
I have set up the fail2ban service on CentOS 8 following this tutorial: https://www.cyberciti.biz/faq/how-to-protect-ssh-with-fail2ban-on-centos-8/.

I have set up the settings similarly to the tutorial above, like this:

[DEFAULT]
# Ban IP/hosts for 24 hour ( 24h*3600s = 86400s):
bantime = 86400
 
# An ip address/host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 1200
maxretry = 3
 
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator. For example, add your 
# static IP address that you always use for login such as 103.1.2.3
#ignoreip = 127.0.0.1/8 ::1 103.1.2.3
 
# Call iptables to ban IP address
banaction = iptables-multiport
 
# Enable sshd protection
[sshd]
enabled = true

I would like an IP to be banned permanently after it has been banned 3 times temporarily. How do I do that?

2 Answers


  1. Persistent banning is not advisable – it simply unnecessarily overloads your net-filter subsystem (as well as fail2ban)… It is enough to have a long ban.

    If you use v0.11, you can use the bantime increment feature; your config may look like the one in this answer: https://github.com/fail2ban/fail2ban/discussions/2952#discussioncomment-414693

    [sshd]
    # initial ban time:
    bantime = 1h
    # incremental banning:
    bantime.increment = true
    # default factor (causes increment - 1h -> 1d 2d 4d 8d 16d 32d ...):
    bantime.factor = 24
    # max banning time = 5 week:
    bantime.maxtime = 5w
    

    But note that if this feature is enabled, it also affects maxretry, so the 2nd and following bans of IPs already known as bad occur much earlier than after 3 attempts (it'd be halved each time).

  2. You can use the [recidive] jail with bantime = -1 for a permanent ban. Example jail.local:

    # Jail for more extended banning of persistent abusers
    # !!! WARNINGS !!!
    # 1. Make sure that your loglevel specified in fail2ban.conf/.local
    #    is not at DEBUG level -- which might then cause fail2ban to fall into
    #    an infinite loop constantly feeding itself with non-informative lines
    # 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
    #    to maintain entries for failed logins for sufficient amount of time
    [recidive]
    enabled = true
    logpath = /var/log/fail2ban.log
    banaction = %(banaction_allports)s
    bantime = -1        ; permanent
    findtime = 86400    ; 1 day
    maxretry = 6
    

    General note:
    Use SSH key auth and set "AllowGroups" or "AllowUsers" in sshd_config. Most SSH login attempts will stop after a few tries. I also notice on my servers that it gets less and less after months or years.

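To make concrete what the [recidive] jail in the answer above actually does, here is an added example that is not from the page or from the fail2ban project: it reimplements the jail's counting logic in Python over a few constructed fail2ban.log lines. It keeps only NOTICE "Ban" lines from jails other than recidive itself (so the jail cannot feed on its own bans, and DEBUG output is ignored), counts them per IP inside a sliding findtime window, and reports the IPs that reach maxretry. The log layout, the regex, the timestamps and the IP addresses are assumptions modelled on fail2ban's default log format; the real filter is filter.d/recidive.conf.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of fail2ban.log lines (not a real capture). The layout
# mirrors fail2ban's default "<date> <time>,<ms> <logger> [<pid>]: <LEVEL> [<jail>] <msg>".
SAMPLE_LOG = """\
2021-03-01 00:00:05,001 fail2ban.actions        [1201]: NOTICE  [sshd] Ban 198.51.100.7
2021-03-01 01:10:05,002 fail2ban.actions        [1201]: NOTICE  [sshd] Unban 198.51.100.7
2021-03-01 02:00:05,003 fail2ban.actions        [1201]: NOTICE  [sshd] Ban 198.51.100.7
2021-03-01 03:00:05,004 fail2ban.filter         [1201]: DEBUG   [sshd] Ban 203.0.113.9
2021-03-01 05:00:05,005 fail2ban.actions        [1201]: NOTICE  [sshd] Ban 198.51.100.7
2021-03-01 08:00:05,006 fail2ban.actions        [1201]: NOTICE  [sshd] Ban 203.0.113.9
2021-03-01 10:00:05,007 fail2ban.actions        [1201]: NOTICE  [sshd] Ban 198.51.100.7
2021-03-01 14:00:05,008 fail2ban.actions        [1201]: NOTICE  [sshd] Ban 198.51.100.7
2021-03-01 20:00:05,009 fail2ban.actions        [1201]: NOTICE  [sshd] Ban 198.51.100.7
2021-03-01 20:00:06,010 fail2ban.actions        [1201]: NOTICE  [recidive] Ban 198.51.100.7
2021-03-03 09:00:05,011 fail2ban.actions        [1201]: NOTICE  [sshd] Ban 203.0.113.9
"""

# Hypothetical regex approximating the recidive failregex: only NOTICE-level
# "Ban <ip>" lines count, so DEBUG chatter never matches.
BAN_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) \S+\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$"
)


def parse_ban_events(log_text, self_jail="recidive"):
    """Yield (timestamp, ip) for every NOTICE 'Ban' line from a jail other
    than self_jail. Skipping the jail's own bans is what prevents recidive
    from re-triggering on the lines it writes itself."""
    for line in log_text.splitlines():
        m = BAN_LINE.match(line)
        if not m or m.group("jail") == self_jail:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        yield ts, m.group("ip")


def recidive_hits(log_text, findtime=86400, maxretry=6):
    """Return {ip: trigger_timestamp} for IPs banned by other jails at least
    `maxretry` times within any `findtime`-second window (defaults match the
    jail.local in the answer: findtime = 1 day, maxretry = 6)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> ban timestamps still inside the window
    triggered = {}
    for ts, ip in parse_ban_events(log_text):
        if ip in triggered:
            continue  # bantime = -1: once banned permanently, nothing more to do
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop bans older than findtime
        if len(q) >= maxretry:
            triggered[ip] = ts
    return triggered


if __name__ == "__main__":
    for ip, when in recidive_hits(SAMPLE_LOG).items():
        print(f"recidive would ban {ip} permanently at {when}")
```

With the sample above, 198.51.100.7 collects six sshd bans within 20 hours and is reported at the sixth one, while 203.0.113.9 never qualifies: its DEBUG line is not a real ban, and its two NOTICE bans are more than a day apart, so the first has left the findtime window by the time the second arrives.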