A few things:
1) Do you need to monitor rotated files? The answer is, "no". You are right
to say once f2b captures a log item, it stores it and you don't need the
log file anymore. It has "used" the information from the log.
But also, there is something harmful about monitoring rotated log files:
*You will always get double-counting if you monitor rotated log files*.
Let's say your findtime (how far back into your log files f2b goes) is 1
month.
Let's say you have f2b monitoring 'wp-failed-logins.log' for a jail called
wp-logins.
This line:
*2018-06-01:10:32:09 99.88.77.66 WP login failed for user 'spammy'*
would've been picked up by f2b when it first appeared in the log. Your f2b
log file would say
2018-06-01 10:32:11 fail2ban.filter [1920]: INFO [wp-logins] Found 99.88.77.66 - 2018-06-01 10:32:09
Tonight, the log file gets rotated. So, wp-failed-logins.log is empty,
and wp-failed-logins.log.1 has all the stuff from the last month.
If f2b is monitoring wp-failed-logins.log.1 it will now have lots of lovely
new data to go through.
And guess what it will find?
*2018-06-01:10:32:09 99.88.77.66 WP login failed for user 'spammy'*
And guess what your f2b log file will show?
2018-07-01 00:06:37 fail2ban.filter [1920]: INFO [wp-logins] Found 99.88.77.66 - 2018-06-01 10:32:09
Fail2ban will think it's a different log entry. So now it's found at least
2 from IP address 99.88.77.66.
So if you monitor a rotated file that contains info that has previously
been captured by f2b, you will end up with double-counted data.
If you are sure that f2b has monitored the log file when it was getting the
data, you don't need to monitor rotated files - that data has been taken
into f2b already.
I do *not* monitor rotated log files.
2) purgedb never worked properly on older versions of f2b - you're right,
it just keeps anything found by f2b, but only in v0.11 (and maybe v0.10)
did it work properly.
3) If you get one of the newer versions, there's a fantastic new system
called "ban multiplier". If something gets banned more than once, you can
increase the ban time as much as you want. Mine is set to go 2 hours, 2
days, 14 days, 90 days, 180 days, 1 year, 5 years. So much easier to use
than setting up another jail.
4) I do actually include rotated log files in my 'sendmail' action - my f2b
emails always show everything that the banned IP address has done on my
system in the last 12 months. That's different to what you're talking
about, obviously, but I've written a script that gives me very detailed
emails every time an IP address is banned.
Tony Collins
RMT Tier 1 Health & Safety Representative
Edgware Road Traincrew Depot
07949 228324
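The double count in point 1 and the escalating ban times in point 3, as an added example that is not part of the message above and not fail2ban's own code. The `Jail` class is a deliberately small model of what the thread describes (per-file read positions, re-reading a file from the top when its first line changes, one Found event per matched line, failures counted inside findtime); it is not fail2ban's filter or database implementation. The `dedup` switch is a constructed option that fail2ban does not have, included only to show what key would make the rotated copy harmless. The log lines and the `jail.local` fragment are constructed; the multipliers assume the first ban is the jail's `bantime` of 2h, which the message implies but does not state.

```python
"""Toy model of fail2ban's Found accounting across a log rotation, plus the ban
lengths produced by bantime.increment with bantime.multipliers. Not fail2ban code."""
import configparser
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed log contents in the message's "YYYY-MM-DD:HH:MM:SS" layout.
MAY_LOG = "2018-04-28:03:14:00 99.88.77.66 WP login failed for user 'spammy'\n"
JUNE_LOG = (
    "2018-06-01:10:32:09 99.88.77.66 WP login failed for user 'spammy'\n"
    "2018-06-15:08:12:44 203.0.113.9 WP login failed for user 'admin'\n"
    "2018-06-29:23:59:01 99.88.77.66 WP login failed for user 'spammy'\n"
)
FAILREGEX = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}:\d{2}:\d{2}:\d{2}) (?P<ip>\d+\.\d+\.\d+\.\d+) WP login failed"
)


class Jail:
    """Model only: per-file read position, rotation detected by the first line
    changing, and a list of Found events keyed by the log line's own timestamp."""

    def __init__(self, findtime, dedup=False):
        self.findtime = findtime
        self.dedup = dedup          # constructed option, not a fail2ban setting
        self.positions = {}         # path -> (first line, lines already consumed)
        self.found = []             # (ip, log timestamp), one per Found entry
        self.seen = set()

    def poll(self, files):
        """One filter pass over {path: current file text}; only new lines are read."""
        for path, text in files.items():
            lines = text.splitlines()
            first = lines[0] if lines else None
            prev_first, consumed = self.positions.get(path, (None, 0))
            if first != prev_first:     # rotated or replaced: start again from line 0
                consumed = 0
            for line in lines[consumed:]:
                m = FAILREGEX.match(line)
                if not m:
                    continue
                ts = datetime.strptime(m["ts"], "%Y-%m-%d:%H:%M:%S")
                key = (m["ip"], ts, line)   # same event read from two files -> same key
                if self.dedup and key in self.seen:
                    continue
                self.seen.add(key)
                self.found.append((m["ip"], ts))
            self.positions[path] = (first, len(lines))

    def failures(self, now):
        """Failures per IP inside the findtime window (what maxretry is compared against)."""
        return Counter(ip for ip, ts in self.found if now - ts <= self.findtime)


def replay(monitor_rotated=False, dedup=False):
    """Replay the thread's scenario; failures per IP as of 2018-07-01 00:06:37."""
    jail = Jail(findtime=timedelta(days=31), dedup=dedup)

    def files(live_text, rotated_text):
        f = {"wp-failed-logins.log": live_text}
        if monitor_rotated:
            f["wp-failed-logins.log.1"] = rotated_text
        return f

    jail.poll(files(JUNE_LOG.splitlines(True)[0], MAY_LOG))  # 2018-06-01: first line appended
    jail.poll(files(JUNE_LOG, MAY_LOG))                          # 2018-06-29: rest of June
    jail.poll(files("", JUNE_LOG))                               # 2018-07-01: logrotate ran
    return dict(jail.failures(datetime(2018, 7, 1, 0, 6, 37)))


# Constructed jail.local fragment reproducing 2h, 2d, 14d, 90d, 180d, 1y, 5y.
JAIL_LOCAL = """
[DEFAULT]
bantime = 2h
bantime.increment = true
bantime.multipliers = 1 24 168 1080 2160 4380 21900
bantime.maxtime = 5y
"""
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "y": 365 * 86400}


def to_seconds(spec):
    """Simplified reading of a fail2ban time spec such as '2h', '90d' or '3600'."""
    m = re.fullmatch(r"(\d+)([smhdwy]?)", spec.strip())
    if not m:
        raise ValueError(spec)
    return int(m.group(1)) * _UNITS.get(m.group(2), 1)


def ban_schedule(config_text, bans=8):
    """Ban length in seconds for the 1st..nth ban of one IP: n-th multiplier times
    bantime, the last multiplier repeating, capped at bantime.maxtime."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    d = cp["DEFAULT"]
    base = to_seconds(d["bantime"])
    mult = [float(x) for x in d["bantime.multipliers"].split()]
    cap = to_seconds(d["bantime.maxtime"]) if "bantime.maxtime" in d else None
    out = []
    for n in range(bans):
        t = base * mult[min(n, len(mult) - 1)]
        out.append(int(min(t, cap) if cap is not None else t))
    return out


if __name__ == "__main__":
    print("live log only:            ", replay())
    print("live + rotated copy:      ", replay(monitor_rotated=True))
    print("live + rotated, deduped:  ", replay(monitor_rotated=True, dedup=True))
    print("ban lengths in days:      ", [t / 86400 for t in ban_schedule(JAIL_LOCAL)])
```

The rotated copy is re-read from the top because its first line changes on rotation, so every June line that was already a Found event on the live file becomes a Found event a second time; the April line in the old `.1` is harmless only because it has fallen outside findtime. A real deployment has no `dedup` switch, which is why the sane fix is to leave `.1` out of `logpath` rather than to try to deduplicate.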
On 30 June 2018 at 06:41, zypA13510 <[email protected]> wrote:
> Hi,
>
> Could someone give a definitive answer to this question: do I need to
> configure fail2ban to monitor the rotated log files in addition to the main
> log file? There is a similar question here:
> https://serverfault.com/q/490138/320744, but just like everywhere else, it
> gives me contradictory info.
>
> If I'm not mistaken, the DB referred to in dbpurgeage is used for keeping
> failed attempts (or just banned ip)? If so, then as long as I set
> dbpurgeage greater than the maximum findtime, I do not need to monitor
> rotated log files, and fail2ban will look for any failed attempts from the
> DB? I want to make sure I don't waste resources reading an old log for
> nothing.
>
> Regards,
> Yuping Zuo
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
>
>