From 5ce075c8fb12df67db8cd41e06e8c9a9f4f54eb3 Mon Sep 17 00:00:00 2001 From: Jacob Date: Thu, 25 Jun 2026 15:25:32 -0400 Subject: [PATCH] Add Flowtriq action for DDoS threat intel reporting When fail2ban bans an IP, this action reports it to Flowtriq's threat intelligence API for network-level DDoS correlation. On unban, the report is removed. Configurable API key and threat category. --- ChangeLog | 1 + config/action.d/flowtriq.conf | 81 +++++++++++++++++++++++++++++++++++ 2 files changed, 82 insertions(+) create mode 100644 config/action.d/flowtriq.conf diff --git a/ChangeLog b/ChangeLog index 216ffe88..1ed9a332 100644 --- a/ChangeLog +++ b/ChangeLog @@ -124,6 +124,7 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition * `filter.d/vaultwarden.conf` - new filter and jail for Vaultwarden (gh-3979) * `filter.d/xrdp.conf` - new filter for XRDP, an open source RDP server (gh-3254) * `fail2ban-regex` extended with new option `-i` or `--invert` to output not-matched lines by `-o` or `--out` (gh-4001) +* `action.d/flowtriq.conf` - new action to report banned IPs to Flowtriq for DDoS threat intelligence correlation ver. 1.1.0 (2024/04/25) - object-found--norad-59479-cospar-2024-069a--altitude-36267km diff --git a/config/action.d/flowtriq.conf b/config/action.d/flowtriq.conf new file mode 100644 index 00000000..4669c9ae --- /dev/null +++ b/config/action.d/flowtriq.conf 
@@ -0,0 +1,81 @@ +# Fail2ban configuration file +# +# Action to report banned IPs to Flowtriq for DDoS threat intelligence. +# Flowtriq correlates ban events across networks to build real-time threat +# feeds and trigger network-level mitigation rules. +# +# You must have a Flowtriq account and API key. +# Register at https://flowtriq.com and generate an API key from the dashboard. +# +# Usage example (in jail.local): +# [sshd] +# action = %(known/action)s +# flowtriq[flowtriq_apikey="your-api-key-here"] +# +# Optionally override the category (default: "bruteforce"): +# action = %(known/action)s +# flowtriq[flowtriq_apikey="your-api-key-here", flowtriq_category="ssh-bruteforce"] +# + +[Definition] + +# bypass action for restored tickets +norestored = 1 + +# Option: actionstart +# Notes.: command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false). +# Values: CMD +# +actionstart = + +# Option: actionstop +# Notes.: command executed at the stop of jail (or at the end of Fail2Ban) +# Values: CMD +# +actionstop = + +# Option: actioncheck +# Notes.: command executed once before each actionban command +# Values: CMD +# +actioncheck = + +# Option: actionban +# Notes.: command executed when banning an IP. Take care that the +# command is executed with Fail2Ban user rights. +# Tags: IP address +# number of failures +#
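Review bot: the new ChangeLog entry `* \`action.d/flowtriq.conf\` - new action to report banned IPs to Flowtriq for DDoS threat intelligence correlation` is the only line in the `1.1.1-dev-1` section without an issue or PR reference, while the neighbouring entries carry `(gh-3979)`, `(gh-3254)` and `(gh-4001)`. Append the `gh-` number for this change once it has one, and since this is the first entry in the list that sends data to a third-party service, say so in the entry (for example "opt-in action that reports banned IPs to the external Flowtriq API") so a reader of the ChangeLog can tell it apart from the local filters and actions around it.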
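Review bot: `actionstart`, `actionstop` and `actioncheck` are all left empty even though the header comment makes `flowtriq_apikey` mandatory (`You must have a Flowtriq account and API key.`), so a jail configured as `flowtriq[flowtriq_apikey=""]`, or with the parameter omitted, is accepted at start and only fails at the first ban, with the failure repeated in the log on every subsequent ban. Put the guard in `actionstart`, for example `actionstart = [ -n "<flowtriq_apikey>" ] || { echo "flowtriq: flowtriq_apikey is not set" >&2; exit 1; }`, so the misconfiguration surfaces once, at jail start when `actionstart_on_demand` is false and otherwise at the first ban, as the option's own comment in this hunk describes. The header also promises a default category of `bruteforce` and documents `flowtriq_category` as an override; in the portion of the file shown there is no `[Init]` section declaring `flowtriq_apikey` and `flowtriq_category` with those defaults, so if the rest of the file does not add one, it needs adding for the documented default to apply. Two documentation points for the same header: because the key is substituted into a shell command by fail2ban, the usage example should tell users to keep it in `jail.local` with restrictive permissions rather than in a world-readable `jail.conf`, and since this is an external reporting action the header should list exactly what is transmitted (the IP, the failure count, the category, anything else) so operators can judge what leaves the host. `norestored = 1` is the right choice here, as re-reporting every ticket restored from the database on restart would replay reports into the feed.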