-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfail2ban.txt
57 lines (44 loc) · 3.24 KB
/
fail2ban.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# There is a \e[33mfail2ban-server\e[0m which just runs, and a \e[33mfail2ban-client\e[0m which starts/reloads/stops the server
# and sends it all the configuration. You can also do this from systemctl, but apparently the two methods are not compatible.
$ man jail.conf
# the too-short;didn't-bother-reading of it is there are
# - \e[33mfilters\e[0m: regular expressions that match patterns in logfiles, thresholds (x times in y minutes) and such
# - \e[33mactions\e[0m: [groups of] commands to execute, eg send mail, add rules to iptables and/or firewalld
# - \e[33mjails\e[0m: combinations of a filter, log file location(s) and one or more actions: if a filter triggers, the actions will run
# NB: in a jail.d/*.conf (and similar) file, \e[38;5;208maction\e[0m and \e[38;5;208mbanaction\e[0m values refer to "action(s) from /etc/fail2ban/action.d/ without
# the .conf/.local extension." ie, their \e[1mfilenames sans extension\e[0m.
# A lot of the actions talk to \e[38;5;208mfirewall-cmd\e[0m, but with \e[38;5;208m--direct\e[0m, meaning they're really talking to \e[38;5;208miptables\e[0m, and the added/removed rules
# \e[1mdo not show up\e[0m in the output of \e[38;5;208mfirewall-cmd --list-all\e[0m; use \e[38;5;208miptables -L -n\e[0m instead.
# Fail2ban will create 'chains' in the iptables that hook into existing iptable chains. A chain is a set of rules that are applied to
# Incoming, Outgoing or Forwarded packets. Processes (like fail2ban) can add custom chains that hook into these predefined chains with its
# own sets of rules.
# Since there are a lot of jail config files already, mostly you just need to enable them in a new file in jail.d:
$ cat jail.d/20-traefik.conf
[traefik-http-status]
# bots that trigger too many error codes like 404, 403 etc.
enabled = true
filter = traefik-http-status
logpath=/var/log/traefik/access.log
backend=polling
banaction=firewallcmd-allports
# more or less everything lives in \e[38;5;226m/etc/fail2ban\e[0m, but it keeps state in a sqlite db in \e[38;5;226m/var/lib/fail2ban/\e[0m
# the logfile is conveniently \e[38;5;226m/var/log/fail2ban.log\e[0m
# By default, jails and filters have the same name, so a jail doesn't need to explicitly define its filter (but it's good practice).
# also good to know: variables can be defined \e[1mafter\e[0m they're used, and the config in general relies a lot on variables and default
# values, which can come from pretty much anywhere.
$ fail2ban-client banned \e[36m# list currently banned IPs per jail\e[0m
$ fail2ban-client status \e[36m# list jails\e[0m
$ fail2ban-client status <jail> \e[36m# get some stats on a specific jail like 'sshd'\e[0m
$ fail2ban-client get <jail> bantime \e[36m# get various properties of this jail\e[0m
$ fail2ban-client -h|--help \e[36m# get help (the 'help' command doesn't seem to work, only these options)\e[0m
$ fail2ban-client set <jail> unbanip <address> \e[36m# unban an IP address\e[0m
# random script that checks today's logs for (un)bans
#!/usr/bin/env bash
if [[ -f /var/log/fail2ban.log ]]; then
fail2bans=$(cat /var/log/fail2ban.log | grep $(date +%F) | grep -e Ban -e Unban)
if [[ -n $fail2bans ]]; then
echo -e " \e[33mFail2bans of today:\e[0m"
echo -n "$fail2bans" | sed 's/^/ /'
echo
fi;
fi;