From: Tomas H. <th...@ke...> - 2012-10-03 13:10:45
On Wed, Oct 3, 2012 at 8:44 AM, Darac Marjal <mai...@da...> wrote:

> On Wed, Oct 03, 2012 at 07:23:56AM -0400, Tomas Hajek wrote:
> > Hi,
> > I'm new to fail2ban and had to get it up and working quickly.
> > I set it up to ban IP addresses from what appears to be DDOS POST attacks
> > on my httpd server, I'm running Oracle Linux Server release 6.3 (similar
> > to RHEL 6.3/CentOS 6.3). I installed fail2ban from the EPEL repo.
> > It seems to be working well but the problem I have is that now anytime an
> > IP address is banned it dumps the message to my console window, making it
> > fairly difficult to do anything on the box.
> > The messages are:
> > Message from syslogd@drupal at Oct  3 07:21:50 ...
> >  <28>fail2ban.actions: WARNING [http-post-ddos] Ban 217.24.244.103
> > Message from syslogd@drupal at Oct  3 07:21:52 ...
> >  <28>fail2ban.actions: WARNING [http-post-ddos] Ban 41.71.167.3
> > It's probably something simple that I have goofed, hopefully someone can
> > help!
> > Thanks,
> > -Tomas
>
> This isn't a fail2ban problem, per se, but rather an issue with your
> syslog configuration. I don't know what syslog server you use, so can't
> be more specific here... Actually, scratch that, those messages DO say
> it's syslogd. In that case, examine your /etc/syslog.conf and look for a
> configuration item in there that's sending the data to all users.

I guess I should have specified. I am using rsyslog. One thing I noticed was that my fail2ban.log rotated this morning and after that it's empty. I think that's when I started getting messages to the console (as I wasn't getting them yesterday when I first put fail2ban in place).

I did try adding the following to /etc/rsyslog.d/fail2ban.conf

:msg, contains, "fail2ban" ~

which I thought would match the messages on fail2ban and discard them but that did seem to help (I did restart rsyslog just in case).

thanks,
-Tomas
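
Added example, not part of the original thread: one way to carry out the check suggested above, listing the plain `selector action` rules in a syslog/rsyslog rule set that write a given message to all logged-in users. It assumes the `<28>` in the quoted console messages is a syslog PRI value; the sample rule set is constructed, and `!` negation and priority aliases such as `warn` are not handled.

```python
import re

FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp".split()
              + [f"facility{n}" for n in range(12, 16)] + [f"local{n}" for n in range(8)])
SEVERITIES = "emerg alert crit err warning notice info debug".split()
BROADCAST = re.compile(r"^(\*|:omusrmsg:\*)$")  # action meaning "all logged-in users"
# Constructed sample rule set (an assumption, not taken from the poster's machine).
SAMPLE = """\
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
:msg, contains, "fail2ban" ~
*.emerg                                     *
"""

def decode_pri(pri):
    """Split a syslog PRI value (e.g. 28) into (facility, severity) names."""
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]

def selector_matches(selector, fac, sev):
    """Evaluate 'fac,fac.prio;...' selectors; later parts override earlier ones."""
    hit = False
    for part in selector.split(";"):
        facs, _, prio = part.partition(".")
        if facs != "*" and fac not in facs.split(","):
            continue
        exact, prio = prio.startswith("="), prio.lstrip("=")
        if prio == "none":
            hit = False
        elif prio == "*":
            hit = True
        elif exact:  # "=prio" adds exactly that severity
            hit = hit or sev == prio
        else:  # plain priority means "this severity or more urgent"
            hit = SEVERITIES.index(sev) <= SEVERITIES.index(prio)
    return hit

def broadcast_rules(config_text, pri):
    """Return (line_no, rule) for plain rules that send this PRI to all users.
    Comments, $directives and :property filters are skipped."""
    fac, sev = decode_pri(pri)
    hits = []
    for no, line in enumerate(config_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 2 or fields[0][0] in "#$:":
            continue
        if BROADCAST.match(fields[1]) and selector_matches(fields[0], fac, sev):
            hits.append((no, line.strip()))
    return hits

if __name__ == "__main__":
    print([(p, decode_pri(p), broadcast_rules(SAMPLE, p)) for p in (28, 0)])
```

On the constructed sample, PRI 28 decodes to daemon.warning and matches no broadcast rule, while PRI 0 (kern.emerg) matches the `*.emerg *` line.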