This refactors the AbuseIPDB integration for Fail2Ban with major improvements:
- Introduced separate lock files (LOCK_INIT, LOCK_BAN, LOCK_DONE) to better handle concurrent
initialization and prevent race conditions during restarts.
- LOCK_BAN → serializes ban reports to the API (during actionban).
- LOCK_DONE → can signal completion or be used for future synchronization (like restart-safe exits).
- LOCK_INIT with flock in actionstart to prevent concurrent
initialization, ensuring SQLite and log file integrity during parallel
Fail2Ban restarts or multiple jail startups.
- Enhanced argument validation for both actionstart and actionban to prevent silent failures.
- Improved database initialization checks, ensuring proper creation of directories and log files.
- Added persistent SQLite pragmas for performance optimization under concurrent access.
- Refined error handling and logging for API interactions, including better detection of
rate-limiting (HTTP 429) and invalid responses.
- Implemented consistent whitespace trimming and sanitization on IP addresses and bantime inputs.
- Improved modularity with dedicated helper functions, reducing code duplication and improving
maintainability.
- Ensured background execution with better log redirection and failure tracking.
- Verify local DB insertions, aborting the process on failure to prevent
incomplete or invalid state.
- Roll back local DB entries if AbuseIPDB reporting fails, ensuring no
orphaned records remain.
- Replace basic info logs with clear status and error messages to improve
traceability and debugging.
- Maintain high integrity between the local database and AbuseIPDB by
only proceeding when all previous steps succeed.
- Shift from a "continue regardless" flow to a controlled stop on any
critical error, ensuring system reliability.

Previously, the script assumed success of key steps, risking stale database
entries, silent API call failures, and duplicate reports after Fail2Ban
restarts. These changes improve reliability, prevent data corruption under
high concurrency, and ensure accurate synchronization between local db and
AbuseIPDB API.

since line 7 matches successfully now (it was disabled in gh-358 because of obsolete format), it is marked as match:true (line can be removed later if unneeded)

configuration `ignoreip` and fail2ban-client commands `addignoreip`/`delignoreip` extended with `file:...` syntax to ignore IPs from file-ip-set (containing IP, subnet, dns/fqdn or raw strings);
the file would be read lazily on demand, by first ban (and automatically reloaded by update after small latency to avoid expensive stats check on every compare);
the entries inside the file can be separated by comma, space or new line with optional comments (text following chars # or ; after space or newline would be ignored up to next newline)
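
The file format described in the `ignoreip` commit message above, as an added example that is not fail2ban's own code: a Python sketch that strips comments, splits the entries and classifies each one. Treating the start of the file like the start of a line, the simplified hostname pattern, the function names and the sample content are assumptions made for this illustration; no DNS resolution is attempted.

```python
import ipaddress
import re

# Constructed sample file content (not taken from the fail2ban project).
SAMPLE = """\
# trusted hosts
192.0.2.10, 198.51.100.0/24 ; office range
2001:db8::/32
monitor.example.org   # hostname entry
raw#token;kept
"""

# Assumption: a comment starts with '#' or ';' at the start of a line or after
# whitespace and runs to the next newline; '#' or ';' inside a token is kept.
_COMMENT = re.compile(r"(?:^|(?<=\s))[#;][^\n]*", re.MULTILINE)
_FQDN = re.compile(r"^(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")  # simplified


def parse_ip_set(text):
    """Return the entries of an ignore file with comments removed."""
    return [e for e in re.split(r"[,\s]+", _COMMENT.sub("", text)) if e]


def classify(entry):
    """Label an entry as 'ip', 'subnet', 'dns' or 'raw'."""
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(entry, strict=False)
        return "subnet"
    except ValueError:
        pass
    return "dns" if _FQDN.match(entry) else "raw"


def is_ignored(ip, entries):
    """True if ip equals an 'ip' entry or falls inside a 'subnet' entry."""
    addr = ipaddress.ip_address(ip)
    for e in entries:
        kind = classify(e)
        if kind == "ip" and addr == ipaddress.ip_address(e):
            return True
        if kind == "subnet" and addr in ipaddress.ip_network(e, strict=False):
            return True
    return False
```

The last sample line shows the edge case in the format description: `#` and `;` only start a comment after whitespace or a newline, so `raw#token;kept` survives as one raw entry.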

- Replace local file storage with AbuseIPDB SQLite database.
- Offload heavy tasks to background to avoid latency during concurrent actionban calls.
- Add global lock to ensure actionstart runs only once across all jails.

fix syntax in example, because `dst` as command parameter doesn't have precedence over or-expression, so second `sport` would ignore `dst` and kill any connection for https regardless of the IP

- Reorganized script to be used by both 'actionstart' and 'actionban' in 'abuseipdb.local'
- Isolated heavy 'actionstart' tasks using nohup to prevent latency
- Removed redundant API checks to improve performance and reduce overhead
- Implemented a lock mechanism to prevent 'actionban' execution if 'actionstart' fails
- Ensured 'actionban' does not run at runtime due to missing dependencies or permission issues

- Added an override configuration to enhance Fail2Ban’s AbuseIPDB integration.
- Introduced a local banned IP list for better isolation from Fail2Ban.
- Optimized API calls (`/v2/check` → `/v2/report`) to reduce redundant reports.
- Ensured `norestored=1` handling to prevent re-reporting after restarts.
- Improved logging and added custom comments to avoid sensitive data exposure.
This override provides more control, efficiency, and security while maintaining compatibility with the main configuration.

- Clarified integration steps for placing the script in 'action.d'
- Updated example configuration with correct script name 'fail2ban-abuseipdb.sh'
- Emphasized the need to set 'abuseipdb_apikey' in the config file
- Improved formatting and readability for better user understanding
No functional changes, just documentation updates.