diff -up fail2ban-0.9-d529151/config/jail.conf.logfiles fail2ban-0.9-d529151/config/jail.conf
--- fail2ban-0.9-d529151/config/jail.conf.logfiles 2013-07-28 03:43:54.000000000 -0600
+++ fail2ban-0.9-d529151/config/jail.conf 2013-08-08 21:23:41.785950007 -0600
@@ -152,20 +152,18 @@ action = %(action_)s
 [sshd]
 port = ssh
-logpath = /var/log/auth.log
- /var/log/sshd.log
+logpath = /var/log/secure
 [sshd-ddos]
 port = ssh
-logpath = /var/log/auth.log
- /var/log/sshd.log
+logpath = /var/log/secure
 [dropbear]
 port = ssh
 filter = sshd
-logpath = /var/log/dropbear
+logpath = /var/log/secure
 # Generic filter for PAM. Has to be used with action which bans all
@@ -175,12 +173,12 @@ logpath = /var/log/dropbear
 # pam-generic filter can be customized to monitor specific subset of 'tty's
 banaction = iptables-allports
-logpath = /var/log/auth.log
+logpath = /var/log/secure
 [xinetd-fail]
 banaction = iptables-multiport-log
-logpath = /var/log/daemon.log
+logpath = /var/log/messages
 maxretry = 2
 # .. custom jails
@@ -201,7 +199,7 @@ filter = sshd
 action = hostsdeny[daemon_list=sshd]
 sendmail-whois[name=SSH, dest=you@example.com]
 ignoreregex = for myuser from
-logpath = /var/log/sshd.log
+logpath = /var/log/secure
 # Here we use blackhole routes for not requiring any additional kernel support
 # to store large volumes of banned IPs
@@ -210,7 +208,7 @@ logpath = /var/log/sshd.log
 filter = sshd
 action = route
-logpath = /var/log/sshd.log
+logpath = /var/log/secure
 # Here we use a combination of Netfilter/Iptables and IPsets
 # for storing large volumes of banned IPs
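Review bot: The literal path `/var/log/secure` is written out once per jail here (sshd, sshd-ddos, dropbear) and again in the hunks at -175, -201, -210, -221, -238, -250, -347 and -519, so the next distribution or logging change has to touch every jail again. The hunk header's context line shows the file already relies on configparser interpolation (`action = %(action_)s`), so declaring the path once in the file's defaults section, e.g. `sshd_log = /var/log/secure`, and writing `logpath = %(sshd_log)s` in each jail would express the distro choice in one place; the defaults section itself lies outside this hunk. The same applies to the httpd and maillog paths introduced in the later hunks.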
@@ -221,13 +219,13 @@ logpath = /var/log/sshd.log
 filter = sshd
 action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
-logpath = /var/log/sshd.log
+logpath = /var/log/secure
 [sshd-iptables-ipset6]
 filter = sshd
 action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
-logpath = /var/log/sshd.log
+logpath = /var/log/secure
 # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
 # option is overridden in this jail. Moreover, the action "mail-whois" defines
@@ -238,7 +236,7 @@ logpath = /var/log/sshd.log
 filter = sshd
 action = ipfw[localhost=192.168.0.1]
 sendmail-whois[name="SSH,IPFW", dest=you@example.com]
-logpath = /var/log/auth.log
+logpath = /var/log/secure
 ignoreip = 168.192.0.1
 # bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
@@ -250,7 +248,7 @@ ignoreip = 168.192.0.1
 [ssh-bsd-ipfw]
 filter = sshd
 action = bsd-ipfw[port=ssh,table=1]
-logpath = /var/log/auth.log
+logpath = /var/log/secure
 #
 # HTTP servers
@@ -259,7 +257,7 @@ logpath = /var/log/auth.log
 [apache-auth]
 port = http,https
-logpath = /var/log/apache*/*error.log
+logpath = /var/log/httpd/*error_log
 # Ban hosts which agent identifies spammer robots crawling the web
 # for email addresses. The mail outputs are buffered.
@@ -267,21 +265,20 @@ logpath = /var/log/apache*/*error.log
 [apache-badbots]
 port = http,https
-logpath = /var/log/apache*/*access.log
- /var/www/*/logs/access_log
+logpath = /var/log/httpd/*access_log
 bantime = 172800
 maxretry = 1
 [apache-noscript]
 port = http,https
-logpath = /var/log/apache*/*error.log
+logpath = /var/log/httpd/*error_log
 maxretry = 6
 [apache-overflows]
 port = http,https
-logpath = /var/log/apache*/*error.log
+logpath = /var/log/httpd/*error_log
 maxretry = 2
 # Ban attackers that try to use PHP's URL-fopen() functionality
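Review bot: The jail changed in the -238 hunk is introduced, in the retained comment at the end of the previous hunk, as using ipfw, the standard firewall on FreeBSD, yet its logpath now points at `/var/log/secure`; the same replacement is made for the BSD-flavoured [ssh-bsd-ipfw] jail at -250 and the pf jail at -519. On FreeBSD the default syslog layout writes auth messages to `/var/log/auth.log`, so as far as I can tell these examples now name a file that would not exist on the platform they describe. If the patch is meant to adapt only the jails that apply to the target Linux distribution, keeping `logpath = /var/log/auth.log` in the BSD-specific examples leaves them self-consistent; if they are expected to stay disabled there, a one-line comment saying so would prevent a reader from copying the path.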
@@ -291,7 +288,7 @@ maxretry = 2
 [php-url-fopen]
 port = http,https
-logpath = /var/www/*/logs/access_log
+logpath = /var/log/httpd/*access_log
 # A simple PHP-fastcgi jail which works with lighttpd.
 # If you run a lighttpd server, then you probably will
@@ -330,7 +327,7 @@ logpath = /var/log/sogo/sogo.log
 filter = apache-auth
 action = hostsdeny
-logpath = /var/log/apache*/*error.log
+logpath = /var/log/httpd/*error_log
 maxretry = 6
@@ -347,7 +344,7 @@ logpath = /var/log/proftpd/proftpd.log
 [pure-ftpd]
 port = ftp,ftp-data,ftps,ftps-data
-logpath = /var/log/auth.log
+logpath = /var/log/secure
 maxretry = 6
 [vsftpd]
@@ -355,7 +352,7 @@ maxretry = 6
 port = ftp,ftp-data,ftps,ftps-data
 logpath = /var/log/vsftpd.log
 # or overwrite it in jails.local to be
-# logpath = /var/log/auth.log
+# logpath = /var/log/secure
 # if you want to rely on PAM failed login attempts
 # vsftpd's failregex should match both of those formats
@@ -384,12 +381,12 @@ maxretry = 6
 [courier-smtp]
 port = smtp,ssmtp,submission
-logpath = /var/log/mail.log
+logpath = /var/log/maillog
 [postfix]
 port = smtp,ssmtp,submission
-logpath = /var/log/mail.log
+logpath = /var/log/maillog
 # The hosts.deny path can be defined with the "file" argument if it is
 # not in /etc.
@@ -410,7 +407,7 @@ bantime = 300
 [courier-auth]
 port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
-logpath = /var/log/mail.log
+logpath = /var/log/maillog
 [sasl]
@@ -419,12 +416,12 @@ port = smtp,ssmtp,submission,imap2,i
 # You might consider monitoring /var/log/mail.warn instead if you are
 # running postfix since it would provide the same log lines at the
 # "warn" level but overall at the smaller filesize.
-logpath = /var/log/mail.log
+logpath = /var/log/maillog
 [dovecot]
 port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
-logpath = /var/log/mail.log
+logpath = /var/log/maillog
 #
 # DNS servers
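Review bot: In the -355 hunk the context line directly above the changed comment reads `# or overwrite it in jails.local to be`, and `jails.local` looks like a typo for `jail.local`, the per-site override file fail2ban reads alongside jail.conf; since this patch is already editing that comment block it would be cheap to correct it to `# or overwrite it in jail.local to be`. The typo predates the patch, so this is an optional tidy-up rather than a defect introduced here.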
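Review bot: In the -419 hunk the three comment lines kept above the changed `logpath` still advise monitoring `/var/log/mail.warn` as an alternative for postfix, a path that belongs to the Debian-style syslog layout this patch is moving away from, so after the switch to `/var/log/maillog` the advice no longer matches the file it sits in. Either drop those lines or reword them so the alternative is stated in terms of the target distribution's layout, for example `# If you run postfix, check which file your syslog configuration routes mail warnings to; it may differ from maillog.` The hunk begins inside the [sasl] jail, whose section header is outside this hunk.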
@@ -519,7 +516,7 @@ maxretry = 5
 enabled=false
 filter = sshd
 action = pf
-logpath = /var/log/sshd.log
+logpath = /var/log/secure
 maxretry=5
 [3proxy]