fail2ban picks up everything in /etc/fail2ban/jail.conf and then applies
additional/overrides from /etc/fail2ban/jail.local (and probably
/etc/fail2ban/jail.d/*. I didn't even realize there was a jail.d folder
until I saw your post).

In one of those configs (probably /etc/fail2ban/jail.conf) there is
a [sshd] section that is enabled.  Add to /etc/fail2ban/jail.local:
[sshd]
enabled = false

Bill


On 9/20/2017 12:46 PM, Stroller wrote:
Hello,

I'm new to Fail2Ban, and still getting to grips with it.

As I understand it, all matches to a filter are treated the same - using the 
default sshd filter a bot trying to logon as a nonexistent user is treated the 
same as a genuine user who has misspelled their password.

I would prefer to ban an IP the second time it attempts to log on as a 
nonexistent user, and allow multiple password attempts if the user exists on 
the system.

I have read some documents and HOWTOs, but seem to be struggling a bit with 
fail2ban's configuration concepts.

I've found /etc/fail2ban/filter.d/sshd.conf and enabled it by creating a 
corresponding /etc/fail2ban/jail.d/sshd.conf, as per Gentoo's wiki. [1]

I would have thought that the logical way to make my own filters would be to 
take the existing /etc/fail2ban/filter.d/sshd.conf and make two copies of it - 
/etc/fail2ban/filter.d/sshd-badusername.local and 
/etc/fail2ban/filter.d/sshd-wrongpassword.local, removing from each the 
unwanted regular expressions.

I expected to be able to create /etc/fail2ban/jail.d/sshd-badusername.conf and 
/etc/fail2ban/jail.d/sshd-wrongpassword.conf with the following contents:

[sshd-badusername]
enabled  = true
logpath = /var/log/messages

[sshd-wrongpassword]
enabled  = true
logpath = /var/log/messages

This doesn't work - when I reload fail2ban I get the messages:
    ERROR  No file(s) found for glob /var/log/auth.log
    ERROR  Failed during configuration: Have not found any log file for sshd jail

I don't understand - I didn't think I had any jail called "sshd" anymore - I thought I had two 
jails, "sshd-badusername" and "sshd-wrongpassword".

Fail2Ban seems highly modular and configurable, and I feel like I'm missing 
something important because there are too many pieces for me to visualise 
correctly.

Stroller.




[1] https://wiki.gentoo.org/wiki/Fail2ban#Configuration
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
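
The layering discussed in this thread can be checked mechanically. The following is an added example, not code from the thread or from fail2ban itself: it merges jail files in the order documented in jail.conf(5) (jail.conf, jail.d/*.conf, jail.local, jail.d/*.local) and reports which file decided each jail's `enabled`. The file contents are constructed, modelled on the file names mentioned above, and the merge is a simplification that ignores [INCLUDES] and value interpolation.

```python
import configparser, glob, os, tempfile

TRUE = {"1", "true", "yes", "on"}  # assumption: values treated as "enabled"

def layer_files(confdir):
    # Read order per jail.conf(5); later files override earlier ones.
    d = os.path.join(confdir, "jail.d")
    return ([os.path.join(confdir, "jail.conf")]
            + sorted(glob.glob(os.path.join(d, "*.conf")))
            + [os.path.join(confdir, "jail.local")]
            + sorted(glob.glob(os.path.join(d, "*.local"))))

def effective_jails(confdir):
    """Map jail name -> effective enabled/logpath and the file that decided 'enabled'."""
    merged = {}  # section -> option -> (value, source file)
    for path in layer_files(confdir):
        cp = configparser.RawConfigParser(default_section="__unused__", strict=False)
        cp.read(path)  # a missing jail.local is silently skipped
        for section in cp.sections():
            for opt, val in cp.items(section):
                merged.setdefault(section, {})[opt] = (val, os.path.relpath(path, confdir))
    defaults = merged.get("DEFAULT", {})
    jails = {}
    for name, opts in merged.items():
        if name in ("DEFAULT", "INCLUDES"):
            continue
        enabled, source = opts.get("enabled", defaults.get("enabled", ("false", None)))
        logpath = opts.get("logpath", defaults.get("logpath", ("", None)))[0]
        jails[name] = {"enabled": enabled.strip().lower() in TRUE,
                       "set_by": source, "logpath": logpath}
    return jails

def write_sample(confdir, files):
    # Constructed sample tree, not copied from a real installation.
    for rel, text in files.items():
        path = os.path.join(confdir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

SAMPLE = {
    "jail.conf": "[DEFAULT]\nenabled = false\n\n[sshd]\nlogpath = /var/log/auth.log\n",
    "jail.d/sshd.conf": "[sshd]\nenabled = true\n",
    "jail.d/sshd-badusername.conf": "[sshd-badusername]\nenabled = true\nlogpath = /var/log/messages\n",
}
OVERRIDE = {"jail.local": "[sshd]\nenabled = false\n"}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp, SAMPLE)
        print("before:", effective_jails(tmp)["sshd"])
        write_sample(tmp, OVERRIDE)
        print("after: ", effective_jails(tmp)["sshd"])
```

Pointing `effective_jails()` at a copy of a real /etc/fail2ban gives a quick list of every jail that is still enabled and the file responsible, which is the question the "sshd jail" error raises.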
