I have a jail which blocks IPs if they fail too many auth to our mail servers. I want to add a separate jail which does the same but with more aggressive thresholds (like maxretry=2 instead of maxretry=10) but only if the IP is from outside our country (or maybe some other factors too).
I think I have found the "common hack" that several people are using to do this: insert geoiplookup in the "actionban" so that the firewall only gets modified if the IP meets the geographic criteria you have set. For example: https://munkjensen.net/wiki/index.php/Access_control_using_Fail2Ban_and_geoip

This seems like it will work OK, but it will leave the fail2ban state and the firewall state out of sync with each other (fail2ban will report some IPs are banned which are not in fact being blocked). Am I silly to be concerned about this? Has anyone thought of a way around it?

I think a more natural place for this would be a dynamic whitelist in the filter, instead of pushing it to the banaction. I don't think that is possible in current fail2ban though. And if you were going to go to that much trouble, perhaps it would be better to just add geoip support to the whitelist instead of a generic dynamic whitelist facility.

Thanks,
Mark

-- 
Mark Costlow | Southwest Cyberport | Fax: +1-505-232-7975
[email protected] | Web: www.swcp.com | Voice: +1-505-232-7992

_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
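The following is an added example, not code from the post above or from the fail2ban project. It shows the two halves of what the post discusses: a country-gated actionban helper in the style of the "common hack" (the firewall is only touched when the IP is outside the home country), and a drift check that lists IPs fail2ban reports as banned but the firewall does not actually block. Everything is hypothetical: the home country "US", the chain name "f2b-postfix", the jail name "postfix", and the geoiplookup output strings and sample IP lists, which are constructed for the example.

```shell
#!/bin/sh
# Added example; not from the mailing-list post or from fail2ban itself.
# Assumptions (hypothetical): geoiplookup prints a single line of the form
# "GeoIP Country Edition: CC, Country Name"; the jail's chain is f2b-postfix;
# the home country is US. Sample data below is constructed.

# Extract the two-letter country code from a geoiplookup-style output line.
# Prints nothing for "IP Address not found" or any line it cannot parse.
country_code() {
    printf '%s\n' "$1" | sed -n 's/^GeoIP Country Edition: \([A-Z][A-Z]\),.*/\1/p'
}

# Policy for the aggressive jail: ban unless the IP resolves to the home
# country. A failed lookup (empty code) is treated as foreign so that a
# missing database never silently turns the jail off. Prints "ban" or "skip".
geo_ban_decision() {
    lookup_line=$1
    home=$2
    cc=$(country_code "$lookup_line")
    if [ -n "$cc" ] && [ "$cc" = "$home" ]; then
        echo skip
    else
        echo ban
    fi
}

# What a custom action.d actionban line could call (hypothetical). Note the
# drift the post describes: fail2ban records the ban on both branches, but
# only the "ban" branch inserts a firewall rule.
actionban_geo() {
    ip=$1
    if [ "$(geo_ban_decision "$(geoiplookup "$ip")" US)" = ban ]; then
        iptables -I f2b-postfix 1 -s "$ip" -j REJECT
    fi
}

# Drift check: given fail2ban's banned list and the firewall's blocked list
# (whitespace-separated IPs), print the IPs fail2ban thinks are banned that
# the firewall does not block, space-separated. Empty output means in sync.
banned_but_not_blocked() {
    f2b_list=$1
    fw_list=$2
    out=""
    for ip in $f2b_list; do
        found=0
        for blocked in $fw_list; do
            if [ "$ip" = "$blocked" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            out="$out$ip "
        fi
    done
    printf '%s' "${out% }"
}

# Live version of the drift check (assumed command output formats; not run
# here): fail2ban-client prints a "Banned IP list:" line, and
# "iptables -n -L <chain>" prints one REJECT line per banned source.
live_drift_check() {
    jail=$1
    chain=$2
    f2b=$(fail2ban-client status "$jail" | sed -n 's/.*Banned IP list:[[:space:]]*//p')
    fw=$(iptables -n -L "$chain" | awk '/REJECT/ { print $4 }')
    banned_but_not_blocked "$f2b" "$fw"
}

# Constructed sample state (documentation-range addresses) for a dry run:
# fail2ban believes three IPs are banned, the firewall only has two rules.
SAMPLE_F2B='198.51.100.4
203.0.113.7
192.0.2.9'
SAMPLE_FW='198.51.100.4
192.0.2.9'

# Dry run on the constructed data: prints "203.0.113.7", the IP whose ban
# the geo-gated actionban skipped while fail2ban still counts it as banned.
banned_but_not_blocked "$SAMPLE_F2B" "$SAMPLE_FW"
echo
```

To use the live check, run something like `live_drift_check postfix f2b-postfix` from cron and alert on non-empty output; that makes the mismatch the post is worried about visible instead of silent. The `geo_ban_decision` function deliberately treats unknown addresses as foreign, which is the safer failure mode for a jail whose whole point is aggressive blocking.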
