Fail2Ban Custom Action

I decided to experiment with creating a central database to hold the IP addresses banned by various servers / honeypots running Fail2Ban – so that the information could be used as a source for IPtables or TCPWrappers to protect other servers.

I created the file /etc/fail2ban/action.d/qshield.conf and in it placed the following:

[Definition]
actionstart =
actionstop =
actioncheck =
# <ip> is replaced by Fail2Ban with the banned address; the URL must be the full
# address of blocklist.php with target_ip=<ip> as its first query parameter
actionban = /usr/bin/curl -s "<ip>&added_by=fail2ban&source_details=Fail2BanSSH"
actionunban = /usr/bin/curl -s "<ip>&added_by=fail2ban&source_details=Fail2BanSSH&action=unban"

Then edited /etc/fail2ban/jail.conf, adding a qshield line below the iptables action so that both actions run on a ban, as follows:

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           qshield
logpath  = /var/log/secure
maxretry = 4
bantime  = 1200

So the qshield action calls the web page blocklist.php, which contains PHP code to add the details to a database, for example:

$db = mysql_connect($DBHOST,$DBUSER,$DBPASS);
mysql_select_db($DBNAME, $db);   // $DBNAME assumed alongside $DBHOST/$DBUSER/$DBPASS

// target_ip, added_by and source_details are the query parameters sent by the curl action;
// FILTER_VALIDATE_IP returns false if target_ip is not a valid address
$strTargetIp      = filter_var($_REQUEST['target_ip'], FILTER_VALIDATE_IP);
$strSourceIp      = $_SERVER['REMOTE_ADDR'];   // the reporting host, not a request parameter
$strSourceDetails = mysql_real_escape_string($_REQUEST['source_details'], $db);
$strAddedBy       = mysql_real_escape_string($_REQUEST['added_by'], $db);

$query = "INSERT INTO blocklist (target_ip,source_ip,source_details,cdate,added_by) VALUES ('".$strTargetIp."','".$strSourceIp."','".$strSourceDetails."','".date('Y-m-d H:i:s')."','".$strAddedBy."')";
$result = ($strTargetIp !== false) && mysql_query($query, $db);
if ($result) {
    echo "OK IP added ".$strTargetIp;
} else {
    echo "Oops there was a problem!";
}
Obviously to improve the whole setup I would need to add API keys to authorise the adding of entries, but I am still playing about with this.
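As an added example (not the post's own code), here is what blocklist.php looks like once the two gaps above are closed: callers must present an API key, and the values from the request are bound into a prepared statement instead of being concatenated into the SQL string. It takes the same parameters the curl actions send (target_ip, added_by, source_details and action=unban). The DSN, credentials, the per-host key table and the X-API-Key header name are assumptions for the example.

```php
<?php
// Added example: hardened blocklist.php for the Fail2Ban qshield action.
// Matching Fail2Ban action line (the key travels in a header, not in the URL):
//   actionban = /usr/bin/curl -s -H "X-API-Key: k3y-for-honeypot1" \
//       "https://HOST/blocklist.php?target_ip=<ip>&added_by=fail2ban&source_details=Fail2BanSSH"
// DSN, credentials and keys below are assumed values for the example.
$DB_DSN   = 'mysql:host=localhost;dbname=blocklist;charset=utf8mb4';
$DB_USER  = 'blocklist';
$DB_PASS  = 'change-me';
// One key per reporting host, so a leaked key identifies (and revokes) one reporter.
$API_KEYS = ['honeypot1' => 'k3y-for-honeypot1', 'webserver2' => 'k3y-for-webserver2'];

header('Content-Type: text/plain');

// 1. Authenticate the caller with a constant-time comparison of the presented key.
$key    = $_SERVER['HTTP_X_API_KEY'] ?? '';
$caller = null;
foreach ($API_KEYS as $name => $candidate) {
    if (hash_equals($candidate, $key)) {
        $caller = $name;
    }
}
if ($caller === null) {
    http_response_code(403);
    exit("Forbidden");
}

// 2. Validate every field before it goes anywhere near the database.
$targetIp = filter_var($_REQUEST['target_ip'] ?? '', FILTER_VALIDATE_IP);
$action   = (($_REQUEST['action'] ?? 'ban') === 'unban') ? 'unban' : 'ban';
$details  = substr(preg_replace('/[^A-Za-z0-9_.:-]/', '', $_REQUEST['source_details'] ?? ''), 0, 64);
$addedBy  = substr(preg_replace('/[^A-Za-z0-9_.:-]/', '', $_REQUEST['added_by'] ?? ''), 0, 64);
if ($targetIp === false) {
    http_response_code(400);
    exit("Bad target_ip");
}

// 3. Bind the values with PDO prepared statements; nothing from the request is
//    concatenated into the SQL text, so a crafted source_details cannot inject.
try {
    $db = new PDO($DB_DSN, $DB_USER, $DB_PASS, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    if ($action === 'ban') {
        $stmt = $db->prepare('INSERT INTO blocklist (target_ip, source_ip, source_details, cdate, added_by)
                              VALUES (:ip, :src, :details, NOW(), :by)');
    } else {
        // Unban removes only the rows this reporter added for this address.
        $stmt = $db->prepare('DELETE FROM blocklist WHERE target_ip = :ip AND source_ip = :src
                              AND source_details = :details AND added_by = :by');
    }
    $stmt->execute([
        ':ip'      => $targetIp,
        ':src'     => $_SERVER['REMOTE_ADDR'],   // who reported it, taken from the connection
        ':details' => $details,
        ':by'      => $addedBy,
    ]);
    echo "OK {$action} {$targetIp} (reported by {$caller})";
} catch (PDOException $e) {
    error_log('blocklist.php: ' . $e->getMessage());  // detail stays in the server log
    http_response_code(500);
    echo "Oops there was a problem!";
}
```

Serve this over HTTPS only; the API key is a bearer secret, and sending it over plain HTTP from every honeypot would hand it to anyone on the path. Keeping source_ip from REMOTE_ADDR rather than from the request also means a reporter cannot attribute entries to another host.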
