Difference between revisions of "Fail2ban:Community Portal"

From Fail2ban
Line 30: Line 30:
 
failregex = vsftpd.*authentication failure</pre>
 
failregex = vsftpd.*authentication failure</pre>
 
-- Vincent
 
-- Vincent
 +
 +
=== Details in mail report ===
 +
This would be fine if some details were reported in the mail sent by fail2ban when banning ip's:
 +
*report reverse DNS lookup of the ip attacker
 +
*report the usernames used for the attacks
 +
*report hour and minutes ...
 +
--Vincent

Revision as of 14:05, 27 December 2006

User Suggestions

Fail2ban is one of the best projects I've encountered - I love it! One suggestion: in 0.7+, the iptables.conf action uses a pre-ban command:

iptables -L....

Is there a reason for this? Maybe IP spoofing? At any rate, this can cause fail2ban to take forever in implementing its actions if the iptables chains are big, because it causes DNS lookups for each entry. I suggest adding the "n" flag to the command, to speed things up, like this:

iptables -nL....

See:

netfilter FAQ: iptables -L takes a very long time to display the rules

and

Docunext: fail2ban iptable.conf action


Thank you. Added in the repository. --Lostcontrol 13:21, 14 December 2006 (PST)

Regexp for vsftp/RHEL4

I hope this is the right place to submit a fail2ban regexp. Here is the section of fail2ban dedicated to VSFTPD according to a RHEL4 standard config:

[VSFTPD]
enabled = true
port = ftp
logfile = /var/log/messages
timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
timepattern = %%b %%d %%H:%%M:%%S
failregex = vsftpd.*authentication failure

-- Vincent

Details in mail report

It would be good if some details were reported in the mail sent by fail2ban when banning IPs:

  • report the reverse DNS lookup of the attacker's IP
  • report the usernames used for the attacks
  • report hour and minutes ...

--Vincent
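
The following is an added example, not part of the original posts and not fail2ban's own code: it applies the timeregex, timepattern and failregex from the [VSFTPD] section above to constructed log lines and collects the details requested for the mail report. The `rhost=`/`user=` field names, the `year` parameter and the `resolve` hook are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Patterns copied from the [VSFTPD] section on this page; "%%" in the config
# file is an escaped "%", so the strptime pattern uses single percent signs.
TIMEREGEX = re.compile(r"\S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}")
TIMEPATTERN = "%b %d %H:%M:%S"
FAILREGEX = re.compile(r"vsftpd.*authentication failure")
# Assumption: pam_unix-style "rhost=" / "user=" fields carry the details.
RHOST = re.compile(r"\brhost=(\S+)")
USER = re.compile(r"\buser=(\S+)")

# Constructed sample lines (documentation addresses, not real log data).
SAMPLE_LOG = """\
Dec 27 13:58:01 ftp1 vsftpd(pam_unix)[4211]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.7  user=root
Dec 27 13:58:09 ftp1 vsftpd(pam_unix)[4213]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.7  user=admin
Dec 27 13:59:30 ftp1 sshd[4300]: Accepted password for alice from 198.51.100.4 port 4022 ssh2
Dec  7 02:03:04 ftp1 vsftpd(pam_unix)[990]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=198.51.100.9
"""

def collect_failures(log_text, year=2006):
    """Return {rhost: [(HH:MM, username or None), ...]} for matching lines."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        stamp = TIMEREGEX.search(line)
        host = RHOST.search(line)
        if not (stamp and host and FAILREGEX.search(line)):
            continue
        # Syslog timestamps omit the year, so an assumed one is supplied.
        when = datetime.strptime(f"{year} {stamp.group(0)}", "%Y " + TIMEPATTERN)
        user = USER.search(line)
        report[host.group(1)].append(
            (when.strftime("%H:%M"), user.group(1) if user else None))
    return dict(report)

def format_report(report, resolve=lambda ip: None):
    """Render the mail body; `resolve` is a hypothetical reverse-DNS hook."""
    lines = []
    for ip, events in sorted(report.items()):
        users = sorted({u for _, u in events if u})
        lines.append(f"{ip} ({resolve(ip) or 'no PTR'}): {len(events)} failures")
        lines.append(f"  usernames: {', '.join(users) or 'unknown'}")
        lines.append(f"  times: {', '.join(t for t, _ in events)}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(collect_failures(SAMPLE_LOG)))
```

Passing a function such as one built on `socket.gethostbyaddr` as `resolve` would fill in the reverse DNS name; the default keeps the example offline.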