Not Blocking

Let’s configure fail2ban to watch a log, but not block an IP address

Fail2ban was made with the idea of blocking an IP address, and so it requires an IP address or host. There are cases in which you just want to know some information from a log when it happens, but you don’t want to block anyone. You can do this with a workaround.

I am adding a new section [auth-log] to the file /etc/fail2ban/jail.d/jail-debian.local.

enabled = true
port    = 80
filter  = wp-auth-filter
logpath = /var/log/apache2/error.log
maxretry = 2
bantime = 20
findtime = 180
action =  iptables-allports
ignoreip =

enabled = true
filter  = auth-log-filter
logpath = /var/log/auth.log
maxretry = 1
bantime = 1
findtime = 10
action =  auth-log-action

The line of text that the filter will look for in /var/log/auth.log is:

Nov 13 16:40:01 xm CRON[20847]: pam_unix(cron:session): session closed for user root

I create the file /etc/fail2ban/filter.d/auth-log-filter.conf.

failregex = .+?xm <HOST>\[(\d{1,10})?\]:(.*)root
ignoreregex =

It is ironic that there is a hostname. “xm” is the name of the server, but you may not have any hostname in the log you want to watch.

The workaround is that fail2ban will see the text “CRON” and think it is a hostname. It will try to resolve that name on the network. So, I add this line to my /etc/hosts file: CRON # required by fail2ban

The IP address goes to nothing. It won’t actually be blocked, but fail2ban needs to resolve a name.

I create the file /etc/fail2ban/action.d/auth-log-action.conf.


actionban = TT=`/usr/bin/tail -1 /var/log/auth.log`
            /usr/local/bin/ "<UFO> Last Line of /var/log/auth.log: $TT"

I reload fail2ban:

service fail2ban reload

And, every 5 minutes, I receive this message:

Fail2Ban has been tricked into thinking there is a host named CRON.

Last modified November 11, 2020