Banhammer Map Blocked IPs From Fail2ban
Displays locations of IP addresses banned using fail2ban on a Google map.
1. Download Ban Hammer
Clone the repository to a directory of your choosing
git clone https://git.demonlabs.be/ghoul/banhammer
2. Prepare the web scripts
Copy the contents of the www folder into your webroot.
Get a Google Maps API key and add it to index.html.
<script type="text/javascript" src="https://maps.googleapis.com/maps/api/js?key=ENTER_YOUR_GOOGLEMAPS_API_KEY_HERE"></script>
Create a MySQL database and edit debinfo.php accordingly:
<?php
$db_host = '127.0.0.1';
$db_user = 'fail2ban';
$db_pwd = 'PASSWORD';
$database = 'fail2ban';
$table = 'fail2ban';
?>
Import the database structure file fail2ban.sql into this database:
mysql -u fail2ban -p fail2ban < fail2ban.sql
3. Fail2sql
Copy the fail2sql folder into /usr/local/.
Edit $home and $link in the fail2sql file and make it executable (chmod +x):
$home = "/usr/local/fail2sql"; // path to fail2sql directory
$link = mysqli_connect('127.0.0.1', 'fail2ban', 'PASSWORD', 'fail2ban'); // host, username, password, database
4. Fail2ban
Configure fail2ban to execute fail2sql when banning:
Append the fail2sql command to the actionban statement in, for example, /etc/fail2ban/action.d/iptables.conf. The added line must be indented so that fail2ban reads it as a continuation of actionban:
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
            /usr/local/fail2sql/fail2sql <name> <protocol> <port> <ip>
Update the GeoIP database:
./fail2sql -u
Restart fail2ban
service fail2ban restart
Check the fail2sql output
./fail2sql -l
This should result in something like this:
ssh(22/tcp): 219.157.252.43 | Count: 1 | Geo: Zhengzhou, China
ssh(22/tcp): 66.102.69.199 | Count: 1 | Geo: Kingston, Canada
ssh(22/tcp): 118.31.77.6 | Count: 1 | Geo: Hangzhou, China
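The listing above can be condensed into ban totals per service and per country. The following is an added example, not part of Ban Hammer: summarize_bans and sample_bans are hypothetical names, the line format is assumed to match the sample output shown here, and the last two sample lines are constructed.

```sh
#!/bin/sh
# Added example: summarize `fail2sql -l` output per service and per country.
# Assumed line format (taken from the sample output on this page):
#   service(port/proto): ip | Count: n | Geo: City, Country

summarize_bans() {
    awk -F' [|] ' '
    {
        # Reject anything that does not have the three expected fields.
        if (NF != 3 ||
            $1 !~ /^[^ (]+\([^)]+\): [0-9A-Fa-f.:]+$/ ||
            $2 !~ /^Count: [0-9]+$/ ||
            $3 !~ /^Geo: /) {
            bad++
            next
        }
        svc = $1; sub(/: .*/, "", svc)          # "ssh(22/tcp)"
        n = $2;   sub(/^Count: /, "", n)        # ban count for this IP
        country = $3
        sub(/^Geo: /, "", country)
        sub(/^.*, /, "", country)               # keep text after the last ", "
        by_svc[svc] += n
        by_country[country] += n
    }
    END {
        for (s in by_svc)     printf "service %s %d\n", s, by_svc[s]
        for (c in by_country) printf "country %s %d\n", c, by_country[c]
        printf "malformed %d\n", bad + 0
    }' | LC_ALL=C sort
}

# Sample input: first three lines are from this page, last two are constructed.
sample_bans() {
    cat <<'EOF'
ssh(22/tcp): 219.157.252.43 | Count: 1 | Geo: Zhengzhou, China
ssh(22/tcp): 66.102.69.199 | Count: 1 | Geo: Kingston, Canada
ssh(22/tcp): 118.31.77.6 | Count: 1 | Geo: Hangzhou, China
http(80/tcp): 203.0.113.7 | Count: 4 | Geo: Example City, Exampleland
this is not a ban record
EOF
}

# Real use: /usr/local/fail2sql/fail2sql -l | summarize_bans
sample_bans | summarize_bans
```

A non-zero malformed count means the listing contains lines that do not match the expected format and should be inspected by hand.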
5. Check the information
On a marker, open the More info link. This should confirm the attack in the Security Rating section.
fail2gmap: Display locations of IP addresses banned using fail2ban on a Google map
References
This is an adaptation of Ban Hammer by RobinC., compatible with PHP 7.2.