Fail2ban is an intrusion prevention system that monitors a number of server logs, looks for suspicious activity, and bans the originating IPs, preventing further malicious attempts. It is an excellent tool to mitigate brute-force or DoS attacks.
Fail2ban's configuration has many sensible defaults and usually few customisations are required. Still, the number of parameters is high, and if you want to be sure that fail2ban is configured exactly to your requirements, you can either triple-check the configuration manually (which is error-prone) or have Tstconfig check it for you automatically.
A look at fail2ban’s configuration file
Fail2ban's main configuration file is located at /etc/fail2ban/jail.conf. Typically you leave it as it is and edit a copy at
The file is made of a DEFAULT section, followed by a number of jail sections. The DEFAULT section provides the common defaults. Each jail section provides the details specific to a protocol, server or type of attack, possibly overriding some of the defaults.
The default section may look like this:
    [DEFAULT]
    ignoreip = 127.0.0.1/8
    bantime = 600
    findtime = 600
    maxretry = 3
    destemail = root@localhost
    sendername = Fail2Ban
A jail section may look like this (for ssh):
    [ssh]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 6
Testing jail.local with Tstconfig
Create a file called fail2ban.tstconfig with the following content:
    # The configuration file to test
    file /etc/fail2ban/jail.local
    # Fail2ban config files conform to the ini syntax
    syntax ini
You certainly want to customise destemail and maybe increase the
    # Let's focus on the DEFAULT section
    section DEFAULT
    # Make sure notifications are sent to the right address
    property destemail
    assert_eq email@example.com
    # Make sure malicious IPs are banned for 30 minutes
    property bantime
    assert_eq 1800
In specific jail sections, as a minimum, you want to ensure that the jail is active:
    # Make sure ssh logs are watched and bad guys banned
    section ssh
    property enabled
    assert_eq true
Running the tests
From a shell, run the following command:
    $ tstconfig fail2ban.tstconfig
    Tstconfig 0.2
    Reading definition file: fail2ban.tstconfig
    ASSERTION FAILED
    File: /etc/fail2ban/jail.local
    Section: DEFAULT
    Property: destemail
    Value: root@localhost
    Assertion: assert_eq firstname.lastname@example.org
    ASSERTION FAILED
    File: /etc/fail2ban/jail.local
    Section: DEFAULT
    Property: bantime
    Value: 600
    Assertion: assert_eq 1800
    SUMMARY REPORT: FAIL
    Assertions tested: 3
    Assertions passed: 1
    Assertions failed: 2
    Errors: 0
Well, the test failed, but the report gives you the exact file, section and property that you need to change to make the test pass.
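The same three checks, reimplemented as an added Python example (this is not tstconfig's code) so that the inheritance of DEFAULT values into each jail is visible; the sample jail.local, the CHECKS table and the run_checks helper are constructed here and are hypothetical:

```python
import configparser
# Constructed sample of /etc/fail2ban/jail.local mirroring the page's DEFAULT
# and [ssh] sections (not a real file from any host).
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
bantime = 600
findtime = 600
maxretry = 3
destemail = root@localhost

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
"""

# (section, property, expected): the three checks of the tstconfig file above.
# Hypothetical helper, not tstconfig's own code.
CHECKS = [
    ("DEFAULT", "destemail", "email@example.com"),
    ("DEFAULT", "bantime", "1800"),
    ("ssh", "enabled", "true"),
]

def load_jail_config(text):
    """Parse fail2ban's ini-style config. configparser lets every jail inherit
    DEFAULT values unless overridden, matching fail2ban; interpolation is off
    because fail2ban uses its own %(name)s placeholders."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def run_checks(parser, checks):
    """Return (passed, failures, errors) like tstconfig's summary; a failure
    records (section, property, actual, expected)."""
    passed, failures, errors = 0, [], 0
    for section, prop, expected in checks:
        try:
            actual = parser.get(section, prop)
        except (configparser.NoSectionError, configparser.NoOptionError):
            errors += 1  # missing section or property: an error, not a failure
            continue
        if actual == expected:
            passed += 1
        else:
            failures.append((section, prop, actual, expected))
    return passed, failures, errors
```

Asking the parser for the ssh jail's bantime returns the DEFAULT value 600, while its maxretry returns the jail's own override 6, which is exactly the lookup fail2ban performs.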
Other configuration files
Fail2ban has a number of other configuration files, for additional filters (in /etc/fail2ban/filters.d), actions (in /etc/fail2ban/actions.d) and jails (in /etc/fail2ban/jails.d). These files have the same "ini" syntax with sections and properties, so they can be tested in the same way as we've done for