Re: [Fail2ban-users] Failregex Problem

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Cyril,

Thanks for the reply... in my case I am working with a lot of NAT'ed 
addresses so I can not use the IP address to create a 'blocking' rule. 
If I were to block the NAT'ed IP address I would be affecting thousands 
of users, not just the one or two who are being a problem.

If I can get the username from the log, I can use a shell script to 
disable that particular user login etc.

In this particular application, I'd be telling fail2ban to shell out to 
perl and do a whole host of things to that users account to disable 
their access and email the admins of the issue.

I can live with the fact that fail2ban needs an IP address, and don't 
get me wrong, the product works great and I am using it on many hosts 
for SSH DDOS etc.

What I would need is the ability for it to not only recognize the IP 
address but also let me know what the user name is, or use both IP and 
Username to figure out when to ban. etc. Then be able to use <user> or 
something in the shell script line to run the program etc.

- Reynold

Cyril Jaquier wrote:
> Hi Reynold,
> 
>> Unfortunately that did not work.
>>
> 
> Yes, because fail2ban currently *needs* an IP address.
> 
>> Has anyone adapted this software to users instead of ip addresses for 
>> nat'ed hosts etc?
>>
> 
> I will try to add such feature. Could you maybe give a use case?
> 
>> If the IP we're all looking at happens to be a natted address, that will 
>> effect many users, not a single offending machine.
>>
>> Being able to grab the user name and do something with that would be 
>> beneficial.
>>
> 
> What would you do with the user name?
> 
> Thank you.
> 
> Cyril