I have my fail2ban set up to log the IPs I block into a MySQL database. I also have set up syslog-ng to log any traffic dropped or rejected into a separate logfile from which fail2ban gets its "port scanners" data. That all works wonderfully; I would now like to log which ports are getting hit, since syslog-ng logs the destination ports too. I have a regex in the failregex which works perfectly, but I don't know how to feed the port from the regex to the actionban in action.d.
Sounds like humbug but here: I patched some files under /usr/share/fail2ban to also replace <PORT> with a regex, just like <HOST> gets replaced.

/etc/fail2ban/filter.d/scanners.conf:

    failregex = ^.*SRC=<HOST>\s.*DPT=<PORT>\s.*$

/etc/fail2ban/action.d/scanners.conf:

    actionban = /usr/local/bin/fail2ban_db <name> <protocol> <port> <ip>

/etc/fail2ban/jail.local:

    [scanners]
    enabled = true
    action = scanners[name=Scanners]
    filter = scanners
    logpath = /var/log/iptables.log
    maxretry = 3
    findtime = 423000

My script picks up all the arguments as sent, all but <port>. How could I go about adding that into the actionban, just like <ip> is added from <HOST>?

Thanks in advance

Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
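The tag substitution the post describes, worked through as an added stand-alone example (this is not fail2ban's own code and not the poster's patch). It expands the post's failregex by replacing <HOST> with a named group, the way fail2ban itself does, and the proposed <PORT> tag with a second named group; it then runs the compiled regex over a few constructed iptables-style log lines, counts hits per source address against the jail's maxretry, and expands the post's actionban template into the argument list the database script would receive. The group patterns, the "tcp" protocol value and the log lines are assumptions made for the example; findtime is not modelled, only the hit count.

```python
import re
from collections import defaultdict

# Assumed stand-ins for fail2ban's tag substitution. fail2ban really does turn
# <HOST> into a named group "host"; the <PORT> group is the extension proposed
# in the post, written here only for illustration.
TAG_PATTERNS = {
    "<HOST>": r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})",
    "<PORT>": r"(?P<port>\d{1,5})",
}

# Exactly the failregex and actionban template from the post.
FAILREGEX = r"^.*SRC=<HOST>\s.*DPT=<PORT>\s.*$"
ACTIONBAN = "/usr/local/bin/fail2ban_db <name> <protocol> <port> <ip>"

# Constructed sample lines in the shape syslog-ng writes for iptables LOG rules.
# Three probes from 203.0.113.7, one from 203.0.113.9, and one ICMP line
# without a DPT field that must not match.
SAMPLE_LOG = [
    "Jan  5 10:00:01 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 SYN URGP=0",
    "Jan  5 10:00:02 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51002 DPT=80 WINDOW=1024 SYN URGP=0",
    "Jan  5 10:00:03 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    "Jan  5 10:00:04 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 SYN URGP=0",
    "Jan  5 10:00:05 fw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=44323 DPT=443 WINDOW=1024 SYN URGP=0",
]


def compile_failregex(failregex):
    """Replace every known tag with its named-group regex and compile."""
    pattern = failregex
    for tag, group in TAG_PATTERNS.items():
        pattern = pattern.replace(tag, group)
    return re.compile(pattern)


def match_line(regex, line):
    """Return {'host': ..., 'port': ...} for a matching line, else None."""
    m = regex.search(line)
    if not m:
        return None
    return {"host": m.group("host"), "port": int(m.group("port"))}


def scan_log(lines, maxretry):
    """Count matching hits per source host and decide which hosts reach maxretry.

    Returns (hits, bans): hits maps host -> list of destination ports seen,
    bans is the ordered list of hosts with at least maxretry matches.
    """
    hits = defaultdict(list)
    regex = compile_failregex(FAILREGEX)
    for line in lines:
        found = match_line(regex, line)
        if found:
            hits[found["host"]].append(found["port"])
    bans = [host for host, ports in hits.items() if len(ports) >= maxretry]
    return dict(hits), bans


def build_action_args(template, name, protocol, match):
    """Expand the actionban template into the argv the ban script would get.

    <ip> is filled from the host group and <port> from the port group; <name>
    and <protocol> come from the jail (protocol value assumed here).
    """
    command = (
        template.replace("<name>", name)
        .replace("<protocol>", protocol)
        .replace("<port>", str(match["port"]))
        .replace("<ip>", match["host"])
    )
    return command.split()


if __name__ == "__main__":
    hits, bans = scan_log(SAMPLE_LOG, maxretry=3)
    for host in bans:
        for port in hits[host]:
            print(build_action_args(ACTIONBAN, "Scanners", "tcp", {"host": host, "port": port}))
```

Running the block prints one expanded command per (host, port) pair for the single host that reached maxretry; the ICMP line is skipped because the compiled regex requires a DPT field, which is the property that makes the port available to the action at all.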
