Fail2ban on Debian Buster - the right way to configure?

Fail2ban can be configured in so many places.

$ fail2ban-client -i 
Fail2Ban v0.10.2 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

On Debian Buster I can edit my settings in several config files:

/etc/fail2ban/jail.d/defaults-debian.conf
/etc/fail2ban/fail2ban.conf
/etc/fail2ban/jail.conf
/etc/fail2ban/action.d/

And - last but not least - some tutorials recommend:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

The Documentation of fail2ban says:

Modifications should take place in the .local and not in the .conf. This avoids merging problems when upgrading. These files are well documented and detailed information should be available there.

Does that mean that every .conf file I want to edit should exist as a .local file?

I am confused! Can someone shed some light on this please?


Solution 1:

You only need to edit one file.

To avoid problems during system upgrades, you should always copy jail.conf to jail.local and modify the latter only. The same for all other fail2ban config files.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then edit this file and scroll down to the filters you want to use.

In those filters, add enabled = true. I recommend not enabling too many filters at the beginning. One or two is enough. Be careful with the SSH filter if you are connected via SSH. You might lock yourself out.

Filters

Look in the filter.d directory to see all available filters. Choose one or two suitable ones. Be sure to understand what their regexes match and what log files you need.

Fail2ban works with log files. So the filters must match the appropriate log files. You can test this with

fail2ban-regex <logfile> <filter>

For example

fail2ban-regex /var/log/nginx/default_access.log /etc/fail2ban/filter.d/nginx-botsearch.conf

This filter - for example - looks for 404 errors in your NGINX access.log and blocks them, if the conditions match. For the conditions, see below.

Restart fail2ban after you have finished editing:

systemctl restart fail2ban

Other settings in your jail.local file:

All settings can be made global as well as filter specific.

bantime  = 7200
findtime  = 10m
maxretry = 10

means 10 errors in 10 minutes will result in a 2 hour ban.

If you don't want to use iptables for the banning, you can change your banaction. The default banaction uses iptables, which should work on all systems I know, but you might not see the bans in your familiar firewall interface.

banaction = ufw

See the actions in action.d. With this setting, fail2ban will use ufw to block IPs. Then you can see the ban via ufw status.

Especially for SSH, be sure to exclude your local IP range from banning, so you can't ban yourself:

ignoreip = 127.0.0.1/8 ::1 192.168.178.0/24

I would suggest that you not create new filters or actions or modify the existing ones. Use the included ones and be happy. It's not easy to build your own regex patterns, and the log file format changes from time to time, which will break your filters. Your system won't be secured then. You should not edit Apache's default log format either.
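As an added illustration of the "global as well as filter specific" point above (example code, not part of the answer), this script writes a minimal jail.local with the answer's settings into a scratch directory standing in for /etc/fail2ban, then resolves the effective value of an option for a jail the way fail2ban layers [DEFAULT] under each jail section. The sshd maxretry override and the scratch path are assumptions for the demo.

```shell
#!/bin/sh
# Added example: minimal jail.local plus a lookup that mimics how a jail
# section overrides [DEFAULT]. CONFDIR is a scratch stand-in for /etc/fail2ban.
set -eu

CONFDIR="${CONFDIR:-$(mktemp -d)}"

write_jail_local() {
    cat > "$CONFDIR/jail.local" <<'EOF'
[DEFAULT]
# never ban loopback or the LAN you administer from
ignoreip = 127.0.0.1/8 ::1 192.168.178.0/24
bantime  = 7200
findtime = 10m
maxretry = 10
banaction = ufw

[sshd]
enabled = true
# assumed stricter, jail-specific override of the global maxretry
maxretry = 3

[nginx-botsearch]
enabled = true
logpath = /var/log/nginx/default_access.log
EOF
}

# effective_value <jail> <option>: the jail's own value wins, else [DEFAULT]
effective_value() {
    awk -v jail="$1" -v key="$2" '
        /^\[/ { sect = substr($0, 2, length($0) - 2); next }
        $1 == key && $2 == "=" {
            val = $3; for (i = 4; i <= NF; i++) val = val " " $i
            if (sect == jail) jailval = val
            else if (sect == "DEFAULT") defval = val
        }
        END { print (jailval != "" ? jailval : defval) }
    ' "$CONFDIR/jail.local"
}

write_jail_local
effective_value sshd maxretry             # 3  (jail override)
effective_value nginx-botsearch maxretry  # 10 (inherited from DEFAULT)
effective_value sshd ignoreip             # global ignoreip applies to sshd too
```

Run `fail2ban-client -d` on a real host to see the same merged result that fail2ban itself computes from jail.conf and jail.local.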