Ah it seems they do: https://github.com/fail2ban/fail2ban/blob/master/config/action.d/iptables-ipset-proto6.conf
IDK enough about fail2ban to know whether I can assign a per proto or per log type config (I assume I can). In which casethis does what my script does and then some. I would probably dump out a ipset save on exit and try to 'restore' on resume (which /I/ do) and I'm sure there's a way fail2ban can check a store of addresses and check what network a host belongs to (instead of just a host). So, fail2ban is probably the way to go. On Fri, Aug 30, 2013 at 10:00 AM, Christopher Morrow < morrowc.li...@gmail.com> wrote: > On Fri, Aug 30, 2013 at 8:55 AM, Shawn Wilson <ag4ve...@gmail.com> wrote: > > > > > > Christopher Morrow <morrowc.li...@gmail.com> wrote: > >>On Thu, Aug 29, 2013 at 10:50 AM, Don Wilder <don.wil...@gmail.com> > >>wrote: > >>> I wrote a script in Linux that watches for unauthorized login > >>attempts and > >>> adds the ip address to the blocked list in my firewall. You might > >>want to > >>> search sourceforge for a DYN Firewall and modify it from there. > >>> > >> > >>because fail2ban was too hard to install? or because you just wanted > >>to test yourself? > > > > Actually I did the same. I use ipset lists (generally with a timeout) > and take a regex or two and black / white list from a YAML file and just > take (possibly multiple inputs) from piping tail -F. I also store addresses > for future reference (by the script or otherwise). > > > > This is quite maintainable as I can look at a list of people who have > attacked the mail server and compare it to web attacks. Each process is a > different type of service (different config file) and probably a different > ipset. Due to ipset not actually doing anything until I make an iptables > rule for it, I can run my script in a test mode (by default) and just see > what happens (check it's logs and the ipset list it generates). I haven't > found the need for this yet but I can use cymru to look up how big their > net is (see geocidr for an example of how to do this in perl) and use a > hash:net ipset type and cover a whole net. > > > > Basically what I'm saying in doing it this way is quite expandable and > isn't very hard and I can do tons of stuff that fail2ban can't (I don't > think - it's been a while since I looked). > > you seem to be describing what fail2ban does... that and some grep of > syslog for fail2ban messages. If your solution works then great! :) >