Jan 15 19:23:37 homebrou sshd[3418]: error: Could not get shadow information for NOUSER
Jan 15 19:23:37 homebrou sshd[3418]: Failed password for invalid user test from 88.191.23.27 port 41017 ssh2
Jan 15 19:23:38 homebrou sshd[3420]: Invalid user test from 88.191.23.27
Jan 15 19:23:38 homebrou sshd[3420]: error: Could not get shadow information for NOUSER
Jan 15 19:23:38 homebrou sshd[3420]: Failed password for invalid user test from 88.191.23.27 port 41096 ssh2
Jan 15 19:23:38 homebrou sshd[3422]: Invalid user test from 88.191.23.27
Jan 15 19:23:38 homebrou sshd[3422]: error: Could not get shadow information for NOUSER
Jan 15 19:23:38 homebrou sshd[3422]: Failed password for invalid user test from 88.191.23.27 port 41162 ssh2
Jan 15 19:23:38 homebrou sshd[3424]: Invalid user test from 88.191.23.27
I have a use case similar to the above. However, I need to block the IP and PORT binding - not just the IP as this would be too restrictive.

Would it be possible for fail2ban-regex to be able to deliver a <HOST> and <PORT> back when it recognises patterns such as 88.191.23.27:41096 or 88.191.23.27 port 41096?

Then I would like to be able to use that <PORT> keyword in a jail statement such as:

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, sport=<PORT>, protocol=tcp]
logpath  = /var/log/sshd.log
maxretry = 5
 
where sport is the source port.

Thanks.
 
With best regards
Jerry
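
An added example, not part of the original post and not fail2ban's own code: a Python sketch that pulls both the address and the source port out of the sshd lines quoted above, then counts failures per host and per host+port pair. The pattern and its `host`/`port` group names are hypothetical stand-ins for the `<HOST>` and `<PORT>` the post asks about, and the threshold of 3 is lowered from the jail's `maxretry = 5` only because the excerpt holds three failed-password lines.

```python
import re
from collections import defaultdict

# Log lines copied from the excerpt at the top of this page.
SAMPLE_LOG = """\
Jan 15 19:23:37 homebrou sshd[3418]: error: Could not get shadow information for NOUSER
Jan 15 19:23:37 homebrou sshd[3418]: Failed password for invalid user test from 88.191.23.27 port 41017 ssh2
Jan 15 19:23:38 homebrou sshd[3420]: Invalid user test from 88.191.23.27
Jan 15 19:23:38 homebrou sshd[3420]: Failed password for invalid user test from 88.191.23.27 port 41096 ssh2
Jan 15 19:23:38 homebrou sshd[3422]: Failed password for invalid user test from 88.191.23.27 port 41162 ssh2
"""

# Hypothetical pattern (not a fail2ban failregex): the named groups stand in
# for <HOST> and <PORT>. It accepts both "IP port N" and "IP:N".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from "
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?: port |:)(?P<port>\d{1,5})\b"
)


def extract_pairs(log_text):
    """Return [(host, port), ...] for every failed-password line."""
    pairs = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            pairs.append((m.group("host"), int(m.group("port"))))
    return pairs


def over_threshold(pairs, maxretry, key):
    """Count failures per key(pair); return the keys that reach maxretry."""
    counts = defaultdict(int)
    for pair in pairs:
        counts[key(pair)] += 1
    return sorted(k for k, n in counts.items() if n >= maxretry)


if __name__ == "__main__":
    pairs = extract_pairs(SAMPLE_LOG)
    print("pairs:", pairs)
    print("per host:", over_threshold(pairs, 3, key=lambda p: p[0]))
    print("per host+port:", over_threshold(pairs, 3, key=lambda p: p))
```

On the quoted excerpt every failure carries a different source port (41017, 41096, 41162), so the per-host count reaches the threshold while no host+port pair is seen more than once.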