Rsyslog and fail2ban — reload fail2ban if you add new remote logging

If the purpose of implementing rsyslog is to store logs, that’s good.  If you get all the logs in one place and you don’t use them to implement security with fail2ban, well, we have to question your sanity.  Not really, but it would be a good idea to consider it.  This post is about one thing I noted when setting this up.

I’d initially set up rsyslog on my containers and then thought about setting it up on all containers/computers that had exposed ports to the internet for any service.  That brought to mind my SSH jump server.

My opinion of security is pretty strict.  If you try to get in and you aren’t supposed to, for any reason, you are banned for life, period.  I won’t debate it.  My SSH jump server is set up to make it extremely difficult to get in, and in the event that someone has found an exploit, that exploit might take a couple of tries to accomplish.  Unless they have a lot of bot machines or access to lots of IP addresses, their first try, at least, will result in a ban of that machine.

Let’s say you have a computer, try my jump server and have no keys.  That’s a failure and you are banned permanently.  Well, you tried my machine without permission, and even if it were a mistake, who cares: you are banned permanently.  You’ll never try it again.

I set up rsyslog to send logs over to the rsyslog server and looked to see if the log files were making it over.  They were making it over just fine…

So…

When you set up the jail you can use wildcards in the logpath; however, there are limits.  You can’t just use something like

/var/log/RemLogs/*/sshd.log

You have to instead use

/var/log/RemLogs/192*/sshd.log

If you look at the status of the jail with

sudo fail2ban-client status sshd

You’ll see the list of files and their path.

Upon adding the SSH jump server, I looked and noticed that the file list was missing the path to the folder (named after the IP address of the machine I had just added).  Yes, that folder exists.  Yes, the logs exist.  However, the folder was missing from the list when I requested the status.

I rebooted (I could have just restarted fail2ban) and came back and immediately checked that again with

sudo fail2ban-client status sshd

This time the list included the path with the folder named after the IP address of the machine I had just added to rsyslog.

Why would I make this small point?

Because containers are typically not restarted the way a normal computer is.  So, if you see something odd, check it out.
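Since a restart is not something you want to rely on in a container, here is a small check you can run from cron after adding a host to rsyslog.  It is an added example, not code from the original post: it compares the folders that match the jail's logpath glob on disk against the "File list:" line of fail2ban-client status and feeds any unwatched file to the jail with addlogpath.  The jail name sshd, the glob /var/log/RemLogs/192*/sshd.log and the layout of the status output are assumptions taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes jail "sshd", logpath glob
# /var/log/RemLogs/192*/sshd.log and the "File list:" line printed by
# `fail2ban-client status <jail>`.

JAIL="${JAIL:-sshd}"
LOG_GLOB="${LOG_GLOB:-/var/log/RemLogs/192*/sshd.log}"

# Print the files the jail is currently watching, one per line.
# Takes the status text as $1 so it can be exercised on captured output.
watched_files() {
    printf '%s\n' "$1" \
        | sed -n 's/.*File list:[[:space:]]*//p' \
        | tr ' ' '\n' \
        | sed '/^$/d'
}

# Print files that exist on disk (remaining args, i.e. the expanded glob)
# but are absent from the status text ($1).
missing_files() {
    status="$1"; shift
    watched=$(watched_files "$status")
    for f in "$@"; do
        [ -e "$f" ] || continue                  # glob matched nothing
        printf '%s\n' "$watched" | grep -Fxq -- "$f" || printf '%s\n' "$f"
    done
}

# Ask the running fail2ban for its view and add whatever it has not noticed.
# `fail2ban-client reload "$JAIL"` is the blunt alternative to a restart.
sync_jail() {
    status=$(fail2ban-client status "$JAIL") || return 1
    missing_files "$status" $LOG_GLOB | while IFS= read -r f; do
        echo "$JAIL is not watching $f, adding it"
        fail2ban-client set "$JAIL" addlogpath "$f"
    done
}

if [ "${1:-}" = "--sync" ]; then
    sync_jail
fi
```

Run it as `./check-jail.sh --sync` once after each new rsyslog client; without the flag it only defines the functions so you can source it.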