> On 21.05.2013 11:22, Aniyan Rajan wrote:
> >> > 1. How can I configure fail2ban for sftp ?
> >> As this goes through sshd, I guess it should be recognized by
> >> the sshd filter you are already using. Maybe you could show us
> >> some corresponding lines from your auth.log.
> > okay. I don't have any attacks in auth.log for sftp. But just thought of
> > enabling the filter for sftp too.
> I am not even sure if sftp would log something different from
> just a normal ssh login attempt.
It was logging to the common log file. But now I am filtering the sftp logs
to /var/log/sftp.log. Sample follows:
May 20 09:15:20 mx internal-sftp: lstat name "/"
May 20 09:15:21 mx internal-sftp: opendir "/"
May 20 09:15:22 mx internal-sftp: closedir "/"
May 20 09:15:25 mx internal-sftp: session closed for local user aoeuaoeu from [188.8.131.523]
May 22 03:35:01 mx internal-sftp: session opened for local user ceupd from [232.444.111.222]
May 22 03:35:01 mx internal-sftp: received client version 3
> Do I have to use the following under the [ssh] in jail.local?
> > port = ssh,sftp
> Do you have sftp listening on a different port than the standard
> TCP 22 for sshd? Or is the sftp you are talking about something
> other than sftp through sshd, e.g. another service running?
It is sftp through sshd. sftp is listening on port 22. I am using the
default installation that I got when I bought my VPS. I didn't make any
change to the ports.
So can I use the following for sftp? How can I add /var/log/sftp.log too
under [ssh] in jail.local?
port = ssh,sftp
> Okay, I will enable it. But I am not finding any regex under the
> > [ssh-ddos] in jail.local.
> The regex is in the filter file, e.g. in
> /etc/fail2ban/filter.d/sshd-ddos.conf. Please read the manual
> regarding configuration on the URL I gave you.
Yes there is. So I understand that it is being used by the fail2ban. I
don't have to do anything additional.
>> Check out the postfix filter and configure an additional jail for
> >> it. See URL above for hints on how to do this.
> > There is already a [postfix] in the jail.local. Could you please explain
> > what you mean by 'additional jail'?
> I did not check your log file samples with the default postfix
> filter of fail2ban. This can be done with the 'fail2ban-regex'
> utility. But when I have a look at it again, your Postfix is
> rejecting e-mails because of some spam patterns. I guess this is
> because you are using something else in Postfix to reject such
> e-mails on the SMTP level. You probably need to create your own
> regex for this, e.g. with expanding the existing postfix filter
> regex with an additional line (of course in an additional
> /etc/fail2ban/filter.d/postfix.local file). Details about this
> can be found in the manual.
Yes, I am using a reject at the smtp level right now to reject them. But I
just thought of banning them, so that they won't appear in the mail.log.
Not necessary though. Anyway, I will work on your idea. Thanks.
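To make the two points in this exchange concrete, here is an added example (not code from the thread or from fail2ban itself) that does what fail2ban-regex does, in plain Python: it substitutes fail2ban's <HOST> placeholder into a failregex, runs it over log lines, and applies a maxretry threshold. The sshd and postfix patterns are simplified assumptions modelled on the shipped filters and on the "additional line in postfix.local" idea, not copies of them. The internal-sftp lines are the ones posted above (joined back onto single lines); the auth.log and mail.log lines are constructed, using documentation addresses. Running it shows that the sftp.log lines contain no failure at all, because sshd authenticates the client before internal-sftp is started, so the bannable event for a bad sftp login is the ordinary sshd "Failed password" line in auth.log, and that a custom NOQUEUE pattern is what catches the SMTP-level rejects.

```python
import re
from collections import Counter

# fail2ban replaces <HOST> in a failregex with this group (optional
# IPv6-mapped prefix, then a hostname or address), so a pattern written
# for filter.d/*.conf can be tried here unchanged.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Illustrative failregex lines (assumptions modelled on fail2ban's sshd
# filter and on a postfix.local addition; not the shipped filter text).
FAILREGEX = {
    "sshd": (r"^\S+ +\d+ \d+:\d+:\d+ \S+ sshd\[\d+\]: Failed (?:password|publickey) "
             r"for (?:invalid user )?\S+ from <HOST>(?: port \d+)?(?: ssh\d*)?\s*$"),
    "postfix": (r"^\S+ +\d+ \d+:\d+:\d+ \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
                r"RCPT from \S+\[<HOST>\]: (?:450|554) "),
}

# The internal-sftp lines posted in the thread, rejoined onto single lines.
SFTP_LOG = [
    'May 20 09:15:20 mx internal-sftp: lstat name "/"',
    'May 20 09:15:21 mx internal-sftp: opendir "/"',
    'May 20 09:15:22 mx internal-sftp: closedir "/"',
    "May 20 09:15:25 mx internal-sftp: session closed for local user aoeuaoeu from [188.8.131.523]",
    "May 22 03:35:01 mx internal-sftp: session opened for local user ceupd from [232.444.111.222]",
    "May 22 03:35:01 mx internal-sftp: received client version 3",
]

# Constructed auth.log lines (203.0.113.7 / 198.51.100.20 are documentation
# addresses). A failed sftp login lands here, logged by sshd, because the
# client is authenticated before the internal-sftp subsystem ever runs.
AUTH_LOG = [
    "May 22 03:40:12 mx sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "May 22 03:40:15 mx sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "May 22 03:40:19 mx sshd[1236]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "May 22 03:41:02 mx sshd[1240]: Accepted publickey for ceupd from 198.51.100.20 port 40100 ssh2",
]

# Constructed mail.log lines for SMTP-level rejects of the kind the thread
# mentions; the shipped postfix filter may not match a site's own reject text.
MAIL_LOG = [
    "May 22 03:41:00 mx postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: "
    "554 5.7.1 Service unavailable; Client host [198.51.100.9] blocked; from=<a@example.com> "
    "to=<b@example.net> proto=ESMTP helo=<example.com>",
    "May 22 03:41:30 mx postfix/smtpd[2345]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: "
    "554 5.7.1 Service unavailable; Client host [198.51.100.9] blocked; from=<c@example.com> "
    "to=<b@example.net> proto=ESMTP helo=<example.com>",
    "May 22 03:42:00 mx postfix/smtpd[2350]: connect from mail.example.org[198.51.100.30]",
]


def compile_failregex(pattern):
    """Turn a fail2ban-style failregex (containing <HOST>) into a Python regex."""
    return re.compile(pattern.replace("<HOST>", HOST_RE))


def count_failures(lines, pattern):
    """Count matching lines per host, the way a jail tallies failures."""
    rx = compile_failregex(pattern)
    hits = Counter()
    for line in lines:
        m = rx.match(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def hosts_to_ban(lines, pattern, maxretry=3):
    """Hosts that reached maxretry failures; sorted so the result is stable."""
    return sorted(h for h, n in count_failures(lines, pattern).items() if n >= maxretry)


if __name__ == "__main__":
    for name, log in (("sftp.log", SFTP_LOG), ("auth.log", AUTH_LOG)):
        print(name, "sshd filter:", dict(count_failures(log, FAILREGEX["sshd"])))
    print("mail.log postfix reject filter:", dict(count_failures(MAIL_LOG, FAILREGEX["postfix"])))
    print("ban from auth.log:", hosts_to_ban(AUTH_LOG, FAILREGEX["sshd"]))
```

The practical consequence for the question above: pointing the [ssh] jail at /var/log/sftp.log gains nothing, since those lines never match a failure pattern; the sshd filter on auth.log already covers sftp clients, and port = ssh,sftp only changes which ports the ban action blocks (both resolve to 22 in /etc/services). For the Postfix side, the same kind of pattern goes into a failregex line in a filter.d/postfix.local, and fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix.conf is the way to confirm it matches real log lines before enabling the jail.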