How to automatically permanently ban IP addresses?












3














Currently I have been using iptables on a new Debian server running Asterisk.



Every day I have been checking auth.log for IP addresses and manually doing iptables -A INPUT -s IPA.DRE.SS.0/24 -j DROP



I was initially doing just IP addresses but many hits were coming from similar IP addresses so /24 has been working better, I have used /16 a couple of times.



Already I have hundreds of iptables entries and this is getting out of control! I know there must be an easier way to do this.



fail2ban has been recommended to me but it seems it blocks IPs only temporarily after a certain # of attempts.



The two main intrusion attempts I see are using false usernames and random ports.



Is it possible to, if an attempt is made to login with any username I am not currently using, to automatically permanently block the IP address? Same with ports that are not in use?



I also see a lot like this:



Did not receive identification string from (malicious IP) port 48334


I'd like to ban those IPs too.



I won't automatically block incorrect login attempts as if I fat-finger the password that could lock me out. But perhaps a permanent ban on an IP after 3 attempts will suffice.



Can I do this with iptables? I haven't found anything regarding "permanent bans" that work like this, it seems it just works more in the moment.



I'd more or less like to accomplish what I've been doing manually; permanently blocking IP ranges after a single wrong username login, a single wrong port connection, or 3 incorrect login attempts (with correct username). I'm hoping this will prevent auth.log from getting spammed.










share|improve this question









New contributor




InterLinked is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • check out honeyd.org/configuration.php ..... maybe the solution is to use a "tarpit" .... the undesirable connection is not refused, but becomes very, very, very slow and in the end does not lead anywhere
    – jsotola
    Dec 30 '18 at 0:57












  • @Christopher Only a small number of IP addresses are going to be connecting to my machine (hundreds maximum). It's a private Asterisk VoIP server.
    – InterLinked
    Dec 30 '18 at 1:15










  • @Christopher The only caveat is I don't know the IPs and some are changing constantly. Numerically the amount of possible connections is relatively small but I can't do a block-first approach sadly
    – InterLinked
    Dec 30 '18 at 1:39
















3














Currently I have been using iptables on a new Debian server running Asterisk.



Every day I have been checking auth.log for IP addresses and manually doing iptables -A INPUT -s IPA.DRE.SS.0/24 -j DROP



I was initially doing just IP addresses but many hits were coming from similar IP addresses so /24 has been working better, I have used /16 a couple of times.



Already I have hundreds of iptables entries and this is getting out of control! I know there must be an easier way to do this.



fail2ban has been recommended to me but it seems it blocks IPs only temporarily after a certain # of attempts.



The two main intrusion attempts I see are using false usernames and random ports.



Is it possible to, if an attempt is made to login with any username I am not currently using, to automatically permanently block the IP address? Same with ports that are not in use?



I also see a lot like this:



Did not receive identification string from (malicious IP) port 48334


I'd like to ban those IPs too.



I won't automatically block incorrect login attempts as if I fat-finger the password that could lock me out. But perhaps a permanent ban on an IP after 3 attempts will suffice.



Can I do this with iptables? I haven't found anything regarding "permanent bans" that work like this, it seems it just works more in the moment.



I'd more or less like to accomplish what I've been doing manually; permanently blocking IP ranges after a single wrong username login, a single wrong port connection, or 3 incorrect login attempts (with correct username). I'm hoping this will prevent auth.log from getting spammed.










share|improve this question









New contributor




InterLinked is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • check out honeyd.org/configuration.php ..... maybe the solution is to use a "tarpit" .... the undesirable connection is not refused, but becomes very, very, very slow and in the end does not lead anywhere
    – jsotola
    Dec 30 '18 at 0:57












  • @Christopher Only a small number of IP addresses are going to be connecting to my machine (hundreds maximum). It's a private Asterisk VoIP server.
    – InterLinked
    Dec 30 '18 at 1:15










  • @Christopher The only caveat is I don't know the IPs and some are changing constantly. Numerically the amount of possible connections is relatively small but I can't do a block-first approach sadly
    – InterLinked
    Dec 30 '18 at 1:39














3












3








3


1





Currently I have been using iptables on a new Debian server running Asterisk.



Every day I have been checking auth.log for IP addresses and manually doing iptables -A INPUT -s IPA.DRE.SS.0/24 -j DROP



I was initially doing just IP addresses but many hits were coming from similar IP addresses so /24 has been working better, I have used /16 a couple of times.



