small review, added to howtos in sidebar

master
sebres 2016-11-14 20:28:46 +01:00
parent 612e9ae3a8
commit 765c5da453
2 changed files with 11 additions and 2 deletions

@ -73,9 +73,17 @@ fail2ban-regex --raw /var/log/auth.log '^\s*(?:\S+\s+)?(?:[^:]+:auth\[\d+\]:\s+)
**[Q]** I don't have any failure-ID in the log-entry, can I nevertheless configure the fail2ban, that it should simply execute some command if some message will be found in observed log-file<br/> **[Q]** I don't have any failure-ID in the log-entry, can I nevertheless configure the fail2ban, that it should simply execute some command if some message will be found in observed log-file<br/>
**[A]** Yes, if you've no failure-id at all (no user-id, e-mail or something other), but you'll that fail2ban execute some shell script after failure occurrence, you should additionally: **[A]** Yes, if you've no failure-id at all (no user-id, e-mail or something other), but you'll that fail2ban execute some shell script after failure occurrence, you should additionally:
* set empty or something other as match for failure-id (still `<host>` in 0.9th-branch) in `failregex`; * set empty or something other as match for failure-id (still `<host>` in 0.9th-branch) in `failregex`, example:
``` bash
# DDOS resp. "too many IPs" will be used as failure-ID:
failregex = ^<F-ID>DDOS</F-ID> attack detected$
^IDS raises alarm: <F-ID>too many IPs</F-ID> in stack$
```
* set `maxretry = 1` and `findtime = 1` (ban after first occurrence in 1 seconds); * set `maxretry = 1` and `findtime = 1` (ban after first occurrence in 1 seconds);
* set small `bantime` (e. g. 1 second) to this "jail" (otherwise no "ban" action will be executed in this time, because "already banned" occurs), e. g. `bantime = 1` * set small `bantime` (e. g. 1 second) to this "jail" (otherwise no "ban" action will be executed in this time, because "already banned" occurs), e. g. `bantime = 1`
* you need to specify only `actionban` parameter in your custom action file (`actionban = /user/bin/command.sh`); * you need to specify only `actionban` parameter in your custom action file:
```bash
actionban = /user/bin/ids-attack.sh '<fid>'
```
* `actionban` script will be executed as root (or with user, fail2ban running), so use `su` if other/restricted user needed; * `actionban` script will be executed as root (or with user, fail2ban running), so use `su` if other/restricted user needed;
- set `usedns`, `ignoreip`, `ignorecommand` as suggested above, otherwise you can get error by comparison with empty/illegal host (that will be found by "failure"); - set `usedns`, `ignoreip`, `ignorecommand` as suggested above, otherwise you can get error by comparison with empty/illegal host (that will be found by "failure");
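Review bot: the path in the new `actionban` example, `actionban = /user/bin/ids-attack.sh '<fid>'`, looks like a typo for `/usr/bin/ids-attack.sh` (the same `/user/bin/` appears in the line being replaced, so this is a chance to correct both). Since `<fid>` is substituted from text captured by `failregex`, keeping the single quotes around it is the right call; it may be worth a short sentence that the script receives the captured failure-ID as its argument so readers understand why the quoting is there. Two wording fixes in the same hunk: "but you'll that fail2ban execute some shell script" reads oddly and could be "but you want fail2ban to execute some shell script", and "ban after first occurrence in 1 seconds" should be "in 1 second".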

@ -1,6 +1,7 @@
<h2>HowTo's</h2> <h2>HowTo's</h2>
* [Test newer fail2ban version](How-to-test-newer-fail2ban-version-resp.-use-fail2ban-standalone-instance) * [Test newer fail2ban version](How-to-test-newer-fail2ban-version-resp.-use-fail2ban-standalone-instance)
* [Create standalone instance](How-to-test-newer-fail2ban-version-resp.-use-fail2ban-standalone-instance) * [Create standalone instance](How-to-test-newer-fail2ban-version-resp.-use-fail2ban-standalone-instance)
* [Ban something other as host/IP, like user or e-mail](How-to-ban-something-other-as-host-(IP-address),-like-user-or-mail,-etc.)
--- ---
<h2>FAQ</h2> <h2>FAQ</h2>
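Review bot: the new sidebar link target `How-to-ban-something-other-as-host-(IP-address),-like-user-or-mail,-etc.` contains unescaped parentheses inside a markdown link, which many renderers cut off at the first `)`; escaping them as `\(IP-address\)` or wrapping the target in `<...>` would keep the link intact. Also, "something other as host/IP" in the link text should be "something other than host/IP".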