This commit is contained in:
Jacob Masse 2026-06-25 19:54:26 +00:00 committed by GitHub
commit 380201ba32
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 86 additions and 0 deletions

View file

@ -124,6 +124,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
* `filter.d/vaultwarden.conf` - new filter and jail for Vaultwarden (gh-3979)
* `filter.d/xrdp.conf` - new filter for XRDP, an open source RDP server (gh-3254)
* `fail2ban-regex` extended with new option `-i` or `--invert` to output not-matched lines by `-o` or `--out` (gh-4001)
* `action.d/flowtriq.conf` - new action to report banned IPs to Flowtriq for DDoS threat intelligence correlation
ver. 1.1.0 (2024/04/25) - object-found--norad-59479-cospar-2024-069a--altitude-36267km

View file

@ -0,0 +1,85 @@
# Fail2ban configuration file
#
# Action to report banned IPs to a Flowtriq webhook channel.
# Flowtriq correlates ban events across networks to build real-time threat
# feeds and trigger network-level mitigation rules.
#
# Setup:
# 1. Create a webhook channel in your Flowtriq dashboard under
# Settings > Integrations > Webhooks.
# 2. Copy the webhook URL and, optionally, generate an API key for
# authenticated delivery.
#
# Usage example (in jail.local):
# [sshd]
# action = %(known/action)s
# flowtriq[flowtriq_webhook="https://flowtriq.com/webhooks/your-channel-id"]
#
# With authentication and a custom category:
# action = %(known/action)s
# flowtriq[flowtriq_webhook="https://flowtriq.com/webhooks/your-channel-id", flowtriq_apikey="your-api-key", flowtriq_category="ssh-bruteforce"]
#
[Definition]
# bypass action for restored tickets
norestored = 1
# Option: actionstart
# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed at the stop of jail (or at the end of Fail2Ban)
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
# <failures> number of failures
# <time> unix timestamp of the ban time
# Values: CMD
#
actionban = curl -sSf -X POST "<flowtriq_webhook>" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <flowtriq_apikey>" \
-d '{"ip":"<ip>","source":"fail2ban","jail":"<name>","category":"<flowtriq_category>","failures":<failures>}'
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Unban is a no-op; Flowtriq expires threat entries automatically.
# Values: CMD
#
actionunban =
[Init]
# Option: flowtriq_webhook
# Notes.: Your Flowtriq webhook URL. Create one from the Flowtriq dashboard
# under Settings > Integrations > Webhooks.
# Values: STRING Default: None (required)
flowtriq_webhook =
# Option: flowtriq_apikey
# Notes.: API key for webhook authentication (optional, recommended).
# Generate one from https://flowtriq.com/dashboard/settings
# Values: STRING Default: None
flowtriq_apikey =
# Option: flowtriq_category
# Notes.: Threat category for the reported IP. Common values:
# bruteforce, ddos, port-scan, web-attack, ssh-bruteforce
# Values: STRING Default: bruteforce
flowtriq_category = bruteforce