I have been using Fail2Ban with Shorewall to block brute-force attempts against open ports. I noticed that during a recent attack, the attackers were being repeatedly banned, so I decided to turn on the Recidive Jail. Unfortunately, it doesn’t work with the shorewall action – in a nutshell, the short term jail that finally triggers the recidive jail releases the IP even though the recidive jail believes it is still banned. I got around the problem by adding a new action ‘shorewall-recid’ and creating a few short scripts. Essentially, if the recidive jail is triggered, the scripts make sure the IP is unbanned from all other jails before it is banned with the recidive one. If you are interested in the scripts, just let me know.
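The ordering described above can be sketched as a helper that a ‘shorewall-recid’ action could call as its ban command. This is an added example, not the author's scripts (which are not shown in the post); the function names `parse_jails` and `recid_ban` and the `F2B`, `SW` and `RECID_JAIL` variables are hypothetical, and it assumes the stock `fail2ban-client status`, `fail2ban-client set <jail> unbanip <ip>` and `shorewall drop <ip>` commands.

```shell
#!/bin/sh
# Added example: ban helper for a hypothetical 'shorewall-recid' action.
# F2B and SW can be overridden (e.g. SW="echo shorewall") for a dry run.
F2B="${F2B:-fail2ban-client}"
SW="${SW:-shorewall}"
RECID_JAIL="${RECID_JAIL:-recidive}"

# Read `fail2ban-client status` output on stdin, print one jail name per line.
parse_jails() {
    sed -n 's/^.*Jail list:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Release the address from every short-term jail first, then drop it.
recid_ban() {
    ip="$1"
    # Accept only characters that can occur in an IPv4/IPv6 literal.
    case "$ip" in
        ''|*[!0-9A-Fa-f.:]*)
            echo "refusing unexpected address: $ip" >&2
            return 2 ;;
    esac
    for jail in $($F2B status | parse_jails); do
        [ "$jail" = "$RECID_JAIL" ] && continue
        # unbanip runs that jail's unban action (shorewall allow) right now,
        # so its bantime cannot expire later and lift the long-term drop.
        # A jail that does not hold the address may report an error; ignore it.
        $F2B set "$jail" unbanip "$ip" >/dev/null 2>&1 || true
    done
    # Only after every other jail has let go does the recidive drop go in.
    $SW drop "$ip"
}

# Stand-alone use: ./shorewall-recid-ban.sh <ip>
if [ "$#" -gt 0 ]; then
    recid_ban "$1"
fi
```

The matching unban command for such an action can stay the same as in the stock shorewall action, since by then no other jail holds the address.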