Fail2Ban (Debian): Unterschied zwischen den Versionen
Matt (Diskussion | Beiträge) |
Matt (Diskussion | Beiträge) Keine Bearbeitungszusammenfassung |
||
| (10 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
This article contains instructions for installation, configuration and monitoring of Fail2Ban on Debian. | |||
== Basic Commands Cheat Sheet == | |||
=== Check Status === | |||
Show status of Fail2Ban and which jails are active: | |||
fail2ban-client status | |||
Show statistics of all active jails as a table: | |||
fail2ban-client stats | |||
Sample output: | |||
║ ║ Filter ║ Actions | |||
Jail ║ Backend ╟─────────────╫─────────── | |||
║ ║ cur │ tot ║ cur │ tot | |||
═════════════════════╬══════════╬═════════════╬═══════════ | |||
apache-auth ║ polling ║ 35 │ 18985 ║ 42 │ 862 | |||
apache-botsearch ║ polling ║ 8 │ 12 ║ 4 │ 10 | |||
apache-noscript ║ polling ║ 49 │ 242 ║ 42 │ 57 | |||
sshd ║ systemd ║ 187 │ 1719 ║ 735 │ 966 | |||
═════════════════════╩══════════╩═════════════╩═══════════ | |||
Show status of a particular jail, i.e. sshd, including some stats and a list of blocked ips: | |||
fail2ban-client status <jail> | |||
fail2ban-client status sshd | |||
Sample output: | |||
Status for the jail: sshd | |||
|- Filter | |||
| |- Currently failed: 187 | |||
| |- Total failed: 1719 | |||
| `- Journal matches: _SYSTEMD_UNIT=ssh.service + _COMM=sshd | |||
`- Actions | |||
|- Currently banned: 735 | |||
|- Total banned: 966 | |||
`- Banned IP list: 1.238.106.229 1.55.33.86 101.100.194.199 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx ... | |||
Here we see that banned were 594, but currently banned are none. | |||
Show banned ip addresses and in which jail they are: | |||
fail2ban-client banned | |||
=== Examine a IP Address in More Detail === | |||
Show in which jails a given ip addresses are banned: | |||
fail2ban-client banned <IP> [<IP> <IP>] | |||
Show banned ip addresses for a given jail and also their release time: | |||
fail2ban-client get <jail> banip --with-time | |||
Filter for a given ip address if needed: | |||
fail2ban-client get <jail> banip --with-time | grep <IP> | |||
=== Manuell Adressen hinzufügen === | |||
Beispiel, um manuell IP-Adressen in den Jail SSHD zu bannen oder dort zu entfernen: | |||
fail2ban-client set sshd banip <IP> | |||
fail2ban-client set sshd unbanip <IP> | |||
== Installation == | == Installation == | ||
apt-get install fail2ban | apt-get install fail2ban | ||
== Konfiguration == | == Konfiguration == | ||
=== Erweiterung der Konfiguration === | |||
Konfigurationsfiles im Lieferumfang: | Konfigurationsfiles im Lieferumfang: | ||
/etc/fail2ban/fail2ban.conf | /etc/fail2ban/fail2ban.conf | ||
| Zeile 23: | Zeile 65: | ||
Es muss darauf geachtet werden, dass die Dateien immer Abschnitte in Eckigen klammern haben. | Es muss darauf geachtet werden, dass die Dateien immer Abschnitte in Eckigen klammern haben. | ||
Permanenter Ban wird umgesetzt indem man bantime auf einen negativen Wert setzt. | Permanenter Ban wird umgesetzt indem man bantime auf einen negativen Wert setzt, z.B. -1 | ||
== | |||
=== Finetuning === | |||
fail2ban | Bei Fehlermeldungen im Log: | ||
Dec 31 20:00:00 server sshd[23400]: Connection closed by xxx.xxx.xxx.xxx port xxxxx [preauth] | |||
Erweiterung Parameter <code>failregex</code> in datei <code>/etc/fail2ban/filter.d/sshd.conf</code> um folgende Zeile: | |||
. | ^%(__prefix_line)sConnection closed by <HOST> port \d+ \[preauth\]$ | ||
== Developing Fail2Ban Filters == | |||
=== How to Test Fail2Ban Filters? === | |||
Use program <code>fail2ban-regex</code> | |||
Example: | |||
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf | |||
Further Reading: | |||
https://manpages.debian.org/unstable/fail2ban/fail2ban-regex.1.en.html | |||
== Sources == | |||
http://www.fail2ban.org/wiki/index.php/Commands | |||
https://wiki.ubuntuusers.de/fail2ban/ | |||
[[Category:Linux]] | [[Category:Linux]] | ||
Aktuelle Version vom 15. November 2025, 11:51 Uhr
This article contains instructions for installation, configuration and monitoring of Fail2Ban on Debian.
