Re: #49026: update of fail2ban to v0.9.3

2015-10-14 Thread Rainer Müller
On 2015-10-14 07:52, Francois Claire wrote:
> On 09/10/2015 16:49, Rainer Müller wrote:
>> I noticed some things while trying to set this up. I don't know if these
>> were introduced with fail2ban 0.9.x, so I am just listing them here for
>> discussion.
>>
>> jail.conf:
>>   banaction = iptables-multiport
>>
>> This will never work on OS X because we do not have iptables, right?
>> It would probably make sense to provide a better default (pfctl?).
>> iptables appears in multiple places in this file.
> Indeed. In fact each user shall make his own
> ${prefix}/etc/fail2ban/jail.local where he can enable jails and
> associate the appropriate action to do. Here's mine:
> 
> $ cat /opt/local/etc/fail2ban/jail.local
> [DEFAULT]
> bantime = 36000
> 
> [sshd]
> enabled = true
> action = pf-icefloor
> 
> I'm using pf firewall rules set by icefloor so I'm using the bruteforce
> table to block scanners. There's other actions to use under OSX like
> osx-afctl which is using the adaptive firewall. All actions can be
> found and tuned under ${prefix}/etc/fail2ban/action.d/

Thanks for the example. I just meant it would make sense to set it to a
patch in a default that actually works.

>>
>> fail2ban.conf:
>>   dbfile = /opt/local/var/run/fail2ban/fail2ban.sqlite3
>>
>> Persistent files are usually stored in ${prefix}/var/lib/ or
>> ${prefix}/var/db/ and not ${prefix}/var/run/. The latter is meant to
>> hold volatile files (for example, the PID of the running daemon).
> Indeed this db file might not be at the best place in the file system.
> Although it might be considered as volatile: if it doesn't exist
> fail2ban just creates a new one.
> 
> Which place would be better?

I would have expected ${prefix}/var/db/fail2ban/fail2ban.sqlite3
                                    ^^
See also 'man porthier' for the prefix layout.

>> paths-osx.conf:
>>   apache_error_log = /private/var/log/apache2/error_log
>>   apache_access_log = /private/var/log/apache2/access_log
>>
>> Would it make sense to point these to apache2 from MacPorts? That would
>> probably be something in ${prefix}/apache2/logs/.
> I'm using fail2ban on my mac mini with OSX server so that's the path for
> apache included in the apple server app. These settings can be overridden
> in fail2ban.local or jail.local.

Ah, I did not think of OS X server. Sounds reasonable.

Rainer
___
macports-dev mailing list
macports-dev@lists.macosforge.org
https://lists.macosforge.org/mailman/listinfo/macports-dev
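As an added example (not fail2ban's or MacPorts' own code), a small Python check for the point raised above about the iptables-multiport default: it layers jail.conf and jail.local the way fail2ban does, resolves each enabled jail's effective action, and reports jails whose action needs a firewall tool the host does not have. The sample configs and the action-name-to-tool mapping are constructed assumptions.

```python
"""Added example (not fail2ban's own code): resolve each enabled jail's
effective action from jail.conf + jail.local and flag actions whose
firewall tool is absent, e.g. the iptables-multiport default on OS X."""
import configparser

# Constructed stand-ins mirroring the values quoted in the thread.
JAIL_CONF = """
[DEFAULT]
banaction = iptables-multiport
[sshd]
enabled = false
"""
JAIL_LOCAL = """
[DEFAULT]
bantime = 36000
[sshd]
enabled = true
action = pf-icefloor
"""
# Assumed mapping from action-name prefix to the command it shells out to.
ACTION_TOOL = {"iptables": "iptables", "pf": "pfctl", "osx-afctl": "afctl"}


def load_jails(*texts):
    """Layer jail.conf then jail.local (later wins); no %()s interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    for text in texts:
        cp.read_string(text)
    return cp


def tool_for(action):
    """'pf-icefloor' -> 'pfctl', 'iptables-multiport' -> 'iptables'."""
    for prefix, tool in ACTION_TOOL.items():
        if action == prefix or action.startswith(prefix + "-"):
            return tool
    return None  # unknown action family: cannot judge


def unusable_jails(cp, available_tools):
    """{jail: action} for enabled jails whose action needs a missing tool.
    A jail without its own 'action' inherits the DEFAULT banaction."""
    bad = {}
    for jail in cp.sections():
        if not cp.getboolean(jail, "enabled", fallback=False):
            continue
        action = cp.get(jail, "action", fallback=cp.get("DEFAULT", "banaction"))
        action = action.split("[", 1)[0].strip()  # strip [param=value] suffix
        tool = tool_for(action)
        if tool is not None and tool not in available_tools:
            bad[jail] = action
    return bad
```

Enabling a jail in jail.local without also setting `action` is exactly the case the check catches: the jail silently inherits the iptables default.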


Re: #49026: update of fail2ban to v0.9.3

2015-10-13 Thread Francois Claire

On 09/10/2015 16:49, Rainer Müller wrote:
> Thanks for your work in porting and patching fail2ban!

You're welcome. Thanks to you and other MacPorts developers for having
carefully checked and committed it.

> I noticed some things while trying to set this up. I don't know if these
> were introduced with fail2ban 0.9.x, so I am just listing them here for
> discussion.
>
> jail.conf:
>    banaction = iptables-multiport
>
> This will never work on OS X because we do not have iptables, right?
> It would probably make sense to provide a better default (pfctl?).
> iptables appears in multiple places in this file.

Indeed. In fact each user shall make his own
${prefix}/etc/fail2ban/jail.local where he can enable jails and
associate the appropriate action to do. Here's mine:

$ cat /opt/local/etc/fail2ban/jail.local
[DEFAULT]
bantime = 36000

[sshd]
enabled = true
action = pf-icefloor

I'm using pf firewall rules set by icefloor so I'm using the bruteforce
table to block scanners. There's other actions to use under OSX like
osx-afctl which is using the adaptive firewall. All actions can be
found and tuned under ${prefix}/etc/fail2ban/action.d/

> fail2ban.conf:
>    dbfile = /opt/local/var/run/fail2ban/fail2ban.sqlite3
>
> Persistent files are usually stored in ${prefix}/var/lib/ or
> ${prefix}/var/db/ and not ${prefix}/var/run/. The latter is meant to
> hold volatile files (for example, the PID of the running daemon).

Indeed this db file might not be at the best place in the file system.
Although it might be considered as volatile: if it doesn't exist
fail2ban just creates a new one.

Which place would be better?

> paths-osx.conf:
>    apache_error_log = /private/var/log/apache2/error_log
>    apache_access_log = /private/var/log/apache2/access_log
>
> Would it make sense to point these to apache2 from MacPorts? That would
> probably be something in ${prefix}/apache2/logs/.

I'm using fail2ban on my mac mini with OSX server so that's the path for
apache included in the apple server app. These settings can be overridden
in fail2ban.local or jail.local.

Francois.


Re: #49026: update of fail2ban to v0.9.3

2015-10-09 Thread Rainer Müller
Hello Francois,

On 2015-10-05 09:04, Francois Claire wrote:
> Could someone please check and commit this one?
> 
> https://trac.macports.org/ticket/49026

Thanks for your work in porting and patching fail2ban!

I noticed some things while trying to set this up. I don't know if these
were introduced with fail2ban 0.9.x, so I am just listing them here for
discussion.

jail.conf:
  banaction = iptables-multiport

This will never work on OS X because we do not have iptables, right?
It would probably make sense to provide a better default (pfctl?).
iptables appears in multiple places in this file.

fail2ban.conf:
  dbfile = /opt/local/var/run/fail2ban/fail2ban.sqlite3

Persistent files are usually stored in ${prefix}/var/lib/ or
${prefix}/var/db/ and not ${prefix}/var/run/. The latter is meant to
hold volatile files (for example, the PID of the running daemon).

paths-osx.conf:
  apache_error_log = /private/var/log/apache2/error_log
  apache_access_log = /private/var/log/apache2/access_log

Would it make sense to point these to apache2 from MacPorts? That would
probably be something in ${prefix}/apache2/logs/.

Rainer