Package: fail2ban
Version: 0.6.0-1
Severity: wishlist

You might note that the log file location needs to be changed for Apache2. Although it's pretty obvious, I managed to miss it at first! Probably a comment right after the Apache header in the config file would be best.
It may be the case that the failure patterns for Apache2 differ from those for Apache (v 1). If so, it would be good to provide them.

I notice a lot of probes that show up in error.log but not access.log. They look like this:

------------------------------------------
[Sun Nov 27 07:58:26 2005] [error] [client 219.140.132.121] File does not exist: /var/www/sfgc/cgi-bin, referer: http://www.lookquick.net/search.php
[Sun Nov 27 07:59:59 2005] [error] [client 219.140.132.121] File does not exist: /var/www/sfgc/xml.php, referer: http://www.lookquick.net
[Sun Nov 27 08:03:45 2005] [error] [client 219.140.132.121] File does not exist: /var/www/sfgc/cgi-bin, referer: http://orseek.com
[Sun Nov 27 08:04:14 2005] [error] [client 219.140.132.121] File does not exist: /var/www/sfgc/xml.php, referer: http://lookquick.net/search.php
[Sun Nov 27 08:05:44 2005] [error] [client 219.140.132.121] File does not exist: /var/www/sfgc/cgi-bin, referer: http://orseek.com
------------------------------------------

To be honest, I'm not sure if these are fairly routine indexing by search engines, but they seemed suspicious to me. If appropriate, it would be nice to ban on this basis too.

Finally, it seems desirable to have maxfailures and other parameters differ for the different sections. It's hard to tell whether this is possible already. If it is, perhaps modify

---------------------------------------------
# password failure. Each section has to define the following
# options: logfile, fwban, fwunban, timeregex, timepattern,
# failregex.
--------------------------------------------------

in fail2ban.conf. After "password failure." add "Each section may also redefine any of the parameters given above. The redefinition affects that section only." Note this wording implies both [DEFAULT] and [MAIL] parameters can be redefined, which seems best. If it's only one, adjust accordingly.

If this feature doesn't exist, it would be nice to add it.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (990, 'stable'), (50, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.4.27advncdfs
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages fail2ban depends on:
ii  iptables  1.3.3-2  Linux kernel 2.4+ iptables adminis
ii  python    2.3.5-3  An interactive high-level object-o

fail2ban recommends no packages.

-- no debconf information
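
An added example, not part of the original report and not fail2ban's own code: a stand-alone Python sketch of the two requests above, matching the Apache2 error.log "File does not exist" lines and applying a per-section maxfailures that falls back to a default. The section name "apache2-noexist", the "window" setting and all numeric limits are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical settings: defaults plus one section that redefines maxfailures,
# as the report asks ("the redefinition affects that section only").
DEFAULT = {"maxfailures": 5, "window": timedelta(minutes=10)}
SECTIONS = {"apache2-noexist": {"maxfailures": 3}}

# Apache2 error.log: [time] [error] [client IP] File does not exist: path
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\] \[error\] "
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] File does not exist: "
)
TIME_FMT = "%a %b %d %H:%M:%S %Y"

# Sample input: the five lines quoted in the report.
SAMPLE = """\
[Sun Nov 27 07:58:26 2005] [error] [client 219.140.132.121] File does not exist: /var/www/sfgc/cgi-bin, referer: http://www.lookquick.net/search.php
[Sun Nov 27 07:59:59 2005] [error] [client 219.140.132.121] File does not exist: /var/www/sfgc/xml.php, referer: http://www.lookquick.net
[Sun Nov 27 08:03:45 2005] [error] [client 219.140.132.121] File does not exist: /var/www/sfgc/cgi-bin, referer: http://orseek.com
[Sun Nov 27 08:04:14 2005] [error] [client 219.140.132.121] File does not exist: /var/www/sfgc/xml.php, referer: http://lookquick.net/search.php
[Sun Nov 27 08:05:44 2005] [error] [client 219.140.132.121] File does not exist: /var/www/sfgc/cgi-bin, referer: http://orseek.com
""".splitlines()

def setting(section, key):
    # A section value wins; anything the section leaves out comes from DEFAULT.
    return SECTIONS.get(section, {}).get(key, DEFAULT[key])

def offenders(lines, section="apache2-noexist"):
    """Return {ip: time the limit was first reached} for the given section."""
    limit, window = setting(section, "maxfailures"), setting(section, "window")
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    banned = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other error.log entries are not counted
        when = datetime.strptime(m["time"], TIME_FMT)
        hits = recent[m["ip"]]
        hits.append(when)
        while when - hits[0] > window:  # drop failures older than the window
            hits.popleft()
        if len(hits) >= limit:
            banned.setdefault(m["ip"], when)
    return banned

if __name__ == "__main__":
    print(offenders(SAMPLE))
```

Whether such requests are search-engine indexing or probes, as the report wonders, is not something the pattern can decide; a low limit on "File does not exist" alone will also catch clients following stale links.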

