creating an alternate jail in fail2ban for manual banning


Solution 1

Here's how I did this:

I added this to jail.local:

[manban]
enabled  = true
filter   = manban
action   = iptables[name=HTTP, port="80,443,110,995,25,465,143,585,993,587,21,22", protocol=tcp]
logpath  = /var/log/manban.log
maxretry = 1
# 1 month
bantime  = 2592000
findtime = 3600

Then I added the file /etc/fail2ban/filter.d/manban.conf:

[Definition]
failregex = ^\[\w{1,3}.\w{1,3}.\d{1,2}.\d{1,2}:\d{1,2}:\d{1,2} \d{1,4}. \[error] \[client.<HOST>].File does not exist:.{1,40}roundcube.{1,200}
ignoreregex =

I copied the filter protocol of another filter but pointed it at a file that doesn't exist, then I created a dummy file:

touch /var/log/manban.log

then run the command:

fail2ban-client reload

Now to manually ban an IP address for one month, type:

fail2ban-client set manban banip <IP>

This did the trick.

There are clients now that "learn" your fail2ban bantime, and will automatically adjust their system probes to not get banned. But when you look at the logs, it's obvious these are system probes. You can mess up their systems by creating extraordinary long ban times. You could also write a script that could dump IPs matching a certain criteria to your special ban log and have fail2ban ban them for an extended period of time.

Solution 2

I was getting an error with the configuration above:

iptables v1.6.0: invalid port/service 80,443,110,995,25,465,143 specified.

To apply iptables to multiple ports, the action should be iptables-multiport:

[manban]
enabled  = true
filter   = manban
action   = iptables-multiport[name=HTTP, port="80,443,110,995,25,465,220,585,587,8000,9600", protocol=tcp]
logpath  = /var/log/manban.log
maxretry = 1
# 1 month
bantime  = 2592000
findtime = 3600

This configuration works and properly updates the iptables rule set.
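The following is an added example, not code from either answer above. It packages the two answers into one script: the manban jail with the iptables-multiport action that Solution 2 shows is needed for a port list, a check that rejects the single-port iptables action for a port list, and the "script that dumps IPs matching a certain criteria to your special ban log" that Solution 1 suggests. Two things in it are assumptions that are not on the original page: the manban filter is simplified to match a line of the form "<date> MANBAN <ip>" (instead of the copied roundcube regex), and MANBAN_LOG can be overridden so the functions can be exercised without touching /var/log.

```shell
#!/bin/sh
# Added example (not from the original answers). Assumed, not from the page:
# the manban filter matches "<date> MANBAN <ip>" lines, and MANBAN_LOG may be
# overridden for testing.

MANBAN_LOG="${MANBAN_LOG:-/var/log/manban.log}"

# Emit the jail definition for jail.local. A comma-separated port list needs the
# iptables-multiport action; the single-port iptables action rejects it with
# "invalid port/service".
manban_jail_conf() {
    ports="$1"    # e.g. "80,443,22"
    bantime="$2"  # seconds, e.g. 2592000 for one month
    printf '%s\n' \
        "[manban]" \
        "enabled  = true" \
        "filter   = manban" \
        "action   = iptables-multiport[name=manban, port=\"$ports\", protocol=tcp]" \
        "logpath  = $MANBAN_LOG" \
        "maxretry = 1" \
        "bantime  = $bantime" \
        "findtime = 3600"
}

# Emit filter.d/manban.conf. fail2ban's default date patterns recognise the
# "YYYY-MM-DD HH:MM:SS" prefix, so the regex only has to match the rest.
manban_filter_conf() {
    printf '%s\n' \
        "[Definition]" \
        'failregex = ^\s*MANBAN <HOST>\s*$' \
        "ignoreregex ="
}

# Guard used before writing the jail: does this action accept this port spec?
# Returns 0 (true) if it does.
action_accepts_ports() {
    action="$1"; ports="$2"
    case "$ports" in
        *,*) [ "$action" = "iptables-multiport" ] ;;
        *)   true ;;
    esac
}

# Scan an Apache-style error log for lines containing PATTERN (a literal string,
# e.g. "roundcube") and print one "STAMP MANBAN <ip>" line per unique client IP.
# Handles both "[client 1.2.3.4]" (Apache 2.2) and "[client 1.2.3.4:port]"
# (Apache 2.4); IPv4 only.
probes_to_manban() {
    logfile="$1"; pattern="$2"; stamp="$3"   # stamp: "YYYY-MM-DD HH:MM:SS"
    grep -F -- "$pattern" "$logfile" \
      | sed -n 's/.*\[client \([0-9.]*\)[]:].*/\1/p' \
      | sort -u \
      | sed "s/^/$stamp MANBAN /"
}

# Ban one IP by hand. Prefer the client (immediate, uses the jail's bantime);
# fall back to writing the log line so fail2ban picks it up on its next pass.
manban_ban() {
    ip="$1"
    if command -v fail2ban-client >/dev/null 2>&1; then
        fail2ban-client set manban banip "$ip"
    else
        printf '%s MANBAN %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$ip" >> "$MANBAN_LOG"
    fi
}

# One-time install (root, fail2ban present); left as comments so the file can be
# sourced without side effects:
#   action_accepts_ports iptables-multiport "80,443,22" && \
#     manban_jail_conf "80,443,22" 2592000 >> /etc/fail2ban/jail.local
#   manban_filter_conf > /etc/fail2ban/filter.d/manban.conf
#   touch /var/log/manban.log && fail2ban-client reload
# Feed the jail from a log scan (the "dump IPs to your ban log" idea):
#   probes_to_manban /var/log/apache2/error.log roundcube \
#     "$(date '+%Y-%m-%d %H:%M:%S')" >> /var/log/manban.log
```

With maxretry = 1 a single matching line in the manban log is enough to trigger the ban, so anything appended by probes_to_manban or manban_ban is banned for the full bantime on fail2ban's next read of the file. The date prefix matters: a line with no recognisable timestamp makes fail2ban fall back to the time it processed the line, which still works but is noisy in its log and loses the record of when you decided to ban.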


Trent Three

Updated on September 18, 2022

Comments

  • Trent Three (almost 2 years ago):

    I have a fail2ban instance that works well.

    But I also like to occasionally examine the logs manually and try to ID system probes that are working around my standard f2b definitions.

    What I'm looking for is how I can define a jail that will last an extended period of time that I can manually use in a command like this:

    fail2ban-client set $JAIL banip $IP
    

    Can someone give me the syntax to specify a custom jail in the config file that isn't really triggered from log files (or it could be a standard jail that has some condition that might not make it actually trigger), that I can use in a manual statement? What I want to do is have a much longer ban time for manual bannings that I identify personally while looking through logs.

  • Evhz (almost 6 years ago):
    iptables v1.6.0: invalid port/service 80,443,110,995,25,465, ...