G. Brester aka sebres (review, optimization)
diff --git a/fail2ban/filter.d/apache-nohome.conf b/fail2ban/filter.d/apache-nohome.conf
deleted file mode 100644
index 358d6d3..0000000
--- a/fail2ban/filter.d/apache-nohome.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# Fail2Ban filter to web requests for home directories on Apache servers
-#
-# Regex to match failures to find a home directory on a server, which
-# became popular last days. Most often attacker just uses IP instead of
-# domain name -- so expect to see them in generic error.log if you have
-# per-domain log files.
-
-[INCLUDES]
-
-# overwrite with apache-common.local if _apache_error_client is incorrect.
-before = apache-common.conf
-
-[Definition]
-
-
-failregex = ^%(_apache_error_client)s (AH00128: )?File does not exist: .*/~.*
-
-ignoreregex = 
-
-# Author: Yaroslav O. Halchenko <debian@onerussian.com>
diff --git a/fail2ban/filter.d/apache-noscript.conf b/fail2ban/filter.d/apache-noscript.conf
deleted file mode 100644
index dd9452a..0000000
--- a/fail2ban/filter.d/apache-noscript.conf
+++ /dev/null
@@ -1,37 +0,0 @@
-# Fail2Ban filter to block web requests for scripts (on non scripted websites)
-#
-# This matches many types of scripts that don't exist. This could generate a
-# lot of false positive matches in cases like wikis and forums where users
-# no affiliated with the website can insert links to missing files/scripts into
-# pages and cause non-malicious browsers of the site to trigger against this
-# filter.
-#
-# If you'd like to match specific URLs that don't exist see the
-# apache-botsearch filter.
-#
-
-[INCLUDES]
-
-# overwrite with apache-common.local if _apache_error_client is incorrect.
-before = apache-common.conf
-
-[Definition]
-
-script = /\S*(?:php(?:[45]|[.-]cgi)?|\.asp|\.exe|\.pl|\bcgi-bin/)
-
-prefregex = ^%(_apache_error_client)s (?:AH0(?:01(?:28|30)|1(?:264|071)|2811): )?(?:(?:[Ff]ile|script|[Gg]ot) )<F-CONTENT>.+</F-CONTENT>$
-
-failregex = ^(?:does not exist|not found or unable to stat): <script>\b
-            ^'<script>\S*' not found or unable to stat
-            ^error '[Pp]rimary script unknown(?:\\n)?'
-
-ignoreregex = 
-
-
-# DEV Notes:
-#
-# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
-#
-# Second regex, script '/\S*(\.php|\.asp|\.exe|\.pl)\S*' not found or unable to stat\s*$ is in httpd-2.2
-#
-# Author: Cyril Jaquier
diff --git a/fail2ban/filter.d/apache-overflows.conf b/fail2ban/filter.d/apache-overflows.conf
deleted file mode 100644
index 02a2ef2..0000000
--- a/fail2ban/filter.d/apache-overflows.conf
+++ /dev/null
@@ -1,40 +0,0 @@
-# Fail2Ban filter to block web requests on a long or suspicious nature
-#
-
-[INCLUDES]
-
-# overwrite with apache-common.local if _apache_error_client is incorrect.
-before = apache-common.conf
-
-[Definition]
-
-failregex = ^%(_apache_error_client)s (?:(?:AH0013[456]: )?Invalid (method|URI) in request\b|(?:AH00565: )?request failed: URI too long \(longer than \d+\)|request failed: erroneous characters after protocol string:|(?:AH00566: )?request failed: invalid characters in URI\b)
-
-ignoreregex =
-
-# DEV Notes:
-#
-# [sebres] Because this apache-log could contain very long URLs (and/or referrer), 
-#          the parsing of it anchored way may be very vulnerable (at least as regards 
-#          the system resources, see gh-1790). Thus rewritten without end-anchor ($).
-# 
-# fgrep -r 'URI too long' httpd-2.*
-#   httpd-2.2.25/server/protocol.c:                          "request failed: URI too long (longer than %d)", r->server->limit_req_line);
-#   httpd-2.4.4/server/protocol.c:                              "request failed: URI too long (longer than %d)",
-#
-# fgrep -r 'in request' ../httpd-2.* | fgrep Invalid
-#   httpd-2.2.25/server/core.c:                     "Invalid URI in request %s", r->the_request);
-#   httpd-2.2.25/server/core.c:                          "Invalid method in request %s", r->the_request);
-#   httpd-2.2.25/docs/manual/rewrite/flags.html.fr:avertissements 'Invalid URI in request'.
-#   httpd-2.4.4/server/core.c:                     "Invalid URI in request %s", r->the_request);
-#   httpd-2.4.4/server/core.c:                              "Invalid method in request %s - possible attempt to establish SSL connection on non-SSL port", r->the_request);
-#   httpd-2.4.4/server/core.c:                              "Invalid method in request %s", r->the_request);
-#
-# fgrep -r 'invalid characters in URI' httpd-2.*
-#   httpd-2.4.4/server/protocol.c:                              "request failed: invalid characters in URI");
-#
-# http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?r1=739382&r2=739620&pathrev=739620
-#   ...possible attempt to establish SSL connection on non-SSL port
-#
-# https://wiki.apache.org/httpd/ListOfErrors
-# Author: Tim Connors
diff --git a/fail2ban/filter.d/apache-pass.conf b/fail2ban/filter.d/apache-pass.conf
deleted file mode 100644
index 3cab87b..0000000
--- a/fail2ban/filter.d/apache-pass.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# Fail2Ban Apache pass filter
-# This filter is for access.log, NOT for error.log
-#
-# The knocking request must have a referer.
-
-[Definition]
-
-failregex = ^<HOST> - \w+ \[\] "GET <knocking_url> HTTP/1\.[01]" 200 \d+ ".*" "[^-].*"$
-
-ignoreregex =
-
-datepattern = ^[^\[]*\[({DATE})
-              {^LN-BEG}
-
-[Init]
-
-knocking_url = /knocking/
-
-# Author: Viktor Szépe
diff --git a/fail2ban/filter.d/apache-shellshock.conf b/fail2ban/filter.d/apache-shellshock.conf
deleted file mode 100644
index 55c17c8..0000000
--- a/fail2ban/filter.d/apache-shellshock.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# Fail2Ban filter to block web requests containing custom headers attempting to exploit the shellshock bug
-#
-#
-
-[INCLUDES]
-
-# overwrite with apache-common.local if _apache_error_client is incorrect.
-before = apache-common.conf
-
-[Definition]
-
-prefregex = ^%(_apache_error_client)s (AH01215: )?/bin/([bd]a)?sh: <F-CONTENT>.+</F-CONTENT>$
-
-failregex = ^warning: HTTP_[^:]+: ignoring function definition attempt(, referer: \S+)?\s*$
-            ^error importing function definition for `HTTP_[^']+'(, referer: \S+)?\s*$
-
-ignoreregex = 
-
-
-# DEV Notes:
-#
-# https://wiki.apache.org/httpd/ListOfErrors for apache error IDs
-#
-# example log lines: 
-# [Thu Sep 25 09:27:18.813902 2014] [cgi:error] [pid 16860] [client 89.207.132.76:59635] AH01215: /bin/bash: warning: HTTP_TEST: ignoring function definition attempt
-# [Thu Sep 25 09:29:56.141832 2014] [cgi:error] [pid 16864] [client 162.247.73.206:41273] AH01215: /bin/bash: error importing function definition for `HTTP_TEST'
-#
-# Author: Eugene Hopkinson (e.hopkinson@gmail.com)
diff --git a/fail2ban/filter.d/assp.conf b/fail2ban/filter.d/assp.conf
deleted file mode 100644
index 9837f71..0000000
--- a/fail2ban/filter.d/assp.conf
+++ /dev/null
@@ -1,46 +0,0 @@
-# Fail2Ban filter for Anti-Spam SMTP Proxy Server (ASSP)
-#    Filter works in theory for both ASSP V1 and V2. Recommended ASSP is V2.5.1 or later.
-#    Support for ASSP V1 ended in 2014 so if you are still running ASSP V1 an immediate upgrade is recommended.
-#
-#    Homepage:    http://sourceforge.net/projects/assp/
-#    ProjectSite: http://sourceforge.net/projects/assp/?source=directory
-#
-#
-
-[Definition] 
-# Note: First three failregex matches below are for ASSP V1 with the remaining being designed for V2. Deleting the V1 regex is recommended but I left it in for compatibility reasons.
-
-__assp_actions = (?:dropping|refusing)
-
-failregex = ^(:? \[SSL-out\])? <HOST> max sender authentication errors \(\d{,3}\) exceeded -- %(__assp_actions)s connection - after reply: \d{3} \d{1}\.\d{1}.\d{1} Error: authentication failed: \w+;$
-			^(?: \[SSL-out\])? <HOST> SSL negotiation with client failed: SSL accept attempt failed with unknown error.*:unknown protocol;$
-			^ Blocking <HOST> - too much AUTH errors \(\d{,3}\);$
-			^\s*(?:[\w\-]+\s+)*(?:\[\S+\]\s+)*<HOST> (?:\<\S+@\S+\.\S+\> )*(?:to: \S+@\S+\.\S+ )*relay attempt blocked for(?: \(parsing\))?: \S+$
-			^\s*(?:[\w\-]+\s+)*(?:\[\S+\]\s+)*<HOST> \[SMTP Error\] 535 5\.7\.8 Error: authentication failed:\s+(?:\S+|Connection lost to authentication server|Invalid authentication mechanism|Invalid base64 data in continued response)?$
-
-ignoreregex = 
-
-datepattern = {^LN-BEG}%%b-%%d-%%Exy %%H:%%M:%%S
-              {^LN-BEG}
-
-# DEV Notes:
-# V1 Examples matches:
-#   Apr-27-13 02:33:09 Blocking 217.194.197.97 - too much AUTH errors (41);
-#   Dec-29-12 17:10:31 [SSL-out] 200.247.87.82 SSL negotiation with client failed: SSL accept attempt failed with unknown errorerror:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol;
-#   Dec-30-12 04:01:47 [SSL-out] 81.82.232.66 max sender authentication errors (5) exceeded 
-#
-# V2 Examples matches:
-#   Jul-29-16 16:49:52 m1-25391-06124 [Worker_1] [TLS-out] [RelayAttempt] 0.0.0.0 <user@example.com> to: user@example.org relay attempt blocked for: someone@example.org
-#   Jul-30-16 16:59:42 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
-#   Jul-30-16 00:15:36 m1-52131-09651 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
-#   Jul-31-16 06:45:59 [Worker_1] [TLS-in] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed:
-#   Jan-05-16 08:38:49 m1-01129-09140 [Worker_1] [TLS-in] [TLS-out] [RelayAttempt] 0.0.0.0 <user@example.com> relay attempt blocked for (parsing): <user2@example>
-#   Jun-12-16 16:43:37 m1-64217-12013 [Worker_1] [TLS-in] [TLS-out] [RelayAttempt] 0.0.0.0 <user@example.com> to: user2@example.com relay attempt blocked for (parsing): <a.notheruser69@example.c>
-#   Jan-22-16 22:25:51 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Invalid authentication mechanism
-#   Mar-19-16 13:42:20 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Invalid base64 data in continued response
-#   Jul-18-16 16:54:21 [Worker_2] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Connection lost to authentication server
-#   Jul-18-16 17:14:23 m1-76453-02949 [Worker_1] [TLS-out] 0.0.0.0 [SMTP Error] 535 5.7.8 Error: authentication failed: Connection lost to authentication server
-
-#
-# Author: Enrico Labedzki (enrico.labedzki@deiwos.de)
-# V2 Filters: Robert Hardy (rhardy@webcon.ca)
diff --git a/fail2ban/filter.d/asterisk.conf b/fail2ban/filter.d/asterisk.conf
deleted file mode 100644
index 6847249..0000000
--- a/fail2ban/filter.d/asterisk.conf
+++ /dev/null
@@ -1,55 +0,0 @@
-# Fail2Ban filter for asterisk authentication failures
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-[Definition]
-
-_daemon = asterisk
-
-__pid_re = (?:\s*\[\d+\])
-
-iso8601 = \d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}
-
-# All Asterisk log messages begin like this:
-log_prefix= (?:NOTICE|SECURITY|WARNING)%(__pid_re)s:?(?:\[C-[\da-f]*\])?:? [^:]+:\d*(?:(?: in)? [^:]+:)?
-
-prefregex = ^%(__prefix_line)s%(log_prefix)s <F-CONTENT>.+</F-CONTENT>$
-
-failregex = ^Registration from '[^']*' failed for '<HOST>(:\d+)?' - (?:Wrong password|Username/auth name mismatch|No matching peer found|Not a local domain|Device does not match ACL|Peer is not supposed to register|ACL error \(permit/deny\)|Not a local domain)$
-            ^Call from '[^']*' \(<HOST>:\d+\) to extension '[^']*' rejected because extension not found in context
-            ^(?:Host )?<HOST> (?:failed (?:to authenticate\b|MD5 authentication\b)|tried to authenticate with nonexistent user\b)
-            ^No registration for peer '[^']*' \(from <HOST>\)$
-            ^hacking attempt detected '<HOST>'$
-            ^SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)"(?:(?:,(?!RemoteAddress=)\w+="[^"]*")*|.*?),RemoteAddress="IPV[46]/[^/"]+/<HOST>/\d+"(?:,(?!RemoteAddress=)\w+="[^"]*")*$
-            ^"Rejecting unknown SIP connection from <HOST>(?::\d+)?"$
-            ^Request (?:'[^']*' )?from '(?:[^']*|.*?)' failed for '<HOST>(?::\d+)?'\s\(callid: [^\)]*\) - (?:No matching endpoint found|Not match Endpoint(?: Contact)? ACL|(?:Failed|Error) to authenticate)\s*$
-
-# FreePBX (todo: make optional in v.0.10):
-#            ^(%(__prefix_line)s|\[\]\s*WARNING%(__pid_re)s:?(?:\[C-[\da-f]*\])? )[^:]+: Friendly Scanner from <HOST>$
-
-ignoreregex =
-
-datepattern = {^LN-BEG}
-
-# Author: Xavier Devlamynck / Daniel Black
-#
-# General log format - main/logger.c:ast_log
-# Address format - ast_sockaddr_stringify
-#
-# First regex: channels/chan_sip.c
-#
-# main/logger.c:ast_log_vsyslog - "in {functionname}:" only occurs in syslog
-
-journalmatch = _SYSTEMD_UNIT=asterisk.service
-
-
-[lt_journal]
-
-# asterisk can log timestamp if logs into systemd-journal (optional part matching this timestamp, gh-2383):
-__extra_timestamp = (?:\[[^\]]+\]\s+)?
-__prefix_line = %(known/__prefix_line)s%(__extra_timestamp)s
diff --git a/fail2ban/filter.d/bitwarden.conf b/fail2ban/filter.d/bitwarden.conf
deleted file mode 100644
index b0651c8..0000000
--- a/fail2ban/filter.d/bitwarden.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# Fail2Ban filter for Bitwarden
-# Detecting failed login attempts
-# Logged in bwdata/logs/identity/Identity/log.txt
-
-[INCLUDES]
-before = common.conf
-
-[Definition]
-_daemon = Bitwarden-Identity
-failregex = ^%(__prefix_line)s\s*\[(?:W(?:RN|arning)|Bit\.Core\.[^\]]+)\]\s+Failed login attempt(?:, 2FA invalid)?\. <ADDR>$
-
-# DEV Notes:
-# __prefix_line can result to an empty string, so it can support syslog and non-syslog at once.
diff --git a/fail2ban/filter.d/botsearch-common.conf b/fail2ban/filter.d/botsearch-common.conf
deleted file mode 100644
index 6052fab..0000000
--- a/fail2ban/filter.d/botsearch-common.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# Generic configuration file for -botsearch filters
-
-[Init]
-
-# Block is the actual non-found directories to block
-block = \/?(<webmail>|<phpmyadmin>|<wordpress>|cgi-bin|mysqladmin)[^,]*
-
-# These are just convenient definitions that assist the blocking of stuff that 
-# isn't installed
-webmail = roundcube|(ext)?mail|horde|(v-?)?webmail
-
-phpmyadmin = (typo3/|xampp/|admin/|)(pma|(php)?[Mm]y[Aa]dmin)
-
-wordpress = wp-(login|signup|admin)\.php
-
-# DEV Notes:
-# Taken from apache-botsearch filter
-# 
-# Author: Frantisek Sumsal
diff --git a/fail2ban/filter.d/centreon.conf b/fail2ban/filter.d/centreon.conf
deleted file mode 100644
index fd3c848..0000000
--- a/fail2ban/filter.d/centreon.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# Fail2Ban filter for Centreon Web
-# Detecting unauthorized access to the Centreon Web portal
-# typically logged in /var/log/centreon/login.log
-
-[Init]
-datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
-
-[Definition]
-failregex = ^(?:\|-?\d+){3}\|\[[^\]]*\] \[<HOST>\] Authentication failed for '<F-USER>[^']+</F-USER>'
diff --git a/fail2ban/filter.d/common.conf b/fail2ban/filter.d/common.conf
deleted file mode 100644
index 1328603..0000000
--- a/fail2ban/filter.d/common.conf
+++ /dev/null
@@ -1,89 +0,0 @@
-# Generic configuration items (to be used as interpolations) in other
-# filters  or actions configurations
-#
-
-[INCLUDES]
-
-# Load customizations if any available
-after = common.local
-
-
-[DEFAULT]
-
-# Type of log-file resp. log-format (file, short, journal, rfc542):
-logtype = file
-
-# Daemon definition is to be specialized (if needed) in .conf file
-_daemon = \S*
-
-#
-# Shortcuts for easier comprehension of the failregex
-#
-# PID.
-# EXAMPLES: [123]
-__pid_re = (?:\[\d+\])
-
-# Daemon name (with optional source_file:line or whatever)
-# EXAMPLES: pam_rhosts_auth, [sshd], pop(pam_unix)
-__daemon_re = [\[\(]?<_daemon>(?:\(\S+\))?[\]\)]?:?
-
-# extra daemon info
-# EXAMPLE: [ID 800047 auth.info]
-__daemon_extra_re = \[ID \d+ \S+\]
-
-# Combinations of daemon name and PID
-# EXAMPLES: sshd[31607], pop(pam_unix)[4920]
-__daemon_combs_re = (?:<__pid_re>?:\s+<__daemon_re>|<__daemon_re><__pid_re>?:?)
-
-# Some messages have a kernel prefix with a timestamp
-# EXAMPLES: kernel: [769570.846956]
-__kernel_prefix = kernel:\s?\[ *\d+\.\d+\]:?
-
-__hostname = \S+
-
-# A MD5 hex
-# EXAMPLES: 07:06:27:55:b0:e3:0c:3c:5a:28:2d:7c:7e:4c:77:5f
-__md5hex = (?:[\da-f]{2}:){15}[\da-f]{2}
-
-# bsdverbose is where syslogd is started with -v or -vv and results in <4.3> or
-# <auth.info> appearing before the host as per testcases/files/logs/bsd/*.
-__bsd_syslog_verbose = <[^.]+\.[^.]+>
-
-__vserver = @vserver_\S+
-
-__date_ambit = (?:\[\])
-
-# Common line prefixes (beginnings) which could be used in filters
-#
-#      [bsdverbose]? [hostname] [vserver tag] daemon_id spaces
-#
-# This can be optional (for instance if we match named native log files)
-__prefix_line = <lt_<logtype>/__prefix_line>
-
-# PAM authentication mechanism check for failures, e.g.: pam_unix, pam_sss,
-# pam_ldap
-__pam_auth = pam_unix
-
-# standardly all formats using prefix have line-begin anchored date:
-datepattern = <lt_<logtype>/datepattern>
-
-[lt_file]
-# Common line prefixes for logtype "file":
-__prefix_line = <__date_ambit>?\s*(?:<__bsd_syslog_verbose>\s+)?(?:<__hostname>\s+)?(?:<__kernel_prefix>\s+)?(?:<__vserver>\s+)?(?:<__daemon_combs_re>\s+)?(?:<__daemon_extra_re>\s+)?
-datepattern = {^LN-BEG}
-
-[lt_short]
-# Common (short) line prefix for logtype "journal" (corresponds output of formatJournalEntry):
-__prefix_line = \s*(?:<__hostname>\s+)?(?:<_daemon><__pid_re>?:?\s+)?(?:<__kernel_prefix>\s+)?
