Banning Repeat With Fail2ban

If you want to prevent brute-force attacks on the SSH service, Fail2Ban is a good choice. If you also want to ban attackers who have repeatedly been banned by Fail2Ban, you can easily set up a "repeat" jail for a permanent ban of the attacker.

nano /etc/fail2ban/jail.d/repeat.conf

[repeat]
enabled  = true
filter   = repeat
logpath  = /var/log/fail2ban.log
bantime  = 31536000   ; 1 year
findtime = 31536000   ; 1 year
maxretry = 3

nano /etc/fail2ban/filter.d/repeat.conf

[INCLUDES]
before = common.conf

[Definition]
_daemon = fail2ban\.actions\s*
_jailname = repeat
failregex = ^(%(__prefix_line)s| %(_daemon)s%(__pid_re)s?:\s+)NOTICE\s+\[(?!%(_jailname)s\])(?:.*)\]\s+Ban\s+<HOST>\s*$
ignoreregex =

[Init]
journalmatch = _SYSTEMD_UNIT=fail2ban.service PRIORITY=5

nano /etc/fail2ban/action.d/repeat.conf

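[Definition]
# The <iptables> tag and the f2b-<name> chain are not defined in this file;
# they are assumed to come from fail2ban's iptables action configuration.
actionban = if ! <iptables> -C f2b-<name> -s <ip> -j DROP; then <iptables> -I f2b-<name> 1 -s <ip> -j DROP; fi
            if ! grep -Fxq '<ip>,<name>' /etc/fail2ban/ip.blacklist; then echo '<ip>,<name>' >> /etc/fail2ban/ip.blacklist; fi
actionunban = # Do nothing because their IP is in the blocklist file

[Init]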

After successfully creating these files, just restart the Fail2Ban service and that is all.
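
To see which log lines the filter above counts, this added example (not part of the original page and not fail2ban's own code) replays a simplified form of the failregex over constructed fail2ban.log lines and applies the jail's findtime and maxretry. Assumptions: only the second alternative of the regex is modelled, `<HOST>` is reduced to an IPv4 group, and the timestamp is stripped with a fixed pattern instead of fail2ban's date detection.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Values from the [repeat] jail on this page.
FINDTIME = timedelta(seconds=31536000)
MAXRETRY = 3

# Simplified stand-ins (assumptions): __pid_re is written out as (?:\[\d+\]),
# <HOST> is a dotted-quad group, the first regex alternative is left out.
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}")
FAILREGEX = re.compile(r"^ fail2ban\.actions\s*(?:\[\d+\])?:\s+NOTICE\s+"
    r"\[(?!repeat\])(?:.*)\]\s+Ban\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s*$")

# Constructed fail2ban.log lines using documentation-range addresses.
SAMPLE_LOG = """\
2024-03-01 08:00:01,100 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.10
2024-03-01 08:10:01,100 fail2ban.actions        [812]: NOTICE  [sshd] Unban 192.0.2.10
2024-03-02 09:00:00,200 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.10
2024-03-02 09:05:00,300 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-03-03 11:31:00,500 fail2ban.actions        [812]: NOTICE  [sshd] Ban 192.0.2.10
2024-03-03 11:31:01,600 fail2ban.actions        [812]: NOTICE  [repeat] Ban 192.0.2.10
"""


def parse_bans(log_text):
    """Return (time, ip) for every Ban line the filter would count."""
    hits = []
    for line in log_text.splitlines():
        ts = TIMESTAMP.match(line)
        # fail2ban cuts the timestamp out before applying failregex.
        m = ts and FAILREGEX.match(line[ts.end():])
        if m:
            when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
            hits.append((when, m.group("host")))
    return hits


def repeat_offenders(hits):
    """IPs with MAXRETRY bans inside one FINDTIME window, in log order."""
    seen, banned = defaultdict(list), []
    for when, ip in hits:
        seen[ip] = [t for t in seen[ip] if when - t <= FINDTIME] + [when]
        if len(seen[ip]) >= MAXRETRY and ip not in banned:
            banned.append(ip)
    return banned


if __name__ == "__main__":
    print(repeat_offenders(parse_bans(SAMPLE_LOG)))
```

The `(?!repeat\])` lookahead is what keeps the jail from counting its own `[repeat] Ban` lines, and `Unban` lines never match because the regex requires `Ban` directly after the jail name.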

 
