By default, fail2ban only monitors sshd.
Confirm this:
ll /etc/fail2ban/jail.d
returns:
drwxr-xr-x 2 root root 4096 May 30 19:31 ./
drwxr-xr-x 6 root root 4096 May 30 19:37 ../
-rw-r--r-- 1 root root 117 Jun 10 2024 defaults-debian.conf
NOTE: This shows only a single file, named defaults-debian.conf, within the /etc/fail2ban/jail.d directory.
most /etc/fail2ban/jail.d/defaults-debian.conf
returns:
[DEFAULT]
banaction = nftables
banaction_allports = nftables[type=allports]
backend = systemd

[sshd]
enabled = true
NOTE: This shows that the sshd service is enabled for monitoring.
grep '^\[' /etc/fail2ban/jail.conf | tail -n +3
returns:
[sshd]
[dropbear]
[selinux-ssh]
[apache-auth]
[apache-badbots]
[apache-noscript]
[apache-overflows]
[apache-nohome]
[apache-botsearch]
[apache-fakegooglebot]
[apache-modsecurity]
[apache-shellshock]
[openhab-auth]
[nginx-http-auth]
[nginx-limit-req]
[nginx-botsearch]
[nginx-bad-request]
[php-url-fopen]
[suhosin]
[lighttpd-auth]
...
Any of these predefined jails can be enabled. For example, to monitor vsftpd:
Create a new file /etc/fail2ban/jail.d/vsftpd.conf and populate with:
[vsftpd]
enabled = true
backend = systemd
journalmatch = _SYSTEMD_UNIT=vsftpd.service
action = %(action_mw)s
NOTE:
Reload fail2ban to enable the new service to be monitored.
sudo systemctl reload fail2ban
sudo fail2ban-client status
returns:
Status
|- Number of jail: 2
`- Jail list: sshd, vsftpd
NOTE: This shows that the new service, in this example, vsftpd, is being monitored.
For this example, verify the status for the vsftpd service:
sudo fail2ban-client status vsftpd
returns:
Status for the jail: vsftpd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 3
|  `- Journal matches: _SYSTEMD_UNIT=vsftpd.service
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 1.2.3.4
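A check to run after the reload, as an added example that is not part of the original page: it parses the fail2ban-client status output shown above to confirm that every expected jail is active and to read per-jail counters. The function names and the embedded sample text are this example's own (constructed).

```sh
#!/bin/sh
# Added example: parse the text printed by `fail2ban-client status` and
# `fail2ban-client status <jail>`. Function names are this example's own.

# Constructed samples in the output format shown on this page.
SAMPLE_STATUS='Status
|- Number of jail: 2
`- Jail list: sshd, vsftpd'

SAMPLE_JAIL='Status for the jail: vsftpd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 3
|  `- Journal matches: _SYSTEMD_UNIT=vsftpd.service
`- Actions
   |- Currently banned: 1
   |- Total banned: 1
   `- Banned IP list: 1.2.3.4'

# stdin: `fail2ban-client status`; prints active jail names, one per line.
active_jails() {
    sed -n 's/^.*Jail list:[[:space:]]*//p' | tr ',' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# stdin: `fail2ban-client status`; args: jails that must be active.
# Prints each expected jail that is missing; returns 1 if any is missing.
missing_jails() {
    active=$(active_jails)
    rc=0
    for want in "$@"; do
        printf '%s\n' "$active" | grep -qxF -- "$want" || { echo "$want"; rc=1; }
    done
    return "$rc"
}

# stdin: `fail2ban-client status <jail>`; $1: field label such as
# "Currently banned". Prints that field's value.
jail_field() {
    sed -n "s/^.*$1:[[:space:]]*//p" | head -n 1
}

# Demo on the constructed samples. On a live host, pipe the real command:
#   sudo fail2ban-client status | missing_jails sshd vsftpd
printf '%s\n' "$SAMPLE_STATUS" | missing_jails sshd vsftpd && echo "all expected jails active"
echo "vsftpd banned now: $(printf '%s\n' "$SAMPLE_JAIL" | jail_field 'Currently banned')"
```

A non-zero exit from missing_jails makes it usable as a scheduled health check that alerts when a jail has dropped out of the list.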