Updated correct fail2ban for permanent and persistent bans from https://wp.me/p5Ub2q-7w because WordPress.com comments suck for code snippets.
[Definition]

# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
#         Creates the jail's chain, hooks it into <chain>, then re-inserts
#         every address previously recorded for this jail in
#         /etc/fail2ban/persistent.bans so bans survive a restart.
#         Continuation lines of a multi-line value must be indented.
# Values: CMD
#
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              awk '/^fail2ban-<name>/ {print $2}' /etc/fail2ban/persistent.bans \
              | while read IP; do iptables -I fail2ban-<name> 1 -s $IP -j <blocktype>; done

# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban.
#         Only the live iptables rules are torn down; persistent.bans is kept
#         so the addresses are restored by the next actionstart.
# Values: CMD
#
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
             iptables -F fail2ban-<name>
             iptables -X fail2ban-<name>

# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck = iptables -n -L <chain> | grep -q 'fail2ban-<name>[ \t]'

# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
#         command is executed with Fail2Ban user rights.
#         Inserts the rule and appends "<chain> <ip>" to persistent.bans
#         unless grep already finds that string in the file.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
            if ! grep -q "fail2ban-<name> <ip>" /etc/fail2ban/persistent.bans; then echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans; fi
jirislav commented Oct 16, 2018

Please note that grep will interpret the dots in the IP as "any character", so it is possible that some IP addresses won't be stored.

Let's consider that persistent.bans already contains:

fail2ban-permanent-ban 111.222.333.444

And now you have a new match for IP 1.1.222.3.3. The grep will "succeed" in finding this pattern, but the IP address is not inside the file. This sensitivity is called true-negative.

As a result, the IP 1.1.222.3.3 will not be stored in the file and the ban will not be restored after a machine restart.

The same applies not only to grep interpreting dots, but also to it not matching up to the end of the line.

Let's suppose you have fixed the problem described above and have escaped all the dots in the IP address so that grep doesn't interpret them. The grep would still "succeed" in finding 111.222.333.44 and 111.222.333.4, so you also have to include the end-of-line match character, so that it becomes:

actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
            if ! grep -q "^fail2ban-<name> $(echo '<ip>' | sed 's/\./\\./g')$" /etc/fail2ban/persistent.bans; then
              echo "fail2ban-<name> <ip>" >> /etc/fail2ban/persistent.bans
            fi
shanept commented Jan 22, 2019

The issue as mentioned by jirislav can be circumvented by adding the 'fixed strings' parameter for grep:

grep -Fq ...
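As an added example (not part of the gist or of either comment), the following POSIX sh script exercises the persistent.bans bookkeeping from the action above against a constructed file. It reproduces the wildcard-dot skip jirislav describes, shows that the `-F` suggested above still misses an address that is a prefix of a stored one, and uses `-Fx` (fixed string, whole line) for an exact, idempotent record. It also mirrors the actionstart restore loop, once with the gist's `/^fail2ban-<name>/` prefix filter and once with an exact chain-name comparison. The chain names, addresses and temporary file path are assumptions for the demo; nothing here calls iptables.

```shell
#!/bin/sh
# Added example, not part of the gist: exercises the persistent.bans bookkeeping
# against a constructed file. Chain names, addresses and the file path are
# assumptions for the demo; no iptables command is run.

# Stand-in for /etc/fail2ban/persistent.bans (assumed demo path).
BANS="${TMPDIR:-/tmp}/persistent.bans.demo.$$"

# Constructed sample file: one "<chain> <ip>" line per ban, as actionban writes it.
reset_bans() {
    cat > "$BANS" <<'EOF'
fail2ban-sshd 111.222.33.44
fail2ban-sshd 10.0.0.11
fail2ban-sshd-ddos 10.0.0.3
fail2ban-apache 10.0.0.2
EOF
}

# As in the gist: unanchored basic-regex grep, so every '.' in the address
# matches any character and "1.1.222.33" is "found" in "111.222.33.44".
record_ban_original() {  # $1 = chain, $2 = ip
    if ! grep -q "$1 $2" "$BANS"; then echo "$1 $2" >> "$BANS"; fi
}

# With -F the address is a fixed string, but it is still a substring match,
# so "10.0.0.1" is "found" inside "10.0.0.11".
record_ban_fixed_string() {
    if ! grep -Fq "$1 $2" "$BANS"; then echo "$1 $2" >> "$BANS"; fi
}

# -F plus -x: the whole line must equal "<chain> <ip>". No regex, no prefix
# matches, and repeated calls do not duplicate the entry.
record_ban_exact() {
    if ! grep -Fxq "$1 $2" "$BANS"; then echo "$1 $2" >> "$BANS"; fi
}

# Same selection as the gist's actionstart, /^fail2ban-<name>/: a prefix match,
# so restoring fail2ban-sshd also pulls in fail2ban-sshd-ddos entries.
# Prints the addresses that would be re-inserted instead of calling iptables.
restore_ips_prefix() {  # $1 = chain
    awk -v chain="$1" 'index($1, chain) == 1 {print $2}' "$BANS"
}

# Exact comparison of the first field against the chain name.
restore_ips() {  # $1 = chain
    awk -v chain="$1" '$1 == chain {print $2}' "$BANS"
}

count_lines() { wc -l < "$BANS" | tr -d ' '; }

# Walk through the three variants and print the file after each step.
demo() {
    reset_bans
    echo "start: $(count_lines) lines"
    record_ban_original fail2ban-sshd 1.1.222.33
    echo "original grep, 1.1.222.33: $(count_lines) lines (skipped: dots matched 111.222.33.44)"
    record_ban_fixed_string fail2ban-sshd 1.1.222.33
    echo "grep -F, 1.1.222.33: $(count_lines) lines (stored)"
    record_ban_fixed_string fail2ban-sshd 10.0.0.1
    echo "grep -F, 10.0.0.1: $(count_lines) lines (skipped: prefix of 10.0.0.11)"
    record_ban_exact fail2ban-sshd 10.0.0.1
    echo "grep -Fx, 10.0.0.1: $(count_lines) lines (stored)"
    echo "restore fail2ban-sshd by prefix:"; restore_ips_prefix fail2ban-sshd
    echo "restore fail2ban-sshd exactly:";   restore_ips fail2ban-sshd
    rm -f "$BANS"
}

# Usage: sh persistent_bans_demo.sh demo
if [ "${1:-}" = demo ]; then demo; fi
```

The `-Fx` form is the one to carry back into the action: with fail2ban's `<ip>` tag it reads `grep -Fxq "fail2ban-<name> <ip>" /etc/fail2ban/persistent.bans`, which needs no escaping of the address and no `^`/`$` anchors. For the restore loop, comparing `$1` to the chain name exactly avoids re-inserting another jail's addresses when two jail names share a prefix.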

David-Frick commented Apr 23, 2019

Can someone point me to where the log files of banned IP addresses are stored? I want to see if any have been banned, as I still seem to have a lot of failed login attempts from IPs in far-away places.

braselectron commented Jun 12, 2019

@David-Frick if you are using Raspbian (i.e. Linux) and have configured your system with fail2ban, it should be stored under /var/log.

Check the /etc/fail2ban/fail2ban.conf it has a line with the path like this: logtarget = /var/log/fail2ban.log
