How to add a jail for specific IPs in fail2ban


I would like to add a specific list of IPs for which I would like to get an email from Fail2ban after they make a couple of "GET" requests.

The pattern to look for in Apache's access logs is ^1.2.3.4 - .*$ but fail2ban-regex fails (and I can't blame it) by saying:

Cannot remove regular expression. Index 0 is not valid
No 'host' group in ^1.2.3.4 - .*$

Is there any way I can set the "HOST" variable in custom filters/jails?

Best Answer

The regex needs to have a (parentheses) grouping for the IP address so fail2ban knows what IP to ban:

In every line of failregex, the part that matches the host name or IP address must be wrapped in a (?P<host> ... ) sandwich. This is a Python-specific regex extension that assigns the contents of the match to the name <host>. The <host> tag is how you tell fail2ban which host was connecting, so it has to be present in every line of failregex. If it's not, fail2ban will issue an error message about "No 'host' group".

In your case, your regex should be

^(?P<host>1.2.3.4) - .*$
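The following is an added example, not part of the original answer: it builds a single failregex for a list of watched IPs with the named host group and checks it against log lines using Python's re module, the regex dialect the answer refers to. The function names and the sample log lines are assumptions constructed for illustration; fail2ban itself is not invoked.

```python
import ipaddress
import re

def build_failregex(ips):
    """Build one failregex that matches only the listed IPv4 addresses."""
    # Validate each address, then escape it so every "." is a literal dot.
    escaped = [re.escape(str(ipaddress.IPv4Address(ip))) for ip in ips]
    # fail2ban reads the offending address from the named group "host".
    return r"^(?P<host>" + "|".join(escaped) + r") - .*$"

def has_host_group(pattern):
    """True if the pattern defines the named group the error message asks for."""
    return "host" in re.compile(pattern).groupindex

def matched_hosts(pattern, lines):
    """Return the captured host for every line the pattern matches."""
    rx = re.compile(pattern)
    return [m.group("host") for m in map(rx.search, lines) if m]

# Constructed sample lines in Apache access-log layout (not real traffic).
SAMPLE_LOG = [
    '1.2.3.4 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512',
    '5.6.7.8 - - [10/Oct/2023:13:55:40 +0000] "GET /login HTTP/1.1" 200 734',
    '1.2.3.45 - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 200 512',
    '9.9.9.9 - - [10/Oct/2023:13:55:42 +0000] "GET /?q=1.2.3.4 HTTP/1.1" 200 90',
    '1x2x3x4 - - [10/Oct/2023:13:55:43 +0000] "GET / HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    pattern = build_failregex(["1.2.3.4", "5.6.7.8"])
    print(pattern)
    print(has_host_group(pattern), matched_hosts(pattern, SAMPLE_LOG))
```

The anchored start and the trailing " - " keep 1.2.3.45 and the query-string occurrence of 1.2.3.4 from matching, and escaping the dots keeps a non-IP first field such as 1x2x3x4 from being captured as the host.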