This shows you the differences between two versions of the page.
start:howto:fail2ban [2015/09/28 15:39] mrpink |
start:howto:fail2ban [2016/09/17 15:12] (current) flames [jail.local] |
||
---|---|---|---|
Line 10: | Line 10: | ||
First we need to install fail2ban via aptitude | First we need to install fail2ban via aptitude | ||
- | <konsole root> | + | |
- | # aptitude update | + | # aptitude update && aptitude install fail2ban |
- | # aptitude install fail2ban | + | |
- | </konsole> | + | |
===== Configuration ===== | ===== Configuration ===== | ||
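Review bot: the install command on the new side is left without any code markup once the `<konsole root>` … `</konsole>` wrapper is removed, so unless the line is indented as preformatted text it will render as ordinary paragraph text with a leading "#". Wrap `# aptitude update && aptitude install fail2ban` in `<code>` … `</code>`, the markup the filter listings on this page already use.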
Line 184: | Line 182: | ||
filter = proftpd | filter = proftpd | ||
logpath = /var/log/auth.log | logpath = /var/log/auth.log | ||
+ | maxretry = 6 | ||
+ | |||
+ | |||
+ | [vsftpd] | ||
+ | |||
+ | enabled = true | ||
+ | port = ftp,ftp-data,ftps,ftps-data | ||
+ | filter = vsftpd-fixed | ||
+ | logpath = /var/log/vsftpd.log | ||
maxretry = 6 | maxretry = 6 | ||
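Review bot: the new [vsftpd] jail sets `filter = vsftpd-fixed` and `logpath = /var/log/vsftpd.log` without saying where either comes from. The filter file is only created in the later "vsftpd" section, and its header comment asks for vsftpd to be configured with dual_log_enable=YES; add a sentence next to the jail that points to that section and names the setting, so a reader who enables the jail here does not restart fail2ban with a jail that fails to load or never matches.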
Line 229: | Line 236: | ||
==== nginx-http-auth.conf ==== | ==== nginx-http-auth.conf ==== | ||
- | Please check if the nginx-http-auth.conf file is available in /etc/fail2ban/filter.d/ | + | Please check if the file **/etc/fail2ban/filter.d/nginx-http-auth.conf** is available. |
- | If not, please create a new file **/etc/fail2ban/filter.d/nginx-http-auth.conf** and copy the following content into the file: | + | If not, please create the file with the following content: |
<code> | <code> | ||
Line 308: | Line 315: | ||
---- | ---- | ||
- | Now restart fail2ban and test if all is working: | + | Restart fail2ban and test if all is working: |
- | <konsole root> | ||
# service fail2ban restart | # service fail2ban restart | ||
- | </konsole> | + | |
+ | |||
+ | ===== vsftpd ===== | ||
+ | |||
+ | Now create a new file **/etc/fail2ban/filter.d/vsftpd-fixed.conf** and copy the following content into the file: | ||
+ | |||
+ | <code> | ||
+ | # Fail2Ban filter for vsftp | ||
+ | # | ||
+ | # Configure VSFTP for "dual_log_enable=YES", and have fail2ban watch | ||
+ | # /var/log/vsftpd.log instead of /var/log/secure. vsftpd.log file shows the | ||
+ | # incoming ip address rather than domain names. | ||
+ | |||
+ | [INCLUDES] | ||
+ | |||
+ | before = common.conf | ||
+ | |||
+ | [Definition] | ||
+ | |||
+ | __pam_re=\(?pam_unix(?:\(\S+\))?\)?:? | ||
+ | _daemon = vsftpd | ||
+ | |||
+ | failregex = ^%(__prefix_line)s%(__pam_re)s\s+Permission denied; logname=\S* uid=\S* euid=\S* tty=(ftp)? ruser=\S* rhost=<HOST>(?:\s+user=.*)?\s*$ | ||
+ | ^ \[pid \d+\] \[.+\]\s+FTP response: Client "::ffff:<HOST>",\s*"530 Permission denied\."\s*$ | ||
+ | |||
+ | ignoreregex = | ||
+ | |||
+ | # Version from fail2ban wiki does't work, fixed version | ||
+ | </code> | ||
+ | |||
+ | ---- | ||
+ | |||
+ | Restart fail2ban and test if all is working: | ||
+ | |||
+ | |||
+ | # service fail2ban restart | ||
===== Test & Debug ===== | ===== Test & Debug ===== | ||
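Review bot: the second failregex hard-codes the IPv4-mapped prefix in `Client "::ffff:<HOST>"`, so a log line that records the client as a plain IPv4 address would not match and that client would never be banned. Make the prefix optional, for example `Client "(?:::ffff:)?<HOST>"`, and confirm the result with fail2ban-regex against /var/log/vsftpd.log. Both expressions also match only the text "Permission denied"; if other 530 responses should count as failures, the pattern has to include them. The closing comment "Version from fail2ban wiki does't work, fixed version" would serve readers better at the top of the file, with a word on what was changed.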
Line 318: | Line 361: | ||
To test your current config use fail2ban-regex. Here an example for dovecot: | To test your current config use fail2ban-regex. Here an example for dovecot: | ||
- | <konsole root> | ||
# fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot.conf | # fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/dovecot.conf | ||
- | </konsole> | ||
===== Links ===== | ===== Links ===== | ||
Fail2ban offical website --> [[http://www.fail2ban.org]] | Fail2ban offical website --> [[http://www.fail2ban.org]] |
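Review bot: the Test & Debug example still covers only dovecot, although this revision adds vsftpd-fixed.conf as a replacement for a version that did not work. Add the matching check, `fail2ban-regex /var/log/vsftpd.log /etc/fail2ban/filter.d/vsftpd-fixed.conf`, so readers can confirm the new filter matches their own log before relying on the jail. As in the install step, removing `<konsole root>` leaves the command without code markup unless the line is indented.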