Question about Fail2ban setting utilizing the ‘backend’ option.

fbeye · 12-08-2018, 11:46 AM

Hello!

Was wondering if anyone here was using fail2ban (in a Slackware environment).
The backend option is used to pick up any changes in the logs, so I am to believe.

I currently have each jail I am using use /var/log/maillog (for dovecote and postfix) and have backend commented out (#). Is this alright? I do so because if it is enabled to either auto or polling I get a “Jail is not a part of the JournalFilter instance” and I have no idea what that means.

Any suggestions?

bassmadrigal · 12-10-2018, 01:35 PM

I only use fail2ban to manage my ssh logs, and I have backend set to auto in my /etc/fail2ban/jail.local and the backend for sshd to be the default of %(sshd_backend)s

Habitual · 12-14-2018, 02:09 PM

Quote:

Originally Posted by fbeye

Hello!

Was wondering if anyone here was using fail2ban (in a Slackware environment).
The backend option is used to pick up any changes in the logs, so I am to believe.

I currently have each jail I am using use /var/log/maillog (for dovecote and postfix) and have backend commented out (#). Is this alright? I

Sure, butt...
it means that f2b will use the [ DEFAULT ]
for any missing or not declared directive
My [ DEFAULT ]

Code:

[DEFAULT]
ignoreip = {space separated list of "safe" IPs Never to be banned}
bantime  = 86400
findtime = 600
maxretry = 1
backend = polling
destemail = email@domain.com
banaction = my_custom_banaction
mta = sendmail
protocol = tcp
chain = INPUT
loglevel = 3
usedns = yes

# "backend" specifies the backend used to get files modification.
# auto: will try to use the following backends, in order:
backend = auto

In your jail.local (just a copy of jail.conf)
There is a
[ DEFAULT ]
stanza.

the entry provided by the f2b author is

Code:

[dovecot]

enabled = false
port    = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
filter  = dovecot
logpath = /var/log/mail.log

and I see no "backend" directive so, it looks for use the polling directive from
my [ DEFAULT ]

all documented in /etc/fail2ban/jail.conf

Code:

# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
#            If pyinotify is not installed, Fail2ban will use auto.
# gamin:     requires Gamin (a file alteration monitor) to be installed.
#            If Gamin is not installed, Fail2ban will use auto.
# polling:   uses a polling algorithm which does not require external libraries.
# auto:      will try to use the following backends, in order:
#            pyinotify, gamin, polling.
backend = auto

My advice is make a copy of /etc/fail2ban/jail.conf as /etc/fail2ban/jail.local and stick only the enabled jails in there.
The file /etc/fail2ban/jail.local survives upgrades.