From 39711cf6c2ec5a3b4480dcb4800cc3802bda5bf2 Mon Sep 17 00:00:00 2001 From: Lukasz Kasprzak Date: Fri, 20 Mar 2026 19:16:32 +0100 Subject: feat: first fully successful run e2e on straper --- .../etc-fail2ban/action.d/xarf-login-attack.conf | 143 +++++++++++++++++++++ 1 file changed, 143 insertions(+) create mode 100644 straper/db/public/fail2ban/etc-fail2ban/action.d/xarf-login-attack.conf (limited to 'straper/db/public/fail2ban/etc-fail2ban/action.d/xarf-login-attack.conf') diff --git a/straper/db/public/fail2ban/etc-fail2ban/action.d/xarf-login-attack.conf b/straper/db/public/fail2ban/etc-fail2ban/action.d/xarf-login-attack.conf new file mode 100644 index 0000000..f348b2c --- /dev/null +++ b/straper/db/public/fail2ban/etc-fail2ban/action.d/xarf-login-attack.conf @@ -0,0 +1,143 @@ +# Fail2Ban action for sending xarf Login-Attack messages to IP owner +# +# IMPORTANT: +# +# Emailing a IP owner of abuse is a serious complain. Make sure that it is +# serious. Fail2ban developers and network owners recommend you only use this +# action for: +# * The recidive where the IP has been banned multiple times +# * Where maxretry has been set quite high, beyond the normal user typing +# password incorrectly. +# * For filters that have a low likelihood of receiving human errors +# +# DEPENDENCIES: +# +# This requires the dig command from bind-utils +# +# This uses the https://abusix.com/contactdb.html to lookup abuse contacts. +# +# XARF is a specification for sending a formatted response +# for non-messaging based abuse including: +# +# Login-Attack, Malware-Attack, Fraud (Phishing, etc.), Info DNSBL +# +# For details see: +# https://github.com/xarf/xarf-specification +# http://www.x-arf.org/schemata.html +# +# Author: Daniel Black +# Based on complain written by Russell Odom +# +# + +[Definition] + +# bypass ban/unban for restored tickets +norestored = 1 + +actionstart = + +actionstop = + +actioncheck = + +actionban = oifs=${IFS}; + RESOLVER_ADDR="%(addr_resolver)s" + if [ "" -gt 0 ]; then echo "try to resolve $RESOLVER_ADDR"; fi + ADDRESSES=$(dig +short -t txt -q $RESOLVER_ADDR | tr -d '"') + IFS=,; ADDRESSES=$(echo $ADDRESSES) + IFS=${oifs} + IP= + FROM= + SERVICE= + FAILURES= + REPORTID=