Fail2ban: Difference between revisions

From James's Wiki

Previous revision (its troubleshooting notes were dropped from the latest revision, which follows below):

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

sudo nano /etc/fail2ban/jail.local

To change the configuration, edit the jail.local file, not jail.conf!

trying to resolve errors:

2018-03-14 19:45:55,363 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -j f2b-recidive
iptables -w -F f2b-recidive
iptables -w -X f2b-recidive -- stdout: b''
2018-03-14 19:45:55,364 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -j f2b-recidive
iptables -w -F f2b-recidive
iptables -w -X f2b-recidive -- stderr: b'iptables: Too many links.\n'
2018-03-14 19:45:55,365 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -j f2b-recidive
iptables -w -F f2b-recidive
iptables -w -X f2b-recidive -- returned 1
2018-03-14 19:45:55,366 fail2ban.actions        [571]: ERROR  Failed to stop jail 'recidive' action 'iptables-allports': Error stopping action
2018-03-14 19:45:55,367 fail2ban.jail          [571]: INFO    Jail 'recidive' stopped
2018-03-14 19:45:56,450 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stdout: b''
2018-03-14 19:45:56,451 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stderr: b'iptables: Too many links.\n'
2018-03-14 19:45:56,452 fail2ban.action        [571]: ERROR   iptables -w -D INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- returned 1
2018-03-14 19:45:56,453 fail2ban.actions        [571]: ERROR  Failed to stop jail 'sshd' action 'iptables-multiport': Error stopping action
2018-03-14 19:45:56,454 fail2ban.jail          [571]: INFO    Jail 'sshd' stopped
2018-03-14 19:45:57,452 fail2ban.jail          [571]: INFO    Jail 'sshd-ddos' stopped
2018-03-14 19:45:57,457 fail2ban.server        [571]: INFO    Exiting Fail2ban
2018-03-14 19:46:16,950 fail2ban.server        [588]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2018-03-14 19:46:16,972 fail2ban.database      [588]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-03-14 19:46:16,992 fail2ban.jail          [588]: INFO    Creating new jail 'sshd'
2018-03-14 19:46:17,099 fail2ban.jail          [588]: INFO    Jail 'sshd' uses pyinotify {}
2018-03-14 19:46:17,200 fail2ban.jail          [588]: INFO    Initiated 'pyinotify' backend
2018-03-14 19:46:17,203 fail2ban.filter        [588]: INFO    Set jail log file encoding to UTF-8

steps taken:

sudo apt install python-pyinotify

sudo nano /etc/fail2ban/jail.local

changed: backend = auto
to: backend = pyinotify

Latest revision as of 13:01, 24 March 2023

sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

To change the configuration, edit the jail.local file, not jail.conf!

sudo nano /etc/fail2ban/jail.local

Log Files

sudo nano /var/log/fail2ban.log

Configuration

[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
enabled = true
port    = ssh
# initial ban time:
bantime = 1h
# incremental banning:
bantime.increment = true
# default factor (causes increment - 1h -> 1d 2d 4d 8d 16d 32d ...):
bantime.factor = 24
# max banning time = 5 week:
bantime.maxtime = 5w
logpath = %(sshd_log)s
backend = %(sshd_backend)s
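To see what the incremental-ban settings above produce in practice, here is an added example (not fail2ban's own code) that applies fail2ban's documented default bantime.formula to the wiki's values and caps the result at bantime.maxtime. It assumes ban.Count is the number of earlier bans of the same IP found in fail2ban's database, so the very first ban is not incremented; all function and variable names are the example's own.

```python
import re

# Values taken from the wiki's [sshd] jail above (added example, not fail2ban's own code).
BANTIME = "1h"
BANTIME_FACTOR = 24
BANTIME_MAXTIME = "5w"
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_duration(spec):
    """Parse fail2ban-style time specs ('1h', '5w', '1d 12h', bare seconds) into seconds."""
    tokens = re.findall(r"(\d+)\s*([smhdw]?)", spec.lower())
    if not tokens:
        raise ValueError("unparsable duration: %r" % spec)
    return sum(int(n) * _UNITS[u or "s"] for n, u in tokens)


def next_ban_time(ban_count, bantime=BANTIME, factor=BANTIME_FACTOR, maxtime=BANTIME_MAXTIME):
    """Ban length for an IP with ban_count earlier bans recorded in fail2ban's database.

    Applies fail2ban's documented default bantime.formula,
        ban.Time * (1 << (ban.Count if ban.Count < 20 else 20)) * banFactor,
    then caps it at bantime.maxtime. Assumption: the first ban (ban_count == 0)
    is not incremented. bantime.increment/factor/maxtime exist only in fail2ban
    0.11 and later; the log excerpt on this page is from v0.9.6.
    """
    base = parse_duration(bantime)
    if ban_count <= 0:
        return base
    grown = base * (1 << min(ban_count, 20)) * factor
    cap = parse_duration(maxtime) if maxtime else 0
    return min(grown, cap) if cap else grown


def fmt(seconds):
    """Render seconds in the largest fail2ban unit that divides it evenly."""
    for unit in ("w", "d", "h", "m"):
        if seconds % _UNITS[unit] == 0:
            return "%d%s" % (seconds // _UNITS[unit], unit)
    return "%ds" % seconds


def schedule(bans=8):
    """Ban lengths for the 1st..nth ban of one IP under the settings above."""
    return [fmt(next_ban_time(n)) for n in range(bans)]


if __name__ == "__main__":
    print(schedule())  # ['1h', '2d', '4d', '8d', '16d', '32d', '5w', '5w']
```

The 5w cap is what keeps a repeatedly offending address from being locked out for months; the increments are only remembered across restarts because they live in the sqlite database the log above shows fail2ban connecting to.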

unban

fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE

The hard part is finding the right jail:

Use iptables -L -n to find the rule (chain) name, then use fail2ban-client status to get the actual jail names. The rule name and the jail name may not be the same, but it should be clear which one is related to which.
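Here is an added example (not part of the wiki or of fail2ban) of that jail-finding step, run over constructed sample output shaped like iptables -L -n and fail2ban-client status: it finds which f2b-* chain rejects a given IP, maps the chain back to a jail name and emits the unban command. The sample addresses and the naming rule it relies on (default action chains are called f2b-<jail>, as the f2b-sshd and f2b-recidive chains in the log above suggest) are assumptions of the example.

```python
import re

# Constructed sample output (not captured from a real host), shaped like the two commands the wiki names.
IPTABLES_L_N = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 2222

Chain f2b-recidive (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  203.0.113.7          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""
FAIL2BAN_STATUS = """\
Status
|- Number of jail:\t2
`- Jail list:\trecidive, sshd
"""

def banned_ips_by_chain(iptables_output):  # {chain name: [source IPs it REJECTs/DROPs]}
    chains, current = {}, None
    for line in iptables_output.splitlines():
        m = re.match(r"Chain (f2b-\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and re.match(r"(REJECT|DROP)\s", line):
            chains[current].append(line.split()[3])  # 4th column is 'source'
    return chains

def jail_names(status_output):  # jail names as printed by 'fail2ban-client status'
    m = re.search(r"Jail list:\s*(.*)", status_output)
    return [j.strip() for j in m.group(1).split(",") if j.strip()] if m else []

def unban_commands(ip, iptables_output=IPTABLES_L_N, status_output=FAIL2BAN_STATUS):
    """fail2ban-client commands that unban ip: one per jail whose chain currently holds it."""
    jails, cmds = jail_names(status_output), []
    for chain, ips in banned_ips_by_chain(iptables_output).items():
        if ip in ips:
            jail = chain[len("f2b-"):]  # default action chains are named f2b-<jail>
            if jail not in jails:  # custom chain name: fall back to the single jail it contains
                (jail,) = [j for j in jails if j in chain]  # ValueError unless exactly one
            cmds.append("fail2ban-client set %s unbanip %s" % (jail, ip))
    return cmds
```

Unbanning through fail2ban-client rather than deleting the iptables rule by hand keeps fail2ban's database in step with the firewall, which matters once bantime.increment is on.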