CODEWITHSUNDEEP
centoscustomizationfail2ban
MarekChr
MarekChr

Reputation: 1160

fail2ban - how to ban ip permanently after it was baned 3 times temporarily

Have set up fail2ban service on CentOS 8 by this tutorial: https://www.cyberciti.biz/faq/how-to-protect-ssh-with-fail2ban-on-centos-8/.

I have set up settings similiarly according to tutorial above like this:

[DEFAULT]
# Ban IP/hosts for 24 hour ( 24h*3600s = 86400s):
bantime = 86400
 
# An ip address/host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 1200
maxretry = 3
 
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator. For example, add your 
# static IP address that you always use for login such as 103.1.2.3
#ignoreip = 127.0.0.1/8 ::1 103.1.2.3
 
# Call iptables to ban IP address
banaction = iptables-multiport
 
# Enable sshd protection
[sshd]
enabled = true

I would like an ip to be baned permanently after it was baned 3 times temporarily. How to do that?

Upvotes: 4

Views: 29824

Answers (2)

boldsuck
boldsuck

Reputation: 61

You can use jail [recidive] with bantime = -1 for permanent ban. Example jail.local:

# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
#    is not at DEBUG level -- which might then cause fail2ban to fall into
#    an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
#    to maintain entries for failed logins for sufficient amount of time
[recidive]
enabled = true
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = -1        ; permanent
findtime = 86400    ; 1 day
maxretry = 6

General note: Use SSH key auth and set "AllowGroups" or "AllowUsers" in sshd_config. Most SSH login attempts will stop after a few tries. I also notice on my servers that it is getting less and less after months or years.

Upvotes: 6

sebres
sebres

Reputation: 820

A persistent banning is not advisable - it simply unnecessarily overloads your net-filter subsystem (as well as fail2ban)... It is enough to have a long ban.

If you use v.0.11, you can use bantime increment feature, your config may looks like in this answer - https://github.com/fail2ban/fail2ban/discussions/2952#discussioncomment-414693

[sshd]
# initial ban time:
bantime = 1h
# incremental banning:
bantime.increment = true
# default factor (causes increment - 1h -> 1d 2d 4d 8d 16d 32d ...):
bantime.factor = 24
# max banning time = 5 week:
bantime.maxtime = 5w

But note if this feature is enabled, it would also affect maxretry, so 2nd and following bans from known as bad IPs occur much earlier than after 3 attempts (it'd be halved each time).

Upvotes: 14

Related Questions