Displays locations of IP addresses banned using fail2ban on a Google map.

1. Download Ban Hammer

Clone the repository to a directory of your choosing

git clone https://git.demonlabs.be/ghoul/banhammer

2. Prepare the web scripts

Copy content of www folder into your webroot

Get a Google Maps API key and add it to index.html.

<script type="text/javascript" src="https://maps.googleapis.com/maps/api/js?key=ENTER_YOUR_GOOGLEMAPS_API_KEY_HERE"></script>

Create a mysql database and edit debinfo.php accordingly

<?php
$db_host = '127.0.0.1';
$db_user = 'fail2ban';
$db_pwd = 'PASSWORD';

$database = 'fail2ban';
$table = 'fail2ban';
?>

Import the database structure file fail2ban.sql into this database:

mysql -u fail2ban -p fail2ban < fail2ban.sql

3. Fail2sql

Copy the fail2sql folder into /usr/local/

Edit $home and $link in the fail2sql file and chmod +x it

$home = "/usr/local/fail2sql"; // path to fail2sql directory
$link = mysqli_connect('127.0.0.1', 'fail2ban', 'PASSWORD', 'fail2ban') // host, username, password, databse

4. Fail2ban

Configure fail2ban to execute fail2sql when banning:

Append the fail2sql command to the actionban statement in e.g. /etc/fail2ban/action.d/iptables.conf like this:

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
            /usr/local/fail2sql/fail2sql <name> <protocol> <port> <ip>

Update the geoip database

./fail2sql -u

Restart fail2ban

service fail2ban restart

Check the fail2sql output

./fail2sql -l

This should result in something like this:

ssh(22/tcp): 219.157.252.43 | Count: 1 | Geo: Zhengzhou, China
ssh(22/tcp): 66.102.69.199 | Count: 1 | Geo: Kingston, Canada
ssh(22/tcp): 118.31.77.6 | Count: 1 | Geo: Hangzhou, China

5. Check the information

On a marker, open the More info link. This should confirm the attack in the Security Rating section.

fail2gmap: Display locations of IP addresses banned using fail2ban on a Google map

References

This is an adaptation of Ban Hammer by RobinC., compatible with php7.2