Update fail2ban.md

docs/general/networking/fail2ban.md

@@ -15,6 +15,7 @@ Jellyfin produces logs that can be monitored by Fail2ban to prevent brute-force
 - Jellyfin remotely accessible
 - Fail2ban installed and running
 - Knowing where the logs for Jellyfin are stored: by default `/var/log/jellyfin/` for desktop and `/config/log/` for docker containers.
+- For systemd or nftables users (Debian, Ubuntu) there are some additional steps needed, see *optional steps for systemd and nftables* at the end of this document.
 
 ### Step one: create the jail
 
@@ -31,7 +32,7 @@ Add this to the new file, replacing `/path_to_logs` with the path to the log fil
 
 backend = auto
 enabled = true
-port = 80,443
+port = 80,443,8096,8920
 protocol = tcp
 filter = jellyfin
 maxretry = 3
@@ -86,3 +87,28 @@ Assuming you've at least one failed authentication attempt, you can test this ne
 ```bash
 sudo fail2ban-regex /path_to_logs/*.log /etc/fail2ban/filter.d/jellyfin.conf --print-all-matched
 ```
+
+### Optional steps for systemd and nftables
+
+Systemd users like Debian or Ubuntu currently require some additional configs for fail2ban to work.
+Change the file /etc/fail2ban/jail.d/defaults-debian.conf to:
+
+```bash
+[sshd]
+enabled = true
+backend = systemd
+
+[DEFAULT]
+banaction = nftables
+banaction_allports = nftables[type=allports]
+```
+
+Without telling the sshd jail to use systemd as a backend, fail2ban won't even start. The `banaction` is set to send the bans to nftables instead of unused iptables.
+In a similar manner, without adding the `banaction` default, fail2ban will try to use iptables that got replaced by nftables.
+
+You also have to enable nftables to start at boot.
+
+```bash
+sudo systemctl enable nftables
+sudo systemctl start nftables
+```