| Using tools like fail2ban [message #28974] |
Wed, 02 April 2008 17:14  |
joelee
Messages: 63
Registered: April 2006
|
Member |
|
|
Hi All,
I am using a tool like fail2ban which automatically monitors logs and blocks IP addresses doing brute force attacks. Currently, I install this tool on a per-vps basis.
Fail2ban info can be found here: http://fail2ban.org/wiki/index.php/Main_Page
I wanted to see about using this on the OpenVZ Host Node so that I do not have to install and config on each vps. I wanted to see how others are using tools like this and what approach is being used.
From what I gather, installing this on HN will one keep the config files away from the users of VPS and only openvz HN admin would be able to view and monitor logs. Plus, nothing prevents the user of the vps to install a separate install in there vps as well.
I know it's not advised to install these types of apps on the HN but this is the most efficient. Would appreciate any comments/suggestions.
Joe
[Updated on: Wed, 02 April 2008 17:16] Report message to a moderator |
|
|
|
| fail2ban for all containers [message #41275 is a reply to message #28974] |
Mon, 20 December 2010 22:37  |
narcisgarcia
Messages: 41
Registered: May 2009
|
Member |
|
|
I've tested the following and works configured on the hardware node (host):
/etc/fail2ban/jail.local
[ssh-container-777]
enabled = true
filter = sshd
logpath = /vz/private/777/var/log/auth.log
maxretry = 6
action = route
/etc/fail2ban/action.d/route.conf
# Fail2Ban configuration file
#
# Author: Narcis Garcia, based on FAQforge admin idea.
#
# $Revision: 1 $
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = ip route add prohibit <ip>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = ip route del prohibit <ip>
[Init]
# Defaut variable values
#
name = default
Narcis Garcia
|
|
|
|
| Re: Using tools like fail2ban [message #41276 is a reply to message #28974] |
Mon, 20 December 2010 22:41 |
narcisgarcia
Messages: 41
Registered: May 2009
|
Member |
|
|
I've also specified:
logpath = /vz/private/*/var/log/auth.log
and fail2ban loads all the "auth.log" files, but aren't procesed well. I suppose there is a date&time sort problem for the text lines.
I don't know how to sort properly by date and time this:
cat /vz/private/*/var/log/auth.log
Narcis Garcia
|
|
|
|
|
|
OpenVZ Forum
Members
Search
Help
Register
Login
Home
