Debian 8: Recent Fail2Ban, ISPConfig with multiple log files

It’s always the same: The deadline of your current project is yesterday and there is a quick need for a machine with a firewall and some attack prevention mechanisms.

Fail2Ban is very useful in this case, because it scans all of the logfiles on the machine and looks for rejected logins, extremely high access numbers, bots that are crawling directories in the hope of finding something etc. The tool is able to skim through multiple logfiles at once, so one can secure multiple customers inside of an ISPConfig instance, for example.

At least that’s the theory.

In the real world, configuring this thing can be time-consuming, if your hosting provider (Alfahosting, I’m calling you out!) only provides you with Debian 8 – one year after the current version Debian 9 has been released. This ancient release of Debian only includes Fail2ban 0.8.13 from March 2014. You have to savour this one: You are renting a big, fat cloud server with 16 cores and 32 gigabytes of memory and then you’re stuck with software that is four years old. What the hell is happening here? 😒

You can find at least a little bit of remedy within the project NeuroDebian – a fork of Debian that has been created for the field of neuroscience. We don’t need most of the software included in this project, but fail2ban packages are available for version 0.9.7. This brings us up to May 2017 and we still have to pass on some of the features of the new version 0.10, but that’s not really important. This version recognizes logfiles of the current roundcube release, a feature that seemingly doesn’t work with fail2ban 0.8.

The package can be installed fairly quickly via NeuroDebian, we just have to import the repository + key and perform an update afterwards:

wget -O- http://neuro.debian.net/lists/jessie.de-m.full | tee /etc/apt/sources.list.d/neurodebian.sources.list
apt-key adv --recv-keys --keyserver hkp://pool.sks-keyservers.net:80 0xA5D32F012649A5A9
apt-get update
apt-get install fail2ban

Sadly, this version still contains a bug that causes it to fail when you specify multiple logfiles for one jail. By default, I am only able to monitor one single customer that’s been created in ISPConfig, which makes renting a powerful VServer pretty senseless:

fail2ban.transmitter    [3285]: WARNING Command ['set', 'apache-shellshock', 'addlogpath', '/apache2/error.log', '/clients/client
*/web*/log/error.log'] has failed. Received ValueError("File option must be 'head' or 'tail'",)

The patch for fixing this is 4 years old already and can be found here, but for some reason it’s not included in this version of fail2ban. Only a few lines in the file jailreader.py have to be changed. The NeuroDebian package puts them here:

/usr/lib/python3/dist-packages/fail2ban/client/

After that, the file /etc/fail2ban/paths-overrides.local can be created and filled with content like this:

[INCLUDES]
before = paths-debian.conf
after = paths-overrides_2.local
[DEFAULT]
apache_error_log = /apache2/*error.log
                            /clients/client*/web*/log/error.log
apache_access_log = /apache2/*access.log
                              /clients/client*/web*/log/access.log

After a reboot of fail2ban all websites that have been created in IPSConfig will be monitored. That’s only valid for websites served by Apache, of course.

It’s up to you to set up the rest of the jails and filters you need 🙂