Security fail2ban for Centmin Mod + CSF Firewall / Cloudflare API

Discussion in 'System Administration' started by eva2000, May 12, 2017.

  1. pamamolf

    pamamolf Premium Member Premium Member

    3,811
    369
    83
    May 31, 2014
    Ratings:
    +711
    Local Time:
    7:56 PM
    Nginx-1.17.x
    MariaDB 10.3.x
    Do I need a better cleanup or does it need another fix?

    I just deleted the /root/tools/centminmod-fail2ban folder and then I reinstalled and I got:

    and

     
  2. eva2000

    eva2000 Administrator Staff Member

    44,527
    10,170
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,742
    Local Time:
    2:56 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    output for
    Code (Text):
    ls -lah /root/tools/centminmod-fail2ban
    ls -lah /root/tools/centminmod-fail2ban/centos
    
     
  3. pamamolf

     
  4. eva2000

  5. pamamolf

    That one did the trick :)

    I got only:

    But it works :) Don't know if you want to do anything related to the above message ....

    Thank you !
     
  6. pamamolf

    Is that the wrong syntax to remove an IP?

    Code:
    fail2ban-client set nginx-conn-limit unban 123.456.789.000

    The result is:

    But using this it works great:

    Just wondering :)
     
  7. eva2000

    use the latter ;)
    should be fine
     
  8. pamamolf

    At jail.local I can see that:

    but on that path we have always access.log and error.log only.

    So there is no reason to use the * in front or at the back of "error" name...

    For me it will be better to use:

    Code:
    logpath = /usr/local/nginx/logs/access.log
              /usr/local/nginx/logs/error.log

    or just keep the direct link to error.log only if you want to check only this file...

    Can you please verify George and add that as default ?

    Thank you !
     
  9. eva2000

    See Centmin Mod Configuration Files - CentminMod.com LEMP Nginx web stack for CentOS. The jail for the main hostname's nginx vhost detects log file names different from normal vhost generated nginx vhosts.

    In fact fail2ban's jail for the main vhost has an incomplete path for
    Code (Text):
    logpath = /usr/local/nginx/logs/*error*.log
    

    there should be an additional path to account for /var/log/nginx/localhost.error.log i.e. /var/log/nginx/*.error.log

    so needs fixing just not the way you assumed :)

    edit: updated fail2ban jails for missing default main vhost logpaths: add missing logpath for default main vhost · centminmod/centminmod-fail2ban@4144fbe · GitHub

    so jails pick up the /var/log/nginx paths now
    Code (Text):
    ---------------------------------------
    nginx-req-limit-main parameters:
    maxretry: 5 findtime: 600 bantime: 7200
    allow rate: 576 hits/day
    filter last modified: Thu Sep  7 01:28:08 UTC 2017
    Status for the jail: nginx-req-limit-main
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /var/log/nginx/localhost.error.log /usr/local/nginx/logs/error.log /var/log/nginx/localhost_ssl.error.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    

    Code (Text):
    ---------------------------------------
    wordpress-auth parameters:
    maxretry: 3 findtime: 60 bantime: 600
    allow rate: 2880 hits/day
    filter last modified: Thu Sep  7 01:28:17 UTC 2017
    Status for the jail: wordpress-auth
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- File list:        /usr/local/nginx/logs/access.log /var/log/nginx/localhost.access.log /var/log/nginx/localhost_ssl.access.log /home/nginx/domains/demodomain.com/log/access.log
    `- Actions
       |- Currently banned: 0
       |- Total banned:     0
       `- Banned IP list:
    
     
    Last edited: Sep 7, 2017
  10. pamamolf

    The above are correct but only for the path:
    But I am talking for the path:
    If you check any of your servers you will see that there are only:

    So we can point to them directly without any *
     
  11. eva2000

    I see what you mean. For now should be fine.
     
  12. eva2000

    actually it's already done for where it counts for vhost logs i.e.

    /home/nginx/domains/*/log/access.log

    for /usr/local/nginx/logs/ there's other logs that can go in there but it was for /var/log/nginx really the wildcards as they're prefixed with localhost. and phpmyadmin logs have local_ssl. prefix too i.e. /var/log/nginx/localhost.access.log and /var/log/nginx/localhost_ssl.access.log
     
  13. pamamolf

    That's a nice fix but I think it is better to do this:

    Code:
    logpath = /home/nginx/domains/*/log/access.log
              /usr/local/nginx/logs/*access*.log
              /var/log/nginx/*.access.log

    change to:

    Code:
    logpath = /home/nginx/domains/*/log/access.log
              /home/nginx/domains/*/log/error.log
              /usr/local/nginx/logs/access.log
              /usr/local/nginx/logs/error.log
              /var/log/nginx/*.access.log
              /var/log/nginx/*.error.log

    Don't know if all entries are needed but I think that's a better format to use.....

    What do you think?
     
  14. eva2000

    no you do not need all error and access logs, only what the specific fail2ban jail needs to read whether it's access or error log related.
     
  15. pamamolf

    Ok then only that one can be a direct link:

    Code:
    /usr/local/nginx/logs/access.log

    As in that folder there will always be only the access.log and error.log and nothing related....

    and use the * at /var/log/nginx/ as needed there.... ?

    It's not an issue if you want to leave it as *access*.log as it will work but I think it is not needed :)

    No problem do what you think is better :)
     
  16. eva2000

    well yes technically for /usr/local/nginx/logs/*access*.log can be /usr/local/nginx/logs/access.log
     
  17. eva2000

  18. pamamolf

    No update function so I have to do the edits myself? :)
     
  19. eva2000

    re-running fail2ban.sh install will update everything
     
  20. pamamolf

    Ok two more fixes please :)
    Code:
    action = csfdeny[name=nginx-common]
    #action   = cloudflare
    logpath = /home/nginx/domains/*/log/access.log
              /usr/local/nginx/logs/access.log
              /var/log/nginx/*.access.log
              /var/log/nginx/localhost_ssl.access.log

    and

    That line is not needed on the above:

    as it is covered by the:

    Code:
    /var/log/nginx/*.access.log

    Thank you
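
The coverage gap eva2000 describes in post 9 (a jail whose logpath misses the /var/log/nginx error logs) and the overlap pamamolf points out in post 20 can both be checked by expanding each logpath pattern and comparing the result with the logs a jail is meant to read. This is an added example, not code from the thread or from centminmod-fail2ban; the helper names and the sample directory tree are constructed from file names in the status output above, and it assumes logpath patterns expand like shell-style globs.

```python
import glob
import os
import tempfile

# Constructed sample layout, using file names shown in the thread's jail status output.
SAMPLE_LOGS = [
    "/usr/local/nginx/logs/access.log",
    "/usr/local/nginx/logs/error.log",
    "/var/log/nginx/localhost.access.log",
    "/var/log/nginx/localhost.error.log",
    "/var/log/nginx/localhost_ssl.access.log",
    "/var/log/nginx/localhost_ssl.error.log",
    "/home/nginx/domains/demodomain.com/log/access.log",
]

def expand_logpath(logpath, root=""):
    """Map each whitespace-separated logpath pattern to the files it matches under root."""
    out = {}
    for pattern in logpath.split():
        out[pattern] = sorted(h[len(root):] for h in glob.glob(glob.escape(root) + pattern))
    return out

def audit(logpath, expected, root=""):
    """Find expected logs no pattern reads, patterns with no match, and subsumed patterns."""
    exp = expand_logpath(logpath, root)
    covered = {f for files in exp.values() for f in files}
    return {
        "missed": sorted(set(expected) - covered),
        "empty": [p for p, files in exp.items() if not files],
        "redundant": [p for p, files in exp.items() if files and any(
            q != p and set(files) <= set(other) for q, other in exp.items())],
    }

def run_demo():
    """Build the sample tree in a temp dir and audit the logpaths discussed in the thread."""
    with tempfile.TemporaryDirectory() as root:
        for path in SAMPLE_LOGS:
            os.makedirs(os.path.dirname(root + path), exist_ok=True)
            open(root + path, "w").close()
        errors = [p for p in SAMPLE_LOGS if p.endswith("error.log")]
        before = "/usr/local/nginx/logs/*error*.log"            # logpath quoted in post 9
        after = before + "\n/var/log/nginx/*.error.log"         # additional path from post 9
        post20 = ("/home/nginx/domains/*/log/access.log\n/usr/local/nginx/logs/access.log\n"
                  "/var/log/nginx/*.access.log\n/var/log/nginx/localhost_ssl.access.log")
        return audit(before, errors, root), audit(after, errors, root), audit(post20, [], root)

if __name__ == "__main__":
    for report in run_demo():
        print(report)
```

On a live server, call `audit()` with `root=""`; the result reflects the files present when it runs, so rerun it after adding a vhost.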