Hi Ross,

I'm abroad at the moment so I don't have enough time to look at all the questions in detail - I will get back to it asap (or as soon as there is no beer on the table, whichever is the first), but regarding parameters definitions within each section - they can be redefined for each section with no problem.

As for log files for apache2 -- are you suggesting to create a separate section for apache2 and have proper path setup?

--
Yarik

On Mon, Dec 05, 2005 at 11:49:33AM -0800, Ross Boylan wrote:
> Package: fail2ban
> Version: 0.6.0-1
> Severity: wishlist
>
> You might note that the log file location needs to be changed for
> Apache2. Although it's pretty obvious, I managed to miss it at first!
> Probably a comment right after the Apache header in the config file
> would be best.
>
> It may be the case that the failure patterns for Apache2 differ from
> those for Apache (v 1). If so, it would be good to provide them.
>
> I notice a lot of probes that show up in error.log but not
> access.log. They look like this:
> ------------------------------------------
> [Sun Nov 27 07:58:26 2005] [error] [client 219.140.132.121] File does not
> exist: /var/www/sfgc/cgi-bin, referer: http://www.lookquick.net/search.php
> [Sun Nov 27 07:59:59 2005] [error] [client 219.140.132.121] File does not
> exist: /var/www/sfgc/xml.php, referer: http://www.lookquick.net
> [Sun Nov 27 08:03:45 2005] [error] [client 219.140.132.121] File does not
> exist: /var/www/sfgc/cgi-bin, referer: http://orseek.com
> [Sun Nov 27 08:04:14 2005] [error] [client 219.140.132.121] File does not
> exist: /var/www/sfgc/xml.php, referer: http://lookquick.net/search.php
> [Sun Nov 27 08:05:44 2005] [error] [client 219.140.132.121] File does not
> exist: /var/www/sfgc/cgi-bin, referer: http://orseek.com
> ------------------------------------------
> To be honest, I'm not sure if these are fairly routine indexing by
> search engines, but they seemed suspicious to me. If appropriate, it
> would be nice to ban on this basis too.
>
> Finally, it seems desirable to have maxfailures and other parameters
> differ for the different sections. It's hard to tell whether this is
> possible already. If it is, perhaps modify
> ---------------------------------------------
> # password failure. Each section has to define the following
> # options: logfile, fwban, fwunban, timeregex, timepattern,
> # failregex.
> --------------------------------------------------
> in fail2ban.conf. After "password failure." add "Each section may
> also redefine any of the parameters given above. The redefinition
> affects that section only." Note this wording implies both [DEFAULT]
> and [MAIL] parameters can be redefined, which seems best. If it's
> only one, adjust accordingly.
>
> If this feature doesn't exist, it would be nice to add it.
>
> -- System Information:
> Debian Release: testing/unstable
> APT prefers testing
> APT policy: (990, 'testing'), (990, 'stable'), (50, 'unstable')
> Architecture: i386 (i686)
> Shell: /bin/sh linked to /bin/bash
> Kernel: Linux 2.4.27advncdfs
> Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
>
> Versions of packages fail2ban depends on:
> ii iptables 1.3.3-2 Linux kernel 2.4+ iptables
> adminis
> ii python 2.3.5-3 An interactive high-level
> object-o
>
> fail2ban recommends no packages.
>
> -- no debconf information

--
                                  .-.
=------------------------------   /v\  ----------------------------=
Keep in touch                    // \\     (yoh@|www.)onerussian.com
Yaroslav Halchenko              /(   )\               ICQ#: 60653192
                   Linux User    ^^-^^    [175555]
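Added example, not part of the original message and not fail2ban's own code: a sketch of banning on the "File does not exist" entries discussed in the report, counting misses per client against a maxfailures threshold. The regex, the `window` parameter, the default values and the sample log (documentation-range addresses) are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the error.log format quoted in the report
# (documentation-range addresses, made-up paths), in chronological order.
SAMPLE_LOG = """\
[Sun Nov 27 07:00:00 2005] [error] [client 198.51.100.5] File does not exist: /var/www/site/old.html
[Sun Nov 27 07:30:00 2005] [error] [client 198.51.100.5] File does not exist: /var/www/site/robots.txt
[Sun Nov 27 07:58:26 2005] [error] [client 192.0.2.10] File does not exist: /var/www/site/cgi-bin, referer: http://example.com/search.php
[Sun Nov 27 07:59:59 2005] [error] [client 192.0.2.10] File does not exist: /var/www/site/xml.php, referer: http://example.com
[Sun Nov 27 08:00:00 2005] [error] [client 192.0.2.77] File does not exist: /var/www/site/favicon.ico
[Sun Nov 27 08:01:00 2005] [error] [client 192.0.2.77] client denied by server configuration: /var/www/site/private
[Sun Nov 27 08:03:45 2005] [error] [client 192.0.2.10] File does not exist: /var/www/site/cgi-bin, referer: http://example.org
[Sun Nov 27 08:04:14 2005] [error] [client 192.0.2.10] File does not exist: /var/www/site/xml.php, referer: http://example.com/search.php
[Sun Nov 27 08:10:00 2005] [error] [client 198.51.100.5] File does not exist: /var/www/site/sitemap.xml
"""

# Hypothetical pattern (not a filter shipped with fail2ban). Anchored at the
# start of the line so text inside the path or referer, which the client
# controls, cannot be mistaken for the [client ...] field.
MISS_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<host>\d{1,3}(?:\.\d{1,3}){3})\] "
    r"File does not exist: "
)
TIME_FMT = "%a %b %d %H:%M:%S %Y"


def hosts_to_ban(log_text, maxfailures=3, window=timedelta(minutes=10)):
    """Map each host to the time of the miss that reached maxfailures within window."""
    recent = defaultdict(deque)  # host -> timestamps of misses still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = MISS_RE.match(line)
        if m is None or m.group("host") in flagged:
            continue
        ts = datetime.strptime(m.group("ts"), TIME_FMT)
        seen = recent[m.group("host")]
        seen.append(ts)
        while ts - seen[0] > window:  # drop misses older than the window
            seen.popleft()
        if len(seen) >= maxfailures:
            flagged[m.group("host")] = ts
    return flagged


if __name__ == "__main__":
    for host, when in hosts_to_ban(SAMPLE_LOG).items():
        print(f"{host} reached the threshold at {when}")
```

The time window is what keeps a slow, occasional source of 404s (such as a crawler following stale links) from accumulating toward the threshold the way a burst of probes does.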

