From f9b78ba92798da40509c5743c1d15e13d6a7f3ec Mon Sep 17 00:00:00 2001
From: Michael Gebetsroither
Date: Thu, 3 Jan 2013 18:46:31 +0100
Subject: [PATCH 1/3] add support for blocking through blackhole routes
---
 config/action.d/route.conf | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 config/action.d/route.conf
diff --git a/config/action.d/route.conf b/config/action.d/route.conf
new file mode 100644
index 00000000..2d11c700
--- /dev/null
+++ b/config/action.d/route.conf
@@ -0,0 +1,19 @@
+# Fail2Ban configuration file
+#
+# Author: Michael Gebetsroither
+#
+# This is for blocking whole hosts through blackhole routes.
+#
+# PRO:
+# - Works on all kernel versions and as no compatibility problems (back to debian lenny and WAY further).
+# - It's FAST for very large numbers of blocked ips.
+# - It's FAST because it Blocks traffic before it enters common iptables chains used for filtering.
+# - It's per host, ideal as action against ssh password bruteforcing to block further attack attempts.
+# - No additional software required beside iproute/iproute2
+#
+# CON:
+# - Blocking is per IP and NOT per service, but ideal as action against ssh password bruteforcing hosts
+ [Definition]
+actionban = ip route add blackhole
+actionunban = ip route del blackhole
From 03433f79cd52a87c3fd7309e7fe9967076bbb866 Mon Sep 17 00:00:00 2001
From: Michael Gebetsroither
Date: Fri, 4 Jan 2013 16:09:04 +0100
Subject: [PATCH 2/3] add example jail.conf for blocking through blackhole routes for ssh
---
 config/jail.conf | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/config/jail.conf b/config/jail.conf
index 3f2425b4..fb9f9ca0 100644
--- a/config/jail.conf
+++ b/config/jail.conf
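Review bot: The PRO line "Blocks traffic before it enters common iptables chains" overstates what a blackhole route does on the ingress side: the route affects the kernel's lookup for the banned address, so inbound packets are discarded only where reverse-path source validation (`rp_filter`) is in effect, and on newer kernels that skip source validation when it is off the packets still reach the listening daemon and only the replies are dropped (a UDP service would still process the requests). I would qualify that bullet, e.g. `# - Dropping inbound packets relies on net.ipv4.conf.*.rp_filter; without it only replies to the banned host are discarded.` The [Definition] section defines only `actionban`/`actionunban`, whereas fail2ban action files conventionally also spell out `actionstart`, `actionstop` and `actioncheck` (even if empty) and document each key with an `# Option:` / `# Notes.:` / `# Values:` header; adding those would keep this file consistent with its siblings. Note also that the rendered `ip route add blackhole` / `ip route del blackhole` lines show no destination; the trailing `<ip>` tag appears to have been stripped in rendering.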
@@ -101,6 +101,17 @@ action = hostsdeny
 ignoreregex = for myuser from
 logpath = /var/log/sshd.log
+# Here we use blackhole routes for not requiring any additional kernel support
+# to store large volumes of banned IPs
+
+[ssh-route]
+
+enabled = false
+filter = sshd
+action = route
+logpath = /var/log/sshd.log
+maxretry = 5
+
 # Here we use a combination of Netfilter/Iptables and IPsets
 # for storing large volumes of banned IPs
 #
From 47b1ee39d8e5e918afaea40f361b3932a2b8616e Mon Sep 17 00:00:00 2001
From: Daniel Black
Date: Sun, 17 Feb 2013 12:37:34 +1100
Subject: [PATCH 3/3] add blocking type
---
 config/action.d/route.conf | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/config/action.d/route.conf b/config/action.d/route.conf
index 2d11c700..ec940b74 100644
--- a/config/action.d/route.conf
+++ b/config/action.d/route.conf
@@ -15,5 +15,11 @@
 # - Blocking is per IP and NOT per service, but ideal as action against ssh password bruteforcing hosts
 [Definition]
-actionban = ip route add blackhole
-actionunban = ip route del blackhole
+actionban = ip route add
+actionunban = ip route del
+
+# Type of blocking
+#
+# Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
+
+type = blackhole
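Review bot: The two-line comment introducing `[ssh-route]` reads awkwardly ("for not requiring any additional kernel support") and leaves out the one operational consequence an administrator needs before enabling this jail: the route action blocks the banned address for every service on the host, not just ssh, so a false positive or a ban of a management address cuts off all access from it. I would reword it to `# Here we use blackhole routes, which need no additional kernel support,` / `# to store large volumes of banned IPs. The route action blocks the banned` / `# host for every service, so make sure your own addresses are in ignoreip.` The rest of the jail (`enabled = false`, `filter = sshd`, `maxretry = 5`) mirrors the neighbouring ssh jails and needs no change.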
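Review bot: With `actionunban = ip route del` followed by the configured type, an unban fails whenever `type` no longer matches the value the ban was created with (for example after the option is changed in a local override and the jail is reloaded while bans are active), because `ip route del` matches on the route type when one is given; the stale blackhole/unreachable/prohibit route then remains until someone removes it by hand. Either omit the type on the unban line — `actionunban = ip route del <ip>` presumably deletes the host route regardless of type, confirm against the iproute2 version in use — or extend the new comment to say that `type` must not be changed while bans exist. The comment should also note the disclosure difference between the values: `unreachable` and `prohibit` answer the banned host with an ICMP error and so reveal that it is being filtered, whereas `blackhole` discards silently, e.g. `# unreachable/prohibit reply with ICMP (host unreachable / admin prohibited) and disclose the ban; blackhole drops silently.` The rendered `ip route add` / `ip route del` lines show no arguments at all; the `<type>` and `<ip>` tags appear to have been stripped from the page.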