I've had some issues getting the attack detector to work, but today I made some changes that finally got postfix-sasl going and banning problem IPs. I'm not sure if the cyrus-imap and openvpn jails are working correctly, as they haven't blocked anything yet.
Getting this running properly leads me to doing something about the https messages in the daily logwatch email.
Every day I get "A total of "x" sites probed the server". Some days it is quite a list.
I am running two very basic brochure websites using the built-in webserver.
I'm trying to figure out how to set up the jails for this. The examples I've found don't look similar to our jail.conf or "clear" specific jails.
1) Where are these "https probed the server" messages found in the logs? Are they in httpd/error_log, httpd/site1_com_error_log, or httpd/site2_com_error_log?
A couple of questions about the following example from the web.
2) The action below doesn't look like anything in our jails. Is the "action = iptables-multiport[name=auth, port="http,https"]" valid?
3) If we have multiple sites and multiple error_logs to search, can they be added in the logpath line, or is a jail required for each website?
4) When our logs rotate, are the fail2ban IPs automatically cleared?
Thanks in advance.