Fail2ban
From DWIKI
Links
- Homepage Wiki
- Basic fail2ban commands
- sshguard, an alternative
- Archlinux wiki fail2ban
- Welcome to Fail2Ban’s developers documentation!
- https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-20-04
Custom rules
assp.conf
[Definition]
failregex = \[Worker_.*\] <HOST> \[SMTP Error\] 535 5.7.8 Error: authentication failed:
            \[Worker_.*\] \[SSL-in\] \[TLS-out\] <HOST> \[SMTP Error\] 535
            \[Worker_.*\] \[MessageLimit\] <HOST>
            \[Worker_.*\] <HOST> .* \[SMTP Error\] 554 5.7.1
HOWTO
Test a filter against a log file
fail2ban-regex /usr/share/assp/logs/maillog.txt /etc/fail2ban/filter.d/assp.conf
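To see what fail2ban-regex is doing with the assp.conf filter above, here is an added Python example (not part of this wiki page and not fail2ban's own code) that expands the <HOST> placeholder the way older fail2ban releases do, tries the four failregex lines in order against constructed ASSP-style log lines, and tallies matches per host the way a jail's maxretry does. The log lines, the documentation IP addresses and the simplified <HOST> expansion are assumptions; real fail2ban also strips the timestamp before matching and uses a richer host/IP pattern.

```python
import re
from collections import Counter

# Classic fail2ban expansion of the <HOST> placeholder (an approximation of
# the tag used by older releases; newer versions use a more elaborate set
# of IP/CIDR/DNS alternatives).
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The four failregex lines from the assp.conf filter on this page.
ASSP_FAILREGEX = [
    r"\[Worker_.*\] <HOST> \[SMTP Error\] 535 5.7.8 Error: authentication failed:",
    r"\[Worker_.*\] \[SSL-in\] \[TLS-out\] <HOST> \[SMTP Error\] 535",
    r"\[Worker_.*\] \[MessageLimit\] <HOST>",
    r"\[Worker_.*\] <HOST> .* \[SMTP Error\] 554 5.7.1",
]

# Constructed sample log lines in the ASSP style (documentation IPs, not real traffic).
SAMPLE_LOG = """\
Jan-02-24 10:15:01 [Worker_1] 203.0.113.10 [SMTP Error] 535 5.7.8 Error: authentication failed: bad credentials
Jan-02-24 10:15:05 [Worker_2] [SSL-in] [TLS-out] 198.51.100.7 [SMTP Error] 535 authentication failure
Jan-02-24 10:16:00 [Worker_1] [MessageLimit] 203.0.113.10 message limit reached
Jan-02-24 10:16:30 [Worker_3] 192.0.2.55 <spammer@example.com> to: <user@example.net> [SMTP Error] 554 5.7.1 Service unavailable; client blocked
Jan-02-24 10:17:00 [Worker_2] 203.0.113.99 message accepted for delivery
"""


def compile_failregex(patterns):
    """Expand <HOST> into a named group and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_lines(log_text, patterns=ASSP_FAILREGEX):
    """Return (pattern_index, host) for every line matched by a failregex.

    As in fail2ban, the patterns are tried in order and the first hit wins.
    The timestamp is left in the line here; fail2ban strips it first.
    """
    compiled = compile_failregex(patterns)
    hits = []
    for line in log_text.splitlines():
        for idx, rx in enumerate(compiled):
            m = rx.search(line)
            if m:
                hits.append((idx, m.group("host")))
                break
    return hits


def failures_per_host(log_text, patterns=ASSP_FAILREGEX):
    """Count matched failures per host: the tally a jail compares with maxretry."""
    return Counter(host for _, host in match_lines(log_text, patterns))


def hosts_to_ban(log_text, maxretry, patterns=ASSP_FAILREGEX):
    """Hosts whose failure count reached maxretry (findtime is ignored here)."""
    counts = failures_per_host(log_text, patterns)
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for idx, host in match_lines(SAMPLE_LOG):
        print(f"failregex #{idx + 1} matched host {host}")
    print("would ban with maxretry=2:", hosts_to_ban(SAMPLE_LOG, 2))
```

Run it directly to see which failregex line catches which sample line; the last, harmless line matches nothing, which is the kind of negative case worth keeping in a test log when tuning a filter.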
fail2ban-client
unban IP
fail2ban-client unban <IP>
Get statistics
fail2ban-client status
Status of one jail
fail2ban-client status sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 14
|  `- File list: /var/log/access.log
`- Actions
   |- Currently banned: 8
   |- Total banned: 8
   `- Banned IP list:
Currently failed: failures already counted against a host that have not yet led to a ban (not banned yet).
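The status tree above is meant for humans; for a monitoring check you usually want the numbers as values. The following is an added Python example (not from this wiki page or from fail2ban itself) that parses the output of `fail2ban-client status <jail>` into a dict and runs two checks on it: whether the banned-IP list agrees with the "Currently banned" counter, and whether the number of banned hosts exceeds a threshold. The status text below is constructed for the example (sshd jail, documentation IPs) and the threshold is an arbitrary choice.

```python
# Constructed copy of `fail2ban-client status sshd` output, same layout as the
# tree on this page but with made-up, internally consistent numbers.
SAMPLE_STATUS = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed: 3
|  |- Total failed: 14
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 2
   |- Total banned: 8
   `- Banned IP list: 203.0.113.5 203.0.113.9
"""


def parse_jail_status(text):
    """Parse the tree printed by `fail2ban-client status <jail>` into a dict.

    Counters become ints, the "... list" entries become lists of strings,
    everything else stays a string.
    """
    status = {}
    for raw in text.splitlines():
        line = raw.strip(" |`-")  # drop the ASCII tree decoration
        if ":" not in line:
            continue  # "Filter" / "Actions" headers carry no value
        key, value = (part.strip() for part in line.split(":", 1))
        if value.isdigit():
            status[key] = int(value)
        elif key.endswith("list"):
            status[key] = value.split()
        else:
            status[key] = value
    return status


def banned_list_consistent(status):
    """True when the banned-IP list length matches the 'Currently banned' counter."""
    return len(status.get("Banned IP list", [])) == status.get("Currently banned", 0)


def ban_threshold_exceeded(status, limit):
    """True when more hosts are banned than `limit`, e.g. to raise an alert."""
    return status.get("Currently banned", 0) > limit


if __name__ == "__main__":
    st = parse_jail_status(SAMPLE_STATUS)
    print(st)
    print("list consistent:", banned_list_consistent(st))
    print("more than 5 banned:", ban_threshold_exceeded(st, 5))
```

In practice the text would come from `subprocess.run(["fail2ban-client", "status", jail], capture_output=True, text=True).stdout`; the parser is the same.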
Structure
Relative to /etc/fail2ban/
jail.local
    Refers to a jail defined in jail.d/myjail.conf:
    [myjail]
    Refers to filter.d/myfilter.conf (the filter name is given without the .conf suffix):
    filter = myfilter
action vs. banaction
jail.d
filter.d
action.d
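As an added illustration of how these pieces fit together (example code, not from this wiki page and not fail2ban's own implementation), the Python below reads a constructed jail.local with configparser and resolves, for each jail, which filter.d and action.d files fail2ban would load. It shows the difference between `banaction` (the name of an action.d script, substituted into the stock `action` line via `%(banaction)s`) and `action` (the full action specification, which replaces that default when set directly). The jail name `myjail`, the filter name `myfilter`, the log paths and the shortened `action` line are assumptions; the real jail.conf default passes more parameters (protocol, chain) and the parsing of `name[param=...]` options here is simplified.

```python
import configparser
from pathlib import PurePosixPath

# Constructed jail.local in the layout described on this page. Jail and filter
# names are hypothetical; the action names are fail2ban's stock ones.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
banaction = iptables-multiport
action = %(banaction)s[port="%(port)s"]
maxretry = 3

[myjail]
enabled = true
filter = myfilter
port = smtp,submission
logpath = /var/log/maillog

[sshd]
enabled = true
banaction = nftables-multiport
port = ssh
logpath = /var/log/auth.log
"""


def _name_only(spec):
    """Strip trailing [param=value, ...] options from a filter/action spec."""
    return spec.split("[", 1)[0].strip()


def resolve_jail(config_text, jail, base="/etc/fail2ban"):
    """Return which filter.d/action.d files a jail refers to, plus its effective action."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(config_text)
    sec = cp[jail]
    # The stock jail.conf sets "filter = %(__name__)s", so an unset filter
    # falls back to the jail name; we mimic that default here.
    filter_name = _name_only(sec.get("filter", jail))
    # %(banaction)s and %(port)s are resolved against this jail's section,
    # so a per-jail banaction override changes the effective action.
    action_spec = sec.get("action")
    base = PurePosixPath(base)
    return {
        "filter_file": str(base / "filter.d" / f"{filter_name}.conf"),
        "banaction": sec.get("banaction"),
        "action": action_spec,
        "action_file": str(base / "action.d" / f"{_name_only(action_spec)}.conf"),
        "maxretry": sec.getint("maxretry"),
    }


if __name__ == "__main__":
    for jail in ("myjail", "sshd"):
        print(jail, resolve_jail(SAMPLE_JAIL_LOCAL, jail))
```

fail2ban also reads a matching `.local` beside every `.conf` it loads (filter.d/myfilter.local, action.d/iptables-multiport.local), which is where site-specific overrides belong so that package upgrades do not clobber them.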
FAQ
Error in FilterPyinotify callback: 'module' object has no attribute '_strptime_time'
Enabling sshd-ddos filter seems to trigger this
WARNING Unable to find a corresponding IP address for client: (-2, 'Name or service not known')
Crap code, maybe look at usedns in jail.conf
I don't see the rules
Maybe it's using ipset; check:
ipset list
unban an IP
fail2ban-client set <jailname> unbanip <bannedip>
sshd rule not working on Ubuntu 20.04
Probably fails silently when pyinotify is missing:
apt install inotify-tools inotify-hookable python3-pyinotify
OR change the backend:
sshd_backend = systemd
(not working??)