LogBus as a fail2ban replacement

Ever wish you could take your logs, slice them like a chef, and use them to firewall off internet goblins automatically?

Let me introduce you to one of my favorite parts of LogBus: the fail2ban plugin. It's like duct-taping iptables, ipset, and intelligent pattern recognition onto your log stream, except instead of regex soup and cron jobs, it's clean, structured, and fast.

TL;DR - Automatic Blacklisting, Powered by Logs

With just a few lines of logic in the fail2ban plugin, I can:

• Detect brute-force SSH attacks, sketchy .env crawlers, or broken SMTP EHLOs
• Count repeated failures over time (per IP + service)
• Auto-ban with ipset when a threshold is crossed

No need for Fail2Ban daemons, custom log regexes, or a thousand jail.conf files.

How It Works: A Quick Peek

At the core is a function called failed(event) which inspects logs to figure out:

• Which service was targeted (SSH, web, mail, firewall)
• Who's the perp? (by IP)
• How many times has this IP failed?
• Is it time to ban them yet?

Here's a taste:

if (event.process === 'sshd') {
  match = event.message.match(/invalid user (?<user>\S+) (?<ip>\S+) port (?<port>\d+)/ui)
  if (match) {
    const {user, ip, port} = match.groups
    this.set(event, 'client.ip', ip)
    key = `ssh~${ip}`
    limit = 1
  }
}

That logic maps log lines to failure keys like ssh~1.2.3.4. It also tags metadata onto the event for later use. Other examples from the plugin:

• iptables probing = iptables~<ip> with a limit of 10
• Web traffic scanning for .env or bad status codes? → web~<ip>
• Mail relays with invalid EHLOs? → mail~<ip>

When the threshold is crossed, this ban logic runs - simple, fast, and it logs the action for visibility.

this.ipset(['add', '-!', `blacklist-${service}`, ip], ...)

The Blacklist Keys: Service-Based Granularity

By structuring keys like web~<ip> or ssh~<ip>, I can:

• Create per-service ipsets (e.g., blacklist-web, blacklist-ssh)
• Track failure behavior per service, not just globally
• Avoid banning SMTP clients for web traffic or vice versa

The plugin holds a short-lived memory of recent failures in this.config.failures, keyed by that service~ip string. This allows me to run LogBus continuously over system logs and let the plugin take care of:

• Tracking thresholds
• Applying the bans
• Logging what happened
• Tagging banned events

Web Traffic Gotchas

LogBus isn't just sniffing firewall logs and auth attempts. It even watches web traffic:

if (path.endsWith('.env') || path.includes('\\x')) {
  key = `web~${event.client.ip}`
  limit = 1
} else if (status >= 400 && status < 500) {
  key = `web~${event.client.ip}`
  limit = 5
}

This catches bad behavior like:

• Requests to sensitive files (.env, /.git, etc.)
• Obfuscated payloads
• High volumes of 4xx status codes

Because who really needs 27 "GET /wp-login.php" attempts in a row from a Ukrainian IP at 3am?

Bonus: Mail Filtering, Too

The plugin even catches garbage SMTP handshakes so I can ban misconfigured relays & password brute-forcers without touching Postfix configs.

match = event.message.match(/(smtp.invalid-ehlo|smtp.auth-not-allowed).* remoteip = (?<ip>[0-9.]+)/ui)

Final Thoughts

This fail2ban plugin is one of many tools in LogBus that lets me turn logs into real-time action. Instead of just archiving logs for postmortem, I'm using them to:

• Actively defend infrastructure
• Annotate malicious behavior
• Maintain clean iptables/ipset state automatically

Like any good Swiss Army knife, LogBus has a blade for every situation - and this one slices deep.