From: James M. <moe...@sm...> - 2023-03-31 17:21:50

On 2023-03-30 10:37, James Moe via Fail2ban-users wrote:
> Fail2ban-regex matches the regex in the log files. Fail2ban itself does not.
>
I had thought a specific regex was failing to match. Further testing shows that the whole jail acts as though it is disabled. "enabled = true" in the jail's definition. What would cause this?

Status for the jail: cgpro-smtp
|- Filter
|  |- Currently failed: 61
|  |- Total failed: 115
|  `- File list: /data01/var/CommuniGate/cgp-current.log
`- Actions
   |- Currently banned: 532
   |- Total banned: 538
   `- Banned IP list: 177.99.171.69 ...

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
From: James M. <moe...@sm...> - 2023-03-30 21:58:11

On 2023-03-30 10:37, James Moe via Fail2ban-users wrote:
> Could this issue be possibly related to the "ignoreregex"?
>
Nope. I removed the ignoreregex rule. It made no difference to the failure to match.

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
From: James M. <moe...@sm...> - 2023-03-30 17:38:02

fail2ban v1.0.1.1

Fail2ban-regex matches the regex in the log files. Fail2ban itself does not.

---[ filter ]----
failregex = ^.*SMTPI.*\(\[<HOST>\].*\).*?failed to open.*\:(465|587)\..*Error Code=unknown user account.*$
            ^.*SMTPI.*\(\[<HOST>\].*\).*?failed to open.*\:(465|587)\..*Error Code=account is not available on this system.*$
            ^.*\[<HOST>\]\:.* failed to accept a secure connection for DOMAIN.*$
            ^.*\[<HOST>\]\:.* 476 connections from your host are denied.*
            ^.* from \[<HOST>\]\:.* Error Code\=incorrect password
ignoreregex = 127\.0\.0\.1
datepattern = %%H:%%M:%%S
----[ end ]----

----[ typical log entry (probably wrapped) ]----
16:53:05.720 1 ACCOUNT(sohnen-moe.cherie) login(SMTP) from [60.169.66.113]:43301(TLS) failed. Error Code=incorrect password
----[ end ]----

There are many more entries that have 127.0.0.1 as the <HOST> than there are actual IPs. Hence the ignoreregex.

Could this issue be possibly related to the "ignoreregex"?

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
From: James M. <moe...@sm...> - 2023-03-22 22:49:25

On 2023-03-22 14:03, Nick Howitt via Fail2ban-users wrote:
> Use an "ignoreregex = 127\.0\.0\.1" line.
>
That works! Thank you.

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
From: Nick H. <ni...@ho...> - 2023-03-22 21:21:32

Use an "ignoreregex = 127\.0\.0\.1" line. Or just set an ignoreip of 127.0.0.1.

On 22/03/2023 19:22, James Moe via Fail2ban-users wrote:
>
> We scan our mail logs for the use of "auth LOGIN". No legit user uses LOGIN; it
> is always a dictionary attack.
>
> We also have a SPAM proxy (ASSP) that filters incoming mail before sending a
> connection to the mail server; the connections are for ports 25 and 587. The
> mail server logs these connections as:
> 11:01:16.678 4 SMTPI-022601([127.0.0.1]) rsp: 334 VXNlcm5hbWU6
>
> When a spammer uses port 465, though, it bypasses the filter and connects to the
> mail server directly:
> 10:37:36.384 4 SMTPI-022587([176.111.173.47]) rsp: 334 VXNlcm5hbWU6
>
> My question is: How do I create a regular expression that ignores the log
> entries with "127.0.0.1?"
>
> The current regex is:
> failregex = ^.*\[<HOST>\] .* 334 VXNlcm5hbWU6.*
>
From: James M. <moe...@sm...> - 2023-03-22 19:22:34

We scan our mail logs for the use of "auth LOGIN". No legit user uses LOGIN; it is always a dictionary attack.

We also have a SPAM proxy (ASSP) that filters incoming mail before sending a connection to the mail server; the connections are for ports 25 and 587. The mail server logs these connections as:
11:01:16.678 4 SMTPI-022601([127.0.0.1]) rsp: 334 VXNlcm5hbWU6

When a spammer uses port 465, though, it bypasses the filter and connects to the mail server directly:
10:37:36.384 4 SMTPI-022587([176.111.173.47]) rsp: 334 VXNlcm5hbWU6

My question is: How do I create a regular expression that ignores the log entries with "127.0.0.1?"

The current regex is:
failregex = ^.*\[<HOST>\] .* 334 VXNlcm5hbWU6.*

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.
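For the two filter questions in this thread (the `334 VXNlcm5hbWU6` lines that arrive via the loopback proxy, and the larger CommuniGate filter with several failregex lines and an `ignoreregex` posted on 2023-03-30), here is an added example of how fail2ban evaluates failregex and ignoreregex against log lines. It is not code from the thread or from fail2ban. Assumptions: `<HOST>` is replaced by an IPv4-only group (fail2ban's real tag also matches IPv6 addresses and hostnames), the timestamp is not stripped before matching, and the AUTH LOGIN pattern is adjusted so that it matches the lines as they appear in this archive, where a `)` follows the closing host bracket. The log lines are the ones quoted in the thread plus one constructed loopback line.

```python
import re

# Simplified stand-in for fail2ban's <HOST> expansion (assumption: the real
# tag also matches IPv6 addresses and hostnames).
HOST_TAG = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_filter(failregex, ignoreregex=()):
    """Expand <HOST> and compile a filter's failregex and ignoreregex lists."""
    fails = [re.compile(r.replace("<HOST>", HOST_TAG)) for r in failregex]
    ignores = [re.compile(r) for r in ignoreregex]
    return fails, ignores


def match_line(line, fails, ignores):
    """Return the offending host for one log line, or None.

    As in fail2ban, the failregex lines are tried in order, and a line that
    matches any ignoreregex is never counted even if a failregex matched it.
    """
    for fr in fails:
        m = fr.search(line)
        if m:
            if any(ig.search(line) for ig in ignores):
                return None
            return m.group("host")
    return None


def count_failures(lines, fails, ignores):
    """Tally counted failures per host, the input to maxretry/findtime."""
    counts = {}
    for line in lines:
        host = match_line(line, fails, ignores)
        if host:
            counts[host] = counts.get(host, 0) + 1
    return counts


# Filter assembled from the thread: the AUTH LOGIN pattern (adjusted so that it
# matches the posted lines, where ')' follows the host bracket) and the
# "incorrect password" pattern from the later CommuniGate filter.
FAILREGEX = [
    r"^.*\(\[<HOST>\]\) rsp: 334 VXNlcm5hbWU6.*",
    r"^.* from \[<HOST>\]\:.* Error Code\=incorrect password",
]
# Anchored on the brackets rather than the bare 127\.0\.0\.1 from the thread,
# so it cannot match a longer address or a message body containing that text.
IGNOREREGEX = [r"\[127\.0\.0\.1\]"]

# Constructed sample log: the lines quoted in the thread plus one extra
# loopback line of the kind the ASSP proxy produces.
SAMPLE_LOG = [
    "11:01:16.678 4 SMTPI-022601([127.0.0.1]) rsp: 334 VXNlcm5hbWU6",
    "10:37:36.384 4 SMTPI-022587([176.111.173.47]) rsp: 334 VXNlcm5hbWU6",
    "11:02:40.101 4 SMTPI-022603([127.0.0.1]) rsp: 334 VXNlcm5hbWU6",
    "16:53:05.720 1 ACCOUNT(sohnen-moe.cherie) login(SMTP) from [60.169.66.113]:43301(TLS) failed. Error Code=incorrect password",
    "10:38:02.010 4 SMTPI-022588([176.111.173.47]) rsp: 334 VXNlcm5hbWU6",
]


def scan_sample():
    """Run the assembled filter over the sample log."""
    fails, ignores = compile_filter(FAILREGEX, IGNOREREGEX)
    return count_failures(SAMPLE_LOG, fails, ignores)


if __name__ == "__main__":
    print(scan_sample())  # {'176.111.173.47': 2, '60.169.66.113': 1}
```

ignoreregex is a regex over the whole line, so an unanchored `127\.0\.0\.1` also skips any line that merely contains that string, for example a longer address such as 127.0.0.10. Nick's alternative, `ignoreip = 127.0.0.1`, is compared against the extracted `<HOST>` value rather than the raw line, which is tighter still. fail2ban-regex reports matched, ignored and missed line counts for exactly this evaluation, so when it matches in testing but the running jail stays silent, the next things to compare are the jail's `logpath`, `backend` and `datepattern`, since those are the only inputs the jail has that fail2ban-regex does not check.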
From: Steve C. <ste...@gm...> - 2023-03-18 22:41:37

hello,

running fail2ban version 0.9.3 on ubuntu

it appears the default action script is iptables-multiport

I want to learn how to add a comment when banning an ip, and have that comment include data / information from the log file f2b is monitoring.

for example, in a log file made by mail / courier / imap, it contains this line:

imapd: LOGIN FAILED, user=cow...@do..., ip=[::ffff:183.157.169.196]

so I created a file in /etc/fail2ban/action.d named iptables-multiport.local and pasted this information (found in the FAQ section of f2b user guide website).

actionban = lgm=$(printf '%%.1000s\n...' "<matches>"); <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype> "comment=$lgm" --comment "$lgm"

then I restarted f2b

systemctl restart fail2ban

journalctl -ru fail2ban showed it restarted without errors

how can I check if this is working? will it be written in the iptables, or will it be written in the fail2ban log, or will it be written in /var/log/ufw.log ?

after i find out where i can see the results, i will probably need to come back and learn how to capture information from the source log so the comments make sense

thank you
From: Tim B. <ti...@bo...> - 2023-02-14 09:00:12

On Tuesday, 14.02.2023 at 08:31 +0100, Wolfgang Paul Rauchholz wrote:
> I thought because I am using firewalld that would be the right thing
> to do. Obviously not.
> Anyway, I changed the config file, but still the same error message.

Some lines of /var/log/fail2ban.log containing error messages might be helpful...

Cheers,
tim
From: Wolfgang P. R. <wp....@gm...> - 2023-02-14 07:31:21

I thought because I am using firewalld that would be the right thing to do. Obviously not.
Anyway, I changed the config file, but still the same error message. It looks now like this:

[INCLUDES]
before = paths-fedora.conf

[DEFAULT]
bantime = 1d
maxretry = 3
findtime = 10m

banaction = iptables-multiport
banaction_allports = iptables-allports

#
# Ban Increments
#

# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
bantime.increment = true

# ban & send an e-mail with whois report and relevant log lines to the destemail.
action_mwl = %(action_)s
             %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

ignoreip = 127.0.0.1/8 ::1 10.5.2.0/24

[sshd]
enabled = true
mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[postfix]
# To use another modes set filter parameter "mode" in jail.local:
enabled = true
mode = more
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[postfix-rbl]
enabled = true
filter = postfix[mode=rbl]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1

[postfix-sasl]
enabled = true
filter = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

Wolfgang Rauchholz
+34 627 994 977
https://www.linkedin.com/in/wolfgangrauchholz/

On Mon, Feb 13, 2023 at 8:25 PM Wolfgang Paul Rauchholz <wp....@gm...> wrote:
> Hello fail2ban community
> Recently I setup a home server under Rocky Linux 8.7
> To protect from intrusion I installed fail2ban. I get the error as
> described above.
> I checked google, but could not find the mistake.
> Thanks for helping me to fix the error.
>
> [INCLUDES]
> before = paths-fedora.conf
>
> [DEFAULT]
> bantime = 1d
> maxretry = 3
> findtime = 10m
>
> banaction = firewallcmd-rich-rules[actiontype=<multiport>]
> banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]
>
> #
> # Ban Increments
> #
>
> # "bantime.increment" allows to use database for searching of previously
> banned ip's to increase a
> # default ban time using special formula, default it is banTime * 1, 2, 4,
> 8, 16, 32...
> bantime.increment = true
>
> # ban & send an e-mail with whois report and relevant log lines to the
> destemail.
> action_mwl = %(action_)s
>              %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
>
> ignoreip = 127.0.0.1/8 ::1 10.5.2.0/24
>
> [sshd]
> enabled = true
> mode = normal
> port = ssh
> logpath = %(sshd_log)s
> backend = %(sshd_backend)s
>
> [postfix]
> # To use another modes set filter parameter "mode" in jail.local:
> enabled = true
> mode = more
> port = smtp,465,submission
> logpath = %(postfix_log)s
> backend = %(postfix_backend)s
>
> [postfix-rbl]
> enabled = true
> filter = postfix[mode=rbl]
> port = smtp,465,submission
> logpath = %(postfix_log)s
> backend = %(postfix_backend)s
> maxretry = 1
>
> [postfix-sasl]
> enabled = true
> filter = postfix[mode=auth]
> port = smtp,465,submission,imap,imaps,pop3,pop3s
> logpath = %(postfix_log)s
> backend = %(postfix_backend)s
>
> [dovecot]
> enabled = true
> port = pop3,pop3s,imap,imaps,submission,465,sieve
> logpath = %(dovecot_log)s
> backend = %(dovecot_backend)s
>
> Wolfgang Rauchholz
> +34 627 994 977
> https://www.linkedin.com/in/wolfgangrauchholz/
>
From: Tim B. <ti...@bo...> - 2023-02-13 22:26:18

Hello Wolfgang!

Your fail2ban fails to ban ;-) because the execution of your banaction failed.
According to your config, the command is

firewallcmd-rich-rules[actiontype=<multiport>]

At least I never heard of such a command. Did you copy the config from some web site?
You might try replacing this by

iptables-multiport

Works for me on a rather fresh install.

Cheers,
tim
From: Wolfgang P. R. <wp....@gm...> - 2023-02-13 19:25:42

Hello fail2ban community
Recently I setup a home server under Rocky Linux 8.7
To protect from intrusion I installed fail2ban. I get the error as described above.
I checked google, but could not find the mistake.
Thanks for helping me to fix the error.

[INCLUDES]
before = paths-fedora.conf

[DEFAULT]
bantime = 1d
maxretry = 3
findtime = 10m

banaction = firewallcmd-rich-rules[actiontype=<multiport>]
banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]

#
# Ban Increments
#

# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
bantime.increment = true

# ban & send an e-mail with whois report and relevant log lines to the destemail.
action_mwl = %(action_)s
             %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]

ignoreip = 127.0.0.1/8 ::1 10.5.2.0/24

[sshd]
enabled = true
mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[postfix]
# To use another modes set filter parameter "mode" in jail.local:
enabled = true
mode = more
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[postfix-rbl]
enabled = true
filter = postfix[mode=rbl]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1

[postfix-sasl]
enabled = true
filter = postfix[mode=auth]
port = smtp,465,submission,imap,imaps,pop3,pop3s
logpath = %(postfix_log)s
backend = %(postfix_backend)s

[dovecot]
enabled = true
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s

Wolfgang Rauchholz
+34 627 994 977
https://www.linkedin.com/in/wolfgangrauchholz/
From: <fai...@fi...> - 2023-02-10 14:57:57

What do You mean by 'are they really necessary'? And yes, it's a bit scary/very complicated if You are new to regex.

You need something that filters those logfiles You will scan for whatever You want to avoid, and a lot of very skilled people have been creating many filters that are available when installing fail2ban - all for free - they should for the most part fill Your needs, and if not, then You may/can make Your own rules, either editing the rule You will use or creating Your own new rule - and You have shown You're able to test, so that's a good way of becoming more familiar with the stuff.

It's okay to ask questions, but frankly there's lots of good stuff on the web - inserted 2 examples below, and as I wrote before, read the fundamentals so You get a good knowledge of what fail2ban is and how it works (it seems as if You don't - really😉)

https://www.the-art-of-web.com/system/fail2ban-filters/
https://webdock.io/en/docs/how-guides/security-guides/how-configure-fail2ban-common-services

Cheers
/Finn

On 10-02-2023 at 15:27, Marcos A.T. Silva wrote:
> Hi again,
>
> So, I found that regex (and ignoreregex and failregex) part, as well the
> filters, a bit complicated. Are they really necessary? Or are the
> default settings enough?
>
> Sorry for asking so many questions.
>
> Thanks in advance.
>
> On Thu., 9 Feb. 2023 at 16:47, <fai...@fi...> wrote:
> > Hi Marcos.
> >
> > In the top of jail.conf / jail.local there is below settings:
> >
> > # "bantime" is the number of seconds that a host is banned.
> > bantime = 10m
> >
> > # A host is banned if it has generated "maxretry" during the last "findtime"
> > # seconds.
> > findtime = 10m
> >
> > # "maxretry" is the number of failures before a host get banned.
> > maxretry = 5
> >
> > These settings will be default if not defined in the individual jails
> >
> > Therefore read the conf files there is a lot of settings and knowledge
> >
> > And the answer to Your question is probably that it requires 5 errors
> > (maxretry = 5) in the logfile in a 10 min window (findtime = 10) to
> > trigger the jail for 10 min (bantime = 10)
> >
> > Hope this helps a bit
> >
> > /Finn
> >
> > On 09-02-2023 at 19:45, Marcos A.T. Silva wrote:
> > > Hi Finn,
> > >
> > > Understood. Thank you very much. :)
> > >
> > > I think I'll learn this one day. Well, it seems things are starting to
> > > work here.
> > >
> > > So, do you know how can I make sure that a jail is really running?
> > > Because, for example, I've enabled the sshd jail. The enabled jail is as
> > > below:
> > >
> > > ```
> > > #mode = normal
> > > port = ssh
> > > logpath = %(sshd_log)s
> > > backend = %(sshd_backend)s
> > > enabled = true
> > > ```
> > >
> > > Is the above jail correct? Do I have to put a "filter" part there or
> > > uncomment the #mode?
> > >
> > > Well, I don't know if I am testing it right. But, for example, if I run
> > > `fail2ban-client status sshd` I receive the below output:
> > >
> > > ```
> > > Status for the jail: sshd
> > > |- Filter
> > > |  |- Currently failed: 1
> > > |  |- Total failed: 1
> > > |  `- File list: /var/log/auth.log
> > > `- Actions
> > >    |- Currently banned: 0
> > >    |- Total banned: 0
> > >    `- Banned IP list:
> > > ```
> > >
> > > But I think I've tried to login at the server with a wrong passphrase
> > > for my SSH key twice, and Fail2Ban is only displaying one attempt. Is
> > > this correct?
> > >
> > > Thanks again, and sorry for the disturbance.
> > >
> > > On Thu., 9 Feb. 2023 at 15:34, fail2ban--- via Fail2ban-users <fai...@li...> wrote:
> > > > Hi Marcos
> > > >
> > > > jail.conf is holding the default settings for the jails
> > > >
> > > > jail.local is where You make Your own settings and customizations.
> > > >
> > > > When You update fail2ban jail.conf may be altered but jail.local will
> > > > not and therefore settings (enabled jails etc. will be safe)
> > > >
> > > > A good idea is to read through the /etc/fail2ban/*.conf files since the
> > > > makers have included a lot of information between the lines - some are
> > > > difficult to understand the first time but eventually You will get
> > > > better knowledge and understanding of this nice and GREAT tool.
> > > >
> > > > Regards,
> > > > /Finn
> > > >
> > > > On 09-02-2023 at 19:05, Marcos A.T. Silva wrote:
> > > > > Well, I have installed Fail2Ban from my own once I get this new Ubuntu
> > > > > server. I am using Ubuntu 20.04.
> > > > >
> > > > > I only got this working by setting jails as enabled in the jail.local
> > > > > file. The individual files in jail.d directory don't work.
> > > > >
> > > > > On Thu., 9 Feb. 2023 at 14:44, Nick Howitt via Fail2ban-users <fai...@li...> wrote:
> > > > > > Surely jail.conf should be left in place as it supplies some
> > > > > > defaults, especially if you are using a distro packaged version? I
> > > > > > don't think any jails are enabled by default but it may depend on
> > > > > > the distro.
> > > > > >
> > > > > > Then use jail.local or files in jail.d/ to enable particular filters.
> > > > > >
> > > > > > Nick
> > > > > >
> > > > > > On 09/02/2023 17:31, Mauricio Tavares wrote:
> > > > > > > On Thu, Feb 9, 2023 at 12:11 PM Marcos A.T. Silva <mar...@gm...> wrote:
> > > > > > > > Hi there,
> > > > > > > >
> > > > > > > > I really can't find enough words to express my gratitude to you all guys. :)
> > > > > > > >
> > > > > > > > I think I am finally putting this to work.
> > > > > > > >
> > > > > > > > All your suggestions and help made me understand, I think, how that works.
> > > > > > > >
> > > > > > > > I've done the following:
> > > > > > > >
> > > > > > > > 1) Once, for what I understood, jail.local always overrides jail.conf, I left all jails disabled (false) on jail.local. After that, I've renamed jail.conf to jail.conf.unused, as Lee suggested.
> > > > > > > >
> > > > > > > AFAIK jail.conf does not turn anything on; that is the job of
> > > > > > > jail.local and/or jail.d/something-here.conf
> > > > > > >
> > > > > > > > 2) Now I created a sshd.conf file in /etc/fail2ban/jail.d and put there only the content regarding the sshd jail that was in my jail.local, enabling this jail.
> > > > > > > >
> > > > > > > > 3) Finally I tried to start Fail2Ban and it worked! Thank you!
> > > > > > > >
> > > > > > > > Well, I noticed (maybe I am wrong, of course) that I need to use both `sudo fail2ban-client start` and `sudo systemctl start fail2ban` to make it start and be enabled. Is that right?
> > > > > > > >
> > > > > > > systemctl start fail2ban should have sufficed.
> > > > > > >
> > > > > > > > But I rebooted the server and systemctl status shows me that Fail2Ban is still active.
> > > > > > > >
> > > > > > > > Another question, if possible: now I have only sshd jail active, as per the above procedures. Is there a way to check if it is really running?
> > > > > > > >
> > > > > > > fail2ban-client status sshd
> > > > > > >
> > > > > > > > Thanks again.
> > > > > > > >
> > > > > > > > On Thu., 9 Feb. 2023 at 12:13, Mauricio Tavares <rau...@gm...> wrote:
> > > > > > > > > On Thu, Feb 9, 2023 at 10:11 AM L. V. Lammert <lv...@om...> wrote:
> > > > > > > > > > On Thu, 9 Feb 2023, Mauricio Tavares wrote:
> > > > > > > > > >
> > > > > > > > > > > My suggestion is to find which services you are using and then
> > > > > > > > > > > where they are writing their logs to. Take a look at jail.conf (I
> > > > > > > > > > > forgot to mention that file). Chances are there are entries for most
> > > > > > > > > > > of the services there. Case in point, the ssh services, including
> > > > > > > > > > > selinux-ssh, it knows of are
> > > > > > > > > > >
> > > > > > > > > > It appears that the fail2ban package for Ubuntu 20 is NOT very current.
> > > > > > > > > > Much simpler to manage if all of the jails are in separate files in
> > > > > > > > > > jail.d, .. not in a mile long jail.conf.
> > > > > > > > > >
> > > > > > > > > > Also, always confirm the installation of ONLY ssh, until you know what you
> > > > > > > > > > need to monitor.
> > > > > > > > > >
> > > > > > > > > FYI
> > > > > > > > >
> > > > > > > > > raub@some-debian-box:~$ cat /etc/fail2ban/jail.d/defaults-debian.conf
> > > > > > > > > [sshd]
> > > > > > > > > enabled = true
> > > > > > > > > raub@some-debian-box:~$
> > > > > > > > >
> > > > > > > > > > Lee
> > > > > > > _______________________________________________
> > > > > > > Fail2ban-users mailing list
> > > > > > > Fai...@li...
> > > > > > > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> > >
> > > --
> > > "After sleeping through a hundred million centuries we have finally
> > > opened our eyes on a sumptuous planet, sparkling with color, bountiful
> > > with life. Within decades we must close our eyes again. Isn't it a
> > > noble, an enlightened way of spending our brief time in the sun, to work
> > > at understanding the universe and how we have come to wake up in it?"
> > > [- Professor Richard Dawkins]
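Two questions run through this thread and the Rocky Linux one above it: which of jail.conf, jail.local and jail.d/*.conf actually enables a jail (and why a jail.d file that says only `enabled = true` still works), and how a `banaction = name[param=value]` line such as `firewallcmd-rich-rules[actiontype=<multiport>]` is split into an action name and its parameters. The script below is an added example, not fail2ban's own loader and not code from the thread: it models fail2ban's reading order with Python's configparser, which uses the same `%(name)s` interpolation syntax, over three constructed config files. It does not model the `[INCLUDES] before/after` mechanism that Wolfgang's `paths-fedora.conf` line relies on, nor the `.local` overlay for filter and action files.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Constructed stand-ins for the three places fail2ban reads jail settings
# from. They are not copies of any distribution's real files.
JAIL_CONF = """
[DEFAULT]
bantime = 10m
findtime = 10m
maxretry = 5
banaction = iptables-multiport
sshd_log = /var/log/auth.log

[sshd]
port = ssh
logpath = %(sshd_log)s

[postfix]
port = smtp,465,submission
logpath = /var/log/mail.log
"""

JAIL_LOCAL = """
[DEFAULT]
maxretry = 3
banaction = firewallcmd-rich-rules[actiontype=<multiport>]

[sshd]
enabled = true
"""

JAIL_D_POSTFIX = """
[postfix]
enabled = true
maxretry = 1
"""


def load_layered(confdir):
    """Read jail.conf, then jail.local, then jail.d/*.conf in sorted order.

    Later files override earlier ones key by key, so a jail.local or jail.d
    file that only says 'enabled = true' still inherits port/logpath from
    jail.conf. Nothing in jail.conf alone turns a jail on.
    """
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    order = [confdir / "jail.conf", confdir / "jail.local"]
    order += sorted((confdir / "jail.d").glob("*.conf"))
    cp.read(order)  # read() applies the files in order; later values win
    return cp


def enabled_jails(cp):
    """Jails whose effective 'enabled' value is true, in definition order."""
    return [s for s in cp.sections() if cp.getboolean(s, "enabled", fallback=False)]


# 'name' or 'name[key=value, key2=value2]' as written in banaction/action lines.
ACTION_RE = re.compile(r"^(?P<name>[\w.-]+)(?:\[(?P<params>.*)\])?$")


def parse_action(spec):
    """Split an action spec into (name, {param: value})."""
    m = ACTION_RE.match(spec.strip())
    if not m:
        raise ValueError(f"bad action spec: {spec!r}")
    params = {}
    if m.group("params"):
        for kv in m.group("params").split(","):
            key, _, value = kv.partition("=")
            params[key.strip()] = value.strip()
    return m.group("name"), params


def build_demo():
    """Write the constructed files into a temporary confdir and load them."""
    root = Path(tempfile.mkdtemp())
    (root / "jail.d").mkdir()
    (root / "jail.conf").write_text(JAIL_CONF)
    (root / "jail.local").write_text(JAIL_LOCAL)
    (root / "jail.d" / "postfix.conf").write_text(JAIL_D_POSTFIX)
    return load_layered(root)


def demo():
    cp = build_demo()
    return {
        "enabled": enabled_jails(cp),
        "sshd_maxretry": cp.getint("sshd", "maxretry"),        # 3: DEFAULT from jail.local
        "postfix_maxretry": cp.getint("postfix", "maxretry"),  # 1: jail.d override
        "sshd_logpath": cp.get("sshd", "logpath"),             # interpolated from DEFAULT
        "banaction": parse_action(cp.get("DEFAULT", "banaction")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The resolved `banaction` name is what fail2ban looks up as `action.d/<name>.conf`, so when a ban fails to execute, as in Tim's diagnosis, the first check is whether that file exists for the installed version; `fail2ban-client -d` dumps the fully merged configuration and is the quickest way to see which file won for each key.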
From: Marcos A.T. S. <mar...@gm...> - 2023-02-10 14:27:06

Hi again,

So, I found that regex (and ignoreregex and failregex) part, as well the filters, a bit complicated. Are they really necessary? Or are the default settings enough?

Sorry for asking so many questions.

Thanks in advance.

On Thu., 9 Feb. 2023 at 16:47, <fai...@fi...> wrote:
> Hi Marcos.
>
> In the top of jail.conf / jail.local there is below settings:
>
> # "bantime" is the number of seconds that a host is banned.
> bantime = 10m
>
> # A host is banned if it has generated "maxretry" during the last "findtime"
> # seconds.
> findtime = 10m
>
> # "maxretry" is the number of failures before a host get banned.
> maxretry = 5
>
> These settings will be default if not defined in the individual jails
>
> Therefore read the conf files there is a lot of settings and knowledge
>
> And the answer to Your question is probably that it requires 5 errors
> (maxretry = 5) in the logfile in a 10 min window (findtime = 10) to
> trigger the jail for 10 min (bantime = 10)
>
> Hope this helps a bit
>
> /Finn
>
> On 09-02-2023 at 19:45, Marcos A.T. Silva wrote:
> > Hi Finn,
> >
> > Understood. Thank you very much. :)
> >
> > I think I'll learn this one day. Well, it seems things are starting to
> > work here.
> >
> > So, do you know how can I make sure that a jail is really running?
> > Because, for example, I've enabled the sshd jail. The enabled jail is as
> > below:
> >
> > ```
> > #mode = normal
> > port = ssh
> > logpath = %(sshd_log)s
> > backend = %(sshd_backend)s
> > enabled = true
> > ```
> >
> > Is the above jail correct? Do I have to put a "filter" part there or
> > uncomment the #mode?
> >
> > Well, I don't know if I am testing it right. But, for example, if I run
> > `fail2ban-client status sshd` I receive the below output:
> >
> > ```
> > Status for the jail: sshd
> > |- Filter
> > |  |- Currently failed: 1
> > |  |- Total failed: 1
> > |  `- File list: /var/log/auth.log
> > `- Actions
> >    |- Currently banned: 0
> >    |- Total banned: 0
> >    `- Banned IP list:
> > ```
> >
> > But I think I've tried to login at the server with a wrong passphrase
> > for my SSH key twice, and Fail2Ban is only displaying one attempt. Is
> > this correct?
> >
> > Thanks again, and sorry for the disturbance.
> >
> > On Thu., 9 Feb. 2023 at 15:34, fail2ban--- via Fail2ban-users <fai...@li...> wrote:
> > > Hi Marcos
> > >
> > > jail.conf is holding the default settings for the jails
> > >
> > > jail.local is where You make Your own settings and customizations.
> > >
> > > When You update fail2ban jail.conf may be altered but jail.local will
> > > not and therefore settings (enabled jails etc. will be safe)
> > >
> > > A good idea is to read through the /etc/fail2ban/*.conf files since the
> > > makers have included a lot of information between the lines - some are
> > > difficult to understand the first time but eventually You will get
> > > better knowledge and understanding of this nice and GREAT tool.
> > >
> > > Regards,
> > > /Finn
> > >
> > > On 09-02-2023 at 19:05, Marcos A.T. Silva wrote:
> > > > Well, I have installed Fail2Ban from my own once I get this new Ubuntu
> > > > server. I am using Ubuntu 20.04.
> > > >
> > > > I only got this working by setting jails as enabled in the jail.local
> > > > file. The individual files in jail.d directory don't work.
> > > >
> > > > On Thu., 9 Feb. 2023 at 14:44, Nick Howitt via Fail2ban-users <fai...@li...> wrote:
> > > > > Surely jail.conf should be left in place as it supplies some
> > > > > defaults, especially if you are using a distro packaged version? I
> > > > > don't think any jails are enabled by default but it may depend on
> > > > > the distro.
> > > > >
> > > > > Then use jail.local or files in jail.d/ to enable particular filters.
> > > > >
> > > > > Nick
> > > > >
> > > > > On 09/02/2023 17:31, Mauricio Tavares wrote:
> > > > > > On Thu, Feb 9, 2023 at 12:11 PM Marcos A.T. Silva <mar...@gm...> wrote:
> > > > > > > Hi there,
> > > > > > >
> > > > > > > I really can't find enough words to express my gratitude to you all guys. :)
> > > > > > >
> > > > > > > I think I am finally putting this to work.
> > > > > > >
> > > > > > > All your suggestions and help made me understand, I think, how that works.
> > > > > > >
> > > > > > > I've done the following:
> > > > > > >
> > > > > > > 1) Once, for what I understood, jail.local always overrides jail.conf, I left all jails disabled (false) on jail.local. After that, I've renamed jail.conf to jail.conf.unused, as Lee suggested.
> > > > > > >
> > > > > > AFAIK jail.conf does not turn anything on; that is the job of
> > > > > > jail.local and/or jail.d/something-here.conf
> > > > > >
> > > > > > > 2) Now I created a sshd.conf file in /etc/fail2ban/jail.d and put there only the content regarding the sshd jail that was in my jail.local, enabling this jail.
> > > > > > >
> > > > > > > 3) Finally I tried to start Fail2Ban and it worked! Thank you!
> > > > > > >
> > > > > > > Well, I noticed (maybe I am wrong, of course) that I need to use both `sudo fail2ban-client start` and `sudo systemctl start fail2ban` to make it start and be enabled. Is that right?
> > > > > > >
> > > > > > systemctl start fail2ban should have sufficed.
> > > > > >
> > > > > > > But I rebooted the server and systemctl status shows me that Fail2Ban is still active.
> > > > > > >
> > > > > > > Another question, if possible: now I have only sshd jail active, as per the above procedures. Is there a way to check if it is really running?
> > > > > > >
> > > > > > fail2ban-client status sshd
> > > > > >
> > > > > > > Thanks again.
> > > > > > >
> > > > > > > On Thu., 9 Feb. 2023 at 12:13, Mauricio Tavares <rau...@gm...> wrote:
> > > > > > > > On Thu, Feb 9, 2023 at 10:11 AM L. V. Lammert <lv...@om...> wrote:
> > > > > > > > > On Thu, 9 Feb 2023, Mauricio Tavares wrote:
> > > > > > > > >
> > > > > > > > > > My suggestion is to find which services you are using and then
> > > > > > > > > > where they are writing their logs to. Take a look at jail.conf (I
> > > > > > > > > > forgot to mention that file). Chances are there are entries for most
> > > > > > > > > > of the services there. Case in point, the ssh services, including
> > > > > > > > > > selinux-ssh, it knows of are
> > > > > > > > > >
> > > > > > > > > It appears that the fail2ban package for Ubuntu 20 is NOT very current.
> > > > > > > > > Much simpler to manage if all of the jails are in separate files in
> > > > > > > > > jail.d, .. not in a mile long jail.conf.
> > > > > > > > >
> > > > > > > > > Also, always confirm the installation of ONLY ssh, until you know what you
> > > > > > > > > need to monitor.
> > > > > > > > >
> > > > > > > > FYI
> > > > > > > >
> > > > > > > > raub@some-debian-box:~$ cat /etc/fail2ban/jail.d/defaults-debian.conf
> > > > > > > > [sshd]
> > > > > > > > enabled = true
> > > > > > > > raub@some-debian-box:~$
> > > > > > > >
> > > > > > > > > Lee
> > > > > > _______________________________________________
> > > > > > Fail2ban-users mailing list
> > > > > > Fai...@li...
> > > > > > https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> >
> > --
> > "After sleeping through a hundred million centuries we have finally
> > opened our eyes on a sumptuous planet, sparkling with color, bountiful
> > with life. Within decades we must close our eyes again. Isn't it a
> > noble, an enlightened way of spending our brief time in the sun, to work
> > at understanding the universe and how we have come to wake up in it?"
> > [- Professor Richard Dawkins]
From: Marcos A.T. S. <mar...@gm...> - 2023-02-10 10:08:37
|
I will try that. Thank you.

On Thu, 9 Feb 2023 at 16:48, Nick Howitt via Fail2ban-users <fai...@li...> wrote:

> I have a bunch of configlets in jail.d such as:
> /etc/fail2ban/jail.d/cyrus-imap.conf:
> [cyrus-imap]
> enabled = true
> port = imap,imap3,imaps,pop3,pop3s
> maxretry = 1
> bantime = 432000
> findtime = 86400
>
> And I do all my enabling like that.
|
From: Marcos A.T. S. <mar...@gm...> - 2023-02-10 10:08:07
|
Hi Finn,

Great, thank you. I understand now. I'll check everything here.

Best Regards,
Marcos

On Thu, 9 Feb 2023 at 16:47, <fai...@fi...> wrote:

> Hi Marcos.
>
> In the top of jail.conf / jail.local there are the below settings:
>
>
> # "bantime" is the number of seconds that a host is banned.
> bantime = 10m
>
> # A host is banned if it has generated "maxretry" during the last "findtime"
> # seconds.
> findtime = 10m
>
> # "maxretry" is the number of failures before a host get banned.
> maxretry = 5
>
>
> These settings will be default if not defined in the individual jails
>
> Therefore read the conf files; there are a lot of settings and knowledge
>
> And the answer to Your question is probably that it requires 5 errors
> (maxretry = 5) in the logfile in a 10 min window (findtime = 10) to
> trigger the jail for 10 min (bantime = 10)
>
> Hope this helps a bit
>
> /Finn
|
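Finn's rule above (maxretry failures inside a findtime window trigger a ban of bantime) as an added example, not code from the thread or from fail2ban itself: a toy sliding-window model whose status() has the same fields as the `fail2ban-client status sshd` output Marcos posted. The address 203.0.113.7 and the timestamps are constructed.

```python
# Added example (not fail2ban's own code): a minimal model of how one jail
# counts failures. An address is banned once it accumulates `maxretry`
# matched failures within `findtime` seconds; the ban lasts `bantime`
# seconds. Real fail2ban matches log lines with regexes; here the "log" is a
# constructed list of (timestamp, ip) failure events so it runs offline.
from collections import defaultdict, deque


class JailModel:
    """Sliding-window model of one jail (the sshd jail in the thread)."""

    def __init__(self, maxretry=5, findtime=600, bantime=600):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self._failures = defaultdict(deque)   # ip -> timestamps of failures
        self._ban_until = {}                  # ip -> ban expiry timestamp
        self.total_failed = 0
        self.total_banned = 0

    def _expire(self, now):
        # Forget failures older than findtime and bans older than bantime.
        for ip, q in list(self._failures.items()):
            while q and now - q[0] > self.findtime:
                q.popleft()
            if not q:
                del self._failures[ip]
        for ip, until in list(self._ban_until.items()):
            if now >= until:
                del self._ban_until[ip]

    def observe(self, ip, now):
        """Record one matched failure; return True if it triggers a ban."""
        self._expire(now)
        self.total_failed += 1
        q = self._failures[ip]
        q.append(now)
        if len(q) >= self.maxretry and ip not in self._ban_until:
            self._ban_until[ip] = now + self.bantime
            self.total_banned += 1
            del self._failures[ip]      # pending failures are cleared on ban
            return True
        return False

    def status(self, now):
        """The fields fail2ban-client prints: 'Currently failed' counts
        addresses with pending failures, 'Total failed' counts matched lines."""
        self._expire(now)
        return {
            "currently_failed": len(self._failures),
            "total_failed": self.total_failed,
            "currently_banned": len(self._ban_until),
            "total_banned": self.total_banned,
            "banned_ip_list": sorted(self._ban_until),
        }


def marcos_scenario():
    """Two failures 30 s apart against the defaults: counted, but no ban."""
    jail = JailModel(maxretry=5, findtime=600, bantime=600)
    jail.observe("203.0.113.7", 1000)   # constructed address (TEST-NET-3)
    jail.observe("203.0.113.7", 1030)
    return jail.status(1060)


def burst_scenario():
    """Five failures one minute apart: the fifth bans, the ban lapses after bantime."""
    jail = JailModel(maxretry=5, findtime=600, bantime=600)
    banned_at = None
    for i in range(5):
        if jail.observe("203.0.113.7", 1000 + 60 * i):
            banned_at = 1000 + 60 * i
    during = jail.status(banned_at + 1)
    after = jail.status(banned_at + 600)
    return banned_at, during, after


def spread_scenario():
    """Five failures 200 s apart: never maxretry of them inside one findtime window."""
    jail = JailModel(maxretry=5, findtime=600, bantime=600)
    for i in range(5):
        jail.observe("203.0.113.7", 1000 + 200 * i)
    return jail.status(1800)
```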
From: Marcos A.T. S. <mar...@gm...> - 2023-02-10 10:06:49
|
Understood. Thank you, I will check that.

On Thu, 9 Feb 2023 at 16:42, Nick Howitt via Fail2ban-users <fai...@li...> wrote:

> If the three lines port, logpath and backend are the same in jail.conf,
> you don't need them in jail.local. Jail.local only overrides the parameters
> you specify; otherwise it gets them from jail.conf.
>
> On 09/02/2023 19:34, Marcos A.T. Silva wrote:
> > Hi,
> >
> > So, regarding jail.local and the sshd jail, the content is below:
> >
> > [sshd]
> >
> > # To use more aggressive sshd modes set filter parameter "mode" in jail.local:
> > # normal (default), ddos, extra or aggressive (combines all).
> > # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
> > #mode = normal
> > port = ssh
> > logpath = %(sshd_log)s
> > backend = %(sshd_backend)s
> > enabled = true
> >
> > I think the above is overriding jail.conf. As the jail.conf file does not
> > have a line `enabled` (with true or false values) for any of the jails, I
> > also suppose anyway that jail.local is overriding that. Is this right?
|
From: Marcos A.T. S. <mar...@gm...> - 2023-02-10 10:05:45
|
I will try. Thank you Lee.

On Thu, 9 Feb 2023 at 16:37, L. V. Lammert <lv...@om...> wrote:

> On Thu, 9 Feb 2023, Marcos A.T. Silva wrote:
>
> > I think the above is overriding jail.conf. As the jail.conf file does not
> > have a line `enabled` (with true or false values) for any of the jails, I
> > also suppose anyway that jail.local is overriding that. Is this right?
> >
> Prevent confusion and move all of your jails into jails.d/<jailname>.conf.
>
> Lee
|
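How jail.conf, jail.d/*.conf and jail.local layer into one effective jail, as an added example (mine, not fail2ban's own parser) covering Nick's configlet style, his "all you need is enabled = true in jail.local" point and Lee's one-file-per-jail advice. It assumes the read order jail.conf, jail.d/*.conf, jail.local, jail.d/*.local described in jail.conf(5); the file contents are constructed stand-ins (real fail2ban defines sshd_log and sshd_backend in paths-*.conf).

```python
# Added example (not fail2ban's code): model the layering of the jail files
# the thread argues about. configparser merges files in read order, so a
# later file overrides only the keys it sets, and [DEFAULT] supplies every
# key a jail section leaves unset, which is also how jail.conf works.
import configparser
import glob
import os
import tempfile

# Constructed stand-in for the distro's jail.conf: defaults plus two jails
# that are not enabled here (the real file is far longer).
CONSTRUCTED_JAIL_CONF = """\
[DEFAULT]
bantime  = 10m
findtime = 10m
maxretry = 5
enabled  = false
sshd_log = /var/log/auth.log
sshd_backend = systemd

[sshd]
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[cyrus-imap]
port    = imap,imap3,imaps,pop3,pop3s
logpath = /var/log/mail.log
"""

# Nick's configlet style: one file per jail under jail.d/ (values from his post).
CONSTRUCTED_CYRUS_CONFIGLET = """\
[cyrus-imap]
enabled  = true
maxretry = 1
bantime  = 432000
findtime = 86400
"""

# Marcos's jail.local reduced to the single override Nick said is needed.
CONSTRUCTED_JAIL_LOCAL = """\
[sshd]
enabled = true
"""


def write_constructed_tree(root):
    """Lay out jail.conf, jail.d/cyrus-imap.conf and jail.local under root."""
    os.makedirs(os.path.join(root, "jail.d"), exist_ok=True)
    files = {
        "jail.conf": CONSTRUCTED_JAIL_CONF,
        os.path.join("jail.d", "cyrus-imap.conf"): CONSTRUCTED_CYRUS_CONFIGLET,
        "jail.local": CONSTRUCTED_JAIL_LOCAL,
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)


def read_order(root):
    """Files in the order the jail configuration is layered (assumed, see lead-in)."""
    order = [os.path.join(root, "jail.conf")]
    order += sorted(glob.glob(os.path.join(root, "jail.d", "*.conf")))
    order.append(os.path.join(root, "jail.local"))
    order += sorted(glob.glob(os.path.join(root, "jail.d", "*.local")))
    return [p for p in order if os.path.isfile(p)]


def load_jails(root):
    """Merge the layers; BasicInterpolation expands %(sshd_log)s-style references."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read(read_order(root))
    return cp


def effective_jail(root, name):
    """Resolved settings for one jail, including values inherited from [DEFAULT]."""
    return dict(load_jails(root).items(name))


def enabled_jails(root):
    """Names of jails whose effective 'enabled' is true (what the server would start)."""
    cp = load_jails(root)
    return [s for s in cp.sections() if cp.getboolean(s, "enabled")]


def demo():
    """Build the constructed tree in a scratch directory and resolve both jails."""
    root = tempfile.mkdtemp(prefix="f2b-example-")
    write_constructed_tree(root)
    return {
        "order": [os.path.basename(p) for p in read_order(root)],
        "sshd": effective_jail(root, "sshd"),
        "cyrus-imap": effective_jail(root, "cyrus-imap"),
        "enabled": sorted(enabled_jails(root)),
    }
```

Running demo() shows sshd picking up port, logpath and backend from jail.conf while jail.local flips only enabled, and cyrus-imap taking its thresholds from the configlet.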
From: Nick H. <ni...@ho...> - 2023-02-09 19:47:40
|
I have a bunch of configlets in jail.d such as:

/etc/fail2ban/jail.d/cyrus-imap.conf:
[cyrus-imap]
enabled = true
port = imap,imap3,imaps,pop3,pop3s
maxretry = 1
bantime = 432000
findtime = 86400

And I do all my enabling like that.

On 09/02/2023 19:36, fail2ban--- via Fail2ban-users wrote:
> Hi Nick.
>
> I do not agree it's misinformation but otherwise You're right
> (below taken from top of jail.conf file)
>
> # HOW TO ACTIVATE JAILS:
> #
> # YOU SHOULD NOT MODIFY THIS FILE.
> #
> # It will probably be overwritten or improved in a distribution update.
> #
> # Provide customizations in a jail.local file or a jail.d/customisation.local.
> # For example to change the default bantime for all jails and to enable the
> # ssh-iptables jail the following (uncommented) would appear in the .local file.
> # See man 5 jail.conf for details.
>
> /Finn
>
> On 09-02-2023 at 19:59, Nick Howitt via Fail2ban-users wrote:
>> There is some misinformation here. Jails can be enabled via
>> configlets in jail.d/ as well as overrides in jail.local.
>>
>> Anyway, what is your full jail config in jail.local? All you need is:
>> [sshd]
>> enabled = true
>>
>> It will pull everything else from jail.conf. Anything else you put
>> here will override anything in jail.conf so it is up to you if you
>> want to accept the default settings in jail.conf or override them.
>>
>> On 09/02/2023 18:45, Marcos A.T. Silva wrote:
>>> Hi Finn,
>>>
>>> Understood. Thank you very much. :)
>>>
>>> I think I'll learn this one day. Well, it seems things are starting
>>> to work here.
>>>
>>> So, do you know how I can make sure that a jail is really running?
>>> Because, for example, I've enabled the sshd jail. The enabled jail
>>> is as below:
>>>
>>> ```
>>> #mode = normal
>>> port = ssh
>>> logpath = %(sshd_log)s
>>> backend = %(sshd_backend)s
>>> enabled = true
>>> ```
>>>
>>> Is the above jail correct? Do I have to put a "filter" part there or
>>> uncomment the #mode?
>>>
>>> Well, I don't know if I am testing it right. But, for example, if I
>>> run `fail2ban-client status sshd` I receive the below output:
>>>
>>> ```
>>> Status for the jail: sshd
>>> |- Filter
>>> |  |- Currently failed: 1
>>> |  |- Total failed:     1
>>> |  `- File list:        /var/log/auth.log
>>> `- Actions
>>>    |- Currently banned: 0
>>>    |- Total banned:     0
>>>    `- Banned IP list:
>>> ```
>>>
>>> But I think I've tried to log in at the server with a wrong
>>> passphrase for my SSH key twice, and Fail2Ban is only displaying one
>>> attempt. Is this correct?
>>>
>>> Thanks again, and sorry for the disturbance.
>>>
>>> On Thu, 9 Feb 2023 at 15:34, fail2ban--- via Fail2ban-users
>>> <fai...@li...> wrote:
>>>> Hi Marcos
>>>>
>>>> jail.conf is holding the default settings for the jails
>>>>
>>>> jail.local is where You make Your own settings and customizations.
>>>>
>>>> When You update fail2ban jail.conf may be altered but jail.local will
>>>> not and therefore settings (enabled jails etc.) will be safe
>>>>
>>>> A good idea is to read through the /etc/fail2ban/*.conf files since the
>>>> makers have included a lot of information between the lines - some are
>>>> difficult to understand the first time but eventually You will get
>>>> better knowledge and understanding of this nice and GREAT tool.
>>>>
>>>> Regards,
>>>> /Finn
>>>>
>>>> On 09-02-2023 at 19:05, Marcos A.T. Silva wrote:
>>>>> Well, I have installed Fail2Ban on my own once I got this new Ubuntu
>>>>> server. I am using Ubuntu 20.04.
>>>>>
>>>>> I only got this working by setting jails as enabled in the jail.local
>>>>> file. The individual files in the jail.d directory don't work.
>>>>>
>>>>> On Thu, 9 Feb 2023 at 14:44, Nick Howitt via Fail2ban-users
>>>>> <fai...@li...> wrote:
>>>>>> Surely jail.conf should be left in place as it supplies some
>>>>>> defaults, especially if you are using a distro packaged version? I
>>>>>> don't think any jails are enabled by default but it may depend on
>>>>>> the distro.
>>>>>>
>>>>>> Then use jail.local or files in jail.d/ to enable particular filters.
>>>>>>
>>>>>> Nick
>>>>>>
>>>>>> On 09/02/2023 17:31, Mauricio Tavares wrote:
>>>>>>> On Thu, Feb 9, 2023 at 12:11 PM Marcos A.T. Silva <mar...@gm...> wrote:
>>>>>>>> Hi there,
>>>>>>>>
>>>>>>>> I really can't find enough words to express my gratitude to you all guys. :)
>>>>>>>>
>>>>>>>> I think I am finally putting this to work.
>>>>>>>>
>>>>>>>> All your suggestions and help made me understand, I think, how that works.
>>>>>>>>
>>>>>>>> I've done the following:
>>>>>>>>
>>>>>>>> 1) Once, for what I understood, jail.local always overrides jail.conf,
>>>>>>>> I left all jails disabled (false) on jail.local. After that, I've renamed
>>>>>>>> jail.conf to jail.conf.unused, as Lee suggested.
>>>>>>>>
>>>>>>> AFAIK jail.conf does not turn anything on; that is the job of
>>>>>>> jail.local and/or jail.d/something-here.conf
>>>>>>>
>>>>>>>> 2) Now I created a sshd.conf file in /etc/fail2ban/jail.d and put there
>>>>>>>> only the content regarding the sshd jail that was in my jail.local,
>>>>>>>> enabling this jail.
>>>>>>>>
>>>>>>>> 3) Finally I tried to start Fail2Ban and it worked! Thank you!
>>>>>>>>
>>>>>>>> Well, I noticed (maybe I am wrong, of course) that I need to use both
>>>>>>>> `sudo fail2ban-client start` and `sudo systemctl start fail2ban` to make
>>>>>>>> it start and be enabled. Is that right?
>>>>>>>>
>>>>>>> systemctl start fail2ban should have sufficed.
>>>>>>>
>>>>>>>> But I rebooted the server and systemctl status shows me that Fail2Ban
>>>>>>>> is still active.
>>>>>>>>
>>>>>>>> Another question, if possible: now I have only the sshd jail active, as
>>>>>>>> per the above procedures. Is there a way to check if it is really running?
>>>>>>>>
>>>>>>> fail2ban-client status sshd
>>>>>>>
>>>>>>>> Thanks again.
>>>>>>>>
>>>>>>>> On Thu, 9 Feb 2023 at 12:13, Mauricio Tavares <rau...@gm...> wrote:
>>>>>>>>> On Thu, Feb 9, 2023 at 10:11 AM L. V. Lammert <lv...@om...> wrote:
>>>>>>>>>> On Thu, 9 Feb 2023, Mauricio Tavares wrote:
>>>>>>>>>>
>>>>>>>>>>> My suggestion is to find which services you are using and then
>>>>>>>>>>> where they are writing their logs to. Take a look at jail.conf (I
>>>>>>>>>>> forgot to mention that file). Chances are there are entries for most
>>>>>>>>>>> of the services there. Case in point, the ssh services, including
>>>>>>>>>>> selinux-ssh, it knows of are
>>>>>>>>>>>
>>>>>>>>>> It appears that the fail2ban package for Ubuntu 20 is NOT very current.
>>>>>>>>>> Much simpler to manage if all of the jails are in separate files in
>>>>>>>>>> jail.d, .. not in a mile long jail.conf.
>>>>>>>>>>
>>>>>>>>>> Also, always confirm the installation of ONLY ssh, until you know what you
>>>>>>>>>> need to monitor.
>>>>>>>>>>
>>>>>>>>> FYI
>>>>>>>>>
>>>>>>>>> raub@some-debian-box:~$ cat /etc/fail2ban/jail.d/defaults-debian.conf
>>>>>>>>> [sshd]
>>>>>>>>> enabled = true
>>>>>>>>> raub@some-debian-box:~$
>>>>>>>>>
>>>>>>>>>> Lee
>>>>>>> _______________________________________________
>>>>>>> Fail2ban-users mailing list
>>>>>>> Fai...@li...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>>>
>>>> --
>>>> "After sleeping through a hundred million centuries we have finally
>>>> opened our eyes on a sumptuous planet, sparkling with color, bountiful
>>>> with life. Within decades we must close our eyes again. Isn't it a
>>>> noble, an enlightened way of spending our brief time in the sun, to work
>>>> at understanding the universe and how we have come to wake up in it?"
>>>> [- Professor Richard Dawkins]
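The layering the thread keeps circling back to (jail.conf holds defaults, jail.local and jail.d/*.conf switch jails on and override only the keys they name), as an added Python example that is not code from the thread or from fail2ban. It assumes the load order jail.conf, jail.d/*.conf, jail.local, jail.d/*.local, and uses constructed file contents standing in for /etc/fail2ban.

```python
"""Model of how fail2ban layers jail configuration (added example, not
fail2ban's own code).  Assumed load order, later files override earlier
ones key by key: jail.conf, jail.d/*.conf, jail.local, jail.d/*.local.
The file contents below are constructed stand-ins for /etc/fail2ban."""
import configparser
import fnmatch
from typing import Dict, Iterator, List, Mapping

# Constructed stand-ins.  jail.conf defines every jail but enables none;
# jail.local and the jail.d configlet each switch on one jail, and the
# configlet also overrides the three timing defaults for its jail.
FILES: Dict[str, str] = {
    "jail.conf": """
[DEFAULT]
bantime = 10m
findtime = 10m
maxretry = 5
sshd_log = /var/log/auth.log
sshd_backend = auto

[sshd]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

[cyrus-imap]
port = imap,imap3,imaps,pop3,pop3s
logpath = /var/log/mail.log
""",
    "jail.local": """
[sshd]
enabled = true
""",
    "jail.d/cyrus-imap.conf": """
[cyrus-imap]
enabled = true
maxretry = 1
bantime = 432000
findtime = 86400
""",
}


def load_order(files: Mapping[str, str]) -> Iterator[str]:
    """Yield the file names present in `files` in the assumed precedence order."""
    if "jail.conf" in files:
        yield "jail.conf"
    yield from sorted(fnmatch.filter(files, "jail.d/*.conf"))
    if "jail.local" in files:
        yield "jail.local"
    yield from sorted(fnmatch.filter(files, "jail.d/*.local"))


def merge(files: Mapping[str, str]) -> configparser.ConfigParser:
    """Read every layer into one parser.  configparser merges sections across
    reads, so a key set in a later file replaces the earlier value and a key
    never mentioned again keeps its jail.conf default.  %(name)s references
    resolve against [DEFAULT], as in the real files."""
    parser = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for name in load_order(files):
        parser.read_string(files[name], source=name)
    return parser


def effective_jail(files: Mapping[str, str], jail: str) -> Dict[str, str]:
    """The settings the named jail ends up with, inherited defaults included."""
    return dict(merge(files)[jail])


def enabled_jails(files: Mapping[str, str]) -> List[str]:
    """Jails whose effective 'enabled' is true.  jail.conf alone yields none,
    which is why a jail.local or jail.d entry is needed to activate anything."""
    parser = merge(files)
    return sorted(s for s in parser.sections()
                  if parser.getboolean(s, "enabled", fallback=False))


if __name__ == "__main__":
    for jail in enabled_jails(FILES):
        print(jail, effective_jail(FILES, jail))
```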
From: <fai...@fi...> - 2023-02-09 19:47:36
Hi Marcos.

In the top of jail.conf / jail.local there are the settings below:

# "bantime" is the number of seconds that a host is banned.
bantime = 10m

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m

# "maxretry" is the number of failures before a host gets banned.
maxretry = 5

These settings will be the default if not defined in the individual jails.
Therefore read the conf files; there are a lot of settings and knowledge in them.

And the answer to Your question is probably that it requires 5 errors
(maxretry = 5) in the logfile in a 10 min window (findtime = 10) to trigger
the jail for 10 min (bantime = 10).

Hope this helps a bit
/Finn

On 09-02-2023 at 19:45, Marcos A.T. Silva wrote:
> Hi Finn,
>
> Understood. Thank you very much. :)
>
> I think I'll learn this one day. Well, it seems things are starting to
> work here.
>
> So, do you know how I can make sure that a jail is really running?
> Because, for example, I've enabled the sshd jail. The enabled jail is as
> below:
>
> ```
> #mode = normal
> port = ssh
> logpath = %(sshd_log)s
> backend = %(sshd_backend)s
> enabled = true
> ```
>
> Is the above jail correct? Do I have to put a "filter" part there or
> uncomment the #mode?
>
> Well, I don't know if I am testing it right. But, for example, if I run
> `fail2ban-client status sshd` I receive the below output:
>
> ```
> Status for the jail: sshd
> |- Filter
> |  |- Currently failed: 1
> |  |- Total failed:     1
> |  `- File list:        /var/log/auth.log
> `- Actions
>    |- Currently banned: 0
>    |- Total banned:     0
>    `- Banned IP list:
> ```
>
> But I think I've tried to log in at the server with a wrong passphrase
> for my SSH key twice, and Fail2Ban is only displaying one attempt. Is
> this correct?
>
> Thanks again, and sorry for the disturbance.
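Finn's rule (5 failures inside a 10 minute window, then a 10 minute ban), as an added Python example that is not fail2ban's code: a sliding-window model replayed over constructed failure timestamps, showing why two attempts never trip the defaults and why Nick's cyrus-imap configlet (maxretry = 1, bantime = 432000) bans on the first one. Real fail2ban matches log lines with filter regexes first; here the input is already the list of per-host failure times.

```python
"""Sliding-window model of maxretry / findtime / bantime (added example,
not fail2ban's own code).  Input is a constructed list of (host, unix
time) failures; real fail2ban derives these from filter regex matches."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def parse_time(value: str) -> int:
    """Convert a jail.conf duration such as '10m', '432000' or '5d' to seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    value = value.strip()
    if value[-1].isdigit():          # bare number: already seconds
        return int(value)
    return int(value[:-1]) * units[value[-1]]


@dataclass
class Jail:
    """One jail with the jail.conf defaults Finn quotes; override per jail."""
    maxretry: int = 5
    findtime: int = parse_time("10m")
    bantime: int = parse_time("10m")
    failures: Dict[str, List[int]] = field(default_factory=dict)
    banned_until: Dict[str, int] = field(default_factory=dict)

    def observe(self, host: str, ts: int) -> bool:
        """Record one matched failure at time ts; return True if it triggers
        a ban.  Failures older than findtime drop out of the window, so five
        attempts spread over an hour never count as five."""
        if self.banned_until.get(host, -1) > ts:
            return False             # already banned; model does not extend bans
        window = [t for t in self.failures.get(host, []) if ts - t <= self.findtime]
        window.append(ts)
        self.failures[host] = window
        if len(window) >= self.maxretry:
            self.banned_until[host] = ts + self.bantime
            self.failures[host] = []  # counter resets once the ban is issued
            return True
        return False

    def currently_failed(self, host: str, now: int) -> int:
        """What 'Currently failed' would show for host at time now."""
        return sum(1 for t in self.failures.get(host, []) if now - t <= self.findtime)


def replay(events: List[Tuple[str, int]], jail: Jail) -> List[Tuple[str, int]]:
    """Feed (host, ts) failures in time order; return the bans as (host, ts)."""
    return [(h, t) for h, t in sorted(events, key=lambda e: e[1]) if jail.observe(h, t)]


# Constructed failure times in seconds.  Host .10: two failures, the case in
# the thread, no ban.  Host .20: five failures within four minutes, banned on
# the fifth.  Host .30: five failures spaced ~12 minutes apart, never five in
# one findtime window.
EVENTS = [
    ("192.0.2.10", 0), ("192.0.2.10", 30),
    ("192.0.2.20", 100), ("192.0.2.20", 160), ("192.0.2.20", 220),
    ("192.0.2.20", 280), ("192.0.2.20", 340),
    ("192.0.2.30", 0), ("192.0.2.30", 700), ("192.0.2.30", 1400),
    ("192.0.2.30", 2100), ("192.0.2.30", 2800),
]

if __name__ == "__main__":
    jail = Jail()
    print("bans under defaults:", replay(EVENTS, jail))
    print("192.0.2.10 currently failed at t=60:", jail.currently_failed("192.0.2.10", 60))
```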
From: Nick H. <ni...@ho...> - 2023-02-09 19:41:36
If the three lines port, logpath and backend are the same in jail.conf, you
don't need them in jail.local. jail.local only overrides the parameters you
specify; otherwise it gets them from jail.conf.

On 09/02/2023 19:34, Marcos A.T. Silva wrote:
> Hi,
>
> So, regarding jail.local and the sshd jail, the content is below:
>
> [sshd]
>
> # To use more aggressive sshd modes set filter parameter "mode" in jail.local:
> # normal (default), ddos, extra or aggressive (combines all).
> # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
> #mode = normal
> port = ssh
> logpath = %(sshd_log)s
> backend = %(sshd_backend)s
> enabled = true
>
> I think the above is overriding jail.conf. As the jail.conf file does
> not have a line `enabled` (with true or false values) for any of the
> jails, I also suppose anyway that jail.local is overriding that. Is
> this right?
From: L. V. L. <lv...@om...> - 2023-02-09 19:38:05
On Thu, 9 Feb 2023, Marcos A.T. Silva wrote:

> I think the above is overriding jail.conf. As the jail.conf file does not
> have a line `enabled` (with true or false values) for any of the jails, I
> also suppose anyway that jail.local is overriding that. Is this right?
>
Prevent confusion and move all of your jails into jail.d/<jailname>.conf.

Lee
From: <fai...@fi...> - 2023-02-09 19:36:44
Hi Nick.

I do not agree it's misinformation but otherwise You're right
(below taken from top of jail.conf file)

# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.

/Finn

On 09-02-2023 at 19:59, Nick Howitt via Fail2ban-users wrote:
> There is some misinformation here. Jails can be enabled via configlets
> in jail.d/ as well as overrides in jail.local.
>
> Anyway, what is your full jail config in jail.local? All you need is:
> [sshd]
> enabled = true
>
> It will pull everything else from jail.conf. Anything else you put here
> will override anything in jail.conf so it is up to you if you want to
> accept the default settings in jail.conf or override them.
From: Marcos A.T. S. <mar...@gm...> - 2023-02-09 19:34:46
Hi,

So, regarding jail.local and the sshd jail, the content is below:

```
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
```

I think the above is overriding jail.conf. As the jail.conf file does not have an `enabled` line (with a true or false value) for any of the jails, I also suppose anyway that jail.local is overriding that. Is this right?

On Thu, 9 Feb 2023 at 15:59, Nick Howitt via Fail2ban-users <fai...@li...> wrote:
> There is some misinformation here. Jails can be enabled via configlets in
> jail.d/ as well as overrides in jail.local.
>
> Anyway, what is your full jail config in jail.local? All you need is:
> [sshd]
> enabled = true
>
> It will pull everything else from jail.conf. Anything else you put here
> will override anything in jail.conf so it is up to you if you want to
> accept the default settings in jail.conf or override them.
From: Nick H. <ni...@ho...> - 2023-02-09 18:59:15
There is some misinformation here. Jails can be enabled via configlets in jail.d/ as well as overrides in jail.local.

Anyway, what is your full jail config in jail.local? All you need is:

[sshd]
enabled = true

It will pull everything else from jail.conf. Anything else you put here will override anything in jail.conf, so it is up to you if you want to accept the default settings in jail.conf or override them.

On 09/02/2023 18:45, Marcos A.T. Silva wrote:
> Hi Finn,
>
> Understood. Thank you very much. :)
>
> I think I'll learn this one day. Well, it seems things are starting to
> work here.
>
> So, do you know how I can make sure that a jail is really running?
> Because, for example, I've enabled the sshd jail. The enabled jail is
> as below:
>
> ```
> #mode = normal
> port = ssh
> logpath = %(sshd_log)s
> backend = %(sshd_backend)s
> enabled = true
> ```
>
> Is the above jail correct? Do I have to put a "filter" part there or
> uncomment the #mode?
>
> Well, I don't know if I am testing it right. But, for example, if I
> run `fail2ban-client status sshd` I receive the below output:
>
> ```
> Status for the jail: sshd
> |- Filter
> |  |- Currently failed: 1
> |  |- Total failed:     1
> |  `- File list:        /var/log/auth.log
> `- Actions
>    |- Currently banned: 0
>    |- Total banned:     0
>    `- Banned IP list:
> ```
>
> But I think I've tried to log in to the server with a wrong passphrase
> for my SSH key twice, and Fail2Ban is only displaying one attempt. Is
> this correct?
>
> Thanks again, and sorry for the disturbance.

--
"After sleeping through a hundred million centuries we have finally opened our eyes on a sumptuous planet, sparkling with color, bountiful with life. Within decades we must close our eyes again. Isn't it a noble, an enlightened way of spending our brief time in the sun, to work at understanding the universe and how we have come to wake up in it?" [- Professor Richard Dawkins]
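The precedence Nick describes, modelled as an added Python example that is not fail2ban's own code: it assumes fail2ban's documented read order (jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local) and uses constructed sample files, so the paths and values are illustrative; `effective_config` reports, for every setting, which file is actually the one in effect.

```python
"""Added example (not fail2ban's code): how fail2ban layers jail settings.
fail2ban reads jail.conf, then jail.d/*.conf, then jail.local, then
jail.d/*.local; later files override earlier ones key by key, so a file
holding only `[sshd] enabled = true` inherits the rest from jail.conf."""
import configparser
import glob
import os
import tempfile
import textwrap

READ_ORDER = ("jail.conf", "jail.d/*.conf", "jail.local", "jail.d/*.local")


def effective_config(confdir):
    """Return (merged parser, provenance): provenance maps (section, key)
    to the relative path of the last file that set it, i.e. the winner."""
    files = [p for pat in READ_ORDER for p in sorted(glob.glob(os.path.join(confdir, pat)))]
    provenance = {}
    for path in files:
        # default_section renamed so [DEFAULT] is listed like any other section
        layer = configparser.ConfigParser(interpolation=None,
                                          default_section="__none__")
        layer.read(path)
        for section in layer.sections():
            for key in layer[section]:
                provenance[(section, key)] = os.path.relpath(path, confdir)
    merged = configparser.ConfigParser()  # resolves %(sshd_log)s via [DEFAULT]
    merged.read(files)
    return merged, provenance


def enabled_jails(merged):
    """Jails whose effective `enabled` is true: the ones fail2ban would start."""
    return sorted(s for s in merged.sections()
                  if merged.getboolean(s, "enabled", fallback=False))


# Constructed sample layers mirroring the thread: jail.conf disabling every
# jail in [DEFAULT], the Debian package's jail.d configlet enabling sshd, and
# an admin's jail.local that enables sshd again and lowers maxretry.
SAMPLE_LAYERS = {
    "jail.conf": """\
        [DEFAULT]
        enabled = false
        bantime = 10m
        maxretry = 5
        sshd_log = /var/log/auth.log
        sshd_backend = auto

        [sshd]
        port = ssh
        logpath = %(sshd_log)s
        backend = %(sshd_backend)s

        [nginx-http-auth]
        logpath = /var/log/nginx/error.log
        """,
    "jail.d/defaults-debian.conf": "[sshd]\nenabled = true\n",
    "jail.local": "[sshd]\nenabled = true\nmaxretry = 3\n",
}


def demo(layers=SAMPLE_LAYERS):
    """Write the layers to a scratch dir and report what sshd resolves to."""
    with tempfile.TemporaryDirectory() as confdir:
        for rel, body in layers.items():
            os.makedirs(os.path.dirname(os.path.join(confdir, rel)), exist_ok=True)
            with open(os.path.join(confdir, rel), "w") as fh:
                fh.write(textwrap.dedent(body))
        merged, prov = effective_config(confdir)
        sshd = {}
        for key in ("enabled", "logpath", "backend", "maxretry", "bantime"):
            source = prov.get(("sshd", key), prov.get(("DEFAULT", key)))
            sshd[key] = (merged.get("sshd", key), source)
        return {"enabled": enabled_jails(merged), "sshd": sshd}
```

The model ignores the `[INCLUDES] before = paths-*.conf` directive at the top of the real jail.conf, so on a live /etc/fail2ban read the `%(...)s` references with `merged.get(..., raw=True)` or they will not resolve.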
From: Marcos A.T. S. <mar...@gm...> - 2023-02-09 18:45:26
Hi Finn,

Understood. Thank you very much. :)

I think I'll learn this one day. Well, it seems things are starting to work here.

So, do you know how I can make sure that a jail is really running? Because, for example, I've enabled the sshd jail. The enabled jail is as below:

```
#mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
```

Is the above jail correct? Do I have to put a "filter" part there or uncomment the #mode?

Well, I don't know if I am testing it right. But, for example, if I run `fail2ban-client status sshd` I receive the below output:

```
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     1
|  `- File list:        /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
```

But I think I've tried to log in to the server with a wrong passphrase for my SSH key twice, and Fail2Ban is only displaying one attempt. Is this correct?

Thanks again, and sorry for the disturbance.

On Thu, 9 Feb 2023 at 15:34, fail2ban--- via Fail2ban-users <fai...@li...> wrote:
> Hi Marcos
>
> jail.conf is holding the default settings for the jails
>
> jail.local is where You make Your own settings and customizations.
>
> When You update fail2ban jail.conf may be altered but jail.local will
> not and therefore settings (enabled jails etc.) will be safe.
>
> A good idea is to read through the /etc/fail2ban/*.conf files since the
> makers have included a lot of information between the lines - some are
> difficult to understand the first time but eventually You will get
> better knowledge and understanding of this nice and GREAT tool.
>
> Regards,
> /Finn