cherry-pick from debian: debian default banactions are nftables, systemd backend for sshd

closes gh-3292

ChangeLog

@@ -11,6 +11,13 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 -----------
 
 ### Fixes
+* `jail.conf`:
+  - default banactions need to be specified in `paths-*.conf` (maintainer level) now
+  - since stock fail2ban includes `paths-debian.conf` by default, banactions are `nftables`
+    (can be overwritten in `jail.local` by user)
+* `paths-debian.conf`:
+  - default banactions are `nftables`
+  - sshd backend switched to `systemd` (gh-3292)
 
 ### New Features and Enhancements
 

config/jail.conf

@@ -205,8 +205,8 @@ fail2ban_agent = Fail2Ban/%(fail2ban_version)s
 # iptables-multiport, shorewall, etc) It is used to define
 # action_* variables. Can be overridden globally or per
 # section within jail.local file
-banaction = iptables-multiport
+#banaction = iptables-multiport
-banaction_allports = iptables-allports
+#banaction_allports = iptables-allports
 
 # The simplest action to take: ban only
 action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

config/paths-debian.conf

@@ -9,6 +9,11 @@ after  = paths-overrides.local
 
 [DEFAULT]
 
+banaction = nftables
+banaction_allports = nftables[type=allports]
+
+sshd_backend = systemd
+
 syslog_mail = /var/log/mail.log
 
 # control the `mail.warn` setting, see `/etc/rsyslog.d/50-default.conf` (if commented `mail.*` wins).