Created: Jan. 10, 2017, 3:58 a.m. by f.lopez
Modified: Jan. 23, 2017, 3:32 p.m.
CC: Fred
Visibility: Public.
Description: NoIssue - Write fail2ban configuration for CVE-2013-0235 on web2
Patch Set 1
Patch Set 2 : Fixing call function inside template
Patch Set 3 : Remove unrelated change from codereview
Total comments: 1
Patch Set 4 : For comments 9 to 11

Messages
Total messages: 14
The example private stub change affects a single host. Does it maybe make sense to do this on a webserver role level, also in private-stub?
Is this patch related to https://issues.adblockplus.org/ticket/4701 btw?
On 2017/01/10 09:05:21, f.nicolaisen wrote:
> Is this patch related to https://issues.adblockplus.org/ticket/4701 btw?

No, that's extending fail2ban module functionality, what we want to achieve here is only to block CVE-2013-0235 vulnerability.
On 2017/01/10 08:11:48, f.nicolaisen wrote:
> The example private stub change affects a single host. Does it maybe make sense
> to do this on a webserver role level, also in private-stub?

This can be done with a role as well, I just don't know if every web role has to have it
> On 2017/01/10 09:05:21, f.nicolaisen wrote:
> > Is this patch related to https://issues.adblockplus.org/ticket/4701 btw?

On 2017/01/11 15:37:45, f.lopez wrote:
> No, that's extending fail2ban module functionality, what we want to achieve here
> is only to block CVE-2013-0235 vulnerability.

This is two patch-sets now though.
https://codereview.adblockplus.org/29370944/diff/29371561/modules/private-stu...
File modules/private-stub/hiera/hosts/web2.yaml (right):

https://codereview.adblockplus.org/29370944/diff/29371561/modules/private-stu...
modules/private-stub/hiera/hosts/web2.yaml:8: logpath: '/var/log/nginx/access_log_hg'
vagrant@web2:~$ less /var/log/nginx/access_log_hg
/var/log/nginx/access_log_hg: No such file or directory

Did you test this?
On 2017/01/12 14:28:14, f.nicolaisen wrote:
> https://codereview.adblockplus.org/29370944/diff/29371561/modules/private-stu...
> File modules/private-stub/hiera/hosts/web2.yaml (right):
>
> https://codereview.adblockplus.org/29370944/diff/29371561/modules/private-stu...
> modules/private-stub/hiera/hosts/web2.yaml:8: logpath:
> '/var/log/nginx/access_log_hg'
> vagrant@web2:~$ less /var/log/nginx/access_log_hg
> /var/log/nginx/access_log_hg: No such file or directory
>
>
> Did you test this?

I did test it several times before, I just noticed this particular host doesn't have this log file... although we cannot test it since this host also needs a geoip module for nginx but the fail2ban configuration works as expected, so we can use the default access log file or check inside the server which file it is using, also as discussed on IRC, this can be set in the private repo manually
On 2017/01/12 14:42:43, f.lopez wrote:
> On 2017/01/12 14:28:14, f.nicolaisen wrote:
> >
> https://codereview.adblockplus.org/29370944/diff/29371561/modules/private-stu...
> > File modules/private-stub/hiera/hosts/web2.yaml (right):
> >
> >
> https://codereview.adblockplus.org/29370944/diff/29371561/modules/private-stu...
> > modules/private-stub/hiera/hosts/web2.yaml:8: logpath:
> > '/var/log/nginx/access_log_hg'
> > vagrant@web2:~$ less /var/log/nginx/access_log_hg
> > /var/log/nginx/access_log_hg: No such file or directory
> >
> >
> > Did you test this?
>
> I did test it several times before, I just noticed this particular host doesn't
> have this log file... although we cannot test it since this host also needs a
> geoip module for nginx but the fail2ban configuration works as expected, so we
> can use the default access log file or check inside the server which file it is
> using, also as discussed on IRC, this can be set in the private repo manually

In any case, I think it would make more sense to monitor /var/log/nginx/access.log in this example jail.
LGTM
LGTM.