From: <pi...@al...> - 2013-08-30 09:47:55
Hi,

Working on Ubuntu 13.04 I've got fail2ban working for sshd|ssh-ddos etc, however when I configure a new jail :-

    filter = portscan
    action = iptables[name=portscan]
    bantime = 300
    logpath = /var/log/syslog
    maxretry = 3

It works fine (a test portscan is detected and iptables are updated) but I don't get a notification in email. Additionally on start/stop the portscan jail isn't notified in email as the others are.

I have searched and played with it, I do get a notification if I set the action to be iptables-multiport, however due to the nature of a portscan I obviously don't want to create a rule like that.

Testing with the client and -d shows for a jail that does get the notifications, the following lines appear :-

    ['set', 'ssh-ddos', 'setcinfo', 'sendmail-whois-lines', 'dest', 'root@localhost']
    ['set', 'ssh-ddos', 'setcinfo', 'sendmail-whois-lines', 'logpath', '/var/log/auth.log']
    ['set', 'ssh-ddos', 'setcinfo', 'sendmail-whois-lines', 'name', 'ssh-ddos']
    ['set', 'ssh-ddos', 'setcinfo', 'sendmail-whois-lines', 'chain', 'INPUT']
    ['set', 'ssh-ddos', 'setcinfo', 'sendmail-whois-lines', 'sender', 'fail2ban']

but for the portscan jail they do not.

I have action = %(action_mwl)s configured globally and all config is in jail.local, as I say the actual action works and I get emails in response to tests for the other configured jails - just not this one!

Can some kind soul point me in the right direction please?

Ta
J

--
interesting quote here
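An added example, not part of the original post: a small audit that resolves each jail's effective `action` and lists jails with no mail action attached. It shows that a jail-level `action =` line replaces the inherited `%(action_mwl)s` rather than adding to it. The embedded jail.local is constructed and simplified; the `banaction` option (as used in the Debian/Ubuntu jail.conf shortcuts) and the `portscan-mail` jail are assumptions for illustration.

```python
import configparser

# Constructed, simplified jail.local modelled on the post; not the poster's file.
SAMPLE = """
[DEFAULT]
destemail = root@localhost
mta = sendmail
banaction = iptables-multiport
action_mwl = %(banaction)s[name=default]
             %(mta)s-whois-lines[dest=%(destemail)s]
action = %(action_mwl)s

[ssh-ddos]
filter = sshd-ddos

[portscan]
filter = portscan
action = iptables[name=portscan]

[portscan-mail]
filter = portscan
banaction = iptables
"""

MAIL_PREFIXES = ("sendmail", "mail")


def effective_actions(text):
    """Map each jail to the list of action names it resolves to."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    result = {}
    for jail in cp.sections():
        # One action per line; the name is the part before any [options].
        lines = cp.get(jail, "action").splitlines()
        result[jail] = [l.split("[", 1)[0].strip() for l in lines if l.strip()]
    return result


def jails_without_mail(text):
    """Return jails whose resolved action list contains no mail action."""
    return sorted(j for j, acts in effective_actions(text).items()
                  if not any(a.startswith(MAIL_PREFIXES) for a in acts))


if __name__ == "__main__":
    print(effective_actions(SAMPLE))
    print("no mail action:", jails_without_mail(SAMPLE))
```

In the constructed file, `portscan` resolves to `iptables` alone, while `portscan-mail` overrides only `banaction` and so keeps the inherited mail action.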