Hi, I noticed some problems with fail2ban version 0.8.13 that is installed after following the perfect server installation documents. One of the problems was for creating a jail for sshd as apparently openssh have the nasty ability to change the way the write to the logfiles. The solution for that was actuall installing fail2ban 0.10 from source and i have it running perfectly now after some tweaking. This newer version of fail2ban also has the ability to check on multiple log files/log paths for applications. By default for nginx and apache2 it checks for *error.log and *access.log in the main log folder (in my case /var/log/nginx). Currently all vhost log files are written to their respective client folders, which is a good solution as clients can check their own logs. However it's not a so good solution if i want to use fail2ban to check for script bots, URL_fopen() and that kind of stuff. What i would like to see in a future release is that all the log files get symlinked into /var/log/nginx/ or /var/log/apache2/ in the form of something like [domain_name]-error.log and [domain_name]-access.log. Even for sysadmins that don't use fail2ban this would be a good solution for easier check of multiple logs against unwanted activities.
You don't mention what OS you have, but by default on debian jessie, there are no nginx or apache logs checked at all (enabled = false for almost every jail). The log layout you propose with symlinks is unnecessary, as ispconfig already sets up something similar via bind mounts; each website has the real logs under /var/log/ispconfig/httpd/domain.tld/ and each website bind-mounts the relevant directory to make a copy of the logs available for the client. Just monitor /var/log/ispconfig/httpd/*/access.log and /var/log/ispconfig/httpd/*/error.log.
Thank you very much for your answer, yes i indeed forgot to mention OS and it actually is Debian Jessie in this case. I know the the nginx or apache jails are not enabled by default, what i meant to say was their default definitions that exists in fail2ban . It is something however that i want to enable to do additional checks for things like SQL injections and script vulnarabilities. It's something that i would like to do by default. So i can enable these checks myself. I did see the logs are setup with bind mounts, yet they still have their own subfolders. Within the newer version of fail2ban i have not seen an option that i can go recursivly through folders but i guess the wildcard for the subfolders might work as well. So i am going to try it out with the paths as you mentioned. I still consider myself to be a linux n00b, but with years of experience on both systems management on windows and networking management on various platforms, i am learning linux on the go. I guess this topic therefore does NOT belong to the Feature Request forum anymore, probably should have asked first in one of the other forums
