solved - fail2ban problem w/ apache logfiles?

  • Quote


    I can not confirm that.
    Works without problems.


    same kernel version?


    If I start with all apache filters enabled I found this in the log:

    Code
    2014-07-01 10:14:04,676 fail2ban.jail : INFO Creating new jail 'apache'
    2014-07-01 10:14:04,677 fail2ban.jail : INFO Jail 'apache' uses Gamin


    and the F2B start command hangs, I can wait 30 minutes, nothing happens

    Code
    [....] Starting authentication failure monitor: fail2ban


    I also checked the size of the logfiles, but there is no file greater than 50MB ...
    it always stops at the same domain error log:

    Code
    2014-07-01 10:14:07,964 fail2ban.filter : INFO Added logfile = /var/log/apache2/domain99.info/error.log


    the pid and sock files are available under /var/run/fail2ban
    but I have no response from my shell start command ... I always have to press Ctrl+C

  • and all the logs with "started" are missing

    Code
    2014-07-01 10:09:00,381 fail2ban.jail : INFO Jail 'ssh' started
    2014-07-01 10:09:00,391 fail2ban.jail : INFO Jail 'roundcube' started
    2014-07-01 10:09:00,409 fail2ban.jail : INFO Jail 'apache-badbots' started
    2014-07-01 10:09:00,423 fail2ban.jail : INFO Jail 'wordpress' started
    2014-07-01 10:09:00,435 fail2ban.jail : INFO Jail 'imscp' started
    2014-07-01 10:09:00,445 fail2ban.jail : INFO Jail 'imscp-multiport' started
    2014-07-01 10:09:00,452 fail2ban.jail : INFO Jail 'imscp-noscript' started
    2014-07-01 10:09:00,468 fail2ban.jail : INFO Jail 'imscp-overflows' started
    2014-07-01 10:09:00,483 fail2ban.jail : INFO Jail 'proftpd' started


    something is wrong with the logfiles ... but how can this be fixed?

  • Quote

    same kernel version?


    Yes


    Linux version 3.2.0-4-amd64 ([email protected]) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.57-3+deb7u2


    Code
    2014-07-01 10:32:05,278 fail2ban.jail : INFO Jail 'apache' started
    2014-07-01 10:32:05,298 fail2ban.jail : INFO Jail 'apache-multiport' started
    2014-07-01 10:32:05,315 fail2ban.jail : INFO Jail 'apache-noscript' started
    2014-07-01 10:32:05,324 fail2ban.jail : INFO Jail 'apache-overflows' started
    2014-07-01 10:32:05,337 fail2ban.jail : INFO Jail 'proftpd' started
    2014-07-01 10:32:05,375 fail2ban.jail : INFO Jail 'postfix' started
    2014-07-01 10:32:05,397 fail2ban.jail : INFO Jail 'sasl' started
    2014-07-01 10:32:05,432 fail2ban.jail : INFO Jail 'dovecot' started
    2014-07-01 10:32:05,458 fail2ban.jail : INFO Jail 'apache-webmail-phish' started
    2014-07-01 10:32:05,499 fail2ban.jail : INFO Jail 'apache-badbots' started
    2014-07-01 10:32:05,541 fail2ban.jail : INFO Jail 'apache-nohome' started
    2014-07-01 10:32:05,567 fail2ban.jail : INFO Jail 'apache-w00tw00t' started
    2014-07-01 10:32:05,610 fail2ban.jail : INFO Jail 'apache-myadmin' started
    2014-07-01 10:32:05,643 fail2ban.jail : INFO Jail 'imscp' started
    2014-07-01 10:32:05,675 fail2ban.jail : INFO Jail 'imscp-multiport' started
    2014-07-01 10:32:05,748 fail2ban.jail : INFO Jail 'imscp-noscript' started
    2014-07-01 10:32:05,810 fail2ban.jail : INFO Jail 'imscp-overflows' started
    2014-07-01 10:32:05,846 fail2ban.jail : INFO Jail 'roundcube' started


    Code
    [ ok ] Restarting authentication failure monitor: fail2ban.
  • thanks, I guess the only reason for that is a problem with the apache error logfiles
    maybe a permission problem or whatever ... without the apache error logs it works
    and therefore it seems the problem depends on IMSCP logfile processing / handling

  • with a single error log, it works:

    Code
    logpath = /var/log/apache2/admin.host3.domain.tld/error.log


    but not with the * inside the path:

    Code
    logpath = /var/log/apache2/*/error.log


    I guess it's not a problem with the file sizes

    Code
    du -sh /var/log/apache2
    384M /var/log/apache2


    or too many files open ... I don't know but before the kernel update I never had such a problem
    also checked the system logs ... but nothing showed anything wrong with fail2ban or apache ...

  • @fulltilt


    Try to force the logs rotation before restarting fail2ban. If the problem is gone, this means that your logfiles were too big. Fail2ban can take a lot of time to parse the log files.


    Shell-Script
    # logrotate -f /etc/logrotate.d/apache2
    # service fail2ban restart


    Also, try to lower the value for the findtime parameter to 120. If you have many logs, fail2ban (with the findtime parameter set to 3600 seconds), will parse each of them for the last hour... This can take a lot of time and give you the impression that the daemon hangs.


  • @fulltilt


    Try to force the logs rotation before restarting fail2ban. If the problem is gone, this means that your logfiles were too big. Fail2ban can take a lot of time to parse the log files.


    Shell-Script
    # logrotate -f /etc/logrotate.d/apache2
    # service fail2ban restart


    Also, try to lower the value for the findtime parameter to 120. If you have many logs, fail2ban (with the findtime parameter set to 3600 seconds), will parse each of them for the last hour... This can take a lot of time and give you the impression that the daemon hangs.


    thank you, but no luck
    it hangs again, very strange ... after that I always have to kill the F2B processes, because I'm not able to stop F2B
    it works for all other logfiles also with access.logs but no longer with error.logs

    Code
    working:
    [wordpress]
    enabled = true
    port = http,https
    filter = wordpress-auth
    logpath = /var/log/apache2/*/access.log
    maxretry = 6


    do you think it could be a permission problem?
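
The guesses raised in the posts above (file sizes, too many open files, permissions) can all be checked for the wildcard `logpath` in one pass. The script below is an added example, not part of the thread or of fail2ban; the helper name `survey_logpath` is hypothetical, and the default path is the wildcard quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarise what a logpath wildcard matches.
# survey_logpath is a hypothetical helper name.
# Prints: files=N bytes=B unreadable=U nofile_limit=L largest=PATH
survey_logpath() {
    pattern=$1
    files=0; bytes=0; unreadable=0; largest=""; largest_size=0
    # Unquoted on purpose so the shell expands the wildcard.
    # Limitation: patterns containing spaces are not supported.
    for f in $pattern; do
        [ -f "$f" ] || continue          # unmatched pattern or not a regular file
        files=$((files + 1))
        size=0
        if [ -r "$f" ]; then
            size=$(wc -c < "$f" | tr -d ' ')
        else
            unreadable=$((unreadable + 1))   # current user cannot read this log
        fi
        bytes=$((bytes + size))
        if [ "$size" -gt "$largest_size" ]; then
            largest=$f; largest_size=$size
        fi
    done
    # ulimit -n is the open-file limit of this shell, shown for comparison with
    # the number of matched files; the daemon's own limit may differ.
    echo "files=$files bytes=$bytes unreadable=$unreadable nofile_limit=$(ulimit -n) largest=$largest"
}

# Default to the wildcard path quoted in the thread.
survey_logpath "${1:-/var/log/apache2/*/error.log}"
```

Run it as the same user as the fail2ban daemon, otherwise the unreadable count reflects your own account rather than the daemon's.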

  • teamviewer?