Already I have hundreds of iptables entries and this is getting out of control! I know there must be an easier way to do this.



fail2ban has been recommended to me but it seems it blocks IPs only temporarily after a certain # of attempts.



The two main intrusion attempts I see are using false usernames and random ports.



Is it possible to, if an attempt is made to login with any username I am not currently using, to automatically permanently block the IP address? Same with ports that are not in use?



I also see a lot like this:



Did not receive identification string from (malicious IP) port 48334


I'd like to ban those IPs too.



I won't automatically block incorrect login attempts as if I fat-finger the password that could lock me out. But perhaps a permanent ban on an IP after 3 attempts will suffice.



Can I do this with iptables? I haven't found anything regarding "permanent bans" that work like this, it seems it just works more in the moment.



I'd more or less like to accomplish what I've been doing manually; permanently blocking IP ranges after a single wrong username login, a single wrong port connection, or 3 incorrect login attempts (with correct username). I'm hoping this will prevent auth.log from getting spammed.










share|improve this question









New contributor




InterLinked is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











Currently I have been using iptables on a new Debian server running Asterisk.



Every day I have been checking auth.log for IP addresses and manually doing iptables -A INPUT -s IPA.DRE.SS.0/24 -j DROP



I was initially doing just IP addresses but many hits were coming from similar IP addresses so /24 has been working better, I have used /16 a couple of times.



Already I have hundreds of iptables entries and this is getting out of control! I know there must be an easier way to do this.



fail2ban has been recommended to me but it seems it blocks IPs only temporarily after a certain # of attempts.



The two main intrusion attempts I see are using false usernames and random ports.



Is it possible to, if an attempt is made to login with any username I am not currently using, to automatically permanently block the IP address? Same with ports that are not in use?



I also see a lot like this:



Did not receive identification string from (malicious IP) port 48334


I'd like to ban those IPs too.



I won't automatically block incorrect login attempts as if I fat-finger the password that could lock me out. But perhaps a permanent ban on an IP after 3 attempts will suffice.



Can I do this with iptables? I haven't found anything regarding "permanent bans" that work like this, it seems it just works more in the moment.



I'd more or less like to accomplish what I've been doing manually; permanently blocking IP ranges after a single wrong username login, a single wrong port connection, or 3 incorrect login attempts (with correct username). I'm hoping this will prevent auth.log from getting spammed.







debian iptables fail2ban ip-address






share|improve this question









New contributor




InterLinked is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




InterLinked is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited Dec 30 '18 at 1:07









Jeff Schaller

38.8k1053125




38.8k1053125






New contributor




InterLinked is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked Dec 30 '18 at 0:45









InterLinked

1184




1184




New contributor




InterLinked is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





InterLinked is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






InterLinked is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












  • check out honeyd.org/configuration.php ..... maybe the solution is to use a "tarpit" .... the undesirable connection is not refused, but becomes very, very, very slow and in the end does not lead anywhere
    – jsotola
    Dec 30 '18 at 0:57












  • @Christopher Only a small number of IP addresses are going to be connecting to my machine (hundreds maximum). It's a private Asterisk VoIP server.
    – InterLinked
    Dec 30 '18 at 1:15










  • @Christopher The only caveat is I don't know the IPs and some are changing constantly. Numerically the amount of possible connections is relatively small but I can't do a block-first approach sadly
    – InterLinked
    Dec 30 '18 at 1:39


















  • check out honeyd.org/configuration.php ..... maybe the solution is to use a "tarpit" .... the undesirable connection is not refused, but becomes very, very, very slow and in the end does not lead anywhere
    – jsotola
    Dec 30 '18 at 0:57












  • @Christopher Only a small number of IP addresses are going to be connecting to my machine (hundreds maximum). It's a private Asterisk VoIP server.
    – InterLinked
    Dec 30 '18 at 1:15










  • @Christopher The only caveat is I don't know the IPs and some are changing constantly. Numerically the amount of possible connections is relatively small but I can't do a block-first approach sadly
    – InterLinked
    Dec 30 '18 at 1:39
















check out honeyd.org/configuration.php ..... maybe the solution is to use a "tarpit" .... the undesirable connection is not refused, but becomes very, very, very slow and in the end does not lead anywhere
– jsotola
Dec 30 '18 at 0:57






check out honeyd.org/configuration.php ..... maybe the solution is to use a "tarpit" .... the undesirable connection is not refused, but becomes very, very, very slow and in the end does not lead anywhere
– jsotola
Dec 30 '18 at 0:57