-datepattern = %(lt_file/datepattern)s
-[lt_journal]
-__prefix_line = %(lt_short/__prefix_line)s
-datepattern = %(lt_short/datepattern)s
-
-[lt_rfc5424]
-# RFC 5424 log-format, see gh-2309:
-#__prefix_line = \s*<__hostname> <__daemon_re> \d+ \S+ \S+\s+
-__prefix_line = \s*<__hostname> <__daemon_re> \d+ \S+ (?:[^\[\]\s]+|(?:\[(?:[^\]"]*|"[^"]*")*\])+)\s+
-datepattern = ^<\d+>\d+\s+{DATE}
-
-# Author: Yaroslav Halchenko, Sergey G. Brester (aka sebres)
diff --git a/fail2ban/filter.d/counter-strike.conf b/fail2ban/filter.d/counter-strike.conf
deleted file mode 100644
index 294927b..0000000
--- a/fail2ban/filter.d/counter-strike.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# Fail2Ban filter for failure attempts in Counter Strike-1.6
-#
-#
-
-[Definition]
-
-failregex = ^: Bad Rcon: "rcon \d+ "\S+"  sv_contact ".*?"" from "<HOST>:\d+"$
-
-ignoreregex =
-
-datepattern = ^L %%d/%%m/%%Y - %%H:%%M:%%S
-
-
-# Author: Daniel Black
-
diff --git a/fail2ban/filter.d/courier-auth.conf b/fail2ban/filter.d/courier-auth.conf
deleted file mode 100644
index 1ac3373..0000000
--- a/fail2ban/filter.d/courier-auth.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Fail2Ban filter for courier authentication failures
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-[Definition]
-
-_daemon = (?:courier)?(?:imapd?|pop3d?)(?:login)?(?:-ssl)?
-
-failregex = ^%(__prefix_line)sLOGIN FAILED, (?:user|method)=.*, ip=\[<HOST>\]$
-
-ignoreregex = 
-
-datepattern = {^LN-BEG}
-
-# Author: Christoph Haas
-# Modified by: Cyril Jaquier
diff --git a/fail2ban/filter.d/courier-smtp.conf b/fail2ban/filter.d/courier-smtp.conf
deleted file mode 100644
index 4b2b8d8..0000000
--- a/fail2ban/filter.d/courier-smtp.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Fail2Ban filter to block relay attempts though a Courier smtp server
-#
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-[Definition]
-
-_daemon = courieresmtpd
-
-prefregex = ^%(__prefix_line)serror,relay=<HOST>,(?:port=\d+,)?<F-CONTENT>.+</F-CONTENT>$
-
-failregex = ^[^:]*: 550 User (<.*> )?unknown\.?$
-            ^msg="535 Authentication failed\.",cmd:( AUTH \S+)?( [0-9a-zA-Z\+/=]+)?(?: \S+)$
-
-ignoreregex = 
-
-# Author: Cyril Jaquier
diff --git a/fail2ban/filter.d/cyrus-imap.conf b/fail2ban/filter.d/cyrus-imap.conf
deleted file mode 100644
index 31dfda6..0000000
--- a/fail2ban/filter.d/cyrus-imap.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# Fail2Ban filter for authentication failures on Cyrus imap server
-#
-#
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-[Definition]
-
-_daemon = (?:cyrus/)?(?:imap(d|s)?|pop3(d|s)?)
-
-failregex = ^%(__prefix_line)sbadlogin: [^\[]*\[<HOST>\] \S+ .*?\[?SASL\(-13\): (authentication failure|user not found): .*\]?$
-
-ignoreregex = 
-
-# Author: Jan Wagner <waja@cyconet.org>
diff --git a/fail2ban/filter.d/directadmin.conf b/fail2ban/filter.d/directadmin.conf
deleted file mode 100644
index 87c7802..0000000
--- a/fail2ban/filter.d/directadmin.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Fail2Ban configuration file for Directadmin
-#
-#
-#
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-failregex = ^: \'<HOST>\' \d{1,3} failed login attempt(s)?. \s*
-
-ignoreregex = 
-
-datepattern = ^%%Y:%%m:%%d-%%H:%%M:%%S
-
-#
-# Requires Directadmin v1.45.3 or higher. http://www.directadmin.com/features.php?id=1590
-#
-# Author: Cyril Roos
-
diff --git a/fail2ban/filter.d/domino-smtp.conf b/fail2ban/filter.d/domino-smtp.conf
deleted file mode 100644
index 638cd7c..0000000
--- a/fail2ban/filter.d/domino-smtp.conf
+++ /dev/null
@@ -1,50 +0,0 @@
-# Fail2Ban configuration file for IBM Domino SMTP Server TASK to detect failed login attempts
-#
-# Author: Christian Brandlehner
-#
-# $Revision: 003 $
-#
-# Configuration:
-# Set the following Domino Server parameters in notes.ini:
-#       console_log_enabled=1
-#       log_sessions=2
-# You also have to use a date and time format supported by fail2ban. Recommended notes.ini configuration is:
-#       DateOrder=DMY
-#       DateSeparator=-
-#       ClockType=24_Hour
-#       TimeSeparator=:
-#
-# Depending on your locale you might have to tweak the date and time format so fail2ban can read the log
-
-#[INCLUDES]
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-#before = common.conf
-
-[Definition]
-# Option:  failregex
-# Notes.:  regex to match the password failure messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>\S+)
-# Values:  TEXT
-#
-# Sample log entries (used different time formats and an extra sample with process info in front of date)
-# 01-23-2009 19:54:51   SMTP Server: Authentication failed for user postmaster ; connecting host 1.2.3.4
-# [28325:00010-3735542592] 22-06-2014 09:56:12   smtp: postmaster [1.2.3.4] authentication failure using internet password
-# 08-09-2014 06:14:27   smtp: postmaster [1.2.3.4] authentication failure using internet password
-# 08-09-2014 06:14:27   SMTP Server: Authentication failed for user postmaster ; connecting host 1.2.3.4
-
-__prefix = (?:\[[^\]]+\])?\s*
-__opt_data = (?::|\s+\[[^\]]+\])
-failregex = ^%(__prefix)sSMTP Server%(__opt_data)s Authentication failed for user .*? \; connecting host \[?<HOST>\]?$
-            ^%(__prefix)ssmtp: (?:[^\[]+ )*\[?<HOST>\]? authentication failure using internet password\s*$
-            ^%(__prefix)sSMTP Server%(__opt_data)s Connection from \[?<HOST>\]? rejected for policy reasons\.
-
-# Option:  ignoreregex
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-# Values:  TEXT
-#
-
-ignoreregex =
-
diff --git a/fail2ban/filter.d/dovecot.conf b/fail2ban/filter.d/dovecot.conf.rpmsave
similarity index 100%
rename from fail2ban/filter.d/dovecot.conf
rename to fail2ban/filter.d/dovecot.conf.rpmsave
diff --git a/fail2ban/filter.d/dropbear.conf b/fail2ban/filter.d/dropbear.conf
deleted file mode 100644
index 930bb12..0000000
--- a/fail2ban/filter.d/dropbear.conf
+++ /dev/null
@@ -1,50 +0,0 @@
-# Fail2Ban filter for dropbear
-#
-# NOTE: The regex below is ONLY intended to work with a patched
-# version of Dropbear as described here:
-# http://www.unchartedbackwaters.co.uk/pyblosxom/static/patches
-#            ^%(__prefix_line)sexit before auth from <HOST>.*\s*$
-#
-# The standard Dropbear output doesn't provide enough information to
-# ban all types of attack.  The Dropbear patch adds IP address
-# information to the 'exit before auth' message which is always
-# produced for any form of non-successful login. It is that message
-# which this file matches.
-#
-# More information: http://bugs.debian.org/546913
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-[Definition]
-
-_daemon = dropbear
-
-prefregex = ^%(__prefix_line)s<F-CONTENT>(?:[Ll]ogin|[Bb]ad|[Ee]xit).+</F-CONTENT>$
-
-failregex = ^[Ll]ogin attempt for nonexistent user ('.*' )?from <HOST>:\d+$
-            ^[Bb]ad (PAM )?password attempt for .+ from <HOST>(:\d+)?$
-            ^[Ee]xit before auth \(user '.+', \d+ fails\): Max auth tries reached - user '.+' from <HOST>:\d+\s*$
-
-ignoreregex = 
-
-# DEV Notes:
-#
-# The first two regexs here match the unmodified dropbear messages. It isn't
-# possible to match the source of the 'exit before auth' messages from dropbear
-# as they don't include the "from <HOST>" bit.
-#
-# The second last failregex line we need to match with the modified dropbear.
-#
-# For the second regex the following apply:
-#
-# http://www.netmite.com/android/mydroid/external/dropbear/svr-authpam.c
-# http://svn.dd-wrt.com/changeset/16642#file64
-#
-# http://svn.dd-wrt.com/changeset/16642/src/router/dropbear/svr-authpasswd.c
-#
-# Author: Francis Russell
-#         Zak B. Elep
diff --git a/fail2ban/filter.d/drupal-auth.conf b/fail2ban/filter.d/drupal-auth.conf
deleted file mode 100644
index b60abe3..0000000
--- a/fail2ban/filter.d/drupal-auth.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# Fail2Ban filter to block repeated failed login attempts to Drupal site(s)
-#
-#
-# Drupal must be setup to use Syslog, which defaults to the following format:
-#
-#   !base_url|!timestamp|!type|!ip|!request_uri|!referer|!uid|!link|!message
-#
-#
-
-[INCLUDES]
-
-before = common.conf
-
-
-[Definition]
-
-failregex = ^%(__prefix_line)s(https?:\/\/)([\da-z\.-]+)\.([a-z\.]{2,6})(\/[\w\.-]+)*\|\d{10}\|user\|<HOST>\|.+\|.+\|\d\|.*\|Login attempt failed for .+\.$
-
-ignoreregex =
-
-
-# DEV Notes:
-#
-# https://www.drupal.org/documentation/modules/syslog
-#
-# Author: Lee Clemens
diff --git a/fail2ban/filter.d/ejabberd-auth.conf b/fail2ban/filter.d/ejabberd-auth.conf
deleted file mode 100644
index 48e82df..0000000
--- a/fail2ban/filter.d/ejabberd-auth.conf
+++ /dev/null
@@ -1,40 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Steven Hiscocks
-#
-#
-
-[Definition]
-
-# Option:  failregex
-# Notes.:  regex to match the password failures messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-#          Multiline regexs should use tag "<SKIPLINES>" to separate lines.
-#          This allows lines between the matching lines to continue to be
-#          searched for other failures. This tag can be used multiple times.
-# Values:  TEXT
-#
-failregex = ^=INFO REPORT====  ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for \S+ from (?:IP )?<HOST>(?: \({{(?:\d+,){3}\d+},\d+}\))?$
-            ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:\w+:\d+ \([^\)]+\) Failed (?:c2s \w+ )?authentication for \S+ from (?:IP )?(?:::FFFF:)?<HOST>(?:: |$)
-
-# Option:  ignoreregex
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-# Values:  TEXT
-#
-ignoreregex = 
-
-# "maxlines" is number of log lines to buffer for multi-line regex searches
-maxlines = 2
-
-# Option:  journalmatch
-# Notes.:  systemd journalctl style match filter for journal based backend
-# Values:  TEXT
-#
-journalmatch = 
-
-#datepattern = ^(?:=[^=]+={3,} )?({DATE})
-# explicit time format using prefix =...==== and no date in second string begins with I(...)... 
-datepattern = ^(?:=[^=]+={3,} )?(%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?)
-              ^I\(()**
diff --git a/fail2ban/filter.d/exim-common.conf b/fail2ban/filter.d/exim-common.conf
deleted file mode 100644
index b3b2575..0000000
--- a/fail2ban/filter.d/exim-common.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-# Fail2Ban filter file for common exim expressions
-#
-# This is to be used by other exim filters
-
-[INCLUDES]
-
-# Load customizations if any available
-after = exim-common.local
-
-[Definition]
-
-host_info_pre = (?:H=([\w.-]+ )?(?:\(\S+\) )?)?
-host_info_suf = (?::\d+)?(?: I=\[\S+\](:\d+)?)?(?: U=\S+)?(?: P=e?smtp)?(?: F=(?:<>|[^@]+@\S+))?\s
-host_info = %(host_info_pre)s\[<HOST>\]%(host_info_suf)s
-pid = (?: \[\d+\])?
-
-# DEV Notes:
-# From exim source code: ./src/receive.c:add_host_info_for_log
-#
-# Author:  Daniel Black
diff --git a/fail2ban/filter.d/exim-spam.conf b/fail2ban/filter.d/exim-spam.conf
deleted file mode 100644
index 733c884..0000000
--- a/fail2ban/filter.d/exim-spam.conf
+++ /dev/null
@@ -1,50 +0,0 @@
-# Fail2Ban filter for exim the spam rejection messages
-#
-# Honeypot traps are very useful for fighting spam. You just activate an email
-# address on your domain that you do not intend to use at all, and that normal
-# people do not risk to try for contacting you. It may be something that 
-# spammers often test. You can also hide the address on a web page to be picked
-# by spam spiders. Or simply parse your mail logs for an invalid address 
-# already being frequently targeted by spammers. Enable the address and 
-# redirect it to the blackhole. In Exim's alias file, you would add the 
-# following line (assuming the address is honeypot@yourdomain.com):
-#
-# honeypot:  :blackhole:
-#
-# For the SA: Action: silently tossed message... to be logged exim's SAdevnull option needs to be used.
-#
-# To this filter use the jail.local should contain in the right jail:
-#
-# filter = exim-spam[honeypot=honeypot@yourdomain.com]
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# exim-common.local
-before = exim-common.conf
-
-[Definition]
-
-failregex =  ^%(pid)s \S+ F=(<>|\S+@\S+) %(host_info)srejected by local_scan\(\): .{0,256}$
-             ^%(pid)s %(host_info)sF=(<>|[^@]+@\S+) rejected RCPT [^@]+@\S+: .*dnsbl.*\s*$
-             ^%(pid)s \S+ %(host_info)sF=(<>|[^@]+@\S+) rejected after DATA: This message contains a virus \(\S+\)\.\s*$
-             ^%(pid)s \S+ SA: Action: flagged as Spam but accepted: score=\d+\.\d+ required=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=\S+ \[<HOST>\]\) for <honeypot>$
-             ^%(pid)s \S+ SA: Action: silently tossed message: score=\d+\.\d+ required=\d+\.\d+ trigger=\d+\.\d+ \(scanned in \d+/\d+ secs \| Message-Id: \S+\)\. From \S+ \(host=(\S+ )?\[<HOST>\]\) for \S+$
-
-ignoreregex = 
-
-[Init]
-
-# Option:  honeypot
-# Notes.:  honeypot is an email address that isn't published anywhere that a
-#          legitimate email sender would send email too.
-# Values:  email address
-
-honeypot = trap@example.com
-
-# DEV Notes:
-# The %(host_info) defination contains a <HOST> match
-#
-# Author: Cyril Jaquier
-#         Daniel Black (rewrote with strong regexs)
diff --git a/fail2ban/filter.d/exim.conf b/fail2ban/filter.d/exim.conf
deleted file mode 100644
index 6a8c12c..0000000
--- a/fail2ban/filter.d/exim.conf
+++ /dev/null
@@ -1,54 +0,0 @@
-# Fail2Ban filter for exim
-#
-# This includes the rejection messages of exim. For spam and filter
-# related bans use the exim-spam.conf
-#
-
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# exim-common.local
-before = exim-common.conf
-
-[Definition]
-
-# Fre-filter via "prefregex" is currently inactive because of too different failure syntax in exim-log (testing needed):
-#prefregex = ^%(pid)s <F-CONTENT>\b(?:\w+ authenticator failed|([\w\-]+ )?SMTP (?:(?:call|connection) from|protocol(?: synchronization)? error)|no MAIL in|(?:%(host_info_pre)s\[[^\]]+\]%(host_info_suf)s(?:sender verify fail|rejected RCPT|dropped|AUTH command))).+</F-CONTENT>$
-
-failregex = ^%(pid)s %(host_info)ssender verify fail for <\S+>: (?:Unknown user|Unrouteable address|all relevant MX records point to non-existent hosts)\s*$
-            ^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
-            ^%(pid)s %(host_info)srejected RCPT [^@]+@\S+: (?:relay not permitted|Sender verify failed|Unknown user|Unrouteable address)\s*$
-            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
-            ^%(pid)s SMTP call from (?:[^\[\( ]* )?%(host_info)sdropped: too many (?:nonmail commands|syntax or protocol errors) \(last (?:command )?was "[^"]*"\)\s*$
-            ^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH command used when not advertised\s*$
-            ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
-            ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$
-            <mdre-<mode>>
-
-mdre-aggressive = ^%(pid)s no host name found for IP address <HOST>$
-                  ^%(pid)s no IP address found for host \S+ \(during SMTP connection from \[<HOST>\]\)$
-
-mdre-normal = 
-
-# Parameter `mode` - `normal` or `aggressive`.
-# Aggressive mode can be used to match flood and ddos-similar log-entries like:
-#   'no host found for IP', 'no IP found for host'.
-# Note this is not an authentication failures, so it may produce lots of false 
-# positives on misconfigured MTAs.
-# Ex.:
-#   filter = exim[mode=aggressive]
-mode = normal
-
-ignoreregex = 
-
-# DEV Notes:
-# The %(host_info) defination contains a <HOST> match
-#
-# SMTP protocol synchronization error \([^)]*\)  <- This needs to be non-greedy
-# to void capture beyond ")" to avoid a DoS Injection vulnerabilty as input= is
-# user injectable data.
-#
-# Author: Cyril Jaquier
-#         Daniel Black (rewrote with strong regexs)
-#         Martin O'Neal (added additional regexs to detect authentication failures, protocol errors, and drops)
diff --git a/fail2ban/filter.d/freeswitch.conf b/fail2ban/filter.d/freeswitch.conf
deleted file mode 100644
index 0fdcf1f..0000000
--- a/fail2ban/filter.d/freeswitch.conf
+++ /dev/null
@@ -1,58 +0,0 @@
-# Fail2Ban configuration file
-#
-# Enable "log-auth-failures" on each Sofia profile to monitor
-# <param name="log-auth-failures" value="true"/>
-# -- this requires a high enough loglevel on your logs to save these messages.
-#
-# In the fail2ban jail.local file for this filter set ignoreip to the internal
-# IP addresses on your LAN.
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-[Definition]
-
-_daemon = freeswitch
-
-# Parameter "mode": normal, ddos or extra (default, combines all)
-# Usage example (for jail.local):
-#   [freeswitch]
-#   mode = normal
-#   # or with rewrite filter parameters of jail:
-#   [freeswitch-ddos]
-#   filter = freeswitch[mode=ddos]
-#
-mode = extra
-              
-# Prefix contains common prefix line (server, daemon, etc.) and 2 datetimes if used systemd backend
-_pref_line = ^%(__prefix_line)s(?:(?:\d+-)?\d+-\d+ \d+:\d+:\d+\.\d+)?
-
-prefregex = ^%(_pref_line)s \[WARN(?:ING)?\](?: \[SOFIA\])? \[?sofia_reg\.c:\d+\]? <F-CONTENT>.+</F-CONTENT>$
-
-cmnfailre = ^Can't find user \[[^@]+@[^\]]+\] from <HOST>$
-
-mdre-normal = %(cmnfailre)s
-              ^SIP auth failure \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
-
-mdre-ddos   = ^SIP auth (?:failure|challenge) \((REGISTER|INVITE)\) on sofia profile \'[^']+\' for \[[^\]]*\] from ip <HOST>$
-
-mdre-extra  = %(cmnfailre)s
-              <mdre-ddos>
-
-failregex = <mdre-<mode>>
-
-ignoreregex =
-
-datepattern = ^(?:%%Y-)?%%m-%%d[ T]%%H:%%M:%%S(?:\.%%f)?
-              {^LN-BEG}
-
-# Author: Rupa SChomaker, soapee01, Daniel Black, Sergey Brester aka sebres
-# https://freeswitch.org/confluence/display/FREESWITCH/Fail2Ban
-# Thanks to Jim on mailing list of samples and guidance
-#
-# No need to match the following. Its a duplicate of the SIP auth regex.
-#  ^\.\d+ \[DEBUG\] sofia\.c:\d+ IP <HOST> Rejected by acl "\S+"\. Falling back to Digest auth\.$
diff --git a/fail2ban/filter.d/froxlor-auth.conf b/fail2ban/filter.d/froxlor-auth.conf
deleted file mode 100644
index d8f3785..0000000
--- a/fail2ban/filter.d/froxlor-auth.conf
+++ /dev/null
@@ -1,40 +0,0 @@
-# Fail2Ban configuration file to block repeated failed login attempts to Frolor installation(s)
-# 
-# Froxlor needs to log to Syslog User (e.g. /var/log/user.log) with one of the following messages
-# <syslog prefix> Froxlor: [Login Action <HOST>] Unknown user '<USER>' tried to login.
-# <syslog prefix> Froxlor: [Login Action <HOST>] User '<USER>' tried to login with wrong password.
-#
-# Author: Joern Muehlencord
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-
-[Definition]
-
-_daemon = Froxlor
-
-# Option:  failregex
-# Notes.:  regex to match the password failures messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-# Values:  TEXT
-#
-
-prefregex = ^%(__prefix_line)s\[Login Action <HOST>\] <F-CONTENT>.+</F-CONTENT>$
-
-failregex = ^Unknown user \S* tried to login.$
-            ^User \S* tried to login with wrong password.$
-
-
-# Option:  ignoreregex
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-# Values:  TEXT
-#
-ignoreregex =
-
diff --git a/fail2ban/filter.d/gitlab.conf b/fail2ban/filter.d/gitlab.conf
deleted file mode 100644
index 0c614ae..0000000
--- a/fail2ban/filter.d/gitlab.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# Fail2Ban filter for Gitlab
-# Detecting unauthorized access to the Gitlab Web portal
-# typically logged in /var/log/gitlab/gitlab-rails/application.log
-
-[Definition]
-failregex = ^: Failed Login: username=<F-USER>.+</F-USER> ip=<HOST>$
diff --git a/fail2ban/filter.d/grafana.conf b/fail2ban/filter.d/grafana.conf
deleted file mode 100644
index e7f0f42..0000000
--- a/fail2ban/filter.d/grafana.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# Fail2Ban filter for Grafana
-# Detecting unauthorized access
-# Typically logged in /var/log/grafana/grafana.log
-
-[Init]
-datepattern = ^t=%%Y-%%m-%%dT%%H:%%M:%%S%%z
-
-[Definition]
-failregex = ^(?: lvl=err?or)? msg="Invalid username or password"(?: uname=(?:"<F-ALT_USER>[^"]+</F-ALT_USER>"|<F-USER>\S+</F-USER>)| error="<F-ERROR>[^"]+</F-ERROR>"| \S+=(?:\S*|"[^"]+"))* remote_addr=<ADDR>$
diff --git a/fail2ban/filter.d/groupoffice.conf b/fail2ban/filter.d/groupoffice.conf
deleted file mode 100644
index 166c5fe..0000000
--- a/fail2ban/filter.d/groupoffice.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# Fail2Ban filter for Group-Office
-#
-# Enable logging with:
-# $config['info_log']='/home/groupoffice/log/info.log';
-#
-
-[Definition]
-
-failregex = ^\[\]LOGIN FAILED for user: "\S+" from IP: <HOST>$
-
-ignoreregex =
-
-# Author: Daniel Black
-
diff --git a/fail2ban/filter.d/gssftpd.conf b/fail2ban/filter.d/gssftpd.conf
deleted file mode 100644
index 5f9fb6a..0000000
--- a/fail2ban/filter.d/gssftpd.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# Fail2Ban filter file for gssftp
-#
-# Note: gssftp is part of the krb5-appl-servers in Fedora
-#
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-_daemon = ftpd
-
-failregex = ^%(__prefix_line)srepeated login failures from <HOST> \(\S+\)$
-
-ignoreregex = 
-
-# Author: Kevin Zembower
-# Edited: Daniel Black - syslog based daemon
diff --git a/fail2ban/filter.d/guacamole.conf b/fail2ban/filter.d/guacamole.conf
deleted file mode 100644
index bc6dbea..0000000
--- a/fail2ban/filter.d/guacamole.conf
+++ /dev/null
@@ -1,51 +0,0 @@
-# Fail2Ban configuration file for guacamole
-#
-# Author: Steven Hiscocks
-#
-
-[Definition]
-
-logging = catalina
-failregex = <L_<logging>/failregex>
-maxlines = <L_<logging>/maxlines>
-datepattern = <L_<logging>/datepattern>
-
-[L_catalina]
-
-failregex = ^.*\nWARNING: Authentication attempt from <HOST> for user "[^"]*" failed\.$
-
-maxlines = 2
-
-datepattern = ^%%b %%d, %%ExY %%I:%%M:%%S %%p
-              ^WARNING:()**
-              {^LN-BEG}
-
-[L_webapp]
-
-failregex = ^ \[\S+\] WARN  \S+ - Authentication attempt from <HOST> for user "<F-USER>[^"]+</F-USER>" failed.
-
-maxlines = 1
-
-datepattern = ^%%H:%%M:%%S.%%f
-
-# DEV Notes:
-#
-# failregex is based on the default pattern given in Guacamole documentation :
-# https://guacamole.apache.org/doc/gug/configuring-guacamole.html#webapp-logging
-#
-# The following logback.xml Guacamole configuration file can then be used accordingly :
-# <configuration>
-#   <appender name="FILE" class="ch.qos.logback.core.rolling.RollingFileAppender">
-#     <file>/var/log/guacamole.log</file>
-#     <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
-#       <fileNamePattern>/var/log/guacamole.%d.log.gz</fileNamePattern>
-#       <maxHistory>32</maxHistory>
-#     </rollingPolicy>
-#     <encoder>
-#       <pattern>%d{HH:mm:ss.SSS} [%thread] %-5level %logger{36} - %msg%n</pattern>
-#     </encoder>
-#   </appender>
-#   <root level="info">
-#     <appender-ref ref="FILE" />
-#   </root>
-# </configuration>
diff --git a/fail2ban/filter.d/haproxy-http-auth.conf b/fail2ban/filter.d/haproxy-http-auth.conf
deleted file mode 100644
index f92f9d6..0000000
--- a/fail2ban/filter.d/haproxy-http-auth.conf
+++ /dev/null
@@ -1,37 +0,0 @@
-# Fail2Ban filter configuration file to match failed login attempts to
-# HAProxy HTTP Authentication protected servers.
-#
-# PLEASE NOTE - When a user first hits the HTTP Auth a 401 is returned by the server
-# which prompts their browser to ask for login details.
-# This initial 401 is logged by HAProxy.
-# In other words, even successful logins will have at least 1 fail regex match.
-# Please keep this in mind when setting findtime and maxretry for jails.
-#
-# Author: Jordan Moeser
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-
-[Definition]
-
-_daemon = haproxy
-
-# Option:  failregex
-# Notes.:  regex to match the password failures messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-# Values:  TEXT
-#
-failregex = ^%(__prefix_line)s<HOST>(?::\d+)?\s+.*<NOSRV> -1/-1/-1/-1/\+*\d* 401
-
-# Option:  ignoreregex
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-# Values:  TEXT
-#
-ignoreregex =
diff --git a/fail2ban/filter.d/horde.conf b/fail2ban/filter.d/horde.conf
deleted file mode 100644
index b94ebf6..0000000
--- a/fail2ban/filter.d/horde.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# fail2ban filter configuration for horde
-
-
-[Definition]
-
-
-failregex = ^ HORDE \[error\] \[(horde|imp)\] FAILED LOGIN for \S+ \[<HOST>\](\(forwarded for \[\S+\]\))? to (Horde|{[^}]+}) \[(pid \d+ )?on line \d+ of \S+\]$
-
-
-ignoreregex = 
-
-# DEV NOTES:
-# https://github.com/horde/horde/blob/master/imp/lib/Auth.php#L132
-# https://github.com/horde/horde/blob/master/horde/login.php
-# 
-# Author: Daniel Black
diff --git a/fail2ban/filter.d/ignorecommands/apache-fakegooglebot b/fail2ban/filter.d/ignorecommands/apache-fakegooglebot.rpmsave
similarity index 100%
rename from fail2ban/filter.d/ignorecommands/apache-fakegooglebot
rename to fail2ban/filter.d/ignorecommands/apache-fakegooglebot.rpmsave
diff --git a/fail2ban/filter.d/kerio.conf b/fail2ban/filter.d/kerio.conf
deleted file mode 100644
index 0fde092..0000000
--- a/fail2ban/filter.d/kerio.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# Fail2ban filter for kerio
-
-[Definition]
-
-failregex = ^ SMTP Spam attack detected from <HOST>,
-            ^ IP address <HOST> found in DNS blacklist
-            ^ Relay attempt from IP address <HOST>
-            ^ Attempt to deliver to unknown recipient \S+, from \S+, IP address <HOST>$
-            ^ Failed SMTP login from <HOST>
-            ^ SMTP: User \S+ doesn't exist. Attempt from IP address <HOST>
-            ^ Client with IP address <HOST> has no reverse DNS entry, connection rejected before SMTP greeting$
-            ^ Administration login into Web Administration from <HOST> failed: IP address not allowed$
-            ^ Message from IP address <HOST>, sender \S+ rejected: sender domain does not exist$
-
-ignoreregex =
-
-datepattern = ^\[%%d/%%b/%%Y %%H:%%M:%%S\]
-
-# DEV NOTES:
-# 
-# Author: A.P. Lawrence
-# Updated by: M. Bischoff <https://github.com/herrbischoff>
-#
-# Based off: http://aplawrence.com/Kerio/fail2ban.html
diff --git a/fail2ban/filter.d/lighttpd-auth.conf b/fail2ban/filter.d/lighttpd-auth.conf
deleted file mode 100644
index a68f4f4..0000000
--- a/fail2ban/filter.d/lighttpd-auth.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# Fail2Ban filter to match wrong passwords as notified by lighttpd's auth Module
-#
-
-[Definition]
-
-failregex = ^: \((?:http|mod)_auth\.c\.\d+\) (?:password doesn\'t match .* username: .*|digest: auth failed for .*: wrong password|get_password failed), IP: <HOST>\s*$
-
-ignoreregex = 
-
-# Author: Francois Boulogne <fboulogne@april.org>
diff --git a/fail2ban/filter.d/mongodb-auth.conf b/fail2ban/filter.d/mongodb-auth.conf
deleted file mode 100644
index 66c27ab..0000000
--- a/fail2ban/filter.d/mongodb-auth.conf
+++ /dev/null
@@ -1,49 +0,0 @@
-# Fail2Ban filter for unsuccesfull MongoDB authentication attempts
-#
-# Logfile /var/log/mongodb/mongodb.log
-#
-# add setting in /etc/mongodb.conf
-# logpath=/var/log/mongodb/mongodb.log
-#
-# and use of the authentication
-# auth = true
-#
-
-[Definition]
-#failregex = ^\s+\[initandlisten\] connection accepted from <HOST>:\d+ \#(?P<__connid>\d+) \(1 connection now open\)<SKIPLINES>\s+\[conn(?P=__connid)\] Failed to authenticate\s+
-failregex = ^\s+\[conn(?P<__connid>\d+)\] Failed to authenticate [^\n]+<SKIPLINES>\s+\[conn(?P=__connid)\] end connection <HOST>
-
-ignoreregex =
-
-
-[Init]
-maxlines = 10
-
-# DEV Notes:
-#
-# Regarding the multiline regex:
-#
-# There can be a nunber of non-related lines between the first and second part
-# of this regex maxlines of 10 is quite generious.
-#
-# Note the capture __connid, includes the connection ID, used in second part of regex.
-#
-# The first regex is commented out (but will match also), because it is better to use
-# the host from "end connection" line (uncommented above):
-#  -  it has the same prefix, searching begins directly with failure message
-#     (so faster, because ignores success connections at all)
-#  -  it is not so vulnerable in case of possible race condition
-#
-# Log example:
-# 2016-10-20T09:54:27.108+0200 [initandlisten] connection accepted from 127.0.0.1:53276 #1 (1 connection now open)
-# 2016-10-20T09:54:27.109+0200 [conn1]  authenticate db: test { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
-# 2016-10-20T09:54:27.110+0200 [conn1] Failed to authenticate root@test with mechanism MONGODB-CR: AuthenticationFailed UserNotFound Could not find user root@test
-# 2016-11-09T09:54:27.894+0100 [conn1] end connection 127.0.0.1:53276 (0 connections now open)
-# 2016-11-09T11:55:58.890+0100 [initandlisten] connection accepted from 127.0.0.1:54266 #1510 (1 connection now open)
-# 2016-11-09T11:55:58.892+0100 [conn1510]  authenticate db: admin { authenticate: 1, nonce: "xxx", user: "root", key: "xxx" }
-# 2016-11-09T11:55:58.892+0100 [conn1510] Failed to authenticate root@admin with mechanism MONGODB-CR: AuthenticationFailed key mismatch
-# 2016-11-09T11:55:58.894+0100 [conn1510] end connection 127.0.0.1:54266 (0 connections now open)
-#
-# Authors: Alexander Finkhäuser
-#          Sergey G. Brester (sebres)
-
diff --git a/fail2ban/filter.d/monit.conf b/fail2ban/filter.d/monit.conf
deleted file mode 100644
index fdaee9c..0000000
--- a/fail2ban/filter.d/monit.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# Fail2Ban filter for monit.conf, looks for failed access attempts
-#
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-# [DEFAULT]
-# logtype = short
-
-[Definition]
-
-_daemon = monit
-
-_prefix = Warning|HttpRequest
-
-# Regexp for previous (accessing monit httpd) and new (access denied) versions
-failregex = ^%(__prefix_line)s(?:error\s*:\s+)?(?:%(_prefix)s):\s+(?:access denied\s+--\s+)?[Cc]lient '?<HOST>'?(?:\s+supplied|\s*:)\s+(?:unknown user '<F-ALT_USER>[^']+</F-ALT_USER>'|wrong password for user '<F-USER>[^']*</F-USER>'|empty password)
-
-# Ignore login with empty user (first connect, no user specified)
-# ignoreregex = %(__prefix_line)s\w+: access denied -- client <HOST>: (?:unknown user '')
-ignoreregex =
diff --git a/fail2ban/filter.d/murmur.conf b/fail2ban/filter.d/murmur.conf
deleted file mode 100644
index efdaf8b..0000000
--- a/fail2ban/filter.d/murmur.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# Fail2Ban filter for murmur/mumble-server
-#
-
-[Definition]
-
-_daemon = murmurd
-
-# N.B. If you allow users to have usernames that include the '>' character you
-#      should change this to match the regex assigned to the 'username'
-#      variable in your server config file (murmur.ini / mumble-server.ini).
-_usernameregex = [^>]+
-
-# Prefix for systemd-journal (with second date-pattern as optional match):
-#
-__prefix_journal = (?:\S+\s+%(_daemon)s\[\d+\]:(?:\s+\<W\>[\d\-]+ [\d:]+.\d+)?)
-
-__prefix_line = %(__prefix_journal)s?
-
-_prefix = %(__prefix_line)s\s+\d+ => <\d+:%(_usernameregex)s\(-1\)> Rejected connection from <HOST>:\d+:
-
-prefregex = ^%(_prefix)s <F-CONTENT>.+</F-CONTENT>$
-
-failregex = ^Invalid server password$
-            ^Wrong certificate or password for existing user$
-
-ignoreregex =
-
-datepattern = ^<W>{DATE}
-
-journalmatch = _SYSTEMD_UNIT=murmurd.service + _COMM=murmurd
-
-# DEV Notes:
-#
-# Author: Ross Brown
diff --git a/fail2ban/filter.d/mysqld-auth.conf b/fail2ban/filter.d/mysqld-auth.conf
deleted file mode 100644
index 930c9b5..0000000
--- a/fail2ban/filter.d/mysqld-auth.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# Fail2Ban filter for unsuccesful MySQL authentication attempts
-#
-#
-# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]:
-# log-error=/var/log/mysqld.log
-# log-warnings = 2
-#
-# If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-[Definition]
-
-_daemon = mysqld
-
-failregex = ^%(__prefix_line)s(?:(?:\d{6}|\d{4}-\d{2}-\d{2})[ T]\s?\d{1,2}:\d{2}:\d{2} )?(?:\d+ )?\[\w+\] (?:\[[^\]]+\] )*Access denied for user '<F-USER>[^']+</F-USER>'@'<HOST>' (to database '[^']*'|\(using password: (YES|NO)\))*\s*$
-
-ignoreregex = 
-
-# DEV Notes:
-#
-# Technically __prefix_line can equate to an empty string hence it can support
-# syslog and non-syslog at once.
-# Example:
-# 130322 11:26:54 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
-#
-# Authors: Artur Penttinen
-#          Yaroslav O. Halchenko
diff --git a/fail2ban/filter.d/nagios.conf b/fail2ban/filter.d/nagios.conf
deleted file mode 100644
index 0429d3f..0000000
--- a/fail2ban/filter.d/nagios.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# Fail2Ban filter for Nagios Remote Plugin Executor (nrpe2)
-# Detecting unauthorized access to the nrpe2 daemon 
-# typically logged in /var/log/messages syslog
-#
-
-[INCLUDES]
-# Read syslog common prefixes
-before = common.conf
-
-[Definition]
-_daemon     = nrpe
-failregex   = ^%(__prefix_line)sHost <HOST> is not allowed to talk to us!\s*$
-ignoreregex =
-
-# DEV Notes:
-# 
-# Author: Ivo Truxa - 2014/02/03
diff --git a/fail2ban/filter.d/named-refused.conf b/fail2ban/filter.d/named-refused.conf.rpmsave
similarity index 100%
rename from fail2ban/filter.d/named-refused.conf
rename to fail2ban/filter.d/named-refused.conf.rpmsave
diff --git a/fail2ban/filter.d/nginx-botsearch.conf b/fail2ban/filter.d/nginx-botsearch.conf.rpmsave
similarity index 100%
rename from fail2ban/filter.d/nginx-botsearch.conf
rename to fail2ban/filter.d/nginx-botsearch.conf.rpmsave
diff --git a/fail2ban/filter.d/nginx-http-auth.conf b/fail2ban/filter.d/nginx-http-auth.conf
deleted file mode 100644
index 93341cd..0000000
--- a/fail2ban/filter.d/nginx-http-auth.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# fail2ban filter configuration for nginx
-
-
-[Definition]
-
-
-failregex = ^ \[error\] \d+#\d+: \*\d+ user "(?:[^"]+|.*?)":? (?:password mismatch|was not found in "[^\"]*"), client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(?:, referrer: "\S+")?\s*$
-
-ignoreregex = 
-
-datepattern = {^LN-BEG}
-
-# DEV NOTES:
-# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
-# Extensive search of all nginx auth failures not done yet.
-# 
-# Author: Daniel Black
diff --git a/fail2ban/filter.d/nginx-limit-req.conf b/fail2ban/filter.d/nginx-limit-req.conf
deleted file mode 100644
index e23548a..0000000
--- a/fail2ban/filter.d/nginx-limit-req.conf
+++ /dev/null
@@ -1,46 +0,0 @@
-# Fail2ban filter configuration for nginx :: limit_req
-# used to ban hosts, that were failed through nginx by limit request processing rate 
-#
-# Author: Serg G. Brester (sebres)
-#
-# To use 'nginx-limit-req' filter you should have `ngx_http_limit_req_module`
-# and define `limit_req` and `limit_req_zone` as described in nginx documentation
-# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
-#
-# Example:
-#
-#   http {
-#     ...
-#     limit_req_zone $binary_remote_addr zone=lr_zone:10m rate=1r/s;
-#     ...
-#     # http, server, or location:
-#     location ... {
-#       limit_req zone=lr_zone burst=1 nodelay;
-#       ...
-#     }
-#     ...
-#   }
-#   ...
-#
-
-[Definition]
-
-# Specify following expression to define exact zones, if you want to ban IPs limited 
-# from specified zones only.
-# Example:
-#
-#   ngx_limit_req_zones = lr_zone|lr_zone2
-#
-ngx_limit_req_zones = [^"]+
-
-# Use following full expression if you should range limit request to specified 
-# servers, requests, referrers etc. only :
-#
-# failregex = ^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>, server: \S*, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"(, referrer: "\S+")?\s*$
-
-# Shortly, much faster and stable version of regexp:
-failregex = ^\s*\[[a-z]+\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "(?:%(ngx_limit_req_zones)s)", client: <HOST>,
-
-ignoreregex = 
-
-datepattern = {^LN-BEG}
diff --git a/fail2ban/filter.d/nsd.conf b/fail2ban/filter.d/nsd.conf
deleted file mode 100644
index bfd9954..0000000
--- a/fail2ban/filter.d/nsd.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Bas van den Dikkenberg
-#
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-
-[Definition]
-
-_daemon = nsd
-
-# Option:  failregex
-# Notes.:  regex to match the password failures messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-# Values:  TEXT
-
-failregex =  ^%(__prefix_line)sinfo: ratelimit block .* query <HOST> TYPE255$
-             ^%(__prefix_line)sinfo: .* <HOST> refused, no acl matches\.$
-
-ignoreregex =
-
-datepattern = {^LN-BEG}Epoch
-              {^LN-BEG}
\ No newline at end of file
diff --git a/fail2ban/filter.d/openhab.conf b/fail2ban/filter.d/openhab.conf
deleted file mode 100644
index f6b9633..0000000
--- a/fail2ban/filter.d/openhab.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# Openhab brute force auth filter: /etc/fail2ban/filter.d/openhab.conf:
-#
-# Block IPs trying to auth openhab by web or rest api
-#
-# Matches e.g.
