Configuring fail2ban Jails

Published:
by Wayne Smith

The SSH jail, and many others, ship with a configuration that is ready to be enabled. /etc/fail2ban/jail.conf is the main configuration file for the jails and holds all the default settings. If an /etc/fail2ban/jail.local exists, any setting in it replaces the corresponding setting from jail.conf. It is therefore best to make changes in jail.local and leave jail.conf untouched, so that a typo in your edits does not damage the stock configuration. This keeps the service running while still allowing changes, without a deep dive through the entire configuration.

Files are read in this order ...

/etc/fail2ban/jail.conf
/etc/fail2ban/jail.local
/etc/fail2ban/jail.d/*.conf (files in this folder are read alphabetically)

... with the last valid setting read being the one that takes effect. On some Debian-based installs, jail.d contains a defaults-debian.conf by default, which holds:

[sshd]
enabled = true

Changing the ban time from the default to a 24-hour period can easily be done by editing /etc/fail2ban/jail.d/defaults-debian.conf or by creating /etc/fail2ban/jail.d/overrides.conf. Because defaults-debian.conf does not specify a ban time, the alphabetical read order does not matter in this case, although overrides.conf sorts after defaults-debian.conf anyway.

In /etc/fail2ban/jail.d/defaults-debian.conf or /etc/fail2ban/jail.d/overrides.conf:

[sshd]
enabled = true
bantime = 1440m
# 1440 minutes is 24 hours.

A 24-hour period gives the administrator enough time to review fail2ban.log and, if the security policy calls for it, use hosts.deny to permanently ban the IP address from the SSH service and prevent any future attempts.
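To see the read order and the "last valid setting wins" rule from above in action, here is an added example (not part of the post, and not fail2ban's own config reader) that models the jail.conf, jail.local, jail.d/*.conf precedence over a constructed directory tree, resolves what [sshd] ends up with, and converts the 1440m value to seconds. The file contents and the tree location are constructed for the example.

```python
import configparser
import re
import tempfile
from pathlib import Path

# Constructed model of the fail2ban precedence described in the post:
# jail.conf, then jail.local, then jail.d/*.conf in alphabetical order,
# with the last setting read taking effect.  Not fail2ban's own reader.

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def bantime_seconds(value):
    """Convert a fail2ban time string such as '1440m' or '1h' to seconds.
    Handles the common s/m/h/d/w suffixes; a bare number is seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", value)
    if not m:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def read_order(root):
    """Files in the order fail2ban reads them; missing files are skipped."""
    root = Path(root)
    files = [root / "jail.conf", root / "jail.local"]
    files += sorted((root / "jail.d").glob("*.conf"))  # alphabetical
    return [p for p in files if p.is_file()]


def effective_settings(root, jail):
    """Merge [DEFAULT] and [<jail>] across read_order(); later files win."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(read_order(root), encoding="utf-8")
    return dict(cp.items(jail)) if cp.has_section(jail) else {}


def build_sample_tree():
    """Constructed tree mirroring the post: distro defaults in jail.conf,
    a tweak in jail.local, sshd enabled in defaults-debian.conf and the
    24-hour ban in overrides.conf.  Returns the temporary root directory."""
    root = Path(tempfile.mkdtemp(prefix="f2b-example-"))
    (root / "jail.d").mkdir()
    (root / "jail.conf").write_text(
        "[DEFAULT]\nbantime = 10m\nfindtime = 10m\nmaxretry = 5\n"
        "[sshd]\nport = ssh\nlogpath = /var/log/auth.log\n")
    (root / "jail.local").write_text("[DEFAULT]\nbantime = 1h\nmaxretry = 3\n")
    (root / "jail.d" / "defaults-debian.conf").write_text("[sshd]\nenabled = true\n")
    (root / "jail.d" / "overrides.conf").write_text(
        "[sshd]\nenabled = true\nbantime = 1440m\n# 1440 minutes is 24 hours.\n")
    return root
```

On a live host the same check is `fail2ban-client get sshd bantime`, which reports the value the running service actually resolved.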