@Christopher Only a small number of IP addresses are going to be connecting to my machine (hundreds maximum). It's a private Asterisk VoIP server.
– InterLinked
Dec 30 '18 at 1:15




@Christopher Only a small number of IP addresses are going to be connecting to my machine (hundreds maximum). It's a private Asterisk VoIP server.
– InterLinked
Dec 30 '18 at 1:15












@Christopher The only caveat is I don't know the IPs and some are changing constantly. Numerically the amount of possible connections is relatively small but I can't do a block-first approach sadly
– InterLinked
Dec 30 '18 at 1:39




@Christopher The only caveat is I don't know the IPs and some are changing constantly. Numerically the amount of possible connections is relatively small but I can't do a block-first approach sadly
– InterLinked
Dec 30 '18 at 1:39










1 Answer
1






active

oldest

votes


















8














fail2ban can be configured for permanent bans by setting bantine to -1



In jail.conf



bantime = -1 


These will be lost on a reboot, but that's not necessarily a bad thing because so many attempts will be transient from pwned home machines in a botnet...



If you want persistence, then https://arno0x0x.wordpress.com/2015/12/30/fail2ban-permanent-persistent-bans/ may give some guidance.



Essentially modifying the fail2ban config to create a persistent configuration file of all the banned IPs, and have iptables load this list on reboot...



So if you check your default jail.conf you may find the default action is iptables-multiport. This corresponds to the configuration file /etc/fail2ban/ction.d/iptables-multiport.conf



We can add the following entries:



[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}'
| while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ t]'

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans


Now, when fail2ban flags an entry it will add a line to /etc/fail2ban/persistent.bans (via the actionban configuration). When fail2ban starts up it calls actionstart which reads this file and builds the iptables rules necessary.



Of course, fail2ban needs restarting after any of the configuration files are changed.



All credit to "arno0x0x" and his wordpress site for this recipe.






share|improve this answer























  • Could the settings be saved, much like iptables-save, and restored on reboot somewhat like iptables-restore?
    – InterLinked
    Dec 30 '18 at 1:14






  • 1




    This gets more complicated and involves modifying the fail2ban config to create a persistent configuration file of all the banned IPs, and have iptables load this list on reboot..... arno0x0x.wordpress.com/2015/12/30/… explains the details. I'm loathe to cut'n'paste that information because it'd be plagarism, and I've not tested it myself.
    – Stephen Harris
    Dec 30 '18 at 1:18












  • @StephenHarris Thanks, could you add that to your answer?
    – InterLinked
    Dec 30 '18 at 1:55










  • @Christopher OK, I've added the rules and an explanation.
    – Stephen Harris
    Dec 30 '18 at 2:15











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});






InterLinked is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f491533%2fhow-to-automatically-permanently-ban-ip-addresses%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









8














fail2ban can be configured for permanent bans by setting bantine to -1



In jail.conf



bantime = -1 


These will be lost on a reboot, but that's not necessarily a bad thing because so many attempts will be transient from pwned home machines in a botnet...



If you want persistence, then https://arno0x0x.wordpress.com/2015/12/30/fail2ban-permanent-persistent-bans/ may give some guidance.



Essentially modifying the fail2ban config to create a persistent configuration file of all the banned IPs, and have iptables load this list on reboot...



So if you check your default jail.conf you may find the default action is iptables-multiport. This corresponds to the configuration file /etc/fail2ban/ction.d/iptables-multiport.conf



We can add the following entries:



[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}'
| while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ t]'

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans


Now, when fail2ban flags an entry it will add a line to /etc/fail2ban/persistent.bans (via the actionban configuration). When fail2ban starts up it calls actionstart which reads this file and builds the iptables rules necessary.



Of course, fail2ban needs restarting after any of the configuration files are changed.



