Fail2ban: Difference between revisions

From James's Wiki
(9 intermediate revisions by the same user not shown)

Earlier revision (the side of the diff that was removed; the current page text follows under "Latest revision"):

<poem>
trying to resolve errors:
2018-03-14 19:45:55,363 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -j f2b-recidive
iptables -w -F f2b-recidive
iptables -w -X f2b-recidive -- stdout: b''
2018-03-14 19:45:55,364 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -j f2b-recidive
iptables -w -F f2b-recidive
iptables -w -X f2b-recidive -- stderr: b'iptables: Too many links.\n'
2018-03-14 19:45:55,365 fail2ban.action        [571]: ERROR   iptables -w -D INPUT -p tcp -j f2b-recidive
iptables -w -F f2b-recidive
iptables -w -X f2b-recidive -- returned 1
2018-03-14 19:45:55,366 fail2ban.actions        [571]: ERROR  Failed to stop jail 'recidive' action 'iptables-allports': Error stopping action
2018-03-14 19:45:55,367 fail2ban.jail          [571]: INFO    Jail 'recidive' stopped
2018-03-14 19:45:56,450 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stdout: b''
2018-03-14 19:45:56,451 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stderr: b'iptables: Too many links.\n'
2018-03-14 19:45:56,452 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- returned 1
2018-03-14 19:45:56,453 fail2ban.actions        [571]: ERROR  Failed to stop jail 'sshd' action 'iptables-multiport': Error stopping action
2018-03-14 19:45:56,454 fail2ban.jail          [571]: INFO    Jail 'sshd' stopped
2018-03-14 19:45:57,452 fail2ban.jail           [571]: INFO    Jail 'sshd-ddos' stopped
2018-03-14 19:45:57,457 fail2ban.server        [571]: INFO    Exiting Fail2ban
2018-03-14 19:46:16,950 fail2ban.server        [588]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2018-03-14 19:46:16,972 fail2ban.database      [588]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-03-14 19:46:16,992 fail2ban.jail          [588]: INFO    Creating new jail 'sshd'
2018-03-14 19:46:17,099 fail2ban.jail          [588]: INFO    Jail 'sshd' uses pyinotify {}
2018-03-14 19:46:17,200 fail2ban.jail           [588]: INFO    Initiated 'pyinotify' backend
2018-03-14 19:46:17,203 fail2ban.filter        [588]: INFO    Set jail log file encoding to UTF-8
</poem>

Latest revision as of 13:01, 24 March 2023

sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

To change the configuration, edit the jail.local file (not jail.conf).

sudo nano /etc/fail2ban/jail.local

Log Files

sudo nano /var/log/fail2ban.log
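Reading fail2ban.log by hand gets tedious once the action errors start, because fail2ban prints the whole failing iptables command block as one multi-line entry. The parser below is an added example (not from this wiki page or from fail2ban itself): it groups continuation lines with the timestamped line they belong to, then pulls out which jails failed to stop and which f2b chains iptables refused to delete. The sample lines are the ones from the earlier revision's log quoted above; the format assumptions (timestamp, component, [pid], level, message) match fail2ban 0.9/0.10 logs, and the function names are mine.

```python
"""Parse fail2ban.log entries, grouping multi-line action errors.

Added example. SAMPLE_LOG is the fail2ban 0.9.6 excerpt quoted on the page;
the regexes are assumptions about the log layout of that era.
"""
import re
from collections import Counter
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<component>fail2ban\.\S+)\s+\[(?P<pid>\d+)\]: "
    r"(?P<level>[A-Z]+)\s+(?P<msg>.*)$"
)
FAILED_STOP_RE = re.compile(r"Failed to stop jail '(?P<jail>[^']+)' action '(?P<action>[^']+)'")
CHAIN_RE = re.compile(r"-j (?P<chain>f2b-\S+)")

# Raw string so the b'...\n' in the stderr line stays as it appears in the log.
SAMPLE_LOG = r"""
2018-03-14 19:45:55,363 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -j f2b-recidive
iptables -w -F f2b-recidive
iptables -w -X f2b-recidive -- stdout: b''
2018-03-14 19:45:55,364 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -j f2b-recidive
iptables -w -F f2b-recidive
iptables -w -X f2b-recidive -- stderr: b'iptables: Too many links.\n'
2018-03-14 19:45:55,365 fail2ban.action        [571]: ERROR   iptables -w -D INPUT -p tcp -j f2b-recidive
iptables -w -F f2b-recidive
iptables -w -X f2b-recidive -- returned 1
2018-03-14 19:45:55,366 fail2ban.actions        [571]: ERROR  Failed to stop jail 'recidive' action 'iptables-allports': Error stopping action
2018-03-14 19:45:55,367 fail2ban.jail          [571]: INFO    Jail 'recidive' stopped
2018-03-14 19:45:56,450 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stdout: b''
2018-03-14 19:45:56,451 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stderr: b'iptables: Too many links.\n'
2018-03-14 19:45:56,452 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- returned 1
2018-03-14 19:45:56,453 fail2ban.actions        [571]: ERROR  Failed to stop jail 'sshd' action 'iptables-multiport': Error stopping action
2018-03-14 19:45:56,454 fail2ban.jail          [571]: INFO    Jail 'sshd' stopped
2018-03-14 19:45:57,452 fail2ban.jail           [571]: INFO    Jail 'sshd-ddos' stopped
2018-03-14 19:45:57,457 fail2ban.server        [571]: INFO    Exiting Fail2ban
2018-03-14 19:46:16,950 fail2ban.server        [588]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
"""


@dataclass
class Entry:
    ts: str
    component: str
    pid: int
    level: str
    msg: str  # spans several lines for action errors


def parse_log(text):
    """Split the log into entries; lines without a timestamp continue the previous entry."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], m["component"], int(m["pid"]), m["level"], m["msg"]))
        elif entries and line.strip():
            entries[-1].msg += "\n" + line
    return entries


def stop_failures(entries):
    """Return {jail: action} for every 'Failed to stop jail' error."""
    failed = {}
    for e in entries:
        m = FAILED_STOP_RE.search(e.msg) if e.level == "ERROR" else None
        if m:
            failed[m["jail"]] = m["action"]
    return failed


def chains_with_error(entries, needle="Too many links"):
    """Return the f2b chains whose action block reported `needle` on stderr."""
    chains = set()
    for e in entries:
        if e.level == "ERROR" and needle in e.msg:
            m = CHAIN_RE.search(e.msg)
            if m:
                chains.add(m["chain"])
    return chains


def count_by_level(entries):
    return dict(Counter(e.level for e in entries))


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("entries by level:", count_by_level(entries))
    print("jails that failed to stop:", stop_failures(entries))
    print("chains iptables could not delete:", sorted(chains_with_error(entries)))
```

Point it at the real file with `parse_log(open("/var/log/fail2ban.log").read())`. The "Too many links" message comes from iptables when `-X` is asked to delete a chain that is still referenced, so a chain listed by chains_with_error survived the jail stop and is worth checking with `iptables -L -n` before the next restart.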

Configuration

[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
enabled = true
port    = ssh
# initial ban time:
bantime = 1h
# incremental banning:
bantime.increment = true
# default factor (causes increment - 1h -> 1d 2d 4d 8d 16d 32d ...):
bantime.factor = 24
# max banning time = 5 week:
bantime.maxtime = 5w
logpath = %(sshd_log)s
backend = %(sshd_backend)s

Unban

fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE

The hard part is finding the right jail:

Use iptables -L -n to find the rule (chain) name, e.g. f2b-sshd, then use fail2ban-client status to list the actual jail names. The chain name and the jail name are not always identical, but it should be clear which one belongs to which.
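The matching step above can be automated. The script below is an added example (not from this wiki page or from fail2ban): it reads the text of `iptables -L -n` and `fail2ban-client status`, pairs each f2b chain with the jail whose name it carries, reports chains with no jail and jails with no chain, and for a given address builds the exact `fail2ban-client set <jail> unbanip <ip>` command from the page. Both command outputs are constructed samples using documentation addresses; it assumes the fail2ban default of naming chains f2b-<name>, where <name> is the jail name unless the action's name parameter overrides it, and the function names are mine.

```python
"""Map fail2ban iptables chains to jail names and build the unban command.

Added example. IPTABLES_L_N and F2B_STATUS are constructed samples in the
shape of `iptables -L -n` and `fail2ban-client status` output.
"""
import re

IPTABLES_L_N = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-recidive  all  --  0.0.0.0/0            0.0.0.0/0
f2b-sshd   tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 2222
f2b-sshd-ddos  tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 2222

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain f2b-nginx-http-auth (0 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-recidive (1 references)
target     prot opt source               destination
REJECT     all  --  198.51.100.23        0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-sshd (1 references)
target     prot opt source               destination
REJECT     all  --  203.0.113.7          0.0.0.0/0            reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain f2b-sshd-ddos (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
"""

F2B_STATUS = """\
Status
|- Number of jail:\t3
`- Jail list:\trecidive, sshd, sshd-ddos
"""

CHAIN_HDR_RE = re.compile(r"^Chain (?P<chain>f2b-\S+)")
BAN_RULE_RE = re.compile(r"^(?:REJECT|DROP)\s+\S+\s+--\s+(?P<src>\S+)")


def parse_chains(iptables_out):
    """Return {chain: [banned source addresses]} for every f2b-* chain."""
    chains, current = {}, None
    for line in iptables_out.splitlines():
        m = CHAIN_HDR_RE.match(line)
        if m:
            current = m["chain"]
            chains[current] = []
        elif line.startswith("Chain "):
            current = None  # built-in chains such as INPUT: not a ban list
        elif current:
            m = BAN_RULE_RE.match(line)
            if m:
                chains[current].append(m["src"])
    return chains


def parse_jails(status_out):
    """Return the jail names from the 'Jail list:' line of fail2ban-client status."""
    for line in status_out.splitlines():
        if "Jail list:" in line:
            names = line.split("Jail list:", 1)[1]
            return [j.strip() for j in names.split(",") if j.strip()]
    return []


def map_chains_to_jails(chains, jails):
    """Pair f2b-<name> chains with jails; also report the leftovers on both sides."""
    jail_set = set(jails)
    mapping = {c: c[len("f2b-"):] for c in chains if c[len("f2b-"):] in jail_set}
    unmatched_chains = sorted(c for c in chains if c not in mapping)
    jails_without_chain = sorted(jail_set - set(mapping.values()))
    return mapping, unmatched_chains, jails_without_chain


def unban_commands(ip, iptables_out, status_out):
    """Build one fail2ban-client unban command per jail whose chain blocks `ip`."""
    chains = parse_chains(iptables_out)
    mapping, _, _ = map_chains_to_jails(chains, parse_jails(status_out))
    return [f"fail2ban-client set {mapping[chain]} unbanip {ip}"
            for chain, banned in chains.items() if ip in banned and chain in mapping]


if __name__ == "__main__":
    mapping, stale, missing = map_chains_to_jails(parse_chains(IPTABLES_L_N), parse_jails(F2B_STATUS))
    print("chain -> jail:", mapping)
    print("chains with no jail:", stale, "| jails with no chain:", missing)
    print(unban_commands("203.0.113.7", IPTABLES_L_N, F2B_STATUS))
```

For live use, replace the two constants with the output of `subprocess.run(["iptables", "-L", "-n"], ...)` and `subprocess.run(["fail2ban-client", "status"], ...)` run as root. A chain that maps to no jail (f2b-nginx-http-auth in the sample) is typically left over from a jail that was disabled or did not stop cleanly, which is the situation the earlier revision's log shows.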