Re: [Fail2ban-users] fail2ban on multiple servers

[Daniel B. <dan...@in...>]

On 17/05/13 21:56, Przemysław Orzechowski wrote:
> Hi
> I'm trying to create a fail2ban config that will ban an ip if it was 
> previously banned by 2 different servers
> For now i made a rule that writes each banned IP to a file shared among 
> all servers with following content
> TIMESTAMP OffenderIP servername_of_server_that_banned_this_ip.
> Would prefer to add rulename that originally issued

its an outstanding request, quite possible to implement.

https://github.com/fail2ban/fail2ban/issues/10

> the ban
> Im geting banned IPs from parsing fail2ban.log

That does sound like an bit of an ugly workaround.

> 
> Second question
> Is there a way to create a rule (failregexp) that would trigger only if 
> there is single offender IP logged by 2 different servers?

You wouldn't be doing it with failregex, its an action you need to
implement.

You've got a file. You can do as part of your action:

if [ `fgrep <ip> /sharedfile | wc  -l` -gt 1 ]....


Using a file does make the expiry writing difficult, so I'd do some
memcache implementation using the memcached where memcache handles the
expiry of the bans.