This thread reminds me of why I still use CSF. It very handily does all the work that firewalld and fail2ban combined do, and then some.
The default configuration is sensible, but it can be customized as necessary for a particular use case. You can make it forgiving, heartless, both depending on recidivism, or anywhere in between.
It can block IP addresses or ranges automatically, manually, or programmatically; from the GUI, a terminal, or a script; temporarily, permanently, or temporarily-to-permanently; and it can trigger other, root-defined processes upon doing so, or upon rehabilitating the IPs.
In my own case, one of the things it does (via an external script) is populate a remote, ephemeral database of malicious IP addresses that generates text files that can be downloaded by other servers and firewalls. Multiple servers, numerous honeypots, and numerous failure scripts on public contact form spam filters also contribute to that database, which in turn is re-imported into CSF (and other firewalls that can import text-based blocklists) so all of the servers benefit from the data.
Anyone in the interwebs-connected world can download free, public versions of the blocklists if they like. They contain only the worst offenders’ IP addresses and are only updated once a day (I may change that soon to make them update more often), but they’re free.
https://www.rjmblocklist.com/free/badips.txt
https://www.rjmblocklist.com/free/webattack.txt
The philosophy behind those lists rests on rehabilitation by ephemerality. IP addresses that have behaved themselves are automatically removed between 72 and 96 hours following their most recent bad behavior, as reported (or not reported) by both CSF running on the servers or scripts running on the sites and honeypots. In a nutshell, if an IP is not observed misbehaving in that time period, it is rehabilitated. That avoids permanently banning an IP due to a temporary situation like a hack, breach, or malware infection, once it has been resolved.
Every IP that winds up on the list is also reported to AbuseIPDB in real time; so if you already use AbuseIPDB, you’re already benefiting from CSF’s work on my servers. This is my page on AbuseIPDB, by the way.
There would be more entries, but because the servers share their observations (as well as actions against the honeypots and web forms) with each other, IPs that act maliciously toward any one server or site are blocked by the rest, as well. That’s actually how this project began: I wanted an easy way for all my servers to share their events with each other. It just kind of morphed into a blocklist from there.
Of course, you can do all of this with firewalld and fail2ban if you want, but it would involve a heck of a lot more work. Not being one to reinvent the wheel, I let CSF do between 85 and 95 percent of the work. I wrote the honeypots, the web form failure scripts, the database scripts, and the scripts that interface with CSF. CSF itself does the rest and provides the great bulk of the malicious IP data.
Richard