All credit to "arno0x0x" and his wordpress site for this recipe.






share|improve this answer























  • Could the settings be saved, much like iptables-save, and restored on reboot somewhat like iptables-restore?
    – InterLinked
    Dec 30 '18 at 1:14






  • 1




    This gets more complicated and involves modifying the fail2ban config to create a persistent configuration file of all the banned IPs, and have iptables load this list on reboot..... arno0x0x.wordpress.com/2015/12/30/… explains the details. I'm loathe to cut'n'paste that information because it'd be plagarism, and I've not tested it myself.
    – Stephen Harris
    Dec 30 '18 at 1:18












  • @StephenHarris Thanks, could you add that to your answer?
    – InterLinked
    Dec 30 '18 at 1:55










  • @Christopher OK, I've added the rules and an explanation.
    – Stephen Harris
    Dec 30 '18 at 2:15
















8














fail2ban can be configured for permanent bans by setting bantine to -1



In jail.conf



bantime = -1 


These will be lost on a reboot, but that's not necessarily a bad thing because so many attempts will be transient from pwned home machines in a botnet...



If you want persistence, then https://arno0x0x.wordpress.com/2015/12/30/fail2ban-permanent-persistent-bans/ may give some guidance.



Essentially modifying the fail2ban config to create a persistent configuration file of all the banned IPs, and have iptables load this list on reboot...



So if you check your default jail.conf you may find the default action is iptables-multiport. This corresponds to the configuration file /etc/fail2ban/ction.d/iptables-multiport.conf



We can add the following entries:



[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}'
| while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ t]'

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans


Now, when fail2ban flags an entry it will add a line to /etc/fail2ban/persistent.bans (via the actionban configuration). When fail2ban starts up it calls actionstart which reads this file and builds the iptables rules necessary.



Of course, fail2ban needs restarting after any of the configuration files are changed.



All credit to "arno0x0x" and his wordpress site for this recipe.






share|improve this answer























  • Could the settings be saved, much like iptables-save, and restored on reboot somewhat like iptables-restore?
    – InterLinked
    Dec 30 '18 at 1:14






  • 1




    This gets more complicated and involves modifying the fail2ban config to create a persistent configuration file of all the banned IPs, and have iptables load this list on reboot..... arno0x0x.wordpress.com/2015/12/30/… explains the details. I'm loathe to cut'n'paste that information because it'd be plagarism, and I've not tested it myself.
    – Stephen Harris
    Dec 30 '18 at 1:18












  • @StephenHarris Thanks, could you add that to your answer?
    – InterLinked
    Dec 30 '18 at 1:55










  • @Christopher OK, I've added the rules and an explanation.
    – Stephen Harris
    Dec 30 '18 at 2:15














8












8








8






fail2ban can be configured for permanent bans by setting bantine to -1



In jail.conf



bantime = -1 


These will be lost on a reboot, but that's not necessarily a bad thing because so many attempts will be transient from pwned home machines in a botnet...



If you want persistence, then https://arno0x0x.wordpress.com/2015/12/30/fail2ban-permanent-persistent-bans/ may give some guidance.



Essentially modifying the fail2ban config to create a persistent configuration file of all the banned IPs, and have iptables load this list on reboot...



So if you check your default jail.conf you may find the default action is iptables-multiport. This corresponds to the configuration file /etc/fail2ban/ction.d/iptables-multiport.conf



We can add the following entries:



[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}'
| while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ t]'

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans


Now, when fail2ban flags an entry it will add a line to /etc/fail2ban/persistent.bans (via the actionban configuration). When fail2ban starts up it calls actionstart which reads this file and builds the iptables rules necessary.



Of course, fail2ban needs restarting after any of the configuration files are changed.



All credit to "arno0x0x" and his wordpress site for this recipe.






share|improve this answer














fail2ban can be configured for permanent bans by setting bantine to -1



In jail.conf



bantime = -1 


These will be lost on a reboot, but that's not necessarily a bad thing because so many attempts will be transient from pwned home machines in a botnet...



If you want persistence, then https://arno0x0x.wordpress.com/2015/12/30/fail2ban-permanent-persistent-bans/ may give some guidance.



Essentially modifying the fail2ban config to create a persistent configuration file of all the banned IPs, and have iptables load this list on reboot...



