Hello everyone, it's been a long time !

Today I want to share with you my fail2ban setup hopefully it could help you to get it sorted and you'll also have my filters I have created along the time.

To start couple of things regarding my setup, I'm running fail2ban v0.9.6 on Debian 9 also as firewall I'm using iptables so my actions are creating iptables rules. Also the fail2ban folder is configure organize like this:

    /etc/fail2ban/
              |/filter.d/
              |        |defaults_filters.conf
              |        |my_filters.local
              |/action.d/
              |        |defaults_action.conf
              |        |my_actions.local
              |/jail.d/
              |         |defaults-debian.conf
              |/jail.conf
              |/jail.local

In the /filter.d folder you have the files (Fail2ban provides some by defaults) which contain the regex to parse your log files and identify the host to ban In the /action.d folder you have the files regarding the actions to be taken when a match has been found in the log you are parsing In the /Jail.d folder you have the files in which you will combine the filter and the actions, basically you will a rule which says with your filter if you find this do this selected action stored in /action.d folder.

With fail2ban you have two types of extensions ".conf" and ".local" you can use both of them without any issue but if you have 2 files with same name all the parameters in the ".local" files will supersedes the parameters in the ".conf" file, as well the config files in the /jail.d folder supersede the default jail.conf. My understanding is that fail2ban loads in this order:

  1. 1- jail.conf
  2. 2- jail.local
  3. 3- /jail.d/jail.conf
  4. 4- /jail.d/jail.local

I won't go deeply in the cli, the help is pretty good but briefly you have

  • fail2ban-server which you will practically never use and it's the background process which is doing the log monitoring.
  • fail2ban-client which is the tool with which you start the server, trigger the actions, useful for tests, manual ban etc..
  • fail2ban-regex this is useful to test you filters against a specific log to be sure your regex is correct

This is rough overview to understand the logic of the software if you want to go deeper you can find the old manual(but still useful) here

You can find all my config in my Github

Hope that helps

Matth