Time-based Whitelisting - Feature Request #2013

Open
arvoshift opened this issue Jan 9, 2018 · 9 comments

@arvoshift

I'd very much like to see a temporary ignoreip= in whitelist.conf or better yet some condition-based flags that can be associated with a particular IP entry.

The problem I'm trying to solve here is that IPs are whitelisted manually but rarely removed, so if I want to whitelist an IP for 1 week, I'd have to manually remove it after making the ignoreip= entry.

@sebres
Contributor

sebres commented Jan 9, 2018

Just a thought: possibly pass2allow would be good enough as an alternative white-listing for you in this case; for an implementation see e.g. jail pass2allow-ftp

@sebres
Contributor

sebres commented Jul 9, 2018

I don't think an enhancement like this will provide great benefits for fail2ban:

  • option ignorecommand can be used to check whether the IP should be ignored (and if "Cache for ignore-facilities (for ignoreip, ignoreself and ignorecommand)" #2176 gets merged, it's fast enough also);
  • you could use fail2ban-client (addignoreip and delignoreip) to add your white-listed IPs and remove them afterwards via cron or a systemd timer unit;
  • and last but not least, the ignore... primitives are just a way out to avoid mistaken banning, so normally it is better that the service just does not produce a failure log entry from white-listed IPs at all.

@futureweb

I must contradict here ... We are a Hosting Provider using fail2ban on our Shared Hosting Servers (next to Customer VHosts, ...).
Very often we need to put Customer IPs on the Whitelist to prevent getting their whole Company Network banned until a PC/Service Technician can look at their Devices to see what's going wrong (PW changes on Mailboxes, new Boxes which get configured wrong by the Customer, insert some dozens of different reasons here, ...)
So in fact it's daily business for Providers like us getting the IPs on the Whitelist - and it would help big times to have Time-Limited Whitelisting. (as it's double work to get back to the Whitelist later and remove the entry)

Also a reload-persistent Whitelist for CLI added (fail2ban-client addignoreip) IPs would be a big Deal here ...

Andreas Schnederle-Wagner

@sebres
Contributor

sebres commented Oct 4, 2018

So why would ignorecommand not be suitable in your case?

@futureweb

IPs which I add through "fail2ban-client addignoreip" are always purged when the fail2ban Service is reloaded - not persistent?

@sebres
Contributor

sebres commented Oct 4, 2018

Yes, all the parameters supplied via fail2ban-client are simply run-time values (thus not persistent)...
For persistent entries there are config-files.

But my question was about ignorecommand, so why not something like:

[DEFAULT]
# since latest 0.10 it can be cached (here - max 100 ips for max 5 minutes):
ignorecache = key="<ip>", max-count=100, max-time=5m

# example 1: check IP is in table ignore_ips (sqlite3 database my-ignored-ips.sqlite3):
# (substitution is quoted, so an empty result is compared as "" instead of breaking the test)
ignorecommand = [ "$(sqlite3 /var/lib/fail2ban/my-ignored-ips.sqlite3 \
                      "select 'ign' from ignore_ips where ip = '<ip>' limit 1")" = "ign" ]

[jail_x]
# example 2: with single IP check (returns 0 if ignore, 1 otherwise):
ignorecommand = [ "<ip>" = "10.0.0.1" ]

[jail_y]
# example 3: with check via batch-script:
ignorecommand = /path/to/my-scripts/check-ip-ignored.sh "<ip>"

So again, why is it not sufficient for you?

sebres added the how-to label Oct 4, 2018

@futureweb

@sebres - of course that's a nice approach - but unfortunately not flexible enough for Hosting Providers.
Often Customer tells our Support Staff that Technician is coming in X Days - then Whitelisting will be deleted in X+1, ...
It would be nice if one could just say

fail2ban-client set jail addignoreip 1.1.1.1 5d //5 Days
fail2ban-client set jail addignoreip 1.1.1.1 15d //15 Days
...

or something like that ...

Expiry Date for Whitelist ...
Right now we have a centralized custom GUI for all Servers running fail2ban - with ban/unban/whitelist functionality so that normal Support Staff can easily manage fail2ban ... just saying it would help big times if they were also capable of adding time based whitelist entries ... ;-)

@sebres
Contributor

sebres commented Oct 4, 2018

Come on! It looks like an attempt to relocate "your" work onto our shoulders... :)

Seriously, I still do not understand why you cannot provide this yourself - I believe you surely have some list or SQL table where you store these IPs (with expiration or start date).
So what you need is just some date expression. For example, in the case of an expiration date with the SQL-table method, you can simply extend your table with an expired column and build something like this:

_ignorestatement = select 'ign' from ignore_ips 
                   where ip = '<ip>' and (datetime('now') < expired or expired is null) limit 1
ignorecommand = [ "$(sqlite3 my-ignored-ips.sqlite3 "%(_ignorestatement)s")" = "ign" ]

Then executing the following code will add 3 IPs to your own "whitelist":

sqlite3 my-ignored-ips.sqlite3 "insert or replace into ignore_ips 
  (ip, expired) values ('192.0.2.1', datetime('now', '+5 days'))"
sqlite3 my-ignored-ips.sqlite3 "insert or replace into ignore_ips 
  (ip, expired) values ('192.0.2.2', datetime('now', '+1 month'))"
sqlite3 my-ignored-ips.sqlite3 "insert or replace into ignore_ips 
  (ip, expired) values ('192.0.2.3', NULL)"

In this example: 192.0.2.1 - for 5 days, 192.0.2.2 - for 1 month and 192.0.2.3 - without expiration...

Fast, permanent and totally under your control.

To do a clean-up, this script can be used as a cron job/systemd timer (e.g. once per night):

sqlite3 my-ignored-ips.sqlite3 "delete from ignore_ips where datetime('now') > expired"
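
An added example, not part of the thread and not fail2ban code: the expiring ignore list described above as one Python script that can serve as the ignorecommand check (exit 0 = ignore), accepts the "5d"-style durations requested earlier, and does the nightly clean-up. The table schema, the duration syntax and the sub-commands (check, add, purge) are assumptions; the database path is the one from example 1.

```python
"""Expiring ignore list for use as a fail2ban ignorecommand (exit 0 = ignore)."""
import ipaddress
import re
import sqlite3
import sys
from datetime import datetime, timedelta, timezone

DB_PATH = "/var/lib/fail2ban/my-ignored-ips.sqlite3"  # path from the thread's example 1
FMT = "%Y-%m-%d %H:%M:%S"  # UTC text, same format as SQLite's datetime('now')
UNITS = {"m": "minutes", "h": "hours", "d": "days", "w": "weeks"}  # assumed syntax

def open_db(path=DB_PATH):
    conn = sqlite3.connect(path)
    # Assumed schema: ip is the primary key, so "insert or replace" updates an entry.
    conn.execute("create table if not exists ignore_ips (ip text primary key, expired text)")
    return conn

def _stamp(now=None):
    return (now or datetime.now(timezone.utc)).strftime(FMT)

def parse_duration(spec):
    """'5d' -> timedelta(days=5); None or '' -> None, meaning no expiry."""
    m = re.fullmatch(r"(\d+)([mhdw])", spec or "")
    if spec and not m:
        raise ValueError("bad duration: %r" % spec)
    return timedelta(**{UNITS[m.group(2)]: int(m.group(1))}) if m else None

def add_ignore(conn, ip, spec=None, now=None):
    ip = str(ipaddress.ip_address(ip))  # raises ValueError unless a single valid IP
    delta = parse_duration(spec)
    expired = _stamp((now or datetime.now(timezone.utc)) + delta) if delta else None
    with conn:  # commit on success; values are bound, never spliced into the SQL
        conn.execute("insert or replace into ignore_ips (ip, expired) values (?, ?)", (ip, expired))

def is_ignored(conn, ip, now=None):
    ip = str(ipaddress.ip_address(ip))
    return conn.execute("select 1 from ignore_ips where ip = ? and "
                        "(expired is null or ? < expired) limit 1",
                        (ip, _stamp(now))).fetchone() is not None

def purge_expired(conn, now=None):
    with conn:  # rows with expired = NULL never match and are kept
        return conn.execute("delete from ignore_ips where expired < ?", (_stamp(now),)).rowcount

if __name__ == "__main__":  # usage: check <ip> | add <ip> [5d] | purge
    cmd, args, db = sys.argv[1], sys.argv[2:], open_db()
    if cmd == "check":  # any error (bad IP, unreadable DB) exits non-zero: not ignored
        sys.exit(0 if is_ignored(db, *args) else 1)
    {"add": add_ignore, "purge": purge_expired}[cmd](db, *args)
```

It would be wired in the same way as example 3, e.g. `ignorecommand = python3 /path/to/my-scripts/ignore_ips.py check "<ip>"` (the script name is hypothetical), with `purge` run from the nightly cron job or systemd timer.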

@futureweb

Hey there,
with hundreds of different Servers (shared, managed, unmanaged, ...) it's always preferable to get functionality out of stock instead of custom implementations, as it increases complexity with that many systems.
But I like the approach you pointed out with your last Posting and will have a look into it.
thx, bye from Austria
Andreas
