Intro
For those who are not aware, fail2ban is a reactive tool that triggers actions when events occur in a log. The most common use is blocking an IP in the firewall after repeated failed login attempts. Today I’ll show you a handful of tricks I’ve used to help protect my systems.
Permanent banning
Step 1.
Inside action.d/iptables-multiport.conf we will be changing 3 actions:
Change:
actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
to:
actionunban =
and then add this echo line below actionban and make sure the spaces line up:
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            echo <ip> >> /etc/fail2ban/ip.blacklist-<name>
Lastly change actionstart and add this line:
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              /usr/bin/screen -d -m /etc/fail2ban/reload.sh <name>
Step 2.
Create an /etc/fail2ban/reload.sh script containing:
#!/bin/bash
# Re-insert every IP saved for jail $1 (no-op if the jail has no blacklist file yet)
[ -r "/etc/fail2ban/ip.blacklist-$1" ] || exit 0
while read -r IP; do /sbin/iptables -I "fail2ban-$1" 1 -s "$IP" -j DROP; done < "/etc/fail2ban/ip.blacklist-$1"
Step 3.
To test it, trigger a ban; you should start to see files created in /etc/fail2ban/ looking like this:
ip.blacklist-apache-connect
ip.blacklist-pure-ftpd
Check your iptables rules, restart fail2ban, and you should see the fail2ban chains get repopulated from the blacklist files.
Note: I run the script as screen -d -m /etc/fail2ban/reload.sh so the iptables rules are loaded in the background. Otherwise fail2ban actually hangs on start while it processes the iptables rules.
If you ever find the need to unblock an IP, you will want to delete it from the blacklist file and then restart fail2ban, or manually delete its entry from iptables.
Blocking Proxy Scanners
I originally built this due to proxy scanners slamming my server. Apparently, once upon a time, a previous holder of the IP I currently had was on a proxy list, and no one was removing it. filter.d/apache-connect.conf:
[Definition]
# ban anything sending a CONNECT or a proxy-style absolute-URI request
failregex = ^<HOST> - - \[.*(CONNECT |POST htt|HEAD http|GET http).*$
ignoreregex =