Replies: 1 comment
-
Regarding aggressive and key auth see #2765 (comment) and below. As for double counting, there were a few issues about that - #2462 and #2506, however they'd be fixed in your version, so please provide the excerpt of fail2ban-regex output to see which REs are affected. And better also the excerpt from the journal to see which messages it may find, at least with the messages from attempts that will be counted twice.
-
Hello,
I've just installed fail2ban on a brand new Debian 12 server.
I heard that it no longer uses the old log files, but instead uses "journalctl", so it's a bit different...?
I installed it using the following commands:
Then I made sure to explicitly set "allowipv6" to "yes" in this file on the "[DEFAULT]" jail (I created this new file)
Then I created a "jail.local" file using:
sudo nano /etc/fail2ban/jail.local
And inside it I placed the following (I have set my SSH port to be "12345", so I set my jail to block both 22 and on my custom SSH port):
I saved it and (re)started the fail2ban service to apply the changes.
Then I check my fail2ban status using:
The commands above tell me I have 1 jail active (sshd).
And it also tells me how many failed login attempts and banned IPs.
And I see the service is active (I did systemctl start fail2ban) when I run
sudo systemctl status fail2ban
So far so good, everything is enabled and running.
But my question is: is this a correct setup?
I have SSH key authentication activated on my server and I don't allow root login for example.
If I make the following SSH login attempts, it doesn't seem to ban the user at all, no matter if I make 20 failed login attempts:
The only time it actually adds a user to the ban list is when I enter the SSH key and then mistype the passphrase for it:
And I noticed that for each failed login attempt I make, it actually increments failed attempts by +2.
So I think something is weird in the logs.
When I don't have "[mode=aggressive]" it doesn't ban at all. So this whole "journalctl" thing seems to be working weirdly in Debian 12. I don't know... something seems off.
Even though I disable port 22 for ssh, shouldn't it also ban users that try login using it?
This is how I can check my Journalctl logs:
I can see when I failed my login or when I authenticated.
I also have the following 4 commands to view "fail2ban-regex", but I'm not sure what this is used for?
Basically, I just want to hear input from someone else who has a BRAND NEW Debian 12 server with fail2ban, using a custom port and SSH keys. How do you personally set it up? Can you give me some examples? My solution works, but only when the SSH key fails. So maybe I shouldn't worry about people trying to log in via port 22, or people that try to log in using "root"? But I wonder why it increments my failed login attempts by +2 every time. I initially wanted to have like 5 failed attempts before a ban, but I had to raise it to 7-10 now because of it, in case I myself make a typo sometime.
I feel like I have set it up correctly, but now I am a bit unsure if it actually works. Like what do I specifically look for in the logs? Are the regexes working fine? Where do I adjust the regexes?
Is there anything else I should change?
I did notice that inside this file:
I can adjust "loglevel". It's currently set to "INFO".
And my "logtarget" is "/var/log/fail2ban.log", but it says it can be "SYSTEMD-JOURNAL". Should I change this to that, on Debian 12? inside my "fail2ban.local" file..?
I have not modified the fail2ban.local more than the "allowipv6".
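The +2 per attempt discussed in both the question and the reply, as an added example that is not from the post and not fail2ban's own code: a constructed journal excerpt (made up for this example) in which each failed key login produces two sshd messages, and two simplified stand-in expressions (not fail2ban's actual failregex) each match one of them. Counting matched lines gives two failures per attempt; grouping by client connection (source IP plus source port) gives one. The per-expression tally is the kind of "which REs are affected" view the reply asks for from fail2ban-regex, reproduced here against sample lines so it runs offline.

```python
import re
from collections import Counter, defaultdict

# Constructed journal excerpt (made up for this example, not taken from the
# post). Two failed key logins from 203.0.113.10, each producing two sshd
# messages from the same connection, plus one successful login from another host.
SAMPLE_JOURNAL = """\
Jan 10 12:00:01 host sshd[1001]: Failed publickey for alice from 203.0.113.10 port 51000 ssh2: ED25519 SHA256:AAAA
Jan 10 12:00:01 host sshd[1001]: Connection closed by authenticating user alice 203.0.113.10 port 51000 [preauth]
Jan 10 12:00:05 host sshd[1002]: Failed publickey for alice from 203.0.113.10 port 51001 ssh2: ED25519 SHA256:AAAA
Jan 10 12:00:05 host sshd[1002]: Connection closed by authenticating user alice 203.0.113.10 port 51001 [preauth]
Jan 10 12:00:09 host sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2: ED25519 SHA256:BBBB
"""

# Simplified stand-ins for two kinds of expression an sshd filter might carry.
# These are NOT fail2ban's own failregex; they only illustrate how the two
# messages of one attempt can each be matched by a different expression.
PATTERNS = {
    "failed-auth": re.compile(
        r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"),
    "closed-preauth": re.compile(
        r"Connection closed by authenticating user (?P<user>\S+) (?P<ip>\S+) port (?P<port>\d+) \[preauth\]"),
}


def match_lines(journal):
    """Return one (pattern_name, ip, port) tuple per journal line that matches a pattern."""
    hits = []
    for line in journal.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                hits.append((name, m.group("ip"), int(m.group("port"))))
                break  # attribute a line to the first expression that matches it
    return hits


def hits_per_pattern(journal):
    """How many lines each expression matched: the 'which REs are affected' view."""
    return Counter(name for name, _, _ in match_lines(journal))


def failures_per_line(journal):
    """Naive count: every matching line is one failure. This is what yields +2 per attempt."""
    return Counter(ip for _, ip, _ in match_lines(journal))


def failures_per_connection(journal):
    """Count distinct (ip, client source port) pairs: one failure per TCP connection."""
    conns = defaultdict(set)
    for _, ip, port in match_lines(journal):
        conns[ip].add(port)
    return {ip: len(ports) for ip, ports in conns.items()}


if __name__ == "__main__":
    print("matches per expression:", dict(hits_per_pattern(SAMPLE_JOURNAL)))
    print("failures per IP, counting lines:", dict(failures_per_line(SAMPLE_JOURNAL)))
    print("failures per IP, counting connections:", failures_per_connection(SAMPLE_JOURNAL))
```

The point of the comparison is diagnostic: if the per-line count is exactly twice the per-connection count for the same IP, every attempt is being matched by two expressions, and the per-expression tally tells you which pair. Against the real filter, the fail2ban-regex output the reply asks for plays the role of hits_per_pattern here.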