I'm setting up fail2ban,
for example to protect proftpd.
Here is the DEFAULT section of the configuration file jails.conf:
[DEFAULT]
ignoreip = 127.0.0.1
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = polling
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = [email protected]
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
#
# Action shortcuts. To be used to define action parameter
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s"]
             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
It does not contain the parameters bantime = 600 and maxretry = 3.
But if we look at the log, cat /var/log/fail2ban.log,
we see that exactly those values are being set:
2011-11-04 12:18:42,086 fail2ban.jail : INFO Jail 'proftpd' stopped
2011-11-04 12:18:43,084 fail2ban.jail : INFO Jail 'ssh' stopped
2011-11-04 12:18:43,091 fail2ban.server : INFO Exiting Fail2ban
2011-11-04 12:18:43,597 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4-SVN
2011-11-04 12:18:43,599 fail2ban.jail : INFO Creating new jail 'ssh'
2011-11-04 12:18:43,599 fail2ban.jail : INFO Jail 'ssh' uses poller
2011-11-04 12:18:43,632 fail2ban.filter : INFO Added logfile = /var/log/auth.log
2011-11-04 12:18:43,634 fail2ban.filter : INFO Set maxRetry = 3
2011-11-04 12:18:43,638 fail2ban.filter : INFO Set findtime = 604800
2011-11-04 12:18:43,640 fail2ban.actions: INFO Set banTime = 600
2011-11-04 12:18:43,787 fail2ban.jail : INFO Creating new jail 'proftpd'
2011-11-04 12:18:43,787 fail2ban.jail : INFO Jail 'proftpd' uses poller
2011-11-04 12:18:43,790 fail2ban.filter : INFO Added logfile = /var/log/proftpd/proftpd.log
2011-11-04 12:18:43,791 fail2ban.filter : INFO Set maxRetry = 3
2011-11-04 12:18:43,796 fail2ban.filter : INFO Set findtime = 604800
2011-11-04 12:18:43,797 fail2ban.actions: INFO Set banTime = 600
2011-11-04 12:18:43,826 fail2ban.jail : INFO Jail 'ssh' started
2011-11-04 12:18:43,831 fail2ban.jail : INFO Jail 'proftpd' started
Even though the values of these parameters in the jail sections
are completely different:
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
# one year - 365 days
bantime = 31536000
# 1 week
findtime = 604800
ignoreip = 127.0.0.1 192.168.0.0/24

[proftpd]
enabled = true
port = ftp,ftp-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
# 5 attempts, also add the MaxLoginAttempts 5 parameter to the proftpd.conf
maxretry = 6
# one year - 365 days
# bantime = 31536000
bantime = 100
# 1 week
findtime = 604800
ignoreip = 127.0.0.1 192.168.0.0/24
I checked /etc/default, everything is clean there.
Question: why does this happen?
--
Regards,
technical and software support specialist,
system administrator
Vladimir Skubriev
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Russia, Rostov region, Taganrog
mobile: +7 (918) 504 38 20
skype: v.skubriev
icq: 214-800-502
www: skubriev.ru
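A way to check a question like the one above mechanically, as an added example that is neither the poster's configuration nor fail2ban's own code: it layers jail.conf and jail.local the way fail2ban reads them (jail.conf first, then jail.local, whose keys override), resolves the effective maxretry/findtime/bantime for every enabled jail, and compares them with the "Set ..." lines fail2ban writes to fail2ban.log at startup. The sample configuration and log below are constructed from the values quoted in the message (the jail.local fragment is a hypothetical one that lowers the proftpd ban time), so every mismatch it reports is exactly the discrepancy the poster describes.

```python
# Added example (not the poster's or fail2ban's own code): resolve the
# maxretry/findtime/bantime each jail should get from jail.conf + jail.local,
# then compare with what fail2ban logged at startup.
import configparser
import re

KEYS = ("maxretry", "findtime", "bantime")

# Constructed sample jail.conf, trimmed to the values from the message.
JAIL_CONF = """
[DEFAULT]
ignoreip = 127.0.0.1
backend = polling
protocol = tcp

[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 4
bantime = 31536000
findtime = 604800

[proftpd]
enabled = true
port = ftp,ftp-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
bantime = 31536000
findtime = 604800
"""

# Hypothetical jail.local: read after jail.conf, so its keys win.
JAIL_LOCAL = """
[proftpd]
bantime = 100
"""

# Startup lines in the fail2ban 0.8 log format (values from the message, unwrapped).
FAIL2BAN_LOG = """\
2011-11-04 12:18:43,599 fail2ban.jail   : INFO   Creating new jail 'ssh'
2011-11-04 12:18:43,632 fail2ban.filter : INFO   Added logfile = /var/log/auth.log
2011-11-04 12:18:43,634 fail2ban.filter : INFO   Set maxRetry = 3
2011-11-04 12:18:43,638 fail2ban.filter : INFO   Set findtime = 604800
2011-11-04 12:18:43,640 fail2ban.actions: INFO   Set banTime = 600
2011-11-04 12:18:43,787 fail2ban.jail   : INFO   Creating new jail 'proftpd'
2011-11-04 12:18:43,791 fail2ban.filter : INFO   Set maxRetry = 3
2011-11-04 12:18:43,796 fail2ban.filter : INFO   Set findtime = 604800
2011-11-04 12:18:43,797 fail2ban.actions: INFO   Set banTime = 600
2011-11-04 12:18:43,831 fail2ban.jail   : INFO   Jail 'proftpd' started
"""

LOG_JAIL_RE = re.compile(r"Creating new jail '([^']+)'")
LOG_SET_RE = re.compile(r"Set (maxRetry|findtime|banTime) = (\d+)")


def effective_settings(*config_texts):
    """Layer the config texts in the given order (jail.conf, then jail.local)
    and return {jail: {key: int or None}} for every enabled jail.  A key comes
    from the jail section if present, otherwise from [DEFAULT]; None means it
    is set nowhere and fail2ban will fall back to its built-in default."""
    parser = configparser.ConfigParser(interpolation=None)  # keep %(...)s literal
    for text in config_texts:
        parser.read_string(text)  # later texts override earlier keys
    result = {}
    for jail in parser.sections():  # [DEFAULT] is not listed here
        if parser.getboolean(jail, "enabled", fallback=False):
            result[jail] = {k: parser.getint(jail, k, fallback=None) for k in KEYS}
    return result


def settings_from_log(log_text):
    """Reconstruct the values fail2ban reported at startup: each
    'Creating new jail' line opens a jail and the following 'Set ...' lines
    belong to it (fail2ban logs maxRetry/banTime in camel case)."""
    applied, current = {}, None
    for line in log_text.splitlines():
        m = LOG_JAIL_RE.search(line)
        if m:
            current = m.group(1)
            applied[current] = {}
            continue
        m = LOG_SET_RE.search(line)
        if m and current is not None:
            applied[current][m.group(1).lower()] = int(m.group(2))
    return applied


def mismatches(expected, applied):
    """Return (jail, key, configured, logged) for every value that differs."""
    out = []
    for jail, values in expected.items():
        for key in KEYS:
            logged = applied.get(jail, {}).get(key)
            if logged != values[key]:
                out.append((jail, key, values[key], logged))
    return out


if __name__ == "__main__":
    wanted = effective_settings(JAIL_CONF, JAIL_LOCAL)
    for jail, key, configured, logged in mismatches(wanted, settings_from_log(FAIL2BAN_LOG)):
        print(f"[{jail}] {key}: configured {configured}, fail2ban applied {logged}")
```

On a real host, replace the three constants with the contents of /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local and /var/log/fail2ban.log; any row the script prints is a jail whose running limits are not the ones the files say, which is the first thing to verify before reasoning about the config itself.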