I’m trying to set up a system where a number of remote hosts send logs to a single analysis host running fail2ban + rsyslog, which then runs actions *on the log-sending host* to accomplish the ban/unban actions.
This came up in the archives years ago: https://sourceforge.net/p/fail2ban/mailman/fail2ban-users/thread/bay177-w256b8065d8b79af526d47d6...@phx.gbl/ …but in my case, I don’t have a single border firewall I can send the ban/unban commands back to. Each host sending these messages has its own firewall.

The log messages I wish to react to look like this:

    2022-04-09T22:36:30.662556-06:00 myswitch.lan system,error,critical login failure for user admin from 198.51.100 via ssh

I’ve got the failfilter matching on this, and I know how to make the actionban line block the malefactor (198.51.100 in this example), but I can’t work out how to get fail2ban to give me back the “myswitch.lan” part in the action, since that is the host that needs to block 198.51.100.

This is only partly about centralized administration. These hosts can’t run fail2ban themselves because their OS is locked down. I can make them send their messages out by syslog, and they have an SSH command interface, but fail2ban has to run somewhere else.

How do I teach fail2ban how to SSH back to the host that sent the log message? I suppose I could set up one jail for each log-sending host, passing its IP as a variable into the jail, but ick.

If it helps, I’m in the process of writing an article about this, which gives more context on the problem: https://tangentsoft.com/mikrotik/wiki?name=Using%20fail2ban%20with%20Remote%20syslog

The article currently talks about macOS and Homebrew, but due to a problem I found getting fail2ban to run there, I may end up recasting the article in terms of some flavor of Linux. Don’t get too hung up on those details.

_______________________________________________
Fail2ban-users mailing list
Fail2ban-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fail2ban-users