Fail2Ban Custom Action

I decided to experiment with creating a central database to hold the IP addresses banned by various servers / honeypots running Fail2Ban – so that the information could be used as a source for IPtables or TCPWrappers to protect other servers.

I created the file /etc/fail2ban/action.d/qshield.conf and in it placed the following:

Then editied /etc/fail2ban/jail.conf adding a qshield line below the iptables action as follows:

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
qshield
sendmail-whois[name=SSH, dest=jonny@myaddress.com, sender=webmaster@myaddress.com]
logpath  = /var/log/secure
maxretry = 4
bantime  = 1200

So the qshield action calls the web address blocklist.php that contains PHP code to add the details to a database for example:

$strTargetIp=filter_var($_REQUEST[‘target_ip’], FILTER_VALIDATE_IP);
$strSourceIp=$_SERVER[‘REMOTE_ADDR’];
$strAddedBy=addslashes($_REQUEST[‘added_by’]);
$strSourceDetails=addslashes($_REQUEST[‘source_details’]);

$DBHOST=”localhost”;
$DBUSER=”blocklists”;
$DBPASS=”topsecret”;
$DBNAME=”blocklists”;

$db = mysql_connect($DBHOST,$DBUSER,$DBPASS);
mysql_select_db($DBNAME);
$query = “INSERT INTO blocklist (target_ip,source_ip,source_details,cdate,added_by) VALUES (‘”.$strTargetIp.”‘,'”.$strSourceIp.”‘,'”.$strSourceDetails.”‘,'”.date(‘Y-m-d H:i:s’).”‘,'”.$strAddedBy.”‘)”;
$result = mysql_query($query);
if($result){
echo “OK IP added “.$strTargetIp;
}else{
echo “Oops there was a problem!”;
}
Obviously to improve the whole setup I would need to add API keys to authroise the adding of entries but I am still playing about with this.

Leave a Reply

  • (will not be published)

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">