On 06/09/2019 20.25, Phil Stracchino wrote:
> On 9/6/19 2:03 PM, @lbutlr wrote:
>> On 6 Sep 2019, at 09:30, Phil Stracchino <ph...@caerllewys.net> wrote:
>>> Can anyone by chance point me to any documentation that explains how to do this?
>>
>> Not off hand, but what you are looking for on google is:
>>
>> fail2ban "action.d"
>>
>> (the quotes will force google to return results with action.d)
>>
>> In fact, if you look in the action.d/ folder there should be a couple of files there that will likely get you started. (I’d check, but I’m using sshguard now).
>
> Yeah, I've already had a browse through that, but it appears to me that
> all of the prewritten actions assume you're talking to a *local*
> firewall, and I don't know enough about fail2ban yet to feel confident
> modifying it without something to work from.
>
> I was *about to say* that every single document I've so far found seems
> to assume a local firewall, but I just now stumbled across one with a
> remote-firewall example that I think I can work with.
I use a custom script (/usr/local/sbin/fail2ban_action.sh) to block a
given IP, from which I call nft to add the IP to a set,
by calling "nft $1 element inet filter fail2ban { $2 }" (where $1 is add
or delete and $2 is the IP).
If you want that action to happen on a remote system you could just
prepend "ssh <firewall>" to the command
(assuming that your local root can login as root to the firewall system
without user interaction..)
For reference, here is my /etc/fail2ban/action.d/local_block.conf:
[Definition]
actionban = /usr/local/sbin/fail2ban_action.sh add <ip>
actionunban = /usr/local/sbin/fail2ban_action.sh delete <ip>
actioncheck =
actionstart =
actionstop =
[Init]
where in /etc/fail2ban/jail.local I have
..
banaction = local_block
..
Hope that helps!
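
A sketch of what a helper like /usr/local/sbin/fail2ban_action.sh could look like, added here as an example and not the poster's actual script. It assumes IPv4 addresses only and a hypothetical FIREWALL_HOST variable that selects the ssh variant; both arguments are checked before they reach nft or the remote shell.

```shell
#!/bin/sh
# Added example: a helper in the style of fail2ban_action.sh (not the poster's script).
# Usage: fail2ban_action.sh add|delete <ip>
# FIREWALL_HOST is a hypothetical variable; when set, nft runs there over ssh.

valid_action() {
    case "$1" in
        add|delete) return 0 ;;
        *) return 1 ;;
    esac
}

# Dotted-quad IPv4 only, each octet 0..255; anything else is rejected.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the nft command for a checked action and address (set name from the post).
nft_command() {
    valid_action "$1" || { echo "bad action: $1" >&2; return 2; }
    valid_ipv4 "$2" || { echo "bad address: $2" >&2; return 2; }
    printf 'nft %s element inet filter fail2ban { %s }\n' "$1" "$2"
}

main() {
    cmd=$(nft_command "$1" "$2") || exit 2
    if [ -n "${FIREWALL_HOST:-}" ]; then
        # ssh passes this string to the remote shell, so it must contain
        # nothing but the checked action and address.
        ssh -o BatchMode=yes "root@$FIREWALL_HOST" "$cmd"
    else
        nft "$1" element inet filter fail2ban "{ $2 }"
    fi
}

# Run only when called with arguments, as fail2ban's actionban/actionunban do.
[ "$#" -eq 0 ] || main "$@"
```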