Fail2ban on Debian Buster - the right way to configure?

fail2ban debian-buster

Fail2ban can be configured in so many places.

$ fail2ban-client -i 
Fail2Ban v0.10.2 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

On Debian Buster I can edit my settings in several config files:

/etc/fail2ban/jail.d/defaults-debian.conf
/etc/fail2ban/fail2ban.conf
/etc/fail2ban/jail.conf
/etc/fail2ban/action.d/

And - last but not least - some tutorials recommend:

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

The Documentation of fail2ban says:

Modifications should take place in the .local and not in the .conf. This avoids merging problem when upgrading. These files are well documented and detailed information should be available there.

Does that mean, that every .conf File I want to edit should exist as a .local file?

I am confused! Can someone shed some light on this please?


Solution 1:

You only need to edit one file.

To avoid problems during system upgrades, you should always copy jail.conf to jail.local and modify the latter only. The same for all other fail2ban config files.

cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Then edit this file and scroll down to the filters you want to use.

In those filters, add enabled = true. I recommend not to enable too many filters at the beginning. One or two is enough. Be carefull with the SSH filter if you're are connected via SSH. You might lock yourself out.

Filters

Look in the filter.d directory to see all available filters. Choose one or two suitable ones. Be sure to understand what their regexes match and what log files you need.

Fail2ban works with log files. So the filters must match the appropriate log files. You can test this with

fail2ban-regex <logfile> <filter>

For example

fail2ban-regex /var/log/nginx/default_access.log /etc/fail2ban/filter.d/nginx-botsearch.conf

This filter - for example - looks for 404 errors in your NGINX access.log and blocks them, if the conditions match. For the conditions, see below.

Restart fail2ban after you finished editing:

systemctl restart fail2ban

Other settings in your jail.local file:

All settings can be made global as well as filter specific.

bantime  = 7200
findtime  = 10m
maxretry = 10

means 10 errors in 10 minutes will result in a 2 hour ban.

If you don't want to use iptables for the banning, you can change your banaction. The default banaction uses iptables, which should work on all systems I know but you might not see the bans in your familiar firewall interface.

banaction = ufw

See the actions in action.d. With this setting, fail2ban will use ufw to block IPs. Then you can see the ban via ufw status.

Especially for SSH, be sure to exclude your local IP range from banning, so you can't ban yourself :

ignoreip = 127.0.0.1/8 ::1 192.168.178.0/24

I would suggest you not to create or modify new filters or actions. Use the included ones and be happy. It's not easy to buiild your own regex patterns and the log file format changes from time to time - which will break your filters. Your system won't be secured then. You should not edit Apaches default log format, too.

Related

Need to push backups across two WANs to maximize off-site backup upload speed
How to disable keepalive in curl
TCPdump write permission error when using -w option
OSCAP doesn't work for remediation on Ubuntu 18.04 install
Group Policy Confilcts
NVMe disk problems - smartctl 0x2002 status
Azure File Share mount with AAD Credentials
Nginx php-fpm on Docker desktop issue
What exactly can I conclude from "High scoring spam message has been dropped (in reply to end of DATA command)"?
how to check whether the system time is synchronised to NTP server without knowing the ntp client used in the product?
Will certbot actually renew my certificate?
Good NFS multipath solution