fail2forward

playbooks/fail2ban-ingress/fail2forward.j2

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -euo pipefail
+case "$SSH_ORIGINAL_COMMAND" in
+  "ban "*)
+    ip="${SSH_ORIGINAL_COMMAND#ban }"
+    [[ "$ip" =~ ^[0-9.]+$|^[0-9a-fA-F:]+$ ]] || { echo "bad ip"; exit 1; }
+    exec fail2ban-client set sshd banip "$ip"
+    ;;
+  "unban "*)
+    ip="${SSH_ORIGINAL_COMMAND#unban }"
+    [[ "$ip" =~ ^[0-9.]+$|^[0-9a-fA-F:]+$ ]] || { echo "bad ip"; exit 1; }
+    exec fail2ban-client set sshd unbanip "$ip"
+    ;;
+  *)
+    echo "denied" >&2; exit 1
+    ;;
+esac