From: Daniel B. <dan...@in...> - 2013-05-18 00:46:27
On 17/05/13 21:56, Przemysław Orzechowski wrote:
> Hi
> I'm trying to create a fail2ban config that will ban an IP if it was
> previously banned by 2 different servers.
> For now I made a rule that writes each banned IP to a file shared among
> all servers with the following content:
> TIMESTAMP OffenderIP servername_of_server_that_banned_this_ip.
> Would prefer to add the rulename that originally issued
> the ban.

It's an outstanding request, quite possible to implement.
https://github.com/fail2ban/fail2ban/issues/10

> I'm getting banned IPs from parsing fail2ban.log

That does sound like a bit of an ugly workaround.

>
> Second question
> Is there a way to create a rule (failregex) that would trigger only if
> there is a single offender IP logged by 2 different servers?

You wouldn't be doing it with failregex, it's an action you need to implement.

You've got a file. You can do as part of your action:

if [ `fgrep <ip> /sharedfile | wc -l` -gt 1 ]....

Using a file does make the expiry writing difficult, so I'd do some memcache implementation using memcached, where memcache handles the expiry of the bans.
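An added worked example (not code from the thread or from fail2ban itself) of the file-based check the reply sketches: a helper a custom fail2ban action could call that reads the shared "TIMESTAMP OffenderIP servername" file, counts distinct servers that banned the IP, and drops entries older than a window so expiry is handled without a memcache. The file path, epoch-second timestamps, server names and the one-hour window are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): decide whether an IP has been banned by
# more than one server, using the shared file format "TIMESTAMP IP SERVER".
# Counts DISTINCT servers (two bans from one server count once) and ignores
# entries older than WINDOW seconds, so the file needs no separate expiry pass.

# distinct_ban_count FILE IP WINDOW_SECONDS NOW_EPOCH
# Prints the number of distinct servers that banned IP within the window.
distinct_ban_count() {
    file=$1; ip=$2; window=$3; now=$4
    [ -r "$file" ] || { echo 0; return; }
    awk -v ip="$ip" -v cutoff="$((now - window))" '
        # exact match on the IP column: a plain fgrep would also match
        # 192.0.2.10 and 192.0.2.100 when looking for 192.0.2.1
        $2 == ip && $1 >= cutoff { seen[$3] = 1 }
        END { n = 0; for (s in seen) n++; print n }
    ' "$file"
}

# should_ban FILE IP WINDOW NOW: exit 0 when at least two distinct servers
# banned IP within the window, 1 otherwise (usable as an actionban condition).
should_ban() {
    [ "$(distinct_ban_count "$1" "$2" "$3" "$4")" -ge 2 ]
}

# Constructed sample of the shared file (epoch seconds, IP, server); assumed format.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
1368800000 192.0.2.10 web1
1368800100 192.0.2.10 web1
1368800200 192.0.2.10 web2
1368700000 192.0.2.20 web1
1368800300 192.0.2.20 web3
1368800400 192.0.2.100 web1
EOF
NOW=1368801000

# 192.0.2.10: web1 (counted once) + web2 -> 2 servers -> ban
# 192.0.2.20: web1 entry is older than the 1h window -> only web3 -> no ban
# 192.0.2.1: must not match 192.0.2.10 or 192.0.2.100 by substring -> 0
for ip in 192.0.2.10 192.0.2.20 192.0.2.1; do
    if should_ban "$SAMPLE_FILE" "$ip" 3600 "$NOW"; then
        echo "$ip: banned by $(distinct_ban_count "$SAMPLE_FILE" "$ip" 3600 "$NOW") servers, ban"
    else
        echo "$ip: not enough distinct servers, skip"
    fi
done
```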