Ban recurrent offenders

An idea taken from the blog of Walter Heitman Jr., in his article Fail2Ban How To: Increased Ban Times for Repeat Offenders, which makes it possible to ban repeat offenders for increasing periods.

Creation of the filter rule

The first thing to do is to write the filter rule that scans Fail2ban's own log file (which must be readable by Fail2ban) in order to find the pattern logged when an IP is banned for breaking another rule.

For example, the following IP has been banned, and the ban has been logged in /var/log/fail2ban.log:

2019-01-09 10:49:27,453 fail2ban.filter         [27657]: INFO    [sshd-extended] Found 51.xx.xx.xx
2019-01-09 10:49:27,622 fail2ban.actions        [27657]: NOTICE  [sshd-extended] Ban 51.xx.xx.xx

The pattern is \]\s+Ban\s+<HOST> (it is always the same; see the Fail2ban source code).

In the filter.d/f2b-loop.conf file, we have:

# Fail2Ban configuration file for subsequent bans
#
[INCLUDES]
before = common.conf

[Definition]
failregex = \]\s+Ban\s+<HOST>
ignoreregex = \[f2b-loop.*\]\s+Ban\s+<HOST>
#
# Author: Walter Heitman Jr.  http://blog.shanock.com

Creation of the jail rules

The second thing to do is to configure the jails: how many times (maxretry) Fail2ban must find the filter pattern in its own log within a given period (findtime) before it applies a longer ban (bantime).

In the jail.d/f2b-loop.conf file:

# Fail2Ban configuration file for subsequent bans
#
[f2b-loop1]
enabled = true
filter = f2b-loop
bantime = 86400     ;1 day
findtime = 86400    ;1 day
logpath = /var/log/fail2ban.log
maxretry = 3

[f2b-loop2]
enabled = true
filter = f2b-loop
bantime = 604800    ;1 week
findtime = 604800   ;1 week
logpath = /var/log/fail2ban.log
maxretry = 5
#
# Author: Walter Heitman Jr.  http://blog.shanock.com

Fail2ban can quickly consume a lot of resources (CPU/RAM) if the log file contains many lines and there are too many jails.

Be reasonable and don't create too many loops.