So if you check your default jail.conf you may find the default action is iptables-multiport. This corresponds to the configuration file /etc/fail2ban/ction.d/iptables-multiport.conf



We can add the following entries:



[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
iptables -A fail2ban-<name> -j RETURN
iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
cat /etc/fail2ban/persistent.bans | awk '/^fail2ban-<name>/ {print $2}'
| while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
iptables -F fail2ban-<name>
iptables -X fail2ban-<name>

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ t]'

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans


Now, when fail2ban flags an entry it will add a line to /etc/fail2ban/persistent.bans (via the actionban configuration). When fail2ban starts up it calls actionstart which reads this file and builds the iptables rules necessary.



Of course, fail2ban needs restarting after any of the configuration files are changed.



All credit to "arno0x0x" and his wordpress site for this recipe.







share|improve this answer














share|improve this answer



share|improve this answer








edited Dec 30 '18 at 2:14

























answered Dec 30 '18 at 0:53









Stephen Harris

25.1k24477




25.1k24477












  • Could the settings be saved, much like iptables-save, and restored on reboot somewhat like iptables-restore?
    – InterLinked
    Dec 30 '18 at 1:14






  • 1




    This gets more complicated and involves modifying the fail2ban config to create a persistent configuration file of all the banned IPs, and have iptables load this list on reboot..... arno0x0x.wordpress.com/2015/12/30/… explains the details. I'm loathe to cut'n'paste that information because it'd be plagarism, and I've not tested it myself.
    – Stephen Harris
    Dec 30 '18 at 1:18












  • @StephenHarris Thanks, could you add that to your answer?
    – InterLinked
    Dec 30 '18 at 1:55










  • @Christopher OK, I've added the rules and an explanation.
    – Stephen Harris
    Dec 30 '18 at 2:15


















  • Could the settings be saved, much like iptables-save, and restored on reboot somewhat like iptables-restore?
    – InterLinked
    Dec 30 '18 at 1:14






  • 1




    This gets more complicated and involves modifying the fail2ban config to create a persistent configuration file of all the banned IPs, and have iptables load this list on reboot..... arno0x0x.wordpress.com/2015/12/30/… explains the details. I'm loathe to cut'n'paste that information because it'd be plagarism, and I've not tested it myself.
    – Stephen Harris
    Dec 30 '18 at 1:18












  • @StephenHarris Thanks, could you add that to your answer?
    – InterLinked
    Dec 30 '18 at 1:55










  • @Christopher OK, I've added the rules and an explanation.
    – Stephen Harris
    Dec 30 '18 at 2:15
















Could the settings be saved, much like iptables-save, and restored on reboot somewhat like iptables-restore?
– InterLinked
Dec 30 '18 at 1:14




Could the settings be saved, much like iptables-save, and restored on reboot somewhat like iptables-restore?
– InterLinked
Dec 30 '18 at 1:14




1




1




This gets more complicated and involves modifying the fail2ban config to create a persistent configuration file of all the banned IPs, and have iptables load this list on reboot..... arno0x0x.wordpress.com/2015/12/30/… explains the details. I'm loathe to cut'n'paste that information because it'd be plagarism, and I've not tested it myself.
– Stephen Harris
Dec 30 '18 at 1:18






This gets more complicated and involves modifying the fail2ban config to create a persistent configuration file of all the banned IPs, and have iptables load this list on reboot..... arno0x0x.wordpress.com/2015/12/30/… explains the details. I'm loathe to cut'n'paste that information because it'd be plagarism, and I've not tested it myself.
– Stephen Harris
Dec 30 '18 at 1:18














@StephenHarris Thanks, could you add that to your answer?
– InterLinked
Dec 30 '18 at 1:55




@StephenHarris Thanks, could you add that to your answer?
– InterLinked
Dec 30 '18 at 1:55












@Christopher OK, I've added the rules and an explanation.
– Stephen Harris
Dec 30 '18 at 2:15




@Christopher OK, I've added the rules and an explanation.
– Stephen Harris
Dec 30 '18 at 2:15










InterLinked is a new contributor. Be nice, and check out our Code of Conduct.










draft saved

draft discarded


















InterLinked is a new contributor. Be nice, and check out our Code of Conduct.













InterLinked is a new contributor. Be nice, and check out our Code of Conduct.












InterLinked is a new contributor. Be nice, and check out our Code of Conduct.
















Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f491533%2fhow-to-automatically-permanently-ban-ip-addresses%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

"Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

Alcedinidae

Origin of the phrase “under your belt”?