Basic Commands Cheat Sheet
Check Status
Show status of Fail2Ban and which jails are active:
fail2ban-client status
Show statistics of all active jails as a table:
fail2ban-client stats
Sample output:
║ ║ Filter ║ Actions Jail ║ Backend ╟─────────────╫─────────── ║ ║ cur │ tot ║ cur │ tot ═════════════════════╬══════════╬═════════════╬═══════════ apache-auth ║ polling ║ 35 │ 18985 ║ 42 │ 862 apache-botsearch ║ polling ║ 8 │ 12 ║ 4 │ 10 apache-noscript ║ polling ║ 49 │ 242 ║ 42 │ 57 sshd ║ systemd ║ 187 │ 1719 ║ 735 │ 966 ═════════════════════╩══════════╩═════════════╩═══════════
Show status of a particular jail, i.e. sshd, including some stats and a list of blocked ips:
fail2ban-client status <jail> fail2ban-client status sshd
Sample output:
Status for the jail: sshd |- Filter | |- Currently failed: 187 | |- Total failed: 1719 | `- Journal matches: _SYSTEMD_UNIT=ssh.service + _COMM=sshd `- Actions |- Currently banned: 735 |- Total banned: 966 `- Banned IP list: 1.238.106.229 1.55.33.86 101.100.194.199 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx ...
Here we see that banned were 594, but currently banned are none.
Show banned ip addresses and in which jail they are:
fail2ban-client banned
Examine a IP Address in More Detail
Show in which jails a given ip addresses are banned:
fail2ban-client banned <IP> [<IP> <IP>]
Show banned ip addresses for a given jail and also their release time:
fail2ban-client get <jail> banip --with-time
Filter for a given ip address if needed:
fail2ban-client get <jail> banip --with-time | grep <IP>
Manuell Adressen hinzufügen
Beispiel, um manuell IP-Adressen in den Jail SSHD zu bannen oder dort zu entfernen:
fail2ban-client set sshd banip <IP> fail2ban-client set sshd unbanip <IP>
Installation
apt-get install fail2ban
Konfiguration
Erweiterung der Konfiguration
Konfigurationsfiles im Lieferumfang:
/etc/fail2ban/fail2ban.conf /etc/fail2ban/jail.conf
Die o.g. Dateien sollten nicht angepasst werden, da sie beim nächsten Update evtl. wieder überschrieben werden.Stattdessen können folgende Dateien angelegt werden:
/etc/fail2ban/fail2ban.local /etc/fail2ban/fail2ban.d/* /etc/fail2ban/jail.local /etc/fail2ban/jail.d/*
Für die Erstellung der .local-Dateien können als Vorlage die jeweiligen .conf-Dateien verwendet werden.
Es muss darauf geachtet werden, dass die Dateien immer Abschnitte in Eckigen klammern haben.
Permanenter Ban wird umgesetzt indem man bantime auf einen negativen Wert setzt, z.B. -1
Finetuning
Bei Fehlermeldungen im Log:
Dec 31 20:00:00 server sshd[23400]: Connection closed by xxx.xxx.xxx.xxx port xxxxx [preauth]
Erweiterung Parameter failregex in datei /etc/fail2ban/filter.d/sshd.conf um folgende Zeile:
^%(__prefix_line)sConnection closed by <HOST> port \d+ \[preauth\]$
Developing Fail2Ban Filters
How to Test Fail2Ban Filters?
Use program fail2ban-regex
Example:
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
Further Reading:
https://manpages.debian.org/unstable/fail2ban/fail2ban-regex.1.en.html
