My main problem: I can't see whether it's the filter or the action that is failing.
How can I tell, for example, whether the filter is working?
Normally in /var/log/fail2ban when the loglevel in /etc/fail2ban/fail2ban.conf is set to 4.
Even the debug messages (4) don't help at all.
OK...
Take /etc/fail2ban/jail.conf,
switch
[apache-tcpwrapper]
enabled = false
and insert a section:
[apache]
enabled = true
port = http, https
filter = apache-auth
action = iptables[name=ApacheAuth, port=http, protocol=tcp]
maxretry = 3
If it does not exist, create the filter named there: /etc/fail2ban/filter.d/apache-auth.conf
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = apache-common.conf
[Definition]
# Option: failregex
# Notes.: regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
# Jörg Reinholz: the original was (left commented out, the MySQL variant below replaces it)
#failregex = ^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$
#
# Jörg Reinholz: regex adjusted for blocking when auth goes via MySQL
failregex = ^%(_apache_error_client)s (MySQL |)user.*(authentication failure|not found|password mismatch)\s*$
#
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
You also need /etc/fail2ban/filter.d/apache-common.conf (it is referenced by before =):
# Generic configuration items (to be used as interpolations) in other
# apache filters
#
# Author: Yaroslav Halchenko
#
[INCLUDES]
# Load customizations if any available
after = apache-common.local
[DEFAULT]
# Common prefix for [error] apache messages which also would include <HOST>
_apache_error_client = \[[^]]+\] \[error\] \[client <HOST>\]
If the [DEFAULT] section of jail.conf contains something like
banaction = iptables-multiport
then /etc/fail2ban/action.d/iptables-multiport.conf must also exist:
# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning
#
[INCLUDES]
before = iptables-blocktype.conf
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
[Init]
# Default name of the chain
#
name = default
# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ssh
# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp
# Option: chain
# Notes.: specifies the iptables chain to which the fail2ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT
I left the comments in for learning purposes.
Jörg Reinholz
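To answer the "how can I tell whether the filter works" part without touching the running daemon, here is an added example (my own code, not part of the thread or of fail2ban) that expands the two failregex variants from the apache-auth.conf above exactly as fail2ban does (the %(_apache_error_client)s interpolation from apache-common.conf and the <HOST> alias quoted in the filter's own comment) and runs them over a handful of constructed Apache 2.2-style error_log lines. It also applies the maxretry = 3 rule from the jail section to show which host the jail would actually hand to the action. The log lines are made up for the demonstration; whether your real error_log matches is a separate question, and the phrases must end the line and match case exactly.

```python
import re
from collections import Counter

# The interpolation from apache-common.conf, with the escaped brackets restored.
APACHE_ERROR_CLIENT = r"\[[^]]+\] \[error\] \[client <HOST>\]"
# What fail2ban substitutes for the <HOST> tag (quoted from the filter's own comment).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

# The two failregex variants from the apache-auth.conf in the thread.
ORIGINAL_FAILREGEX = r"^%(_apache_error_client)s user .* (authentication failure|not found|password mismatch)\s*$"
MYSQL_FAILREGEX = r"^%(_apache_error_client)s (MySQL |)user.*(authentication failure|not found|password mismatch)\s*$"

# Constructed error_log lines for the demonstration (not real log data).
SAMPLE_LOG = [
    "[Sat Mar 10 12:00:01 2012] [error] [client 192.0.2.10] user bob: password mismatch",
    "[Sat Mar 10 12:00:02 2012] [error] [client 192.0.2.10] user bob not found",
    "[Sat Mar 10 12:00:03 2012] [error] [client 192.0.2.10] user bob: authentication failure",
    "[Sat Mar 10 12:00:04 2012] [error] [client 198.51.100.7] MySQL user alice not found",
    "[Sat Mar 10 12:00:05 2012] [notice] [client 203.0.113.5] user carol: authentication failure",
    "[Sat Mar 10 12:00:06 2012] [error] [client 203.0.113.9] File does not exist: /favicon.ico",
]


def compile_failregex(failregex):
    """Expand %(_apache_error_client)s and <HOST> the way fail2ban does, then compile."""
    expanded = failregex % {"_apache_error_client": APACHE_ERROR_CLIENT}
    return re.compile(expanded.replace("<HOST>", HOST_TAG))


def matching_hosts(failregex, lines):
    """Return the host captured from every line the failregex matches, in log order."""
    rx = compile_failregex(failregex)
    return [m.group("host") for line in lines if (m := rx.search(line))]


def hosts_to_ban(failregex, lines, maxretry=3):
    """Hosts with at least maxretry matching lines: what the jail would hand to the action."""
    counts = Counter(matching_hosts(failregex, lines))
    return sorted(host for host, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    for label, rx in (("original", ORIGINAL_FAILREGEX), ("MySQL", MYSQL_FAILREGEX)):
        print(label, "hits:", matching_hosts(rx, SAMPLE_LOG))
        print(label, "would ban (maxretry=3):", hosts_to_ban(rx, SAMPLE_LOG))
```

With these lines the original regex only sees the three failures from 192.0.2.10, while the MySQL variant additionally picks up the "MySQL user ... not found" line from 198.51.100.7; neither regex touches the [notice] line, because the prefix insists on [error]. On the real box the same check is `fail2ban-regex <your error_log> /etc/fail2ban/filter.d/apache-auth.conf` (the log path is whatever your Apache writes to), which prints how many lines matched and with which host; if that reports zero matches, the problem is the filter, not the action.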