[HowTo] Install and configure a working fail2ban

I’m updating this again to reflect the current available version of fail2ban

  • This was tested on the current version of OSMC on the Raspberry Pi 1 B (May 2018).

First, let's install everything we need:

sudo apt install python3-systemd fail2ban

Next, edit your /etc/fail2ban/jail.d/jail.local (new file, use sudo) using your preferred editor and add in the following:

[DEFAULT]
default_backend = systemd
backend = systemd

[sshd]
enabled = true

Last, but not least, enable fail2ban on boot and start it.

sudo systemctl enable fail2ban && sudo systemctl start fail2ban

Enjoy.

sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed:	0
|  |- Total failed:	180
|  `- Journal matches:	_SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned:	1
   |- Total banned:	1
   `- Banned IP list:	61.177.172.23
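An added example that extends the jail.local from the HowTo above (it is not code from the original post): it keeps the systemd journal as the default backend but overrides it for a jail that follows a plain log file. With backend = systemd inherited from [DEFAULT], fail2ban ignores that jail's logpath and runs its failregex against every journal entry instead. The [myservice] jail, its filter name, log path and port are hypothetical.

```ini
[DEFAULT]
# Journal-based jails (sshd etc.) read the systemd journal, as in the HowTo.
default_backend = systemd
backend = systemd

[sshd]
enabled = true

# Hypothetical jail for a service that only writes a plain log file.
# Without the backend override it would inherit "systemd" from [DEFAULT],
# its logpath would be ignored, and its regexes would be checked against
# every journal line (fail2ban logs a NOTICE about the missing journalmatch).
[myservice]
enabled = true
backend = auto
filter = myservice
logpath = /var/log/myservice.log
port = 8080
maxretry = 5
findtime = 600
bantime = 3600
```

After editing, `sudo fail2ban-client reload` picks up the change and `sudo fail2ban-client status myservice` should report the log file under "File list" rather than a journal match.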

Could you give some examples of situations where people should run this? Most people’s Pi’s aren’t exposed to the outside world.

Fail2ban is useful either when you have any kind of service running on OSMC facing the internet (e.g. SSH) or when your OSMC is on a non-private network (e.g. a college/university campus network).


As I wasn't able to install fail2ban, I solved the problem by changing the SSH port and with iptables rules:

# LOGDROP is a user-defined chain (log, then drop) that has to exist before these rules are added
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 600 --hitcount 5 -j LOGDROP

For me this is good enough. I can see the log with journalctl -k.

Hi yuusou, and thanks for your post. I'm still stuck with fail2ban: I get an error when fixing the dependencies, and in the end the fail2ban service can't start. Still the same error message (fail2ban installation problem).
Maybe I don't have the latest OSMC (haven't seen any update in September?), will try to update that.

Hi guys,
I've just tried to install fail2ban with that guide, and even though it works great on Raspbian, on OSMC I can't get fail2ban started. Can you please help me?

I’ve updated the post, basically changed the order of what you do to make it more streamlined.
Tested on a brand spanking new install.

Instead of fail2ban, you could access OSMC using SSH but have your router forward, for example, port 9382 (randomly chosen) instead of the common port 22 to the internal port 22.

And then use SSH tunneling to access any other service running on your OSMC device:

Thanks @yuusou, this worked out great. I had an issue with the configuration file but just reading through the jail.conf properly helped me. Great post!

FYI, fail2ban seems to be in the repos now, so just installing it will suffice:

sudo apt-get install fail2ban

Fail2ban 0.9.3 or later?

Seems it is 0.8.13-1.

I’ve updated this HowTo to reflect the current available versions of fail2ban and OSMC.
I’ve also listed the exact version I’ve used so you know what works.

@axil versions below 0.9.3 don’t support systemd, that’s why we need the newer version. Sorry for the late reply.


After installing python3-systemd dependency, I downloaded v0.9.6-1 from the link and tried to install it. Got this:

Selecting previously unselected package fail2ban.
(Reading database … 61586 files and directories currently installed.)
Preparing to unpack fail2ban_0.9.6-1_all.deb …
Unpacking fail2ban (0.9.6-1) …
Setting up fail2ban (0.9.6-1) …
Job for fail2ban.service failed. See ‘systemctl status fail2ban.service’ and ‘journalctl -xn’ for details.
invoke-rc.d: initscript fail2ban, action “start” failed.
dpkg: error processing package fail2ban (--install):
subprocess installed post-installation script returned error exit status 1
Processing triggers for systemd (215-17+deb8u6) …
Errors were encountered while processing:
fail2ban

Any help would be appreciated! Thanks!

Try:
sudo touch /var/log/fail2ban.log
and start fail2ban service again.

Did this:

sudo touch /var/log/fail2ban.log
sudo service fail2ban start

Got this:

Job for fail2ban.service failed. See ‘systemctl status fail2ban.service’ and ‘journalctl -xn’ for details.

Running the command returned:

  • fail2ban.service - Fail2Ban Service
    Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled)
    Active: failed (Result: start-limit) since Sun 2017-03-12 11:36:34 CDT; 4s ago
    Docs: man:fail2ban(1)
    Process: 14582 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=255)

No journal files were found after running “journalctl -xn”…

Did you edit the jail file and run sudo apt -f install?

This is happening because you don’t have a working configuration, meaning dpkg can’t start the process thus failing the install.
Is your /etc/fail2ban/jail.d/jail.local file configured as I indicated in the first post? It seems as though you’re missing the default_backend flag.

Okay, I wasn’t aware that the “configuration” at that point was still broken. Completing the instructions got it working. Sorry about that!

Hello,
I successfully installed fail2ban 0.9.6-2 using this post on the current OSMC version (March 2018)

and followed this post to monitor SSL accesses to Domoticz: Setup fail2ban - Domoticz

This is my /etc/fail2ban/jail.d/jail.local:

[DEFAULT]
default_backend = systemd
backend = systemd

[sshd]
enabled = true

[domoticz]
enabled = true
port = 443
filter = domoticz
logpath = /tmp/domoticz.txt
maxretry = 5
findtime = 3600

Still following the domoticz.com post, I created a /etc/fail2ban/filter.d/domoticz.conf failregex definition:

[Definition]
failregex = Error: Failed login attempt from <HOST> for user '.*' !
            Error: Failed login attempt from <HOST> for '.*' !
            Error: \[Web:8080\] Failed authentication attempt, ignoring client request \(remote address: <HOST>\)
            Error: \[web:443\] Failed authentication attempt, ignoring client request \(remote address: <HOST>\)

I tested the config manually with a sample log, then with the real Domoticz log:

fail2ban-regex /tmp/domoticz.txt /etc/fail2ban/filter.d/domoticz.conf

It worked fine: Lines: 9538 lines, 0 ignored, 61 matched, 9477 missed

Trouble is, when I enable the service, no IP is banned, and the process consumes 20-40% CPU.

The fail2ban log looks fine to me:

2018-03-20 13:55:23,202 fail2ban.server [29051]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.9.6
2018-03-20 13:55:23,204 fail2ban.database [29051]: INFO Connected to fail2ban persistent database ‘/var/lib/fail2ban/fail2ban.sqlite3’
2018-03-20 13:55:23,212 fail2ban.jail [29051]: INFO Creating new jail ‘sshd’
2018-03-20 13:55:23,267 fail2ban.jail [29051]: INFO Jail ‘sshd’ uses systemd {}
2018-03-20 13:55:23,353 fail2ban.jail [29051]: INFO Initiated ‘systemd’ backend
2018-03-20 13:55:23,356 fail2ban.filter [29051]: INFO Set findtime = 600
2018-03-20 13:55:23,359 fail2ban.actions [29051]: INFO Set banTime = 600
2018-03-20 13:55:23,359 fail2ban.filter [29051]: INFO Set maxRetry = 5
2018-03-20 13:55:23,361 fail2ban.filter [29051]: INFO Set jail log file encoding to ANSI_X3.4-1968
2018-03-20 13:55:23,362 fail2ban.filter [29051]: INFO Set maxlines = 10
2018-03-20 13:55:23,721 fail2ban.filtersystemd [29051]: INFO Added journal match for: ‘_SYSTEMD_UNIT=sshd.service + _COMM=sshd’
2018-03-20 13:55:23,754 fail2ban.jail [29051]: INFO Creating new jail ‘domoticz’
2018-03-20 13:55:23,755 fail2ban.jail [29051]: INFO Jail ‘domoticz’ uses systemd {}
2018-03-20 13:55:23,766 fail2ban.jail [29051]: INFO Initiated ‘systemd’ backend
2018-03-20 13:55:23,769 fail2ban.filter [29051]: INFO Set findtime = 3600
2018-03-20 13:55:23,775 fail2ban.actions [29051]: INFO Set banTime = 1000
2018-03-20 13:55:23,777 fail2ban.filter [29051]: INFO Set maxRetry = 3
2018-03-20 13:55:23,779 fail2ban.filter [29051]: INFO Set jail log file encoding to ANSI_X3.4-1968
2018-03-20 13:55:23,829 fail2ban.jail [29051]: INFO Jail ‘sshd’ started
2018-03-20 13:55:23,831 fail2ban.filtersystemd [29051]: NOTICE Jail started without ‘journalmatch’ set. Jail regexs will be checked against all journal entries, which is not advised for performance reasons.
2018-03-20 13:55:23,843 fail2ban.jail [29051]: INFO Jail ‘domoticz’ started

That is, until I tried DEBUG mode and got this message repeated constantly:

[29051]: DEBUG Read systemd journal entry: ‘2018-03-20T13:53:36.481418osmc kernel: [73497.021350] WARN::dwc_otg_handle_mode_mismatch_intr:68: Mode Mismatch Interrupt: currently in Host mode\n’

What could be wrong? Any help would be greatly appreciated.
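The sliding-window counting behind both the iptables `-m recent --seconds 600 --hitcount 5` rules posted earlier in the thread and fail2ban's findtime/maxretry for the domoticz jail above, replayed over a handful of constructed Domoticz-style log lines with failregex patterns modelled on the filter just discussed. This is an added example, not fail2ban's code and not from any post in this thread; the log lines, the IPv4-only stand-in for fail2ban's <HOST> group and the jail parameters are assumptions. It shows one thing the parameters alone do not make obvious: five failures spaced three minutes apart slip under findtime = 600 but are caught by the findtime = 3600 used in the jail.local above.

```python
"""Sliding-window failure counting, as fail2ban's findtime/maxretry and
iptables' -m recent --seconds/--hitcount do it, run over constructed
Domoticz-style log lines.  Added example, not fail2ban's own code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands <HOST> to a group matching hostnames and IPv4/IPv6;
# this simplified stand-in accepts dotted-quad IPv4 only (assumption).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex lines modelled on the Domoticz filter discussed in the thread.
FAILREGEX = [
    r"Error: Failed login attempt from <HOST> for user '.*' !",
    r"Error: Failed login attempt from <HOST> for '.*' !",
    r"Error: \[Web:8080\] Failed authentication attempt, ignoring client request "
    r"\(remote address: <HOST>\)",
]
COMPILED = [re.compile(p.replace("<HOST>", HOST_RE)) for p in FAILREGEX]
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def match_host(line):
    """Return the offending host if any failregex matches the line, else None."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


class SlidingWindowBanner:
    """Ban a host once it has maxretry failures within findtime seconds.

    Same shape as iptables '-m recent --update --seconds S --hitcount N':
    the current event counts, and only events inside the window are kept.
    """

    def __init__(self, maxretry, findtime, bantime):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.hits = defaultdict(deque)   # host -> timestamps of recent failures
        self.banned = {}                 # host -> ban expiry

    def is_banned(self, host, now):
        expiry = self.banned.get(host)
        if expiry is None:
            return False
        if now >= expiry:
            del self.banned[host]        # unban once bantime has elapsed
            return False
        return True

    def observe(self, host, now):
        """Record one failure at time `now`; return True if it triggers a ban."""
        if self.is_banned(host, now):
            return False                 # the firewall rule would have dropped it
        window = self.hits[host]
        window.append(now)
        while window and now - window[0] > self.findtime:
            window.popleft()             # forget failures older than findtime
        if len(window) >= self.maxretry:
            self.banned[host] = now + self.bantime
            window.clear()               # the count restarts after a ban
            return True
        return False


def run_jail(log_text, maxretry, findtime, bantime):
    """Replay log lines through filter and banner; return (host, when) bans."""
    banner = SlidingWindowBanner(maxretry, findtime, bantime)
    bans = []
    for line in log_text.splitlines():
        ts = TS_RE.match(line)
        host = match_host(line)
        if not ts or host is None:
            continue                     # no timestamp, or not a failure line
        now = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        if banner.observe(host, now):
            bans.append((host, now.strftime("%Y-%m-%d %H:%M:%S")))
    return bans


# Constructed sample log: 10.0.0.5 fails five times in under a minute;
# 192.0.2.10 fails five times but spaced three minutes apart.
SAMPLE_LOG = """\
2018-03-20 13:00:00.100  Error: Failed login attempt from 10.0.0.5 for user 'admin' !
2018-03-20 13:00:10.200  Error: Failed login attempt from 10.0.0.5 for user 'admin' !
2018-03-20 13:00:20.300  Status: Incoming connection from: 10.0.0.9
2018-03-20 13:00:30.400  Error: [Web:8080] Failed authentication attempt, ignoring client request (remote address: 10.0.0.5)
2018-03-20 13:00:40.500  Error: Failed login attempt from 10.0.0.5 for 'root' !
2018-03-20 13:00:50.600  Error: Failed login attempt from 10.0.0.5 for user 'admin' !
2018-03-20 13:01:00.000  Error: Failed login attempt from 192.0.2.10 for user 'pi' !
2018-03-20 13:04:00.000  Error: Failed login attempt from 192.0.2.10 for user 'pi' !
2018-03-20 13:07:00.000  Error: Failed login attempt from 192.0.2.10 for user 'pi' !
2018-03-20 13:10:00.000  Error: Failed login attempt from 192.0.2.10 for user 'pi' !
2018-03-20 13:13:00.000  Error: Failed login attempt from 192.0.2.10 for user 'pi' !
2018-03-20 13:15:00.000  Error: Failed login attempt from 10.0.0.5 for user 'admin' !
"""

if __name__ == "__main__":
    # findtime=600/maxretry=5 mirrors the iptables rules: only the fast attacker is banned.
    print(run_jail(SAMPLE_LOG, maxretry=5, findtime=600, bantime=600))
    # findtime=3600, as in the domoticz jail, also catches the slow one.
    print(run_jail(SAMPLE_LOG, maxretry=5, findtime=3600, bantime=600))
```

The banner deliberately ignores failures from a host that is already banned, because a real fail2ban ban is an iptables rule and those packets never reach the service; after the ban expires the count starts from zero, which is why the final 13:15:00 line produces no second ban.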