First steps to implement a advanced-actions function to block recurring offenders before fail2ban

2026-04-11 13:47:05 +02:00 · 2025-11-18 15:02:50 +01:00
parent aa28738d43
commit 2fcc30b1b6
15 changed files with 1391 additions and 114 deletions
--- a/internal/config/settings.go
+++ b/internal/config/settings.go
@@ -49,13 +49,14 @@ type SMTPSettings struct {

 // AppSettings holds the main UI settings and Fail2ban configuration
 type AppSettings struct {
-	Language       string       `json:"language"`
-	Port           int          `json:"port"`
-	Debug          bool         `json:"debug"`
-	RestartNeeded  bool         `json:"restartNeeded"`
-	AlertCountries []string     `json:"alertCountries"`
-	SMTP           SMTPSettings `json:"smtp"`
-	CallbackURL    string       `json:"callbackUrl"`
+	Language        string                `json:"language"`
+	Port            int                   `json:"port"`
+	Debug           bool                  `json:"debug"`
+	RestartNeeded   bool                  `json:"restartNeeded"`
+	AlertCountries  []string              `json:"alertCountries"`
+	SMTP            SMTPSettings          `json:"smtp"`
+	CallbackURL     string                `json:"callbackUrl"`
+	AdvancedActions AdvancedActionsConfig `json:"advancedActions"`

 	Servers []Fail2banServer `json:"servers"`

@@ -69,6 +70,56 @@ type AppSettings struct {
 	//Sender           string `json:"sender"`
 }

+type AdvancedActionsConfig struct {
+	Enabled     bool                        `json:"enabled"`
+	Threshold   int                         `json:"threshold"`
+	Integration string                      `json:"integration"`
+	Mikrotik    MikrotikIntegrationSettings `json:"mikrotik"`
+	PfSense     PfSenseIntegrationSettings  `json:"pfSense"`
+}
+
+type MikrotikIntegrationSettings struct {
+	Host        string `json:"host"`
+	Port        int    `json:"port"`
+	Username    string `json:"username"`
+	Password    string `json:"password"`
+	SSHKeyPath  string `json:"sshKeyPath"`
+	AddressList string `json:"addressList"`
+}
+
+type PfSenseIntegrationSettings struct {
+	BaseURL       string `json:"baseUrl"`
+	APIToken      string `json:"apiToken"`
+	APISecret     string `json:"apiSecret"`
+	Alias         string `json:"alias"`
+	SkipTLSVerify bool   `json:"skipTLSVerify"`
+}
+
+func defaultAdvancedActionsConfig() AdvancedActionsConfig {
+	return AdvancedActionsConfig{
+		Enabled:     false,
+		Threshold:   5,
+		Integration: "",
+		Mikrotik: MikrotikIntegrationSettings{
+			Port:        22,
+			AddressList: "fail2ban-permanent",
+		},
+	}
+}
+
+func normalizeAdvancedActionsConfig(cfg AdvancedActionsConfig) AdvancedActionsConfig {
+	if cfg.Threshold <= 0 {
+		cfg.Threshold = 5
+	}
+	if cfg.Mikrotik.Port <= 0 {
+		cfg.Mikrotik.Port = 22
+	}
+	if cfg.Mikrotik.AddressList == "" {
+		cfg.Mikrotik.AddressList = "fail2ban-permanent"
+	}
+	return cfg
+}
+
 // init paths to key-files
 const (
 	settingsFile              = "fail2ban-ui-settings.json" // this file is created, relatively to where the app was started
@@ -301,6 +352,12 @@ func applyAppSettingsRecordLocked(rec storage.AppSettingsRecord) {
 			currentSettings.AlertCountries = countries
 		}
 	}
+	if rec.AdvancedActionsJSON != "" {
+		var adv AdvancedActionsConfig
+		if err := json.Unmarshal([]byte(rec.AdvancedActionsJSON), &adv); err == nil {
+			currentSettings.AdvancedActions = adv
+		}
+	}
 }

 func applyServerRecordsLocked(records []storage.ServerRecord) {
@@ -346,25 +403,31 @@ func toAppSettingsRecordLocked() (storage.AppSettingsRecord, error) {
 		return storage.AppSettingsRecord{}, err
 	}

+	advancedBytes, err := json.Marshal(currentSettings.AdvancedActions)
+	if err != nil {
+		return storage.AppSettingsRecord{}, err
+	}
+
 	return storage.AppSettingsRecord{
-		Language:           currentSettings.Language,
-		Port:               currentSettings.Port,
-		Debug:              currentSettings.Debug,
-		CallbackURL:        currentSettings.CallbackURL,
-		RestartNeeded:      currentSettings.RestartNeeded,
-		AlertCountriesJSON: string(countryBytes),
-		SMTPHost:           currentSettings.SMTP.Host,
-		SMTPPort:           currentSettings.SMTP.Port,
-		SMTPUsername:       currentSettings.SMTP.Username,
-		SMTPPassword:       currentSettings.SMTP.Password,
-		SMTPFrom:           currentSettings.SMTP.From,
-		SMTPUseTLS:         currentSettings.SMTP.UseTLS,
-		BantimeIncrement:   currentSettings.BantimeIncrement,
-		IgnoreIP:           currentSettings.IgnoreIP,
-		Bantime:            currentSettings.Bantime,
-		Findtime:           currentSettings.Findtime,
-		MaxRetry:           currentSettings.Maxretry,
-		DestEmail:          currentSettings.Destemail,
+		Language:            currentSettings.Language,
+		Port:                currentSettings.Port,
+		Debug:               currentSettings.Debug,
+		CallbackURL:         currentSettings.CallbackURL,
+		RestartNeeded:       currentSettings.RestartNeeded,
+		AlertCountriesJSON:  string(countryBytes),
+		SMTPHost:            currentSettings.SMTP.Host,
+		SMTPPort:            currentSettings.SMTP.Port,
+		SMTPUsername:        currentSettings.SMTP.Username,
+		SMTPPassword:        currentSettings.SMTP.Password,
+		SMTPFrom:            currentSettings.SMTP.From,
+		SMTPUseTLS:          currentSettings.SMTP.UseTLS,
+		BantimeIncrement:    currentSettings.BantimeIncrement,
+		IgnoreIP:            currentSettings.IgnoreIP,
+		Bantime:             currentSettings.Bantime,
+		Findtime:            currentSettings.Findtime,
+		MaxRetry:            currentSettings.Maxretry,
+		DestEmail:           currentSettings.Destemail,
+		AdvancedActionsJSON: string(advancedBytes),
 	}, nil
 }

@@ -465,6 +528,11 @@ func setDefaultsLocked() {
 		currentSettings.IgnoreIP = "127.0.0.1/8 ::1"
 	}

+	if (currentSettings.AdvancedActions == AdvancedActionsConfig{}) {
+		currentSettings.AdvancedActions = defaultAdvancedActionsConfig()
+	}
+	currentSettings.AdvancedActions = normalizeAdvancedActionsConfig(currentSettings.AdvancedActions)
+
 	normalizeServersLocked()
 }