Fail2ban: I am searching for 2 files

Hi,

I installed fail2ban and firewalld is set up, but I can't find where these files are located:

logpath = %(sshd_log)s
backend = %(sshd_backend)s

jail.local

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = %(sshd_log)s
backend = %(sshd_backend)s
maxretry = 3
bantime = 300
ignoreip = 192.168.1.0/24

I found some ideas on this page.

[nls@h2 ~]$ sudo systemctl status fail2ban
[sudo] password for nls:
● fail2ban.service - Fail2Ban Service
     Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled; preset: disabled)
     Active: active (running) since Fri 2023-06-02 19:40:28 CEST; 34min ago
       Docs: man:fail2ban(1)
    Process: 2554 ExecStartPre=/bin/mkdir -p /run/fail2ban (code=exited, status=0/SUCCESS)
   Main PID: 2556 (fail2ban-server)
      Tasks: 5 (limit: 9292)
     Memory: 21.8M
        CPU: 2.879s
     CGroup: /system.slice/fail2ban.service
             └─2556 /usr/bin/python /usr/bin/fail2ban-server -xf start

juin 02 19:40:28 h2 systemd[1]: Starting Fail2Ban Service...
juin 02 19:40:28 h2 systemd[1]: Started Fail2Ban Service.
juin 02 19:40:28 h2 fail2ban-server[2556]: 2023-06-02 19:40:28,451 fail2ban.configreader   [2556]: WARNING 'allowipv6' not defined in 'Definiti>
juin 02 19:40:28 h2 fail2ban-server[2556]: 2023-06-02 19:40:28,470 fail2ban.configreader   [2556]: ERROR   Found no accessible config files for>
juin 02 19:40:28 h2 fail2ban-server[2556]: 2023-06-02 19:40:28,470 fail2ban.jailreader     [2556]: ERROR   Unable to read the filter 'phpmyadmi>
juin 02 19:40:28 h2 fail2ban-server[2556]: 2023-06-02 19:40:28,470 fail2ban.jailsreader    [2556]: ERROR   Errors in jail 'phpmyadmin'. Skippin>
juin 02 19:40:28 h2 fail2ban-server[2556]: Server ready

[nls@h2 ~]$ sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: disabled)
     Active: active (running) since Fri 2023-06-02 18:45:56 CEST; 1h 29min ago
       Docs: man:firewalld(1)
   Main PID: 1857 (firewalld)
      Tasks: 2 (limit: 9292)
     Memory: 28.0M
        CPU: 878ms
     CGroup: /system.slice/firewalld.service
             └─1857 /usr/bin/python /usr/bin/firewalld --nofork --nopid

juin 02 18:45:56 h2 systemd[1]: Starting firewalld - dynamic firewall daemon...
juin 02 18:45:56 h2 systemd[1]: Started firewalld - dynamic firewall daemon.
[nls@h2 ~]$

Thanks for your feedback.

Check the /etc/fail2ban/paths-arch.conf file, it will be loaded.

In the end it should result in sshd_backend = systemd since sshd logs are in the systemd journal. There is no sshd log file anymore on Arch and Manjaro.

This jail seems to be your problem, not the sshd one.

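The answer above turns on how fail2ban resolves %(sshd_log)s and %(sshd_backend)s: the [INCLUDES] chain reads paths-common.conf, then the distro file paths-arch.conf, then any overrides, and jail.local wins last. The pre-flight lint below is an added example, not code from the thread or from the fail2ban project; it replays that include order with configparser, then flags every enabled jail whose filter.d file is missing (the phpmyadmin error in the journal output) or, for non-systemd backends, whose logpath matches no readable file. The config tree it reads is constructed in a temp directory and the paths-arch.conf contents are a minimal stand-in for the real one.

```python
import configparser
import glob
import os
import tempfile

CHAIN = ("paths-common.conf", "paths-arch.conf", "paths-overrides.local",
         "jail.conf", "jail.local")  # fail2ban's include order, later wins

def lint_jails(confdir):
    cp = configparser.ConfigParser(strict=False)
    cp.read(os.path.join(confdir, f) for f in CHAIN)  # missing files are skipped
    report = {}
    for jail in cp.sections():
        if jail == "INCLUDES" or not cp.getboolean(jail, "enabled", fallback=False):
            continue
        issues = []
        try:
            filt = cp.get(jail, "filter", fallback=jail)  # filter defaults to the jail name
            if not os.path.isfile(os.path.join(confdir, "filter.d", filt + ".conf")):
                issues.append(f"filter '{filt}' not found in filter.d")
            # The systemd backend reads the journal; only file backends need a logpath.
            if cp.get(jail, "backend", fallback="auto") != "systemd":
                patterns = cp.get(jail, "logpath", fallback="").split()
                if not any(glob.glob(p) for p in patterns):
                    issues.append(f"no readable logpath matched {patterns}")
        except configparser.InterpolationError as exc:
            issues.append(f"unresolved %(name)s reference: {exc}")
        report[jail] = issues
    return report

def build_demo():
    """Constructed config tree (not the thread's files) mirroring its setup."""
    root = tempfile.mkdtemp()
    conf = os.path.join(root, "fail2ban")
    for p in ("log/httpd/error_log", "fail2ban/filter.d/sshd.conf",
              "fail2ban/filter.d/apache-auth.conf"):  # no phpmyadmin filter, as in the thread
        os.makedirs(os.path.dirname(os.path.join(root, p)), exist_ok=True)
        open(os.path.join(root, p), "w").close()
    files = {
        "paths-common.conf": f"[DEFAULT]\nsshd_log = {root}/log/auth.log\nsshd_backend = auto\n",
        "paths-arch.conf": f"[DEFAULT]\napache_error_log = {root}/log/httpd/*error_log\n"
                           "sshd_backend = systemd\n",
        "jail.local": "[sshd]\nenabled = true\nlogpath = %(sshd_log)s\nbackend = %(sshd_backend)s\n"
                      "[apache-auth]\nenabled = true\nlogpath = %(apache_error_log)s\n"
                      f"[phpmyadmin]\nenabled = true\nlogpath = {root}/log/phpmyadmin_error.log\n",
    }
    for name, text in files.items():
        with open(os.path.join(conf, name), "w") as fh:
            fh.write(text)
    return conf
```

Running lint_jails on the demo tree reports sshd and apache-auth as clean (sshd resolves to the systemd backend, so no log file is required) and phpmyadmin with two problems, which is the same jail the journal complained about; point it at /etc/fail2ban to check a real host.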

Thanks for your answer.

The paths-arch.conf file looks like this:

# Arch

[INCLUDES]

before = paths-common.conf

after  = paths-overrides.local


[DEFAULT]

apache_error_log = /var/log/httpd/*error_log

apache_access_log = /var/log/httpd/*access_log

exim_main_log = /var/log/exim/main.log

mysql_log = /var/log/mariadb/mariadb.log
            /var/log/mysqld.log

roundcube_errors_log = /var/log/roundcubemail/errors

# These services will log to the journal via syslog, so use the journal by
# default.
syslog_backend = systemd
sshd_backend = systemd
dropbear_backend = systemd
proftpd_backend = systemd
pureftpd_backend = systemd
wuftpd_backend = systemd
postfix_backend = systemd
dovecot_backend = systemd

I tried to set up jail.local with these parameters:

[DEFAULT]
ignoreip = 192.168.1.0/24
backend = systemd

[sshd]
enabled  = true
port     = ssh
filter   = sshd
maxretry = 3
bantime = 600
action = firewallcmd-ipset

I didn't forget to read the doc:
https://wiki.archlinux.org/title/Fail2ban

OK, now I am searching for the log files for phpmyadmin and mysql.
There is nothing in the /var/log/ folder.

Thanks for your help.

Check your journal. If you want files, start reading the documentation for these programs and your webserver.


It's solved. I set up fail2ban like this; your feedback is welcome.

jail.local

# my config
[DEFAULT]
bantime = 10m
findtime = 10m
maxretry = 3

action = %(action_)s

[apache-auth]
enabled  = true
filter   = apache-auth
logpath  = /var/log/httpd/error_log
port     = http,https

[phpmyadmin-syslog]
enabled  = true
filter   = phpmyadmin-syslog
logpath  = /var/log/phpmyadmin_error.log
port     = http,https