https://github.com/yaleman/fail2ban-importer
Pull from JSON lists and fail2ban things.
fail2ban https python s3 security
- Host: GitHub
- URL: https://github.com/yaleman/fail2ban-importer
- Owner: yaleman
- Created: 2022-01-01T02:51:59.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2025-02-11T03:24:19.000Z (8 months ago)
- Last Synced: 2025-02-11T04:25:56.031Z (8 months ago)
- Topics: fail2ban, https, python, s3, security
- Language: Python
- Homepage: https://pypi.org/project/fail2ban_importer/
- Size: 513 KB
- Stars: 0
- Watchers: 3
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Codeowners: CODEOWNERS
- Security: SECURITY.MD
README
# fail2ban-from-s3
Grabs a JSON-encoded list of things to ban and bans them using [fail2ban](https://www.fail2ban.org).
# Installation
`python -m pip install --upgrade fail2ban-importer`
# Usage
`fail2ban-importer [--oneshot|--dryrun]`
# Configuration
The following paths will be tested (in order) and the first one loaded:
- `./fail2ban-importer.json`
- `/etc/fail2ban-importer.json`
- `~/.config/fail2ban-importer.json`
## Fields
Note the `fail2ban_jail` field. If you pick up your logs from fail2ban and use them as the source for automation, make sure to filter out the actions taken by this system, otherwise you'll end up in a loop!
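One way to build the source file from fail2ban's own log without creating that loop, as an added example that is not part of this project's code. The function name `build_source_list`, the log line layout (fail2ban's usual `NOTICE [jail] Ban <ip>` notice) and the sample lines are assumptions; `automated` is the jail name from this README's example config.

```python
import ipaddress
import json
import re

# Matches a ban notice such as "... NOTICE  [sshd] Ban 196.30.15.254".
# "Unban" and "Restore Ban" lines do not match.
BAN_RE = re.compile(r"\bNOTICE\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)\s*$")


def build_source_list(log_lines, importer_jail, ignore_list=("127.0.0.1",)):
    """Turn ban notices into the [{"jail": ..., "ip": ...}] source-file list.

    Bans issued by importer_jail are dropped so imported bans are never
    published again, and ignore_list addresses are never emitted.
    """
    ignored = {ipaddress.ip_address(ip) for ip in ignore_list}
    seen, entries = set(), []
    for line in log_lines:
        match = BAN_RE.search(line)
        if not match:
            continue  # not a ban notice
        jail = match["jail"]
        if jail == importer_jail:
            continue  # ban made by the importer itself: re-publishing it loops
        try:
            addr = ipaddress.ip_address(match["ip"])
        except ValueError:
            continue  # malformed address, never pass it downstream
        if addr in ignored or (jail, addr) in seen:
            continue  # protected address or duplicate entry
        seen.add((jail, addr))
        entries.append({"jail": jail, "ip": str(addr)})
    return entries


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2025-02-11 03:00:01,101 fail2ban.filter  [812]: INFO    [sshd] Found 196.30.15.254 - 2025-02-11 03:00:01",
    "2025-02-11 03:00:02,214 fail2ban.actions [812]: NOTICE  [sshd] Ban 196.30.15.254",
    "2025-02-11 03:15:00,007 fail2ban.actions [812]: NOTICE  [automated] Ban 119.13.89.28",
    "2025-02-11 03:16:40,350 fail2ban.actions [812]: NOTICE  [sshd] Ban 127.0.0.1",
    "2025-02-11 03:17:12,900 fail2ban.actions [812]: NOTICE  [sshd] Ban 196.30.15.254",
    "2025-02-11 03:18:00,480 fail2ban.actions [812]: NOTICE  [sshd] Unban 196.30.15.254",
    "2025-02-11 03:19:30,120 fail2ban.actions [812]: NOTICE  [sshd] Ban 999.1.1.1",
]

if __name__ == "__main__":
    print(json.dumps(build_source_list(SAMPLE_LOG, "automated"), indent=2))
```
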
| Field Name | Value Type | Default Value | Required | Description |
| --- | --- | --- | --- | --- |
| `download_module` | `str` | `http` | No | The download module to use (either `http` or `s3`) |
| `fail2ban_jail` | `str` | unset | **Yes** | The jail to use for banning - DO NOT REUSE AN EXISTING JAIL |
| `source` | `str` | `blank` | **Yes** | Where to pull the file from, can be a `http(s)://` or `s3://` URL. |
| `fail2ban_client` | `str` | `fail2ban_client` | No | The path to the `fail2ban-client` executable, in case it's not in the user's `$PATH` |
| `schedule_mins` | `int` | 15 | No | How often to run the action. |
| `ignore_list` | `List[str]` | `["127.0.0.1"]` | No | A list of IPs which will never be added to the ban list. |
| `s3_endpoint` | `str` | | No | The endpoint URL if you need to force it for s3, eg if you're using minio or another S3-compatible store. |
| `s3_v4` | `bool` | `false` | No | Whether to force `s3_v4` requests (useful for minio) |
| `s3_minio` | `bool` | `false` | No | Enable minio mode, force `s3_v4` requests |
## HTTP(S) Source
```json fail2ban-importer.json
{
"source": "https://example.com/fail2ban.json",
"fail2ban_client": "/usr/bin/fail2ban-client",
"fail2ban_jail" : "automated",
"schedule_mins" : 15
}
```
## S3-compatible Source
You can use the usual [boto3 AWS configuration](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/quickstart.html#configuration), or put the options in the config file.
```json fail2ban-importer.json
{
"source": "s3://my-magic-fail2ban-bucket/fail2ban.json",
"AWS_ACCESS_KEY_ID" : "exampleuser",
"AWS_SECRET_ACCESS_KEY" : "hunter2",
"schedule_mins" : 1
}
```
If you're using minio as your backend, you should add the following additional options to the config file:
```json
{
"s3_v4" : true,
"s3_endpoint" : "https://example.com"
}
```
# Example source data file
```json data.json
[
{
"jail": "sshd",
"ip": "196.30.15.254"
},
{
"jail": "sshd",
"ip": "119.13.89.28"
}
]
```
# Thanks
- [fail2ban](https://www.fail2ban.org)
- [boto3](https://boto3.amazonaws.com)
- [requests](https://docs.python-requests.org/en/master/index.html)
- [schedule](https://schedule.readthedocs.io/en/stable/)