I have been using Fail2Ban with Shorewall to block brute force attempts against open ports. I noticed that during a recent attack, the attackers were being repeatedly banned, so I decided to turn on the Recidive Jail. Unfortunately, it doesn’t work with the shorewall action – in a nutshell, the short term jail that finally triggers the recidive jail releases the IP even though the recidive jail believes it is still banned. I got around the problem by adding a new action ‘shorewall-recid’ and creating a few short scripts. Essentially, if the recidive jail is triggered, the scripts make sure the IP is unbanned from all other jails before it is banned with the recidive one. If you are interested in the scripts, just let me know.
Hello, I’m interested in the shorewall-recid scripts. Could you share them? Thanks.
I have abandoned those scripts in favour of ipsets. I created an ipset to hold all the addresses I have banned. I then created shorewall-ipset.conf that contained this line for banning:
actionban = ipset add F2BLIST <ip> timeout <bantime> -exist
You can pass the bantime as a parameter in your recidive jail. The ipset function keeps track of how long to ban it, so you don’t have to worry about fail2ban doing it.
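A complete action file built around the ipset approach described above, as an added example rather than the poster's own shorewall-ipset.conf; it assumes fail2ban's standard action tags (<ip>, <bantime>) and the file path given in the first comment.

```ini
# /etc/fail2ban/action.d/shorewall-ipset.conf  (assumed path for this example)
# Bans go into the ipset F2BLIST with a per-entry timeout, so the kernel
# expires them itself; fail2ban never has to unban through Shorewall.
[Definition]
# Create the set if it is missing. "timeout 0" enables per-entry timeouts
# without imposing a default one; -exist makes a repeat create harmless.
# hash:ip is IPv4 only; IPv6 bans need a second "family inet6" set.
actionstart = ipset create <ipset> hash:ip timeout 0 -exist
# Leave the set in place on stop so current bans survive a fail2ban
# restart; Shorewall keeps matching against it in the meantime.
actionstop  =
# Run before each ban; if the set has vanished the check fails and
# fail2ban re-runs actionstart before banning.
actioncheck = ipset list <ipset> >/dev/null
# Add the address with the jail's bantime (seconds). -exist refreshes the
# timeout of an address that is already present instead of erroring.
actionban   = ipset add <ipset> <ip> timeout <bantime> -exist
# Delete only if present, so an entry ipset has already expired is not an error.
actionunban = ipset del <ipset> <ip> -exist

[Init]
# Set name; Shorewall refers to it as +F2BLIST.
ipset = F2BLIST
# Fallback used when the jail does not pass one; the recidive jail should
# pass its own, e.g.  action = shorewall-ipset[bantime=604800]
bantime = 86400
```

Shorewall then blocks the set from /etc/shorewall/blrules with a line such as `DROP net:+F2BLIST all`; the set must already exist when Shorewall loads that rule, so create it from the Shorewall init script or keep it across restarts with SAVE_IPSETS in shorewall.conf.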