Fail2Ban action for ban IPs for a long time. Banned ips register in /etc/fail2ban/ip.blocklist. and re-populate iptables after fail2ban/system restart. I recommend to use this action in new filters as addition to the existing filters against brute force.
- fail2ban v. 0.8.x/0.9.x
-
Put iptables-repeater.conf to /etc/fail2ban/action.d/ directory.
-
Add new filter in /etc/fail2ban/jail.conf or /etc/fail2ban/jail.local like below
[<filter_name>]
enabled = true
port = <port>
logpath = <log_path>
action = iptables-repeater[name=<name_in_chain>, port="<port>", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
filter = <filter_name>
maxretry = <maxretry>
findtime = <findtime>
bantime = <bantime>Example:
[sshd-repeater]
enabled = true
port = 1234
logpath = %(sshd_log)s
action = iptables-repeater[name=sshd, port="1234", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
filter = sshd
maxretry = 13
findtime = 31536000
bantime = 31536000- Restart Fail2ban.
For check filter activity (new filter must be in jails list)
fail2ban-client statusFor view info about filter
fail2ban-client status <filter_name>Example:
fail2ban-client status sshd-repeaterFor unban certain IP
fail2ban-client set <filter_name> unbanip <IP>Example:
fail2ban-client set sshd-repeater unbanip 123.123.123.123Unbanned IP automatically deleted from ip.blocklist..
- 23.07.2017 - 1.1.0 - Bug fixes. Added multiport support and action for legacy versions (0.8.x).
- 06.07.2017 - 1.0.0 - Released