From ea487f6393bcd0eac27f0226064686d562ad8e4e Mon Sep 17 00:00:00 2001 From: sebres Date: Mon, 14 Nov 2016 19:28:37 +0100 Subject: [PATCH] properly fail2ban configuration --- Properly fail2ban configuration.md | 75 ++++++++++++++++++++++++++++++ _Sidebar.md | 1 + 2 files changed, 76 insertions(+) create mode 100644 Properly fail2ban configuration.md diff --git a/Properly fail2ban configuration.md b/Properly fail2ban configuration.md new file mode 100644 index 0000000..c3ffaae --- /dev/null +++ b/Properly fail2ban configuration.md @@ -0,0 +1,75 @@ +If not reconfigured, Fail2ban will load configuration files from directory `/etc/fail2ban`. You can find there many files called `*.conf`.
+Before you start fail2ban service, you should do some configurations appropriate to your system. At least to enable jails that you want to protect with fail2ban. + +**[Q]** Should I make my configuration directly in `jail.conf` and `fail2ban.conf`?
+**[A]** No. You should avoid to change `.conf` files, created by fail2ban installation. + +Since this files may be overwritten by package upgrades, or because your changes may be incompatible with some future versions, you shouldn't edit it in-place.
+Instead, you'll write a new file having `.local` extension. For example any values defined in `jail.local` will override those in `jail.conf` in the same sections (e. g. `[DEFAULT]`). + +So for example if original `.conf` file contains: +``` +[DEFAULT] +log = /path/to/log + +[section1] +log = /other/path +enabled = true + +[section2] +enabled = true +``` +And you'll create a `.local` file contains: +``` +[DEFAULT] +log = /my-path/to/log +``` +The value of parameter `log` in `section1` will be still `/other/path`.
+But value of parameter `log` in `section2` will be changed to `/my-path/to/log` (because it was not specified in section self, and new default value will be used). + +**[Q]** Which configurations are necessary to let fail2ban protect a service?
+**[A]** You should create a `jail.local` file and at least enable there corresponding jails (all jails are disabled by default) resp. overwrite there all the settings you've different from normally stock installation, or even create your own jails (and/or) filters, that are not available in default configuration of the fail2ban distribution. + +For example if you'll, that fail2ban should ban authorization failures occurred in sshd and nginx, but the `error.log` of your your nginx-instance is configured as `/var/log/my-nginx/error.log` you should set also parameter `logpath` additionally to `enabled` in section `[nginx]`. + +So your `jail.local` looks like: +``` +[nginx] +logpath = /var/log/my-nginx/error.log +enabled = true + +[sshd] +enabled = true +``` + +If you use another version of fail2ban as provided from maintainers of your distribution, you should check another parameters (that may be normally specified in some distribution config files), like: +- several path-parameters of fail2ban service self (specified in `fail2ban.conf` or includes): +``` +[Definition] +logtarget = /var/log/fail2ban.log +socket = /var/run/fail2ban/fail2ban.sock +pidfile = /var/run/fail2ban/fail2ban.pid +dbfile = /var/run/fail2ban/fail2ban.sqlite3 +``` +- other jail parameters (`jail.conf` or includes) like `backend` (e. g. usage of systemd journals expected `systemd` backend), `action` resp. `banaction` (e. g. you can't use `iptables` if your system does not support it), `logpath`, etc. + +You can also control resp. configure another optional configurations parameters, like `ignoreip`, etc. + +**[Q]** How I can see the current (merged) configuration, that fail2ban will use by start
+**[A]** You can dump your current configuration (all the parameters that fail2ban loads by start) with following commands: +```bash +# dump parameters: +fail2ban-client -d +# verbose: output config files will be loaded and dump parameters: +fail2ban-client -vd +fail2ban-client -vvd +``` + +**[Q]** How I can notify fail2ban, that the configuration was changed
+**[A]** You should execute `fail2ban-client reload` (in previous versions before 0.10 `fail2ban-client restart`).
+ +You can also get and set corresponding parameter individually, using fail2ban client-server communication protocol. For example: +```bash +fail2ban-client set pam-generic logencoding UTF-8 +fail2ban-client set nginx findtime 10m +``` \ No newline at end of file diff --git a/_Sidebar.md b/_Sidebar.md index dd10a85..5bfcc2c 100644 --- a/_Sidebar.md +++ b/_Sidebar.md @@ -5,4 +5,5 @@ ---

FAQ

*

Configuration

+ - [Properly fail2ban configuration](Properly-fail2ban-configuration) - [How fail2ban substitution resp. runtime interpolation works](How-fail2ban-substitution-resp.-runtime-interpolation-works) \ No newline at end of file
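Review bot: in the new `Properly fail2ban configuration.md`, the `[Definition]` example puts the ban database under `/var/run` (`dbfile = /var/run/fail2ban/fail2ban.sqlite3`); on most systems `/var/run` is a tmpfs that is emptied at boot, so a reader copying this block would lose all persisted bans on every reboot. Either point the example at a persistent directory such as `/var/lib/fail2ban/` or state explicitly that the block only lists which parameters to check and is not a recommended set of values. The jail examples should also say that a jail name in `jail.local` must match a section that already exists in `jail.conf` (so that `filter`, `port` and the other settings are inherited), and that for "your own jails" the user has to supply at least `filter` and `logpath` themselves; as written, `[nginx]` with only `logpath` and `enabled` reads as if any name works. Finally, several sentences need proofreading before this lands in the wiki: "another version of fail2ban as provided from maintainers" should be "than the one provided by the maintainers", "For example if you'll, that fail2ban should ban" is missing a verb, "your your nginx-instance" doubles a word, and "Since this files" should be "Since these files".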
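Review bot: the sidebar entry text "Properly fail2ban configuration" is ungrammatical ("Proper fail2ban configuration" or "Configuring fail2ban properly"); if it is changed, the new page file name and the `Properly-fail2ban-configuration` link target in this hunk must be renamed together so the wiki link keeps resolving. The hunk also leaves `_Sidebar.md` without a trailing newline ("\ No newline at end of file" persists after the edit); add one so later appends do not produce spurious diffs.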