Can I automate Fail2Ban to permanently blacklist IPs seen multiple times across jails?

Yes — and it’s one of the smartest things you can do to escalate defenses against persistent or rotating attackers. By default, Fail2Ban bans IPs per jail, temporarily. But with some strategic configuration, you can:

  • Track repeat offenders across multiple jails

  • Escalate ban durations automatically

  • Permanently blacklist repeat attackers

  • Sync IPs to external blocklists or firewall rules

Here’s how to build an automated, escalating ban system that adapts to repeat abuse.


✅ Strategy Overview

Goal:

  1. Detect multiple offenses from the same IP across different services (e.g., SSH, NGINX, Plex)

  2. Increase ban time on each offense

  3. Eventually, perma-ban that IP at firewall level or log it to a deny list


Method 1: Use the recidive Jail (Built-in to Fail2Ban)

The recidive jail watches Fail2Ban’s own ban logs, detecting IPs that were banned multiple times across jails.

✅ Step 1: Enable and Configure recidive

In /etc/fail2ban/jail.local:


 

    [recidive]
    enabled  = true
    filter   = recidive
    logpath  = /var/log/fail2ban.log
    # 1 year ban (can be "forever" with a custom method)
    bantime  = 31536000
    # Look back 24 hours
    findtime = 86400
    # Number of bans before permanent action
    maxretry = 5
    action   = iptables-allports

You can change action to your own script if you want to log to a custom blacklist or trigger external blocklists.

Restart Fail2Ban:


 

    sudo systemctl restart fail2ban

Now, any IP that gets banned 5 times (from any jail) in 24 hours is auto-banned for a year.
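To see what the recidive jail is actually counting, here is an added shell example (not code from the original post) that tallies Ban events per IP across jails in a fail2ban.log. The log lines are constructed sample data in Fail2Ban's default log format, and the function names repeat_offenders and top_offender are my own. It counts over the whole file rather than a findtime window; to mirror findtime = 86400, run it over only the last day of the log (for example, grep the date first).

```shell
#!/bin/sh
# Added example, not from the original post: count Ban events per IP across
# jails in a fail2ban.log, the same signal the recidive jail keys on.
# The lines below are constructed sample data in fail2ban's default format.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2024-05-01 10:01:02,111 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 10:05:44,222 fail2ban.actions        [812]: NOTICE  [nginx-http-auth] Ban 203.0.113.5
2024-05-01 10:07:10,333 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
2024-05-01 11:15:00,444 fail2ban.actions        [812]: NOTICE  [sshd] Unban 203.0.113.5
2024-05-01 12:30:01,555 fail2ban.actions        [812]: NOTICE  [plex] Ban 203.0.113.5
2024-05-01 13:02:09,666 fail2ban.actions        [812]: NOTICE  [sshd] Ban 203.0.113.5
2024-05-01 13:40:12,777 fail2ban.actions        [812]: NOTICE  [nginx-http-auth] Ban 203.0.113.5
2024-05-01 14:00:00,888 fail2ban.actions        [812]: NOTICE  [sshd] Ban 198.51.100.7
EOF

# repeat_offenders LOGFILE THRESHOLD
# Prints "<ip> <ban_count> <distinct_jails>" for every IP whose Ban events
# (Unban lines are ignored) reach THRESHOLD, highest count first.
repeat_offenders() {
    awk -v thr="$2" '
        / NOTICE +\[[^]]+\] Ban / {
            jail = $0
            sub(/.*NOTICE +\[/, "", jail)
            sub(/\].*/, "", jail)
            ip = $NF
            bans[ip]++
            if (!((ip, jail) in seen)) { seen[ip, jail] = 1; jails[ip]++ }
        }
        END {
            for (ip in bans)
                if (bans[ip] >= thr) print ip, bans[ip], jails[ip]
        }' "$1" | sort -k2,2nr -k1,1
}

# top_offender LOGFILE: the single most-banned IP (ties broken by address)
top_offender() {
    repeat_offenders "$1" 1 | head -n 1 | cut -d' ' -f1
}

# With maxretry = 5 in the recidive jail, only IPs reaching 5 bans matter;
# a threshold of 2 is used here so the second sample IP shows up as well.
repeat_offenders "$SAMPLE_LOG" 2
```

The third column (distinct jails) is the cross-service view the question asks about: an IP banned five times by sshd alone and one banned by sshd, NGINX and Plex both trip recidive, but the second is the rotating attacker you most want to keep.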


Method 2: Create a Custom Persistent Blocklist (Advanced)

  1. Create a file to store permanent IPs:
    /etc/fail2ban/perma-ban.list

  2. Modify or create a custom action:

/etc/fail2ban/action.d/permaban.conf


 

    [Definition]
    # The ipset itself is created in the next step, so nothing to do here
    actionstart =
    actionstop  =
    # Record the IP and add it to the firewall set; -exist keeps Fail2Ban from
    # logging an error when the IP is already in the set
    actionban   = echo "<ip>" >> /etc/fail2ban/perma-ban.list && ipset -exist add blacklist <ip>
    # Permanent: never remove
    actionunban =

  3. Load IPSet and add initial list:

    ipset create blacklist hash:ip
    iptables -I INPUT -m set --match-set blacklist src -j DROP

  4. In your recidive jail, use:

    action = permaban

This will:

  • Add banned IPs to a blacklist

  • Use ipset to block them at the firewall level

  • Persist across reboots (with a restore script on boot)
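The restore script mentioned in the last bullet, as an added example (not code from the original post): it rebuilds the blacklist ipset from /etc/fail2ban/perma-ban.list and re-inserts the DROP rule only if it is missing. The list path and set name are the ones used above, but the helper names (is_ipv4, restore_commands, count_restored, apply_restore) and the --dry-run / --apply switches are my own assumptions for this script.

```shell
#!/bin/sh
# Added example, not from the original post: reload the "blacklist" ipset from
# the perma-ban list at boot. PERMABAN_LIST and SET_NAME are assumed defaults.
PERMABAN_LIST="${PERMABAN_LIST:-/etc/fail2ban/perma-ban.list}"
SET_NAME="${SET_NAME:-blacklist}"

# is_ipv4 ADDR: succeed only for a dotted quad whose four octets are all 0..255
is_ipv4() {
    echo "$1" | awk -F. '
        NF == 4 {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            exit 0
        }
        { exit 1 }'
}

# restore_commands LISTFILE: print an "ipset restore" script that creates the
# set and adds every valid, de-duplicated address. Blank lines, comments and
# malformed entries (reported on stderr) are skipped, so one bad line cannot
# abort the whole restore and leave the box unprotected.
restore_commands() {
    echo "create $SET_NAME hash:ip"
    sort -u "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if is_ipv4 "$line"; then
            echo "add $SET_NAME $line"
        else
            echo "perma-ban restore: skipping malformed entry '$line'" >&2
        fi
    done
}

# count_restored LISTFILE: how many addresses would be loaded
count_restored() {
    restore_commands "$1" 2>/dev/null | grep -c '^add '
}

# apply_restore LISTFILE: load the set (-exist tolerates a set or entries that
# already exist) and insert the DROP rule only when it is not already present.
apply_restore() {
    restore_commands "$1" | ipset -exist restore
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
        || iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
}

case "${1:-}" in
    --dry-run) restore_commands "$PERMABAN_LIST" ;;
    --apply)   apply_restore "$PERMABAN_LIST" ;;
esac
```

Run it with --apply from a systemd unit ordered before fail2ban.service (or from rc.local), and with --dry-run to review what would be loaded. Because the permaban action appends to the list file but never removes from it, the file is the source of truth; this script only replays it into the kernel.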


Method 3: Escalate Ban Duration Automatically

You can also progressively increase ban times by stacking jails with different findtime and bantime values.

Example:


 

    # filter, logpath and port are not in the original snippet; they are assumed
    # here so the jails can start (nginx-http-auth ships with Fail2Ban)
    [nginx-auth-stage1]
    enabled  = true
    filter   = nginx-http-auth
    logpath  = /var/log/nginx/error.log
    port     = http,https
    maxretry = 5
    findtime = 600
    bantime  = 600

    [nginx-auth-stage2]
    enabled  = true
    filter   = nginx-http-auth
    logpath  = /var/log/nginx/error.log
    port     = http,https
    maxretry = 3
    findtime = 86400
    bantime  = 86400

    [nginx-auth-permaban]
    enabled  = true
    filter   = nginx-http-auth
    logpath  = /var/log/nginx/error.log
    port     = http,https
    maxretry = 2
    findtime = 2592000
    # Permanent
    bantime  = -1

The same IP will graduate from temporary → long → permanent ban over time. One caveat: when all three jails read the same log, each stage is triggered by raw failed attempts inside its own findtime, not by earlier bans, so check the numbers against each other (with the values above, two failures within 30 days already satisfy nginx-auth-permaban). To key a later stage on previous bans instead, point it at /var/log/fail2ban.log with the recidive filter as in Method 1. Fail2Ban 0.11 and later can also grow the ban time inside a single jail with bantime.increment = true.


Bonus: Visualize Repeat Offenders in Grafana

With Loki + Promtail + Grafana, you can:

  • Track most banned IPs

  • See which jails are triggering bans

  • Build dashboards like:

    • “Top repeat offenders this week”

    • “Services most targeted”


Summary

Feature                  Tool / Config
Track multiple bans      recidive jail
Permanent firewall ban   ipset + custom action
Ban escalation           Multi-stage jail logic
Global blacklists        Add IPs to external services
Dashboard visibility     Grafana + Loki

This setup makes your server adaptive and ruthless — the more persistent the attacker, the longer (and eventually permanent) their punishment.
