Merge 36c2ee6dff into 9887ee4412

ChangeLog

@@ -98,6 +98,8 @@ ver. 1.1.1-dev-1 (20??/??/??) - development nightly edition
   by first ban (and automatically reloaded by update after small latency to avoid expensive stats check on every compare);
   the entries inside the file can be separated by comma, space or new line with optional comments (text following chars
   `#` or `;` after space or newline would be ignored up to next newline)
+  * `action.d/ellio.conf` - new action to send blocked IPs to ELLIO EDL (External Dynamic List) Management for centralized
+  IP blocking and multi-firewall deployment
 * `action.d/*-ipset.conf`:
   - parameter `ipsettype` to set type of ipset, e. g. hash:ip, hash:net, etc (gh-3760)
 * `action.d/iptables.conf` - action and few derivatives of it extended to handle multiple chains,

config/action.d/ellio.conf

@@ -0,0 +1,79 @@
+# Fail2ban action configuration for ELLIO API
+#
+# This action sends blocked IPs to ELLIO's EDL (External Dynamic List) Management Platform
+# for centralized IP blocking and distribution across multiple firewalls.
+#
+# Usage in jail.conf or jail.local:
+#   action = ellio[api_key="your_api_key",
+#                      ruleset_id="your_ruleset_id",
+#                      expires_in_days="14"]
+#
+# Author: ELLIO Technology Integration
+
+[Definition]
+
+# Option:  actionstart
+# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
+# Values:  CMD
+#
+actionstart =
+
+# Option:  actionstop
+# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
+# Values:  CMD
+#
+actionstop =
+
+# Option:  actioncheck
+# Notes.:  command executed once before each actionban command
+# Values:  CMD
+#
+actioncheck =
+
+# Option:  actionban
+# Notes.:  command executed when banning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+#          <name> name of the jail
+# Values:  CMD
+# 
+# Using https://docs.ellio.tech/edl-management/API/add-rule to dynamicaly populate IP Ruleset
+actionban = curl -s -o /dev/null -X POST \
+            -H "accept: application/json" \
+            -H "X-API-Key: <api_key>" \
+            -H "Content-Type: application/json" \
+            -d '{"conflict_resolution": "extend", "expires_in_days": <expires_in_days>, "ip": "<ip>", "name": "<name> - <failures> failures - banned at '"$(date --date=@<time> +'%%Y-%%m-%%d %%H:%%M:%%S')"'"}' \
+            <_ellio_api_url>
+
+# Option:  actionunban
+# Notes.:  command executed when unbanning an IP. Take care that the
+#          command is executed with Fail2Ban user rights.
+# Tags:    <ip>  IP address
+#          <failures>  number of failures
+#          <time>  unix timestamp of the ban time
+# Values:  CMD
+#
+# Note: We'll leave this empty as the rules will expire automatically. When this intergration is deployed to multiple machines unbanning is not advised. 
+actionunban =
+
+# API endpoint URL
+_ellio_api_url = https://api.ellio.tech/v1/edl/ip-rulesets/<ruleset_id>/rules
+
+[Init]
+
+# Option:  api_key
+# Notes:   Your ELLIO API key for authentication (required)
+# Values:  STRING  Default: None
+api_key = 
+
+# Option:  ruleset_id
+# Notes:   The ruleset ID where blocked IPs will be added (required)
+# Values:  STRING  Default: None
+ruleset_id = 
+
+# Option:  expires_in_days
+# Notes:   Number of days before the IP block expires
+# Values:  INTEGER  Default: 3
+expires_in_days = 3