github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

Rebuild to FAQ style using details/summary html-tags

master
Serg G. Brester 2017-06-30 16:47:08 +02:00
parent 1ac4d48a97
commit 188ef03fe5
1 changed files with 25 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
Properly-fail2ban-configuration.md

@ -3,10 +3,11 @@ Before you start fail2ban service, you should do some configurations appropriate
*** ***
**[Q]** Should I make my configuration directly in `jail.conf` and `fail2ban.conf`?<br/> **[Q]** Should I make my configuration directly in `jail.conf` and `fail2ban.conf`?<br/>
**[A]** No. You should avoid to change `.conf` files, created by fail2ban installation. **[A]** No. You should avoid to change `.conf` files, created by fail2ban installation. Instead, you'll write new files having `.local` extension.
<details>
Since this files may be overwritten by package upgrades, or because your changes may be incompatible with some future versions, you shouldn't edit it in-place.<br/> Since this stock files may be overwritten by the package upgrades, or because your changes may be incompatible with some future versions, you shouldn't edit it in-place.<br/>
Instead, you'll write a new file having `.local` extension. For example any values defined in `jail.local` will override those in `jail.conf` in the same sections (e. g. `[DEFAULT]`). So to set your jail configuration, don't change `jail.conf`. To customize some filter configuration, don't change `filter.conf`. Instead, create a new file with `.local` extension and write there only the settings to overwrite resp. to extend the values of original configuration. For example any values defined in `jail.local` will override those in `jail.conf` in the same sections (e. g. `[DEFAULT]`).
So for example if original `.conf` file contains: So for example if original `.conf` file contains:
``` ```
@ -27,9 +28,12 @@ logpath = /my-path/to/log
``` ```
The value of parameter `logpath` in `section1` will be still `/other/path`.<br/> The value of parameter `logpath` in `section1` will be still `/other/path`.<br/>
But value of parameter `logpath` in `section2` will be changed to `/my-path/to/log` (because it was not specified in section self, and new default value will be used). But value of parameter `logpath` in `section2` will be changed to `/my-path/to/log` (because it was not specified in section self, and new default value will be used).
</details>
*** ***
**[Q]** Which configurations are necessary to let fail2ban protect a service?<br/> **[Q]** Which configurations are necessary to let fail2ban protect a service?
<details><summary>Answer</summary>
**[A]** You should create a `jail.local` file and at least enable there corresponding jails (all jails are disabled by default) resp. overwrite there all the settings you've different from normally stock installation, or even create your own jails (and/or) filters, that are not available in default configuration of the fail2ban distribution. **[A]** You should create a `jail.local` file and at least enable there corresponding jails (all jails are disabled by default) resp. overwrite there all the settings you've different from normally stock installation, or even create your own jails (and/or) filters, that are not available in default configuration of the fail2ban distribution.
For example if you'll, that fail2ban should ban authorization failures occurred in sshd and nginx, but the `error.log` of your your nginx-instance is configured as `/var/log/my-nginx/error.log` you should set also parameter `logpath` additionally to `enabled` in section `[nginx]`. For example if you'll, that fail2ban should ban authorization failures occurred in sshd and nginx, but the `error.log` of your your nginx-instance is configured as `/var/log/my-nginx/error.log` you should set also parameter `logpath` additionally to `enabled` in section `[nginx]`.
@ -56,8 +60,12 @@ dbfile = /var/run/fail2ban/fail2ban.sqlite3
- other jail parameters (`jail.conf` or includes) like `backend` (e. g. usage of systemd journals expected `systemd` backend), `action` resp. `banaction` (e. g. you can't use `iptables` if your system does not support it), `logpath`, etc. - other jail parameters (`jail.conf` or includes) like `backend` (e. g. usage of systemd journals expected `systemd` backend), `action` resp. `banaction` (e. g. you can't use `iptables` if your system does not support it), `logpath`, etc.
You can also control resp. configure another optional configurations parameters, like `ignoreip`, etc. You can also control resp. configure another optional configurations parameters, like `ignoreip`, etc.
</details>
*** ***
**[Q]** How I can see the current (merged) configuration, that fail2ban will use by start<br/> **[Q]** How I can see the current (merged) configuration, that fail2ban will use by start
<details><summary>Answer</summary>
**[A]** You can dump your current configuration (all the parameters that fail2ban loads by start) with following commands: **[A]** You can dump your current configuration (all the parameters that fail2ban loads by start) with following commands:
```bash ```bash
# dump parameters: # dump parameters:
@ -66,8 +74,13 @@ fail2ban-client -d
fail2ban-client -vd fail2ban-client -vd
fail2ban-client -vvd fail2ban-client -vvd
``` ```
</details>
*** ***
**[Q]** How I can notify fail2ban, that the configuration was changed<br/> **[Q]** How I can notify fail2ban, that the configuration was changed
<details><summary>Answer</summary>
**[A]** You should execute `fail2ban-client reload` (in previous versions before 0.10 `fail2ban-client restart`).<br/> **[A]** You should execute `fail2ban-client reload` (in previous versions before 0.10 `fail2ban-client restart`).<br/>
You can also get and set corresponding parameter individually, using fail2ban client-server communication protocol. For example: You can also get and set corresponding parameter individually, using fail2ban client-server communication protocol. For example:
@ -75,8 +88,12 @@ You can also get and set corresponding parameter individually, using fail2ban cl
fail2ban-client set pam-generic logencoding UTF-8 fail2ban-client set pam-generic logencoding UTF-8
fail2ban-client set nginx findtime 10m fail2ban-client set nginx findtime 10m
``` ```
</details>
*** ***
**[Q]** How should I correctly modify log file locations other than in the jail settings or messing with master .conf files?<br/> **[Q]** How should I correctly modify log file locations other than in the jail settings or messing with master .conf files?
<details><summary>Answer</summary>
**[A]** To make a modification to the default log file locations you should create a .local file of paths-common.conf or paths-debian.com (whichever you are using in jail.local) and make changes only in your .local files which keeps it nicely structured for your jail(s) settings and avoids problems when Fail2Ban is updated<br/> **[A]** To make a modification to the default log file locations you should create a .local file of paths-common.conf or paths-debian.com (whichever you are using in jail.local) and make changes only in your .local files which keeps it nicely structured for your jail(s) settings and avoids problems when Fail2Ban is updated<br/>
To create your .local file<br/> To create your .local file<br/>
@ -98,4 +115,4 @@ Edit the line in `paths-common.local` or `paths-debian.local` (whichever you are
`nginx_access_log = /var/log/nginx/*access*.log`<br/> `nginx_access_log = /var/log/nginx/*access*.log`<br/>
Then in your jail you would rather use<br/> Then in your jail you would rather use<br/>
`logpath = %(nginx_access_log)s`<br/> `logpath = %(nginx_access_log)s`<br/>
</details>