Add Flowtriq action for DDoS threat intel reporting

When fail2ban bans an IP, this action reports it to Flowtriq's threat
intelligence API for network-level DDoS correlation. On unban, the
report is removed. Configurable API key and threat category.

ChangeLog

@@ -124,6 +124,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
 * `filter.d/vaultwarden.conf` - new filter and jail for Vaultwarden (gh-3979)
 * `filter.d/xrdp.conf` - new filter for XRDP, an open source RDP server (gh-3254)
 * `fail2ban-regex` extended with new option `-i` or `--invert` to output not-matched lines by `-o` or `--out` (gh-4001)
+* `action.d/flowtriq.conf` - new action to report banned IPs to Flowtriq for DDoS threat intelligence correlation
 
 
 ver. 1.1.0 (2024/04/25) - object-found--norad-59479-cospar-2024-069a--altitude-36267km

config/action.d/flowtriq.conf

@@ -0,0 +1,81 @@
+# Fail2ban configuration file
+#
+# Action to report banned IPs to Flowtriq for DDoS threat intelligence.
+# Flowtriq correlates ban events across networks to build real-time threat
+# feeds and trigger network-level mitigation rules.
+#
+# You must have a Flowtriq account and API key.
+# Register at https://flowtriq.com and generate an API key from the dashboard.
+#
+# Usage example (in jail.local):
+#   [sshd]
+#   action = %(known/action)s
+#            flowtriq[flowtriq_apikey="your-api-key-here"]
+#
+# Optionally override the category (default: "bruteforce"):
+#   action = %(known/action)s
+#            flowtriq[flowtriq_apikey="your-api-key-here", flowtriq_category="ssh-bruteforce"]
+#
+
+[Definition]
+
+# bypass action for restored tickets
+norestored = 1
+
+# Option:  actionstart
+# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionban = curl -sSf -X POST "https://flowtriq.com/api/v1/threat-intel/report" \
+            -H "Content-Type: application/json" \
+            -H "Authorization: Bearer <flowtriq_apikey>" \
+            -d '{"ip":"<ip>","source":"fail2ban","jail":"<name>","category":"<flowtriq_category>","failures":<failures>}'
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+actionunban = curl -sSf -X DELETE "https://flowtriq.com/api/v1/threat-intel/report" \
+              -H "Content-Type: application/json" \
+              -H "Authorization: Bearer <flowtriq_apikey>" \
+              -d '{"ip":"<ip>","source":"fail2ban","jail":"<name>"}' \
+              || true
+
+[Init]
+
+# Option:  flowtriq_apikey
+# Notes.:  Your Flowtriq API key. Generate one from https://flowtriq.com/dashboard/settings
+# Values:  STRING  Default: None
+flowtriq_apikey =
+
+# Option:  flowtriq_category
+# Notes.:  Threat category for the reported IP. Common values:
+#          bruteforce, ddos, port-scan, web-attack, ssh-bruteforce
+# Values:  STRING  Default: bruteforce
+flowtriq_category = bruteforce