fail2ban questions

Status
Not open for further replies.

sokalsondha

Member
Nov 6, 2019
37
1
8
Hello everyone
can someone guide me how this fail2ban works?

i mean when fail2ban ban an IP will this IP send to IPtables list for ban? and how do i see that iptables ban list? i mean any command for it?
i can see there are two file called jail.conf and jail.local in both files there is jail names like sip-auth-challenge etc etc etc. which file is the main jail configuration file? jail.conf or jail.local

and can someone tell which jail works how? i mean like one jail called fusionpbx whats that jail for and how its works?
i mean for a particular jail how people will banned? i understand the SSH one as if someone try wrong ssh details for certain time they will be banned for x amount of minutes
but all others very confused.. i think i need to understand all the jails. may be someone can help me please..

1. [freeswitch]

2. [freeswitch-acl]

3. [freeswitch-ip]

4. [auth-challenge-ip]

5. [sip-auth-challenge]

6. [sip-auth-failure]

7. [fusionpbx-404]

8. [fusionpbx]

9. [fusionpbx-mac]

10. [nginx-404]

11. [nginx-dos]


Hope someone spend little bit time for me to help me

Thanks
 

ad5ou

Active Member
Jun 12, 2018
892
204
43
For more information on how each of the jails are triggered, check the conf files in /etc/fail2ban/filter.d/
Example of freeswitch.conf:
Code:
[Definition]

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values:  TEXT
#
failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia $
            \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(INVITE\) on sofia pr$

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
 

sokalsondha

Member
Nov 6, 2019
37
1
8
thanks dear. i have checked those file already.. but its almost same description for everything. i wanted to know more like the real reason
thanks
 

whut

Member
Dec 23, 2022
228
22
18
Fail2ban reads log files and then determines based upon your configuration to block attempts. Each jail is defined in /etc/fail2ban/filter.d/ as @ad5ou had displayed. At this point in learning I would just know they exists and then look elsewhere to better understand f2b. jail.conf is the default configuration for f2b and it is recommended to not edit this file. It is recommended to make any edits within the jail.local file instead, including adding the 'ignoreip' line, which is your list of whitelisted ip addresses and ip address ranges.

Look at https://docs.fusionpbx.com/en/latest/firewall/fail2ban.html?highlight=fail2ban#fail2ban for commands to view iptables and if an ip address or domain has been banned/blocked.

Also see https://www.fail2ban.org/wiki/index.php/Main_Page , though I sometimes find better understanding from web searching for f2b specific knowledge.

Look at and edit your jail.local.
```
[ssh]
enabled = true
port = 22
protocol = ssh
filter = sshd
logpath = /var/log/auth.log
action = iptables-allports[name=sshd, protocol=all]
maxretry = 6
findtime = 60
bantime = 86400
...
```
the ssh jail is enabled
it watches /var/log/auth.log
looking for sshd keyword
ban the ip address (add to iptables on all ports)
when 6 attempts have been made within 60 seconds
ban the ip address for 86,400 seconds
 

ad5ou

Active Member
Jun 12, 2018
892
204
43
thanks dear. i have checked those file already.. but its almost same description for everything. i wanted to know more like the real reason
thanks
Each of the configs have a different "Regex" to test in the various log files fail2ban is set to check. In the example above for Freeswitch log, it checks for "...SIP auth failure" and after the configured failed attempts, it will ban the offending IP.

Another example is from freewistch-ip.conf where it checks for "...Can't find user.." when an offending host attempts random users at the server's IP address. Since Fusionpbx typically uses extension@domainname for real extensions, attempts to register 100@1.1.1.1 is going to trigger that particular jail.

The other posts above should provide useful information.
 
Status
Not open for further replies.