This is a bit of an ugly hack, but I believe it works for your case:

I see actionban like:

actionban = oifs=${IFS}; IFS=.; SEP_IP=( <ip> ); set -- ${SEP_IP};
            ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org);
            IFS=${oifs}

We can modify it to get the DEST IP from the file tcpdump.txt

If you put a logger of SYN packets on your server (I use tmux+script+tcpdump
here), logging just the SYNs in text format with a date, you can retrieve the
DEST IP from it:

As root:

# tmux

# script -a /root/tcpdump.txt

# replace eth0 with your interface(s) below

# tcpdump -tttt -s0 -nni eth0 'tcp[tcpflags] & (tcp-syn) !=0'

2020-04-30 11:32:20.754344 IP 156.96.119.148.3 > 5.104.xxx.xxx.9545: Flags [S], seq 14386, win 512, length 0
2020-04-30 11:32:25.022616 IP 5.104.16.107.8175 > 5.104.xxx.xxx.23: Flags [S], seq 2315696541, win 14600, length 0
2020-04-30 11:32:41.633041 IP 37.49.226.111.53440 > 5.104.xxx.xxx.50802: Flags [S], seq 1127665427, win 1024, length 0

actionban would become:

# match <ip> only as the source field (field 4, followed by the port separator),
# so a SYN-ACK this host sent back to <ip>, or a longer address that shares
# a prefix with <ip>, is not picked as the destination
actionban = DESTIP=$( grep -F ' <ip>.' /root/tcpdump.txt | awk 'index($4, "<ip>.") == 1 { print $6 }' | tail -1 | awk -F'.' '{print $1"."$2"."$3"."$4}' );
            oifs=${IFS}; IFS=.; SEP_IP=( <ip> ); set -- ${SEP_IP};
            ADDRESSES=$(dig +short -t txt -q $4.$3.$2.$1.abuse-contacts.abusix.org);
            IFS=${oifs}

Didn't test it, but it should work.
In case of multiple interfaces, multiple script+tcpdump.

> It's auto-generated by the complain action.
>
> My servers typically have multiple IP addresses assigned to them. I could
> just include something like, "Here are the list of IPs that *COULD* have
> received the attack: 1.2.3.4, 5.6.7.8, a.b.c.d, etc." but I doubt that
> would go over well.
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest Internet Exchange
> http://www.midwest-ix.com
>
> ----- Original Message -----
>
> From: "Fabio Martins" <[email protected]>
> To: "Mike Hammett" <[email protected]>
> Cc: [email protected]
> Sent: Thursday, April 30, 2020 9:09:06 AM
> Subject: Re: [Fail2ban-users] Log Modifications To Include Destination IP
>
> If the IP address of your server is static, you can hardcode it in the
> report.
>
> But if the IP address of your server is dynamic, like PPPoE, a script can
> obtain it while generating the report.
>
> How is your abuse report being generated?
>
> Regards
>
> --
> Fabio Martins
>
>> Tangential to Fail2Ban's core function, but does anyone know if there's a
>> method to modify the logging behavior of sshd, apache, various mail
>> servers to include which IP address they received the request on?
>>
>> I have abuse reports being rejected because I don't know which IP on my
>> server was attacked. The other networks must be running CGNAT or other
>> address-sharing methods and apparently need their hand held.
>>
>> -----
>> Mike Hammett
>> Intelligent Computing Solutions
>> http://www.ics-il.com
>>
>> _______________________________________________
>> Fail2ban-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

-- 
Fabio Martins
(+5521)979148106
PHOSPHORUS NETWORKS
https://phosphorusnetworks.com/
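
A worked version of the log lookup proposed at the top of this message, added
here as an example; it is not code from the thread or from Fail2ban itself. It
assumes the tcpdump line format shown above (-tttt -nn, IPv4 only), a
constructed sample log, and a hypothetical helper name dest_ip_for_src. The
point it adds over a plain `egrep <ip>` is that the banned address is matched
only as the source field and only with the port separator after its last
octet: otherwise a SYN-ACK your host sends back to the attacker (your IP as
source, theirs as destination) or a longer address that shares a prefix
(x.y.z.14 vs x.y.z.148) can come back as the "attacked" IP.

```shell
#!/bin/sh
# Added example (not from the thread or from Fail2ban): find the destination
# address that a banned source IP last sent a SYN to, using a log written by
#   tcpdump -tttt -s0 -nni eth0 'tcp[tcpflags] & (tcp-syn) != 0'
# Assumed line format (IPv4 only):
#   <date> <time> IP <src>.<sport> > <dst>.<dport>: Flags [S], ...

# Constructed sample log. Two traps for a naive `grep <ip>`: line 3 is a
# SYN-ACK our host 192.0.2.11 sends back to 5.104.16.107 (the banned IP is
# the destination there), and line 1's 156.96.119.148 shares a prefix with a
# lookup of 156.96.119.14, which is not in the log at all.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
2020-04-30 11:32:20.754344 IP 156.96.119.148.3 > 192.0.2.10.9545: Flags [S], seq 14386, win 512, length 0
2020-04-30 11:32:25.022616 IP 5.104.16.107.8175 > 192.0.2.11.23: Flags [S], seq 2315696541, win 14600, length 0
2020-04-30 11:32:25.022900 IP 192.0.2.11.23 > 5.104.16.107.8175: Flags [S.], seq 1, ack 2315696542, win 65535, length 0
2020-04-30 11:32:41.633041 IP 37.49.226.111.53440 > 192.0.2.12.50802: Flags [S], seq 1127665427, win 1024, length 0
2020-04-30 11:33:02.100000 IP 5.104.16.107.8176 > 192.0.2.13.22: Flags [S], seq 99, win 14600, length 0
EOF

# dest_ip_for_src LOGFILE SRC_IP   (hypothetical helper name)
# Prints the destination IP of the most recent SYN whose source field is
# exactly SRC_IP; prints nothing and returns 1 if there is none.
# index($4, ip ".") == 1 anchors the match at the start of the source field
# and requires the port separator right after the last octet, so neither a
# prefix match nor a line where SRC_IP is the destination can qualify.
dest_ip_for_src() {
    awk -v ip="$2" '
        $3 == "IP" && index($4, ip ".") == 1 {
            d = $6
            sub(/\.[0-9]+:$/, "", d)      # "192.0.2.10.9545:" -> "192.0.2.10"
        }
        END { if (d == "") exit 1; print d }
    ' "$1"
}

# Demo of what a complain-style action could put in the report.
for src in 156.96.119.148 5.104.16.107 156.96.119.14; do
    if dst=$(dest_ip_for_src "$SAMPLE_LOG" "$src"); then
        echo "$src -> attacked $dst"
    else
        echo "$src -> no SYN with this source in the log; cannot name the target IP"
    fi
done
```

In an actionban you would call this with <ip> as the second argument and use
its output (or its non-zero exit) to decide what the report says. IPv6 lines
(tcpdump prints "IP6" and uses the same dotted port separator) are not handled
here and would need a separate branch.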


