Fail2Ban, Shorewall and Recidive Jail

I have been using Fail2Ban with Shorewall to block brute-force attempts against open ports. I noticed that during a recent attack the attackers were being repeatedly banned, so I decided to turn on the recidive jail. Unfortunately, it doesn't work with the shorewall action: in a nutshell, the short-term jail that finally triggers the recidive jail releases the IP even though the recidive jail believes it is still banned. I got around the problem by adding a new action, 'shorewall-recid', and creating a few short scripts. Essentially, if the recidive jail is triggered, the scripts make sure the IP is unbanned from all other jails before it is banned by the recidive one. If you are interested in the scripts, just let me know.

2 thoughts on “Fail2Ban, Shorewall and Recidive Jail”

  1. I have abandoned those scripts in favour of ipsets. I created an ipset to hold all the addresses I have banned. I then created shorewall-ipset.conf that contained this line for banning:

    actionban = ipset add F2BLIST <ip> timeout <bantime> -exist

    You can pass the bantime as a parameter in your recidive jail. The ipset function keeps track of how long to ban it, so you don't have to worry about fail2ban doing it.
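The two approaches above (the post's "unban from every other jail before the recidive ban" and the comment's ipset with its own timeout) combined in one helper, as an added example rather than the author's own scripts. It assumes a hypothetical recidive action line such as `actionban = /usr/local/bin/recid-ban.sh <ip> <bantime>`, an ipset named F2BLIST created with the timeout option, and a Shorewall rule that drops addresses in that set.

```shell
#!/bin/sh
# Added example (not from the post): helper for a hypothetical fail2ban action
# in the recidive jail. It lifts the IP from every other jail first, so the
# short-term jail's later unban cannot undo the long recidive ban, then puts
# it in the F2BLIST ipset with an ipset-managed expiry.
set -u

# Print the jails listed in `fail2ban-client status` output, one per line,
# minus the recidive jail itself. $1 = that output as text.
other_jails() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Jail list:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^recidive$/d; /^$/d'
}

# recid_ban IP BANTIME STATUS_TEXT [RUNNER]
# RUNNER defaults to "sh -c" (really executes); pass "echo" for a dry run.
recid_ban() {
    ip=$1; bantime=$2; status=$3; run=${4:-sh -c}
    for j in $(other_jails "$status"); do
        $run "fail2ban-client set $j unbanip $ip"
    done
    # ipset owns the expiry, so fail2ban's own unban of this jail is harmless.
    $run "ipset add F2BLIST $ip timeout $bantime -exist"
}

# Stand-alone use: recid-ban.sh <ip> <bantime> (queries the live fail2ban server)
if [ "${1:-}" ] && [ "${2:-}" ]; then
    recid_ban "$1" "$2" "$(fail2ban-client status)"
fi
```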
