linux:ubuntu:fail2ban

Differences

This shows you the differences between two versions of the page.

linux:ubuntu:fail2ban [2018/01/08 10:06] – created lunetikk
linux:ubuntu:fail2ban [2019/10/29 10:45] (current) lunetikk
Line 6: Line 6:
  
 ===== Configuration ===== ===== Configuration =====
 +
 +"jail.conf" maybe gets overwritten by updates. Create your own config file
 +<code>cp -a /etc/fail2ban/jail.conf /etc/fail2ban/jail.local</code>
 +
 +
 +Things you should edit
 +<code>
 +#Add any IP which you want NOT to be banned, use space for seperation
 +ignoreip = 127.0.0.1/8 192.168.178.1
 +
 +# "bantime" is the number of seconds that a host is banned.
 +bantime  = 86400
 +
 +# A host is banned if it has generated "maxretry" during the last "findtime"
 +# seconds.
 +findtime = 1200
 +maxretry = 3
 +
 +#Add this to check your ssh login attempts
 +[ssh]
 +
 +enabled  = true
 +#port     = ssh
 +port     = 22
 +filter   = sshd
 +#action   = iptables[name=SSH, port=2022, protocol=tcp]
 +#           sendmail-whois-lines[name=SSH, dest="[email protected],[email protected]", [email protected], sendername="Fail2Ban", logpath=/var/log/auth.log]
 +logpath  = /var/log/auth.log
 +maxretry = 3
 +
 +[vsftpd]
 +
 +enabled  = true
 +port     = ftp,ftp-data,ftps,ftps-data
 +filter   = vsftpd
 +logpath  = /var/log/vsftpd.log
 +# or overwrite it in jails.local to be
 +# logpath = /var/log/auth.log
 +# if you want to rely on PAM failed login attempts
 +# vsftpd's failregex should match both of those formats
 +maxretry = 3
 +
 +
 +# To log wrong MySQL access attempts add to /etc/my.cnf:
 +# log-error=/var/log/mysqld.log
 +# log-warning = 2
 +[mysqld-auth]
 +
 +enabled  = true
 +filter   = mysqld-auth
 +port     = 3306
 +logpath  = /var/log/mysql/error.log
 +
 +[repeatoffender]
 +
 +enabled  = true
 +filter   = repeatoffender
 +action   = repeatoffender[name=repeatoffender]
 +           sendmail-whois[name=Repeat-Offender, [email protected], [email protected]]
 +logpath  = /var/log/fail2ban*
 +maxretry = 3
 +#findtime is 365 days
 +findtime = 31536000
 +bantime  = -1
 +
 +</code>
 +
 +===== Abusemails =====
 +
 +Click the following link for more info about abuse automatisation\\
 +[[linux:ubuntu:blocklist|Blocklist]]
 +
 +===== Commands =====
 +
 +==== Unban ====
 +
 +<code>
 +fail2ban-client set <JAIL> unbanip <IP>
 +#example
 +fail2ban-client set ssh unbanip 192.168.178.1 
 +</code>
 +
 +==== Ban ====
 +
 +<code>
 +fail2ban-client set <JAIL> banip <IP>
 +#example
 +fail2ban-client set ssh banip 192.168.178.1  
 +</code>
 +
 +==== Other ====
 +
 +Get a list of commands
 +<code>fail2ban-client --help</code>
 +
 +===== Troubleshooting =====
 +
 +==== IP gets banned everytime ====
 +
 +An IP listed in "ignoreip" still gets banned everytime you reload/restart/start your Fail2ban service.\\
 +
 +__Reason:__ \\
 +The IP was banned before you added it to "ignoreip"  \\
 +
 +__Fix:__ \\
 +The IP is added to the file "ip.blocklist.repeatoffender". \\
 +Open the file and remove the IP.
 +
  
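Review bot: The [repeatoffender] jail in the Configuration block depends on "filter = repeatoffender" and "action = repeatoffender[name=repeatoffender]", but the hunk neither defines nor links those two files, and the Troubleshooting fix names "ip.blocklist.repeatoffender" without a path. Because that jail sets "bantime = -1", readers need both to see where the permanent bans are stored and how to lift one: add the filter and action definitions or a link to them, give the blocklist file's full path, and pair the file edit with the unbanip command shown under Commands so the ban already in place is lifted as well. Two smaller points in the same block: the commented action line under [ssh] uses port=2022 while the jail itself sets "port = 22", and the [vsftpd] comment says "jails.local" where the file created at the top of the section is jail.local.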
linux/ubuntu/fail2ban.1515402390.txt.gz · Last modified: 2018/01/08 10:06 by lunetikk