mirror of https://github.com/fail2ban/fail2ban
Small reformatting and review;
Some [QA]'s moved to new section Troubleshooting.mdmaster
sebres
parent
873bc1b982
commit
6935864534
|
|
@ -1,6 +1,7 @@
|
|||
If not reconfigured, Fail2ban will load configuration files from directory `/etc/fail2ban`. You can find there many files called `*.conf`.<br/>
|
||||
Before you start fail2ban service, you should do some configurations appropriate to your system. At least to enable jails that you want to protect with fail2ban.
|
||||
|
||||
***
|
||||
**[Q]** Should I make my configuration directly in `jail.conf` and `fail2ban.conf`?<br/>
|
||||
**[A]** No. You should avoid to change `.conf` files, created by fail2ban installation.
|
||||
|
||||
|
|
@ -27,6 +28,7 @@ log = /my-path/to/log
|
|||
The value of parameter `log` in `section1` will be still `/other/path`.<br/>
|
||||
But value of parameter `log` in `section2` will be changed to `/my-path/to/log` (because it was not specified in section self, and new default value will be used).
|
||||
|
||||
***
|
||||
**[Q]** Which configurations are necessary to let fail2ban protect a service?<br/>
|
||||
**[A]** You should create a `jail.local` file and at least enable there corresponding jails (all jails are disabled by default) resp. overwrite there all the settings you've different from normally stock installation, or even create your own jails (and/or) filters, that are not available in default configuration of the fail2ban distribution.
|
||||
|
||||
|
|
@ -54,7 +56,7 @@ dbfile = /var/run/fail2ban/fail2ban.sqlite3
|
|||
- other jail parameters (`jail.conf` or includes) like `backend` (e. g. usage of systemd journals expected `systemd` backend), `action` resp. `banaction` (e. g. you can't use `iptables` if your system does not support it), `logpath`, etc.
|
||||
|
||||
You can also control resp. configure another optional configurations parameters, like `ignoreip`, etc.
|
||||
|
||||
***
|
||||
**[Q]** How I can see the current (merged) configuration, that fail2ban will use by start<br/>
|
||||
**[A]** You can dump your current configuration (all the parameters that fail2ban loads by start) with following commands:
|
||||
```bash
|
||||
|
|
@ -64,7 +66,7 @@ fail2ban-client -d
|
|||
fail2ban-client -vd
|
||||
fail2ban-client -vvd
|
||||
```
|
||||
|
||||
***
|
||||
**[Q]** How I can notify fail2ban, that the configuration was changed<br/>
|
||||
**[A]** You should execute `fail2ban-client reload` (in previous versions before 0.10 `fail2ban-client restart`).<br/>
|
||||
|
||||
|
|
@ -73,62 +75,27 @@ You can also get and set corresponding parameter individually, using fail2ban cl
|
|||
fail2ban-client set pam-generic logencoding UTF-8
|
||||
fail2ban-client set nginx findtime 10m
|
||||
```
|
||||
|
||||
**[Q]** How should I correctly modify log file locations other than in the jail settings or messing with master .conf files?<br/>
|
||||
**[A]** To make a modification to the default log file locations you should create a .local file of paths-common.conf or paths-debian.com (whichever you are using in jail.local) and make changes only in your .local files which keeps it nicely structured for your jail(s) settings and avoids problems when Fail2Ban is updated<br/><br/>
|
||||
**[A]** To make a modification to the default log file locations you should create a .local file of paths-common.conf or paths-debian.com (whichever you are using in jail.local) and make changes only in your .local files which keeps it nicely structured for your jail(s) settings and avoids problems when Fail2Ban is updated<br/>
|
||||
|
||||
To create your .local file<br/>
|
||||
`sudo cp /etc/fail2ban/paths-common.conf /etc/fail2ban/paths-common.local`<br/><br/>
|
||||
|
||||
Please don't copy it:<br/>
|
||||
<s>`cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local`</s><br/>
|
||||
<s>`cp /etc/fail2ban/paths-common.conf /etc/fail2ban/paths-common.local`</s><br/>
|
||||
Just create and edit it with your preferred editor.
