Hi Finn,

Great, thank you. I understand now.
I'll check everything here.

Best Regards,
Marcos

On Thu, Feb 9, 2023 at 16:47, <fail2...@fibu-consult.dk> wrote:

> Hi Marcos.
>
> At the top of jail.conf / jail.local there are the settings below:
>
>
> # "bantime" is the number of seconds that a host is banned.
> bantime = 10m
>
> # A host is banned if it has generated "maxretry" during the last "findtime"
> # seconds.
> findtime = 10m
>
> # "maxretry" is the number of failures before a host get banned.
> maxretry = 5
>
>
> These settings will be the default if not defined in the individual jails
>
> Therefore read the conf files; there are a lot of settings and knowledge
>
> And the answer to Your question is properly that it requires 5 errors
> (maxretry = 5) in the logfile in a 10 min window (findtime = 10) to
> trigger the jail for 10 min (bantime = 10)
>
> Hope this helps a bit
>
> /Finn
>
>
> On 09-02-2023 at 19:45, Marcos A.T. Silva wrote:
> > Hi Finn,
> >
> > Understood. Thank you very much. :)
> >
> > I think I'll learn this one day. Well, it seems things are starting to
> > work here.
> >
> > So, do you know how I can make sure that a jail is really running?
> > Because, for example, I've enabled the sshd jail. The enabled jail is as
> > below:
> >
> > ```
> > #mode = normal
> > port = ssh
> > logpath = %(sshd_log)s
> > backend = %(sshd_backend)s
> > enabled = true
> > ```
> >
> > Is the above jail correct? Do I have to put a "filter" part there or
> > uncomment the #mode?
> >
> > Well, I don't know if I am testing it right. But, for example, if I run
> > `fail2ban-client status sshd` I receive the below output:
> >
> > ```
> > Status for the jail: sshd
> > |- Filter
> > |  |- Currently failed: 1
> > |  |- Total failed: 1
> > |  `- File list: /var/log/auth.log
> > `- Actions
> >    |- Currently banned: 0
> >    |- Total banned: 0
> >    `- Banned IP list:
> > ```
> >
> > But I think I've tried to log in at the server with a wrong passphrase
> > for my SSH key twice, and Fail2Ban is only displaying one attempt.
> > Is this correct?
> >
> > Thanks again, and sorry for the disturbance.
> >
> > On Thu, Feb 9, 2023 at 15:34, fail2ban--- via Fail2ban-users
> > <fail2ban-users@lists.sourceforge.net> wrote:
> >
> > Hi Marcos
> >
> > jail.conf is holding the default settings for the jails
> >
> > jail.local is where You make Your own settings and customizations.
> >
> > When You update fail2ban, jail.conf may be altered but jail.local will
> > not, and therefore settings (enabled jails etc.) will be safe
> >
> > A good idea is to read through the /etc/fail2ban/*.conf files since the
> > makers have included a lot of information between the lines - some are
> > difficult to understand the first time but eventually You will get
> > better knowledge and understanding of this nice and GREAT tool.
> >
> > Regards,
> > /Finn
> >
> >
> > On 09-02-2023 at 19:05, Marcos A.T. Silva wrote:
> > > Well, I have installed Fail2Ban on my own once I got this new Ubuntu
> > > server. I am using Ubuntu 20.04.
> > >
> > > I only got this working by setting jails as enabled in the jail.local
> > > file. The individual files in the jail.d directory don't work.
> > >
> > > On Thu, Feb 9, 2023 at 14:44, Nick Howitt via Fail2ban-users
> > > <fail2ban-users@lists.sourceforge.net> wrote:
> > >
> > > Surely jail.conf should be left in place as it supplies some
> > > defaults, especially if you are using a distro packaged version? I
> > > don't think any jails are enabled by default but it may depend on
> > > the distro.
> > >
> > > Then use jail.local or files in jail.d/ to enable particular filters.
> > >
> > > Nick
> > >
> > > On 09/02/2023 17:31, Mauricio Tavares wrote:
> > >> On Thu, Feb 9, 2023 at 12:11 PM Marcos A.T.
> > >> Silva <marcos...@gmail.com> wrote:
> > >>> Hi there,
> > >>>
> > >>> I really can't find enough words to express my gratitude to you all guys. :)
> > >>>
> > >>> I think I am finally putting this to work.
> > >>>
> > >>> All your suggestions and help made me understand, I think, how that works.
> > >>>
> > >>> I've done the following:
> > >>>
> > >>> 1) Once, for what I understood, jail.local always overrides jail.conf, I left all jails disabled (false) on jail.local. After that, I've renamed jail.conf to jail.conf.unused, as Lee suggested.
> > >>>
> > >> AFAIK jail.conf does not turn anything on; that is the job of
> > >> jail.local and/or jail.d/something-here.conf
> > >>
> > >>> 2) Now I created a sshd.conf file in /etc/fail2ban/jail.d and put there only the content regarding the sshd jail that was in my jail.local, enabling this jail.
> > >>>
> > >>> 3) Finally I tried to start Fail2Ban and it worked! Thank you!
> > >>>
> > >>> Well, I noticed (maybe I am wrong, of course) that I need to use both `sudo fail2ban-client start` and `sudo systemctl start fail2ban` to make it start and be enabled. Is that right?
> > >>>
> > >> systemctl start fail2ban should have sufficed.
> > >>
> > >>> But I rebooted the server and systemctl status shows me that Fail2Ban is still active.
> > >>>
> > >>> Another question, if possible: now I have only sshd jail active, as per the above procedures. Is there a way to check if it is really running?
> > >>>
> > >> fail2ban-client status sshd
> > >>
> > >>> Thanks again.
> > >>>
> > >>> On Thu, Feb 9, 2023 at 12:13, Mauricio Tavares <raubvo...@gmail.com> wrote:
> > >>>> On Thu, Feb 9, 2023 at 10:11 AM L. V.
> > >>>> Lammert <l...@omnitec.net> wrote:
> > >>>>> On Thu, 9 Feb 2023, Mauricio Tavares wrote:
> > >>>>>
> > >>>>>> My suggestion is to find which services you are using and then
> > >>>>>> where they are writing their logs to. Take a look at jail.conf (I
> > >>>>>> forgot to mention that file). Chances are there are entries for most
> > >>>>>> of the services there. Case in point, the ssh services, including
> > >>>>>> selinux-ssh, it knows of are
> > >>>>>>
> > >>>>> It appears that the fail2ban package for Ubuntu 20 is NOT very current.
> > >>>>> Much simpler to manage if all of the jails are in separate files in
> > >>>>> jail.d, .. not in a mile long jail.conf.
> > >>>>>
> > >>>>> Also, always confirm the installation of ONLY ssh, until you know what you
> > >>>>> need to monitor.
> > >>>>>
> > >>>> FYI
> > >>>>
> > >>>> raub@some-debian-box:~$ cat /etc/fail2ban/jail.d/defaults-debian.conf
> > >>>> [sshd]
> > >>>> enabled = true
> > >>>> raub@some-debian-box:~$
> > >>>>
> > >>>>> Lee
> > >> _______________________________________________
> > >> Fail2ban-users mailing list
> > >> Fail2ban-users@lists.sourceforge.net
> > >> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
> > --
> > "After sleeping through a hundred million centuries we have finally
> > opened our eyes on a sumptuous planet, sparkling with color, bountiful
> > with life. Within decades we must close our eyes again. Isn't it a
> > noble, an enlightened way of spending our brief time in the sun, to work
> > at understanding the universe and how we have come to wake up in it?"
> > [- Professor Richard Dawkins]
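
The default thresholds quoted in the thread (maxretry = 5, findtime = 10m, bantime = 10m) can be replayed over a log to see when a ban would fire. The following is an added example, not part of the original thread and not Fail2Ban's own code: a simplified sliding-window model in which the regex, the log-line format, the function names and the sample IPs are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Defaults quoted from jail.conf in the thread above.
MAXRETRY = 5
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(minutes=10)

# Simplified stand-in for the sshd filter: one failure pattern only (assumption).
FAIL_RE = re.compile(r"^(\S+) sshd\[\d+\]: Failed \S+ for .* from (\S+) port \d+")

def simulate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return [(ip, ban_start, ban_end)] for log lines given in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside findtime
    banned_until = {}             # ip -> time the current ban expires
    bans = []
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        if ip in banned_until and ts < banned_until[ip]:
            continue              # host is already banned, nothing to count
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()      # failures older than findtime no longer count
        if len(window) >= maxretry:
            banned_until[ip] = ts + bantime
            bans.append((ip, ts, ts + bantime))
            window.clear()
    return bans

def make_lines(ip, minute_offsets):
    """Build constructed log lines (ISO timestamps, not real syslog format)."""
    base = datetime(2023, 2, 9, 19, 0, 0)
    return [f"{(base + timedelta(minutes=m)).isoformat()} sshd[1234]: "
            f"Failed password for root from {ip} port 22" for m in minute_offsets]

# Constructed sample: 192.0.2.10 fails twice, 192.0.2.20 five times in 8 minutes,
# 192.0.2.30 five times spread over 44 minutes (never 5 inside one findtime window).
SAMPLE = sorted(make_lines("192.0.2.10", [0, 1])
                + make_lines("192.0.2.20", [0, 2, 4, 6, 8])
                + make_lines("192.0.2.30", [0, 11, 22, 33, 44]))

if __name__ == "__main__":
    for ip, start, end in simulate(SAMPLE):
        print(f"{ip} banned {start:%H:%M} -> {end:%H:%M}")
```

On a live host the effective values for a jail can be read back with `fail2ban-client get sshd maxretry`, `findtime` and `bantime`.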