Permanent IP Block After Retries Using Fail2ban – Fail2ban Configuration Guide

fail2ban

I have fail2ban configured like below:

  • block the ip after 3 failed attempts
  • release the IP after 300 sec timeout

This works perfectly and I want to keep it this way so that a valid user gets a chance to retry the login after the timeout. Now, I want to implement a rule where, if the same IP has been detected as an attacker and blocked and unblocked 5 times, the IP is permanently blocked and never unblocked again. Can this be achieved with fail2ban alone, or do I need to write my own script to do that?

I am doing this on CentOS.

Best Answer

Before 0.11, there was no default feature or setting within fail2ban to achieve this. But starting with the upcoming 0.11 release, ban time is automatically calculated and increases exponentially with each new offense which, in the long term, will mean a more or less permanent block.

Until then, your best approach is probably setting up fail2ban to monitor its own log file. It is a two-step process...

Step 1

We need to create a filter to check for Bans in the log file (fail2ban's own log file).

Step 2

We need to define the jail, similar to the following...

[fail2ban]
enabled = true
filter = fail2ban
action = iptables-allports[name=fail2ban]
logpath = /path/to/fail2ban.log
# findtime: 1 day
findtime = 86400
# bantime: 1 year
bantime = 31536000

Technically, it is not a permanent block, but only blocks for a year (that we can increase too).

Anyway, for your question (Can this be achieved with fail2ban alone, or do I need to write my own script to do that?)... writing your own script might work well. Setting up the script to extract the frequently banned IPs and then putting them into /etc/hosts.deny is what I'd recommend.
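As an added example (not part of the answer above), here is a Python script implementing the second suggestion: scan fail2ban's own log for repeated Ban events per IP within a findtime window and emit /etc/hosts.deny entries. The log lines are constructed to match fail2ban's usual `fail2ban.actions` format, the `fail2ban` jail name is the one from the jail above, and the 5-bans-per-day threshold mirrors the question.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log line format, matching fail2ban's usual output, e.g.:
#   2024-01-15 01:00:00,000 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.5
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)

def frequent_bans(log_lines, threshold=5, findtime=86400, ignore_jails=("fail2ban",)):
    """IPs with at least `threshold` Ban events inside any `findtime`-second window.
    Unban lines never match; bans issued by the long-term jail itself are skipped
    so its own log output cannot re-trigger it."""
    bans = defaultdict(list)
    for line in log_lines:
        m = BAN_RE.match(line.strip())
        if not m or m.group("jail") in ignore_jails:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S").timestamp()
        bans[m.group("ip")].append(ts)
    offenders = set()
    for ip, times in bans.items():
        times.sort()
        start = 0  # sliding window over the sorted ban timestamps
        for end, t in enumerate(times):
            while t - times[start] > findtime:
                start += 1
            if end - start + 1 >= threshold:
                offenders.add(ip)
                break
    return offenders

def hosts_deny_lines(ips):
    """Format offenders as /etc/hosts.deny entries (TCP wrappers syntax)."""
    return ["ALL: %s" % ip for ip in sorted(ips)]

def _line(ts, jail, verb, ip):  # builds one constructed log line
    return "%s,000 fail2ban.actions [1234]: NOTICE [%s] %s %s" % (ts, jail, verb, ip)

# Constructed sample: 203.0.113.5 banned 5 times in one day (plus Unbans),
# 198.51.100.7 only 4 times, 192.0.2.9 5 times but one per day over 5 days.
SAMPLE_LOG = (
    [_line("2024-01-15 %02d:00:00" % h, "sshd", "Ban", "203.0.113.5") for h in range(1, 6)]
    + [_line("2024-01-15 %02d:05:00" % h, "sshd", "Unban", "203.0.113.5") for h in range(1, 6)]
    + [_line("2024-01-15 %02d:00:00" % h, "sshd", "Ban", "198.51.100.7") for h in range(1, 5)]
    + [_line("2024-01-15 06:00:00", "fail2ban", "Ban", "198.51.100.7")]  # self-issued, ignored
    + [_line("2024-01-%02d 00:00:00" % d, "sshd", "Ban", "192.0.2.9") for d in range(12, 17)]
)
```

Run `hosts_deny_lines(frequent_bans(open("/var/log/fail2ban.log")))` from cron to produce the entries; hosts.deny only affects TCP-wrappers-aware services, so the iptables-based jail above remains the broader block.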