fali2ban WARNING invalid command /w ISP Config disabled websites

Discussion in 'Server Operation' started by ircf, Nov 19, 2013.

  1. ircf

    ircf New Member

    [solved] fail2ban WARNING invalid command /w ISP Config disabled websites


    We have a Debian Squeezy (fully upgraded) webserver running ISP Config 3.0.3 (not upgradable because hacked :/) with fail2ban 0.8.6 and recently we added a apache-dos filter in fail2ban in order to mitigate DOS attacks :

    in /etc/fail2ban/filter.d/apache-dos.conf :

    # Fail2Ban configuration file
    # Author: http://www.go2linux.org
    # Option: failregex
    # Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
    # You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
    failregex = ^<HOST>.*\"(GET|POST).*
    # Option: ignoreregex
    # Notes.: regex to ignore. If this regex matches, the line is ignored.
    # Values: TEXT
    ignoreregex = ^<HOST>.*\"(GET|POST).*Googlebot
    in /etc/fail2ban/jail.local :

    enabled = true
    port = http,https
    filter = apache-dos
    logpath = /var/log/ispconfig/httpd/*/access.log
    maxretry = 300
    findtime = 60
    when we restart fail2ban we have the following error in /var/log/fail2ban.conf :

    2013-11-19 17:23:34,126 fail2ban.filter : INFO   Added logfile = /var/log/ispconfig/httpd/foo.com/access.log
    2013-11-19 17:23:34,128 fail2ban.comm   : WARNING Invalid command: ['set', 'apache-dos', 'addlogpath', '/var/log/ispconfig/httpd/bar.com/access.log']
    where foo.com is an active website and bar.com is a disabled website in ISP Config. Indeed the bar.com acces.log file doesn't exist anymore because of log rotation.

    There are other log files to load, but they don't appear in the list, like if fail2ban had stop loading them when this warning occurs, if so then it should be labelled as an error instead of a warning...

    Is there a way to fix that in fail2ban and/or ISP Config or do I have to delete its log dir manually each time I deactivate a website ?

    Thank you for your help.
    Last edited: Nov 19, 2013
  2. ircf

    ircf New Member

    Simple solution

    I found that the problem is about broken symbolic links created during the log rotation :

    access.log -> YYYYMMDD-access.log
    where YYYYMMDD is the day AFTER the website was desactivated, and so the YYYYMMDD-access.log does not exist.

    For now the simpler fix I found is to create manually the missing files so the symlinks are fixed and fail2ban can continue loading logfiles.

    That fixed my problem unless someone have a better/cleaner solution :)
  3. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Off topic, but: An old version like this contains security issues for sure. The neccessary work to upgrade to the latest version should be less than restoring the system because of being hacked, don't you think?
  4. ircf

    ircf New Member

    Sure ! We'd like to upgrade and we'll do it ASAP... but unfortunately we don't have time for that right now :(

    We use the ISP Config back-end internally inside our company on a closed network port. If there are opened vulnerabilities, they should be in configuration files and/or permissions that ISP Config writes (mainly for Apache2). If that would be the case (which I doubt) we could still modify config templates without having to upgrade ISPC.

    We plan to move our servers in a few months to a new architecture so we surely upgrade on that occasion.

    EDIT : More important : I will do my best NOT to hack ISPC next time so that we can upgrade it anytime ;)
    Last edited: Nov 19, 2013

Share This Page