cherry-pick from debian: debian default banactions are nftables, syst…

…emd backend for sshd closes gh-3292
fail2ban · Apr 26, 2024 · d0d0728 · d0d0728
1 parent c143275
commit d0d0728
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -11,6 +11,13 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 -----------
 
 ### Fixes
+* `jail.conf`:
+ - default banactions need to be specified in `paths-*.conf` (maintainer level) now
+ - since stock fail2ban includes `paths-debian.conf` by default, banactions are `nftables`
+ (can be overwritten in `jail.local` by user)
+* `paths-debian.conf`:
+ - default banactions are `nftables`
+ - sshd backend switched to `systemd` (gh-3292)
 
 ### New Features and Enhancements
 

diff --git a/config/jail.conf b/config/jail.conf
@@ -205,8 +205,8 @@ fail2ban_agent = Fail2Ban/%(fail2ban_version)s
 # iptables-multiport, shorewall, etc) It is used to define
 # action_* variables. Can be overridden globally or per
 # section within jail.local file
-banaction = iptables-multiport
-banaction_allports = iptables-allports
+#banaction = iptables-multiport
+#banaction_allports = iptables-allports
 
 # The simplest action to take: ban only
 action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

diff --git a/config/paths-debian.conf b/config/paths-debian.conf
@@ -9,6 +9,11 @@ after = paths-overrides.local
 
 [DEFAULT]
 
+banaction = nftables
+banaction_allports = nftables[type=allports]
+
+sshd_backend = systemd
+
 syslog_mail = /var/log/mail.log
 
 # control the `mail.warn` setting, see `/etc/rsyslog.d/50-default.conf` (if commented `mail.*` wins).