Permanent block of IP after n retries using fail2ban
I have a fail2ban configured like below:
- block the ip after 3 failed attempts
- release the IP after 300 sec timeout
This works perfectly and I want to keep it this way so that a valid user gets a chance to retry the login after the timeout. Now, I want to implement a rule where, if the same IP has been detected as an attacker and blocked and unblocked 5 times, the IP is permanently blocked and never unblocked again. Can this be achieved with fail2ban alone, or do I need to write my own script to do that?
I am doing this on CentOS.
Solution 1:
Before 0.11, there was no default feature or setting within fail2ban to achieve this. But starting with the upcoming 0.11 release, the ban time is automatically calculated and increases exponentially with each new offense, which, in the long term, will mean a more or less permanent block.
Until then, your best approach is probably setting up fail2ban to monitor its own log file. It is a two-step process...
Step 1
We need to create a filter that checks for Ban entries in fail2ban's own log file.
Step 2
We need to define the jail, similar to the following...
[fail2ban]
enabled = true
filter = fail2ban
action = iptables-allports[name=fail2ban]
logpath = /path/to/fail2ban.log
# findtime: 1 day
findtime = 86400
# bantime: 1 year
bantime = 31536000
Technically, it is not a permanent block, but only blocks for a year (that we can increase too).
Anyway, for your question (Can this be achieved with fail2ban alone, or do I need to write my own script to do that?)... writing your own script might work well. Setting up the script to extract the frequently banned IPs and then putting them into /etc/hosts.deny is what I'd recommend.
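The following is an added example (not code from the answer above or from the fail2ban project) that models what the two steps do together: the filter's failregex picks the Ban lines out of fail2ban's own log, and the jail counts them per IP within findtime and fires once maxretry is reached. The log lines are constructed for the example and use RFC 5737 documentation addresses; the line layout is modelled on fail2ban's `fail2ban.actions` NOTICE output, and the regex, function names and the self-exclusion of the `[fail2ban]` jail are this example's own choices. The self-exclusion matters: without it, the repeat-offender jail's own Ban lines would land in the same log and feed back into its counter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of fail2ban's own log (layout modelled on fail2ban.actions
# NOTICE lines). 192.0.2.10 is banned five times inside one day, 198.51.100.7
# twice, and 203.0.113.5 five times but spaced 25 hours apart.
SAMPLE_LOG = """\
2018-03-01 08:00:01,120 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.10
2018-03-01 08:05:01,130 fail2ban.actions        [1234]: NOTICE  [sshd] Unban 192.0.2.10
2018-03-01 08:30:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 198.51.100.7
2018-03-01 09:00:02,001 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.10
2018-03-01 10:00:03,002 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.10
2018-03-01 10:30:00,000 fail2ban.actions        [1234]: NOTICE  [postfix] Ban 198.51.100.7
2018-03-01 11:00:04,003 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.10
2018-03-01 12:00:05,004 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 192.0.2.10
2018-03-01 12:00:06,005 fail2ban.actions        [1234]: NOTICE  [fail2ban] Ban 192.0.2.10
2018-02-26 06:00:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2018-02-27 07:00:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2018-02-28 08:00:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2018-03-01 09:00:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
2018-03-02 10:00:00,000 fail2ban.actions        [1234]: NOTICE  [sshd] Ban 203.0.113.5
"""

# Equivalent of the Step 1 failregex: timestamp, originating jail, banned host.
# "Unban" lines do not match because the literal "] Ban " is required.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)


def parse_bans(log_text, self_jail="fail2ban"):
    """Return (timestamp, jail, ip) for every Ban line, skipping bans issued by
    the repeat-offender jail itself so it cannot feed on its own output."""
    events = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if not m or m.group("jail") == self_jail:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("jail"), m.group("ip")))
    return events


def repeat_offenders(log_text, maxretry=5, findtime=86400, self_jail="fail2ban"):
    """Return {ip: time the threshold was reached} for every IP banned at least
    maxretry times within a sliding window of findtime seconds, i.e. the rule
    the [fail2ban] jail applies to fail2ban.log (maxretry=5 is fail2ban's default)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)  # ip -> timestamps of bans still inside the window
    hits = {}
    for ts, _jail, ip in sorted(parse_bans(log_text, self_jail)):
        if ip in hits:
            continue  # already flagged; a long ban is in effect
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # age out bans older than findtime
            q.pop(0)
        if len(q) >= maxretry:
            hits[ip] = ts
    return hits


if __name__ == "__main__":
    for ip, when in repeat_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the repeat-offender threshold at {when}")
```

Run against the sample, only 192.0.2.10 is reported: 198.51.100.7 never reaches five bans, and 203.0.113.5 never has five bans inside any 24-hour window, which is the findtime nuance to keep in mind when choosing the jail's findtime for a "blocked 5 times" rule.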
Solution 2:
I believe if you put bantime = -1 in that config section, it is a permanent block.
Solution 3:
Phil Hagen wrote an excellent article on this subject. "Permanently Ban Repeat Offenders With fail2ban".
His suggestion is the same as Pothi's but provides a step-by-step guide.
This included:
- separate ban list per jail (ip.blocklist.ssh, ip.blocklist.xxx)
- ban lists are autoloaded on service restart (the main advantage of this method, imho)
- email notification if a repeater is engaged.