On 14 October 2017 at 07:02, Tony Collins <t...@evilplan.org.uk> wrote:

> Yep - actually it looks like all you need is some kind of notification
> that the IP address has triggered your jail.
>
> I have a jail that has one action: it sends me an email to tell me that an
> IP address has failed etc. but it doesn't actually block the IP address.
>
> In your jail.local (or jail.conf or whatever) file, look for the specific
> jail's configuration, and look at the "action" section. Just remove all
> actions except the one that sends you an email (normally called something
> like "%(mta-action)s........" (for safety's sake, I would copy and paste
> the entire jail, then put # in front of every line of the 'old' jail, so
> you can go back to it after you're done - do all your work on the pasted
> bit).
>
> If you leave the actual filter config as it was, then this will do what
> you want - you will still get a "banned" email, and Fail2ban will still log
> the IP address as "banned".
>
> You can do all sorts of things when an address is banned - you never have
> to actually block the address using iptables etc.
>
> In my case, this is what my "annoyances" config in jail.local looks like:
>
> [annoyances]
> enabled = true
> action = %(mta)s-whois-lines-logsonly[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=/var/www/vhosts/system/mydomain/logs/access_log;/var/www/vhosts/system/mydomain/logs/access_log.processed;/var/www/vhosts/system/mydomain2/logs/access_log;/var/www/vhosts/system/mydomain2/logs/access_log.processed;/var/www/vhosts/system/mydomain3/logs/access_log;/var/www/vhosts/system/mydomain3/logs/access_log.processed, chain="%(chain)s"]
> # for this test I just need to check today's apache logs - I don't need to go back any further,
> # but when sending the ban email, I want it to show me all the stuff that this IP has been doing for the last few months, for context
> logpath = %(todays_apache_logs)s
>
> All the other stuff (findtime etc.) is handled by the default settings
> further up in the file. I made a custom config called
> sendmail-whois-lines-logsonly.conf which does a 'whois' but filters out
> most of the info, plus I wrote some script stuff to check for similar
> banned IP addresses, so when it emails me it points out if neighbouring IP
> addresses have been banned, to help me understand whether this is an IP
> range that I should just permanently ban or not.
>
> That's how I do what you're talking about. I'm testing for stuff. F2b
> logs each one as a ban as normal - the emails are considered "ban actions",
> so f2b just treats this as a normal ban - it will be "banned" for the
> specified time, just as if the IP address was blocked. You don't need to
> simulate the actual iptables/ipset/firewall-cmd action, all you need to do
> is see if it would've been "banned".
>
> I hope I've been clear here!
> Tony Collins
>

Thanks to you, Tony, and to Nick for the helpful suggestions.

Dominic
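Tony mentions a script that, when a notify-only ban fires, checks whether neighbouring addresses have been banned before so the e-mail can say whether a whole range is worth blocking. The following is an added example of that idea written for this page; it is not Tony's script, and his `sendmail-whois-lines-logsonly.conf` is not reproduced here. It parses the `Ban` lines fail2ban writes to its own log, groups earlier bans into the new address's /24 (or /64 for IPv6), and returns the text a notify-only action could append to its mail. The path `/usr/local/bin/ban_neighbours.py` in the docstring is a hypothetical place to install it, and the embedded log lines are constructed sample data so the script runs without a real fail2ban.log.

```python
#!/usr/bin/env python3
"""Report earlier fail2ban bans that are network neighbours of a newly banned IP.

Added example, not from the mailing-list thread. Intended to be called from a
notify-only action's actionban, e.g. (hypothetical path)
    actionban = /usr/local/bin/ban_neighbours.py <ip>
so the ban e-mail can say whether nearby addresses were banned too.
"""
import ipaddress
import os
import re
import sys

# Shape of a fail2ban.log "Ban" line (fail2ban 0.9/0.10 style):
# 2017-10-13 22:41:07,123 fail2ban.actions        [911]: NOTICE  [annoyances] Ban 203.0.113.45
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)

# Constructed sample log so the script runs stand-alone; real use reads /var/log/fail2ban.log.
SAMPLE_LOG = """\
2017-10-12 03:15:01,004 fail2ban.actions        [911]: NOTICE  [annoyances] Ban 203.0.113.17
2017-10-12 09:40:22,551 fail2ban.actions        [911]: NOTICE  [sshd] Ban 198.51.100.9
2017-10-13 22:41:07,123 fail2ban.actions        [911]: NOTICE  [annoyances] Ban 203.0.113.45
2017-10-13 22:51:07,130 fail2ban.actions        [911]: NOTICE  [annoyances] Unban 203.0.113.45
2017-10-14 01:02:03,777 fail2ban.actions        [911]: NOTICE  [annoyances] Ban 203.0.113.200
"""


def parse_bans(lines, jail=None):
    """Yield (timestamp, jail, ip_address) for each Ban line; Unban and other lines are skipped."""
    for line in lines:
        m = BAN_RE.match(line.rstrip("\n"))
        if m and (jail is None or m.group("jail") == jail):
            yield m.group("ts"), m.group("jail"), ipaddress.ip_address(m.group("ip"))


def default_prefix(ip):
    """/24 for IPv4, /64 for IPv6: the usual 'same operator' granularity."""
    return 24 if ip.version == 4 else 64


def neighbours(new_ip, bans, prefix=None):
    """Return earlier bans (other than new_ip itself) inside new_ip's /prefix network."""
    ip = ipaddress.ip_address(new_ip)
    net = ipaddress.ip_network(f"{ip}/{prefix or default_prefix(ip)}", strict=False)
    return [(ts, jail, str(b)) for ts, jail, b in bans if b != ip and b in net]


def report(new_ip, lines, jail=None, prefix=None):
    """Text block for the ban e-mail: neighbouring bans plus a range hint when several hosts recur."""
    ip = ipaddress.ip_address(new_ip)
    net = ipaddress.ip_network(f"{ip}/{prefix or default_prefix(ip)}", strict=False)
    near = neighbours(new_ip, parse_bans(lines, jail), prefix)
    hosts = {b for _, _, b in near} | {str(ip)}
    out = [f"Previously banned neighbours of {new_ip} in {net}: {len(near)}"]
    for ts, j, b in sorted(near):
        out.append(f"  {ts}  [{j}]  {b}")
    if len(hosts) >= 3:
        out.append(f"Hint: {len(hosts)} distinct hosts from {net} banned; consider banning the range.")
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: ban_neighbours.py <ip> [fail2ban.log]; with no arguments, run on the sample data.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.45"
    logfile = sys.argv[2] if len(sys.argv) > 2 else "/var/log/fail2ban.log"
    if len(sys.argv) > 1 and os.path.exists(logfile):
        with open(logfile, encoding="utf-8", errors="replace") as fh:
            print(report(target, fh))
    else:
        print(report(target, SAMPLE_LOG.splitlines()))
```

Run with no arguments to see the sample output; as an actionban helper it receives `<ip>` from fail2ban and reads the live log. Because it only reads fail2ban's own log, it works unchanged for a jail that never touches iptables: the `Ban` line is written whether or not the action blocks anything, which is exactly what makes a notify-only jail still count as a ban.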
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users