I find myself adding IPs under [DEFAULT] in my /etc/fail2ban/jail.local file a fair amount (when moving email domains, I want to make sure that a known user doesn't trip a ban for their whole office because of some slip-up while moving that user, but I also want to ban the heck out of dictionary tries, etc.).
Initially I didn't realize that this had to be under [DEFAULT] to be of any use (I assumed that "ignoreip = " was enough, but that only counts for whatever jail it's beneath). Then I didn't realize that it had to be [DEFAULT] in all caps, even though the other blocks are all lowercase. Then I didn't realize that, even with each IP or block on a new line, the space-separated-list rule still applies (though without the preceding space fail2ban restarts fine... it just doesn't allow the IPs), and even a " " after each IP might not have done it (I am not sure what order I was in when I got rid of that). All of which meant that the passthrough wasn't allowing IPs while I learned about fail2ban config file syntax (and answered to tech support because some guy in some office has the wrong password and the whole office gets re-banned every couple of minutes).
That got me to thinking “Excluded IPs” would be a nice button to have right there on that “Fail2Ban Intrusion Detector” menu… that would just say “Enter single IPs or ranges as /24 /16 etc, one per line that you wish to be exempt from fail2ban” and then would just do all that for me.
Would that supersede fail2ban’s Bans? (I still like doing it at the fail2ban level better because its Ban/Unban logs would be confusing if they only worked for some IPs.)
Incidentally, the Allow IP/CIDR button was broken the last time I tried it. (Ignore the exchanges with ID10T there; I'd confused him by saying that it worked in public.xml when manually added. I am not convinced that when I did that I nested the IP in that "rule" block that seems to break it.)
At least I can say that if I pick a zone like "trusted", click Allow IP/CIDR and add an IP there, it does not work for the ports and services there (I think because the file it creates nests the IP in a rule, which is outside of the list of allowed ports). So the button will make this:
    <?xml version="1.0" encoding="utf-8"?>
    <zone>
      <short>Internal</short>
      <description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
      <service name="ssh"/>
      <rule family="ipv4" priority="-32767">
        <source address="[SAID-IP-HERE]"/>
        <accept/>
      </rule>
    </zone>
And presuming that ssh isn't available in another group (like public), ssh will not work for SAID-IP, but removing these two lines:
    <rule family="ipv4" priority="-32767">
    </rule>
makes what the button creates work as one expects.
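As an added example (not part of the original post, and not fail2ban's own code): the ignoreip pitfalls described above can be checked offline with Python's ConfigParser, which is what fail2ban's jail reader is built on. That is what makes the section name case-sensitive (only `[DEFAULT]` is inherited by every jail), makes a multi-line value continue only on lines that start with whitespace, and makes the value a whitespace-separated list. The two jail.local texts below are constructed for this example; the function names are mine.

```python
"""Check a fail2ban jail.local ignoreip list the way a ConfigParser-based
reader sees it.  Added example; assumes jail.local is read with Python's
ConfigParser semantics (case-sensitive section names, indented continuation
lines, whitespace/comma separated ignoreip entries).  Sample files below are
constructed for this example."""
import configparser
import ipaddress

# Correct form: [DEFAULT] in caps, continuation lines indented.
GOOD_JAIL_LOCAL = """\
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1
    203.0.113.5
    198.51.100.0/24

[sshd]
enabled = true
"""

# Wrong form: [default] in lowercase is an ordinary section, so no jail
# inherits its ignoreip.
LOWERCASE_SECTION = """\
[default]
ignoreip = 127.0.0.1/8 ::1 203.0.113.5

[sshd]
enabled = true
"""

# Wrong form: the second line is not indented, so it is not a continuation
# of ignoreip; ConfigParser treats it as a malformed key and rejects it.
UNINDENTED_CONTINUATION = """\
[DEFAULT]
ignoreip = 127.0.0.1/8
203.0.113.5

[sshd]
enabled = true
"""


def parses(text):
    """True if the text is accepted at all by ConfigParser."""
    try:
        load(text)
        return True
    except configparser.Error:
        return False


def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def parse_ignoreip(raw):
    """Split an ignoreip value into (networks, bad_tokens).

    Entries are separated by whitespace or commas; a bare address becomes a
    /32 or /128 network.  Unparseable tokens are reported, not dropped
    silently, since a typo there is exactly what gets an office banned."""
    nets, bad = [], []
    for tok in raw.replace(",", " ").split():
        try:
            nets.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            bad.append(tok)
    return nets, bad


def ignore_networks(cp, jail):
    """Networks the given jail will actually ignore.  ConfigParser falls back
    to [DEFAULT] (exact spelling) when the jail has no ignoreip of its own."""
    raw = cp.get(jail, "ignoreip", fallback="")
    nets, bad = parse_ignoreip(raw)
    if bad:
        raise ValueError("invalid ignoreip entries in [%s]: %s" % (jail, bad))
    return nets


def is_ignored(ip, text, jail):
    """Would `ip` be exempt from bans in `jail` under this jail.local text?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ignore_networks(load(text), jail))


if __name__ == "__main__":
    for name, text in (("GOOD", GOOD_JAIL_LOCAL), ("lowercase", LOWERCASE_SECTION)):
        print(name, "203.0.113.5 ignored by sshd:", is_ignored("203.0.113.5", text, "sshd"))
    print("unindented continuation parses:", parses(UNINDENTED_CONTINUATION))
```

Run it against a real file by reading /etc/fail2ban/jail.local into `text`; `is_ignored(office_ip, text, "sshd")` returning False while the address sits in the file is the symptom described above, and the usual causes are the three shown.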