Hi all,
Sharing a plugin I've been building —
ProBAN (Progressive Ban).
Instead of fixed-tier, fail2ban-style blocking, ProBAN
grows an attacker's ban the more they knock and
decays it while they're quiet. A drive-by scanner earns a 30-second timeout; a relentless one digs itself into a ban measured in days, then months — no tiers to tune.
Banned IPs can be silently
dropped, funneled into a zero-window
tarpit that burns their time and sockets (it never reads their input — zero parser attack surface), or redirected to a
honeypot on ports you choose. All live under Reporting → ProBAN:
(https://raw.githubusercontent.com/Freeflite/PROBan/main/docs/images/settings.png)
A few things I cared about:
- IPv6 at full parity — with evidence-based /64 aggregation: ban /128s, escalate to the whole /64 only after N distinct offenders, so a shared-hosting /64 keeps its innocent neighbours.
- VPN-friendly — UDP tunnels (WireGuard/IPsec) are invisible to it, and a "protected ports" setting keeps OpenVPN-over-TCP and other inbound services from being mistaken for attacks.
- Safe by design — the tarpit target is reflection-locked to private/LAN/VPN addresses and tamper-checked every run, so it can't be aimed at a victim.
- Built the proper OPNsense way — settings in a model XML (config.xml), a configd/rc.d service, config.json from a template, firewall rules owned by a plugins.inc.d hook.
Status:
v0.1.0-rc.1, validated live on OPNsense 26.1 / PHP 8.3. It's a release candidate — testers, review, and honest feedback all very welcome.
Plugin: github.com/Freeflite/PROBan (https://github.com/Freeflite/PROBan)
Tarpit companion (Rust): github.com/Freeflite/TinyPit (https://github.com/Freeflite/TinyPit)
Thanks for taking a look!