Understanding Fail2Ban Configuration: jail.local vs jail.conf – Override or Replacement Mechanism


In Fail2Ban's architecture, jail.local functions as an override to jail.conf, not a complete replacement. This is a common pattern in Unix/Linux configuration systems where:

  • jail.conf contains default values (managed by package maintainers)
  • jail.local contains your customizations (managed by system administrators)

Fail2Ban loads configurations in this specific order:

1. First reads jail.conf (base configuration)
2. Then applies jail.local (custom overrides)
3. Finally applies command-line parameters

This means you only need to specify values you want to change in jail.local. For example, to modify just the SSH ban duration:

[sshd]
enabled = true
# Overrides default 10m from jail.conf
bantime = 86400

Consider these real-world scenarios:

Case 1: Minimal Override (recommended approach)

[DEFAULT]
# Only override IP whitelist
ignoreip = 192.168.1.0/24

[sshd]
# Only change retry count
maxretry = 5

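Case 2: Complete Section Replacement (every key the jail needs is written out in jail.local; any key left out is still inherited from jail.conf)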

[apache-auth]
enabled = true
filter = apache-auth
port = http,https
logpath = %(apache_error_log)s
maxretry = 3

Best practices:

  • Never modify jail.conf directly (package updates may overwrite it)
  • Use jail.local for all customizations
  • Comment your changes in jail.local
  • Test configurations with fail2ban-client -t

To verify how settings merge:

fail2ban-client -d | grep "sshd.*bantime"

This will show the effective configuration including all overrides.


Fail2Ban follows a well-established configuration pattern common in Unix/Linux applications where .conf files serve as the default configuration and .local files provide user customizations. This design allows for clean separation between:

  • Package-maintained default settings (jail.conf)
  • User-specific modifications (jail.local)

The jail.local file operates as an override rather than a complete replacement for jail.conf. Here's what happens under the hood:

  1. Fail2Ban first loads all settings from jail.conf
  2. Then it applies any matching directives from jail.local
  3. Non-matching settings in jail.conf remain unchanged
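
The layering described above can be modelled with Python's configparser. This is an added example, not Fail2Ban's own config reader (which also handles includes and %(...)s interpolation); the file contents are constructed samples and the helper names are hypothetical. It goes one step beyond the text by reporting which file and section supplied each effective value, which shows that a key set in a jail's own section wins over [DEFAULT], even a [DEFAULT] set in jail.local.

```python
import configparser

# Constructed sample files for illustration; not a real distribution's defaults.
JAIL_CONF = """\
[DEFAULT]
bantime = 10m
maxretry = 5
ignoreip = 127.0.0.1/8

[sshd]
port = ssh
maxretry = 3
"""
JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 192.168.1.0/24
maxretry = 10

[sshd]
enabled = true
bantime = 86400 ; inline comments start with ';' after a space
"""
# Load order from the page: jail.conf first, then jail.local.
LAYERS = [("jail.conf", JAIL_CONF), ("jail.local", JAIL_LOCAL)]


def parse(text):
    # Hypothetical helper. [DEFAULT] is kept as an ordinary section so its
    # keys can be told apart from jail-specific ones.
    p = configparser.RawConfigParser(default_section="__unused__",
                                     inline_comment_prefixes=(";",))
    p.read_string(text)
    return p


def effective(jail, layers):
    # Returns {key: (value, "file [section]")} for one jail.
    # Outer loop: [DEFAULT] first, the jail's own section last (it wins).
    # Inner loop: files in load order, so a later file overwrites an earlier one.
    result = {}
    for section in ("DEFAULT", jail):
        for name, text in layers:
            p = parse(text)
            if p.has_section(section):
                for key, value in p.items(section):
                    result[key] = (value, f"{name} [{section}]")
    return result


if __name__ == "__main__":
    for key, (value, source) in sorted(effective("sshd", LAYERS).items()):
        print(f"{key:10} = {value:18} <- {source}")
```

In the sample, maxretry for sshd stays at 3 from jail.conf although jail.local raises the [DEFAULT] to 10, which is the kind of surprise worth checking for when auditing a jail.local.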

Example 1: Minimal jail.local for SSH customization

[sshd]
enabled = true
maxretry = 3
findtime = 300
bantime = 86400

Example 2: Adding new jail while preserving defaults

[nginx-botsearch]
enabled = true
port = http,https
filter = nginx-botsearch
logpath = /var/log/nginx/access.log
maxretry = 5

Best practices:

  • Never modify jail.conf directly as package updates may overwrite it
  • Keep jail.local minimal - only include changed settings
  • Use comments to document why changes were made
  • Test configurations with fail2ban-client reload

To verify how your configurations are being applied:

fail2ban-client -d | grep 'jail.*conf'

This will show you the exact loading order and any conflicts that may occur.