Differences

This shows you the differences between two versions of the page.

--- start:howto:fail2ban [2013/08/27 14:38]
mrpink
+++ start:howto:fail2ban [2016/09/17 15:12] (current)
flames [jail.local]
@@ Line 10: / Line 10: @@
 First we need to install fail2ban via aptitude
-<konsole root>
-# aptitude update
-# aptitude install fail2ban
-</konsole>
-===== Configs =====
+# aptitude update && aptitude install fail2ban
+===== Configuration =====
 You will find the config files in the directory /etc/fail2ban/.
@@ Line 131: / Line 129: @@
 port     = http,https
 filter   = apache-auth
-logpath  = /var/log/apache2/users/*error.log
+logpath  = /var/log/apache2/*/error.log
 maxretry = 6
@@ Line 141: / Line 139: @@
 port     = http,https
 filter   = apache-auth
-logpath  = /var/log/apache2/users/*error.log
+logpath  = /var/log/apache2/*/error.log
 maxretry = 6
@@ Line 149: / Line 147: @@
 port     = http,https
 filter   = apache-noscript
-logpath  = /var/log/apache2/users/*error.log
+logpath  = /var/log/apache2/*/error.log
 maxretry = 6
@@ Line 157: / Line 155: @@
 port     = http,https
 filter   = apache-overflows
-logpath  = /var/log/apache2/users/*error.log
+logpath  = /var/log/apache2/*/error.log
 maxretry = 2
@@ Line 168: / Line 166: @@
 enabled  = true
-port     = http,https
+port     = 8080,4443
-filter   = apache-auth
+filter   = nginx-http-auth
-logpath  = /var/log/apache2/*error.log
+logpath  = /var/log/nginx/*error.log
 maxretry = 6
-# default action is now multiport, so apache-multiport jail was left
-# for compatibility with previous (<0.7.6-2) releases
-[imscp-multiport]
-enabled  = true
-port     = http,https
-filter   = apache-auth
-logpath  = /var/log/apache2/*error.log
-maxretry = 6
-[imscp-noscript]
-enabled  = true
-port     = http,https
-filter   = apache-noscript
-logpath  = /var/log/apache2/*error.log
-maxretry = 6
-[imscp-overflows]
-enabled  = true
-port     = http,https
-filter   = apache-overflows
-logpath  = /var/log/apache2/*error.log
-maxretry = 2
@@ Line 210: / Line 182: @@
 filter   = proftpd
 logpath  = /var/log/auth.log
+maxretry = 6
+[vsftpd]
+enabled  = true
+port     = ftp,ftp-data,ftps,ftps-data
+filter   = vsftpd-fixed
+logpath  = /var/log/vsftpd.log
 maxretry = 6
@@ Line 224: / Line 205: @@
 enabled  = true
-port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
+port     = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
 filter   = dovecot
 logpath  = /var/log/mail.log
 maxretry = 8
+#
+# Webmail
+#
+#
+# Webmail authenticators: Don't forget to comment the unused webmailers out
+#
 [roundcube]
 enabled  = true
-port     = http,https
+port     = 8080,4443
 filter   = roundcube
 logpath  = /var/www/imscp/gui/public/tools/webmail/logs/errors
 maxretry = 6
+[rainloop]
+enabled  = true
+port     = 8080,4443
+filter   = rainloop
+logpath  = /var/log/nginx/*access.log
+maxretry = 6
+</code>
+==== nginx-http-auth.conf ====
+Please check if the file **/etc/fail2ban/filter.d/nginx-http-auth.conf** is available.
+If not, please create the file with the following content:
+<code>
+# fail2ban filter configuration for nginx
+[Definition]
+failregex = ^ \[error\] \d+#\d+: \*\d+ user "\S+":? (password mismatch|was not found in ".*"), client: <HOST>, server: \S+, request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"\s*$
+ignoreregex =
+# DEV NOTES:
+# Based on samples in https://github.com/fail2ban/fail2ban/pull/43/files
+# Extensive search of all nginx auth failures not done yet.
+#
+# Author: Daniel Black
 </code>
@@ Line 267: / Line 286: @@
 ----
+==== rainloop.conf ====
+Now create a new file **/etc/fail2ban/filter.d/rainloop.conf** and copy the following content into the file:
+<code>
+# rainloop configuration file
+#
+[Definition]
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>\S+)
+# Values:  TEXT
+#
+failregex = ^<HOST> -.*POST /rainloop/index.php\?/Ajax/0/ HTTP/1.1" 200
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
+</code>
+----
+Restart fail2ban and test if all is working:
-Now restart fail2ban and test if all is working:
-<konsole root>
 # service fail2ban restart
-</konsole>
+===== vsftpd =====
+Now create a new file **/etc/fail2ban/filter.d/vsftpd-fixed.conf** and copy the following content into the file:
+<code>
+# Fail2Ban filter for vsftp
+#
+# Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch
+# /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the
+# incoming ip address rather than domain names.
+[INCLUDES]
+before = common.conf
+[Definition]
+__pam_re=\(?pam_unix(?:\(\S+\))?\)?:?
+_daemon =  vsftpd
+failregex = ^%(__prefix_line)s%(__pam_re)s\s+Permission denied; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$
+            ^ \[pid \d+\] \[.+\]\s+FTP response: Client "::ffff:<HOST>",\s*"530 Permission denied\."\s*$
+ignoreregex =
+# Version from fail2ban wiki does't work, fixed version
+</code>
+----
+Restart fail2ban and test if all is working:
+# service fail2ban restart
 ===== Test & Debug =====
@@ Line 278: / Line 361: @@
 To test your current config use fail2ban-regex. Here an example for dovecot:
-<konsole root>
 # fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot.conf
-</konsole>
 ===== Links =====
 Fail2ban offical website --> [[http://www.fail2ban.org]]

i-MSCP Documentation

User Tools

Site Tools

Differences

Page Tools