-# 12.34.33.22 -  -  [26/sept./2015:18:04:43 +0200] "GET /openhab.app HTTP/1.1" 401 1382 
-# 175.18.15.10 -  -  [02/sept./2015:00:11:31 +0200] "GET /rest/bindings HTTP/1.1" 401 1384
-
-[Definition] 
-failregex = ^<HOST>\s+-\s+-\s+\[\]\s+"[A-Z]+ .*" 401 \d+\s*$
-
-datepattern = %%d/%%b[^/]*/%%Y:%%H:%%M:%%S %%z
-
-
-
diff --git a/fail2ban/filter.d/openwebmail.conf b/fail2ban/filter.d/openwebmail.conf
deleted file mode 100644
index ef51031..0000000
--- a/fail2ban/filter.d/openwebmail.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# Fail2Ban filter for Openwebmail
-# banning hosts with authentication errors in /var/log/openwebmail.log
-# OpenWebMail http://openwebmail.org
-#
-
-[Definition]
-
-failregex = ^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - login error - (no such user - loginname=(?P=USER)|auth_unix.pl, ret -4, Password incorrect)$
-            ^ - \[\d+\] \(<HOST>\) (?P<USER>\S+) - userinfo error - auth_unix.pl, ret -4, User (?P=USER) doesn't exist$
-
-ignoreregex =
-
-# DEV Notes:
-#
-# Author: Ivo Truxa (c) 2013 truXoft.com
diff --git a/fail2ban/filter.d/oracleims.conf b/fail2ban/filter.d/oracleims.conf
deleted file mode 100644
index 7d75c32..0000000
--- a/fail2ban/filter.d/oracleims.conf
+++ /dev/null
@@ -1,63 +0,0 @@
-# Fail2Ban configuration file
-# for Oracle IMS with XML logging
-#
-# Author: Joel Snyder/jms@opus1.com/2014-June-01
-#
-#
-
-
-[INCLUDES]
-
-# Read common prefixes.
-# If any customizations available -- read them from
-# common.local
-before = common.conf
-
-
-[Definition]
-
-# Option:  failregex
-# Notes.:  regex to match the password failures messages
-# in the logfile. The host must be matched by a
-# group named "host". The tag "<HOST>" can
-# be used for standard IP/hostname matching and is
-# only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-# Values:  TEXT
-#
-#
-# CONFIGURATION REQUIREMENTS FOR ORACLE IMS v6 and ABOVE:
-#
-# In OPTION.DAT you must have LOG_FORMAT=4 and
-#  bit 5 of LOG_CONNECTION must be set. 
-#
-# Many of these sub-fields are optional and can be turned on and off
-# by the system manager.  We need the "tr" field
-#  (transport information (present if bit 5 of LOG_CONNECTION is
-# set and transport information is available)).
-# "di" should be there by default if you have LOG_FORMAT=4.
-# Do not use "mi" as this is not included by default.
-#
-# Typical line IF YOU ARE USING TAGGING ! ! ! is:
-# <co ts="2014-06-02T09:45:50.29" pi="123f.3f8.4397"
-# sc="tcp_local" dr="+" ac="U"
-# tr="TCP|192.245.12.223|25|151.1.71.144|59762" ap="SMTP"
-# mi="Bad password"
-# us="01ko8hqnoif09qx0np@imap.opus1.com"
-# di="535 5.7.8 Bad username or password (Authentication failed)."/>
-# Format is generally documented in the PORT_ACCESS mapping 
-# at http://docs.oracle.com/cd/E19563-01/819-4428/bgaur/index.html
-#
-# All that would be on one line.
-# Note that you MUST have LOG_FORMAT=4 for this to work!
-#
-
-failregex = tr="[A-Z]+\|[0-9.]+\|\d+\|<HOST>\|\d+" ap="[^"]*" mi="Bad password" us="[^"]*" di="535 5.7.8 Bad username or password( \(Authentication failed\))?\."/>$
-
-# Option:  ignoreregex
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-# Values:  TEXT
-#
-ignoreregex =
-
-datepattern = ^<co ts="{DATE}"\s+
diff --git a/fail2ban/filter.d/pam-generic.conf b/fail2ban/filter.d/pam-generic.conf
deleted file mode 100644
index 0cadbee..0000000
--- a/fail2ban/filter.d/pam-generic.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# Fail2Ban configuration file for generic PAM authentication errors
-#
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-# if you want to catch only login errors from specific daemons, use something like
-#_ttys_re=(?:ssh|pure-ftpd|ftp)
-#
-# Default: catch all failed logins
-_ttys_re=\S*
-
-__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
-_daemon = \S+
-
-prefregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure;(?:\s+(?:(?:logname|e?uid)=\S*)){0,3} tty=%(_ttys_re)s <F-CONTENT>.+</F-CONTENT>$
-
-failregex = ^ruser=<F-ALT_USER>(?:\S*|.*?)</F-ALT_USER> rhost=<HOST>(?:\s+user=<F-USER>(?:\S*|.*?)</F-USER>)?\s*$
-
-ignoreregex = 
-
-datepattern = {^LN-BEG}
-
-# DEV Notes:
-#
-# for linux-pam before 0.99.2.0 (late 2005) (removed before 0.8.11 release)
-# _daemon = \S*\(?pam_unix\)?
-# failregex = ^%(__prefix_line)sauthentication failure; logname=\S* uid=\S* euid=\S* tty=%(_ttys_re)s ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
-#
-# Author: Yaroslav Halchenko
diff --git a/fail2ban/filter.d/perdition.conf b/fail2ban/filter.d/perdition.conf
deleted file mode 100644
index c47dcac..0000000
--- a/fail2ban/filter.d/perdition.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# Fail2Ban filter for perdition
-#
-#
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-_daemon=perdition.\S+
-
-failregex = ^%(__prefix_line)sAuth: <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+ client-secure=\S+ authorisation_id=NONE authentication_id=".+" server="\S+" protocol=\S+ server-secure=\S+ status="failed: (local authentication failure|Re-Authentication Failure)"$
-            ^%(__prefix_line)sFatal Error reading authentication information from client <HOST>:\d+->(\d{1,3}\.){3}\d{1,3}:\d+: Exiting child$
-
-ignoreregex =
-
-# Author: Christophe Carles and Daniel Black
diff --git a/fail2ban/filter.d/php-url-fopen.conf b/fail2ban/filter.d/php-url-fopen.conf
deleted file mode 100644
index a7957c9..0000000
--- a/fail2ban/filter.d/php-url-fopen.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# Fail2Ban filter for URLs with a URL as a script parameters
-# which can be an indication of a fopen url php injection
-#
-# Example of web requests in Apache access log:
-# 66.185.212.172 - - [26/Mar/2009:08:44:20 -0500] "GET /index.php?n=http://eatmyfood.hostinginfive.com/pizza.htm? HTTP/1.1" 200 114 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"
-
-[Definition]
-
-failregex = ^<HOST> -.*"(GET|POST).*\?.*\=http\:\/\/.* HTTP\/.*$
-
-ignoreregex = 
-
-# DEV Notes:
-#
-# Version 2
-# fixes the failregex so REFERERS that contain =http:// don't get blocked
-# (mentioned by "fasuto" (no real email provided... blog comment) in this entry:
-# http://blogs.buanzo.com.ar/2009/04/fail2ban-filter-for-php-injection-attacks.html#comment-1489
-#
-# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
-
-datepattern = ^[^\[]*\[({DATE})
-              {^LN-BEG}
diff --git a/fail2ban/filter.d/phpmyadmin-syslog.conf b/fail2ban/filter.d/phpmyadmin-syslog.conf
deleted file mode 100644
index 4378bed..0000000
--- a/fail2ban/filter.d/phpmyadmin-syslog.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# Fail2Ban filter for the phpMyAdmin-syslog
-#
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-_daemon = phpMyAdmin
-
-failregex = ^%(__prefix_line)suser denied: (?:\S+|.*?) \(mysql-denied\) from <HOST>\s*$
-
-ignoreregex =
-
-
-# Author: Pavel Mihadyuk
-# Regex fixes: Serg G. Brester
diff --git a/fail2ban/filter.d/portsentry.conf b/fail2ban/filter.d/portsentry.conf
deleted file mode 100644
index 35ca2a3..0000000
--- a/fail2ban/filter.d/portsentry.conf
+++ /dev/null
@@ -1,15 +0,0 @@
-# Fail2Ban filter for failure attempts in Counter Strike-1.6
-#
-#
-
-[Definition]
-
-failregex = \/<HOST> Port\: [0-9]+ (TCP|UDP) Blocked$
-
-ignoreregex =
-
-datepattern = {^LN-BEG}Epoch
-              {^LN-BEG}
-
-# Author: Pacop <pacoparu@gmail.com>
-
diff --git a/fail2ban/filter.d/postfix.conf b/fail2ban/filter.d/postfix.conf
deleted file mode 100644
index fb690fb..0000000
--- a/fail2ban/filter.d/postfix.conf
+++ /dev/null
@@ -1,80 +0,0 @@
-# Fail2Ban filter for selected Postfix SMTP rejections
-#
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-[Definition]
-
-_daemon = postfix(-\w+)?/\w+(?:/smtp[ds])?
-_port = (?::\d+)?
-
-prefregex = ^%(__prefix_line)s<mdpr-<mode>> <F-CONTENT>.+</F-CONTENT>$
-
-mdpr-normal = (?:\w+: reject:|(?:improper command pipelining|too many errors) after \S+)
-mdre-normal=^RCPT from [^[]*\[<HOST>\]%(_port)s: 55[04] 5\.7\.1\s
-            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 45[04] 4\.7\.\d+ (?:Service unavailable\b|Client host rejected: cannot find your (reverse )?hostname\b)
-            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.7\.\d+ (<[^>]*>)?: Helo command rejected: Host not found\b
-            ^EHLO from [^[]*\[<HOST>\]%(_port)s: 504 5\.5\.\d+ (<[^>]*>)?: Helo command rejected: need fully-qualified hostname\b
-            ^(RCPT|VRFY) from [^[]*\[<HOST>\]%(_port)s: 550 5\.1\.1\s
-            ^RCPT from [^[]*\[<HOST>\]%(_port)s: 450 4\.1\.\d+ (<[^>]*>)?: Sender address rejected: Domain not found\b
-            ^from [^[]*\[<HOST>\]%(_port)s:?
-
-mdpr-auth = warning:
-mdre-auth = ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server| Invalid authentication mechanism)
-mdre-auth2= ^[^[]*\[<HOST>\]%(_port)s: SASL ((?i)LOGIN|PLAIN|(?:CRAM|DIGEST)-MD5) authentication failed:(?! Connection lost to authentication server)
-# todo: check/remove "Invalid authentication mechanism" from ignore list, if gh-1243 will get finished (see gh-1297).
-
-# Mode "rbl" currently included in mode "normal", but if needed for jail "postfix-rbl" only:
-mdpr-rbl = %(mdpr-normal)s
-mdre-rbl  = ^RCPT from [^[]*\[<HOST>\]%(_port)s: [45]54 [45]\.7\.1 Service unavailable; Client host \[\S+\] blocked\b
-
-# Mode "rbl" currently included in mode "normal" (within 1st rule)
-mdpr-more = %(mdpr-normal)s
-mdre-more = %(mdre-normal)s
-
-mdpr-ddos = (?:lost connection after(?! DATA) [A-Z]+|disconnect(?= from \S+(?: \S+=\d+)* auth=0/(?:[1-9]|\d\d+)))
-mdre-ddos = ^from [^[]*\[<HOST>\]%(_port)s:?
-
-mdpr-extra = (?:%(mdpr-auth)s|%(mdpr-normal)s)
-mdre-extra = %(mdre-auth)s
-            %(mdre-normal)s
-
-mdpr-aggressive = (?:%(mdpr-auth)s|%(mdpr-normal)s|%(mdpr-ddos)s)
-mdre-aggressive = %(mdre-auth2)s
-                  %(mdre-normal)s
-
-mdpr-errors = too many errors after \S+
-mdre-errors = ^from [^[]*\[<HOST>\]%(_port)s$
-
-
-failregex = <mdre-<mode>>
-
-# Parameter "mode": more (default combines normal and rbl), auth, normal, rbl, ddos, extra or aggressive (combines all)
-# Usage example (for jail.local):
-#   [postfix]
-#   mode = aggressive
-#
-#   # or another jail (rewrite filter parameters of jail):
-#   [postfix-rbl]
-#   filter = postfix[mode=rbl]
-#
-#   # jail to match "too many errors", related postconf `smtpd_hard_error_limit`:
-#   # (normally included in other modes (normal, more, extra, aggressive), but this jail'd allow to ban on the first message)
-#   [postfix-many-errors]
-#   filter = postfix[mode=errors]
-#   maxretry = 1
-#
-mode = more
-
-ignoreregex = 
-
-[Init]
-
-journalmatch = _SYSTEMD_UNIT=postfix.service
-
-# Author: Cyril Jaquier
diff --git a/fail2ban/filter.d/proftpd.conf b/fail2ban/filter.d/proftpd.conf
deleted file mode 100644
index 71f2ba7..0000000
--- a/fail2ban/filter.d/proftpd.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-# Fail2Ban filter for the Proftpd FTP daemon
-#
-# Set "UseReverseDNS off" in proftpd.conf to avoid the need for DNS.
-# See: http://www.proftpd.org/docs/howto/DNS.html
-# When the default locale for your system is not en_US.UTF-8
-# on Debian-based systems be sure to add this to /etc/default/proftpd
-# export LC_TIME="en_US.UTF-8"
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-_daemon = proftpd
-
-__suffix_failed_login = ([uU]ser not authorized for login|[nN]o such user found|[iI]ncorrect password|[pP]assword expired|[aA]ccount disabled|[iI]nvalid shell: '\S+'|[uU]ser in \S+|[lL]imit (access|configuration) denies login|[nN]ot a UserAlias|[mM]aximum login length exceeded)
-
-
-prefregex = ^%(__prefix_line)s%(__hostname)s \(\S+\[<HOST>\]\)[: -]+ <F-CONTENT>(?:USER|SECURITY|Maximum) .+</F-CONTENT>$
-
-
-failregex = ^USER <F-USER>\S+|.*?</F-USER>(?: \(Login failed\))?: %(__suffix_failed_login)s
-            ^SECURITY VIOLATION: <F-USER>\S+|.*?</F-USER> login attempted
-            ^Maximum login attempts \(\d+\) exceeded
-
-ignoreregex = 
-
-[Init]
-journalmatch = _SYSTEMD_UNIT=proftpd.service
-
-# Author: Yaroslav Halchenko
-#         Daniel Black - hardening of regex
diff --git a/fail2ban/filter.d/pure-ftpd.conf b/fail2ban/filter.d/pure-ftpd.conf
deleted file mode 100644
index 034336f..0000000
--- a/fail2ban/filter.d/pure-ftpd.conf
+++ /dev/null
@@ -1,40 +0,0 @@
-# Fail2Ban filter for pureftp
-#
-# Disable hostname based logging by:
-#
-# Start pure-ftpd with the -H switch or on Ubuntu 'echo yes > /etc/pure-ftpd/conf/DontResolve'
-#
-#
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-_daemon = pure-ftpd
-
-# Error message specified in multiple languages
-__errmsg = (?:Godkendelse mislykkedes for \[.*\]|Authentifizierung fehlgeschlagen für Benutzer \[.*\].|Authentication failed for user \[.*\]|Autentificación fallida para el usuario \[.*\]|\[.*\] c'est un batard, il connait pas son code|Erreur d'authentification pour l'utilisateur \[.*\]|Azonosítás sikertelen \[.*\] felhasználónak|Autenticazione falita per l'utente \[.*\]|Autorisatie faalde voor gebruiker \[.*\]|Godkjennelse mislyktes for \[.*\]|\[.*\] kullanýcýsý için giriþ hatalý|Autenticação falhou para usuário \[.*\]|Autentificare esuata pentru utilizatorul \[.*\]|Autentifikace uživatele selhala \[.*\]|Autentyfikacja nie powiodła się dla użytkownika \[.*\]|Autentifikacia uzivatela zlyhala \[.*\]|Behörighetskontroll misslyckas för användare \[.*\]|Авторизация не удалась пользователю \[.*\]|\[.*\] 嶸盪 檣隸 褒ぬ|妏蚚氪\[.*\]桄痐囮啖|使用者\[.*\]驗證失敗)
-
-failregex = ^%(__prefix_line)s\(.+?@<HOST>\) \[WARNING\] %(__errmsg)s\s*$
-
-ignoreregex = 
-
-[Init]
-
-journalmatch = _SYSTEMD_UNIT=pure-ftpd.service + _COMM=pure-ftpd
-
-# Author: Cyril Jaquier
-# Modified: Yaroslav Halchenko for pure-ftpd
-# Documentation thanks to Blake on http://www.fail2ban.org/wiki/index.php?title=Fail2ban:Community_Portal
-# UTF-8 editing and mechanism thanks to Johannes Weberhofer
-#
-# Only logs to syslog though facility can be changed configuration file/command line
-#
-# To get messages in the right encoding:
-# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[defhint]* | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' > messages
-# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[pr][to] | grep -Po '".?"' | recode latin1..utf-8 | tr -d '"' >> messages
-# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[cps][slkv] | grep -Po '".?"' | recode latin2..utf-8 | tr -d '"' >> messages
-# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_ru | grep -Po '".?"' | recode KOI8-R..utf-8 | tr -d '"' >> messages
-# grep MSG_AUTH_FAILED_LOG pure-ftpd-1.0.36/src/messages_[kz] | grep -Po '".*?"' | tr -d '"' | recode big5..utf-8 >> messages
diff --git a/fail2ban/filter.d/qmail.conf b/fail2ban/filter.d/qmail.conf
deleted file mode 100644
index 62d499c..0000000
--- a/fail2ban/filter.d/qmail.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# Fail2Ban filters for qmail RBL patches/fake proxies
-#
-# the default djb RBL implementation doesn't log any rejections 
-# so is useless with this filter.
-#
-# One patch is here:
-#
-# http://www.tjsi.com/rblsmtpd/faq/ patch to rblsmtpd
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-_daemon = (?:qmail|rblsmtpd)
-
-failregex = ^%(__prefix_line)s\d+\.\d+ rblsmtpd: <HOST> pid \d+ \S+ 4\d\d \S+\s*$
-            ^%(__prefix_line)s\d+\.\d+ qmail-smtpd: 4\d\d badiprbl: ip <HOST> rbl: \S+\s*$
-            ^%(__prefix_line)s\S+ blocked <HOST> \S+ -\s*$
-
-ignoreregex =
-
-# DEV Notes:
-#
-# These seem to be for two or 3 different patches to qmail or rblsmtpd
-# so you'll probably only ever see one of these regex's that match.
-#
-# ref: https://github.com/fail2ban/fail2ban/pull/386
-#
-# Author: Daniel Black
diff --git a/fail2ban/filter.d/recidive.conf b/fail2ban/filter.d/recidive.conf.rpmsave
similarity index 100%
rename from fail2ban/filter.d/recidive.conf
rename to fail2ban/filter.d/recidive.conf.rpmsave
diff --git a/fail2ban/filter.d/roundcube-auth.conf b/fail2ban/filter.d/roundcube-auth.conf
deleted file mode 100644
index 9912ff4..0000000
--- a/fail2ban/filter.d/roundcube-auth.conf
+++ /dev/null
@@ -1,39 +0,0 @@
-# Fail2Ban configuration file for roundcube web server
-#
-# By default failed logins are printed to 'errors'. The first regex matches those
-# The second regex matches those printed to 'userlogins'
-#   The userlogins log file can be enabled by setting $config['log_logins'] = true; in config.inc.php
-#
-# The logpath in your jail can be updated to userlogins if you wish
-#
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-prefregex = ^\s*(\[\])?(%(__hostname)s\s*(?:roundcube(?:\[(\d*)\])?:)?\s*(<[\w]+>)? IMAP Error)?: <F-CONTENT>.+</F-CONTENT>$
-
-failregex = ^(?:FAILED login|Login failed) for <F-USER>.*</F-USER> from <HOST>(?:(?:\([^\)]*\))?\. (?:(?! from ).)*(?: user=(?P=user))? in \S+\.php on line \d+ \(\S+ \S+\))?$
-            ^(?:<[\w]+> )?Failed login for <F-USER>.*</F-USER> from <HOST> in session \w+( \(error: \d\))?$
-
-ignoreregex = 
-
-journalmatch = SYSLOG_IDENTIFIER=roundcube
-
-# DEV Notes:
-#
-# Source: https://github.com/roundcube/roundcubemail/blob/master/program/lib/Roundcube/rcube_imap.php#L180
-#
-# Part after <HOST> comes straight from IMAP server up until the " in ....."
-# Earlier versions didn't log the IMAP response hence optional.
-#
-# DoS resistance:
-#
-# Assume that the user can inject "from <HOST>" into the imap response
-# somehow. Write test cases around this to ensure that the combination of
-# arbitrary user input and IMAP response doesn't inject the wrong IP for
-# fail2ban
-#
-# Author: Teodor Micu & Yaroslav Halchenko & terence namusonge & Daniel Black & Lee Clemens
diff --git a/fail2ban/filter.d/screensharingd.conf b/fail2ban/filter.d/screensharingd.conf
deleted file mode 100644
index 4cd7646..0000000
--- a/fail2ban/filter.d/screensharingd.conf
+++ /dev/null
@@ -1,31 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Simon Brown
-#
-# Filter for Mac OS X Screen Sharing service
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-
-[Definition]
-
-_daemon = screensharingd
-
-# Option:  failregex
-# Notes.:  regex to match the password failures messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-# Values:  TEXT
-#
-failregex = ^%(__prefix_line)sAuthentication: FAILED :: User Name: .+ :: Viewer Address: <HOST> :: Type: DH$
-
-# Option:  ignoreregex
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-# Values:  TEXT
-#
-ignoreregex =
diff --git a/fail2ban/filter.d/selinux-common.conf b/fail2ban/filter.d/selinux-common.conf
deleted file mode 100644
index b3e0ae4..0000000
--- a/fail2ban/filter.d/selinux-common.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# Fail2Ban configuration file for generic SELinux audit messages
-#
-# This file is not intended to be used directly, and should be included into a
-# filter file which would define following variables. See selinux-ssh.conf as
-# and example.
