Fail2Ban not working with symlinks?

Discussion in 'Server Operation' started by cRUSH3r, Dec 6, 2013.

    cRUSH3r New Member

    Hey there.

    I'm using ISPConfig 3.0.5.3 on Ubuntu 12.04.1 x64 and Fail2Ban 0.8.6

    I've created a filter to block some Chinese IPs that are concurrently downloading some zip files hosted on a WordPress blog.

    ISPConfig creates, in every client's log folder, a log file like 20131206-access.log and a symlink to this file named access.log.

    In my Fail2Ban filter, if I use access.log, I can see in the verbose log (loglevel = 4 in /etc/fail2ban/fail2ban.conf) that fail2ban.filter only detects changes in this file about every 5 minutes.

    If I use the full path in jail.local :

    logpath = /var/www/clients/client10/web13/log/20131206-access.log

    then the changes are immediately sensed by Fail2ban.

    I've tried creating softlinks and hardlinks but the result is the same.
    The temporary solution that I found is to use a wildcard:

    logpath = /var/www/clients/client10/web13/log/*-access.log

    that matches today, yesterday and two days ago. The other log files are zipped.

    My Fail2Ban filter: /etc/fail2ban/jail.local

    Code:
    [http-get-dos]
    enabled  = true
    port     = http
    filter   = http-get-dos
    logpath  = /var/www/evilbox.ro/log/201312*.log
    maxretry = 3

    In /etc/fail2ban/filter.d/http-get-dos.conf I have:

    Code:
    # Fail2Ban configuration file
    #
    # Author: http://www.go2linux.org
    #
    [Definition]
     
    # Option: failregex
    # Note: <HOST> is the placeholder fail2ban expands into the IP group it bans on;
    # the regex below matches any GET of a .zip file, so all valid and invalid
    # downloads are a match. You should set maxretry and findtime carefully in
    # jail.conf in order to avoid false positives. The dot in ".zip" is escaped
    # so that paths such as "gzip" do not match, and the stray backslash before
    # GET is gone (older Python re modules accept "\G" as a literal G, newer ones reject it).
     
    failregex = ^<HOST> -.*"GET .*\.zip
     
    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    #
    ignoreregex =

    If I use access.log in
    logpath = /var/www/clients/client10/web13/log/access.log
    I get this in the Fail2Ban log file (when the file is not processed in real time):

    Code:
    2013-12-06 15:10:02,970 fail2ban.filter : DEBUG  Got event: 1 for /var/log/apache2/access.log
    2013-12-06 15:10:02,970 fail2ban.filter : DEBUG  File changed: /var/log/apache2/access.log
    2013-12-06 15:15:03,283 fail2ban.filter : DEBUG  Got event: 1 for /var/log/apache2/access.log
    2013-12-06 15:15:03,283 fail2ban.filter : DEBUG  File changed: /var/log/apache2/access.log
    2013-12-06 15:16:30,374 fail2ban.filter : DEBUG  Got event: 1 for /var/log/apache2/access.log
    2013-12-06 15:16:30,374 fail2ban.filter : DEBUG  File changed: /var/log/apache2/access.log
    2013-12-06 15:20:03,598 fail2ban.filter : DEBUG  Got event: 1 for /var/log/apache2/access.log
    2013-12-06 15:20:03,598 fail2ban.filter : DEBUG  File changed: /var/log/apache2/access.log
    2013-12-06 15:25:03,883 fail2ban.filter : DEBUG  Got event: 1 for /var/log/apache2/access.log
    2013-12-06 15:25:03,883 fail2ban.filter : DEBUG  File changed: /var/log/apache2/access.log
    
    And if I use today's log file (IT WORKS), I get the following in Fail2Ban's log file:

    Any advice?

    Thanks
     
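The jail above hinges on three things a practitioner will want to check before trusting it: that `<HOST>` is really present in the failregex (fail2ban refuses a failregex without a host group, and forum software tends to strip it as an HTML tag), that the dot in `.zip` is escaped, and that maxretry/findtime give the ban rate you expect. The script below is an added example, not code from the post or from the fail2ban project: it reproduces fail2ban's matching loop in simplified form (IPv4-only `<HOST>` expansion, Apache timestamp stripped before the regex is applied, a sliding findtime window per host) over constructed access-log lines, and shows that the unescaped `.zip` also bans a host that merely loads a stylesheet from a `gzip-cache` path.

```python
import re
from collections import defaultdict
from datetime import datetime

# fail2ban replaces <HOST> with a named group "host". This is the IPv4-only
# form of that substitution (fail2ban's own also accepts hostnames); it is an
# assumption of this example, not fail2ban's exact pattern.
HOST_RE = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The post's failregex with <HOST> restored, the dot in ".zip" escaped and the
# stray backslash before GET removed.
FAILREGEX = r'^<HOST> -.*"GET .*\.zip'

# Apache combined-log timestamp, e.g. [06/Dec/2013:15:10:02 +0200]
DATE_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def compile_failregex(failregex):
    """Expand <HOST> the way fail2ban does and compile the result."""
    return re.compile(failregex.replace("<HOST>", HOST_RE))


def parse_line(line, regex):
    """Return (host, timestamp) for a matching line, else None.

    fail2ban 0.8 locates the date, removes it from the line and matches the
    failregex against what is left; this does the same.
    """
    m = DATE_RE.search(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
    remainder = line[:m.start()] + line[m.end():]
    hit = regex.search(remainder)
    if hit is None:
        return None
    return hit.group("host"), ts


def find_bans(lines, failregex=FAILREGEX, maxretry=3, findtime=600):
    """Return the hosts that would be banned, in the order the bans happen.

    A host is banned once it has maxretry matches whose timestamps all fall
    within findtime seconds of each other, mirroring the jail options.
    """
    regex = compile_failregex(failregex)
    recent = defaultdict(list)
    banned = []
    for line in lines:
        parsed = parse_line(line, regex)
        if parsed is None:
            continue
        host, ts = parsed
        if host in banned:
            continue
        window = [t for t in recent[host] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.append(host)
    return banned


# Constructed sample lines (not taken from the post). 203.0.113.7 hammers one
# zip within two minutes, 198.51.100.2 fetches a zip every twelve minutes and
# 192.0.2.9 only loads a stylesheet whose path happens to contain "gzip".
SAMPLE_LINES = [
    '203.0.113.7 - - [06/Dec/2013:15:10:02 +0200] "GET /files/archive.zip HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [06/Dec/2013:15:10:05 +0200] "GET /wp-content/plugins/gzip-cache/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Dec/2013:15:10:40 +0200] "GET /files/archive.zip HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [06/Dec/2013:15:11:00 +0200] "GET /files/photos.zip HTTP/1.1" 200 524288 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [06/Dec/2013:15:11:05 +0200] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [06/Dec/2013:15:11:10 +0200] "GET /wp-content/plugins/gzip-cache/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Dec/2013:15:11:30 +0200] "GET /files/archive.zip HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [06/Dec/2013:15:11:50 +0200] "GET /wp-content/plugins/gzip-cache/style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [06/Dec/2013:15:23:00 +0200] "GET /files/photos.zip HTTP/1.1" 200 524288 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [06/Dec/2013:15:35:00 +0200] "GET /files/photos.zip HTTP/1.1" 200 524288 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("escaped regex, findtime 600:", find_bans(SAMPLE_LINES))
    print("unescaped .zip:", find_bans(SAMPLE_LINES, failregex=r'^<HOST> -.*"GET .*.zip'))
    print("escaped regex, findtime 3600:", find_bans(SAMPLE_LINES, findtime=3600))
```

With the corrected regex only 203.0.113.7 is banned; the unescaped `.*.zip` additionally bans 192.0.2.9 for three stylesheet requests, and raising findtime to 3600 also catches the slow downloader 198.51.100.2. Against the real log file, the same check is `fail2ban-regex <logfile> /etc/fail2ban/filter.d/http-get-dos.conf`, which reports how many lines the failregex matched and whether the date was recognised.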
