Fail2Ban (Debian): Unterschied zwischen den Versionen
Matt (Diskussion | Beiträge) Keine Bearbeitungszusammenfassung |
Matt (Diskussion | Beiträge) Keine Bearbeitungszusammenfassung |
||
| Zeile 1: | Zeile 1: | ||
This article contains instructions for installation, configuration and monitoring of Fail2Ban on Debian. | |||
== Basic Commands Cheat Sheet == | |||
== | |||
=== Check Status === | === Check Status === | ||
| Zeile 23: | Zeile 17: | ||
sshd ║ systemd ║ 187 │ 1719 ║ 735 │ 966 | sshd ║ systemd ║ 187 │ 1719 ║ 735 │ 966 | ||
═════════════════════╩══════════╩═════════════╩═══════════ | ═════════════════════╩══════════╩═════════════╩═══════════ | ||
Show status of a particular jail, i.e. sshd, including some stats and a list of blocked ips: | |||
fail2ban-client status <jail> | |||
fail2ban-client status sshd | fail2ban-client status sshd | ||
Sample output: | Sample output: | ||
Status for the jail: sshd | Status for the jail: sshd | ||
|- Filter | |- Filter | ||
| |- Currently failed: | | |- Currently failed: 187 | ||
| |- Total failed: | | |- Total failed: 1719 | ||
| `- | | `- Journal matches: _SYSTEMD_UNIT=ssh.service + _COMM=sshd | ||
`- Actions | `- Actions | ||
|- Currently banned: | |- Currently banned: 735 | ||
|- Total banned: | |- Total banned: 966 | ||
`- Banned IP list: | `- Banned IP list: 1.238.106.229 1.55.33.86 101.100.194.199 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx ... | ||
Here we see that banned were 594, but currently banned are none. | Here we see that banned were 594, but currently banned are none. | ||
| Zeile 91: | Zeile 86: | ||
https://manpages.debian.org/unstable/fail2ban/fail2ban-regex.1.en.html | https://manpages.debian.org/unstable/fail2ban/fail2ban-regex.1.en.html | ||
== Sources == | |||
http://www.fail2ban.org/wiki/index.php/Commands | |||
https://wiki.ubuntuusers.de/fail2ban/ | |||
[[Category:Linux]] | [[Category:Linux]] | ||
Aktuelle Version vom 15. November 2025, 11:51 Uhr
This article contains instructions for installation, configuration and monitoring of Fail2Ban on Debian.
Basic Commands Cheat Sheet
Check Status
Show status of Fail2Ban and which jails are active:
fail2ban-client status
Show statistics of all active jails as a table:
fail2ban-client stats
Sample output:
║ ║ Filter ║ Actions Jail ║ Backend ╟─────────────╫─────────── ║ ║ cur │ tot ║ cur │ tot ═════════════════════╬══════════╬═════════════╬═══════════ apache-auth ║ polling ║ 35 │ 18985 ║ 42 │ 862 apache-botsearch ║ polling ║ 8 │ 12 ║ 4 │ 10 apache-noscript ║ polling ║ 49 │ 242 ║ 42 │ 57 sshd ║ systemd ║ 187 │ 1719 ║ 735 │ 966 ═════════════════════╩══════════╩═════════════╩═══════════
Show status of a particular jail, i.e. sshd, including some stats and a list of blocked ips:
fail2ban-client status <jail> fail2ban-client status sshd
Sample output:
Status for the jail: sshd |- Filter | |- Currently failed: 187 | |- Total failed: 1719 | `- Journal matches: _SYSTEMD_UNIT=ssh.service + _COMM=sshd `- Actions |- Currently banned: 735 |- Total banned: 966 `- Banned IP list: 1.238.106.229 1.55.33.86 101.100.194.199 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx ...
Here we see that banned were 594, but currently banned are none.
Show banned ip addresses and in which jail they are:
fail2ban-client banned
Examine a IP Address in More Detail
Show in which jails a given ip addresses are banned:
fail2ban-client banned <IP> [<IP> <IP>]
Show banned ip addresses for a given jail and also their release time:
fail2ban-client get <jail> banip --with-time
Filter for a given ip address if needed:
fail2ban-client get <jail> banip --with-time | grep <IP>
Manuell Adressen hinzufügen
Beispiel, um manuell IP-Adressen in den Jail SSHD zu bannen oder dort zu entfernen:
fail2ban-client set sshd banip <IP> fail2ban-client set sshd unbanip <IP>
Installation
apt-get install fail2ban
Konfiguration
Erweiterung der Konfiguration
Konfigurationsfiles im Lieferumfang:
/etc/fail2ban/fail2ban.conf /etc/fail2ban/jail.conf
Die o.g. Dateien sollten nicht angepasst werden, da sie beim nächsten Update evtl. wieder überschrieben werden.Stattdessen können folgende Dateien angelegt werden:
/etc/fail2ban/fail2ban.local /etc/fail2ban/fail2ban.d/* /etc/fail2ban/jail.local /etc/fail2ban/jail.d/*
Für die Erstellung der .local-Dateien können als Vorlage die jeweiligen .conf-Dateien verwendet werden.
Es muss darauf geachtet werden, dass die Dateien immer Abschnitte in Eckigen klammern haben.
Permanenter Ban wird umgesetzt indem man bantime auf einen negativen Wert setzt, z.B. -1
Finetuning
Bei Fehlermeldungen im Log:
Dec 31 20:00:00 server sshd[23400]: Connection closed by xxx.xxx.xxx.xxx port xxxxx [preauth]
Erweiterung Parameter failregex in datei /etc/fail2ban/filter.d/sshd.conf um folgende Zeile:
^%(__prefix_line)sConnection closed by <HOST> port \d+ \[preauth\]$
Developing Fail2Ban Filters
How to Test Fail2Ban Filters?
Use program fail2ban-regex
Example:
fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf
Further Reading:
https://manpages.debian.org/unstable/fail2ban/fail2ban-regex.1.en.html
