Fail2Ban for custom ports

I’m using a different SSHD port than 22 and I’m also using different ports for Webmin.
Where should I change the Fail2Ban configuration?
I would also leave the ports standard so as to intercept attempts on those ports.

Why are there 2 Jail sshd, one at the top and one at the bottom?

OS type and version Debian 12
Webmin version 2.111
Virtualmin version 7.10.0 Pro
Related packages Fail2Ban

You don’t need to do anything. Fail2Ban doesn’t monitor ports, it monitors logs. No matter what port SSH is setup to use, it’ll monitor its logs for login attempts.

depends on what you set here if they get banned or not though

In a normal installation, without webmin, if I go to a definition, for example [sshd], there is port = ssh
Why is there this directive if, as you say, it is not used?

But, as I said initially, I see two of Jail sshd, why? And which is the right one?
I tried installing Fail2Ban on the second VPS and there are two of them here too.
By the way, it doesn’t start here, but I’ll open a separate post.

I believe this is the port that an IP is blocked from when it triggers. It’s not the monitoring port, since it’s the log file or journalctl that gets monitored. iptables-allports would be a good action to apply if you want to block the offender from accessing all services.

You see two [sshd] declarations on a default install? I only have one on the two Debian 12 servers I checked. I’m fairly certain that at least one of those servers is likely running the defaults or close to it. The other has been modified by me. Is it defined in jail.local/jail.conf? What’s the content of each jail? That may provide a clue as to why there’s two.

In both Virtualmin and Webmin little or nothing in the various sections; in Fail2ban not even a comma.
In jail.conf there is:


# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
# normal (default), ddos, extra or aggressive (combines all).
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
#mode   = normal
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s

In jail.local:

enabled = false

If I change the one at the bottom of the list inserting my port, then in jail.local there is:

enabled = false
action = iptables-allports[port=22222, protocol=tcp]

If I enable the Jail at the bottom of the list, the one at the top is also enabled.
If I open the top one, I find the changes I made to the bottom one.
What a mess.

Also for Virtualmin I always check iptables-allports?
Can I also enter my usermin port here?

Make a new action and jail if you want to check usermin as the regex in the ssh action will be wrong i would guess

If your using allports there is no need to add a port definition as allports will do what it says. Block all ports

The reason you have 2 sshd entries is you have it defined twice once in jail.local & in jail.conf.
edit jail.conf and make the sshd section look like this

this will be somewhere around line 279 in jail.conf. You will notice all you have to do is to add # to the beginning of each line. After doing this you will have one entry for sshd

iptables-allports was in your snapshot; I had interpreted that port and protocol should be placed in the fields identified by the other green arrows.

I haven’t touched the Fail2ban configurations.
If there are 2 entries it is because it was installed twice, without “#”.
It was also installed like this on Webmin.

You didn’t answer me about how to secure different ports on the Webmin jail.
On sshd I put “iptables-all” and no port in the other field.
Can I also put “iptables-all” for Webmin?

I then notice that the definition for Webmin is also present both in conf and in local (as it should be), yet there is only one entry in the list.
So the duplicate problem is limited to sshd.

As for usermin, I have no experience with regex and I wouldn’t even know how to start.
Is it possible that there isn’t something ready already given that Virtualmin uses Usermin for mail and logins?

You use iptables-all in all jails with no problems this means you don’t have to fill in the other values

1 Like

This is ultimately your decision. You can also set a [DEFAULT] jail if you want the same banaction across multiple jails.

It’s your decision regarding what ports to block offenders from based on the jail that they trigger. I personally prefer iptables-allports because most attacks are coming from servers that are performing malicious actions across multiple services and it stands to reason that they’ll be trying their luck on other ports/services as well. If they trigger a ban, then I want them blocked from accessing all services for a certain period. However, that may be too broad for some people. Especially since a malicious attacker could potentially be coming from a shared IP, and blocking all ports will restrict friendly users on the network from accessing all services, including the web server, on your machine.

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.