nginx-proxy-manager-zh/docker/rootfs/fail2ban/action.d/opnsense.conf

92 lines
2.6 KiB
Plaintext
Raw Normal View History

## Version 2023/02/16
#
# Fail2Ban action configuration for OPNsense
# Author: https://linuxserver.io/
#
# Please ensure jail.local permission are secure (640) as it contains your OPNsense API key
#
# OPNsense API Key/Secret guide: https://docs.opnsense.org/development/how-tos/api.html
#
# This action maintains an OPNsense HOST group alias.
#
# Configure OPNsense with:
# A correctly named empty HOST group alias.
# An associated firewall rule.
#
# In most instances the OPNsense rule will likely take the form of a INBOUND WAN DROP but specifics are left to user discretion.
#
# WARNING: This action allows connections to default OPNsense installs deployed with self signed TLS certificates.
# If required disable this by setting `allow_insecure = false` in your `jail.local`
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
#actionstart =
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
#actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
#actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = curl <_allow_insecure> -s -u "<key>":"<secret>" -H "Content-Type: application/json" -d '{"address":"<ip>"}' https://<firewall>/api/firewall/alias_util/add/<alias>
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban = curl <_allow_insecure> -s -u "<key>":"<secret>" -H "Content-Type: application/json" -d '{"address":"<ip>"}' https://<firewall>/api/firewall/alias_util/delete/<alias>
# Internal variable handler for `allow_insecure`
_allow_insecure = $(if [ '<allow_insecure>' = true ]; then echo ' -k '; else echo ''; fi;)
[Init]
# Option: alias
# Notes.: The OPNsense host group name to add the Fail2ban IP to.
# Values: [ STRING ]
#
alias =
# Option: firewall
# Notes.: Your OPNsense IP or DNS name.
# Values: [ STRING ]
#
firewall =
# Option: key
# Notes.: Your OPNsense user key.
# Values: [ STRING ]
#
key =
# Option: secret
# Notes.: Your OPNsense user secret.
# Values: [ STRING ]
#
secret =
# Option: allow_insecure
# Notes.: Allow connections to default OPNsense installs deployed with self signed TLS certificates.
# Values: [ BOOLEAN ]
#
allow_insecure = true