Hi,

So, regarding jail.local and sshd jail, the content is below:

```
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
```

I think the above is overriding jail.conf. As the jail.conf file does not have a line `enabled` (with true or false values) for any of the jails, I also suppose anyway that jail.local is overriding that. Is this right?

On Thu, 9 Feb 2023 at 15:59, Nick Howitt via Fail2ban-users <fail2ban-users@lists.sourceforge.net> wrote:

> There is some misinformation here. Jails can be enabled via configlets in
> jail.d/ as well as overrides in jail.local.
>
> Anyway, what is your full jail config in jail.local? All you need is:
> [sshd]
> enabled = true
>
> It will pull everything else from jail.conf. Anything else you put here
> will override anything in jail.conf so it is up to you if you want to
> accept the default settings in jail.conf or override them.
>
>
> On 09/02/2023 18:45, Marcos A.T. Silva wrote:
>
> Hi Finn,
>
> Understood. Thank you very much. :)
>
> I think I'll learn this one day. Well, it seems things are starting to
> work here.
>
> So, do you know how can I make sure that a jail is really running?
> Because, for example, I've enabled the sshd jail. The enabled jail is as
> below:
>
> ```
> #mode = normal
> port = ssh
> logpath = %(sshd_log)s
> backend = %(sshd_backend)s
> enabled = true
> ```
>
> Is the above jail correct? Do I have to put a "filter" part there or
> uncomment the #mode?
>
> Well, I don't know if I am testing it right. But, for example, if I run
> `fail2ban-client status sshd` I receive the below output:
>
> ```
> Status for the jail: sshd
> |- Filter
> |  |- Currently failed: 1
> |  |- Total failed: 1
> |  `- File list: /var/log/auth.log
> `- Actions
>    |- Currently banned: 0
>    |- Total banned: 0
>    `- Banned IP list:
> ```
>
> But I think I've tried to login at the server with a wrong passphrase for
> my SSH key twice, and Fail2Ban is only displaying one attempt. Is this
> correct?
>
> Thanks again, and sorry for the disturbance.
>
> On Thu, 9 Feb 2023 at 15:34, fail2ban--- via Fail2ban-users <fail2ban-users@lists.sourceforge.net> wrote:
>
>> Hi Marcos
>>
>> jail.conf is holding the default settings for the jails
>>
>> jail.local is where You make Your own settings and customizations.
>>
>> When You update fail2ban jail.conf may be altered but jail.local will
>> not and therefore settings (enabled jails etc. will be safe)
>>
>> A good idea is to read through the /etc/fail2ban/*.conf files since the
>> makers have included a lot of information between the lines - some are
>> difficult to understand the first time but eventually You will get
>> better knowledge and understanding of this nice and GREAT tool.
>>
>> Regards,
>> /Finn
>>
>>
>> On 09-02-2023 at 19:05, Marcos A.T. Silva wrote:
>> > Well, I have installed Fail2Ban from my own once I get this new Ubuntu
>> > server. I am using Ubuntu 20.04.
>> >
>> > I only got this working by setting jails as enabled in the jail.local
>> > file. The individual files in jail.d directory don't work.
>> >
>> > On Thu, 9 Feb 2023 at 14:44, Nick Howitt via Fail2ban-users
>> > <fail2ban-users@lists.sourceforge.net> wrote:
>> >
>> > Surely jail.conf should be left in place as it supplies some
>> > defaults, especially if you are using a distro packaged version? I
>> > don't think any jails are enabled by default but it may depend on
>> > the distro.
>> >
>> > Then use jail.local or files in jail.d/ to enable particular filters.
>> >
>> > Nick
>> >
>> > On 09/02/2023 17:31, Mauricio Tavares wrote:
>> >> On Thu, Feb 9, 2023 at 12:11 PM Marcos A.T. Silva <marcos...@gmail.com> wrote:
>> >>> Hi there,
>> >>>
>> >>> I really can't find enough words to express my gratitude to you all guys. :)
>> >>>
>> >>> I think I am finally putting this to work.
>> >>>
>> >>> All your suggestions and help made me understand, I think, how that works.
>> >>>
>> >>> I've done the following:
>> >>>
>> >>> 1) Once, for what I understood, jail.local always overrides jail.conf, I left all jails disabled (false) on jail.local. After that, I've renamed jail.conf to jail.conf.unused, as Lee suggested.
>> >>>
>> >> AFAIK jail.conf does not turn anything on; that is the job of
>> >> jail.local and/or jail.d/something-here.conf
>> >>
>> >>> 2) Now I created a sshd.conf file in /etc/fail2ban/jail.d and put there only the content regarding the sshd jail that was in my jail.local, enabling this jail.
>> >>>
>> >>> 3) Finally I tried to start Fail2Ban and it worked! Thank you!
>> >>>
>> >>> Well, I noticed (maybe I am wrong, of course) that I need to use both `sudo fail2ban-client start` and `sudo systemctl start fail2ban` to make it start and be enabled. Is that right?
>> >>>
>> >> systemctl start fail2ban should have sufficed.
>> >>
>> >>> But I rebooted the server and systemctl status shows me that Fail2Ban is still active.
>> >>>
>> >>> Another question, if possible: now I have only sshd jail active, as per the above procedures. Is there a way to check if it is really running?
>> >>>
>> >> fail2ban-client status sshd
>> >>
>> >>> Thanks again.
>> >>>
>> >>> On Thu, 9 Feb 2023 at 12:13, Mauricio Tavares <raubvo...@gmail.com> wrote:
>> >>>> On Thu, Feb 9, 2023 at 10:11 AM L. V. Lammert <l...@omnitec.net> wrote:
>> >>>>> On Thu, 9 Feb 2023, Mauricio Tavares wrote:
>> >>>>>
>> >>>>>> My suggestion is to find which services you are using and then
>> >>>>>> where they are writing their logs to. Take a look at jail.conf (I
>> >>>>>> forgot to mention that file). Chances are there are entries for most
>> >>>>>> of the services there. Case in point, the ssh services, including
>> >>>>>> selinux-ssh, it knows of are
>> >>>>>>
>> >>>>> It appears that the fail2ban package for Ubuntu 20 is NOT very current.
>> >>>>> Much simpler to manage if all of the jails are in separate files in
>> >>>>> jail.d, .. not in a mile long jail.conf.
>> >>>>>
>> >>>>> Also, always confirm the installation of ONLY ssh, until you know what you
>> >>>>> need to monitor.
>> >>>>>
>> >>>> FYI
>> >>>>
>> >>>> raub@some-debian-box:~$ cat /etc/fail2ban/jail.d/defaults-debian.conf
>> >>>> [sshd]
>> >>>> enabled = true
>> >>>> raub@some-debian-box:~$
>> >>>>
>> >>>>> Lee
>> >> _______________________________________________
>> >> Fail2ban-users mailing list
>> >> Fail2ban-users@lists.sourceforge.net
>> >> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>>
>> --
>> "After sleeping through a hundred million centuries we have finally
>> opened our eyes on a sumptuous planet, sparkling with color, bountiful
>> with life. Within decades we must close our eyes again. Isn't it a
>> noble, an enlightened way of spending our brief time in the sun, to work
>> at understanding the universe and how we have come to wake up in it?"
>> [- Professor Richard Dawkins]
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
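
Added example (not part of the thread and not fail2ban's own code): a small Python model of the jail.conf / jail.d / jail.local layering discussed above, using the file order documented in jail.conf(5), that reports which file decides each option of a jail. The file contents, including the `[DEFAULT]` values, are constructed samples.

```python
import configparser

# Constructed sample files (simplified, not copied from a real install).
FILES = {
    "/etc/fail2ban/jail.conf": (
        "[DEFAULT]\nenabled = false\nmaxretry = 5\n"
        "[sshd]\nport = ssh\nlogpath = %(sshd_log)s\n"
    ),
    "/etc/fail2ban/jail.d/defaults-debian.conf": "[sshd]\nenabled = true\n",
    "/etc/fail2ban/jail.local": (
        "[sshd]\n#mode = normal\nport = ssh\nlogpath = %(sshd_log)s\n"
        "backend = %(sshd_backend)s\nenabled = true\n"
    ),
}


def load_order(paths):
    """Order from jail.conf(5): jail.conf, jail.d/*.conf, jail.local, jail.d/*.local."""
    return sorted(paths, key=lambda p: (p.endswith(".local"), "/jail.d/" in p, p))


def effective(files, jail):
    """Merge the files in load order; return {option: (value, deciding_file)}."""
    defaults, own = {}, {}
    for path in load_order(files):
        # interpolation=None keeps %(sshd_log)s literal; renaming the default
        # section lets us read [DEFAULT] separately from the jail's own options.
        cp = configparser.ConfigParser(interpolation=None, default_section="_unused_")
        cp.read_string(files[path])
        for section, target in (("DEFAULT", defaults), (jail, own)):
            if cp.has_section(section):
                for key, value in cp.items(section):
                    target[key] = (value, path)  # a later file wins
    # Options set in the jail's own section take priority over [DEFAULT].
    return {**defaults, **own}


if __name__ == "__main__":
    for option, (value, source) in sorted(effective(FILES, "sshd").items()):
        print(f"{option:10} = {value:22} <- {source}")
```

On a live host, `fail2ban-client -d` dumps the configuration fail2ban actually parsed, which is the authoritative check.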