Understood. Thank you, I will check that.

On Thu, Feb 9, 2023 at 16:42, Nick Howitt via Fail2ban-users <fail2ban-users@lists.sourceforge.net> wrote:
> If the three lines port, logpath and backend are the same in jail.conf,
> you don't need them in jail.local. Jail.local only overrides the parameters
> you specify, otherwise it gets them from jail.conf.
>
> On 09/02/2023 19:34, Marcos A.T. Silva wrote:
>
> Hi,
>
> So, regarding jail.local and sshd jail, the content is below:
>
> [sshd]
>
> # To use more aggressive sshd modes set filter parameter "mode" in jail.local:
> # normal (default), ddos, extra or aggressive (combines all).
> # See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
> #mode = normal
> port = ssh
> logpath = %(sshd_log)s
> backend = %(sshd_backend)s
> enabled = true
>
> I think the above is overriding jail.conf. As the jail.conf file does not
> have a line `enabled` (with true or false values) for any of the jails, I
> also suppose anyway that jail.local is overriding that. Is this right?
>
> On Thu, Feb 9, 2023 at 15:59, Nick Howitt via Fail2ban-users
> <fail2ban-users@lists.sourceforge.net> wrote:
>
>> There is some misinformation here. Jails can be enabled via configlets in
>> jail.d/ as well as overrides in jail.local.
>>
>> Anyway, what is your full jail config in jail.local? All you need is:
>> [sshd]
>> enabled = true
>>
>> It will pull everything else from jail.conf. Anything else you put here
>> will override anything in jail.conf so it is up to you if you want to
>> accept the default settings in jail.conf or override them.
>>
>>
>> On 09/02/2023 18:45, Marcos A.T. Silva wrote:
>>
>> Hi Finn,
>>
>> Understood. Thank you very much. :)
>>
>> I think I'll learn this one day. Well, it seems things are starting to
>> work here.
>>
>> So, do you know how I can make sure that a jail is really running?
>> Because, for example, I've enabled the sshd jail. The enabled jail is as
>> below:
>>
>> ```
>> #mode = normal
>> port = ssh
>> logpath = %(sshd_log)s
>> backend = %(sshd_backend)s
>> enabled = true
>> ```
>>
>> Is the above jail correct? Do I have to put a "filter" part there or
>> uncomment the #mode?
>>
>> Well, I don't know if I am testing it right. But, for example, if I run
>> `fail2ban-client status sshd` I receive the below output:
>>
>> ```
>> Status for the jail: sshd
>> |- Filter
>> |  |- Currently failed: 1
>> |  |- Total failed: 1
>> |  `- File list: /var/log/auth.log
>> `- Actions
>>    |- Currently banned: 0
>>    |- Total banned: 0
>>    `- Banned IP list:
>> ```
>>
>> But I think I've tried to log in to the server with a wrong passphrase for
>> my SSH key twice, and Fail2Ban is only displaying one attempt. Is this
>> correct?
>>
>> Thanks again, and sorry for the disturbance.
>>
>> On Thu, Feb 9, 2023 at 15:34, fail2ban--- via Fail2ban-users
>> <fail2ban-users@lists.sourceforge.net> wrote:
>>
>>> Hi Marcos
>>>
>>> jail.conf is holding the default settings for the jails
>>>
>>> jail.local is where You make Your own settings and customizations.
>>>
>>> When You update fail2ban jail.conf may be altered but jail.local will
>>> not and therefore settings (enabled jails etc.) will be safe
>>>
>>> A good idea is to read through the /etc/fail2ban/*.conf files since the
>>> makers have included a lot of information between the lines - some are
>>> difficult to understand the first time but eventually You will get
>>> better knowledge and understanding of this nice and GREAT tool.
>>>
>>> Regards,
>>> /Finn
>>>
>>>
>>> On 09-02-2023 at 19:05, Marcos A.T. Silva wrote:
>>> > Well, I have installed Fail2Ban from my own once I get this new Ubuntu
>>> > server. I am using Ubuntu 20.04.
>>> >
>>> > I only got this working by setting jails as enabled in the jail.local
>>> > file. The individual files in jail.d directory don't work.
>>> >
>>> > On Thu, Feb 9, 2023 at 14:44, Nick Howitt via Fail2ban-users
>>> > <fail2ban-users@lists.sourceforge.net> wrote:
>>> >
>>> >     Surely jail.conf should be left in place as it supplies some
>>> >     defaults, especially if you are using a distro packaged version? I
>>> >     don't think any jails are enabled by default but it may depend on
>>> >     the distro.
>>> >
>>> >     Then use jail.local or files in jail.d/ to enable particular filters.
>>> >
>>> >     Nick
>>> >
>>> >     On 09/02/2023 17:31, Mauricio Tavares wrote:
>>> >> On Thu, Feb 9, 2023 at 12:11 PM Marcos A.T. Silva <marcos...@gmail.com> wrote:
>>> >>> Hi there,
>>> >>>
>>> >>> I really can't find enough words to express my gratitude to you all guys. :)
>>> >>>
>>> >>> I think I am finally putting this to work.
>>> >>>
>>> >>> All your suggestions and help made me understand, I think, how that works.
>>> >>>
>>> >>> I've done the following:
>>> >>>
>>> >>> 1) Once, for what I understood, jail.local always overrides jail.conf,
>>> >>> I left all jails disabled (false) on jail.local. After that, I've
>>> >>> renamed jail.conf to jail.conf.unused, as Lee suggested.
>>> >>>
>>> >> AFAIK jail.conf does not turn anything on; that is the job of
>>> >> jail.local and/or jail.d/something-here.conf
>>> >>
>>> >>> 2) Now I created a sshd.conf file in /etc/fail2ban/jail.d and put
>>> >>> there only the content regarding the sshd jail that was in my
>>> >>> jail.local, enabling this jail.
>>> >>>
>>> >>> 3) Finally I tried to start Fail2Ban and it worked! Thank you!
>>> >>>
>>> >>> Well, I noticed (maybe I am wrong, of course) that I need to use both
>>> >>> `sudo fail2ban-client start` and `sudo systemctl start fail2ban` to
>>> >>> make it start and be enabled. Is that right?
>>> >>>
>>> >> systemctl start fail2ban should have sufficed.
>>> >>
>>> >>> But I rebooted the server and systemctl status shows me that Fail2Ban
>>> >>> is still active.
>>> >>>
>>> >>> Another question, if possible: now I have only sshd jail active, as
>>> >>> per the above procedures. Is there a way to check if it is really
>>> >>> running?
>>> >>>
>>> >> fail2ban-client status sshd
>>> >>
>>> >>> Thanks again.
>>> >>>
>>> >>> On Thu, Feb 9, 2023 at 12:13, Mauricio Tavares <raubvo...@gmail.com> wrote:
>>> >>>> On Thu, Feb 9, 2023 at 10:11 AM L. V. Lammert <l...@omnitec.net> wrote:
>>> >>>>> On Thu, 9 Feb 2023, Mauricio Tavares wrote:
>>> >>>>>
>>> >>>>>> My suggestion is to find which services you are using and then
>>> >>>>>> where they are writing their logs to. Take a look at jail.conf (I
>>> >>>>>> forgot to mention that file). Chances are there are entries for most
>>> >>>>>> of the services there. Case in point, the ssh services, including
>>> >>>>>> selinux-ssh, it knows of are
>>> >>>>>>
>>> >>>>> It appears that the fail2ban package for Ubuntu 20 is NOT very current.
>>> >>>>> Much simpler to manage if all of the jails are in separate files in
>>> >>>>> jail.d, .. not in a mile long jail.conf.
>>> >>>>>
>>> >>>>> Also, always confirm the installation of ONLY ssh, until you know
>>> >>>>> what you need to monitor.
>>> >>>>>
>>> >>>> FYI
>>> >>>>
>>> >>>> raub@some-debian-box:~$ cat /etc/fail2ban/jail.d/defaults-debian.conf
>>> >>>> [sshd]
>>> >>>> enabled = true
>>> >>>> raub@some-debian-box:~$
>>> >>>>
>>> >>>>> Lee
>>>
>>> --
>>> "After sleeping through a hundred million centuries we have finally
>>> opened our eyes on a sumptuous planet, sparkling with color, bountiful
>>> with life. Within decades we must close our eyes again. Isn't it a
>>> noble, an enlightened way of spending our brief time in the sun, to work
>>> at understanding the universe and how we have come to wake up in it?"
>>> [- Professor Richard Dawkins]
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
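
The override behaviour discussed in this thread, as an added example that is not part of any message or of fail2ban's own code: a Python script that merges files in the order jail.conf(5) documents (jail.conf, jail.d/*.conf, jail.local, jail.d/*.local) and reports which file supplied each effective option for a jail. The sample files and the `maxretry` values are constructed, and the function names are hypothetical.

```python
import configparser
import tempfile
from pathlib import Path


def load_order(confdir):
    """Config files in the order jail.conf(5) documents; later files override."""
    jail_d = confdir / "jail.d"
    files = [confdir / "jail.conf", *sorted(jail_d.glob("*.conf")),
             confdir / "jail.local", *sorted(jail_d.glob("*.local"))]
    return [f for f in files if f.is_file()]


def effective_jail(confdir, jail):
    """Return {option: (value, name of the file that set it)} for one jail."""
    merged = {"DEFAULT": {}, jail: {}}
    for path in load_order(confdir):
        # Renaming default_section makes [DEFAULT] parse as an ordinary section;
        # interpolation=None keeps values such as %(sshd_log)s literal.
        cp = configparser.ConfigParser(interpolation=None,
                                       default_section="__unused__")
        cp.read(path)
        for section in merged:
            if cp.has_section(section):
                for key, value in cp.items(section):
                    merged[section][key] = (value, path.name)
    # Jail-specific options win over [DEFAULT], whichever file they came from.
    return {**merged["DEFAULT"], **merged[jail]}


def demo():
    """Build constructed sample files in a temp dir and resolve [sshd]."""
    with tempfile.TemporaryDirectory() as tmp:
        confdir = Path(tmp)
        (confdir / "jail.d").mkdir()
        (confdir / "jail.conf").write_text(
            "[DEFAULT]\nenabled = false\nmaxretry = 5\n\n[sshd]\nport = ssh\n"
            "logpath = %(sshd_log)s\nbackend = %(sshd_backend)s\n")
        (confdir / "jail.d" / "defaults-debian.conf").write_text(
            "[sshd]\nenabled = true\n")
        (confdir / "jail.local").write_text("[sshd]\nmaxretry = 3\n")
        return effective_jail(confdir, "sshd")


if __name__ == "__main__":
    for option, (value, source) in sorted(demo().items()):
        print(f"{option:9} = {value:22} (from {source})")
```

On a live host, pass `Path("/etc/fail2ban")` to `effective_jail` and compare the result with what `fail2ban-client status sshd` reports.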