extending fail2ban

Brian Jedsen jedsen at gmail.com
Thu May 22 17:13:07 UTC 2008


On Thu, 22 May 2008 09:42:11 -0700
"Don Russell" <fedora at drussell.dnsalias.com> wrote:

> I installed fail2ban and it seems to do a nice job of reporting
> people knocking at my door and shutting them down temporarily.
> 
> Is there any doc on how I could add other "intruder detection".... :-)
> man fail2ban and info fail2ban come up dry. :-(
> The fedora project page doesn't have anything on it either:
>  https://admin.fedoraproject.org/pkgdb/packages/name/fail2ban
> 
> i.e. I have an application I run via xinetd.
> 
> If the client tries to connect with the incorrect protocol, I just
> respond with a terse "wrong protocol" message and exit.
> 
> My xinet logs show the same IP address connecting with the wrong
> protocol over and over... They're obviously "up to no good" :-).
> 
> How can I "teach" fail2ban to block those people too?
> 
> It's not a password violation.. there's no password on it... it's
> meant for public consumption, but only if you are using the correct
> protocol.
> 
> I could do my own "blocking", but I'd like to use the tools that are
> already there.
> 
> Thanks,
> 
You'd have to set up a new jail along with a new filter and an action.
You could probably reuse the action from any of the other fail2ban
rules. The hard part would be finding the right regular expression that
matches these entries when fail2ban scans your logs.
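
An added example, not part of the original post: a simplified Python model of how a filter's failregex and a jail's maxretry/findtime settings pick out hosts to ban, useful for trying a candidate expression before putting it in a filter file. The log wording, the "myapp" name, the sample lines and the IPv4-only expansion of <HOST> are assumptions made for the sketch.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical filter line as it would sit under [Definition] in a
# filter.d/*.conf file; the log wording is an assumption.
FAILREGEX = r"myapp\[\d+\]: wrong protocol from <HOST>$"
MAXRETRY = 3                       # jail setting: hits needed for a ban
FINDTIME = timedelta(seconds=600)  # jail setting: window for counting hits

# Constructed sample log lines (syslog style), not from the original post.
SAMPLE_LOG = """\
May 22 09:40:01 gw myapp[811]: wrong protocol from 203.0.113.7
May 22 09:40:05 gw myapp[812]: session ok from 198.51.100.20
May 22 09:40:09 gw myapp[813]: wrong protocol from 203.0.113.7
May 22 09:41:30 gw myapp[814]: wrong protocol from 198.51.100.99
May 22 09:42:11 gw myapp[815]: wrong protocol from 203.0.113.7
May 22 10:30:00 gw myapp[816]: wrong protocol from 198.51.100.99
May 22 10:55:00 gw myapp[817]: wrong protocol from 198.51.100.99
"""

def compile_failregex(failregex):
    """Expand <HOST> to a named group, simplified to IPv4 for this sketch."""
    host = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
    return re.compile(failregex.replace("<HOST>", host))

def hosts_to_ban(log_text, failregex=FAILREGEX, year=2008):
    """Return hosts with MAXRETRY matches inside a sliding FINDTIME window."""
    pattern = compile_failregex(failregex)
    hits = defaultdict(list)
    banned = []
    for line in log_text.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied
        when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        host = m.group("host")
        # keep only earlier hits still inside the window, then add this one
        hits[host] = [t for t in hits[host] if when - t <= FINDTIME] + [when]
        if len(hits[host]) >= MAXRETRY and host not in banned:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

The fail2ban-regex tool that ships with fail2ban runs a failregex against a real log file and is the check to use before enabling the jail.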



