Support for BSD ip or pf
Would it be possible to add support for BSD ip or pf?
See  for some script that does this.
It is copied below for convenience:

list of banned addresses:
sudo pfctl -t fail2ban -T show

FAIL2BAN EDITS FOR PF ON FREEBSD
Chris Jones - 2009.06.17

============================================================
./jail.conf:

# PF jail
[ssh-pf]
enabled  = true
filter   = sshd
action   = pf
           sendmail-whois[name=SSH, dest=email at domain.com]
logpath  = /var/log/auth.log

============================================================
./action.d/pf.conf:

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = pfctl -t fail2ban -T add <ip>
# Delete the exact address. Piping the table through "grep <ip>" also matches
# longer addresses containing it (1.2.3.4 matches 1.2.3.40 and 11.2.3.4).
actionunban = pfctl -t fail2ban -T delete <ip>

[Init]
port = ssh
localhost = 127.0.0.1

============================================================
/etc/pf.conf:

table <fail2ban> persist
block in on $ext_if from <fail2ban>
Banning entire countries' IPs
Automatic abuse mail sending
Would it be possible to add a hook that can detect the abuse mail address for that IP (with whois at first, and maybe some better tool afterwards) and send an automatic email to the abuse address with the incriminating portion of the log?
It can be useful in 2 cases:
- a hoster can know that someone is misusing its service. And if not, some server is hacked and must be reinstalled.
- the user of a server can receive an abuse mail without knowing his box is hacked, so he can take action to get his box clean.
I think it's a virtuous circle IF the abuse mail is treated as it should be ;)
Munin/cacti/rrd action?
The asynchronous file survey is awesome in terms of efficiency compared to the "grep pattern | wc -l" shipped with cacti or munin.
I am already developing a counter updater in Perl (that I later use with munin) that I use as an action in fail2ban, but (I guess it's not development but a cookbook) couldn't that be generalized?
In this case, maybe lordOfTheFile (one program to survey them all) would be a better name than fail2ban :)
Fail2ban has the means to be a cool platform to get rid of archaic scripts for server survey. And as for munin, it is a specialized, efficient tool. Those two projects are really complementary.
Add a success filter to reset the retry counter
There is currently no way to reset the retry counter for an IP if that IP made a successful login. It would be useful to have a filter rule that detects a successful login from that HOST. The default action could reset the counter. This would also better match with the expectation of a common user.
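A sketch of the requested behaviour, added here as an illustration and not fail2ban's own code: a per-host failure counter run over constructed sshd log lines, with and without the reset on a successful login. The reset_on_success switch and the process function are hypothetical names, and the time window (findtime) is left out.

```python
import re
from collections import defaultdict

# Constructed sshd auth.log lines (documentation-range addresses).
SAMPLE_LOG = """\
Jun 17 10:00:01 host sshd[101]: Failed password for root from 192.0.2.10 port 4001 ssh2
Jun 17 10:00:03 host sshd[102]: Failed password for invalid user admin from 192.0.2.10 port 4002 ssh2
Jun 17 10:00:05 host sshd[103]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Jun 17 10:00:09 host sshd[104]: Failed password for alice from 198.51.100.7 port 5002 ssh2
Jun 17 10:00:15 host sshd[105]: Accepted password for alice from 198.51.100.7 port 5003 ssh2
Jun 17 10:00:20 host sshd[106]: Failed password for root from 192.0.2.10 port 4003 ssh2
Jun 17 10:05:00 host sshd[107]: Failed password for alice from 198.51.100.7 port 5004 ssh2
"""

# Anchored at both ends so log-like text inside a user name cannot be read
# as the peer address or as a successful login.
PREFIX = r"^\w{3}\s+\d+ [\d:]+ \S+ sshd\[\d+\]: "
FAIL_RE = re.compile(PREFIX + r"Failed \S+ for (?:invalid user )?.* from (?P<host>\S+) port \d+ ssh2$")
OK_RE = re.compile(PREFIX + r"Accepted \S+ for .* from (?P<host>\S+) port \d+ ssh2$")


def process(lines, maxretry=3, reset_on_success=True):
    """Return (hosts banned, in order; failure counts still pending)."""
    failures, banned = defaultdict(int), []
    for line in lines:
        ok = OK_RE.match(line)
        if ok:
            if reset_on_success:
                # Proposed behaviour: success clears that host's counter.
                failures.pop(ok.group("host"), None)
            continue
        fail = FAIL_RE.match(line)
        if not fail or fail.group("host") in banned:
            continue
        host = fail.group("host")
        failures[host] += 1
        if failures[host] >= maxretry:
            banned.append(host)
            del failures[host]
    return banned, dict(failures)


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, process(SAMPLE_LOG.splitlines(), reset_on_success=flag))
```

Without the reset, the user who mistyped a password twice, logged in, and mistyped once more later is banned; with it, only the host that never logged in successfully is.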