i-MSCP Documentation

User Tools

Site Tools

You are here: start » start » howto » fail2ban
Trace:
start:howto:fail2ban

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
start:howto:fail2ban [2015/06/15 14:16]
ninos [jail.local] 		start:howto:fail2ban [2016/09/17 15:12] (current)
flames [jail.local]
Line 10: Line 10:
  
 First we need to install fail2ban via aptitude First we need to install fail2ban via aptitude
-<konsole root> + 
-# aptitude update +# aptitude update ​&& ​aptitude install fail2ban
-aptitude install fail2ban +
-</​konsole>​+
  
 ===== Configuration ===== ===== Configuration =====
Line 168: Line 166:
  
 enabled ​ = true enabled ​ = true
-port     ​= ​http,https +port     ​= ​8080,4443 
-filter ​  = nginx-auth+filter ​  = nginx-http-auth
 logpath ​ = /​var/​log/​nginx/​*error.log logpath ​ = /​var/​log/​nginx/​*error.log
 maxretry = 6 maxretry = 6
- 
-# default action is now multiport, so apache-multiport jail was left 
-# for compatibility with previous (<​0.7.6-2) releases 
-[imscp-multiport] 
- 
-enabled ​ = true 
-port     = http,https 
-filter ​  = nginx-auth 
-logpath ​ = /​var/​log/​nginx/​*error.log 
-maxretry = 6 
- 
-[imscp-noscript] 
- 
-enabled ​ = true 
-port     = http,https 
-filter ​  = nginx-noscript 
-logpath ​ = /​var/​log/​nginx/​*error.log 
-maxretry = 6 
- 
-[imscp-overflows] 
- 
-enabled ​ = true 
-port     = http,https 
-filter ​  = nginx-overflows 
-logpath ​ = /​var/​log/​nginx/​*error.log 
-maxretry = 2 
  
  
Line 210: Line 182:
 filter ​  = proftpd filter ​  = proftpd
 logpath ​ = /​var/​log/​auth.log logpath ​ = /​var/​log/​auth.log
 +maxretry = 6
 +
 +
 +[vsftpd]
 +
 +enabled ​ = true
 +port     = ftp,​ftp-data,​ftps,​ftps-data
 +filter ​  = vsftpd-fixed
 +logpath ​ = /​var/​log/​vsftpd.log
 maxretry = 6 maxretry = 6
  
Line 224: Line 205:
  
 enabled ​ = true enabled ​ = true
-port     = smtp,​ssmtp,​imap2,​imap3,​imaps,​pop3,​pop3s+port     = smtp,ssmtp,submission,​imap2,​imap3,​imaps,​pop3,​pop3s
 filter ​  = dovecot filter ​  = dovecot
 logpath ​ = /​var/​log/​mail.log logpath ​ = /​var/​log/​mail.log
Line 239: Line 220:
 [roundcube] [roundcube]
 enabled ​ = true enabled ​ = true
-port     ​= ​http,https+port     ​= ​8080,4443
 filter ​  = roundcube filter ​  = roundcube
 logpath ​ = /​var/​www/​imscp/​gui/​public/​tools/​webmail/​logs/​errors logpath ​ = /​var/​www/​imscp/​gui/​public/​tools/​webmail/​logs/​errors
Line 246: Line 227:
 [rainloop] [rainloop]
 enabled ​ = true enabled ​ = true
-port     ​= ​http,https+port     ​= ​8080,4443
 filter ​  = rainloop filter ​  = rainloop
-logpath ​ = /var/www/imscp/gui/​public/​tools/​rainloop/​logs/​errors+logpath ​ = /var/log/nginx/*access.log
 maxretry = 6 maxretry = 6
 +
 +</​code>​
 +
 +==== nginx-http-auth.conf ====
 +
 +Please check if the file **/​etc/​fail2ban/​filter.d/​nginx-http-auth.conf** is available.
 +If not, please create the file with the following content:
 +
 +<​code>​
 +# fail2ban filter configuration for nginx
 +
 +
 +[Definition]
 +
 +
 +failregex = ^ \[error\] \d+#\d+: \*\d+ user "​\S+":?​ (password mismatch|was not found in "​.*"​),​ client: <​HOST>,​ server: \S+, request: "\S+ \S+ HTTP/​\d+\.\d+",​ host: "​\S+"​\s*$
 +
 +ignoreregex =
 +
 +# DEV NOTES:
 +# Based on samples in https://​github.com/​fail2ban/​fail2ban/​pull/​43/​files
 +# Extensive search of all nginx auth failures not done yet.
 +#
 +# Author: Daniel Black
  
 </​code>​ </​code>​
Line 281: Line 286:
  
 ---- ----
- 
-Now restart fail2ban and test if all is working: 
- 
-<konsole root> 
-# service fail2ban restart 
-</​konsole>​ 
- 
 ==== rainloop.conf ==== ==== rainloop.conf ====
  
Line 317: Line 315:
 ---- ----
  
-Now restart ​fail2ban and test if all is working:+Restart ​fail2ban and test if all is working: 
  
-<konsole root> 
 # service fail2ban restart # service fail2ban restart
-</konsole>+ 
 + 
 +===== vsftpd ===== 
 + 
 +Now create a new file **/​etc/​fail2ban/​filter.d/​vsftpd-fixed.conf** and copy the following content into the file: 
 + 
 +<​code>​ 
 +# Fail2Ban filter for vsftp 
 +
 +# Configure VSFTP for "​dual_log_enable=YES",​ and have fail2ban watch 
 +# /​var/​log/​vsftpd.log instead of /​var/​log/​secure. vsftpd.log file shows the 
 +# incoming ip address rather than domain names. 
 + 
 +[INCLUDES] 
 + 
 +before = common.conf 
 + 
 +[Definition] 
 + 
 +__pam_re=\(?​pam_unix(?:​\(\S+\))?​\)?:?​ 
 +_daemon =  vsftpd 
 + 
 +failregex = ^%(__prefix_line)s%(__pam_re)s\s+Permission denied; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<​HOST>​(?:​\s+user=.*)?​\s*$ 
 +            ^ \[pid \d+\] \[.+\]\s+FTP response: Client "::​ffff:<​HOST>",​\s*"​530 Permission denied\."​\s*$ 
 + 
 +ignoreregex =  
 + 
 +# Version from fail2ban wiki does't work, fixed version 
 +</code> 
 + 
 +---- 
 + 
 +Restart fail2ban and test if all is working: 
 + 
 + 
 +# service fail2ban restart 
  
 ===== Test & Debug ===== ===== Test & Debug =====
Line 327: Line 361:
 To test your current config use fail2ban-regex. Here an example for dovecot: To test your current config use fail2ban-regex. Here an example for dovecot:
  
-<konsole root> 
 # fail2ban-regex /​var/​log/​mail.log /​etc/​fail2ban/​filter.d/​dovecot.conf # fail2ban-regex /​var/​log/​mail.log /​etc/​fail2ban/​filter.d/​dovecot.conf
-</​konsole>​ 
  
 ===== Links ===== ===== Links =====
 Fail2ban offical website --> [[http://​www.fail2ban.org]] Fail2ban offical website --> [[http://​www.fail2ban.org]]
/var/www/virtual/i-mscp.net/wiki/htdocs/data/attic/start/howto/fail2ban.1434377783.txt.gz · Last modified: 2015/06/15 14:16 by ninos

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki