[RFE]: expose "Found <IP>" via API #3548

pbiering opened this issue Aug 5, 2023 · 2 comments

@pbiering

pbiering commented Aug 5, 2023

I want to improve https://github.com/WKnak/fail2ban-block-ip-range which currently screens the last 1000 log lines of fail2ban output for "Found" entries and acts on them. This is somewhat inefficient when done every 5 minutes via cron or systemd timer.

I've checked the content of fail2ban's SQLite database and only found information on banned IPs inside.

I assume the list of "Found " is only stored in memory, so is it possible to expose this via the client somehow, like

fail2ban-client get <JAIL> foundip [<SEP>|--with-time]

similar to the 'banip' selector?

@sebres
Contributor

sebres commented Aug 7, 2023

Just by the way, maybe this RFE will also be interesting here - #2304 (especially see #2304 (comment))

This is somewhat inefficient when done every 5 minutes via cron or systemd timer.

Why cron? Fail2ban has the recidive jail (however rudimentary it is, but anyway), whose filter currently monitors fail2ban.log for bans to find recidivists, but one can rewrite its failregex to consider Found instead of Ban.

@pbiering
Author

Why cron? Fail2ban has the recidive jail (however rudimentary it is, but anyway), whose filter currently monitors fail2ban.log for bans to find recidivists, but one can rewrite its failregex to consider Found instead of Ban.

https://github.com/WKnak/fail2ban-block-ip-range supports (dynamic) aggregation of found IPs into networks up to /24. The "recidive" jail only supports blocking of one particular IP.

Since I've introduced this in addition to watching the postfix/postscreen jails, it has reduced traffic on the related ports and also the number of postfix log lines a lot.
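The two ideas discussed in this thread, matching "Found" lines from fail2ban.log instead of "Ban" lines (sebres' suggestion) and aggregating the found addresses into /24 networks (what fail2ban-block-ip-range does), can be put together in a few lines. The following is an added example written for this page; it is not code from fail2ban or from fail2ban-block-ip-range. The log lines are constructed samples in the style of fail2ban.log using RFC 5737 documentation addresses, and the threshold of three distinct hosts per /24 is an assumption chosen for the example, not a value from the project.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the style of fail2ban.log (not taken from the
# issue). The "Ban" line is included to show that it is deliberately ignored.
SAMPLE_LOG = """\
2023-08-05 10:00:01,001 fail2ban.filter         [1234]: INFO    [postfix] Found 192.0.2.10 - 2023-08-05 10:00:00
2023-08-05 10:00:05,002 fail2ban.filter         [1234]: INFO    [postfix] Found 192.0.2.11 - 2023-08-05 10:00:04
2023-08-05 10:00:09,003 fail2ban.filter         [1234]: INFO    [postfix] Found 192.0.2.12 - 2023-08-05 10:00:08
2023-08-05 10:00:12,004 fail2ban.actions        [1234]: NOTICE  [postfix] Ban 192.0.2.10
2023-08-05 10:00:20,005 fail2ban.filter         [1234]: INFO    [sshd] Found 198.51.100.7 - 2023-08-05 10:00:19
2023-08-05 10:00:30,006 fail2ban.filter         [1234]: INFO    [sshd] Found 198.51.100.7 - 2023-08-05 10:00:29
"""

# Pattern for "Found" lines only, in the spirit of a recidive failregex that
# considers Found instead of Ban. Jail name and address are captured.
FOUND_RE = re.compile(
    r"^\S+ \S+ fail2ban\.filter\s+\[\d+\]: INFO\s+\[(?P<jail>[^\]]+)\] "
    r"Found (?P<ip>\S+)"
)


def parse_found(log_text):
    """Yield (jail, ip_address) for every Found line in log_text.

    Lines that are not Found lines (e.g. Ban lines) and lines whose
    address does not parse are skipped rather than raising.
    """
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address in the log: ignore it
        yield m.group("jail"), ip


def aggregate_by_prefix(found, prefixlen=24, min_distinct=3):
    """Group distinct IPv4 addresses per jail and per /prefixlen network.

    Returns {(jail, "a.b.c.0/24"): [sorted distinct IPs]} for every network
    that reached at least min_distinct distinct hosts; smaller groups are
    dropped so a single repeat offender does not get its whole /24 listed.
    """
    buckets = defaultdict(set)
    for jail, ip in found:
        if ip.version != 4:
            continue  # this example aggregates IPv4 only
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        buckets[(jail, str(net))].add(ip)
    return {
        key: sorted(str(a) for a in ips)
        for key, ips in buckets.items()
        if len(ips) >= min_distinct
    }


if __name__ == "__main__":
    for (jail, net), ips in aggregate_by_prefix(parse_found(SAMPLE_LOG)).items():
        print(f"[{jail}] {net}: {len(ips)} distinct hosts found: {', '.join(ips)}")
```

On the sample input only the postfix /24 reaches the threshold (three distinct hosts), while the sshd address that was found twice stays below it, which is the distinction a network-level block wants to make before widening a ban from one host to a whole prefix.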
