
Ubuntu - Fail2Ban - Monitor other services

By default, fail2ban only monitors sshd.

Confirm this:

ll /etc/fail2ban/jail.d 

returns:

drwxr-xr-x 2 root root 4096 May 30 19:31 ./
drwxr-xr-x 6 root root 4096 May 30 19:37 ../
-rw-r--r-- 1 root root  117 Jun 10  2024 defaults-debian.conf

NOTE: This shows only a single file, named defaults-debian.conf, within the /etc/fail2ban/jail.d directory.

  • Additional files can be added into that directory to monitor other services.

View this file

most /etc/fail2ban/jail.d/defaults-debian.conf

returns:

/etc/fail2ban/jail.d/defaults-debian.conf
[DEFAULT]
banaction = nftables
banaction_allports = nftables[type=allports]
backend = systemd
 
[sshd]
enabled = true

NOTE: This shows that the sshd service is enabled for monitoring.

  • This also shows that the actual ban action is controlled by nftables.

Check what other services could be monitored by fail2ban

grep '^\[' /etc/fail2ban/jail.conf | tail -n +3 

returns:

[sshd]
[dropbear]
[selinux-ssh]
[apache-auth]
[apache-badbots]
[apache-noscript]
[apache-overflows]
[apache-nohome]
[apache-botsearch]
[apache-fakegooglebot]
[apache-modsecurity]
[apache-shellshock]
[openhab-auth]
[nginx-http-auth]
[nginx-limit-req]
[nginx-botsearch]
[nginx-bad-request]
[php-url-fopen]
[suhosin]
[lighttpd-auth]
...

To monitor another service

For example, to monitor Vsftpd.

  • Create a new file under /etc/fail2ban/jail.d/ for the specific service.

Create a new file /etc/fail2ban/jail.d/vsftpd.conf and populate with:

/etc/fail2ban/jail.d/vsftpd.conf
[vsftpd]
enabled = true
backend = systemd
journalmatch = _SYSTEMD_UNIT=vsftpd.service
action = %(action_mw)s

NOTE:

  • [vsftpd] is the name of the service; it must be one of the services that fail2ban can monitor.
  • The actual name of the file under /etc/fail2ban/jail.d/ is irrelevant and can be anything, as long as it ends in .conf or .local.
    • It is the contents of the file that are used.

Enable the new changes

Reload fail2ban to enable the new service to be monitored.

sudo systemctl reload fail2ban 

Check the fail2ban-client status

sudo fail2ban-client status

returns:

Status
|- Number of jail:      2
`- Jail list:   sshd, vsftpd

NOTE: This shows that the new service (vsftpd in this example) is being monitored.


Verify settings for the new service being monitored

For this example, verify the status for the vsftpd service:

sudo fail2ban-client status vsftpd

returns:

Status for the jail: vsftpd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     3
|  `- Journal matches:  _SYSTEMD_UNIT=vsftpd.service
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   1.2.3.4
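
The drop-in files described above can be checked before reloading. The following is an added example, not part of the original page or of fail2ban itself: a simplified reader built on Python's configparser that merges jail.conf and jail.d/ in the read order given in jail.conf(5) and reports which jails end up enabled. The function names and the sample tree (including nginx.conf.bak and the misspelt [vsftp] jail) are constructed for illustration, and [INCLUDES] directives are not followed.

```python
import configparser
import tempfile
from pathlib import Path

# Constructed sample tree: the two files shown on this page plus two mistakes.
SAMPLE = {
    "jail.conf": "[DEFAULT]\nenabled = false\n[sshd]\n[vsftpd]\n[nginx-http-auth]\n",
    "jail.d/defaults-debian.conf": "[DEFAULT]\nbackend = systemd\n[sshd]\nenabled = true\n",
    "jail.d/vsftpd.conf": "[vsftpd]\nenabled = true\nbackend = systemd\n"
    "journalmatch = _SYSTEMD_UNIT=vsftpd.service\naction = %(action_mw)s\n",
    "jail.d/nginx.conf.bak": "[nginx-http-auth]\nenabled = true\n",  # wrong suffix
    "jail.d/ftp.local": "[vsftp]\nenabled = true\n",  # misspelt jail name
}


def effective_jails(conf_dir: Path):
    """Return (sorted enabled jail names, warnings) for a fail2ban config dir."""
    drop_ins = sorted((conf_dir / "jail.d").glob("*"))
    conf = [p for p in drop_ins if p.suffix == ".conf"]
    local = [p for p in drop_ins if p.suffix == ".local"]
    # Read order from jail.conf(5); later files override earlier ones.
    order = [conf_dir / "jail.conf", *conf, conf_dir / "jail.local", *local]
    warnings = [f"{p.name}: ignored, name must end in .conf or .local"
                for p in drop_ins if p not in conf + local]
    # interpolation=None keeps values such as %(action_mw)s as literal text.
    stock = configparser.ConfigParser(interpolation=None)
    stock.read(conf_dir / "jail.conf")
    merged = configparser.ConfigParser(interpolation=None)
    merged.read([p for p in order if p.is_file()])
    enabled = []
    for name in merged.sections():
        if name == "INCLUDES" or not merged.getboolean(name, "enabled", fallback=False):
            continue
        enabled.append(name)
        if not stock.has_section(name):  # heuristic: typo, or a custom jail
            warnings.append(f"[{name}]: not defined in jail.conf (typo or custom jail?)")
    return sorted(enabled), warnings


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(text)
        return effective_jails(Path(tmp))


if __name__ == "__main__":
    print(demo())
```

Against a real system, call effective_jails(Path("/etc/fail2ban")) and compare the result with the Jail list reported by fail2ban-client status.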

ubuntu/fail2ban/monitor_other_services.txt · Last modified: 2025/05/30 21:14 by peter
