Improve Debian 11's fail2ban rules.

4 files changed, 9 insertions, 15 deletions

diff --git a/roles/common/files/etc/fail2ban/action.d/nftables-allports.local b/roles/common/files/etc/fail2ban/action.d/nftables-allports.local
index 3c8c030..3b9ebc8 100644
--- a/roles/common/files/etc/fail2ban/action.d/nftables-allports.local
+++ b/roles/common/files/etc/fail2ban/action.d/nftables-allports.local
@@ -9,8 +9,8 @@ actionunban =
 
 [Init]
 # With banaction = *-allports there is no need for separate rule names
-set_name = fail2ban
-blocktype = drop
+table = filter
+addr_set = fail2ban
 
 [Init?family=inet6]
-set_name = fail2ban6
+addr_set = fail2ban6
diff --git a/roles/common/files/etc/fail2ban/fail2ban.local b/roles/common/files/etc/fail2ban/fail2ban.local
index 53cba35..23a92e9 100644
--- a/roles/common/files/etc/fail2ban/fail2ban.local
+++ b/roles/common/files/etc/fail2ban/fail2ban.local
@@ -1,16 +1,5 @@
 [Definition]
 
-# Option: logtarget
-# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
-#         Only one log target can be specified.
-#         If you change logtarget from the default value and you are
-#         using logrotate -- also adjust or disable rotation in the
-#         corresponding configuration file
-#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
-# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ]  Default: STDERR
-#
-logtarget = /var/log/fail2ban/fail2ban.log
-
 # Options: dbfile
 # Notes.: Set the file for the fail2ban persistent data to be stored.
 #         A value of ":memory:" means database is only stored in memory
diff --git a/roles/common/files/etc/logcheck/ignore.d.server/common-local b/roles/common/files/etc/logcheck/ignore.d.server/common-local
index b626946..9b0d0fe 100644
--- a/roles/common/files/etc/logcheck/ignore.d.server/common-local
+++ b/roles/common/files/etc/logcheck/ignore.d.server/common-local
@@ -79,6 +79,8 @@ no matching cipher found: client [.@[:alnum:]-]+(,[.@[:alnum:]-]+)* server [.@[:
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ smartd\[[0-9]+\]: Device: /dev/sd[a-z] \[SAT\], CHECK POWER STATUS spins up disk \(0x[0-9a-f]{2} -> 0xff\)$
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ ansible-([_a-z0-9.]+|<stdin>): Invoked with
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ python3\[[0-9]+\]: ansible-[_a-z0-9.]+ Invoked with
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ fail2ban-server\[[0-9]+\]: fail2ban\.filter\s*\[[0-9]+\]: INFO\s+\[[._[:alnum:]-]+\] Found [[:xdigit:].:]{3,39} -
+^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ fail2ban-server\[[0-9]+\]: fail2ban\.actions\s*\[[0-9]+\]: NOTICE\s+\[sshd\] (Ban|Unban) [[:xdigit:].:]{3,39}
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: notice Sympa::Request::Message::
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: notice Sympa::(Bulk|Spool)::store\(\)
 ^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sympa_msg\[[0-9]+\]: info Sympa::Spool::_create\(\) Creating directory /var/spool/sympa/auth
diff --git a/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
index e3e651f..b34d130 100644
--- a/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
+++ b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
@@ -2,13 +2,16 @@
 After=nftables.service
 
 [Service]
+ExecStartPre=
+ExecStart=
+ExecStart=/usr/bin/fail2ban-server -xf --logtarget=sysout start
+
 # Need explicit rights to read logs as we don't grant CAP_DAC_READ_SEARCH
 SupplementaryGroups=adm
 
 # Hardening
 NoNewPrivileges=yes
 ProtectSystem=strict
-ReadWriteDirectories=/var/log/fail2ban
 RuntimeDirectory=fail2ban
 PrivateDevices=yes
 ProtectControlGroups=yes