Re: fail2ban fails to ban apache...
François Patte francois.pa...@mi.parisdescartes.fr wrote:

> Hello,
>
> I try to configure fail2ban in order to ban IP which try to connect to directories protected by .htaccess.
>
> Here is my [apache] section in jail.conf:
>
> enabled = true
> port = http,https
> filter = apache-auth
> logpath = /var/log/apache*/*error.log
> maxretry = 3
>
> But I tested filling the auth form with erroneous login/password and nothing happens! Nothing appeared in /var/log/fail2ban.log...

Show filter.d/apache-auth and show the output of a:

tail -F /var/log/apache*/*error.log

while you make the bad requests (you might need to do a $(find ...) to handle those wildcards - I'm also unsure if f2b deals with apache*).

Also, if you've logged an invalid request, do yourself a favor and create a test directory with different files of different failure lines and run fail2ban-regex against them. Then, when you alter a regex, you can easily see if something you didn't want changed.

> I tried the same for ssh connections and the IP of the computer from which I tried was banned after the third attempt.
>
> What is missing in my config?
>
> Here is the ssh section in jail.conf:
>
> enabled = true
> port = ssh
> filter = sshd
> logpath = /var/log/auth.log
> maxretry = 6
>
> Thanks
Re: fail2ban fails to ban apache...
On 22/12/13 04:01, François Patte wrote:

> Hello,
>
> I try to configure fail2ban in order to ban IP which try to connect to directories protected by .htaccess.

Surely you mean try to configure fail2ban in order to ban IP addresses which repeatedly *fail* to login to an apache protected directory

Protected by .htaccess could mean:-

Redirect 301 /admn/scripts/setup.php http://goatse.info/

rather than:-

AuthUserFile /somewhere/htusers
AuthType something
AuthName something
require valid-user

Probably an English thing. Hope I've understood you correctly and you actually mean auth as opposed to redirect.

> Here is my [apache] section in jail.conf:
>
> enabled = true
> port = http,https
> filter = apache-auth
> logpath = /var/log/apache*/*error.log
> maxretry = 3
>
> But I tested filling the auth form with erroneous login/password and nothing happens! Nothing appeared in /var/log/fail2ban.log...

Did you modify /etc/fail2ban/filter.d/apache-auth.conf?

> I tried the same for ssh connections and the IP of the computer from which I tried was banned after the third attempt.
>
> What is missing in my config?

Nothing. That's the correct behaviour (three strikes and out).

NOTE: fail2ban only bans *IP* addresses

snipped

Refs:-
man fail2ban
http://www.fail2ban.org

Kind regards.
fail2ban fails to ban apache...
Hello,

I try to configure fail2ban in order to ban IP which try to connect to directories protected by .htaccess.

Here is my [apache] section in jail.conf:

enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 3

But I tested filling the auth form with erroneous login/password and nothing happens! Nothing appeared in /var/log/fail2ban.log...

I tried the same for ssh connections and the IP of the computer from which I tried was banned after the third attempt.

What is missing in my config?

Here is the ssh section in jail.conf:

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

Thanks

--
François Patte
UFR de mathématiques et informatique
Laboratoire CNRS MAP5, UMR 8145
Université Paris Descartes
45, rue des Saints Pères
F-75270 Paris Cedex 06
Tél. +33 (0)1 8394 5849
http://www.math-info.univ-paris5.fr/~patte
Re: fail2ban fails to ban apache...
Sorry, I meant this to go to the list...

On 12/21/2013 12:01 PM, François Patte wrote:

> Hello,
>
> I try to configure fail2ban in order to ban IP which try to connect to directories protected by .htaccess.
>
> Here is my [apache] section in jail.conf:
>
> enabled = true
> port = http,https
> filter = apache-auth
> logpath = /var/log/apache*/*error.log
> maxretry = 3
>
> But I tested filling the auth form with erroneous login/password and nothing happens! Nothing appeared in /var/log/fail2ban.log...

You did stop and restart fail2ban after making the changes, right?

I don't use Apache authorization on any of my sites, so I can't duplicate your problem. However, look at your /var/log/apache2.error.log - what is the entry you get there when you get an authorization failure? (btw - I don't use wildcards in my fail2ban entries - don't know if it makes a difference or not.)

Then look at /etc/fail2ban/filter.d - the regex in there must match the entry in your /var/log/apache2/error.log file. The regex in your apache-auth.conf file must match the entry in your error.log file for fail2ban to work (I've found not all fail2ban regex's are accurate).

> I tried the same for ssh connections and the IP of the computer from which I tried was banned after the third attempt.
>
> What is missing in my config?
>
> Here is the ssh section in jail.conf:
>
> enabled = true
> port = ssh
> filter = sshd
> logpath = /var/log/auth.log
> maxretry = 6
>
> Thanks

See above.

As a side, I use iptables ipt_recent module to handle ssh violations. I find it more reliable (no waiting for log entries to be written out).

Jerry
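An added example, not part of any message in this thread: a small Python regression check in the spirit of the replies' advice to collect failure lines and re-test the filter whenever a regex changes. The two patterns, the IPv4-only `<HOST>` expansion and the sample log lines are all constructed for illustration and are not the contents of filter.d/apache-auth.conf; matching the whole line with `re.search` is a simplification of what fail2ban does.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical failregex candidates written for this example; they are not
# the patterns shipped in filter.d/apache-auth.conf.
CANDIDATES = {
    "strict": r"^\[[^]]+\] \[error\] \[client <HOST>\] user .*"
              r"(?:authentication failure|not found|password mismatch)",
    "relaxed": r"^\[[^]]+\] \[(?:\w+:)?error\] (?:\[pid \d+\] )?"
               r"\[client <HOST>(?::\d+)?\] (?:AH\d+: )?user .*"
               r"(?:authentication failure|not found|password mismatch)",
}

# Constructed error.log lines: (line, should_count_as_failure).
SAMPLES = [
    ('[Sat Dec 21 12:01:07 2013] [error] [client 192.0.2.10] user alice: '
     'authentication failure for "/private/": Password Mismatch', True),
    ('[Sat Dec 21 12:01:09.123456 2013] [auth_basic:error] [pid 4242] '
     '[client 192.0.2.11:51234] AH01617: user alice: authentication failure '
     'for "/private/": Password Mismatch', True),
    ('[Sat Dec 21 12:01:12 2013] [error] [client 192.0.2.12] '
     'File does not exist: /var/www/favicon.ico', False),
]

def compile_failregex(pattern):
    """Expand <HOST> into a named group, then compile the pattern."""
    return re.compile(pattern.replace("<HOST>", HOST))

def check(pattern, samples=SAMPLES):
    """Return (hosts matched, lines wrongly missed or wrongly matched)."""
    rx = compile_failregex(pattern)
    hosts, wrong = [], []
    for line, expected in samples:
        m = rx.search(line)
        if m:
            hosts.append(m.group("host"))
        if bool(m) != expected:
            wrong.append(line)
    return hosts, wrong

if __name__ == "__main__":
    for name, pattern in CANDIDATES.items():
        hosts, wrong = check(pattern)
        print(f"{name}: matched {hosts}, {len(wrong)} unexpected result(s)")
        for line in wrong:
            print("   ", line)
```

A pattern that silently misses one log layout produces no ban and nothing in fail2ban.log, so a non-empty "unexpected" list here is the signal to compare the filter against real lines from error.log.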