I’m trying to get a very simple fail2ban setup working on 13.2 but I can’t get it to work. Are the fail2ban packages broken on 13.2 (I did the exact same thing on CentOS 7 and it worked fine)?
I copied jail.conf and fail2ban.conf to the corresponding .local files (jail.local and fail2ban.local).
jail.local only has this in it:
[DEFAULT]
ignoreip = 127.0.0.1/8
backend = systemd
I created a new sshd.conf in /etc/fail2ban/jail.d/sshd.conf:
fail2ban SSH
block ssh after 3 unsuccessful login attempts for 10 minutes
- Check your action setting. action.d/ipconfig.conf should have a port listed for ssh. I’ve never declared a port number. I’ve always used what’s listed in this file. Your action statement, for iptables, should reflect the iptables.conf. Your parameters probably don’t match.
- I don’t see a filter listed in your jail declaration. Without a filter it cannot match the correct log entries.
I installed via zypper, only openSUSE repos, no Packman, and it’s always worked.
I finally got it working!
For some reason, fail2ban on OpenSUSE 13.2 isn’t parsing anything in journald. I installed rsyslog, changed the backend line to auto in jail.local (instead of systemd), added the line “logpath = /var/log/messages” in my ssh-iptables.conf file, restarted fail2ban, and it started working immediately.
Actually, your problem and solution are very common.
There are a multitude of legacy log analysis tools that “since forever” have analyzed legacy logfiles in /var/log/ which don’t read the systemd journal.
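The working setup described in the thread (rsyslog writing /var/log/messages, file backend instead of the journal), written out as an added example that is not taken from any poster's actual files. The jail name, the jail file's location, the `sshd` filter and the `iptables` action parameters are assumptions; the retry count and ban time follow the "3 attempts, 10 minutes" description above.

```ini
# /etc/fail2ban/jail.local
[DEFAULT]
ignoreip = 127.0.0.1/8
# backend = systemd   (the setting that matched nothing for the poster on 13.2)
backend = auto

# /etc/fail2ban/jail.d/ssh-iptables.conf
# (file name as mentioned in the thread; directory and jail name are assumed)
[ssh-iptables]
enabled  = true
# Without a filter the jail has no patterns to match log entries against.
filter   = sshd
# Parameters must match what action.d/iptables.conf expects.
action   = iptables[name=SSH, port=ssh, protocol=tcp]
# Written by rsyslog; the file backend reads this instead of the journal.
logpath  = /var/log/messages
# Ban after 3 failed logins, for 600 seconds (10 minutes).
maxretry = 3
bantime  = 600
```

After restarting fail2ban, `fail2ban-client status ssh-iptables` shows whether the jail is loaded and counting failures, and `fail2ban-regex /var/log/messages /etc/fail2ban/filter.d/sshd.conf` shows whether the filter matches anything in the log file.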