#49026: update of fail2ban to v0.9.3

Francois Claire fclaire at free.fr
Tue Oct 13 22:52:23 PDT 2015


On 09/10/2015 16:49, Rainer Müller wrote:
> Thanks for your work in porting and patching fail2ban!
You're welcome. Thanks to you and other MacPorts developers for having 
carefully checked and committed it.
>
> I noticed some things while trying to set this up. I don't know if these
> were introduced with fail2ban 0.9.x, so I am just listing them here for
> discussion.
>
> jail.conf:
>    banaction = iptables-multiport
>
> This will never work on OS X because we do not have iptables, right?
> It would probably make sense to provide a better default (pfctl?).
> iptables appears in multiple places in this file.
Indeed. In fact each user shall make his own 
${prefix}/etc/fail2ban/jail.local where he can enable jails and 
associate the appropriate action to do. Here's mine:

$ cat /opt/local/etc/fail2ban/jail.local
[DEFAULT]
bantime = 36000

[sshd]
enabled = true
action = pf-icefloor

I'm using pf firewall rules set by icefloor so I'm using the bruteforce 
table to block scanners. There are other actions to use under OSX like 
osx-afctl which is using the adaptive firewall. All actions can be 
found and tuned under ${prefix}/etc/fail2ban/action.d/

>
> fail2ban.conf:
>    dbfile = /opt/local/var/run/fail2ban/fail2ban.sqlite3
>
> Persistent files are usually stored in ${prefix}/var/lib/ or
> ${prefix}/var/db/ and not ${prefix}/var/run/. The latter is meant to
> hold volatile files (for example, the PID of the running daemon).
Indeed this db file might not be at the best place in the file system. 
Although it might be considered as volatile: if it doesn't exist 
fail2ban just creates a new one.

Which place would be better?
>
> paths-osx.conf:
>    apache_error_log = /private/var/log/apache2/error_log
>    apache_access_log = /private/var/log/apache2/access_log
>
> Would it make sense to point these to apache2 from MacPorts? That would
> probably be something in ${prefix}/apache2/logs/.
I'm using fail2ban on my mac mini with OSX server so that's the path for 
apache included in the apple server app. These settings can be overridden 
in fail2ban.local or jail.local.


Francois.
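The thread turns on how fail2ban layers jail.conf (shipping an iptables default that cannot work on OS X) under a per-user jail.local, with [DEFAULT] values inherited by every jail. The following added example, which is neither part of this thread nor fail2ban's own code, reproduces that layering with Python's configparser so the effective action and bantime of each jail can be inspected, and flags any enabled jail still resolving to an iptables-based action. The JAIL_CONF, JAIL_LOCAL and BAD_LOCAL strings are constructed stand-ins for the real files, and configparser's %(name)s interpolation is used as an approximation of fail2ban's own config reader.

```python
import configparser

# Constructed stand-in for ${prefix}/etc/fail2ban/jail.conf: an iptables
# default, every jail disabled (this is not the real shipped file).
JAIL_CONF = """\
[DEFAULT]
bantime = 600
banaction = iptables-multiport

[sshd]
enabled = false
port = ssh
action = %(banaction)s[port=%(port)s]

[apache-auth]
enabled = false
port = http,https
action = %(banaction)s[port=%(port)s]
"""

# Constructed stand-in for a jail.local like the one in the thread:
# longer bantime for all jails, sshd enabled with a pf-based action.
JAIL_LOCAL = """\
[DEFAULT]
bantime = 36000

[sshd]
enabled = true
action = pf-icefloor
"""

# Constructed jail.local that enables sshd without overriding the action.
BAD_LOCAL = """\
[sshd]
enabled = true
"""

# Action name prefixes that depend on iptables, which OS X does not have.
IPTABLES_ACTIONS = ("iptables",)


def load_jails(*layers):
    """Read config layers in order; a later layer overrides earlier values,
    mirroring how fail2ban reads jail.conf and then jail.local."""
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    for text in layers:
        cp.read_string(text)
    return cp


def effective_jails(cp):
    """Resolve each jail to its effective settings. Options missing from the
    jail section fall back to [DEFAULT], and %(...)s references are expanded."""
    jails = {}
    for jail in cp.sections():  # sections() never includes DEFAULT
        jails[jail] = {
            "enabled": cp.getboolean(jail, "enabled", fallback=False),
            "bantime": cp.getint(jail, "bantime"),
            "action": cp.get(jail, "action"),
        }
    return jails


def unusable_actions(jails):
    """Names of enabled jails whose resolved action relies on iptables."""
    return sorted(
        name for name, cfg in jails.items()
        if cfg["enabled"] and cfg["action"].startswith(IPTABLES_ACTIONS)
    )


if __name__ == "__main__":
    for label, layers in (("good", (JAIL_CONF, JAIL_LOCAL)),
                          ("bad", (JAIL_CONF, BAD_LOCAL))):
        jails = effective_jails(load_jails(*layers))
        for name, cfg in jails.items():
            print(f"{label}: {name}: enabled={cfg['enabled']} "
                  f"bantime={cfg['bantime']} action={cfg['action']}")
        print(f"{label}: jails with an unusable iptables action: "
              f"{unusable_actions(jails)}")
```

Running it shows the two outcomes the thread describes: with the pf override in place, sshd resolves to pf-icefloor and inherits the 36000 s bantime, while enabling a jail without overriding its action leaves it on the inherited iptables-multiport default and it is reported as unusable.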

