Fail2ban: Difference between revisions
From DWIKI
Latest revision as of 11:56, 17 April 2025
Links
- Homepage Wiki
- Basic fail2ban commands
- sshguard, an alternative
- Archlinux wiki fail2ban
- Welcome to Fail2Ban’s developers documentation!
- https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-20-04
Custom rules
assp.conf
filter.d/assp.conf, with the four patterns one per line (a filter file needs the [Definition] header, and fail2ban expands <HOST> to the address it will ban):
[Definition]
failregex = \[Worker_.*\] <HOST> \[SMTP Error\] 535 5.7.8 Error: authentication failed:
            \[Worker_.*\] \[SSL-in\] \[TLS-out\] <HOST> \[SMTP Error\] 535
            \[Worker_.*\] \[MessageLimit\] <HOST>
            \[Worker_.*\] <HOST> .* \[SMTP Error\] 554 5.7.1
ignoreregex =
HOWTO
test filter
fail2ban-regex /usr/share/assp/logs/maillog.txt /etc/fail2ban/filter.d/assp.conf
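The check that fail2ban-regex performs, reduced to its matching step so it runs without fail2ban installed, as an added example (not fail2ban's code and not the page author's). It applies the four patterns from filter.d/assp.conf above to constructed log lines and counts hits per pattern and per host the way fail2ban-regex reports them. The IPv4-only <HOST> expansion, the sample log lines and the maxretry value are assumptions.

```python
"""Emulate the matching step of fail2ban-regex for the assp filter above.

Added example for this page; it is not fail2ban's code and not the wiki
author's. The log lines are constructed to look like ASSP worker entries, and
<HOST> is expanded to a simplified IPv4 group (an assumption: fail2ban's real
expansion also accepts IPv6 addresses and hostnames, and it strips the date
prefix with datepattern first).
"""
import re
from collections import defaultdict

# The four failregex patterns from filter.d/assp.conf on this page.
FAILREGEX = [
    r"\[Worker_.*\] <HOST> \[SMTP Error\] 535 5.7.8 Error: authentication failed:",
    r"\[Worker_.*\] \[SSL-in\] \[TLS-out\] <HOST> \[SMTP Error\] 535",
    r"\[Worker_.*\] \[MessageLimit\] <HOST>",
    r"\[Worker_.*\] <HOST> .* \[SMTP Error\] 554 5.7.1",
]

# Simplified stand-in for fail2ban's <HOST> expansion (IPv4 only, assumption).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample log: three auth failures from one host, one message-limit
# hit, one relay attempt, and one clean line that must not match anything.
SAMPLE_LOG = """\
Jan-12-25 10:01:02 [Worker_1] 203.0.113.7 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jan-12-25 10:01:05 [Worker_2] [SSL-in] [TLS-out] 203.0.113.7 [SMTP Error] 535 5.7.8 Error: authentication failed
Jan-12-25 10:01:09 [Worker_1] 203.0.113.7 [SMTP Error] 535 5.7.8 Error: authentication failed: UGFzc3dvcmQ6
Jan-12-25 10:02:00 [Worker_3] [MessageLimit] 198.51.100.20 message limit reached
Jan-12-25 10:02:30 [Worker_1] 192.0.2.55 <bob@example.net> to: alice@example.org [SMTP Error] 554 5.7.1 relay denied
Jan-12-25 10:03:00 [Worker_2] 192.0.2.55 message accepted
"""


def compile_failregex(patterns):
    """Expand <HOST> in each pattern and compile it, preserving file order."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def match_line(line, compiled):
    """Return (pattern_index, host) for the first matching pattern, else None.

    As in fail2ban-regex, patterns are tried in file order and the first hit wins.
    """
    for idx, rx in enumerate(compiled):
        m = rx.search(line)
        if m:
            return idx, m.group("host")
    return None


def scan(lines, patterns=FAILREGEX, maxretry=3):
    """Run the filter over lines.

    Returns (failures, banned, hits): failures per host, the hosts that reached
    maxretry (findtime is ignored here, an assumption), and hits per pattern
    in the order fail2ban-regex would list them.
    """
    compiled = compile_failregex(patterns)
    failures = defaultdict(int)
    hits = [0] * len(compiled)
    for line in lines:
        found = match_line(line, compiled)
        if found is None:
            continue
        idx, host = found
        hits[idx] += 1
        failures[host] += 1
    banned = sorted(h for h, n in failures.items() if n >= maxretry)
    return dict(failures), banned, hits


if __name__ == "__main__":
    failures, banned, hits = scan(SAMPLE_LOG.splitlines())
    total = len(SAMPLE_LOG.splitlines())
    print("Lines: %d, matched: %d, missed: %d" % (total, sum(hits), total - sum(hits)))
    for i, n in enumerate(hits):
        print("  %d hit(s): %s" % (n, FAILREGEX[i]))
    print("Failures per host:", failures)
    print("Would ban (maxretry=3):", banned)
```

The clean "message accepted" line is there on purpose: a filter that also matched it would ban legitimate senders, which is exactly what a run of fail2ban-regex against the real maillog should be checked for before the jail is enabled.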
fail2ban-client
unban IP
fail2ban-client unban <IP>
Check in which jails an IP is banned
fail2ban-client banned <ip>
Get statistics
fail2ban-client status
Status of one jail
fail2ban-client status sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     14
|  `- File list:        /var/log/access.log
`- Actions
   |- Currently banned: 8
   |- Total banned:     8
   `- Banned IP list:
Currently failed
Hosts that have matched the filter but have not yet reached maxretry within findtime, so they are not banned yet.
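A parser for that status tree, as an added example (not fail2ban's code and not the page author's), of the kind a monitoring check would wrap around fail2ban-client. SAMPLE_STATUS is constructed in the shape shown above, with the "Status for the jail:" header line that fail2ban prints before the tree and two banned addresses filled in; those values are assumptions.

```python
"""Parse the tree that `fail2ban-client status <jail>` prints.

Added example for this page; it is not fail2ban's code and not the wiki
author's. SAMPLE_STATUS is constructed in the shape shown above, with the
"Status for the jail:" header that fail2ban prints (the page's excerpt left
it out) and two banned addresses filled in for illustration.
"""
import re

SAMPLE_STATUS = """\
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     14
|  `- File list:        /var/log/access.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     8
   `- Banned IP list:   203.0.113.7 198.51.100.20
"""

# Tree-drawing prefix in front of each label: any run of '|', '`', '-' and blanks.
_PREFIX = re.compile(r"^[|`\s-]*")
# Keys whose value is a whitespace-separated list rather than a scalar.
_LIST_KEYS = {"File list", "Banned IP list"}


def parse_status(text):
    """Return {'jail': name, 'Filter': {...}, 'Actions': {...}}.

    Numeric values become ints, list keys become lists (empty when the
    jail currently has nothing banned), everything else stays a string.
    """
    result = {}
    section = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("Status for the jail:"):
            result["jail"] = raw.split(":", 1)[1].strip()
            continue
        label = _PREFIX.sub("", raw).strip()
        if ":" not in label:
            # A node without a value opens a new section (Filter, Actions).
            section = label
            result[section] = {}
            continue
        if section is None:
            raise ValueError("value line before any section: %r" % raw)
        key, value = (part.strip() for part in label.split(":", 1))
        if key in _LIST_KEYS:
            result[section][key] = value.split()
        elif value.isdigit():
            result[section][key] = int(value)
        else:
            result[section][key] = value
    return result


def is_banned(status, ip):
    """True if ip appears in the jail's current ban list."""
    return ip in status.get("Actions", {}).get("Banned IP list", [])


def summary(status):
    """One line in the form a monitoring check would emit."""
    f, a = status["Filter"], status["Actions"]
    return "%s: %d failing (not yet banned), %d banned now, %d banned total" % (
        status["jail"], f["Currently failed"], a["Currently banned"], a["Total banned"])


if __name__ == "__main__":
    st = parse_status(SAMPLE_STATUS)
    print(summary(st))
    print("203.0.113.7 banned:", is_banned(st, "203.0.113.7"))
```

Against a live system, feed it the real output, for instance parse_status(subprocess.check_output(["fail2ban-client", "status", "sshd"], text=True)); fail2ban-client needs to talk to the socket, so that runs as root.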
Structure
Relative to /etc/fail2ban/
jail.conf and jail.local
jail.conf is the packaged default and is replaced on upgrade; put overrides in jail.local (and jail.d/*.local), which are read after it.
By default a jail uses the filter that has the same name as the jail, so the jail myrules:
[myrules]
uses filter.d/myrules.conf
whereas
[myjail]
filter = myfilter
uses filter.d/myfilter.conf instead.
And a custom action, set in the jail as
action = myaction
calls action.d/myaction.conf
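A jail.local that exercises those rules, as an added example (not the page's own configuration and not shipped by fail2ban). The assp jail reuses the filter and log path from the Custom rules section above; the ssh-custom jail name, the myaction action file, the ports and the timing values are assumptions.

```ini
# /etc/fail2ban/jail.local: local overrides, read after the packaged jail.conf
[DEFAULT]
# banaction is what jail.conf's action_ templates expand to (action = %(action_)s),
# so changing it here switches the firewall backend for every jail
banaction = iptables-multiport
bantime   = 1h
findtime  = 10m
maxretry  = 5

# Jail named "assp" with no "filter =" line: fail2ban loads filter.d/assp.conf
[assp]
enabled = true
port    = smtp,submission,smtps
logpath = /usr/share/assp/logs/maillog.txt

# Jail with an explicit filter: loads filter.d/sshd.conf, not filter.d/ssh-custom.conf.
# "action =" replaces the whole action list, so action.d/myaction.conf (assumed to
# exist) runs instead of the banaction-derived default.
[ssh-custom]
enabled = true
filter  = sshd
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
action  = myaction
```

After editing, fail2ban-client reload applies it, and fail2ban-client status should then list both jails.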
action vs banaction
banaction names the firewall action that jail.conf's default action templates (action_, action_mw, and so on) expand into, so setting it in [DEFAULT] changes the ban mechanism for every jail without touching their action lines. action replaces a jail's whole action list; use it when a jail needs a different set of actions rather than a different firewall backend.
jail.d
filter.d
action.d
FAQ
Error messages
Error in FilterPyinotify callback: 'module' object has no attribute '_strptime_time'
Enabling the sshd-ddos filter seems to trigger this. In fail2ban 0.10 and later there is no separate sshd-ddos filter; the sshd filter covers that case when the jail sets mode = ddos (or mode = aggressive).
WARNING Unable to find a corresponding IP address for client: (-2, 'Name or service not known')
The filter matched a hostname rather than an address and fail2ban could not resolve it. Look at the usedns setting in jail.conf: usedns = no makes fail2ban ignore hostnames in log lines instead of looking them up, which also avoids a reverse lookup that an attacker controls.
Unable to read the filter
The message continues "because of wrong configuration", so the file itself is readable; the problem is its contents. Run fail2ban-regex with the filter file to find the line that does not parse.
I don't see the rules
Banned addresses need not show up as individual iptables rules: with an ipset-based banaction the addresses live in an ipset that a single rule references. Check with
ipset list
fail2ban-client status <jailname> lists the banned addresses regardless of which firewall backend is in use.
unban an IP
fail2ban-client set <jailname> unbanip <bannedip>
sshd rule not working on Ubuntu 20.04
Probably fails silently because pyinotify is missing. fail2ban on 20.04 runs under Python 3, so the Python 2 package python-pyinotify does not help it; install the Python 3 module:
apt install python3-pyinotify
OR change the backend, in jail.local under [DEFAULT]:
sshd_backend = systemd
(not working?? The systemd backend needs the python3-systemd bindings installed, and with it the sshd jail reads the journal rather than logpath.)