I have written a number of fail2ban filters that work well on the various servers I support, but now I would like to try something new, and it is not clear to me how to do it.
I have an internet facing application that sometimes creates log file entries like:

    Sep 19 00:53:16 localhost xxx: Unable to yyy, host=[127.0.0.1]
    Sep 19 02:36:46 localhost xxx: Unable to yyy, host=www.example.com [127.0.0.1]
    Sep 19 02:36:46 localhost xxx: Unable to yyy, host=remote.myfriendlyknowndomain.com [127.0.0.1]

(the application, the exact nature of the error, the offending host domain, and the offending host IP are all masked).

I would like to block based on a log file entry where no reverse lookup exists (first example).

I would like to block based on a domain name match in the second entry. For example, if the domain of interest was example.com, then I would like to match on and block the IP address for www.example.com, if that was in the log file. On the other hand, I do not wish to block the IP address of remote.myfriendlyknowndomain.com.

It is known that example.com has a large number of IP addresses that are not easily or conveniently discovered, so the flexibility of fail2ban rather than a direct iptables entry has a significant advantage.

Any suggestions would be most welcome.

Thanks.

Ken

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
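One way to express the two rules asked about above, as an added example that is not part of the original post or of the fail2ban project: a filter with two `failregex` lines (one for the bare `host=[IP]` case, one for a reverse name ending in `example.com`), plus a small Python harness that applies them to constructed sample lines the way fail2ban does (timestamp stripped first, `<HOST>` expanded to a capturing group). The filter file name `xxx-host.conf` and the exact `<HOST>` expansion are assumptions; `xxx` and `yyy` are the post's own placeholders.

```python
import re

# Constructed sample log: the three lines from the post plus one extra negative case
# (constructed) showing that a look-alike such as notexample.com is not caught.
SAMPLE_LOG = """\
Sep 19 00:53:16 localhost xxx: Unable to yyy, host=[127.0.0.1]
Sep 19 02:36:46 localhost xxx: Unable to yyy, host=www.example.com [127.0.0.1]
Sep 19 02:36:46 localhost xxx: Unable to yyy, host=remote.myfriendlyknowndomain.com [127.0.0.1]
Sep 19 03:10:02 localhost xxx: Unable to yyy, host=www.notexample.com [192.0.2.5]
"""

# The two failregex lines. fail2ban removes the timestamp before matching, so the
# patterns start at the syslog hostname field ("localhost"), made optional here.
# 1) no reverse lookup: the bracketed address directly follows "host="
# 2) reverse name is example.com or a subdomain of it; "(?:\S+\.)?example\.com "
#    followed by a space and "[" means notexample.com and example.com.evil do not match.
FAILREGEX = [
    r"^(?:\S+ )?xxx: Unable to yyy, host=\[<HOST>\]\s*$",
    r"^(?:\S+ )?xxx: Unable to yyy, host=(?:\S+\.)?example\.com \[<HOST>\]\s*$",
]

# Approximation of how fail2ban expands <HOST> (assumption: the exact expression
# varies between versions, but each captures the address in a group named "host").
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Syslog-style prefix that fail2ban's date parser would strip before matching.
SYSLOG_TS = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d ")


def filter_conf():
    """Render the [Definition] section as it would go in filter.d/xxx-host.conf (assumed name)."""
    body = "\n            ".join(FAILREGEX)
    return "[Definition]\nfailregex = %s\nignoreregex =\n" % body


def compile_failregex(patterns):
    """Expand <HOST> and compile each failregex line."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def scan(log_text, patterns=FAILREGEX):
    """Return (line, host) pairs for every line the filter would report for banning."""
    compiled = compile_failregex(patterns)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        body = SYSLOG_TS.sub("", line, count=1)  # mimic fail2ban's timestamp removal
        for rx in compiled:
            m = rx.search(body)
            if m:
                hits.append((line, m.group("host")))
                break  # first matching failregex wins, as in fail2ban
    return hits


if __name__ == "__main__":
    print(filter_conf())
    for line, host in scan(SAMPLE_LOG):
        print("would ban %s  <-  %s" % (host, line))
```

Against the sample log the harness reports only the first two lines (both with host `127.0.0.1`); the friendly domain and the `notexample.com` line are left alone. Once the filter is saved under `filter.d`, the same check can be repeated with fail2ban's own tool, `fail2ban-regex /path/to/xxx.log /etc/fail2ban/filter.d/xxx-host.conf`, before wiring it to a jail.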
