mirror of https://github.com/fail2ban/fail2ban
Rebuild to FAQ style using details/summary html-tags
parent
188ef03fe5
commit
3d40da457d
|
@ -7,6 +7,7 @@ Fail2Ban comes out-of-the-box ready to read many standard log files, such as tho
|
|||
|
||||
***
|
||||
**[Q]** Fail2ban does not detect some authentication failures resp. banning does not occurred
|
||||
<details><summary>Answer</summary>
|
||||
|
||||
**[A]** There can be many reasons:
|
||||
- corresponding jail for scanning the log file or systemd journal is not enabled (or idle). See [here](Properly-fail2ban-configuration) how the jail can be enabled.
|
||||
|
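Review bot: The `<summary>` added under the first **[Q]** uses the generic label "Answer", and the body it wraps still begins with `**[A]**`, so every collapsed entry looks the same and the expanded one carries a redundant marker. Consider moving the question text into `<summary>` (or dropping the `**[A]**` prefix) so a collapsed entry is self-describing. The matching `</details>` is not part of this hunk; it needs to land before the next `***` separator.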
@ -21,9 +22,11 @@ You can use another fail2ban tool `fail2ban-regex` to check resp. build your own
|
|||
- the banning action is not specified resp. something going wrong by execution of the ban-action. For example if iptables action used, you can verify it by checking of iptables entries, where you should find the fail2ban jail name (prefixed with `f2b-`) as chain and the rule corresponding the IP address.<br/>
|
||||
Mostly you'll see then too many log-lines like following in the `fail2ban.log`:<br/>
|
||||
` NOTICE [jail] 192.0.2.25 already banned`<br/>
|
||||
</details>
|
||||
|
||||
***
|
||||
**[Q]** Fail2ban detects resp. incorrectly blocks some authentication attempts as failure (e. g. bans my IP address).
|
||||
<details><summary>Answer</summary>
|
||||
|
||||
**[A]** It may be, that the expression is not good enough or the matching just occurs in pre-authentication step (e. g. by handshake) and so even per success login you have one failure (in sense of your configuration of fail2ban), so normally for the "fix" in this case, it will be enough to increase `maxretry` resp. to decrease `findtime` for this jail.
|
||||
|
||||
|
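Review bot: The `</details>` after the `already banned` line directly follows a list item that ends in `<br/>`, with no empty line in between. Put an empty line before `</details>` so the closing tag is parsed as its own HTML block instead of depending on how the renderer terminates the list. The `<details><summary>Answer</summary>` openers in this change already have an empty line after them, so this also keeps the open and close sides consistent.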
@ -48,13 +51,16 @@ Following script shows all failures of all IPs across all jails:
|
|||
```bash
|
||||
?sudo? python -c "db='/var/lib/fail2ban/fail2ban.sqlite3'; import sys, logging; logging.basicConfig(stream=sys.stdout, level=logging.ERROR); from fail2ban.server.database import Fail2BanDb; db = Fail2BanDb(db); t = db.getBansMerged(); print('\n'.join((('%s - %d attempts, matches:\n %s' % (t.getIP(), t.getAttempt(), '\n '.join(t.getMatches())) ) for t in t)))"
|
||||
```
|
||||
</details>
|
||||
|
||||
***
|
||||
**[Q]** Fail2ban does not ban and logs include `iptables v...: unknown option "-w"`
|
||||
<details><summary>Answer</summary>
|
||||
|
||||
**[A]** Default configuration of Fail2Ban requires iptables with locking support (`-w` option). If you run on a system with older iptables (before `1.4.20`), you need to disable locking option by e.g. providing `/etc/fail2ban/action.d/iptables-common.local` file with
|
||||
|
||||
```
|
||||
[Init]
|
||||
lockingopt =
|
||||
```
|
||||
```
|
||||
</details>
|
||||
|
|
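Review bot: The closing fence of the `lockingopt =` block appears twice in a row just before the final `</details>`. If that is only the end-of-file newline being added to the old last line, nothing is wrong. If both fences end up in the page, the second one opens a new code block, the `</details>` is rendered as literal text, and the last answer is never closed. Worth confirming on the rendered wiki page.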