On 2020/09/09 15:41, Rhys McWilliams wrote:
> I have my doubts about Fail2Ban being able to do that directly, but I've
> done something along those lines with OpenVPN tunnel connections.
> When an OpenVPN tunnel is established it is possible to run a script on
> the server side; you could for example send an email notifying someone
> that a VPN has connected. What I did is write a script that was run on a
> successful VPN connection and the script will use the public IP for the
> VPN and add it to the fail2ban ignoreip line in jail.local, using sed,
> and keep a record of the addition so that in a week or so the IP is
> removed from the ignoreip line and issue a fail2ban reload. This stopped
> fail2ban blocking the users who successfully authenticate their VPNs but
> still block the other malicious attempts...
I would like to leverage off the functionality that already exists in
fail2ban, i.e.:
- monitoring of log files
- triggering an action from a regex match on a logfile entry
- keeping a database of IP and time un-jail
So maybe something like:
- a "whitelist" jail
- successful authentications trigger add the IP to the "whitelist" jail
for a period.
Then a real jail:
- mail auth jail
- failed authentications warn/jail the IP
- then an "ignorecommand" action in this jail, runs a script which
returns true if the IP is already in the "whitelist" jail.
But first:
Has anybody tried anything like this before? I don't want to re-invent
the wheel.
What is the best means of determining if an IP address is currently
"jailed"? Maybe "fail2ban-client status <jail>"
Another question. Does fail2ban remember the "state" of IPs in a jail
between restarts?
Thanks
Ian
_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
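As an added illustration of the "ignorecommand" piece of the design above (this is not code from the thread or from the fail2ban project): fail2ban runs the configured `ignorecommand` with the candidate address substituted for `<ip>` and treats exit status 0 as "do not ban". The script below answers 0 when the address is currently listed in a separate "whitelist" jail, which it detects by parsing the output of `fail2ban-client status <jail>`, the command Ian suggests. The jail name `mail-whitelist`, the script path and the sample status text are assumptions; the parsing function is kept separate from the `fail2ban-client` call so it can be exercised on constructed output without a running server.

```shell
#!/bin/sh
# Added example, not part of the original thread: an ignorecommand helper
# that reports whether an IP is currently banned in a "whitelist" jail.
# Exit 0 means "ignore this IP" to fail2ban, non-zero means "go ahead".

# Name of the jail that records successful authentications (assumption).
WHITELIST_JAIL="${WHITELIST_JAIL:-mail-whitelist}"

# ip_listed STATUS_TEXT IP
# Returns 0 if IP appears as a whole token on the "Banned IP list:" line of
# the supplied `fail2ban-client status` output, 1 otherwise.  Whole-token
# matching matters: 10.0.0.1 must not be accepted just because 10.0.0.10 is
# listed, and a prefix match would quietly widen the whitelist.
ip_listed() {
    status_text=$1
    ip=$2
    printf '%s\n' "$status_text" \
      | grep 'Banned IP list:' \
      | sed 's/^.*Banned IP list:[[:space:]]*//' \
      | tr ' \t' '\n\n' \
      | grep -qxF -- "$ip"
}

# ignore_ip IP
# Real entry point: query the running server for the whitelist jail and
# decide.  Needs fail2ban-client on PATH and access to the fail2ban socket
# (normally root).  If the jail cannot be queried, fail closed (return 1) so
# an outage of the whitelist never disables banning.
ignore_ip() {
    status=$(fail2ban-client status "$WHITELIST_JAIL" 2>/dev/null) || return 1
    ip_listed "$status" "$1"
}

# Constructed sample of the layout `fail2ban-client status <jail>` prints
# (fail2ban separates the columns with tabs; spaces are used here and the
# parser accepts either).
SAMPLE_STATUS='Status for the jail: mail-whitelist
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     3
|  `- File list:        /var/log/mail.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     5
   `- Banned IP list:   203.0.113.10 198.51.100.7'

# When invoked by fail2ban the IP arrives as the first argument.
if [ -n "$1" ]; then
    ignore_ip "$1"
fi
```

Wired in with `ignorecommand = /usr/local/sbin/f2b-whitelisted.sh <ip>` in the mail auth jail (path assumed), every would-be ban is first checked against the whitelist jail. The whitelist jail itself must use an action whose ban step does not touch the firewall, otherwise successful logins would be blocked; fail2ban only records the address and its expiry for it. On the persistence question: fail2ban 0.10 and later record bans in the sqlite database named by `dbfile` in fail2ban.conf and re-apply the still-valid ones when the server starts, so the whitelist jail survives a restart as long as `dbpurgeage` has not expired the entries.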