1
votes

I have fail2ban running to protect our freeswitch servers against attack. When an IP address has too many failed logins, it gets banned. I'd like to get notification of which account is being attacked - not just the IP address.

So a log line might be:

2015-09-11 08:27:40.212155 [WARNING] sofia_reg.c:1477 SIP auth failure (REGISTER) on sofia profile 'internal' for [[email protected]@004-2025.sb12.dmclub.org] from ip 78.31.75.181

I would like an email sent (or some php script run) that includes the [[email protected]@004-2025.sb12.dmclub.org] bit (or even just the whole line).

Is that possible?

My guess is that it isn't, just due to the flow of data from many rows with a common host, so I'm not holding my breath! ;-)

1
Stack Overflow is for programming questions; questions about non-programming tools like firewalls, etc. are off-topic. You may want to check if your question is on-topic on Server Fault or Super User instead. - Colonel Thirty Two

1 Answer

2
votes

If you configure fail2ban to use the action_mwl Action Shortcut, it will send you a mail with whois information and the full log line.

In /etc/fail2ban/jail.conf, make sure the action setting is set to:

action = %(action_mwl)s
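
Added example, not part of the answer above and not fail2ban's own code: a standalone parser for the FreeSWITCH auth-failure line format quoted in the question, which groups failures by source IP and lists the accounts each IP targeted. The function names, the threshold of 3 and the sample log lines (documentation IP ranges, example.org domain) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches the FreeSWITCH sofia_reg.c auth-failure line quoted in the question.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ \[WARNING\] sofia_reg\.c:\d+ "
    r"SIP auth failure \((?P<method>\w+)\) on sofia profile '(?P<profile>[^']+)' "
    r"for \[(?P<account>[^\]]*)\] from ip (?P<ip>\S+)\s*$"
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
2015-09-11 08:27:40.212155 [WARNING] sofia_reg.c:1477 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@pbx.example.org] from ip 203.0.113.7
2015-09-11 08:27:41.100001 [WARNING] sofia_reg.c:1477 SIP auth failure (REGISTER) on sofia profile 'internal' for [1002@pbx.example.org] from ip 203.0.113.7
2015-09-11 08:27:42.300412 [WARNING] sofia_reg.c:1477 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@pbx.example.org] from ip 203.0.113.7
2015-09-11 08:27:43.000000 [NOTICE] switch_channel.c:1104 New Channel sofia/internal/1003@pbx.example.org
2015-09-11 08:28:02.554120 [WARNING] sofia_reg.c:1477 SIP auth failure (INVITE) on sofia profile 'internal' for [1003@pbx.example.org] from ip 198.51.100.23
"""

def parse_failures(text):
    """Yield (ip, account, raw_line) for each auth-failure line; skip all others."""
    for line in text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            yield m["ip"], m["account"], line

def accounts_by_ip(text, threshold=3):
    """Return {ip: {account: count}} for IPs with at least `threshold` failures."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for ip, account, _ in parse_failures(text):
        per_ip[ip][account] += 1
    return {ip: dict(accts) for ip, accts in per_ip.items()
            if sum(accts.values()) >= threshold}

def format_report(text, threshold=3):
    """Build a plain-text body suitable for a notification mail."""
    lines = []
    for ip, accts in sorted(accounts_by_ip(text, threshold).items()):
        lines.append(f"{ip}: {sum(accts.values())} failures")
        for account, n in sorted(accts.items()):
            lines.append(f"  {account}: {n}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(SAMPLE_LOG))
```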