DOC: a bit extended and reordered run-rootless.txt

pull/16/merge
Yaroslav Halchenko 2012-01-07 19:43:15 -05:00
parent 959146128f
commit f3f80d49ce
1 changed files with 33 additions and 16 deletions

@ -48,28 +48,45 @@ without the ability to mess up other iptables rules.
The xt_recent-echo jail can be used under the root user without
further configuration. To run not as root, futher setup is necessary:
- add user fail2ban who can read /var/log/auth.log and other
necessary log files. Log files are owned by group 'adm', so
it is enough if this user belongs to this group.
The user can be created e.g. with
useradd --system --no-create-home --home-dir / --groups adm fail2ban
- put a rule to check the xt_recent list in the static firewall
initialization script, with a name like fail2ban-ssh.
Sample invocation might be
iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j DROP
with <name> suitably replaced.
- Create user:
- set FAIL2BAN_USER in /etc/default/fail2ban.
This probably should be fail2ban.
- make sure that logfiles of fail2ban itself are writable by the
fail2ban user. /etc/init.d/fail2ban will change the ownership at
startup, but it is also necessary to modify
/etc/logrotate.d/fail2ban.
- add user fail2ban who can read /var/log/auth.log and other
necessary log files. Log files are owned by group 'adm', so
it is enough if this user belongs to this group.
The user can be created e.g. with
useradd --system --no-create-home --home-dir / --groups adm fail2ban
- Statically initialize chains firewall:
- put a rule to check the xt_recent list in the static firewall initialization
script, with names like fail2ban-ssh (action uses separate chains per each
jail, so define here the ones you need 1-per-jail)
Sample invocation might be
iptables -I INPUT -m recent --update --seconds 3600 --name fail2ban-<name> -j DROP
with <name> suitably replaced.
- suppress actionstart for iptables-xt_recent-echo action by creating an override file
iptables-xt_recent-echo.local to accompany iptables-xt_recent-echo.conf with
[Definition]
actionstart =
- Permissions:
make sure that configuration files under /etc/fail2ban are readable by
fail2ban user. Make sure that logfiles of fail2ban itself are writable
by the fail2ban user. /etc/init.d/fail2ban will change the ownership at
startup, but it is also necessary to modify /etc/logrotate.d/fail2ban.
The simplest way is to replace '# create ...' with the following
# create 640 fail2ban adm
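Review bot: the logrotate suggestion at the end of the hunk is still commented out; in logrotate syntax `# create 640 fail2ban adm` is a comment and has no effect, so after the first rotation the new log file would revert to the default owner and the fail2ban user would lose write access to its own log. Suggest `create 640 fail2ban adm` (the leading `#` belongs only to the `'# create ...'` line being replaced). Two smaller points in the same hunk: the heading `- Statically initialize chains firewall:` reads awkwardly, and the items under it set up xt_recent list names (`-m recent ... --name fail2ban-<name>`) rather than chains, so `- Statically initialize the firewall:` would match the sample invocation better; and under `- Create user:` the `set FAIL2BAN_USER in /etc/default/fail2ban` step is listed before the `useradd ... fail2ban` step that actually creates the user, so reordering those two sub-items would make the procedure read in execution order.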