Hi Marcos.
At the top of jail.conf / jail.local there are the settings below:
```
# "bantime" is the number of seconds that a host is banned.
bantime = 10m
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 10m
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
```
These settings will be the default if not defined in the individual jails.
Therefore read the conf files; there are a lot of settings and knowledge.
And the answer to your question is probably that it requires 5 errors
(maxretry = 5) in the logfile in a 10 min window (findtime = 10) to
trigger the jail for 10 min (bantime = 10).
Hope this helps a bit.
/Finn
On 09-02-2023 at 19:45, Marcos A.T. Silva wrote:
Hi Finn,
Understood. Thank you very much. :)
I think I'll learn this one day. Well, it seems things are starting to
work here.
So, do you know how can I make sure that a jail is really running?
Because, for example, I've enabled the sshd jail. The enabled jail is as
below:
```
#mode = normal
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
```
Is the above jail correct? Do I have to put a "filter" part there or
uncomment the #mode?
Well, I don't know if I am testing it right. But, for example, if I run
`fail2ban-client status sshd` I receive the below output:
```
Status for the jail: sshd
|- Filter
|  |- Currently failed: 1
|  |- Total failed: 1
|  `- File list: /var/log/auth.log
`- Actions
   |- Currently banned: 0
   |- Total banned: 0
   `- Banned IP list:
```
But I think I've tried to login at the server with a wrong passphrase
for my SSH key twice, and Fail2Ban is only displaying one attempt. Is
this correct?
Thanks again, and sorry for the disturbance.
On Thu, 9 Feb 2023 at 15:34, fail2ban--- via Fail2ban-users
<fail2ban-users@lists.sourceforge.net> wrote:
Hi Marcos
jail.conf is holding the default settings for the jails.
jail.local is where you make your own settings and customizations.
When you update fail2ban, jail.conf may be altered but jail.local will
not, and therefore settings (enabled jails etc.) will be safe.
A good idea is to read through the /etc/fail2ban/*.conf files since the
makers have included a lot of information between the lines - some are
difficult to understand the first time but eventually you will get
better knowledge and understanding of this nice and GREAT tool.
Regards,
/Finn
On 09-02-2023 at 19:05, Marcos A.T. Silva wrote:
> Well, I have installed Fail2Ban on my own once I got this new Ubuntu
> server. I am using Ubuntu 20.04.
>
> I only got this working by setting jails as enabled in the jail.local
> file. The individual files in jail.d directory don't work.
>
> On Thu, 9 Feb 2023 at 14:44, Nick Howitt via Fail2ban-users
> <fail2ban-users@lists.sourceforge.net> wrote:
>
> Surely jail.conf should be left in place as it supplies some
> defaults, especially if you are using a distro packaged version? I
> don't think any jails are enabled by default but it may depend on
> the distro.
>
> Then use jail.local or files in jail.d/ to enable particular filters.
>
> Nick
>
> On 09/02/2023 17:31, Mauricio Tavares wrote:
>> On Thu, Feb 9, 2023 at 12:11 PM Marcos A.T. Silva <marcos...@gmail.com> wrote:
>>> Hi there,
>>>
>>> I really can't find enough words to express my gratitude to you all guys. :)
>>>
>>> I think I am finally putting this to work.
>>>
>>> All your suggestions and help made me understand, I think, how that works.
>>>
>>> I've done the following:
>>>
>>> 1) Once, for what I understood, jail.local always overrides jail.conf, I left all jails disabled (false) on jail.local. After that, I've renamed jail.conf to jail.conf.unused, as Lee suggested.
>>>
>> AFAIK jail.conf does not turn anything on; that is the job of
>> jail.local and/or jail.d/something-here.conf
>>
>>> 2) Now I created a sshd.conf file in /etc/fail2ban/jail.d and put there only the content regarding the sshd jail that was in my jail.local, enabling this jail.
>>>
>>> 3) Finally I tried to start Fail2Ban and it worked! Thank you!
>>>
>>> Well, I noticed (maybe I am wrong, of course) that I need to use both `sudo fail2ban-client start` and `sudo systemctl start fail2ban` to make it start and be enabled. Is that right?
>>>
>> systemctl start fail2ban should have sufficed.
>>
>>> But I rebooted the server and systemctl status shows me that Fail2Ban is still active.
>>>
>>> Another question, if possible: now I have only sshd jail active, as per the above procedures. Is there a way to check if it is really running?
>>>
>> fail2ban-client status sshd
>>
>>> Thanks again.
>>>
>>> On Thu, 9 Feb 2023 at 12:13, Mauricio Tavares <raubvo...@gmail.com> wrote:
>>>> On Thu, Feb 9, 2023 at 10:11 AM L. V. Lammert <l...@omnitec.net> wrote:
>>>>> On Thu, 9 Feb 2023, Mauricio Tavares wrote:
>>>>>
>>>>>> My suggestion is to find which services you are using and then
>>>>>> where they are writing their logs to. Take a look at jail.conf (I
>>>>>> forgot to mention that file). Chances are there are entries for most
>>>>>> of the services there. Case in point, the ssh services, including
>>>>>> selinux-ssh, it knows of are
>>>>>>
>>>>> It appears that the fail2ban package for Ubuntu 20 is NOT very current.
>>>>> Much simpler to manage if all of the jails are in separate files in
>>>>> jail.d, .. not in a mile long jail.conf.
>>>>>
>>>>> Also, always confirm the installation of ONLY ssh, until you know what you
>>>>> need to monitor.
>>>>>
>>>> FYI
>>>>
>>>> raub@some-debian-box:~$ cat /etc/fail2ban/jail.d/defaults-debian.conf
>>>> [sshd]
>>>> enabled = true
>>>> raub@some-debian-box:~$
>>>>
>>>>> Lee
>> _______________________________________________
>> Fail2ban-users mailing list
>> Fail2ban-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
--
"After sleeping through a hundred million centuries we have finally
opened our eyes on a sumptuous planet, sparkling with color, bountiful
with life. Within decades we must close our eyes again. Isn't it a
noble, an enlightened way of spending our brief time in the sun, to work
at understanding the universe and how we have come to wake up in it?"
[- Professor Richard Dawkins]
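
A simplified model of the maxretry / findtime / bantime rule explained at the top of this thread, as an added example that is not part of the original messages and is not fail2ban's own code. The failure regex, the `seconds` and `simulate` helpers, the assumed year and the log lines are all constructed for illustration, and only the `s`, `m`, `h` and `d` time suffixes are handled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
# Simplified stand-in for the sshd filter (assumption, not fail2ban's real regex).
FAILURE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def seconds(value):
    """Convert a jail time value such as '10m' or '600' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def simulate(lines, maxretry=5, findtime="10m", bantime="10m"):
    """Return [(ip, ban_start, ban_end)] produced by the log lines."""
    window = timedelta(seconds=seconds(findtime))
    ban_len = timedelta(seconds=seconds(bantime))
    recent = defaultdict(deque)          # ip -> failure times inside findtime
    banned_until, bans = {}, []
    for line in lines:
        m = FAILURE.match(line)
        if not m:
            continue                     # not a failure line
        # Syslog stamps carry no year; 2023 is assumed for the sample.
        when = datetime.strptime("2023 " + m.group(1), "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        if banned_until.get(ip, when) > when:
            continue                     # ban still active
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:      # forget failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned_until[ip] = when + ban_len
            bans.append((ip, when, when + ban_len))
            q.clear()
    return bans

def sample(ts, ip):                      # constructed auth.log line
    return f"Feb  9 {ts} srv sshd[1234]: Failed password for root from {ip} port 50000 ssh2"

LOG = sorted(
    [sample(t, "203.0.113.7") for t in ("19:40:01", "19:41:10", "19:42:30", "19:44:00", "19:45:15")]
    + [sample(t, "198.51.100.9") for t in ("19:30:00", "19:36:00", "19:42:00", "19:48:00", "19:54:00")]
    + ["Feb  9 19:43:00 srv sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2"]
)

if __name__ == "__main__":
    for ip, start, end in simulate(LOG):
        print(f"{ip} banned {start:%H:%M:%S} -> {end:%H:%M:%S}")
```

Both sample addresses fail five times, but only the one whose failures fall inside a single 10-minute window is banned; the other never has more than two failures in the window at once.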