From: Dominic R. <do...@ti...> - 2017-10-25 03:52:20
On 14 October 2017 at 07:02, Tony Collins <to...@ev...> wrote:
> Yep - actually it looks like all you need is some kind of notification
> that the IP address has triggered your jail.
>
> I have a jail that has one action: it sends me an email to tell me that an
> IP address has failed etc. but it doesn't actually block the IP address.
>
> In your jail.local (or jail.conf or whatever) file, look for the specific
> jail's configuration, and look at the "action" section. Just remove all
> actions except the one that sends you an email (normally called something
> like "%(mta-action)s........" (for safety's sake, I would copy and paste
> the entire jail, then put # in front of every line of the 'old' jail, so
> you can go back to it after you're done - do all your work on the pasted
> bit).
>
> If you leave the actual filter config as it was, then this will do what
> you want - you will still get a "banned" email, and Fail2ban will still log
> the IP address as "banned".
>
> You can do all sorts of things when an address is banned - you never have
> to actually block the address using iptables etc.
>
> In my case, this is what my "annoyances" config in jail.local looks like:
>
> [annoyances]
> enabled = true
> action = %(mta)s-whois-lines-logsonly[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=/var/www/vhosts/system/mydomain/logs/access_log;/var/www/vhosts/system/mydomain/logs/access_log.processed;/var/www/vhosts/system/mydomain2/logs/access_log;/var/www/vhosts/system/mydomain2/logs/access_log.processed;/var/www/vhosts/system/mydomain3/logs/access_log;/var/www/vhosts/system/mydomain3/logs/access_log.processed, chain="%(chain)s"]
> # for this test I just need to check today's apache logs - I don't need to go back any further,
> # but when sending the ban email, I want it to show me all the stuff that this IP has been
> # doing for the last few months, for context
> logpath = %(todays_apache_logs)s
>
> All the other stuff (findtime etc.) is handled by the default settings
> further up in the file. I made a custom config called
> sendmail-whois-lines-logsonly.conf which does a 'whois' but filters out
> most of the info, plus I wrote some script stuff to check for similar
> banned IP addresses, so when it emails me it points out if neighbouring IP
> addresses have been banned, to help me understand whether this is an IP
> range that I should just permanently ban or not.
>
> That's how I do what you're talking about. I'm testing for stuff. F2b
> logs each one as a ban as normal - the emails are considered "ban actions",
> so f2b just treats this as a normal ban - it will be "banned" for the
> specified time, just as if the IP address was blocked. You don't need to
> simulate the actual iptables/ipset/firewall-cmd action, all you need to do
> is see if it would've been "banned".
>
> I hope I've been clear here!
> Tony Collins

Thanks to you Tony and to Nick for the helpful suggestions.

Dominic
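Tony mentions a script that checks whether neighbouring addresses have already been banned, so the notification email can hint at whether a whole range deserves a permanent ban. The Python below is an added example in that spirit; it is not Tony's script and not part of fail2ban. It parses the "NOTICE [jail] Ban <ip>" lines fail2ban writes to its own log (the log lines here are constructed), then reports other banned addresses in the same /24. The `threshold` knob in `range_ban_candidate` is a hypothetical policy choice, not a fail2ban setting.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed fail2ban.log excerpt for the example (not real traffic).
# Format follows fail2ban's own "NOTICE [jail] Ban <ip>" action log lines.
SAMPLE_LOG = """\
2017-10-14 06:40:12,101 fail2ban.actions [1234]: NOTICE [annoyances] Ban 203.0.113.17
2017-10-14 06:52:33,554 fail2ban.actions [1234]: NOTICE [annoyances] Ban 203.0.113.88
2017-10-14 07:01:05,009 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.9
2017-10-14 07:03:41,777 fail2ban.actions [1234]: NOTICE [annoyances] Ban 203.0.113.17
2017-10-14 07:10:58,212 fail2ban.actions [1234]: NOTICE [annoyances] Unban 203.0.113.88
2017-10-14 07:15:00,000 fail2ban.actions [1234]: NOTICE [annoyances] Ban 192.0.2.45
"""

# Matches only "Ban" lines; "Unban" does not match because "Ban" must follow whitespace.
BAN_RE = re.compile(r"NOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)")


def parse_bans(log_text):
    """Return {jail: {ip: ban_count}} for every Ban line in the log text.

    A notification-only jail (like Tony's "annoyances") still writes these
    lines, so this works whether or not the firewall is ever touched.
    """
    bans = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = BAN_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # skip a malformed address instead of failing on one bad line
        bans[m.group("jail")][str(ip)] += 1
    return {jail: dict(ips) for jail, ips in bans.items()}


def neighbours(ip, bans, prefixlen=24, jail=None):
    """Other banned addresses in the same /prefixlen block as `ip`.

    Returns {ip: total_ban_count}. Restrict to one jail with `jail=...`;
    by default all jails are pooled. For IPv6 pass a sensible prefixlen (e.g. 64).
    """
    target = ipaddress.ip_address(ip)
    net = ipaddress.ip_network(f"{target}/{prefixlen}", strict=False)
    seen = {}
    for j, ips in bans.items():
        if jail is not None and j != jail:
            continue
        for banned, count in ips.items():
            addr = ipaddress.ip_address(banned)
            if addr != target and addr.version == target.version and addr in net:
                seen[banned] = seen.get(banned, 0) + count
    return seen


def range_ban_candidate(ip, bans, prefixlen=24, threshold=2):
    """True when at least `threshold` other addresses in the block were banned.

    `threshold` is a hypothetical policy knob for this example, not a fail2ban option.
    """
    return len(neighbours(ip, bans, prefixlen)) >= threshold


if __name__ == "__main__":
    bans = parse_bans(SAMPLE_LOG)
    for jail, ips in bans.items():
        for ip, count in ips.items():
            near = neighbours(ip, bans)
            print(f"[{jail}] {ip} banned {count}x; neighbours in /24: {near or 'none'}")
```

To use it on a live host, replace `SAMPLE_LOG` with the contents of /var/log/fail2ban.log (and rotated copies, if you want the "last few months" context Tony describes) and call `neighbours()` for the address that triggered the current ban email.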