Introduction: I use fail2ban to
block excess login attempts at my
work place and it does a great job, but I kept seeing the same IP's
being banned and wanted a way to keep track of repeat offenders.
Fail2SQL is called by Fail2Ban and
logs information to a MySQL database including geographical location and total ban count. This information can then be used in reports, graphs
or by third party programs to take further action such as permanent
blocking, reporting to ISP etc..
Fail2SQL is written in PHP and makes use of the MaxMind GeoIP PHP API.
Download Fail2SQL, untar and read the README file for installation instructions. The following information is logged to MySQL: Name (from fail2ban) Protocol Port IP Count (total banned) Longitude Latitude Country Code Geo Data (city, country) Sample Output: [root@server fail2sql]# ./fail2sql -l HTTP(80/tcp): XXX.65.YYY.217 | Count: 6 | Geo: Lisboa, Portugal SSH(22/tcp): XXX.19.YYY.132 | Count: 20 | Geo: Perth, Australia |