custom_jail overrides default filters or correct way to change just logpath in default jail #157
I'm having this issue, too. E.g. I want to change logpath to a glob and set the bantime for my HTTP(S) service to be different from my SSHD bantime. Further, polling mode works with fewer complaints than journalmatch for that filter, so I want to use that mode but systemd for sshd.

```yaml
fail2ban::custom_jails:
  'nginx-botsearch':
    enabled: true
    backend: polling
    bantime: 3600
    port: http,https
    logpath: '/var/log/nginx/*error.log'
```

However, this destroys the regex data in

```yaml
fail2ban::custom_jails:
  '10-nginx-botsearch':
    enabled: true
    backend: polling
    bantime: 3600
    port: http,https
    filter: nginx-botsearch
    logpath: '/var/log/nginx/*error.log'
```

This is kludgy as it creates an unused filter file, but the jail doesn't load it, rather the desired filter, and I am able to function. Alternatively, I can put the regex data in YAML, but will note that there are a few problems with this:

E.g.

```yaml
fail2ban::custom_jails:
  'nginx-botsearch':
    enabled: true
    backend: polling
    bantime: 3600
    port: http,https
    filter: nginx-botsearch
    # yamllint disable rule:line-length
    filter_datepattern: "{^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\\s*%%z)?\n ^[^\\[]*\\[({DATE})\n {^LN-BEG}"
    filter_failregex: "^<HOST> \\- \\S+ \\[\\] \\\"(GET|POST|HEAD) \\/<block> \\S+\\\" 404 .+$\n ^ \\[error\\] \\d+#\\d+: \\*\\d+ (\\S+ )?\\\"\\S+\\\" (failed|is not found) \\(2\\: No such file or directory\\), client\\: <HOST>\\, server\\: \\S*\\, request: \\\"(GET|POST|HEAD) \\/<block> \\S+\\\"\\, .*?$"
    logpath: '/var/log/nginx/*error.log'
```

I will point out that I stumbled upon all of this trying to load RedHat sshd-ddos, which now has modes for SSH and no longer ships with a specific sshd-ddos filter. My solution, as advised by the package-provided commentary:

```yaml
fail2ban::custom_jails:
  '01-sshd-ddos':
    enabled: true
    backend: systemd
    port: 'ssh'
    logpath: '%(sshd_log)s'
    filter: 'sshd[mode=ddos]'
```

My opinion is that the defined type at https://github.com/voxpupuli/puppet-fail2ban/blob/master/manifests/jail.pp has some assumptions that create these problems and can be corrected. My suggestion is to:

While I am here, I will also mention that I think I am willing to do a PR if you all agree with the logic.
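The failure mode discussed in this comment (a custom jail that reuses a stock filter name and supplies no regexes ends up bound to a filter with an empty `failregex`, so the jail silently bans nothing) can be checked on the rendered `jail.d/` and `filter.d/` files rather than trusted from the hiera side. The script below is an added example written for this thread, not code from puppet-fail2ban. It assumes the module renders one filter file per custom jail named after the jail (the file names and contents of the constructed `jail.d` and `filter.d` samples are made up here), and it applies two real fail2ban rules: a jail uses its own name as the filter name unless `filter` is set, with a `[mode=...]` suffix selecting a mode within that filter, and `NAME.local` settings override `NAME.conf`.

```python
import configparser
import re

# Constructed stand-in for the stock filter.d/ shipped with fail2ban (regexes shortened).
STOCK_FILTER_D = {
    "nginx-botsearch.conf": "[Definition]\nfailregex = ^<HOST> .* 404 .+$\nignoreregex =\n",
    "sshd.conf": "[Definition]\nfailregex = ^Connection closed by <HOST>$\nignoreregex =\n",
}

EMPTY_FILTER = "[Definition]\nfailregex =\nignoreregex =\n"

# Scenario 1 (the problem): the custom jail reuses the stock filter name and supplies no
# regexes. Assumption: the module then renders an empty filter file under that same name,
# which shadows the stock definition (constructed sample).
BROKEN_JAILS = """
[nginx-botsearch]
enabled = true
backend = polling
bantime = 3600
port    = http,https
logpath = /var/log/nginx/*error.log
"""
BROKEN_FILTER_D = dict(STOCK_FILTER_D)
BROKEN_FILTER_D["nginx-botsearch.local"] = EMPTY_FILTER

# Scenario 2 (the workaround from this thread): jails carry a prefix and point at the stock
# filter explicitly, so the rendered empty filter files are never referenced (constructed).
FIXED_JAILS = """
[10-nginx-botsearch]
enabled = true
backend = polling
bantime = 3600
port    = http,https
filter  = nginx-botsearch
logpath = /var/log/nginx/*error.log

[01-sshd-ddos]
enabled = true
backend = systemd
port    = ssh
logpath = %(sshd_log)s
filter  = sshd[mode=ddos]
"""
FIXED_FILTER_D = dict(STOCK_FILTER_D)
FIXED_FILTER_D["10-nginx-botsearch.conf"] = EMPTY_FILTER
FIXED_FILTER_D["01-sshd-ddos.conf"] = EMPTY_FILTER


def _parser():
    # fail2ban configs use %(name)s references that configparser must not try to expand.
    return configparser.ConfigParser(interpolation=None)


def filter_name_for(jail, section):
    """The filter name defaults to the jail name; 'sshd[mode=ddos]' selects the sshd filter."""
    raw = section.get("filter", jail)
    return re.sub(r"\[.*\]$", "", raw).strip()


def load_filter(name, filter_d):
    """Merge NAME.conf then NAME.local the way fail2ban does (.local values win)."""
    cp = _parser()
    found = False
    for suffix in (".conf", ".local"):
        text = filter_d.get(name + suffix)
        if text is not None:
            cp.read_string(text)
            found = True
    return cp if found else None


def check_jails(jail_text, filter_d):
    """Return {jail: problem} for enabled jails whose effective filter cannot match anything."""
    cp = _parser()
    cp.read_string(jail_text)
    problems = {}
    for jail in cp.sections():
        sec = cp[jail]
        if sec.get("enabled", "false").lower() != "true":
            continue
        fname = filter_name_for(jail, sec)
        flt = load_filter(fname, filter_d)
        if flt is None:
            problems[jail] = f"filter '{fname}' has no filter.d file"
            continue
        if not flt.get("Definition", "failregex", fallback="").strip():
            problems[jail] = f"filter '{fname}' has an empty failregex"
    return problems


if __name__ == "__main__":
    print("broken:", check_jails(BROKEN_JAILS, BROKEN_FILTER_D))
    print("fixed: ", check_jails(FIXED_JAILS, FIXED_FILTER_D))
```

Running it reports the `nginx-botsearch` jail in the first scenario and nothing in the second, which is exactly the difference between the two hiera layouts above. On a real host the same check can be run against `/etc/fail2ban/jail.d/*.conf` and `/etc/fail2ban/filter.d/` after a Puppet run, or replaced by `fail2ban-client -d`, which dumps the effective configuration the daemon would load.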
I realized some very quick-n-dirty edits address at least 80% of what's discussed here, so created #161
Hi,

I want to configure an ssh jail in my system. The only parameter I need to change from the default configuration is the logpath and the action. What is the correct way to do it?

If I use a `custom_jail` like:

then all predefined filters for sshd are deleted.

And I wouldn't like to duplicate the default ssh filters in my hiera.

Where is the correct way to do this? Is it possible?