- Check if the paths to the log files are correct. Use the full path, e.g. “logpath = /var/log/secure” and not “logpath = %(sshd_log)s”. I found that sometimes if you are not using the full path, f2b has a problem reading the log files. If you didn't enable anything extra you should use only two logfiles: “logpath = /var/log/secure” and “/var/log/maillog”. The first log is for everything I mentioned in my previous post aside from the email server, and the second is for the emails.
- Check how many failed attempts you have in f2b. If you are the only one using your server you could limit this to 3 (personally I have it on 2, but if you are new to this don't go under 3).
- Check “findtime” and set it to what you think is best. I have it on 24 hours (86400) and there is no need to go for more.
- If you go for more than 24 hours then check in “fail2ban.conf” for “dbpurgeage” and increase it to 48h or more, depending on what your “findtime” is. Best to increase dbpurgeage by 24h (24, 48, 72, …) even if “findtime” is increased by less than 24 hours (a full day). The default time for “dbpurgeage” is 24 hours (86400).

There are two places where you can set these values: globally at the beginning of jail.local (or .conf), and per jail. In case you have these values under a specific jail they will overwrite the global values, just so you know. My advice: keep the global values, as there is no need to set them per jail (at least you don't need it now).

To help you, this is my “jail.local”:
[INCLUDES]
#before = paths-distro.conf
before = paths-fedora.conf

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]

# MISCELLANEOUS OPTIONS

# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8

# External command that will take tagged arguments to ignore, e.g. ,
# and return true if the IP is to be ignored. False otherwise.
#ignorecommand = /path/to/command
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime = 86400

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 86400

# "maxretry" is the number of failures before a host get banned.
maxretry = 2

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#            If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#            If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# systemd:   uses systemd python library to access the systemd journal.
#            Specifying "logpath" is not valid for this backend.
#            See "journalmatch" in the jails associated filter config
# auto:      will try to use the following backends, in order:
#            pyinotify, gamin, polling.
backend = auto

# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes:  if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
#       but it will be logged as a warning.
# no:   if a hostname is encountered, will not be used for banning,
#       but it will be logged as info.
usedns = warn

# "logencoding" specifies the encoding of the log files handled by the jail
# This is used to decode the lines from the log file.
# Typical examples: "ascii", "utf-8"
#
# auto: will use the system locale setting
logencoding = utf-8

# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true:  jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false

# "filter" defines the filter to use by the jail.
# By default jails have names matching their filter name
filter = %(name)s

# ACTIONS

# Some options used for actions

# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = [!removed - not for public eyes!]

# Sender email address used solely for some actions
sender = [!removed - not for public eyes!]

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = all

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535

# Action shortcuts. To be used to define action parameter

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-allports

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(name)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(name)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
            %(mta)s-whois[name=%(name)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
I didn't include the jails, as this is something you need to sort out, but it should be easy: just copy them from jail.conf. I didn't want to get email notifications because it would fill up my email with tons of useless information, that's why I used “action = %(action_)s”. There is no need to have an email notification every time f2b bans someone. If not using email notifications, leave “destemail” and “sender” empty or at the default value, I think it's “root@localhost”.

All this is based on f2b v0.9.3, and if you are using a different version then there is a chance my jail.local will not work for you.

P.S. Your log from “/var/log/maillog” shows classic brute-force attacks, and you will get a lot of them, so get used to it.
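The checks in the list above (full log paths instead of %(...)s names, a small maxretry, and a dbpurgeage that is at least as long as findtime, rounded up to whole days) can be run against a jail.local before restarting the service. The following linter is an added example written for this page; it is not part of the post above and not fail2ban's own code. It assumes only the INI syntax that jail.local and fail2ban.conf use, and the two sample configurations embedded in it are constructed so that the checks have something to report (they are not the author's real files).

```python
import configparser
import re
from pathlib import PurePosixPath

DAY = 86400  # seconds; fail2ban's default dbpurgeage and the post's findtime
INTERPOLATION = re.compile(r"%\([^)]*\)s")  # matches %(sshd_log)s-style references

# Constructed sample jail.local: it deliberately breaks the advice from the
# post so the linter has findings to report. Not the author's configuration.
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime  = 86400
findtime = 172800
maxretry = 2
backend  = auto
action   = %(action_)s

[sshd]
enabled = true
logpath = %(sshd_log)s

[postfix]
enabled = true
logpath = /var/log/maillog
maxretry = 10

[dovecot]
enabled = false
logpath = relative/maillog
"""

# Constructed sample fail2ban.conf carrying the default purge age.
SAMPLE_FAIL2BAN_CONF = """\
[Definition]
loglevel = INFO
dbpurgeage = 86400
"""


def parse_ini(text):
    # interpolation=None keeps %(...)s references as literal text so they can
    # be detected instead of configparser trying (and failing) to expand them
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def suggested_dbpurgeage(findtime):
    # round findtime up to a whole number of days (24h, 48h, 72h, ...)
    return max(DAY, -(-findtime // DAY) * DAY)


def lint(jail_text, fail2ban_conf_text, maxretry_ceiling=3):
    """Return a list of (jail, option, message) findings for enabled jails."""
    jails = parse_ini(jail_text)
    conf = parse_ini(fail2ban_conf_text)
    dbpurgeage = conf.getint("Definition", "dbpurgeage", fallback=DAY)
    findings = []
    for jail in jails.sections():  # [DEFAULT] is not listed as a section
        if jails.get(jail, "enabled", fallback="false").strip().lower() != "true":
            continue  # disabled jails are never loaded, so skip them
        # per-jail values override [DEFAULT]; configparser resolves that for us
        for path in jails.get(jail, "logpath", fallback="").split():
            if INTERPOLATION.search(path):
                findings.append((jail, "logpath",
                                 f"{path} is an interpolated name; use the full path"))
            elif not PurePosixPath(path).is_absolute():
                findings.append((jail, "logpath", f"{path} is not an absolute path"))
        maxretry = jails.getint(jail, "maxretry", fallback=5)
        if maxretry > maxretry_ceiling:
            findings.append((jail, "maxretry",
                             f"{maxretry} failures allowed; {maxretry_ceiling} or fewer is tighter"))
        findtime = jails.getint(jail, "findtime", fallback=600)
        if findtime > dbpurgeage:
            findings.append((jail, "findtime",
                             f"findtime {findtime}s exceeds dbpurgeage {dbpurgeage}s; "
                             f"set dbpurgeage = {suggested_dbpurgeage(findtime)}"))
    return findings


if __name__ == "__main__":
    for jail, option, message in lint(SAMPLE_JAIL_LOCAL, SAMPLE_FAIL2BAN_CONF):
        print(f"[{jail}] {option}: {message}")
```

Run against the embedded samples it reports the interpolated sshd logpath, the loose postfix maxretry, and (for both enabled jails) a findtime of 48h that outlives the 24h dbpurgeage; the disabled dovecot jail is skipped, which mirrors what fail2ban itself does with `enabled = false`. Feed it your real files with `lint(open("/etc/fail2ban/jail.local").read(), open("/etc/fail2ban/fail2ban.conf").read())`.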