[RFE]: add ip-api.com info to fail2ban.log for jail members · Issue #3790 · fail2ban/fail2ban · GitHub


Open
IgorLytkin opened this issue Jul 9, 2024 · 8 comments

@IgorLytkin

Feature request type

Description

Considered alternatives

Any additional information

@sebres
Contributor
sebres commented Jul 9, 2024

Geolocation?
Just to link it to #3467 (not about ignore, but geo-info related stuff)...

In between (as long as it's not implemented) one could try something like this:

```bash
# Look up the country of each IP currently banned in the jail
{ jail="sshd"; curl "http://ip-api.com/batch?fields=country" --data "$(fail2ban-client get "$jail" banned | tr "'" '"')"; }
```

However, it'd work only for a maximum of 100 IPs, otherwise it raises an error "HTTP 422 Unprocessable Entity", so one has to buffer them with max 100 IPs per chunk.
Also note another restriction, related to their description (for free access):

> Our endpoints are limited to 45 HTTP requests per minute from an IP address. If you go over this limit your requests will be throttled (HTTP 429) until your rate limit window is reset.

So an alternative could be an asynchronous service updating the tickets in the database (to avoid repeated bulk queries for already "known" IPs).
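
An added example, not part of the comment above and not fail2ban code: one way to apply the two limits it mentions, splitting the banned list into chunks of at most 100 IPs and pausing between requests. The function names, the 2-second delay and the extra `query` field (which echoes the IP back in each result) are assumptions of this sketch.

```bash
#!/usr/bin/env bash
# Added example: chunked ip-api.com batch lookups for a jail's banned IPs.

# Read fail2ban-client's list output (e.g. "['192.0.2.1', '192.0.2.2']") on
# stdin and print one JSON array per line, each holding at most $1 addresses.
chunk_banned() {
  tr -d "[]' " | tr ',' '\n' |
    grep -E '^[0-9A-Fa-f:.]+$' |   # keep only IPv4/IPv6-looking tokens, so
                                   # nothing else ends up in the JSON body
    awk -v max="${1:-100}" '
      { buf = buf (n ? "," : "") "\"" $0 "\""; n++ }
      n == max { print "[" buf "]"; buf = ""; n = 0 }
      END { if (n) print "[" buf "]" }'
}

# Query every chunk, pausing between requests to stay under the free-tier
# limit quoted above (45 requests/minute, i.e. at least 1.34 s apart).
geo_banned() {
  local jail="${1:-sshd}" delay="${2:-2}" chunk
  fail2ban-client get "$jail" banned | chunk_banned 100 |
    while IFS= read -r chunk; do
      # --fail turns HTTP 422 (chunk too large) and 429 (throttled) into errors
      curl -sS --fail "http://ip-api.com/batch?fields=country,query" \
           --data "$chunk" ||
        echo "lookup failed for one chunk of jail $jail" >&2
      echo
      sleep "$delay"
    done
}
```

Calling `geo_banned sshd` prints one JSON result array per chunk; `chunk_banned` can be checked on its own by piping a list into it.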

@IgorLytkin
Author

Yes, it would be a nice solution.

@IgorLytkin
Author

So? Let's do it?

@sebres
Contributor
sebres commented Jul 28, 2024

Let us define the order of RFEs regarding the precedence questions by ourselves, please.
There are several other open tasks and feature requests with higher or same priority, that I'd like to implement before.

@IgorLytkin
Author

Yes, of course.

05bmckay added a commit to 05bmckay/fail2ban that referenced this issue Oct 29, 2024
Fixes fail2ban#3790

This should be a good fix for issue fail2ban#3790, ip-api is a pretty nice API but I haven't had a ton of time to play with it so I might be missing something. I would greatly appreciate any review on this if someone wanted to help.

---

For more details, open the [Copilot Workspace session](https://copilot-workspace.githubnext.com/fail2ban/fail2ban/issues/3790?shareId=XXXX-XXXX-XXXX-XXXX).
@05bmckay
05bmckay commented Oct 29, 2024

I would also be pretty interested in this, I was playing with the ip-api today and it seems pretty awesome. @sebres I made a small pull request.

@pano9000
Contributor

What about using an "offline" geo-ip database instead of doing an API request to a web server?
Should be a) faster and b) potentially more reliable (because you are not relying on the API being available 24/7)

https://db-ip.com/db/
https://db-ip.com/db/lite.php (this one is CC BY 4.0 licensed)

You would only need to do some monthly database rotation, as they publish new databases on a monthly basis.

@abdullahdevrel

If you are interested, you can take a look at this request: #3687.

From my experience of running fail2ban, geoip alone does not cut it. ASN is also an important metadata. This uses an offline local database and gives both country and ASN information. I am not sure with Fail2ban how important city information is but my experience says that a combination of country and ASN, also known as data centers, could be quite useful. The database is updated daily, comes with full accuracy, and is licensed under CC-BY-SA 4.0 without an EULA.

I work at IPinfo, by the way. We also have a solid free API to offer that provides zip code level accuracy along with ASN.
