I am delighted to have discovered fail2ban. It does exactly what I wanted to
achieve. I have a question however...
I am currently using fail2ban to block failed proxy attempts or attempts to
attack my webserver. I have one quite loose regex which I only want to block
after 3 or more attempts within a 10 minute findtime. I have a jail set up for
this and it works just fine.
I also have however another regex which is a very tight match for a slightly
rarer event. This one I would like to set maxtries=1 and findtime=1 week and
bantime=2 weeks.
Now, I could very easily create another jail for this regex but I am concerned
that both these jails would be reading the same log file
(/var/log/httpd/error_log). Would this cause any conflict?
Is there a better way to do it?
Any advice or suggestions gratefully received...
From: René Berber <rberber@ca...> - 2009-07-02 17:24:55
Arthur Dent wrote:
> Now, I could very easily create another jail for this regex but I am concerned
> that both these jails would be reading the same log file
> (/var/log/httpd/error_log). Would this cause any conflict?
No, that's the way it works, some servers have separate log files, some
As an example, under Solaris I have 3 jails looking into the same
/var/log/authlog: sshd, sendmail, UW imap (actually pop3 which is the
one that gets attacked more often). Actually it is 2, sendmail's
authorization uses sasl which doesn't give enough info in authlog, I had
to use /var/log/syslog for those attacks.
> Is there a better way to do it?
If you really want to use separate log files it can be configured at the
The only advantage I see is in performance, the case of one daemon
producing a lot of output to its log, separating logs will save work for
the other jail(s).
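As an added illustration of the setup discussed in this thread (not configuration from either poster), here is a jail.local fragment defining the two jails on the same /var/log/httpd/error_log, one loose filter at 3 hits in 10 minutes and one tight filter that bans on the first hit for 2 weeks. Note that fail2ban's option is spelled maxretry, not maxtries, and that findtime/bantime are given in seconds here so the fragment works on older releases too. The filter names apache-loose and apache-tight, the 1 hour bantime on the loose jail (the thread gives none), and the failregex patterns are assumptions; the regexes must be replaced with the real ones.

```ini
# /etc/fail2ban/jail.local  (added example, not part of the original thread)
# Two jails can share one logpath: fail2ban tails the file once per jail and
# each jail keeps its own per-IP counters, so the thresholds do not interact.

[apache-loose]
enabled  = true
filter   = apache-loose
logpath  = /var/log/httpd/error_log
# ban after 3 matches ...
maxretry = 3
# ... seen within 10 minutes (600 s)
findtime = 600
# assumed: the thread gives no bantime for this jail; 1 hour
bantime  = 3600

[apache-tight]
enabled  = true
filter   = apache-tight
logpath  = /var/log/httpd/error_log
# a single match is enough
maxretry = 1
# 1 week = 604800 s
findtime = 604800
# 2 weeks = 1209600 s
bantime  = 1209600

# The default action names its firewall chain after the jail, so the two jails
# get separate chains and their bans/unbans never step on each other.

# ---------------------------------------------------------------------------
# /etc/fail2ban/filter.d/apache-loose.conf  (assumed filter, pattern is a placeholder)
# [Definition]
# failregex = ^\[[^]]+\] \[error\] \[client <HOST>\] .*LOOSE-PATTERN-HERE
# ignoreregex =
#
# /etc/fail2ban/filter.d/apache-tight.conf  (assumed filter, pattern is a placeholder)
# [Definition]
# failregex = ^\[[^]]+\] \[error\] \[client <HOST>\] .*TIGHT-PATTERN-HERE
# ignoreregex =
```

Before reloading, test each filter against the live log with fail2ban-regex, e.g. `fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-tight.conf`, and confirm the tight pattern matches only the rare event, since with maxretry=1 a single false positive bans a client for two weeks. After reloading, `fail2ban-client status apache-tight` shows the counters for that jail alone, which is the easiest way to see that the two jails count independently even though they read the same file.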