diff --git a/docs/general/networking/fail2ban.md b/docs/general/networking/fail2ban.md index fbc8eb9c8..1a2d6d735 100644 --- a/docs/general/networking/fail2ban.md +++ b/docs/general/networking/fail2ban.md @@ -15,6 +15,7 @@ Jellyfin produces logs that can be monitored by Fail2ban to prevent brute-force - Jellyfin remotely accessible - Fail2ban installed and running - Knowing where the logs for Jellyfin are stored: by default `/var/log/jellyfin/` for desktop and `/config/log/` for docker containers. +- For systemd or nftables users (Debian, Ubuntu) there are some additional steps needed, see *optional steps for systemd and nftables* at the end of this document. ### Step one: create the jail @@ -31,7 +32,7 @@ Add this to the new file, replacing `/path_to_logs` with the path to the log fil backend = auto enabled = true -port = 80,443 +port = 80,443,8096,8920 protocol = tcp filter = jellyfin maxretry = 3 @@ -86,3 +87,28 @@ Assuming you've at least one failed authentication attempt, you can test this ne ```bash sudo fail2ban-regex /path_to_logs/*.log /etc/fail2ban/filter.d/jellyfin.conf --print-all-matched ``` + +### Optional steps for systemd and nftables + +Systemd users like Debian or Ubuntu currently require some additional configs for fail2ban to work. +Change the file /etc/fail2ban/jail.d/defaults-debian.conf to: + +```bash +[sshd] +enabled = true +backend = systemd + +[DEFAULT] +banaction = nftables +banaction_allports = nftables[type=allports] +``` + +Without telling the sshd jail to use systemd as a backend, fail2ban won't even start. The `banaction` is set to send the bans to nftables instead of unused iptables. +In a similar manner, without adding the `banaction` default, fail2ban will try to use iptables that got replaced by nftables. + +You also have to enable nftables to start at boot. + +```bash +sudo systemctl enable nftables +sudo systemctl start nftables +```
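Review bot: the new prerequisite bullet points at *optional steps for systemd and nftables* in lowercase italics, while the section it refers to is headed `### Optional steps for systemd and nftables`; use the heading's exact title (or an in-document link) so the reference is easy to find, and tighten "For systemd or nftables users (Debian, Ubuntu)" to something like "On distributions that use systemd and nftables (for example Debian and Ubuntu)", since the extra steps depend on the init system and firewall in use, not on the user.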
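Review bot: `port = 80,443,8096,8920` is changed without any explanation in the surrounding text; add a sentence saying what 8096 and 8920 are (Jellyfin's own HTTP and HTTPS listening ports, if that is the intent) and that the list should match the ports actually exposed, for example only `80,443` when Jellyfin sits behind a reverse proxy, because banning a port nothing listens on has no effect while omitting an exposed port leaves that path unbanned.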
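Review bot: in the new "Optional steps for systemd and nftables" section the jail configuration is fenced as ```bash but it is INI-style fail2ban jail config, so tag it ```ini, and put `/etc/fail2ban/jail.d/defaults-debian.conf` in backticks like the other paths in this document. Two further points on the same hunk: editing the package-provided `defaults-debian.conf` in place risks the change being overwritten on upgrade, so suggest a separate drop-in file in `/etc/fail2ban/jail.d/` (any name, e.g. a hypothetical `jellyfin-nftables.conf`) or `jail.local` instead; and the two sentences on `banaction` ("send the bans to nftables instead of unused iptables" and "fail2ban will try to use iptables that got replaced by nftables") say the same thing, so merge them, then add that fail2ban itself must be restarted after the jail files change, since the section only enables and starts nftables.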