More details on Fail2ban unban page in Cockpit

At the moment, the unban page in Cockpit shows IPs only.
Sometimes it would be helpful to have more information about the reasons for banning.
(like the details in the fail2ban email report, but I am missing some things here too)

Details could be:

  • the service (log) that was the reason for the ban (essential)
  • where the banned IP comes from (country or location)
  • the associated username (this would be very helpful)
  • maybe the (last) log lines that fail2ban stumbled on

Regards
yummiweb

We parse the ipset; we have no information about it. Sure, a world map with the country would be nice; however, we have to query the sqlite database of fail2ban. Not sure about the priority.

I don't know how many details are in the sqlite database of fail2ban.
I am thinking of some details grepped from “fail2ban-listban” to get info about the corresponding jail
and a “whois [IP] | grep descr: -A 2” (or something) to get some further info.
Maybe with additional info from “geoiplookup [IP]”.
(needs packages GeoIP and GeoIP-data)

I can use this in the terminal, but I think it would be more straightforward to integrate this info in the Cockpit Fail2ban unban panel. Unfortunately, I don’t know how.

Regards
yummiweb

1 Like
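
One way to look up the jail and the last matched log lines for each IP taken from the ipset, as an added example that is not part of the original posts or of the Cockpit module. It assumes fail2ban's sqlite database has a "bans" table with the columns shown (check the installed version) and runs against a constructed in-memory copy; ban_details and sample_db are hypothetical names.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Assumed layout of fail2ban's "bans" table; check yours with
# `sqlite3 <dbfile> .schema` since it can differ between versions.
SCHEMA = """CREATE TABLE bans(jail TEXT NOT NULL, ip TEXT,
    timeofban INTEGER NOT NULL, bantime INTEGER NOT NULL,
    bancount INTEGER NOT NULL DEFAULT 1, data JSON)"""

def ban_details(conn, ips, last_lines=2):
    """Return {ip: [{jail, banned_at, failures, matches}]}, newest ban first."""
    result = {ip: [] for ip in ips}
    query = ("SELECT jail, timeofban, data FROM bans "
             "WHERE ip = ? ORDER BY timeofban DESC")
    for ip in ips:
        # Bound parameter: the IP is never pasted into the SQL text.
        for jail, timeofban, data in conn.execute(query, (ip,)):
            info = json.loads(data) if data else {}
            # A match may be stored as one string or as a list of parts.
            matches = ["".join(m) if isinstance(m, list) else str(m)
                       for m in info.get("matches", [])]
            result[ip].append({
                "jail": jail,
                "banned_at": datetime.fromtimestamp(
                    timeofban, timezone.utc).isoformat(),
                "failures": info.get("failures"),
                "matches": matches[-last_lines:],
            })
    return result

def sample_db():
    """In-memory database with constructed rows (documentation IP ranges)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    lines = [f"Jan 10 03:1{i}:00 host sshd[99]: Failed password for "
             f"invalid user admin from 203.0.113.7 port 4{i}000 ssh2"
             for i in range(3)]
    split = [["Jan 10 04:13:20 ", "host postfix: auth failed"]]
    rows = [
        ("sshd", "203.0.113.7", 1704856320, 600, 1,
         json.dumps({"matches": lines, "failures": 3})),
        ("recidive", "203.0.113.7", 1704942720, 604800, 2, None),
        ("postfix", "198.51.100.9", 1704860000, 600, 1,
         json.dumps({"matches": split})),
    ]
    conn.executemany("INSERT INTO bans VALUES (?,?,?,?,?,?)", rows)
    return conn

if __name__ == "__main__":
    details = ban_details(sample_db(), ["203.0.113.7", "192.0.2.1"])
    print(json.dumps(details, indent=2))
```

An IP that is in the ipset but has no row in the table comes back with an empty list, so the panel can still show it without details.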

Old info but maybe it gives some ideas:
https://www.fail2ban.org/wiki/index.php/HOWTO_use_geoiplookup

A quick search shows someone else had the same thought (just linking one of the first results):

Older projects were fail2rest + fail2web, Suspicious, fail2ban + splunk… some newer ones make use of ELK with fail2ban

1 Like