To use vallumd, you need an MQTT broker, like Mosquitto. Depending on your setup, you can run it on the same host that runs vallumd, but that’s no requirement. The next thing you need is an IPset. To give you full control over the type of IPset and its options, vallumd will not create the IPset itself. You can choose between these IPset types:
IPset creation example: ipset create blacklist hash:ip timeout 3600
Starting vallumd: vallumd -h 192.168.0.1 -t blacklist
This will listen for messages on the MQTT broker at 192.168.0.1, in the blacklist topic, and when a message is received, the IP address in the message will be added to or remove from the IPset named blacklist. So now we have everything in place to start adding IPs to the blacklist. All we have to do is configure our IDS, IPS or Honeypot to send malicious IP addresses to our MQTT broker. For fail2ban, this could be done with the Mosquitto client mosquitto_pub. Create a new action in /etc/fail2ban/action.d/vallumd.conf:
actionban = mosquitto_pub -h 192.168.0.1 -q 2 -t blacklist/add -m <ip>actionunban = mosquitto_pub -h 192.168.0.1 -q 2 -t blacklist/del -m <ip>
And configure your fail2ban jails to use the vallumd action.