hi medsource
got everything on my router working again
my problem wasn't related to the configuration of fail2ban,
now i know, that since i had edited the root user's homepath,
then my WL700g got crazy on reboot.
now i want to work further on getting fail2ban to work.
my problem is, how can i get dropbear and vsftp to write their
log entries into a logfile, which can be read by fail2ban ?
any solution which wouldn't disable the standard syslog provided
by syslogd, and access with logread command would be preferred.
i tried using syslog-ng which basically works, but syslogd and klogd
have to be disabled if syslog-ng shall be used.
medsource, how did you manage this issue ?
thanks && brgds
tiwag
I changed, in the vsftpd.conf file, the location and method of the logging. I set it (if memory serves correct) to /var/tmp/log and called it ftp.log (I think). I then set a cron job to run a script to check the size of the log and purge it if it got too big (I think it was set to 200kb).
I too would have loved fail2ban to just peruse the syslog, but I never found a way to do that. Anyway, using a true log file (on the ramdisk so spindown is preserved) works.
any other one, who has some other ideas
(maybe with tested and working scriptfiles
and precise instructions, what has to be changed where,
instead of "maybe could be working when my brain remembers correctly" )
sorry medsource, but you are way too unspecific !
therefore of no great help.
brgds
tiwag
<rant>
Well, that lovely public bash really makes me want to check my config files and cron scripts WHEN I GET HOME TO WHERE MY WL-700GE IS to help you out.
Maybe you should learn to ask politely and not behave like a complete ass. Methinks your results might be better.
</rant>
looking politely forward ...
just a small reminder to what i requested a few times already ...
anyhow, i made some progress in the meanwhile
i got syslog-ng working, which produces nice logfiles, which can be read by fail2ban.
at the moment i'm working to find out, which are the least common settings for syslog-ng,
in order to produce a /opt/var/log/auth.log where dropbear and vsftp logins are collected,
and all the other necessary stuff goes to /opt/var/log/syslog
and all the unnecessary stuff is silently dropped.
brgds
Last edited by tiwag; 04-09-2007 at 22:35.
tiwag
You might run into a problem with that log location for two reasons...
1) Unless /opt/var/log is cramfs (need to check the mount point for that) then everytime you experience an attack this data will get written to the drive and will negate spindown on the HD (granted if you are not using spindown then this is not an issue).
2) Make sure you set a size limit for the log files (syslog-ng SHOULD be able to do this; but I have never used it so I can't say for sure) else the log files (at least vsftpd) will get large over time (speed of increase in size depending on how heavy you are getting hit or how often you use ftp).