-#
-# _type
-# _uid
-# _auid 
-# _subj
-# _msg
-#
-# Also one of these variables must include <HOST>.
-
-[Definition]
-
-failregex = ^type=%(_type)s msg=audit\(:\d+\): (user )?pid=\d+ uid=%(_uid)s auid=%(_auid)s ses=\d+ subj=%(_subj)s msg='%(_msg)s'$
-
-ignoreregex =
-
-datepattern = EPOCH
-
-# Author: Daniel Black
diff --git a/fail2ban/filter.d/selinux-ssh.conf b/fail2ban/filter.d/selinux-ssh.conf
deleted file mode 100644
index 6955094..0000000
--- a/fail2ban/filter.d/selinux-ssh.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# Fail2Ban configuration file for SELinux ssh authentication errors
-#
-
-[INCLUDES]
-
-after = selinux-common.conf
-
-[Definition]
-
-_type = USER_(ERR|AUTH)
-_uid  = 0
-_auid = \d+
-_subj = (?:unconfined_u|system_u):system_r:sshd_t:s0-s0:c0\.c1023
-
-_exe  =/usr/sbin/sshd
-_terminal = ssh
-
-_msg = op=\S+ acct=(?P<_quote_acct>"?)\S+(?P=_quote_acct) exe="%(_exe)s" hostname=(\?|(\d+\.){3}\d+) addr=<HOST> terminal=%(_terminal)s res=failed
-
-# DEV Notes:
-#
-# Note: USER_LOGIN is ignored as this is the duplicate messsage
-# ssh logs after 3 USER_AUTH failures.
-# 
-# Author: Daniel Black
diff --git a/fail2ban/filter.d/sendmail-auth.conf b/fail2ban/filter.d/sendmail-auth.conf
deleted file mode 100644
index 84fcbdd..0000000
--- a/fail2ban/filter.d/sendmail-auth.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# Fail2Ban filter for sendmail authentication failures
-#
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-_daemon = (?:sendmail|sm-(?:mta|acceptingconnections))
-# "\w{14,20}" will give support for IDs from 14 up to 20 characters long
-__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
-addr = (?:IPv6:<IP6>|<IP4>)
-
-prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
-
-failregex = ^(\S+ )?\[%(addr)s\]( \(may be forged\))?: possible SMTP attack: command=AUTH, count=\d+$
-            ^AUTH failure \(LOGIN\):(?: [^:]+:)? authentication failure: checkpass failed, user=<F-USER>(?:\S+|.*?)</F-USER>, relay=(?:\S+ )?\[%(addr)s\](?: \(may be forged\))?$
-ignoreregex =
-
-journalmatch = _SYSTEMD_UNIT=sendmail.service
-
-# DEV Notes:
-#
-# Author: Daniel Black
diff --git a/fail2ban/filter.d/sendmail-reject.conf b/fail2ban/filter.d/sendmail-reject.conf
deleted file mode 100644
index e8b766c..0000000
--- a/fail2ban/filter.d/sendmail-reject.conf
+++ /dev/null
@@ -1,68 +0,0 @@
-# Fail2Ban filter for sendmail spam/relay type failures
-#
-# Some of the below failregex will only work properly, when the following
-# options are set in the .mc file (see your Sendmail documentation on how
-# to modify it and generate the corresponding .cf file):
-#
-# FEATURE(`delay_checks')
-# FEATURE(`greet_pause', `500')
-# FEATURE(`ratecontrol', `nodelay', `terminate')
-# FEATURE(`conncontrol', `nodelay', `terminate')
-#
-# ratecontrol and conncontrol also need corresponding options ClientRate:
-# and ClientConn: in the access file, see documentation for ratecontrol and
-# conncontrol in the sendmail/cf/README file.
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-_daemon = (?:(sm-(mta|acceptingconnections)|sendmail))
-__prefix_line = %(known/__prefix_line)s(?:\w{14,20}: )?
-addr = (?:IPv6:<IP6>|<IP4>)
-
-prefregex = ^<F-MLFID>%(__prefix_line)s</F-MLFID><F-CONTENT>.+</F-CONTENT>$
-
-cmnfailre = ^ruleset=check_rcpt, arg1=(?P<email><\S+@\S+>), relay=(\S+ )?\[%(addr)s\](?: \(may be forged\))?, reject=(550 5\.7\.1 (?P=email)\.\.\. Relaying denied\. (IP name possibly forged \[(\d+\.){3}\d+\]|Proper authentication required\.|IP name lookup failed \[(\d+\.){3}\d+\])|553 5\.1\.8 (?P=email)\.\.\. Domain of sender address \S+ does not exist|550 5\.[71]\.1 (?P=email)\.\.\. (Rejected: .*|User unknown))$
-            ^ruleset=check_relay, arg1=(?P<dom>\S+), arg2=%(addr)s, relay=((?P=dom) )?\[(\d+\.){3}\d+\](?: \(may be forged\))?, reject=421 4\.3\.2 (Connection rate limit exceeded\.|Too many open connections\.)$
-            ^rejecting commands from (\S* )?\[%(addr)s\] due to pre-greeting traffic after \d+ seconds$
-            ^(?:\S+ )?\[%(addr)s\]: (?:(?i)expn|vrfy) \S+ \[rejected\]$
-            ^<[^@]+@[^>]+>\.\.\. No such user here$
-            ^<F-NOFAIL>from=<[^@]+@[^>]+></F-NOFAIL>, size=\d+, class=\d+, nrcpts=\d+, bodytype=\w+, proto=E?SMTP, daemon=MTA, relay=\S+ \[%(addr)s\]$
-
-mdre-normal =
-
-mdre-extra = ^(?:\S+ )?\[%(addr)s\](?: \(may be forged\))? did not issue \S+ during connection
-
-mdre-aggressive = %(mdre-extra)s
-
-failregex = %(cmnfailre)s
-            <mdre-<mode>>
-
-# Parameter "mode": normal (default), extra or aggressive
-# Usage example (for jail.local):
-#   [sendmail-reject]
-#   filter = sendmail-reject[mode=extra]
-#
-mode = normal
-
-ignoreregex = 
-
-journalmatch = SYSLOG_IDENTIFIER=sm-mta + _SYSTEMD_UNIT=sendmail.service
-
-# DEV NOTES:
-# 
-# Regarding the multiline regex:
-#
-# "No such user" lines generate a failure and needs to be matched together with
-# another line with the HOST, therefore no-failure line was added as regex, that
-# contains HOST (see line with tag <F-NOFAIL>).
-#
-# Note the capture <F-MLFID>, includes both the __prefix_lines (which includes
-# the sendmail PID), but also the `\w{14}` which the the sendmail assigned 
-# mail ID (todo: check this is necessary, possible obsolete).
-#
-# Author: Daniel Black, Fabian Wenk and Sergey Brester aka sebres.
-# Rewritten using prefregex by Serg G. Brester.
diff --git a/fail2ban/filter.d/sieve.conf b/fail2ban/filter.d/sieve.conf
deleted file mode 100644
index 4ec9c45..0000000
--- a/fail2ban/filter.d/sieve.conf
+++ /dev/null
@@ -1,18 +0,0 @@
-# Fail2Ban filter for sieve authentication failures
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-[Definition]
-
-_daemon = (?:cyrus/)?(?:tim)?sieved?
-
-failregex = ^%(__prefix_line)sbadlogin: \S+ ?\[<HOST>\] \S+ authentication failure$
-
-ignoreregex = 
-
-# Author: Jan Wagner <waja@cyconet.org>
diff --git a/fail2ban/filter.d/slapd.conf b/fail2ban/filter.d/slapd.conf
deleted file mode 100644
index 22cf430..0000000
--- a/fail2ban/filter.d/slapd.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# slapd (Stand-alone LDAP Daemon) openldap daemon filter
-#
-# Detecting invalid credentials: error code 49
-# http://www.openldap.org/doc/admin24/appendix-ldap-result-codes.html#invalidCredentials (49)
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-[Definition]
-
-_daemon = slapd
-
-failregex = ^(?P<__prefix>%(__prefix_line)s)conn=(?P<_conn_>\d+) fd=\d+ ACCEPT from IP=<HOST>:\d{1,5} \(IP=\S+\)\s*<SKIPLINES>(?P=__prefix)conn=(?P=_conn_) op=\d+ RESULT(?:\s(?!err)\S+=\S*)* err=49 text=[\w\s]*$
-
-ignoreregex =
-
-[Init]
-
-# "maxlines" is number of log lines to buffer for multi-line regex searches
-maxlines = 20
-
-# Author: Andrii Melnyk
diff --git a/fail2ban/filter.d/softethervpn.conf b/fail2ban/filter.d/softethervpn.conf
deleted file mode 100644
index f7e7c0c..0000000
--- a/fail2ban/filter.d/softethervpn.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# Fail2Ban filter for SoftEtherVPN
-# Detecting unauthorized access to SoftEtherVPN
-# typically logged in /usr/local/vpnserver/security_log/*/sec.log, or in syslog, depending on configuration
-
-[INCLUDES]
-before = common.conf
-
-[Definition]
-failregex = ^%(__prefix_line)s(?:(?:\([\d\-]+ [\d:.]+\) )?<SECURITY_LOG>: )?Connection "[^"]+": User authentication failed. The user name that has been provided was "<F-USER>(?:[^"]+|.+)</F-USER>", from <ADDR>\.$
diff --git a/fail2ban/filter.d/sogo-auth.conf b/fail2ban/filter.d/sogo-auth.conf
deleted file mode 100644
index 4155f89..0000000
--- a/fail2ban/filter.d/sogo-auth.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Fail2ban filter for SOGo authentcation
-#
-# Log file usually in /var/log/sogo/sogo.log
-
-[Definition]
-
-failregex = ^ sogod \[\d+\]: SOGoRootPage Login from '<HOST>(?:,[^']*)?' for user '[^']*' might not have worked( - password policy: \d*  grace: -?\d*  expire: -?\d*  bound: -?\d*)?\s*$
-
-ignoreregex = "^<ADDR>"
-
-datepattern = {^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\s*%%z)?
-              {^LN-BEG}(?:%%a )?%%b %%d %%H:%%M:%%S(?:\.%%f)?(?: %%ExY)?
-              ^[^\[]*\[({DATE})
-              {^LN-BEG}
-
-# 
-# DEV Notes:
-#
-# The error log may contain multiple hosts, whereas the first one 
-# is the client and all others are poxys. We match the first one, only
-#
-# Author: Arnd Brandes
diff --git a/fail2ban/filter.d/solid-pop3d.conf b/fail2ban/filter.d/solid-pop3d.conf
deleted file mode 100644
index ba19d66..0000000
--- a/fail2ban/filter.d/solid-pop3d.conf
+++ /dev/null
@@ -1,32 +0,0 @@
-# Fail2Ban filter for unsuccessful solid-pop3 authentication attempts
-#
-# Doesn't currently provide PAM support as PAM log messages don't include rhost as
-# remote IP.
-#
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-_daemon = solid-pop3d
-
-failregex = ^%(__prefix_line)sauthentication failed: (no such user|can't map user name): .*? - <HOST>$
-            ^%(__prefix_line)s(APOP )?authentication failed for (mapped )?user .*? - <HOST>$
-            ^%(__prefix_line)sroot login not allowed - <HOST>$
-            ^%(__prefix_line)scan't find APOP secret for user .*? - <HOST>$
-
-ignoreregex = 
-
-# DEV Notes:
-#
-# solid-pop3d needs to be compiled with --enable-logextend to support
-# IP addresses in log messages.
-#
-# solid-pop3d-0.15/src/main.c contains all authentication errors
-# except for PAM authentication messages ( src/authenticate.c )
-#
-# A pam authentication failure message (note no IP for rhost).
-# Nov 17 23:17:50 emf1pt2-2-35-70 solid-pop3d[17176]: pam_unix(solid-pop3d:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=jacques
-# 
-# Authors: Daniel Black
diff --git a/fail2ban/filter.d/squid.conf b/fail2ban/filter.d/squid.conf
deleted file mode 100644
index 58694c4..0000000
--- a/fail2ban/filter.d/squid.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-# Fail2Ban filter for Squid attempted proxy bypasses
-#
-#
-
-[Definition]
-
-failregex = ^\s+\d\s<HOST>\s+[A-Z_]+_DENIED/403 .*$
-            ^\s+\d\s<HOST>\s+NONE/405 .*$
-
-ignoreregex =
-
-datepattern = {^LN-BEG}Epoch
-              {^LN-BEG}
-
-# Author: Daniel Black
-
diff --git a/fail2ban/filter.d/squirrelmail.conf b/fail2ban/filter.d/squirrelmail.conf
deleted file mode 100644
index 31e922e..0000000
--- a/fail2ban/filter.d/squirrelmail.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-
-[Definition]
-
-failregex = ^ \[LOGIN_ERROR\].*from <HOST>: Unknown user or password incorrect\.$
-
-ignoreregex =
-
-datepattern = ^%%m/%%d/%%Y %%H:%%M:%%S
-
-# DEV NOTES:
-#
-# Author: Daniel Black
diff --git a/fail2ban/filter.d/sshd.conf b/fail2ban/filter.d/sshd.conf.rpmsave
similarity index 100%
rename from fail2ban/filter.d/sshd.conf
rename to fail2ban/filter.d/sshd.conf.rpmsave
diff --git a/fail2ban/filter.d/stunnel.conf b/fail2ban/filter.d/stunnel.conf
deleted file mode 100644
index 2396d89..0000000
--- a/fail2ban/filter.d/stunnel.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# Fail2ban filter for stunnel
-
-[Definition]
-
-failregex = ^ LOG\d\[\d+:\d+\]:\ SSL_accept from <HOST>:\d+ : (?P<CODE>[\dA-F]+): error:(?P=CODE):SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate$
-
-ignoreregex =
-
-# DEV NOTES:
-# 
-# Author: Daniel Black
-#
-# Based off: http://www.fail2ban.org/wiki/index.php/Fail2ban:Community_Portal#stunnel4
diff --git a/fail2ban/filter.d/suhosin.conf b/fail2ban/filter.d/suhosin.conf
deleted file mode 100644
index 46fbe38..0000000
--- a/fail2ban/filter.d/suhosin.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-# Fail2Ban filter for suhosian PHP hardening
-#
-# This occurs with lighttpd or directly from the plugin
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-
-[Definition]
-
-_daemon = (?:lighttpd|suhosin)
-
-
-_lighttpd_prefix = (?:\(mod_fastcgi\.c\.\d+\) FastCGI-stderr:\s)
-
-failregex = ^%(__prefix_line)s%(_lighttpd_prefix)s?ALERT - .*? \(attacker '<HOST>', file '[^']*'(?:, line \d+)?\)$
-
-ignoreregex = 
-
-# DEV Notes:
-#
-# https://github.com/stefanesser/suhosin/blob/1fba865ab73cc98a3109f88d85eb82c1bfc29b37/log.c#L161
-#
-# Author: Arturo 'Buanzo' Busleiman <buanzo@buanzo.com.ar>
diff --git a/fail2ban/filter.d/tine20.conf b/fail2ban/filter.d/tine20.conf
deleted file mode 100644
index a80d89e..0000000
--- a/fail2ban/filter.d/tine20.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# Fail2Ban filter for Tine 2.0 authentication
-#
-# Enable logging with:
-# $config['info_log']='/var/log/tine20/tine20.log';
-#
-
-[Definition]
-
-failregex =  ^[\da-f]{5,} [\da-f]{5,} (-- none --|.*?)( \d+(\.\d+)?(h|m|s|ms)){0,2} -  WARN \(\d+\): Tinebase_Controller::login::\d+ Login with username .*? from <HOST> failed \(-[13]\)!$
-
-ignoreregex = 
-
-datepattern = ^[^-]+ -- [^-]+ -- - ({DATE})
-              {^LN-BEG}
-
-# Author: Mika (mkl) from Tine20.org forum: https://www.tine20.org/forum/viewtopic.php?f=2&t=15688&p=54766
-# Editor: Daniel Black
-# Advisor: Lars Kneschke
-#
-# Usernames can contain spaces.
-#
-# Authentication: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Controller.php#l105
-# Logger: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Log/Formatter.php
-# formatMicrotimeDiff: http://git.tine20.org/git?p=tine20;a=blob;f=tine20/Tinebase/Helper.php#l276
diff --git a/fail2ban/filter.d/traefik-auth.conf b/fail2ban/filter.d/traefik-auth.conf
deleted file mode 100644
index 8022fee..0000000
--- a/fail2ban/filter.d/traefik-auth.conf
+++ /dev/null
@@ -1,76 +0,0 @@
-# Fail2ban filter configuration for traefik :: auth
-# used to ban hosts, that were failed through traefik
-#
-# Author: CrazyMax
-#
-# To use 'traefik-auth' filter you have to configure your Traefik instance to write
-# the access logs as describe in https://docs.traefik.io/configuration/logs/#access-logs
-# into a log file on host and specifiy users for Basic Authentication
-# https://docs.traefik.io/configuration/entrypoints/#basic-authentication
-#
-# Example:
-#
-# version: "3.2"
-#
-# services:
-#   traefik:
-#     image: traefik:latest
-#     command:
-#       - "--loglevel=INFO"
-#       - "--accesslog=true"
-#       - "--accessLog.filePath=/var/log/access.log"
-# #       - "--accessLog.filters.statusCodes=400-499"
-#       - "--defaultentrypoints=http,https"
-#       - "--entryPoints=Name:http Address::80"
-#       - "--entryPoints=Name:https Address::443 TLS"
-#       - "--docker.domain=example.com"
-#       - "--docker.watch=true"
-#       - "--docker.exposedbydefault=false"
-#       - "--api=true"
-#       - "--api.dashboard=true"
-#     ports:
-#       - target: 80
-#         published: 80
-#         protocol: tcp
-#         mode: host
-#       - target: 443
-#         published: 443
-#         protocol: tcp
-#         mode: host
-#     labels:
-#       - "traefik.enable=true"
-#       - "traefik.port=8080"
-#       - "traefik.backend=traefik"
-#       - "traefik.frontend.rule=Host:traefik.example.com"
-#       - "traefik.frontend.auth.basic.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/"
-#     volumes:
-#       - "/var/log/traefik:/var/log"
-#       - "/var/run/docker.sock:/var/run/docker.sock"
-#     restart: always
-#
-
-[Definition]
-
-# Parameter "method" can be used to specifiy request method
-req-method = \S+
-# Usage example (for jail.local):
-#   filter = traefik-auth[req-method="GET|POST|HEAD"]
-
-failregex = ^<HOST> \- <usrre-<mode>> \[\] \"(?:<req-method>) [^\"]+\" 401\b
-
-ignoreregex =
-
-# Parameter "mode": normal (default), ddos or aggressive
-# Usage example (for jail.local):
-#   [traefik-auth]
-#   mode = aggressive
-#   # or another jail (rewrite filter parameters of jail):
-#   [traefik-auth-ddos]
-#   filter = traefik-auth[mode=ddos]
-#
-mode = normal
-
-# part of failregex matches user name (must be available in normal mode, must be empty in ddos mode, and both for aggressive mode):
-usrre-normal = (?!- )<F-USER>\S+</F-USER>
-usrre-ddos = -
-usrre-aggressive = <F-USER>\S+</F-USER>
\ No newline at end of file
diff --git a/fail2ban/filter.d/uwimap-auth.conf b/fail2ban/filter.d/uwimap-auth.conf
deleted file mode 100644
index f734eb7..0000000
--- a/fail2ban/filter.d/uwimap-auth.conf
+++ /dev/null
@@ -1,17 +0,0 @@
-# Fail2Ban filter for uwimap
-#
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-_daemon = (?:ipop3d|imapd)
-
-failregex = ^%(__prefix_line)sLogin (?:failed|excessive login failures|disabled|SYSTEM BREAK-IN ATTEMPT) user=\S* auth=\S* host=.*\[<HOST>\]\s*$ 
-            ^%(__prefix_line)sFailed .* override of user=.* host=.*\[<HOST>\]\s*$
-
-ignoreregex = 
-
-# Author: Amir Caspi
diff --git a/fail2ban/filter.d/vsftpd.conf b/fail2ban/filter.d/vsftpd.conf
deleted file mode 100644
index 2ecc44d..0000000
--- a/fail2ban/filter.d/vsftpd.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Fail2Ban filter for vsftp
-#
-# Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch
-# /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the
-# incoming ip address rather than domain names.
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-__pam_re=\(?%(__pam_auth)s(?:\(\S+\))?\)?:?
