fail2ban and access.log symlink

Discussion in 'Installation/Configuration' started by bilbo_uk, Oct 5, 2014.

  1. bilbo_uk

    bilbo_uk New Member

    I apologise if this has been covered before - I searched but couldn't find it.

    I wonder if something can be done about the way ISPC3 handles Apache log files please?

    AIUI it uses a permanent symlink "log/access.log" which points to a 'day' file, e.g. 20140924-access.log. The symlink is updated to point to a new file when the old one is rotated (by ISPC3 I assume).

    That's fine but the symlink causes problems with fail2ban. The symlink is treated as a "dangling link" by fail2ban and the file is ignored. This means no fail2ban httpd jails will work.

    To get fail2ban to process the Apache logs I have to use a glob "log/*-access.log*"

    The biggest downside of this is that fail2ban will then read every logfile in the log directory even though it is only inspecting the past 15 minutes for events to monitor. This makes loading very slow. (Especially with 50 domains to monitor with 30 logfiles each and 3 separate Apache jails!)

    I think it would be better if ISPC3 followed the usual (?) practice of access.log being the current file (a physical file, not a symlink) and only changing to a 'dated' file when it is rotated. Then I could simply point fail2ban at the one file.

    Or am I missing something?

    Many thanks for any help,

    ISPConfig, "Perfect Server", CentOS 6, Apache 2.2.15, fail2ban 0.8.14
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig is not rotating the access.log. The rotation is done by vlogger.
  3. bilbo_uk

    bilbo_uk New Member

    Thanks for your reply.

    So the "perfect server" isn't quite so perfect :(

    I think you ought to point out that fail2ban jails on the web server logs will not work with the "perfect server" setup. People may miss the warning in the fail2ban log and assume that the jail is working, when it's not.

  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The perfect server guide does not use fail2ban for the website logs, fail2ban is used for SMTP, POP3/IMAP, FTP and SSH. If you have jails for website logs on your server, then you must have added them manually as thats not described in our guides.
  5. bilbo_uk

    bilbo_uk New Member

    If by "added them manually" you mean simply enabling one of the other jails which come pre-configured with fail2ban, then yes.

    ISPConfig doesn't enable any jails by itself during setup. You have to enable the ones you want manually by editing jail.conf/jail.local.

    For anyone else finding this thread, I guess the answer is simple: ignore the vhost log files and use the standard Apache log file (e.g. /var/log/httpd/access_log) (i.e. dual logging to both the standard CustomLog as well as vlogger). This contains all the log entries for all virtual hosts in one file. If you need to tune the jail to a specific vhost then add '%v' to the LogFormat in Apache config and modify your fail2ban filter to suit your needs.
  6. wwhtf

    wwhtf New Member

    I just ran into this same issue as I am starting to migrate from ISPConfig2 to ISPConfig3 and I am disappointed for the same reason; I have MANY sites per server with MANY rotated log files and this causes serious CPU churn when starting up this jail.

    This behavior is different from ISPConfig2.

    And Till, I have to say that I don't consider jails that monitor the webserver log to be "optional" ... in most cases they are key to mitigating Content Spammers, Website Leechers, and various hack and DDoS attempts; and ensuring that your server has ample resources available to serve legitimate visitors.

Share This Page