mirror of https://github.com/fail2ban/fail2ban
Fix typos, improve readability.
parent
18b3da3ee9
commit
f87c448e41
|
@ -1,13 +1,13 @@
|
|||
If not reconfigured, Fail2ban will load configuration files from directory `/etc/fail2ban`. You can find there many files called `*.conf`.<br/>
|
||||
Before you start fail2ban service, you should do some configurations appropriate to your system. At least to enable jails that you want to protect with fail2ban.
|
||||
If not configured manually, Fail2ban will load configuration files from the directory `/etc/fail2ban`. You can find many files called `*.conf` there.<br/>
|
||||
Before you start the fail2ban service for the first time, you should do some configuration appropriate to your system. The least would be to enable jails for the services that you want to protect with fail2ban.
|
||||
|
||||
***
|
||||
**[Q]** Should I make my configuration directly in `jail.conf` and `fail2ban.conf`?<br/>
|
||||
**[A]** No. You should avoid to change `.conf` files, created by fail2ban installation. Instead, you'll write new files having `.local` extension.
|
||||
**[A]** No. You should avoid to change `.conf` files, created by fail2ban installation. Instead, you should create new files with a `.local` extension.
|
||||
<details>
|
||||
|
||||
Since this stock files may be overwritten by the package upgrades, or because your changes may be incompatible with some future versions, you shouldn't edit it in-place.<br/>
|
||||
So to set your jail configuration, don't change `jail.conf`. To customize some filter configuration, don't change `filter.conf`. Instead, create a new file with `.local` extension and write there only the settings to overwrite resp. to extend the values of original configuration. For example any values defined in `jail.local` will override those in `jail.conf` in the same sections (e. g. `[DEFAULT]`).
|
||||
Since these stock files may be overwritten by the package upgrades, or because your changes may be incompatible with some future versions, you shouldn't edit it in-place.<br/>
|
||||
So to set your jail configuration, don't change `jail.conf`. To customize some filter configuration, don't change `filter.conf`. Instead, create a new file with a `.local` extension and insert only the settings you want to override or the settings you want to append to the default configuration. For example any values defined in `jail.local` will override those in `jail.conf` in the same sections (e. g. `[DEFAULT]`).
|
||||
|
||||
So for example if original `.conf` file contains:
|
||||
```ini
|
||||
|
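Review bot: The rewritten first [A] line still carries "You should avoid to change `.conf` files, created by fail2ban installation", which is the ungrammatical half of the sentence; only its second half was touched. Suggest "You should avoid changing the `.conf` files created by the fail2ban installation." In the same hunk, "Since these stock files may be overwritten ... you shouldn't edit it in-place" now pairs a plural subject with a singular "it"; use "them".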
@ -27,16 +27,16 @@ And you'll create a `.local` file contains:
|
|||
logpath = /my-path/to/log
|
||||
```
|
||||
The value of parameter `logpath` in `section1` will be still `/other/path`.<br/>
|
||||
But value of parameter `logpath` in `section2` will be changed to `/my-path/to/log` (because it was not specified in section self, and new default value will be used).
|
||||
But value of parameter `logpath` in `section2` will be changed to `/my-path/to/log` (because it was not specified in the section itself, so the new default value will be used).
|
||||
</details>
|
||||
|
||||
***
|
||||
**[Q]** Which configurations are necessary to let fail2ban protect a service?
|
||||
**[Q]** What configuration is necessary to let fail2ban protect a service?
|
||||
<details><summary>Answer</summary>
|
||||
|
||||
**[A]** You should create a `jail.local` file and at least enable there corresponding jails (all jails are disabled by default) resp. overwrite there all the settings you've different from normally stock installation, or even create your own jails (and/or) filters, that are not available in default configuration of the fail2ban distribution.
|
||||
**[A]** You should create a `jail.local` file and at least enable the corresponding jails (all jails are disabled by default) or overwrite the default settings which you want to change, or even create your own jails (and/or) filters, that are not available in the default configuration of fail2ban.
|
||||
|
||||
For example if your intention is to monitor authorization failures occurred in sshd and nginx, but the `error.log` of your your nginx-instance is configured as `/var/log/my-nginx/error.log` you should set also parameter `logpath` additionally to `enabled` in section `[nginx]`.
|
||||
For example if your intention is to monitor authorization failures occurring in sshd and nginx, but the `error.log` of your your nginx-instance is configured as `/var/log/my-nginx/error.log` you should set the `logpath` parameter appropriately additionally to `enabled` in section `[nginx]`.
|
||||
|
||||
So your `jail.local` looks like:
|
||||
```ini
|
||||
|
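Review bot: The added nginx example line still contains the duplicated word in "of your your nginx-instance", and "set the `logpath` parameter appropriately additionally to `enabled`" stacks two adverbs. Suggest "the `error.log` of your nginx instance is configured as `/var/log/my-nginx/error.log`, you should also set the `logpath` parameter, in addition to `enabled`, in section `[nginx]`". In the [A] line above it, replacing "resp." with a plain "or" makes enabling jails and overriding settings read as alternatives; "and, where needed, override" would keep the sense of the removed line.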
@ -48,8 +48,8 @@ enabled = true
|
|||
enabled = true
|
||||
```
|
||||
|
||||
If you use another version of fail2ban as provided from maintainers of your distribution, you should check another parameters (that may be normally specified in some distribution config files), like:
|
||||
- several path-parameters of fail2ban service self (specified in `fail2ban.conf` or includes):
|
||||
If you use another version of fail2ban as provided by the maintainers of your distribution, you should check other parameters (that may be normally specified in some distribution config files), like:
|
||||
- several path-parameters of fail2ban service itself (specified in `fail2ban.conf` or includes):
|
||||
```ini
|
||||
[Definition]
|
||||
logtarget = /var/log/fail2ban.log
|
||||
|
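Review bot: "If you use another version of fail2ban as provided by the maintainers of your distribution" in the added line is still ambiguous, because "another version ... as provided by" can be read as the distribution's own package. If the intent is a version that differs from the packaged one, write "a version of fail2ban other than the one provided by the maintainers of your distribution".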
@ -63,10 +63,10 @@ You can also control resp. configure another optional configurations parameters,
|
|||
</details>
|
||||
|
||||
***
|
||||
**[Q]** How I can see the current (merged) configuration, that fail2ban will use by start
|
||||
**[Q]** How I can see the current (merged) configuration, that fail2ban will use
|
||||
<details><summary>Answer</summary>
|
||||
|
||||
**[A]** You can dump your current configuration (all the parameters that fail2ban loads by start) with following commands:
|
||||
**[A]** You can dump your current configuration (all the parameters that fail2ban loads on startup) with the following commands:
|
||||
```bash
|
||||
# dump parameters:
|
||||
fail2ban-client -d
|
||||
|
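Review bot: The changed [Q] line keeps the statement word order "How I can see" and ends without a question mark, and the comma before "that" is not needed. Suggest "How can I see the current (merged) configuration that fail2ban will use?", which also matches the other [Q] lines in this file, all of which end with a question mark.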
@ -83,7 +83,7 @@ fail2ban-client -vvd
|
|||
|
||||
**[A]** You should execute `fail2ban-client reload` (in previous versions before 0.10 `fail2ban-client restart`).<br/>
|
||||
|
||||
You can also get and set corresponding parameter individually, using fail2ban client-server communication protocol. For example:
|
||||
You can also get and set parameters individually during runtime, using the fail2ban client-server communication protocol. For example:
|
||||
```bash
|
||||
fail2ban-client set pam-generic logencoding UTF-8
|
||||
fail2ban-client set nginx findtime 10m
|
||||
|
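Review bot: The added phrase "during runtime" does not say whether a value changed with `fail2ban-client set` is kept after the `fail2ban-client reload` described in the line just above it. Since the two sentences sit next to each other, a reader will want to know whether the change also has to go into a `.local` file to persist; one clause stating that would close the gap.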
@ -94,7 +94,7 @@ fail2ban-client set nginx findtime 10m
|
|||
**[Q]** How should I correctly modify log file locations other than in the jail settings or messing with master .conf files?
|
||||
<details><summary>Answer</summary>
|
||||
|
||||
**[A]** To make a modification to the default log file locations you should create a .local file of paths-common.conf or paths-debian.com (whichever you are using in jail.local) and make changes only in your .local files which keeps it nicely structured for your jail(s) settings and avoids problems when Fail2Ban is updated<br/>
|
||||
**[A]** To make a modification to the default log file locations you should create a .local file of paths-common.conf or paths-debian.conf (whichever you are using in jail.local) and make changes only in your .local files which keeps it nicely structured for your jail(s) settings and avoids problems when Fail2Ban is updated<br/>
|
||||
|
||||
To create your .local file<br/>
|
||||
|
||||
|
|
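Review bot: The file names in the added [A] line (.local, paths-common.conf, paths-debian.conf, jail.local) are not in backticks, unlike `jail.conf` and `jail.local` in the earlier answers, and the sentence runs into `<br/>` with no closing period. While this line is being touched for the `.com` typo, "create a .local file of paths-common.conf" could also be tightened to "create a `.local` counterpart of `paths-common.conf` or `paths-debian.conf`" so it is clear which file the reader is expected to create.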