Fail2ban configuration
From wikinotes
Locations
- /etc/fail2ban/jail.local: your configuration (overrides only; survives package upgrades)
- /etc/fail2ban/jail.conf: shipped defaults and predefined jails (read it for the available settings, do not edit it)
- /etc/fail2ban/filter.d/*: log-filter definitions (the regexes that detect failures)
- /etc/fail2ban/action.d/*: firewall ban-action definitions
On FreeBSD the same tree lives under /usr/local/etc/fail2ban/.
Overview
- jail.local holds your configuration
- jail.conf ships the defaults and predefined jails; read it for the available settings and override them in jail.local
- filters match log text to identify attacks
- actions define how bans are performed. They are firewall specific.
Within jail.local, create sections (jails) where you configure and pair filters with actions.
A jail section whose name matches a section in jail.conf inherits that section's settings, and by default a jail uses the filter of the same name (filter.d/<jail>.conf).
You can also specify the filter explicitly with the filter key.
Note that '#' only starts a comment at the beginning of a line; an inline comment must use ' ;' (space, semicolon), otherwise 'banaction = nftables # pf' sets banaction to the whole string.

    # /etc/fail2ban/jail.local
    [DEFAULT]
    # ban actions are read from 'action.d/<banaction>.conf'
    # alternatives: iptables-multiport, pf, ...
    banaction = nftables

    # enables sshd with default options
    # (see jail.conf section [sshd])
    [sshd]
    enabled = true

    # manual configuration
    [my-sshd-config]
    enabled = true
    filter = sshd
    action = iptables[name=SSH, port=ssh, protocol=tcp]
    logpath = /var/log/auth.log
    maxretry = 5
    bantime = 1800

Check the result with 'fail2ban-client -t' (parses the whole configuration) and test a filter against a real log with 'fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf' before enabling the jail.
Configuration
Jails
Common Jail Settings
    # filter.d/sshd.conf
    filter = sshd
    logpath = /var/log/messages
    maxretry = 3
    # findtime and bantime are in seconds
    findtime = 600
    bantime = 600
Filters
Filters are collections of regular expressions (failregex, plus an optional ignoreregex).
Information is extracted with named groups (?P<name> ... ) that can be reused in actions;
the <HOST> tag is itself shorthand for such a group, and whatever it captures is the address that gets banned.
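Worked example (added here; not code from this page or from the fail2ban project): a toy re-implementation of the filter-then-jail pipeline in Python. It expands <HOST> into a named group the way fail2ban does, runs two sshd-style failregex lines (written for this example, not copied from filter.d/sshd.conf) over constructed log lines, and applies the maxretry/findtime/bantime counting from the jail settings above, plus the ignoreip exemption that keeps a private-network client (the wireguard case warned about under pf below) from being banned. The simplified <HOST> pattern, the RFC 3339 syslog prefix and every log line are assumptions of the example.

```python
"""Toy model of fail2ban's filter -> jail pipeline (example code, not fail2ban's)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands the <HOST> tag into a named group called 'host' before
# compiling a failregex.  The real expansion also handles bracketed IPv6 and
# stricter hostname rules; this simplified pattern is an assumption here.
HOST_TAG = r"(?P<host>[\w\-.:]+)"

# Constructed failregex lines in the style of filter.d/sshd.conf (not copied
# from it).  They apply to the message after the syslog prefix is stripped;
# (?P<user>...) is an ordinary named group that an action could reuse.
FAILREGEX = [
    r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from <HOST> port \d+ ssh2$",
    r"^Invalid user (?P<user>\S+) from <HOST> port \d+$",
]
COMPILED = [re.compile(rx.replace("<HOST>", HOST_TAG)) for rx in FAILREGEX]

# Assumed prefix: RFC 3339 timestamp, hostname, 'sshd[pid]: '.  fail2ban's
# datepattern and __prefix_line do this job for real logs.
PREFIX = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<msg>.*)$")

# Constructed sample log: TEST-NET attackers and a WireGuard-like 10.8.0.0/24 client.
SAMPLE_LOG = """\
2024-03-01T12:00:01+00:00 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 41122 ssh2
2024-03-01T12:00:04+00:00 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 41130 ssh2
2024-03-01T12:00:09+00:00 gw sshd[1205]: Failed password for root from 203.0.113.7 port 41138 ssh2
2024-03-01T12:00:10+00:00 gw sshd[1207]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:abc
2024-03-01T12:01:00+00:00 gw sshd[1210]: Failed password for bob from 10.8.0.2 port 52000 ssh2
2024-03-01T12:01:05+00:00 gw sshd[1211]: Failed password for bob from 10.8.0.2 port 52002 ssh2
2024-03-01T12:01:09+00:00 gw sshd[1212]: Failed password for bob from 10.8.0.2 port 52004 ssh2
2024-03-01T12:02:00+00:00 gw sshd[1220]: Invalid user test from 198.51.100.9 port 33000
2024-03-01T12:20:00+00:00 gw sshd[1230]: Invalid user test from 198.51.100.9 port 33002
2024-03-01T12:40:00+00:00 gw sshd[1240]: Invalid user test from 198.51.100.9 port 33004
""".splitlines()


def match_line(line):
    """Return {'ts', 'host', 'user'} for a line matching a failregex, else None."""
    m = PREFIX.match(line)
    if not m:
        return None
    for rx in COMPILED:
        f = rx.match(m.group("msg"))
        if f:
            return {"ts": datetime.fromisoformat(m.group("ts")),
                    "host": f.group("host"), "user": f.group("user")}
    return None


def run_jail(lines, maxretry=3, findtime=600, bantime=1800, ignoreip=()):
    """Replay log lines through a jail; return [(host, ban_time), ...].

    A host is banned once it accumulates maxretry failures within findtime
    seconds, unless it lies inside an ignoreip network.  Hostnames (non-IP
    <HOST> matches) are not checked against ignoreip in this toy.
    """
    nets = [ipaddress.ip_network(n) for n in ignoreip]

    def ignored(host):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False
        return any(addr in net for net in nets)

    failures = defaultdict(deque)   # host -> timestamps inside the findtime window
    banned_until = {}
    bans = []
    for line in lines:
        hit = match_line(line)
        if hit is None or ignored(hit["host"]):
            continue
        host, ts = hit["host"], hit["ts"]
        if host in banned_until and ts < banned_until[host]:
            continue                   # already banned; nothing new to count
        window = failures[host]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()           # slide the findtime window
        if len(window) >= maxretry:
            banned_until[host] = ts + timedelta(seconds=bantime)
            bans.append((host, ts))
            window.clear()             # the counter restarts after a ban
    return bans


if __name__ == "__main__":
    for host, when in run_jail(SAMPLE_LOG, ignoreip=("10.8.0.0/24",)):
        print(f"ban {host} at {when.isoformat()}")
```

Run as a script it bans only 203.0.113.7: the 10.8.0.2 client hits maxretry but is covered by ignoreip, and 198.51.100.9 probes once every 18 minutes, so its three failures never share a 600-second findtime window. That last case is what tuning findtime is for.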
There are also builtin tags that expand to match groups:

    # in failregex: hostname, IPv4 or IPv6 address of the client
    # that produced the failure (the remote side, not the server)
    <HOST>
    # in actions: the address captured by <HOST>, i.e. the one being banned
    <ip>
Firewalls
Firewalls are configured by the banaction.
iptables
I believe iptables is the default.
nftables
    # /etc/fail2ban/jail.local
    [DEFAULT]
    banaction = nftables
pf
WARNING:
fail2ban blocks SSH from private networks (ex: wireguard) as well.
Exempt trusted ranges with ignoreip in [DEFAULT] (for example ignoreip = 127.0.0.1/8 ::1 10.8.0.0/24) so clients there are never banned.
    # /usr/local/etc/fail2ban/jail.local
    [DEFAULT]
    banaction = pf

    # /etc/pf.conf
    # 2. Tables
    # add table for banned ips
    table <fail2ban> persist

    # 6. Translations
    # WARNING: causes block on ssh from private networks
    # (ex: ssh originating from wireguard iface)
    anchor "f2b/*"

    # 7. Packet-Filtering
    # with rules, set a 'quick' (skip all other rules)
    # rule that blocks banned ips
    block in quick from <fail2ban>