-_daemon =  vsftpd
-
-failregex = ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
-            ^ \[pid \d+\] \[[^\]]+\] FAIL LOGIN: Client "<HOST>"(?:\s*$|,)
-
-ignoreregex = 
-
-# Author: Cyril Jaquier
-# Documentation from fail2ban wiki
diff --git a/fail2ban/filter.d/webmin-auth.conf b/fail2ban/filter.d/webmin-auth.conf
deleted file mode 100644
index a0f014c..0000000
--- a/fail2ban/filter.d/webmin-auth.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Fail2Ban filter for webmin
-#
-
-[INCLUDES]
-
-before = common.conf
-
-[Definition]
-
-_daemon = webmin
-
-failregex = ^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$
-            ^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$
-
-ignoreregex = 
-
-# DEV Notes:
-#
-# pattern :     webmin[15673]: Non-existent login as toto from 86.0.6.217
-#               webmin[29544]: Invalid login as root from 86.0.6.217
-#
-# Rule Author: Delvit Guillaume
diff --git a/fail2ban/filter.d/wuftpd.conf b/fail2ban/filter.d/wuftpd.conf
deleted file mode 100644
index 6f6700e..0000000
--- a/fail2ban/filter.d/wuftpd.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-# Fail2Ban configuration file for wuftpd
-#
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-[Definition]
-
-_daemon = wu-ftpd
-__pam_re=\(?%(__pam_auth)s(?:\(wu-ftpd:auth\))?\)?:?
-
-failregex = ^%(__prefix_line)sfailed login from \S+ \[<HOST>\]\s*$
-            ^%(__prefix_line)s%(__pam_re)s\s+authentication failure; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
-
-
-ignoreregex = 
-
-# Author: Yaroslav Halchenko
diff --git a/fail2ban/filter.d/xinetd-fail.conf b/fail2ban/filter.d/xinetd-fail.conf
deleted file mode 100644
index b4093d9..0000000
--- a/fail2ban/filter.d/xinetd-fail.conf
+++ /dev/null
@@ -1,29 +0,0 @@
-# Fail2Ban filter for xinetd failures
-#
-# Cfr.: /var/log/(daemon\.|sys)log
-#
-#
-
-[INCLUDES]
-
-# Read common prefixes. If any customizations available -- read them from
-# common.local
-before = common.conf
-
-[Definition]
-
-_daemon = xinetd
-
-prefregex = ^%(__prefix_line)sFAIL: <F-CONTENT>.+</F-CONTENT>$
-
-failregex = ^\S+ address from=<HOST>$
-            ^\S+ libwrap from=<HOST>$
-
-ignoreregex = 
-
-# DEV Notes:
-#
-# libwrap => tcp wrappers: hosts.(allow|deny)
-# address => xinetd: deny_from|only_from
-#
-# Author: Guido Bozzetto
diff --git a/fail2ban/filter.d/znc-adminlog.conf b/fail2ban/filter.d/znc-adminlog.conf
deleted file mode 100644
index 8faa25e..0000000
--- a/fail2ban/filter.d/znc-adminlog.conf
+++ /dev/null
@@ -1,34 +0,0 @@
-# Fail2Ban filter for ZNC (requires adminlog module)
-#
-# to use this module, enable the adminlog module from within ZNC and point
-# logpath to its logfile (e.g. /var/lib/znc/moddata/adminlog/znc.log).
-
-[DEFAULT]
-
-logtype = file
-
-[Definition]
-
-_daemon = znc
-
-# Prefix for different logtype (file, journal):
-#
-__prefix_file = (?:\[\]\s+)?
-__prefix_short = (?:\S+\s+%(_daemon)s\[\d+\]:)\s+
-__prefix_journal = %(__prefix_short)s
-
-__prefix_line = <__prefix_<logtype>>
-
-failregex = ^%(__prefix_line)s\[[^]]+\] failed to login from <ADDR>
-
-ignoreregex = 
-
-journalmatch = _SYSTEMD_UNIT=znc.service + _COMM=znc
-
-# DEV Notes:
-# Log format is: [<DATE+TIME>] [<USERNAME>] <ACTION> from <ADDR>
-# [2018-10-27 01:40:17] [girst] connected to ZNC from 1.2.3.4
-# [2018-10-27 01:40:21] [girst] disconnected from ZNC from 1.2.3.4
-# [2018-10-27 01:40:55] [girst] failed to login from 1.2.3.4
-#
-# Author: Tobias Girstmair (//gir.st/)
diff --git a/fail2ban/filter.d/zoneminder.conf b/fail2ban/filter.d/zoneminder.conf
deleted file mode 100644
index cc82755..0000000
--- a/fail2ban/filter.d/zoneminder.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# Fail2Ban filter for Zoneminder login failures
-
-[INCLUDES]
-before = apache-common.conf
-
-[Definition]
-
-# pattern: [Wed Apr 27 23:12:07.736196 2016] [:error] [pid 2460] [client 10.1.1.1:47296] WAR [Login denied for user "test"], referer: https://zoneminderurl/index.php
-#
-#
-# Option:  failregex
-# Notes.:  regex to match the password failure messages in the logfile.
-
-failregex = ^%(_apache_error_client)s WAR \[Login denied for user "[^"]*"\]
-
-ignoreregex =
-
-# Notes:
-#	Tested on Zoneminder 1.29.0
-#
-# Author: John Marzella
diff --git a/fail2ban/jail.conf b/fail2ban/jail.conf.rpmsave
similarity index 100%
rename from fail2ban/jail.conf
rename to fail2ban/jail.conf.rpmsave
diff --git a/fail2ban/jail.d/00-firewalld.conf b/fail2ban/jail.d/00-firewalld.conf
deleted file mode 100644
index 61752cb..0000000
--- a/fail2ban/jail.d/00-firewalld.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# This file is part of the fail2ban-firewalld package to configure the use of
-# the firewalld actions as the default actions.  You can remove this package
-# (along with the empty fail2ban meta-package) if you do not use firewalld
-[DEFAULT]
-banaction = firewallcmd-rich-rules[actiontype=<multiport>]
-banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]
diff --git a/fail2ban/paths-common.conf b/fail2ban/paths-common.conf
deleted file mode 100644
index 7383caf..0000000
--- a/fail2ban/paths-common.conf
+++ /dev/null
@@ -1,96 +0,0 @@
-# Common
-#
-
-[INCLUDES]
-
-after  = paths-overrides.local
-
-[DEFAULT]
-
-default_backend = %(default/backend)s
-
-# Initial common values (to overwrite in path-<distribution>.conf)...
-# There is no sensible generic defaults for syslog log targets, thus
-# leaving them empty here (resp. set to mostly used variant) in order 
-# to avoid errors while parsing/interpolating configs.
-#
-# Note systemd-backend does not need the logpath at all.
-#
-syslog_local0 = /var/log/messages
-
-syslog_authpriv = /var/log/auth.log
-syslog_daemon  = %(syslog_local0)s
-syslog_ftp = %(syslog_local0)s
-syslog_mail =
-syslog_mail_warn =
-syslog_user = %(syslog_local0)s
-
-# Set the default syslog backend target to default_backend
-syslog_backend = %(default_backend)s
-
-# Default values for several jails:
-
-sshd_log = %(syslog_authpriv)s
-sshd_backend = %(default_backend)s
-
-dropbear_log = %(syslog_authpriv)s
-dropbear_backend = %(default_backend)s
-
-apache_error_log = /var/log/apache2/*error.log
-
-apache_access_log = /var/log/apache2/*access.log
-
-# from /etc/audit/auditd.conf
-auditd_log = /var/log/audit/audit.log
-
-exim_main_log = /var/log/exim/mainlog
-
-nginx_error_log = /var/log/nginx/*error.log
-
-nginx_access_log = /var/log/nginx/*access.log
-
-
-lighttpd_error_log = /var/log/lighttpd/error.log
-
-# http://www.hardened-php.net/suhosin/configuration.html#suhosin.log.syslog.facility
-# syslog_user is the default. Lighttpd also hooks errors into its log.
-
-suhosin_log = %(syslog_user)s
-              %(lighttpd_error_log)s
-
-# defaults to ftp or local2 if ftp doesn't exist
-proftpd_log = %(syslog_ftp)s
-proftpd_backend = %(default_backend)s
-
-# http://svnweb.freebsd.org/ports/head/ftp/proftpd/files/patch-src_proftpd.8.in?view=markup
-# defaults to ftp but can be overwritten.
-pureftpd_log = %(syslog_ftp)s
-pureftpd_backend = %(default_backend)s
-
-# ftp, daemon and then local7 are tried at configure time however it is overwriteable at configure time
-#
-wuftpd_log = %(syslog_ftp)s
-wuftpd_backend = %(default_backend)s
-
-# syslog_enable defaults to no. so it defaults to vsftpd_log_file setting of /var/log/vsftpd.log
-# No distro seems to set it to syslog by default
-# If syslog set it defaults to ftp facility if exists at compile time otherwise falls back to daemonlog.
-vsftpd_log = /var/log/vsftpd.log
-
-# Technically syslog_facility in main.cf can overwrite but no-one sane does this.
-postfix_log = %(syslog_mail_warn)s
-postfix_backend = %(default_backend)s
-
-dovecot_log = %(syslog_mail_warn)s
-dovecot_backend = %(default_backend)s
-
-# Seems to be set at compile time only to LOG_LOCAL0 (src/const.h) at Notice level
-solidpop3d_log = %(syslog_local0)s
-
-mysql_log = %(syslog_daemon)s
-mysql_backend = %(default_backend)s
-
-roundcube_errors_log = /var/log/roundcube/errors
-
-# Directory with ignorecommand scripts
-ignorecommands_dir = /etc/fail2ban/filter.d/ignorecommands
diff --git a/fail2ban/paths-fedora.conf b/fail2ban/paths-fedora.conf
deleted file mode 100644
index 3d637e1..0000000
--- a/fail2ban/paths-fedora.conf
+++ /dev/null
@@ -1,42 +0,0 @@
-# Fedora
-
-[INCLUDES]
-
-before = paths-common.conf
-
-after  = paths-overrides.local
-
-
-[DEFAULT]
-
-syslog_mail = /var/log/maillog
-
-syslog_mail_warn = /var/log/maillog
-
-syslog_authpriv = /var/log/secure
-
-apache_error_log = /var/log/httpd/*error_log
-
-apache_access_log = /var/log/httpd/*access_log
-
-# /etc/proftpd/proftpd.conf (ExtendedLog for Anonymous)
-# proftpd_log = /var/log/proftpd/auth.log
-# Tested and it worked out in /var/log/messages so assuming syslog_ftp for now.
-
-exim_main_log = /var/log/exim/main.log
-
-mysql_log = /var/log/mariadb/mariadb.log
-            /var/log/mysqld.log
-
-roundcube_errors_log = /var/log/roundcubemail/errors
-
-# These services will log to the journal via syslog, so use the journal by
-# default.
-syslog_backend = systemd
-sshd_backend = systemd
-dropbear_backend = systemd
-proftpd_backend = systemd
-pureftpd_backend = systemd
-wuftpd_backend = systemd
-postfix_backend = systemd
-dovecot_backend = systemd
diff --git a/firewalld/firewalld.conf b/firewalld/firewalld.conf
deleted file mode 100644
index c387f87..0000000
--- a/firewalld/firewalld.conf
+++ /dev/null
@@ -1,84 +0,0 @@
-# firewalld config file
-
-# default zone
-# The default zone used if an empty zone string is used.
-# Default: public
-DefaultZone=public
-
-# Clean up on exit
-# If set to no or false the firewall configuration will not get cleaned up
-# on exit or stop of firewalld.
-# Default: yes
-CleanupOnExit=yes
-
-# Clean up kernel modules on exit
-# If set to yes or true the firewall related kernel modules will be
-# unloaded on exit or stop of firewalld. This might attempt to unload
-# modules not originally loaded by firewalld.
-# Default: yes
-CleanupModulesOnExit=yes
-
-# Lockdown
-# If set to enabled, firewall changes with the D-Bus interface will be limited
-# to applications that are listed in the lockdown whitelist.
-# The lockdown whitelist file is lockdown-whitelist.xml
-# Default: no
-Lockdown=no
-
-# IPv6_rpfilter
-# Performs a reverse path filter test on a packet for IPv6. If a reply to the
-# packet would be sent via the same interface that the packet arrived on, the 
-# packet will match and be accepted, otherwise dropped.
-# The rp_filter for IPv4 is controlled using sysctl.
-# Note: This feature has a performance impact. See man page FIREWALLD.CONF(5)
-# for details.
-# Default: yes
-IPv6_rpfilter=yes
-
-# IndividualCalls
-# Do not use combined -restore calls, but individual calls. This increases the
-# time that is needed to apply changes and to start the daemon, but is good for
-# debugging.
-# Default: no
-IndividualCalls=no
-
-# LogDenied
-# Add logging rules right before reject and drop rules in the INPUT, FORWARD
-# and OUTPUT chains for the default rules and also final reject and drop rules
-# in zones. Possible values are: all, unicast, broadcast, multicast and off.
-# Default: off
-LogDenied=off
-
-# FirewallBackend
-# Selects the firewall backend implementation.
-# Choices are:
-#	- nftables (default)
-#	- iptables (iptables, ip6tables, ebtables and ipset)
-FirewallBackend=nftables
-
-# FlushAllOnReload
-# Flush all runtime rules on a reload. In previous releases some runtime
-# configuration was retained during a reload, namely; interface to zone
-# assignment, and direct rules. This was confusing to users. To get the old
-# behavior set this to "no".
-# Default: yes
-FlushAllOnReload=yes
-
-# RFC3964_IPv4
-# As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that
-# correspond to IPv4 addresses that should not be routed over the public
-# internet.
-# Defaults to "yes".
-RFC3964_IPv4=yes
-
-# AllowZoneDrifting
-# Older versions of firewalld had undocumented behavior known as "zone
-# drifting". This allowed packets to ingress multiple zones - this is a
-# violation of zone based firewalls. However, some users rely on this behavior
-# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
-# desire such behavior. It's disabled by default for security reasons.
-# Note: If "yes" packets will only drift from source based zones to interface
-# based zones (including the default zone). Packets never drift from interface
-# based zones to other interfaces based zones (including the default zone).
-# Possible values; "yes", "no". Defaults to "yes".
-AllowZoneDrifting=yes
diff --git a/firewalld/lockdown-whitelist.xml b/firewalld/lockdown-whitelist.xml
deleted file mode 100644
index 1f4b4e5..0000000
--- a/firewalld/lockdown-whitelist.xml
+++ /dev/null
@@ -1,7 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<whitelist>
-  <command name="/usr/libexec/platform-python -s /usr/bin/firewall-config"/>
-  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
-  <selinux context="system_u:system_r:virtd_t:s0-s0:c0.c1023"/>
-  <user id="0"/>
-</whitelist>
diff --git a/logrotate.d/fail2ban b/logrotate.d/fail2ban.rpmsave
similarity index 100%
rename from logrotate.d/fail2ban
rename to logrotate.d/fail2ban.rpmsave
diff --git a/logrotate.d/firewalld b/logrotate.d/firewalld
deleted file mode 100644
index e038fd5..0000000
--- a/logrotate.d/firewalld
+++ /dev/null
@@ -1,7 +0,0 @@
-/var/log/firewalld {
-    weekly
-    missingok
-    rotate 4
-    copytruncate
-    minsize 1M
-}
diff --git a/modprobe.d/firewalld-sysctls.conf b/modprobe.d/firewalld-sysctls.conf
deleted file mode 100644
index db9a743..0000000
--- a/modprobe.d/firewalld-sysctls.conf
+++ /dev/null
@@ -1 +0,0 @@
-install nf_conntrack /sbin/modprobe --ignore-install nf_conntrack $CMDLINE_OPTS && /sbin/sysctl --quiet --pattern 'net[.]netfilter[.]nf_conntrack.*' --system
diff --git a/nftables/main.nft b/nftables/main.nft
deleted file mode 100644
index 6460d10..0000000
--- a/nftables/main.nft
+++ /dev/null
@@ -1,64 +0,0 @@
-# Sample configuration for nftables service.
-# Load this by calling 'nft -f /etc/nftables/main.nft'.
-
-# Note about base chain priorities:
-# The priority values used in these sample configs are
-# offset by 20 in order to avoid ambiguity when firewalld
-# is also running which uses an offset of 10. This means
-# that packets will traverse firewalld first and if not
-# dropped/rejected there will hit the chains defined here.
-# Chains created by iptables, ebtables and arptables tools
-# do not use an offset, so those chains are traversed first
-# in any case.
-
-# drop any existing nftables ruleset
-flush ruleset
-
-# a common table for both IPv4 and IPv6
-table inet nftables_svc {
-
-	# protocols to allow
-	set allowed_protocols {
-		type inet_proto
-		elements = { icmp, icmpv6 }
-	}
-
-	# interfaces to accept any traffic on
-	set allowed_interfaces {
-		type ifname
-		elements = { "lo" }
-	}
-
-	# services to allow
-	set allowed_tcp_dports {
-		type inet_service
-		elements = { ssh, 9090 }
-	}
-
-	# this chain gathers all accept conditions
-	chain allow {
-		ct state established,related accept
-
-		meta l4proto @allowed_protocols accept
-		iifname @allowed_interfaces accept
-		tcp dport @allowed_tcp_dports accept
-	}
-
-	# base-chain for traffic to this host
-	chain INPUT {
-		type filter hook input priority filter + 20
-		policy accept
-
-		jump allow
-		reject with icmpx type port-unreachable
-	}
-}
-
-# By default, any forwarding traffic is allowed.
-# Uncomment the following line to filter it based
-# on the same criteria as input traffic.
-#include "/etc/nftables/router.nft"
-
-# Uncomment the following line to enable masquerading of
-# forwarded traffic. May be used with or without router.nft.
-#include "/etc/nftables/nat.nft"
diff --git a/nftables/nat.nft b/nftables/nat.nft
deleted file mode 100644
index 7079893..0000000
--- a/nftables/nat.nft
+++ /dev/null
@@ -1,30 +0,0 @@
-# Sample configuration snippet for nftables service.
-# Meant to be included by main.nft, not for direct use.
-
-# dedicated table for IPv4
-table ip nftables_svc {
-
-	# interfaces to masquerade traffic from
-	set masq_interfaces {
-		type ifname
-		elements = { "virbr0" }
-	}
-
-	# networks to masquerade traffic from
-	# 'interval' flag is required to support subnets
-	set masq_ips {
-		type ipv4_addr
-		flags interval
-		elements = { 192.168.122.0/24 }
-	}
-
-	# base-chain to manipulate conntrack in postrouting,
-	# will see packets for new or related traffic only
-	chain POSTROUTING {
-		type nat hook postrouting priority srcnat + 20
-		policy accept
-
-		iifname @masq_interfaces oifname != @masq_interfaces masquerade
-		ip saddr @masq_ips masquerade
-	}
-}
diff --git a/nftables/osf/pf.os b/nftables/osf/pf.os
deleted file mode 100644
index 35cbb47..0000000
--- a/nftables/osf/pf.os
+++ /dev/null
@@ -1,703 +0,0 @@
-# $FreeBSD: head/etc/pf.os 258865 2013-12-03 04:32:02Z eadler $
-# $OpenBSD: pf.os,v 1.27 2016/09/03 17:08:57 sthen Exp $
-# passive OS fingerprinting
-# -------------------------
-#
-# SYN signatures. Those signatures work for SYN packets only (duh!).
-#
-# (C) Copyright 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx>
-# (C) Copyright 2003 by Mike Frantzen <frantzen@w4g.org>
-#
-#  Permission to use, copy, modify, and distribute this software for any
-#  purpose with or without fee is hereby granted, provided that the above
-#  copyright notice and this permission notice appear in all copies.
-#
-#  THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-#  WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-#  MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-#  ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-#  WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-#  ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-#  OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-#
-#
-# This fingerprint database is adapted from Michal Zalewski's p0f passive
-# operating system package.  The last database sync was from a Nov 3 2003
-# p0f.fp.
-#
-#
-# Each line in this file specifies a single fingerprint. Please read the
-# information below carefully before attempting to append any signatures
-# reported as UNKNOWN to this file to avoid mistakes.
-#
-# We use the following set metrics for fingerprinting:
-#
-# - Window size (WSS) - a highly OS dependent setting used for TCP/IP
-#   performance control (max. amount of data to be sent without ACK).
-#   Some systems use a fixed value for initial packets. On other
-#   systems, it is a multiple of MSS or MTU (MSS+40). In some rare
-#   cases, the value is just arbitrary.
-#
-#   NEW SIGNATURE: if p0f reported a special value of 'Snn', the number
-#   appears to be a multiple of MSS (MSS*nn); a special value of 'Tnn'
-#   means it is a multiple of MTU ((MSS+40)*nn). Unless you notice the
-#   value of nn is not fixed (unlikely), just copy the Snn or Tnn token
-#   literally. If you know this device has a simple stack and a fixed
-#   MTU, you can however multiply S value by MSS, or T value by MSS+40,
-#   and put it instead of Snn or Tnn.
-#
-#   If WSS otherwise looks like a fixed value (for example a multiple
-#   of two), or if you can confirm the value is fixed, please quote
-#   it literally. If there's no apparent pattern in WSS chosen, you
-#   should consider wildcarding this value.
-#
-# - Overall packet size - a function of all IP and TCP options and bugs.
-#
-#   NEW SIGNATURE: Copy this value literally.
