On 20.04.2012 08:02, Bob Hoffman wrote:
> /etc/fail2ban/jail.conf
> In all sections I commented out the mailto section [...]

I don't use mailto either. It's just not manageable if you have more than a very small number of machines.

> line 16, added a space then my server ip address 123.123.123.123
> (example ip address, not real)
> ignoreip = 127.0.0.1 123.456.789.123

I never felt a need for that. OTOH, in the typical configuration for machines in my DMZ, I always add my entire internal network here, e.g.

ignoreip = 127.0.0.1 10.0.0.0/16

> SSH section [...]
> sasl section [...]
> line 71, 'rewrote it to'
> action = iptables-multiport[name=POSTFIX, port="25,465,993,995", protocol=tcp]
> this blocks all mail ports when someone tries and fails [...]
> Apache [...]
> action = iptables-multiport[name=ApacheAuth, port=80,443, protocol=tcp]

I prefer

action = iptables-allports

on all of these, so that a source address attempting a brute-force attack on one service is immediately banned from all services. I can't imagine a scenario where a machine that got blocked, for example, for attempting to brute-force passwords via SMTP AUTH, should be allowed to try via FTP next. Even password attempts against ssh, which accepts only public key authentication on all my machines, trigger a block on all ports. So far I haven't had a single complaint about that.

> service fail2ban start
> chkconfig fail2ban on
> service iptables restart (not sure if you have to or not with each
> fail2ban restart)

I don't think you have to. I never do, and it works fine anyway.

HTH
Tilman

--
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
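The two configuration points made in the reply above, an ignoreip list that covers a whole internal network and iptables-allports instead of port-limited iptables-multiport actions, can be checked mechanically against a jail.local. The following is an added example, not code from the thread or from fail2ban itself; the jail names, log paths and the sample jail.local text are constructed for illustration, and the action syntax it parses is the `actionname[key=value, key="quoted,value"]` form shown in the quoted lines.

```python
"""Audit a fail2ban jail.local: report which enabled jails ban only specific
ports (iptables-multiport) rather than all ports (iptables-allports), and
check which source addresses the ignoreip list exempts from banning.

Added example, not part of the original mailing-list thread. The config text
below is constructed; jail names and paths are hypothetical.
"""
import configparser
import ipaddress
import re

# Constructed sample jail.local (hypothetical jails, filters and log paths).
SAMPLE_JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1 10.0.0.0/16
bantime = 600
maxretry = 5

[ssh-iptables]
enabled = true
filter = sshd
action = iptables-allports[name=SSH, protocol=tcp]
logpath = /var/log/secure

[postfix-sasl]
enabled = true
filter = sasl
action = iptables-multiport[name=POSTFIX, port="25,465,993,995", protocol=tcp]
logpath = /var/log/maillog

[apache-auth]
enabled = false
filter = apache-auth
action = iptables-multiport[name=ApacheAuth, port="80,443", protocol=tcp]
logpath = /var/log/httpd/error_log
"""

# fail2ban action syntax: actionname[key=value, key="quoted,value", ...]
_ACTION_RE = re.compile(r"^\s*(?P<name>[\w.-]+)\s*(?:\[(?P<params>.*)\])?\s*$")
_PARAM_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^,\]]+)')


def parse_action(line):
    """Split one action line into (action name, {param: value}), quotes removed."""
    m = _ACTION_RE.match(line)
    if not m:
        raise ValueError("unparseable action: %r" % line)
    params = {}
    for key, val in _PARAM_RE.findall(m.group("params") or ""):
        params[key] = val.strip().strip('"')
    return m.group("name"), params


def is_ignored(addr, ignoreip):
    """True if addr falls inside any entry of a space-separated ignoreip value
    (single addresses or CIDR networks); version mismatches simply do not match."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(entry, strict=False)
               for entry in ignoreip.split())


def audit_jails(text):
    """Return {jail: report} for every jail section of a jail.local-style config."""
    # fail2ban uses %(name)s interpolation; keep those tokens literal here.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    report = {}
    for jail in cp.sections():
        actions = [parse_action(l)
                   for l in cp.get(jail, "action", fallback="").splitlines()
                   if l.strip()]
        ports = []
        for _name, params in actions:
            if "port" in params:
                ports.extend(p.strip() for p in params["port"].split(","))
        report[jail] = {
            "enabled": cp.getboolean(jail, "enabled", fallback=False),
            "actions": [name for name, _ in actions],
            "ports": ports,
            "blocks_all_ports": any(name == "iptables-allports" for name, _ in actions),
            "ignoreip": cp.get(jail, "ignoreip", fallback=""),  # inherited from DEFAULT
        }
    return report


def port_limited_jails(report):
    """Enabled jails that ban only specific ports, i.e. where a source banned
    for one service could still go on to try another."""
    return sorted(j for j, r in report.items()
                  if r["enabled"] and not r["blocks_all_ports"])


if __name__ == "__main__":
    rep = audit_jails(SAMPLE_JAIL_LOCAL)
    for jail, r in sorted(rep.items()):
        print("%-14s enabled=%-5s allports=%-5s ports=%s"
              % (jail, r["enabled"], r["blocks_all_ports"], ",".join(r["ports"]) or "-"))
    print("port-limited enabled jails:", port_limited_jails(rep))
    for addr in ("10.0.3.7", "10.1.0.1", "203.0.113.5"):
        verdict = "ignored" if is_ignored(addr, rep["ssh-iptables"]["ignoreip"]) else "bannable"
        print(addr, verdict)
```

Run against a real /etc/fail2ban/jail.local by reading the file into `audit_jails`; any jail listed by `port_limited_jails` is one where switching the action to iptables-allports would give the behaviour the reply describes. Because `ignoreip` is read per jail with DEFAULT inheritance, the check also catches a jail that overrides the default list and accidentally drops the internal network.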