I decided to experiment with creating a central database to hold the IP addresses banned by various servers / honeypots running Fail2Ban, so that the information could be used as a source for iptables or TCP Wrappers to protect other servers.
I created the file /etc/fail2ban/action.d/qshield.conf and in it placed the following:
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = /usr/bin/curl -s "http://mywebaddress.com/blocklist.php?target_ip=<ip>&added_by=fail2ban&source_details=Fail2BanSSH"
actionunban = /usr/bin/curl -s "http://mywebaddress.com/blocklist.php?target_ip=<ip>&added_by=fail2ban&source_details=Fail2BanSSH&action=unban"
Then I edited /etc/fail2ban/jail.conf, adding a qshield line below the iptables action as follows (the continuation lines of a multi-line action value must be indented or Fail2Ban will not parse them):
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         qshield
         sendmail-whois[name=SSH, dest=jonny@myaddress.com, sender=webmaster@myaddress.com]
logpath = /var/log/secure
maxretry = 4
bantime = 1200
So the qshield action calls the web address blocklist.php, which contains PHP code to add the details to a database, for example:
<?php
// Reject anything that is not a syntactically valid IP before touching the database;
// filter_var() returns false on failure, which the original code would have inserted as "".
$strTargetIp = filter_var($_REQUEST['target_ip'] ?? '', FILTER_VALIDATE_IP);
if ($strTargetIp === false) {
    http_response_code(400);
    exit("Oops invalid target_ip");
}
$strSourceIp = $_SERVER['REMOTE_ADDR'];
$strAddedBy = $_REQUEST['added_by'] ?? '';
$strSourceDetails = $_REQUEST['source_details'] ?? '';
// Note: the action=unban parameter sent by actionunban is not handled here; every call inserts a row.

$DBHOST = "localhost";
$DBUSER = "blocklists";
$DBPASS = "topsecret";
$DBNAME = "blocklists";

// The mysql_* extension was removed in PHP 7; mysqli with a prepared statement binds the
// request parameters as data, so addslashes() is no longer needed to protect the query.
$db = new mysqli($DBHOST, $DBUSER, $DBPASS, $DBNAME);
if ($db->connect_error) {
    exit("Oops there was a problem!");
}
$stmt = $db->prepare(
    "INSERT INTO blocklist (target_ip, source_ip, source_details, cdate, added_by) VALUES (?, ?, ?, ?, ?)"
);
$cdate = date('Y-m-d H:i:s');
$stmt->bind_param("sssss", $strTargetIp, $strSourceIp, $strSourceDetails, $cdate, $strAddedBy);
if ($stmt->execute()) {
    echo "OK IP added " . $strTargetIp;
} else {
    echo "Oops there was a problem!";
}
Obviously, to improve the whole setup I would need to add API keys to authorise the adding of entries, but I am still playing about with this.
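The post covers only the producer side (Fail2Ban pushing bans into the database). The consumer side, which is the stated purpose of the database, is shown below as an added example written for this page; it is not code from the original post. It assumes things the post does not state: that blocklist.php answers ?action=list with one IPv4 address per line, that the API key the post says it still needs is read from /etc/qshield.key and sent as an X-Api-Key header rather than in the URL (so it stays out of web-server access logs), and that ipset and iptables are available and the script runs as root. The set name qshield is also an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): pull the central blocklist onto
# another server and load it into an ipset that an iptables rule drops from.
# Assumed endpoint/key file/set name; adjust to match your own deployment.
BLOCKLIST_URL="http://mywebaddress.com/blocklist.php?action=list"
KEY_FILE="/etc/qshield.key"
SET_NAME="qshield"

# Keep only syntactically valid dotted-quad IPv4 addresses. Blank lines, comments,
# CRLF line endings, an HTML error page or an "Oops there was a problem!" body are
# all discarded so nothing unexpected is ever fed to "ipset restore".
filter_ipv4() {
    awk '
    { sub(/\r$/, "") }
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        split($0, o, ".")
        if (o[1] <= 255 && o[2] <= 255 && o[3] <= 255 && o[4] <= 255) print $0
    }'
}

# Turn a list of addresses (on stdin) into an "ipset restore" stream that fills a
# temporary set and atomically swaps it in, so a partial or failed download never
# leaves the live set empty. Duplicates are removed before the add lines are emitted.
build_ipset_restore() {
    set_name="$1"
    printf 'create %s hash:ip\n' "$set_name"
    printf 'create %s-tmp hash:ip\n' "$set_name"
    printf 'flush %s-tmp\n' "$set_name"
    filter_ipv4 | sort -u | while read -r ip; do
        printf 'add %s-tmp %s\n' "$set_name" "$ip"
    done
    printf 'swap %s-tmp %s\n' "$set_name" "$set_name"
    printf 'destroy %s-tmp\n' "$set_name"
}

# Fetch the list (curl -f makes an HTTP error an empty input rather than an HTML
# page), rebuild the set, and make sure the DROP rule referencing it exists once.
refresh_blocklist() {
    key=$(cat "$KEY_FILE")
    curl -fsS -H "X-Api-Key: ${key}" "$BLOCKLIST_URL" \
        | build_ipset_restore "$SET_NAME" \
        | ipset -exist restore
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

# Only touch the firewall when explicitly asked (e.g. from cron: qshield-pull.sh --apply).
case "${1:-}" in
    --apply) refresh_blocklist ;;
esac
```

Because the set is rebuilt by swap rather than flushed and refilled in place, a run that is interrupted halfway leaves the previous list active; and because the filter drops anything that is not an IPv4 address, a misbehaving endpoint cannot inject arbitrary ipset commands into the restore stream. Unbans propagate on the next pull, since the set is rebuilt from the current list each time.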