J D asked:
As per documentation, setting jail bantime to a negative value should result in a permanent ban. However once that is done, the following behavior changes, compared to when setting bantime to a positive integer:
ipset list doesn’t show fail2ban-sshd hash table
firewall-cmd --direct --get-all-rules is empty
/var/log/fail2ban.log becomes a single line. interesting entry
sshd: Invalid user ubuntu from 188.8.131.52 port 37477′, ‘ip’:
‘184.108.40.206’, ‘ipmatches’: at 0x7f4588f9dc08>,
‘ipfailures’: at 0x7f4588f9daa0>, ‘time’:
1536301842.088076, ‘failures’: 1443, ‘ipjailfailures’: at 0x7f4588f9dd70>})’: Error banning 220.127.116.11
/var/log/messages has the following
firewalld: WARNING: ‘/usr/sbin/iptables-restore –wait=2 -n’
failed: iptables-restore v1.4.21: Set fail2ban-sshd doesn’t
exist.#012#012Error occurred at line: 2#012Try ‘iptables-restore -h’
or ‘iptables-restore –help’ for more information. firewalld:
The only command working as expected is
fail2ban-client status sshd, however the IPs that are shown to be banned still try to connect. I think the root of all problems is that ipset isn’t created for whatever reason once the integer is negative.
Any ideas? Also, does the command
fail2ban-client reload has the same affect as
systemctl restart fail2ban.service when applying new configuration?
In my case, /etc/fail2ban/jail.d/local.conf
[sshd] enabled = true bantime = -1 findtime = 3600 maxretry = 5 action = %(action_)s
This was a bug in older versions of fail2ban. It has since been fixed, but if your Linux distribution still ships that older version, you may also need a workaround.
The GitHub issue which explains the problem and fix also includes a workaround:
This is fixed in newer versions. For 0.9 you can simply overwrite bantime (timeout) parameter in action inside the jail (parameter timeout for ipset persistent rule is 0).
[sshd] bantime = -1 action = %(banaction)s[name=%(__name__)s, bantime=0, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.