fail2ban mit xt_recent 3

Fail2ban an sich is a very handy tool to keep out potential attacking. But it is sometimes unhandly when you just want to unlock a specific ip.

I had almost forgotten about the issue until I have to get a comment. 😉 I am now writing the recent entries in my firewall also a database. After a reboot, the corresponding values ​​are available. I use the database also to keep other servers in sync.

The presented way also works without a database without any problems.

If you run fail2ban on one server (and use a centralized logserver) and want to add the created bans on a remote-server, you can modify “actionban” in a way, the it triggers a ssh-connect wich then creates the recent-entry on the remote. but be carefull: this can result in a dozen of ssh-connects.

This is my short resultion. The extended version (with using a database) will follow in 2013:

Instead of blocking each ip using iptbales -A … i switched to xt_recent and simple echo.

Change the coresponding action-file of fail2ban to:

It´s not needed to definie actionunban, es the ip will be removed if the max. time is reached. When initilaizing the firewall i use:

If you want a logfile, add:

Each blocked ip could now be removed with

echo -<IP> > /proc/net/xt_recent/DenyAccess.

For genereall understanding see: Block outdated clients

And have a look at /sys/module/xt_recent/parameters/ip_list_tot.