From d0d07285234871bad3dc0c359d0ec03365b6dddc Mon Sep 17 00:00:00 2001
From: sebres
Date: Fri, 26 Apr 2024 00:25:19 +0200
Subject: [PATCH] cherry-pick from debian: debian default banactions are nftables, systemd backend for sshd

closes gh-3292
---
 ChangeLog | 7 +++++++
 config/jail.conf | 4 ++--
 config/paths-debian.conf | 5 +++++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 8d9fb2a6..66539a37 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,13 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 -----------
 
 ### Fixes
+* `jail.conf`:
+ - default banactions need to be specified in `paths-*.conf` (maintainer level) now
+ - since stock fail2ban includes `paths-debian.conf` by default, banactions are `nftables` (can be overwritten in `jail.local` by user)
+* `paths-debian.conf`:
+ - default banactions are `nftables`
+ - sshd backend switched to `systemd` (gh-3292)
 
 ### New Features and Enhancements
 
diff --git a/config/jail.conf b/config/jail.conf
index 01e1fdf7..a1ced24d 100644
--- a/config/jail.conf
+++ b/config/jail.conf
@@ -205,8 +205,8 @@ fail2ban_agent = Fail2Ban/%(fail2ban_version)s
 # iptables-multiport, shorewall, etc) It is used to define
 # action_* variables. Can be overridden globally or per
 # section within jail.local file
-banaction = iptables-multiport
-banaction_allports = iptables-allports
+#banaction = iptables-multiport
+#banaction_allports = iptables-allports
 
 # The simplest action to take: ban only
 action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
diff --git a/config/paths-debian.conf b/config/paths-debian.conf
index 1f5ea37d..f3bf4ff0 100644
--- a/config/paths-debian.conf
+++ b/config/paths-debian.conf
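Review bot: Commenting out `banaction` and `banaction_allports` leaves `action_ = %(banaction)s[...]` at the end of the hunk referencing a name that jail.conf itself no longer defines, so any installation whose maintainer-level `paths-*.conf` does not set it (only `paths-debian.conf` is shown doing so in this patch) presumably fails to resolve its ban action instead of falling back to iptables, which for a ban tool means jails stop banning rather than degrade. The comment block above the commented lines (it starts before the hunk) still only says the value can be overridden in jail.local and does not say where the default now comes from; I would append `# The default is now set in paths-*.conf (maintainer level); if your paths file defines none, uncomment the two lines below or set banaction in jail.local.` The `#banaction` lines also now read like ordinary comment text, so a short `# Former stock defaults:` line in front of them would make clear they are commented-out settings rather than documentation.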
@@ -9,6 +9,11 @@ after = paths-overrides.local
 [DEFAULT]
+banaction = nftables
+banaction_allports = nftables[type=allports]
+
+sshd_backend = systemd
+
 syslog_mail = /var/log/mail.log
 # control the `mail.warn` setting, see `/etc/rsyslog.d/50-default.conf` (if commented `mail.*` wins).