Security fail2ban for Centmin Mod + CSF Firewall / Cloudflare API

pamamolf · Sep 5, 2017

Do i need a better cleanup or it needs another fix?

I just delete the /root/tools/centminmod-fail2ban folder and then i reinstall and i got:

fatal: destination path 'fail2ban' already exists and is not an empty directory.
Click to expand...

cp: cannot stat ‘centos/fail2ban.service’: No such file or directory
cp: cannot stat ‘centos/fail2ban-tmpfiles.conf’: No such file or directory
cp: cannot stat ‘centos/fail2ban-logrotate’: No such file or directory
Click to expand...

and

Failed to stop fail2ban.service: Unit fail2ban.service not loaded.
Failed to start fail2ban.service: Unit not found.
Failed to execute operation: No such file or directory

Unit fail2ban.service could not be found.

Failed to access socket path: /var/run/fail2ban/fail2ban.sock. Is fail2ban running?
Click to expand...

eva2000 · Sep 5, 2017

output for

Code (Text):

ls -lah /root/tools/centminmod-fail2ban
ls -lah /root/tools/centminmod-fail2ban/centos

pamamolf · Sep 5, 2017

ls -lah /root/tools/centminmod-fail2ban
Click to expand...

total 104K
drwxr-xr-x 7 root root 4.0K Sep 4 22:30 .
drwxr-xr-x 4 root root 4.0K Sep 4 22:30 ..
drwxr-xr-x 2 root root 4.0K Sep 4 22:30 action.d
drwxr-xr-x 2 root root 4.0K Sep 4 22:30 centos
-rwxr-xr-x 1 root root 15K Sep 4 22:30 fail2ban.sh
drwxr-xr-x 2 root root 4.0K Sep 4 22:30 filter.d
drwxr-xr-x 8 root root 4.0K Sep 4 22:30 .git
-rw-r--r-- 1 root root 9 Sep 4 22:30 .gitignore
-rw-r--r-- 1 root root 7.5K Sep 4 22:30 jail.local
-rw-r--r-- 1 root root 46K Sep 4 22:30 readme.md
drwxr-xr-x 4 root root 4.0K Sep 4 22:30 screenshots
Click to expand...

ls -lah /root/tools/centminmod-fail2ban/centos
Click to expand...

total 24K
drwxr-xr-x 2 root root 4.0K Sep 4 22:30 .
drwxr-xr-x 7 root root 4.0K Sep 4 22:30 ..
-rw-r--r-- 1 root root 363 Sep 4 22:30 fail2ban-logrotate
-rw-r--r-- 1 root root 658 Sep 4 22:30 fail2ban.service
-rw-r--r-- 1 root root 36 Sep 4 22:30 fail2ban-tmpfiles.conf
-rw-r--r-- 1 root root 2.1K Sep 4 22:30 redhat-initd
Click to expand...

eva2000 · Sep 5, 2017

ok 2nd fix fix fail2ban startup file routine · centminmod/centminmod-fail2ban@cc807ed · GitHub

pamamolf · Sep 5, 2017

That one did the trick

I got only:

fatal: destination path 'fail2ban' already exists and is not an empty directory.
Click to expand...

But it works Don't know if you want to do anything related to the above message ....

Thank you !

pamamolf · Sep 5, 2017

Is that the wrong syntax to remove an ip?
Code:
fail2ban-client set nginx-conn-limit unban 123.456.789.000
the result is:

NOK: ("Invalid command 'unban' (no set action or not yet implemented)",)
Invalid command 'unban' (no set action or not yet implemented)
Click to expand...

But using this it works great:

fail2ban-client unban 123.456.789.000
Click to expand...

Just wondering

eva2000 · Sep 5, 2017

use the latter

pamamolf said: ↑

That one did the trick

I got only:

But it works Don't know if you want to do anything related to the above message ....

Thank you !
Click to expand...

should be fine

pamamolf · Sep 7, 2017

At jail.local i can see that:

logpath = /usr/local/nginx/logs/*error*.log
Click to expand...

but on that path we have always access.log and error.log only.

So there is no reason to use the * in front or at the back of "error" name...

For me it will be better to use:
Code:
logpath = /usr/local/nginx/logs/access.log
          /usr/local/nginx/logs/error.log
or just keep the direct link to error.log only if you want to check only this file...

Can you please verify George and add that as default ?

Thank you !

eva2000 · Sep 7, 2017

See Centmin Mod Configuration Files - CentminMod.com LEMP Nginx web stack for CentOS jail for main hostname's nginx vhost detects log file names different from normal vhost generated nginx vhosts.

The default main Nginx vhost config file has log file paths different from normal generated Nginx vhost log paths as they are located at /var/log/nginx with naming format of prefixed with localhost in front so access_log is at /var/log/nginx/localhost.access.log and error_log is at /var/log/nginx/localhost.error.log.

Click to expand...

