Kaspars: 1 revision imported

2026-04-16T08:41:33Z

1 revision imported

← Older revision		Revision as of 10:41, 16 April 2026
(No difference)

Kaspars: Jauna lapa:

= Configure permanent bans = ---- This is the easiest part. Ban time can be set either globally (ie: for al...

2018-09-20T06:19:38Z

Jauna lapa: <div class="mw-parser-output"> </div> <div class="mw-parser-output"> = Configure permanent bans = ---- This is the easiest part. Ban time can be set either globally (ie: for al...

New page

<div class="mw-parser-output"> </div> <div class="mw-parser-output">
= Configure permanent bans =

----

This is the easiest part. Ban time can be set either globally (ie: for all jails), or per jail. It is controlled through the ‘bantime‘ parameter which defines the number of seconds an IP is banned.

To set a permanent ban, simply set the bantime parameter to a value of -1. Edit the jail.conf file, comment out the existing ‘bantime’ line, and set a new bantime to -1 :

 
<div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code># "bantime" is the number of seconds that a host is banned.</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code># bantime  = 600</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"> </div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code># Permanent ban</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>bantime = -1</code></div>
 

= Configure persistent bans =

----

In order for bans to persist across a service restart, they obviously have to be saved somewhere. No fancy database required, a simple text file will do the trick.

The principle is simple: every time Fail2Ban sets a new ban on an IP, we’ll save the information « jail name and IP address » in a file along the way. Next, upon each Fail2Ban service start, we’ll load this file a re-create the corresponding bans. All it takes is two lines in the right configuration file.

Each ban action is defined in a corresponding configuration file. Within this file, there’s two parameters we’re interested in:

#actionstart : here we can define a list of commands that will be executed only once at the start of Fail2Ban. So we’ll add a custom command loading the file /etc/fail2ban/persistent.bans and re-create the corresponding iptables entries.
#actionban : here we can defined a list of commands that will be executed when banning an IP. So we’ll add a custom command to save the useful information to the file /etc/fail2ban/persistent.bans.

The default action in Fail2Ban is iptables-multiport (as defined in the file jail.conf), so we have to edit the action.d/iptables-multiport.conffile and add the following highlighted lines:

 
<div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>[Definition]</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"> </div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code># Option:  actionstart</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code># Notes.:  command executed once at the start of Fail2Ban.</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code># Values:  CMD</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>#</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>actionstart = iptables -N fail2ban-<name></code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>              </code><code>iptables -A fail2ban-<name> -j RETURN</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>              </code><code>iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name></code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>          </code><code><span style="background-color:#FFFF00;">cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}' \</span></code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code><span style="background-color:#FFFF00;">          </span></code><code><span style="background-color:#FFFF00;">| while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done</span></code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"> </div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code># Option:  actionstop</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code># Notes.:  command executed once at the end of Fail2Ban</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code># Values:  CMD</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>#</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name></code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>             </code><code>iptables -F fail2ban-<name></code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>             </code><code>iptables -X fail2ban-<name></code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"> </div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code># Option:  actioncheck</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code># Notes.:  command executed once before each actionban command</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code># Values:  CMD</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>#</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"> </div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code># Option:  actionban</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code># Notes.:  command executed when banning an IP. Take care that the</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>#          command is executed with Fail2Ban user rights.</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code># Tags:    See jail.conf(5) man page</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code># Values:  CMD</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>#</code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype></code></div> <div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>        </code><code><span style="background-color:#FFFF00;">echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans</span></code></div>
 

Once done, it is required to restart Fail2Ban in order for those change to be applied.

 
<div style="background:#eee;border:1px solid #ccc;padding:5px 10px;"><code>service fail2ban restart</code></div>
 
</div>

Ubuntu/Configure Fail2Ban for permanent and persistent bans - Revision history

Kaspars: 1 revision imported

Kaspars: Jauna lapa: = Configure permanent bans = ---- This is the easiest part. Ban time can be set either globally (ie: for al...

Kaspars: Jauna lapa:

= Configure permanent bans = ---- This is the easiest part. Ban time can be set either globally (ie: for al...