Working on Fail2ban

[inittux]

I got logwatch installed and working. I've also installed fail to ban and started the service. Still working on configuring it. I found out that I should be able to configure fail2ban to filter and ban per log. I found this in the fail2ban documention : at the bottom

Centos

<strong>Under CentOS / RedHat Enterprise Linux, httpd (Apache) is </strong><strong>not compiled with tcpwrappers support</strong><strong>. As a result the example in jail.conf called "apache-tcpwrapper" does not work since /etc/hosts.deny does not affe</strong>ct apache.

 

Mean that the filter [apache-tcpwrapper] won't work for me. So I did a bit of search and come across centos-fail2ban and seem they are using it there. So I'll just try to use it and configure it and see what the results are. But just strange two documentations saying two different things.

[inittux]

I tried it, didn't seem to work. I also tried letting it use a joomla logfile, but this also had no results. Will keep trying/searching :)

[Dungeon-Dave]

I've used iptables for all of mine - if you want any configs, check my blog.

[inittux]

I've used iptables for all of mine - if you want any configs, check my blog.

 

Where's you blog? Can't find it under your profile?

[Dungeon-Dave]

Erm.. oh.. doh. It used to be on here.

 

I ought to get another up and running, really. I started it, never got around to configuring it.

[inittux]

Erm.. oh.. doh. It used to be on here.

 

I ought to get another up and running, really. I started it, never got around to configuring it.

 

Yeah I know. I've seen your blog a while ago. Strange that it's gone.

It used to be that you could make a blog under your profile settings

somewhere. Might have disappeared since the forum update?

[hybrid]

Yeah, unfortunately, I believe the IP.Blog software is no longer with us on this forum. :(

[inittux]

Yeah, unfortunately, I believe the IP.Blog software is no longer with us on this forum. [img]<___base_url___>//public/style_emoticons/default/sad.png[/img]

 

haha going offtopic on my own topic. Wouldn't it be possible to link external blog software/website to this site?

[inittux]

I figured out what to do. I found some info here Seems like they created the filter [apache-webmail-phish] I think I could probably make my own by doing something like this:

 

Filter:

# Fail2Ban configuration file #

# Author: Jackie Craig Sparks #

# $Revision: 728 $ # [Definition]

#Looks for failed login attempts backend joomla

failregex = [[]client <host>[]] user .*(?:: authentication failure|not found|password mismatch|Invalid password|User does not exist) </host>

ignoreregex =t

hen save it as apache-feedmebits-website.conf

 

Jail:

[apache-feedmebits-website]

enabled = true

filter = apache-feedmebits-website

action = iptables[name=HTTP, port="80,443", protocol=tcp]

logpath = /var/www/htm/htdocs/logs/error.php

maxretry = 0

bantime = 864000

findtime = 3600

Save it restart fail2ban and test. Will try it out later and post my results.

 

I also tried getting my ssh banned, it's activated. It doesn't get banned after x attempts. I found out the problem.

When I goto vi /etc/fail2ban/action.d/iptables , the file is empty so it doesn't know what to do. I checked a few

other files in that action.d folder and they are not empty. So if I tried the above it wouldn't work either because

it doesn't know what to do because iptables action is empty. Will need to figure out/search how I need to configure

that file. Then test.

[inittux]

LOL I wasn't able to get it to work on my website log. when I restart fail2ban I get an error that my failregex isn't correct. I set my own filter to off in jail.conf and I restarted fail2ban and it's running now. On my ssh port too. I was dumb enough to test it out and now I'm locked out of my ssh and I can't get back in LMAO [img]<___base_url___>//public/style_emoticons/default/laugh.png[/img][img]<___base_url___>//public/style_emoticons/default/blink.png[/img]

 

*edit: luckily I put the time on 10min and am able to get in now :P