DOC: move named and mysql instructions into the filters from jail.conf

2013-10-30 21:12:16 +11:00 · 2013-10-30 21:12:16 +11:00 · de9977441a
parent 7ab909d056
commit de9977441a
3 changed files with 24 additions and 21 deletions
--- a/config/filter.d/mysqld-auth.conf
+++ b/config/filter.d/mysqld-auth.conf
@ -3,6 +3,11 @@
 # Authors: Artur Penttinen
 #          Yaroslav O. Halchenko
 #
+# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld]:
+# log-error=/var/log/mysqld.log
+# log-warning = 2
+#
+# If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf

 [INCLUDES]

--- a/config/filter.d/named-refused.conf
+++ b/config/filter.d/named-refused.conf
@ -4,7 +4,23 @@
 #
 # Author: Yaroslav Halchenko
 #
+# This filter blocks attacks against named (bind9).
 #
+# By default, logging is off
+# with bind9 installation. You will need something like this:
+#
+# logging {
+#     channel security_file {
+#         file "/var/log/named/security.log" versions 3 size 30m;
+#         severity dynamic;
+#         print-time yes;
+#     };
+#     category security {
+#         security_file;
+#     };
+# };
+#
+# in your named.conf to provide proper logging.

 [Definition]

--- a/config/jail.conf
+++ b/config/jail.conf
@ -306,23 +306,6 @@ logpath  = /var/log/auth.log
 ignoreip = 168.192.0.1


-# These jails block attacks against named (bind9). By default, logging is off
-# with bind9 installation. You will need something like this:
-#
-# logging {
-#     channel security_file {
-#         file "/var/log/named/security.log" versions 3 size 30m;
-#         severity dynamic;
-#         print-time yes;
-#     };
-#     category security {
-#         security_file;
-#     };
-# };
-#
-# in your named.conf to provide proper logging.
-# This jail blocks UDP traffic for DNS requests.
-
 # !!! WARNING !!!
 #   Since UDP is connection-less protocol, spoofing of IP and imitation
 #   of illegal actions is way too simple.  Thus enabling of this filter
@ -331,6 +314,8 @@ ignoreip = 168.192.0.1
 #    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
 #   Please DO NOT USE this jail unless you know what you are doing.
 #
+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
+# This jail blocks UDP traffic for DNS requests.
 # [named-refused-udp]
 #
 # enabled  = false
@ -340,6 +325,7 @@ ignoreip = 168.192.0.1
 # logpath  = /var/log/named/security.log
 # ignoreip = 168.192.0.1

+# IMPORTANT: see filter.d/named-refused for instructions to enable logging
 # This jail blocks TCP traffic for DNS requests.
 [named-refused-tcp]

@ -385,9 +371,6 @@ logpath  = /var/log/asterisk/messages
 maxretry = 10


-# To log wrong MySQL access attempts add to /etc/my.cnf:
-# log-error=/var/log/mysqld.log
-# log-warning = 2
 [mysqld-iptables]

 enabled  = false
@ -398,7 +381,6 @@ logpath  = /var/log/mysqld.log
 maxretry = 5


-# If using mysql syslog [mysql_safe] has syslog in /etc/my.cnf
 [mysqld-syslog-iptables]

 enabled  = false