Hi,
mein Server wird manchmal geddost, ich hab eigentlich fail2ban, aber das funktioniert nicht, weil lighttpd nichts loggt, nur wenn es Startet halt welche PID usw., aber nicht die errors die fail2ban braucht.

Klingt nach fehlerhafter Konfiguration.

Eigentlich müsste lighttpd es loggen, hab in der Config nichts beim Loggen verändert.

Na dann.

Wir können die Diskussion nun hier beenden oder Du postest verwertbare Fakten. Z.B. die Konfiguraton.

Config:

server.modules = (
"mod_access",
"mod_alias",
"mod_compress",
"mod_simple_vhost",
"mod_evasive",
"mod_redirect",
# "mod_rewrite",
)

server.document-root = "/var/www"
server.upload-dirs = ( "/var/cache/lighttpd/uploads" )
server.errorlog = "/var/log/lighttpd/error.log"
server.pid-file = "/var/run/lighttpd.pid"
server.username = "www-data"
server.groupname = "www-data"
server.port = 80

evasive.max-conns-per-ip = 3

index-file.names = ( "index.php", "index.html", "index.lighttpd.html" )
url.access-deny = ( "~", ".inc" )
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )

compress.cache-dir = "/var/cache/lighttpd/compress/"
compress.filetype = ( "application/javascript", "text/css", "text/html", "text/plain" )

include_shell "/usr/share/lighttpd/use-ipv6.pl " + server.port
include_shell "/usr/share/lighttpd/create-mime.assign.pl"
include_shell "/usr/share/lighttpd/include-conf-enabled.pl"

$HTTP["host"] =~ "(^|\.)domain$" {
server.document-root = "/var/www/domain/"
}
$HTTP["host"] =~ "(^|\.)domain$" {
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/etc/lighttpd/passwd"
auth.require = ( "" =>
(
"method" => "basic",
"realm" => "Nur mit Benutzer/Passwort",
"require" => "user=****"
)
)
}

ls -alF /var/log/lighttpd/

ok, jetzt haben wir eine lighttpd-Konfig. Jetzt dann noch bitte die von f2b.

fail2ban.conf:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
# $Revision$
#

[Definition]

# Option: loglevel
# Notes.: Set the log level output.
# 1 = ERROR
# 2 = WARN
# 3 = INFO
# 4 = DEBUG
# Values: NUM Default: 3
#
loglevel = 3

# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log
#
logtarget = /var/log/fail2ban.log

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
# Values: FILE Default: /var/run/fail2ban/fail2ban.sock
#
socket = /var/run/fail2ban/fail2ban.sock


Fail2ban jail.conf

# Fail2Ban configuration file.
#
# This file was composed for Debian systems from the original one
# provided now under /usr/share/doc/fail2ban/examples/jail.conf
# for additional examples.
#
# To avoid merges during upgrades DO NOT MODIFY THIS FILE
# and rather provide your changes in /etc/fail2ban/jail.local
#
# Author: Yaroslav O. Halchenko <debian@onerussian.com>
#
# $Revision$
#

# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
bantime = 600
maxretry = 3

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto

#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = xcorezzz@gmail.com

#
# ACTIONS
#

# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport

# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail

# Default protocol
protocol = tcp

# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT

#
# Action shortcuts. To be used to define action parameter

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s

#
# JAILS
#

# Next jails corresponds to the standard configuration in Fail2ban 0.6 which
# was shipped in Debian. Enable any defined here jail by including
#
# [SECTION_NAME]
# enabled = true

#
# in /etc/fail2ban/jail.local.
#
# Optionally you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local

[ssh]

enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 6

[dropbear]

enabled = false
port = ssh
filter = sshd
logpath = /var/log/dropbear
maxretry = 6

# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6

[xinetd-fail]

enabled = false
filter = xinetd-fail
port = all
banaction = iptables-multiport-log
logpath = /var/log/daemon.log
maxretry = 2


[ssh-ddos]

enabled = true
port = ssh
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6

#
# HTTP servers
#

[apache]

enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

# default action is now multiport, so apache-multiport jail was left
# for compatibility with previous (<0.7.6-2) releases
[apache-multiport]

enabled = false
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-noscript]

enabled = false
port = http,https
filter = apache-noscript
logpath = /var/log/apache*/*error.log
maxretry = 6

[apache-overflows]

enabled = false
port = http,https
filter = apache-overflows
logpath = /var/log/apache*/*error.log
maxretry = 2

[lighttpd-fastcgi]
enabled = true
port = http,https
filter = lighttpd-fastcgi
logpath = /var/log/lighttpd/error.log #adapt as needed
maxretry = 6
#
# FTP servers
#

