fail2ban instructions fail with error on Ubuntu 20.04, fail2ban v0.11.1 #943

Closed
brookmiles opened this issue May 5, 2022 · 4 comments · Fixed by #1364

@brookmiles
Contributor

Following the current instructions:

Edit /etc/fail2ban/jail.local and put this inside:

[DEFAULT]
destemail = [email protected]
sendername = Fail2Ban

[sshd]
enabled = true
port = 22

[sshd-ddos]
enabled = true
port = 22

Results in the following error being logged:

May 05 04:51:01 sunny fail2ban-server[108985]: 2022-05-05 04:51:01,389 fail2ban.configreader   [108985]: ERROR   Found no accessible config files for 'filter.d/sshd-ddos' under /etc/fail2ban
May 05 04:51:01 sunny fail2ban-server[108985]: 2022-05-05 04:51:01,389 fail2ban.jailreader     [108985]: ERROR   Unable to read the filter 'sshd-ddos'
May 05 04:51:01 sunny fail2ban-server[108985]: 2022-05-05 04:51:01,389 fail2ban.jailsreader    [108985]: ERROR   Errors in jail 'sshd-ddos'. Skipping...

The config I used ended up being:

[DEFAULT]
destemail = [email protected]
sendername = Fail2Ban

[sshd]
enabled = true
mode = aggressive

Aggressive mode includes ddos mode.

@learosema

learosema commented Mar 22, 2023

It should also be added that the fail2ban service needs to be enabled at startup.

Something like this:

sudo systemctl enable fail2ban.service

@vmstan
Sponsor Contributor

vmstan commented Dec 9, 2023

Fixed by #969

@vmstan vmstan closed this as completed Dec 9, 2023
@brookmiles
Contributor Author

> Fixed by #969

I don't think #969 is correct. It may remove the error, but the fix is incomplete: it doesn't enable the ddos filter as intended and only enables the basic sshd filters a second time with a different name.

One solution would be to just remove the [sshd-ddos] section and add mode = aggressive to the main [sshd] section to just enable all of the filters (base + extra + aggressive), which is what I use:

[sshd]
enabled = true
mode = aggressive

Alternatively, if you really didn't want the "extra" filters, but you still want the "ddos" filters, you could enable them with:

[sshd-ddos]
enabled = true
filter = sshd[mode=ddos]
port = 22

But unless there is some specific reason to exclude the "extra" filters, this doesn't seem necessary.

I can write a PR for this, I had just totally forgotten this issue existed until it was closed :)
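
Added example (not part of the original thread or the project's documentation): a pre-restart check for the failure logged in the report, an enabled jail whose filter has no file under filter.d. It assumes a jail without an explicit `filter` uses its own name, reads a single jail file only (no merge with jail.conf or jail.d), and uses constructed sample configs plus a temporary directory standing in for /etc/fail2ban/filter.d.

```python
import configparser
import os
import tempfile

# Constructed samples: the jail.local from the report, and the [sshd-ddos] variant
# proposed in the thread. The mail address is a placeholder.
REPORTED = """[DEFAULT]
destemail = admin@example.com
sendername = Fail2Ban
[sshd]
enabled = true
port = 22
[sshd-ddos]
enabled = true
port = 22
"""
PROPOSED = REPORTED.replace("[sshd-ddos]\nenabled = true\n",
                            "[sshd-ddos]\nenabled = true\nfilter = sshd[mode=ddos]\n")

def filter_name(jail, options):
    """Filter file stem for a jail: explicit 'filter' without [opts], else the jail name."""
    raw = options.get("filter", "").replace("%(__name__)s", jail)
    return raw.split("[", 1)[0].strip() or jail  # assumption: default filter = jail name

def missing_filters(jail_text, filter_dir):
    """Return (jail, filter) pairs for enabled jails with no filter file in filter_dir."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep %(...)s literal
    cfg.read_string(jail_text)
    missing = []
    for jail in cfg.sections():  # [DEFAULT] is inherited by every jail, not listed
        if not cfg.getboolean(jail, "enabled", fallback=False):
            continue
        name = filter_name(jail, cfg[jail])
        paths = [os.path.join(filter_dir, name + ext) for ext in (".conf", ".local")]
        if not any(os.path.isfile(p) for p in paths):
            missing.append((jail, name))
    return missing

def check_samples():
    """Run both samples against a temporary filter.d that only ships sshd.conf."""
    with tempfile.TemporaryDirectory() as filter_dir:
        open(os.path.join(filter_dir, "sshd.conf"), "w").close()
        return missing_filters(REPORTED, filter_dir), missing_filters(PROPOSED, filter_dir)

if __name__ == "__main__":
    for label, result in zip(("reported", "proposed"), check_samples()):
        print(label, "->", result or "all enabled jails have a filter file")
```

On a real host, pass the contents of /etc/fail2ban/jail.local and the path /etc/fail2ban/filter.d to `missing_filters` before restarting the service.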

@vmstan
Sponsor Contributor

vmstan commented Dec 10, 2023

Please do 👍
