On 2015-10-14 07:52, Francois Claire wrote:
> On 09/10/2015 16:49, Rainer Müller wrote:
>> I noticed some things while trying to set this up. I don't know if these
>> were introduced with fail2ban 0.9.x, so I am just listing them here for
>> discussion.
>>
>> jail.conf:
>> banaction = iptables-multiport
>>
>> This will never work on OS X because we do not have iptables, right?
>> It would probably make sense to provide a better default (pfctl?).
>> iptables appears in multiple places in this file.
> Indeed. In fact each user shall make his own
> ${prefix}/etc/fail2ban/jail.local where he can enable jails and
> associate the appropriate action to do. Here's mine:
>
> $ cat /opt/local/etc/fail2ban/jail.local
> [DEFAULT]
> bantime = 36000
>
> [sshd]
> enabled = true
> action = pf-icefloor
>
> I'm using pf firewall rules set by icefloor so I'm using the bruteforce
> table to block scanners. There's other actions to use under OSX like
> osx-afctl which is using the adaptive firewall. All actions can be
> found and tuned under ${prefix}/etc/fail2ban/action.d/

Thanks for the example. I just meant it would make sense to set it to a
patch in a default that actually works.

>> fail2ban.conf:
>> dbfile = /opt/local/var/run/fail2ban/fail2ban.sqlite3
>>
>> Persistent files are usually stored in ${prefix}/var/lib/ or
>> ${prefix}/var/db/ and not ${prefix}/var/run/. The latter is meant to
>> hold volatile files (for example, the PID of the running daemon).
> Indeed this db file might not be at the best place in the file system.
> Although it might be considered as volatile: if it doesn't exist
> fail2ban just creates a new one.
>
> Which place would be better?

I would have expected ${prefix}/var/db/fail2ban/fail2ban.sqlite3
                                    ^^

See also 'man porthier' for the prefix layout.

>> paths-osx.conf:
>> apache_error_log = /private/var/log/apache2/error_log
>> apache_access_log = /private/var/log/apache2/access_log
>>
>> Would it make sense to point these to apache2 from MacPorts? That would
>> probably be something in ${prefix}/apache2/logs/.
> I'm using fail2ban on my mac mini with OSX server so that's the path for
> apache included in the apple server app. These settings can be overridden
> in fail2ban.local or jail.local.

Ah, I did not think of OS X server. Sounds reasonable.

Rainer

_______________________________________________
macports-dev mailing list
macports-dev@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-dev
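The thread's point is that the shipped default (banaction = iptables-multiport) silently references a tool that does not exist on OS X, and that jail.local is where a user overrides it. The following is an added example, not code from the thread or from fail2ban itself: it layers a jail.local over a jail.conf the way fail2ban resolves them (.local wins) and reports enabled jails whose action needs a binary that is not installed. The two config snippets are constructed inline, and the action-to-binary table is an assumption about which tool each action script shells out to.

```python
"""Flag enabled fail2ban jails whose ban action needs a missing binary."""
import configparser
import shutil

# Constructed snippets mirroring the thread: jail.conf carries the
# Linux-centric default, jail.local (Francois' example) overrides it.
JAIL_CONF = """
[DEFAULT]
banaction = iptables-multiport
action = %(banaction)s[name=%(__name__)s]
[sshd]
enabled = false
[apache-auth]
enabled = true
"""
JAIL_LOCAL = """
[DEFAULT]
bantime = 36000
[sshd]
enabled = true
action = pf-icefloor
"""

# Assumed mapping from action name to the firewall tool it invokes.
ACTION_BINARY = {"iptables-multiport": "iptables",
                 "pf-icefloor": "pfctl", "osx-afctl": "afctl"}

def load_jails(conf_text, local_text):
    """Layer jail.local over jail.conf: keys read later override earlier ones."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    cp.read_string(local_text)
    return cp

def effective_action(cp, jail):
    """Resolve the action name a jail will run, dropping the [args] suffix."""
    action = cp.get(jail, "action")  # falls back to [DEFAULT] if unset
    action = action.replace("%(banaction)s", cp.get(jail, "banaction"))
    return action.split("[", 1)[0].strip()

def broken_jails(cp, available):
    """Enabled jails whose action needs a binary not in `available`."""
    out = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        act = effective_action(cp, jail)
        binary = ACTION_BINARY.get(act)
        if binary not in available:
            out[jail] = (act, binary)
    return out

if __name__ == "__main__":
    present = {b for b in ACTION_BINARY.values() if shutil.which(b)}
    print(broken_jails(load_jails(JAIL_CONF, JAIL_LOCAL), present))
```

Run on an OS X host the constructed config reports only apache-auth, because sshd was redirected to pf-icefloor in jail.local while apache-auth still inherits the iptables default.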