LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 01-10-2020, 06:13 AM   #1
fakie_flip
Senior Member
 
Registered: Feb 2005
Location: San Antonio, Texas
Distribution: Gentoo Hardened using OpenRC not Systemd
Posts: 1,454
Fail2ban


How much overhead is there for leaving fail2ban to check for a lot of services that I do not have installed and web apps that I do not have in Apache? Is it best to leave all of those uncommented in jail.conf? I thought I was not supposed to edit that file. Commenting them out in jail.local won't disable them.

The guide I am following is for Ubuntu, and I am running CentOS 7. So that is probably why it says that by default only sshd in Fail2ban is enabled, and for me, it seems at least 20 types or more are enabled by default in my jail.conf file.

So if I do edit the jail.conf to comment out a lot of unneeded checks, when fail2ban is upgraded by my distro, it will overwrite that file, and I will need to do it each time.

What is the best course of action?
 
Old 01-10-2020, 06:34 AM   #2
wpeckham
Senior Member
 
Registered: Apr 2010
Location: Continental USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix, Mint-DE, Sparky, Vsido, tinycore, Q4OS
Posts: 3,169

In my experience fail2ban only fires up on an access to services it monitors. If the service is not there, it will never fire up for that access. My experience with it is more than a year old now, and that was not the latest version, but if it is representative of the current behavior you need not worry. Check the man page for the config file for detail on disabling monitoring of specific services. (Or just read the original file: it used to be very well commented.)
 
Old 01-10-2020, 09:40 AM   #3
theodore.s
LQ Newbie
 
Registered: Jul 2018
Location: Athens, Greece
Distribution: Slackware
Posts: 19

Even if a host tries an attack on a service that you don't run, it is not a bad idea to let fail2ban ban it as a precaution. You may avoid the overhead and dangers of subsequent attacks, especially in the case of web applications.
 
Old 01-10-2020, 09:38 PM   #4
fakie_flip
Senior Member
 
Registered: Feb 2005
Location: San Antonio, Texas
Distribution: Gentoo Hardened using OpenRC not Systemd
Posts: 1,454

Original Poster
It turns out that the services were not enabled just because they were uncommented. I had to add "enabled = true" for each one that I wanted to enable.

Postfix is configured as well as Fail2ban, and I get an email with whois, and some logs from an attack that Fail2ban banned.
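Added example, not code from this thread or from the fail2ban project: a small Python script that mimics the key-by-key layering fail2ban applies when it reads jail.conf, then jail.d/*.conf, then jail.local, then jail.d/*.local (later files override earlier ones, setting by setting). It shows the point reached in post #4: a jail section that is merely present and uncommented in jail.conf stays disabled, because [DEFAULT] in jail.conf carries enabled = false, and the durable fix is to put enabled = true for each wanted jail in jail.local, leaving jail.conf untouched so package upgrades do not clobber your changes. The two file contents below are constructed for the illustration; a real CentOS 7 jail.conf is far longer and fail2ban uses its own config reader rather than Python's configparser, but the override semantics shown are the same.

```python
"""Resolve which fail2ban jails end up enabled after conf/local layering.

Constructed sample files (not real distro files) that follow the shape of
fail2ban's jail.conf and a typical admin-written jail.local.
"""
import configparser

# Constructed stand-in for the distro-shipped jail.conf: many jail
# sections are present, but [DEFAULT] says enabled = false, so none of
# them is active just by being uncommented.
JAIL_CONF = """
[DEFAULT]
enabled = false
bantime = 600
findtime = 600
maxretry = 5

[sshd]
port = ssh
logpath = /var/log/secure

[apache-auth]
port = http,https
logpath = /var/log/httpd/error_log

[postfix]
port = smtp,465,submission
logpath = /var/log/maillog
"""

# Constructed stand-in for the admin's jail.local: only overrides.
# Nothing here needs to repeat port/logpath from jail.conf, and leaving a
# jail out of this file (apache-auth) simply keeps it disabled.
JAIL_LOCAL = """
[DEFAULT]
bantime = 3600

[sshd]
enabled = true

[postfix]
enabled = true
maxretry = 3
"""


def resolve_jails(*layers):
    """Read config layers in order; later layers override earlier ones key by key.

    interpolation=None keeps fail2ban-style %(name)s references from
    tripping Python's own interpolation; we only need the override logic.
    """
    cp = configparser.ConfigParser(interpolation=None)
    for text in layers:
        cp.read_string(text)
    return cp


def enabled_jails(cp):
    """Jails whose effective 'enabled' is true (DEFAULT supplies the fallback)."""
    return sorted(s for s in cp.sections()
                  if cp.getboolean(s, "enabled", fallback=False))


def effective_settings(cp, jail):
    """Merged view of one jail: DEFAULT values plus the jail's own overrides."""
    return dict(cp.items(jail))


if __name__ == "__main__":
    merged = resolve_jails(JAIL_CONF, JAIL_LOCAL)
    print("enabled jails:", enabled_jails(merged))
    for jail in merged.sections():
        print(jail, effective_settings(merged, jail))
```

Running it lists only postfix and sshd as enabled; apache-auth is defined in jail.conf but inherits enabled = false from [DEFAULT], which is exactly why uncommenting a section does nothing on its own. Note also that bantime for every jail comes from jail.local's [DEFAULT] (3600) while postfix alone gets maxretry = 3, mirroring how a few lines in jail.local can both tune global defaults and enable individual jails without editing the packaged file.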