We have a Debian Squeezy (fully upgraded) webserver running ISP Config 3.0.3 (not upgradable because hacked :/) with fail2ban 0.8.6 and recently we added a apache-dos filter in fail2ban in order to mitigate DOS attacks :
in /etc/fail2ban/filter.d/apache-dos.conf :
# Fail2Ban configuration file
# Author: http://www.go2linux.org
# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST>.*\"(GET|POST).*
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
ignoreregex = ^<HOST>.*\"(GET|POST).*Googlebot
in /etc/fail2ban/jail.local :
enabled = true
port = http,https
filter = apache-dos
logpath = /var/log/ispconfig/httpd/*/access.log
maxretry = 300
findtime = 60
when we restart fail2ban we have the following error in /var/log/fail2ban.conf :
2013-11-19 17:23:34,126 fail2ban.filter : INFO Added logfile = /var/log/ispconfig/httpd/foo.com/access.log
2013-11-19 17:23:34,128 fail2ban.comm : WARNING Invalid command: ['set', 'apache-dos', 'addlogpath', '/var/log/ispconfig/httpd/bar.com/access.log']
where foo.com is an active website and bar.com is a disabled website in ISP Config. Indeed the bar.com acces.log file doesn't exist anymore because of log rotation.
There are other log files to load, but they don't appear in the list, like if fail2ban had stop loading them when this warning occurs, if so then it should be labelled as an error instead of a warning...
Is there a way to fix that in fail2ban and/or ISP Config or do I have to delete its log dir manually each time I deactivate a website ?
Thank you for your help.