diff -up fail2ban-0.9-d529151/config/jail.conf.logfiles fail2ban-0.9-d529151/config/jail.conf
--- fail2ban-0.9-d529151/config/jail.conf.logfiles 2013-07-28 03:43:54.000000000 -0600
+++ fail2ban-0.9-d529151/config/jail.conf 2013-08-08 21:23:41.785950007 -0600
@@ -152,20 +152,18 @@ action = %(action_)s
[sshd]
port = ssh
-logpath = /var/log/auth.log
- /var/log/sshd.log
+logpath = /var/log/secure
[sshd-ddos]
port = ssh
-logpath = /var/log/auth.log
- /var/log/sshd.log
+logpath = /var/log/secure
[dropbear]
port = ssh
filter = sshd
-logpath = /var/log/dropbear
+logpath = /var/log/secure
# Generic filter for PAM. Has to be used with action which bans all
@@ -175,12 +173,12 @@ logpath = /var/log/dropbear
# pam-generic filter can be customized to monitor specific subset of 'tty's
banaction = iptables-allports
-logpath = /var/log/auth.log
+logpath = /var/log/secure
[xinetd-fail]
banaction = iptables-multiport-log
-logpath = /var/log/daemon.log
+logpath = /var/log/messages
maxretry = 2
# .. custom jails
@@ -201,7 +199,7 @@ filter = sshd
action = hostsdeny[daemon_list=sshd]
sendmail-whois[name=SSH, dest=you@example.com]
ignoreregex = for myuser from
-logpath = /var/log/sshd.log
+logpath = /var/log/secure
# Here we use blackhole routes for not requiring any additional kernel support
# to store large volumes of banned IPs
@@ -210,7 +208,7 @@ logpath = /var/log/sshd.log
filter = sshd
action = route
-logpath = /var/log/sshd.log
+logpath = /var/log/secure
# Here we use a combination of Netfilter/Iptables and IPsets
# for storing large volumes of banned IPs
@@ -221,13 +219,13 @@ logpath = /var/log/sshd.log
filter = sshd
action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp]
-logpath = /var/log/sshd.log
+logpath = /var/log/secure
[sshd-iptables-ipset6]
filter = sshd
action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600]
-logpath = /var/log/sshd.log
+logpath = /var/log/secure
# This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip"
# option is overridden in this jail. Moreover, the action "mail-whois" defines
@@ -238,7 +236,7 @@ logpath = /var/log/sshd.log
filter = sshd
action = ipfw[localhost=192.168.0.1]
sendmail-whois[name="SSH,IPFW", dest=you@example.com]
-logpath = /var/log/auth.log
+logpath = /var/log/secure
ignoreip = 168.192.0.1
# bsd-ipfw is ipfw used by BSD. It uses ipfw tables.
@@ -250,7 +248,7 @@ ignoreip = 168.192.0.1
[ssh-bsd-ipfw]
filter = sshd
action = bsd-ipfw[port=ssh,table=1]
-logpath = /var/log/auth.log
+logpath = /var/log/secure
#
# HTTP servers
@@ -259,7 +257,7 @@ logpath = /var/log/auth.log
[apache-auth]
port = http,https
-logpath = /var/log/apache*/*error.log
+logpath = /var/log/httpd/*error_log
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
@@ -267,21 +265,20 @@ logpath = /var/log/apache*/*error.log
[apache-badbots]
port = http,https
-logpath = /var/log/apache*/*access.log
- /var/www/*/logs/access_log
+logpath = /var/log/httpd/*access_log
bantime = 172800
maxretry = 1
[apache-noscript]
port = http,https
-logpath = /var/log/apache*/*error.log
+logpath = /var/log/httpd/*error_log
maxretry = 6
[apache-overflows]
port = http,https
-logpath = /var/log/apache*/*error.log
+logpath = /var/log/httpd/*error_log
maxretry = 2
# Ban attackers that try to use PHP's URL-fopen() functionality
@@ -291,7 +288,7 @@ maxretry = 2
[php-url-fopen]
port = http,https
-logpath = /var/www/*/logs/access_log
+logpath = /var/log/httpd/*access_log
# A simple PHP-fastcgi jail which works with lighttpd.
# If you run a lighttpd server, then you probably will
@@ -330,7 +327,7 @@ logpath = /var/log/sogo/sogo.log
filter = apache-auth
action = hostsdeny
-logpath = /var/log/apache*/*error.log
+logpath = /var/log/httpd/*error_log
maxretry = 6
@@ -347,7 +344,7 @@ logpath = /var/log/proftpd/proftpd.log
[pure-ftpd]
port = ftp,ftp-data,ftps,ftps-data
-logpath = /var/log/auth.log
+logpath = /var/log/secure
maxretry = 6
[vsftpd]
@@ -355,7 +352,7 @@ maxretry = 6
port = ftp,ftp-data,ftps,ftps-data
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
-# logpath = /var/log/auth.log
+# logpath = /var/log/secure
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
@@ -384,12 +381,12 @@ maxretry = 6
[courier-smtp]
port = smtp,ssmtp,submission
-logpath = /var/log/mail.log
+logpath = /var/log/maillog
[postfix]
port = smtp,ssmtp,submission
-logpath = /var/log/mail.log
+logpath = /var/log/maillog
# The hosts.deny path can be defined with the "file" argument if it is
# not in /etc.
@@ -410,7 +407,7 @@ bantime = 300
[courier-auth]
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
-logpath = /var/log/mail.log
+logpath = /var/log/maillog
[sasl]
@@ -419,12 +416,12 @@ port = smtp,ssmtp,submission,imap2,i
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
-logpath = /var/log/mail.log
+logpath = /var/log/maillog
[dovecot]
port = smtp,ssmtp,submission,imap2,imap3,imaps,pop3,pop3s
-logpath = /var/log/mail.log
+logpath = /var/log/maillog
#
# DNS servers
@@ -519,7 +516,7 @@ maxretry = 5
enabled=false
filter = sshd
action = pf
-logpath = /var/log/sshd.log
+logpath = /var/log/secure
maxretry=5
[3proxy]