Fail2ban
Re: Fail2ban
I use it in mine. Historically I used to use fail2ban with all kinds of postfix regexes I wrote, but as time has passed and moved from system to system, many of them needed rewrites or were becoming irrelevant. Now I just use the pre-written postfix-sasl jail. Here is a script I use to prep an EFA install with fail2ban's postfix-sasl jail:
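#!/bin/bash
# Install fail2ban and enable it at boot.
yum install -y fail2ban
chkconfig fail2ban on
# Write the local jail overrides.
touch /etc/fail2ban/jail.d/local.conf
cat << EOF > /etc/fail2ban/jail.d/local.conf
[DEFAULT]
# Never ban the loopback range.
ignoreip = 127.0.0.1/8
# maxretry failures within findtime seconds trigger a ban lasting bantime seconds.
bantime = 608400
findtime = 30
maxretry = 1
backend = auto
usedns = warn

[postfix-sasl]
enabled = true
filter = postfix-sasl
action = iptables[name=POSTFIX-SASL, port=smtp, protocol=tcp]
logpath = /var/log/maillog
EOF
# Save and reload the firewall rules, then start fail2ban.
service iptables save
/etc/init.d/iptables restart
/etc/init.d/fail2ban start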
- shawniverson
Re: Fail2ban
thank you very much.
how could I enable the fail2ban.log ?
Re: Fail2ban
thank you for your return, I will test to see if it corresponds to my config
Re: Fail2ban
to enable mail report you can configure on /etc/fail2ban/jail.conf
destemail = your email destination
sender = your sender address
mta = sendmail
by default the log for postfix is /var/log/maillog or /var/log/messages
Re: Fail2ban
Hi guys,
I know this is an old post.
I just want to share that I just configured this on the latest version of EFA (4/16/2018), EFA-3.0.2.6, as of today, and it does work.
I want to configure the log in /etc/fail2ban/jail.conf.
Can we configure fail2ban to block HTTPS too, when they try to access the EFA over HTTPS?
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!
Re: Fail2ban
Sure, why not?
Or are you looking for what rule to implement to make this happen?
Re: Fail2ban
Hi Paul,
Our EFA has HTTPS open to the internet so that users on the go can release their emails.
So https://efa.domain.com is open on the internet, and I want to include fail2ban to block the brute-force IPs over the internet.
Is this possible to configure with fail2ban?
Re: Fail2ban
Sure.
Assuming that there is a recognizable pattern in some log files, you can configure Fail2Ban to watch for it and block appropriately.
The first question to ask yourself is: how do you know you are being brute forced? (i.e. does that show up in the log files in a recognizable pattern?) Once you know, configuring fail2ban is relatively straightforward.
Re: Fail2ban
Thank you for the answer Paul.
pdwalker wrote: 24 Apr 2018 02:17
> Sure.
> Assuming that there is a recognizable pattern in some log files, you can configure Fail2Ban to watch for it and block appropriately.
> The first question to ask yourself, is how do you know you are being brute forced? (i.e. does that show up in the log files in a recognizable pattern). Once you know, configuring fail2ban is relatively straight forward.
I can't seem to find any tutorial on how to configure fail2ban for HTTPS.
In the meanwhile I have configured fail2ban for SMTP.
Re: Fail2ban
The first question is: can you see from your apache access logs, or error log or any log something that you could define as a brute force attack?
If yes, then we can make a fail2ban rule to block the attempts. If not, then fail2ban won't help.
If you can show me some example errors, I can help you create the rule.
Re: Fail2ban
Hi Paul,
pdwalker wrote: 02 May 2018 03:24
> The first question is: can you see from your apache access logs, or error log or any log something that you could define as a brute force attack?
> If yes, then we can make a fail2ban rule to block the attempts. If not, then fail2ban won't help.
> If you can show me some examples errors, I can help you create the rule.
I've been looking around in Webmin but can't seem to find a log of the attempts at logging in over HTTP/S.
Do you maybe happen to know where I can find this? Like for the last 24 hr?
We are now using an IDS in front of the EFA in order to get some countries blocked.
Re: Fail2ban
I do everything from the command line.
The apache logs are in /var/log/httpd and are called ssl_access_log and ssl_error_log
You can access this log file from webmin via Others, File Manager, and then browse your way down to /var/log/httpd/
Re: Fail2ban
i've got Paul.
mine seems clean after the IDS.
SSL ERROR LOG
[Mon Apr 30 18:53:38 2018] [error] [client 142.0.36.250] File does not exist: /var/www/html/000000000000.cfg
[Mon Apr 30 18:53:38 2018] [error] [client 142.0.36.250] File does not exist: /var/www/html/polycom
[Mon Apr 30 18:53:38 2018] [error] [client 142.0.36.250] File does not exist: /var/www/html/cfg
[Mon Apr 30 18:53:39 2018] [error] [client 142.0.36.250] File does not exist: /var/www/html/PlcmSpip
[Mon Apr 30 18:53:39 2018] [error] [client 142.0.36.250] File does not exist: /var/www/html/wisdom-tree
[Mon Apr 30 18:53:39 2018] [error] [client 142.0.36.250] File does not exist: /var/www/html/qualit-partnr
[Mon Apr 30 18:53:39 2018] [error] [client 142.0.36.250] File does not exist: /var/www/html/prov
[Tue May 01 00:21:16 2018] [warn] [client 192.168.4.9] PHP Warning: ini_set(): A session is active. You cannot change the session module's ini settings at this time in /var/www/html/mailscanner/logout.php on line 40, referer: https://filter.darks.com/mailscanner/status.php
[Tue May 01 00:36:22 2018] [warn] [client 192.168.4.9] PHP Warning: ini_set(): A session is active. You cannot change the session module's ini settings at this time in /var/www/html/mailscanner/logout.php on line 40, referer: https://filter.darks.com/mailscanner/status.php
[Tue May 01 01:54:25 2018] [warn] [client 192.168.4.9] PHP Warning: ini_set(): A session is active. You cannot change the session module's ini settings at this time in /var/www/html/mailscanner/logout.php on line 40, referer: https://filter.darks.com/mailscanner/status.php
[Tue May 01 02:41:38 2018] [warn] [client 192.168.4.9] PHP Warning: ini_set(): A session is active. You cannot change the session module's ini settings at this time in /var/www/html/mailscanner/logout.php on line 40, referer: https://filter.darks.com/mailscanner/de ... 0065.A6344
[Wed May 02 01:39:43 2018] [error] [client 151.106.13.158] File does not exist: /var/www/html/a2billing
[Wed May 02 01:39:43 2018] [error] [client 151.106.13.158] File does not exist: /var/www/html/recordings
[Wed May 02 02:30:35 2018] [error] [client 138.246.253.19] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Wed May 02 14:54:10 2018] [error] [client 94.75.249.3] File does not exist: /var/www/html/recordings
[Wed May 02 14:54:11 2018] [error] [client 94.75.249.3] File does not exist: /var/www/html/cgi
SSL ACCESS LOG
139.162.78.135 - - [29/Apr/2018:06:32:38 +0200] "GET / HTTP/1.1" 200 155
216.218.206.69 - - [29/Apr/2018:17:33:33 +0200] "GET / HTTP/1.1" 200 155
192.168.4.9 - - [30/Apr/2018:17:15:25 +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081
192.168.4.9 - - [30/Apr/2018:17:15:26 +0200] "GET /mailscanner/style.css HTTP/1.1" 304 -
192.168.4.9 - - [30/Apr/2018:17:15:26 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [30/Apr/2018:17:15:27 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
192.168.4.9 - - [30/Apr/2018:17:15:27 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
192.168.4.9 - - [30/Apr/2018:17:15:27 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33818
192.168.4.9 - - [30/Apr/2018:17:15:33 +0200] "GET /mailscanner/other.php HTTP/1.1" 200 9203
216.218.206.69 - - [30/Apr/2018:18:01:02 +0200] "GET / HTTP/1.1" 200 155
142.0.36.250 - - [30/Apr/2018:18:53:38 +0200] "GET /000000000000.cfg HTTP/1.1" 404 214
142.0.36.250 - - [30/Apr/2018:18:53:38 +0200] "GET /polycom/000000000000.cfg HTTP/1.1" 404 222
142.0.36.250 - - [30/Apr/2018:18:53:38 +0200] "GET /cfg/000000000000.cfg HTTP/1.1" 404 218
142.0.36.250 - - [30/Apr/2018:18:53:39 +0200] "GET /PlcmSpip/000000000000.cfg HTTP/1.1" 404 223
142.0.36.250 - - [30/Apr/2018:18:53:39 +0200] "GET /wisdom-tree/000000000000.cfg HTTP/1.1" 404 226
142.0.36.250 - - [30/Apr/2018:18:53:39 +0200] "GET /qualit-partnr/000000000000.cfg HTTP/1.1" 404 228
142.0.36.250 - - [30/Apr/2018:18:53:39 +0200] "GET /prov/polycom/000000000000.cfg HTTP/1.1" 404 227
77.72.85.108 - - [30/Apr/2018:21:42:11 +0200] "GET / HTTP/1.1" 200 155
192.168.4.9 - - [30/Apr/2018:23:57:17 +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081
192.168.4.9 - - [30/Apr/2018:23:57:19 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
192.168.4.9 - - [30/Apr/2018:23:57:19 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
192.168.4.9 - - [30/Apr/2018:23:57:19 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33350
192.168.4.9 - - [30/Apr/2018:23:57:49 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33350
192.168.4.9 - - [30/Apr/2018:23:58:19 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33350
192.168.4.9 - - [30/Apr/2018:23:58:32 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33350
192.168.4.9 - - [30/Apr/2018:23:58:32 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [30/Apr/2018:23:58:33 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33350
192.168.4.9 - - [30/Apr/2018:23:58:33 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [30/Apr/2018:23:58:48 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33306
192.168.4.9 - - [30/Apr/2018:23:58:48 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [30/Apr/2018:23:58:49 +0200] "GET /mailscanner/images/info-circle-hover.png HTTP/1.1" 200 275
192.168.4.9 - - [30/Apr/2018:23:58:50 +0200] "GET /mailscanner/detail.php?token=af1b64617b7bcf11788e6182753833b96c9d3b49fd32a68e8f1032c5792b4d1d&id=09B7440065.A9CFC HTTP/1.1" 200 15635
192.168.4.9 - - [01/May/2018:00:05:33 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33169
192.168.4.9 - - [01/May/2018:00:06:03 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33169
192.168.4.9 - - [01/May/2018:00:06:33 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33169
192.168.4.9 - - [01/May/2018:00:07:03 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33169
192.168.4.9 - - [01/May/2018:00:07:22 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33177
192.168.4.9 - - [01/May/2018:00:07:22 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [01/May/2018:00:07:32 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33177
192.168.4.9 - - [01/May/2018:00:07:32 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [01/May/2018:00:07:33 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33100
192.168.4.9 - - [01/May/2018:00:07:33 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [01/May/2018:00:07:35 +0200] "GET /mailscanner/detail.php?token=af1b64617b7bcf11788e6182753833b96c9d3b49fd32a68e8f1032c5792b4d1d&id=512FF40065.A6390 HTTP/1.1" 200 15765
192.168.4.9 - - [01/May/2018:00:10:54 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33100
192.168.4.9 - - [01/May/2018:00:10:59 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33100
192.168.4.9 - - [01/May/2018:00:11:01 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33100
192.168.4.9 - - [01/May/2018:00:11:01 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33100
192.168.4.9 - - [01/May/2018:00:11:02 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33100
192.168.4.9 - - [01/May/2018:00:11:03 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33100
192.168.4.9 - - [01/May/2018:00:11:05 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
192.168.4.9 - - [01/May/2018:00:11:09 +0200] "GET /mailscanner/detail.php?token=af1b64617b7bcf11788e6182753833b96c9d3b49fd32a68e8f1032c5792b4d1d&id=81A0140065.A5DB8 HTTP/1.1" 200 15766
192.168.4.9 - - [01/May/2018:00:11:13 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
192.168.4.9 - - [01/May/2018:00:11:43 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
192.168.4.9 - - [01/May/2018:00:12:13 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
192.168.4.9 - - [01/May/2018:00:12:43 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
192.168.4.9 - - [01/May/2018:00:13:13 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
192.168.4.9 - - [01/May/2018:00:13:44 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
192.168.4.9 - - [01/May/2018:00:14:14 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
192.168.4.9 - - [01/May/2018:00:14:44 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
192.168.4.9 - - [01/May/2018:00:15:14 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
192.168.4.9 - - [01/May/2018:00:15:44 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
192.168.4.9 - - [01/May/2018:00:16:14 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
192.168.4.9 - - [01/May/2018:00:16:44 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
192.168.4.9 - - [01/May/2018:00:17:15 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
192.168.4.9 - - [01/May/2018:00:17:45 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
192.168.4.9 - - [01/May/2018:00:18:15 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
192.168.4.9 - - [01/May/2018:00:18:45 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33038
192.168.4.9 - - [01/May/2018:00:19:15 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:19:45 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:20:15 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:20:46 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:21:16 +0200] "GET /mailscanner/status.php HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:00:21:16 +0200] "GET /mailscanner/logout.php?error=timeout HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:00:21:16 +0200] "GET /mailscanner/login.php?error=timeout HTTP/1.1" 200 2147
192.168.4.9 - - [01/May/2018:00:26:20 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:00:26:20 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:00:26:20 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:26:50 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:27:20 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:27:50 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:28:20 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:28:50 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:29:20 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:29:51 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:30:21 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:30:51 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:31:21 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:31:51 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:32:21 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:32:51 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:33:21 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:33:52 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:34:22 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:34:52 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:35:22 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:35:52 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33037
192.168.4.9 - - [01/May/2018:00:36:22 +0200] "GET /mailscanner/status.php HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:00:36:22 +0200] "GET /mailscanner/logout.php?error=timeout HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:00:36:22 +0200] "GET /mailscanner/login.php?error=timeout HTTP/1.1" 200 2147
192.168.4.9 - - [01/May/2018:01:43:58 +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081
192.168.4.9 - - [01/May/2018:01:44:00 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:01:44:00 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:01:44:00 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33495
192.168.4.9 - - [01/May/2018:01:44:30 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33495
192.168.4.9 - - [01/May/2018:01:45:00 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33495
192.168.4.9 - - [01/May/2018:01:45:30 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33495
192.168.4.9 - - [01/May/2018:01:46:00 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:46:30 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:47:01 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:47:03 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:47:03 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [01/May/2018:01:47:04 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:47:04 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [01/May/2018:01:47:34 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:48:04 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:48:35 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:49:05 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:49:23 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:49:23 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [01/May/2018:01:49:24 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:49:24 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [01/May/2018:01:49:54 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:50:24 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:50:54 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:51:24 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:51:54 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:52:25 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:52:55 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:53:25 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:53:55 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:01:54:25 +0200] "GET /mailscanner/status.php HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:01:54:25 +0200] "GET /mailscanner/logout.php?error=timeout HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:01:54:25 +0200] "GET /mailscanner/login.php?error=timeout HTTP/1.1" 200 2147
192.168.4.9 - - [01/May/2018:02:00:29 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:02:00:29 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:02:00:29 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:02:00:31 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:02:00:31 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [01/May/2018:02:01:01 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:02:01:06 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:02:01:06 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [01/May/2018:02:01:09 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:02:01:09 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [01/May/2018:02:01:10 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:02:01:11 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [01/May/2018:02:01:12 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:02:01:12 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [01/May/2018:02:01:26 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:02:01:27 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [01/May/2018:02:01:39 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:02:01:40 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [01/May/2018:02:01:51 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:02:01:51 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [01/May/2018:02:02:21 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33532
192.168.4.9 - - [01/May/2018:02:02:51 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33530
192.168.4.9 - - [01/May/2018:02:03:21 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33530
192.168.4.9 - - [01/May/2018:02:03:51 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33530
192.168.4.9 - - [01/May/2018:02:04:21 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33530
192.168.4.9 - - [01/May/2018:02:04:36 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33530
192.168.4.9 - - [01/May/2018:02:04:36 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
192.168.4.9 - - [01/May/2018:02:05:06 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33530
192.168.4.9 - - [01/May/2018:02:05:37 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33530
192.168.4.9 - - [01/May/2018:02:06:07 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33530
192.168.4.9 - - [01/May/2018:02:06:37 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33533
192.168.4.9 - - [01/May/2018:02:07:07 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33533
192.168.4.9 - - [01/May/2018:02:07:37 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33533
192.168.4.9 - - [01/May/2018:02:07:39 +0200] "GET /mailscanner/detail.php?token=9f0954e7d7e2d39008e9928d099aec132e04558226713f647598906cfd0cac60&id=231E940065.AB9C1 HTTP/1.1" 200 16754
192.168.4.9 - - [01/May/2018:02:08:08 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33533
192.168.4.9 - - [01/May/2018:02:08:38 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33533
192.168.4.9 - - [01/May/2018:02:09:08 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33454
192.168.4.9 - - [01/May/2018:02:09:38 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33454
192.168.4.9 - - [01/May/2018:02:09:41 +0200] "GET /mailscanner/detail.php?token=9f0954e7d7e2d39008e9928d099aec132e04558226713f647598906cfd0cac60&id=EF7E440065.A9480 HTTP/1.1" 200 15837
192.168.4.9 - - [01/May/2018:02:09:45 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33454
192.168.4.9 - - [01/May/2018:02:09:47 +0200] "GET /mailscanner/detail.php?token=9f0954e7d7e2d39008e9928d099aec132e04558226713f647598906cfd0cac60&id=289CC40089.A8F16 HTTP/1.1" 200 15529
192.168.4.9 - - [01/May/2018:02:09:50 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33454
192.168.4.9 - - [01/May/2018:02:22:06 +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081
192.168.4.9 - - [01/May/2018:02:22:09 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:02:22:09 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:02:22:09 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33270
192.168.4.9 - - [01/May/2018:02:22:11 +0200] "GET /mailscanner/detail.php?token=d1b92c452d6d706798798daf1032033bec618f8edb552a715523bc4915bb699b&id=4C86640065.A6344 HTTP/1.1" 200 15675
192.168.4.9 - - [01/May/2018:02:23:06 +0200] "-" 408 -
192.168.4.9 - - [01/May/2018:02:41:38 +0200] "GET /mailscanner/status.php HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:02:41:38 +0200] "GET /mailscanner/logout.php?error=timeout HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:02:41:38 +0200] "GET /mailscanner/login.php?error=timeout HTTP/1.1" 200 2147
192.168.4.9 - - [01/May/2018:02:41:40 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:02:41:40 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
192.168.4.9 - - [01/May/2018:02:41:40 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33270
192.168.4.9 - - [01/May/2018:02:41:46 +0200] "GET /mailscanner/detail.php?token=88a36ce50e42322a4c87def10609a044c769738293658210c76c24b72a694c1f&id=4C86640065.A6344 HTTP/1.1" 200 15675
192.168.4.9 - - [01/May/2018:02:41:49 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33224
192.168.4.9 - - [01/May/2018:02:42:19 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33224
192.168.4.9 - - [01/May/2018:02:42:49 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33224
192.168.4.9 - - [01/May/2018:02:43:20 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33224
192.168.4.9 - - [01/May/2018:02:43:30 +0200] "GET /mailscanner/lists.php HTTP/1.1" 200 9391
192.168.4.9 - - [01/May/2018:02:43:31 +0200] "GET /mailscanner/quarantine.php HTTP/1.1" 200 13746
192.168.4.9 - - [01/May/2018:02:43:32 +0200] "GET /mailscanner/quarantine.php?token=88a36ce50e42322a4c87def10609a044c769738293658210c76c24b72a694c1f&dir=20180501 HTTP/1.1" 200 7943
192.168.4.9 - - [01/May/2018:02:43:34 +0200] "GET /mailscanner/reports.php HTTP/1.1" 200 13273
192.168.4.9 - - [01/May/2018:02:43:40 +0200] "GET /mailscanner/rep_top_viruses.php HTTP/1.1" 200 8636
192.168.4.9 - - [01/May/2018:02:43:40 +0200] "GET /mailscanner/lib/pieConfig.js HTTP/1.1" 200 4192
192.168.4.9 - - [01/May/2018:02:43:40 +0200] "GET /mailscanner/lib/Chart.js/Chart.min.js HTTP/1.1" 200 150284
192.168.4.9 - - [01/May/2018:02:43:47 +0200] "GET /mailscanner/reports.php HTTP/1.1" 200 13273
192.168.4.9 - - [01/May/2018:02:43:50 +0200] "GET /mailscanner/rep_top_senders_by_quantity.php HTTP/1.1" 200 9641
192.168.4.9 - - [01/May/2018:02:44:09 +0200] "GET /mailscanner/reports.php HTTP/1.1" 200 13273
192.168.4.9 - - [01/May/2018:02:44:12 +0200] "GET /mailscanner/rep_sa_score_dist.php HTTP/1.1" 200 11561
192.168.4.9 - - [01/May/2018:02:44:18 +0200] "GET /mailscanner/reports.php HTTP/1.1" 200 13273
192.168.4.9 - - [01/May/2018:02:44:21 +0200] "GET /mailscanner/rep_sa_rule_hits.php HTTP/1.1" 200 111456
192.168.4.9 - - [01/May/2018:02:44:25 +0200] "GET /mailscanner/reports.php HTTP/1.1" 200 13273
192.168.4.9 - - [01/May/2018:02:44:34 +0200] "GET /mailscanner/rep_top_mail_relays.php HTTP/1.1" 200 10591
192.168.4.9 - - [01/May/2018:02:44:59 +0200] "GET /mailscanner/other.php HTTP/1.1" 200 9202
74.82.47.4 - - [01/May/2018:17:53:12 +0200] "GET / HTTP/1.1" 200 155
62.233.65.182 - - [01/May/2018:18:55:00 +0200] "GET / HTTP/1.1" 200 155
117.50.7.159 - - [01/May/2018:22:32:44 +0200] "GET / HTTP/1.0" 200 155
106.75.2.81 - - [01/May/2018:22:32:46 +0200] "GET / HTTP/1.1" 200 155
209.126.136.7 - - [01/May/2018:22:37:06 +0200] "GET / HTTP/1.1" 200 155
122.224.129.234 - - [02/May/2018:01:16:05 +0200] "GET / HTTP/1.0" 200 155
183.129.174.250 - - [02/May/2018:01:16:37 +0200] "-" 408 -
151.106.13.158 - - [02/May/2018:01:39:43 +0200] "GET /a2billing/admin/Public/index.php HTTP/1.1" 404 230
151.106.13.158 - - [02/May/2018:01:39:43 +0200] "GET /recordings/ HTTP/1.1" 404 209
138.246.253.19 - - [02/May/2018:02:30:35 +0200] "HEAD / HTTP/1.1" 400 -
107.170.193.62 - - [02/May/2018:03:57:18 +0200] "GET / HTTP/1.1" 200 155
139.162.78.135 - - [02/May/2018:09:57:58 +0200] "GET / HTTP/1.1" 200 155
178.73.215.171 - - [02/May/2018:10:21:12 +0200] "GET / HTTP/1.0" 200 155
192.168.4.5 - - [02/May/2018:12:32:58 +0200] "GET / HTTP/1.1" 200 155
192.168.4.5 - - [02/May/2018:12:32:58 +0200] "GET /favicon.ico HTTP/1.1" 200 1150
192.168.4.5 - - [02/May/2018:12:32:58 +0200] "GET /mailscanner/ HTTP/1.1" 302 -
192.168.4.5 - - [02/May/2018:12:32:58 +0200] "GET /mailscanner/status.php HTTP/1.1" 302 -
192.168.4.5 - - [02/May/2018:12:32:58 +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081
192.168.4.5 - - [02/May/2018:12:32:58 +0200] "GET /mailscanner/images/mailwatch-logo.png HTTP/1.1" 200 15657
192.168.4.5 - - [02/May/2018:12:32:58 +0200] "GET /mailscanner/style.css HTTP/1.1" 200 18314
192.168.4.5 - - [02/May/2018:12:32:58 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
217.100.225.34 - - [02/May/2018:12:45:01 +0200] "GET / HTTP/1.1" 200 155
217.100.225.34 - - [02/May/2018:12:45:01 +0200] "GET /mailscanner/ HTTP/1.1" 302 -
217.100.225.34 - - [02/May/2018:12:45:01 +0200] "GET /favicon.ico HTTP/1.1" 200 1150
217.100.225.34 - - [02/May/2018:12:45:01 +0200] "GET /mailscanner/status.php HTTP/1.1" 302 -
217.100.225.34 - - [02/May/2018:12:45:01 +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081
217.100.225.34 - - [02/May/2018:12:45:01 +0200] "GET /mailscanner/images/mailwatch-logo.png HTTP/1.1" 200 15657
217.100.225.34 - - [02/May/2018:12:45:01 +0200] "GET /mailscanner/style.css HTTP/1.1" 200 18314
217.100.225.34 - - [02/May/2018:12:45:01 +0200] "GET /mailscanner/images/favicon.png HTTP/1.1" 200 1150
94.75.249.3 - - [02/May/2018:14:54:08 +0200] "GET /" 400 474
94.75.249.3 - - [02/May/2018:14:54:08 +0200] "GET /" 400 474
94.75.249.3 - - [02/May/2018:14:54:10 +0200] "GET /recordings/ HTTP/1.1" 404 209
94.75.249.3 - - [02/May/2018:14:54:11 +0200] "GET /cgi/webcgi HTTP/1.1" 404 208
184.105.247.252 - - [02/May/2018:15:39:03 +0200] "GET / HTTP/1.1" 200 155
51.38.12.13 - - [02/May/2018:18:15:36 +0200] "GET / HTTP/1.1" 200 155
71.6.202.205 - - [03/May/2018:04:59:22 +0200] "GET / HTTP/1.1" 200 155
192.168.4.9 - - [03/May/2018:11:53:10 +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081
192.168.4.9 - - [03/May/2018:11:53:12 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
192.168.4.9 - - [03/May/2018:11:53:12 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
192.168.4.9 - - [03/May/2018:11:53:12 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33195
192.168.4.9 - - [03/May/2018:11:53:15 +0200] "GET /mailscanner/other.php HTTP/1.1" 200 9205
192.168.4.9 - - [03/May/2018:12:02:36 +0200] "GET /mailscanner/login.php HTTP/1.1" 200 2081
192.168.4.9 - - [03/May/2018:12:02:38 +0200] "POST /mailscanner/checklogin.php HTTP/1.1" 302 -
192.168.4.9 - - [03/May/2018:12:02:38 +0200] "GET /mailscanner/index.php HTTP/1.1" 302 -
192.168.4.9 - - [03/May/2018:12:02:38 +0200] "GET /mailscanner/status.php HTTP/1.1" 200 33029
192.168.4.9 - - [03/May/2018:12:02:45 +0200] "GET /mailscanner/other.php HTTP/1.1" 200 9205
Version eFa 4.0.0 RC1 now available in testing repo. Come join us in advancing eFa!
Re: Fail2ban
Look at the older log files and see if you can find an attack pattern there.
Re: Fail2ban
Hi Paul,
what does the log show exactly? so I won't have to read 1000 lines
Thank you
Re: Fail2ban
hi jamerson,
That's the problem. I don't know what it shows until I see it. If I knew what you considered an attack from the log files, then we could come up with a fail2ban rule to help protect you.
Basically, you would need to browse back in time to when your last attack was happening, then look for the log file entries around that time to see if you can discern a pattern.
Can you describe or say anything about the attacks you were receiving?
Re: Fail2ban
pdwalker wrote: ↑04 May 2018 05:20
hi jamerson,
That's the problem. I don't know what it shows until I see it. If I knew what you considered an attack from the log files, then we could come up with a fail2ban rule to help protect you.
Basically, you would need to browse back in time to when your last attack was happening, then look for the log file entries around that time to see if you can discern a pattern.
Can you describe or say anything about the attacks you were receiving?

Thank you Paul,
the EFA behaved crazy, with a lot of SMTP handshake requests, and the CPU was running at 99%.
after the IDS in front some this to be less.
Re: Fail2ban
So if it was smtp connections, you’d find the patterns in /var/log/maillog.
Re: Fail2ban
you can activate a pattern for HTTP response codes like 403 (access denied) or 404 (page not found).
Or, for example, if an IP address requests the web page a large number of times over a short time.
For example, if you have the same IP address with "GET" on 500 lines requesting the same page during 1 minute, it seems to be an abnormal use of resources and this can overload the server.
You can also activate on failed authentication with this:

/etc/fail2ban/jail.local

[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

all this config will use additional resources on the server
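The two patterns described in the post above (repeated 403/404 responses, and one address requesting the same page many times in a short period) can be checked offline against an access log before any jail is written. This is an added example, not part of the original post and not fail2ban code; the function names, thresholds and sample lines are assumptions, and the sample uses documentation-range addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common log format, the format of the access_log lines posted in this thread.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')

def parse(entry):
    """Return (ip, time, path, status), or None for a line that does not parse."""
    m = LINE.match(entry.strip())
    if not m:
        return None
    ip, ts, request, status = m.groups()
    parts = request.split()
    path = parts[1] if len(parts) >= 2 else None   # a 408 logged as "-" has no path
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def offenders(lines, key, findtime, maxretry):
    """Keys whose hits reach maxretry inside a sliding findtime-second window.

    key(ip, path, status) returns a hashable key to count, or None to ignore."""
    recent, flagged = defaultdict(deque), set()
    for ip, ts, path, status in filter(None, map(parse, lines)):
        k = key(ip, path, status)
        if k is None:
            continue
        q = recent[k]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=findtime):
            q.popleft()
        if len(q) >= maxretry:
            flagged.add(k)
    return flagged

def by_error(ip, path, status):      # 403/404 responses, counted per client
    return ip if status in (403, 404) else None

def by_page(ip, path, status):       # same client requesting the same page
    return (ip, path) if path else None

def make_line(ip, sec, path, status):  # builds one constructed log line
    return (f'{ip} - - [02/May/2018:01:{sec // 60:02d}:{sec % 60:02d} +0200] '
            f'"GET {path} HTTP/1.1" {status} 209')

# Constructed sample, not taken from the thread.
SAMPLE = (
    [make_line("203.0.113.7", s, f"/probe{s}/", 404) for s in range(8)]        # 404 burst
    + [make_line("198.51.100.20", s, "/favicon.ico", 404) for s in (0, 300)]   # stray 404s
    + [make_line("192.0.2.44", s, "/mailscanner/login.php", 200) for s in range(10)]
    + ['192.0.2.99 - - [02/May/2018:01:16:37 +0200] "-" 408 -']                # no request
)
```

Running `offenders(SAMPLE, by_error, findtime=60, maxretry=6)` flags only the address with the 404 burst; the two 404s five minutes apart stay below the threshold, which is the kind of false positive to look for before choosing `findtime` and `maxretry`.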
Re: Fail2ban
wilbourne wrote: ↑15 Jun 2018 20:45
you can activate a pattern for HTTP response codes like 403 (access denied) or 404 (page not found).
Or, for example, if an IP address requests the web page a large number of times over a short time.
For example, if you have the same IP address with "GET" on 500 lines requesting the same page during 1 minute, it seems to be an abnormal use of resources and this can overload the server.
You can also activate on failed authentication with this:
/etc/fail2ban/jail.local
[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
all this config will use additional resources on the server

Thank you for your answer.
is there a way to test this and know it does the job?
Re: Fail2ban
you can test the 404 apache for example.
copy the below lines into /etc/fail2ban/jail.conf

[apache-404]
enabled = true
port = http
filter = apache-404
logpath = /var/log/apache*/error*.log
maxretry = 6

after that, create the file apache-404.conf in /etc/fail2ban/filter.d/ and copy the below lines:

#
[Definition]
# Option: failregex
# Notes.: regex to match the 404 failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = [[]client <HOST>[]] File does not exist: .*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

Restart fail2ban

service fail2ban restart

After that you can test your rule with this command to make sure the pattern matches:

/usr/bin/fail2ban-regex /var/log/apache2/error*.log /etc/fail2ban/filter.d/apache-404.conf

to have the status of your rule:

/usr/bin/fail2ban-client status apache-404

for all rules:

/usr/bin/fail2ban-client status

i'm not sure but with the version 3.0.2.6 of EFA the mod-security is activated and I think it is not necessary to use the jail of fail2ban.
Maybe i'm wrong
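To see what the apache-404 failregex above does and does not catch before relying on the jail, the pattern can be exercised against sample error-log lines. This is an added example, not part of the original post and not fail2ban's own code: it expands `<HOST>` with the alias quoted in the filter's comment, counts matches per host against `maxretry`, ignores `findtime`, and runs on constructed log lines with documentation-range addresses.

```python
import re
import warnings
from collections import Counter

# failregex copied from the apache-404 filter in the post; <HOST> is expanded with
# the alias quoted in that filter's own comment block.
FAILREGEX = r"[[]client <HOST>[]] File does not exist: .*"
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)"

def compile_failregex(failregex):
    with warnings.catch_warnings():
        # Python may warn about "[[" (possible nested set); the pattern is still valid.
        warnings.simplefilter("ignore", FutureWarning)
        return re.compile(failregex.replace("<HOST>", HOST_ALIAS))

def check_filter(lines, maxretry=6, failregex=FAILREGEX):
    """Return (failures per host, hosts that reach maxretry, unmatched lines)."""
    rx = compile_failregex(failregex)
    hits, missed = Counter(), []
    for entry in lines:
        m = rx.search(entry)
        if m:
            hits[m.group("host")] += 1
        else:
            missed.append(entry)
    banned = sorted(h for h, n in hits.items() if n >= maxretry)
    return hits, banned, missed

# Constructed error_log lines, not taken from the thread.
OLD_STYLE = ("[Wed May 02 01:39:4{n} 2018] [error] [client {ip}] "
             "File does not exist: /var/www/html/{p}")
SAMPLE = (
    [OLD_STYLE.format(n=n, ip="203.0.113.7", p=f"probe{n}") for n in range(6)]
    + [OLD_STYLE.format(n=0, ip="198.51.100.20", p="favicon.ico")]
    # Same event with a port after the client address and an AH message code,
    # as newer Apache versions write it: the filter above does not match this.
    + ["[Wed May 02 01:39:43.120000 2018] [core:info] [pid 1234] "
       "[client 203.0.113.9:51234] AH00128: File does not exist: /var/www/html/probe"]
    # A different error from a client: not a 404, so it must not be counted.
    + ["[Wed May 02 01:40:00 2018] [error] [client 198.51.100.20] "
       "client denied by server configuration: /var/www/html/admin"]
)

if __name__ == "__main__":
    hits, banned, missed = check_filter(SAMPLE)
    print(dict(hits), banned, len(missed))
```

If the real error log only produces lines like the unmatched one with a port after the client address, `fail2ban-regex` will report zero matches and the jail will never ban anything, so check the match count on your own log before trusting the rule.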
Re: Fail2ban
I had Fail2Ban implemented in my v3 configuration. Is it still useful in v4? I noticed from watching my maillogs for a bit that I was getting a lot of repeat/denied traffic from spammers. It's been a long time since I set up my v3 server, but my recollection was that it scanned logs and implemented blocking pre-SMTP which would further reduce the impact of bad actors on your systems/logs/etc.
I noticed that it was on the pending features list for v4. Is that a confirmation that it is still useful? Would it be problematic for me to manually implement in my v4?