DEPRECATED CODE!!!!1!one!!1
Please read the replies before using this code or commenting!
For a better solution, use fail2ban's persistence SQLite database with a long purge time.
See this answer on Server Fault StackExchange: https://serverfault.com/a/810798/72732
[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}' \
              | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
            if ! grep -q "fail2ban-<name> <ip>" /etc/fail2ban/persistent.bans; then echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans; fi

Can someone point me to where the log files of banned IP addresses are stored? I want to see if any have been banned as I still seem to have a lot of failed IP attempt logins from far away places.
@David-Frick if you are using Raspbian (i.e. Linux), and configured your system with fail2ban, it should be stored at /var/log.
Check /etc/fail2ban/fail2ban.conf; it has a line with the path like this: logtarget = /var/log/fail2ban.log
I might have missed something, but why would one use the above configuration instead of the SQLite persistent storage used by fail2ban since version 0.9? See for example https://serverfault.com/a/810798
Also, the original discussion when this feature was added can be found here: https://sourceforge.net/p/fail2ban/mailman/message/31710813/
> I might have missed something, but why would one use the above configuration instead of the SQLite persistent storage used by fail2ban since version 0.9? See for example https://serverfault.com/a/810798
Thanks for pointing that out. I must've missed or forgotten about the feature when I discussed the issue on that blog post.
Now that I think about it, I had used the persistent SQLite storage for recidive jail at least once on a server I manage.
Got it, thanks for info.
Hi guys, I followed the guide but f2b gives me an error at line 44:
dic 31 00:11:14 raspberrypi fail2ban-server[32170]: Failed during configuration: Error in action definition 'iptables-multiport[name=sshd, bantime="-1", port="ssh", protocol="tcp", chain="<known/chain>"]': Source contains parsing errors
dic 31 00:11:14 raspberrypi fail2ban-server[32170]: [line 44]: 'if ! grep -q "f2b-<name> <ip>" /etc/fail2ban/persistent.bans; then echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans; fi\n'
Is it because something has changed at f2b?
> Is it because something has changed at f2b?
Hi, @payapony!
Have you read the replies? This one in particular.
none of these examples seem to include modifications for unban
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
              sed -i '/fail2ban-<name> <ip>/d' /etc/fail2ban/persistent.bans
The issue as mentioned by jirislav can be circumvented by adding the 'fixed strings' parameter for grep:
grep -Fq ...
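
Added example (not part of the gist or of any comment): a shell sketch comparing the gist's `grep -q` duplicate check with `grep -F` and with `grep -Fx`, plus an exact-line alternative to the `sed` removal. It goes one step beyond the `-F` suggestion by also requiring a whole-line match; the helper names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example. Helper names and sample data are constructed for illustration.

# Constructed persistent.bans content: one "<chain> <ip>" entry per line.
make_sample() {
    printf '%s\n' 'fail2ban-sshd 10.213.4.77' 'fail2ban-sshd 10.9.8.75' > "$1"
}

# Args for all helpers: <file> <chain> <ip>
has_regex() { grep -q   "$2 $3" "$1"; }  # as in the gist: unanchored regex
has_fixed() { grep -Fq  "$2 $3" "$1"; }  # literal text, still a substring match
has_exact() { grep -Fxq "$2 $3" "$1"; }  # literal text equal to the whole line

# Append the entry only when that exact line is not stored yet.
persist_ban() {
    has_exact "$1" "$2" "$3" || printf '%s %s\n' "$2" "$3" >> "$1"
}

# Drop exactly one entry and leave look-alike lines in place.
remove_ban() {
    tmp=$(mktemp) || return 1
    # grep exits 1 when no line survives the filter; only >1 is an error.
    grep -Fxv "$2 $3" "$1" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Demo on a throwaway file: print what each check reports per address.
demo() {
    f=$(mktemp) || return 1
    make_sample "$f"
    for ip in 10.2.3.4 10.9.8.7 10.9.8.75; do
        for check in has_regex has_fixed has_exact; do
            if "$check" "$f" fail2ban-sshd "$ip"; then r=present; else r=absent; fi
            printf '%-10s %-10s %s\n' "$check" "$ip" "$r"
        done
    done
    rm -f "$f"
}
demo
```

With the regex check, 10.2.3.4 is reported as already stored because of the entry 10.213.4.77, so it would never be written to the file; with `-F` alone, 10.9.8.7 is still hidden by 10.9.8.75.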