Difference between revisions of "Talk:Fail2ban"

From SME Server
Jump to navigationJump to search
m
(Replaced content with "Fine. Usually I'm told to put forum stuff into the wiki. Bound to happen the other way around. Have appended to the thread that 'tried' to point to the unwanted piece in t...")
Line 1: Line 1:
{{Note box|Please do not edit the main how-to directly if you want to provide feedback or experiences. The blog style (first person) writing is not consistent with the 'documentation' style of the main how-to. The owner of the page or someone from the doc team can format your information if it's invalided.}}
+
Fine. Usually I'm told to put forum stuff into the wiki. Bound to happen the other way around. Have appended to the thread that 'tried' to point to the unwanted piece in the wiki.
 
 
 
 
'''With many thanks to the author for his work''' templating the install of Fail2Ban into SME8/9 here are some notes for introduction:
 
 
 
* F2B adds to SMEserver's own high security after SME has already reported forbidden access, file not found or a relaying denied error. F2B filters read appropriate logs and associated jails implement timed bans (by dropping all packets arriving from the culprit IP). Another F2B action sends a notifying email.
 
 
 
* Restarting the contrib clears existing bans but a suitable 'findtime' results in a reban. Be aware that the restart delay can be unexpectedly lengthy, I've noticed a variation of between a few seconds to one that extended to nearly 40 minutes! YMMV
 
 
 
* The 'out of the box' install's given filters are *already* completely capable of detecting most problems without any user templating being necessary.
 
 
 
* Parameters are passed using db commands. On my SME8.1 and with only www & email expectations (no SSH) I used:
 
 
 
db configuration setprop qpsmtpd Fail2Ban enabled
 
 
 
db configuration setprop httpd-e-smith Fail2Ban enabled
 
 
 
config setprop fail2ban MailRecipient root
 
 
 
config setprop fail2ban FindTime 1200
 
 
 
config setprop fail2ban BanTime 604800
 
 
 
config setprop fail2ban MaxRetry 1
 
 
 
signal-event fail2ban-conf
 
 
 
* don't use MaxTry=0 (apparently it is a special Perl value)
 
 
 
* required www triggers need to have appeared in /var/log/httpd/error_log
 
 
 
* required email triggers need to have appeared in /var/log/*qpsmtpd/current
 
 
 
I broke the master template by making the internal multipliers ($MaxRetry/$max) equivalent to unity. <br />
 
The expanded jail.conf then showed only my own db command value for MaxRetry=1: <br />
 
see /etc/e-smith/templates/ect/fail2ban/jail.conf/*
 
 
 
On installation and eventual configuration I have observed automatic immediate bans <br />
 
for all 'relaying denied' email and iterations of semalt referer spam within 'findtime':-)
 

Revision as of 17:19, 21 September 2014

Fine. Usually I'm told to put forum stuff into the wiki. Bound to happen the other way around. Have appended to the thread that 'tried' to point to the unwanted piece in the wiki.