Time-based Whitelisting - Feature Request #2013
Comments
Just as a thought: possibly pass2allow would be good enough as alternative white-listing for you in this case, for realization see e. g. jail pass2allow-ftp |
I don't think an enhancement like this will provide great benefits for fail2ban:
|
I must contradict here ... We are a Hosting Provider using fail2ban on our Shared Hosting Servers (next to Customer VHosts, ...). Also reload persistent Whitelist for CLI added (fail2ban-client addignoreip) IPs would be a big Deal here ... Andreas Schnederle-Wagner |
So why the |
IPs which I add through "fail2ban-client addignoreip" are always getting purged when the fail2ban service is reloaded - not persistent? |
Yes, all the parameters supplied via But my question was about
[DEFAULT]
# since latest 0.10 it can be cached (here - max 100 ips for max 5 minutes):
ignorecache = key="<ip>", max-count=100, max-time=5m
# example 1: check IP is in table ignore_ips (sqlite3 database my-ignored-ips.sqlite3):
ignorecommand = [ $(sqlite3 /var/lib/fail2ban/my-ignored-ips.sqlite3 \
                "select 'ign' from ignore_ips where ip = '<ip>' limit 1") = "ign" ]
[jail_x]
# example 2: with single IP check (returns 0 if ignore, 1 otherwise):
ignorecommand = [ "<ip>" = "10.0.0.1" ]
[jail_y]
# example 3: with check via batch-script:
ignorecommand = /path/to/my-scripts/check-ip-ignored.sh "<ip>"
So again, why is it not sufficient enough for you? |
@sebres - of course that's a nice approach - but unfortunately not flexible enough for Hosting Providers. fail2ban-client set jail addignoreip 1.1.1.1 5d //5 Days or something like that ... Expiry Date for Whitelist ... |
Come on! It looks like an attempt to relocate "your" work onto our shoulders... :) Seriously, I still do not understand why you cannot provide this yourself - I believe you surely have some list or SQL table where you store these IPs (with expiration or start date).
_ignorestatement = select 'ign' from ignore_ips
                   where ip = '<ip>' and (datetime('now') < expired or expired is null) limit 1
ignorecommand = [ $(sqlite3 my-ignored-ips.sqlite3 "%(_ignorestatement)s") = "ign" ]
Then execution of the following code will add 3 IPs to your own "whitelist":
sqlite3 my-ignored-ips.sqlite3 "insert or replace into ignore_ips
  (ip, expired) values ('192.0.2.1', datetime('now', '+5 days'))"
sqlite3 my-ignored-ips.sqlite3 "insert or replace into ignore_ips
  (ip, expired) values ('192.0.2.2', datetime('now', '+1 month'))"
sqlite3 my-ignored-ips.sqlite3 "insert or replace into ignore_ips
  (ip, expired) values ('192.0.2.3', NULL)"
In this example: 192.0.2.1 - for 5 days, 192.0.2.2 - for 1 month and 192.0.2.3 - without expiration... Fast, permanent and totally under your control. To do a clean-up, this script can be used as a cron job/systemd timer (e. g. once per night):
sqlite3 my-ignored-ips.sqlite3 "delete from ignore_ips where datetime('now') > expired" |
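The expiring ignore list described in the comment above, collected into one script as an added example (not code from this thread or from fail2ban). The table layout and the function names are assumptions; the query uses bound parameters instead of interpolating `<ip>` into the SQL text, and an unparseable TTL is rejected because SQLite would otherwise store NULL, which the check treats as "never expires".

```python
"""Expiring ignore list for fail2ban's ignorecommand (added example, constructed)."""
import ipaddress
import sqlite3
import sys

# Assumed schema: the thread never shows the table definition.
SCHEMA = """create table if not exists ignore_ips (
    ip text primary key,  -- canonical address text
    expired text          -- UTC 'YYYY-MM-DD HH:MM:SS'; NULL = no expiry
)"""

def open_db(path):
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db

def canonical(ip):
    """Validate and normalise an address; raises ValueError on anything else."""
    return str(ipaddress.ip_address(ip))

def add_ip(db, ip, ttl=None):
    """ttl is an SQLite modifier such as '+5 days'; None means no expiry."""
    expires = None
    if ttl is not None:
        expires = db.execute("select datetime('now', ?)", (ttl,)).fetchone()[0]
        if expires is None:  # SQLite yields NULL for a modifier it cannot parse
            raise ValueError(f"bad ttl modifier: {ttl!r}")
    db.execute("insert or replace into ignore_ips (ip, expired) values (?, ?)",
               (canonical(ip), expires))
    db.commit()

def is_ignored(db, ip):
    try:
        ip = canonical(ip)
    except ValueError:
        return False  # junk input is never whitelisted
    row = db.execute(
        "select 1 from ignore_ips where ip = ? "
        "and (expired is null or datetime('now') < expired) limit 1", (ip,)).fetchone()
    return row is not None

def purge(db):
    """Nightly clean-up; returns the number of expired rows removed."""
    cur = db.execute("delete from ignore_ips where datetime('now') > expired")
    db.commit()
    return cur.rowcount

if __name__ == "__main__":  # exit 0 = ignore, 1 = do not ignore
    sys.exit(0 if is_ignored(open_db(sys.argv[1]), sys.argv[2]) else 1)
```

Assumed wiring, with a hypothetical script name: `ignorecommand = /path/to/my-scripts/check_ignored.py /var/lib/fail2ban/my-ignored-ips.sqlite3 "<ip>"`.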
Hey there, |
I'd very much like to see a temporary ignoreip= in whitelist.conf or better yet some condition-based flags that can be associated with a particular IP entry.
The problem I'm trying to solve here is that IPs are whitelisted manually but rarely removed so if I want to whitelist an IP for 1 week I'd have to manually remove it after making the ignoreip= entry.