#!/bin/bash
set -euo pipefail
case "$SSH_ORIGINAL_COMMAND" in
  "ban "*)
    ip="${SSH_ORIGINAL_COMMAND#ban }"
    [[ "$ip" =~ ^[0-9.]+$|^[0-9a-fA-F:]+$ ]] || { echo "bad ip"; exit 1; }
    exec fail2ban-client set sshd banip "$ip"
    ;;
  "unban "*)
    ip="${SSH_ORIGINAL_COMMAND#unban }"
    [[ "$ip" =~ ^[0-9.]+$|^[0-9a-fA-F:]+$ ]] || { echo "bad ip"; exit 1; }
    exec fail2ban-client set sshd unbanip "$ip"
    ;;
  *)
    echo "denied" >&2; exit 1
    ;;
esac