I decided to experiment with creating a central database to hold the IP addresses banned by various servers / honeypots running Fail2Ban – so that the information could be used as a source for IPtables or TCPWrappers to protect other servers.
I created the file /etc/fail2ban/action.d/qshield.conf and in it placed the following:
actionban = /usr/bin/curl -s "http://mywebaddress.com/blocklist.php?target_ip=<ip>&added_by=fail2ban&source_details=Fail2BanSSH"
actionunban = = /usr/bin/curl -s "http://mywebaddress.com/blocklist.php?target_ip=<ip>&added_by=fail2ban&source_details=Fail2BanSSH&action=unban"
Then editied /etc/fail2ban/jail.conf adding a qshield line below the iptables action as follows:
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
sendmail-whois[name=SSH, firstname.lastname@example.org, email@example.com]
logpath = /var/log/secure
maxretry = 4
bantime = 1200
So the qshield action calls the web address blocklist.php that contains PHP code to add the details to a database for example:
$db = mysql_connect($DBHOST,$DBUSER,$DBPASS);
$query = “INSERT INTO blocklist (target_ip,source_ip,source_details,cdate,added_by) VALUES (‘”.$strTargetIp.”‘,'”.$strSourceIp.”‘,'”.$strSourceDetails.”‘,'”.date(‘Y-m-d H:i:s’).”‘,'”.$strAddedBy.”‘)”;
$result = mysql_query($query);
echo “OK IP added “.$strTargetIp;
echo “Oops there was a problem!”;
Obviously to improve the whole setup I would need to add API keys to authroise the adding of entries but I am still playing about with this.