sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
Once inside jail.local, edit the destination email and the action parameter. Read the comments in the conf file and decide which combination of m, w, l is right for your situation: action_ only bans, action_mw also mails you a whois report on the banned address, and action_mwl mails the whois report plus the log lines that triggered the ban.
<destemail = email>
<action = %(action_mwl)s>
If you attempt to log in via ssh and fail 4 times within any 4 hour period (findtime = 240m), you are immediately blocked for the bantime of one week.
[DEFAULT]
bantime = 1w
findtime = 240m
maxretry = 4
The recidive jail below states that the last 3 weeks will be reviewed, and if the ip address in question was banned in 2 or more of those weeks, then the stricter ban of 20 weeks takes effect. If you plan to review 3 weeks of information, with up to three violations each for a week, then you probably need at least 21 days of data. I rounded to 30 for slightly more granularity.
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 20w
findtime = 3w
In order for this to work, the database purge parameter needs to be adjusted to be greater than or equal to what you specify for the find time in recidive.
sudo nano /etc/fail2ban/fail2ban.conf
<dbpurgeage = 30d>
Once your configuration changes are done, restart the service, and then check the logs to verify functionality and debug as needed. Verify what fail2ban has done to your iptables in order to enact the policies above.
sudo systemctl restart fail2ban.service
sudo tail -f /var/log/fail2ban.log
sudo iptables -L f2b-sshd
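As an added example (not part of the original page or of fail2ban itself), the plain sh script below checks the relationship the steps above depend on: that dbpurgeage in fail2ban.conf is at least as long as the recidive findtime. It parses the two ini-style files with awk, converts the short duration suffixes used on this page (w, d, h, m, s) to seconds, and runs the check against constructed copies of the settings above plus a deliberately wrong copy that keeps fail2ban's stock dbpurgeage of 1d. The section name [Definition] and the 1d default come from fail2ban's stock fail2ban.conf; the function names, file names and sample email address are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the page author): sanity-check a fail2ban
# configuration for the dbpurgeage >= recidive findtime rule described above.

# Convert a fail2ban duration in the short suffix form used on this page
# (1w, 30d, 240m, 3600) to seconds. Assumption: one number plus an optional
# w/d/h/m/s suffix; fail2ban's long forms such as "2 weeks" are not handled.
f2b_to_seconds() {
  case "$1" in
    *w) echo $(( ${1%w} * 604800 )) ;;
    *d) echo $(( ${1%d} * 86400 )) ;;
    *h) echo $(( ${1%h} * 3600 )) ;;
    *m) echo $(( ${1%m} * 60 )) ;;
    *s) echo $(( ${1%s} )) ;;
    *)  echo $(( $1 )) ;;
  esac
}

# f2b_get FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
f2b_get() {
  awk -v sec="[$2]" -v key="$3" '
    $0 == sec { insec = 1; next }
    /^\[/     { insec = 0 }
    insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); print; exit
    }' "$1"
}

# check_recidive_purge JAIL_FILE F2B_FILE: succeed only if dbpurgeage covers
# the recidive findtime, so ban history is retained for the whole recidive
# window as the page requires. Falls back to [DEFAULT] findtime, then to
# fail2ban's stock defaults (findtime 10m, dbpurgeage 1d).
check_recidive_purge() {
  findtime=$(f2b_get "$1" recidive findtime)
  [ -n "$findtime" ] || findtime=$(f2b_get "$1" DEFAULT findtime)
  [ -n "$findtime" ] || findtime=10m
  purge=$(f2b_get "$2" Definition dbpurgeage)
  [ -n "$purge" ] || purge=1d
  [ "$(f2b_to_seconds "$purge")" -ge "$(f2b_to_seconds "$findtime")" ]
}

# Constructed sample files mirroring the settings on this page (not real system files).
SAMPLE_JAIL=$(mktemp); SAMPLE_F2B=$(mktemp); SAMPLE_F2B_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_JAIL" "$SAMPLE_F2B" "$SAMPLE_F2B_BAD"' EXIT
cat > "$SAMPLE_JAIL" <<'EOF'
[DEFAULT]
bantime = 1w
findtime = 240m
maxretry = 4
destemail = admin@example.invalid
action = %(action_mwl)s

[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 20w
findtime = 3w
EOF
cat > "$SAMPLE_F2B" <<'EOF'
[Definition]
dbpurgeage = 30d
EOF
# Wrong copy: the stock 1d purge age is far shorter than the 3w recidive findtime.
cat > "$SAMPLE_F2B_BAD" <<'EOF'
[Definition]
dbpurgeage = 1d
EOF

for f in "$SAMPLE_F2B" "$SAMPLE_F2B_BAD"; do
  if check_recidive_purge "$SAMPLE_JAIL" "$f"; then
    echo "ok: dbpurgeage covers the recidive findtime"
  else
    echo "WARNING: dbpurgeage is shorter than the recidive findtime"
  fi
done
```

On a live host the same check is `check_recidive_purge /etc/fail2ban/jail.local /etc/fail2ban/fail2ban.conf`. Note that the checker reads only the file it is given: a findtime that lives in jail.conf and is not overridden in jail.local will fall through to the 10m default here, even though fail2ban itself would merge the two files.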
Hope this helps!
— oemb1905 2019/11/02 19:20