#1
19th November 2013, 18:52
ircf
Member
[solved] fail2ban WARNING invalid command /w ISP Config disabled websites

Hello,

We have a Debian Squeeze (fully upgraded) webserver running ISP Config 3.0.3 (not upgradable because hacked :/) with fail2ban 0.8.6, and recently we added an apache-dos filter in fail2ban in order to mitigate DoS attacks:

In /etc/fail2ban/filter.d/apache-dos.conf:

Code:
# Fail2Ban configuration file
#
# Author: http://www.go2linux.org
#
[Definition]

# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.

failregex = ^<HOST>.*\"(GET|POST).*

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex = ^<HOST>.*\"(GET|POST).*Googlebot

In /etc/fail2ban/jail.local:

Code:
[apache-dos]
enabled = true
port = http,https
filter = apache-dos
logpath = /var/log/ispconfig/httpd/*/access.log
maxretry = 300
findtime = 60

When we restart fail2ban, we get the following error in /var/log/fail2ban.conf:

Code:
2013-11-19 17:23:34,126 fail2ban.filter : INFO   Added logfile = /var/log/ispconfig/httpd/foo.com/access.log
2013-11-19 17:23:34,128 fail2ban.comm   : WARNING Invalid command: ['set', 'apache-dos', 'addlogpath', '/var/log/ispconfig/httpd/bar.com/access.log']

where foo.com is an active website and bar.com is a disabled website in ISP Config. Indeed, the bar.com access.log file doesn't exist anymore because of log rotation.

There are other log files to load, but they don't appear in the list, as if fail2ban had stopped loading them when this warning occurs. If so, it should be labelled as an error instead of a warning...

Is there a way to fix that in fail2ban and/or ISP Config, or do I have to delete its log dir manually each time I deactivate a website?

Thank you for your help.

Last edited by ircf; 19th November 2013 at 19:10. Reason: solved

#2
19th November 2013, 19:09
ircf
Member
Simple solution

I found that the problem is about broken symbolic links created during the log rotation:

Code:
access.log -> YYYYMMDD-access.log

where YYYYMMDD is the day AFTER the website was deactivated, and so the YYYYMMDD-access.log does not exist.

For now, the simplest fix I found is to manually create the missing files so the symlinks are fixed and fail2ban can continue loading logfiles.

That fixed my problem, unless someone has a better/cleaner solution.
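
The workaround from post #2 as a script, added here as an example and not part of the original posts: it lists dangling `access.log` symlinks under a log root and creates the missing rotation target for each. The function names are hypothetical, the demo tree is constructed, and it assumes each symlink points to a file in its own directory, as in the post; on the server from the thread the root would be `/var/log/ispconfig/httpd`.

```shell
#!/bin/sh
# Print every <base>/<site>/access.log that is a symlink to a missing file.
find_dangling_logs() {
    base=$1
    for link in "$base"/*/access.log; do
        # -L: is a symlink; ! -e: its target does not exist (dangling)
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            printf '%s\n' "$link"
        fi
    done
}

# Create an empty file for each missing target so the glob resolves again.
repair_dangling_logs() {
    find_dangling_logs "$1" | while IFS= read -r link; do
        target=$(readlink "$link")
        # Only follow links to a plain file name in the same directory;
        # refuse anything that would make us create files elsewhere.
        case $target in
            */*) printf 'skipped %s\n' "$link" >&2; continue ;;
        esac
        touch "$(dirname "$link")/$target"
        printf 'created %s\n' "$(dirname "$link")/$target"
    done
}

# Constructed demo tree: foo.com is active, bar.com was deactivated.
demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/foo.com" "$root/bar.com"
    touch "$root/foo.com/20131119-access.log"
    ln -s 20131119-access.log "$root/foo.com/access.log"
    ln -s 20131120-access.log "$root/bar.com/access.log"  # target missing
    printf '%s\n' "$root"
}

tree=$(demo_tree)
find_dangling_logs "$tree"      # lists only bar.com/access.log
repair_dangling_logs "$tree"    # creates bar.com/20131120-access.log
rm -rf "$tree"
```

Running `find_dangling_logs` before restarting fail2ban shows which sites would interrupt the `addlogpath` sequence.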

#3
19th November 2013, 19:25
Croydon
ISPConfig Developer

Off topic, but: An old version like this contains security issues for sure. The necessary work to upgrade to the latest version should be less than restoring the system because of being hacked, don't you think?
__________________
Marius Cramer

pixcept KG

#4
19th November 2013, 19:48
ircf
Member

Sure! We'd like to upgrade and we'll do it ASAP... but unfortunately we don't have time for that right now.

We use the ISP Config back-end internally inside our company on a closed network port. If there are open vulnerabilities, they should be in configuration files and/or permissions that ISP Config writes (mainly for Apache2). If that were the case (which I doubt), we could still modify config templates without having to upgrade ISPC.

We plan to move our servers in a few months to a new architecture, so we will surely upgrade on that occasion.

EDIT: More important: I will do my best NOT to hack ISPC next time so that we can upgrade it anytime.

Last edited by ircf; 19th November 2013 at 19:50.