[Fail2ban-users] Two Jails - One Logfile?
Arthur Dent
2009-07-02 13:02:16 UTC
Hello all,

I am delighted to have discovered fail2ban. It does exactly what I wanted to
achieve. I have a question however...

I am currently using fail2ban to block failed proxy attempts or attempts to
attack my webserver. I have one quite loose regex which I only want to block
after 3 or more attempts within a 10 minute findtime. I have a jail set up for
this and it works just fine.

I also have however another regex which is a very tight match for a slightly
rarer event. This one I would like to set maxtries=1 and findtime=1 week and
bantime= 2 weeks.

Now, I could very easily create another jail for this regex but I am concerned
that both these jails would be reading the same log file
(/var/log/httpd/error_log). Would this cause any conflict?

Is there a better way to do it?

Any advice or suggestions gratefully received...

Mark
René Berber
2009-07-02 17:24:44 UTC
Arthur Dent wrote:

[snip]
> Now, I could very easily create another jail for this regex but I am concerned
> that both these jails would be reading the same log file
> (/var/log/httpd/error_log). Would this cause any conflict?
No, that's the way it works, some servers have separate log files, some
don't.

As an example, under Solaris I have 3 jails looking into the same
/var/log/authlog: sshd, sendmail, UW imap (actually pop3, which is the
one that gets attacked more often). Actually it is 2: sendmail's
authorization uses sasl, which doesn't give enough info in authlog, so I had
to use /var/log/syslog for those attacks.
> Is there a better way to do it?
If you really want to use separate log files it can be configured at the
syslog level.

The only advantage I see is in performance, the case of one daemon
producing a lot of output to its log, separating logs will save work for
the other jail(s).
--
René Berber
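The setup the question describes, written out as an added example (not a configuration posted by either participant): two jails in jail.local that both read /var/log/httpd/error_log, each with its own filter file, thresholds and ban length. The jail names, filter names and failregex patterns are assumptions for illustration; the time values are plain seconds, which is what fail2ban of that era expects (10 minutes = 600, 1 week = 604800, 2 weeks = 1209600). The one thing that genuinely must differ between the two jails is the `name=` passed to the iptables action, since that is what names the per-jail iptables chain; the shared logpath needs no special handling.

```ini
# /etc/fail2ban/jail.local  (assumed example, not from the thread)
# Two jails, one log file: each jail tails error_log independently,
# applies only its own filter, and keeps its own failure counters.

[apache-loose]
enabled  = true
filter   = apache-loose
# name= must be unique per jail: it becomes the iptables chain fail2ban-<name>
action   = iptables-multiport[name=apache-loose, port="http,https", protocol=tcp]
logpath  = /var/log/httpd/error_log
# ban after 3 matches inside a 10-minute window, for 10 minutes
maxretry = 3
findtime = 600
bantime  = 600

[apache-tight]
enabled  = true
filter   = apache-tight
action   = iptables-multiport[name=apache-tight, port="http,https", protocol=tcp]
logpath  = /var/log/httpd/error_log
# ban on the first match seen within a week, for two weeks
maxretry = 1
findtime = 604800
bantime  = 1209600

# /etc/fail2ban/filter.d/apache-loose.conf  (assumed pattern)
# Loose match: probes for common admin paths in an Apache 2.2 error_log line
# such as "[error] [client 192.0.2.10] File does not exist: /var/www/phpmyadmin"
[Definition]
failregex = \[client <HOST>\] File does not exist: \S+/(phpmyadmin|admin|w00t)
ignoreregex =

# /etc/fail2ban/filter.d/apache-tight.conf  (assumed pattern)
# Tight match: an attempt to use the server as an open proxy, logged as
# "[error] [client 192.0.2.10] Invalid URI in request GET http://... HTTP/1.0"
[Definition]
failregex = \[client <HOST>\] Invalid URI in request (CONNECT|GET http://)
ignoreregex =
```

Each filter can be checked against the real log before the jail is enabled with `fail2ban-regex /var/log/httpd/error_log /etc/fail2ban/filter.d/apache-tight.conf`, which reports how many lines matched and which <HOST> values were extracted. Two caveats for the tight jail: a long findtime keeps every matching host in memory for a week, so the pattern should really be tight; and in fail2ban releases of this period bans are not persisted across a restart of the daemon, so a two-week ban lasts only as long as fail2ban does.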