fail2ban - Add Details (Login Name)
Often large Companies with lots of Workstations are getting blocked because 1 Client in their Office is trying to log in with a wrong Password (imap/pop/smtp) - then the whole Office is getting blocked and the search for which PC/which User is causing the block starts ...
It would help big time if one got a reference to which Login Name / Username caused the block as additional Info next to the IP ...
Won't help on Brute Force Attacks where the Username changes ... but on this Scenario it would be a big Timesaver ...
Thank you for your input! We will consider this functionality in upcoming releases if it will be popular.
Everyone, please continue voting for this feature if you consider it important.
Andreas Schnederle-Wagner commented
Of course it is possible to add further Details of the blocking ...
Example for proftp Login Failure:
May 30 10:15:46 servername proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1 ruser=USERNAME rhost=0.0.0.0 user=USERNAME
Example for Mail:
May 30 10:35:22 servername plesk_saslauthd: failed mail authenticatication attempt for user 'firstname.lastname@example.org' (password len=8)
With fail2ban >= 0.10 the "<F-USER>" Tag was introduced to get exactly this behaviour ... see: https://github.com/fail2ban/fail2ban/issues/2144
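Added example, not part of the thread and not fail2ban's or Plesk's own code: the login-name extraction discussed in the comment above, run over the two log lines it quotes plus one constructed proftpd line. Plain Python named groups stand in for fail2ban's tag syntax; the function names, the NO_HOST label and the OTHERUSER line are assumptions.

```python
import re
from collections import defaultdict

# Log lines quoted in the thread, plus one constructed proftpd line
# (OTHERUSER) to show several login names failing from one address.
SAMPLE_LOG = """\
May 30 10:15:46 servername proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1 ruser=USERNAME rhost=0.0.0.0 user=USERNAME
May 30 10:35:22 servername plesk_saslauthd: failed mail authenticatication attempt for user 'firstname.lastname@example.org' (password len=8)
May 30 10:36:01 servername proftpd: pam_unix(proftpd:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/ftpd1 ruser=OTHERUSER rhost=0.0.0.0 user=OTHERUSER
"""

# Named groups capture the address and login name (assumption: this is plain
# Python re, not fail2ban's own filter syntax).
PATTERNS = [
    re.compile(r"proftpd: pam_unix\(proftpd:auth\): authentication failure;.*"
               r"\brhost=(?P<host>\S+)\s+user=(?P<user>\S+)"),
    # \w* tolerates the misspelling present in the quoted log line.
    re.compile(r"plesk_saslauthd: failed mail authenticat\w* attempt "
               r"for user '(?P<user>[^']*)'"),
]

# The quoted saslauthd line carries a login name but no client address, so
# it cannot be tied to a banned IP from this line alone.
NO_HOST = "(no address in line)"


def parse_failure(line):
    """Return (host, user) for a failed-login line, or None if nothing matches."""
    for pattern in PATTERNS:
        match = pattern.search(line)
        if match:
            groups = match.groupdict()
            return groups.get("host"), groups["user"]
    return None


def users_by_host(log_text):
    """Map each source address to the distinct login names that failed from it."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        hit = parse_failure(line)
        if hit is None:
            continue
        host, user = hit
        if user not in seen[host or NO_HOST]:
            seen[host or NO_HOST].append(user)
    return dict(seen)


if __name__ == "__main__":
    for host, users in users_by_host(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(users)}")
```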
That's not how Fail2Ban works.
It filters the logs looking for brute force or attack patterns.
When it finds one, it just blocks the IP.
You cannot do that user-based.
Either educate them better or increase the limits of fail2ban.
This would be great, but I don't think it's actually possible with Fail2Ban. I've tried to modify jail actions so that the offending log file is sent with the action alert, but even that has proven to be very difficult. Fail2Ban is not "aware" of any username that caused the ban, it only "knows" about the line in a log file that matches a filter.