NF: run as different user (disabled by default)
parent
aa4f5cf2b7
commit
de502cf2e4
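--- a/PLACEHOLDER-PATH-defaults-file
+++ b/PLACEHOLDER-PATH-defaults-file
@@ -21,3 +21,19 @@
 # Command line options for Fail2Ban. Refer to "fail2ban-client -h" for
 # valid options.
 FAIL2BAN_OPTS=""
+
+# Run fail2ban as a different user. If not set, fail2ban
+# will run as root.
+#
+# The user is not created automatically.
+# The user can be created e.g. with
+# useradd --system --no-create-home --home-dir / --groups adm fail2ban
+# Log files are readable by group adm by default. Adding the fail2ban
+# user to this group allows it to read the logfiles.
+#
+# Another manual step that needs to be taken is to allow write access
+# for fail2ban user to fail2ban log files. The /etc/init.d/fail2ban
+# script will change the ownership when starting fail2ban. Logrotate
+# needs to be configured seperately, see /etc/logrotate.d/fail2ban.
+#
+# FAIL2BAN_USER="fail2ban"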
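Review bot: The example `useradd` line in the new comment block creates the service account with the system's default login shell, although this user only exists to own the daemon; the example should include `--shell /usr/sbin/nologin` so the account cannot be used for interactive login, i.e. `# useradd --system --no-create-home --home-dir / --shell /usr/sbin/nologin --groups adm fail2ban`. The same block misspells "separately" in `# needs to be configured seperately, see /etc/logrotate.d/fail2ban.`. Since the variable is only a commented-out example here, the effective default comes from the init script, which the comment could say explicitly.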
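--- a/PLACEHOLDER-PATH-init-script
+++ b/PLACEHOLDER-PATH-init-script
@@ -33,6 +33,9 @@ SOCKFILE=`grep -h '^[^#]*socket *=' /etc/$NAME/$NAME.conf /etc/$NAME/$NAME.local
 # Exit if the package is not installed
 [ -x "$DAEMON" ] || exit 0
 
+# Run as root by default.
+FAIL2BAN_USER=root
+
 # Read configuration variable file if it is present
 [ -r /etc/default/$NAME ] && . /etc/default/$NAME
 DAEMON_ARGS="$FAIL2BAN_OPTS"
@@ -103,7 +106,17 @@ do_start()
 # Assure that /var/run/fail2ban exists
 [ -d /var/run/fail2ban ] || mkdir -p /var/run/fail2ban
 
-start-stop-daemon --start --quiet --chuid root --exec $DAEMON -- \
+if [ "$FAIL2BAN_USER" != "root" ]; then
+# Make the socket directory, IP lists and fail2ban log
+# files writable by fail2ban
+chown "$FAIL2BAN_USER" /var/run/fail2ban
+# Create the logfile if it doesn't exist
+touch /var/log/fail2ban.log
+chown "$FAIL2BAN_USER" /var/log/fail2ban.log
+find /proc/net/xt_recent -name 'fail2ban-*' -exec chown "$FAIL2BAN_USER" {} \;
+fi
+
+start-stop-daemon --start --quiet --chuid "$FAIL2BAN_USER" --exec $DAEMON -- \
 $DAEMON_ARGS start > /dev/null\
 || return 2
 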
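Review bot: `FAIL2BAN_USER` is never validated after `/etc/default/$NAME` is sourced, so an empty or misspelled value in the defaults file reaches `chown "$FAIL2BAN_USER" /var/run/fail2ban` and `start-stop-daemon --chuid "$FAIL2BAN_USER"` in do_start, giving chown errors and a failed start with no hint of the cause; add `: "${FAIL2BAN_USER:=root}"` after the sourcing line and, at the top of the non-root branch, `getent passwd "$FAIL2BAN_USER" >/dev/null || { echo "unknown FAIL2BAN_USER: $FAIL2BAN_USER" >&2; return 2; }`. In the same branch `find /proc/net/xt_recent ...` runs unconditionally, but that directory presumably exists only while the xt_recent module is loaded, so every start without it prints a find error; guard it with `[ -d /proc/net/xt_recent ] && find /proc/net/xt_recent -name 'fail2ban-*' -exec chown "$FAIL2BAN_USER" {} \;`. The do_start function starts and ends outside the hunk.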
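--- a/PLACEHOLDER-PATH-logrotate-file
+++ b/PLACEHOLDER-PATH-logrotate-file
@@ -9,5 +9,9 @@
 postrotate
 fail2ban-client set logtarget /var/log/fail2ban.log >/dev/null
 endscript
+
+# If fail2ban runs as non-root it still needs to have write access
+# to logfiles.
+# create 640 fail2ban adm
 create 640 root adm
 }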
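Review bot: With `create 640 root adm` left active and the non-root variant only as a comment, a deployment that sets FAIL2BAN_USER gets a root-owned 640 log file after the first rotation, and the `fail2ban-client set logtarget` call in postrotate then points the daemon at a file it presumably can no longer write; the init script only corrects ownership on start. The new comment should name that dependency rather than just the need for write access, e.g. `# The owner below must match FAIL2BAN_USER in /etc/default/fail2ban, or the daemon may lose write access to the log after rotation until its next restart.`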