Koozali.org: home of the SME Server

Obsolete Releases => SME 7.x Contribs => Topic started by: Jean-Philippe Pialasse on May 26, 2010, 06:07:52 PM

Title: fail2ban contribs on its way
Post by: Jean-Philippe Pialasse on May 26, 2010, 06:07:52 PM
Hello,

I am currently working on a fail2ban contrib. I would need some intrusion log examples in order to make some regex rules. Please send them to tests _at_ pialasse -dot- com.

You can look for the intrusions in these files:

- ftp : /var/log/ftp/ or /var/log/proftp
- imaps : /var/log/imaps/current
- pops : /var/log/pops/current
- imap : /var/log/imap/current
- pop : /var/log/pop/current
- qpsmtpd : /var/log/sqpsmtpd/current
- webmail : /var/log/httpd/error_log
- server manager : /var/log/httpd/error_log


I currently have some rules working for apache and php url open, as well as sshd (but denyhosts does it better).


I was also planning to make an esmith db in order to store banned IPs during fail2ban restart.



Title: Re: fail2ban contribs on its way
Post by: pwalter on January 04, 2011, 07:47:05 AM
Are we there yet? :-)
Are we there yet? :-)
Are we there yet? :-)
Title: Re: fail2ban contribs on its way
Post by: Jean-Philippe Pialasse on January 05, 2011, 04:48:43 AM
I still need some logs to train my regex.

But it's good to see that somebody is interested at least!
Title: Re: fail2ban contribs on its way
Post by: Franco on January 05, 2011, 06:39:33 PM
Count me in too ;)

I only use fail2ban to protect my asterisk, but it would be good to protect the other services.

Thanks,
Title: Re: fail2ban contribs on its way
Post by: shawnbishop on January 06, 2011, 07:11:57 AM
Good day

I am assuming this would be like the SSH DenyHosts contrib??

What would you be looking for exactly in the log files, maybe I can provide some?
Title: Re: fail2ban contribs on its way
Post by: Jean-Philippe Pialasse on January 06, 2011, 06:17:12 PM
Hello,

I would like examples of what you consider an intrusion, like:
- bad password login attempt with http auth
- bad connection attempt into asterisk (Franco, if you already have some regex for it, send it to me too, telling me the kind of installation you have, like freepbx or another)


Open one of these logs, find an intrusion, and copy and paste it to my email (not in clear here):

- ftp : /var/log/ftp/ or /var/log/proftp
- imaps : /var/log/imaps/current
- pops : /var/log/pops/current
- imap : /var/log/imap/current
- pop : /var/log/pop/current
- qpsmtpd : /var/log/sqpsmtpd/current
- webmail : /var/log/httpd/error_log
- server manager : /var/log/httpd/error_log
or any other log file like the one for asterisk if you have another service you want to be added
Title: Re: fail2ban contribs on its way
Post by: apmuthu on January 26, 2011, 03:31:03 AM
Rudimentary install notes for Fail2Ban on SME7 are at:
http://www.linuxexpert.ro/Linux-Tutorials/installing-fail2ban-on-centos5.html