LinuxQuestions.org

Linux - Security: fail2ban on a NFS network sharing one log file (https://www.linuxquestions.org/questions/linux-security-4/fail2ban-on-a-nfs-network-sharing-one-log-file-4175734569/)

BluePukeko 03-04-2024 11:26 PM

fail2ban on a NFS network sharing one log file
 
I'm restructuring my systems and running everything on a ProxMox hypervisor with one VM being a dedicated NFS file server.
The idea being that I can assign one large disk partition of 3Tb across all servers rather than splitting the 3Tb into smaller chunks for each of up to 10 VMs.

As part of this restructuring I'm thinking that the file logs could be shared by all servers as well, in other words one Apache2 log file for each of the apache servers on all the servers with an extra field added to the log record with the machine name or other identifier.

In general this approach looks promising BUT!!!!

Fail2Ban, as far as I have been able to ascertain, does not have provision for customising the log file.

It would be particularly useful to combine all log records for Fail2Ban as I could get a better picture of overall attacks and also have all VMs ban IP addresses that have tried to attack other VMs.

So my question is, has anybody found a way of adding extra fields to the Fail2Ban log file, or maybe have some suggestion of workarounds?

elgrandeperro 03-10-2024 11:21 PM

That is NOT how apache logs work. They don't open/close the file for each connection, they keep the fd open. So when for instance you rotate the files, most likely the other apaches are going to write into the old file, and chaos will ensue.

You can insert what you want into the apache log file, you would just write a filter in fail2ban to trigger the action. I guess I don't understand your comment perhaps.

One way to unify your fail2ban is to forward the apache logs using syslog to a central server. That server can interpret the log files and push out the fail2ban commands to all your servers. The syslog server can either watch each log or a unified one. There is no problem with "sharing" syslog that you would have with an nfs mount. The only commands it probably needs to push are one to ban an IP and one to unban an IP, since the management would be a unified instance.
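
As an added illustration of the central-syslog approach described above (this is not code from the thread, from fail2ban or from Apache), the script below parses Apache access lines as they would arrive at a collector with the sending VM's name in the syslog header, and counts authentication failures per client IP across the whole fleet, which is the unified view the original poster was after. The hostnames, addresses and log lines are constructed samples; the regex mirrors the shape of a fail2ban failregex, with fail2ban's `<HOST>` token written out as a named group.

```python
import re
from collections import defaultdict

# Constructed sample: Apache access-log lines forwarded over syslog from
# several VMs; the syslog header carries the originating machine name.
SAMPLE_LOG = """\
Mar 10 23:01:02 web01 apache2: 203.0.113.7 - - [10/Mar/2024:23:01:02 -0500] "POST /wp-login.php HTTP/1.1" 401 512
Mar 10 23:01:05 web02 apache2: 203.0.113.7 - - [10/Mar/2024:23:01:05 -0500] "POST /wp-login.php HTTP/1.1" 401 512
Mar 10 23:01:09 web03 apache2: 203.0.113.7 - - [10/Mar/2024:23:01:09 -0500] "POST /wp-login.php HTTP/1.1" 403 512
Mar 10 23:02:00 web01 apache2: 198.51.100.4 - - [10/Mar/2024:23:02:00 -0500] "GET /index.html HTTP/1.1" 200 2048
Mar 10 23:02:30 web02 apache2: 198.51.100.4 - - [10/Mar/2024:23:02:30 -0500] "POST /wp-login.php HTTP/1.1" 401 512
"""

# Same shape as a fail2ban failregex for syslog-wrapped Apache lines:
# 'host' stands in for fail2ban's <HOST> token, and 'origin' captures the
# VM that saw the request so a report can say where each attempt landed.
LINE_RE = re.compile(
    r'^\S+ +\d+ [\d:]+ (?P<origin>\S+) \S+: '
    r'(?P<host>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse(log_text):
    """Yield (origin_vm, client_ip, status) for every line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m['origin'], m['host'], int(m['status'])


def ban_candidates(log_text, maxretry=3, statuses=(401, 403)):
    """Count auth failures per client IP across all VMs and return
    {ip: {vms that saw it}} for IPs at or above maxretry, i.e. a
    fleet-wide equivalent of fail2ban's per-host maxretry threshold."""
    counts = defaultdict(int)
    seen_on = defaultdict(set)
    for origin, ip, status in parse(log_text):
        if status in statuses:
            counts[ip] += 1
            seen_on[ip].add(origin)
    return {ip: seen_on[ip] for ip, n in counts.items() if n >= maxretry}


if __name__ == "__main__":
    for ip, vms in ban_candidates(SAMPLE_LOG).items():
        print(f"ban {ip}: failures seen on {', '.join(sorted(vms))}")
```

In the sample, 203.0.113.7 never reaches three failures on any single VM, so a per-host fail2ban would not ban it, while the fleet-wide count does.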

BluePukeko 03-18-2024 02:16 PM

Quote:

Originally Posted by elgrandeperro (Post 6488910)
That is NOT how apache logs work. They don't open/close the file for each connection, they keep the fd open. So when for instance you rotate the files, most likely the other apaches are going to write into the old file, and chaos will ensue.

You can insert what you want into the apache log file, you would just write a filter in fail2ban to trigger the action. I guess I don't understand your comment perhaps.

One way to unify your fail2ban is to forward the apache logs using syslog to a central server. That server can interpret the log files and push out the fail2ban commands to all your servers. The syslog server can either watch each log or a unified one. There is no problem with "sharing" syslog that you would have with an nfs mount. The only commands it probably needs to push are one to ban an IP and one to unban an IP, since the management would be a unified instance.

Thanks for your reply.
You have confirmed what I had assumed was most likely the situation.
From observation of Linux behaviour I was not sure whether the log files were opened, written to and then closed for each entry, or, what appeared to be more likely, that they were opened when the application started and closed when the application was closed or restarted.
From many years ago I had the feeling that Unix, and most likely Linux, used file IDs rather than names to access files, and therefore changing a file name or even moving it made no difference to an application accessing the file.
I will now need to review my approach to this concept and find an alternative approach.

Thank you once again for responding.
