Fail2ban: Difference between revisions

From James's Wiki
No edit summary
No edit summary
 
(6 intermediate revisions by the same user not shown)
Line 10: Line 10:
  sudo nano /var/log/fail2ban.log
  sudo nano /var/log/fail2ban.log


==trying to resolve errors:==
==Configuration==
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode  = normal
enabled = true
port    = ssh
# initial ban time:
bantime = 1h
# incremental banning:
bantime.increment = true
# default factor (causes increment - 1h -> 1d 2d 4d 8d 16d 32d ...):
bantime.factor = 24
# max banning time = 5 week:
bantime.maxtime = 5w
logpath = %(sshd_log)s
backend = %(sshd_backend)s


<poem>
==unban==
018-03-14 19:45:55,363 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -j f2b-recidive
fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE
iptables -w -F f2b-recidive
iptables -w -X f2b-recidive -- stdout: b''
2018-03-14 19:45:55,364 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -j f2b-recidive
iptables -w -F f2b-recidive
iptables -w -X f2b-recidive -- stderr: b'iptables: Too many links.\n'
2018-03-14 19:45:55,365 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -j f2b-recidive
iptables -w -F f2b-recidive
iptables -w -X f2b-recidive -- returned 1
2018-03-14 19:45:55,366 fail2ban.actions        [571]: ERROR  Failed to stop jail 'recidive' action 'iptables-allports': Error stopping action
2018-03-14 19:45:55,367 fail2ban.jail          [571]: INFO    Jail 'recidive' stopped
2018-03-14 19:45:56,450 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stdout: b''
2018-03-14 19:45:56,451 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- stderr: b'iptables: Too many links.\n'
2018-03-14 19:45:56,452 fail2ban.action        [571]: ERROR  iptables -w -D INPUT -p tcp -m multiport --dports 2222 -j f2b-sshd
iptables -w -F f2b-sshd
iptables -w -X f2b-sshd -- returned 1
2018-03-14 19:45:56,453 fail2ban.actions        [571]: ERROR  Failed to stop jail 'sshd' action 'iptables-multiport': Error stopping action
2018-03-14 19:45:56,454 fail2ban.jail          [571]: INFO    Jail 'sshd' stopped
2018-03-14 19:45:57,452 fail2ban.jail          [571]: INFO    Jail 'sshd-ddos' stopped
2018-03-14 19:45:57,457 fail2ban.server        [571]: INFO    Exiting Fail2ban
2018-03-14 19:46:16,950 fail2ban.server        [588]: INFO    Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2018-03-14 19:46:16,972 fail2ban.database      [588]: INFO    Connected to fail2ban persistent database '/var/lib/fail2ban/fail2ban.sqlite3'
2018-03-14 19:46:16,992 fail2ban.jail          [588]: INFO    Creating new jail 'sshd'
2018-03-14 19:46:17,099 fail2ban.jail          [588]: INFO    Jail 'sshd' uses pyinotify {}
2018-03-14 19:46:17,200 fail2ban.jail          [588]: INFO    Initiated 'pyinotify' backend
2018-03-14 19:46:17,203 fail2ban.filter        [588]: INFO    Set jail log file encoding to UTF-8
</poem>


steps taken:
The hard part is finding the right jail:
sudo apt install python-pyinotify


sudo nano /etc/fail2ban/jail.local
Use iptables -L -n to find the rule name...
 
...then use fail2ban-client status to get the actual jail names. The rule name and jail name may not be the same but it should be clear which one is related to which.
changed: <code>backend = auto</code>
to: <code>backend = pyinotify</code>

Latest revision as of 13:01, 24 March 2023

sudo cp /etc/fail2ban/fail2ban.conf /etc/fail2ban/fail2ban.local
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

to edit config edit the jail.local file!!!

sudo nano /etc/fail2ban/jail.local

Log Files

sudo nano /var/log/fail2ban.log

Configuration

[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
enabled = true
port    = ssh
# initial ban time:
bantime = 1h
# incremental banning:
bantime.increment = true
# default factor (causes increment - 1h -> 1d 2d 4d 8d 16d 32d ...):
bantime.factor = 24
# max banning time = 5 week:
bantime.maxtime = 5w
logpath = %(sshd_log)s
backend = %(sshd_backend)s

unban

fail2ban-client set YOURJAILNAMEHERE unbanip IPADDRESSHERE

The hard part is finding the right jail:

Use iptables -L -n to find the rule name... ...then use fail2ban-client status to get the actual jail names. The rule name and jail name may not be the same but it should be clear which one is related to which.