Fail2ban

From DWIKI
Tony (talk | contribs)
Links

* Homepage Wiki: http://www.fail2ban.org/wiki/index.php/Main_Page
* Basic fail2ban commands: https://bornoe.org/blog/2023/09/basic-fail2ban-commands/
* sshguard, an alternative: https://www.sshguard.net/
* Archlinux wiki fail2ban: https://wiki.archlinux.org/title/fail2ban
* Welcome to Fail2Ban's developers documentation!: https://fail2ban.readthedocs.io/en/latest/
* https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-20-04


Latest revision as of 09:54, 11 February 2026

Custom rules

filter.d/assp.conf (every filter file needs the [Definition] header, and the continuation lines of a multi-line failregex must be indented):

[Definition]
failregex = \[Worker_.*\] <HOST> \[SMTP Error\] 535 5.7.8 Error: authentication failed:
            \[Worker_.*\] \[SSL-in\] \[TLS-out\] <HOST> \[SMTP Error\] 535
            \[Worker_.*\] \[MessageLimit\] <HOST>
            \[Worker_.*\] <HOST> .* \[SMTP Error\] 554 5.7.1

Note that \[Worker_.*\] is greedy and will span several bracketed fields before backtracking; if ASSP worker ids are always numeric, \[Worker_\d+\] is tighter and cheaper on a busy maillog.
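As an added example (not part of this page and not fail2ban's own code), the Python below replays constructed ASSP-style log lines through the four failregex lines above and then through a jail's maxretry/findtime/ignoreip logic, so you can see which hosts would end up banned before the jail goes live. Assumptions: the <HOST> expansion and the timestamp layout are simplified stand-ins for what fail2ban and ASSP really use (fail2ban's datepattern handles the real ASSP date format), and the log lines, credentials and addresses are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# The four failregex lines from filter.d/assp.conf above, verbatim.
FAILREGEX = [
    r"\[Worker_.*\] <HOST> \[SMTP Error\] 535 5.7.8 Error: authentication failed:",
    r"\[Worker_.*\] \[SSL-in\] \[TLS-out\] <HOST> \[SMTP Error\] 535",
    r"\[Worker_.*\] \[MessageLimit\] <HOST>",
    r"\[Worker_.*\] <HOST> .* \[SMTP Error\] 554 5.7.1",
]

# Assumption: simplified stand-in for fail2ban's own <HOST> expansion. It takes
# dotted IPv4 or an IPv6 literal with at least two colons, nothing else.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f]{0,4}(?::[0-9A-Fa-f]{0,4}){2,7})"

# Assumption: timestamp layout of the constructed sample lines below.
TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")

# Constructed sample maillog (RFC 5737 test addresses, base64 junk as credentials).
SAMPLE_LOG = """\
2026-02-11 09:50:00 [Worker_1] 203.0.113.5 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
2026-02-11 09:50:05 [Worker_2] [SSL-in] [TLS-out] 203.0.113.5 [SMTP Error] 535 5.7.8 Error: authentication failed: VXNlcm5hbWU6
2026-02-11 09:50:09 [Worker_1] [MessageLimit] 203.0.113.5
2026-02-11 09:51:00 [Worker_3] 198.51.100.7 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
2026-02-11 10:30:00 [Worker_3] 198.51.100.7 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
2026-02-11 10:30:01 [Worker_3] 198.51.100.7 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
2026-02-11 10:30:02 [Worker_1] 192.168.1.10 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
2026-02-11 10:30:03 [Worker_1] 192.168.1.10 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
2026-02-11 10:30:04 [Worker_1] 192.168.1.10 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
2026-02-11 10:30:05 [Worker_2] 203.0.113.9 <bob@example.net> [SMTP Error] 554 5.7.1 Relay access denied
2026-02-11 10:30:06 [Worker_2] 203.0.113.9 [SMTP OK] 250 2.0.0 Ok: queued
""".splitlines()


def compile_failregex(patterns=FAILREGEX):
    """Expand <HOST> into a named group, the way fail2ban does before compiling."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def is_ignored(host, ignoreip):
    """ignoreip semantics: skip the host if it is inside any listed network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False        # not a parseable literal: cannot be whitelisted by net
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def simulate_jail(lines, maxretry=3, findtime=600, ignoreip=()):
    """Replay log lines through the filter and a jail's counters.

    Returns (failures_per_host, banned_hosts). failures_per_host mirrors
    'Total failed' (ignored hosts are not counted, as in fail2ban); a host is
    banned once it has maxretry matches inside a findtime-second window.
    """
    regexes = compile_failregex()
    recent = defaultdict(deque)   # host -> match timestamps still inside findtime
    failures = defaultdict(int)
    banned = []
    for line in lines:
        m = TS_RE.match(line)
        if not m:
            continue              # unparseable line: fail2ban would warn and skip it
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        host = None
        for rx in regexes:        # first matching failregex wins, as in fail2ban
            hit = rx.search(m.group(2))
            if hit:
                host = hit.group("host")
                break
        if host is None or host in banned or is_ignored(host, ignoreip):
            continue
        failures[host] += 1
        window = recent[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()      # drop matches that have aged out of findtime
        if len(window) >= maxretry:
            banned.append(host)
            window.clear()
    return dict(failures), banned


if __name__ == "__main__":
    failures, banned = simulate_jail(SAMPLE_LOG, ignoreip=("127.0.0.1/8", "192.168.0.0/16"))
    print("Total failed per host:", failures)
    print("Would be banned:", banned)
```

With the sample above, 203.0.113.5 is banned on its third match within nine seconds, 198.51.100.7 is not because its first failure falls outside the 600 s window, and 192.168.1.10 never reaches the counters because of ignoreip. Run fail2ban-regex against the real maillog before trusting any of this; the simulation only tells you what the regexes and the counters do, not how ASSP actually formats its lines.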


HOWTO

test filter

fail2ban-regex /usr/share/assp/logs/maillog.txt /etc/fail2ban/filter.d/assp.conf

or

fail2ban-regex --print-all-matched /usr/share/assp/logs/maillog.txt /etc/fail2ban/filter.d/assp.conf

fail2ban-client

List jails

fail2ban-client status

List all banned IPs

fail2ban-client banned

unban IP

fail2ban-client unban <IP>

Check in which jails IP is banned

fail2ban-client banned <ip>

Get statistics

fail2ban-client status


Status of one jail

fail2ban-client status sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     14
|  `- File list:        /var/log/access.log
`- Actions
   |- Currently banned: 8
   |- Total banned:     8
   `- Banned IP list: 

Currently failed

Hosts with at least one matching line inside findtime that have not yet reached maxretry, so not banned yet. Total failed counts every match since the jail was started. On the Actions side, Currently banned is what is in the firewall right now and Total banned counts bans since start, so Total banned running well ahead of Currently banned just means bantime has expired for most of them.
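Monitoring scripts usually scrape this tree. The parser below is an added example (not from the page or from fail2ban) that turns the output of fail2ban-client status <jail> into a dictionary with integer counters and list-valued fields, and derives the per-jail unban commands from it. Assumptions: the sample text is a constructed copy of the tree shown above with two made-up banned addresses, and the "Status for the jail:" line is the one the real command prints before the tree.

```python
import re

# Constructed copy of the tree printed by "fail2ban-client status sshd".
SAMPLE_STATUS = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     14
|  `- File list:        /var/log/access.log
`- Actions
   |- Currently banned: 8
   |- Total banned:     8
   `- Banned IP list:   203.0.113.5 198.51.100.7
"""

SECTION_RE = re.compile(r"^[|`]- (\w+)\s*$")                 # "|- Filter", "`- Actions"
FIELD_RE = re.compile(r"^[|`\s-]*([A-Za-z ]+?):\s*(.*)$")   # "|  |- Total failed: 14"
INT_FIELDS = {"Currently failed", "Total failed", "Currently banned", "Total banned"}
LIST_FIELDS = {"File list", "Banned IP list"}


def parse_jail_status(text):
    """Turn the tree into {"jail": name, "Filter": {...}, "Actions": {...}}."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Status for the jail:"):
            result["jail"] = line.split(":", 1)[1].strip()
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            result[section] = {}
            continue
        field = FIELD_RE.match(line)
        if not (field and section):
            continue              # blank line or something outside a section
        key, value = field.group(1), field.group(2)
        if key in INT_FIELDS:
            value = int(value)
        elif key in LIST_FIELDS:
            value = value.split()   # empty "Banned IP list:" becomes []
        result[section][key] = value
    return result


def unban_commands(status):
    """Jail-scoped unban commands for every address currently banned."""
    jail = status["jail"]
    return ["fail2ban-client set %s unbanip %s" % (jail, ip)
            for ip in status["Actions"]["Banned IP list"]]


if __name__ == "__main__":
    status = parse_jail_status(SAMPLE_STATUS)
    print(status)
    print("\n".join(unban_commands(status)))
```

Counters come back as ints so a check such as "Currently banned above a threshold" is a comparison rather than string juggling; an empty Banned IP list (as in the output above) yields an empty list, not a list containing an empty string.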

Structure

Relative to /etc/fail2ban/

jail.conf and jail.local

By default a jail uses the filter of the same name, so the jail

[myrules]

uses filter.d/myrules.conf. A jail can also name its filter explicitly:

[myjail]
filter = myfilter

refers to filter.d/myfilter.conf. And a custom action defined as

action = myaction

calls action.d/myaction.conf. Put your own settings in jail.local (or a jail.d/ fragment); jail.conf is overwritten on package upgrade.


action vs banaction

banaction is a variable in the [DEFAULT] section (iptables-multiport in the stock jail.conf; nftables or iptables-ipset-proto6 are the usual alternatives) that the action_ templates (action_, action_mw, action_mwl, ...) expand via %(banaction)s. A jail's action defaults to %(action_)s, so changing banaction swaps the firewall backend for every jail at once, while setting action on one jail replaces the whole action line for that jail only.

jail.d

Drop-in fragments, read in the order jail.conf, jail.d/*.conf, jail.local, jail.d/*.local. Debian and Ubuntu ship jail.d/defaults-debian.conf, which is what enables the sshd jail out of the box.

filter.d

One file per filter, each with a [Definition] section holding failregex (and optionally ignoreregex). Test them with fail2ban-regex before enabling a jail.

action.d

One file per action, with the actionstart, actionban, actionunban and actionstop commands the jail runs (iptables, nftables, ipset, sendmail and others).
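To make the naming rules above concrete, here is an added example (not from the page and not fail2ban's own config reader) that applies them with configparser to a constructed jail.local and then checks that every referenced filter.d/ and action.d/ file exists, which is the usual reason a jail fails to start with "Unable to read the filter". Assumptions: %(...)s interpolation, the .conf/.local layering and jail.d are ignored, which the real reader handles; the jail.local text and the throwaway confdir (with assp.conf deliberately missing) are constructed.

```python
import configparser
import os
import tempfile

# Constructed jail.local covering the three cases described above.
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
banaction = iptables-multiport

[myrules]
enabled = true
logpath = /var/log/myrules.log

[myjail]
enabled = true
filter = myfilter
logpath = /var/log/myjail.log

[assp]
enabled = true
action = myaction
logpath = /usr/share/assp/logs/maillog.txt
"""


def resolve_jails(jail_conf_text):
    """Map each enabled jail to the filter.d/ and action.d/ files it will load.

    Interpolation is disabled (assumption), so an action of %(action_)s is
    reported as None, meaning "the banaction-based default template".
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_conf_text)
    resolved = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        # No explicit filter means filter.d/<jail>.conf; "name[key=val]" keeps only name.
        filt = cp.get(jail, "filter", fallback=jail).split("[", 1)[0].strip()
        action = cp.get(jail, "action", fallback=None)
        if action is not None:
            action = action.split("[", 1)[0].strip()
            if action.startswith("%("):
                action = None
        resolved[jail] = {
            "filter": "filter.d/%s.conf" % filt,
            "action": "action.d/%s.conf" % action if action else None,
            "ignoreip": cp.get(jail, "ignoreip", fallback="").split(),  # inherited from [DEFAULT]
        }
    return resolved


def missing_files(resolved, confdir):
    """Referenced filter/action files that do not exist under confdir, per jail."""
    missing = {}
    for jail, parts in resolved.items():
        for key in ("filter", "action"):
            rel = parts[key]
            if rel and not os.path.isfile(os.path.join(confdir, rel)):
                missing.setdefault(jail, []).append(rel)
    return missing


def demo():
    """Build a throwaway confdir (assp.conf left out on purpose) and run the check."""
    confdir = tempfile.mkdtemp()
    for rel in ("filter.d/myrules.conf", "filter.d/myfilter.conf", "action.d/myaction.conf"):
        path = os.path.join(confdir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("[Definition]\n")
    resolved = resolve_jails(JAIL_LOCAL)
    return resolved, missing_files(resolved, confdir)


if __name__ == "__main__":
    resolved, missing = demo()
    for jail, parts in resolved.items():
        print(jail, "->", parts["filter"], parts["action"] or "(banaction default)")
    print("missing:", missing)   # the assp jail is the one that would not start
```

Pointing resolve_jails at the real jail.local and missing_files at /etc/fail2ban gives a cheap pre-flight check to run before fail2ban-client reload; fail2ban-client -t (the built-in config test) remains the authoritative one.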

FAQ

Fail2ban whitelist

ignoreip, normally set once under [DEFAULT] in jail.local as a space-separated list of addresses or CIDR ranges:

ignoreip = 127.0.0.1/8 ::1 192.0.2.0/24

Matching lines from these sources are logged as ignored and never counted towards a ban. To whitelist at runtime without a reload: fail2ban-client set <jail> addignoreip <ip>



Fail2ban loglevels

CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG, TRACEDEBUG, HEAVYDEBUG

Set permanently with loglevel = in fail2ban.local (next to fail2ban.conf), or temporarily with fail2ban-client set loglevel DEBUG; DEBUG and above are very chatty on a busy log.

Lots of already banned

"<ip> already banned" in fail2ban.log means a host that is in the ban list keeps producing matching lines, i.e. the ban is not actually blocking the traffic. Usual causes: the banaction puts its rules in a chain or on a port the traffic never traverses (a reverse proxy in front of the service, or Docker-published ports, which bypass the INPUT chain), or fail2ban was restarted and re-read older log lines. Verify with iptables -L f2b-<jail> -n or nft list ruleset that the rule exists and its counters increase.

Error messages

Error in FilterPyinotify callback: 'module' object has no attribute '_strptime_time'

Enabling sshd-ddos filter seems to trigger this. Since fail2ban 0.10 the ddos patterns live in filter.d/sshd.conf and are selected with mode = ddos (or mode = aggressive for both sets) on the [sshd] jail, so a separate sshd-ddos jail is no longer needed.

WARNING Unable to find a corresponding IP address for client: (-2, 'Name or service not known')

The failregex captured a hostname instead of an address in the <HOST> position and the DNS lookup for it failed. Look at usedns in jail.conf (warn is the default; no skips hostnames altogether, raw disables resolution entirely), or tighten the failregex so <HOST> only ever captures an address.


Unable to read the filter

The full message ends in "because of wrong configuration", so the file under filter.d/ was found but could not be loaded: typically a missing [Definition] section or a failregex that does not compile. Run fail2ban-regex against the file to see the real parse error:

fail2ban-regex /usr/share/assp/logs/maillog.txt /etc/fail2ban/filter.d/assp.conf


Received UnknownJailException

The server has no jail loaded under that name: either the name is misspelled or the jail is not enabled, so the server never created it. Compare against the list from fail2ban-client status; there is nothing to remove, enable the jail or fix the name.

I don't see the rules

The iptables chains stay empty when the banaction keeps the addresses in a set (iptables-ipset-proto6 and friends, or nftables). Check

ipset list

or, with banaction = nftables, nft list ruleset.


unban an IP

The jail-scoped form (fail2ban-client unban <IP> above removes the address from every jail):

fail2ban-client set <jailname> unbanip <bannedip>


sshd rule not working on Ubuntu 20.04

Check /var/log/fail2ban.log for a backend initialisation error first. fail2ban on 20.04 runs under Python 3, so the module its pyinotify backend needs is python3-pyinotify (python-pyinotify is the Python 2 build; inotify-tools and inotify-hookable are command-line tools fail2ban does not use):

apt install python3-pyinotify

OR change backend. sshd_backend is a [DEFAULT]-section variable that the stock [sshd] jail references as backend = %(sshd_backend)s, so it goes under [DEFAULT] in jail.local (or write backend = systemd directly under [sshd]):

sshd_backend = systemd

(not working?? If it does not: with the systemd backend the jail reads the journal through journalmatch and ignores logpath, so sshd must actually be logging to the journal, and the value must sit under [DEFAULT], not inside [sshd], where the option name is backend.)

Enable a jail without restarting fail2ban

Set enabled = true in jail.local (or a jail.d/ fragment) and run

fail2ban-client reload

or, to reload just that jail, fail2ban-client reload <jail>. Existing bans survive a reload (and a restart, via the sqlite database), so this is safe on a live host.