Fail2ban configuration
From wikinotes
Latest revision as of 16:27, 2 July 2022
Locations
- /etc/fail2ban/jail.local: config file
- /etc/fail2ban/jail.conf: available filters, and configurable options
- /etc/fail2ban/filters.d/*: log-filter definitions (used for bans)
- /etc/fail2ban/actions.d/*: firewall ban-action definitions
Overview
- jail.local holds your configuration
- jail.conf exposes configurable settings
- filters match log text to identify attacks
- actions define how bans are performed. They are firewall-specific.
Within jail.local, create sections (jails) in which you configure and pair filters with actions.
Where config sections match sections from jail.conf, they refer to a filter of the same name.
You can also specify the filter using the filter key.

```ini
[DEFAULT]
# applied banactions read from 'action.d/nftables.conf'
banaction = nftables  # pf, ...

# enables sshd with default options
# (see jail.conf section [sshd])
[sshd]
enabled = true

# manual configuration
[my-sshd-config]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/auth.log
maxretry = 5
bantime = 1800
```
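To make the jail model concrete, here is an added Python sketch (not code from this wiki page or from fail2ban itself) of what a jail does with its filter and the maxretry/findtime/bantime settings: a fail2ban-style failregex with a (?P<host>...) named group is applied to constructed auth.log lines, failures are counted per host inside the findtime window, and a host that reaches maxretry is recorded as banned for bantime. The log lines, regex and class names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
# Constructed sshd lines in syslog format, standing in for /var/log/auth.log (not a real capture).
SAMPLE_LOG = """\
Jul  2 16:20:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul  2 16:20:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jul  2 16:20:09 host sshd[1205]: Accepted publickey for alice from 198.51.100.4 port 40100 ssh2
Jul  2 16:20:12 host sshd[1207]: Failed password for root from 203.0.113.7 port 51044 ssh2
Jul  2 16:20:15 host sshd[1209]: Failed password for root from 203.0.113.7 port 51050 ssh2
Jul  2 16:20:19 host sshd[1211]: Failed password for root from 203.0.113.7 port 51061 ssh2
Jul  2 16:40:00 host sshd[1300]: Failed password for root from 198.51.100.4 port 40200 ssh2
"""
# A failregex in the fail2ban style: the (?P<host>...) named group is what the ban action receives.
SSHD_FAILREGEX = r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"
TIMESTAMP = re.compile(r"^\w{3}\s+\d+ (\d\d):(\d\d):(\d\d)")

class Jail:
    # One jail: a filter (failregex) paired with maxretry/findtime/bantime, as in jail.local.
    def __init__(self, failregex, maxretry=5, findtime=600, bantime=1800):
        self.failregex = re.compile(failregex)
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # host -> timestamps of matches inside findtime
        self.banned = {}                    # host -> unban time (stands in for the banaction)

    def feed(self, line, now):
        # Apply the filter to one line; return the host if this line triggers a ban.
        match = self.failregex.search(line)
        if not match:
            return None
        host = match.group("host")
        hits = self.failures[host]
        hits.append(now)
        while hits and now - hits[0] > self.findtime:  # forget failures older than findtime
            hits.popleft()
        if len(hits) >= self.maxretry and host not in self.banned:
            self.banned[host] = now + self.bantime
            return host
        return None

def run_jail(log_text, maxretry=5, findtime=600, bantime=1800):
    # Replay log lines through a jail; returns (jail, [(host, ban_time), ...]).
    jail = Jail(SSHD_FAILREGEX, maxretry, findtime, bantime)
    bans = []
    for line in log_text.splitlines():
        h, m, s = map(int, TIMESTAMP.match(line).groups())
        now = h * 3600 + m * 60 + s  # seconds since midnight; the sample is all on one day
        host = jail.feed(line, now)
        if host:
            bans.append((host, now))
    return jail, bans
```

With the defaults from the [my-sshd-config] jail above, 203.0.113.7 is banned on its fifth failure at 16:20:19; lowering findtime to 10 seconds lets the same burst fall out of the window before it reaches maxretry, so no ban is issued.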
Configuration
Jails
Common Jail Settings
```ini
filter = sshd    # filters.d/sshd.conf
logpath = /var/log/messages
maxretry = 3
findtime = 600   # seconds
bantime = 600    # seconds
```
Filters
Filters are collections of regex expressions.
Info is extracted as regex named groups, (?P<host> ... ), that can be reused in actions.
There are also builtin regex match groups:

```text
<HOST>  # hostname or ipv4 addr (server itself)
<ip>    # ip-address of <host>
```
Firewalls
Firewalls are configured by the banaction.
iptables
I believe iptables is the default.
nftables
```ini
# /etc/fail2ban/jail.local
[DEFAULT]
banaction = nftables
```
pf
WARNING: fail2ban blocks SSH from private networks (ex: wireguard)

```ini
# /usr/local/etc/fail2ban/jail.local
[DEFAULT]
banaction = pf
```

```text
# /etc/pf.conf

# 2. Tables
# add table for banned ips
table <fail2ban> persist

# 6. Translations
# WARNING: causes block on ssh from private networks
# (ex: ssh originating from wireguard iface)
anchor "f2b/*"

# 7. Packet-Filtering
# with rules, set a 'quick' (skip all other rules)
# rule that blocks banned ips
block in quick from <fail2ban>
```