#49026: update of fail2ban to v0.9.3

Rainer Müller raimue at macports.org
Wed Oct 14 03:59:20 PDT 2015


On 2015-10-14 07:52, Francois Claire wrote:
> On 09/10/2015 16:49, Rainer Müller wrote:
>> I noticed some things while trying to set this up. I don't know if these
>> were introduced with fail2ban 0.9.x, so I am just listing them here for
>> discussion.
>>
>> jail.conf:
>>    banaction = iptables-multiport
>>
>> This will never work on OS X because we do not have iptables, right?
>> It would probably make sense to provide a better default (pfctl?).
>> iptables appears in multiple places in this file.
> Indeed. In fact each user shall make his own
> ${prefix}/etc/fail2ban/jail.local where he can enable jails and
> associate the appropriate action to do. Here's mine:
> 
> $ cat /opt/local/etc/fail2ban/jail.local
> [DEFAULT]
> bantime = 36000
> 
> [sshd]
> enabled = true
> action = pf-icefloor
> 
> I'm using pf firewall rules set by icefloor so I'm using the bruteforce
> table to block scanners. There are other actions to use under OSX like
> osx-afctl which is using the adaptive firewall. All actions can be
> found and tuned under ${prefix}/etc/fail2ban/action.d/

Thanks for the example. I just meant it would make sense to set it to a
patch in a default that actually works.

>>
>> fail2ban.conf:
>>    dbfile = /opt/local/var/run/fail2ban/fail2ban.sqlite3
>>
>> Persistent files are usually stored in ${prefix}/var/lib/ or
>> ${prefix}/var/db/ and not ${prefix}/var/run/. The latter is meant to
>> hold volatile files (for example, the PID of the running daemon).
> Indeed this db file might not be at the best place in the file system.
> Although it might be considered volatile: if it doesn't exist
> fail2ban just creates a new one.
> 
> Which place would be better?

I would have expected ${prefix}/var/db/fail2ban/fail2ban.sqlite3
                                    ^^
See also 'man porthier' for the prefix layout.

>> paths-osx.conf:
>>    apache_error_log = /private/var/log/apache2/error_log
>>    apache_access_log = /private/var/log/apache2/access_log
>>
>> Would it make sense to point these to apache2 from MacPorts? That would
>> probably be something in ${prefix}/apache2/logs/.
> I'm using fail2ban on my mac mini with OSX server so that's the path for
> apache included in the apple server app. These settings can be overridden
> in fail2ban.local or jail.local.

Ah, I did not think of OS X server. Sounds reasonable.

Rainer
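The two shipped defaults discussed above (an iptables banaction and a dbfile under var/run) can be checked against the .conf/.local layering with a small script. This is an added example, not part of the thread or of the MacPorts port; it assumes the ${prefix}/etc/fail2ban layout and builds constructed sample trees so it runs stand-alone.

```shell
#!/bin/sh
# Sanity checks for a MacPorts fail2ban tree (added example, not from the
# thread or the port). Assumes the ${prefix}/etc/fail2ban layout with the
# usual .conf/.local layering; the sample trees below are constructed.

# effective_value KEY FILE...: the last assignment of KEY wins, and later
# files (the .local overrides) take precedence over earlier ones. Sections
# are ignored, which is enough for the [DEFAULT]/[Definition] keys checked.
effective_value() {
    key=$1; shift; val=
    for f in "$@"; do
        [ -f "$f" ] || continue
        v=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$f" | tail -n 1)
        [ -n "$v" ] && val=$v
    done
    printf '%s\n' "$val"
}

# config_issues ETCDIR OSNAME: one line per problem; prints nothing if clean.
config_issues() {
    etc=$1; os=$2
    ba=$(effective_value banaction "$etc/jail.conf" "$etc/jail.local")
    case "$os:$ba" in
        Darwin:iptables*) echo "banaction=$ba needs iptables, which $os does not have" ;;
    esac
    db=$(effective_value dbfile "$etc/fail2ban.conf" "$etc/fail2ban.local")
    case $db in
        */var/run/*) echo "dbfile=$db is under var/run, meant for volatile files (see 'man porthier')" ;;
    esac
}

# Constructed sample trees: the shipped defaults as quoted in the thread,
# and the same defaults with .local overrides along the lines discussed.
TMP=$(mktemp -d); SAMPLE_BAD=$TMP/bad; SAMPLE_FIXED=$TMP/fixed
mkdir -p "$SAMPLE_BAD" "$SAMPLE_FIXED"
printf '[DEFAULT]\nbanaction = iptables-multiport\n' > "$SAMPLE_BAD/jail.conf"
printf '[Definition]\ndbfile = /opt/local/var/run/fail2ban/fail2ban.sqlite3\n' > "$SAMPLE_BAD/fail2ban.conf"
cp "$SAMPLE_BAD"/*.conf "$SAMPLE_FIXED"/
printf '[DEFAULT]\nbanaction = osx-afctl\n\n[sshd]\nenabled = true\n' > "$SAMPLE_FIXED/jail.local"
printf '[Definition]\ndbfile = /opt/local/var/db/fail2ban/fail2ban.sqlite3\n' > "$SAMPLE_FIXED/fail2ban.local"

config_issues "$SAMPLE_BAD" Darwin     # reports both findings
config_issues "$SAMPLE_FIXED" Darwin   # reports nothing
```

Point it at a real tree with `config_issues /opt/local/etc/fail2ban "$(uname -s)"`.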