-#
-# - Initial TTL - We check the actual TTL of a received packet. It can't
-#   be higher than the initial TTL, and also shouldn't be dramatically
-#   lower (maximum distance is defined as 40 hops).
-#
-#   NEW SIGNATURE: *Never* copy TTL from a p0f-reported signature literally.
-#   You need to determine the initial TTL. The best way to do it is to
-#   check the documentation for a remote system, or check its settings.
-#   A fairly good method is to simply round the observed TTL up to
-#   32, 64, 128, or 255, but it should be noted that some obscure devices
-#   might not use round TTLs (in particular, some shoddy appliances use
-#   "original" initial TTL settings). If not sure, you can see how many
-#   hops you're away from the remote party with traceroute or mtr.
-#
-# - Don't fragment flag (DF) - some modern OSes set this to implement PMTU
-#   discovery. Others do not bother.
-#
-#   NEW SIGNATURE: Copy this value literally.
-#
-# - Maximum segment size (MSS) - this setting is usually link-dependent. P0f
-#   uses it to determine link type of the remote host.
-#
-#   NEW SIGNATURE: Always wildcard this value, except for rare cases when
-#   you have an appliance with a fixed value, know the system supports only
-#   a very limited number of network interface types, or know the system
-#   is using a value it pulled out of nowhere.  Specific unique MSS
-#   can be used to tell Google crawlbots from the rest of the population.
-#
-# - Window scaling (WSCALE) - this feature is used to scale WSS.
-#   It extends the size of a TCP/IP window to 32 bits. Some modern
-#   systems implement this feature.
-#
-#   NEW SIGNATURE: Observe several signatures. Initial WSCALE is often set
-#   to zero or other low value. There's usually no need to wildcard this
-#   parameter.
-#
-# - Timestamp - some systems that implement timestamps set them to
-#   zero in the initial SYN. This case is detected and handled appropriately.
-#
-# - Selective ACK permitted - a flag set by systems that implement
-#   selective ACK functionality.
-#
-# - The sequence of TCP all options (MSS, window scaling, selective ACK
-#   permitted, timestamp, NOP). Other than the options previously
-#   discussed, p0f also checks for timestamp option (a silly
-#   extension to broadcast your uptime ;-), NOP options (used for
-#   header padding) and sackOK option (selective ACK feature).
-#
-#   NEW SIGNATURE: Copy the sequence literally.
-#
-# To wildcard any value (except for initial TTL or TCP options), replace
-# it with '*'. You can also use a modulo operator to match any values
-# that divide by nnn - '%nnn'.
-#
-# Fingerprint entry format:
-#
-# wwww:ttt:D:ss:OOO...:OS:Version:Subtype:Details
-#
-# wwww     - window size (can be *, %nnn, Snn or Tnn).  The special values
-#            "S" and "T" which are a multiple of MSS or a multiple of MTU
-#            respectively.
-# ttt      - initial TTL
-# D        - don't fragment bit (0 - not set, 1 - set)
-# ss       - overall SYN packet size
-# OOO      - option value and order specification (see below)
-# OS       - OS genre (Linux, Solaris, Windows)
-# Version  - OS Version (2.0.27 on x86, etc)
-# Subtype  - OS subtype or patchlevel (SP3, lo0)
-# details  - Generic OS details
-#
-# If OS genre starts with '*', p0f will not show distance, link type
-# and timestamp data. It is useful for userland TCP/IP stacks of
-# network scanners and so on, where many settings are randomized or
-# bogus.
-#
-# If OS genre starts with @, it denotes an approximate hit for a group
-# of operating systems (signature reporting still enabled in this case).
-# Use this feature at the end of this file to catch cases for which
-# you don't have a precise match, but can tell it's Windows or FreeBSD
-# or whatnot by looking at, say, flag layout alone.
-#
-# Option block description is a list of comma or space separated
-# options in the order they appear in the packet:
-#
-# N	   - NOP option
-# Wnnn	   - window scaling option, value nnn (or * or %nnn)
-# Mnnn	   - maximum segment size option, value nnn (or * or %nnn)
-# S	   - selective ACK OK
-# T	   - timestamp
-# T0	   - timestamp with a zero value
-#
-# To denote no TCP options, use a single '.'.
-#
-# Please report any additions to this file, or any inaccuracies or
-# problems spotted, to the maintainers: lcamtuf@coredump.cx,
-# frantzen@openbsd.org and bugs@openbsd.org with a tcpdump packet
-# capture of the relevant SYN packet(s)
-#
-# A test and submission page is available at
-# http://lcamtuf.coredump.cx/p0f-help/
-#
-#
-# WARNING WARNING WARNING
-# -----------------------
-#
-# Do not add a system X as OS Y just because NMAP says so. It is often
-# the case that X is a NAT firewall. While nmap is talking to the
-# device itself, p0f is fingerprinting the guy behind the firewall
-# instead.
-#
-# When in doubt, use common sense, don't add something that looks like
-# a completely different system as Linux or FreeBSD or LinkSys router.
-# Check DNS name, establish a connection to the remote host and look
-# at SYN+ACK - does it look similar?
-#
-# Some users tweak their TCP/IP settings - enable or disable RFC1323
-# functionality, enable or disable timestamps or selective ACK,
-# disable PMTU discovery, change MTU and so on. Always compare a new rule
-# to other fingerprints for this system, and verify the system isn't
-# "customized" before adding it. It is OK to add signature variants
-# caused by a commonly used software (personal firewalls, security
-# packages, etc), but it makes no sense to try to add every single
-# possible /proc/sys/net/ipv4 tweak on Linux or so.
-#
-# KEEP IN MIND: Some packet firewalls configured to normalize outgoing
-# traffic (OpenBSD pf with "scrub" enabled, for example) will, well,
-# normalize packets. Signatures will not correspond to the originating
-# system (and probably not quite to the firewall either).
-#
-# NOTE: Try to keep this file in some reasonable order, from most to
-# least likely systems. This will speed up operation. Also keep most
-# generic and broad rules near the end.
-#
-
-##########################
-# Standard OS signatures #
-##########################
-
-# ----------------- AIX ---------------------
-
-# AIX is first because its signatures are close to NetBSD, MacOS X and
-# Linux 2.0, but it uses a fairly rare MSSes, at least sometimes...
-# This is a shoddy hack, though.
-
-45046:64:0:44:M*:		AIX:4.3::AIX 4.3
-16384:64:0:44:M512:		AIX:4.3:2-3:AIX 4.3.2 and earlier
-
-16384:64:0:60:M512,N,W%2,N,N,T:		AIX:4.3-5.2:3:AIX 4.3.3-5.2
-32768:64:0:60:M512,N,W%2,N,N,T:		AIX:4.3-5.2:3:AIX 4.3.3-5.2
-65535:64:0:60:M512,N,W%2,N,N,T:		AIX:4.3-5-2:3:AIX 4.3.3-5.2
-65535:64:0:64:M*,N,W1,N,N,T,N,N,S:	AIX:5.3:ML1:AIX 5.3 ML1
-
-# ----------------- Linux -------------------
-
-# S1:64:0:44:M*:A:		Linux:1.2::Linux 1.2.x (XXX quirks support)
-512:64:0:44:M*:			Linux:2.0:3x:Linux 2.0.3x
-16384:64:0:44:M*:		Linux:2.0:3x:Linux 2.0.3x
-
-# Endian snafu! Nelson says "ha-ha":
-2:64:0:44:M*:			Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
-64:64:0:44:M*:			Linux:2.0:3x:Linux 2.0.3x (MkLinux) on Mac
-
-
-S4:64:1:60:M1360,S,T,N,W0:	Linux:google::Linux (Google crawlbot)
-
-S2:64:1:60:M*,S,T,N,W0:		Linux:2.4::Linux 2.4 (big boy)
-S3:64:1:60:M*,S,T,N,W0:		Linux:2.4:.18-21:Linux 2.4.18 and newer
-S4:64:1:60:M*,S,T,N,W0:		Linux:2.4/2.6::Linux 2.4/2.6 <= 2.6.7
-
-S4:64:1:60:M*,S,T,N,W5:		Linux:2.6::Linux 2.6 (newer, 1)
-S4:64:1:60:M*,S,T,N,W6:		Linux:2.6::Linux 2.6 (newer, 2)
-S4:64:1:60:M*,S,T,N,W7:		Linux:2.6::Linux 2.6 (newer, 3)
-T4:64:1:60:M*,S,T,N,W7:		Linux:2.6::Linux 2.6 (newer, 4)
-
-S10:64:1:60:M*,S,T,N,W4:	Linux:3.0::Linux 3.0
-S10:64:1:60:M*,S,T,N,W6:	Linux:3.1::Linux 3.1
-S10:64:1:60:M*,S,T,N,W7:	Linux:3.4-3.10::Linux 3.4 - 3.10
-S20:64:1:60:M*,S,T,N,W7:	Linux:3.11-4.19::Linux 3.11 - 4.19
-S44:64:1:60:M*,S,T,N,W7:	Linux:4.20::Linux 4.20
-
-S3:64:1:60:M*,S,T,N,W1:		Linux:2.5::Linux 2.5 (sometimes 2.4)
-S4:64:1:60:M*,S,T,N,W1:		Linux:2.5-2.6::Linux 2.5/2.6
-S3:64:1:60:M*,S,T,N,W2:		Linux:2.5::Linux 2.5 (sometimes 2.4)
-S4:64:1:60:M*,S,T,N,W2:		Linux:2.5::Linux 2.5 (sometimes 2.4)
-
-S20:64:1:60:M*,S,T,N,W0:	Linux:2.2:20-25:Linux 2.2.20 and newer
-S22:64:1:60:M*,S,T,N,W0:	Linux:2.2::Linux 2.2
-S11:64:1:60:M*,S,T,N,W0:	Linux:2.2::Linux 2.2
-
-# Popular cluster config scripts disable timestamps and
-# selective ACK:
-S4:64:1:48:M1460,N,W0:		Linux:2.4:cluster:Linux 2.4 in cluster
-
-# This needs to be investigated. On some systems, WSS
-# is selected as a multiple of MTU instead of MSS. I got
-# many submissions for this for many late versions of 2.4:
-T4:64:1:60:M1412,S,T,N,W0:	Linux:2.4::Linux 2.4 (late, uncommon)
-
-# This happens only over loopback, but let's make folks happy:
-32767:64:1:60:M16396,S,T,N,W0:	Linux:2.4:lo0:Linux 2.4 (local)
-S8:64:1:60:M3884,S,T,N,W0:	Linux:2.2:lo0:Linux 2.2 (local)
-
-# Opera visitors:
-16384:64:1:60:M*,S,T,N,W0:	Linux:2.2:Opera:Linux 2.2 (Opera?)
-32767:64:1:60:M*,S,T,N,W0:	Linux:2.4:Opera:Linux 2.4 (Opera?)
-
-# Some fairly common mods:
-S4:64:1:52:M*,N,N,S,N,W0:	Linux:2.4:ts:Linux 2.4 w/o timestamps
-S22:64:1:52:M*,N,N,S,N,W0:	Linux:2.2:ts:Linux 2.2 w/o timestamps
-
-
-# ----------------- FreeBSD -----------------
-
-16384:64:1:44:M*:		FreeBSD:2.0-4.2::FreeBSD 2.0-4.2
-16384:64:1:60:M*,N,W0,N,N,T:	FreeBSD:4.4::FreeBSD 4.4
-
-1024:64:1:60:M*,N,W0,N,N,T:	FreeBSD:4.4::FreeBSD 4.4
-
-57344:64:1:44:M*:		FreeBSD:4.6-4.8:noRFC1323:FreeBSD 4.6-4.8 (no RFC1323)
-57344:64:1:60:M*,N,W0,N,N,T:	FreeBSD:4.6-4.9::FreeBSD 4.6-4.9
-
-32768:64:1:60:M*,N,W0,N,N,T:	FreeBSD:4.8-5.1::FreeBSD 4.8-5.1 (or MacOS X)
-65535:64:1:60:M*,N,W0,N,N,T:	FreeBSD:4.8-5.2::FreeBSD 4.8-5.2 (or MacOS X)
-65535:64:1:60:M*,N,W1,N,N,T:	FreeBSD:4.7-5.2::FreeBSD 4.7-5.2
-
-65535:64:1:60:M*,N,W6,S,T:	FreeBSD:9.0-12.0::FreeBSD 9.0 - 12.0
-
-# XXX need quirks support
-# 65535:64:1:60:M*,N,W0,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (1)
-# 65535:64:1:60:M*,N,W1,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (2)
-# 65535:64:1:60:M*,N,W2,N,N,T:Z:FreeBSD:5.1-5.4::5.1-current (3)
-# 65535:64:1:44:M*:Z:FreeBSD:5.2::FreeBSD 5.2 (no RFC1323)
-
-# 16384:64:1:60:M*,N,N,N,N,N,N,T:FreeBSD:4.4:noTS:FreeBSD 4.4 (w/o timestamps)
-
-# ----------------- NetBSD ------------------
-
-16384:64:0:60:M*,N,W0,N,N,T:	NetBSD:1.3::NetBSD 1.3
-65535:64:0:60:M*,N,W0,N,N,T0:	NetBSD:1.6:opera:NetBSD 1.6 (Opera)
-16384:64:0:60:M*,N,W0,N,N,T0:	NetBSD:1.6::NetBSD 1.6
-16384:64:1:60:M*,N,W0,N,N,T0:	NetBSD:1.6:df:NetBSD 1.6 (DF)
-65535:64:1:60:M*,N,W1,N,N,T0:	NetBSD:1.6::NetBSD 1.6W-current (DF)
-65535:64:1:60:M*,N,W0,N,N,T0:	NetBSD:1.6::NetBSD 1.6X (DF)
-32768:64:1:60:M*,N,W0,N,N,T0:	NetBSD:1.6:randomization:NetBSD 1.6ZH-current (w/ ip_id randomization)
-
-# ----------------- OpenBSD -----------------
-
-16384:64:0:60:M*,N,W0,N,N,T:		OpenBSD:2.6::NetBSD 1.3 (or OpenBSD 2.6)
-16384:64:1:64:M*,N,N,S,N,W0,N,N,T:	OpenBSD:3.0-4.8::OpenBSD 3.0-4.8
-16384:64:0:64:M*,N,N,S,N,W0,N,N,T:	OpenBSD:3.0-4.8:no-df:OpenBSD 3.0-4.8 (scrub no-df)
-57344:64:1:64:M*,N,N,S,N,W0,N,N,T:	OpenBSD:3.3-4.0::OpenBSD 3.3-4.0
-57344:64:0:64:M*,N,N,S,N,W0,N,N,T:	OpenBSD:3.3-4.0:no-df:OpenBSD 3.3-4.0 (scrub no-df)
-
-65535:64:1:64:M*,N,N,S,N,W0,N,N,T:	OpenBSD:3.0-4.0:opera:OpenBSD 3.0-4.0 (Opera)
-
-16384:64:1:64:M*,N,N,S,N,W3,N,N,T:	OpenBSD:4.9::OpenBSD 4.9
-16384:64:0:64:M*,N,N,S,N,W3,N,N,T:	OpenBSD:4.9:no-df:OpenBSD 4.9 (scrub no-df)
-
-16384:64:1:64:M*,N,N,S,N,W6,N,N,T:      OpenBSD:6.1::OpenBSD 6.1
-16384:64:0:64:M*,N,N,S,N,W6,N,N,T:      OpenBSD:6.1:no-df:OpenBSD 6.1 (scrub no-df)
-
-# ----------------- DragonFly BSD -----------------
-
-57344:64:1:60:M*,N,W0,N,N,T:		DragonFly:1.0:A:DragonFly 1.0A
-57344:64:0:64:M*,N,W0,N,N,S,N,N,T:	DragonFly:1.2-1.12::DragonFly 1.2-1.12
-5840:64:1:60:M*,S,T,N,W4:			DragonFly:2.0-2.1::DragonFly 2.0-2.1
-57344:64:0:64:M*,N,W0,N,N,S,N,N,T:	DragonFly:2.2-2.3::DragonFly 2.2-2.3
-57344:64:0:64:M*,N,W5,N,N,S,N,N,T:	DragonFly:2.4-2.7::DragonFly 2.4-2.7
-
-# ----------------- Solaris -----------------
-
-S17:64:1:64:N,W3,N,N,T0,N,N,S,M*:	Solaris:8:RFC1323:Solaris 8 RFC1323
-S17:64:1:48:N,N,S,M*:			Solaris:8::Solaris 8
-S17:255:1:44:M*:			Solaris:2.5-2.7::Solaris 2.5 to 7
-
-S6:255:1:44:M*:				Solaris:2.6-2.7::Solaris 2.6 to 7
-S23:255:1:44:M*:			Solaris:2.5:1:Solaris 2.5.1
-S34:64:1:48:M*,N,N,S:			Solaris:2.9::Solaris 9
-S44:255:1:44:M*:			Solaris:2.7::Solaris 7
-
-4096:64:0:44:M1460:			SunOS:4.1::SunOS 4.1.x
-
-S34:64:1:52:M*,N,W0,N,N,S:		Solaris:10:beta:Solaris 10 (beta)
-32850:64:1:64:M*,N,N,T,N,W1,N,N,S:	Solaris:10::Solaris 10 1203
-
-# ----------------- IRIX --------------------
-
-49152:64:0:44:M*:			IRIX:6.4::IRIX 6.4
-61440:64:0:44:M*:			IRIX:6.2-6.5::IRIX 6.2-6.5
-49152:64:0:52:M*,N,W2,N,N,S:		IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)
-49152:64:0:52:M*,N,W3,N,N,S:		IRIX:6.5:RFC1323:IRIX 6.5 (RFC1323)
-
-61440:64:0:48:M*,N,N,S:			IRIX:6.5:12-21:IRIX 6.5.12 - 6.5.21
-49152:64:0:48:M*,N,N,S:			IRIX:6.5:15-21:IRIX 6.5.15 - 6.5.21
-
-49152:60:0:64:M*,N,W2,N,N,T,N,N,S:	IRIX:6.5:IP27:IRIX 6.5 IP27
-
-
-# ----------------- Tru64 -------------------
-
-32768:64:1:48:M*,N,W0:			Tru64:4.0::Tru64 4.0 (or OS/2 Warp 4)
-32768:64:0:48:M*,N,W0:			Tru64:5.0::Tru64 5.0
-8192:64:0:44:M1460:			Tru64:5.1:noRFC1323:Tru64 6.1 (no RFC1323) (or QNX 6)
-61440:64:0:48:M*,N,W0:			Tru64:5.1a:JP4:Tru64 v5.1a JP4 (or OpenVMS 7.x on Compaq 5.x stack)
-
-# ----------------- OpenVMS -----------------
-
-6144:64:1:60:M*,N,W0,N,N,T:		OpenVMS:7.2::OpenVMS 7.2 (Multinet 4.4 stack)
-
-# ----------------- MacOS -------------------
-
-# XXX Need EOL tcp opt support
-# S2:255:1:48:M*,W0,E:.:MacOS:8.6 classic
-
-# XXX some of these use EOL too
-16616:255:1:48:M*,W0:			MacOS:7.3-8.6:OTTCP:MacOS 7.3-8.6 (OTTCP)
-16616:255:1:48:M*,N,N,N:		MacOS:8.1-8.6:OTTCP:MacOS 8.1-8.6 (OTTCP)
-32768:255:1:48:M*,W0,N:			MacOS:9.0-9.2::MacOS 9.0-9.2
-65535:255:1:48:M*,N,N,N,N:		MacOS:9.1::MacOS 9.1 (OT 2.7.4)
-
-
-# ----------------- Windows -----------------
-
-# Windows TCP/IP stack is a mess. For most recent XP, 2000 and
-# even 98, the patchlevel, not the actual OS version, is more
-# relevant to the signature. They share the same code, so it would
-# seem. Luckily for us, almost all Windows 9x boxes have an
-# awkward MSS of 536, which I use to tell one from another
-# in most difficult cases.
-
-8192:32:1:44:M*:			Windows:3.11::Windows 3.11 (Tucows)
-S44:64:1:64:M*,N,W0,N,N,T0,N,N,S:	Windows:95::Windows 95
-8192:128:1:64:M*,N,W0,N,N,T0,N,N,S:	Windows:95:b:Windows 95b
-
-# There were so many tweaking tools and so many stack versions for
-# Windows 98 it is no longer possible to tell them from each other
-# without some very serious research. Until then, there's an insane
-# number of signatures, for your amusement:
-
-S44:32:1:48:M*,N,N,S:			Windows:98:lowTTL:Windows 98 (low TTL)
-8192:32:1:48:M*,N,N,S:			Windows:98:lowTTL:Windows 98 (low TTL)
-%8192:64:1:48:M536,N,N,S:		Windows:98::Windows 98
-%8192:128:1:48:M536,N,N,S:		Windows:98::Windows 98
-S4:64:1:48:M*,N,N,S:			Windows:98::Windows 98
-S6:64:1:48:M*,N,N,S:			Windows:98::Windows 98
-S12:64:1:48:M*,N,N,S:			Windows:98::Windows 98
-T30:64:1:64:M1460,N,W0,N,N,T0,N,N,S:	Windows:98::Windows 98
-32767:64:1:48:M*,N,N,S:			Windows:98::Windows 98
-37300:64:1:48:M*,N,N,S:			Windows:98::Windows 98
-46080:64:1:52:M*,N,W3,N,N,S:		Windows:98:RFC1323:Windows 98 (RFC1323)
-65535:64:1:44:M*:			Windows:98:noSack:Windows 98 (no sack)
-S16:128:1:48:M*,N,N,S:			Windows:98::Windows 98
-S16:128:1:64:M*,N,W0,N,N,T0,N,N,S:	Windows:98::Windows 98
-S26:128:1:48:M*,N,N,S:			Windows:98::Windows 98
-T30:128:1:48:M*,N,N,S:			Windows:98::Windows 98
-32767:128:1:52:M*,N,W0,N,N,S:		Windows:98::Windows 98
-60352:128:1:48:M*,N,N,S:		Windows:98::Windows 98
-60352:128:1:64:M*,N,W2,N,N,T0,N,N,S:	Windows:98::Windows 98
-
-# What's with 1414 on NT?
