Fail2Ban (Debian)
Current version as of 15 November 2025, 11:51
This article contains instructions for installation, configuration and monitoring of Fail2Ban on Debian.
== Basic Commands Cheat Sheet ==
=== Check Status ===
Show status of Fail2Ban and which jails are active:
fail2ban-client status
Show statistics of all active jails as a table:
fail2ban-client stats
Sample output:
                     ║          ║    Filter   ║  Actions
Jail                 ║ Backend  ╟─────────────╫───────────
                     ║          ║ cur │  tot  ║ cur │ tot
═════════════════════╬══════════╬═════════════╬═══════════
apache-auth          ║ polling  ║  35 │ 18985 ║  42 │ 862
apache-botsearch     ║ polling  ║   8 │    12 ║   4 │  10
apache-noscript      ║ polling  ║  49 │   242 ║  42 │  57
sshd                 ║ systemd  ║ 187 │  1719 ║ 735 │ 966
═════════════════════╩══════════╩═════════════╩═══════════
Show the status of a particular jail, e.g. sshd, including some statistics and the list of blocked IPs:
fail2ban-client status <jail>
fail2ban-client status sshd
Sample output:
Status for the jail: sshd
|- Filter
|  |- Currently failed: 187
|  |- Total failed: 1719
|  `- Journal matches: _SYSTEMD_UNIT=ssh.service + _COMM=sshd
`- Actions
   |- Currently banned: 735
   |- Total banned: 966
   `- Banned IP list: 1.238.106.229 1.55.33.86 101.100.194.199 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx ...
Here we see that 594 addresses were banned in total, but none are currently banned.
Show banned IP addresses and the jail they are banned in:
fail2ban-client banned
=== Examine an IP Address in More Detail ===
Show in which jails the given IP addresses are banned:
fail2ban-client banned <IP> [<IP> <IP>]
Show the banned IP addresses for a given jail together with their release time:
fail2ban-client get <jail> banip --with-time
Filter for a given IP address if needed:
fail2ban-client get <jail> banip --with-time | grep <IP>
=== Adding Addresses Manually ===
Example for manually banning IP addresses in the sshd jail, or removing them from it:
fail2ban-client set sshd banip <IP>
fail2ban-client set sshd unbanip <IP>
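The status commands above are meant for humans, but the same output can be scripted for monitoring. The following POSIX shell example is added here and is not part of the wiki page; the status text in SAMPLE_STATUS is a constructed copy of the format that fail2ban-client prints (documentation-range addresses, not real bans), and warn_if_many_bans is a hypothetical wrapper that needs a running Fail2Ban.

```shell
#!/bin/sh
# Script the output of `fail2ban-client status <jail>` for monitoring.
# SAMPLE_STATUS is a constructed copy of that output format (addresses are
# documentation-range values, not real bans).
SAMPLE_STATUS='Status for the jail: sshd
|- Filter
|  |- Currently failed: 187
|  |- Total failed: 1719
|  `- Journal matches: _SYSTEMD_UNIT=ssh.service + _COMM=sshd
`- Actions
   |- Currently banned: 2
   |- Total banned: 966
   `- Banned IP list: 192.0.2.10 198.51.100.7'

# Print one counter ("Currently banned", "Total failed", ...) from status text on stdin.
status_counter() {
    awk -v label="$1" -F': ' '$1 ~ (label "$") { print $2 }'
}

# Print the banned addresses from status text on stdin, one per line.
banned_ips() {
    sed -n 's/^.*`- Banned IP list: *//p' | tr ' ' '\n' | grep -v '^$'
}

# Succeed (exit 0) if address $1 is in the banned list of the status text on stdin.
is_banned() {
    banned_ips | grep -qx "$1"
}

# Live use (hypothetical helper): warn when a jail holds more bans than a
# threshold. Requires a running Fail2Ban; not exercised offline.
warn_if_many_bans() {
    jail=$1; limit=$2
    count=$(fail2ban-client status "$jail" | status_counter 'Currently banned')
    [ "${count:-0}" -gt "$limit" ] && echo "WARNING: $jail has $count banned addresses (limit $limit)" >&2
    return 0
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_STATUS" | status_counter 'Currently banned'   # 2
printf '%s\n' "$SAMPLE_STATUS" | banned_ips
if printf '%s\n' "$SAMPLE_STATUS" | is_banned 192.0.2.10; then echo "192.0.2.10 is banned"; fi
```

Replace the sample with `fail2ban-client status sshd | status_counter 'Currently banned'` on a live host; because the parsing keys on the label text rather than line positions, it also works for the other counters shown in the sample output above.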
== Installation ==
apt-get install fail2ban
== Configuration ==
=== Extending the Configuration ===
Configuration files shipped with the package:
/etc/fail2ban/fail2ban.conf
/etc/fail2ban/jail.conf
The files above should not be modified, because the next update may overwrite them. Instead, the following files can be created:
/etc/fail2ban/fail2ban.local
/etc/fail2ban/fail2ban.d/*
/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*
The corresponding .conf files can be used as templates for creating the .local files.
Make sure that the files always contain sections in square brackets.
A permanent ban is achieved by setting bantime to a negative value, e.g. -1.
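Forgetting the bracketed section header is the mistake the note above warns about. The POSIX shell example below is added here and is not from the wiki or the Fail2Ban project: it writes a constructed jail.local override (values are illustrative, only `bantime = -1` for a permanent ban comes from the text above) and checks any .local/.d file for keys that appear before a `[section]` header.

```shell
#!/bin/sh
# Write a jail.local-style override and check the "sections in square brackets" rule.
# Example code; settings are illustrative. The checker parses the INI layout only
# and does not talk to fail2ban.

# Exit 1 (and print each offender) if a key appears before any [section] header in $1.
check_sections() {
    awk '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }          # comments, blank lines
        /^[[:space:]]*\[.*\][[:space:]]*$/    { section = $0; next } # [section] header seen
        section == "" {
            printf "%s:%d: key outside a [section]: %s\n", FILENAME, NR, $0
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed override that follows the rule (times in seconds).
write_example_jail_local() {
    cat > "$1" <<'EOF'
[DEFAULT]
# ban for one hour after 5 failures within 10 minutes
bantime  = 3600
findtime = 600
maxretry = 5

[sshd]
enabled = true
# negative bantime = permanent ban
bantime = -1
EOF
}

# Constructed broken file: "enabled" appears before any section header.
write_broken_jail_local() {
    cat > "$1" <<'EOF'
enabled = true

[sshd]
bantime = -1
EOF
}

# Demonstration in a temporary directory; on a real host the target is
# /etc/fail2ban/jail.local followed by `fail2ban-client reload`.
demo_dir=$(mktemp -d)
write_example_jail_local "$demo_dir/jail.local"
check_sections "$demo_dir/jail.local" && echo "jail.local: ok"
write_broken_jail_local "$demo_dir/broken.local"
check_sections "$demo_dir/broken.local" || echo "broken.local: rejected"
rm -rf "$demo_dir"
```

Run the checker over `/etc/fail2ban/jail.local /etc/fail2ban/jail.d/*` before reloading; a key outside a section is exactly the kind of error that only shows up in the fail2ban log after the reload.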
=== Fine-tuning ===
If the log contains messages like:
Dec 31 20:00:00 server sshd[23400]: Connection closed by xxx.xxx.xxx.xxx port xxxxx [preauth]
extend the failregex parameter in the file /etc/fail2ban/filter.d/sshd.conf with the following line:
^%(__prefix_line)sConnection closed by <HOST> port \d+ \[preauth\]$
== Developing Fail2Ban Filters ==
=== How to Test Fail2Ban Filters? ===
Use the program <code>fail2ban-regex</code>.
Example:
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
Further Reading:
https://manpages.debian.org/unstable/fail2ban/fail2ban-regex.1.en.html
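To see what the extra failregex line from the fine-tuning section catches before touching a live filter, a dry run on a small log excerpt helps. The POSIX shell example below is added here and is not the wiki's or Fail2Ban's own code: SAMPLE_LOG is a constructed auth.log excerpt, the sed pattern is this example's own ERE approximation of the `%(__prefix_line)s` and `<HOST>` placeholders (an assumption, good enough for an offline pre-check), and run_fail2ban_regex wraps the authoritative `fail2ban-regex` call from above for hosts where Fail2Ban is installed.

```shell
#!/bin/sh
# Dry run of the extra failregex line on a constructed auth.log excerpt.
# The sed pattern is an approximation of fail2ban's %(__prefix_line)s and
# <HOST> placeholders for offline testing; fail2ban-regex stays authoritative.

# Constructed sample: two [preauth] disconnects that should match, one login that must not.
SAMPLE_LOG='Dec 31 20:00:00 server sshd[23400]: Connection closed by 192.0.2.10 port 51234 [preauth]
Dec 31 20:00:01 server sshd[23401]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Dec 31 20:00:02 server sshd[23402]: Connection closed by 203.0.113.5 port 51235 [preauth]'

# Print the host of every line on stdin that the approximated failregex matches.
preauth_close_hosts() {
    sed -En 's/^.* sshd\[[0-9]+\]: Connection closed by ([0-9a-fA-F.:]+) port [0-9]+ \[preauth\]$/\1/p'
}

# Number of matching lines on stdin.
preauth_close_count() {
    preauth_close_hosts | wc -l | tr -d ' '
}

# Authoritative check: the real tool, the same sample, and the sshd filter file
# that was extended above. Only works where fail2ban is installed.
run_fail2ban_regex() {
    if ! command -v fail2ban-regex >/dev/null 2>&1; then
        echo "fail2ban-regex not installed; skipping" >&2
        return 2
    fi
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    fail2ban-regex "$tmp" /etc/fail2ban/filter.d/sshd.conf
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | preauth_close_hosts
echo "matches: $(printf '%s\n' "$SAMPLE_LOG" | preauth_close_count)"   # matches: 2
```

The grep-style pre-check is deliberately narrower than Fail2Ban's own `<HOST>` expansion (it does not handle hostnames), so a line that passes here should still be confirmed with `run_fail2ban_regex`, whose output counts the lines matched and missed by every failregex in the filter file.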
