Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

Link zu dieser Vergleichsansicht

centos:fail2ban [20.04.2018 10:37. ]
centos:fail2ban [22.07.2019 14:52. ] (aktuell)
Zeile 1: Zeile 1:
 +====== Fail2ban unter CentOS 6.x ======
 +{{:​centos:​fail2ban_logo.png?​nolink&​150 |Fail2ban Logo}} Ähnlich wie das [[http://​www.nagios.org/​|nagios]] Plugin [[http://​exchange.nagios.org/​directory/​Plugins/​Log-Files/​check_logfiles/​details| check_logfiles]] kann mit Hilfe von [[http://​www.fail2ban.org/​wiki/​index.php/​Main_Page|Fail2ban]] ​ diverse Logdateien auf Auffälligkeiten hin überwacht werden. Die Ursache dieser Auffälligkeiten kann nun ein amoklaufender Host, eine [[http://​de.wikipedia.org/​wiki/​Brute-Force-Attacke|Brute-Force-Attacke]],​ oder anderweitigen nicht erwünschten IP-Traffic sein. 
 +
 +Im Gegensatz zum Eingangs angesprochenen nagios-plugins,​ haben wir nun mit **Fail2ban** ein Werkzeug an der Hand, mit dem wir der Ursache oder dem Verursacher entgegentreten können. **Fail2ban** kann je nach Konfiguration,​ eMails-verschicken oder Dienste wie [[https://​www.blocklist.de|www.blocklist.de]] informieren und darüber hinaus über das Paketfilter-regelwerk **[[http://​www.netfilter.org/​projects/​iptables/​|iptables]]** vornehmen, so dass die Verursachen für eine gewisse Zeit, oder auch dauerhaft, geblockt werden.
 +
 +
 +===== Installation =====
 +Im folgendem Abschnitt werden wir nun die aktuelle Release-Version **0.9.0** installieren. **[[http://​www.fail2ban.org/​wiki/​index.php/​FAQ_german#​Wie_interpretiere_ich_die_Versionsnummer_von_Fail2Ban.3F|0.9.0]]** ist zwar eine sog. Entwickler-Version,​ bringt aber wesentliche Neuerungen mit, die wir gerne einsetzen wollen. Hinweise zum aktuellen Release-Stand findet man bei **[[https://​github.com|GitHub]]** [[https://​github.com/​fail2ban/​fail2ban/​releases/​tag/​0.9.0|hier]].
 +
 +Das zugehörige,​ oder besser gesagt, die zugehörigen RPMs findet man im Repository [[http://​repository.nausch.org/​public/​mailserver.guru/​|mailserver.guru]]. Falls noch nicht geschehen, binden wir nun das entsprechende Repository ein. Wie das geht, steht [[https://​dokuwiki.nausch.org/​doku.php/​centos:​mailserver.guru|hier]]. Eine ausführliche Dokumentation der aktuellen Entwicklerversion **0.9.0** findet sich [[https://​media.readthedocs.org/​pdf/​fail2ban/​latest/​fail2ban.pdf|hier.]]
 +
 +Da wir neben der Überwachung der Logfiles auch Aktionen, wie z.B. verschicken von Status-eMails nutzen wollen installieren wir das Paket **fail2ban** aus zuvor erwähnten **[[http://​repository.nausch.org/​public/​mailserver.guru/​|mailserver.guru-Repository]]**. ​
 +
 +<WRAP center round tip >
 +Dank des eingebundenen **[[http://​repository.nausch.org/​public/​mailserver.guru/​|mailserver.guru-Repository]]** könne wir **yum** zum Installieren verwenden, somit werden auch gleich alle weiteren Pakete für eine Basisinstallation als Abhängigkeiten mit installiert!
 +</​WRAP>​
 +
 +Wir starten also den Installationsvorgang.
 +   # yum install fail2ban -y
 +
 +Neben dem Basispaket **fail2ban** werden noch die Pakete **fail2ban-server**,​ **fail2ban-sendmail**,​ **jwois**, **gamin-python** und **python-inotify** installiert. ​
 +
 +Bei Bedraf können wir uns mit Hilfe des Aufrufes ''​rpm -qil''​ jeweils ein Bild davon machen, welche Dateien und Verzeichnisse bei der jeweiligen Paketinstallation neu zum System hinzukamen.
 +
 +   # rpm -qil fail2ban
 +<​code>​Name ​       : fail2ban ​                    ​Relocations:​ (not relocatable)
 +Version ​    : 0.9.0                             ​Vendor:​ django
 +Release ​    : 2.el6                         Build Date: Fri 13 Jun 2014 11:07:17 PM CEST
 +Install Date: Fri 13 Jun 2014 11:16:39 PM CEST      Build Host: vml010039.intra.nausch.org
 +Group       : Unspecified ​                  ​Source RPM: fail2ban-0.9.0-2.el6.src.rpm
 +Size        : 0                                License: GPLv2+
 +Signature ​  : RSA/SHA1, Fri 13 Jun 2014 11:07:18 PM CEST, Key ID 31b4758f7c65ab27
 +Packager ​   : Django <​django@nausch.org>​
 +URL         : http://​fail2ban.sourceforge.net/​
 +Summary ​    : Daemon to ban hosts that cause multiple authentication errors
 +Description :
 +Fail2Ban scans log files and bans IP addresses that makes too many password
 +failures. It updates firewall rules to reject the IP address. These rules can
 +be defined by the user. Fail2Ban can read multiple log files such as sshd or
 +Apache web server ones.
 +
 +Fail2Ban is able to reduce the rate of incorrect authentications attempts
 +however it cannot eliminate the risk that weak authentication presents.
 +Configure services to use only two factor or public/​private authentication
 +mechanisms if you really want to protect services.
 +
 +This is a meta-package that will install the default configuration. ​ Other
 +sub-packages are available to install support for other actions and
 +configurations.
 +(contains no files)
 +</​code>​
 +
 +   # rpm -qil fail2ban-server
 +<​code>​Name ​       : fail2ban-server ​             Relocations:​ (not relocatable)
 +Version ​    : 0.9.0                             ​Vendor:​ django
 +Release ​    : 2.el6                         Build Date: Fri 13 Jun 2014 11:07:17 PM CEST
 +Install Date: Fri 13 Jun 2014 11:16:33 PM CEST      Build Host: vml010039.intra.nausch.org
 +Group       : Unspecified ​                  ​Source RPM: fail2ban-0.9.0-2.el6.src.rpm
 +Size        : 1240490 ​                         License: GPLv2+
 +Signature ​  : RSA/SHA1, Fri 13 Jun 2014 11:07:19 PM CEST, Key ID 31b4758f7c65ab27
 +Packager ​   : Django <​django@nausch.org>​
 +URL         : http://​fail2ban.sourceforge.net/​
 +Summary ​    : Core server component for Fail2Ban
 +Description :
 +This package contains the core server components for Fail2Ban with minimal
 +dependencies. ​ You can install this directly if you want to have a small
 +installation and know what you are doing.
 +/​etc/​fail2ban
 +/​etc/​fail2ban/​action.d
 +/​etc/​fail2ban/​action.d/​apf.conf
 +/​etc/​fail2ban/​action.d/​badips.conf
 +/​etc/​fail2ban/​action.d/​badips.py
 +/​etc/​fail2ban/​action.d/​blocklist_de.conf
 +/​etc/​fail2ban/​action.d/​dshield.conf
 +/​etc/​fail2ban/​action.d/​dummy.conf
 +/​etc/​fail2ban/​action.d/​firewallcmd-ipset.conf
 +/​etc/​fail2ban/​action.d/​firewallcmd-new.conf
 +/​etc/​fail2ban/​action.d/​iptables-allports.conf
 +/​etc/​fail2ban/​action.d/​iptables-blocktype.conf
 +/​etc/​fail2ban/​action.d/​iptables-ipset-proto4.conf
 +/​etc/​fail2ban/​action.d/​iptables-ipset-proto6-allports.conf
 +/​etc/​fail2ban/​action.d/​iptables-ipset-proto6.conf
 +/​etc/​fail2ban/​action.d/​iptables-multiport-log.conf
 +/​etc/​fail2ban/​action.d/​iptables-multiport.conf
 +/​etc/​fail2ban/​action.d/​iptables-new.conf
 +/​etc/​fail2ban/​action.d/​iptables-xt_recent-echo.conf
 +/​etc/​fail2ban/​action.d/​iptables.conf
 +/​etc/​fail2ban/​action.d/​mail.conf
 +/​etc/​fail2ban/​action.d/​mynetwatchman.conf
 +/​etc/​fail2ban/​action.d/​route.conf
 +/​etc/​fail2ban/​action.d/​sendmail.conf
 +/​etc/​fail2ban/​action.d/​smtp.py
 +/​etc/​fail2ban/​action.d/​smtp.pyc
 +/​etc/​fail2ban/​action.d/​smtp.pyo
 +/​etc/​fail2ban/​action.d/​xarf-login-attack.conf
 +/​etc/​fail2ban/​fail2ban.conf
 +/​etc/​fail2ban/​fail2ban.d
 +/​etc/​fail2ban/​fail2ban.local
 +/​etc/​fail2ban/​filter.d
 +/​etc/​fail2ban/​filter.d/​3proxy.conf
 +/​etc/​fail2ban/​filter.d/​apache-auth.conf
 +/​etc/​fail2ban/​filter.d/​apache-badbots.conf
 +/​etc/​fail2ban/​filter.d/​apache-botsearch.conf
 +/​etc/​fail2ban/​filter.d/​apache-common.conf
 +/​etc/​fail2ban/​filter.d/​apache-modsecurity.conf
 +/​etc/​fail2ban/​filter.d/​apache-nohome.conf
 +/​etc/​fail2ban/​filter.d/​apache-noscript.conf
 +/​etc/​fail2ban/​filter.d/​apache-overflows.conf
 +/​etc/​fail2ban/​filter.d/​assp.conf
 +/​etc/​fail2ban/​filter.d/​asterisk.conf
 +/​etc/​fail2ban/​filter.d/​common.conf
 +/​etc/​fail2ban/​filter.d/​counter-strike.conf
 +/​etc/​fail2ban/​filter.d/​courier-auth.conf
 +/​etc/​fail2ban/​filter.d/​courier-smtp.conf
 +/​etc/​fail2ban/​filter.d/​cyrus-imap.conf
 +/​etc/​fail2ban/​filter.d/​dovecot.conf
 +/​etc/​fail2ban/​filter.d/​dropbear.conf
 +/​etc/​fail2ban/​filter.d/​ejabberd-auth.conf
 +/​etc/​fail2ban/​filter.d/​exim-common.conf
 +/​etc/​fail2ban/​filter.d/​exim-spam.conf
 +/​etc/​fail2ban/​filter.d/​exim.conf
 +/​etc/​fail2ban/​filter.d/​freeswitch.conf
 +/​etc/​fail2ban/​filter.d/​groupoffice.conf
 +/​etc/​fail2ban/​filter.d/​gssftpd.conf
 +/​etc/​fail2ban/​filter.d/​guacamole.conf
 +/​etc/​fail2ban/​filter.d/​horde.conf
 +/​etc/​fail2ban/​filter.d/​kerio.conf
 +/​etc/​fail2ban/​filter.d/​lighttpd-auth.conf
 +/​etc/​fail2ban/​filter.d/​mysqld-auth.conf
 +/​etc/​fail2ban/​filter.d/​nagios.conf
 +/​etc/​fail2ban/​filter.d/​named-refused.conf
 +/​etc/​fail2ban/​filter.d/​nginx-http-auth.conf
 +/​etc/​fail2ban/​filter.d/​nsd.conf
 +/​etc/​fail2ban/​filter.d/​openwebmail.conf
 +/​etc/​fail2ban/​filter.d/​pam-generic.conf
 +/​etc/​fail2ban/​filter.d/​perdition.conf
 +/​etc/​fail2ban/​filter.d/​php-url-fopen.conf
 +/​etc/​fail2ban/​filter.d/​postfix-sasl.conf
 +/​etc/​fail2ban/​filter.d/​postfix.conf
 +/​etc/​fail2ban/​filter.d/​proftpd.conf
 +/​etc/​fail2ban/​filter.d/​pure-ftpd.conf
 +/​etc/​fail2ban/​filter.d/​qmail.conf
 +/​etc/​fail2ban/​filter.d/​recidive.conf
 +/​etc/​fail2ban/​filter.d/​roundcube-auth.conf
 +/​etc/​fail2ban/​filter.d/​selinux-common.conf
 +/​etc/​fail2ban/​filter.d/​selinux-ssh.conf
 +/​etc/​fail2ban/​filter.d/​sendmail-auth.conf
 +/​etc/​fail2ban/​filter.d/​sendmail-reject.conf
 +/​etc/​fail2ban/​filter.d/​sieve.conf
 +/​etc/​fail2ban/​filter.d/​sogo-auth.conf
 +/​etc/​fail2ban/​filter.d/​solid-pop3d.conf
 +/​etc/​fail2ban/​filter.d/​squid.conf
 +/​etc/​fail2ban/​filter.d/​squirrelmail.conf
 +/​etc/​fail2ban/​filter.d/​sshd-ddos.conf
 +/​etc/​fail2ban/​filter.d/​sshd.conf
 +/​etc/​fail2ban/​filter.d/​stunnel.conf
 +/​etc/​fail2ban/​filter.d/​suhosin.conf
 +/​etc/​fail2ban/​filter.d/​tine20.conf
 +/​etc/​fail2ban/​filter.d/​uwimap-auth.conf
 +/​etc/​fail2ban/​filter.d/​vsftpd.conf
 +/​etc/​fail2ban/​filter.d/​webmin-auth.conf
 +/​etc/​fail2ban/​filter.d/​wuftpd.conf
 +/​etc/​fail2ban/​filter.d/​xinetd-fail.conf
 +/​etc/​fail2ban/​jail.conf
 +/​etc/​fail2ban/​jail.d
 +/​etc/​fail2ban/​jail.local
 +/​etc/​fail2ban/​paths-centos.conf
 +/​etc/​fail2ban/​paths-common.conf
 +/​etc/​logrotate.d/​fail2ban
 +/​etc/​rc.d/​init.d/​fail2ban
 +/​etc/​tmpfiles.d/​fail2ban.conf
 +/​usr/​bin/​fail2ban-client
 +/​usr/​bin/​fail2ban-regex
 +/​usr/​bin/​fail2ban-server
 +/​usr/​bin/​fail2ban-testcases
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban-0.9.0-py2.6.egg-info
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban-0.9.0-py2.6.egg-info/​PKG-INFO
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban-0.9.0-py2.6.egg-info/​SOURCES.txt
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban-0.9.0-py2.6.egg-info/​dependency_links.txt
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban-0.9.0-py2.6.egg-info/​top_level.txt
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​__init__.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​__init__.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​__init__.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​__init__.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​__init__.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​__init__.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​actionreader.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​actionreader.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​actionreader.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​beautifier.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​beautifier.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​beautifier.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​configparserinc.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​configparserinc.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​configparserinc.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​configreader.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​configreader.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​configreader.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​configurator.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​configurator.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​configurator.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​csocket.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​csocket.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​csocket.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​fail2banreader.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​fail2banreader.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​fail2banreader.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​filterreader.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​filterreader.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​filterreader.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​jailreader.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​jailreader.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​jailreader.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​jailsreader.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​jailsreader.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​client/​jailsreader.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​exceptions.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​exceptions.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​exceptions.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​helpers.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​helpers.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​helpers.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​protocol.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​protocol.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​protocol.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​__init__.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​__init__.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​__init__.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​action.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​action.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​action.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​actions.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​actions.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​actions.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​asyncserver.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​asyncserver.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​asyncserver.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​banmanager.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​banmanager.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​banmanager.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​database.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​database.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​database.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​datedetector.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​datedetector.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​datedetector.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​datetemplate.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​datetemplate.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​datetemplate.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​faildata.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​faildata.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​faildata.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​failmanager.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​failmanager.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​failmanager.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​failregex.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​failregex.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​failregex.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​filter.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​filter.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​filter.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​filtergamin.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​filtergamin.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​filtergamin.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​filterpoll.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​filterpoll.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​filterpoll.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​filterpyinotify.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​filterpyinotify.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​filterpyinotify.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​filtersystemd.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​filtersystemd.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​filtersystemd.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​jail.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​jail.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​jail.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​jails.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​jails.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​jails.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​jailthread.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​jailthread.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​jailthread.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​mytime.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​mytime.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​mytime.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​server.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​server.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​server.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​strptime.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​strptime.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​strptime.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​ticket.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​ticket.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​ticket.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​transmitter.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​transmitter.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​server/​transmitter.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​__init__.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​__init__.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​__init__.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​action_d
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​action_d/​__init__.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​action_d/​__init__.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​action_d/​__init__.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​action_d/​test_badips.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​action_d/​test_badips.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​action_d/​test_badips.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​action_d/​test_smtp.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​action_d/​test_smtp.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​action_d/​test_smtp.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​actionstestcase.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​actionstestcase.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​actionstestcase.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​actiontestcase.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​actiontestcase.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​actiontestcase.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​banmanagertestcase.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​banmanagertestcase.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​banmanagertestcase.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​clientreadertestcase.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​clientreadertestcase.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​clientreadertestcase.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​config
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​config/​action.d
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​config/​action.d/​brokenaction.conf
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​config/​fail2ban.conf
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​config/​filter.d
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​config/​filter.d/​simple.conf
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​config/​jail.conf
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​databasetestcase.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​databasetestcase.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​databasetestcase.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​datedetectortestcase.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​datedetectortestcase.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​datedetectortestcase.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​dummyjail.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​dummyjail.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​dummyjail.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​failmanagertestcase.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​failmanagertestcase.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​failmanagertestcase.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​action.d
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​action.d/​action.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​action.d/​action.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​action.d/​action.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​action.d/​action_errors.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​action.d/​action_errors.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​action.d/​action_errors.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​action.d/​action_noAction.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​action.d/​action_noAction.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​action.d/​action_noAction.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​action.d/​action_nomethod.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​action.d/​action_nomethod.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​action.d/​action_nomethod.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​README
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​basic
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​basic/​authz_owner
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​basic/​authz_owner/​.htaccess
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​basic/​authz_owner/​.htpasswd
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​basic/​authz_owner/​cant_get_me.html
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​basic/​file
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​basic/​file/​.htaccess
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​basic/​file/​.htpasswd
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​digest
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​digest.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​digest.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​digest.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​digest/​.htaccess
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​digest/​.htpasswd
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​digest_anon
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​digest_anon/​.htaccess
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​digest_anon/​.htpasswd
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​digest_time
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​digest_time/​.htaccess
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​digest_time/​.htpasswd
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​digest_wrongrelm
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​digest_wrongrelm/​.htaccess
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​digest_wrongrelm/​.htpasswd
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​noentry
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​config/​apache-auth/​noentry/​.htaccess
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​database_v1.db
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​filter.d
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​filter.d/​substition.conf
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​filter.d/​testcase-common.conf
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​filter.d/​testcase01.conf
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​ignorecommand.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​ignorecommand.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​ignorecommand.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​3proxy
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​apache-auth
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​apache-badbots
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​apache-botsearch
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​apache-modsecurity
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​apache-nohome
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​apache-noscript
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​apache-overflows
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​assp
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​asterisk
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​bsd
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​bsd/​syslog-plain.txt
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​bsd/​syslog-v.txt
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​bsd/​syslog-vv.txt
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​counter-strike
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​courier-auth
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​courier-smtp
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​cyrus-imap
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​dovecot
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​dropbear
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​ejabberd-auth
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​exim
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​exim-spam
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​freeswitch
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​groupoffice
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​gssftpd
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​guacamole
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​horde
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​kerio
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​lighttpd-auth
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​mysqld-auth
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​nagios
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​named-refused
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​nginx-http-auth
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​nsd
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​openwebmail
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​pam-generic
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​perdition
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​php-url-fopen
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​postfix
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​postfix-sasl
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​proftpd
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​pure-ftpd
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​qmail
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​recidive
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​roundcube-auth
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​selinux-ssh
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​sendmail-auth
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​sendmail-reject
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​sieve
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​sogo-auth
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​solid-pop3d
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​squid
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​squirrelmail
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​sshd
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​sshd-ddos
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​stunnel
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​suhosin
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​tine20
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​uwimap-auth
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​vsftpd
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​webmin-auth
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​wuftpd
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​logs/​xinetd-fail
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​testcase-journal.log
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​testcase-multiline.log
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​testcase-usedns.log
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​testcase01.log
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​testcase02.log
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​testcase03.log
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​files/​testcase04.log
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​filtertestcase.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​filtertestcase.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​filtertestcase.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​misctestcase.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​misctestcase.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​misctestcase.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​samplestestcase.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​samplestestcase.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​samplestestcase.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​servertestcase.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​servertestcase.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​servertestcase.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​sockettestcase.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​sockettestcase.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​sockettestcase.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​utils.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​utils.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​tests/​utils.pyo
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​version.py
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​version.pyc
 +/​usr/​lib/​python2.6/​site-packages/​fail2ban/​version.pyo
 +/​usr/​share/​doc/​fail2ban-server-0.9.0
 +/​usr/​share/​doc/​fail2ban-server-0.9.0/​COPYING
 +/​usr/​share/​doc/​fail2ban-server-0.9.0/​ChangeLog
 +/​usr/​share/​doc/​fail2ban-server-0.9.0/​README.md
 +/​usr/​share/​doc/​fail2ban-server-0.9.0/​TODO
 +/​usr/​share/​doc/​fail2ban-server-0.9.0/​run-rootless.txt
 +/​usr/​share/​man/​man1/​fail2ban-client.1.gz
 +/​usr/​share/​man/​man1/​fail2ban-regex.1.gz
 +/​usr/​share/​man/​man1/​fail2ban-server.1.gz
 +/​usr/​share/​man/​man1/​fail2ban.1.gz
 +/​usr/​share/​man/​man5/​jail.conf.5.gz
 +/​var/​lib/​fail2ban
 +/​var/​run/​fail2ban
 +</​code>​
 +
 +   # rpm -qil fail2ban-sendmail
 +<​code>​Name ​       : fail2ban-sendmail ​           Relocations:​ (not relocatable)
 +Version ​    : 0.9.0                             ​Vendor:​ django
 +Release ​    : 2.el6                         Build Date: Fri 13 Jun 2014 11:07:17 PM CEST
 +Install Date: Fri 13 Jun 2014 11:16:38 PM CEST      Build Host: vml010039.intra.nausch.org
 +Group       : Unspecified ​                  ​Source RPM: fail2ban-0.9.0-2.el6.src.rpm
 +Size        : 9564                             ​License:​ GPLv2+
 +Signature ​  : RSA/SHA1, Fri 13 Jun 2014 11:07:21 PM CEST, Key ID 31b4758f7c65ab27
 +Packager ​   : Django <​django@nausch.org>​
 +URL         : http://​fail2ban.sourceforge.net/​
 +Summary ​    : Sendmail actions for Fail2Ban
 +Description :
 +This package installs Fail2Ban'​s sendmail actions. ​ This is the default
 +mail actions for Fail2Ban.
 +/​etc/​fail2ban/​action.d/​sendmail-buffered.conf
 +/​etc/​fail2ban/​action.d/​sendmail-common.conf
 +/​etc/​fail2ban/​action.d/​sendmail-whois-ipjailmatches.conf
 +/​etc/​fail2ban/​action.d/​sendmail-whois-ipmatches.conf
 +/​etc/​fail2ban/​action.d/​sendmail-whois-lines.conf
 +/​etc/​fail2ban/​action.d/​sendmail-whois-matches.conf
 +/​etc/​fail2ban/​action.d/​sendmail-whois.conf
 +</​code>​
 +
 +   rpm -qil gamin-python
 +<​code>​Name ​       : gamin-python ​                ​Relocations:​ (not relocatable)
 +Version ​    : 0.1.10 ​                           Vendor: CentOS
 +Release ​    : 9.el6                         Build Date: Thu 11 Nov 2010 09:03:58 AM CET
 +Install Date: Fri 13 Jun 2014 11:16:30 PM CEST      Build Host: c6b5.bsys.dev.centos.org
 +Group       : Development/​Libraries ​        ​Source RPM: gamin-0.1.10-9.el6.src.rpm
 +Size        : 89039                            License: LGPLv2
 +Signature ​  : RSA/8, Sun 03 Jul 2011 06:15:40 AM CEST, Key ID 0946fca2c105b9de
 +Packager ​   : CentOS BuildSystem <​http://​bugs.centos.org>​
 +URL         : http://​www.gnome.org/​~veillard/​gamin/​
 +Summary ​    : Python bindings for the gamin library
 +Description :
 +The gamin-python package contains a module that allow monitoring of
 +files and directories from the Python language based on the support
 +of the gamin package.
 +/​usr/​lib64/​python2.6/​site-packages/​_gamin.so
 +/​usr/​lib64/​python2.6/​site-packages/​gamin.py
 +/​usr/​lib64/​python2.6/​site-packages/​gamin.pyc
 +/​usr/​lib64/​python2.6/​site-packages/​gamin.pyo
 +/​usr/​share/​doc/​gamin-python-0.1.10
 +/​usr/​share/​doc/​gamin-python-0.1.10/​basic.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​basic2.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​basic3.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​basic4.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​basic5.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​basic6.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​bigfile.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​dnotify.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​dnotify10.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​dnotify11.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​dnotify12.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​dnotify13.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​dnotify15.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​dnotify2.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​dnotify3.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​dnotify4.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​dnotify5.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​dnotify6.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​dnotify7.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​dnotify8.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​dnotify9.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​flood.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​flood2.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​flood3.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​flood4.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​level.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​multiple.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​multiple2.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​multiple3.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​noexists.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​nokernel.py
 +/​usr/​share/​doc/​gamin-python-0.1.10/​python.html
 +/​usr/​share/​doc/​gamin-python-0.1.10/​readonly.py
 +</​code>​
 +
 +   # rpm -qil python-inotify
 +<​code>​Name ​       : python-inotify ​              ​Relocations:​ (not relocatable)
 +Version ​    : 0.9.1                             ​Vendor:​ ATrpms.net
 +Release ​    : 1.1.el6 ​                      Build Date: Sat 09 Apr 2011 09:15:37 PM CEST
 +Install Date: Fri 13 Jun 2014 11:16:31 PM CEST      Build Host: flocki.atrpms.net
 +Group       : Development/​Libraries ​        ​Source RPM: python-inotify-0.9.1-1.1.el6.src.rpm
 +Size        : 264165 ​                          ​License:​ MIT
 +Signature ​  : DSA/SHA1, Sat 09 Apr 2011 09:15:38 PM CEST, Key ID 508ce5e666534c2b
 +Packager ​   : ATrpms <​http://​ATrpms.net/>​
 +URL         : https://​github.com/​seb-m/​pyinotify
 +Summary ​    : Monitor filesystem events with Python under Linux
 +Description :
 +This is a Python module for watching filesystems changes. pyinotify
 +can be used for various kind of fs monitoring. pyinotify relies on a
 +recent Linux Kernel feature (merged in kernel 2.6.13) called
 +inotify. inotify is an event-driven notifier, its notifications are
 +exported from kernel space to user space.
 +/​usr/​bin/​pyinotify
 +/​usr/​lib/​python2.6/​site-packages/​pyinotify-0.9.1-py2.6.egg-info
 +/​usr/​lib/​python2.6/​site-packages/​pyinotify.py
 +/​usr/​lib/​python2.6/​site-packages/​pyinotify.pyc
 +/​usr/​lib/​python2.6/​site-packages/​pyinotify.pyo
 +/​usr/​share/​doc/​python-inotify-0.9.1
 +/​usr/​share/​doc/​python-inotify-0.9.1/​ACKS
 +/​usr/​share/​doc/​python-inotify-0.9.1/​COPYING
 +/​usr/​share/​doc/​python-inotify-0.9.1/​ChangeLog_old
 +/​usr/​share/​doc/​python-inotify-0.9.1/​NEWS_old
 +</​code>​
 +
 +===== Dokumentation und Beschreibungen =====
 +<WRAP center round info >
 +Die Beschreibung der einzelnen Bestandteile von fail2ban, stammt in wesentlichen Teilen aus der originalen englischen [[http://​www.fail2ban.org/​wiki/​index.php/​MANUAL_0_8#​Usage|Beschreibung vom Release-Version 0.8]] und wurde sinngemäß ins Deutsche übertragen!
 +</​WRAP>​
 +
 +==== Definitionen ====
 +Folgende Berifflichkeiten in der nachfolgenden Beschreibung werden verwandt. ​
 +
 +  * **filter** : Ein Filter definiert einen regulären Ausdruck, mit Hilfe dessen eine bestimmte Zeichenfolge (Muster) in einer Log-Datei erkannt werden kann. 
 +  * **action** : Eine Aktion definiert einen oder auch mehrere Befehle, die getriggert von einem **filter** zu einem definiertem Zeitpunkt ausgeführt werden.
 +  * **jail** : Ein **jail** ist eine Kombination aus einem Filter und einem oder mehreren **actions**,​ die fail2ban kann dabei meherer **jails** gleichzeitig verarbeiten. ​
 +  * **client** : Bezeichnet bzw. verweist aus das Skript - **fail2ban-client**. ​
 +  * **server** : Bezeichnet bzw. verweist aus das Skript - **fail2ban-server**. ​
 +
 +==== fail2ban-Server ====
 +**Fail2ban** besteht aus zwei Teilen, dem **server** und dem **client**. Der **server** kann aus einem oder auch mehreren Prozessen bestehen und lauscht auf einem unix-socket auf eingehende Befehle. Beim Starten des **server** befindet sich dieser in einer Art Standard-Modus. Hierbei verfügt der **server** über keine Definitionen der einzelnen **jail**s.
 +Nachfolgende Optionen sind für **fail2ban-server** verfügbar:
 +   # fail2ban-server --help
 +<​code>​Usage:​ /​usr/​bin/​fail2ban-server [OPTIONS]
 +
 +Fail2Ban v0.9.0 reads log file that contains password failure report
 +and bans the corresponding IP addresses using firewall rules.
 +
 +Only use this command for debugging purpose. Start the server with
 +fail2ban-client instead. The default behaviour is to start the server
 +in background.
 +
 +Options:
 +    -b                   start in background
 +    -f                   start in foreground
 +    -s <​FILE> ​           socket path
 +    -p <​FILE> ​           pidfile path
 +    -x                   force execution of the server (remove socket file)
 +    -h, --help ​          ​display this help message
 +    -V, --version ​       print the version
 +
 +Report bugs to https://​github.com/​fail2ban/​fail2ban/​issues
 +</​code>​
 +
 +Vom Anwender selbst sollte der **fail2ban-server**,​ außer im debugModus, nicht angesprochen werden! Die Option **-s** ist dabei wohl die interessanteste Option, da damit der Unix-Socket-Pfad definiert werden kann. Somit könenn meherer Fail2ban-Instanzen mit je einem eigenen Socket betrieben werden. Aber auch dieser theoretische Anwendungsfall wird i.d.R. nicht benötigt, da Fail2ban mehrere **jail**s parallel abarbeiten kann.Gefängnisse gleichzeitig ausgeführt werden.
 +
 +Sollte widererwarten der **fail2ban-server** einmal tatsächlich abstürzen und den UNIX-Socket dabei nicht gelöscht werden konnte, kann man mit der Option **-x** Fail2ban anweisen, beim Starten einen etwaigen toten Socket zu löschen. Es wird dringend geraten diesen Socket im Betrieb niemals manuell zu löschen, da dann keine Kommunikation des **fail2ban-client** mit dem **fail2ban-server** mehr möglich ist.
 +
 +Der Server verarbeitet die Signale //SIGTERM// und //SIGINT//. Beim Empfang eines dieser Signale wird **fail2ban-server** sauber beendet. ​
 +
 +Weitere nützliche informationen findet man auf der //​**man-page**//​ von **fail2ban-server**.
 +
 +<​code>​FAIL2BAN-SERVER(1) ​              User Commands ​             FAIL2BAN-SERVER(1)
 +
 +NAME
 +       ​fail2ban-server - start the server
 +
 +SYNOPSIS
 +       ​fail2ban-server [OPTIONS]
 +
 +DESCRIPTION
 +       ​Fail2Ban ​ v0.9.0 ​ reads  log  file  that  contains ​ password failure report and bans the corresponding IP
 +       ​addresses using firewall rules.
 +
 +       Only use this command for debugging purpose. Start the server with fail2ban-client instead. ​ The  default
 +       ​behaviour is to start the server in background.
 +
 +OPTIONS
 +       ​-b ​    start in background
 +
 +       ​-f ​    start in foreground
 +
 +       -s <​FILE>​
 +              socket path
 +
 +       -p <​FILE>​
 +              pidfile path
 +
 +       ​-x ​    force execution of the server (remove socket file)
 +
 +       -h, --help
 +              display this help message
 +
 +       -V, --version
 +              print the version
 +
 +AUTHOR
 +       ​Written ​ by  Cyril  Jaquier ​ <​cyril.jaquier@fail2ban.org>​. ​  ​Many ​ contributions by Yaroslav O. Halchenko
 +       <​debian@onerussian.com>​.
 +
 +REPORTING BUGS
 +       ​Report bugs to https://​github.com/​fail2ban/​fail2ban/​issues
 +
 +COPYRIGHT
 +       ​Copyright © 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
 +       ​Copyright of modifications held by their respective authors. ​  ​Licensed ​ under  the  GNU  General ​ Public
 +       ​License v2 (GPL).
 +
 +SEE ALSO
 +       ​fail2ban-client(1)
 +
 +fail2ban-server v0.9.0 ​           March 2014                FAIL2BAN-SERVER(1)
 +</​code>​
 +==== fail2ban-Client ====
 +**fail2ban-client** ist das Frontend von Fail2ban. Dieser verbindet sich mit dem Socket des **fail2ban-server** und sendet entsprechende Befehle zur Konfiguration und Steuerung des Servers. ​
 +Neben dem Einlesen der Konfigurationsdateien wird der **fail2ban-server** zur Steuerung des Servers verwendet. Dieser kann z.B. den **fail2ban-server** starten oder auch beenden.
 +Folgenden Optionen stehen für fail2ban-Client zur Verfügung.
 +   # fail2ban-client --help
 +<​code>​Usage:​ /​usr/​bin/​fail2ban-client [OPTIONS] <​COMMAND>​
 +
 +Fail2Ban v0.9.0 reads log file that contains password failure report
 +and bans the corresponding IP addresses using firewall rules.
 +
 +Options:
 +    -c <​DIR> ​               configuration directory
 +    -s <​FILE> ​              ​socket path
 +    -p <​FILE> ​              ​pidfile path
 +    -d                      dump configuration. For debugging
 +    -i                      interactive mode
 +    -v                      increase verbosity
 +    -q                      decrease verbosity
 +    -x                      force execution of the server (remove socket file)
 +    -h, --help ​             display this help message
 +    -V, --version ​          print the version
 +</​code>​
 +
 +Wie auch schon beim **fail2ban-server** wird auch beim **fail2ban-client** die Option **-s <​FILE>​** für die festlegung des Unix-Datei_Socketnamens verwendet. Setzt man diesen auf der Kommandozeile,​ wird dadurch die Definition des Konfigurationsdatei **fail2ban.conf** überschrieben. Möchte man das Standardkonfigurationsverzeichnis //​**/​etc/​fail2ban**//​ anders setzen, verwendet man die Option **-c <​DIR>​**. Zum starten des Servers wir die Option **-x** einfach an den **fail2ban-server** über den UNIX-Socket weitergeleitet. ​
 +
 +Eine sehr hilfreiche Option zu Debugzwecken ist die Option **-d**. Beim Aufruf von ''​fail2ban-client -d''​ leist z.B. die komplette Konfiguration ein, parst diese und gibt die Informationen, ​
 +die der **fail2ban-client** an den **fail2ban-server** sendet, auf der Konsole aus.
 +
 +Beispiel:
 +   # fail2ban-client -d
 +<​code>​['​set',​ '​logtarget',​ '/​var/​log/​fail2ban.log'​]
 +['​set',​ '​loglevel',​ '​INFO'​]
 +['​set',​ '​dbpurgeage',​ 86400]
 +['​set',​ '​dbfile',​ '/​var/​lib/​fail2ban/​fail2ban.sqlite3'​]
 +['​add',​ '​sshd-ddos',​ '​auto'​]
 +['​set',​ '​sshd-ddos',​ '​usedns',​ '​warn'​]
 +['​set',​ '​sshd-ddos',​ '​addlogpath',​ '/​var/​log/​secure',​ '​head'​]
 +['​set',​ '​sshd-ddos',​ '​maxretry',​ 5]
 +['​set',​ '​sshd-ddos',​ '​addignoreip',​ '​127.0.0.1/​8'​]
 +['​set',​ '​sshd-ddos',​ '​logencoding',​ '​auto'​]
 +['​set',​ '​sshd-ddos',​ '​bantime',​ 600]
 +['​set',​ '​sshd-ddos',​ '​ignorecommand',​ ''​]
 +['​set',​ '​sshd-ddos',​ '​findtime',​ 600]
 +['​set',​ '​sshd-ddos',​ '​maxlines',​ '​10'​]
 +['​set',​ '​sshd-ddos',​ '​addfailregex',​ '​^\\s*(<​[^.]+\\.[^.]+>​)?​\\s*(?:​\\S+ )?​(?:​kernel:​ \\[ *\\d+\\.\\d+\\] )?​(?:​@vserver_\\S+ )?​(?:​(?:​\\[\\d+\\])?:​\\s+[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​|[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​(?:​\\[\\d+\\])?:?​)?​\\s(?:​\\[ID \\d+ \\S+\\])?​\\s*(?:​error:​ PAM: )?​[aA]uthentication (?:​failure|error) for .* from <​HOST>​( via \\S+)?​\\s*$'​]
 +['​set',​ '​sshd-ddos',​ '​addfailregex',​ '​^\\s*(<​[^.]+\\.[^.]+>​)?​\\s*(?:​\\S+ )?​(?:​kernel:​ \\[ *\\d+\\.\\d+\\] )?​(?:​@vserver_\\S+ )?​(?:​(?:​\\[\\d+\\])?:​\\s+[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​|[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​(?:​\\[\\d+\\])?:?​)?​\\s(?:​\\[ID \\d+ \\S+\\])?​\\s*(?:​error:​ PAM: )?User not known to the underlying authentication module for .* from <​HOST>​\\s*$'​]
 +['​set',​ '​sshd-ddos',​ '​addfailregex',​ '​^\\s*(<​[^.]+\\.[^.]+>​)?​\\s*(?:​\\S+ )?​(?:​kernel:​ \\[ *\\d+\\.\\d+\\] )?​(?:​@vserver_\\S+ )?​(?:​(?:​\\[\\d+\\])?:​\\s+[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​|[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​(?:​\\[\\d+\\])?:?​)?​\\s(?:​\\[ID \\d+ \\S+\\])?​\\s*Failed \\S+ for .*? from <​HOST>​(?:​ port \\d*)?(?: ssh\\d*)?(: (ruser .*|(\\S+ ID \\S+ \\(serial \\d+\\) CA )?\\S+ (?:​[\\da-f]{2}:​){15}[\\da-f]{2}(,​ client user "​.*",​ client host "​.*"​)?​))?​\\s*$'​]
 +['​set',​ '​sshd-ddos',​ '​addfailregex',​ '​^\\s*(<​[^.]+\\.[^.]+>​)?​\\s*(?:​\\S+ )?​(?:​kernel:​ \\[ *\\d+\\.\\d+\\] )?​(?:​@vserver_\\S+ )?​(?:​(?:​\\[\\d+\\])?:​\\s+[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​|[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​(?:​\\[\\d+\\])?:?​)?​\\s(?:​\\[ID \\d+ \\S+\\])?​\\s*ROOT LOGIN REFUSED.* FROM <​HOST>​\\s*$'​]
 +['​set',​ '​sshd-ddos',​ '​addfailregex',​ '​^\\s*(<​[^.]+\\.[^.]+>​)?​\\s*(?:​\\S+ )?​(?:​kernel:​ \\[ *\\d+\\.\\d+\\] )?​(?:​@vserver_\\S+ )?​(?:​(?:​\\[\\d+\\])?:​\\s+[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​|[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​(?:​\\[\\d+\\])?:?​)?​\\s(?:​\\[ID \\d+ \\S+\\])?​\\s*[iI](?:​llegal|nvalid) user .* from <​HOST>​\\s*$'​]
 +['​set',​ '​sshd-ddos',​ '​addfailregex',​ '​^\\s*(<​[^.]+\\.[^.]+>​)?​\\s*(?:​\\S+ )?​(?:​kernel:​ \\[ *\\d+\\.\\d+\\] )?​(?:​@vserver_\\S+ )?​(?:​(?:​\\[\\d+\\])?:​\\s+[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​|[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​(?:​\\[\\d+\\])?:?​)?​\\s(?:​\\[ID \\d+ \\S+\\])?​\\s*User .+ from <​HOST>​ not allowed because not listed in AllowUsers\\s*$'​]
 +['​set',​ '​sshd-ddos',​ '​addfailregex',​ '​^\\s*(<​[^.]+\\.[^.]+>​)?​\\s*(?:​\\S+ )?​(?:​kernel:​ \\[ *\\d+\\.\\d+\\] )?​(?:​@vserver_\\S+ )?​(?:​(?:​\\[\\d+\\])?:​\\s+[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​|[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​(?:​\\[\\d+\\])?:?​)?​\\s(?:​\\[ID \\d+ \\S+\\])?​\\s*User .+ from <​HOST>​ not allowed because listed in DenyUsers\\s*$'​]
 +['​set',​ '​sshd-ddos',​ '​addfailregex',​ '​^\\s*(<​[^.]+\\.[^.]+>​)?​\\s*(?:​\\S+ )?​(?:​kernel:​ \\[ *\\d+\\.\\d+\\] )?​(?:​@vserver_\\S+ )?​(?:​(?:​\\[\\d+\\])?:​\\s+[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​|[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​(?:​\\[\\d+\\])?:?​)?​\\s(?:​\\[ID \\d+ \\S+\\])?​\\s*User .+ from <​HOST>​ not allowed because not in any group\\s*$'​]
 +['​set',​ '​sshd-ddos',​ '​addfailregex',​ '​^\\s*(<​[^.]+\\.[^.]+>​)?​\\s*(?:​\\S+ )?​(?:​kernel:​ \\[ *\\d+\\.\\d+\\] )?​(?:​@vserver_\\S+ )?​(?:​(?:​\\[\\d+\\])?:​\\s+[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​|[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​(?:​\\[\\d+\\])?:?​)?​\\s(?:​\\[ID \\d+ \\S+\\])?​\\s*refused connect from \\S+ \\(<​HOST>​\\)\\s*$'​]
 +['​set',​ '​sshd-ddos',​ '​addfailregex',​ '​^\\s*(<​[^.]+\\.[^.]+>​)?​\\s*(?:​\\S+ )?​(?:​kernel:​ \\[ *\\d+\\.\\d+\\] )?​(?:​@vserver_\\S+ )?​(?:​(?:​\\[\\d+\\])?:​\\s+[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​|[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​(?:​\\[\\d+\\])?:?​)?​\\s(?:​\\[ID \\d+ \\S+\\])?​\\s*Received disconnect from <​HOST>:​ 3: \\S+: Auth fail$'​]
 +['​set',​ '​sshd-ddos',​ '​addfailregex',​ '​^\\s*(<​[^.]+\\.[^.]+>​)?​\\s*(?:​\\S+ )?​(?:​kernel:​ \\[ *\\d+\\.\\d+\\] )?​(?:​@vserver_\\S+ )?​(?:​(?:​\\[\\d+\\])?:​\\s+[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​|[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​(?:​\\[\\d+\\])?:?​)?​\\s(?:​\\[ID \\d+ \\S+\\])?​\\s*User .+ from <​HOST>​ not allowed because a group is listed in DenyGroups\\s*$'​]
 +['​set',​ '​sshd-ddos',​ '​addfailregex',​ "​^\\s*(<​[^.]+\\.[^.]+>​)?​\\s*(?:​\\S+ )?​(?:​kernel:​ \\[ *\\d+\\.\\d+\\] )?​(?:​@vserver_\\S+ )?​(?:​(?:​\\[\\d+\\])?:​\\s+[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​|[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​(?:​\\[\\d+\\])?:?​)?​\\s(?:​\\[ID \\d+ \\S+\\])?​\\s*User .+ from <​HOST>​ not allowed because none of user's groups are listed in AllowGroups\\s*$"​]
 +['​set',​ '​sshd-ddos',​ '​addfailregex',​ '​^(?​P<​__prefix>​\\s*(<​[^.]+\\.[^.]+>​)?​\\s*(?:​\\S+ )?​(?:​kernel:​ \\[ *\\d+\\.\\d+\\] )?​(?:​@vserver_\\S+ )?​(?:​(?:​\\[\\d+\\])?:​\\s+[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​|[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​(?:​\\[\\d+\\])?:?​)?​\\s(?:​\\[ID \\d+ \\S+\\])?​\\s*)User .+ not allowed because account is locked<​SKIPLINES>​(?​P=__prefix)(?:​error:​ )?Received disconnect from <​HOST>:​ 11: Bye Bye \\[preauth\\]$'​]
 +['​set',​ '​sshd-ddos',​ '​addfailregex',​ '​^(?​P<​__prefix>​\\s*(<​[^.]+\\.[^.]+>​)?​\\s*(?:​\\S+ )?​(?:​kernel:​ \\[ *\\d+\\.\\d+\\] )?​(?:​@vserver_\\S+ )?​(?:​(?:​\\[\\d+\\])?:​\\s+[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​|[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​(?:​\\[\\d+\\])?:?​)?​\\s(?:​\\[ID \\d+ \\S+\\])?​\\s*)Disconnecting:​ Too many authentication failures for .+? \\[preauth\\]<​SKIPLINES>​(?​P=__prefix)(?:​error:​ )?​Connection closed by <​HOST>​ \\[preauth\\]$'​]
 +['​set',​ '​sshd-ddos',​ '​addfailregex',​ '​^(?​P<​__prefix>​\\s*(<​[^.]+\\.[^.]+>​)?​\\s*(?:​\\S+ )?​(?:​kernel:​ \\[ *\\d+\\.\\d+\\] )?​(?:​@vserver_\\S+ )?​(?:​(?:​\\[\\d+\\])?:​\\s+[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​|[\\[\\(]?​sshd(?:​\\(\\S+\\))?​[\\]\\)]?:?​(?:​\\[\\d+\\])?:?​)?​\\s(?:​\\[ID \\d+ \\S+\\])?​\\s*)Connection from <​HOST>​ port \\d+<​SKIPLINES>​(?​P=__prefix)Disconnecting:​ Too many authentication failures for .+? \\[preauth\\]$'​]
 +['​set',​ '​sshd-ddos',​ '​addjournalmatch',​ '​_SYSTEMD_UNIT=sshd.service',​ '​+',​ '​_COMM=sshd'​]
 +['​set',​ '​sshd-ddos',​ '​addaction',​ '​iptables-multiport'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​iptables-multiport',​ '​actionban',​ '​iptables -I f2b-<​name>​ 1 -s <ip> -j <​blocktype>'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​iptables-multiport',​ '​actionstop',​ '​iptables -D <​chain>​ -p <​protocol>​ -m multiport --dports <​port>​ -j f2b-<​name>​\niptables -F f2b-<​name>​\niptables -X f2b-<​name>'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​iptables-multiport',​ '​actionstart',​ '​iptables -N f2b-<​name>​\niptables -A f2b-<​name>​ -j RETURN\niptables -I <​chain>​ -p <​protocol>​ -m multiport --dports <​port>​ -j f2b-<​name>'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​iptables-multiport',​ '​actionunban',​ '​iptables -D f2b-<​name>​ -s <ip> -j <​blocktype>'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​iptables-multiport',​ '​actioncheck',​ "​iptables -n -L <​chain>​ | grep -q '​f2b-<​name>​[ \\t]'"​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​iptables-multiport',​ '​blocktype',​ '​REJECT --reject-with icmp-port-unreachable'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​iptables-multiport',​ '​protocol',​ '​tcp'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​iptables-multiport',​ '​name',​ '​sshd-ddos'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​iptables-multiport',​ '​chain',​ '​INPUT'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​iptables-multiport',​ '​port',​ '​9999'​]
 +['​set',​ '​sshd-ddos',​ '​addaction',​ '​sendmail-whois-lines'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​sendmail-whois-lines',​ '​actionban',​ '​printf %b "​Subject:​ [Fail2Ban] <​name>:​ banned <ip> from `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"​`\nFrom:​ <​sendername>​ <<​sender>>​\nTo:​ <​dest>​\\n\nHi,​\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<​failures>​ attempts against <​name>​.\\n\\n\nHere is more information about <​ip>:​\\n\n`/​usr/​bin/​whois <ip> || echo missing whois program`\\n\\n\nLines containing IP:<​ip>​ in <​logpath>​\\n\n`grep \'​[^0-9]<​ip>​[^0-9]\'​ <​logpath>​`\\n\\n\nRegards,​\\n\nFail2Ban"​ | /​usr/​sbin/​sendmail -f <​sender>​ <​dest>'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​sendmail-whois-lines',​ '​actionstop',​ '​printf %b "​Subject:​ [Fail2Ban] <​name>:​ stopped on `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"​`\nFrom:​ <​sendername>​ <<​sender>>​\nTo:​ <​dest>​\\n\nHi,​\\n\nThe jail <​name>​ has been stopped.\\n\nRegards,​\\n\nFail2Ban"​ | /​usr/​sbin/​sendmail -f <​sender>​ <​dest>'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​sendmail-whois-lines',​ '​actionstart',​ '​printf %b "​Subject:​ [Fail2Ban] <​name>:​ started on `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"​`\nFrom:​ <​sendername>​ <<​sender>>​\nTo:​ <​dest>​\\n\nHi,​\\n\nThe jail <​name>​ has been started successfully.\\n\nRegards,​\\n\nFail2Ban"​ | /​usr/​sbin/​sendmail -f <​sender>​ <​dest>'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​sendmail-whois-lines',​ '​actionunban',​ ''​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​sendmail-whois-lines',​ '​actioncheck',​ ''​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​sendmail-whois-lines',​ '​name',​ '​sshd-ddos'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​sendmail-whois-lines',​ '​chain',​ '​INPUT'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​sendmail-whois-lines',​ '​dest',​ '​django@nausch.org'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​sendmail-whois-lines',​ '​logpath',​ '/​var/​log/​secure'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​sendmail-whois-lines',​ '​sendername',​ '​Fail2Ban'​]
 +['​set',​ '​sshd-ddos',​ '​action',​ '​sendmail-whois-lines',​ '​sender',​ '​fail2ban'​]
 +['​start',​ '​sshd-ddos'​]
 +</​code>​
 +
 +Weiteres Beispiel:
 +Mit dem Aufruf folgender Zeile, kann man einfach den Loglevel verändern:
 +   $ fail2ban-client set loglevel DEBUG
 +
 +   ​Current logging level is '​DEBUG'​
 +
 +So kann jede einzelne Definition aus den Konfigurationsdateien überschrieben werden. Ein erneuter aufruf von ''​fail2ban -d''​ liest dann wieder Konfigurationsdateien ein!
 +
 +Auf zwei Kommandos von fail2ban wollen wir noch kurz ausführlicher eingehen.
 +  - ''​fail2ban-client start''​ \\ Als erstes wird der **fail2ban-server** gestartet; der **fail2ban-client** wartet dann bis die Kommunikation mit dem Server über den UNIX-SOCKET steht. Sobald dieser Kommunikationskanal steht, liest **fail2ban-client** die Konfigurationsdateien ein, parst diese und schockt das Ergebnis als Steuerbefehle zum **fail2ban-server**.
 +  - ''​fail2ban-client reload''​ \\ Der **fail2ban-client** weist als erstes dden **fail2ban-server** an, alle **jails** zu stoppen. Anschließend werden die Konfigurationsdateien eingelesen, verarbeitet und das Ergebnis als Steuerbefehle zum **fail2ban-server** gesendet. Somit kann sehr leicht und einfach die Konfiguration neu geladen werden, ohne den Daemon neu durchstarten zu müssen! \\ Dies ist auch sehr nützlich beim Debuggen des Servers. So ist es möglich, den Server mit ''​fail2ban-server -f''​ in einem Terminal zu starten und in einem weiteren Terminal die Konfiguration mit ''​fail2ban-client reload''​ einzulesen. Somit hat man auf dem ersten terminal, die Ausgaben des **fail2ban-server** und auf dem zweiten die des **fail2ban-client**.
 +
 +Ruf man ''​fail2ban-client status [jail]''​ auf, wird der Status des betrffenden **jail** ausgegeben.
 +   # fail2ban-client status postfix-sasl
 +<​code>​Status for the jail: postfix-sasl
 +|- Filter
 +|  |- Currently failed: 2
 +|  |- Total failed: 41
 +|  `- File list:​ /​var/​log/​maillog
 +`- Actions
 +   |- Currently banned: 1
 +   |- Total banned: 3
 +   `- Banned IP list:​ 203.195.219.103
 +</​code>​
 +
 +Auf Seiten des Paketfilters **iptables** kann man dann die erfogreiche Sperrung der gelisteten IP-Adresse einsehen:
 +   # iptables -nvL
 +<​code>​Chain f2b-postfix-sasl (1 references)
 + pkts bytes target ​    prot opt in     ​out ​    ​source ​              ​destination ​        
 +   ​39 ​ 1972 REJECT ​    ​all ​ --  *      *       ​203.195.219.103 ​     0.0.0.0/​0 ​          ​reject-with icmp-port-unreachable ​
 +50498   15M RETURN ​    ​all ​ --  *      *       ​0.0.0.0/​0 ​           0.0.0.0/0
 +</​code>​
 +
 +Ohne Angabe eines einzelnen **jail** wird der globale Status des Server ausgegeben.
 +   # fail2ban-client status ​
 +<​code>​Status
 +|- Number of jail: 2
 +`- Jail list:​ postfix-sasl,​ sshd-ddos
 +</​code>​
 +
 +Nachfolgend sind alle Befehle des **fail2ban-client** aufgelistet.
 +   # fail2ban-client --help
 +<​code>​Command:​
 +                                             BASIC
 +    start                                    starts the server and the jails
 +    reload ​                                  ​reloads the configuration
 +    reload <​JAIL> ​                           reloads the jail <​JAIL>​
 +    stop                                     stops all jails and terminate the
 +                                             ​server
 +    status ​                                  gets the current status of the
 +                                             ​server
 +    ping                                     tests if the server is alive
 +    help                                     ​return this output
 +
 +                                             ​LOGGING
 +    set loglevel <​LEVEL> ​                    sets logging level to <​LEVEL>​.
 +                                             ​Levels:​ CRITICAL, ERROR, WARNING,
 +                                             ​NOTICE,​ INFO, DEBUG
 +    get loglevel ​                            gets the logging level
 +    set logtarget <​TARGET> ​                  sets logging target to <​TARGET>​.
 +                                             Can be STDOUT, STDERR, SYSLOG or a
 +                                             file
 +    get logtarget ​                           gets logging target
 +    flushlogs ​                               flushes the logtarget if a file
 +                                             and reopens it. For log rotation.
 +
 +                                             ​DATABASE
 +    set dbfile <​FILE> ​                       set the location of fail2ban
 +                                             ​persistent datastore. Set to
 +                                             "​None"​ to disable
 +    get dbfile ​                              get the location of fail2ban
 +                                             ​persistent datastore
 +    set dbpurgeage <​SECONDS> ​                sets the max age in <​SECONDS>​ that
 +                                             ​history of bans will be kept
 +    get dbpurgeage ​                          gets the max age in seconds that
 +                                             ​history of bans will be kept
 +
 +                                             JAIL CONTROL
 +    add <​JAIL>​ <​BACKEND> ​                    ​creates <​JAIL>​ using <​BACKEND>​
 +    start <​JAIL> ​                            ​starts the jail <​JAIL>​
 +    stop <​JAIL> ​                             stops the jail <​JAIL>​. The jail is
 +                                             ​removed
 +    status <​JAIL> ​                           gets the current status of <​JAIL>​
 +
 +                                             JAIL CONFIGURATION
 +    set <​JAIL>​ idle on|off ​                  sets the idle state of <​JAIL>​
 +    set <​JAIL>​ addignoreip <​IP> ​             adds <IP> to the ignore list of
 +                                             <​JAIL>​
 +    set <​JAIL>​ delignoreip <​IP> ​             removes <IP> from the ignore list
 +                                             of <​JAIL>​
 +    set <​JAIL>​ addlogpath <​FILE>​ ['​tail'​] ​   adds <​FILE>​ to the monitoring list
 +                                             of <​JAIL>,​ optionally starting at
 +                                             the '​tail'​ of the file (default
 +                                             '​head'​).
 +    set <​JAIL>​ dellogpath <​FILE> ​            ​removes <​FILE>​ from the monitoring
 +                                             list of <​JAIL>​
 +    set <​JAIL>​ logencoding <​ENCODING> ​       sets the <​ENCODING>​ of the log
 +                                             files for <​JAIL>​
 +    set <​JAIL>​ addjournalmatch <​MATCH> ​      adds <​MATCH>​ to the journal filter
 +                                             of <​JAIL>​
 +    set <​JAIL>​ deljournalmatch <​MATCH> ​      ​removes <​MATCH>​ from the journal
 +                                             ​filter of <​JAIL>​
 +    set <​JAIL>​ addfailregex <​REGEX> ​         adds the regular expression
 +                                             <​REGEX>​ which must match failures
 +                                             for <​JAIL>​
 +    set <​JAIL>​ delfailregex <​INDEX> ​         removes the regular expression at
 +                                             <​INDEX>​ for failregex
 +    set <​JAIL>​ ignorecommand <​VALUE> ​        sets ignorecommand of <​JAIL>​
 +    set <​JAIL>​ addignoreregex <​REGEX> ​       adds the regular expression
 +                                             <​REGEX>​ which should match pattern
 +                                             to exclude for <​JAIL>​
 +    set <​JAIL>​ delignoreregex <​INDEX> ​       removes the regular expression at
 +                                             <​INDEX>​ for ignoreregex
 +    set <​JAIL>​ findtime <​TIME> ​              sets the number of seconds <​TIME>​
 +                                             for which the filter will look
 +                                             back for <​JAIL>​
 +    set <​JAIL>​ bantime <​TIME> ​               sets the number of seconds <​TIME>​
 +                                             a host will be banned for <​JAIL>​
 +    set <​JAIL>​ datepattern <​PATTERN> ​        sets the <​PATTERN>​ used to match
 +                                             ​date/​times for <​JAIL>​
 +    set <​JAIL>​ usedns <​VALUE> ​               sets the usedns mode for <​JAIL>​
 +    set <​JAIL>​ banip <​IP> ​                   manually Ban <IP> for <​JAIL>​
 +    set <​JAIL>​ unbanip <​IP> ​                 manually Unban <IP> in <​JAIL>​
 +    set <​JAIL>​ maxretry <​RETRY> ​             sets the number of failures
 +                                             <​RETRY>​ before banning the host
 +                                             for <​JAIL>​
 +    set <​JAIL>​ maxlines <​LINES> ​             sets the number of <​LINES>​ to
 +                                             ​buffer for regex search for <​JAIL>​
 +    set <​JAIL>​ addaction <​ACT>​[ <​PYTHONFILE>​ <​JSONKWARGS>​]
 +                                             adds a new action named <​NAME>​ for
 +                                             <​JAIL>​. Optionally for a Python
 +                                             based action, a <​PYTHONFILE>​ and
 +                                             <​JSONKWARGS>​ can be specified,
 +                                             else will be a Command Action
 +    set <​JAIL>​ delaction <​ACT> ​              ​removes the action <ACT> from
 +                                             <​JAIL>​
 +
 +                                             ​COMMAND ACTION CONFIGURATION
 +    set <​JAIL>​ action <ACT> actionstart <CMD>
 +                                             sets the start command <CMD> of
 +                                             the action <ACT> for <​JAIL>​
 +    set <​JAIL>​ action <ACT> actionstop <CMD> sets the stop command <CMD> of the
 +                                             ​action <ACT> for <​JAIL>​
 +    set <​JAIL>​ action <ACT> actioncheck <CMD>
 +                                             sets the check command <CMD> of
 +                                             the action <ACT> for <​JAIL>​
 +    set <​JAIL>​ action <ACT> actionban <​CMD> ​ sets the ban command <CMD> of the
 +                                             ​action <ACT> for <​JAIL>​
 +    set <​JAIL>​ action <ACT> actionunban <CMD>
 +                                             sets the unban command <CMD> of
 +                                             the action <ACT> for <​JAIL>​
 +    set <​JAIL>​ action <ACT> timeout <​TIMEOUT>​
 +                                             sets <​TIMEOUT>​ as the command
 +                                             ​timeout in seconds for the action
 +                                             <​ACT>​ for <​JAIL>​
 +
 +                                             ​GENERAL ACTION CONFIGURATION
 +    set <​JAIL>​ action <ACT> <​PROPERTY>​ <​VALUE>​
 +                                             sets the <​VALUE>​ of <​PROPERTY>​ for
 +                                             the action <ACT> for <​JAIL>​
 +    set <​JAIL>​ action <ACT> <​METHOD>​[ <​JSONKWARGS>​]
 +                                             calls the <​METHOD>​ with
 +                                             <​JSONKWARGS>​ for the action <ACT>
 +                                             for <​JAIL>​
 +
 +                                             JAIL INFORMATION
 +    get <​JAIL>​ logpath ​                      gets the list of the monitored
 +                                             files for <​JAIL>​
 +    get <​JAIL>​ logencoding ​                  gets the encoding of the log files
 +                                             for <​JAIL>​
 +    get <​JAIL>​ journalmatch ​                 gets the journal filter match for
 +                                             <​JAIL>​
 +    get <​JAIL>​ ignoreip ​                     gets the list of ignored IP
 +                                             ​addresses for <​JAIL>​
 +    get <​JAIL>​ ignorecommand ​                gets ignorecommand of <​JAIL>​
 +    get <​JAIL>​ failregex ​                    gets the list of regular
 +                                             ​expressions which matches the
 +                                             ​failures for <​JAIL>​
 +    get <​JAIL>​ ignoreregex ​                  gets the list of regular
 +                                             ​expressions which matches patterns
 +                                             to ignore for <​JAIL>​
 +    get <​JAIL>​ findtime ​                     gets the time for which the filter
 +                                             will look back for failures for
 +                                             <​JAIL>​
 +    get <​JAIL>​ bantime ​                      gets the time a host is banned for
 +                                             <​JAIL>​
 +    get <​JAIL>​ datepattern ​                  gets the patern used to match
 +                                             ​date/​times for <​JAIL>​
 +    get <​JAIL>​ usedns ​                       gets the usedns setting for <​JAIL>​
 +    get <​JAIL>​ maxretry ​                     gets the number of failures
 +                                             ​allowed for <​JAIL>​
 +    get <​JAIL>​ maxlines ​                     gets the number of lines to buffer
 +                                             for <​JAIL>​
 +    get <​JAIL>​ actions ​                      gets a list of actions for <​JAIL>​
 +
 +                                             ​COMMAND ACTION INFORMATION
 +    get <​JAIL>​ action <ACT> actionstart ​     gets the start command for the
 +                                             ​action <ACT> for <​JAIL>​
 +    get <​JAIL>​ action <ACT> actionstop ​      gets the stop command for the
 +                                             ​action <ACT> for <​JAIL>​
 +    get <​JAIL>​ action <ACT> actioncheck ​     gets the check command for the
 +                                             ​action <ACT> for <​JAIL>​
 +    get <​JAIL>​ action <ACT> actionban ​       gets the ban command for the
 +                                             ​action <ACT> for <​JAIL>​
 +    get <​JAIL>​ action <ACT> actionunban ​     gets the unban command for the
 +                                             ​action <ACT> for <​JAIL>​
 +    get <​JAIL>​ action <ACT> timeout ​         gets the command timeout in
 +                                             ​seconds for the action <ACT> for
 +                                             <​JAIL>​
 +
 +                                             ​GENERAL ACTION INFORMATION
 +    get <​JAIL>​ actionproperties <​ACT> ​       gets a list of properties for the
 +                                             ​action <ACT> for <​JAIL>​
 +    get <​JAIL>​ actionmethods <​ACT> ​          gets a list of methods for the
 +                                             ​action <ACT> for <​JAIL>​
 +    get <​JAIL>​ action <ACT> <​PROPERTY> ​      gets the value of <​PROPERTY>​ for
 +                                             the action <ACT> for <​JAIL>​
 +
 +Report bugs to https://​github.com/​fail2ban/​fail2ban/​issues
 +</​code>​
 +
 +Weitere nützliche Informationen findet man auf der //​**manpage**//​ von **fail2ban-client**. ​
 +<​code>​FAIL2BAN-CLIENT(1) ​              User Commands ​             FAIL2BAN-CLIENT(1)
 +
 +NAME
 +       ​fail2ban-client - configure and control the server
 +
 +SYNOPSIS
 +       ​fail2ban-client [OPTIONS] <​COMMAND>​
 +
 +DESCRIPTION
 +       ​Fail2Ban ​ v0.9.0 ​ reads  log  file  that  contains ​ password failure report and bans the corresponding IP
 +       ​addresses using firewall rules.
 +
 +OPTIONS
 +       -c <DIR>
 +              configuration directory
 +
 +       -s <​FILE>​
 +              socket path
 +
 +       -p <​FILE>​
 +              pidfile path
 +
 +       ​-d ​    dump configuration. For debugging
 +
 +       ​-i ​    ​interactive mode
 +
 +       ​-v ​    ​increase verbosity
 +
 +       ​-q ​    ​decrease verbosity
 +
 +       ​-x ​    force execution of the server (remove socket file)
 +
 +       -h, --help
 +              display this help message
 +
 +       -V, --version
 +              print the version
 +
 +COMMAND
 +              BASIC
 +
 +       ​start ​ starts the server and the jails
 +
 +       ​reload reloads the configuration
 +
 +       ​reload <​JAIL>​
 +              reloads the jail <​JAIL>​
 +
 +       ​stop ​  stops all jails and terminate the server
 +
 +       ​status gets the current status of the server
 +
 +       ​ping ​  tests if the server is alive
 +
 +       ​help ​  ​return this output
 +
 +              LOGGING
 +
 +       set loglevel <​LEVEL>​
 +              sets logging level to <​LEVEL>​. ​ Levels: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG
 +
 +       get loglevel
 +              gets the logging level
 +
 +       set logtarget <​TARGET>​
 +              sets logging target to <​TARGET>​. ​ Can be STDOUT, STDERR, SYSLOG or a file
 +
 +       get logtarget
 +              gets logging target
 +
 +       ​flushlogs
 +              flushes the logtarget if a file and reopens it. For log rotation.
 +
 +              DATABASE
 +
 +       set dbfile <​FILE>​
 +              set the location of fail2ban persistent datastore. Set to "​None"​ to disable
 +
 +       get dbfile
 +              get the location of fail2ban persistent datastore
 +
 +       set dbpurgeage <​SECONDS>​
 +              sets the max age in <​SECONDS>​ that history of bans will be kept
 +
 +       get dbpurgeage
 +              gets the max age in seconds that history of bans will be kept
 +
 +              JAIL CONTROL
 +
 +       add <​JAIL>​ <​BACKEND>​
 +              creates <​JAIL>​ using <​BACKEND>​
 +
 +       start <​JAIL>​
 +              starts the jail <​JAIL>​
 +
 +       stop <​JAIL>​
 +              stops the jail <​JAIL>​. The jail is removed
 +
 +       ​status <​JAIL>​
 +              gets the current status of <​JAIL>​
 +
 +              JAIL CONFIGURATION
 +
 +       set <​JAIL>​ idle on|off
 +              sets the idle state of <​JAIL>​
 +
 +       set <​JAIL>​ addignoreip <IP>
 +              adds <IP> to the ignore list of <​JAIL>​
 +
 +       set <​JAIL>​ delignoreip <IP>
 +              removes <IP> from the ignore list of <​JAIL>​
 +
 +       set <​JAIL>​ addlogpath <​FILE>​ [’tail’]
 +              adds <​FILE>​ to the monitoring list of <​JAIL>,​ optionally ​ starting ​ at  the  ’tail’ ​ of  the  file
 +              (default ’head’).
 +
 +       set <​JAIL>​ dellogpath <​FILE>​
 +              removes <​FILE>​ from the monitoring list of <​JAIL>​
 +
 +       set <​JAIL>​ logencoding <​ENCODING>​
 +              sets the <​ENCODING>​ of the log files for <​JAIL>​
 +
 +       set <​JAIL>​ addjournalmatch <​MATCH>​
 +              adds <​MATCH>​ to the journal filter of <​JAIL>​
 +
 +       set <​JAIL>​ deljournalmatch <​MATCH>​
 +              removes <​MATCH>​ from the journal filter of <​JAIL>​
 +
 +       set <​JAIL>​ addfailregex <​REGEX>​
 +              adds the regular expression <​REGEX>​ which must match failures for <​JAIL>​
 +
 +       set <​JAIL>​ delfailregex <​INDEX>​
 +              removes the regular expression at <​INDEX>​ for failregex
 +
 +       set <​JAIL>​ ignorecommand <​VALUE>​
 +              sets ignorecommand of <​JAIL>​
 +
 +       set <​JAIL>​ addignoreregex <​REGEX>​
 +              adds the regular expression <​REGEX>​ which should match pattern to exclude for <​JAIL>​
 +
 +       set <​JAIL>​ delignoreregex <​INDEX>​
 +              removes the regular expression at <​INDEX>​ for ignoreregex
 +
 +       set <​JAIL>​ findtime <​TIME>​
 +              sets the number of seconds <​TIME>​ for which the filter will look back for <​JAIL>​
 +
 +       set <​JAIL>​ bantime <​TIME>​
 +              sets the number of seconds <​TIME>​ a host will be banned for <​JAIL>​
 +
 +       set <​JAIL>​ datepattern <​PATTERN>​
 +              sets the <​PATTERN>​ used to match date/times for <​JAIL>​
 +
 +       set <​JAIL>​ usedns <​VALUE>​
 +              sets the usedns mode for <​JAIL>​
 +
 +       set <​JAIL>​ banip <IP>
 +              manually Ban <IP> for <​JAIL>​
 +
 +       set <​JAIL>​ unbanip <IP>
 +              manually Unban <IP> in <​JAIL>​
 +
 +       set <​JAIL>​ maxretry <​RETRY>​
 +              sets the number of failures <​RETRY>​ before banning the host for <​JAIL>​
 +
 +       set <​JAIL>​ maxlines <​LINES>​
 +              sets the number of <​LINES>​ to buffer for regex search for <​JAIL>​
 +
 +              set <​JAIL>​ addaction <​ACT>​[ <​PYTHONFILE>​ <​JSONKWARGS>​]
 +
 +              adds  a  new  action named <​NAME>​ for <​JAIL>​. Optionally for a Python based action, a <​PYTHONFILE>​
 +              and <​JSONKWARGS>​ can be specified, else will be a Command Action
 +
 +       set <​JAIL>​ delaction <ACT>
 +              removes the action <ACT> from <​JAIL>​
 +
 +              COMMAND ACTION CONFIGURATION
 +
 +              set <​JAIL>​ action <ACT> actionstart <CMD>
 +
 +              sets the start command <CMD> of the action <ACT> for <​JAIL>​
 +
 +              set <​JAIL>​ action <ACT> actionstop <CMD> sets the stop command <CMD> of the
 +
 +              action <ACT> for <​JAIL>​
 +
 +              set <​JAIL>​ action <ACT> actioncheck <CMD>
 +
 +              sets the check command <CMD> of the action <ACT> for <​JAIL>​
 +
 +       set <​JAIL>​ action <ACT> actionban <CMD>
 +              sets the ban command <CMD> of the action <ACT> for <​JAIL>​
 +
 +              set <​JAIL>​ action <ACT> actionunban <CMD>
 +
 +              sets the unban command <CMD> of the action <ACT> for <​JAIL>​
 +
 +              set <​JAIL>​ action <ACT> timeout <​TIMEOUT>​
 +
 +              sets <​TIMEOUT>​ as the command timeout in seconds for the action <ACT> for <​JAIL>​
 +
 +              GENERAL ACTION CONFIGURATION
 +
 +              set <​JAIL>​ action <ACT> <​PROPERTY>​ <​VALUE>​
 +
 +              sets the <​VALUE>​ of <​PROPERTY>​ for the action <ACT> for <​JAIL>​
 +
 +              set <​JAIL>​ action <ACT> <​METHOD>​[ <​JSONKWARGS>​]
 +
 +              calls the <​METHOD>​ with <​JSONKWARGS>​ for the action <ACT> for <​JAIL>​
 +
 +              JAIL INFORMATION
 +
 +       get <​JAIL>​ logpath
 +              gets the list of the monitored files for <​JAIL>​
 +
 +       get <​JAIL>​ logencoding
 +              gets the encoding of the log files for <​JAIL>​
 +
 +       get <​JAIL>​ journalmatch
 +              gets the journal filter match for <​JAIL>​
 +
 +       get <​JAIL>​ ignoreip
 +              gets the list of ignored IP addresses for <​JAIL>​
 +
 +       get <​JAIL>​ ignorecommand
 +              gets ignorecommand of <​JAIL>​
 +
 +       get <​JAIL>​ failregex
 +              gets the list of regular expressions which matches the failures for <​JAIL>​
 +
 +       get <​JAIL>​ ignoreregex
 +              gets the list of regular expressions which matches patterns to ignore for <​JAIL>​
 +
 +       get <​JAIL>​ findtime
 +              gets the time for which the filter will look back for failures for <​JAIL>​
 +
 +       get <​JAIL>​ bantime
 +              gets the time a host is banned for <​JAIL>​
 +
 +       get <​JAIL>​ datepattern
 +              gets the patern used to match date/times for <​JAIL>​
 +
 +       get <​JAIL>​ usedns
 +              gets the usedns setting for <​JAIL>​
 +
 +       get <​JAIL>​ maxretry
 +              gets the number of failures allowed for <​JAIL>​
 +
 +       get <​JAIL>​ maxlines
 +              gets the number of lines to buffer for <​JAIL>​
 +
 +       get <​JAIL>​ actions
 +              gets a list of actions for <​JAIL>​
 +
 +              COMMAND ACTION INFORMATION
 +
 +       get <​JAIL>​ action <ACT> actionstart
 +              gets the start command for the action <ACT> for <​JAIL>​
 +
 +       get <​JAIL>​ action <ACT> actionstop
 +              gets the stop command for the action <ACT> for <​JAIL>​
 +
 +       get <​JAIL>​ action <ACT> actioncheck
 +              gets the check command for the action <ACT> for <​JAIL>​
 +
 +       get <​JAIL>​ action <ACT> actionban
 +              gets the unban command for the action <ACT> for <​JAIL>​
 +
 +       get <​JAIL>​ action <ACT> timeout
 +              gets the command timeout in seconds for the action <ACT> for <​JAIL>​
 +
 +              GENERAL ACTION INFORMATION
 +
 +       get <​JAIL>​ actionproperties <ACT>
 +              gets a list of properties for the action <ACT> for <​JAIL>​
 +
 +       get <​JAIL>​ actionmethods <ACT>
 +              gets a list of methods for the action <ACT> for <​JAIL>​
 +
 +       get <​JAIL>​ action <ACT> <​PROPERTY>​
 +              gets the value of <​PROPERTY>​ for the action <ACT> for <​JAIL>​
 +
 +FILES
 +       /​etc/​fail2ban/​*
 +
 +AUTHOR
 +       ​Written by Cyril Jaquier <​cyril.jaquier@fail2ban.org>​. ​  ​Many ​ contributions ​ by  Yaroslav ​ O.  Halchenko
 +       <​debian@onerussian.com>​.
 +
 +REPORTING BUGS
 +       ​Report bugs to https://​github.com/​fail2ban/​fail2ban/​issues
 +
 +COPYRIGHT
 +       ​Copyright © 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
 +       ​Copyright ​ of  modifications ​ held  by  their  respective authors. ​ Licensed under the GNU General Public
 +       ​License v2 (GPL).
 +
 +SEE ALSO
 +       ​fail2ban-server(1) jail.conf(5)
 +
 +fail2ban-client v0.9.0 ​           March 2014                FAIL2BAN-CLIENT(1)
 +</​code>​
 +
 +==== fail2ban-regex ====
 +Mit will fail2ban-regex hat man ein Werkzeug in der Hand um einzelne regex-Ausdrücke in Verbindung mit (s)einen Logdateien testen kann.
 +
 +Beispiel:
 +  * **einzelne Logzeile**: \\ Zum Bewerten der folgenden Logzeile <​code>​Jun 16 12:45:22 vml000080 postfix/​smtpd[21888]:​ warning: unknown[203.195.219.103]:​ SASL LOGIN authentication failed: UGFzc3dvcmQ6</​code>​ ist diese in Anführungszeichen zu setzen! \\ <​code>#​ fail2ban-regex "Jun 16 12:45:22 vml000080 postfix/​smtpd[21888]:​ warning: unknown[203.195.219.103]:​ SASL LOGIN authentication failed: UGFzc3dvcmQ6"​ /​etc/​fail2ban/​filter.d/​postfix-sasl.conf</​code>​ <​code>​Running tests
 +=============
 +
 +Use   ​failregex file : /​etc/​fail2ban/​filter.d/​postfix-sasl.conf
 +Use      single line : Jun 16 12:45:22 vml000080 postfix/​smtpd[21888]:​ wa...
 +
 +
 +Results
 +=======
 +
 +Failregex: 1 total
 +|-  #) [# of hits] regular expression
 +|   1) [1] ^\s*(<​[^.]+\.[^.]+>​)?​\s*(?:​\S+ )?​(?:​kernel:​ \[ *\d+\.\d+\] )?​(?:​@vserver_\S+ )?​(?:​(?:​\[\d+\])?:​\s+[\[\(]?​postfix/​smtpd(?:​\(\S+\))?​[\]\)]?:?​|[\[\(]?​postfix/​smtpd(?:​\(\S+\))?​[\]\)]?:?​(?:​\[\d+\])?:?​)?​\s(?:​\[ID \d+ \S+\])?​\s*warning:​ [-._\w]+\[<​HOST>​\]:​ SASL (?:​LOGIN|PLAIN|(?:​CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/​]*={0,​2})?​\s*$
 +`-
 +
 +Ignoreregex:​ 0 total
 +
 +Date template hits:
 +|- [# of hits] date format
 +|  [1] (?:DAY )?MON Day 24hour:​Minute:​Second(?:​\.Microseconds)?​(?:​ Year)?
 +`-
 +
 +Lines: 1 lines, 0 ignored, 1 matched, 0 missed
 +
 +
 +Running tests
 +=============
 +
 +Use   ​failregex file : /​etc/​fail2ban/​filter.d/​postfix-sasl.conf
 +Use      single line : Jun 16 12:45:22 vml000080 postfix/​smtpd[21888]:​ wa...
 +
 +
 +Results
 +=======
 +
 +Failregex: 1 total
 +|-  #) [# of hits] regular expression
 +|   1) [1] ^\s*(<​[^.]+\.[^.]+>​)?​\s*(?:​\S+ )?​(?:​kernel:​ \[ *\d+\.\d+\] )?​(?:​@vserver_\S+ )?​(?:​(?:​\[\d+\])?:​\s+[\[\(]?​postfix/​smtpd(?:​\(\S+\))?​[\]\)]?:?​|[\[\(]?​postfix/​smtpd(?:​\(\S+\))?​[\]\)]?:?​(?:​\[\d+\])?:?​)?​\s(?:​\[ID \d+ \S+\])?​\s*warning:​ [-._\w]+\[<​HOST>​\]:​ SASL (?:​LOGIN|PLAIN|(?:​CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/​]*={0,​2})?​\s*$
 +`-
 +
 +Ignoreregex:​ 0 total
 +
 +Date template hits:
 +|- [# of hits] date format
 +|  [1] (?:DAY )?MON Day 24hour:​Minute:​Second(?:​\.Microseconds)?​(?:​ Year)?
 +`-
 +
 +Lines: 1 lines, 0 ignored, 1 matched, 0 missed
 +</​code>​
 +  * **ganze Logdatei**: \\ Zum Bewerten einer ganzen Logdatei, wie z.B. **/​var/​log/​maillog** verwendet man folgenden Aufruf. <​code>#​ fail2ban-regex /​var/​log/​maillog /​etc/​fail2ban/​filter.d/​postfix-sasl.conf</​code>​ <​code>​Running tests
 +=============
 +
 +Use   ​failregex file : /​etc/​fail2ban/​filter.d/​postfix-sasl.conf
 +Use         log file : /​var/​log/​maillog
 +Use         ​encoding : UTF-8
 +
 +
 +Results
 +=======
 +
 +Failregex: 43 total
 +|-  #) [# of hits] regular expression
 +|   1) [43] ^\s*(<​[^.]+\.[^.]+>​)?​\s*(?:​\S+ )?​(?:​kernel:​ \[ *\d+\.\d+\] )?​(?:​@vserver_\S+ )?​(?:​(?:​\[\d+\])?:​\s+[\[\(]?​postfix/​smtpd(?:​\(\S+\))?​[\]\)]?:?​|[\[\(]?​postfix/​smtpd(?:​\(\S+\))?​[\]\)]?:?​(?:​\[\d+\])?:?​)?​\s(?:​\[ID \d+ \S+\])?​\s*warning:​ [-._\w]+\[<​HOST>​\]:​ SASL (?:​LOGIN|PLAIN|(?:​CRAM|DIGEST)-MD5) authentication failed(: [ A-Za-z0-9+/​]*={0,​2})?​\s*$
 +`-
 +
 +Ignoreregex:​ 0 total
 +
 +Date template hits:
 +|- [# of hits] date format
 +|  [29628] (?:DAY )?MON Day 24hour:​Minute:​Second(?:​\.Microseconds)?​(?:​ Year)?
 +`-
 +
 +Lines: 29628 lines, 0 ignored, 43 matched, 29585 missed
 +Missed line(s): too many to print. ​ Use --print-all-missed to print all 29585 lines
 +</​code>​
 +
 +Weiterführende Informationen findet man in der **man-üage** von **fail2ban-regex**.
 +
 +<​code>​FAIL2BAN-REGEX(1) ​               User Commands ​              ​FAIL2BAN-REGEX(1)
 +
 +NAME
 +       ​fail2ban-regex - test Fail2ban "​failregex"​ option
 +
 +SYNOPSIS
 +       ​fail2ban-regex [OPTIONS] <LOG> <​REGEX>​ [IGNOREREGEX]
 +
 +DESCRIPTION
 +       ​Fail2Ban ​  ​reads ​ log  file that contains password failure report and bans the corresponding IP addresses
 +       using firewall rules.
 +
 +       This tools can test regular expressions for "​fail2ban"​.
 +
 +   LOG:
 +       ​string a string representing a log line
 +
 +       ​filename
 +              path to a log file (/​var/​log/​auth.log)
 +
 +       "​systemd-journal"​
 +              search systemd journal (systemd-python required)
 +
 +   ​REGEX:​
 +       ​string a string representing a ’failregex’
 +
 +       ​filename
 +              path to a filter file (filter.d/​sshd.conf)
 +
 +   ​IGNOREREGEX:​
 +       ​string a string representing an ’ignoreregex’
 +
 +       ​filename
 +              path to a filter file (filter.d/​sshd.conf)
 +
 +OPTIONS
 +       ​--version
 +              show program’s version number and exit
 +       -h, --help
 +              show this help message and exit
 +
 +       -d DATEPATTERN,​ --datepattern=DATEPATTERN
 +              set custom pattern used to match date/times
 +
 +       -e ENCODING, --encoding=ENCODING
 +              File encoding. Default: system locale
 +
 +       -L MAXLINES, --maxlines=MAXLINES
 +              maxlines for multi-line regex
 +
 +       -m JOURNALMATCH,​ --journalmatch=JOURNALMATCH
 +              journalctl style matches overriding filter file.  "​systemd-journal"​ only
 +
 +       -l LOG_LEVEL, --log-level=LOG_LEVEL
 +              Log level for the Fail2Ban logger to use
 +
 +       -v, --verbose
 +              Be verbose in output
 +
 +       -D, --debuggex
 +              Produce debuggex.com urls for debugging there
 +
 +       ​--print-no-missed
 +              Do not print any missed lines
 +
 +       ​--print-no-ignored
 +              Do not print any ignored lines
 +
 +       ​--print-all-missed
 +              Print all missed lines, no matter how many
 +
 +       ​--print-all-ignored
 +              Print all ignored lines, no matter how many
 +
 +       -t, --log-traceback
 +              Enrich log-messages with compressed tracebacks
 +
 +       ​--full-traceback
 +              Either to make the tracebacks full, not compressed (as by default)
 +
 +AUTHOR
 +       ​Written by Cyril Jaquier <​cyril.jaquier@fail2ban.org>​. ​ Many contributions by Yaroslav O.  Halchenko ​ and
 +       ​Steven Hiscocks.
 +
 +REPORTING BUGS
 +       ​Report bugs to https://​github.com/​fail2ban/​fail2ban/​issues
 +
 +COPYRIGHT
 +       ​Copyright © 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
 +       ​Copyright ​ of  modifications ​ held  by  their  respective authors. ​ Licensed under the GNU General Public
 +       ​License v2 (GPL).
 +
 +SEE ALSO
 +       ​fail2ban-client(1) fail2ban-server(1)
 +
 +fail2ban-regex 0.9.0              March 2014                 ​FAIL2BAN-REGEX(1)
 +</​code>​
 +
 +
 +==== fail2ban-testcases ====
 +Der Form halber gehen wir noch kurz auf die Möglichkeit ein, den Programmcode mit Hilfe von **fail2ban-testcases** zu testen. ​
 +Im normalen Betrieb wird diese Option i.d.R. nicht verwendet und wird z.B. beim Bau des RPM-Paketes aufgerufen. ​
 +Einen sehr ausführlichen Bericht bekommt ein entwickler z.B. bei folgendem Aufruf.
 +   # fail2ban-testcases --no-network --log-level=heavydebug
 +
 +Dem Normalsterblichen wird sich sicherlich keine tiefergehnde information offenbaren. :-P
 +
 +Die einzelnen Optionen von **fail2ban-testcases** kann man mit Aufruf der Option **%%--help%%** abrufen.
 +
 +   # fail2ban-testcases --help
 +<​code>​Usage:​ /​usr/​bin/​fail2ban-testcases [OPTIONS] [regexps]
 +Script to run Fail2Ban tests battery
 +
 +
 +Options:
 +  --version ​            show program'​s version number and exit
 +  -h, --help ​           show this help message and exit
 +  -l LOG_LEVEL, --log-level=LOG_LEVEL
 +                        Log level for the logger to use during running tests
 +  -n, --no-network ​     Do not run tests that require the network
 +  -t, --log-traceback ​  ​Enrich log-messages with compressed tracebacks
 +  --full-traceback ​     Either to make the tracebacks full, not compressed (as
 +                        by default)
 +</​code>​
 +
 +   $ fail2ban-testcases
 +<​code>​Fail2ban 0.9.0 test suite. Python 2.7.5 (default, Jun 17 2014, 18:11:42) [GCC 4.8.2 20140120 (Red Hat 4.8.2-16)]. Please wait...
 +.....................................................................................s.....................................................................................................................................................
 +----------------------------------------------------------------------
 +Ran 235 tests in 91.004s
 +
 +OK (skipped=1)
 +</​code>​
 +
 +
 +
 +===== Grund-Konfiguration =====
 +<WRAP center round tip>
 +Bei der Konfiguration von **fail2ban** wird von Seiten der Entwickler empfohlen, nicht die defaultconfig-Dateien zu bearbeiten, sondern sich lokale Kopieen zu erzeugen. ​
 +Der Maintainer des **RPM**s hat dies schon berücksichtigt und sowohl von der **fail2ban.conf** eine **fail2ban.local** und von der **jail.conf** eine **//​jail.local//​** angelegt.
 +</​WRAP>​
 +
 +==== allg. Einstellungen ====
 +
 +Der Standardpfad für die Konfiguration von **fail2ban** ist //​**/​etc/​fail2ban**//​. Mit der Option **-c** beim straten des **fail2ban-client** kann dieser Pfad gesetzt werde. Bei einer typischen Konfiguration sieht so aus:
 +<​code>/​etc/​fail2ban/​
 +├── action.d
 +│   ​├── apf.conf
 +│   ​├── badips.conf
 +│   ​├── badips.py
 +│   ​├── blocklist_de.conf
 +│   ​├── dshield.conf
 +│   ​├── dummy.conf
 +│   ​├── firewallcmd-ipset.conf
 +│   ​├── firewallcmd-new.conf
 +│   ​├── iptables-allports.conf
 +│   ​├── iptables-blocktype.conf
 +│   ​├── iptables.conf
 +│   ​├── iptables-ipset-proto4.conf
 +│   ​├── iptables-ipset-proto6-allports.conf
 +│   ​├── iptables-ipset-proto6.conf
 +│   ​├── iptables-multiport.conf
 +│   ​├── iptables-multiport-log.conf
 +│   ​├── iptables-new.conf
 +│   ​├── iptables-xt_recent-echo.conf
 +│   ​├── mail.conf
 +│   ​├── mynetwatchman.conf
 +│   ​├── route.conf
 +│   ​├── sendmail-buffered.conf
 +│   ​├── sendmail-common.conf
 +│   ​├── sendmail.conf
 +│   ​├── sendmail-whois.conf
 +│   ​├── sendmail-whois-ipjailmatches.conf
 +│   ​├── sendmail-whois-ipmatches.conf
 +│   ​├── sendmail-whois-lines.conf
 +│   ​├── sendmail-whois-matches.conf
 +│   ​├── smtp.py
 +│   ​├── smtp.pyc
 +│   ​├── smtp.pyo
 +│   ​└── xarf-login-attack.conf
 +├── fail2ban.conf
 +├── fail2ban.d
 +├── fail2ban.local
 +├── filter.d
 +│   ​├── 3proxy.conf
 +│   ​├── apache-auth.conf
 +│   ​├── apache-badbots.conf
 +│   ​├── apache-botsearch.conf
 +│   ​├── apache-common.conf
 +│   ​├── apache-modsecurity.conf
 +│   ​├── apache-nohome.conf
 +│   ​├── apache-noscript.conf
 +│   ​├── apache-overflows.conf
 +│   ​├── assp.conf
 +│   ​├── asterisk.conf
 +│   ​├── common.conf
 +│   ​├── counter-strike.conf
 +│   ​├── courier-auth.conf
 +│   ​├── courier-smtp.conf
 +│   ​├── cyrus-imap.conf
 +│   ​├── dovecot.conf
 +│   ​├── dropbear.conf
 +│   ​├── ejabberd-auth.conf
 +│   ​├── exim-common.conf
 +│   ​├── exim.conf
 +│   ​├── exim-spam.conf
 +│   ​├── freeswitch.conf
 +│   ​├── groupoffice.conf
 +│   ​├── gssftpd.conf
 +│   ​├── guacamole.conf
 +│   ​├── horde.conf
 +│   ​├── kerio.conf
 +│   ​├── lighttpd-auth.conf
 +│   ​├── mysqld-auth.conf
 +│   ​├── nagios.conf
 +│   ​├── named-refused.conf
 +│   ​├── nginx-http-auth.conf
 +│   ​├── nsd.conf
 +│   ​├── openwebmail.conf
 +│   ​├── pam-generic.conf
 +│   ​├── perdition.conf
 +│   ​├── php-url-fopen.conf
 +│   ​├── postfix.conf
 +│   ​├── postfix-sasl.conf
 +│   ​├── proftpd.conf
 +│   ​├── pure-ftpd.conf
 +│   ​├── qmail.conf
 +│   ​├── recidive.conf
 +│   ​├── roundcube-auth.conf
 +│   ​├── selinux-common.conf
 +│   ​├── selinux-ssh.conf
 +│   ​├── sendmail-auth.conf
 +│   ​├── sendmail-reject.conf
 +│   ​├── sieve.conf
 +│   ​├── sogo-auth.conf
 +│   ​├── solid-pop3d.conf
 +│   ​├── squid.conf
 +│   ​├── squirrelmail.conf
 +│   ​├── sshd.conf
 +│   ​├── sshd-ddos.conf
 +│   ​├── stunnel.conf
 +│   ​├── suhosin.conf
 +│   ​├── tine20.conf
 +│   ​├── uwimap-auth.conf
 +│   ​├── vsftpd.conf
 +│   ​├── webmin-auth.conf
 +│   ​├── wuftpd.conf
 +│   ​└── xinetd-fail.conf
 +├── jail.conf
 +├── jail.d
 +├── jail.local
 +├── jail.local.rpmnew
 +├── paths-centos.conf
 +└── paths-common.conf
 +
 +4 directories,​ 104 files
 +</​code>​
 +
 +In der Konfigurationsdatei **fail2ban.local** werden folgende Parameter definiert:
 +
 +^ Option ​         ^ Beschreibung ​                                                                                                                   ^
 +| **loglevel** ​   | Definition des loglevels bei der Ausgabe. ​                                                                                      |
 +| **logtarget** ​  | Definition des Logziels, also z.B. **STDERR** (Konsole), **SYSLOG** oder **/​Pfad/​Datei** zum Schreiben in ein eigenes Logfile. ​ |
 +| **socket** ​     | Definition des UNIX-Sockets über den **fail2ban-client** mit dem **fail2ban-server** kommuniziert. ​                             |
 +| **pidfile** ​    | Definition des PID-Files, in dem die Prozess ID des **fail2ban-servers** gespeichert wird.                                      |
 +| **dbfile** ​     | Definition des Sqlite3-Datenbankfiles,​ in dem fail2ban die persistente Daten speichern soll.                                    |
 +| **dbpurgeage** ​ | Definition der Zeitspanne nach dem alte Daten aus der Datenbank gelöscht werden sollen. (default 86.400 Sekunden = 24 Stunden) ​ |
 +
 +
 +
 +   # cat /​etc/​fail2ban/​fail2ban.local
 +<file bash /​etc/​fail2ban/​fail2ban.local>#​ Fail2Ban main configuration file
 +#
 +# Comments: use '#'​ for comment lines and ';'​ (following a space) for inline comments
 +#
 +# Changes: ​ in most of the cases you should not modify this
 +#           file, but provide customizations in fail2ban.local file, e.g.:
 +#
 +# [Definition]
 +# loglevel = DEBUG
 +#
 +
 +[Definition]
 +
 +# Option: loglevel
 +# Notes.: Set the log level output.
 +#         ​CRITICAL
 +#         ERROR
 +#         ​WARNING
 +#         ​NOTICE
 +#         INFO
 +#         DEBUG
 +# Values: [ LEVEL ]  Default: ERROR
 +#
 +loglevel = INFO
 +
 +# Option: logtarget
 +# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
 +#         Only one log target can be specified.
 +#         If you change logtarget from the default value and you are
 +#         using logrotate -- also adjust or disable rotation in the
 +#         ​corresponding configuration file
 +#         (e.g. /​etc/​logrotate.d/​fail2ban on Debian systems)
 +# Values: [ STDOUT | STDERR | SYSLOG | FILE ]  Default: STDERR
 +#
 +logtarget = /​var/​log/​fail2ban.log
 +
 +# Option: socket
 +# Notes.: Set the socket file. This is used to communicate with the daemon. Do
 +#         not remove this file when Fail2ban runs. It will not be possible to
 +#         ​communicate with the server afterwards.
 +# Values: [ FILE ]  Default: /​var/​run/​fail2ban/​fail2ban.sock
 +#
 +socket = /​var/​run/​fail2ban/​fail2ban.sock
 +
 +# Option: pidfile
 +# Notes.: Set the PID file. This is used to store the process ID of the
 +#         ​fail2ban server.
 +# Values: [ FILE ]  Default: /​var/​run/​fail2ban/​fail2ban.pid
 +#
 +pidfile = /​var/​run/​fail2ban/​fail2ban.pid
 +
 +# Options: dbfile
 +# Notes.: Set the file for the fail2ban persistent data to be stored.
 +#         A value of ":​memory:"​ means database is only stored in memory ​
 +#         and data is lost once fail2ban is stops.
 +#         A value of "​None"​ disables the database.
 +# Values: [ None :memory: FILE ] Default: /​var/​lib/​fail2ban/​fail2ban.sqlite3
 +dbfile = /​var/​lib/​fail2ban/​fail2ban.sqlite3
 +
 +# Options: dbpurgeage
 +# Notes.: Sets age at which bans should be purged from the database
 +# Values: [ SECONDS ] Default: 86400 (24hours)
 +dbpurgeage = 86400
 +</​file>​
 +==== Jails ====
 +Die wichtigste Konfigurationsdatei ist vermutlich **jail.conf** bzw. **jail.local**,​ in der die einzelnen **jail**s definiert werden. In der Datei enthält bereits einige Musterbeispiele vorhanden, die man bei Bedarf einfach aktivieren kann.
 +
 +Am Anfang der **jail.local** wird in der Section **[INCLUDES]** die Datei **paths-centos.conf** eingebunden,​ die die wichtigsten CentOS spezifischen Definitionen (Logdateipfade) enthält.
 +   # vim /​etc/​fail2ban/​paths-centos.conf
 +
 +<file bash etc/​fail2ban/​paths-centos.conf>#​ CentOS
 +
 +[INCLUDES]
 +
 +before = paths-common.conf
 +
 +after  = paths-overrides.local
 +
 +
 +[DEFAULT]
 +
 +syslog_mail = /​var/​log/​maillog
 +
 +syslog_mail_warn = /​var/​log/​maillog
 +
 +syslog_authpriv = /​var/​log/​secure
 +
 +syslog_user =  /​var/​log/​messages
 +
 +syslog_ftp ​ = /​var/​log/​messages
 +
 +syslog_daemon ​ = /​var/​log/​messages
 +
 +syslog_local0 ​ = /​var/​log/​messages
 +
 +
 +apache_error_log = /​var/​log/​httpd/​*error_log
 +
 +apache_access_log = /​var/​log/​httpd/​*access_log
 +
 +# /​etc/​proftpd/​proftpd.conf (ExtendedLog for Anonymous)
 +# proftpd_log = /​var/​log/​proftpd/​auth.log
 +# Tested and it worked out in /​var/​log/​messages so assuming syslog_ftp for now.
 +
 +mysql_log = /​var/​lib/​mysql/​mysqld.log
 +</​file>​
 +
 +Als nächstes finden wir die Definition der Defaultwerte in der Section **[DEFAULT]** in der Konfigurationsdatei **jail.local**. ​
 +
 +   # vim /​etc/​fail2ban/​jail.local
 +<code bash>...
 +
 +# The DEFAULT allows a global definition of the options. They can be overridden
 +# in each jail afterwards.
 +
 +[DEFAULT]
 +
 +#
 +# MISCELLANEOUS OPTIONS
 +#
 +
 +# "​ignoreip"​ can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
 +# ban a host which matches an address in this list. Several addresses can be
 +# defined using space separator.
 +ignoreip = 127.0.0.1/8
 +
 +# External command that will take an tagged arguments to ignore, e.g. <ip>,
 +# and return true if the IP is to be ignored. False otherwise.
 +#
 +# ignorecommand = /​path/​to/​command <ip>
 +ignorecommand =
 +
 +# "​bantime"​ is the number of seconds that a host is banned.
 +bantime ​ = 600
 +
 +# A host is banned if it has generated "​maxretry"​ during the last "​findtime"​
 +# seconds.
 +findtime ​ = 600
 +
 +# "​maxretry"​ is the number of failures before a host get banned.
 +maxretry = 5
 +
 +# "​backend"​ specifies the backend used to get files modification.
 +# Available options are "​pyinotify",​ "​gamin",​ "​polling",​ "​systemd"​ and "​auto"​.
 +# This option can be overridden in each jail as well.
 +#
 +# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
 +#              If pyinotify is not installed, Fail2ban will use auto.
 +# gamin: ​    ​requires Gamin (a file alteration monitor) to be installed.
 +#              If Gamin is not installed, Fail2ban will use auto.
 +# polling: ​  uses a polling algorithm which does not require external libraries.
 +# systemd: ​  uses systemd python library to access the systemd journal.
 +#              Specifying "​logpath"​ is not valid for this backend.
 +#              See "​journalmatch"​ in the jails associated filter config
 +# auto:      will try to use the following backends, in order:
 +#              pyinotify, gamin, polling.
 +backend = auto
 +
 +# "​usedns"​ specifies if jails should trust hostnames in logs,
 +#   warn when DNS lookups are performed, or ignore all hostnames in logs
 +#
 +# yes:   if a hostname is encountered,​ a DNS lookup will be performed.
 +# warn:  if a hostname is encountered,​ a DNS lookup will be performed,
 +#        but it will be logged as a warning.
 +# no:    if a hostname is encountered,​ will not be used for banning,
 +#        but it will be logged as info.
 +usedns = warn
 +
 +# "​logencoding"​ specifies the encoding of the log files handled by the jail
 +#   This is used to decode the lines from the log file.
 +#   ​Typical examples: ​ "​ascii",​ "​utf-8"​
 +#
 +#   ​auto: ​  will use the system locale setting
 +logencoding = auto
 +
 +# "​enabled"​ enables the jails.
 +#  By default all jails are disabled, and it should stay this way.
 +#  Enable only relevant to your setup jails in your .local or jail.d/​*.conf
 +#
 +# true:  jail will be enabled and log files will get monitored for changes
 +# false: jail is not enabled
 +enabled = false
 +
 +
 +# "​filter"​ defines the filter to use by the jail.
 +#  By default jails have names matching their filter name
 +#
 +filter = %(__name__)s
 +
 +...
 +</​code>​
 +
 +Nachfolgende Werte werden vorgegeben und können entweder als neuen Standardwert gesetzt, oder in den einzelnen **jail**s überschrieben werden.
 +
 +^ Option ​            ^ Standardwert ​  ^ Beschreibung ​                                                                                                                                                                    ^
 +| **ignoreip** ​      | 127.0.0.1/​8 ​   | Liste von IP-Adressen oder Netzwerken (mit Kommatas getrennt), die von einem **ban**, also vom Sperren ausgenommen werden sollen. ​                                               |
 +| **ignorecommand** ​ |                | Externer Befehl der bei der Bewertung negativ besetzt werden soll                                                                                                                |
 +| **bantime** ​       |  600           | Zeitspanne in Sekunden, die ein Host gesperrt werden soll                                                                                                                        |
 +| **findtime** ​      ​| ​ 600           | Zeitspanne in Sekunden, in denen das erneute Auffinden einer IP-Adresse überwacht bzw. gewertet wird                                                                             |
 +| **maxretry** ​      ​| ​ 5             | Maximale Anzahl, die definiert, wie oft eine IP-Adresse aufgefunden werden muss, damit die **action** ausgeführt,​ also. z.B. ein Host gesperrt, werden soll.                     |
 +| **backend** ​       |  auto          | Definition des backends dass zur Überwachung der Logdatei in einem **jail** verwendet werden soll.                                                                               |
 +| **usedns** ​        ​| ​ warn          | Festlegung, ob Hostnamen in Logdateien vertraut oder ein NDS-Lokkup gemacht werden soll, oder ob Hostnamen in Logfiles ignoriert werden sollen. ​                                 |
 +| **logencoding** ​   |  auto          | Definition des Zeichensatzes/​Code-Tabelle,​ die beim Überwachen des Logfiles verwendet werden soll.                                                                               |
 +| **enabled** ​       |  false         | Festlegung, ob per se, alle **jail**s in der Konfigurationsdatei aktiviert werden sollen. ​                                                                                       |
 +| **filter** ​        ​| ​ %(__name__)s ​ | Festlegung der **filter**-Namen,​ die bei der **jail**-Konfiguration verwendet werden sollen. Als Standard wird der der Name des **jail** beim zugehörigen **filter** verwendet. ​ |
 +
 +
 +Nachdem wir uns die grundlegenden Konfigurationsparameter angesehen haben, betrachten wir nun an Hand des nachfolgenden Beispiels, wie eine **jail**-Definition genauer ansehen kann.
 +
 +<​code>​[ssh-iptables]
 +#​enabled ​ = false
 +enabled ​ = true
 +filter ​  = sshd
 +action ​  = iptables[name=SSH,​ port=ssh, protocol=tcp]
 +#          mail-whois[name=SSH,​ dest=yourmail@mail.com]
 +#​logpath ​ = /​var/​log/​sshd.log
 +logpath ​ = /​var/​log/​secure
 +maxretry = 5
 +</​code>​
 +
 +Mit diesen Einstellungen wird folgendes festgelegt:
 +  - Der Definitionsbereich **[ssh-iptables]** wird aktiviert.
 +  - Der Filter **sshd.conf** im Unterverzeichnis **filter.d** wird verwendet.
 +  - Die Aktion **iptables.conf** aus dem Unterverzeichnis **action.d** wird ausgeführt,​ sobald der Filter oft genug anschlägt. Die zweite Aktion **mail-whois** wird nicht ausgeführt,​ da diese auskommentiert ist.
 +  - Die Logdatei **/​var/​log/​secure** wird überwacht.
 +  - Wird **5x** der betreffende logeintrag gefunden, werden die definierten **action** ausgeführt.
 +
 +In einem **jail** werden gewöhnlich **filter** und **action** kombiniert. Je **jail** ist nur ein **filter** erlaubt; jedoch können mehrere **action** je **jail** definiert werden. So kann man z.B. bei einem SSH-Einbruchsversuch,​ erst mit Hilfe des iptables-Paketfilters die Quell-IP sperren und dann z.B. via **whois** Informationen des beanstandeten Hosts erfragen und die Daten dann per eMail an den verantwortlichen Admin senden. ​
 +Genauso könnte man "​nur"​ eine eMail versenden, sobald die Seite //​**noaccess.html**//​ auf dem Webserver angesprochen wird.
 +
 +Fail2ban ist nicht nur auf **SSH** beschränkt. **Fail2ban** liefert viele Beispiele an **filter** und**action**,​ die man als Vorlage verwenden kann, bzw. die man aktivieren und erweitern kann. Im Unterverzeichnis **filter.d** sind viele Filter vordefiniert,​ die man dann einfach in der Konfigurationsdatei **jail.local** aktivieren kann.
 +
 +Der Abschnitt **[ssh-ddos]** kann hier als Beispiel dienen, wie man einen **filter**, einfach und schnell aktivieren kann. Die Variable **logpath** ist in jedem Fall, der eigenen Umgebung anzupassen:
 +
 +<​code>​[ssh-ddos]
 +
 +enabled = true
 +port    = ssh,sftp
 +filter ​ = sshd-ddos
 +logpath ​ = /​var/​log/​messages
 +maxretry = 2
 +</​code>​
 +
 +==== Actions ====
 +Im Konfigurationsbereich **ACTIONS** erfolt die Festlegung systemweiter Parameter, die später bei der Definition der einzelnen **jail**s als Variablen verwendet werden, bzw. auch dort überschrieben werden, können.
 +
 +Werfen wir also einen Blick in diesen Bereich der Konfigurationsdatei **jail.local***.
 +   # vim /​etc/​fail2ban/​jail.local
 +
 +<code bash>...
 +
 +#
 +# ACTIONS
 +#
 +
 +# Some options used for actions
 +
 +# Destination email address used solely for the interpolations in
 +# jail.{conf,​local,​d/​*} configuration files.
 +# Django : 2014-06-12
 +# default: destemail = root@localhost
 +destemail = django@nausch.org
 +
 +# Sender email address used solely for some actions
 +# Django : 2014-06-12
 +# default: sender = root@localhost
 +sender = fail2ban@vml000010.dmz.nausch.org
 +
 +# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
 +# mailing. Change mta configuration parameter to mail if you want to
 +# revert to conventional '​mail'​.
 +mta = sendmail
 +
 +# Default protocol
 +protocol = tcp
 +
 +# Specify chain where jumps would need to be added in iptables-* actions
 +chain = INPUT
 +
 +# Ports to be banned
 +# Usually should be overridden in a particular jail
 +port = 0:65535
 +
 +#
 +# Action shortcuts. To be used to define action parameter
 +
 +# Default banning action (e.g. iptables, iptables-new,​
 +# iptables-multiport,​ shorewall, etc) It is used to define
 +# action_* variables. Can be overridden globally or per
 +# section within jail.local file
 +banaction = iptables-multiport
 +
 +# The simplest action to take: ban only
 +action_ = %(banaction)s[name=%(__name__)s,​ port="​%(port)s",​ protocol="​%(protocol)s",​ chain="​%(chain)s"​]
 +
 +# ban & send an e-mail with whois report to the destemail.
 +action_mw = %(banaction)s[name=%(__name__)s,​ port="​%(port)s",​ protocol="​%(protocol)s",​ chain="​%(chain)s"​]
 +            %(mta)s-whois[name=%(__name__)s,​ dest="​%(destemail)s",​ protocol="​%(protocol)s",​ chain="​%(chain)s"​]
 +
 +# ban & send an e-mail with whois report and relevant log lines
 +# to the destemail.
 +action_mwl = %(banaction)s[name=%(__name__)s,​ port="​%(port)s",​ protocol="​%(protocol)s",​ chain="​%(chain)s"​]
 +             ​%(mta)s-whois-lines[name=%(__name__)s,​ dest="​%(destemail)s",​ logpath=%(logpath)s,​ chain="​%(chain)s"​]
 +
 +# See the IMPORTANT note in action.d/​xarf-login-attack for when to use this action
 +#
 +# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
 +# to the destemail.
 +action_xarf = %(banaction)s[name=%(__name__)s,​ port="​%(port)s",​ protocol="​%(protocol)s",​ chain="​%(chain)s"​]
 +             ​xarf-login-attack[service=%(__name__)s,​ sender="​%(sender)s",​ logpath=%(logpath)s,​ port="​%(port)s"​]
 +
 +
 +# Report block via blocklist.de fail2ban reporting service API
 +
 +# See the IMPORTANT note in action.d/​blocklist_de.conf for when to
 +# use this action. Create a file jail.d/​blocklist_de.local containing
 +# [Init]
 +# blocklist_de_apikey = {api key from registration]
 +#
 +action_blocklist_de ​ = blocklist_de[email="​%(sender)s",​ service=%(filter)s,​ apikey="​%(blocklist_de_apikey)s"​]
 +
 +# Report ban via badips.com, and use as blacklist
 +#
 +# See BadIPsAction docstring in config/​action.d/​badips.py for
 +# documentation for this action.
 +#
 +# NOTE: This action relies on banaction being present on start and therefore
 +# should be last action defined for a jail.
 +#
 +action_badips = badips.py[category="​%(name)s",​ banaction="​%(banaction)s"​]
 +
 +# Choose default action. ​ To change, just override value of '​action'​ with the
 +# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
 +# globally (section [DEFAULT]) or per specific section
 +action = %(action_)s
 +
 +...
 +</​code>​
 +
 +Folgende Variablen und Festlegungen werden in dem vorgenannten Abschnitt definiert.
 +
 +^ Option ​        ^ Wert                                ^ Beschreibung ​                                                                                                                     ^
 +| **destemail** ​ |  django@nausch.org ​                 | Empfänger-Adresse an die etwaige Meldungen gesendet werden soll, in unserem Beispiel erhält django@nausch.org diese Nachrichten. ​ |
 +| **sender** ​    ​| ​ fail2ban@vml000010.dmz.nausch.org ​ | Absenderadresse der Status-eMails (mail from)                                                                                     |
 +| **mta** ​       |  sendmail ​                          | Binary, welches zum Verschicken der Statusnachrichten verwendet werden soll. Nicht verwechseln mit dem Mailserver "​sendmail"​! ​    |
 +| **protocol** ​  ​| ​ tcp                                | Default Protokoll ​                                                                                                                |
 +| **chain** ​     |  INPUT                              | Name der iptables-chain in die benötigte Portblockingdefinitionen eingefügt werden sollen ​                                        |
 +| **port** ​      ​| ​ 0:​65535 ​                           | Portbereich,​ der ggf. gesperrt werden soll.                                                                                       |
 +
 +Neben der Definition der Standardparameter werden noch ein paar wichtige **action** definiert, die wir später so bei den einzelnen **jail**s leicht integrieren können.
 +
 +  * **banaction** : \\ //Default banning action//, also der Paketfilter,​ der zum Sperren von Hosts und Services verwendet wird. <​code>​banaction = iptables-multiport</​code>​
 +  * **action_** :  \\ Dies ist die einfachste Variante bei den **actions**,​ denn es wir nur der verursachende Host gesperrt.<​code>​action_ = %(banaction)s[name=%(__name__)s,​ port="​%(port)s",​ protocol="​%(protocol)s",​ chain="​%(chain)s"​]</​code>​
 +  * **action_mw** : \\ Bei dieser **action** wird der Verursacher gesperrt und dem bei **destemail** definiertem Empfänger eine Nachricht mit den whois-Daten des Verursachers geschickt. <​code>​action_mw = %(banaction)s[name=%(__name__)s,​ port="​%(port)s",​ protocol="​%(protocol)s",​ chain="​%(chain)s"​]
 +            %(mta)s-whois[name=%(__name__)s,​ dest="​%(destemail)s",​ protocol="​%(protocol)s",​ chain="​%(chain)s"​]</​code>​
 +  * **action_mwl** : \\ Bei dieser **action** wird der Verursacher gesperrt und dem bei **destemail** definiertem Empfänger eine Nachricht mit den whois-Daten des Verursachers und den fraglichen Logzeilen, bei dem der Filter angeschlagen hatte, geschickt. <​code>​action_mwl = %(banaction)s[name=%(__name__)s,​ port="​%(port)s",​ protocol="​%(protocol)s",​ chain="​%(chain)s"​]
 +             ​%(mta)s-whois-lines[name=%(__name__)s,​ dest="​%(destemail)s",​ logpath=%(logpath)s,​ chain="​%(chain)s"​]</​code>​
 +  * **action_xarf** : \\ Bei dieser **action** wird der Verursacher gesperrt, sowie der Abuse-Adresxse aus dem whois-Daten des Verursachenden Host eine **//xarf eMail//** geschickt. \\ <WRAP center round important>​
 +Bei Verwendung dieser **action** wird auf die Anmerkungen in der **action** Definition **xarf-login_attack** verwiesen.
 +   # less /​etc/​fail2ban/​action.d/​xarf-login-attack.conf
 +<​code>#​ Fail2Ban action for sending xarf Login-Attack messages to IP owner
 +#
 +# IMPORTANT: ​
 +
 +# Emailing a IP owner of abuse is a serious complain. Make sure that it is
 +# serious. Fail2ban developers and network owners recommend you only use this
 +# action for:
 +#   * The recidive where the IP has been banned multiple times
 +#   * Where maxretry has been set quite high, beyond the normal user typing
 +#     ​password incorrectly.
 +#   * For filters that have a low likelyhood of receiving human errors
 +#
 +# DEPENDANCIES:​
 +#
 +# This requires the dig command from bind-utils
 +#
 +# This uses the https://​abusix.com/​contactdb.html to lookup abuse contacts.
 +#
 +# XARF is a specification for sending a formatted response
 +# for non-messaging based abuse including:
 +#
 +# Login-Attack,​ Malware-Attack,​ Fraud (Phishing, etc.), Info DNSBL
 +
 +
 +# See the IMPORTANT note in action.d/​xarf-login-attack for when to use this action
 +#
 +# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
 +# to the destemail.
 +</​code>​
 +
 +</​WRAP>​ Also keinenfalls leichtfertig und unüberlegt diese **action** einsetzen! <​code>​action_xarf = %(banaction)s[name=%(__name__)s,​ port="​%(port)s",​ protocol="​%(protocol)s",​ chain="​%(chain)s"​]
 +             ​xarf-login-attack[service=%(__name__)s,​ sender="​%(sender)s",​ logpath=%(logpath)s,​ port="​%(port)s"​]</​code>​
 +  * **action_blocklist_de** : \\ Melden des blockierten Hosts an //**via blocklist.de**//​ über deren Fail2ban-Reporting-Service-API. <​code>​action_blocklist_de ​ = blocklist_de[email="​%(sender)s",​ service=%(filter)s,​ apikey="​%(blocklist_de_apikey)s"​]</​code>​
 +  * **action_badips** : \\ Bei dieser **action** wird der blockierte Host an //​**badips.com**//​ gemeldet und als blacklist verwendet. <​code>​action_badips = badips.py[category="​%(name)s",​ banaction="​%(banaction)s"​]</​code>​
 +  * **action** : \\ Definition der Default **action**. Dieser wert kann systemweit oder auch je einzelnem **jail** gesetzt werden. <​code>​action = %(action_)s</​code>​
 +
 +
 +==== Filters ====
 +Im Verzeichnis //​**/​etc/​fail2ban/​filter.d**//​ finden sich bereits vorgefertigte,​ für wirklich fast alle Anwendungsfälle praxistaugliche,​ Filterdefinitionen mit regular Expressions.
 +   # ll -alF /​etc/​fail2ban/​filter.d/​
 +
 +<​code>​total 264
 +drwxr-xr-x 2 root root 4096 Jun 17 17:47 ./
 +drwxr-xr-x 6 root root 4096 Jun 17 15:11 ../
 +-rw-r--r-- 1 root root  442 Mar 15 01:18 3proxy.conf
 +-rw-r--r-- 1 root root 3233 Mar 15 01:18 apache-auth.conf
 +-rw-r--r-- 1 root root 2736 Mar 15 01:18 apache-badbots.conf
 +-rw-r--r-- 1 root root 1537 Mar 15 01:18 apache-botsearch.conf
 +-rw-r--r-- 1 root root  813 Mar 15 01:18 apache-common.conf
 +-rw-r--r-- 1 root root  402 Mar 15 01:18 apache-modsecurity.conf
 +-rw-r--r-- 1 root root  596 Mar 15 01:18 apache-nohome.conf
 +-rw-r--r-- 1 root root 1187 Mar 15 01:18 apache-noscript.conf
 +-rw-r--r-- 1 root root 2000 Mar 15 01:18 apache-overflows.conf
 +-rw-r--r-- 1 root root 1156 Mar 15 01:18 assp.conf
 +-rw-r--r-- 1 root root 2270 Mar 15 01:18 asterisk.conf
 +-rw-r--r-- 1 root root 1671 Mar 15 01:18 common.conf
 +-rw-r--r-- 1 root root  238 Mar 15 01:18 counter-strike.conf
 +-rw-r--r-- 1 root root  393 Mar 15 01:18 courier-auth.conf
 +-rw-r--r-- 1 root root  352 Mar 15 01:18 courier-smtp.conf
 +-rw-r--r-- 1 root root  418 Mar 15 01:18 cyrus-imap.conf
 +-rw-r--r-- 1 root root 1440 Mar 15 01:18 dovecot.conf
 +-rw-r--r-- 1 root root 1696 Mar 15 01:18 dropbear.conf
 +-rw-r--r-- 1 root root 1282 Mar 15 01:18 ejabberd-auth.conf
 +-rw-r--r-- 1 root root  403 Mar 15 01:18 exim-common.conf
 +-rw-r--r-- 1 root root 1349 Mar 15 01:18 exim.conf
 +-rw-r--r-- 1 root root 2158 Mar 15 01:18 exim-spam.conf
 +-rw-r--r-- 1 root root  942 Mar 15 01:18 freeswitch.conf
 +-rw-r--r-- 1 root root  223 Mar 15 01:18 groupoffice.conf
 +-rw-r--r-- 1 root root  322 Mar 15 01:18 gssftpd.conf
 +-rw-r--r-- 1 root root  512 Mar 15 01:18 guacamole.conf
 +-rw-r--r-- 1 root root  404 Mar 15 01:18 horde.conf
 +-rw-r--r-- 1 root root  466 Mar 15 01:18 kerio.conf
 +-rw-r--r-- 1 root root  323 Mar 15 01:18 lighttpd-auth.conf
 +-rw-r--r-- 1 root root  886 Mar 15 01:18 mysqld-auth.conf
 +-rw-r--r-- 1 root root  400 Mar 15 01:18 nagios.conf
 +-rw-r--r-- 1 root root 1579 Mar 15 01:18 named-refused.conf
 +-rw-r--r-- 1 root root  422 Mar 15 01:18 nginx-http-auth.conf
 +-rw-r--r-- 1 root root  701 Mar 15 01:18 nsd.conf
 +-rw-r--r-- 1 root root  495 Mar 15 01:18 openwebmail.conf
 +-rw-r--r-- 1 root root  808 Mar 15 01:18 pam-generic.conf
 +-rw-r--r-- 1 root root  568 Mar 15 01:18 perdition.conf
 +-rw-r--r-- 1 root root  834 Mar 15 01:18 php-url-fopen.conf
 +-rw-r--r-- 1 root root  745 Mar 15 01:18 postfix.conf
 +-rw-r--r-- 1 root root  312 Mar 15 01:18 postfix-sasl.conf
 +-rw-r--r-- 1 root root 1054 Mar 15 01:18 proftpd.conf
 +-rw-r--r-- 1 root root 1725 Mar 15 01:18 pure-ftpd.conf
 +-rw-r--r-- 1 root root  795 Mar 15 01:18 qmail.conf
 +-rw-r--r-- 1 root root 1276 Mar 15 01:18 recidive.conf
 +-rw-r--r-- 1 root root  890 Mar 15 01:18 roundcube-auth.conf
 +-rw-r--r-- 1 root root  517 Mar 15 01:18 selinux-common.conf
 +-rw-r--r-- 1 root root  570 Mar 15 01:18 selinux-ssh.conf
 +-rw-r--r-- 1 root root  330 Mar 15 01:18 sendmail-auth.conf
 +-rw-r--r-- 1 root root 2424 Mar 15 01:18 sendmail-reject.conf
 +-rw-r--r-- 1 root root  371 Mar 15 01:18 sieve.conf
 +-rw-r--r-- 1 root root  472 Mar 15 01:18 sogo-auth.conf
 +-rw-r--r-- 1 root root 1093 Mar 15 01:18 solid-pop3d.conf
 +-rw-r--r-- 1 root root  193 Mar 15 01:18 squid.conf
 +-rw-r--r-- 1 root root  185 Mar 15 01:18 squirrelmail.conf
 +-rw-r--r-- 1 root root 2779 Mar 15 01:18 sshd.conf
 +-rw-r--r-- 1 root root  761 Mar 15 01:18 sshd-ddos.conf
 +-rw-r--r-- 1 root root  348 Mar 15 01:18 stunnel.conf
 +-rw-r--r-- 1 root root  645 Mar 15 01:18 suhosin.conf
 +-rw-r--r-- 1 root root  821 Mar 15 01:18 tine20.conf
 +-rw-r--r-- 1 root root  374 Mar 15 01:18 uwimap-auth.conf
 +-rw-r--r-- 1 root root  621 Mar 15 01:18 vsftpd.conf
 +-rw-r--r-- 1 root root  444 Mar 15 01:18 webmin-auth.conf
 +-rw-r--r-- 1 root root  514 Mar 15 01:18 wuftpd.conf
 +-rw-r--r-- 1 root root  503 Mar 15 01:18 xinetd-fail.conf
 +</​code>​
 +
 +Will oder muß man einen eigenen speziellen **__failregex__** Filter bauen, dann muss man dringend nachfolgende Regeln beachten. Man kann sich auch sehr schön an den vielen Beispielen orientieren,​ die dort aufgeführt sind.
 +
 +  - Ein **failregex** kann aus mehreren Zeilen bestehen, von denen dann jede eine einzelne Zeile der Protokolldatei als Übereinstimmung finden kann.
 +  - In jeder Zeile einer **failregex** muss die Ip-Adresse bzw. der Hostname als **(?​P<​host>​ ... )** eingebunden werden (siehe Beispiel in der //​**/​etc/​fail2ban/​filter.d/​common.conf**).
 +//. Die sit eine [[http://​docs.python.org/​library/​re.html|Python spezifische Erweiterung]],​ die, in diesem aufgezeigten Beispiel, der Variable **<​host>​** den Hostname bzw. die IP-Adresse des Angreifers zuweist. Somit ist die IP-Adresse des Angreifers bei jeder regex-Überprüfung bekannt. Andernfalls bricht **fail2ban** mit der Fehlermeldung **__"​No '​host'​ group"​__** ab.
 +  - Der Einfachheit halber kann man den vordefinierten tag **<​HOST>​** in den eigenen **failregex**-Definitionen verwenden. **<​HOST>​** ist ein alias für ''​(?:::​f{4,​6}:​)?​(?​P<​host>​\S+)'',​ was entweder einem Hostnamen oder einer IPv4-Adresse (ggf. in einer IPv6-Adresse eingebettet),​ repräsentiert.
 +  - Im **action** script ​ wird der tag **<​ip>​** mit der IP-Adresse des Hosts besetzt, die im tag**<​host>​** ermittelt wurde.
 +  - Damit eine Log-Zeile von der eigen definierten **failregex** erfasst werden kann, müssen zwei Teile übereinstimmen. Dies ist am Anfang der Logzeile ein auswertbarer Zeitstempel bze. eine regex und der Rest der Zeile mit der eigentlichen **failregex**. Beginnt der **failregex** mit einem **^**-Zeichen als Anker, dann markiert dieser Anker mitt ggf. folgenden Leerzeichgen der Rest der Zeile.
 +  - Wird der Zeitstempel der Logzeile nicht erkannt, wird auch ein Treffer der **failregex** fehlschlagen! Daher wird empfohlen, jede eigene **failregex**-Definition ausführlich zu testen, ob der betreffende Zeotstempel auch erkannt wird. Im Fehlerfall hat man aktuell nur zwei Möglichkeiten. Entweder passt man die Zeitstempel im Logfile des betreffenden Daemon an, damit dieser von **fail2ban** erkannt wird. Im anderen Fall kann man einen Bugreport aufmachen und bitten, dieses besondere Zeitstempel in den nächsten Release von **fail2ban** aufzunehmen.
 +
 +
 +
 +==== Baustelle ====
 +FIXME
 +
 +# service fail2ban start
 +Starting fail2ban: ​                                        ​[ ​ OK  ]
 +
 +# cat /​var/​log/​fail2ban.log
 +2014-06-11 12:​03:​36,​460 fail2ban.server.server[21260]:​ INFO    Changed logging target to /​var/​log/​fail2ban.log for Fail2ban v0.9.0
 +2014-06-11 12:​03:​36,​462 fail2ban.server.database[21260]:​ INFO    Connected to fail2ban persistent database '/​var/​lib/​fail2ban/​fail2ban.sqlite3'​
 +2014-06-11 12:​03:​37,​566 fail2ban.server.database[21260]:​ WARNING New database created. Version '​2'​
 +
 +
 +   # cat /​var/​log/​fail2ban.log ​
 +<​code>​2014-06-11 12:​37:​51,​938 fail2ban.server.server[23574]:​ INFO    Changed logging target to /​var/​log/​fail2ban.log for Fail2ban v0.9.0
 +2014-06-11 12:​37:​51,​940 fail2ban.server.database[23574]:​ INFO    Connected to fail2ban persistent database '/​var/​lib/​fail2ban/​fail2ban.sqlite3'​
 +2014-06-11 12:​37:​51,​944 fail2ban.server.jail[23574]:​ INFO    Creating new jail '​sshd-ddos'​
 +2014-06-11 12:​37:​51,​944 fail2ban.server.jail[23574]:​ INFO    Jail '​sshd-ddos'​ uses poller
 +2014-06-11 12:​37:​52,​006 fail2ban.server.filter[23574]:​ INFO    Set jail log file encoding to UTF-8
 +2014-06-11 12:​37:​52,​006 fail2ban.server.jail[23574]:​ INFO    Initiated '​polling'​ backend
 +2014-06-11 12:​37:​52,​200 fail2ban.server.filter[23574]:​ INFO    Added logfile = /​var/​log/​secure
 +2014-06-11 12:​37:​52,​201 fail2ban.server.filter[23574]:​ INFO    Set maxRetry = 5
 +2014-06-11 12:​37:​52,​202 fail2ban.server.filter[23574]:​ INFO    Set jail log file encoding to UTF-8
 +2014-06-11 12:​37:​52,​203 fail2ban.server.actions[23574]:​ INFO    Set banTime = 600
 +2014-06-11 12:​37:​52,​208 fail2ban.server.filter[23574]:​ INFO    Set findtime = 600
 +2014-06-11 12:​37:​52,​208 fail2ban.server.filter[23574]:​ INFO    Set maxlines = 10
 +2014-06-11 12:​37:​52,​573 fail2ban.server.server[23574]:​ INFO    Jail sshd-ddos is not a JournalFilter instance
 +2014-06-11 12:​37:​52,​592 fail2ban.server.jail[23574]:​ INFO    Creating new jail '​postfix-sasl'​
 +2014-06-11 12:​37:​52,​592 fail2ban.server.jail[23574]:​ INFO    Jail '​postfix-sasl'​ uses poller
 +2014-06-11 12:​37:​52,​593 fail2ban.server.filter[23574]:​ INFO    Set jail log file encoding to UTF-8
 +2014-06-11 12:​37:​52,​594 fail2ban.server.jail[23574]:​ INFO    Initiated '​polling'​ backend
 +2014-06-11 12:​37:​52,​750 fail2ban.server.filter[23574]:​ INFO    Added logfile = /​var/​log/​maillog
 +2014-06-11 12:​37:​52,​751 fail2ban.server.filter[23574]:​ INFO    Set maxRetry = 5
 +2014-06-11 12:​37:​52,​752 fail2ban.server.filter[23574]:​ INFO    Set jail log file encoding to UTF-8
 +2014-06-11 12:​37:​52,​753 fail2ban.server.actions[23574]:​ INFO    Set banTime = 600
 +2014-06-11 12:​37:​52,​757 fail2ban.server.filter[23574]:​ INFO    Set findtime = 600
 +2014-06-11 12:​37:​52,​818 fail2ban.server.jail[23574]:​ INFO    Jail '​sshd-ddos'​ started
 +2014-06-11 12:​37:​52,​848 fail2ban.server.jail[23574]:​ INFO    Jail '​postfix-sasl'​ started
 +</​code>​
 +
 +
 +   # service fail2ban status
 +<​code>​fail2ban-server (pid  23574) is running...
 +Status
 +|- Number of jail: 2
 +`- Jail list:​ postfix-sasl,​ sshd-ddos
 +</​code>​
 +
 +
 +   # iptables -nvL f2b-sasl
 +<​code>​Chain f2b-sasl (1 references)
 + pkts bytes target ​    prot opt in     ​out ​    ​source ​              ​destination ​        
 +   ​13 ​  556 REJECT ​    ​all ​ --  *      *       ​202.191.206.242 ​     0.0.0.0/​0 ​          ​reject-with icmp-port-unreachable ​
 + ​1265 ​ 194K RETURN ​    ​all ​ --  *      *       ​0.0.0.0/​0 ​           0.0.0.0/0
 +</​code>​
 +
 +
 +
 +
 +===== Programmstart =====
 +
 +==== erster manueller Start ====
 +In RPM wird uns ein Startupscript mitgeliefert - über dieses starten wir unseren SMTP-Server.
 +
 +   # service fail2ban start
 +
 +   ​Starting fail2ban: ​                                        ​[ ​ OK  ]
 +
 +Im eigenen Logfile von fail2ban wird auch der Start entsprechend dokumentiert.
 +    # less /​var/​log/​fail2ban.log
 +
 +<​code>​2014-06-14 00:​12:​19,​028 fail2ban.server.server[11950]:​ INFO    Changed logging target to /​var/​log/​fail2ban.log for Fail2ban v0.9.0
 +2014-06-14 00:​12:​19,​029 fail2ban.server.database[11950]:​ INFO    Connected to fail2ban persistent database '/​var/​lib/​fail2ban/​fail2ban.sqlite3'​
 +2014-06-14 00:​12:​19,​260 fail2ban.server.jail[11950]:​ INFO    Creating new jail '​dovecot'​
 +2014-06-14 00:​12:​19,​261 fail2ban.server.jail[11950]:​ INFO    Jail '​dovecot'​ uses poller
 +2014-06-14 00:​12:​19,​291 fail2ban.server.filter[11950]:​ INFO    Set jail log file encoding to UTF-8
 +2014-06-14 00:​12:​19,​292 fail2ban.server.jail[11950]:​ INFO    Initiated '​polling'​ backend
 +2014-06-14 00:​12:​19,​612 fail2ban.server.filter[11950]:​ INFO    Added logfile = /​var/​log/​maillog
 +2014-06-14 00:​12:​19,​613 fail2ban.server.filter[11950]:​ INFO    Set maxRetry = 5
 +2014-06-14 00:​12:​19,​616 fail2ban.server.filter[11950]:​ INFO    Set jail log file encoding to UTF-8
 +2014-06-14 00:​12:​19,​616 fail2ban.server.actions[11950]:​ INFO    Set banTime = 600
 +2014-06-14 00:​12:​19,​618 fail2ban.server.filter[11950]:​ INFO    Set findtime = 600
 +2014-06-14 00:​12:​19,​643 fail2ban.server.server[11950]:​ INFO    Jail dovecot is not a JournalFilter instance
 +2014-06-14 00:​12:​19,​657 fail2ban.server.jail[11950]:​ INFO    Creating new jail '​sshd-ddos'​
 +2014-06-14 00:​12:​19,​657 fail2ban.server.jail[11950]:​ INFO    Jail '​sshd-ddos'​ uses poller
 +2014-06-14 00:​12:​19,​658 fail2ban.server.filter[11950]:​ INFO    Set jail log file encoding to UTF-8
 +2014-06-14 00:​12:​19,​659 fail2ban.server.jail[11950]:​ INFO    Initiated '​polling'​ backend
 +2014-06-14 00:​12:​20,​001 fail2ban.server.filter[11950]:​ INFO    Added logfile = /​var/​log/​secure
 +2014-06-14 00:​12:​20,​003 fail2ban.server.filter[11950]:​ INFO    Set maxRetry = 5
 +2014-06-14 00:​12:​20,​004 fail2ban.server.filter[11950]:​ INFO    Set jail log file encoding to UTF-8
 +2014-06-14 00:​12:​20,​005 fail2ban.server.actions[11950]:​ INFO    Set banTime = 600
 +2014-06-14 00:​12:​20,​006 fail2ban.server.filter[11950]:​ INFO    Set findtime = 600
 +2014-06-14 00:​12:​20,​007 fail2ban.server.filter[11950]:​ INFO    Set maxlines = 10
 +2014-06-14 00:​12:​20,​221 fail2ban.server.server[11950]:​ INFO    Jail sshd-ddos is not a JournalFilter instance
 +2014-06-14 00:​12:​20,​235 fail2ban.server.jail[11950]:​ INFO    Creating new jail '​sieve'​
 +2014-06-14 00:​12:​20,​235 fail2ban.server.jail[11950]:​ INFO    Jail '​sieve'​ uses poller
 +2014-06-14 00:​12:​20,​237 fail2ban.server.filter[11950]:​ INFO    Set jail log file encoding to UTF-8
 +2014-06-14 00:​12:​20,​237 fail2ban.server.jail[11950]:​ INFO    Initiated '​polling'​ backend
 +2014-06-14 00:​12:​20,​485 fail2ban.server.filter[11950]:​ INFO    Added logfile = /​var/​log/​maillog
 +2014-06-14 00:​12:​20,​486 fail2ban.server.filter[11950]:​ INFO    Set maxRetry = 5
 +2014-06-14 00:​12:​20,​487 fail2ban.server.filter[11950]:​ INFO    Set jail log file encoding to UTF-8
 +2014-06-14 00:​12:​20,​488 fail2ban.server.actions[11950]:​ INFO    Set banTime = 600
 +2014-06-14 00:​12:​20,​489 fail2ban.server.filter[11950]:​ INFO    Set findtime = 600
 +2014-06-14 00:​12:​20,​507 fail2ban.server.jail[11950]:​ INFO    Creating new jail '​postfix-sasl'​
 +2014-06-14 00:​12:​20,​507 fail2ban.server.jail[11950]:​ INFO    Jail '​postfix-sasl'​ uses poller
 +2014-06-14 00:​12:​20,​508 fail2ban.server.filter[11950]:​ INFO    Set jail log file encoding to UTF-8
 +2014-06-14 00:​12:​20,​509 fail2ban.server.jail[11950]:​ INFO    Initiated '​polling'​ backend
 +2014-06-14 00:​12:​20,​660 fail2ban.server.filter[11950]:​ INFO    Added logfile = /​var/​log/​maillog
 +2014-06-14 00:​12:​20,​661 fail2ban.server.filter[11950]:​ INFO    Set maxRetry = 5
 +2014-06-14 00:​12:​20,​662 fail2ban.server.filter[11950]:​ INFO    Set jail log file encoding to UTF-8
 +2014-06-14 00:​12:​20,​663 fail2ban.server.actions[11950]:​ INFO    Set banTime = 600
 +2014-06-14 00:​12:​20,​664 fail2ban.server.filter[11950]:​ INFO    Set findtime = 600
 +2014-06-14 00:​12:​20,​695 fail2ban.server.jail[11950]:​ INFO    Jail '​dovecot'​ started
 +2014-06-14 00:​12:​20,​752 fail2ban.server.jail[11950]:​ INFO    Jail '​sshd-ddos'​ started
 +2014-06-14 00:​12:​20,​775 fail2ban.server.jail[11950]:​ INFO    Jail '​sieve'​ started
 +2014-06-14 00:​12:​20,​864 fail2ban.server.jail[11950]:​ INFO    Jail '​postfix-sasl'​ started
 +</​code>​
 +
 +==== automatisches Starten des Dienste beim Systemstart ====
 +Damit nun unser SMTP-Mailserver beim Booten automatisch gestartet wird, nehmen wir noch folgende Konfigurationsschritte vor.
 +   # chkconfig fail2ban on
 +Anschließend überprüfen wir noch unsere Änderung:
 +   # chkconfig --list | grep fail2ban
 +
 +   ​fail2ban ​       0:off   ​1:​off ​  ​2:​on ​   3:on    4:on    5:on    6:off
 +
 +
 +===== Problembehandlung =====
 +
 +<WRAP center round important>​
 +**Wichtig** Damit beim Starten des Daemon keine Warnmeldung,​ wie z.B. <​code>​Starting fail2ban: WARNING '​ignoreregex'​ not defined in '​Definition'​. Using default one: ''</​code>​ ist bei allen aktivierten Filtern zu prüfen, ob dort ein <​code>​ignoreregex =</​code>​ enthalten ist. Bei Bedarf, also einfach nachtragen!
 +</​WRAP>​
 +
 +===== erweiterte Konfiguration =====
 +==== Konfigurationsbeispiel ====
 +<WRAP center round info> \\
 +Zur Zeit scheint es von irgendwelchen Spielkindern sehr beliebt zu sein, wahllos igendwelche Dateien bei (m)einer Dokuwiki-Installation anzufordern. \\ Diesen Scriptkiddies wollen wir doch gleich mal mit Hilfe von **fail2ban** ein wenig auf die Sprünge helfen.
 +</​WRAP>​
 +
 +Als Praxisbeispiel werden wir nun die gerade angesprochenen Spielkindern eine besondere Behandlung angedeihen lassen.
 +  - **Log-Einträge** \\ Als erstes schauen wir uns mal an, wie diese abnormen Anfragen //Negativ aufgefallen sind//. Dazu werfen wir einen Blick in das betreffende Error-Logfile unseres Webservers. <​code>​ # less /​var/​log/​httpd/​kunde_1408/​web_error.log>​ <​code>​[Wed Jun 18 09:17:24 2014] [error] [client 80.72.40.41] File does not exist: /​var/​www/​dokuwiki/​nyet.gif
 +[Wed Jun 18 09:17:24 2014] [error] [client 80.72.40.41] File does not exist: /​var/​www/​dokuwiki/​components
 +[Wed Jun 18 09:17:24 2014] [error] [client 80.72.40.41] File does not exist: /​var/​www/​dokuwiki/​administrator
 +[Wed Jun 18 09:17:24 2014] [error] [client 80.72.40.41] File does not exist: /​var/​www/​dokuwiki/​components
 +[Wed Jun 18 09:17:24 2014] [error] [client 80.72.40.41] File does not exist: /​var/​www/​dokuwiki/​components
 +[Wed Jun 18 09:17:25 2014] [error] [client 80.72.40.41] File does not exist: /​var/​www/​dokuwiki/​components
 +[Wed Jun 18 09:17:25 2014] [error] [client 80.72.40.41] File does not exist: /​var/​www/​dokuwiki/​cs-CZ
 +[Wed Jun 18 09:17:25 2014] [error] [client 80.72.40.41] File does not exist: /​var/​www/​dokuwiki/​cs-CZ </​code>​ Wir haben also in dem Logfile folgende drei Werte: \\ **-** Datum \\ **-** Verursacher Quell-Host-IP \\ **-** ''​File does not exist: /​var/​www/​dokuwiki/''​
 +  - **failregex ermitteln** \\ Aus den wiederkehrenden Meldungen im Logfile können wir nun eine **failregex** ableiten, die wie folgt aussehen kann: <​code>'​\[error\].\[client.<​HOST>​\].*File.does.not.exist'</​code>​
 +  - **failregex testen** \\ Nachdem wir die **failregex** definiert haben, können wir diese schon mal testen. <​code>​ # fail2ban-regex "[Tue Jun 17 08:11:01 2014] [error] [client 195.191.24.12] File does not exist: /​var/​www/​dokuwiki/​components"​ '​\[error\].\[client.<​HOST>​\].*File.does.not.exist:'</​code>​ <​code>​Running tests
 +=============
 +
 +Use   ​failregex line : \[error\].\[client.<​HOST>​\].*File.does.not.exist:​
 +Use      single line : [Tue Jun 17 08:11:01 2014] [error] [client 195.191...
 +
 +
 +Results
 +=======
 +
 +Failregex: 1 total
 +|-  #) [# of hits] regular expression
 +|   1) [1] \[error\].\[client.<​HOST>​\].*File.does.not.exist:​
 +`-
 +
 +Ignoreregex:​ 0 total
 +
 +Date template hits:
 +|- [# of hits] date format
 +|  [1] (?:DAY )?MON Day 24hour:​Minute:​Second(?:​\.Microseconds)?​(?:​ Year)?
 +`-
 +
 +Lines: 1 lines, 0 ignored, 1 matched, 0 missed
 +</​code>​ Nachdem der Test positiv ausfiel, können wir noch einen zweiten Test, gegen die Logdatei selbst vornehmen.<​code>​ # fail2ban-regex /​var/​log/​httpd/​kunde_1408/​web_error.log '​\[error\].\[client.<​HOST>​\].*File.does.not.exist:'​ </​code>​ <​code>​Running tests
 +=============
 +
 +Use   ​failregex line : \[error\].\[client.<​HOST>​\].*File.does.not.exist:​
 +Use         log file : /​var/​log/​httpd/​kunde_1408/​web_error.log
 +Use         ​encoding : UTF-8
 +
 +
 +Results
 +=======
 +
 +Failregex: 961 total
 +|-  #) [# of hits] regular expression
 +|   1) [961] \[error\].\[client.<​HOST>​\].*File.does.not.exist:​
 +`-
 +
 +Ignoreregex:​ 0 total
 +
 +Date template hits:
 +|- [# of hits] date format
 +|  [2043] (?:DAY )?MON Day 24hour:​Minute:​Second(?:​\.Microseconds)?​(?:​ Year)?
 +`-
 +
 +Lines: 2043 lines, 0 ignored, 961 matched, 1082 missed
 +Missed line(s): too many to print. ​ Use --print-all-missed to print all 1082 lines
 +</​code>​
 +  - **Filter definieren** \\ Als nächstes definieren wir uns unseren Filter. <​code>​ # vim /​etc/​fail2ban/​filter.d/​apache-dw-nofile.conf</​code>​ <​code>#​ Django : 2014-06-18
 +# Fail2Ban Filter zum Ermitteln von Web-Anfragen auf viele unbekannte Dateien bei
 +# unserem Apache Webserver.
 +
 +# Zur Zeit scheint es von irgendwelchen Spielkindern sehr beliebt zu sein, wahllos ​
 +# igendwelche Dateien bei (m)einer Dokuwiki-Installation anzufordern. Diesen ​
 +# Scriptkiddies wollen wir mit Hilfe von **fail2ban** ein wenig auf die Sprünge ​
 +# helfen.
 +
 +[INCLUDES]
 +
 +before = common.conf
 +
 +[Definition]
 +
 +failregex = \[error\].\[client.<​HOST>​\].*File.does.not.exist:​
 +
 +ignoreregex = \[error\].\[client.<​HOST>​\].*File.does.not.exist:​.robots.txt
 +
 +# Author: Django <​django@nausch.org>​
 +</​code>​
 +  - **Filter testen** \\ Um sicherzustellen,​ dass der gerade angelegte Filter auch zuschlägt wiederholen wir den Test mit **fail2ban-regex**. <​code>#​ fail2ban-regex /​var/​log/​httpd/​kunde_1408/​web_error.log /​etc/​fail2ban/​filter.d/​apache-dw-nofile.conf</​code>​ <​code><​code>​Running tests
 +=============
 +
 +Use   ​failregex line : \[error\].\[client.<​HOST>​\].*File.does.not.exist:​
 +Use         log file : /​var/​log/​httpd/​kunde_1408/​web_error.log
 +Use         ​encoding : UTF-8
 +
 +
 +Results
 +=======
 +
 +Failregex: 961 total
 +|-  #) [# of hits] regular expression
 +|   1) [961] \[error\].\[client.<​HOST>​\].*File.does.not.exist:​
 +`-
 +
 +Ignoreregex:​ 0 total
 +
 +Date template hits:
 +|- [# of hits] date format
 +|  [2043] (?:DAY )?MON Day 24hour:​Minute:​Second(?:​\.Microseconds)?​(?:​ Year)?
 +`-
 +
 +Lines: 2043 lines, 0 ignored, 961 matched, 1082 missed
 +Missed line(s): too many to print. ​ Use --print-all-missed to print all 1082 lines
 +</​code>​ Auch dieser Test hat funktioniert,​ wir können also daran schon mal einen :OK: machen.
 +  - **Jail definieren** \\ Passend zu unserem **Filter** benötigen wir nun noch ein **jail** in dem wir dann festlegen, was passieren soll, wenn dieser Filter zugeschlagen hat. <​code>​ # vim /​etc/​fail2ban/​jail.local</​code>​ <​code>​ ...
 +
 +[apache-dw-nofile]
 +enabled = true
 +port    = http,https
 +action ​ = %(action_mwl)s
 +logpath = /​var/​log/​httpd/​kunde_1408/​web_error.log
 +findtime ​ = 60
 +maxretry = 3
 +bantime ​ = 3600
 +
 +...
 +</​code>​ Mit dieser **jail** Definition haben wir festgelegt, dass die **action //​action_mwl//​** ausgeführt werden soll, wenn der **filer //​apache-dw-nofile//​** innerhalb von 1 Minute 3x anschlägt. In diesem Fall wird der Host für 1 Stunde ausgesperrt.
 +  - **Konfiguration testen** \\ Bevor wir den neuen Filter scharf schalten, testen wir noch kurz unsere Konfigurationsänderungen.<​code>​ # fail2ban-client -d</​code>​ <​code>​['​set',​ '​logtarget',​ '/​var/​log/​fail2ban.log'​]
 +['​set',​ '​loglevel',​ '​INFO'​]
 +['​set',​ '​dbpurgeage',​ 86400]
 +['​set',​ '​dbfile',​ '/​var/​lib/​fail2ban/​fail2ban.sqlite3'​]
 +['​add',​ '​apache-dw-nofile',​ '​auto'​]
 +['​set',​ '​apache-dw-nofile',​ '​usedns',​ '​warn'​]
 +['​set',​ '​apache-dw-nofile',​ '​addlogpath',​ '/​var/​log/​httpd/​kunde_1408/​web_error.log',​ '​head'​]
 +['​set',​ '​apache-dw-nofile',​ '​maxretry',​ 3]
 +['​set',​ '​apache-dw-nofile',​ '​addignoreip',​ '​127.0.0.1/​8'​]
 +['​set',​ '​apache-dw-nofile',​ '​logencoding',​ '​auto'​]
 +['​set',​ '​apache-dw-nofile',​ '​bantime',​ 3600]
 +['​set',​ '​apache-dw-nofile',​ '​ignorecommand',​ ''​]
 +['​set',​ '​apache-dw-nofile',​ '​findtime',​ 60]
 +['​set',​ '​apache-dw-nofile',​ '​addfailregex',​ '​\\[error\\].\\[client.<​HOST>​\\].*File.does.not.exist:'​]
 +['​set',​ '​apache-dw-nofile',​ '​addignoreregex',​ '​\\[error\\].\\[client.<​HOST>​\\].*File.does.not.exist:​.robots.txt'​]
 +['​set',​ '​apache-dw-nofile',​ '​addaction',​ '​iptables-multiport'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​iptables-multiport',​ '​actionban',​ '​iptables -I f2b-<​name>​ 1 -s <ip> -j <​blocktype>​\n#​ Django : 2014-04-16\n#​ reporting only 4 badips.com\nwget -q -0 /dev/null www.badips.com/​add/<​name>/<​ip>'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​iptables-multiport',​ '​actionstop',​ '​iptables -D <​chain>​ -p <​protocol>​ -m multiport --dports <​port>​ -j f2b-<​name>​\niptables -F f2b-<​name>​\niptables -X f2b-<​name>'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​iptables-multiport',​ '​actionstart',​ '​iptables -N f2b-<​name>​\niptables -A f2b-<​name>​ -j RETURN\niptables -I <​chain>​ -p <​protocol>​ -m multiport --dports <​port>​ -j f2b-<​name>'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​iptables-multiport',​ '​actionunban',​ '​iptables -D f2b-<​name>​ -s <ip> -j <​blocktype>'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​iptables-multiport',​ '​actioncheck',​ "​iptables -n -L <​chain>​ | grep -q '​f2b-<​name>​[ \\t]'"​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​iptables-multiport',​ '​blocktype',​ '​REJECT --reject-with icmp-port-unreachable'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​iptables-multiport',​ '​protocol',​ '​tcp'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​iptables-multiport',​ '​name',​ '​apache-dw-nofile'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​iptables-multiport',​ '​chain',​ '​INPUT'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​iptables-multiport',​ '​port',​ '​http,​https'​]
 +['​set',​ '​apache-dw-nofile',​ '​addaction',​ '​sendmail-whois-lines'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​sendmail-whois-lines',​ '​actionban',​ '​printf %b "​Subject:​ [Fail2Ban] <​name>:​ banned <ip> from `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"​`\nFrom:​ <​sendername>​ <<​sender>>​\nTo:​ <​dest>​\\n\nHi,​\\n\nThe IP <ip> has just been banned by Fail2Ban after\n<​failures>​ attempts against <​name>​.\\n\\n\nHere is more information about <​ip>:​\\n\n`/​usr/​bin/​whois <ip> || echo missing whois program`\\n\\n\nLines containing IP:<​ip>​ in <​logpath>​\\n\n`grep \'​[^0-9]<​ip>​[^0-9]\'​ <​logpath>​`\\n\\n\nRegards,​\\n\nFail2Ban"​ | /​usr/​sbin/​sendmail -f <​sender>​ <​dest>'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​sendmail-whois-lines',​ '​actionstop',​ '​printf %b "​Subject:​ [Fail2Ban] <​name>:​ stopped on `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"​`\nFrom:​ <​sendername>​ <<​sender>>​\nTo:​ <​dest>​\\n\nHi,​\\n\nThe jail <​name>​ has been stopped.\\n\nRegards,​\\n\nFail2Ban"​ | /​usr/​sbin/​sendmail -f <​sender>​ <​dest>'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​sendmail-whois-lines',​ '​actionstart',​ '​printf %b "​Subject:​ [Fail2Ban] <​name>:​ started on `uname -n`\nDate: `LC_TIME=C date -u +"%a, %d %h %Y %T +0000"​`\nFrom:​ <​sendername>​ <<​sender>>​\nTo:​ <​dest>​\\n\nHi,​\\n\nThe jail <​name>​ has been started successfully.\\n\nRegards,​\\n\nFail2Ban"​ | /​usr/​sbin/​sendmail -f <​sender>​ <​dest>'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​sendmail-whois-lines',​ '​actionunban',​ ''​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​sendmail-whois-lines',​ '​actioncheck',​ ''​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​sendmail-whois-lines',​ '​name',​ '​apache-dw-nofile'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​sendmail-whois-lines',​ '​chain',​ '​INPUT'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​sendmail-whois-lines',​ '​dest',​ '​f2b-reports@nausch.org'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​sendmail-whois-lines',​ '​logpath',​ '/​var/​log/​httpd/​kunde_1408/​web_error.log'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​sendmail-whois-lines',​ '​sendername',​ '​Fail2Ban'​]
 +['​set',​ '​apache-dw-nofile',​ '​action',​ '​sendmail-whois-lines',​ '​sender',​ '​fail2ban'​]
 +['​start',​ '​apache-dw-nofile'​]
 +</​code>​ Nun steht nichts mehr im Weg und wir können unsere Konfiguration aktivieren.<​code>​ # service fail2ban restart</​code>​ <​code>​Stopping fail2ban: ​                                        ​[ ​ OK  ]
 +Starting fail2ban: ​                                        ​[ ​ OK  ]
 +</​code>​
 +
 +Schon nach kurzer Zeit werden wir nun nichtr mehr so belästigt, wie früher.
 +   # iptables -nvL
 +<​code>​...
 +
 +Chain f2b-apache-dw-nofile (1 references)
 + pkts bytes target ​    prot opt in     ​out ​    ​source ​              ​destination ​        
 +    0     0 REJECT ​    ​all ​ --  *      *       ​31.186.170.148 ​      ​0.0.0.0/​0 ​          ​reject-with icmp-port-unreachable ​
 +    0     0 REJECT ​    ​all ​ --  *      *       ​46.32.252.31 ​        ​0.0.0.0/​0 ​          ​reject-with icmp-port-unreachable ​
 +    0     0 REJECT ​    ​all ​ --  *      *       ​91.206.200.218 ​      ​0.0.0.0/​0 ​          ​reject-with icmp-port-unreachable ​
 +    0     0 REJECT ​    ​all ​ --  *      *       ​184.107.58.119 ​      ​0.0.0.0/​0 ​          ​reject-with icmp-port-unreachable ​
 +    0     0 REJECT ​    ​all ​ --  *      *       ​37.58.149.98 ​        ​0.0.0.0/​0 ​          ​reject-with icmp-port-unreachable ​
 +    0     0 REJECT ​    ​all ​ --  *      *       ​70.38.11.12 ​         0.0.0.0/​0 ​          ​reject-with icmp-port-unreachable ​
 +    0     0 REJECT ​    ​all ​ --  *      *       ​91.185.212.8 ​        ​0.0.0.0/​0 ​          ​reject-with icmp-port-unreachable ​
 +    0     0 REJECT ​    ​all ​ --  *      *       ​80.172.225.139 ​      ​0.0.0.0/​0 ​          ​reject-with icmp-port-unreachable
 +</​code>​
 +
 +==== blacklist.de ====
 +
 +==== badips.com ====
 +
 +====== Links ======
 +  * **[[wiki:​start|Zurück zu Projekte und Themenkapitel]]**
 +  * **[[http://​dokuwiki.nausch.org/​doku.php/​|Zurück zur Startseite]]**
 +