Fail2SQL v1.0

============ Introduction

Fail2SQL is called by Fail2Ban and logs information to a MySQL database including geographical location and total ban count. This information can then be used in reports, graphs or by third party programs to take further action such as permanent blocking, reporting to ISP etc..

Fail2SQL is written in PHP and makes use of the MaxMind GeoIP PHP API.

The following information is logged to MySQL: Name (from fail2ban) Protocol Port IP Count (total banned) Longitude Latitude Country Code Geo Data (city, country)

Sample Output: [root@server fail2sql]# ./fail2sql -l HTTP(80/tcp): XXX.65.YYY.217 | Count: 6 | Geo: Lisboa, Portugal SSH(22/tcp): XXX.19.YYY.132 | Count: 20 | Geo: Perth, Australia

============ Installation

1. Create a MySQL database called fail2ban
2. Create fail2ban MySQL user to access fail2ban database (needs INSERT, UPDATE, DELETE)
3. Create table by piping fail2ban.sql into mysql (mysql -u fail2ban -p fail2ban < fail2ban.sql)
4. Edit fail2sql and change home path and sql login details at the top of the file.
5. Update Geo IP Database (./fail2ban -u)
6. Tell fail2ban to call fail2sql by appending to actionban in your action script.

Example for /etc/fail2ban/action.d/iptables.conf

actionban = iptables -I fail2ban- 1 -s -j DROP /usr/local/fail2sql/fail2sql

===== Usage

fail2sql [-h|-l|-c|-u] -h: The help page -l: List entries in the database (max 50 showed) -c: Clear the database and start fresh -u: Update GeoIP database (downloads from maxmind)