Persistent fail2ban bans

tommyvirtualmin · October 14, 2020, 1:28pm

Centos 8.2, what’s the best recommended way to permanently and persistently ban within iptables-multiport.local? I’m unsure if there is an option within Virtualmin to handle this, thanks.

ramin · October 14, 2020, 1:51pm

The Fail2ban package installed with CentOS 8 should be setup with Firewalld banactions that work nicely.

Be careful about long ban times with Fail2ban. It’s best to manually put IPs in Firewalld’s DROP zone for that.

firewall-cmd --permanent --zone=drop --add-source=12.34.56.78
firewall-cmd --reload

The IP will stay there until you un-drop it.

tommyvirtualmin · October 15, 2020, 3:24pm

Thanks for this. Do long ban times within fail2ban itself eventually cause errors?

ramin · October 15, 2020, 11:48pm

As IPs stack up in Fail2ban’s database the service becomes heavier and slower. You’ll know it’s too big if the service takes forever to restart or fail2ban-client takes longer than usual to reload. Swapping to disk is another symptom that it’s working too hard.

Somewhere in these forums there’s a good discussion about running Fail2ban as efficiently as possible. The main idea is finding the right balance between ban times and unbanning, a FIFO strategy so to speak. With most jails I normally don’t ban longer than 48 hours but recently with the apache-noscript jail I’ve increased it to 72 hours. IPs that keep coming back end up blocked indefinitely using Firewalld.

tommyvirtualmin · October 17, 2020, 2:23pm

I’ve got a bit to learn about fail2ban still for sure. What measures are in place in your jail.local to send those repeat offenders to the permanent iptables drop table? Or are you saying that this is a default procedure for fail2ban. Thanks

One interesting thing I noticed is when I set up a brand new mail account with my VPN, fail2ban.log shows my VPN IP address getting banned, even with proper credentials. I have to turn my VPN off, initiate the new mail account within Thunderbird, let it authenticate, and then moving forward I can keep my VPN on. Interesting. I like that it’s being overly-safe, though, makes me feel good. I need to learn how it makes that determination to ban my VPN IP.

system · November 16, 2020, 2:23pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.