-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
enrich ip information from internetdb.shodan.io #3422
base: master
Are you sure you want to change the base?
Conversation
Why? I mean for which purposes is it saved there? If you use the info by yourself somewhere in a UI (web-form etc) or protocol, why it is needed immediately if IP gets banned and not on demand if it gets listed in the UI or that protocol. |
First is the reason why it saves to /etc/fail2ban/jail.d is because this is where it stores IP lists that have been banned. I assume it is easy for users to find more banned IP info. Second is necessary to the time of ban. I just simply think that when an IP is unbanned it will be removed from jail.d, so I don't think that IP info is necessary anymore. My idea simply enriches IP details when it is being banned. I would be glad to have some suggestions from you. |
Again, for which exactly? You did not explain what you (or a user of that info) would achieve with that. And why it is necessary to time of ban.
Well, and I don't understand yet exactly that point - or rather its possible uses (and why it is needed at the time of ban). |
It's similar to providing GeoIP information about the banned IP. The information from InternetDB would tell the user whether the connection came from a compromised IP, VPN, etc. It can be helpful to identify behaviors in activity that are happening against a network to create potential firewall rules or simply get a better understanding of who's attacking. |
I know that it could be helpful and what it would tell the user... One can basically accumulate all information the world knows about the IP (and therefore probably retards the ban process for every single IP for minutes or hours)... However the question "why?" still remains. Simplest "fix" for such action would be to force running of that command in the background asynchronously ( nohup cmd "<ip>" > /dev/null 2>&1 & Just it may also introduce further issues, e. g. generate heavy load if some flood suddenly causes many bans for many IPs at once, etc... So normally one would either create some worker (or pool of them) retrieving that after ban asynchronously or provide a function capturing that info on demand (to time the user really needs it, not to time of ban). |
Ah I think I understand. Yes, it could definitely run in the background. It isn't necessary to run synchronously with the ban as the information isn't consumed during ban time. The purpose was just to have a file that can be looked at to fingerprint the types of IPs that were banned. |
Action
shodan-internetdb
adds open ports, vulnerabilities and other information to IPs when being banned. The result is save to /etc/fail2ban/jail.d/fail2ban-shodan-internetdb.csv.shodan-internetdb
use the free InternetDB API that is available to everybody and doesn't require an API key.