Greetings,

I'm still trying to find my way around the documentation, so forgive me if this has been answered, perhaps in a mail archive... Although I have some systems running fail2ban 0.8.14, my question below is restricted to 0.11.x.

The problem I'm trying to solve: I need to fire off two separate actions based on a single failure line.

First, I need to ban the IP using the route action, which is working fine.

Second, I need to fire off some scripts with another field in the matched line as an argument (it's an email address).

Example line (minus timestamp):

#
postfix/smtpd[9323]: NOQUEUE: filter: RCPT from unknown[*192.168.123.123*]: <*[email protected] <[email protected]>*>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<[email protected]> to=< [email protected]> proto=ESMTP helo=<[10.11.12.13]>
#

I have configured:

failregex = postfix/smtpd\[\d+\]: \w+: filter: RCPT from \w+\[<HOST>\]: <(?P<email>\S+@\S+)>: Sender address triggers FILTER.*$

The question is: (HOW) can I get at the captured group named 'email' in an action or elsewhere?

I don't think I want the email address in the ban ticket key. I tried something like this before with the route action, and it was passed to the route command along with <host> and iptables complained.

Must I stick with only what's defined in failregex.py?

Thanks.
_______________________________________________ Fail2ban-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/fail2ban-users
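
A dry run of the failregex from the message above on constructed log lines, as an added example that is not part of the original post or of fail2ban itself: it shows the 'email' group being captured separately from the host that serves as the ban key, and checked against an allow-list before it becomes a script argument. The <HOST> expansion is a simplified IPv4-only stand-in for fail2ban's own, and SAFE_EMAIL, the sample lines and the script path are assumptions.

```python
import re

# Simplified IPv4-only stand-in for fail2ban's <HOST> expansion (assumption).
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# failregex exactly as configured in the post.
FAILREGEX = (r"postfix/smtpd\[\d+\]: \w+: filter: RCPT from \w+\[<HOST>\]: "
             r"<(?P<email>\S+@\S+)>: Sender address triggers FILTER.*$")

# Conservative allow-list for a log-derived value used as an argument (assumption).
SAFE_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\Z")

# Constructed sample lines (timestamps omitted, addresses invented).
SAMPLE_OK = ("postfix/smtpd[9323]: NOQUEUE: filter: RCPT from "
             "unknown[192.168.123.123]: <sender@example.com>: Sender address "
             "triggers FILTER smtp-amavis:[127.0.0.1]:10026; "
             "from=<sender@example.com> to=<rcpt@example.org> proto=ESMTP")
SAMPLE_ODD = ("postfix/smtpd[9324]: NOQUEUE: filter: RCPT from "
              "unknown[192.168.123.124]: <bad;value@example.com>: Sender "
              "address triggers FILTER smtp-amavis:[127.0.0.1]:10026")
SAMPLE_OTHER = "postfix/smtpd[9323]: connect from unknown[192.168.123.123]"

def compile_failregex(failregex):
    """Expand the <HOST> tag into a named group and compile the pattern."""
    return re.compile(failregex.replace("<HOST>", HOST_GROUP))

def parse_failure(line, rx):
    """Return (ban_key, extra_groups) for a matching line, else None."""
    m = rx.search(line)
    if m is None:
        return None
    groups = m.groupdict()
    host = groups.pop("host")   # only the host identifies the ban
    return host, groups         # remaining named groups travel as side data

def script_argv(line, rx, script="/usr/local/bin/handle-sender"):
    """Build an argv list (no shell) for a hypothetical follow-up script."""
    parsed = parse_failure(line, rx)
    if parsed is None:
        return None
    host, extra = parsed
    email = extra.get("email", "")
    if not SAFE_EMAIL.match(email):   # \S+@\S+ also admits shell metacharacters
        return None
    return [script, email, host]

if __name__ == "__main__":
    rx = compile_failregex(FAILREGEX)
    for sample in (SAMPLE_OK, SAMPLE_ODD, SAMPLE_OTHER):
        print(parse_failure(sample, rx), script_argv(sample, rx))
```
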
