From: Jakub Czajka Date: Sun, 25 Sep 2022 21:04:07 +0000 (+0200) Subject: [fail2ban] Log to `syslog`. X-Git-Url: https://git.ekhem.eu.org/?a=commitdiff_plain;h=b968dd306065e4cef7834670796a9dc2ef685b6d;p=server.git [fail2ban] Log to `syslog`.
---
diff --git a/fail2ban/README b/fail2ban/README
index d8b8353..5663cb8 100644
--- a/fail2ban/README
+++ b/fail2ban/README
@@ -10,8 +10,9 @@ Files
 fail2ban
 |
-|-> fail2ban.local -- /etc/fail2ban/
-`-> jail.local -- /etc/fail2ban/
+|-> paths-common.conf -- /etc/fail2ban/
+|-> fail2ban.local -- /etc/fail2ban/
+`-> jail.local -- /etc/fail2ban/
 Install
 -------
diff --git a/fail2ban/jail.local b/fail2ban/jail.local
index cbafa18..d19e172 100644
--- a/fail2ban/jail.local
+++ b/fail2ban/jail.local
@@ -33,7 +33,7 @@
 [INCLUDES]
 #before = paths-distro.conf
-before = paths-debian.conf
+before = paths-common.conf
 # The DEFAULT allows a global definition of the options. They can be overridden
 # in each jail afterwards.
@@ -44,6 +44,12 @@ before = paths-debian.conf
 # MISCELLANEOUS OPTIONS
 #
+syslog_user = /var/log/user.log
+
+syslog_ftp = /var/log/syslog
+
+syslog_daemon = /var/log/daemon.log
+
 # "bantime.increment" allows to use database for searching of previously banned ip's to increase a
 # default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
 #bantime.increment = true
diff --git a/fail2ban/paths-common.conf b/fail2ban/paths-common.conf
new file mode 100644
index 0000000..1088b6f
--- /dev/null
+++ b/fail2ban/paths-common.conf
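Review bot: Switching `before` from `paths-debian.conf` to `paths-common.conf` in the first jail.local hunk drops whatever the Debian overlay provided (it presumably layers on top of paths-common.conf and fills in distro log paths), and the three keys added in the second jail.local hunk only replace part of that: in the new paths-common.conf `syslog_mail` and `syslog_mail_warn` stay empty, so `postfix_log` and `dovecot_log` interpolate to an empty logpath if either jail is enabled. The new file's own `[INCLUDES]` reads `paths-overrides.local` after it, which is the hook fail2ban reserves for site-specific path overrides, so the same effect is reachable without shipping a copy of a file the package appears to install at the same path (see the README hunk): keep `before = paths-debian.conf` and put `syslog_user = /var/log/user.log`, `syslog_ftp = /var/log/syslog`, `syslog_daemon = /var/log/daemon.log` under `[DEFAULT]` in `/etc/fail2ban/paths-overrides.local`. Whichever layout is kept, a one-line comment above the three keys saying they follow the host's rsyslog routing (user/daemon facilities to their own files, ftp to the catch-all) would spare the next reader a trip to rsyslog.conf.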
@@ -0,0 +1,96 @@
+# Common
+#
+
+[INCLUDES]
+
+after = paths-overrides.local
+
+[DEFAULT]
+
+default_backend = %(default/backend)s
+
+# Initial common values (to overwrite in path-.conf)...
+# There is no sensible generic defaults for syslog log targets, thus
+# leaving them empty here (resp. set to mostly used variant) in order
+# to avoid errors while parsing/interpolating configs.
+#
+# Note systemd-backend does not need the logpath at all.
+#
+syslog_local0 = /var/log/messages
+
+syslog_authpriv = /var/log/auth.log
+syslog_daemon = %(syslog_local0)s
+syslog_ftp = %(syslog_local0)s
+syslog_mail =
+syslog_mail_warn =
+syslog_user = %(syslog_local0)s
+
+# Set the default syslog backend target to default_backend
+syslog_backend = %(default_backend)s
+
+# Default values for several jails:
+
+sshd_log = %(syslog_authpriv)s
+sshd_backend = %(default_backend)s
+
+dropbear_log = %(syslog_authpriv)s
+dropbear_backend = %(default_backend)s
+
+apache_error_log = /var/log/apache2/*error.log
+
+apache_access_log = /var/log/apache2/*access.log
+
+# from /etc/audit/auditd.conf
+auditd_log = /var/log/audit/audit.log
+
+exim_main_log = /var/log/exim/mainlog
+
+nginx_error_log = /var/log/nginx/*error.log
+
+nginx_access_log = /var/log/nginx/*access.log
+
+
+lighttpd_error_log = /var/log/lighttpd/error.log
+
+# http://www.hardened-php.net/suhosin/configuration.html#suhosin.log.syslog.facility
+# syslog_user is the default. Lighttpd also hooks errors into its log.
+
+suhosin_log = %(syslog_user)s
+ %(lighttpd_error_log)s
+
+# defaults to ftp or local2 if ftp doesn't exist
+proftpd_log = %(syslog_ftp)s
+proftpd_backend = %(default_backend)s
+
+# http://svnweb.freebsd.org/ports/head/ftp/proftpd/files/patch-src_proftpd.8.in?view=markup
+# defaults to ftp but can be overwritten.
+pureftpd_log = %(syslog_ftp)s
+pureftpd_backend = %(default_backend)s
+
+# ftp, daemon and then local7 are tried at configure time however it is overwriteable at configure time
+#
+wuftpd_log = %(syslog_ftp)s
+wuftpd_backend = %(default_backend)s
+
+# syslog_enable defaults to no. so it defaults to vsftpd_log_file setting of /var/log/vsftpd.log
+# No distro seems to set it to syslog by default
+# If syslog set it defaults to ftp facility if exists at compile time otherwise falls back to daemonlog.
+vsftpd_log = /var/log/vsftpd.log
+
+# Technically syslog_facility in main.cf can overwrite but no-one sane does this.
+postfix_log = %(syslog_mail_warn)s
+postfix_backend = %(default_backend)s
+
+dovecot_log = %(syslog_mail_warn)s
+dovecot_backend = %(default_backend)s
+
+# Seems to be set at compile time only to LOG_LOCAL0 (src/const.h) at Notice level
+solidpop3d_log = %(syslog_local0)s
+
+mysql_log = %(syslog_daemon)s
+mysql_backend = %(default_backend)s
+
+roundcube_errors_log = /var/log/roundcube/errors
+
+# Directory with ignorecommand scripts
+ignorecommands_dir = /etc/fail2ban/filter.d/ignorecommands
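Review bot: `syslog_mail =` and `syslog_mail_warn =` are left empty while `postfix_log` and `dovecot_log` further down interpolate from them, so a mail jail enabled in jail.local ends up with nothing to watch; the header comment explains the empties as a parse-safety measure, but once this file is installed verbatim as the host's own configuration that becomes a silent loss of brute-force coverage rather than a visible error. If mail facility messages on this host follow the same rsyslog layout as the user/daemon paths set in jail.local, `syslog_mail = /var/log/mail.log` and `syslog_mail_warn = /var/log/mail.warn` close the gap; if no mail jail is meant to run here, a comment saying so above the two empty keys would stop the next reader from wiring one up against an empty path. The file's values are expanded with configparser `%(name)s` interpolation (every `*_log` line here relies on it), so a short note near the top, e.g. `# Values are interpolated; write a literal % as %%`, would prevent a parse failure the first time a percent sign appears in a path. The indented continuation under `suhosin_log` is also interpolation-dependent syntax and deserves a comment like `# second line is a continuation: both logs are watched`.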