|
||||
|
||||
Now if you want for example an Nginx filter to read all your Nginx Access Logs for multiple web sites<br/>
|
||||
|
||||
Instead of using in your jail:<br/>
|
||||
`logpath = /var/log/nginx/*access*.log`<br/><br/>
|
||||
|
||||
Edit the line in paths-common.local or paths-debian.local (whichever you are using) and add change the nginx_access_log line as follows<br/>
|
||||
`nginx_access_log = /var/log/nginx/*access*.log`<br/><br/>
|
||||
|
||||
- Either do it in `jail.local`:<br/>
|
||||
`[nginx]`<br/>
|
||||
`logpath = /var/log/nginx/*access*.log`<br/>
|
||||
`enabled = true`<br/>
|
||||
- Or instead of using in your jail:<br/>
|
||||
Edit the line in `paths-common.local` or `paths-debian.local` (whichever you are using) and add the entry with `nginx_access_log` line as follows<br/>
|
||||
`[DEFAULT]`<br/>
|
||||
`nginx_access_log = /var/log/nginx/*access*.log`<br/>
|
||||
<br/>
|
||||
Then in your jail you would rather use<br/>
|
||||
`logpath = %(nginx_access_log)s`<br/><br/>
|
||||
`logpath = %(nginx_access_log)s`<br/>
|
||||
|
||||
|
||||
**[Q]** I messed up Fail2Ban during Testing and blocked out my own IP address, how do I completely reset Fail2Ban to get it off to a clean start?<br/>
|
||||
**[A]** To reset fail2ban completely and start off fresh<br/><br/>
|
||||
In newer versions of Fail2Ban you can simply run the command<br/>
|
||||
`sudo fail2ban-client set <JAIL> unbanip <IP>`<br/>
|
||||
Which will remove all entries for that IP in both the fail2ban.log file and fail2ban.sqlite3 database file.<br/><br/>
|
||||
|
||||
Should you ever want to completely clear and reset the Fail2Ban log file and SQLite database for whatever reason you can do the following:<br/><br/>
|
||||
Stop Fail2Ban<br/>
|
||||
`sudo service fail2ban stop`<br/><br/>
|
||||
Empty the Fail2Ban LogFile<br/>
|
||||
`sudo truncate -s 0 /var/log/fail2ban.log`<br/><br/>
|
||||
Delete the Fail2Ban SQLite Database File<br/>
|
||||
`sudo rm /var/lib/fail2ban/fail2ban.sqlite3`<br/><br/>
|
||||
Restart Fail2Ban<br/>
|
||||
`sudo service fail2ban restart`<br/><br/>
|
||||
Also consider deleting any of your Apache, Nginx or Auth log files or just the entries that may contain your own IP address used during testing, as once Fail2Ban starts again, depending on your jail settings, it will just block you again.<br/><br/>
|
||||
|
||||
**[Q]** Fail2Ban will not start and is giving me the following error message "Job for fail2ban.service failed. See 'systemctl status fail2ban.service' and 'journalctl -xn' for details." but checking those does not help me trace where my error is.<br/>
|
||||
**[A]** <br/>
|
||||
First take a look in journal log of fail2ban.service by running<br/>
|
||||
`journalctl -ru fail2ban`<br/><br/>
|
||||
If you find and fix your error then reload fail2ban using<br/>
|
||||
`sudo service fail2ban restart`<br/><br/>
|
||||
|
||||
Your fail2ban.log file in /var/log/fail2ban.log is also a very good place to keep a check for errors.<br/><br/>
|
||||
|
||||
**For Heavy Debugging Users**<br/>
|
||||
You can run the Fail2Ban-Client in a very verbose mode using the following commands which will show you all output when Fail2Ban is loading, this is also a useful method for tracing errors in jails, filters and actions.<br/><br/>
|
||||
Stop the Failban Server by running<br/>
|
||||
`sudo service fail2ban stop`<br/><br/>
|
||||
Make sure the Fail2Ban client is also not running by running the following<br/>
|
||||
`sudo fail2ban-client -vvv -x stop`<br/><br/>
|
||||
Then start the Fail2Ban client in verbose mode as follows<br/>
|
||||
`sudo fail2ban-client -vvv -x start`<br/><br/>
|
||||
This will show you exactly in which jail, filter or action your error lies.
