On 06/10/2015 03:09 PM, Arch Architecht wrote:
> I have my fail2ban setup to log the ips I block into a MySQL database.
> I also have set up syslog-ng to log any traffic dropped or rejected
> into a separate logfile from which fail2ban gets its "port scanners"
> data. That all works wonderfully, I would now like to log which ports
> are getting hit since syslog-ng logs the destination ports too. I have
> a regex in the failregex which works perfectly, but I don't know how
> to feed the port from the regex to the actionban in action.d.
>
> Sounds like humbug but here:
> ** I patched some files under /usr/share/fail2ban to also replace
> <PORT> with a regex. just like <HOST> gets replaced.
>
> /etc/fail2ban/filter.d/scanners.conf:
> failregex = ^.*SRC=<HOST>\s.*DPT=<PORT>\s.*$
>
>
> /etc/fail2ban/action.d/scanners.conf:
> actionban = /usr/local/bin/fail2ban_db <name> <protocol> <port> <ip>
>
> /etc/fail2ban/jail.local:
> [scanners]
> enabled = true
> action = scanners[name=Scanners]
> filter = scanners
> logpath = /var/log/iptables.log
> maxretry = 3
> findtime = 423000
>
>
> My script picks up all the arguments as sent, all but <port>. How
> could I go about adding that into the actionban, just like <ip> is
> added from <HOST>?

What version of fail2ban are you using (fail2ban-client --version)?

>
> Thanks in advance
>
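
Added example, not part of the original thread and not fail2ban's own code: a Python illustration of the data flow the question describes, where the failregex captures both SRC and DPT and the captured port is range-checked before it fills the <port> slot of the actionban line. HOST_RE, PORT_RE, the function names, the name/protocol values and the sample log lines are assumptions constructed for the illustration.

```python
import re

# Assumed stand-ins for the <HOST>/<PORT> expansions; fail2ban's real <HOST> is broader.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PORT_RE = r"(?P<port>\d{1,5})"

FAILREGEX = r"^.*SRC=<HOST>\s.*DPT=<PORT>\s.*$"  # filter.d/scanners.conf in the post
ACTIONBAN = "/usr/local/bin/fail2ban_db <name> <protocol> <port> <ip>"  # action.d

# Constructed sample lines in iptables LOG style (documentation addresses).
SAMPLE_LOG = [
    "kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=23 WINDOW=1024",
    "kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=99999 WINDOW=1024",
    "kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0",
]


def compile_failregex(failregex):
    """Expand the <HOST> and <PORT> tags into named capture groups."""
    return re.compile(failregex.replace("<HOST>", HOST_RE).replace("<PORT>", PORT_RE))


def parse_line(pattern, line):
    """Return {'ip', 'port'} for a matching line with a valid port, else None."""
    m = pattern.match(line)
    if m is None:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:  # log text is untrusted; keep only real ports
        return None
    return {"ip": m.group("host"), "port": str(port)}


def build_argv(actionban, tags):
    """Fill each <tag> word and return an argv list, so no shell parses log data."""
    return [tags[w[1:-1]] if w.startswith("<") and w.endswith(">") else w
            for w in actionban.split()]


def ban_commands(lines, name="Scanners", protocol="tcp"):
    """argv for every matching line; name and protocol are assumed jail values."""
    pattern = compile_failregex(FAILREGEX)
    hits = (parse_line(pattern, line) for line in lines)
    return [build_argv(ACTIONBAN, {"name": name, "protocol": protocol, **h})
            for h in hits if h]


if __name__ == "__main__":
    print(*ban_commands(SAMPLE_LOG), sep="\n")
```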
