Ban recurrent offenders
This idea comes from Walter Heitman Jr.'s blog article "Fail2Ban How To: Increased Ban Times for Repeat Offenders": it bans repeat offenders, that is hosts that keep getting banned by the other jails, for increasingly long periods.
Creation of the filter rule
The first thing to do is to write the filter rule that scans Fail2ban's own log file (which must be readable by Fail2ban) for the line written when an IP is banned because it broke another jail's rule.
For example, the following IP is banned and the event is logged in /var/log/fail2ban.log as:

```
2019-01-09 10:49:27,453 fail2ban.filter : INFO [sshd-extended] Found 51.xx.xx.xx
2019-01-09 10:49:27,622 fail2ban.actions : NOTICE [sshd-extended] Ban 51.xx.xx.xx
```
The pattern to match is `\]\s+Ban\s+<HOST>` (it is always the same whatever the jail, see the Fail2ban source code). The ignoreregex excludes the Ban lines written by the f2b-loop jails themselves, otherwise each loop jail would count its own bans and feed itself. In the filter.d/f2b-loop.conf file, we have:

```ini
# Fail2Ban configuration file for subsequent bans
#

[INCLUDES]
before = common.conf

[Definition]
failregex = \]\s+Ban\s+<HOST>
ignoreregex = \[f2b-loop.*\]\s+Ban\s+<HOST>

#
# Author: Walter Heitman Jr. http://blog.shanock.com
```
Creation of jail rules
The second thing to do is to configure the jails: how many matches of the filter Fail2ban must find in its own log within findtime before it bans the host, and for how long (bantime).

```ini
# Fail2Ban configuration file for subsequent bans
#

[f2b-loop1]
enabled = true
filter = f2b-loop
bantime = 86400 ;1 day
findtime = 86400 ;1 day
logpath = /var/log/fail2ban.log
maxretry = 3

[f2b-loop2]
enabled = true
filter = f2b-loop
bantime = 604800 ;1 week
findtime = 604800 ;1 week
logpath = /var/log/fail2ban.log
maxretry = 5

#
# Author: Walter Heitman Jr. http://blog.shanock.com
```

With this configuration, a host banned three times by the regular jails within a day is banned for a day by f2b-loop1, and a host banned five times within a week is banned for a week by f2b-loop2. Since the ignoreregex drops the loop jails' own Ban lines, only bans issued by the regular jails are counted.
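To see how the filter and the two jails behave together, here is an added example (my own simulation, not code from the original page or from Walter Heitman Jr.) that applies the failregex and ignoreregex of f2b-loop.conf to a few constructed fail2ban.log lines and counts matches per host the way the f2b-loop1 and f2b-loop2 jails would. It assumes a simplified `<HOST>` that matches IPv4 only (Fail2ban's own expansion also matches IPv6 and hostnames), the TEST-NET addresses in the sample log are made up, and the counting model (maxretry matches within findtime, counter cleared after a ban) is an approximation of Fail2ban's logic, not a call into Fail2ban itself.

```python
import re
from datetime import datetime, timedelta

# Assumption: simplified stand-in for fail2ban's <HOST> token (IPv4 only;
# fail2ban's own expansion also matches IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two patterns from filter.d/f2b-loop.conf, with <HOST> expanded.
FAILREGEX = re.compile(r"\]\s+Ban\s+<HOST>".replace("<HOST>", HOST))
IGNOREREGEX = re.compile(r"\[f2b-loop.*\]\s+Ban\s+<HOST>".replace("<HOST>", HOST))

# Timestamp prefix of fail2ban.log lines: "2019-01-09 10:49:27,622 ..."
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} ")
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample of /var/log/fail2ban.log (not a real capture; TEST-NET
# addresses). It mixes Found/Unban lines, bans from several regular jails and
# one Ban line written by f2b-loop1 itself.
SAMPLE_LOG = """\
2019-01-09 10:49:27,453 fail2ban.filter : INFO [sshd-extended] Found 198.51.100.23
2019-01-09 10:49:27,622 fail2ban.actions : NOTICE [sshd-extended] Ban 198.51.100.23
2019-01-09 11:49:27,700 fail2ban.actions : NOTICE [sshd-extended] Unban 198.51.100.23
2019-01-09 13:02:11,300 fail2ban.actions : NOTICE [sshd-extended] Ban 198.51.100.23
2019-01-09 15:30:00,000 fail2ban.actions : NOTICE [postfix] Ban 198.51.100.23
2019-01-09 15:30:00,010 fail2ban.actions : NOTICE [f2b-loop1] Ban 198.51.100.23
2019-01-09 16:00:00,000 fail2ban.actions : NOTICE [sshd-extended] Ban 203.0.113.7
2019-01-10 18:20:00,000 fail2ban.actions : NOTICE [sshd-extended] Ban 198.51.100.23
2019-01-11 20:05:00,000 fail2ban.actions : NOTICE [sshd-extended] Ban 198.51.100.23
2019-01-12 09:00:00,000 fail2ban.actions : NOTICE [sshd-extended] Ban 203.0.113.7
"""

# Jail parameters from the jail configuration above (seconds).
JAILS = {
    "f2b-loop1": dict(findtime=86400, maxretry=3),
    "f2b-loop2": dict(findtime=604800, maxretry=5),
}


def filter_matches(log_text):
    """Return [(timestamp, host)] for lines hit by failregex and not by ignoreregex."""
    hits = []
    for line in log_text.splitlines():
        m_ts = TS_RE.match(line)
        if not m_ts:
            continue
        if IGNOREREGEX.search(line):
            continue  # the loop jails' own bans must not feed the loop
        m = FAILREGEX.search(line)
        if m:
            hits.append((datetime.strptime(m_ts.group(1), TS_FMT), m.group("host")))
    return hits


def simulate_jail(hits, findtime, maxretry):
    """Return [(ban_time, host)] the jail would emit for these filter hits.

    Approximation of fail2ban's counting: a host is banned when maxretry hits
    fall within findtime seconds; its counter is cleared after the ban.
    """
    window = timedelta(seconds=findtime)
    recent = {}  # host -> hit timestamps still inside the findtime window
    bans = []
    for ts, host in sorted(hits):
        times = [t for t in recent.get(host, []) if ts - t <= window]
        times.append(ts)
        if len(times) >= maxretry:
            bans.append((ts, host))
            times = []
        recent[host] = times
    return bans


def run(log_text=SAMPLE_LOG):
    """Run the filter once, then every jail over the same hits (as fail2ban does)."""
    hits = filter_matches(log_text)
    return {name: simulate_jail(hits, **cfg) for name, cfg in JAILS.items()}


if __name__ == "__main__":
    # Prints:
    # 2019-01-09 15:30:00 [f2b-loop1] Ban 198.51.100.23
    # 2019-01-11 20:05:00 [f2b-loop2] Ban 198.51.100.23
    for jail, bans in run().items():
        for ts, host in bans:
            print(f"{ts} [{jail}] Ban {host}")
```

Running it prints one Ban line per jail: the third ban of 198.51.100.23 inside a day triggers f2b-loop1, the fifth inside a week triggers f2b-loop2, while the `[f2b-loop1] Ban` line is dropped by the ignoreregex and so never counts towards f2b-loop2 or a second round of f2b-loop1; 203.0.113.7, banned only twice and days apart, is left alone. Against the real log, the equivalent check is `fail2ban-regex /var/log/fail2ban.log /etc/fail2ban/filter.d/f2b-loop.conf`, which reports how many lines match the failregex and how many are ignored.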
Fail2ban can quickly consume a lot of CPU and RAM if the log file is large and there are many jails, since every jail runs its own filter over the log.
Be reasonable and don't add too many loop jails.