|
|
| Line 6: |
Line 6: |
| | | | |
| | ---- | | ---- |
| − | Fail2ban is one of the best projects I've encountered - I love it! One suggestion: in 0.7+, the iptables.conf action uses pre-ban command" | + | Fail2ban is one of the best projects I've encountered - I love it! One suggestion: in 0.7 , the iptables.conf action uses pre-ban command" |
| | | | |
| | <pre>iptables -L....</pre> | | <pre>iptables -L....</pre> |
| Line 25: |
Line 25: |
| | Thank you. Added in the repository. --[[User:Lostcontrol|Lostcontrol]] 13:21, 14 December 2006 (PST) | | Thank you. Added in the repository. --[[User:Lostcontrol|Lostcontrol]] 13:21, 14 December 2006 (PST) |
| | | | |
| − | === Regexp for vsftp&qpopper/RHEL4 === | + | === Regexp for vsftp |
| − | I hope this is the right place to submit fail2ban regexp, and hope this not too much trivial and wring. Here is the section of fail2ban dedicated to VSFTPD and Qpopper according to a RHEL4 standard config:
| |
| − | <pre>[VSFTPD]
| |
| − | enabled = true
| |
| − | port = ftp
| |
| − | logfile = /var/log/messages
| |
| − | timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
| |
| − | timepattern = %%b %%d %%H:%%M:%%S
| |
| − | failregex = vsftpd.*authentication failure
| |
| − | | |
| − | [qpopper]
| |
| − | enabled = true
| |
| − | port = pop3
| |
| − | logfile = /var/log/secure
| |
| − | timeregex = \S{3}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}
| |
| − | timepattern = %%b %%d %%H:%%M:%%S
| |
| − | failregex = FAIL.*pop3
| |
| − | </pre>
| |
| − | -- Vincent
| |
| − | | |
| − | === Details in mail report ===
| |
| − | This would be fine if some details were reported in the mail sent by fail2ban when banning ip's:
| |
| − | *report reverse DNS lookup of the ip attacker
| |
| − | *report the usernames used for the attacks
| |
| − | *report hour and minutes ...
| |
| − | --Vincent
| |
| − | | |
| − | === Misc suggestions ===
| |
| − | *allow some ip (ranges) to fail authentification more than the maxfailures value but with a finite number of auth failures (something between whitelisting (through ignoreip value) with an infinite number of auth failures and the rest)
| |
| − | *when banning an ip because of attacking a service, ban it for all the other services monitored by fail2ban
| |
| − | *wiki pages with fail2ban config section related to various services and linux distributions
| |
| − | | |
| − | --Vincent (cosmotroll ---- yahoo / fr)
| |
| − | | |
| − | | |
| − | ==== RHEL 3.0 Users ==============
| |
| − | | |
| − | fail2ban is a nice product, but it need python 2.4, So only RHEL-4 users can use it. Try to some changes, so that it should work under RHEL-3 using python 2.2.
| |
| − | | |
| − | ==== Banning web spam? ====
| |
| − | | |
| − | I wonder if fail2ban could be used to ban IP addresses for spammers, by defining strings to search for. For instance a lot of spammers try to directly access urls like (on my system) /comment.php (which does not exist, but is a common target)...
| |
| − | | |
| − | I would really like to block them - permanently.
| |
| − | | |
| − | Speaking of perm-ban: how do I permanently ban someone?
| |
User Suggestions
I also love Fail2ban (great work guys), maybe I'm missing something but is there a way to unban an IP using fail2ban-client? If not could you add this feature?
Thank you :) You're right :/ You can't unban an IP address using fail2ban-client. This will be added in the next development branch (0.9). Be patient ;)
--Lostcontrol 23:23, 21 March 2007 (CET)
Fail2ban is one of the best projects I've encountered - I love it! One suggestion: in 0.7 , the iptables.conf action uses pre-ban command"
iptables -L....
Is there a reason for this? Maybe ip spoofing? At any rate, this can cause fail2ban to take forever in implementing its actions if the iptables chains are big, because it causes DNS lookups for each entry. I suggest adding the "n" flag to the command, to speed things up, like this:
iptables -nL....
See:
netfilter FAQ: iptables -L takes a very long time to display the rules
and
Docunext: fail2ban iptable.conf action
Thank you. Added in the repository. --Lostcontrol 13:21, 14 December 2006 (PST)
=== Regexp for vsftp
