I'm not sure if this is still a problem, but in the past fail2ban had problems on CentOS using the default logpath, e.g. "logpath = %(syslog_mail)s", "logpath = %(postfix_log)s"... These should be changed to "logpath = /var/log/maillog", that is, the full path to the log files. This problem was common in the past on CentOS 6 and 7, so if you see that f2b has a problem reading from the log files, you know what the cause could be.
You should really use SSH or SFTP and manually edit fail2ban. To make it easier to understand, here is one example:
+++ Create jail.local in the same directory where jail.conf is located.
+++ Copy from jail.conf from the beginning up to the first jail and change the settings as you want (the important ones I will mark with *** X ***):
```ini
[INCLUDES]

#before = paths-distro.conf
# this will change based on your OS so do not copy from me!!!
before = paths-fedora.conf

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

#
# MISCELLANEOUS OPTIONS
#

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
# *** 1 ***
ignoreip = 127.0.0.1/8

# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
# *** 2 ***
bantime = 86400

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
# *** 3 ***
findtime = 86400

# "maxretry" is the number of failures before a host get banned.
# *** 4 ***
maxretry = 2

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#              If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#              If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# systemd:   uses systemd python library to access the systemd journal.
#              Specifying "logpath" is not valid for this backend.
#              See "journalmatch" in the jails associated filter config
# auto:      will try to use the following backends, in order:
#              pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
#   warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:   if a hostname is encountered, a DNS lookup will be performed.
# warn:  if a hostname is encountered, a DNS lookup will be performed,
#        but it will be logged as a warning.
# no:    if a hostname is encountered, will not be used for banning,
#        but it will be logged as info.
usedns = no

# "logencoding" specifies the encoding of the log files handled by the jail
#   This is used to decode the lines from the log file.
#   Typical examples:  "ascii", "utf-8"
#
#   auto:   will use the system locale setting
logencoding = utf-8

# "enabled" enables the jails.
#  By default all jails are disabled, and it should stay this way.
#  Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true:  jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
# *** 5 ***
enabled = false

# "filter" defines the filter to use by the jail.
#  By default jails have names matching their filter name
#
filter = %(name)s

#
# ACTIONS
#

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail =

# Sender email address used solely for some actions
sender =

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = all

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
# *** 6 ***
banaction = iptables-allports

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(name)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(name)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(name)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# Choose default action.  To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
```
1 - You can add your IP or the IP of some other server/service to prevent f2b from banning that IP. Between each IP leave one space, e.g. 111.111.111.111 222.222.222.222 333.333.333.333 ...
2 / 3 - My suggestion for bantime and findtime is to set them to 24 hours (86400). If you go for more, your iptables could fill up with many banned IPs, slow down your website, and honestly there is no need to ban for more than 24 hours.
4 - Maxretry is usually set to 3-5, but if the server is only for you or just one client I would suggest going for 2 or 3. You can change this for a specific jail by adding "maxretry = XX".
5 - I would leave this on "disabled" and then use "enabled = true" for each jail. Because you will copy only the jails you want to use, this option could be set to "enabled", but I'm used to doing it this way, so it's up to you. If you go with "enabled" then you don't need "enabled = true" for each jail.
6 - Just use "iptables-allports". This means if one IP was banned because of brute-force on the mail server it will be banned on all ports.
+++ For the jails, just check which ones you want to use and then copy them one by one from jail.conf and paste them at the bottom of jail.local:
```ini
[postfix]
enabled  = true
port     = smtp,465,submission
logpath  = /var/log/maillog

[postfix-rbl]
enabled  = true
port     = smtp,465,submission
logpath  = /var/log/maillog
maxretry = 1

[apache-badbots]
enabled  = true
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port     = http,https
logpath  = /var/log/virtualmin/yourdomain.com_error_log
           /var/log/virtualmin/yourdomain.com_access_log
bantime  = 172800
maxretry = 1

[apache-noscript]
enabled  = true
port     = http,https
logpath  = /var/log/virtualmin/yourdomain.com_error_log
           /var/log/virtualmin/yourdomain.com_access_log
maxretry = 6
```
These are a few jail examples so you can see how it looks. For each jail you can change the default settings, like lowering maxretry from 2-3 to 1 or increasing it to 5; the same goes for bantime, etc.
You should be safe to copy all the settings I posted here aside from the jails; those are entirely up to you and depend on what you have active on the server, what you want to protect, and so on...
You can see in my example I used the full path to the log files to be sure f2b will be able to read from them.
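Added example (my own code, not from the post above and not part of fail2ban): a small pre-flight checker for the problem the post describes. It parses a jail.local-style file and reports, for every enabled jail, any logpath that still references an undefined `%(var)s` (the "default logpath" case where paths-*.conf did not supply `postfix_log`, `syslog_mail`, etc.) or that resolves to a path which does not exist on disk. The embedded configuration is constructed for the example: its [DEFAULT] deliberately omits the path variables so that the enabled [postfix] jail is left unresolvable, while the other jails use full paths as the post recommends. The `exists` hook is injectable so the check can run offline against fake paths.

```python
import configparser
import glob
import re

# Constructed jail.local text for this example (not any real server's file).
# [DEFAULT] deliberately does NOT define the path variables that the
# paths-*.conf include would normally supply (postfix_log, dovecot_log), which
# reproduces the "fail2ban cannot read the log" situation for [postfix].
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
bantime   = 86400
findtime  = 86400
maxretry  = 2
enabled   = false
banaction = iptables-allports

[postfix]
enabled = true
port    = smtp,465,submission
logpath = %(postfix_log)s

[sshd]
enabled = true
port    = ssh
logpath = /var/log/secure

[apache-badbots]
enabled  = true
port     = http,https
logpath  = /var/log/virtualmin/example.com_error_log
           /var/log/virtualmin/example.com_access_log
maxretry = 1

[dovecot]
enabled = false
logpath = %(dovecot_log)s
"""

# fail2ban-style interpolation token, e.g. %(postfix_log)s
INTERP = re.compile(r"%\((\w+)\)s")


def expand(value, defaults, max_depth=10):
    """Expand %(name)s tokens using the [DEFAULT] section.

    Returns (expanded_value, sorted list of names that could not be resolved).
    Nested references (a variable whose value is itself %(other)s) are
    followed for up to max_depth rounds; unresolved tokens are left in place.
    """
    missing = set()

    def sub(match):
        name = match.group(1)
        if name in defaults:
            return defaults[name]
        missing.add(name)
        return match.group(0)

    for _ in range(max_depth):
        new_value = INTERP.sub(sub, value)
        if new_value == value:
            break
        value = new_value
    return value, sorted(missing)


def path_exists(pattern):
    """fail2ban accepts globs in logpath, so 'exists' means 'glob matches'."""
    return bool(glob.glob(pattern))


def check_logpaths(jail_text, exists=path_exists):
    """Return {jail: [problem, ...]} for every *enabled* jail in jail_text.

    A problem is an unresolvable %(var)s in logpath, an empty logpath, or a
    resolved path that does not exist. `exists` is injectable for offline use.
    """
    # interpolation=None: we expand ourselves so we can report missing names.
    # strict=False: lets several files be concatenated (later values win).
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(jail_text)
    defaults = dict(cp.defaults())
    report = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue                                  # disabled jail: skip
        problems = []
        raw = cp.get(jail, "logpath", fallback="")
        if not raw.strip():
            problems.append("logpath is empty")
        for line in raw.splitlines():                 # multi-line logpath
            line = line.strip()
            if not line:
                continue
            resolved, missing = expand(line, defaults)
            if missing:
                problems.append(f"{line}: undefined {', '.join(missing)}")
            elif not exists(resolved):
                problems.append(f"{resolved}: not found")
        report[jail] = problems
    return report


if __name__ == "__main__":
    import sys
    files = sys.argv[1:]
    text = "\n".join(open(f).read() for f in files) if files else SAMPLE_JAIL_LOCAL
    for jail, problems in check_logpaths(text).items():
        print(f"[{jail}] {'OK' if not problems else '; '.join(problems)}")
```

With no arguments it runs on the embedded sample and flags only [postfix] (undefined `postfix_log`); [dovecot] is skipped because it is disabled. On a real server pass the files in fail2ban's own merge order, e.g. `python3 check_logpaths.py /etc/fail2ban/paths-fedora.conf /etc/fail2ban/jail.conf /etc/fail2ban/jail.local`, so that the path variables from paths-*.conf are visible; concatenating files this way is only an approximation of fail2ban's include handling. Treat it as a quick sanity check, not the final word: `fail2ban-client -t` validates the whole configuration, and `fail2ban-regex /var/log/maillog postfix` confirms that a filter actually matches lines in the log you pointed it at.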