Fail2ban: Difference between revisions
From DWIKI
m (→HOWTO) |
|||
| (3 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
=Links= | =Links= | ||
*[http://www.fail2ban.org/wiki/index.php/Main_Page Homepage Wiki] | *[http://www.fail2ban.org/wiki/index.php/Main_Page Homepage Wiki] | ||
*[https://bornoe.org/blog/2023/09/basic-fail2ban-commands/ Basic fail2ban commands] | |||
*[https://www.sshguard.net/ sshguard, an alternative] | *[https://www.sshguard.net/ sshguard, an alternative] | ||
*[https://wiki.archlinux.org/title/fail2ban Archlinux wiki fail2ban] | *[https://wiki.archlinux.org/title/fail2ban Archlinux wiki fail2ban] | ||
| Line 24: | Line 25: | ||
fail2ban-client unban <IP> | fail2ban-client unban <IP> | ||
==Check in which jails IP is banned== | |||
fail2ban-client banned <ip> | |||
==Get statistics== | ==Get statistics== | ||
fail2ban-client status | fail2ban-client status | ||
===Status of one jail === | |||
fail2ban-client status sshd | |||
<pre> | |||
|- Filter | |||
| |- Currently failed: 0 | |||
| |- Total failed: 14 | |||
| `- File list: /var/log/access.log | |||
`- Actions | |||
|- Currently banned: 8 | |||
|- Total banned: 8 | |||
`- Banned IP list: | |||
</pre> | |||
====Currently failed==== | |||
Not banned yet | |||
=Structure= | =Structure= | ||
| Line 36: | Line 56: | ||
Refers to filter.d/myfilter.conf | Refers to filter.d/myfilter.conf | ||
filter = myfilter.conf | filter = myfilter.conf | ||
===action vs banaction === | |||
==jail.d== | ==jail.d== | ||
==filter.d== | ==filter.d== | ||
Latest revision as of 14:41, 26 March 2025
Links
- Homepage Wiki
- Basic fail2ban commands
- sshguard, an alternative
- Archlinux wiki fail2ban
- Welcome to Fail2Ban’s developers documentation!
- https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-20-04
Custom rules
assp.conf
failregex = \[Worker_.*\] <HOST> \[SMTP Error\] 535 5.7.8 Error: authentication failed:
\[Worker_.*\] \[SSL-in\] \[TLS-out\] <HOST> \[SMTP Error\] 535
\[Worker_.*\] \[MessageLimit\] <HOST>
\[Worker_.*\] <HOST> .* \[SMTP Error\] 554 5.7.1
HOWTO
test filter
fail2ban-regex /usr/share/assp/logs/maillog.txt /etc/fail2ban/filter.d/assp.conf
fail2ban-client
unban IP
fail2ban-client unban <IP>
Check in which jails IP is banned
fail2ban-client banned <ip>
Get statistics
fail2ban-client status
Status of one jail
fail2ban-client status sshd
|- Filter | |- Currently failed: 0 | |- Total failed: 14 | `- File list: /var/log/access.log `- Actions |- Currently banned: 8 |- Total banned: 8 `- Banned IP list:
Currently failed
Not banned yet
Structure
Relative to /etc/failban/
jail.local
Refers to jail.d/myjail.conf
[myjail]
Refers to filter.d/myfilter.conf
filter = myfilter.conf
action vs banaction
jail.d
filter.d
action.d
FAQ
Error in FilterPyinotify callback: 'module' object has no attribute '_strptime_time'
Enabling sshd-ddos filter seems to trigger this
WARNING Unable to find a corresponding IP address for client: (-2, 'Name or service not known')
Crap code, maybe look at usedns in fail.conf
I don't see the rules
Maybe its using ipset, check
ipset list
unban an IP
fail2ban-client set <jailname> unbanip <bannedip>
sshd rule not working on Ubuntu 20.04
Probably silently fails on missing pyinotify
apt install inotify-tools inotify-hookable python-pyinotify
OR change backend:
sshd_backend = systemd
(not working??)
