Permanent block of IP after n retries using fail2ban
Solution 1:
Before 0.11, there was no default feature or a setting within fail2ban to achieve this. But starting with the upcoming 0.11 release, ban time is automatically calculated and increases exponentially with each new offense which, on the long term, will mean a more or less permanent block.
Until then, your best approach is probably setting up fail2ban to monitor its own log file. It is a two step process...
Step 1
We could need to create a filter to check for BAN's in the log file (fail2ban's log file)
Step 2
We need to define the jail, similar to the following...
[fail2ban] enabled = true filter = fail2ban action = iptables-allports[name=fail2ban] logpath = /path/to/fail2ban.log # findtime: 1 day findtime = 86400 # bantime: 1 year bantime = 31536000
Technically, it is not a permanent block, but only blocks for a year (that we can increase too).
Anyway, for your question (Can this be achieved with fail2ban alone or I need to write my own script to do that?)... writing own script might work well. Setting up the script to extract the frequently banned IPs and then putting them into /etc/hosts.deny
is what I'd recommend.
Solution 2:
I believe if you put bantime = -1
in that config section, it is a permanent block.
Solution 3:
Phil Hagen wrote an excellent article on this subject. "Permanently Ban Repeat Offenders With fail2ban".
His suggestion is the same as Pothi but provides a step by step guide.
This included:
- separate ban list by jail (ip.blocklist.ssh, ip.blocklist.xxx)
- ban lists autoloaded if service restart (main advantage of this method imho)
- email notification if repeater engaged.
Solution 4:
fail2ban has already a jail to ban recidive. If you watch /etc/fail2ban/jail.conf
, you will found :
# Jail for more extended banning of persistent abusers
# !!! WARNING !!!
# Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
[recidive]
enabled = false
filter = recidive
logpath = /var/log/fail2ban.log
action = iptables-allports[name=recidive]
sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
maxretry = 5
How to add in jail.local ?
[recidive]
enabled = true
bantime = 31536000 ; 1 year
findtime = 18144000 ; 1 month
maxretry = 2
For check you loglevel you can do : fail2ban-client get loglevel
.
- set loglevel MYLEVEL : sets logging level to MYLEVEL. Levels: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG
- More command on the wiki.
With old version of fail2ban, you can get this bug.
Solution 5:
To expand on Chin's answer this is pretty simple. Just edit the 2 settings in /etc/fail2ban/jail.local
to match your preferences.
# ban time in seconds. Use -1 for forever. Example is 1 week.
bantime = 604800
# number of failures before banning
maxretry = 5