Maykel Franco via arch-general <arch-general@xxxxxxxxxxxxxxxxxxx> wrote:
> Hi, I've configured fail2ban with action, filter for my php application.
>
> My app output log like this:
>
> unknown user foo (192.x.x.x)
>
> My jail conf:
>
> [php-app-login]
> enabled = true
> port = 80
> protocol = tcp
> filter = php-app-login
> logpath = /var/www/php-app-login/var/logs/dev.log
> findtime = 3600
> bantime = 86400
> maxretry = 3
> ignoreip = 127.0.0.1/8
>
> My filter definition:
>
> [Definition]
>
> failregex = unknown user .* \(<HOST>\)
> ignoreregex =
>
> It works well, but I like fail2ban add comment in iptables rule when add ban IP.
>
> For example:
>
> iptables -A INPUT -p tcp --dport 80 -m comment --comment "Ban foo" -j DROP
>
> iptables -L -n -v
>
> Chain INPUT (policy ACCEPT 94 packets, 23457 bytes)
> pkts bytes target prot opt in out source
> destination
> 0 0 DROP tcp -- * * 0.0.0.0/0
> 0.0.0.0/0 tcp dpt:80 /* Ban foo */
>
> I've googled and I think something needs to be changed in action but I
> can't find how to pass the user variable to that action.
Something along the following lines, though I could be wrong, or
incomplete. Create a local, customized, action.d/iptables-multiport.local
where:
1. you set up the rule with the commment?
2. if I understood you correctly, a possible alternative for the comment
would be to have a dedicated chain.
[Definition]
# Have a dedicated chain for php-app-login.
# f2b-php-app-login is expected to exists. Possibly set up by whatever
# sets iptables.
actionstart =
actionstop = iptables -F f2b-<name>
Again, I could be wrong, or incomplete.
--
u34
