Create Fail2ban jail Manually

Manually create a Fail2Ban jail using fail2ban-client (pre-0.10)

N.B. any syntax / function changes made within fail2ban-client will alter the commands used. The commands used here worked with versions 0.8.6-3wheezy3 and 0.8.13-1. 0.9 may or may not work exactly using the below.

For anyone visiting this and stuck on a version pre 0.10 where you want to add a jail but do not want to run reload (which pre 0.10 stops and starts all enabled jails as well as reparsing the config), the steps are:

  • Modify jail.local and add any required files to filter.d / action.d
  • Interrogate jail.local / filter.d / action.d for settings to use
  • Interrogate an existing running jail for useful items (if necessary)
  • Use fail2ban-client to create and start new jail.

Commands for interrogation of a running jail

# fail2ban-client get ssh ignoreip
These IP addresses/networks are ignored:
|- 127.0.0.1/8
|- another ip
`- last ip

# fail2ban-client get ssh actionstart iptables-multiport
iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>

Commands used to create and start jail

Here I've used new-jail as the name of the jail you want to create (you may wish to keep it the same as you've defined in jail.local for consistency).

  • {my-logpath} is what you would define logpath as in your jail.local
  • {my-regex} is a quoted string (due to bash expansions) of what you would define failregex as in your jail.local
  • repeat the line with addignoreip for all addresses to use for ignoreip
  • the values used for actionstart, actioncheck, actionstop, actionban, actionunban are the same as those that were already in use for iptables-allports within another jail
  • Unsure if it's the version I was using or not but most fail2ban variables found had to be expanded when using this way i.e. note <name>, <protocol>, <port>, <chain>, <blocktype> have all been replaced in the below statements. The only variables I left in the statements were <ip> for the iptables-allports statements and <HOST> in the addfailregex statement.

# fail2ban-client add new-jail auto
# fail2ban-client set new-jail maxretry 1
# fail2ban-client set new-jail findtime 2592000
# fail2ban-client set new-jail bantime 604800
# fail2ban-client set new-jail addlogpath {my-logpath}
# fail2ban-client set new-jail addfailregex '{my-regex}'
# fail2ban-client set new-jail addignoreip 127.0.0.1/8
# fail2ban-client set new-jail addaction iptables-allports
# fail2ban-client set new-jail actionstart iptables-allports 'iptables -N fail2ban-new-jail
iptables -A fail2ban-new-jail -j RETURN
iptables -I INPUT -p tcp -j fail2ban-new-jail'
# fail2ban-client set new-jail actioncheck iptables-allports "iptables -n -L INPUT | grep -q 'fail2ban-new-jail[ \t]'"
# fail2ban-client set new-jail actionstop iptables-allports "iptables -D INPUT -p tcp -j fail2ban-new-jail
iptables -F fail2ban-new-jail
iptables -X fail2ban-new-jail"
# fail2ban-client set new-jail actionban iptables-allports "iptables -I fail2ban-new-jail 1 -s <ip> -j REJECT --reject-with icmp-port-unreachable"
# fail2ban-client set new-jail actionunban iptables-allports "iptables -D fail2ban-new-jail -s <ip> -j REJECT --reject-with icmp-port-unreachable"
# fail2ban-client start new-jail
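The placeholder expansion and the jail-name length check are the two things most easily got wrong when building a jail this way, so here is an added POSIX shell example (my own code, not from the gist) that does both and prints the fail2ban-client sequence above as a dry run for review. The 28-character iptables chain-name limit is my assumption; the action bodies are the iptables-allports ones used above, and <ip> and <HOST> are deliberately left unexpanded because fail2ban fills those in itself. The sample jail name, log path and regex in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not part of the gist: expand fail2ban's action placeholders
# and emit the fail2ban-client command sequence as a reviewable dry run.

# Expand the placeholders that fail2ban-client 0.8.x leaves unexpanded when
# actions are set this way: <name>, <chain>, <protocol>, <port>, <blocktype>.
# <ip> and <HOST> are left alone; fail2ban substitutes those itself at ban
# time and at match time. Assumes none of the values contain '|', '&' or '\',
# which have meaning inside the sed replacement.
expand_action() {
    template=$1 name=$2 chain=$3 proto=$4 port=$5 blocktype=$6
    printf '%s\n' "$template" | sed \
        -e "s|<name>|$name|g" \
        -e "s|<chain>|$chain|g" \
        -e "s|<protocol>|$proto|g" \
        -e "s|<port>|$port|g" \
        -e "s|<blocktype>|$blocktype|g"
}

# Catch the "Jail name ... might be too long" warning before the jail exists:
# fail2ban 0.8 names the chain "fail2ban-<name>" and iptables chain names are
# limited to 28 characters (assumed limit), so the jail name must be 19 or less.
check_jail_name() {
    chain="fail2ban-$1"
    [ "${#chain}" -le 28 ]
}

# Print the full fail2ban-client sequence for a new jail using the
# iptables-allports action bodies from the gist. Nothing is executed; pipe the
# output to sh only after reviewing it. Constructed usage:
#   gen_jail_commands new-jail /var/log/auth.log 'Failed login from <HOST>'
gen_jail_commands() {
    jail=$1 logpath=$2 regex=$3
    chain=${4:-INPUT} proto=${5:-tcp}
    blocktype=${6:-"REJECT --reject-with icmp-port-unreachable"}

    check_jail_name "$jail" || {
        echo "jail name '$jail' too long for an iptables chain" >&2
        return 1
    }

    start=$(expand_action 'iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> -j fail2ban-<name>' \
        "$jail" "$chain" "$proto" "" "$blocktype")
    check=$(expand_action "iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'" \
        "$jail" "$chain" "$proto" "" "$blocktype")
    stop=$(expand_action 'iptables -D <chain> -p <protocol> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>' \
        "$jail" "$chain" "$proto" "" "$blocktype")
    ban=$(expand_action 'iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>' \
        "$jail" "$chain" "$proto" "" "$blocktype")
    unban=$(expand_action 'iptables -D fail2ban-<name> -s <ip> -j <blocktype>' \
        "$jail" "$chain" "$proto" "" "$blocktype")

    printf '%s\n' "fail2ban-client add $jail auto" \
        "fail2ban-client set $jail maxretry 1" \
        "fail2ban-client set $jail findtime 2592000" \
        "fail2ban-client set $jail bantime 604800" \
        "fail2ban-client set $jail addlogpath $logpath" \
        "fail2ban-client set $jail addfailregex '$regex'" \
        "fail2ban-client set $jail addignoreip 127.0.0.1/8" \
        "fail2ban-client set $jail addaction iptables-allports" \
        "fail2ban-client set $jail actionstart iptables-allports '$start'" \
        "fail2ban-client set $jail actioncheck iptables-allports \"$check\"" \
        "fail2ban-client set $jail actionstop iptables-allports '$stop'" \
        "fail2ban-client set $jail actionban iptables-allports '$ban'" \
        "fail2ban-client set $jail actionunban iptables-allports '$unban'" \
        "fail2ban-client start $jail"
}
```

Run gen_jail_commands first without piping it anywhere and read the output: every `<name>`, `<chain>`, `<protocol>` and `<blocktype>` should be gone, and the only angle-bracket tokens left should be `<ip>` in the ban/unban lines and `<HOST>` in the regex.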

Encountered error messages

If fail2ban doesn't like anything you've done it will log it to the error log.

WARNING Jail name 'new-jail' might be too long and some commands (e.g. iptables) might not function correctly. Please shorten

Your jail name is too long. Remember that fail2ban prefixes the jail name with fail2ban- when it builds the iptables chain name, so the chain name is longer than the jail name itself.

ERROR iptables -I fail2ban-apache-ordownload 1 -s 202.148.244.155 -j <blocktype> returned 200

You did not change <blocktype> in your banaction

ERROR iptables -n -L INPUT | grep -q 'fail2ban-new-jail[ \t]' returned 100

The iptables jump entry does not exist

Your startaction is not creating the chain and appropriate jump entry
