start:howto:fail2ban

Differences

start:howto:fail2ban [2015/06/15 14:19]
ninos [jail.local]
start:howto:fail2ban [2016/09/17 15:11]
flames
Line 10: Line 10:
  
 First we need to install fail2ban via aptitude First we need to install fail2ban via aptitude
-<konsole root> + 
-# aptitude update +# aptitude update ​&& ​aptitude install fail2ban
-aptitude install fail2ban +
-</​konsole>​+
  
 ===== Configuration ===== ===== Configuration =====
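Review bot: the `<konsole root>` / `</konsole>` wrapper around the install command is removed but nothing replaces it, so `# aptitude update && aptitude install fail2ban` now renders as a plain paragraph instead of a command block. Wrap it in the `<code>` markup this page already uses for its filter files (`<code>`, the command line, `</code>`). Chaining the two steps with `&&` is fine: the install is skipped if the package list update fails, which is the behaviour you want.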
Line 168: Line 166:
  
 enabled ​ = true enabled ​ = true
-port     ​= ​http,https +port     ​= ​8080,4443 
-filter ​  = nginx-auth+filter ​  = nginx-http-auth
 logpath ​ = /​var/​log/​nginx/​*error.log logpath ​ = /​var/​log/​nginx/​*error.log
 maxretry = 6 maxretry = 6
- 
-# default action is now multiport, so apache-multiport jail was left 
-# for compatibility with previous (<​0.7.6-2) releases 
-[imscp-multiport] 
- 
-enabled ​ = true 
-port     = http,https 
-filter ​  = nginx-auth 
-logpath ​ = /​var/​log/​nginx/​*error.log 
-maxretry = 6 
- 
-[imscp-noscript] 
- 
-enabled ​ = true 
-port     = http,https 
-filter ​  = nginx-noscript 
-logpath ​ = /​var/​log/​nginx/​*error.log 
-maxretry = 6 
- 
-[imscp-overflows] 
- 
-enabled ​ = true 
-port     = http,https 
-filter ​  = nginx-overflows 
-logpath ​ = /​var/​log/​nginx/​*error.log 
-maxretry = 2 
  
  
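Review bot: the `port` change from `http,https` to `8080,4443` in the nginx jail needs a sentence in the surrounding text explaining it. A ban is applied only to the listed ports, so this is right only when the i-MSCP panel nginx listens on 8080/4443; a reader whose nginx serves on the standard ports ends up with bans that block nothing. State that assumption next to the jail, or keep `http,https` and tell readers to add the panel ports. The three jails removed here (`imscp-multiport`, `imscp-noscript`, `imscp-overflows`, all watching the same `/var/log/nginx/*error.log`) disappear without a word; if the reason is that the `nginx-noscript` and `nginx-overflows` filters are not covered by this howto, say so, otherwise `imscp-overflows` with `maxretry = 2` was the strictest rule on that log and should stay. The rename to `filter = nginx-http-auth` is consistent with the filter file this revision adds further down.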
Line 210: Line 182:
 filter ​  = proftpd filter ​  = proftpd
 logpath ​ = /​var/​log/​auth.log logpath ​ = /​var/​log/​auth.log
 +maxretry = 6
 +
 +
 +[vsftpd]
 +
 +enabled ​ = true
 +port     = ftp,​ftp-data,​ftps,​ftps-data
 +filter ​  = vsftpd-custom
 +logpath ​ = /​var/​log/​vsftpd.log
 maxretry = 6 maxretry = 6
  
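Review bot: the new `[vsftpd]` jail sets `filter = vsftpd-custom`, but the filter file this revision tells the reader to create is `/etc/fail2ban/filter.d/vsftpd-fixed.conf`. fail2ban resolves `filter = name` to `filter.d/name.conf`, so with this jail enabled fail2ban refuses to start the jail because `vsftpd-custom.conf` does not exist. Use one name in both places, e.g. `filter = vsftpd-fixed`. The `port = ftp,ftp-data,ftps,ftps-data` list is fine as long as those names resolve in /etc/services, which they do on Debian.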
Line 224: Line 205:
  
 enabled ​ = true enabled ​ = true
-port     = smtp,​ssmtp,​imap2,​imap3,​imaps,​pop3,​pop3s+port     = smtp,ssmtp,submission,​imap2,​imap3,​imaps,​pop3,​pop3s
 filter ​  = dovecot filter ​  = dovecot
 logpath ​ = /​var/​log/​mail.log logpath ​ = /​var/​log/​mail.log
Line 239: Line 220:
 [roundcube] [roundcube]
 enabled ​ = true enabled ​ = true
-port     ​= ​http,https+port     ​= ​8080,4443
 filter ​  = roundcube filter ​  = roundcube
 logpath ​ = /​var/​www/​imscp/​gui/​public/​tools/​webmail/​logs/​errors logpath ​ = /​var/​www/​imscp/​gui/​public/​tools/​webmail/​logs/​errors
Line 246: Line 227:
 [rainloop] [rainloop]
 enabled ​ = true enabled ​ = true
-port     ​= ​http,https+port     ​= ​8080,4443
 filter ​  = rainloop filter ​  = rainloop
 logpath ​ = /​var/​log/​nginx/​*access.log logpath ​ = /​var/​log/​nginx/​*access.log
 maxretry = 6 maxretry = 6
 +
 +</​code>​
 +
 +==== nginx-http-auth.conf ====
 +
 +Please check if the file **/​etc/​fail2ban/​filter.d/​nginx-http-auth.conf** is available.
 +If not, please create the file with the following content:
 +
 +<​code>​
 +# fail2ban filter configuration for nginx
 +
 +
 +[Definition]
 +
 +
 +failregex = ^ \[error\] \d+#\d+: \*\d+ user "​\S+":?​ (password mismatch|was not found in "​.*"​),​ client: <​HOST>,​ server: \S+, request: "\S+ \S+ HTTP/​\d+\.\d+",​ host: "​\S+"​\s*$
 +
 +ignoreregex =
 +
 +# DEV NOTES:
 +# Based on samples in https://​github.com/​fail2ban/​fail2ban/​pull/​43/​files
 +# Extensive search of all nginx auth failures not done yet.
 +#
 +# Author: Daniel Black
  
 </​code>​ </​code>​
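Review bot: the `failregex` in the new nginx-http-auth.conf starts with `^ \[error\]` (note the leading space), which matches only after fail2ban has stripped the timestamp from the front of the nginx error line; that is how this filter is meant to work, but a reader who tests it against a log whose date format fail2ban does not recognise will get zero matches and no hint why. Since the section says "check if the file is available", it is worth saying where it comes from: this is the upstream fail2ban filter (the DEV NOTES credit Daniel Black and the fail2ban pull request), so on a fail2ban release that already ships it the file should be left alone rather than overwritten. Either way, add the check this page's own Test & Debug section describes, e.g. `# fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-http-auth.conf` against a log that contains a real `password mismatch` or `was not found in` entry, before restarting fail2ban.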
Line 281: Line 286:
  
 ---- ----
- 
-Now restart fail2ban and test if all is working: 
- 
-<konsole root> 
-# service fail2ban restart 
-</​konsole>​ 
- 
 ==== rainloop.conf ==== ==== rainloop.conf ====
  
Line 317: Line 315:
 ---- ----
  
-Now restart ​fail2ban and test if all is working:+Restart ​fail2ban and test if all is working: 
  
-<konsole root> 
 # service fail2ban restart # service fail2ban restart
-</konsole>+ 
 + 
 +===== vsftpd ===== 
 + 
 +Now create a new file **/​etc/​fail2ban/​filter.d/​vsftpd-fixed.conf** and copy the following content into the file: 
 + 
 +<​code>​ 
 +# Fail2Ban filter for vsftp 
 +
 +# Configure VSFTP for "​dual_log_enable=YES",​ and have fail2ban watch 
 +# /​var/​log/​vsftpd.log instead of /​var/​log/​secure. vsftpd.log file shows the 
 +# incoming ip address rather than domain names. 
 + 
 +[INCLUDES] 
 + 
 +before = common.conf 
 + 
 +[Definition] 
 + 
 +__pam_re=\(?​pam_unix(?:​\(\S+\))?​\)?:?​ 
 +_daemon =  vsftpd 
 + 
 +failregex = ^%(__prefix_line)s%(__pam_re)s\s+Permission denied; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<​HOST>​(?:​\s+user=.*)?​\s*$ 
 +            ^ \[pid \d+\] \[.+\]\s+FTP response: Client "::​ffff:<​HOST>",​\s*"​530 Permission denied\."​\s*$ 
 + 
 +ignoreregex =  
 + 
 +# Version from fail2ban wiki does't work, fixed version 
 +</code> 
 + 
 +---- 
 + 
 +Restart fail2ban and test if all is working: 
 + 
 + 
 +# service fail2ban restart 
  
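Review bot: the first `failregex` in vsftpd-fixed.conf matches pam_unix lines (`%(__prefix_line)s%(__pam_re)s ... Permission denied; logname=... rhost=<HOST>`), which vsftpd's PAM module writes through syslog to the auth log, not to `/var/log/vsftpd.log`; the `[vsftpd]` jail added earlier in this revision watches only `/var/log/vsftpd.log`, so that pattern can never fire. Either add the auth log to the jail's `logpath` or drop the pam pattern and keep only the vsftpd-log one. That second pattern is narrower than the comment suggests: it hardcodes `"::ffff:<HOST>"`, so it matches only the IPv4-mapped form vsftpd logs when listening via IPv6; an IPv4-only vsftpd logs `Client "1.2.3.4"` and is never matched, and `(?:::ffff:)?<HOST>` covers both. It also looks only for `530 Permission denied.`, which vsftpd sends for users it refuses outright, while a wrong password produces `530 Login incorrect.`, the response a password-guessing attempt actually triggers, so that one should be matched as well. The comment should also mention that the `FTP response:` lines appear in vsftpd.log only with `log_ftp_protocol=YES` in addition to `dual_log_enable=YES`. Two smaller points: the file name here (`vsftpd-fixed.conf`) does not match the jail's `filter = vsftpd-custom`, and the bare `# service fail2ban restart` lines lost their `<konsole>` wrapper without gaining `<code>` markup, so they render as plain text.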
 ===== Test & Debug ===== ===== Test & Debug =====
Line 327: Line 361:
 To test your current config use fail2ban-regex. Here an example for dovecot: To test your current config use fail2ban-regex. Here an example for dovecot:
  
-<konsole root> 
 # fail2ban-regex /​var/​log/​mail.log /​etc/​fail2ban/​filter.d/​dovecot.conf # fail2ban-regex /​var/​log/​mail.log /​etc/​fail2ban/​filter.d/​dovecot.conf
-</​konsole>​ 
  
 ===== Links ===== ===== Links =====
 Fail2ban offical website --> [[http://​www.fail2ban.org]] Fail2ban offical website --> [[http://​www.fail2ban.org]]
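Review bot: removing the `<konsole root>` wrapper leaves `# fail2ban-regex ...` as plain text, the same problem as the other command lines in this revision; put it in `<code>`. Since this revision adds two filter files, the example should point at them too: `fail2ban-regex /var/log/nginx/error.log /etc/fail2ban/filter.d/nginx-http-auth.conf` and `fail2ban-regex /var/log/vsftpd.log /etc/fail2ban/filter.d/vsftpd-fixed.conf`, run before `service fail2ban restart`, are the quickest way to find out whether the patterns match the log format actually in use.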
/var/www/virtual/i-mscp.net/wiki/htdocs/data/pages/start/howto/fail2ban.txt · Last modified: 2016/09/17 15:12 by flames