-T31:128:1:44:M1414:			Windows:NT:4.0:Windows NT 4.0 SP6a
-64512:128:1:44:M1414:			Windows:NT:4.0:Windows NT 4.0 SP6a
-8192:128:1:44:M*:			Windows:NT:4.0:Windows NT 4.0 (older)
-
-# Windows XP and 2000. Most of the signatures that were
-# either dubious or non-specific (no service pack data)
-# were deleted and replaced with generics at the end.
-
-65535:128:1:48:M*,N,N,S:		Windows:2000:SP4:Windows 2000 SP4, XP SP1
-65535:128:1:48:M*,N,N,S:		Windows:XP:SP1:Windows 2000 SP4, XP SP1
-%8192:128:1:48:M*,N,N,S:		Windows:2000:SP2+:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222)
-%8192:128:1:48:M*,N,N,S:		Windows:XP:SP1:Windows 2000 SP2, XP SP1 (seldom 98 4.10.2222)
-S20:128:1:48:M*,N,N,S:			Windows:2000::Windows 2000/XP SP3
-S20:128:1:48:M*,N,N,S:			Windows:XP:SP3:Windows 2000/XP SP3
-S45:128:1:48:M*,N,N,S:			Windows:2000:SP4:Windows 2000 SP4, XP SP 1
-S45:128:1:48:M*,N,N,S:			Windows:XP:SP1:Windows 2000 SP4, XP SP 1
-40320:128:1:48:M*,N,N,S:		Windows:2000:SP4:Windows 2000 SP4
-
-S6:128:1:48:M*,N,N,S:			Windows:2000:SP2:Windows XP, 2000 SP2+
-S6:128:1:48:M*,N,N,S:			Windows:XP::Windows XP, 2000 SP2+
-S12:128:1:48:M*,N,N,S:			Windows:XP:SP1:Windows XP SP1
-S44:128:1:48:M*,N,N,S:			Windows:2000:SP3:Windows Pro SP1, 2000 SP3
-S44:128:1:48:M*,N,N,S:			Windows:XP:SP1:Windows Pro SP1, 2000 SP3
-64512:128:1:48:M*,N,N,S:		Windows:2000:SP3:Windows SP1, 2000 SP3
-64512:128:1:48:M*,N,N,S:		Windows:XP:SP1:Windows SP1, 2000 SP3
-32767:128:1:48:M*,N,N,S:		Windows:2000:SP4:Windows SP1, 2000 SP4
-32767:128:1:48:M*,N,N,S:		Windows:XP:SP1:Windows SP1, 2000 SP4
-
-8192:128:1:52:M*,N,W2,N,N,S:		Windows:Vista::Windows Vista/7
-
-# Odds, ends, mods:
-
-S52:128:1:48:M1260,N,N,S:		Windows:2000:cisco:Windows XP/2000 via Cisco
-S52:128:1:48:M1260,N,N,S:		Windows:XP:cisco:Windows XP/2000 via Cisco
-65520:128:1:48:M*,N,N,S:		Windows:XP::Windows XP bare-bone
-16384:128:1:52:M536,N,W0,N,N,S:		Windows:2000:ZoneAlarm:Windows 2000 w/ZoneAlarm?
-2048:255:0:40:.:			Windows:.NET::Windows .NET Enterprise Server
-
-44620:64:0:48:M*,N,N,S:			Windows:ME::Windows ME no SP (?)
-S6:255:1:48:M536,N,N,S:			Windows:95:winsock2:Windows 95 winsock 2
-32768:32:1:52:M1460,N,W0,N,N,S:		Windows:2003:AS:Windows 2003 AS
-
-
-# No need to be more specific, it passes:
-# *:128:1:48:M*,N,N,S:U:-Windows:XP/2000 while downloading (leak!) XXX quirk
-# there is an equiv similar generic sig w/o the quirk
-
-# ----------------- HP/UX -------------------
-
-32768:64:1:44:M*:			HP-UX:B.10.20::HP-UX B.10.20
-32768:64:0:48:M*,W0,N:			HP-UX:11.0::HP-UX 11.0
-32768:64:1:48:M*,W0,N:			HP-UX:11.10::HP-UX 11.0 or 11.11
-32768:64:1:48:M*,W0,N:			HP-UX:11.11::HP-UX 11.0 or 11.11
-
-# Whoa. Hardcore WSS.
-0:64:0:48:M*,W0,N:			HP-UX:B.11.00:A:HP-UX B.11.00 A (RFC1323)
-
-# ----------------- RiscOS ------------------
-
-# We don't yet support the ?12 TCP option
-#16384:64:1:68:M1460,N,W0,N,N,T,N,N,?12:	RISCOS:3.70-4.36::RISC OS 3.70-4.36
-12288:32:0:44:M536:				RISC OS:3.70:4.10:RISC OS 3.70 inet 4.10
-
-# XXX quirk
-# 4096:64:1:56:M1460,N,N,T:T:			RISC OS:3.70:freenet:RISC OS 3.70 freenet 2.00
-
-
-
-# ----------------- BSD/OS ------------------
-
-# Once again, power of two WSS is also shared by MacOS X with DF set
-8192:64:1:60:M1460,N,W0,N,N,T:		BSD/OS:3.1::BSD/OS 3.1-4.3 (or MacOS X 10.2 w/DF)
-8192:64:1:60:M1460,N,W0,N,N,T:		BSD/OS:4.0-4.3::BSD/OS 3.1-4.3 (or MacOS X 10.2)
-
-
-# ---------------- NewtonOS -----------------
-
-4096:64:0:44:M1420:		NewtonOS:2.1::NewtonOS 2.1
-
-# ---------------- NeXTSTEP -----------------
-
-S4:64:0:44:M1024:		NeXTSTEP:3.3::NeXTSTEP 3.3
-S8:64:0:44:M512:		NeXTSTEP:3.3::NeXTSTEP 3.3
-
-# ------------------ BeOS -------------------
-
-1024:255:0:48:M*,N,W0:		BeOS:5.0-5.1::BeOS 5.0-5.1
-12288:255:0:44:M1402:		BeOS:5.0::BeOS 5.0.x
-
-# ------------------ OS/400 -----------------
-
-8192:64:1:60:M1440,N,W0,N,N,T:	OS/400:VR4-VR5::OS/400 VR4/R5
-4096:64:1:60:M1440,N,W0,N,N,T:	OS/400:V4R5:CF67032:OS/400 V4R5 + CF67032
-
-# XXX quirk
-# 28672:64:0:44:M1460:A:OS/390:?
-
-# ------------------ ULTRIX -----------------
-
-16384:64:0:40:.:		ULTRIX:4.5::ULTRIX 4.5
-
-# ------------------- QNX -------------------
-
-S16:64:0:44:M512:		QNX:::QNX demodisk
-
-# ------------------ Novell -----------------
-
-16384:128:1:44:M1460:		Novell:NW:5.0:Novel Netware 5.0
-6144:128:1:44:M1460:		Novell:IW:4.11:Novell IntranetWare 4.11
-6144:128:1:44:M1368:		Novell:BM::Novell BorderManager ?
-
-6144:128:1:52:M*,W0,N,S,N,N:	Novell:Netware:6:Novell Netware 6 SP3
-
-
-# ----------------- SCO ------------------
-S3:64:1:60:M1460,N,W0,N,N,T:	SCO:UnixWare:7.1:SCO UnixWare 7.1
-S17:64:1:60:M1380,N,W0,N,N,T:	SCO:UnixWare:7.1:SCO UnixWare 7.1.3 MP3
-S23:64:1:44:M1380:		SCO:OpenServer:5.0:SCO OpenServer 5.0
-
-# ------------------- DOS -------------------
-
-2048:255:0:44:M536:		DOS:WATTCP:1.05:DOS Arachne via WATTCP/1.05
-T2:255:0:44:M984:		DOS:WATTCP:1.05Arachne:Arachne via WATTCP/1.05 (eepro)
-
-# ------------------ OS/2 -------------------
-
-S56:64:0:44:M512:		OS/2:4::OS/2 4
-28672:64:0:44:M1460:		OS/2:4::OS/2 Warp 4.0
-
-# ----------------- TOPS-20 -----------------
-
-# Another hardcore MSS, one of the ACK leakers hunted down.
-# XXX QUIRK 0:64:0:44:M1460:A:TOPS-20:version 7
-0:64:0:44:M1460:		TOPS-20:7::TOPS-20 version 7
-
-# ----------------- FreeMiNT ----------------
-
-S44:255:0:44:M536:		FreeMiNT:1:16A:FreeMiNT 1 patch 16A (Atari)
-
-# ------------------ AMIGA ------------------
-
-# XXX TCP option 12
-# S32:64:1:56:M*,N,N,S,N,N,?12:.:AMIGA:3.9 BB2 with Miami stack
-
-# ------------------ Plan9 ------------------
-
-65535:255:0:48:M1460,W0,N:	Plan9:4::Plan9 edition 4
-
-# ----------------- AMIGAOS -----------------
-
-16384:64:1:48:M1560,N,N,S:	AMIGAOS:3.9::AMIGAOS 3.9 BB2 MiamiDX
-
-###########################################
-# Appliance / embedded / other signatures #
-###########################################
-
-# ---------- Firewalls / routers ------------
-
-S12:64:1:44:M1460:			@Checkpoint:::Checkpoint (unknown 1)
-S12:64:1:48:N,N,S,M1460:		@Checkpoint:::Checkpoint (unknown 2)
-4096:32:0:44:M1460:			ExtremeWare:4.x::ExtremeWare 4.x
-
-# XXX TCP option 12
-# S32:64:0:68:M512,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO w/Checkpoint NG FP3
-# S16:64:0:68:M1024,N,W0,N,N,T,N,N,?12:.:Nokia:IPSO 3.7 build 026
-
-S4:64:1:60:W0,N,S,T,M1460:		FortiNet:FortiGate:50:FortiNet FortiGate 50
-
-8192:64:1:44:M1460:			Eagle:::Eagle Secure Gateway
-
-S52:128:1:48:M1260,N,N,N,N:		LinkSys:WRV54G::LinkSys WRV54G VPN router
-
-
-
-# ------- Switches and other stuff ----------
-
-4128:255:0:44:M*:			Cisco:::Cisco Catalyst 3500, 7500 etc
-S8:255:0:44:M*:				Cisco:12008::Cisco 12008
-60352:128:1:64:M1460,N,W2,N,N,T,N,N,S:	Alteon:ACEswitch::Alteon ACEswitch
-64512:128:1:44:M1370:			Nortel:Contivity Client::Nortel Conectivity Client
-
-
-# ---------- Caches and whatnots ------------
-
-S4:64:1:52:M1460,N,N,S,N,W0:		AOL:web cache::AOL web cache
-
-32850:64:1:64:N,W1,N,N,T,N,N,S,M*:	NetApp:5.x::NetApp Data OnTap 5.x
-16384:64:1:64:M1460,N,N,S,N,W0,N:	NetApp:5.3:1:NetApp 5.3.1
-65535:64:0:64:M1460,N,N,S,N,W*,N,N,T:	NetApp:5.3-5.5::NetApp 5.3-5.5
-65535:64:0:60:M1460,N,W0,N,N,T:		NetApp:CacheFlow::NetApp CacheFlow
-8192:64:1:64:M1460,N,N,S,N,W0,N,N,T:	NetApp:5.2:1:NetApp NetCache 5.2.1
-20480:64:1:64:M1460,N,N,S,N,W0,N,N,T:	NetApp:4.1::NetApp NetCache4.1
-
-65535:64:0:60:M1460,N,W0,N,N,T:		CacheFlow:4.1::CacheFlow CacheOS 4.1
-8192:64:0:60:M1380,N,N,N,N,N,N,T:	CacheFlow:1.1::CacheFlow CacheOS 1.1
-
-S4:64:0:48:M1460,N,N,S:			Cisco:Content Engine::Cisco Content Engine
-
-27085:128:0:40:.:			Dell:PowerApp cache::Dell PowerApp (Linux-based)
-
-65535:255:1:48:N,W1,M1460:		Inktomi:crawler::Inktomi crawler
-S1:255:1:60:M1460,S,T,N,W0:		LookSmart:ZyBorg::LookSmart ZyBorg
-
-16384:255:0:40:.:			Proxyblocker:::Proxyblocker (what's this?)
-
-65535:255:0:48:M*,N,N,S:		Redline:::Redline T|X 2200
-
-32696:128:0:40:M1460:			Spirent:Avalanche::Spirent Web Avalanche HTTP benchmarking engine
-
-# ----------- Embedded systems --------------
-
-S9:255:0:44:M536:			PalmOS:Tungsten:C:PalmOS Tungsten C
-S5:255:0:44:M536:			PalmOS:3-4::PalmOS 3/4
-S4:255:0:44:M536:			PalmOS:3:5:PalmOS 3.5
-2948:255:0:44:M536:			PalmOS:3:5:PalmOS 3.5.3 (Handera)
-S29:255:0:44:M536:			PalmOS:5::PalmOS 5.0
-16384:255:0:44:M1398:			PalmOS:5.2:Clie:PalmOS 5.2 (Clie)
-S14:255:0:44:M1350:			PalmOS:5.2:Treo:PalmOS 5.2.1 (Treo)
-
-S23:64:1:64:N,W1,N,N,T,N,N,S,M1460:	SymbianOS:7::SymbianOS 7
-
-8192:255:0:44:M1460:			SymbianOS:6048::Symbian OS 6048 (Nokia 7650?)
-8192:255:0:44:M536:			SymbianOS:9210::Symbian OS (Nokia 9210?)
-S22:64:1:56:M1460,T,S:			SymbianOS:P800::Symbian OS ? (SE P800?)
-S36:64:1:56:M1360,T,S:			SymbianOS:6600::Symbian OS 60xx (Nokia 6600?)
-
-
-# Perhaps S4?
-5840:64:1:60:M1452,S,T,N,W1:		Zaurus:3.10::Zaurus 3.10
-
-32768:128:1:64:M1460,N,W0,N,N,T0,N,N,S:	PocketPC:2002::PocketPC 2002
-
-S1:255:0:44:M346:			Contiki:1.1:rc0:Contiki 1.1-rc0
-
-4096:128:0:44:M1460:			Sega:Dreamcast:3.0:Sega Dreamcast Dreamkey 3.0
-T5:64:0:44:M536:			Sega:Dreamcast:HKT-3020:Sega Dreamcast HKT-3020 (browser disc 51027)
-S22:64:1:44:M1460:			Sony:PS2::Sony Playstation 2 (SOCOM?)
-
-S12:64:0:44:M1452:			AXIS:5600:v5.64:AXIS Printer Server 5600 v5.64
-
-3100:32:1:44:M1460:			Windows:CE:2.0:Windows CE 2.0
-
-####################
-# Fancy signatures #
-####################
-
-1024:64:0:40:.:				*NMAP:syn scan:1:NMAP syn scan (1)
-2048:64:0:40:.:				*NMAP:syn scan:2:NMAP syn scan (2)
-3072:64:0:40:.:				*NMAP:syn scan:3:NMAP syn scan (3)
-4096:64:0:40:.:				*NMAP:syn scan:4:NMAP syn scan (4)
-
-# Requires quirks support
-# 1024:64:0:40:.:A:*NMAP:TCP sweep probe (1)
-# 2048:64:0:40:.:A:*NMAP:TCP sweep probe (2)
-# 3072:64:0:40:.:A:*NMAP:TCP sweep probe (3)
-# 4096:64:0:40:.:A:*NMAP:TCP sweep probe (4)
-
-1024:64:0:60:W10,N,M265,T:		*NMAP:OS:1:NMAP OS detection probe (1)
-2048:64:0:60:W10,N,M265,T:		*NMAP:OS:2:NMAP OS detection probe (2)
-3072:64:0:60:W10,N,M265,T:		*NMAP:OS:3:NMAP OS detection probe (3)
-4096:64:0:60:W10,N,M265,T:		*NMAP:OS:4:NMAP OS detection probe (4)
-
-32767:64:0:40:.:			*NAST:::NASTsyn scan
-
-# Requires quirks support
-# 12345:255:0:40:.:A:-p0f:sendsyn utility
-
-
-#####################################
-# Generic signatures - just in case #
-#####################################
-
-#*:64:1:60:M*,N,W*,N,N,T:		@FreeBSD:4.0-4.9::FreeBSD 4.x/5.x
-#*:64:1:60:M*,N,W*,N,N,T:		@FreeBSD:5.0-5.1::FreeBSD 4.x/5.x
-
-*:128:1:52:M*,N,W0,N,N,S:		@Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
-*:128:1:52:M*,N,W0,N,N,S:		@Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
-*:128:1:52:M*,N,W*,N,N,S:		@Windows:XP:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
-*:128:1:52:M*,N,W*,N,N,S:		@Windows:2000:RFC1323:Windows XP/2000 (RFC1323 no tstamp)
-*:128:1:64:M*,N,W0,N,N,T0,N,N,S:	@Windows:XP:RFC1323:Windows XP/2000 (RFC1323)
-*:128:1:64:M*,N,W0,N,N,T0,N,N,S:	@Windows:2000:RFC1323:Windows XP/2000 (RFC1323)
-*:128:1:64:M*,N,W*,N,N,T0,N,N,S:	@Windows:XP:RFC1323:Windows XP (RFC1323, w+)
-*:128:1:48:M536,N,N,S:			@Windows:98::Windows 98
-*:128:1:48:M*,N,N,S:			@Windows:XP::Windows XP/2000
-*:128:1:48:M*,N,N,S:			@Windows:2000::Windows XP/2000
-
-
diff --git a/nftables/router.nft b/nftables/router.nft
deleted file mode 100644
index 6300a55..0000000
--- a/nftables/router.nft
+++ /dev/null
@@ -1,16 +0,0 @@
-# Sample configuration snippet for nftables service.
-# Meant to be included by main.nft, not for direct use.
-
-# a common table for both IPv4 and IPv6
-table inet nftables_svc {
-
-	# base-chain for traffic forwarded by this host
-	# re-uses 'allow' chain from main.nft
-	chain FORWARD {
-		type filter hook forward priority filter + 20
-		policy accept
-
-		jump allow
-		reject with icmpx type host-unreachable
-	}
-}
diff --git a/sysconfig/ebtables-config b/sysconfig/ebtables-config
deleted file mode 100644
index 69d9289..0000000
--- a/sysconfig/ebtables-config
+++ /dev/null
@@ -1,11 +0,0 @@
-# Save current firewall rules on stop.
-#   Value: yes|no,  default: no
-# Saves all firewall rules if firewall gets stopped
-# (e.g. on system shutdown).
-EBTABLES_SAVE_ON_STOP="no"
-
-# Save (and restore) rule counters.
-#   Value: yes|no,  default: no
-# Save rule counters when saving a kernel table to a file. If the
-# rule counters were saved, they will be restored when restoring the table.
-EBTABLES_SAVE_COUNTER="no"
diff --git a/sysconfig/firewalld b/sysconfig/firewalld
deleted file mode 100644
index 08196b9..0000000
--- a/sysconfig/firewalld
+++ /dev/null
@@ -1,3 +0,0 @@
-# firewalld command line args
-# possible values: --debug
-FIREWALLD_ARGS=
diff --git a/sysconfig/nftables.conf b/sysconfig/nftables.conf
deleted file mode 100644
index c3d9649..0000000
--- a/sysconfig/nftables.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# Uncomment the include statement here to load the default config sample
-# in /etc/nftables for nftables service.
-
-#include "/etc/nftables/main.nft"
-
-# To customize, either edit the samples in /etc/nftables, append further
-# commands to the end of this file or overwrite it after first service
-# start by calling: 'nft list ruleset >/etc/sysconfig/nftables.conf'.
diff --git a/systemd/system/multi-user.target.wants/fail2ban.service b/systemd/system/multi-user.target.wants/fail2ban.service
deleted file mode 120000
index c1d3169..0000000
--- a/systemd/system/multi-user.target.wants/fail2ban.service
+++ /dev/null
@@ -1 +0,0 @@
-/usr/lib/systemd/system/fail2ban.service
\ No newline at end of file