I've recently started using fail2ban more to ban suspicious traffic on my web servers. It's great because it watches logs, and when an entry matches a regular expression it performs an action on the IP address from that log line. The actions can do pretty much anything; typically the action is an iptables rule that bans the client. The problem is that when you restart the fail2ban service, it flushes the chain for the filter and re-parses only the current log for matches, not the rotated logs. So any IP whose offending entries have since been moved into a rotated log by logrotate is no longer banned.
You can make the bans persistent by setting up a blacklist and automatically loading them when fail2ban is restarted. First, you need to create a file to store blacklisted IPs.
sudo touch /etc/fail2ban/ip.blacklist
Then you can either edit the /etc/fail2ban/action.d/iptables-multiport.conf file directly or make a copy of it and edit the copy. I prefer to make a copy because I version all of my configs.
The action config file has several directives; we want to focus on two of them, actionstart and actionban. First, when fail2ban bans an IP we want it not only to add the iptables rule but also to append the IP address to the ip.blacklist file.
actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
            echo <ip> >> /etc/fail2ban/ip.blacklist
Then we want to be sure that a DROP rule is re-added for every blacklisted IP when fail2ban is started, so we add a loop over the file to the end of the actionstart directive:
actionstart = iptables -N fail2ban-<name>
              iptables -A fail2ban-<name> -j RETURN
              iptables -I INPUT -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
              while read -r IP; do iptables -I fail2ban-<name> 1 -s "$IP" -j DROP; done < /etc/fail2ban/ip.blacklist
That's it: once you restart fail2ban it will automatically ban all of the IPs in your ip.blacklist file.
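As an added example that is not part of the original post, and that goes a step beyond it: a small POSIX shell helper that loads the blacklist while skipping blank, duplicate and malformed lines, and removes an IP from the file on unban so a lifted ban does not quietly come back at the next restart. It assumes a hypothetical path such as /etc/fail2ban/blacklist.sh that the action sources; IPTABLES can be overridden for a dry run.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers for a fail2ban action that
# keeps a persistent blacklist. Assumed to live at a hypothetical path such as
# /etc/fail2ban/blacklist.sh and to be sourced from actionstart / actionunban.
# Set IPTABLES=true or IPTABLES=echo to dry-run without touching the firewall.
IPTABLES="${IPTABLES:-iptables}"

# valid_ipv4 IP: succeed only for a dotted quad whose four octets are all 0-255,
# so a stray or corrupted line in the file never becomes an odd iptables argument.
valid_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# load_blacklist CHAIN FILE: insert one DROP rule per unique valid IP into CHAIN
# and print how many were loaded. Duplicates pile up because actionban appends
# on every ban, so the file is deduplicated first.
load_blacklist() {
    chain=$1; file=$2; loaded=0
    [ -r "$file" ] || { echo 0; return 0; }
    for ip in $(sort -u "$file"); do
        if valid_ipv4 "$ip"; then
            "$IPTABLES" -I "$chain" 1 -s "$ip" -j DROP && loaded=$((loaded + 1))
        else
            echo "blacklist: skipping malformed entry '$ip'" >&2
        fi
    done
    echo "$loaded"
}

# forget_ip FILE IP: remove IP from the file when fail2ban unbans it, so the
# lifted ban is not silently reinstated at the next restart.
forget_ip() {
    file=$1; ip=$2
    [ -r "$file" ] || return 0
    grep -vxF -- "$ip" "$file" > "$file.tmp" || :
    mv "$file.tmp" "$file"
}
```

In the action file this replaces the loop with `load_blacklist fail2ban-<name> /etc/fail2ban/ip.blacklist` under actionstart and adds `forget_ip /etc/fail2ban/ip.blacklist <ip>` under actionunban.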