Aha, ignorecommand looks perfect. Not sure how I missed that in my research. I implemented the actionban approach and it does work, but does have the problem I described. I'll change this to use ignorecommand now though.
Thank you!

Mark

On Sat, Oct 13, 2018 at 05:01:22PM +0200, Tom Hendrikx wrote:
> On 13-10-18 01:56, Mark Costlow wrote:
> > I have a jail which blocks IPs if they fail too many auth to our
> > mail servers. I want to add a separate jail which does the same
> > but with more aggressive thresholds (like maxretry=2 instead of
> > maxretry=10) but only if the IP is from outside our country (or
> > maybe some other factors too).
> >
> > I think I have found the "common hack" that several people are using
> > to do this: insert geoiplookup in the "actionban" so that the
> > firewall only gets modified if the IP meets the geographic criteria
> > you have set.
> >
> > For example:
> > https://munkjensen.net/wiki/index.php/Access_control_using_Fail2Ban_and_geoip
> >
> > This seems like it will work OK, but it will leave the fail2ban
> > state and the firewall state out of sync with each other (fail2ban
> > will report some IPs are banned which are not in fact being blocked).
> >
> > Am I silly to be concerned about this? Has anyone thought of a way
> > around it?
> >
> > I think a more natural place for this would be a dynamic whitelist in
> > the filter, instead of pushing it to the banaction. I don't think that
> > is possible in current fail2ban though. And if you were going to go
> > to that much trouble, perhaps it would be better to just add geoip
> > support to the whitelist instead of a generic dynamic whitelist facility.
> >
> > Thanks,
> >
> > Mark
> >
>
> From jail.conf man page (0.9.3):
>
> ignorecommand
>
> command that is executed to determine if the current candidate IP for
> banning should not be banned. IP will not be banned if command returns
> successfully (exit code 0). Like ACTION FILES, tags like <ip> can
> be included in the ignorecommand value and will be substituted
> before execution. Currently only <ip> is supported, however more will be
> added later.
>
> Seems that this is created just for your needs, no hacks required.
>
> Kind regards,
>
> Tom
>
> _______________________________________________
> Fail2ban-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fail2ban-users

-- 
Mark Costlow  | Southwest Cyberport | Fax:   +1-505-232-7975
[email protected] | Web: www.swcp.com  | Voice: +1-505-232-7992
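The ignorecommand approach Tom points at, as an added worked example (this is not code from the thread or from the fail2ban project): a small helper script that fail2ban runs per candidate IP, plus the jail stanza that wires it in. The jail name, filter, log path, script path and the default allowed country are assumptions for illustration; the output format parsed is that of the legacy geoiplookup/geoiplookup6 CLI. The one thing to get right is the sign of the exit status: fail2ban treats exit 0 as "ignore this IP", so for a "foreign IPs only" jail the script exits 0 for in-country addresses and non-zero for everything else. Because the decision is made before the ban is recorded, fail2ban's ban list and the firewall stay in sync, which is exactly the problem with doing the lookup in actionban.

```sh
#!/bin/sh
# fail2ban-ignore-geoip.sh -- ignorecommand helper for a "foreign only" jail.
# Added example; not part of the original thread or of fail2ban itself.
#
# Wire it into the aggressive jail in jail.local (jail name, filter,
# logpath and script path are assumptions for this example):
#
#   [postfix-sasl-foreign]
#   enabled       = true
#   filter        = postfix-sasl
#   logpath       = /var/log/mail.log
#   maxretry      = 2
#   ignorecommand = /usr/local/bin/fail2ban-ignore-geoip.sh <ip>
#
# fail2ban semantics: exit 0  => "ignore this IP" (do not ban)
#                     non-zero => proceed with the ban
# So we exit 0 for IPs in ALLOWED_COUNTRIES and 1 for everything else.

ALLOWED_COUNTRIES="${ALLOWED_COUNTRIES:-US}"   # space-separated ISO 3166 codes (assumed default)
GEOIP_CMD="${GEOIP_CMD:-geoiplookup}"          # legacy GeoIP CLI, IPv4 database
GEOIP6_CMD="${GEOIP6_CMD:-geoiplookup6}"       # same tool, IPv6 database

# Print the two-letter country code for an IP, or nothing if unknown.
# geoiplookup prints e.g. "GeoIP Country Edition: US, United States",
# geoiplookup6 prints "GeoIP Country V6 Edition: DE, Germany", and both
# print "...: IP Address not found" for unknown/private ranges.
country_code() {
    ip=$1
    case "$ip" in
        *:*) cmd=$GEOIP6_CMD ;;
        *)   cmd=$GEOIP_CMD ;;
    esac
    # Missing lookup tool: print nothing and let the caller decide.
    command -v "$cmd" >/dev/null 2>&1 || return 0
    "$cmd" "$ip" 2>/dev/null | awk -F': ' '
        /Country.*Edition/ {
            split($2, f, ",")
            if (f[1] ~ /^[A-Z][A-Z]$/) print f[1]
            exit
        }'
}

# Decision for fail2ban: return 0 = ignore (do not ban), 1 = ban.
should_ignore() {
    cc=$(country_code "$1")
    if [ -z "$cc" ]; then
        # Tool missing, database stale, or private/unknown range.
        # Fail towards "ignore": the base jail (maxretry=10) still covers
        # this IP, and we avoid hitting local users with the aggressive
        # threshold just because GeoIP has no entry for them.
        return 0
    fi
    for c in $ALLOWED_COUNTRIES; do
        if [ "$c" = "$cc" ]; then
            return 0
        fi
    done
    return 1
}

# When invoked by fail2ban, the single argument is the substituted <ip>.
if [ $# -eq 1 ]; then
    should_ignore "$1"
    exit $?
fi
```

Two checks before relying on this in production: fail2ban-server runs the command as root, so the script must be root-owned and not group- or world-writable (anyone who can edit it chooses who gets banned); and the "unknown country means ignore" branch is a policy choice, so flip it to `return 1` if you would rather treat addresses missing from the database as foreign. Since the command runs once per candidate IP, fail2ban 0.10 and later can also memoise results with the `ignorecache` jail option.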
