Fail2ban can be configured in so many places.
$ fail2ban-client -i
Fail2Ban v0.10.2 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.
On Debian Buster I can edit my settings in several config files:
/etc/fail2ban/jail.d/defaults-debian.conf
/etc/fail2ban/fail2ban.conf
/etc/fail2ban/jail.conf
/etc/fail2ban/action.d/
And - last but not least - some tutorials recommend:
cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
The documentation of fail2ban says:
Modifications should take place in the .local and not in the .conf. This avoids merging problem when upgrading. These files are well documented and detailed information should be available there.
Does that mean that every .conf file I want to edit should exist as a .local file?
I am confused! Can someone shed some light on this please?
You only need to edit one file.
To avoid problems during system upgrades, you should always copy jail.conf to jail.local and modify the latter only. The same goes for all other fail2ban config files. Then edit this file and scroll down to the filters you want to use.
In those filters, add enabled = true. I recommend not enabling too many filters at the beginning. One or two is enough. Be careful with the SSH filter if you're connected via SSH. You might lock yourself out.
Filters
Look in the filter.d directory to see all available filters. Choose one or two suitable ones. Be sure to understand what their regexes match and what log files you need. Fail2ban works with log files, so the filters must match the appropriate log files. You can test this with
fail2ban-regex <logfile> <filter>
For example
fail2ban-regex /var/log/nginx/default_access.log /etc/fail2ban/filter.d/nginx-botsearch.conf
This filter - for example - looks for 404 errors in your NGINX access.log and blocks them, if the conditions match. For the conditions, see below. Restart fail2ban after you have finished editing:
Other settings in your jail.local file: All settings can be made global as well as filter specific.
means 10 errors in 10 minutes will result in a 2 hour ban.
If you don't want to use iptables for the banning, you can change your banaction. The default banaction uses iptables, which should work on all systems I know, but you might not see the bans in your familiar firewall interface. See the actions in action.d. With this setting, fail2ban will use ufw to block IPs. Then you can see the ban via ufw status.
Especially for SSH, be sure to exclude your local IP range from banning, so you can't ban yourself:
I would suggest that you not create or modify new filters or actions. Use the included ones and be happy. It's not easy to build your own regex patterns, and the log file format changes from time to time, which will break your filters. Your system won't be secured then. You should not edit Apache's default log format, either.
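To make the layering in the answer concrete, here is an added example (not code from the question, the answer or the fail2ban project) that reads two constructed snippets in the order fail2ban uses, jail.conf first and jail.local second, and prints the effective settings of each enabled jail: a key set in a jail section wins over [DEFAULT], and a later file wins over an earlier one. The duration parser handles only the plain "600" / "10m" / "2h" forms; the two config snippets are assumptions for illustration, not Debian's shipped defaults.

```python
import configparser
from io import StringIO
# Constructed sample files (not Debian's real defaults); jail.local is read after jail.conf.
JAIL_CONF = """
[DEFAULT]
bantime = 10m
findtime = 10m
maxretry = 5
ignoreip = 127.0.0.1/8 ::1
banaction = iptables-multiport
[sshd]
logpath = /var/log/auth.log
[nginx-botsearch]
logpath = /var/log/nginx/access.log
"""
JAIL_LOCAL = """
[DEFAULT]
bantime = 2h
maxretry = 10
banaction = ufw
ignoreip = 127.0.0.1/8 ::1 10.0.0.0/8
[sshd]
enabled = true
[nginx-botsearch]
enabled = true
maxretry = 20
"""
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def to_seconds(value):
    """Parse '600', '10m', '2h' style bantime/findtime values (a subset of fail2ban's syntax)."""
    value = value.strip()
    unit = value[-1] if value[-1] in _UNITS else ""
    return int(value[: len(value) - len(unit)]) * _UNITS[unit]

def effective_jails(*sources):
    """Layer sources in order (later overrides earlier, as .local over .conf); return enabled jails."""
    cp = configparser.ConfigParser(interpolation=None)
    for src in sources:
        cp.read_file(StringIO(src))
    jails = {}
    for name in cp.sections():
        sec = cp[name]  # a key missing in the jail section falls back to [DEFAULT], the global value
        if sec.getboolean("enabled", fallback=False):
            jails[name] = {"bantime": to_seconds(sec["bantime"]),
                           "findtime": to_seconds(sec["findtime"]),
                           "maxretry": sec.getint("maxretry"),
                           "banaction": sec["banaction"],
                           "ignoreip": sec["ignoreip"].split(),
                           "logpath": sec["logpath"]}
    return jails
```

With these two snippets, sshd ends up with maxretry 10 in a findtime of 600 s and a bantime of 7200 s (the "10 errors in 10 minutes, 2 hour ban" case), while nginx-botsearch keeps the same bantime but its own maxretry of 20; with jail.conf alone nothing is enabled.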