Fail2ban
From DWIKI
Links
- Homepage Wiki
- Basic fail2ban commands
- sshguard, an alternative
- Archlinux wiki fail2ban
- Welcome to Fail2Ban’s developers documentation!
- https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-20-04
Custom rules
assp.conf
Custom filter for ASSP, saved as filter.d/assp.conf. The patterns go in a [Definition] section, and every failregex line after the first must be indented, otherwise fail2ban reads it as a new option and the filter fails to load.
[Definition]
failregex = \[Worker_.*\] <HOST> \[SMTP Error\] 535 5.7.8 Error: authentication failed:
            \[Worker_.*\] \[SSL-in\] \[TLS-out\] <HOST> \[SMTP Error\] 535
            \[Worker_.*\] \[MessageLimit\] <HOST>
            \[Worker_.*\] <HOST> .* \[SMTP Error\] 554 5.7.1
HOWTO
Test a filter against a log file (first argument is the log, second the filter):
fail2ban-regex /usr/share/assp/logs/maillog.txt /etc/fail2ban/filter.d/assp.conf
or, to also print every line each failregex matched:
fail2ban-regex --print-all-matched /usr/share/assp/logs/maillog.txt /etc/fail2ban/filter.d/assp.conf
fail2ban-client
List jails and get overall statistics
fail2ban-client status
List all banned IPs, grouped per jail (0.11 and later)
fail2ban-client banned
Check in which jails an IP is banned
fail2ban-client banned <ip>
Unban an IP in every jail
fail2ban-client unban <ip>
Status of one jail
fail2ban-client status sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     14
|  `- File list:        /var/log/access.log
`- Actions
   |- Currently banned: 8
   |- Total banned:     8
   `- Banned IP list:
Currently failed
Hosts that have matched failregex inside the findtime window but have not reached maxretry yet, so they are not banned yet. Total failed counts every match since the jail started.
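To show what fail2ban-regex is checking in the HOWTO above, and what "Currently failed" versus "Currently banned" mean in the status output, here is an added example (not fail2ban's own code, and not from the original page) that loads the assp.conf patterns, expands <HOST> the way fail2ban does, runs them over a constructed log and replays maxretry/findtime/ignoreip jail semantics. The log lines and their fixed-width timestamp prefix are constructed for this example, not real ASSP output.

```python
import configparser
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban expands <HOST> to this named group before compiling a failregex.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Stand-in for /etc/fail2ban/filter.d/assp.conf: the four patterns from this
# page, continuation lines indented as fail2ban requires.
FILTER_CONF = r"""
[Definition]
failregex = \[Worker_.*\] <HOST> \[SMTP Error\] 535 5.7.8 Error: authentication failed:
            \[Worker_.*\] \[SSL-in\] \[TLS-out\] <HOST> \[SMTP Error\] 535
            \[Worker_.*\] \[MessageLimit\] <HOST>
            \[Worker_.*\] <HOST> .* \[SMTP Error\] 554 5.7.1
"""

# Constructed sample log (not real ASSP output). The timestamp prefix is an
# assumption of this example; fail2ban detects log date formats itself.
# 192.168.1.5 is meant to be whitelisted through ignoreip.
SAMPLE_LOG = """\
2024-03-05 08:00:00 [Worker_4] 203.0.113.20 [SMTP Error] 535 5.7.8 Error: authentication failed: bad password
2024-03-05 09:00:00 [Worker_4] 203.0.113.20 [SMTP Error] 535 5.7.8 Error: authentication failed: bad password
2024-03-05 10:00:00 [Worker_4] 203.0.113.20 [SMTP Error] 535 5.7.8 Error: authentication failed: bad password
2024-03-05 10:00:01 [Worker_1] 203.0.113.7 [SMTP Error] 535 5.7.8 Error: authentication failed: bad password
2024-03-05 10:00:09 [Worker_1] 203.0.113.7 [SMTP Error] 535 5.7.8 Error: authentication failed: bad password
2024-03-05 10:00:12 [Worker_2] 198.51.100.9 [SMTP Error] 535 5.7.8 Error: authentication failed: bad password
2024-03-05 10:00:20 [Worker_1] [SSL-in] [TLS-out] 203.0.113.7 [SMTP Error] 535 5.7.8 Error: authentication failed
2024-03-05 10:00:30 [Worker_2] 198.51.100.9 message delivered to alice@example.org
2024-03-05 10:01:00 [Worker_3] 192.168.1.5 [SMTP Error] 535 5.7.8 Error: authentication failed: bad password
2024-03-05 10:01:05 [Worker_3] 192.168.1.5 [SMTP Error] 535 5.7.8 Error: authentication failed: bad password
2024-03-05 10:01:10 [Worker_3] 192.168.1.5 [SMTP Error] 535 5.7.8 Error: authentication failed: bad password
2024-03-05 10:02:00 [Worker_2] 198.51.100.9 recipient <bob@example.org> [SMTP Error] 554 5.7.1 Relay access denied
2024-03-05 10:03:00 [Worker_2] [MessageLimit] 198.51.100.9
"""
TS_LEN = len("2024-03-05 10:00:00")


def load_failregex(conf_text):
    """Parse a filter.d-style [Definition] section; one compiled regex per line."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    lines = cfg["Definition"]["failregex"].splitlines()
    return [re.compile(l.strip().replace("<HOST>", HOST_RE)) for l in lines if l.strip()]


def match_line(line, regexes):
    """(regex index, host) for the first failregex that matches, else None.
    fail2ban also stops at the first match, so a line is counted once."""
    msg = line[TS_LEN + 1:]
    for i, rx in enumerate(regexes):
        m = rx.search(msg)
        if m:
            return i, m.group("host")
    return None


def filter_stats(log_text, regexes):
    """What fail2ban-regex reports: matches per failregex plus the missed lines."""
    per_regex = [0] * len(regexes)
    missed = []
    for line in log_text.splitlines():
        hit = match_line(line, regexes)
        if hit is None:
            missed.append(line)
        else:
            per_regex[hit[0]] += 1
    return per_regex, missed


def simulate_jail(log_text, regexes, maxretry=3, findtime=600, ignoreip=()):
    """Replay the log with jail semantics: maxretry failures inside findtime
    seconds ban the host, ignoreip hosts are never counted. Returns the banned
    hosts with their ban time ("Currently banned") and the hosts that failed
    without reaching maxretry ("Currently failed")."""
    ignore_nets = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
    window = timedelta(seconds=findtime)
    fails = defaultdict(list)   # host -> failure times still inside findtime
    banned = {}                 # host -> time the ban would fire
    for line in log_text.splitlines():
        hit = match_line(line, regexes)
        if hit is None:
            continue
        host = hit[1]
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None         # hostname: fail2ban would apply usedns here
        if addr is not None and any(addr in net for net in ignore_nets):
            continue
        ts = datetime.strptime(line[:TS_LEN], "%Y-%m-%d %H:%M:%S")
        fails[host] = [t for t in fails[host] if ts - t <= window] + [ts]
        if host not in banned and len(fails[host]) >= maxretry:
            banned[host] = ts
    return banned, sorted(h for h in fails if h not in banned)


if __name__ == "__main__":
    regexes = load_failregex(FILTER_CONF)
    print("matched per failregex / missed:", filter_stats(SAMPLE_LOG, regexes))
    banned, failed = simulate_jail(SAMPLE_LOG, regexes, ignoreip=("127.0.0.1/8", "192.168.1.0/24"))
    print("banned:", {h: t.strftime("%H:%M:%S") for h, t in banned.items()})
    print("currently failed (not banned yet):", failed)
```

203.0.113.20 fails three times but an hour apart, so with findtime = 600 it never has maxretry failures in one window and only ever shows up under "Currently failed"; 192.168.1.5 would be banned without the ignoreip entry. The real fail2ban-regex additionally prints which date pattern it detected, which is the usual reason a filter that looks right still matches nothing.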
Structure
Relative to /etc/fail2ban/
jail.conf and jail.local
jail.conf ships with the package and gets overwritten on upgrades; put overrides in jail.local (or jail.d/*.local), which is read after it.
By default a jail uses the filter with the same name, so the jail
[myrules]
uses filter.d/myrules.conf.
A jail can also name its filter explicitly:
[myjail]
filter = myfilter
which uses filter.d/myfilter.conf.
Actions are looked up the same way: a custom action defined as
action = myaction
calls action.d/myaction.conf; parameters are passed in brackets, e.g. myaction[port="%(port)s"].
action vs banaction
banaction is only the name of an action.d file. The predefined action templates in jail.conf (action_, action_mw, action_mwl, ...) expand it, e.g. %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"], and action (default action = %(action_)s) selects which template a jail runs. So set banaction (iptables-multiport, nftables-multiport, ...) to change the firewall mechanism for every jail, and set action only when a jail needs a different action list.
jail.d: drop-in jail overrides (Debian/Ubuntu enable sshd in jail.d/defaults-debian.conf); order of reading is jail.conf, jail.d/*.conf, jail.local, jail.d/*.local
filter.d: one <name>.conf per filter, with failregex/ignoreregex under [Definition]
action.d: one <name>.conf per action, with actionstart/actionban/actionunban/actionstop under [Definition]
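An added example jail.local (not from the original page or the fail2ban project) that ties the lookups above together: a jail that falls back to the filter of the same name, a jail with an explicit filter and action, the banaction/action split, and the ignoreip whitelist. The ASSP listener ports and the /var/log/myservice.log path are assumptions for the example.

```ini
; /etc/fail2ban/jail.local (example); overrides jail.conf, which should stay untouched
[DEFAULT]
; whitelist: never counted, never banned (space separated IPs, CIDRs or hostnames)
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
bantime  = 1h
findtime = 10m
maxretry = 5
; name of the action.d file that the action_ templates in jail.conf expand
banaction = nftables-multiport
; which template every jail runs unless it sets its own action
action = %(action_)s

; jail named assp: no "filter =", so filter.d/assp.conf is used
[assp]
enabled  = true
logpath  = /usr/share/assp/logs/maillog.txt
; assumption: adjust to the ports ASSP actually listens on
port     = smtp,submission,smtps
maxretry = 3

; jail whose filter and action have different names
[myjail]
enabled = true
; filter.d/myfilter.conf
filter  = myfilter
; assumption for the example
logpath = /var/log/myservice.log
; action.d/myaction.conf, replacing the default action list for this jail only
action  = myaction[port="%(port)s"]

[sshd]
enabled = true
backend = systemd
```

Check the result with fail2ban-client -d, which prints the fully resolved configuration, before restarting the service.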
FAQ
Fail2ban whitelist
ignoreip, set in jail.local under [DEFAULT] for all jails or inside one jail section; space-separated IPs, CIDR ranges or hostnames, e.g. ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
Fail2ban loglevels
CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG, TRACEDEBUG, HEAVYDEBUG
Lots of "already banned" messages in the log
A host keeps matching failregex after its ban was issued. A few are normal (log lines still in flight), but a steady stream usually means the ban action never took effect (wrong chain, port or firewall backend), so verify the firewall rules as under "I don't see the rules".
Error messages
Error in FilterPyinotify callback: 'module' object has no attribute '_strptime_time'
Enabling the sshd-ddos filter seems to trigger this (in 0.10 and later sshd-ddos is only a stub for the sshd filter with mode = ddos).
WARNING Unable to find a corresponding IP address for client: (-2, 'Name or service not known')
The log line contained a hostname that does not resolve. Controlled by usedns in jail.conf/jail.local (yes, warn, no, raw): usedns = no stops fail2ban from resolving names at all, usedns = raw uses whatever <HOST> matched as-is.
Unable to read the filter
The filter file was found but could not be parsed ("because of wrong configuration"): test it with fail2ban-regex, or dump the resolved configuration with fail2ban-client -d (fail2ban-client -t only tests it).
Received UnknownJailException
The jail named in the fail2ban-client command is not loaded: list the loaded jails with fail2ban-client status and check it has enabled = true in jail.local or jail.d.
I don't see the rules
Where they are depends on the banaction: with ipset-based actions check ipset list, with nftables actions check nft list ruleset, with iptables-multiport look at the per-jail chain iptables -L f2b-<jail> -n
unban an IP from one jail (works on every version)
fail2ban-client set <jailname> unbanip <bannedip>
sshd rule not working on Ubuntu 20.04
Ubuntu 20.04 ships fail2ban on Python 3, so the inotify backend needs python3-pyinotify (python-pyinotify no longer exists there, and inotify-tools is not used by fail2ban). With backend = auto fail2ban falls back to polling when the module is missing rather than failing outright, but installing it is cheap:
apt install python3-pyinotify
OR change the backend, either globally in jail.local with
sshd_backend = systemd
(not working??) or per jail with backend = systemd under [sshd]
Enable a jail without restarting fail2ban
Set enabled = true in config and run
fail2ban-client reload
