Haack's Wiki

User Tools

Site Tools

Trace:
computing:fail2ban

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
computing:fail2ban [2019/11/03 04:25] oemb1905computing:fail2ban [2024/12/13 16:22] (current) oemb1905
Line 3: Line 3:
   * **Jonathan Haack**   * **Jonathan Haack**
   * **Haack's Networking**   * **Haack's Networking**
-  * **oemb1905@jonathanhaack.com**+  * **oemb1905@jonathanhaack.com** 
  
 ------------------------------------------- -------------------------------------------
Line 21: Line 21:
   <action = %(action_mwl)s>   <action = %(action_mwl)s>
  
-If you attempt to log in via ssh and fail within any 4 hour period 4 different times, then you are immediately blocked.+If you attempt to log in via ssh and fail within any 4 hour period 4 different times, then you are immediately blocked for a week.
  
   [DEFAULT]   [DEFAULT]
Line 28: Line 28:
   maxretry = 4   maxretry = 4
  
-The recidive filter below states that the last 3 weeks will be reviewed and if the ip address in question was banned more for 2 or more of those weeks, then the stricter ban of 20 weeks takes effect.  If you plan to review 3 weeks of information, with up to three violations each for a week, then you probably need at least 21 days of data.  I rounded to 30 for slightly more granularity. +TheIf over the last 3 weeks the ip address in question was banned at least twice, then the stricter ban of 20 weeks takes effect.  If you plan to review 3 weeks of information, with up to three violations each for a week, then you probably need at least 21 days of data.  I rounded to 30 for slightly more granularity. 
  
   [recidive]   [recidive]
Line 36: Line 36:
   bantime  = 20w   bantime  = 20w
   findtime = 3w   findtime = 3w
-  maxretry = 1+  maxretry = 2
  
 In order for this to work, the database purge parameter needs to be adjusted to be greater than or equal to what you specify for the find time in recidive. In order for this to work, the database purge parameter needs to be adjusted to be greater than or equal to what you specify for the find time in recidive.
Line 58: Line 58:
   sudo fail2ban-client status   sudo fail2ban-client status
  
-Hope this helps!+Hope this helps!  Oh yeah ... here is how to remove a false positive!
  
- --- //[[oemb1905@jonathanhaack.com|oemb1905]] 2019/11/02 19:48//+  fail2ban-client set ssh unbanip 10.xx.15x.12x 
 +  fail2ban-client unban --all 
 + 
 +Another method that does more than individual services, and instead zaps all records: 
 + 
 +  sudo systemctl stop fail2ban 
 +  sudo truncate -s 0 /var/log/fail2ban.log 
 +  sudo rm /var/lib/fail2ban/fail2ban.sqlite3 
 +  sudo systemctl restart fail2ban 
 + 
 +Systemd log issues. Change the sshd jail as follows 
 + 
 +  sudo nano /etc/fail2ban/jail.local 
 +  backend = systemd 
 +  #backend = %(sshd_backend)s 
 +   
 +Some recommend adding backend = systemd into jail.conf, but I've found that does nothing. The error over ipv6 not being set and using auto can be removed as follows: 
 +   
 +  sudo nano /etc/fail2ban/fail2ban.conf  
 +  'allowipv6 = auto' 
 + 
 + --- //[[alerts@haacksnetworking.org|oemb1905]] 2024/12/13 16:22//
computing/fail2ban.1572755116.txt.gz · Last modified: 2019/11/03 04:25 by oemb1905

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: GNU Free Documentation License 1.3
GNU Free Documentation License 1.3 Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki