Fail2ban allows to ban users on some unsuccessful actions. For example on web page error 404 or incorrect ssh authentication. But what can we do if they continue to get failed attempts?
The main idea is to parse fail2ban self log and check who has already been banned by other rules, and re-ban it at a longer interval.
We can use built-in recidive.conf filter for it.
Create according jail-file: /etc/fail2ban/jail.d/recidive.conf with content:
[recidive] enabled = true logpath = /var/log/fail2ban.log filter = recidive # find how many times it was banned today findtime = 86400 ; 1 day # if it banned 4 times maxretry = 4 # ban this user for 3 hours bantime = 10800 ; 3 hours
But if we want to use it in “second level” for example to ban users for even longer time. We should modify recidive.conf and add ignoreregex to exclude already banned IPs by this rule.
I found solution in this link: https://blog.shanock.com/fail2ban-increased-ban-times-for-repeat-offenders/
So we should change
ignoreregex =
in /etc/fail2ban/filter.d/recidive.conf file to:
ignoreregex = \[recidive.*\]\s+Ban\s+<HOST>
and create /etc/fail2ban/jail.d/recidive.conf :
[recidive1] enabled = true filter = recidive bantime = 10800 ; 3 hours findtime = 86400 ; 1 day logpath = /var/log/fail2ban.log maxretry = 4 [recidive2] enabled = true filter = recidive bantime = 86400 ;1 day findtime = 604800 ;1 week logpath = /var/log/fail2ban.log maxretry = 7 [recidive3] enabled = true filter = recidive bantime = 604800 ;1 week findtime = 2592000 ;1 month logpath = /var/log/fail2ban.log maxretry = 10 [recidive4] enabled = true filter =recidive bantime = 2592000 ;1 month findtime = 15552000 ;6 months logpath = /var/log/fail2ban.log maxretry = 20