|
||||
Once you can start the fail2ban-client successfully using `sudo fail2ban-client -vvv -x start`<br/><br/>
|
||||
Then stop it again using <br/>
|
||||
`sudo fail2ban-client -vvv -x stop`<br/><br/>
|
||||
and then start the Fail2Ban Server<br/>
|
||||
`sudo service fail2ban restart`<br/><br/>
|
||||
|
|
@ -0,0 +1,49 @@
|
|||
**[Q]** I messed up Fail2Ban during Testing and blocked out my own IP address, how do I completely reset Fail2Ban to get it off to a clean start?<br/>
|
||||
**[A]** In newer versions of Fail2Ban you can simply run the command<br/>
|
||||
`?sudo? fail2ban-client unban <IP> ... <IP>`<br/>
|
||||
Which will remove all entries for that IP from your firewall system (using banning actions) and from fail2ban database file `fail2ban.sqlite3` for all jails.<br/>
|
||||
But fail2ban still holds the offsets of already processed log-lines in the database (so this entries will be bypassed if fail2ban should be restarted later).
|
||||
|
||||
**[A]** Up to version 0.10 you can do it only per jail:<br/>
|
||||
`?sudo? fail2ban-client set <JAIL> unbanip <IP>`
|
||||
|
||||
**[A]** To reset fail2ban completely and start off fresh **(not to be recommended)**<br/>
|
||||
Should you ever want to completely clear and reset the Fail2Ban log file and SQLite database for whatever reason you can do the following:
|
||||
- Stop Fail2Ban<br/>
|
||||
`?sudo? service fail2ban stop`
|
||||
- Empty the Fail2Ban LogFile<br/>
|
||||
`?sudo? truncate -s 0 /var/log/fail2ban.log`
|
||||
- Delete the Fail2Ban SQLite Database File<br/>
|
||||
`?sudo? rm /var/lib/fail2ban/fail2ban.sqlite3`
|
||||
- Restart Fail2Ban<br/>
|
||||
`?sudo? service fail2ban restart`
|
||||
|
||||
If you delete fail2ban database, also consider deleting any of your Apache, Nginx or Auth log files or just the entries that may contain your own IP address used during testing, as once Fail2Ban starts again, depending on your jail settings, it will just block you again.
|
||||
***
|
||||
**[Q]** Fail2Ban will not start and is giving me the following error message "Job for fail2ban.service failed. See 'systemctl status fail2ban.service' and 'journalctl -xn' for details." but checking those does not help me trace where my error is.</span><br/>
|
||||
**[A]** First take a look in journal log of fail2ban.service by running<br/>
|
||||
`journalctl -ru fail2ban`<br/>
|
||||
|
||||
Your fail2ban.log file in `/var/log/fail2ban.log` is also a very good place to keep a check for errors.<br/>
|
||||
|
||||
If you find and fix your error then reload fail2ban using:<br/>
|
||||
- Reload (works only since 0.10):<br/>
|
||||
`?sudo? service fail2ban reload`<br/>
|
||||
- Or more aggressive (using restart).<br/>
|
||||
`?sudo? service fail2ban restart`<br/>
|
||||
Please note: all banned IPs will be unbanned and banned again after restart.<br/>
|
||||
|
||||
**For Heavy Debugging Users**<br/>
|
||||
You can run the Fail2Ban-Client in a very verbose mode using the following commands which will show you all output when Fail2Ban is loading, this is also a useful method for tracing errors in jails, filters and actions.<br/><br/>
|
||||
Stop the Failban Server by running<br/>
|
||||
`?sudo? service fail2ban stop`<br/><br/>
|
||||
Make sure the Fail2Ban client is also not running by running the following<br/>
|
||||
`?sudo? fail2ban-client -vvv -x stop`<br/><br/>
|
||||
Then start the Fail2Ban client in verbose mode as follows<br/>
|
||||
`?sudo? fail2ban-client -vvv -x start`<br/><br/>
|
||||
This will show you exactly in which jail, filter or action your error lies.
|
||||
Once you can start the fail2ban-client successfully using `?sudo? fail2ban-client -vvv -x start`<br/><br/>
|
||||
Then stop it again using <br/>
|
||||
`?sudo? fail2ban-client -vvv -x stop`<br/><br/>
|
||||
and then start the Fail2Ban Server<br/>
|
||||
`?sudo? service fail2ban restart`<br/><br/>
|
||||
Loading…
Reference in New Issue