Yep - actually it looks like all you need is some kind of notification that
the IP address has triggered your jail.

I have a jail that has one action: it sends me an email to tell me that an
IP address has failed etc. but it doesn't actually block the IP address.

In your jail.local (or jail.conf or whatever) file, look for the specific
jail's configuration, and look at the "action" section. Just remove all
actions except the one that sends you an email (normally called something
like "%(mta-action)s........"). For safety's sake, I would copy and paste
the entire jail, then put # in front of every line of the 'old' jail, so
you can go back to it after you're done - do all your work on the pasted
bit.

If you leave the actual filter config as it was, then this will do what you
want - you will still get a "banned" email, and Fail2ban will still log the
IP address as "banned".

You can do all sorts of things when an address is banned - you never have
to actually block the address using iptables etc.

In my case, this is what my "annoyances" config in jail.local looks like:

[annoyances]
enabled = true
action = %(mta)s-whois-lines-logsonly[name=%(__name__)s,
         sender="%(sender)s", dest="%(destemail)s",
         logpath=/var/www/vhosts/system/mydomain/logs/access_log;/var/www/vhosts/system/mydomain/logs/access_log.processed;/var/www/vhosts/system/mydomain2/logs/access_log;/var/www/vhosts/system/mydomain2/logs/access_log.processed;/var/www/vhosts/system/mydomain3/logs/access_log;/var/www/vhosts/system/mydomain3/logs/access_log.processed,
         chain="%(chain)s"]
# for this test I just need to check today's apache logs - I don't need to
# go back any further,
# but when sending the ban email, I want it to show me all the stuff that
# this IP has been
# doing for the last few months, for context
logpath = %(todays_apache_logs)s

All the other stuff (findtime etc) is handled by the default settings
further up in the file. I made a custom config called
sendmail-whois-lines-logsonly.conf which does a 'whois' but filters out
most of the info, plus I wrote some script stuff to check for similar
banned IP addresses, so when it emails me it points out if neighbouring IP
addresses have been banned, to help me understand whether this is an IP
range that I should just permanently ban or not.

That is how I do what you're talking about. I'm testing for stuff. F2b
logs each one as a ban as normal - the emails are considered "ban actions",
so f2b just treats this as a normal ban - it will be "banned" for the
specified time, just as if the IP address was blocked. You don't need to
simulate the actual iptables/ipset/firewall-cmd action, all you need to do
is see if it would've been "banned".

I hope I've been clear here!
Tony Collins
On 9 October 2017 at 07:59, Dominic Raferd <domi...@timedicer.co.uk> wrote:
> Is it possible to modify a setting for a fail2ban jail such that it takes
> no real action but still logs what it would have done?
>
> Use case: I have two jails which are reacting to the same underlying event
> - a failed smtp auth login - sometimes one triggers and sometimes the
> other. I want to see if I stop using one, the other picks up all the events
> or whether it misses some.
>
> _______________________________________________
> Fail2ban-users mailing list
> Fail2ban-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users
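
Added example, not part of the original thread: once both jails are logging bans (one of them notify-only as described above), a short script can answer the original question of whether one jail picks up everything the other does. The jail names, the log lines (constructed in the format fail2ban writes to fail2ban.log) and the 10-minute matching window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in fail2ban.log format; both jail names are hypothetical.
SAMPLE_LOG = """\
2017-10-09 07:10:01,101 fail2ban.filter  [812]: INFO    [postfix-sasl] Found 192.0.2.10
2017-10-09 07:10:05,412 fail2ban.actions [812]: NOTICE  [postfix-sasl] Ban 192.0.2.10
2017-10-09 07:10:06,020 fail2ban.actions [812]: NOTICE  [smtp-auth-test] Ban 192.0.2.10
2017-10-09 07:25:40,733 fail2ban.actions [812]: NOTICE  [postfix-sasl] Ban 198.51.100.7
2017-10-09 07:40:12,250 fail2ban.actions [812]: NOTICE  [smtp-auth-test] Ban 203.0.113.55
2017-10-09 08:30:00,000 fail2ban.actions [812]: NOTICE  [smtp-auth-test] Ban 198.51.100.7
"""

# Matches only "Ban" lines from fail2ban.actions, not "Found" or "Unban".
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.actions\s+\[\d+\]:\s+"
    r"NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)$"
)

def parse_bans(text):
    """Return {jail: [(timestamp, ip), ...]} for every 'Ban' line."""
    bans = defaultdict(list)
    for line in text.splitlines():
        m = BAN_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            bans[m["jail"]].append((ts, m["ip"]))
    return bans

def missed_by(bans, reference, candidate, window=timedelta(minutes=10)):
    """Bans logged by `reference` that `candidate` did not also log within `window`."""
    missed = []
    for ts, ip in bans.get(reference, []):
        covered = any(ip == c_ip and abs(c_ts - ts) <= window
                      for c_ts, c_ip in bans.get(candidate, []))
        if not covered:
            missed.append((ts, ip))
    return missed

if __name__ == "__main__":
    bans = parse_bans(SAMPLE_LOG)
    for a, b in (("postfix-sasl", "smtp-auth-test"), ("smtp-auth-test", "postfix-sasl")):
        for ts, ip in missed_by(bans, a, b):
            print(f"{a} banned {ip} at {ts}; {b} did not within the window")
```
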