Fail2ban: graphically examine attackers

How To graphically examine your attackers:

nano /etc/fail2ban/iptables-multiport.local

It tells fail2ban to do a request to our API for each IP that triggers this action (e.g. multiple failed logins). The only difference to the original is this line:

wget -q -O /dev/null www.badips.com/add//

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
# Modified by Yaroslav Halchenko for multiport banning and Lukas Camenzind for persistent banning 
#
#
[Definition]
# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-
              iptables -A fail2ban- -j RETURN
              iptables -I INPUT -p  -m multiport --dports  -j fail2ban-
              # Load local list of offenders
              if [ -f /etc/fail2ban/ip.blacklist ]; then cat /etc/fail2ban/ip.blacklist | grep -e $ | cut -d "," -s -f 1 | while read IP; do iptables -I fail2ban- 1 -s $IP -j DROP; done; fi
# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D INPUT -p  -m multiport --dports  -j fail2ban-
             iptables -F fail2ban-
             iptables -X fail2ban-
# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L INPUT | grep -q fail2ban-
# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:      IP address
#            number of failures
#            unix timestamp of the ban time
# Values:  CMD
#
actionban = if ! iptables -C fail2ban- -s  -j DROP; then iptables -I fail2ban- 1 -s  -j DROP; fi
            # Add offenders to local blacklist, if not already there
            if ! grep -Fxq ',' /etc/fail2ban/ip.blacklist; then echo ',' >> /etc/fail2ban/ip.blacklist; fi
            # Report offenders to badips.com
            wget -q -O /dev/null www.badips.com/add//
# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:      IP address
#            number of failures
#            unix timestamp of the ban time
# Values:  CMD
#
actionunban = iptables -D fail2ban- -s  -j DROP
              # Disabled clearing out entry from ip.blacklist (somehow happens after each stop of fail2ban)
              # sed --in-place '/,/d' /etc/fail2ban/ip.blacklist
[Init]
# Defaut name of the chain
#
name = default
# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = ssh
# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: tcp
# 

http://www.fail2ban.org/wiki/index.php/HOWTOs https://www.netmess.org/examine-your-attackers/