DOC: a bit extended and reordered run-rootless.txt

pull/16/merge
Yaroslav Halchenko 2012-01-07 19:43:15 -05:00
parent 959146128f
commit f3f80d49ce
1 changed files with 33 additions and 16 deletions


@ -48,28 +48,45 @@ without the ability to mess up other iptables rules.
The xt_recent-echo jail can be used under the root user without The xt_recent-echo jail can be used under the root user without
further configuration. To run not as root, futher setup is necessary: further configuration. To run not as root, futher setup is necessary:
- add user fail2ban who can read /var/log/auth.log and other - Create user:
- set FAIL2BAN_USER in /etc/default/fail2ban.
This probably should be fail2ban.
- add user fail2ban who can read /var/log/auth.log and other
necessary log files. Log files are owned by group 'adm', so necessary log files. Log files are owned by group 'adm', so
it is enough if this user belongs to this group. it is enough if this user belongs to this group.
The user can be created e.g. with The user can be created e.g. with
useradd --system --no-create-home --home-dir / --groups adm fail2ban useradd --system --no-create-home --home-dir / --groups adm fail2ban
- put a rule to check the xt_recent list in the static firewall - Statically initialize chains firewall:
initialization script, with a name like fail2ban-ssh.
- put a rule to check the xt_recent list in the static firewall initialization
script, with names like fail2ban-ssh (action uses separate chains per each
jail, so define here the ones you need 1-per-jail)
Sample invocation might be Sample invocation might be
iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j DROP iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j DROP
with <name> suitably replaced. with <name> suitably replaced.
- set FAIL2BAN_USER in /etc/default/fail2ban. - suppress actionstart for iptables-xt_recent-echo action by creating an override file
iptables-xt_recent-echo.local to accompany iptables-xt_recent-echo.conf with
This probably should be fail2ban. [Definition]
actionstart =
- make sure that logfiles of fail2ban itself are writable by the - Permissions:
fail2ban user. /etc/init.d/fail2ban will change the ownership at
startup, but it is also necessary to modify make sure that configuration files under /etc/fail2ban are readable by
/etc/logrotate.d/fail2ban. fail2ban user. Make sure that logfiles of fail2ban itself are writable
by the fail2ban user. /etc/init.d/fail2ban will change the ownership at
startup, but it is also necessary to modify /etc/logrotate.d/fail2ban.
The simplest way is to replace '# create ...' with the following The simplest way is to replace '# create ...' with the following
# create 640 fail2ban adm # create 640 fail2ban adm