LinuxQuestions.org
Old 01-31-2024, 11:02 AM   #1
xmx
LQ Newbie
 
Registered: Dec 2020
Distribution: MX Linux
Posts: 7

Rep: Reputation: Disabled
Need help with fail2ban configuration specs. Debian 10


Hi Everyone,

I have a Debian 10 server running on a VPS.
The only software I installed is: tinyproxy (http proxy) and fail2ban

I am interested in banning all unauthorized login attempts, i.e. attempts to all ports.

I have included my specific settings in the jail.local file.
I believe my settings are correct for banning attempts to login to SSH (although I am not sure about that), but I really want to ban unauthorized attempts to any port.

I have included my specific settings in the fail2ban.local file since I made one change there.


Many thanks !
xmx




===
=== Here are my entries in jail.local
===

<pre>
#
# JAILS
#

#
# SSH servers
#

[sshd]

# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode = normal
enabled = true
mode = aggressive
port = 22
filter = sshd
logpath = /var/log/auth.log
bantime = 2000000
findtime = 7200
maxretry = 2
backend = %(sshd_backend)s
action = iptables-multiport[name=sshd, port="ssh", protocol=tcp]
</pre>


===
=== Here are my entries in fail2ban.local
===

<pre>
# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = 2100000
</pre>
 
Old 01-31-2024, 11:48 PM   #2
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 5,749

Rep: Reputation: 2757
Okay, now what you want is a firewall that blocks access to all ports except the ones where you want to allow a login. In a pure system you would simply not run any services on any ports except the port you wanted to allow logins to, but if you can't ensure that, you use a firewall and block access on all of the ports. Fail2ban does not block logins exactly; it blocks dictionary attacks by detecting failed logins and then blocking access from the specific IP address that was attempting the dictionary attack.

Use the right tool for the right job.
 
Old 02-01-2024, 09:24 AM   #3
xmx
LQ Newbie
 
Registered: Dec 2020
Distribution: MX Linux
Posts: 7

Original Poster
Rep: Reputation: Disabled
Indeed I do understand how fail2ban works.
Banning all ports is possible and I have read MANY posts talking "about" it but not specifying it.

I have been very close to figuring it out.

Your unkind closing remark aside, the purpose of banning all ports is that you can add services at any time and fail2ban will accommodate them.

When you are a developer, like me, (54 years) there is a great deal of experimenting ongoing all the time !!

Anyway, I FIGURED IT OUT ! Yay for me !

<pre>
banaction_allports = iptables-allports
action_ap = %(banaction_allports)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_ap)s
</pre>
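
Where the three lines from post #3 are placed decides which jails ban on all ports. The following is an added example, not part of the original posts and not fail2ban's own code: it resolves each enabled jail's `action` for two constructed jail.local layouts. It assumes Python's configparser interpolation as a stand-in for fail2ban's config reader, a constructed subset of the stock jail.conf defaults, and a hypothetical `tinyproxy` jail representing a service added later.

```python
import configparser

# Constructed stand-in for the stock jail.conf defaults (the real file has more).
JAIL_CONF = """[DEFAULT]
bantime = 600
port = 0:65535
protocol = tcp
chain = INPUT
banaction = iptables-multiport
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_)s

[sshd]
port = ssh
"""

# The three lines from post #3, verbatim.
ALLPORTS = """banaction_allports = iptables-allports
action_ap = %(banaction_allports)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_ap)s
"""

# Hypothetical jail standing in for a service that is added later.
LATER = "[tinyproxy]\nenabled = true\nport = 8888\n"

# Two constructed jail.local variants: override inside [sshd] vs. inside [DEFAULT].
LOCAL_IN_SSHD = "[sshd]\nenabled = true\n" + ALLPORTS + LATER
LOCAL_IN_DEFAULT = "[DEFAULT]\n" + ALLPORTS + "[sshd]\nenabled = true\n" + LATER


def ban_actions(jail_conf, jail_local):
    """Map each enabled jail to the ban action its 'action' option resolves to."""
    cp = configparser.ConfigParser()
    cp.read_string(jail_conf)   # stock definitions first
    cp.read_string(jail_local)  # local file overrides them
    result = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        # configparser does not supply __name__ itself; pass the jail name in.
        action = cp.get(jail, "action", vars={"__name__": jail})
        result[jail] = action.splitlines()[0].split("[", 1)[0].strip()
    return result


if __name__ == "__main__":
    for label, local in (("in [sshd]", LOCAL_IN_SSHD), ("in [DEFAULT]", LOCAL_IN_DEFAULT)):
        print(label, ban_actions(JAIL_CONF, local))
```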
 
Old 02-01-2024, 10:52 AM   #4
wpeckham
LQ Guru
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, VSIDO, tinycore, Q4OS, Manjaro
Posts: 5,749

Rep: Reputation: 2757
Quote: Originally Posted by xmx
Indeed I do understand how fail2ban works.
Banning all ports is possible and I have read MANY posts talking "about" it but not specifying it.

I have been very close to figuring it out.

Your unkind closing remark aside, the purpose of banning all ports is that you can add services at any time and fail2ban will accommodate them.

When you are a developer, like me, (54 years) there is a great deal of experimenting ongoing all the time !!

Anyway, I FIGURED IT OUT ! Yay for me !

<pre>
banaction_allports = iptables-allports
action_ap = %(banaction_allports)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_ap)s
</pre>

I do not believe that pointing out that the advantage is in using the right tools for the right job is unkind, but I am VERY glad you found a way to make it work the way you wanted. I would still use a mixture of tools to properly secure any of my servers.

Since you have, I suggest you mark this thread <solved>.
 
  