[vsftpd]

enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = vsftpd
logpath = /var/log/vsftpd.log
# or overwrite it in jails.local to be
# logpath = /var/log/auth.log
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
maxretry = 6


[proftpd]

enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6


[pure-ftpd]

enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = pure-ftpd
logpath = /var/log/auth.log
maxretry = 6


[wuftpd]

enabled = false
port = ftp,ftp-data,ftps,ftps-data
filter = wuftpd
logpath = /var/log/auth.log
maxretry = 6


#
# Mail servers
#

[postfix]

enabled = false
port = smtp,ssmtp
filter = postfix
logpath = /var/log/mail.log


[couriersmtp]

enabled = false
port = smtp,ssmtp
filter = couriersmtp
logpath = /var/log/mail.log


#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#

[courierauth]

enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = courierlogin
logpath = /var/log/mail.log


[sasl]

enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = sasl
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = /var/log/mail.log

[dovecot]

enabled = false
port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log

# DNS Servers


# These jails block attacks against named (bind9). By default, logging is off
# with bind9 installation. You will need something like this:
#
# logging {
# channel security_file {
# file "/var/log/named/security.log" versions 3 size 30m;
# severity dynamic;
# print-time yes;
# };
# category security {
# security_file;
# };
# };
#
# in your named.conf to provide proper logging

# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#[named-refused-udp]
#
#enabled = false
#port = domain,953
#protocol = udp
#filter = named-refused
#logpath = /var/log/named/security.log

[named-refused-tcp]

enabled = false
port = domain,953
protocol = tcp
filter = named-refused
logpath = /var/log/named/security.log

bitte noch die Ausgabe posten:


ls -alF /var/log/lighttpd/

drwxr-x--- 2 www-data www-data 4096 Okt 6 23:13 ./
drwxr-xr-x 9 root root 4096 Okt 7 11:34 ../
-rw-r--r-- 1 www-data www-data 80847 Okt 7 13:12 error.log

Der Server logt, f2b hat das (richtige?) Logfile konfiguriert.

Entweder logt der Server nicht das, was Du willst (-> Server-Konfig von lighttpd) oder f2b erkennt nicht, was Du haben willst (f2b-Filter).

Es liegt an lighttpd ich hab mal selber einen dos auf meinen Server gemacht und es loggt nicht das, was fail2ban braucht. Ich hab jetzt "mod_evasive" aktiviert, hilft erstmal, aber das ist ja auch nicht die Lösung.

Das ist der fail2ban filter:
failregex = .*ALERT\ -\ .*attacker\ \'<HOST>\'
In einer VM gehts und ich hab an den log leveln von lighttpd nichts geändert.

Es liegt an lighttpd ich hab mal selber einen dos auf meinen Server gemacht und es loggt nicht das, was fail2ban braucht. Ich hab jetzt "mod_evasive" aktiviert, hilft erstmal, aber das ist ja auch nicht die Lösung.

Das ist der fail2ban filter:
failregex = .*ALERT\ -\ .*attacker\ \'<HOST>\'
In einer VM gehts und ich hab an den log leveln von lighttpd nichts geändert.

das regex stamm aus dem Filter "lighttpd-fastcgi"?

Wo sagst du lighttpd wie er php zu starten hat?
legt das fastcgi evtl eine eigene Logdatei irgendwo an?

Hier gibt es ein paar tips, wie man das debug loggin aktiviert.
http://agyuku.net/2011/03/debugging-lighttpds-404-handler/

tauchen dann deine Einträge auf?

Ja aus dem Filter lighttpd-fastcgi.

PHP wird mit einer config im conf-enabled ordner gestartet

Nein fastcgi hat keine eigene log datei

Beim debugging wird alles angezeigt nur nicht die Warnungen für fail2ban.

adde mal testweise mod_fastcgi und mod_auth zu den server.modules

und aktiviere fastcgi.debug = 1

leider gehen mir die Ideen langsam aus :/


Edit:
hast du das suhosin Modul in PHP geladen und konfiguriert?
http://www.hardened-php.net/suhosin/

Die beiden Mods werden schon geladen. Sind beide im conf-enabled(Ich glaub, weil ich die mit Command aktiviert hab).

Nein, Suhosin hab ich nicht, sollte man das haben ? Ich installiers mal

fastcgi.debug = 1 bringt auch nichts

Edit: suhosin gibts noch nicht für Debian 7, aber ich hab einfach mal eine Fehlermeldung wie sie eigentlich da sein müsste gegooglet und die kommt von suhosin. Hat sich also erledigt.

Danke an alle :)