Fail2ban as such is a very handy tool to keep out potential attackers. But it is sometimes unhandy when you just want to unblock a specific IP.
I had almost forgotten about the issue until I got a comment. 😉 I am now writing the recent entries of my firewall to a database as well. After a reboot, the corresponding values are available again. I also use the database to keep other servers in sync.
The approach presented here also works fine without a database.
If you run fail2ban on one server (and use a centralized log server) and want to apply the created bans on a remote server, you can modify “actionban” so that it triggers an SSH connection which then creates the recent entry on the remote host. But be careful: this can result in dozens of SSH connections.
This is my short solution. The extended version (using a database) will follow in 2013:
Instead of blocking each IP using iptables -A … I switched to xt_recent and a simple echo.
Change the corresponding action file of fail2ban to:
actionban = echo +<ip> >/proc/net/xt_recent/fail2ban-<name>
actionunban = echo -<ip> >/proc/net/xt_recent/fail2ban-<name>
It is not necessary to define actionunban, as the IP will be removed once the maximum time is reached. When initializing the firewall I use:
iptables -N DenyAccess
iptables -A INPUT -m recent --update --seconds 86400 --name DenyAccess --hitcount 1 -j DROP
If you want a log file, add:
iptables -A DenyAccess -m recent --rcheck --seconds 14400 --name DenyAccess --rsource -m limit --limit 1/min -j LOG --log-prefix "(DenyAccess): " --log-level 6
Each blocked IP can now be removed with:
echo -<IP> > /proc/net/xt_recent/DenyAccess
For a general understanding see: Block outdated clients
And have a look at /sys/module/xt_recent/parameters/ip_list_tot.
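As an added example (my own helper, not part of the original post or of fail2ban), the echo-based actionban/actionunban above wrapped in a small POSIX sh script: it validates the substituted address before the redirection, refuses to write when the list file is missing (which is what happens when the name in the action file and the iptables --name do not agree, since the kernel only creates /proc/net/xt_recent/<list> once a rule referencing that list is loaded), and reports how full a list is relative to ip_list_tot. The variables XT_RECENT_DIR and XT_RECENT_PARAMS are assumptions that only exist so the script can be run against a scratch directory.

```shell
#!/bin/sh
# Hypothetical helper around the echo-based actionban/actionunban shown above.
# XT_RECENT_DIR defaults to the real proc path; point it at a scratch dir to test offline.
XT_RECENT_DIR="${XT_RECENT_DIR:-/proc/net/xt_recent}"
XT_RECENT_PARAMS="${XT_RECENT_PARAMS:-/sys/module/xt_recent/parameters}"

# valid_ipv4 <addr>: succeed only for a plausible dotted quad, so a malformed <ip>
# substituted by fail2ban can never reach the shell redirection below.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# xt_recent_ctl <+|-> <list> <addr>: add (+) or remove (-) an address from a list.
# Refuses to write when the list file is missing, which is exactly what happens when
# the name in the fail2ban action and the iptables --name do not match: the kernel
# only creates /proc/net/xt_recent/<list> once a rule referencing <list> is loaded.
xt_recent_ctl() {
    op=$1; list=$2; addr=$3
    [ "$op" = "+" ] || [ "$op" = "-" ] || return 2
    valid_ipv4 "$addr" || return 3
    f="$XT_RECENT_DIR/$list"
    [ -w "$f" ] || { echo "no xt_recent list '$list' (no rule with --name $list loaded?)" >&2; return 4; }
    echo "$op$addr" > "$f"
}

# xt_recent_usage <list>: print "<entries>/<ip_list_tot>". Entries in the proc file
# start with "src="; once a list holds ip_list_tot addresses (module default 100)
# the oldest one is recycled, which silently shortens the ban of that address.
xt_recent_usage() {
    tot=$(cat "$XT_RECENT_PARAMS/ip_list_tot" 2>/dev/null || echo 100)
    n=$(grep -c '^src=' "$XT_RECENT_DIR/$1" || true)
    echo "$n/$tot"
}
```

Run as root, `xt_recent_ctl - DenyAccess 203.0.113.7` is the checked equivalent of the unblock echo above, and `xt_recent_usage DenyAccess` tells you whether the list is about to start recycling entries.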