You might try something like this: copy an action.conf file to deadcat.conf, then in the [Definition] section set:

actionstart = /bin/true
actionstop = /bin/true
actioncheck = /bin/true
actionban = /bin/true
actionunban = /bin/true

The issue I see is that the voip does not include either an IP address or a host name that can be resolved to an address. You can write an expression that will find the line, but if it does not have a host the jail will fail and the server won't start that jail. If you can get the application to log the host name or address then you can write a filter and set an action for that filter. If you don't need this in real time then a bash or gawk script to scan the log file from a crontab will do this without a host required.

On Wed, 2015-07-22 at 14:15 -0400, M F wrote:
> Fail2ban is a great tool on top of good iptable restrictions.
>
> Since I run it on some projects I am wondering is it possible to look for
> lines that mention " UNREACHABLE! " like this in my voip system logs
>
> [2015-07-14 21:58:16] NOTICE[31870] chan_sip.c: Peer 'o1234_1' is now
> Reachable. (30ms / 2000ms)
> [2015-07-16 02:58:30] NOTICE[31870] chan_sip.c: Peer 'o1234_10' is now
> UNREACHABLE! Last qualify: 47
> [2015-07-16 02:58:40] NOTICE[31870] chan_sip.c: Peer 'o1234_10' is now
> Reachable. (17ms / 2000ms)
> [2015-07-16 03:59:45] NOTICE[31870] chan_sip.c: Peer 'o1234_10' is now
> UNREACHABLE! Last qualify: 18
> [2015-07-16 03:59:58] NOTICE[31870] chan_sip.c: Peer 'o1234_1' is now
> UNREACHABLE! Last qualify: 18
> [2015-07-16 04:02:00] NOTICE[31870] chan_sip.c: Peer 'o1234_1' is now
> Reachable. (30ms / 2000ms)
>
> then email me the unreachable line
> [2015-07-16 03:59:58] NOTICE[31870] chan_sip.c: Peer 'o1234_1' is now
> UNREACHABLE! Last qualify: 18
> and of course not block any ip address.
>
> I figure it's running in the background anyway how would I go about doing
> this?
>
> I also thought sometimes I get high lag and it does not go unreachable
> would there be a way to do an if greater than milliseconds from the logs
> also example
>
> [2015-04-27 23:45:25] NOTICE[20748] chan_sip.c: Peer '2003' is now Lagged.
> (20020ms / 2000ms)
> [2015-04-28 00:59:08] NOTICE[25115] chan_sip.c: Peer '2003' is now Lagged.
> (5785ms / 2000ms)
> [2015-04-29 19:58:31] NOTICE[30843] chan_sip.c: Peer '2003' is now Lagged.
> (20019ms / 2000ms)
> [2015-04-29 20:10:11] NOTICE[30843] chan_sip.c: Peer '2003' is now Lagged.
> (20023ms / 2000ms)
>
> I guess I could just do a messaged search for is not lagged.
>
> make a filter called asterisklagged or something I know this will not work
> figure someone would know though so I attempt below.
>
> [INCLUDES]
> before = common.conf
> [Definition]
> _daemon = asterisk
> __pid_re = (?:\[\d+\])
> log_prefix= (?:NOTICE)%(__pid_re)s:?(?:\[C-[\da-f]*\])? \S+:\d*( in \w+:)?
> failregex = ^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s is now Lagged.
> '[^']*')$
> ignoreregex =
>
> [asterisk-Lagged]
>
> enabled = true
> filter = asterisklagged
> action = sendmail-whois[name=ASTERISK,
> [email protected]]
> logpath = /var/log/asterisk/messages
> maxretry = 99999999
>
>
> Interested to see what some of your comments are.
------------------------------------------------------------------------------
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
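
The cron-driven log scan suggested in the reply above, as an added example (not code from either poster or from the fail2ban project). The function names, the 5000 ms default threshold, the state-file path and the use of mail(1) are assumptions; the log path and line formats are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: mail(1) is installed; the
# threshold, state-file path and recipient below are placeholders.

# scan_peers LIMIT_MS: read log lines on stdin; print each UNREACHABLE! line and
# each Lagged line whose measured time exceeds LIMIT_MS. No host or IP needed.
scan_peers() {
    awk -v limit="$1" '
        /chan_sip\.c: Peer .* is now UNREACHABLE!/ { print; next }
        /chan_sip\.c: Peer .* is now Lagged\./ {
            # Latency is the first number in "(20020ms / 2000ms)".
            if (match($0, /\([0-9]+ms/)) {
                ms = substr($0, RSTART + 1, RLENGTH - 3) + 0
                if (ms > limit) print
            }
        }'
}

# new_lines LOG STATE: print what was appended to LOG since the previous run.
# The byte offset is kept in STATE; a shrunken (rotated) log is read from 0.
new_lines() {
    size=$(wc -c < "$1" | tr -d ' ')
    last=$(cat "$2" 2>/dev/null || echo 0)
    [ "$last" -le "$size" ] 2>/dev/null || last=0
    tail -c "+$((last + 1))" "$1"
    echo "$size" > "$2"
}

# Cron entry point, run with the recipient as the only argument, e.g.
#   */5 * * * * /usr/local/bin/peerwatch.sh admin@example.com
if [ -n "${1:-}" ]; then
    log=${PEER_LOG:-/var/log/asterisk/messages}
    state=${PEER_STATE:-/var/tmp/peerwatch.offset}
    hits=$(new_lines "$log" "$state" | scan_peers "${LAG_MS:-5000}")
    # Send one mail per run, and only when something matched.
    [ -z "$hits" ] || printf '%s\n' "$hits" | mail -s "Asterisk peer alerts" "$1"
fi
```

Because the offset is stored between runs, each matching line is mailed once, and nothing is banned or blocked.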
