From Fail2ban
Revision as of 02:00, 29 March 2011 by (Talk) (Support for BSD ip or pf)


Support for BSD ip or pf

Would it be possible to add support for BSD ip or pf?

See [1] for some script that does this.

It is copied below for convenience.

# list of banned addresses
sudo pfctl -t fail2ban -T show

Chris Jones - 2009.06.17


# PF jail: add to jail.conf under a jail section header of your choice

enabled = true
filter  = sshd
action  = pf
          sendmail-whois[name=SSH, dest=email at]
logpath = /var/log/auth.log


# action.d/pf.conf

[Definition]
actionstart =
actionstop =
actioncheck =
actionban = pfctl -t fail2ban -T add <ip>
# delete the exact address; the original grep-based form could also match a
# longer address containing <ip> as a substring (e.g. 10.0.0.1 inside 10.0.0.10)
actionunban = pfctl -t fail2ban -T delete <ip>

[Init]
port = ssh
localhost =


# /etc/pf.conf

table <fail2ban> persist
block in on $ext_if from <fail2ban>

Banning entire countries' IPs

Please support banning of entire countries, see also Talk:HOWTO_use_geoiplookup and Feature tracker on Source Forge.

Automatic abuse mail sending

Would it be possible to add a hook that detects the abuse mail address for that IP (with whois at first, and maybe some better tool later) and sends an automatic email to the abuse address with the incriminating portion of the log?

It can be useful in 2 cases:

  • a hoster can learn that someone is misusing its service, or, if not, that some server is hacked and must be reinstalled.
  • the user of a server can receive an abuse mail without knowing his box is hacked, so he can take action to get his box clean.

I think it's a virtuous circle IF the abuse mail is treated as it should be ;)

Munin/cacti/rrd action?

The asynchronous file survey is awesome in terms of efficiency compared to the "grep pattern | wc -l" shipped with cacti or munin.

I'm already developing a counter updater (that I later use with munin) in Perl that I use as an action in fail2ban, but (I guess it's not development but a cookbook) couldn't that be generalized?

In this case, maybe lordOfTheFile (one program to survey them all) would be a better name than fail2ban :)

Fail2ban has the means to be a cool platform to get rid of archaic scripts for server monitoring. And as for munin, it is a specialized, efficient tool. Those two projects are really complementary.

Add a success filter to reset the retry counter

There is currently no way to reset the retry counter for an IP if that IP made a successful login. It would be useful to have a filter rule that detects a successful login from that HOST. The default action could reset the counter. This would also better match the expectations of a common user.
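As an added illustration of the requested behaviour (example code, not fail2ban's own), the following simulates a jail's retry counter with maxretry and findtime and lets a "successful login" regex reset it, so the same log produces different ban decisions with and without the reset. The sshd-style log lines, the two regexes and the second-based timestamps are constructed for the example.

```python
import re
from collections import defaultdict, deque

# Constructed auth.log-style sshd lines as (time in seconds, message).
SAMPLE_LOG = [
    (0,  "Failed password for invalid user admin from 10.0.0.5 port 4410 ssh2"),
    (10, "Failed password for alice from 10.0.0.5 port 4411 ssh2"),
    (20, "Accepted password for alice from 10.0.0.5 port 4412 ssh2"),
    (30, "Failed password for alice from 10.0.0.5 port 4413 ssh2"),
    (40, "Failed password for alice from 10.0.0.5 port 4414 ssh2"),
    (5,  "Failed password for root from 192.0.2.9 port 5000 ssh2"),
    (6,  "Failed password for root from 192.0.2.9 port 5001 ssh2"),
    (7,  "Failed password for root from 192.0.2.9 port 5002 ssh2"),
]

# Constructed stand-ins for a jail's failregex and the proposed "success" regex.
FAILREGEX = re.compile(r"Failed password for .* from (?P<host>\S+) port")
SUCCESSREGEX = re.compile(r"Accepted \S+ for \S+ from (?P<host>\S+) port")


def ban_decisions(log, maxretry=3, findtime=600, reset_on_success=True):
    """Return the (time, host) ban events for a list of (time, line) entries.

    Failures per host are kept in a sliding window of `findtime` seconds; a host
    is banned when `maxretry` failures fall inside the window.  With
    reset_on_success=True a successful login clears that host's failures, which
    is the behaviour requested above.
    """
    failures = defaultdict(deque)
    bans = []
    for ts, line in sorted(log):
        m = SUCCESSREGEX.search(line)
        if m and reset_on_success:
            failures.pop(m.group("host"), None)
            continue
        m = FAILREGEX.search(line)
        if not m:
            continue
        host = m.group("host")
        window = failures[host]
        window.append(ts)
        while window and ts - window[0] > findtime:  # drop failures outside findtime
            window.popleft()
        if len(window) >= maxretry:
            bans.append((ts, host))
            window.clear()  # counter restarts once the ban action has fired
    return bans
```

With the reset, 10.0.0.5 (two failures, a success, two more failures) is never banned, while 192.0.2.9 still is; without the reset, 10.0.0.5 is banned at its third failure.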