Ubuntu/Configure Fail2Ban for permanent and persistent bans: Difference between revisions
Latest revision as of 10:41, 16 April 2026
Configure permanent bans
This is the easiest part. Ban time can be set either globally (i.e. for all jails) or per jail. It is controlled through the bantime parameter, which defines the number of seconds an IP stays banned.
To make bans permanent, set bantime to -1. Edit the jail configuration (preferably in a jail.local override rather than jail.conf itself, since jail.conf is replaced when the package is upgraded), comment out the existing bantime line and add a new one set to -1:
# "bantime" is the number of seconds that a host is banned.
# bantime = 600
# Permanent ban
bantime = -1
Configure persistent bans
For bans to survive a service restart they obviously have to be saved somewhere. No database is required; a plain text file does the job. (Fail2Ban 0.9 and later ships its own SQLite database, dbfile in fail2ban.conf, and restores current bans from it on restart; the text-file approach below is for older releases, or for setups where that database is disabled.)
The principle is simple: every time Fail2Ban bans an IP, we append the pair « jail name, IP address » to a file. On each Fail2Ban start we read that file back and re-create the corresponding bans. All it takes is a few lines in the right configuration file.
Each ban action is defined in a corresponding configuration file under action.d/. Within this file, there are two parameters we are interested in:
- actionstart : the list of commands executed once when Fail2Ban starts the jail. Here we add a command that reads /etc/fail2ban/persistent.bans and re-creates the corresponding iptables entries.
- actionban : the list of commands executed when an IP is banned. Here we add a command that appends the jail name and IP to /etc/fail2ban/persistent.bans.
The default ban action is iptables-multiport (banaction in jail.conf), so we edit action.d/iptables-multiport.conf. The last three lines of actionstart and the last line of actionban below are the additions; everything else is the stock file. If you would rather not modify the shipped file, copy it to a new name under action.d/ and point banaction at that copy instead. Two details matter in the added lines: the chain name is compared exactly (a prefix match such as /^fail2ban-ssh/ would also load the entries of a jail named sshd into the ssh chain), and an IP is only appended if it is not already in the file, so repeated bans of the same host do not make the file grow.
[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
#          The last three lines re-create the bans saved in
#          /etc/fail2ban/persistent.bans by actionban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              touch /etc/fail2ban/persistent.bans
              awk '$1 == "fail2ban-<name>" {print $2}' /etc/fail2ban/persistent.bans \
              | while read IP; do iptables -I fail2ban-<name> 1 -s "$IP" -j <blocktype>; done

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
#          The last line records the ban (once per jail/IP pair).
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
            grep -qxF "fail2ban-<name> <ip>" /etc/fail2ban/persistent.bans || echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans
Once done, restart Fail2Ban for the changes to take effect. On restart, actionstop flushes the chains and actionstart rebuilds them from the file, so the bans come back:
service fail2ban restart
Note that nothing ever removes an entry from persistent.bans. With bantime = -1 Fail2Ban never unbans on its own, but if you release an IP by hand (fail2ban-client set <jail> unbanip <ip>), delete its line from the file as well, otherwise the ban is re-created at the next restart.
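The save-and-restore logic behind the actionban and actionstart additions, as an added example that is not code from the original page or from Fail2Ban itself. It works against a temporary file standing in for /etc/fail2ban/persistent.bans and prints the iptables commands the restore step would run instead of executing them, so it needs neither root nor netfilter. The jail names, the TEST-NET addresses and the REJECT target are constructed for the demonstration; the third function reproduces the prefix-match pattern from the page only to show what it would load by mistake.

```shell
#!/bin/sh
# Added example (not from the original page or from Fail2Ban): exercises the
# save/restore logic of the persistent-bans action lines against a temporary
# file. Jail names, IPs (TEST-NET ranges) and the REJECT target are constructed.

BANS_FILE="$(mktemp)"                 # stand-in for /etc/fail2ban/persistent.bans
trap 'rm -f "$BANS_FILE"' EXIT

# save_ban JAIL IP: what the added actionban line does, idempotently.
# -x matches the whole line and -F takes the pattern literally (so the dots
# in an IP are not regex wildcards); a repeated ban is not appended twice.
save_ban() {
    grep -qxF "fail2ban-$1 $2" "$BANS_FILE" ||
        echo "fail2ban-$1 $2" >> "$BANS_FILE"
}

# restore_bans JAIL: what the added actionstart lines do at service start,
# selecting this jail's entries with an exact match on the chain name and
# printing (rather than running) the iptables command for each saved IP.
restore_bans() {
    awk -v chain="fail2ban-$1" '$1 == chain {print $2}' "$BANS_FILE" |
        while read -r ip; do
            echo "iptables -I fail2ban-$1 1 -s $ip -j REJECT"
        done
}

# restore_bans_prefix JAIL: the /^fail2ban-<name>/ pattern from the page.
# It is a prefix match, so for jail "ssh" it also returns "sshd" entries.
restore_bans_prefix() {
    awk -v chain="fail2ban-$1" '$0 ~ ("^" chain) {print $2}' "$BANS_FILE"
}

# entry_count: number of lines currently saved in the file.
entry_count() {
    wc -l < "$BANS_FILE" | tr -d ' '
}

# Constructed sequence of bans as Fail2Ban would trigger them.
save_ban ssh  203.0.113.10
save_ban ssh  203.0.113.10        # same IP banned again: must not duplicate
save_ban sshd 198.51.100.7        # another jail whose name starts with "ssh"
save_ban ssh  203.0.113.11

echo "entries in persistent.bans: $(entry_count)"
echo "--- rules re-created for jail ssh (exact chain match):"
restore_bans ssh
echo "--- IPs the prefix pattern would wrongly load into fail2ban-ssh:"
restore_bans_prefix ssh
```

Running it shows three saved entries, two rules rebuilt for the ssh chain, and three addresses selected by the prefix pattern, the third belonging to the sshd jail.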
