From 2e7396ee665f0b5199bfb032cf1d31f48f80af33 Mon Sep 17 00:00:00 2001 From: sebres Date: Fri, 26 Apr 2024 00:25:19 +0200 Subject: [PATCH] debian default banactions are nftables, systemd backend for sshd closes gh-3292 --- ChangeLog | 7 +++++++ config/jail.conf | 4 ++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index c9ba7d5a..2c95dcac 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15,6 +15,13 @@ ver. 1.1.0 (2024/04/25) - object-found--norad-59479-cospar-2024-069a--altitude-3 you can use the 0.11 or 1.0 version of fail2ban or upgrade python (or even build it from source). ### Fixes +* `jail.conf`: + - default banactions need to be specified in `paths-*.conf` (maintainer level) now + - since stock fail2ban includes `paths-debian.conf` by default, banactions are `nftables` + (can be overwritten in `jail.local` by user) +* `paths-debian.conf`: + - default banactions are `nftables` + - sshd backend switched to `systemd` (gh-3292) * circumvent SEGFAULT in a python's socket module by getaddrinfo with disabled IPv6 (gh-3438) * avoid sporadic error in pyinotify backend if pending file deleted in other thread, e. g. by flushing logs (gh-3635) * `action.d/cloudflare-token.conf` - fixes gh-3479, url-encode args by unban diff --git a/config/jail.conf b/config/jail.conf index 01e1fdf7..a1ced24d 100644 --- a/config/jail.conf +++ b/config/jail.conf @@ -205,8 +205,8 @@ fail2ban_agent = Fail2Ban/%(fail2ban_version)s # iptables-multiport, shorewall, etc) It is used to define # action_* variables. Can be overridden globally or per # section within jail.local file -banaction = iptables-multiport -banaction_allports = iptables-allports +#banaction = iptables-multiport +#banaction_allports = iptables-allports # The simplest action to take: ban only action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
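Review bot: In the ChangeLog hunk, the new `jail.conf` and `paths-debian.conf` entries sit under `### Fixes`, but they describe a change of defaults (ban actions become `nftables`, the sshd backend becomes `systemd`) rather than a bug fix. Existing installations that depend on the previous iptables actions will see different behaviour after upgrading, so this deserves a more prominent compatibility note. The entry should also say outright that a paths-*.conf file which does not set `banaction` and `banaction_allports` leaves both undefined. Minor wording: "can be overwritten in `jail.local`" should read "overridden", as in the jail.conf comment.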
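Review bot: In the config/jail.conf hunk, `banaction` and `banaction_allports` lose their defaults while the unchanged context line `action_ = %(banaction)s[port="%(port)s", ...` still interpolates `%(banaction)s`. Any setup whose included paths-*.conf does not define them has nothing to substitute, and a jail that cannot resolve its action bans nothing. The diffstat lists only ChangeLog and config/jail.conf, so the `paths-debian.conf` side described in the ChangeLog is not visible in this patch; please confirm that it and the other shipped paths-*.conf files define both options. The comment block above the now commented-out lines still only says the value can be overridden in jail.local; it should state that the default now comes from paths-*.conf.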