[SOLVED] Need help with fail2ban configuration specs. Debian 10
LinuxQuestions.org, Linux - Server forum: this forum is for the discussion of Linux software used in a server-related context.
Hi Everyone,
I have a Debian 10 server running on a VPS.
The only software I installed is tinyproxy (an HTTP proxy) and fail2ban.
I am interested in banning all unauthorized login attempts, i.e. attempts to all ports.
I have included my specific settings in the jail.local file.
I believe my settings are correct for banning attempts to login to SSH (although I am not sure about that), but I really want to ban unauthorized attempts to any port.
I have included my specific settings in the fail2ban.local file since I made one change there.
Many thanks!
xmx
===
=== Here are my entries in jail.local
===
<pre>
#
# JAILS
#
#
# SSH servers
#
[sshd]
# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
mode = aggressive
port = 22
filter = sshd
logpath = /var/log/auth.log
bantime = 2000000
findtime = 7200
maxretry = 2
backend = %(sshd_backend)s
action = iptables-multiport[name=sshd, port="ssh", protocol=tcp]
</pre>
===
=== Here are my entries in fail2ban.local
===
<pre>
# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 2100000
</pre>
Okay, now what you want is a firewall that blocks access to all ports except the ones where you want to allow a login. In a pure system you would simply not run any services on any ports except the port you wanted to allow logins to, but if you can't ensure that, you use a firewall and block access on all of the ports. Fail2ban does not block logins exactly; it blocks dictionary attacks by detecting failed logins and then blocking access from the specific IP address that was attempting the dictionary attack.
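The reply above describes what fail2ban actually does: count failed logins per source address inside the findtime window and ban the address once it reaches maxretry. The Python script below is an added illustration written for this thread, not fail2ban's own code and not part of any post; it re-implements that counting over a few constructed auth.log lines, using the findtime = 7200 and maxretry = 2 values from the posted jail.local, with a simplified regular expression standing in for fail2ban's filter.d/sshd.conf failregex. The host name, PIDs and IP addresses in the sample lines are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not taken from any real server).
# 203.0.113.7 fails three times in eight seconds; 198.51.100.20 logs in
# with a key, then fails once at 10:02 and once at 13:30.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:05 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:00:09 vps sshd[1205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar  3 10:01:00 vps sshd[1210]: Accepted publickey for xmx from 198.51.100.20 port 40000 ssh2
Mar  3 10:02:00 vps sshd[1212]: Failed password for xmx from 198.51.100.20 port 40010 ssh2
Mar  3 13:30:00 vps sshd[1300]: Failed password for xmx from 198.51.100.20 port 40020 ssh2
"""

# Simplified stand-in for fail2ban's sshd failregex (assumption: only the
# "Failed password" line is recognised, and only IPv4 addresses).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_timestamp(line):
    """Parse the 15-character syslog prefix, e.g. "Mar  3 10:00:01".

    Syslog timestamps carry no year, so the result defaults to 1900; only the
    differences between timestamps matter for the findtime window.
    """
    return datetime.strptime(line[:15], "%b %d %H:%M:%S")


def scan(log_text, findtime=7200, maxretry=2):
    """Return [(ip, ban_time)] for every source that reaches maxretry failed
    logins inside a sliding window of findtime seconds (the jail semantics)."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = set()
    bans = []
    for line in log_text.splitlines():
        match = FAILED_RE.search(line)
        if not match:
            continue  # successful logins and unrelated lines are ignored
        ip = match.group("ip")
        if ip in banned:
            continue  # already banned; the firewall rule handles further traffic
        now = parse_timestamp(line)
        window = recent[ip]
        window.append(now)
        # Drop failures that have aged out of the findtime window.
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(ip)
            bans.append((ip, now))
    return bans


if __name__ == "__main__":
    for ip, when in scan(SAMPLE_AUTH_LOG):
        print(f"ban {ip} at {when:%b %d %H:%M:%S} (findtime=7200, maxretry=2)")
    # With a day-long findtime the two widely spaced failures from
    # 198.51.100.20 also count as one burst and produce a second ban.
    print([ip for ip, _ in scan(SAMPLE_AUTH_LOG, findtime=86400)])
```

With the posted settings only 203.0.113.7 is banned, at its second failure; the two failures from 198.51.100.20 are three and a half hours apart, outside the two-hour findtime, so they never add up. Note what the script does not do: it only ever sees sshd's log lines, which is the reply's point that a jail bans after observed failed logins on a service it watches, while blocking connections to every other port is the job of the firewall's default-deny policy.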
I do not believe that pointing out that the advantage is in using the right tools for the right job is unkind, but I am VERY glad you found a way to make it work the way you wanted. I would still use a mixture of tools to properly secure any of my servers.
Since you have, I suggest you mark this thread [SOLVED].