In fact fail2ban's jail for main vhost has incomplete path for
Code (Text):
logpath = /usr/local/nginx/logs/*error*.log
there should be an additional path to account for /var/log/nginx/localhost.error.log i.e. /var/log/nginx/*.error.log

so needs fixing just not the way you assumed

edit: updated fail2ban jails for missing default main vhost logpaths add missing logpath for default main vhost · centminmod/centminmod-fail2ban@4144fbe · GitHub

so jails pick up the /var/log/nginx paths now
Code (Text):
---------------------------------------
nginx-req-limit-main parameters:
maxretry: 5 findtime: 600 bantime: 7200
allow rate: 576 hits/day
filter last modified: Thu Sep  7 01:28:08 UTC 2017
Status for the jail: nginx-req-limit-main
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/nginx/localhost.error.log /usr/local/nginx/logs/error.log /var/log/nginx/localhost_ssl.error.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
Code (Text):
---------------------------------------
wordpress-auth parameters:
maxretry: 3 findtime: 60 bantime: 600
allow rate: 2880 hits/day
filter last modified: Thu Sep  7 01:28:17 UTC 2017
Status for the jail: wordpress-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /usr/local/nginx/logs/access.log /var/log/nginx/localhost.access.log /var/log/nginx/localhost_ssl.access.log /home/nginx/domains/demodomain.com/log/access.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

pamamolf · Sep 7, 2017

The above are correct but only for the path:

/var/log/nginx/
Click to expand...

But I am talking for the path:

/usr/local/nginx/logs/
Click to expand...

If you check any of your servers you will see that there are only:

access.log
error.log
Click to expand...

So we can point to them directly without any *

eva2000 · Sep 7, 2017

I see what you mean. For now should be fine.

eva2000 · Sep 7, 2017

actually it's already done for where it counts for vhost logs i.e.

/home/nginx/domains/*/log/access.log

for /usr/local/nginx/logs/ there's other logs that can go in there but it was for /var/log/nginx really the wildcards as they're prefixed with localhost. and phpmyadmin logs have local_ssl. prefix too i.e. /var/log/nginx/localhost.access.log and /var/log/nginx/localhost_ssl.access.log

pamamolf · Sep 7, 2017

That's a nice fix but i think is better to do this:

Code:

logpath = /home/nginx/domains/*/log/access.log
               /usr/local/nginx/logs/*access*.log
               /var/log/nginx/*.access.log

change to:

Code:

logpath = /home/nginx/domains/*/log/access.log
               /home/nginx/domains/*/log/error.log
               /usr/local/nginx/logs/access.log
               /usr/local/nginx/logs/error.log
              /var/log/nginx/*.access.log
             /var/log/nginx/*.error.log

Don't know if all entries needed but i think that's better format to use.....

What do you think?

eva2000 · Sep 7, 2017

no you do not need all error and access logs, only what the specific fail2ban jail needs to read whether it's access or error log related.

pamamolf · Sep 7, 2017

Ok then only that one can be a direct link:
Code:
/usr/local/nginx/logs/access.log
As at that folder there will be always only the access.log and error.log and nothing related....

and use the * at /var/log/nginx/ as needed there.... ?

It's not an issue if you want to leave it as *access*.log as it will work but i think is not needed

No problem do what you think is better

eva2000 · Sep 7, 2017

well yes technically for /usr/local/nginx/logs/*access*.log can be /usr/local/nginx/logs/access.log

eva2000 · Sep 7, 2017

fixed fix logpaths · centminmod/centminmod-fail2ban@89533df · GitHub

pamamolf · Sep 7, 2017

No update function so i have to do the edits myself?

eva2000 · Sep 7, 2017

re-running fail2ban.sh install will update everything

pamamolf · Sep 7, 2017

Ok two more fixes please
Code:
 action = csfdeny[name=nginx-common]
 #action   = cloudflare
 logpath = /home/nginx/domains/*/log/access.log
                /usr/local/nginx/logs/access.log
               /var/log/nginx/*.access.log
              /var/log/nginx/localhost_ssl.access.log
and

action = csfdeny[name=shells]
#action = cloudflare
logpath = /home/nginx/domains/*/log/access.log
/usr/local/nginx/logs/access.log
/var/log/nginx/localhost_ssl.access.log
/var/log/nginx/*.access.log
Click to expand...

That line is not needed on the above:

/var/log/nginx/localhost_ssl.access.log
Click to expand...

as it is covered by the:
Code:
/var/log/nginx/*.access.log
Thank you

Log in / Register

Forums

Want to subscribe to topics you're interested in?

Security fail2ban for Centmin Mod + CSF Firewall / Cloudflare API

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

.

Log in / Register

Useful Searches

Want to subscribe to topics you're interested in?

Security fail2ban for Centmin Mod + CSF Firewall / Cloudflare API

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

eva2000 Administrator Staff Member

pamamolf Well-Known Member

.