Fail2Ban (Debian)

Aus Matts Wiki
Version vom 15. November 2025, 11:51 Uhr von Matt (Diskussion | Beiträge)
(Unterschied) ← Nächstältere Version | Aktuelle Version (Unterschied) | Nächstjüngere Version → (Unterschied)

This article contains instructions for installation, configuration and monitoring of Fail2Ban on Debian.

Basic Commands Cheat Sheet

Check Status

Show status of Fail2Ban and which jails are active: 

fail2ban-client status

Show statistics of all active jails as a table: 

fail2ban-client stats

Sample output: 

                     ║          ║ Filter      ║ Actions
Jail                 ║ Backend  ╟─────────────╫───────────
                     ║          ║ cur │   tot ║ cur │ tot
═════════════════════╬══════════╬═════════════╬═══════════
apache-auth          ║ polling  ║  35 │ 18985 ║  42 │ 862
apache-botsearch     ║ polling  ║   8 │    12 ║   4 │  10
apache-noscript      ║ polling  ║  49 │   242 ║  42 │  57
sshd                 ║ systemd  ║ 187 │  1719 ║ 735 │ 966
═════════════════════╩══════════╩═════════════╩═══════════

Show status of a particular jail, i.e. sshd, including some stats and a list of blocked ips: 

fail2ban-client status <jail>
fail2ban-client status sshd

Sample output: 

Status for the jail: sshd
|- Filter
|  |- Currently failed: 187
|  |- Total failed:     1719
|  `- Journal matches:  _SYSTEMD_UNIT=ssh.service + _COMM=sshd
`- Actions
   |- Currently banned: 735
   |- Total banned:     966
   `- Banned IP list:   1.238.106.229 1.55.33.86 101.100.194.199 xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx ...

Here we see that banned were 594, but currently banned are none.

Show banned ip addresses and in which jail they are: 

fail2ban-client banned

Examine a IP Address in More Detail

Show in which jails a given ip addresses are banned: 

fail2ban-client banned <IP> [<IP> <IP>]

Show banned ip addresses for a given jail and also their release time: 

fail2ban-client get <jail> banip --with-time

Filter for a given ip address if needed: 

fail2ban-client get <jail> banip --with-time | grep <IP>

Manuell Adressen hinzufügen

Beispiel, um manuell IP-Adressen in den Jail SSHD zu bannen oder dort zu entfernen: 

fail2ban-client set sshd banip <IP>
fail2ban-client set sshd unbanip <IP>

Installation

apt-get install fail2ban

Konfiguration

Erweiterung der Konfiguration

Konfigurationsfiles im Lieferumfang: 

/etc/fail2ban/fail2ban.conf
/etc/fail2ban/jail.conf

Die o.g. Dateien sollten nicht angepasst werden, da sie beim nächsten Update evtl. wieder überschrieben werden.Stattdessen können folgende Dateien angelegt werden: 

/etc/fail2ban/fail2ban.local
/etc/fail2ban/fail2ban.d/*
/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*

Für die Erstellung der .local-Dateien können als Vorlage die jeweiligen .conf-Dateien verwendet werden.

Es muss darauf geachtet werden, dass die Dateien immer Abschnitte in Eckigen klammern haben.

Permanenter Ban wird umgesetzt indem man bantime auf einen negativen Wert setzt, z.B. -1

Finetuning

Bei Fehlermeldungen im Log: 

Dec 31 20:00:00 server sshd[23400]: Connection closed by xxx.xxx.xxx.xxx port xxxxx [preauth]

Erweiterung Parameter failregex in datei /etc/fail2ban/filter.d/sshd.conf um folgende Zeile: 

^%(__prefix_line)sConnection closed by <HOST> port \d+ \[preauth\]$

Developing Fail2Ban Filters

How to Test Fail2Ban Filters?

Use program fail2ban-regex

Example: 

fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf


Further Reading:

https://manpages.debian.org/unstable/fail2ban/fail2ban-regex.1.en.html

Sources

http://www.fail2ban.org/wiki/index.php/Commands

https://wiki.ubuntuusers.de/fail2ban/

Abgerufen von „https://otremba.net/w/index.php?title=Fail2Ban_(Debian)&oldid=3750