Rebuild to FAQ style using details/summary html-tags

master
Serg G. Brester 2017-06-30 17:13:54 +02:00
parent 3d40da457d
commit 776d4a85ec
1 changed files with 8 additions and 1 deletions

@ -1,5 +1,6 @@
**[Q]** Can I ban something other as host (IP-address), like user or e-mail, etc.<br/>
**[A]** Yes, it is theoretically possible with fail2ban, since no-host banning was implemented (v. 0.9.5 or 0.10). See [fail2ban/gh-1454](https://github.com/fail2ban/fail2ban/pull/1454) for more implementation details.
<details><summary>How to configure it:</summary><br/>
* You should create your own `action` and specify there which command(s) should be executed by ban/unban
* Version 0.10 allows you to define failure-ID in `failregex`:
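Review bot: The new `<details><summary>How to configure it:</summary><br/>` line is followed directly by the `*` bullets, and as shown here there is no empty line between them. In GitHub-flavoured Markdown an HTML block runs until the next blank line, so the list is likely to be emitted as literal text inside the collapsed section rather than rendered as a list. Put an empty line after the `<summary>` line; the `<br/>` can then be dropped.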
@ -70,9 +71,14 @@ fail2ban-regex --raw /var/log/auth.log '^\s*(?:\S+\s+)?(?:[^:]+:auth\[\d+\]:\s+)
# v. 0.9.5:
fail2ban-regex --raw /var/log/auth.log '^\s*(?:\S+\s+)?(?:[^:]+:auth\[\d+\]:\s+)?pam_unix(?:\(\S+\))?:?\s+authentication failure; login=(?P<host>\S+)'
```
</details>
***
**[Q]** I don't have any failure-ID in the log-entry, can I nevertheless configure the fail2ban, that it should simply execute some command if some message will be found in observed log-file<br/>
**[A]** Yes, if you've no failure-id at all (no user-id, e-mail or something other), but you'll that fail2ban execute some shell script after failure occurrence, you should additionally:
**[A]** Yes
<details><br/>
If you've no failure-id at all (no user-id, e-mail or something other), but you'll that fail2ban execute some shell script after failure occurrence, you should additionally:
* set empty or something other as match for failure-id (still `<host>` in 0.9th-branch) in `failregex`, example:
``` bash
# DDOS resp. "too many IPs" will be used as failure-ID:
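Review bot: The second answer opens with `<details><br/>` and no `<summary>`, so it gets the browser's default label while the first answer uses `<summary>How to configure it:</summary>`; give this block a summary as well. The short `**[A]** Yes` line and the longer `**[A]** Yes, if you've no failure-id at all ...` line both appear here, and the longer one repeats the sentence that now sits inside `<details>`, so make sure only one of them remains. While that sentence is being moved, "but you'll that fail2ban execute" would read better as "but you want fail2ban to execute".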
@ -87,3 +93,4 @@ actionban = /user/bin/ids-attack.sh '<fid>'
```
* `actionban` script will be executed as root (or with user, fail2ban running), so use `su` if other/restricted user needed;
- set `usedns`, `ignoreip`, `ignorecommand` as suggested above, otherwise you can get error by comparison with empty/illegal host (that will be found by "failure");
</details>
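Review bot: A caveat is missing next to the bullet "`actionban` script will be executed as root". The `actionban = /user/bin/ids-attack.sh '<fid>'` example puts a value taken from log content onto that command line, and the earlier example captures it with `\S+`. Add a bullet advising readers to make the failure-ID group match a fixed string or a narrow character class, so that nothing a remote client can write into the log ends up interpreted by the shell. Two smaller points: the last bullet starts with `-` while the others use `*`, which starts a separate list in Markdown, and `/user/bin/` looks like it was meant to be `/usr/bin/`.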