I have set up a custom jail for a spambot that is giving me trouble. Using "bantime -1" I was trying to permanently ban the botnet. I thought it was working, but when the weekly logrotate occurred fail2ban unbanned all IPs.
What is the best way to permanently and persistently ban an IP using fail2ban?
Is doing something like this + logging permanently banned IPs to a separate file (that does not get rotated) a good solution?
Cheers, Thomas
P.S.: I would like to do this without new cronjobs and scripts.
P.P.S.: I'm using Debian.
Put the ban in your permanent iptables configuration file (possibly /etc/sysconfig/iptables).

I scoured the net for a couple hours trying to find a solid way of doing this. This article was a godsend for me: Fail2Ban: Permanent SSH Bans. It suggests a separate file to store and recall permanently-banned IPs, which is read on fail2ban launch and written to whenever an address is banned. A similar approach could be used to store bans in a database or the system-wide iptables rules.

My permaban action file appends the IP to a file that my firewall loads on boot, so it's never lost. How you achieve that will depend on your setup and system.
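The "separate file read on launch, written on ban" approach from the answers above, as an added example that is not code from the linked article, from fail2ban, or from any of the posters. It assumes a ban-list path (`/etc/fail2ban/permanent-bans.txt`), a dedicated iptables chain name (`f2b-permanent`) and a script path (`/usr/local/sbin/permaban.sh`); all three are this example's own choices. The fail2ban action keys `actionstart`, `actionban` and the `<ip>` tag are fail2ban's. The script validates the address before it reaches iptables and runs in dry-run mode by default, so it can be exercised without root or a live firewall:

```shell
#!/bin/sh
# Added example (not fail2ban's own code): keep permanent bans in a file that
# logrotate never touches, and re-apply them when fail2ban starts.
#
# Assumed wiring in /etc/fail2ban/action.d/permaban.conf (file name assumed):
#   [Definition]
#   actionstart = /usr/local/sbin/permaban.sh restore
#   actionban   = /usr/local/sbin/permaban.sh ban <ip>

# Assumed paths/names; override via environment for testing.
BANLIST="${BANLIST:-/etc/fail2ban/permanent-bans.txt}"
CHAIN="${CHAIN:-f2b-permanent}"
# DRY_RUN=1 (default here) only prints the rule; set DRY_RUN=0 on a real host.
DRY_RUN="${DRY_RUN:-1}"

# Run or merely print an iptables command, depending on DRY_RUN.
apply_rule() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "would run: iptables $*" >&2
    else
        iptables "$@"
    fi
}

# Accept only dotted-quad IPv4 so a malformed log field can never become
# extra iptables arguments. Returns 0 for valid, 1 otherwise.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Record the address once (idempotent append) and block it now.
persist_ban() {
    ip="$1"
    valid_ipv4 "$ip" || { echo "persist_ban: refusing '$ip'" >&2; return 1; }
    touch "$BANLIST"
    grep -qxF "$ip" "$BANLIST" || printf '%s\n' "$ip" >> "$BANLIST"
    apply_rule -I "$CHAIN" -s "$ip" -j DROP
}

# Re-apply every saved ban (called from actionstart); prints how many.
restore_bans() {
    count=0
    if [ -f "$BANLIST" ]; then
        while IFS= read -r ip; do
            valid_ipv4 "$ip" || { echo "skipping bad line: '$ip'" >&2; continue; }
            apply_rule -I "$CHAIN" -s "$ip" -j DROP
            count=$((count + 1))
        done < "$BANLIST"
    fi
    echo "$count"
}

# Number of non-empty lines currently in the ban list.
banlist_count() {
    if [ -f "$BANLIST" ]; then grep -c . "$BANLIST" || true; else echo 0; fi
}

# Command-line dispatcher used by the action file above.
case "${1:-}" in
    ban)     shift; persist_ban "$1" ;;
    restore) restore_bans ;;
esac
```

Because `actionstart` runs whenever the jail starts, the saved addresses come back after a fail2ban restart, including one triggered by a logrotate postrotate hook; the list file itself lives outside the rotated log directory, so rotation cannot clear it.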
Fail2ban monitors various logs and takes action based on what it finds. In this particular case it will be adding rules to the iptables firewall. You will have to save the state of your firewall before the ban rules are deleted.

How and where to do this depends on your system. For Red Hat systems and the like you can use
which will write the current state of your iptables firewall to /etc/sysconfig/iptables.

For Ubuntu systems, have a look at this document, which gives guidance on how and where to make changes to the startup/shutdown files to save and restore the iptables configuration.

For Debian systems, have a look at this article.

Once you know how to save the state of your firewall, you could do the save/restore in logrotate prerotate and postrotate scripts.