On 13-10-18 01:56, Mark Costlow wrote:
> I have a jail which blocks IPs if they fail too many auth to our
> mail servers. I want to add a separate jail which does the same
> but with more aggressive thresholds (like maxretry=2 instead of
> maxretry=10) but only if the IP is from outside our country (or
> maybe some other factors too).
>
> I think I have found the "common hack" that several people are using
> to do this: insert geoiplookup in the "actionban" so that the
> firewall only gets modified if the IP meets the geographic criteria
> you have set.
>
> For example:
> https://munkjensen.net/wiki/index.php/Access_control_using_Fail2Ban_and_geoip
>
> This seems like it will work OK, but it will leave the fail2ban
> state and the firewall state out of sync with each other (fail2ban
> will report some IPs are banned which are not in fact being blocked).
>
> Am I silly to be concerned about this? Has anyone thought of a way
> around it?
>
> I think a more natural place for this would be a dynamic whitelist in
> the filter, instead of pushing it to the banaction. I don't think that
> is possible in current fail2ban though. And if you were going to go
> to that much trouble, perhaps it would be better to just add a geoip
> support to the whitelist instead of a generic dynamic whitelist facility.
>
> Thanks,
>
> Mark
From the jail.conf man page (0.9.3):

    ignorecommand
        command that is executed to determine if the current candidate IP for
        banning should not be banned. IP will not be banned if command returns
        successfully (exit code 0). Like ACTION FILES, tags like <ip> can be
        included in the ignorecommand value and will be substituted before
        execution. Currently only <ip> is supported; however, more will be
        added later.
Seems that this is created just for your needs, no hacks required.
Kind regards,
Tom
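As an added illustration of the ignorecommand approach (not code from either poster or from the fail2ban project), the script below implements the "ban foreign IPs more aggressively" policy Mark described. It assumes the GeoIP legacy tools geoiplookup / geoiplookup6 are installed and that their output has the usual "GeoIP Country Edition: XX, Name" form; the jail names, the script path /usr/local/bin/geo-ignore.sh and the HOME_COUNTRIES list are placeholders chosen for the example. Because the country check runs before fail2ban decides to ban, the ban list and the firewall stay in sync, which is the mismatch the actionban hack introduces.

```shell
#!/bin/sh
# geo-ignore.sh: ignorecommand helper for an aggressive "foreign IP" jail.
# Exit 0  -> fail2ban must NOT ban this IP (it is in a home country, or
#            its country could not be determined).
# Exit 1  -> fail2ban may ban (IP resolves to a country outside the list).
#
# Example jail.local (assumed layout, not from the original thread):
#   [postfix-sasl]            ; normal jail, all sources
#   enabled   = true
#   maxretry  = 10
#
#   [postfix-sasl-foreign]    ; aggressive jail, only IPs outside HOME
#   enabled   = true
#   filter    = postfix-sasl
#   maxretry  = 2
#   ignorecommand = /usr/local/bin/geo-ignore.sh <ip>
#
# The aggressive jail falls back to "do not ban" whenever the lookup
# fails, so private ranges, a missing database or a broken tool never
# cause an aggressive ban; the normal jail still covers those sources.

# Two-letter country codes that get the lenient (normal) treatment.
HOME_COUNTRIES="${HOME_COUNTRIES:-US CA}"
# Lookup tools; overridable so the logic can be exercised without GeoIP data.
GEOIP_CMD="${GEOIP_CMD:-geoiplookup}"
GEOIP6_CMD="${GEOIP6_CMD:-geoiplookup6}"

# country_of IP: print the ISO code from the tool's
# "GeoIP Country [V6] Edition: XX, Name" line, or nothing if unknown.
country_of() {
    case "$1" in
        *:*) lookup="$GEOIP6_CMD" ;;   # IPv6 literal
        *)   lookup="$GEOIP_CMD" ;;
    esac
    "$lookup" "$1" 2>/dev/null |
        sed -n 's/^GeoIP Country[^:]*: \([A-Z][A-Z]\),.*/\1/p' |
        head -n 1
}

# is_home CC: succeed if CC is listed in HOME_COUNTRIES.
is_home() {
    for cc in $HOME_COUNTRIES; do
        [ "$cc" = "$1" ] && return 0
    done
    return 1
}

# should_ignore IP: the ignorecommand decision (0 = do not ban).
should_ignore() {
    cc=$(country_of "$1")
    if [ -z "$cc" ]; then
        # Unknown country: leave this IP to the normal jail.
        return 0
    fi
    is_home "$cc"
}

# When invoked by fail2ban the candidate IP is the first argument.
if [ $# -gt 0 ]; then
    should_ignore "$1"
    exit $?
fi
```

Keep the script fast: fail2ban runs ignorecommand once per candidate ban, so a local database lookup is fine, whereas a network lookup (DNS-based GeoIP services) would stall the jail on every failed login.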
_______________________________________________
Fail2ban-users mailing list
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
