Hello. I'm a newbie in fail2ban, regex and Python. I needed to ban IPs that were trying to connect to miscellaneous unused ports on my hosts. For this I logged SYNs with the iptables rule

-A LOGGING -m limit --limit 2/sec -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

to journald, giving lines like this:

Oct 22 17:27:34 hostname kernel: IPTables-Dropped: IN=eno1 OUT= MAC=ac:1f:6b:9a:71:38:e4:5d:37:95:9a:10:08:00 SRC=188.68.211.114 DST=myip LEN=40 TOS=0x00 PREC=0x00 TTL=252 ID=5853 PROTO=TCP SPT=53148 DPT=51996 WINDOW=1024 RES=0x00 SYN URGP=0
After several days of reading the fail2ban man pages, GitHub docs, filters and other confs, some Ansible playbooks for fail2ban, and using https://regex101.com and http://buildregex.com/, I wrote this filter and jail:

jail
----
[journald_ip]
enabled = true
backend = systemd
action = iptables-allports
maxretry = 3
bantime = 604800
findtime = 86400

filter
----
# Fail2Ban filter for iptables logged in journald by prefix.
#
# Example rule for iptables
# -A LOGGING -m limit --limit 2/sec -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
#

[INCLUDES]
before = common.conf

[Definition]
failregex = ^%(__prefix_line)s(?:IPTables-Dropped:)(?:.*)(?:SRC=<HOST>)(?:.*)$
ignoreregex =

# Author: Max Krylov

Now it is working as a test on one of my servers, and after the first 5 min 1300+ IPs were banned. Would this filter be interesting for the community? I can do an MR, but I don't know how to add the jail to the main jail.conf.

--
With regards,
MaxK
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
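The filter posted above can be sanity-checked offline before it is deployed. The following Python is an added example, not fail2ban's own code and not the poster's: it applies the posted failregex, with simplified stand-ins for common.conf's %(__prefix_line)s and fail2ban's <HOST> tag (both assumptions, IPv4 only), together with the jail's maxretry=3 and findtime=86400, to a few constructed journald lines and reports which source addresses would end up banned. The addresses, MACs and timestamps in the sample lines are constructed; the real check against the live journal is fail2ban-regex with the actual filter file.

```python
"""Offline sanity check of the journald/iptables fail2ban filter from the post.

Added example, not fail2ban's code: it approximates how fail2ban counts
failregex matches per host (maxretry within findtime) so the filter can be
checked against sample lines before being enabled on a server.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumption: simplified stand-in for common.conf's %(__prefix_line)s,
# covering "<syslog timestamp> <hostname> kernel: " as journald shows it.
PREFIX_LINE = r"(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?:kernel: )?"
# Assumption: simplified stand-in for fail2ban's <HOST> tag (IPv4 only).
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# The posted failregex with the two fail2ban substitutions applied.
FAILREGEX = re.compile(
    r"^" + PREFIX_LINE + r"(?:IPTables-Dropped:)(?:.*)(?:SRC=" + HOST + r")(?:.*)$"
)

# Jail settings from the post.
MAXRETRY = 3
FINDTIME = 86400  # seconds

# Syslog timestamps carry no year; constructed value for the sample lines.
ASSUMED_YEAR = 2019


def _drop(ts, src, dpt):
    """Build a constructed kernel log line in the same layout as the post."""
    return (f"{ts} hostname kernel: IPTables-Dropped: IN=eno1 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=192.0.2.10 "
            f"LEN=40 TOS=0x00 PREC=0x00 TTL=252 ID=5853 PROTO=TCP SPT=53148 "
            f"DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")


# Constructed sample journal lines (documentation-range addresses, fake MACs).
SAMPLE_LINES = [
    _drop("Oct 20 10:00:00", "203.0.113.9", 22),     # old hit, outside findtime
    _drop("Oct 20 10:00:05", "203.0.113.9", 23),     # old hit, outside findtime
    _drop("Oct 22 17:27:34", "198.51.100.7", 51996),
    "Oct 22 17:27:35 hostname sshd[812]: Accepted publickey for alice from 198.51.100.7",
    _drop("Oct 22 17:27:36", "203.0.113.9", 3389),   # only one hit inside findtime
    _drop("Oct 22 17:27:37", "198.51.100.7", 8080),
    _drop("Oct 22 17:27:38", "198.51.100.7", 5900),  # third hit -> banned
]


def parse_ts(text):
    """Turn a syslog-style timestamp into a Unix epoch (year is assumed)."""
    dt = datetime.strptime(f"{ASSUMED_YEAR} {text}", "%Y %b %d %H:%M:%S")
    return dt.timestamp()


def match_line(line):
    """Return (epoch, host) if the line matches the failregex, else None."""
    m = FAILREGEX.match(line)
    if not m:
        return None
    return parse_ts(m.group("ts")), m.group("host")


def hosts_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Apply fail2ban's counting rule to lines in chronological order:
    a host is banned once it has maxretry matches within findtime seconds.
    Returns the set of hosts that would be banned."""
    recent = defaultdict(list)
    banned = set()
    for line in lines:
        hit = match_line(line)
        if hit is None:
            continue
        ts, host = hit
        # Keep only the matches still inside the findtime window.
        window = [t for t in recent[host] if ts - t <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("MATCH" if match_line(line) else "skip ", line[:60])
    print("would ban:", sorted(hosts_to_ban(SAMPLE_LINES)))
```

Two things the run makes visible that the regex alone does not: the sshd line is skipped even though it contains the same address, because the prefix and the literal "IPTables-Dropped:" are required, and 203.0.113.9 is not banned despite three matches overall, because two of them fall outside the 86400-second findtime window.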
