How to configure Fail2Ban?

n00b_noob · 01-12-2021, 06:02 AM

Hello,
I found a tutorial to protect some services with Fail2Ban:

Quote:

# nano /etc/fail2ban/jail.local
Add the following lines at the end of the file:

Code:

[apache-auth]
enabled = true
port    = http,https
logpath = %(apache_error_log)s

[apache-badbots]
enabled = true
port    = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1

[apache-noscript]
enabled = true
port    = http,https
logpath = %(apache_error_log)s

What is "[apache-auth]"? Is it a predefined rule for Fail2Ban and is under the "filter.d" directory? I mean is that "[apache-auth]" refer to the "apache-auth.conf" file:

Code:

# ls filter.d/
3proxy.conf                exim-spam.conf             proftpd.conf
apache-auth.conf           freeswitch.conf            pure-ftpd.conf
apache-badbots.conf        froxlor-auth.conf          qmail.conf
apache-botsearch.conf      groupoffice.conf           recidive.conf
apache-common.conf         gssftpd.conf               roundcube-auth.conf
apache-fakegooglebot.conf  guacamole.conf             screensharingd.conf
apache-modsecurity.conf    haproxy-http-auth.conf     selinux-common.conf
apache-nohome.conf         horde.conf                 selinux-ssh.conf
apache-noscript.conf       ignorecommands/            sendmail-auth.conf
apache-overflows.conf      kerio.conf                 sendmail-reject.conf
apache-pass.conf           lighttpd-auth.conf         sieve.conf
apache-shellshock.conf     mongodb-auth.conf          slapd.conf
assp.conf                  monit.conf                 sogo-auth.conf
asterisk.conf              murmur.conf                solid-pop3d.conf
bitwarden.conf             mysqld-auth.conf           squid.conf
botsearch-common.conf      nagios.conf                squirrelmail.conf
centreon.conf              named-refused.conf         sshd.conf
common.conf                nginx-botsearch.conf       stunnel.conf
counter-strike.conf        nginx-http-auth.conf       suhosin.conf
courier-auth.conf          nginx-limit-req.conf       tine20.conf
courier-smtp.conf          nsd.conf                   traefik-auth.conf
cyrus-imap.conf            openhab.conf               uwimap-auth.conf
directadmin.conf           openwebmail.conf           vsftpd.conf
domino-smtp.conf           oracleims.conf             webmin-auth.conf
dovecot.conf               pam-generic.conf           wuftpd.conf
dropbear.conf              perdition.conf             xinetd-fail.conf
drupal-auth.conf           phpmyadmin-syslog.conf     znc-adminlog.conf
ejabberd-auth.conf         php-url-fopen.conf         zoneminder.conf
exim-common.conf           portsentry.conf            
exim.conf                  postfix.conf

Apache logs are:

Code:

# ls /var/log/httpd/
access_log        error_log         modsec_audit.log  modsec_debug.log

But "logpath = %(apache_error_log)s" !!! The "apache_error_log" must be change to "error_log" ?

Thank you.

wpeckham · 01-12-2021, 07:56 AM

Did you check the how-to documents on the failtoban project pages? https://www.fail2ban.org/wiki/index.php/HOWTOs

Keep in mind also that APACHE changes often, and you might have to adjust for those changes.

TB0ne · 01-12-2021, 08:06 AM

Quote:

Originally Posted by n00b_noob

Hello,
I found a tutorial to protect some services with Fail2Ban:

Code:

# nano /etc/fail2ban/jail.local
Add the following lines at the end of the file:
Code:
[apache-auth]
enabled = true
port    = http,https
logpath = %(apache_error_log)s

[apache-badbots]
enabled = true
port    = http,https
logpath = %(apache_access_log)s
bantime = 48h
maxretry = 1

[apache-noscript]
enabled = true
port    = http,https
logpath = %(apache_error_log)

Great....and if you told us WHICH tutorial you followed, for what version/distro of Linux, we'd have some ideas what you've done/tried. But you haven't.

Quote:

What is "[apache-auth]"? Is it a predefined rule for Fail2Ban and is under the "filter.d" directory? I mean is that "[apache-auth]" refer to the "apache-auth.conf" file:

Code:

# ls filter.d/
3proxy.conf                exim-spam.conf             proftpd.conf
apache-auth.conf           freeswitch.conf            pure-ftpd.conf
apache-badbots.conf        froxlor-auth.conf          qmail.conf
apache-botsearch.conf      groupoffice.conf           recidive.conf
apache-common.conf         gssftpd.conf               roundcube-auth.conf
apache-fakegooglebot.conf  guacamole.conf             screensharingd.conf
apache-modsecurity.conf    haproxy-http-auth.conf     selinux-common.conf
apache-nohome.conf         horde.conf                 selinux-ssh.conf
apache-noscript.conf       ignorecommands/            sendmail-auth.conf
apache-overflows.conf      kerio.conf                 sendmail-reject.conf
apache-pass.conf           lighttpd-auth.conf         sieve.conf
apache-shellshock.conf     mongodb-auth.conf          slapd.conf
assp.conf                  monit.conf                 sogo-auth.conf
asterisk.conf              murmur.conf                solid-pop3d.conf
bitwarden.conf             mysqld-auth.conf           squid.conf
botsearch-common.conf      nagios.conf                squirrelmail.conf
centreon.conf              named-refused.conf         sshd.conf
common.conf                nginx-botsearch.conf       stunnel.conf
counter-strike.conf        nginx-http-auth.conf       suhosin.conf
courier-auth.conf          nginx-limit-req.conf       tine20.conf
courier-smtp.conf          nsd.conf                   traefik-auth.conf
cyrus-imap.conf            openhab.conf               uwimap-auth.conf
directadmin.conf           openwebmail.conf           vsftpd.conf
domino-smtp.conf           oracleims.conf             webmin-auth.conf
dovecot.conf               pam-generic.conf           wuftpd.conf
dropbear.conf              perdition.conf             xinetd-fail.conf
drupal-auth.conf           phpmyadmin-syslog.conf     znc-adminlog.conf
ejabberd-auth.conf         php-url-fopen.conf         zoneminder.conf
exim-common.conf           portsentry.conf            
exim.conf                  postfix.conf

Apache logs are:

Code:

# ls /var/log/httpd/access_log        error_log         modsec_audit.log  modsec_debug.log

But "logpath = %(apache_error_log)s" !!! The "apache_error_log" must be change to "error_log" ?Thank you.

Did you try reading the fail2ban documentation?
https://www.fail2ban.org/wiki/index.php/MANUAL_0_8

....because that file is mentioned in there. Did you try to do basic research about fail2ban and what that directive does? Because there is a LOT of it available with a brief Google search. And again, these seem to be homework questions....so show us your efforts.

ondoho · 01-13-2021, 01:24 AM

I am now starting to report this user's threads indicriminately. 69 in 4 months, about the same basic 2-3 topics, that's just insane.

descendant_command · 01-13-2021, 02:25 AM

Add them to the number clocked up as hack3rcon

shruggy · 01-13-2021, 08:11 AM

And not only here on LQ: https://forums.centos.org/search.php...uthor_id=92983

jeremy · 01-13-2021, 08:25 AM

n00b_noob,

Please read https://www.linuxquestions.org/quest...#faq_lqwelcome and keep it in mind in your future participation at LQ. Thanks.

--jeremy