[arch-general] fail2ban archlinux
Hi, I've configured fail2ban with action, filter for my php application.
My app outputs log lines like this:
unknown user foo (192.x.x.x)
My jail conf:
[php-app-login]
enabled = true
port = 80
protocol = tcp
filter = php-app-login
logpath = /var/www/php-app-login/var/logs/dev.log
findtime = 3600
bantime = 86400
maxretry = 3
ignoreip = 127.0.0.1/8
My filter definition:
[Definition]
failregex = unknown user .* \(<HOST>\)
ignoreregex =
It works well, but I would like fail2ban to add a comment to the iptables rule when it bans an IP.
For example:
iptables -A INPUT -p tcp --dport 80 -m comment --comment "Ban foo" -j DROP
iptables -L -n -v
Chain INPUT (policy ACCEPT 94 packets, 23457 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* Ban foo */
I've googled and I think something needs to be changed in the action, but I can't find how to pass the user variable to that action.
Maykel Franco via arch-general <arch-general@lists.archlinux.org> wrote:
Hi, I've configured fail2ban with action, filter for my php application.
My app outputs log lines like this:
unknown user foo (192.x.x.x)
My jail conf:
[php-app-login]
enabled = true
port = 80
protocol = tcp
filter = php-app-login
logpath = /var/www/php-app-login/var/logs/dev.log
findtime = 3600
bantime = 86400
maxretry = 3
ignoreip = 127.0.0.1/8
My filter definition:
[Definition]
failregex = unknown user .* \(<HOST>\)
ignoreregex =
It works well, but I would like fail2ban to add a comment to the iptables rule when it bans an IP.
For example:
iptables -A INPUT -p tcp --dport 80 -m comment --comment "Ban foo" -j DROP
iptables -L -n -v
Chain INPUT (policy ACCEPT 94 packets, 23457 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* Ban foo */
I've googled and I think something needs to be changed in the action, but I can't find how to pass the user variable to that action.
Something along the following lines, though I could be wrong, or incomplete.
Create a local, customized, action.d/iptables-multiport.local where:
1. you set up the rule with the comment?
2. if I understood you correctly, a possible alternative for the comment would be to have a dedicated chain.
[Definition]
# Have a dedicated chain for php-app-login.
# f2b-php-app-login is expected to exist. Possibly set up by whatever
# sets iptables.
actionstart =
actionstop = iptables -F f2b-<name>
Again, I could be wrong, or incomplete.
-- 
u34
participants (2): Maykel Franco, u34@net9.ga