Getting fail2ban working on Ubuntu 20.04

Any Linux system that’s exposed to the world tends to get a lot of hack attempts at it. I’ve typically run fail2ban on mine to try to mitigate this, but on Ubuntu 20.04 I was unable to get it to actually detect various attempts.

There are a lot of tutorials out there for fail2ban in general and even several on older versions of Ubuntu, but there’s one slight change on 20.04 (or maybe even an earlier version) which makes them not work. After a lot of hair-pulling I found one particular tutorial which had, buried almost in the marginalia, the magic thing I needed to get it working: basically, you need to use the systemd log scanning backend, as none of the others seem to actually have access to the logs themselves, at least not without a lot of hassle.

So, the short version: add backend = systemd to the [DEFAULT] section of /etc/fail2ban/jail.local. But read on for some sshd configuration notes as well!

Read more…

Well that blew up…

So, I found out that my wildcard SSL certificates weren’t being renewed, which in turn was because certbot needed to be able to edit DNS records in order to do so. In investigating that I found that I couldn’t install the latest version of certbot and its Linode plugin, which led me to discover that my server was actually running the i386 ubuntu core with amd64 grafted onto it, instead of being actual amd64, which was in turn because this server had been provisioned years ago and i386 was the supported configuration.

So I went through the exercise of trying to switch over to amd64, found that the best path forward was to back up all my data (which was already done since I keep incremental backups every night) and just reimage. Which seemed like a pain. But the alternative for a more graceful transition was to set up a new VPS, migrate stuff across, and then decommission the old VPS, which would have also been a pain.

So anyway I decided that since my server was still basically running 32-bit and would be stuck there forever if I didn’t rip off the band-aid, I’d rip off the band-aid.

While I was at it, I’d been meaning to switch to nginx for years, and this was a good enough excuse as any.

Read more…