Thank you Tom for your help.

However, your configuration will issue a whois on the culprit IP.
What I am trying to do is the following:
A prison runs on a specific log, some IP makes an unauthorized request and gets banned.
Say that said IP generated such a log entry with its request:
`1.2.3.4 - 10/18/2021 - 13:48 - GET /allyourbasearebelongtous - 100.101.102.103 - status: 403 - zebra`

Then a very convenient variable would allow me to configure such an action:
action = log[bannedrequest="%(bannedrequest)s"]
and to pass on the whole entry as the variable 'bannedrequest' to the action of my choosing, here 'log'.

Thanks again for your time and your help.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, October 18, 2021 at 13:21, TeWuEs <tew...@gmail.com> wrote:

> Greetings Baptiste et al.
>
> See excerpt from my iptables-multiport.conf file
> on my own, small private server:
>
> # Option: actionstart
> # Notes.: command executed once at the start of Fail2Ban.
> # Values: CMD
> #
> actionstart = <iptables> -N f2b-<name>
>               <iptables> -A f2b-<name> -j RETURN
>               <iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
>               cat /etc/fail2ban/persistent.bans | gawk '/^f2b-<name>/ {print $2}' \
>               | while read IP; do <iptables> -I f2b-<name> 1 -s $IP -j DROP; done
>               /etc/fail2ban/iptables.save > /etc/fail2ban/iptables.saved
>
> # Option: actionstop
> # Notes.: command executed once at the end of Fail2Ban
> # Values: CMD
> #
> actionstop = /etc/fail2ban/iptables.save > /etc/fail2ban/iptables.saved
>              <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
>              <iptables> -F f2b-<name>
>              <iptables> -X f2b-<name>
>
> The above always e-mails a similar message:
>
> Quote
>
> Hi,
>
> The IP 209.141.54.186 has just been banned by Fail2Ban after
> 1 attempts against apache-access-recidive.
>
> Here is more information about 209.141.54.186 :
>
> #
> # ARIN WHOIS data and services are subject to the Terms of Use
> # available at: https://www.arin.net/resources/registry/whois/tou/
> #
> # If you see inaccuracies in the results, please report at
> # https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
> #
> # Copyright 1997-2021, American Registry for Internet Numbers, Ltd.
> #
>
> NetRange:       209.141.32.0 - 209.141.63.255
> CIDR:           209.141.32.0/19
> NetName:        PONYNET-04
> NetHandle:      NET-209-141-32-0-1
> Parent:         NET209 (NET-209-0-0-0-0)
> NetType:        Direct Allocation
> OriginAS:       AS53667
> Organization:   FranTech Solutions (SYNDI-5)
> RegDate:        2011-01-27
> Updated:        2012-03-25
> Ref:            https://rdap.arin.net/registry/ip/209.141.32.0
> OrgName:        FranTech Solutions
> OrgId:          SYNDI-5
> Address:        1621 Central Ave
> City:           Cheyenne
> StateProv:      WY
> PostalCode:     82001
> Country:        US
> RegDate:        2010-07-21
> Updated:        2017-01-28
> Ref:            https://rdap.arin.net/registry/entity/SYNDI-5
> OrgTechHandle:  FDI19-ARIN
> OrgTechName:    Dias, Francisco
> OrgTechPhone:   +1-778-977-8246
> OrgTechEmail:   ad...@frantech.ca
> OrgTechRef:     https://rdap.arin.net/registry/entity/FDI19-ARIN
> OrgAbuseHandle: FDI19-ARIN
> OrgAbuseName:   Dias, Francisco
> OrgAbusePhone:  +1-778-977-8246
> OrgAbuseEmail:  ad...@frantech.ca
> OrgAbuseRef:    https://rdap.arin.net/registry/entity/FDI19-ARIN
>
> Regards,
>
> Fail2Ban
>
> Unquote
>
> I believe this is what you're looking for.
>
> Best regards.
> Tom
>
> On 2021-10-18 12:40, Baptiste via Fail2ban-users wrote:
>
>> Hello folks,
>>
>> I searched through the wiki but could not find a list of action variables.
>> When configuring an action you can pass a variable, e.g. here:
>>
>> action = log[logpath="%(logpath)s"]
>> => would pass logpath to the log action
>>
>> Specifically, I am looking for a variable that would output the whole banned 
>> request, and not just the ip. Using grep on logpath by ip is not ideal 
>> either since a lot of lines might be concerned by that specific ip.
>>
>> Thanks for your help.
>
_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
