fail2ban vuurmuur plugin

I made a decent vuurmuur firewall plugin(action) for fail2ban. I am debugging it, because it takes a good minute to stop the service... I will update this post when I figure out what the heck is taking so long. I am also going to submit this to fail2ban for possible inclusion.

I opted to go with the default behavior of fail2ban, which is to remove all bans on a restart. It is trivial to hardcode the network, and groups, if you don't want fail2ban messing with your vuurmuur structure or removing bans when it restarts.

place this in /etc/fail2ban/action.d/vuurmuur.conf

# Author: Nick Shobe
#

[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
# Create a zone in vuurmuur called fail2ban... this script will add the "" network and all the hosts... you can use a custom rule in vuurmuur to block ports by network
# You can make multiple rules that block specific ports if you don't want to globally block an ip... Do this like any customized rules.
actionstart = vuurmuur_script --create --network .fail2ban
vuurmuur_script --modify --network .fail2ban --variable ACTIVE --set Yes
vuurmuur_script --modify --network .fail2ban --variable NETWORK --set 0.0.0.0
vuurmuur_script --modify --network .fail2ban --variable NETMASK --set 0.0.0.0
append=''
for int in `vuurmuur_script --list --interface all`; do vuurmuur_script --modify --network .fail2ban $append --variable INTERFACE --set $int ; append='--append' ; done
vuurmuur_script --create --group ..fail2ban
vuurmuur_script --modify --group ..fail2ban --variable ACTIVE --set Yes

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = for group in `vuurmuur_script --list --group .fail2ban`; do vuurmuur_script --delete --group $group; done
for host in `vuurmuur_script --list --host .fail2ban`; do vuurmuur_script --delete --host $host; done
vuurmuur_script --delete --network .fail2ban
vuurmuur_script --create --network .fail2ban
vuurmuur_script --modify --network .fail2ban --variable ACTIVE --set Yes
vuurmuur_script --modify --network .fail2ban --variable NETWORK --set 0.0.0.0
vuurmuur_script --modify --network .fail2ban --variable NETMASK --set 0.0.0.0
append=''
for int in `vuurmuur_script --list --interface all`; do vuurmuur_script --modify --network .fail2ban $append --variable INTERFACE --set $int ; append='--append' ; done
vuurmuur_script --create --group ..fail2ban
vuurmuur_script --modify --group ..fail2ban --variable ACTIVE --set Yes
vuurmuur_script --reload

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = vuurmuur_script --list --host .fail2ban | tr '-' '.'

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: IP address
# number of failures
# unix timestamp of the ban time
# Values: CMD
#
actionban = vuurmuur_script --create --host `echo | tr '.' "-"`..fail2ban
vuurmuur_script --modify --host `echo | tr '.' "-"`..fail2ban --variable IPADDRESS --set
vuurmuur_script --modify --host `echo | tr '.' "-"`..fail2ban --variable ACTIVE --set Yes
append=''
for x in `vuurmuur_script --print --group .fail2ban --variable MEMBER`; do append='--append'; done
vuurmuur_script --modify --apply --group ..fail2ban $append --variable MEMBER --set `echo | tr '.' '-'`
vuurmuur_script --reload

# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: IP address
# number of failures
# unix timestamp of the ban time
# Values: CMD
#
# If you want to keep known bad ip's around for review and moving to a perm ban list... use "--modify --variable ACTIVE --set No" instead of --delete You may need to change the way hosts are added to account for repeats.
# this script prints all of the current group members, deletes and recreates the group... without the member to be removed.
actionunban = vuurmuur_script --delete --host `echo | tr '.' "-"`..fail2ban
append='d'
for member in `vuurmuur_script --print --group ..fail2ban --variable MEMBER`;
do if [ $append != '--append' ];then
vuurmuur_script --delete --group ..fail2ban;
vuurmuur_script --create --group ..fail2ban;
vuurmuur_script --modify --group ..fail2ban --variable ACTIVE --set Yes;
fi;
tmp=`echo $member|grep -E -o "[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,3}"`;
if [ -z "$tmp" ]
then
tmp='d';
fi
if [ $tmp != `echo | tr '.' "-"` ];
then vuurmuur_script --modify --group ..fail2ban $append --variable MEMBER --set $member;
fi;
if [ $append != '--append' ];
then append='--append';
fi;
done
vuurmuur_script --reload

[Init]

# Defaut name of the chain
#
name = block

group = blockedhosts

Use this just like a normal iptables action file, only consider it is using vuurmuur. In vuurmuur, create a rule that uses the "blockedhosts" group under the appropriate network to block the appropriate traffic. Feel free to contact me if you have any questions.