Dump the code

Understanding Filters

Created 7 months ago
Posted By admin
3min read
Filters are how Fail2Ban recognises potentially malicious activity in log files. Each filter is a set of rules, written as regular expressions (regex), that tells Fail2Ban which log lines count as a failure and which part of the line identifies the offending client. This brief overview covers where filters are stored, walks through a predefined filter for SSH, and adds a few practical notes.

Filter location
Fail2Ban filter configurations are stored in the /etc/fail2ban/filter.d/ directory. Each service or application monitored by Fail2Ban has its own filter file there, and a jail selects it by name: `filter = sshd` in jail.conf or jail.local refers to /etc/fail2ban/filter.d/sshd.conf. The .conf files are shipped by the package and overwritten on upgrade; to change a filter, put the overriding settings in a file with the same name and a .local extension (for example sshd.local), which Fail2Ban reads after the .conf.

Example 1: SSH filter
Let's explore a shortened version of the predefined filter for SSH (sshd.conf):

# /etc/fail2ban/filter.d/sshd.conf

[Definition]
failregex = ^(?: sshd(?:\[\d+\])?: )?Failed \S+ for .* from <HOST>(?: port \d+)?(?: ssh2)?$
ignoreregex =
  • failregex: This regular expression matches lines in the SSH log that record a failed login attempt. `Failed \S+` covers `Failed password`, `Failed publickey`, `Failed none` and similar; `<HOST>` is not literal text but a Fail2Ban tag that is replaced at load time by a named group matching an IPv4/IPv6 address or hostname, and whatever that group captures is the address Fail2Ban bans. The non-capturing groups `(?: ... )` make the `sshd[pid]:` prefix, the port and the `ssh2` suffix optional without creating extra capture groups. Note that the shipped sshd.conf is considerably longer than this: it includes common.conf and starts every pattern with `%(__prefix_line)s`, which tolerates the syslog hostname and the `sshd[pid]:` tag that precede the message, whereas the shortened pattern above only allows an optional ` sshd[pid]: ` before `Failed` and matches nothing on a standard syslog line, which carries the hostname. Always check a pattern against real log lines with `fail2ban-regex` before relying on it.
  • ignoreregex: The ignoreregex line is left empty (ignoreregex =), so no line that matches failregex is exempted. A line matching ignoreregex is discarded even if it also matches failregex; it is the place to exclude, for example, a monitoring host that deliberately probes the service.

Example 2: SFTP filter
Here's a second example, a filter for Secure File Transfer Protocol (SFTP) kept in a custom file (sftp.conf). Keep in mind what SFTP is: the OpenSSH sftp-server runs as a subsystem of sshd, so SFTP logins are authenticated by sshd, their failures appear in the same log, and the sshd filter above already matches them. Fail2Ban does not ship a separate sftp.conf; the patterns below are of the kind the shipped sshd.conf keeps behind its stricter modes, and cover the pre-authentication phase rather than password failures:

# /etc/fail2ban/filter.d/sftp.conf

[Definition]
failregex = ^%(__prefix_line)s(?:Connection closed|Received disconnect|Disconnected from authenticating user <USER>(?: port \d+ \[preauth\])?|fatal:).*? \[preauth\]$
            ^%(__prefix_line)s(?:error|fatal): Couldn't.*preauth.*gssapi \w+.*$
ignoreregex =
  • failregex: These two patterns match sshd log lines written before authentication completed: connections closed or disconnected during the pre-authentication phase (the `[preauth]` suffix), fatal errors in that phase, and GSSAPI errors. `<USER>` is the Fail2Ban tag for the username. `%(__prefix_line)s` is defined in common.conf and only resolves if the filter includes it (`[INCLUDES]` with `before = common.conf`), as the shipped sshd.conf does.
    - The first line matches "Connection closed", "Received disconnect" and "Disconnected from authenticating user ..." events that end with ` [preauth]`.
    - The second line matches `error:`/`fatal:` messages about pre-authentication GSSAPI failures.
  • ignoreregex: The ignoreregex line is left empty (ignoreregex =), so nothing that matches failregex is exempted.

Two caveats before using this as written. First, neither pattern contains `<HOST>`: they capture the username but not the client address, and Fail2Ban requires a failure-id group such as `<HOST>` in every failregex (the load error reads "No failure-id group in ..."), so the filter will not load, let alone ban, until the address is captured. In sshd's own messages the address follows the username, e.g. `Disconnected from authenticating user <USER> <HOST> port \d+ \[preauth\]`. Second, a pre-authentication disconnect is a weaker signal than a failed password: it is what a port scanner or a client with no acceptable key algorithm produces, but also what a legitimate user on a flaky connection produces. That is why the shipped sshd filter keeps such patterns out of its default `mode` and only enables them in its ddos/aggressive modes. Used with that in mind, these patterns help block brute-force and scanning activity before it even reaches the password stage.
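To see the two filters above actually run, here is an added example (my own Python, not code from the article and not Fail2Ban's implementation) that emulates how Fail2Ban expands the `<HOST>`/`<USER>` tags and `%(__prefix_line)s`, cuts out the syslog timestamp, and applies failregex lines to constructed auth.log lines. The tag expansion, the prefix handling, the sample log and the `_FIXED` patterns are all my simplified assumptions, not Fail2Ban's shipped definitions. It shows three things: that the shortened sshd pattern matches nothing once a hostname precedes `sshd[pid]:`, that the SFTP patterns have no failure-id group and are rejected, and how much difference adding pre-authentication patterns makes to which hosts reach maxretry.

```python
"""Added example (my own code, not from the article or from Fail2Ban): a small
emulation of how Fail2Ban applies failregex lines, run over constructed
auth.log lines. Simplifying assumptions (stand-ins, not Fail2Ban's code):
  * <HOST> becomes a named group 'host' matching an IPv4/IPv6 literal only.
  * %(__prefix_line)s is reduced to "optional hostname + sshd[pid]: ".
  * The syslog timestamp is cut out as Fail2Ban's datepattern does; the text
    that remains (leading space included) is what the regex is applied to.
"""
import re
from collections import Counter

TAGS = {
    "<HOST>": r"(?P<host>(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F]{0,4}(?::[0-9a-fA-F]{0,4}){2,7}))",
    "<USER>": r"(?P<user>\S+)",
}
PREFIX_LINE = r"\s*(?:\S+ )?sshd(?:\[\d+\])?: "   # stand-in for common.conf's __prefix_line
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d")  # e.g. "Mar  3 10:15:42"
FAIL_ID_GROUPS = ("host",)  # Fail2Ban also accepts ip4/ip6/dns/fid groups; simplified here

# The two filters as printed in the article.
SSH_FAILREGEX_ARTICLE = [
    r"^(?: sshd(?:\[\d+\])?: )?Failed \S+ for .* from <HOST>(?: port \d+)?(?: ssh2)?$",
]
SFTP_FAILREGEX_ARTICLE = [
    r"^%(__prefix_line)s(?:Connection closed|Received disconnect|Disconnected from authenticating user <USER>(?: port \d+ \[preauth\])?|fatal:).*? \[preauth\]$",
    r"^%(__prefix_line)s(?:error|fatal): Couldn't.*preauth.*gssapi \w+.*$",
]
# My corrected variants (assumptions, not Fail2Ban's shipped patterns): the same
# intent written with __prefix_line so a hostname is tolerated, and with <HOST>
# so there is an address to ban.
SSH_FAILREGEX_FIXED = [
    r"^%(__prefix_line)sFailed \S+ for .* from <HOST>(?: port \d+)?(?: ssh2)?$",
]
PREAUTH_FAILREGEX_FIXED = [
    r"^%(__prefix_line)s(?:Connection closed by|Received disconnect from|Disconnected from)"
    r"(?: authenticating user <USER>)? <HOST>(?: port \d+)?.* \[preauth\]$",
]

# Constructed sample log, not real traffic (addresses are documentation ranges).
AUTH_LOG = """\
Mar  3 10:15:42 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:15:45 bastion sshd[2231]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:15:49 bastion sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar  3 10:16:01 bastion sshd[2240]: Accepted publickey for deploy from 198.51.100.4 port 40010 ssh2
Mar  3 10:16:05 bastion sshd[2244]: Failed publickey for deploy from 198.51.100.4 port 40012 ssh2
Mar  3 10:16:10 bastion sshd[2250]: Disconnected from authenticating user root 203.0.113.9 port 51100 [preauth]
Mar  3 10:16:12 bastion sshd[2252]: Received disconnect from 203.0.113.9 port 51102:11: Bye Bye [preauth]
Mar  3 10:16:14 bastion sshd[2254]: Connection closed by authenticating user root 203.0.113.9 port 51104 [preauth]
"""


def compile_failregex(pattern):
    """Expand %(__prefix_line)s and the <HOST>/<USER> tags, then compile."""
    pattern = pattern.replace("%(__prefix_line)s", PREFIX_LINE)
    for tag, regex in TAGS.items():
        pattern = pattern.replace(tag, regex)
    return re.compile(pattern)


def has_failure_id(pattern):
    """Fail2Ban refuses a failregex that has no failure-id group such as <HOST>."""
    groups = compile_failregex(pattern).groupindex
    return any(name in groups for name in FAIL_ID_GROUPS)


def find_failures(failregex_lines, log_text):
    """Return the <HOST> captured from every log line matched by any failregex."""
    regexes = []
    for pattern in failregex_lines:
        if not has_failure_id(pattern):            # mirrors Fail2Ban's load-time error
            raise ValueError("No failure-id group in %r" % pattern)
        regexes.append(compile_failregex(pattern))
    hosts = []
    for line in log_text.splitlines():
        body = SYSLOG_TS.sub("", line, count=1)    # what remains once the date is cut out
        for rx in regexes:
            match = rx.search(body)
            if match:
                hosts.append(match.group("host"))
                break                              # first matching failregex wins
    return hosts


def hosts_to_ban(failregex_lines, log_text, maxretry=3):
    """Hosts that reached maxretry matches (findtime is ignored for brevity)."""
    counts = Counter(find_failures(failregex_lines, log_text))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    print("article sshd pattern :", find_failures(SSH_FAILREGEX_ARTICLE, AUTH_LOG))
    print("prefixed sshd pattern:", find_failures(SSH_FAILREGEX_FIXED, AUTH_LOG))
    print("sftp.conf loadable   :", all(has_failure_id(p) for p in SFTP_FAILREGEX_ARTICLE))
    print("bans, normal mode    :", hosts_to_ban(SSH_FAILREGEX_FIXED, AUTH_LOG))
    print("bans, with preauth   :", hosts_to_ban(SSH_FAILREGEX_FIXED + PREAUTH_FAILREGEX_FIXED, AUTH_LOG))
```

Run it with `python3`: the article's sshd pattern finds nothing in the sample log, the prefixed variant attributes three password failures to 203.0.113.7 and one publickey failure to 198.51.100.4, the article's SFTP patterns are rejected for lack of `<HOST>`, and with the pre-authentication patterns added 203.0.113.9 also reaches maxretry on disconnects alone. Real Fail2Ban additionally limits the count to a findtime window and normalises IPv6 addresses; the emulation leaves both out.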

Additional note
It's important to note that the structure and content of predefined filters vary with the Fail2Ban version and with the service being monitored; the examples above are abbreviated, and the filter files on your own system are authoritative. Two habits save a lot of trouble: keep local changes in a .local file next to the .conf (Fail2Ban reads sshd.local after sshd.conf, and package upgrades do not touch it), and test every filter change against real log lines with fail2ban-regex, for example `fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf`, which reports how many lines each failregex matched and how many were missed. A filter that silently matches nothing provides no protection at all.