addToFail2Ban

sudo apt-get install fail2ban
2 years ago · b15ef2ac0e
2 changed files with 37 additions and 22 deletions
--- a/api.json
+++ b/api.json
@ -39,7 +39,8 @@
 				"timeout": 1800,
 				"invalidPercent": 30,
 				"checkThreshold": 30,
-				"malformedLimit": 5
+				"malformedLimit": 5,
+				"fail2banCommand": "fail2ban-client"
 			},
 			"limits": {
 				"enabled": false,
--- a/policy/policy.go
+++ b/policy/policy.go
@ -39,6 +39,7 @@ type Banning struct {
 	InvalidPercent  float32 `json:"invalidPercent"`
 	CheckThreshold  int32   `json:"checkThreshold"`
 	MalformedLimit  int32   `json:"malformedLimit"`
+	Fail2BanCommand string  `json:"fail2banCommand"`
 }

 type Stats struct {
@ -69,6 +70,34 @@ type PolicyServer struct {
 	walletblacklist []string
 }

+// addToFail2Ban adds the given IP address to Fail2Ban's blacklist.
+func addToFail2Ban(ip string) error {
+	cmd := exec.Command("fail2ban-client", "set", "blacklist", "add", ip)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("Error adding to Fail2Ban: %v, Output: %s", err, output)
+	}
+	return nil
+}
+
+// doBan bans the specified IP address using the configured IPSet and timeout.
+func (s *PolicyServer) doBan(ip string) {
+	set, timeout := s.config.Banning.IPSet, s.config.Banning.Timeout
+	cmd := fmt.Sprintf("sudo ipset add %s %s timeout %v -!", set, ip, timeout)
+	args := strings.Fields(cmd)
+	head := args[0]
+	args = args[1:]
+
+	log.Printf("Banned %v with timeout %v on ipset %s", ip, timeout, set)
+
+	_, err := exec.Command(head, args...).Output()
+	if err != nil {
+		log.Printf("CMD Error: %s", err)
+		// Add a call here to add the IP address to Fail2Ban
+		addToFail2Ban(ip)
+	}
+}
+
 func Start(cfg *Config, storage *storage.RedisClient) *PolicyServer {
 	s := &PolicyServer{config: cfg, startedAt: util.MakeTimestamp()}
 	grace := util.MustParseDuration(cfg.Limits.Grace)
@ -338,21 +367,6 @@ func (s *PolicyServer) InWhiteList(ip string) bool {
 	return util.StringInSlice(ip, s.whitelist)
 }

-func (s *PolicyServer) doBan(ip string) {
-	set, timeout := s.config.Banning.IPSet, s.config.Banning.Timeout
-	cmd := fmt.Sprintf("sudo ipset add %s %s timeout %v -!", set, ip, timeout)
-	args := strings.Fields(cmd)
-	head := args[0]
-	args = args[1:]
-
-	log.Printf("Banned %v with timeout %v on ipset %s", ip, timeout, set)
-
-	_, err := exec.Command(head, args...).Output()
-	if err != nil {
-		log.Printf("CMD Error: %s", err)
-	}
-}
-
 func (x *Stats) heartbeat() {
 	now := util.MakeTimestamp()
 	atomic.StoreInt64(&x.LastBeat, now)