====== Ubuntu - Fail2Ban - Monitor other services ======

By default, fail2ban only monitors sshd.

Confirm this:

<code bash>
ll /etc/fail2ban/jail.d
</code>

returns:

<code>
drwxr-xr-x 2 root root 4096 May 30 19:31 ./
drwxr-xr-x 6 root root 4096 May 30 19:37 ../
-rw-r--r-- 1 root root  117 Jun 10  2024 defaults-debian.conf
</code>

**NOTE:** This shows only a single file, named **defaults-debian.conf**, within the **/etc/fail2ban/jail.d** directory.

  * Additional files can be added into that directory to monitor other services.

----

==== View this file ====

<code bash>
most /etc/fail2ban/jail.d/defaults-debian.conf
</code>

returns:

<code>
[DEFAULT]
banaction = nftables
banaction_allports = nftables[type=allports]
backend = systemd

[sshd]
enabled = true
</code>

**NOTE:** This shows that the sshd service is enabled for monitoring.

  * This also shows that the actual ban action is controlled by nftables.

----

===== Check what other services could be monitored by fail2ban =====

<code bash>
grep '^\[' /etc/fail2ban/jail.conf | tail -n +3
</code>

returns:

<code>
[sshd]
[dropbear]
[selinux-ssh]
[apache-auth]
[apache-badbots]
[apache-noscript]
[apache-overflows]
[apache-nohome]
[apache-botsearch]
[apache-fakegooglebot]
[apache-modsecurity]
[apache-shellshock]
[openhab-auth]
[nginx-http-auth]
[nginx-limit-req]
[nginx-botsearch]
[nginx-bad-request]
[php-url-fopen]
[suhosin]
[lighttpd-auth]
...
</code>

----

==== To monitor another service ====

For example, to monitor Vsftpd.

  * Create a new file under **/etc/fail2ban/jail.d/** for the specific service.

Create a new file **/etc/fail2ban/jail.d/vsftpd.conf** and populate it with:

<code>
[vsftpd]
enabled = true
backend = systemd
journalmatch = _SYSTEMD_UNIT=vsftpd.service
action = %(action_mw)s
</code>

**NOTE:**

  * **[vsftpd]** is the name of the service, taken from the list of services that fail2ban can monitor.
  * The actual name of the file under **/etc/fail2ban/jail.d/** is irrelevant, and can be anything.
  * It is the contents of the file that are used.

----

==== Enable the new changes ====

Reload fail2ban to enable the new service to be monitored.

<code bash>
sudo systemctl reload fail2ban
</code>

----

==== Check the fail2ban-client status ====

<code bash>
sudo fail2ban-client status
</code>

returns:

<code>
Status
|- Number of jail:      2
`- Jail list:   sshd, vsftpd
</code>

**NOTE:** This shows that the new service, in this example vsftpd, is being monitored.

----

==== Verify settings for the new service being monitored ====

For this example, verify the status for the vsftpd service:

<code bash>
sudo fail2ban-client status vsftpd
</code>

returns:

<code>
Status for the jail: vsftpd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     3
|  `- Journal matches:  _SYSTEMD_UNIT=vsftpd.service
`- Actions
   |- Currently banned: 1
   |- Total banned:     1
   `- Banned IP list:   1.2.3.4
</code>

----
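
To audit which jails end up enabled once **jail.conf** and the drop-in files under **jail.d** are merged, the following added example (not part of the original page, and not fail2ban's own code) reads the files in the order given in the jail.conf man page and reports the effective settings per enabled jail. The function names are hypothetical, the sample tree written by ''write_sample'' is constructed from the files shown on this page, and the ''[INCLUDES]'' mechanism is not followed.

```python
import configparser
import glob
import os
import tempfile

def jail_files(conf_dir):
    """Jail config files in the order fail2ban reads them (later files win)."""
    return ([os.path.join(conf_dir, "jail.conf")]
            + sorted(glob.glob(os.path.join(conf_dir, "jail.d", "*.conf")))
            + [os.path.join(conf_dir, "jail.local")]
            + sorted(glob.glob(os.path.join(conf_dir, "jail.d", "*.local"))))

def enabled_jails(conf_dir="/etc/fail2ban"):
    """Return {jail: settings} for every jail whose merged 'enabled' is true."""
    # interpolation=None keeps values such as %(action_mw)s as literal text.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(jail_files(conf_dir))  # files that do not exist are skipped
    result = {}
    for jail in cp.sections():  # [DEFAULT] is inherited by each jail, not listed
        if jail == "INCLUDES":
            continue
        if cp.getboolean(jail, "enabled", fallback=False):
            result[jail] = {k: cp.get(jail, k, fallback=None)
                            for k in ("backend", "banaction", "journalmatch", "action")}
    return result

def write_sample(conf_dir):
    """Constructed sample tree mirroring the files shown on this page."""
    os.makedirs(os.path.join(conf_dir, "jail.d"))
    samples = {
        "jail.conf": "[DEFAULT]\nenabled = false\nbackend = auto\n"
                     "[sshd]\n[vsftpd]\n[nginx-http-auth]\n",
        "jail.d/defaults-debian.conf": "[DEFAULT]\nbanaction = nftables\n"
                                       "backend = systemd\n[sshd]\nenabled = true\n",
        "jail.d/vsftpd.conf": "[vsftpd]\nenabled = true\nbackend = systemd\n"
                              "journalmatch = _SYSTEMD_UNIT=vsftpd.service\n"
                              "action = %(action_mw)s\n",
    }
    for name, text in samples.items():
        with open(os.path.join(conf_dir, name), "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        for jail, cfg in enabled_jails(tmp).items():
            print(jail, cfg)
```

A jail that appears in **jail.conf** but is missing from this report is defined but not being monitored; compare the result with the jail list from ''fail2ban-client status''.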