Fail2ban configuration

From wikinotes

Locations

/etc/fail2ban/jail.local      your configuration (overrides jail.conf)
/etc/fail2ban/jail.conf       available jails and their configurable options (defaults)
/etc/fail2ban/filter.d/*      log-filter definitions (regexes used to detect failures)
/etc/fail2ban/action.d/*      firewall ban-action definitions


Overview

  • jail.local holds your configuration
  • jail.conf exposes configurable settings
  • filters match log text to identify attacks
  • actions define how bans are performed. They are firewall-specific.

Within jail.local, create sections (jails) in which you configure settings and pair filters with actions.
Where a section name matches a section in jail.conf, it inherits that jail's options and uses the filter of the same name.
You can also select the filter explicitly with the filter key.

[DEFAULT]
# banaction is read from 'action.d/nftables.conf'
# (other values: iptables, pf, ...)
banaction = nftables

# enables sshd with default options
# (see jail.conf section [sshd])
[sshd]
enabled = true

# manual configuration
[my-sshd-config]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/auth.log
maxretry = 5
bantime = 1800


Configuration

Jails

Common Jail Settings

# filter.d/sshd.conf
filter = sshd
logpath = /var/log/messages
maxretry = 3
findtime = 600  # seconds
bantime = 600   # seconds

Filters

Filters are collections of regular expressions (failregex) matched against log lines.
Information is extracted with regex named groups, e.g. (?P<host> ... ), and can be reused in actions.

There are also built-in regex match groups:

<HOST>  # hostname or ipv4 addr (server itself)
<ip>    # ip-address of <host>
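To make the jail settings above (maxretry, findtime) and the <HOST> filter tag concrete, here is an added Python simulation; it is not fail2ban's own code or its sshd.conf filter. It assumes a simplified sshd failregex and constructed auth.log lines, and reports which hosts a jail would ban.

```python
import re
from datetime import datetime, timedelta

# Simplified failregex written for this example (not fail2ban's sshd.conf).
# <HOST> is the fail2ban placeholder for the remote address in a log line.
FAILREGEX = r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from <HOST> port \d+"
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"  # IPv4 only, for brevity

def compile_failregex(pattern):
    """Expand the <HOST> tag into a named group, as fail2ban does for filters."""
    return re.compile(pattern.replace("<HOST>", HOST_GROUP))

def parse_line(line, regex, year):
    """Return (timestamp, host) for a matching syslog-style line, else None."""
    m = regex.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host")

def hosts_to_ban(lines, regex, maxretry=3, findtime=600):
    """Jail rule: ban a host once it has maxretry failures inside findtime seconds."""
    window = timedelta(seconds=findtime)
    seen = {}    # host -> recent failure timestamps
    banned = {}  # host -> time of the failure that triggered the ban
    for line in lines:
        parsed = parse_line(line, regex, 2024)
        if parsed is None:
            continue
        ts, host = parsed
        if host in banned:
            continue
        hits = [t for t in seen.get(host, []) if ts - t <= window] + [ts]
        seen[host] = hits
        if len(hits) >= maxretry:
            banned[host] = ts
    return banned

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  3 10:01:10 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2
Mar  3 10:02:30 host sshd[1236]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Mar  3 10:03:05 host sshd[1237]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar  3 10:05:00 host sshd[1238]: Failed password for root from 198.51.100.7 port 40002 ssh2
Mar  3 10:20:00 host sshd[1239]: Failed password for root from 198.51.100.7 port 40003 ssh2
Mar  3 10:35:00 host sshd[1240]: Failed password for root from 198.51.100.7 port 40004 ssh2
""".splitlines()

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG, compile_failregex(FAILREGEX)))
```

With maxretry=3 and findtime=600 only 203.0.113.5 is banned; 198.51.100.7 fails three times too, but 15 minutes apart, so it never reaches maxretry within the window.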

Firewalls

The firewall used to enforce bans is selected with the banaction setting.

iptables

I believe iptables is the default.

nftables

# /etc/fail2ban/jail.local

[DEFAULT]
banaction = nftables

pf

WARNING:

with the pf anchor below, fail2ban also blocks SSH arriving from private networks (ex: a WireGuard interface)

# /usr/local/etc/fail2ban/jail.local

[DEFAULT]
banaction = pf

# /etc/pf.conf

# 2. Tables
# add table for banned ips
table <fail2ban> persist

# 6. Translations
# WARNING: causes block on ssh from private networks
#          (ex: ssh originating from wireguard iface)
anchor "f2b/*"

# 7. Packet-Filtering
# add a 'quick' rule (no later rules are evaluated for the packet)
# that blocks traffic from banned ips
block in quick from <fail2ban>