fail2ban

fail2ban is a great software that ban ips failing auth.

Permanent ban

Unfortunately it doesn't provide an official way to make a permanent ban when some ip insist to fail, even after the gracefully period. Surfing I found this solution, anyway it doesn't works because there are many errors in the configs, following you can find my fixed configurations.

/etc/fail2ban/jail.conf

APPEND AT THE VERY BOTTOM!

[repeatoffender]
enabled  = true
filter   = repeatoffender
action   = repeatoffender[name=repeatoffender]
           sendmail-whois[name=Repeat-Offender, dest=destmailforpermanentban@domain.com, sender=fail2ban@domain.com]
logpath  = /var/log/fail2ban.log
maxretry = 10
findtime = 31536000
bantime  = -1

/etc/fail2ban/action.d/repeatoffender.conf

# Fail2Ban configuration file
#
# Author: Michele Porelli
#

[INCLUDES]

before = iptables-blocktype.conf


[Init]

# Default name of the chain
#
name = repeatoffender
name_permanent = ip-blocklist

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp | icmp | all ] Default: all
#
protocol = all

# Option:  chain
# Notes    specifies the iptables chain to which the fail2ban rules should be
#          added
# Values:  STRING  Default: <chain>
chain = INPUT


[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name>
              # Establish chain and blocks for saved IPs
              iptables -N fail2ban-<name_permanent>
              iptables -A fail2ban-<name_permanent> -j RETURN
              iptables -I <chain> -p <protocol> -j fail2ban-<name_permanent>
              cat /etc/fail2ban/ip.blocklist.<name> |grep -v ^s*#|awk '{print $1}' | while read IP; do iptables -I fail2ban-<name_permanent> 1 -s $IP -j REJECT --reject-with icmp-port-unreachable; done

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = iptables -D <chain> -p <protocol> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>
             # Remove chain and blocks for saved IPs to prevent duplicates on service restart
             iptables -D <chain> -p <protocol> -j fail2ban-<name_permanent>
             iptables -F fail2ban-<name_permanent>
             iptables -X fail2ban-<name_permanent>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = iptables -n -L  | grep -q 'fail2ban-<name>'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = VERIFY="<ip>"
            ADD="<ip> # fail2ban/$( date '+%%Y-%%m-%%d %%T' ): Perma-Banned"
            FILE=/etc/fail2ban/ip.blocklist.<name>
            grep -q "$VERIFY" "$FILE" || iptables -I fail2ban-<name> 1 -s <ip> -j REJECT --reject-with icmp-port-unreachable
            grep -q "$VERIFY" "$FILE" || echo "$ADD" >> "$FILE"

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = # Do nothing because their IP is in the blocklist file

# To manually unban from the ip blocklist file run this command:
# Be warned that if the ip is in log rotated files it must be whitelisted
#
# sed -i '/^/d' /etc/fail2ban/ip.blocklist.<name>

/etc/fail2ban/filter.d/repeatoffender.conf

# Fail2Ban configuration file
#
# Author: Michele Porelli
#
# This filter monitors the fail2ban log file, and permanently
# bans the ip addresses of persistent attackers.
#
# As of this version this ban only works with iptables.
#

[Definition]
_jailname = repeatoffender
failregex = fail2ban.actions:\sWARNING\s.*\sBan <HOST>
ignoreregex = fail2ban.actions:\sWARNING\s[%(_jailname)s]\sBan <HOST>

OpenVPN

/etc/fail2ban/filter.d/openvpn.conf

[Definition]
failregex = failregex = .* ovpn-.* <HOST> Connection reset, restarting \[[0-9-]{1,2}\]
ignoreregex =

/etc/fail2ban/jail.conf

[openvpn-tcp]
enabled  = true
port     = 1194
protocol = tcp
filter   = openvpn
action   = iptables[name=%(__name__)s, port=%(port)s, protocol=%(protocol)s]
logpath  = /var/log/syslog
maxretry = 3

[openvpn-udp]
enabled  = true
port     = 1194
protocol = udp
filter   = openvpn
action   = iptables[name=%(__name__)s, port=%(port)s, protocol=%(protocol)s]
logpath  = /var/log/syslog
maxretry = 3
Navigation
Print/export
QR Code
QR Code fail2ban (generated for current page)