Fail2Ban: Set a permanent ban per IP

Fail2Ban is a really good piece of software that watches your logs, tells you when someone (usually a bot) is brute-forcing your server, and bans the offending IP for a while.

Let’s say that you don’t want to apply a permanent ban as a default rule (it is possible: set bantime = -1 in the jail’s section of jail.conf, or better in jail.local).
Let’s say that you see an offending IP that is continuously banned.
Let’s say that you don’t want to see it anymore!

To ban an IP permanently, a really simple way is to add the following line under the “actionstart” rule (the commands fail2ban runs when it starts or restarts a jail), after the line that creates the fail2ban-<name> chain (fail2ban expands <name> to the jail name, so leave the placeholder as it is; fail2ban 0.9 and later call the chain f2b-<name>, so use whatever chain name the rest of the file uses):

cat /etc/fail2ban/ip.blacklist | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j DROP; done

in the configuration file of the action used as the default ban action. For example, if your default ban action is “iptables-multiport” (the default one), you need to add the previous line to the actionstart rule in:

/etc/fail2ban/action.d/iptables-multiport.conf

A cleaner option is to copy the whole actionstart rule, with the extra line, into /etc/fail2ban/action.d/iptables-multiport.local: fail2ban reads a .local file after the .conf with the same name, and a package upgrade will not overwrite it. Keep in mind that the DROP rule is inserted into the jail’s own chain, which only receives traffic for the ports that jail protects, so a blacklisted IP is blocked for that jail’s ports and can still reach your other services.

After that, you need to manually add the offending IPs, one IP per line, to the file /etc/fail2ban/ip.blacklist (you need to create it the first time). Since actionstart only runs when the jail starts, restart fail2ban after every change to the file so the new entries are loaded.
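The one-liner above passes every line of the file straight to iptables, so a blank line, a comment, a Windows line ending or a typo produces an iptables error in the middle of the jail start-up. The script below is an added example, not code from the original post or from Fail2Ban itself: it does the same job as the one-liner but skips blank lines and “#” comments, strips carriage returns, rejects anything that is not an IPv4 address or CIDR range, and treats a missing blacklist as empty so the jail still starts. The install path /usr/local/sbin/f2b-blacklist.sh and the IPTABLES variable (set it to “echo” for a dry run) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Fail2Ban: a guarded
# replacement for the one-line blacklist loader, meant to be called from
# "actionstart". Assumed install path (not in the post): /usr/local/sbin/f2b-blacklist.sh.
# IPTABLES may be set to "echo" for a dry run; it defaults to the real iptables.

# valid_ipv4 ENTRY: accept a dotted-quad IPv4 address with an optional /0-32
# prefix, rejecting octets above 255. Returns 0 if valid, 1 otherwise.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    addr=${1%%/*}
    old_ifs=$IFS
    IFS=.
    set -- $addr
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# load_blacklist FILE CHAIN: insert a DROP rule at the top of CHAIN for every
# entry in FILE. Blank lines and "#" comments are skipped, CR characters are
# stripped, and malformed entries are reported on stderr instead of being
# passed to iptables. A missing FILE is not an error, so the jail still starts.
# Returns 0 when every entry was loaded, 1 if any entry was rejected or failed.
load_blacklist() {
    file=$1
    chain=$2
    rc=0
    [ -r "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "$line" | tr -d '\r' | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$entry" ] && continue
        if ! valid_ipv4 "$entry"; then
            echo "f2b-blacklist: skipping malformed entry '$entry' in $file" >&2
            rc=1
            continue
        fi
        # "-I CHAIN 1" puts the rule before the jail's own bans and its final RETURN.
        "${IPTABLES:-iptables}" -I "$chain" 1 -s "$entry" -j DROP || rc=1
    done < "$file"
    return $rc
}

# When run as a script (as fail2ban would from actionstart), take FILE and CHAIN
# from the command line; when sourced with no arguments only the functions are defined.
if [ "$#" -eq 2 ]; then
    load_blacklist "$1" "$2"
fi
```

To wire it in, replace the one-liner in the actionstart rule with an indented continuation line such as /usr/local/sbin/f2b-blacklist.sh /etc/fail2ban/ip.blacklist fail2ban-<name> (or f2b-<name> on fail2ban 0.9 and later), keeping it after the line that creates the chain. Running the script by hand with IPTABLES=echo shows exactly which rules a given blacklist would produce without touching the firewall.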

Thanks to Looke, who uses this technique but saves the offending IPs automatically (for this I prefer the bantime = -1 option).
