
I have been using fail2ban for years and it works nicely; now I would like to automate and harden the security of my router.

So I would like fail2ban to create a local file, for example list.txt, with a list of banned IP addresses.

Something similar to this https://sslbl.abuse.ch/blacklist/sslipblacklist.txt

So I could share it on a webpage. My router is set up to import blocked IPs from such sources.

So how could I manage to do something like that? Any ideas?

Johnny

2 Answers

0

Yes, you can, for example, add a command to an existing "action" located in /etc/fail2ban/action.d/. In my case I just added it to the "iptables-multiport.conf" file:

actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
                echo '<ip>' >> /path/to/file/ips.txt
Orphans
  • Added, restarted fail2ban but there is no file! – Johnny Oct 07 '20 at 14:54
  • Can someone explain why the above does not work? Any other solution? – Johnny Oct 08 '20 at 07:00
  • It could be anything from permission issues to a typo in your configuration. – Orphans Oct 08 '20 at 09:47
  • So I put the code as mentioned above: actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype> echo '<ip>' >> /var/fail2ban/ip.txt. Permissions are like other files. Where to look, how to test? Can someone please explain? – Johnny Oct 08 '20 at 10:40
0

Orphans' answer is correct, but I will try to explain a little bit more.

First, you should check which jail you are interested in, and then check which actionban is associated with that jail.

The actionban parameter can be traced in the config files of Fail2ban, but this is not necessarily straightforward. Take, for example, the following configuration in /etc/fail2ban/jail.local:

[DEFAULT]
backend = auto
banaction = iptables-multiport
bantime = 1h

[sshd]
enabled = true
logpath = %(sshd_log)s
maxretry = 3
port = 22

For the sshd jail, no banaction is directly defined, so the default banaction = iptables-multiport is taken. Therefore, we should look into the /etc/fail2ban/action.d/iptables-multiport.conf config file. If an actionban is not explicitly defined there, then we should check which file it includes. In this example, the iptables-multiport config file contains:

[INCLUDES]

before = iptables.conf

This points to /etc/fail2ban/action.d/iptables.conf, where we can finally find a definition for actionban:

actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

Now, following Orphans' answer, it is possible to modify the ban action on this line, adding a custom command:

actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
            echo '<ip>'  >> /path/to/file/ips.txt

Finally, the Fail2ban configuration should be reloaded with fail2ban-client in order to apply the changes:

fail2ban-client reload
jolnez
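Both answers append to the list on ban but never remove an address on unban, so the published file grows forever and keeps blocking hosts fail2ban itself has already released, and both edit a packaged action file that a fail2ban upgrade can overwrite. The script below is an added example, not code from the question or either answer: it puts the list maintenance in a small helper that fail2ban calls from a dedicated action file, with an actionunban that prunes the entry and a whole-line literal match so that 10.0.0.1 does not match 10.0.0.10. The paths /var/lib/fail2ban/banned-ips.txt, /usr/local/sbin/banlist.sh and the action name banlist are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original answers): keep a plain-text blocklist
# in step with fail2ban's live ban set. actionban appends, actionunban prunes.
# Assumed (hypothetical) locations: the list at /var/lib/fail2ban/banned-ips.txt,
# this script installed as /usr/local/sbin/banlist.sh.

LIST_FILE="${BANLIST_FILE:-/var/lib/fail2ban/banned-ips.txt}"

# Accept only characters that can occur in an IPv4/IPv6 address, so a bad <ip>
# substitution can never put shell metacharacters or extra lines in the file.
banlist_valid() {
    case "$1" in
        "" | *[!0-9a-fA-F.:]*) return 1 ;;
    esac
    return 0
}

# Append $1 to the list ($2 defaults to LIST_FILE) unless it is already there.
# grep -x matches whole lines and -F takes the IP literally, so dots are not
# regex wildcards and 10.0.0.1 does not match 10.0.0.10.
banlist_add() {
    ip="$1"; file="${2:-$LIST_FILE}"
    banlist_valid "$ip" || return 1
    touch "$file"
    grep -qxF -- "$ip" "$file" || printf '%s\n' "$ip" >> "$file"
}

# Remove every line equal to $1. grep -v exits 1 when no lines remain, which is
# a normal outcome (last address unbanned), hence the "|| :".
banlist_del() {
    ip="$1"; file="${2:-$LIST_FILE}"
    banlist_valid "$ip" || return 1
    [ -f "$file" ] || return 0
    grep -vxF -- "$ip" "$file" > "$file.tmp" || :
    mv "$file.tmp" "$file"
}

# Number of addresses currently published.
banlist_count() {
    file="${1:-$LIST_FILE}"
    [ -f "$file" ] || { echo 0; return 0; }
    wc -l < "$file" | tr -d ' '
}

# Write the fail2ban action that calls this script to $1 (normally
# /etc/fail2ban/action.d/banlist.conf, an assumed name). Keeping it in its own
# file means a package upgrade of iptables*.conf cannot silently drop it.
banlist_write_action() {
    cat > "$1" <<'EOF'
[Definition]
actionstart =
actionstop =
actioncheck =
actionban   = /usr/local/sbin/banlist.sh add <ip>
actionunban = /usr/local/sbin/banlist.sh del <ip>
EOF
}

# Wire it into a jail in /etc/fail2ban/jail.local without replacing the
# firewall action: action_ expands to the banaction (iptables-multiport here),
# and the indented continuation line adds the list action as a second one.
#
#   [sshd]
#   enabled = true
#   action  = %(action_)s
#             banlist
#
# Then: fail2ban-client -d | grep banlist   (confirm the action was picked up)
#       fail2ban-client reload

# Dispatch when invoked by fail2ban as "banlist.sh add|del <ip>".
case "$1" in
    add) shift; banlist_add "$@" ;;
    del) shift; banlist_del "$@" ;;
esac
```

fail2ban runs the action as root, so the list file will be root-owned; serve it from a path the web server can read (or copy it there from actionban) rather than pointing the web root at /var/lib/fail2ban. If bantime is long and the daemon restarts, fail2ban replays its bans from its database, so the file and the firewall converge again without manual cleanup.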